At the moment I’m helping out on a project that has a Windows 2008 R2 RDS farm with some problems. The issue that was seen was that at random moments the users could log on to a server but were logged off immediately without any errors in the event logs. The first thing I did was install the missing updates and search for hotfixes for the RDS farm, and I found KB2312539. It’s a pretty big list containing the current hotfixes for RDS:
Authentication | |
2203302 | An RDP connection that uses SSL authentication and CredSSP protocol fails in Windows 7, in Windows Server 2008 R2, in Windows Vista and in Windows Server 2008 |
975943 | Error code when an application uses the CredSSP if the authenticated user account is a member of many security groups on a computer that is running Windows Vista or Windows Server 2008: “0x80090329” |
972595 | You cannot log on or the system stops responding when the Stored User Names and Passwords feature is enabled on a computer that is running Windows Server 2008 or Windows Vista |
954910 | Error message when you use smart card authentication to log on to a Windows Server 2008-based terminal server from a client computer that is running Windows Vista or Windows Server 2008: “0xC000040C” |
953760 | When you enable SSO for a terminal server from a Windows XP SP3-based client computer, you are still prompted for user credentials when you log on to the terminal server |
952234 | When you establish a Terminal Services session that requires smart card authentication to log on to a Windows Server 2008-based terminal server, the Terminal Services session stops responding |
951608 | Description of the Credential Security Support Provider (CredSSP) in Windows XP Service Pack 3 |
Core | |
2523307 | A shadowed Windows Server 2008 Terminal Services session is disconnected from a computer that is running Windows Server 2008 R2 SP1 or Windows 7 SP1 |
2518298 | “0x0000003B” Stop error on a terminal server in Windows Server 2008 |
2481109 | MS11-017: Description of the security update for Remote Desktop client 6.1 and Remote Desktop client 6.0: March 8, 2011 |
2462310 | A 16-bit application that uses initialization (.ini) files does not work correctly in a Windows Server 2008 x86 Terminal Services session |
982303 | Terminal Services performance counters report an incorrect number of sessions when a heavy load situation occurs in Windows Server 2008 R2 or in Windows Server 2008 |
980568 | A terminal server that is running Windows Server 2008 stops responding when lots of clients make terminal sessions to the server |
978829 | The CTRL and ALT keys in a Terminal Service session get stuck when you unlock a local computer |
977269 | Error message when you make a remote desktop connection to a terminal server that is running Windows Server 2008: “The requested operation requires elevation” |
976110 | A terminal server session that is shadowed is incorrectly disconnected when the terminal server session that is shadowing stops shadowing on a computer that is running Windows Vista or Windows Server 2008 |
971338 | The terminal server roaming profile of a user account is not loaded correctly on a terminal server that is running Windows Server 2008 R2 or Windows Server 2008 after the user password is changed during session logon |
971253 | You receive a blank screen when you log on to a terminal server that is running Windows Server 2008 |
970911 | The “Terminal Services” service cannot protect a console session from being disconnected in Windows Server 2008 |
970089 | A hotfix is available that addresses occasional crashes of Vmwp.exe processes on a Windows Server 2008-based Hyper-V host computer |
970067 | You find high CPU usage for the Wmiprvse.exe process on a terminal server that is running Windows Server 2008 when you run the Windows System Resource Manager |
969851 | Instead of the specified startup program, the whole desktop is started on a remote desktop connection when you change the “Terminal Services Profile” setting for the user account |
969940 | When you start a terminal session to a computer that is running Windows Server 2008 and that has the terminal server role installed, the full Windows desktop starts instead of the program that is specified by the terminal server |
941641 | Remote Desktop Connection 6.0 prompts you for credentials before you establish a remote desktop connection |
Device Redirection & Printing | |
2655998 | Long logon time when you establish an RD session to a Windows Server 2008 R2-based RD Session Host server if Printer Redirection is enabled |
2532459 | Print queue does not work if the queue is not one of the first 100 queues installed in a Windows Server 2008 or Windows Server 2008 R2 Terminal Services session |
2059743 | You cannot print to multiple trays in a terminal server session in Windows Server 2008 |
2028453 | The redirected printer does not print a document in Windows Server 2008 if the TS Easy Print feature is used in a terminal server session |
981650 | You cannot print text in a terminal server session in Windows Server 2003, in Windows Server 2008, or in Windows Vista if the printer uses the “Generic / Text Only” driver |
979163 | Many pages are printed when you try to print an Excel worksheet by using a redirected printer if the Terminal Services Easy Print feature is used |
973744 | You cannot exit an application that uses a redirected printer when you enable the Terminal Services Easy Print feature on a terminal server that is running Windows Server 2008 |
973356 | Error message when you create one or more network printers in a Windows Server 2008-based terminal server session: “Printers cannot be installed” |
973062 | The audio redirection feature does not work when you use Remote Desktop Connection Client for Mac 2.0 to make a terminal server session to a computer that is running Windows Server 2008 x64 Edition or Windows Vista x64 Edition |
972600 | After you disconnect from a remote desktop session to a destination computer that is running Windows Vista or Windows Server 2008, the default printer is changed when you log on the destination computer from the console |
971370 | You randomly hear audio from another terminal server session when you play audio in a terminal server session that is hosted on server that is running Windows Server 2008 |
970603 | The content of a printout is different when you print a PDF document by using Terminal Services Easy Print in a Terminal Services (TS) session in Windows Vista or Windows Server 2008 |
958596 | Users cannot use a smart card to log on to a Terminal Services session on a computer that is running Windows Server 2008 |
954744 | FIX: Some pages are printed in the incorrect orientation when you use Terminal Services Easy Print to print a document that contains both portrait-oriented pages and landscape-oriented pages |
Licensing | |
2542272 | You receive a temporary TS CAL when the DN of a user account contains the forward slash-mark character in Windows Server 2008 if Per User licensing mode is used |
2028637 | A domain administrator or local administrator incorrectly receives a warning message “Cannot find a valid Terminal Services Licensing Server” when this user account logs on to a Windows Server 2008 Terminal server |
2021885 | Terminal Server License Server/Remote Desktop License Server Only Issuing Temporary Licenses and Event ID 17 Logged |
983385 | Event ID 17 is logged in the System log on a TS Licensing server or on a RD Licensing server in Windows Server 2003 SP2, in Windows Server 2008, or in Windows Server 2008 R2 |
979548 | You cannot enter an agreement number of a volume license that contains more than seven digits in Remote Desktop Licensing Manager or in TS Licensing Manager |
977686 | The Licensing Diagnosis tool incorrectly reports that there are no available Terminal Services client access licenses in Windows Server 2008 |
972069 | A terminal server that is running Windows Server 2008 cannot obtain terminal licenses from a Terminal Server license server that is running Windows Server 2008 after you enable the “License Server Security Group” Group Policy setting |
971302 | Single CALs support is available for Terminal Server license servers that are running Windows Server 2008 |
968995 | The Terminal Server Licensing MMC snap-in or the TS Licensing Manager MMC snap-in uses NT LAN Manager instead of the Kerberos protocol to pass authentication, respectively, in Windows Server 2003 or in Windows Vista and Windows Server 2008 |
968074 | An update is available that enables the Terminal Services license servers that are running Windows Server 2008 to be able to use the CALs for the Windows Server 2008 R2 Remote Desktop Services |
TS Gateway | |
2620264 | You cannot start any RemoteApp applications through a Windows Server 2008-based TS gateway |
974195 | You cannot connect to a terminal server that is running Windows Server 2008 through the TS Gateway by using its FQDN if it is in a disjointed namespace and if the TCP port 445 is disabled between the terminal server and the TS Gateway |
TS RemoteApp | |
2579055 | A started RemoteApp application is intermittently not visible in Windows Server 2008 |
2381675 | The RemoteApp program is not terminated after the idle session time limit expires on a computer that is running Windows Server 2008 |
983533 | The pop-up windows are hidden and the TS RemoteApp application stops responding in Windows Vista, in Windows 7, in Windows Server 2008, and in Windows Server 2008 R2 |
981211 | A RemoteApp program does not show the saved user name when you start the program on a computer that is running Windows Vista |
979425 | A combo box item in a RemoteApp application is updated incorrectly when you connect by using Remote Desktop Connection (RDC) 7.0 |
978927 | The highlighted menus of all the running applications are displayed incorrectly in a Windows Server 2008-based terminal server session |
970689 | A Windows Server 2008-based terminal server denies connection requests with the error message “The remote procedure call failed and did not execute” randomly under a heavy logon/logoff condition |
TS Session Broker | |
2522829 | Sessions are not correctly distributed after the Terminal Services Session Broker service runs for 25 or more days consecutively in Windows Server 2008 |
977541 | You are not redirected to the previously-disconnected terminal server session through the TS Session Broker service in a Windows Server 2008-based farm in TS Session Broker |
TS Web Access | |
951607 | You cannot connect to a remote computer or start a remote application when you use Terminal Services Web Access or Remote Web Workspace on a Windows XP SP3-based or Windows Small Business Server 2003 SP1-based computer |
Too bad none of the hotfixes solved the problem I was troubleshooting, so I just installed the updates that were delivered from Windows Update directly.
As Microsoft FEP (Forefront Endpoint Protection) was used, I searched in the SCCM console to take a good look at the current policies, but the RDS farm was deployed with a default server policy instead of a policy specific to this RDS farm, so I went on a quest on the internet to search for best practices for FEP on RDS:
- BP for RES Workspace Manager on antivirus
- BP for Citrix XenApp, but it can be applied to RDS for a large part
A colleague found the following site: http://www.microsoft.com/en-us/download/details.aspx?id=13088. If you download fepserverrolepoliciesforusewithconfigmgrui.exe and extract it, you’ll find a couple of XML files, and one of them is FEP_Default_TermSrv.xml, which states:
Microsoft Forefront Endpoint Protection performance optimized server role policy for Terminal Server workloads. This policy combines default server workload policy settings with settings optimized for terminal servers. This policy is applicable to terminal servers running on Windows Server 2003, Windows Server 2003 R2, Windows Server 2008 and Windows Server 2008 R2.
So we imported this XML file, made some changes based on the first BPs and applied it to all RDS servers.
There were different GPOs applied and they had conflicting settings (mostly in the user configuration), which couldn’t cause the problems as mentioned, but to ensure optimal user performance we decided to create a new OU and redo the GPOs, putting all the stuff configured in the User policies into RES Workspace Manager and configuring all the Computer policies into one.
So what we did in 3 steps:
- Install all available Windows Updates.
- Configure antivirus using vendor best practices, but you decide what to configure.
- Keep GPOs simple; try to keep the number of policies to a minimum.
After all these configuration changes we tested the environment and the issues were gone. The point of this blog post is to show that you should try to keep it simple, make sure you read all the best practices, and choose what’s relevant for you and your environment.
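One way to check for the symptom described at the top of this post, before and after changes like these (an added example, not part of the original post): pair the session logon and logoff events from the TerminalServices-LocalSessionManager operational log and report sessions that ended within a threshold. The function names, the 30-second threshold, the server name RDS01 and the sample records are assumptions constructed for illustration.

```powershell
# Added example: report RDS sessions that log off within seconds of logging on.
# Event ID 21 = session logon succeeded, 23 = session logoff succeeded.
function Get-ShortSession {                      # hypothetical helper name
    param(
        [Parameter(Mandatory = $true)] [object[]] $Events,
        [int] $MaxSeconds = 30                   # assumed meaning of "immediately"
    )
    $open = @{}                                  # "server|session|user" -> logon time
    foreach ($e in ($Events | Sort-Object Time)) {
        $key = '{0}|{1}|{2}' -f $e.Server, $e.SessionId, $e.User
        if ($e.Id -eq 21) {
            $open[$key] = $e.Time
        }
        elseif ($e.Id -eq 23 -and $open.ContainsKey($key)) {
            $logon = $open[$key]
            $open.Remove($key)
            $secs = [int](($e.Time - $logon).TotalSeconds)
            if ($secs -le $MaxSeconds) {
                New-Object PSObject -Property @{
                    Server = $e.Server; User = $e.User; Logon = $logon; Seconds = $secs
                }
            }
        }
    }
}
function Read-SessionEvent {                     # hypothetical helper name
    param([string] $Server)
    $log = 'Microsoft-Windows-TerminalServices-LocalSessionManager/Operational'
    Get-WinEvent -ComputerName $Server -FilterHashtable @{ LogName = $log; Id = 21, 23 } |
        ForEach-Object {
            $x = ([xml]$_.ToXml()).Event.UserData.EventXML
            New-Object PSObject -Property @{
                Server = $Server; Time = $_.TimeCreated; Id = $_.Id
                User = $x.User; SessionId = $x.SessionID
            }
        }
}
# Constructed sample records (not real log data): one 4-second session, one normal one.
function New-Rec($s, $t, $id, $u, $sid) {
    New-Object PSObject -Property @{ Server = $s; Time = [datetime]$t; Id = $id; User = $u; SessionId = $sid }
}
$sample = @(
    (New-Rec 'RDS01' '2012-05-01 08:00:00' 21 'CONTOSO\alice' 3),
    (New-Rec 'RDS01' '2012-05-01 08:00:04' 23 'CONTOSO\alice' 3),
    (New-Rec 'RDS01' '2012-05-01 08:05:00' 21 'CONTOSO\bob' 4),
    (New-Rec 'RDS01' '2012-05-01 16:30:00' 23 'CONTOSO\bob' 4)
)
Get-ShortSession -Events $sample                 # live: -Events (Read-SessionEvent 'RDS01')
```

With the sample records only the 4-second session is reported; run against each farm member, a per-server count of such sessions shows whether the problem follows one host or the whole farm.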
Kees Baggerman