RDP Terminal server 2012 DC connection issue quantity no more than four sessions

Hi experts,

We have a 2012 server with RDP, holding the DC and terminal server roles, with a 15 CAL license.
Sessions seem to be limited to only four: if a fifth user connects, it spins and then throws an error that the remote server is not configured or not turned on, or firewall.
The strange thing is that if I go to the server and log on as the fifth user at the local box, then let the user know it is ready, he can connect to it using RDP with no problem.
I called Microsoft support; they checked traffic, log files, etc., but no luck.
If anyone has had the same issue, please let me know how to fix it.
Thank you so much for all your input, and again thank you all, experts.
VN-PC view asked:

btan (Exec Consultant) commented:
I am thinking it may have to do with the local RDUser group.
E.g. a user who logs in via RDP to the server will also need to belong to the server's local Remote Desktop Users group. In other words, the server that users need to RD into has to be granted RD access into it. A few options:
a) Check whether you can add that domain user's userid to the RDUsers group on your mentioned TS member server. There is no need to create a new local account on that server.
b) Another means is to create a new <YOUR_DOMAIN>\<YOUROWN_GRANTEDTSUser> group and add it to the local RDUsers group on the TS. Then start adding the respective domain users to this newly created group; this avoids accessing the local TS server to add each individual new user. See this MS forum:
> I cannot add the domain/builtin/Remote Desktop Users group to the local group policy.

The Remote Desktop Users group is a built-in group; it is only available for the local computer. So you can't add a domain controller's Remote Desktop Users group to a local computer.

Group Policy "Allow users to connect remotely using Terminal Services": if you enable the policy, you enable the remote desktop feature on the target computer, but you do not grant users permission to remote into the target computer.

So add your specified user accounts to a security group, and then manually add the group to the Remote Desktop Users group on the target computer. Or use the Group Policy Preference Local Users and Groups feature to add the security group to target computers.
VN-PC view (Author) commented:
Hi Btan,

First, thank you.
I do have a security group, rdp_group1.
rdp_group1 is a member of the built-in RDP user group of that DC/TS.
Also, the local policy of the DC allows rdp_group1 to connect through RDP.
The connection session host server also shows rdp_group1.

It is a 2012 R2 DC/TS on VMware.
The only way to allow all users to connect to it for now is to open the vSphere client and connect the users first by logging on to that box, then let them know, so they can connect to it.
The Microsoft team is on it and I pushed it up to level II, but they keep saying they don't have a solution.
The only thing they recommended is to split the TS server and DC into two servers, but I disagreed with them because there is no statement from Microsoft saying you can't use the same DC/TS.
I am thinking some patches messed up my .
I also rebuilt the license server database. The error seemed to be a license error, but that is not true; we have a valid license, and the techs from Microsoft also confirmed we have a valid license. But then why does that error pop up? The Microsoft techs have no idea what's going on with my box; again, their suggestion is to add another server and make that the TS.
But thank you for your input.
btan (Exec Consultant) commented:
Thanks for sharing.
Specific to the "new error", typically it would only happen if two users are using the same username or the max concurrent users for the server has been reached. In your case, if the licence is alright and the max number is not even reached in your testing, it may be the "same username". Hence, we may want to check the setting, e.g. ... Administrative Tools > Remote Desktop Services > Remote Desktop Session Host configuration. Set "No" in the setting "Restrict each user to a single session".

I am thinking of rejoining the domain for the client instead, and also of network logging to see the exchanges, but it may not be worthwhile since most use cases have been tested so far. MS should simulate your env.
VN-PC view (Author) commented:
Hi btan,

They are not part of the domain; we are hosting their server, and they only use the RDP client to connect to their server.
I will get back to you as soon as there is a final solution from Microsoft.

Thanks again,
btan (Exec Consultant) commented:
Noted. It seems there may also be some inter-domain trust relationship to be considered, especially if the domains are all different and in disparate forests. Agree that MS should advise better rather than leaving it in a limbo state. There is a need to justify what the limitations and prerequisites are that are not known in your use case.
VN-PC view (Author) commented:
Hi Btan,

Do you know how and where in the registry to control the connection limit?
I know there is a way in the registry we can manage that (reg = GPO); I just want to make sure there is nothing funky in that reg. I am hunting down that reg setting but seem to have no luck.
I just want to ask you; maybe you know somewhere in the reg where it can be hard set.
Again, thank you so much, Btan.
btan (Exec Consultant) commented:
Noted... it should be under
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services
e.g. for the keep-alive connection interval:
 KeepAliveEnable       REG_DWORD           0x00000001 (1)
 KeepAliveInterval      REG_DWORD           0x00000001 (1)

This is old Win2K3, with most of the existing RD registry fields (e.g. MaxConnectionTime, MaxDisconnectionTime, MaxIdleTime etc.) intact, which I believe can still be applicable for newer servers (if they exist). The above is probably a newer add-on, as an example (not exhaustive, though). But do back up first before testing, and restart the service after changes: http://www.planet-europe.fr/docs/support/Performances-Serveur/Most%20Important%20Registry%20Keys%20for%20Terminal%20Services.pdf

You should still check the GPO aspects too (server host having Remote Desktop Session Host Configuration as a role):
• Computer Configuration\Policies\Administrative Templates\Windows Components\Remote Desktop Services\Remote Desktop Session Host\Session Time Limits
• User Configuration\Policies\Administrative Templates\Windows Components\Remote Desktop Services\Remote Desktop Session Host\Session Time Limits
• Computer Configuration\Policies\Administrative Templates\Windows Components\Remote Desktop Services\Remote Desktop Session Host\Connections
• User Configuration\Policies\Administrative Templates\Windows Components\Remote Desktop Services\Remote Desktop Session Host\Connections
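
A read-only way to check the registry location named in the comment above, as an added example that is not part of the original thread. It reports the connection-limit and session values under that policy key; the `Terminal Server` and `WinStations\RDP-Tcp` keys and the value names `MaxInstanceCount`, `fSingleSessionPerUser` and `fDenyTSConnections` are not mentioned in the thread and are included on the assumption that the standard Windows Server layout and the default listener name apply.

```powershell
# Added example (not from the thread): read-only report of RDS session-limit
# values. Run in an elevated PowerShell session on the session host.
$policy   = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services'  # path from the thread
$server   = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'          # assumption: standard location
$listener = "$server\WinStations\RDP-Tcp"                                     # assumption: default listener name

# Value names to look for in each key.
$targets = @(
    @{ Key = $policy;   Names = 'MaxInstanceCount','fSingleSessionPerUser','KeepAliveEnable',
                                'KeepAliveInterval','MaxConnectionTime','MaxDisconnectionTime','MaxIdleTime' }
    @{ Key = $server;   Names = 'fDenyTSConnections','fSingleSessionPerUser' }
    @{ Key = $listener; Names = 'MaxInstanceCount' }
)

function Get-RegValueOrNull {
    param([string]$Key, [string]$Name)
    # Returns $null when the key or the value does not exist (setting not configured).
    $item = Get-ItemProperty -LiteralPath $Key -Name $Name -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }
    return $item.$Name
}

$report = foreach ($t in $targets) {
    foreach ($name in $t.Names) {
        $value = Get-RegValueOrNull -Key $t.Key -Name $name
        $note  = ''
        if ($name -eq 'MaxInstanceCount' -and $null -ne $value) {
            # 0xFFFFFFFF may surface as -1 or 4294967295 depending on how the DWORD is read.
            if ($value -eq -1 -or $value -eq 4294967295) { $note = 'no limit' }
            else { $note = "connections capped at $value" }
        }
        if ($name -eq 'fSingleSessionPerUser' -and $value -eq 1) {
            $note = 'each user restricted to a single session'
        }
        [pscustomobject]@{
            Key   = $t.Key -replace '^HKLM:\\', 'HKLM\'
            Name  = $name
            Value = if ($null -eq $value) { '(not set)' } else { $value }
            Note  = $note
        }
    }
}
$report | Format-Table -AutoSize -Wrap
```

Values under the `Policies` key are written by Group Policy, so a manual change there is overwritten at the next policy refresh if a GPO configures the same setting.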

VN-PC view (Author) commented:
Awesome, Btan, thank you very much sir....
btan (Exec Consultant) commented:
Thanks, glad to have helped and learned.