RemoteApps not working after DC migration

Ok so over this week I removed my last 2008 DC and moved to 2012 R2, everything went as planned no errors or anything.  However today my remote users aren't able to access their published RemoteApps. They can browse to the gateway authenticate fine and see their apps, but when they try to open them 2 odd things happened. It times out and prompts them for their user, then just keeps doing that to no avail.

2 other clues as to what it may be. They also get a prompt to trust the certificate, which they shouldn't as the rds deployment uses a properly signed one, and this had been working fine for 6 months now. The other oddity is my CiscoAnyConnect won't authenticate to the LDAP properly either. If i add them as a AAA local user they can vpn then they can log in, but they've never had to VPN to access this before the DC change.

Any ideas?
Who is Participating?
I wear a lot of hats...

"The solutions and answers provided on Experts Exchange have been extremely helpful to me over the last few years. I wear a lot of hats - Developer, Database Administrator, Help Desk, etc., so I know a lot of things but not a lot about one thing. Experts Exchange gives me answers from people who do know a lot about one thing, in a easy to use platform." -Todd S.

bhiebAuthor Commented:
Could be the cert warning is normal, I think I may have just checked trust. Here is a screen shot. To me it screams somethings up with the ldap authentication since both this and the ASA started failing.

bhiebAuthor Commented:
I think I might be narrowing in on it. I fixed the VPN issue. The other thing I did this week was to move the built in domain admin account (administrator) to its own OU. That is what broke AnyConnect as the ldap connection string didn't have the right OU.

Is there something in RDS that would care as well? I can't imagine so. FYI I've tried with and without the firewall on, and no luck. Also looked at the asa logs and that all seems normal. Something in the RDS deployment is just not aware of the new DC stuff and/or the administrator move.
Philip ElderTechnical Architect - HA/Compute/StorageCommented:
DNS 0 and 1 on the RDS Broker/Gateway/RDWeb/RD Session Host(s) are pointing to the new DC/DNS servers?

IPConfig /FlushDNS from an elevated command prompt on all RDS systems after verifying they are pointing to the correct DNS servers.
Your Guide to Achieving IT Business Success

The IT Service Excellence Tool Kit has best practices to keep your clients happy and business booming. Inside, you’ll find everything you need to increase client satisfaction and retention, become more competitive, and increase your overall success.

Peter HutchisonSenior Network Systems SpecialistCommented:
Also check Remote Desktop Licensing.
Moving the built in Administrator account is not a good idea, and you should use a specific ldap account for LDAP, NOT the administrator account.
bhiebAuthor Commented:
Philip, No luck even went as far as restarting the License, gateway, broker and session servers after the flush on all 3. The really weird part to me is that it authenticates fine to list their work resources, it is only when they launch them that it fails.

Peter, I did change the ldap user when i fixed the ASA, plus ldap shouldn't be the issue with RDS. As far as to move it or not, I've read conflicting posts, of course MS says you should disable it and never use it unless it is a disaster recovery scenario (as well as frankly a bunch of GPO stuff to be sure it can't be used). 

Since I'm a one man shop I've used it more than I should and that was already on my road map to rectify this year.
bhiebAuthor Commented:
The other odd part is that it does work IF they VPN first, that wasn't the behavior before the DC upgrade. Part of my goal with moving to RemoteApps was to eliminate the need for VPN and secure it using RDS.

Also just to be sure I moved the Administrator account back restarted the servers still no luck.
Philip ElderTechnical Architect - HA/Compute/StorageCommented:
Are you using Single Sign-On (SSO) in Group Policy? Did the Group Policy setup get modified or tweaked somehow during the DC migration?

Make sure the IIS setting for DefaultTSGateway is set on the broker.
bhiebAuthor Commented:
There is no value there, what value should be there the internal name for the RD gateway or the external?
bhiebAuthor Commented:
no SSO
Philip ElderTechnical Architect - HA/Compute/StorageCommented:
It should be that users will connect to both externally and internally.

Set up the in DNS and set the IP to the broker. That allows users to connect internally and externally.

