question

RenSrensen-5048 asked RenSrensen-5048 answered

Windows Server 2019 RDS issue

Hi,

One of our customers is having an issue with their remote desktop setup.

Back in August they upgraded their RDS environment from Windows Server 2008 to Windows Server 2019, and afterwards these issues began to happen frequently.

They didn't have any issues before Windows Server 2019.

Setup:
1 Broker, 1 Gateway, 1 web and 4 Session hosts
Windows Server 2019 Version 1809

The issue can be on 1 or 3 servers; it's very random.
The issue occurs after the daily restart.
The issue can occur every day or once every month.

In this example, let's say RDS01.
The issue is that some days users won't be logged onto the session host.
So all users will be using RDS02, RDS03 and RDS04 and RDS01 will be empty.

RDS01 is running, we are able to RDP to it and everything looks OK.

Solution: remove RDS01 from collection (host servers) and add it again. Now users will be logged onto RDS01.

What we have tried:
Reinstall session host role on all RD session hosts.
Rejoined session hosts to the domain.
Checked network connectivity - no problem here.
We found an issue with the replication to one domain controller; we fixed it but it didn't solve this issue.
Checked the domain controllers with dcdiag, Active Directory replication status and repadmin /showrepl in cmd - no issues.

In the event viewer, the following errors are created every day after the restart:
rds01: the processing of group policy failed because of lack of network connectivity to a domain controller
rds02: This computer was not able to set up a secure session with a domain controller in domain MESSAGE due to the following:
rds03: This computer was not able to set up a secure session with a domain controller in domain MESSAGE due to the following:
rds04: the processing of group policy failed because of lack of network connectivity to a domain controller


Do you have any ideas?

remote-desktop-services
RobertoRicchiari answered RobertoRicchiari edited

Hi, at first glance it seems to me to be a network problem.

How are the servers distributed between front end and back and the respective DCs?

RenSrensen-5048 answered

The servers are running on a cluster of 8 hosts.
Last year I moved the session hosts and broker on the same host as DC01 but it didn't help.

DC01 and DC02 are located in our datacenter and DC03 is located at the customer's location.
DC03 was the domain controller with the replication issues last year.

The servers are all using the same logical network, same subnet besides DC03.

iPerf is showing 3 Gbit/s between the servers, and I had PingPlotter installed on all the session hosts for 14 days, where they pinged all the domain controllers without any ping fails.

RenSrensen-5048 answered

Could it be a DNS issue?
Their domain controllers' DNS settings seem odd.

DC01 has 2 IPv4 addresses and the network card is private for some reason.

DC01's first IP, let's call it 172.0.0.1, and second IP 172.0.0.2

DC01: primary DNS DC01's second IP and secondary DC02
DC02: primary DNS DC01's first IP and secondary itself
DC03: primary itself, secondary DC01's second IP and itself

LimitlessTechnology-2700 answered RenSrensen-5048 commented

Hello @RenSrensen-5048,

Thank you for your question.

Please follow these steps, it will help you:

To resolve this problem, use the following methods, as appropriate.

Verify Remote Desktop is enabled
Open the System item in Control Panel. To start the System tool, click Start, click Control Panel, click System, and then click OK.

Under Control Panel Home, click Remote settings.

Click the Remote tab.

Under Remote Desktop, select either of the available options, depending on your security requirements:

Allow connections from computers running any version of Remote Desktop (less secure)

Allow connections only from computers running Remote Desktop with Network Level Authentication (more secure)

If you select Don't allow connections to this computer on the Remote tab, no users will be able to connect remotely to this computer, even if they are members of the Remote Desktop Users group.

Verify Remote Desktop Services Limit number of connections policy
Start the Group Policy snap-in, and then open the Local Security Policy or the appropriate Group Policy.

Locate the following command:

Local Computer Policy > Computer Configuration > Administrative Templates > Windows Components > Remote Desktop Services > Remote Desktop Session Host > Connections > Limit number of connections

Click Enabled.

In the RD Maximum Connections allowed box, type the maximum number of connections that you want to allow, and then click OK.

Verify Remote Desktop Services RDP-TCP properties
Follow these steps, depending on your operating system version.

Setting via Remote Desktop Services Configuration

Configure the number of simultaneous remote connections allowed for a connection:

On the RD Session Host server, open Remote Desktop Session Host Configuration. To open Remote Desktop Session Host Configuration, click Start, point to Administrative Tools, point to Remote Desktop Services.

Under Connections, right-click the name of the connection, and then click Properties.

On the Network Adapter tab, click Maximum connections, enter the number of simultaneous remote connections that you want to allow for the connection, and then click OK.

If the Maximum connections option is selected and dimmed, the Limit number of connections Group Policy setting has been enabled and has been applied to the RD Session Host server.

Verify Remote Desktop Services Logon rights
Configure the Remote Desktop Users Group.

The Remote Desktop Users group on an RD Session Host server grants users and groups permission to remotely connect to an RD Session Host server. You can add users and groups to the Remote Desktop Users group by using the following tools:

Local Users and Groups snap-in
The Remote tab in the System Properties dialog box on an RD Session Host server
Active Directory Users and Computers snap-in, if the RD Session Host server is installed on a domain controller
You can use the following procedure to add users and groups to the Remote Desktop Users group by using the Remote tab in the System Properties dialog box on an RD Session Host server.

Membership in the local Administrators group, or equivalent, on the RD Session Host server that you plan to configure, is the minimum required to complete this procedure.


Add users and groups to the Remote Desktop Users group by using the Remote tab

Start the System tool. To do this, click Start, click Control Panel, click the System icon, and then click OK.

Under Control Panel Home, click Remote settings.

On the Remote tab in the System Properties dialog box, click Select Users. Add the users or groups that have to connect to the RD Session Host server by using Remote Desktop.


Add users and groups to the Remote Desktop Users group by using Local Users and Groups snap-in

Click Start, click Administrative Tools, and then click Computer Management.
In the console tree, click the Local Users and Groups node.
In the details pane, double-click the Groups folder.
Double-click Remote Desktop Users, and then click Add.
In the Select Users dialog box, click Locations to specify the search location.
Click Object Types to specify the types of objects that you want to search for.
In the Enter the object names to select (examples) box, type the name you want to add.
Click Check Names.
When the name is located, click OK.


For more information please go through this link:
https://docs.microsoft.com/en-us/troubleshoot/windows-server/remote/troubleshoot-remote-desktop-disconnected-errors#resolution-for-symptom-1




If the reply was helpful, please don't forget to upvote or accept as answer.


Thanks for the suggestion, but I can't see how this would help with the problem.

RobertoRicchiari answered RobertoRicchiari commented

By network problem I meant a logical separation problem (server in multiple VLANs with firewall in between).
If the network is not separated between the DCs and the RDS servers, then you need to see the Broker configuration.


Same VLAN, all servers are behind the same firewall besides DC03, which is located at the customer's location.

We have checked the broker's configuration with the GUI and everything is good.


How did you configure the DNS names of the RD Host service?

How do you access the host individually?

RenSrensen-5048 answered

Update:
I checked the event viewer once more and found some interesting logs.
Source: TerminalServices-SessionBroker, Event ID: 776: “RD Connection Broker successfully added an RD Session Host Server Server1.xxx.intranet to Farm XXX.”
The above log is created every day after reboot for each RD session host.
Some days the log is only created for 3 out of 4 RD session hosts; the session host without a log is not working as well.
3 days ago RDS03 didn't work (no users logged on to the server), and in the event viewer there is only a log 776 for RDS01, RDS02 and RDS04. There is no log 776 for RDS03.
I found this article and it's the same issue:
https://social.technet.microsoft.com/Forums/en-US/e2770064-6369-40a0-a449-fdfc2b2411d2/rds-session-hosts-fail-to-join-farm-after-reboot?forum=winserverTS

Any ideas?
Can I enable more logging on the connection broker?
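
The check described in the update above (one event 776 per session host after each restart, and a host with no 776 staying empty) can be automated on the broker. This is an added PowerShell example, not code from the thread; the function name `Get-MissingFarmJoin`, the sample events and the provider name in the closing comment are assumptions.

```powershell
# Added example. Host names and the 776 message text follow the thread;
# the timestamps and events below are constructed sample data.
function Get-MissingFarmJoin {
    param(
        [Parameter(Mandatory)] [AllowEmptyCollection()]
        [object[]] $Events,                                 # need TimeCreated, Id, Message
        [Parameter(Mandatory)] [string[]] $ExpectedHosts,
        [Parameter(Mandatory)] [datetime] $Since            # time of the daily restart
    )
    $pattern = 'successfully added an RD Session Host Server (\S+) to Farm'
    $joined = foreach ($e in $Events) {
        if ($e.Id -eq 776 -and $e.TimeCreated -ge $Since -and $e.Message -match $pattern) {
            # Reduce the FQDN in the message to the short host name.
            ($Matches[1] -split '\.')[0]
        }
    }
    # Hosts with no 776 since the restart did not rejoin the farm.
    # -notcontains compares case-insensitively; an empty $joined flags every host.
    $ExpectedHosts | Where-Object { $joined -notcontains $_ }
}

# Constructed sample: three hosts rejoin after today's restart, RDS03 does not.
$restart = [datetime]'2021-01-15T04:00:00'
$msg = 'RD Connection Broker successfully added an RD Session Host Server {0}.xxx.intranet to Farm XXX.'
$sample = foreach ($h in 'RDS01', 'RDS02', 'RDS04') {
    [pscustomobject]@{ TimeCreated = $restart.AddMinutes(3); Id = 776; Message = $msg -f $h }
}
# Yesterday's join of RDS03 must not count for today.
$sample += [pscustomobject]@{
    TimeCreated = $restart.AddDays(-1).AddMinutes(3); Id = 776; Message = $msg -f 'RDS03'
}

Get-MissingFarmJoin -Events $sample -Since $restart `
    -ExpectedHosts 'RDS01', 'RDS02', 'RDS03', 'RDS04'

# On the broker, replace $sample with real events. The provider name is an
# assumption; confirm it with: Get-WinEvent -ListProvider *SessionBroker*
# $events = @(Get-WinEvent -FilterHashtable @{
#     ProviderName = 'Microsoft-Windows-TerminalServices-SessionBroker'
#     Id = 776; StartTime = $restart } -ErrorAction SilentlyContinue)
```

Run as a scheduled task shortly after the daily restart, the returned host names can feed an alert so an empty session host is noticed before users pile onto the remaining ones.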
