Remote Desktop Services Collection Creation Issue

Hi Guys;

I've set up an RDS environment consisting of 5 servers "Session Host, Gateway, Webaccess, License Server, & connection broker"

The Webaccess and the GW servers are in the DMZ, all the required ports are open on the FW, and Windows firewall is disabled on all the servers (the service is on, though). All servers are on 2012 R2, SQL 2012 Express is installed on the Licensing server. Everything went smoothly until the Collection Creation phase, where I'm getting the following:

1. Warning: CorpRDSHP11 "Session host server" The property UserAuthenticationRequired is configured by using Group Policy settings. Use Group Policy Management Console to configure this property.

2. When I access the WebAccess through the link "https://webaccess.domain.com/RDWeb/", I don't see anything under Current Folder!

Please help.

Thanks.
Kinan Al-Haffar, Senior Systems Engineer, asked:

Stuart, Technical Architect - Cloud, commented:
Hi,

Re point 2 - I'm sure when I last did this I had to tick a checkbox within the collection properties to show it in RDWeb. By default nothing is published there.
Cliff Galiher commented:
First, I strongly recommend opening two questions (if necessary). Mixing two makes awarding points very difficult and can muddy the waters during troubleshooting. Was an expert's advice meant to fix #1 or #2? And if #2 is caused by #1, then is following advice to solve #2 even worth the time? Just some advice to get the most out of EE and your time....

So with that in mind, I'm going to concentrate on helping you solve #1. Others will obviously contribute in the way they feel appropriate.

The error seems fairly straightforward. You have a group policy (either in AD or locally) defining the userauthenticationrequired setting that is likely in conflict with RDS. In most cases, I recommend putting RDSH servers in their own OU or at the very least security group as they often have different requirements for authentication. For example I want most of my servers to only be accessible by administrators. But RDSH servers need to allow remote access to end users. I'd lock that down with different policies applied to those two groups.

So use RSOP and look at your local policies. Remove those that don't apply and you should see #1 resolved. And if user authentication is being an issue, that can certainly break things causing #2.
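To act on Cliff's advice about RSOP in a reproducible way, the following script is an added example (not code from the original thread or from any of its participants). Run it on the Session Host as an administrator; it reports the effective UserAuthenticationRequired value for the RDP-Tcp listener, whether a policy owns it, and which GPO delivers it. The WMI class, the policy registry path and the gpresult switches are real; the Session Host name is taken from the thread, and the assumption that the RDP-Tcp listener is the one the collection uses is the script's own.

```powershell
# Added example: locate the Group Policy that is overriding UserAuthenticationRequired
# on an RD Session Host (e.g. CORPRDSHP11). Run elevated on the Session Host.

# 1. Effective setting and its source, via the Terminal Services WMI provider.
#    PolicySourceUserAuthenticationRequired = 1 means a policy (domain or local) owns the value,
#    which is exactly the condition that produces the collection-creation warning.
$ts = Get-CimInstance -Namespace 'root\cimv2\TerminalServices' -ClassName Win32_TSGeneralSetting `
        -Filter "TerminalName='RDP-Tcp'"
[pscustomobject]@{
    Listener                   = $ts.TerminalName
    UserAuthenticationRequired = $ts.UserAuthenticationRequired   # 1 = NLA required
    ConfiguredByPolicy         = [bool]$ts.PolicySourceUserAuthenticationRequired
}

# 2. The policy registry value behind the warning. It is written by the GPO
#    "Require user authentication for remote connections by using Network Level Authentication".
#    No output here means the setting is not policy-managed on this host.
$policyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services'
Get-ItemProperty -Path $policyKey -Name UserAuthentication -ErrorAction SilentlyContinue |
    Select-Object @{ n = 'PolicyUserAuthentication'; e = { $_.UserAuthentication } }

# 3. Resultant set of policy for the computer: which GPO sets the value. A purely local
#    override (the cause in this thread) shows up under "Local Group Policy" rather than
#    under a domain GPO name, which tells you whether to fix it in gpedit.msc or in GPMC.
gpresult /scope computer /v |
    Select-String -Pattern 'GPO:', 'UserAuthentication', 'Terminal Services' -Context 0, 2

# After removing or re-scoping the offending policy, refresh and re-check step 1:
#   gpupdate /force /target:computer
```

Putting Session Hosts in their own OU, as Cliff suggests, is what makes step 3 clean: the RDSH-specific GPO is then the only one that should appear against the Terminal Services keys, and anything else listed there is a candidate for removal.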
Kinan Al-Haffar, Senior Systems Engineer (Author), commented:
Hi Solacement;

The check box for showing the collection in WA is checked by default. I checked it, and it is ticked. I un-ticked it, and re-ticked it again and applied the changes, but nothing changed.

Thanks.

Kinan Al-Haffar, Senior Systems Engineer (Author), commented:
Hi Cliff Galiher;

Thank you for your help. I'm sorry for posting 2 questions, but I thought that since both questions are related it might be better to post them together; I agree with you, though.

As for your suggestion, I will check and let you know in a short while.

Thanks.
Kinan Al-Haffar, Senior Systems Engineer (Author), commented:
Hi Cliff Galiher;

#1 has been solved as suggested; it was the local GPO. However, #2 is still an issue :-(
Cliff Galiher commented:
First, since you made the changes, restart the servers in question. Permissions can be tricky things, especially when it comes to getting information from server A to server B.

Secondly, what ports (and in what direction) are open between your DMZ and intranet? The RDWA needs to be able to properly query the collection information from the RDCB, so if that isn't configured, the RDWA screen will appear empty. There *should* be an event logged on the RDWA server for such issues, so check your event logs too.
Cliff Galiher commented:
I am not surprised that #2 is still an issue. Ultimately I didn't suspect the issues were related, which is why I thought combining them in the same question would actually be detrimental. But we'll tackle it.
Kinan Al-Haffar, Senior Systems Engineer (Author), commented:
Hi Cliff Galiher;

Thank you for your continued help. Below are the FW rules on the ASA, which include all the open ports:

DMZ Servers:

1. CLDMZRDGP11 "10.64.31.62" Remote Desktop Gateway Server - VIP 192.168.71.125
2. CLDMZRDWAP11 "10.64.31.60" Remote Desktop Web Access Server - VIP 192.168.71.124

Internal Servers:

1. CORPRDLSP11 "10.64.10.60" Remote Desktop Licensing Server
2. CORPRDSHP11 "10.64.4.227" Remote Desktop Session Host Server - VIP 10.64.14.139
3. CORPRDCBP11 "10.64.4.225" Remote Desktop Connection Broker Server - VIP 10.64.14.140

US-C-PRI-ASA-FW# show access-list outside-acl
access-list outside-acl; 1175 elements; name hash: 0xb1b82131
access-list outside-acl line 1 remark ***Access for Windows Remote Desktop Services (RDS)***
access-list outside-acl line 2 extended permit tcp any object-group RDS-Ext object-group RDS-Ext-TCP 0xe91026ea
  access-list outside-acl line 2 extended permit tcp any host 192.168.71.124 eq https (hitcnt=0) 0x06306c37
  access-list outside-acl line 2 extended permit tcp any host 192.168.71.124 eq 3389 (hitcnt=0) 0xaccefcea
  access-list outside-acl line 2 extended permit tcp any host 192.168.71.124 eq 3391 (hitcnt=0) 0x3c4ef7ba

access-list outside-acl line 3 extended permit udp any object-group RDS-Ext object-group RDS-Ext-UDP 0xda08c491
  access-list outside-acl line 3 extended permit udp any host 192.168.71.124 eq 3389 (hitcnt=0) 0xabbb45ab
  access-list outside-acl line 3 extended permit udp any host 192.168.71.124 eq 3391 (hitcnt=0) 0x48a99fb0

access-list Web-DMZ-acl line 1 remark ***Access for Windows Remote Desktop Services (RDS)***
access-list Web-DMZ-acl line 2 extended permit tcp object-group RDS-DMZ object-group RDS-Int object-group RDS-DMZ-TCP 0x51a7e0eb
  access-list Web-DMZ-acl line 2 extended permit tcp host 192.168.71.124 host 10.64.14.139 eq 445 (hitcnt=0) 0x7b7cab59
  access-list Web-DMZ-acl line 2 extended permit tcp host 192.168.71.124 host 10.64.14.139 eq 3389 (hitcnt=0) 0x83568535
  access-list Web-DMZ-acl line 2 extended permit tcp host 192.168.71.124 host 10.64.14.139 eq 5504 (hitcnt=0) 0x2609d746
  access-list Web-DMZ-acl line 2 extended permit tcp host 192.168.71.124 host 10.64.14.139 eq 5985 (hitcnt=0) 0xea64f8fd
  access-list Web-DMZ-acl line 2 extended permit tcp host 192.168.71.124 host 10.64.14.140 eq 445 (hitcnt=0) 0x46bb88f0
  access-list Web-DMZ-acl line 2 extended permit tcp host 192.168.71.124 host 10.64.14.140 eq 3389 (hitcnt=0) 0xf0f8e2ea
  access-list Web-DMZ-acl line 2 extended permit tcp host 192.168.71.124 host 10.64.14.140 eq 5504 (hitcnt=0) 0x78f08609
  access-list Web-DMZ-acl line 2 extended permit tcp host 192.168.71.124 host 10.64.14.140 eq 5985 (hitcnt=0) 0x38376943
  access-list Web-DMZ-acl line 2 extended permit tcp host 192.168.71.125 host 10.64.14.139 eq 445 (hitcnt=0) 0x88b1e830
  access-list Web-DMZ-acl line 2 extended permit tcp host 192.168.71.125 host 10.64.14.139 eq 3389 (hitcnt=0) 0x83de87d5
  access-list Web-DMZ-acl line 2 extended permit tcp host 192.168.71.125 host 10.64.14.139 eq 5504 (hitcnt=0) 0x2dac1a6f
  access-list Web-DMZ-acl line 2 extended permit tcp host 192.168.71.125 host 10.64.14.139 eq 5985 (hitcnt=0) 0x0dd1d0de
  access-list Web-DMZ-acl line 2 extended permit tcp host 192.168.71.125 host 10.64.14.140 eq 445 (hitcnt=0) 0xb1e4513a
  access-list Web-DMZ-acl line 2 extended permit tcp host 192.168.71.125 host 10.64.14.140 eq 3389 (hitcnt=0) 0x1136490b
  access-list Web-DMZ-acl line 2 extended permit tcp host 192.168.71.125 host 10.64.14.140 eq 5504 (hitcnt=0) 0x4fac369a
  access-list Web-DMZ-acl line 2 extended permit tcp host 192.168.71.125 host 10.64.14.140 eq 5985 (hitcnt=0) 0xec586c73



Ports have been configured according to the following KB:

http://social.technet.microsoft.com/wiki/contents/articles/16164.which-ports-are-used-by-a-rds-2012-deployment.aspx
Kinan Al-Haffar, Senior Systems Engineer (Author), commented:
Hi Cliff Galiher;

I think you are right. I see the following error on the WA server when I publish a collection, so I think that the FW configuration needs to be modified. Do you know which ports should be opened?

[Screenshot: RDS Error]
Cliff Galiher commented:
5504 and DNS must be able to resolve the name and it must be routable. Nslookup, ping, traceroute are all helpful here.
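Cliff's two points about the RDWA-to-RDCB path (the port check and event log check in his earlier comment, and the "5504 and DNS must resolve and be routable" answer here) can be verified from the Web Access server with the following script. It is an added example, not code from the thread or from Microsoft; the host names, VIPs and the permitted destination list are taken from the ACL posted above, the broker FQDN is a placeholder, and the script assumes RDWeb connects to whatever address the broker's name resolves to (so a name that resolves to the broker's real 10.64.4.225 rather than the VIP the ACL was written for would explain an empty RDWeb page despite "correct" rules).

```powershell
# Added example: run on the RD Web Access server (CLDMZRDWAP11 in the thread) to check
# the name resolution, firewall path and local event logs that RDWeb's collection lookup
# against the Connection Broker depends on.

$BrokerFqdn   = 'CORPRDCBP11.domain.com'               # placeholder: the broker's real FQDN
$PermittedIPs = @('10.64.14.139', '10.64.14.140')      # destinations allowed in Web-DMZ-acl
$BrokerPort   = 5504                                   # RD Connection Broker, per the thread

# 1. DNS: which address will RDWeb actually connect to?
$resolved = Resolve-DnsName -Name $BrokerFqdn -Type A -ErrorAction Stop |
            Where-Object { $_.QueryType -eq 'A' } |
            Select-Object -ExpandProperty IPAddress
"Resolved $BrokerFqdn -> $($resolved -join ', ')"

# 2. Does the resolved address match what the firewall permits? The ACL above only
#    allows the VIPs; if DNS hands back the broker's real address the rule never matches
#    (which is also why every ACE shows hitcnt=0).
foreach ($ip in $resolved) {
    if ($PermittedIPs -notcontains $ip) {
        Write-Warning "$ip is not in the firewall's permitted destination list ($($PermittedIPs -join ', '))"
    }
}

# 3. Reachability on the broker port from this host. TcpTestSucceeded = False with a
#    resolvable name means the packet is being dropped in transit (firewall or routing),
#    not a DNS problem. Add any further ports from the KB linked above the same way.
foreach ($ip in $resolved) {
    $t = Test-NetConnection -ComputerName $ip -Port $BrokerPort -WarningAction SilentlyContinue
    [pscustomobject]@{ Target = $ip; Port = $BrokerPort; TcpReachable = $t.TcpTestSucceeded }
}

# 4. Recent warnings/errors from the Remote Desktop logs on this server, for the event
#    Cliff expects RDWA to log when it cannot query the broker. Level 1-3 = Critical/Error/Warning.
Get-WinEvent -ListLog '*TerminalServices*', '*RemoteDesktop*' -ErrorAction SilentlyContinue |
    Where-Object { $_.RecordCount -gt 0 } |
    ForEach-Object { Get-WinEvent -LogName $_.LogName -MaxEvents 25 -ErrorAction SilentlyContinue } |
    Where-Object { $_.Level -le 3 } |
    Sort-Object TimeCreated -Descending |
    Select-Object TimeCreated, LogName, Id, Message |
    Format-Table -Wrap
```

The point of step 2 is that a firewall rule written for a load-balancer VIP is only useful if the name the application resolves points at that VIP; checking the resolved address against the permitted list catches that mismatch before you start adding more ports.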
Windows Server 2012
Question has a verified solution.