If internal users are using RemoteApps then set up SSO. Why have them authenticate when they don't have to?
bhiebAuthor Commented:
I tried both internal and external, no luck. As well as IP and name for the server they are connecting to.  I haven't deployed to internal yet as they usually just have a full install of the app so SSO hasn't been needed yet.
Philip ElderTechnical Architect - HA/Compute/StorageCommented:
Look for the RDS specific Event Logs on the Broker. What do they say? There should be some specific errors or warnings.
bhiebAuthor Commented:
The only log i see with any activity is here %SystemRoot%\System32\Winevt\Logs\Microsoft-Windows-RemoteDesktopServices-RdpCoreTS%4Admin.evtx. Cleared it tried to connect, no unusual messages.
Philip ElderTechnical Architect - HA/Compute/StorageCommented:
Check the Session Hosts' logs.
bhiebAuthor Commented:
yah just finished doing that and the client logs, nothing.
Philip ElderTechnical Architect - HA/Compute/StorageCommented:
The initial prompt looks normal.

Is there a Group Policy setting in place to force the Session Hosts to prompt for passwords always?

We've dealt with dropped RemoteApp problems in the past. Some were due to network routing issues like improper IIS setting (DefaultTSGateway), DNS not configured correctly. Gateway on the RDS server's NIC set incorrectly, and sometimes a misbehaving DC.

Is Replication on the DCs working as expected? FSMO Roles are where they belong and recognized by all DCs on the domain?
bhiebAuthor Commented:
No RDS specific policies, the servers are all in one OU the only policy is the disable shutdown tracker.

I agree that it is likely the change in DC that messed this up, although it is likely not the dc itself rather some rds deployment component still looking for the old dc's.

Replication status tool is all clear and the FSMO rules where all transferred and reporting correctly as DC1. Netdom query dc and netdom query fsmo all look good. repadmin /showrepl is all clear too.
bhiebAuthor Commented:
What really has me scratching my head is why it works when the VPN is connected.  It has to be something in the gateway or broker.
DonNetwork AdministratorCommented:
Are the remote users on windows 10 1709 ??

Does it work if you uncheck printers under "Allow the remote computer to access the following...."  ??
bhiebAuthor Commented:
Nope, windows 7, and no luck with no printers option either.
DonNetwork AdministratorCommented:
Philip ElderTechnical Architect - HA/Compute/StorageCommented:
Three things:

1: Open Network Policy Server/Services on Broker: Right click root node and Register in AD
2: Check Resource Access Policies to make sure things are correct
3: Check Computer Access Policies to make sure things are correct
bhiebAuthor Commented:
We might be getting somewhere Philip, I've never had a reason to open those settings. I did re-register it, and rebooted it. But still no luck.

Regarding 2 and 3 what would be considered "correct" , I've uploaded some screenshots.
bhiebAuthor Commented:
I'm out for the weekend, I'll catch base back here Monday.
Philip ElderTechnical Architect - HA/Compute/StorageCommented:
What's with all of the Deny policies?

We set up a dedicated security group for RDS access since everyone is a member of Domain users and not all folks may need access. Doing this also makes a license audit go smoother.

We set up two resource policies:
Admins + RDS Users --> Domain Computers
Admins --> Domain Controllers

We don't make any further changes.

Experts Exchange Solution brought to you by

Your issues matter to us.

Facing a tech roadblock? Get the help and guidance you need from experienced professionals who care. Ask your question anytime, anywhere, with no hassle.

Start your 7-day free trial
bhiebAuthor Commented:
I've never even been in these pages so anything in here likely came from when I deployed the RDS roles via the 2012 wizard thing.

I do a similar thing, but not at this level at the license server I have RDS groups setup. then I further group limit it via the app deployments. so although it looks like all domain users could access the gateway they'd have no access to resources unless they were in the right group(s).
bhiebAuthor Commented:
No solution fixed the issue, but I've moved on. Needing a VPN connection to work, is not a big deal and adds a layer of security.
It's more than this solution.Get answers and train to solve all your tech problems - anytime, anywhere.Try it for free Edge Out The Competitionfor your dream job with proven skills and certifications.Get started today Stand Outas the employee with proven skills.Start learning today for free Move Your Career Forwardwith certification training in the latest technologies.Start your trial today
Windows Server 2012

From novice to tech pro — start learning today.