What is Terminal Services (Remote Desktop Services)
Beginning with Server 2008 R2, Terminal Services has been renamed Remote Desktop Services. RDS, as it is abbreviated, allows you to have a powerful server that all of your users connect to using Remote Desktop Protocol (RDP). You can think of it as a computer that many people log on to remotely at the same time, each with their own user session and desktop and unaware of the others. All of your apps are installed once and available for any user to run. The user can access the server remotely using the Remote Desktop Connection Manager included with Windows or, more often, from thin clients. In fact, they can connect from anything that implements the Remote Desktop Protocol. If you’re looking to save money and already own some old machines, you should look at Microsoft’s recently released operating system called Windows Thin PC, which essentially turns your machines into thin clients.
Things to watch out for:
- Application licensing: Not every application can be installed on a remote desktop server. A great example is Office 2010. If you want to install Office on an RDS server, you will need the volume license version, or you will not be able to install it.
- Client Access Licenses: Connecting to an RDS server also requires licenses in the form of CALs, per user or per device. This is what allows more than one user to connect remotely to the server. Although you still have to buy licenses, buying CALs is much cheaper than buying everyone a new Windows 7 license.
Note: The applications that you want to run on the Remote Desktop server do not need to be installed yet. They should only be installed after you install the Remote Desktop Session Host role.
Installing Remote Desktop Services
Open Server Manager, right-click Roles, and select Add Roles from the context menu.
Click Next on the Before You Begin page to display a list of roles that can be installed, select Remote Desktop Services, and click Next.
If you need to install your licenses, you can do so through the RD License Manager. However, you will need to activate the server first. I’m not going to go through it because it is self-explanatory.
This article provides guidelines to install and configure the Remote Desktop Session Host role service on a computer that is running Windows Server 2019, Windows Server 2016, or Windows Server 2012 R2 without the Remote Desktop Connection Broker role service installed.
Applies to: Windows Server 2019, Windows Server 2016, Windows Server 2012 R2
Original KB number: 2833839
When you create a standard deployment of Remote Desktop Services, the Remote Desktop Connection Broker role service provides access to the complete functionality of Remote Desktop Services. A configuration that does not use the RD Connection Broker role service provides desktop sessions to users based on the number of Remote Desktop Services client access licenses (RDS CALs) that are installed on the server. Such a configuration does not provide access to RemoteApp programs or the RDWeb website. Because a configuration without the RD Connection Broker role service does not provide access to all RDS functionality, you should use such a configuration only if there is no other option.
You can use the instructions in this article to configure RDS service by using a single server (either a member of a workgroup or a domain controller (DC)). If you have a separate DC, we recommend that you use the Standard Remote Desktop Services deployment wizard.
Configuring RDS on a workgroup server creates the following additional restrictions:
- You must use per-device licensing instead of per-user licensing. For more information, see License your RDS deployment with client access licenses (CALs).
- You must use Windows PowerShell to manage the RDS role services. This is because the Server Manager tools for RDS do not work. For more about using PowerShell cmdlets together with RDS, see Using Powershell to Install, Configure and Maintain RDS in Windows Server 2012.
For more information about the RDS roles, see Remote Desktop Services roles.
Process of deploying RDS service roles
The process of deploying RDS service roles on a single workgroup server or DC differs from that of deploying a standard RDS configuration on multiple computers.
Unless otherwise noted, these steps apply to both workgroup computer and DC cases.
If you are using a single computer as both the RDS server and as a DC, configure the computer as a DC before you begin installing the RDS roles. For more information about how to install Active Directory Domain Services (AD DS) and configure the computer as a DC in Windows Server 2016 or Windows Server 2012, see Install Active Directory Domain Services (Level 100).
On the workgroup computer or DC, install the Remote Desktop Licensing role service and the Remote Desktop Session Host role service. To do this, follow these steps:
- Open Server Manager.
- Click Manage and select Add Roles and Features.
- Select Role-based or Feature-based installation.
- Select the computer as the destination server.
- On the Select server roles page, select Remote Desktop Services.
- On the Select role services page, select the Remote Desktop Licensing and Remote Desktop Session Host role services.
- Continue the installation. Select default values for the remaining settings.
DC step: Open Remote Desktop Licensing Manager, right-click the server, and then select Review Configuration.
Select Add to group.
If you have to manage group memberships manually, the Terminal Server License Servers group is located in the Built-in container in Active Directory Users and Computers.
Restart the Remote Desktop Services service.
Use one of the following methods to activate the RDS license server:
- To activate a Windows Server 2012 RDS license server, see Test Lab Guide: Remote Desktop Licensing.
- To activate a Windows Server 2016 RDS license server, see Activate the Remote Desktop Services license server.
Install the appropriate RDS CALs.
If you are using a workgroup server, you must use per-device CALs. For more information, see License your RDS deployment with client access licenses (CALs). For more information about how to install RDS CALs, see Install Remote Desktop Services Client Access Licenses.
Add the users that you want to allow to connect to the Remote Desktop Users group. To do this, use the following tools:
- To find the Remote Desktop Users group on a DC, open Active Directory Users and Computers and navigate to the Builtin container.
- To find the Remote Desktop Users group on a workgroup server, open Computer Management and then navigate to Local Users and Groups\Groups.
Change the local policy of the computer to add your remote desktop users to the Allow log on through Remote Desktop Services local policy object. To do this, follow these steps:
- Open Local Security Policy.
- Navigate to Computer Configuration\Windows Settings\Security Settings\Local Policies\User Rights Assignment.
- Double-click Allow log on through Remote Desktop Services, and then select Add User or Group.
- Type Remote Desktop Users (or the user names of each user account that you want to add, separated by semicolons), and then select OK two times.
Configure the Remote Desktop Session Host role service to use the local RDS license server.
Before you begin this procedure, make sure that the RDS license server is activated.
To do this, follow these steps:
Open an elevated Windows PowerShell Command Prompt window.
Run the following command:
To set the licensing mode, run the following command:
In this command,
Run the following command:
To verify the settings, run the following command:
You should see the RDS licensing server name in the output. After you finish this step, users can start remote desktop sessions by using any supported RDS client.
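The licensing configuration described above, as an added example that is not taken from the original article: it uses the `Win32_TerminalServiceSetting` WMI class to set the licensing mode, point the session host at the license server, and verify the result. It assumes an elevated session on the RD Session Host itself; the default license server name (the local computer) and the parameter names are assumptions of this example.

```powershell
# Added example, not from the original article.
# Assumptions: runs elevated on the RD Session Host; the license server is
# the local computer unless another name is passed in.
param(
    [string]$LicenseServer = $env:COMPUTERNAME,
    [ValidateSet('PerDevice', 'PerUser')]
    [string]$Mode = 'PerDevice'
)

$ErrorActionPreference = 'Stop'

# Licensing mode values accepted by Win32_TerminalServiceSetting.ChangeMode:
# 2 = Per Device, 4 = Per User.
$modeValue = @{ PerDevice = 2; PerUser = 4 }[$Mode]

# A workgroup server must use per-device CALs, so refuse per-user mode there.
$computer = Get-WmiObject -Class Win32_ComputerSystem
if (-not $computer.PartOfDomain -and $Mode -ne 'PerDevice') {
    throw 'This computer is in a workgroup: per-device licensing is required.'
}

$namespace = 'root/CIMV2/TerminalServices'
$ts = Get-WmiObject -Namespace $namespace -Class Win32_TerminalServiceSetting

# Set the licensing mode.
$result = $ts.ChangeMode($modeValue)
if ($result.ReturnValue -ne 0) {
    throw "ChangeMode failed with return value $($result.ReturnValue)."
}

# Point the session host at the license server.
$result = $ts.SetSpecifiedLicenseServerList($LicenseServer)
if ($result.ReturnValue -ne 0) {
    throw "SetSpecifiedLicenseServerList failed with return value $($result.ReturnValue)."
}

# Verify: re-read the instance and list the configured license servers.
$ts = Get-WmiObject -Namespace $namespace -Class Win32_TerminalServiceSetting
$servers = @($ts.GetSpecifiedLicenseServerList().SpecifiedLSList)

[pscustomobject]@{
    LicensingType  = $ts.LicensingType
    LicenseServers = $servers -join ', '
}

if ($servers -notcontains $LicenseServer) {
    throw "License server '$LicenseServer' is not in the configured list."
}
```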
DC step: To enable printer redirection to function correctly on a DC that is acting as the RDSH host, follow these additional steps.
Remote Desktop Services (RDS) is one of the roles that a Windows Server can have. You must install this role to set up an RDS host that runs Windows Server 2008 R2.
- Verify that the RDS host is running Windows Server 2008 R2 Service Pack 1 (SP1).
- Verify that the RDS host is part of the Active Directory domain for the Horizon 7 deployment.
- Install the Microsoft hotfix rollup that is documented in http://support.microsoft.com/kb/2775511.
- Install the Microsoft update https://support.microsoft.com/en-us/kb/2973201.
- Log in to the RDS host as an administrator.
- Start Server Manager.
- Select Roles in the navigation tree.
- Click Add Roles to start the Add Role wizard.
- Select the role Remote Desktop Services.
- On the Select Role Services page, select Remote Desktop Session Host.
- On the Specify Authentication Method page, select either Require Network Level Authentication or Do not require Network Level Authentication, whichever is appropriate.
- On the Configure Client Experience page, select the functionality that you want to provide to users.
- Follow the prompts and finish the installation.
What to do next
If you plan to use HTML Access or scanner redirection, install the Desktop Experience feature. The steps for installing Desktop Experience differ on Windows Server 2008 R2 and Windows Server 2012 or 2012 R2.
Restrict users to a single desktop session. See Restrict Users to a Single Session.
Configuring Windows 2008 R2 Remote Desktop Farm with Connection Broker
In my previous article about Windows 2008 R2 Remote Desktop Services (RDS) I set up a single server with the RD Session Host and Web Access roles. Now I will expand on this and add an additional Session Host/Web Access server to create an RDS server farm for redundancy. I will use the RD Connection Broker role to provide session reconnection and load balancing features. Both of my RD servers are members of an Active Directory domain. This is a requirement for using the Connection Broker role.
Install RD Connection Broker Role
The Connection Broker role can be installed on a separate server or on one of your Session Hosts. For the highest reliability and in larger environments I would recommend installing the Connection Broker on a separate server. That way you can bring down either of your Session Hosts for maintenance while ensuring that the Connection Broker service is available for the remaining server(s). I will be installing the Connection Broker role on a server that was previously configured with the RD Licensing role. In this example my Session Host/Web Access servers are named RD1 and RD2, and my Connection Broker is named DC2. All of the configuration will be done using a Domain Administrator account.
Go into Server Manager.
In the left pane highlight Roles, then on the right under Role Services select “Add Role Services”.
Check Remote Desktop Connection Broker, then click Next.
Click Install at the confirmation, then click Close once the install completes.
Install RD Session Host and Web Access Roles on Second Server
On the second Session Host/Web Access server follow the steps in the article Installing and Configuring Remote Desktop Services under the section “Install Remote Desktop Session Host and Web Access Roles”.
Add Web Access and Connection Broker Servers to TS Web Access Group on Session Host Servers (RD1 & RD2)
Now on both Session Host servers we’ll need to make sure that our Web Access and Connection Broker servers are included in the TS Web Access Computers group. Since the Session Host/Web Access servers are dual role, I’ll specify both itself and the other server in the pair. Doing this will allow both Web Access servers to enumerate all of the applications published on your RDS farm.
On each of your RD Session Hosts go to Start > Administrative Tools > Computer Management.
Open Local Users and Groups and select the Groups sub-folder on the left, then double click the “TS Web Access Computers” group in the center.
Click Object Types.
To allow us to add computers to the group we need to check Computers in the Object Types and click OK.
Now in the “Enter the object names to select” field type the names of your RD Web Access and Connection Broker servers. Specify the names of each separated by a semicolon. Click Check Names to verify the names you entered, then click OK.
Click OK back at the TS Web Access Computers properties dialog box. Be sure to repeat the section above on all of your Session Hosts.
Hello everyone! This is a quick blog post that provides information on how to register a TLS certificate with Remote Desktop Services (RDS).
Starting with Windows Server 2008 R2, it became extremely easy to deploy RDS certificates from a private CA to AD hosts using group policies and Microsoft CA. Since then, RDS over TLS should be a baseline configuration in any Active Directory environment. If for some reason a certificate is not configured using GPO, an autogenerated self-signed certificate is used, which raises warning dialogs for connecting users. With GPO, you don’t have to care about certificate lifecycle management (such as installation, configuration, renewal) and everything works without warning dialogs popping up, because GPO certificates are issued by a centrally managed enterprise CA.
However, it is not always possible to use GPO. The RDS certificate GPO is simple to configure, and this limits the available settings:
- certificate is issued against RDS host name only
- requires that all connecting clients trust enterprise CA certificate
There are legitimate scenarios when administrators need a custom certificate, possibly with additional names included in the Subject Alternative Names (SAN) certificate extension, or need to use a 3rd party CA. Prior to Windows Server 2012 you could install a 3rd party certificate and associate it with Remote Desktop Services using the Remote Desktop Session Host Configuration MMC snap-in:
This MMC snap-in was removed in Windows Server 2012 and subsequent OS versions and was never available on client operating systems. This makes configuring RDS to use a custom certificate installed in the certificate store a bit complicated. Fortunately, it can be automated using the WMI Win32_TSGeneralSetting class as follows:
The first line retrieves the path to the RDS connection. By default, it is “RDP-tcp”. Specify a custom RDS connection name if a non-default connection must be configured. In the second line, specify the TLS certificate SHA1 thumbprint. It must be a string of exactly 40 hexadecimal characters without spaces and control characters. For example, “09d1a73113ceeae873d005a80e62699aa2d0bf05”. You don’t need to restart anything; the setting is applied immediately to any new connection. Existing connections are not affected. This script can be used on client operating systems as well.
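One way to apply the WMI approach described above with the checks a defender would want before binding a certificate (added example, not the blog author's script). The function name `Set-RdsListenerCertificate` and its parameters are hypothetical; it assumes the certificate is already installed in the computer's Personal store and that the session is elevated.

```powershell
# Added example, not the blog author's script.
# Assumptions: elevated session; certificate already installed in
# Cert:\LocalMachine\My; function and parameter names are hypothetical.
function Set-RdsListenerCertificate {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory = $true)][string]$Thumbprint,
        [string]$TerminalName = 'RDP-tcp'   # default RDS connection name
    )

    # Thumbprints copied from the certificate dialog often carry spaces or an
    # invisible leading character, so keep only hexadecimal digits.
    $hash = ($Thumbprint -replace '[^0-9A-Fa-f]', '').ToUpperInvariant()
    if ($hash.Length -ne 40) {
        throw "Expected 40 hexadecimal characters, got $($hash.Length)."
    }

    # The certificate must exist in the computer store with its private key.
    $cert = Get-Item -Path "Cert:\LocalMachine\My\$hash" -ErrorAction Stop
    if (-not $cert.HasPrivateKey) {
        throw "Certificate $hash has no private key on this computer."
    }

    # Reject certificates outside their validity period.
    $now = Get-Date
    if ($now -lt $cert.NotBefore -or $now -gt $cert.NotAfter) {
        throw "Certificate $hash is not valid at $now."
    }

    # If an Enhanced Key Usage extension is present, it must allow
    # Server Authentication (OID 1.3.6.1.5.5.7.3.1).
    $ekuType = [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]
    $eku = $cert.Extensions | Where-Object { $_ -is $ekuType }
    if ($eku) {
        $oids = @($eku.EnhancedKeyUsages | ForEach-Object { $_.Value })
        if ($oids -notcontains '1.3.6.1.5.5.7.3.1') {
            throw "Certificate $hash does not allow Server Authentication."
        }
    }

    # Locate the RDS connection and write the thumbprint.
    $namespace = 'root\cimv2\terminalservices'
    $filter = "TerminalName='$TerminalName'"
    $listener = Get-WmiObject -Class Win32_TSGeneralSetting -Namespace $namespace -Filter $filter
    if (-not $listener) {
        throw "RDS connection '$TerminalName' was not found."
    }
    Set-WmiInstance -Path $listener.__PATH -Arguments @{ SSLCertificateSHA1Hash = $hash } | Out-Null

    # Read the setting back to confirm what new connections will present.
    $current = (Get-WmiObject -Class Win32_TSGeneralSetting -Namespace $namespace -Filter $filter).SSLCertificateSHA1Hash
    if ($current -ne $hash) {
        throw "Listener reports thumbprint '$current' instead of '$hash'."
    }

    [pscustomobject]@{
        TerminalName = $TerminalName
        Thumbprint   = $current
        Subject      = $cert.Subject
        NotAfter     = $cert.NotAfter
    }
}

# Usage (placeholder thumbprint):
# Set-RdsListenerCertificate -Thumbprint '<40-hex-character thumbprint>'
```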
Microsoft Windows Terminal Server is a core component of Windows Desktop products and Microsoft Windows Server that allows remote computers to connect to a Windows operating system computer using a remote terminal session. With the remote terminal session, remote computers can run applications on the remote machine and run multiple remote connections independently of each other.
Microsoft introduced this concept by releasing Terminal Services as a part of the Windows Server operating system. Terminal Services was an integral part of Windows Server OS editions beginning with Windows NT 4.0. With the release of Windows Server 2008 R2, Terminal Services was renamed Remote Desktop Services (RDS). Before implementing this technology, it is essential to know what a Terminal Server is, how it works and why you should use one.
Why Use Terminal Server?
Terminal Server (now known as Remote Desktop Session Host) is popular because it enables businesses to centrally host applications and resources and publish them to remote client devices, regardless of the location and platform of the end-user device. A Terminal Server provides multiple benefits.
- Provide end-users with access to company resources from anywhere and from any device.
- Facilitate a single point of maintenance and allow you to monitor the infrastructure from a central dashboard.
- Applications are installed once and regularly updated on the server, so there is no need to install or update a program on each machine in the network.
- With concurrent licenses instead of per-device ones, businesses can reduce licensing costs, and thin clients allow businesses to optimize costs and power savings for a better ROI.
- The lifespan of desktop hardware is extended, and network security is significantly improved.
What is Terminal Server Architecture?
It is also important to understand the Terminal Server architecture which consists of three crucial components:
- A multi-core server where resources are centrally hosted.
- A remote desktop protocol that enables data transmission between the server and the client.
- Client software on each remote client device. This client program allows the device to connect to the server via Remote Desktop Protocol (RDP).
In addition, there is the Terminal Services Licensing Service, which provides the server with the TS CAL licenses for devices to connect to it. The sessions list is saved in the Sessions Directory Service. This list is indexed by username, allowing the user to reconnect to the same server.
What is Terminal Server Licensing?
Each user/device connecting to the TS server should have an RDS CAL. The terminal server licensing role is installed on an RDS license server. The role of this TS licensing server is to store and track all RDS CALs installed for a group of servers. A single licensing server can serve multiple TS servers. The license server should be activated to provide permanent RDS CALs; otherwise, it issues temporary RDS CALs. It is important to know what terminal server licensing is to estimate costs.
To deliver virtual desktops and applications to remote users, terminal services use the RDP protocol. It works on TCP/IP and listens on port 3389. The RDP protocol was improved to provide a rich graphical experience to end-users. The new version, RemoteFX, was introduced in Windows Server 2008 R2 SP1. Using RemoteFX technology, businesses can seamlessly deliver graphic-intensive applications such as AutoCAD and the Adobe Suite to remote client devices.
Terminal Services Use Cases
Let’s say, for instance, that a company has a geographically dispersed network of 1,000 users connected over WAN. The company develops a new application which is to be used by all employees. The application is not web-based, and employees work from different locations. The company has to provide access to that application for every user/device. Terminal services are an excellent solution to this issue. With one server, a TS server OS license, TS licensing server, and RDS CALs for each user/device, you can set up a Terminal Services environment to centrally host applications and deliver them to remote client devices with ease.
Parallels RAS Enhances Terminal Server
Many businesses still use a Windows OS, but there are several challenges associated with the terminal server setup. While the complexity of installing and configuring multiple components is the primary challenge, the cost of RDS CALs is another burden. Secondly, a Terminal Services environment only supports Windows and Mac environments. Parallels® Remote Application Server (RAS) allows you to use the Terminal Services or RDSH environment while eliminating its limitations. Parallels RAS is easy to install and manage. By using a simple wizard, you can set up the tool in five minutes. Secondly, all the virtualization components come auto-configured out of the box. Another important advantage of Parallels RAS is the support of a range of client devices, including iOS, Android and Chromebooks. Most importantly, Parallels RAS is cost-effective and reduces the total cost of ownership (TCO).
How to install an SSL Certificate on Remote Desktop Services
This step by step guide will show you how to install an SSL Certificate on Remote Desktop Services (RDS). You will also learn a few interesting facts about RDS, and discover the best place to shop for any type of SSL Certificates. If you still haven’t generated your CSR (Certificate Signing Request) and passed the SSL authentication, refer to the CSR Generation tutorials in the first part of this guide.
Generate a CSR Code for Remote Desktop Services
When applying for an SSL Certificate, you must generate a CSR code and submit it to the CA. The CSR includes contact details about your website or company. Depending on the version of your Remote Desktop Gateway Server, you can create the CSR in the same release of IIS. Microsoft IIS server comes pre-installed with every version of Windows.
For instance, if you use RDS 2016, you will generate your CSR in IIS 10 which is included in Windows Server 2016.
We’ve already written comprehensive guides on how to generate a CSR code on various IIS versions (for RDS 2008, RDS 2012 and RDS 2016).
After you create your CSR and complete the SSL validation, the CA will send all the necessary certificate files to your inbox. You can now proceed to SSL installation.
Install an SSL Certificate on Remote Desktop Services
Before beginning the installation, make sure you have all the required SSL files.
- Your server certificate: this is your SSL certificate with the .cer or .crt extension. You need to extract it from the ZIP archive that you’ve received from your CA and save it on your device.
- Your intermediate certificates: this is the .ca-bundle file from your ZIP archive.
- Your private key: this is the .key file. You’ve generated it along with your CSR code.
- To access the Remote Desktop Gateway Manager, click Start > Administrative Tools > Remote Desktop Services > Remote Desktop Gateway Manager
- In the Remote Desktop Gateway Manager Console tree, right click on RD Gateway Server and then select Properties
- Next, click on the SSL Certificate tab, and then on Import a certificate on the RD Gateway Certificates (local computer)/personal store
- Click on Browse and import certificate
- Locate your SSL Certificate and click Open
- Enter the password that you’ve created for your Private Key
- Click on Import Certificate and then OK
- Restart your server for changes to take effect.
Congratulations, now you know how to install an SSL Certificate on Remote Desktop Services.
Test your SSL Installation
After you install the SSL Certificate on RDS, type your URL in your browser’s address bar to check the SSL padlock and certificate information. Even if everything displays correctly, we recommend doing a thorough test of your SSL configuration that’ll pinpoint potential hidden errors and vulnerabilities. These powerful SSL tools deliver instant scans and reports on the state of your SSL Certificate.
Remote Desktop Gateway history and versions
Remote Desktop Services (RDS) is one of the components of Microsoft Windows that allow users to access a remote computer or virtual machine over a network connection. RDS was known as Terminal Server until Microsoft renamed it in 2009 and introduced the first RDS version in Windows Server 2008 R2.
Remote Desktop Gateway allows authorized users to connect to virtual desktops, Remote-App programs, and session-based desktops over a private network or the Internet. At the moment of writing this article, there are 4 versions of Remote Desktop Gateway:
- Remote Desktop Gateway 2019
- Remote Desktop Gateway 2016
- Remote Desktop Gateway 2012
- Remote Desktop Gateway 2008
Where to buy an SSL Certificate for Remote Desktop Services?
If you’re looking for affordable SSL Certificates, then SSL Dragon is your best SSL vendor. Our intuitive and user-friendly website will walk you through the entire range of SSL Certificates. All our products are issued by reputable Certificate Authorities and are compatible with Remote Desktop Services. We offer the following SSL validation types:
We bring you the lowest prices on the market and dedicated customer support for any certificate you choose. And, if you’re struggling to find the ideal cert for your website, use our SSL Wizard and Advanced Certificate Filter tools to get suggestions.
I’m looking for some ideas on how to disconnect, logoff, or reset a user’s session in a 2008 Terminal Server (unable to login as the user either as it is completely locked-up). This is a production environment, so rebooting the server or doing something system-wide is out of the question for now. Any Powershell tricks to help us with this?
We’ve tried to disconnect, log the user off and reset the session as well as killing the session’s processes too, directly from the same terminal server (from the task manager, Terminal Services Manager and the Resource Monitor) with no results.
UPDATE: We ended up rebooting the server as no other attempts that we could think of worked. I’ll leave this question open hoping someone might have more information about this one issue, and its potential fixes.
24 Answers
What worked for me to resolve this same issue was to kill off all the processes running under the locked account from under Task Manager and then I was able to simply log off that account (from an Administrator account).
The user was then able to log back on under the account.
No reboot was necessary and no third party software needed to be downloaded.
I want to share how I reset the account without the need to reboot the server. First of all you need to have administrator access to the server. I use the following logon option: mstsc /v:servername /console /admin in order to access the server. Then in “Windows Task Manager”, go to the Users tab and proceed to do a right click over the account that you want to “Log Off”, select log off. This should free the locked session used by that account.
The simple answer is to run an elevated command prompt and type “Taskmgr” and then it will allow you to logoff the sessions under the USERS tab. It will not work without being in the elevated session.
You can start a cmd, do a query session, check the id of the session to be killed and then do a reset session. For instance, if with query session you get that the session name rdp-tcp#1 is the one you want to kill, then you can execute reset session rdp-tcp#1 and get it killed.
I suppose the same happened today on my Win2008R2 Terminal Server. Symptoms were:
1. He phoned me with “‘connecting’ message just hangs forever”. He’s just a simple user so I can’t expect detailed problem description.
2. Tried logging off/resetting session (which usually helps in these cases) – did not work. The session still hangs in the list with ‘disconnected’ status.
3. Tried killing all processes for that user – did not help. Session persists and refuses to get killed.
Solution was – connect as user (login with his credentials if you can reset his password or use some kind of remote assistance to see what happens on his computer) and see what happens in logon window. When connecting I clicked on RDP Client’s ‘details’ button – and here it was, an error message that winlogon did something wrong, it was waiting for user to click on ‘retry/ignore/etc’ buttons and since it’s the omnipotent winlogon it caused all that weird behavior.
A Remote Desktop Gateway server is a Windows 2008R2 server which is typically located in a corporate or private network. It acts as the gateway through which RDP connections from an external network pass to access a Remote Desktop server (Terminal Server) located on the corporate or private network. The external network is usually the internet. (In Windows 2008, it is known as TS Gateway or Terminal Services Gateway.)
Why Not Just Connect to the Remote Desktop Server or Terminal Servers Directly From the Internet?
Remote Desktop Servers typically use port 3389. To enable Remote Desktop Servers to be accessed over the internet, you must enable/forward TCP Port 3389 to the Remote Desktop Server. If you have more RD servers than you have internet IP addresses, you will have to start port forwarding other ports to the other RD Servers, i.e. forward TCP Port 3390 on your firewall to Port 3389 on your second RD Server, forward TCP Port 3391 to Port 3389 on your third RD server and so on.
This can be quite confusing for clients because they have to remember what port to connect to.
With Remote Desktop Gateway installed, you can give your clients the address or DNS name of the gateway server. Give them the name or private IP address of the Remote Desktop server that you want your client to connect to. It doesn’t matter that the name of the RD Server is not resolvable on the internet or the IP address is from a private range. As long as the RD Gateway can resolve the name, and the appropriate rights are given to the user credentials which your clients are using, they can connect to the Remote Desktop Server.
You can create groupings of servers and allow only certain Windows users or groups access to particular servers.
The Microsoft Remote Desktop Services (RDS) architecture is widely used to publish centralized Desktop and Windows Applications to users from remote sites. With RDS, only the software user interfaces are transferred to the client system. All input from the client system is transmitted to the server, where software execution takes place.
RDS was first released as “Terminal Server” in “Windows NT Server 4.0 Terminal Server Edition”. Starting with Windows 2000, it was an optional role.
Early releases only allowed connections through a single TCP port: 3389/TCP.
Windows Server 2008 introduced the Remote Desktop Gateway service component, also known as RD Gateway, which can tunnel the RDP session using an HTTPS channel, which is most suitable for Internet service publishing.
Early RDS versions could only share the whole Windows Desktop on a remote client. Beginning with Windows Server 2008 R2 and Windows XP, RDS can share single Applications.
Windows Server 2012 introduced session data streaming using a UDP flow: typically, on port 3389/UDP. This stateless data flow allows better performance via connections with a limited packet loss.
Windows Server 2016 introduced User Profile Disks to host users’ roaming profiles.
Modern RDS architecture can become very complex, with Roles hosted on several servers:
RDS User Interface Customization
The preferred way to access RDS services is through Web Access, either directly from internal LAN or remotely through the RD Gateway component which acts as a reverse proxy.
The default web interface shows the published Desktops and the Remote Applications.
Unfortunately, the user interface cannot be easily customized. But in any event, some interesting basic results can be achieved with just a few configuration changes such as:
Hiding the “Connect to a remote PC” tab.
This tab allows users to connect to a remote PC of their choice (almost useless, and always dangerous).
On the RD Web Access server, open Internet Information Services Manager (IIS Manager).
Expand the tree on the left and click Pages, then double-click Application Settings and select ShowDesktops. Notice its value is “true” by default, so click Edit and change it to “false”. This change is immediate, without the need to restart IIS.
The same IIS panel contains some other interesting values which can be customized:
PasswordChangeEnabled. Notice its value is “false” by default, so click Edit to change it to “true”. This will allow the user to change his password when it has expired.
PrivateModeSessionTimeoutInMinutes or PublicModeSessionTimeoutInMinutes.
Click Edit to change the default value to something you prefer, or to something that your organization enforces.
Unfortunately some other interesting customizations, such as setting a default Domain in the login panel, can only be done by editing some .aspx files!
The default login panel in fact expects the NT User Account format, e.g. Domain\user name.
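The settings above can be checked across servers without clicking through IIS Manager. The following is an added example, not part of the original article: it assumes the values sit in the `<appSettings>` section of the Pages application's web.config (where IIS Manager's Application Settings stores them), and the sample file and timeout limits are constructed for illustration.

```python
import xml.etree.ElementTree as ET

# Constructed sample of the <appSettings> section; the two boolean values are
# the defaults named in the text, the timeout values are sample numbers.
SAMPLE_WEB_CONFIG = """<configuration>
  <appSettings>
    <add key="PasswordChangeEnabled" value="false" />
    <add key="ShowDesktops" value="true" />
    <add key="PublicModeSessionTimeoutInMinutes" value="20" />
    <add key="PrivateModeSessionTimeoutInMinutes" value="240" />
  </appSettings>
</configuration>"""

# Hypothetical organisational limits in minutes (assumption, not from the page).
TIMEOUT_LIMITS = {
    "PublicModeSessionTimeoutInMinutes": 20,
    "PrivateModeSessionTimeoutInMinutes": 60,
}


def read_app_settings(xml_text):
    """Return {lower-cased key: value} for every <add> under <appSettings>."""
    root = ET.fromstring(xml_text)
    settings = {}
    for node in root.findall("./appSettings/add"):
        key, value = node.get("key"), node.get("value")
        if key is not None and value is not None:
            settings[key.lower()] = value.strip()
    return settings


def audit(settings):
    """Return a list of (setting, problem) tuples; an empty list means compliant."""
    findings = []
    # A missing key falls back to the default stated in the text.
    if settings.get("showdesktops", "true").lower() != "false":
        findings.append(("ShowDesktops", "'Connect to a remote PC' tab is shown"))
    if settings.get("passwordchangeenabled", "false").lower() != "true":
        findings.append(("PasswordChangeEnabled", "expired passwords cannot be changed"))
    for name, limit in TIMEOUT_LIMITS.items():
        raw = settings.get(name.lower())
        try:
            minutes = int(raw)
        except (TypeError, ValueError):
            findings.append((name, f"missing or not a number: {raw!r}"))
            continue
        if minutes <= 0 or minutes > limit:
            findings.append((name, f"{minutes} min is outside 1..{limit}"))
    return findings


if __name__ == "__main__":
    for name, problem in audit(read_app_settings(SAMPLE_WEB_CONFIG)):
        print(f"{name}: {problem}")
```

To audit a real server, pass the text of its web.config to `read_app_settings` instead of the constructed sample.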
Measuring RDS Performance
In a complex distributed RDS environment, it’s difficult to measure RDS performance: the end user typically experiences site responsiveness in a different way than measuring the single Windows Performance Counters!
The correct way to measure RDS performance is by simulating users’ operations: the Alyvix product is designed for just this task. It can repeat these tasks continuously, building metrics based on common users’ RDS tasks.
This way you can detect not only abnormal situations, but also bad long term trends.
For example, in the graph above you can see that RDS Desktop Ready time has increased by about 10 seconds over 8 days.
Create Firewall Rules in Windows 7 thru Windows Server 2012 R2
To allow RDP and ICMP traffic, you have to open the “Windows Firewall with Advanced Security” control panel applet. You can get there by typing “firewall” in the search box near the Start button and selecting it from the list (likely on top), or you can go through Control Panel.
Tested on: Windows 7, Windows 8, Windows Server 2018, Windows Server 2008 R2, Windows Server 2012, Windows Server 2012 R2
Start – Control Panel – System and Security – Windows Firewall – Advanced Settings
Note: You could also get to control panel from the Windows-X drop down menu
This will bring up the Windows Firewall with Advanced Security Screen.
Click on Inbound Rules
The easy way to allow Ping is to enable the existing ICMP rules.
Enable ICMP (PING) Existing Rule(s)
You could scroll down and select File and Printer Sharing (Echo Request – ICMPv4-in), then right-click and select Enable Rule. (Notice you will have one rule for each of multiple networks; you can enable only the Domain network rule if you are in a domain environment, or enable both if you want to allow it on private networks as well.)
Notice there are ICMPv4 and ICMPv6. If you are using (or plan on using) IPv6 on your network, I would encourage you to “enable” the IPv6 rules as well.
You could also create a rule from scratch, but if you do that the default action will be to enable all ICMP traffic instead of just echo requests. If you want to do that, create a new rule: click New Rule in the Actions pane (upper right corner), or right-click Inbound Rules and select New Rule. Select Custom, then All Programs, and for Protocol select ICMPv4. If you only want to allow echo requests, click Customize, select Specific ICMP Types and enable only Echo Request. Leave Scope at Any and leave Action at Allow the connection. For Profile, select the networks you want the rule enabled on (usually Domain) and turn off the ones you do not want (usually Public). Finally, on the Name page of the wizard, give it a name like “Allow Ping” and click Finish. If you scroll to the top of the inbound rules, you should see your new rule there.
Enable Remote Desktop (mstsc) Existing Rule
You could scroll down and select Remote Desktop (TCP-In), then right-click and select Enable Rule. (Notice you will have one rule for each of multiple networks; you can enable only the Domain network rule if you are in a domain environment, or enable both if you want to allow it on private networks as well.)
If you want to manually create your own rule, you would use the Predefined: Remote Desktop application or open the TCP Port 3389.
If you want to do Remote Administration on your Hyper-V Server you might also want to check out
If you have System Center Virtual Machine Manager (SCVMM) and you want to enable management of that the easy way to do it is to mount the SCVMM ISO or insert the DVD and run the client application. It can enable Hyper-V if needed and it can also setup all your firewall rules for you.
If your box is actually the SCVMM machine it is far more complicated. Check out SCVMM and Network Ports We Use for Communication
Having an issue with one user’s printers not mapping when connecting via RDP to a Windows Server 2008 R2 64-bit with Terminal Services. Here’s the scenario:
- Approximately 7 users connect via RDP to a Windows Server 2008 R2 64-bit server running Terminal Services
- Users connect via either Windows 7 or Windows XP SP3 workstations running latest RDP client
- All users connect via the same Organizational Unit and utilize the same Group Policy
- Users have 3 networked printers that their RDP client is setup to map:
- HP LaserJet 4250 PCL 6 (Default)
- HP LaserJet P4010_P4510 PCL 6
- Sharp MX-5001N PCL6
Not sure what steps to take at this point — any ideas?
1 Answer
Ensure that the Terminal Services Configuration (2003 R2 and 2008) and the Remote Desktop Services Configuration (2008 R2) allows for client printer mapping.
For Windows 2008: Click Start, Administrative Tools, Terminal Services, Terminal Services Configuration. On the left pane, select RD Session Host Configuration and then right-click RDP-Tcp within the Connections section of the right-hand pane, then select Properties. In the window that pops up, click the Client Settings tab and make sure that the box next to Windows Printer is UNCHECKED (read: a check in this box means printer mapping is DISABLED).
For Windows 2008 R2: Click Start, Administrative Tools, Remote Desktop Services, Remote Desktop Host Configuration. On the left pane, select RD Session Host Configuration and then right-click RDP-Tcp within the Connections section of the right-hand pane, then select Properties. In the window that pops up, click the Client Settings tab and make sure that the box next to Windows Printer is UNCHECKED (read: a check in this box means printer mapping is DISABLED).
For Windows 2003 R2: Click Start, Administrative Tools, Terminal Services Configuration. Select the Connections folder and right-click RDP-Tcp and select Properties. In the window that pops up, click the Client Settings tab and make sure that the box next to Windows Printer Mapping is UNCHECKED (read: a check in this box means printer mapping is DISABLED). Note: Rackspace no longer offers Cloud Servers with Windows 2003, but these instructions are here for legacy support purposes.
EDIT – I found my issue: Check your EVENT VIEWER – SYSTEM “Driver TOSHIBA Universal Printer required for printer !!cgy-dc1!Spa-Colour is unknown. Contact the administrator to install the driver before you log in again.”
This document describes the settings that must be made when ProCall is running in a remote desktop connection and audio/video communication is to be used over it.
This scenario has been tested with the following operating systems and is sometimes only supported with Windows Server 2012 R2 or newer:
- Windows Server 2012 R2
- Windows 8.1
- Windows 10
Via group policy (distributed or local) the option for redirection is enabled.
Terminal server group policy
On the terminal server (Remote Desktop Services), the redirections for audio must be configured or enabled.
To do this, open the group policy editor on the server and navigate to:
Computer Configuration\Administrative Templates\Windows Components\Remote Desktop Services\Remote Desktop Session Host\Device and Resource Redirection
Enable/disable the following settings:
- Do not allow video redirection
- Do not allow redirection for supported Plug & Play devices
- Allow redirection of audio and video playback
- Allow redirection of audio recording
Example screenshot: Device and Resource Redirection
Computer Configuration\Administrative Templates\Windows Components\Remote Desktop Services\Remote Desktop Session Host\Remote Session Environment
- RemoteFX coding for RemoteFX clients for Windows Server 2008 R2 SP1
Example screenshot: Local Group Policy Editor – Remote Session Environment
Computer Configuration\Administrative Templates\Windows Components\Remote Desktop Services\Remote Desktop Connection Host\Remote Session Environment\RemoteFX for Windows Server 2008R2
- Configure RemoteFX
Example screenshot: Local Group Policy Editor – RemoteFX
Client group policy
On the client (Remote Desktop Client) the redirection for locally connected USB devices (in this case the WebCam) must be enabled.
To do this, open the Local Group Policy Editor on the client and navigate to:
Computer Configuration\Administrative Templates\Windows Components\Remote Desktop Services\Remote Desktop Session Host\RemoteFX USB Device Redirection
- Allow RDP redirection for other supported RemoteFX USB devices on this computer
Example screenshot: Local Group Policy Editor RemoteFX USB Device Redirection
Note that updating group policies (when group policies become active) depends on several factors. You can find more details about this in the Microsoft documentation:
Remote Desktop Connection Settings
Local Resources >> Remote Audio >> Settings.
Local Resources >> Local Devices and Resources >> More.
“Other supported RemoteFX USB devices” must be available, but should not be enabled:
RDP client session configuration check
In Microsoft Windows Microphone Privacy Settings (Settings\Privacy\Microphone), enable the “Allow apps to access your microphone” option.
In Microsoft Windows Camera Privacy Settings (Settings\Privacy\Camera), enable the “Allow apps to access your camera” option.
The input and output devices selected in the client (Remote Desktop Client) operating system are available within the RDP session on the Terminal Server under Control Panel\All Control Panel Items\Device Manager as “Remote Audio”:
and can be selected in the ProCall Client Audio/Video Wizard under Microphone, Playback Device and Ring tone:
The next step is to select the camera:
Further technical notes
General operating instructions
Due to the lack of its own optimization options, estos cannot make a generally valid recommendation for softphone operation in the Microsoft Windows Terminal Server environment. The design and utilization of such a topology varies too much from customer to customer, so that the possibility of using ProCall softphones must only be verified on a customer-specific basis within the scope of intensive tests.
Prioritization of audio data
The audioqualitymode:i:1 or audioqualitymode:i:2 setting can be used to statically specify the audio quality in the RDP file at the local client, regardless of the available bandwidth.
Tests in the lab have shown that the audioqualitymode parameter cannot significantly improve audio quality when Terminal Services is under load. Compressing or reducing the audio packets using this parameter then has no significant effect on the delivery of the RTP packets to the UC Media Server. This means that the RTP packets are received with audible gaps at the Kurento and are thus also forwarded directly to the PBX.
Analysis of audio quality problems
For the analysis of the RTP data stream, a described Wireshark Trace of the Terminal Server and the UCServer (Media Server) as well as a network topology is required: Analysis of softphone behavior
If the analysis shows that data packets are delayed or sent irregularly on the network route or are even lost, no improvement can take place via ProCall, but must be further analyzed and remedied by the integrator in the environment.
I have a Terminal Server setup on Windows server 2008 R2.
I am trying to log in to it with RDP, using the local admin account. (Not the domain admin) I have placed the local admin in the remote desktop users group, but I am still getting the following message trying to log in:
To log on to this computer, you must be granted the Allow log on through Terminal Services right. By default, members of the Remote Desktop Users group have this right. If you are not a member of the Remote Desktop Users group that has this right, or if the Remote Desktop Users group does not have this right, you must be granted this manually.
Any help will be greatly appreciated.
I found a temporary solution; Installing LogMeIn, this logged me in to the local admin account, remotely without problems
- The server IS part of a domain.
- Domain users placed in RDP users group can successfully login without any problem.
- I have placed the local admin, inside the local RDP group. (And it is not working)
- The TS server is a ‘virgin’ system
- The AD/DNS are not ‘virgin’.
- There are NO restricted groups, yet.
- I am using \Administrator as a login (This avoids domain logins)
- Also tried Computername\Administrator and .\Administrator
- Domain functionality level is Windows Server 2008 R2
- Cannot alter group policy: “Allow log on through Remote Desktop Services” (the add button is greyed out) +
+: A following note on the group policy; It states that “This setting is not compatible with computers running Windows 2000 SP1 or earlier. Apply group policy objects containing this setting only to computers running a later version of the OS.”
Shadow keys have been around forever, since way before Terminal Services were renamed to Remote Desktop Services (does anybody use that name?). It seemed they would stay in the OS forever, too. Yet, when installing applications on Server 2008 R2 many people notice that the shadow key area does not get populated. Let us find out why that is the case and if shadow keys still work in Server 2008 R2.
A quick refresher on what I am talking about: badly written applications create the registry settings they need to run at install time and only for the user currently logged on. These are two capital sins that Microsoft tried to work around by creating shadow keys. The main idea is that writes to HKCU during setup are captured and replayed for every user logging on individually.
Terminal Servers operate in two modes: install and execute. In the wild old days one had to manually switch to install mode (using the command change user /install ) before every installation, but for a long time the operating system has been clever enough to do that on its own reliably enough.
If install mode is enabled for a session, any changes to HKEY_CURRENT_USER are mirrored to the shadow key areas HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Terminal Server\Install\Software (64-bit processes) and HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Terminal Server\Install\Software (32-bit processes).
In execute mode during logon, timestamps are compared to determine if application settings stored in HKLM need to be copied to HKCU. This happens for every application key individually.
To sum this up, shadow keys are a mechanism to distribute initial application configuration values to all users on a Terminal Server.
In order to find out if the shadow key functionality is still present in Server 2008 R2 I executed the following commands:
- change user /install
- reg add HKCU\Software\Test /v test /d "test"
- change user /execute
This adds a registry key “Test” with a value of “test” in install mode. I checked the shadow key areas mentioned above for the Test key and found – nothing. Looks like shadow keys are gone, right?
Then I tried something else:
- change user /install
- change user /execute
This runs the installer for Total Commander. The installer creates the key HKEY_CURRENT_USER\Software\Ghisler. I checked the shadow key areas for the Ghisler key and found – an exact copy of the key in HKCU. Apparently, shadow keys are still functional.
But why did my first experiment fail?
With the help of my new free tool IsTSAwareApp I found that reg.exe has the flag TSAWARE (i.e. a special bit in the header of the executable is enabled). This means that the developer of reg.exe says it is aware of terminal services. The installer for Total Commander, on the other hand, does not have the TSAWARE flag.
The conclusion is that shadow keys are enabled only if an executable is not marked as Terminal Services aware. To prove my conclusion I used the Visual C++ tool editbin to remove the TSAWARE flag from reg.exe – and, bingo, I could use the modified reg.exe to create shadow keys during install mode.
The reason why the shadow key areas in the registry are often empty today: most modern applications have the TSAWARE flag which tells the operating system they work correctly on Terminal Servers without crutches like shadow keys.
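The TSAWARE bit discussed above is the `IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE` flag (0x8000) in the `DllCharacteristics` field of the PE optional header. The following is an added example, not the author's IsTSAwareApp tool: it reads that field from an executable so you can tell in advance whether an installer's HKCU writes will be mirrored. The header builder produces constructed sample bytes, and all function names are hypothetical.

```python
import struct
import sys

IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE = 0x8000
OPTIONAL_HEADER_MAGICS = (0x10B, 0x20B)  # PE32, PE32+
DLLCHARACTERISTICS_OFFSET = 70           # same offset in both header layouts


class NotPEError(ValueError):
    """Raised when the bytes are not a parseable PE image."""


def read_dll_characteristics(data):
    """Return the 16-bit DllCharacteristics field of a PE image."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        raise NotPEError("missing MZ header")
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    if e_lfanew + 24 > len(data) or data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise NotPEError("missing PE signature")
    # COFF header follows the 4-byte signature; SizeOfOptionalHeader is at +20.
    (opt_size,) = struct.unpack_from("<H", data, e_lfanew + 20)
    opt = e_lfanew + 24
    if opt_size < DLLCHARACTERISTICS_OFFSET + 2 or opt + opt_size > len(data):
        raise NotPEError("optional header missing or truncated")
    (magic,) = struct.unpack_from("<H", data, opt)
    if magic not in OPTIONAL_HEADER_MAGICS:
        raise NotPEError(f"unknown optional header magic {magic:#x}")
    (flags,) = struct.unpack_from("<H", data, opt + DLLCHARACTERISTICS_OFFSET)
    return flags


def is_ts_aware(data):
    """True if the executable is marked Terminal Services aware."""
    flags = read_dll_characteristics(data)
    return bool(flags & IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE)


def shadow_keys_expected(data):
    """Per the article's conclusion, HKCU writes made in install mode are
    mirrored to the shadow key area only if the flag is absent."""
    return not is_ts_aware(data)


def build_sample_header(ts_aware, pe32_plus=False):
    """Constructed minimal PE header (no sections), for demonstration only."""
    dos = bytearray(0x40)
    dos[0:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)          # e_lfanew
    opt_size = 240 if pe32_plus else 224
    machine = 0x8664 if pe32_plus else 0x014C
    coff = struct.pack("<HHIIIHH", machine, 0, 0, 0, 0, opt_size, 0x0002)
    opt = bytearray(opt_size)
    struct.pack_into("<H", opt, 0, 0x20B if pe32_plus else 0x10B)
    flags = IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE if ts_aware else 0
    struct.pack_into("<H", opt, DLLCHARACTERISTICS_OFFSET, flags)
    return bytes(dos) + b"PE\0\0" + coff + bytes(opt)


if __name__ == "__main__":
    # Usage: python tsaware.py setup.exe [more.exe ...]
    for path in sys.argv[1:]:
        with open(path, "rb") as fh:
            head = fh.read(4096)  # headers sit at the start of the file
        try:
            verdict = "TSAWARE" if is_ts_aware(head) else "not TSAWARE (shadow keys apply)"
        except NotPEError as exc:
            verdict = f"not a PE file: {exc}"
        print(f"{path}: {verdict}")
```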
Is the shadow key functionality still present in Windows 8? I have bad news for some of you: nothing was changed. Shadow keys work the same way in Windows 8 (Beta) as in Server 2008 R2.
Windows Server 2008r2 and SQL Server 2008r2 End-of-Life End-of-Support coming soon
Windows Server 2008r2 and SQL Server 2008r2 will be END OF SUPPORT soon. This means no more security updates. SQL Server 2008/R2 supports ends July 2019 and Windows Server 2008R2 support ends January 2020. Contact us to migrate from Windows Server 2008r2 to 2016 at no charge!
Create RDP Shortcuts for users to login to Windows Server
Users can create a shortcut on their desktop to the Remote Desktop Connection Client on their local PC to make it easier to login to their remote server. The shortcut can include customization like enabling printer redirection, enabling clipboard (to copy and paste between the server and local PC), hard drive redirection and more. You […]
VDI, Desktop as a Service (DaaS), Hosted Desktop and Remote Desktop Hosting
Summary – Hosting desktops in the cloud goes by many names and can be setup in several methods depending on your needs. As you can see below, some setups can be costly from a Microsoft licensing perspective and some setups are better if you wish to share applications among users or alternatively have a completely […]
Hosted Remote Desktop Services RDS on Windows Server – Summary
RDS SUMMARY: We get many questions about Remote Desktop Services on our hosted Windows Servers and below is a summary of many of our blog posts, issues and links to helpful solutions and discussions. Most clients that use Remote Desktop Services (RDS) use full “desktop sessions” where each user has their own desktop session to […]
Remote Desktop Connection: An authentication error has occurred. The Local Security Authority cannot be contacted
Fixing login problems with Remote Desktop Services: If you are having issues logging into a Windows Server with Remote Desktop Services, below are some things to try. For example, some users have seen an error like this when trying to login “Remote Desktop Connection: An authentication error has occurred. The Local Security Authority cannot be […]
Microsoft Licensing – Volume Licensing versus SPLA Licensing costs
We can provide most Microsoft software licensing on a monthly basis through the SPLA program. These licenses are provided on a monthly basis and are easily provisioned. In some situations, you can use your own valid Microsoft volume licenses but there are numerous restrictions. For example, Microsoft Office does not have license mobility rights and […]
RemoteApp RDWeb website hosted on Windows Server 2008R2 does not work with Windows 10 Edge Browser
If you are using the RemoteApp RDWeb Access website feature (RDweb) in Windows Server 2008 R2 and have client/user PCs that have upgraded to Windows 10, read below. This does not apply if you are using full RDP desktop sessions to login and see a desktop which is what many/most people do – i.e. using RDP client […]
Does your hosting provider offer remote desktop services licensing?
Although hosting providers are generally required to provide the Windows Server operating system license via the SPLA program on hosted servers, very few offer the Remote Desktop Services (previously Terminal Services) user licenses (aka CALs/SALs) to their customers. If you are using the Remote Desktop Services role, you are required to have RDS user licenses […]
With the AdminTool, you can select a different TCP/IP port number for the RDP service to accept connections on. The default one is 3389. You can choose any arbitrary port, assuming that it is not already used on your network and that you set the same port number on your firewalls and in each TSplus user access program.
TSplus includes a unique port forwarding and tunneling capability: regardless of the RDP port that has been set, RDP will also be available on the HTTP and on the HTTPS port number!
If users want to access your TSplus server from outside your network, you must ensure all incoming connections on the chosen port are forwarded to the TSplus server.
Management of users and sessions
The session manager is located right below the RDP port:
You can display your server’s task manager, and you can activate remote control, disconnect a session, log off a user or send a message to your users.
You can activate the remote control via a remote session with an admin account on the following Operating Systems:
- Windows Server 2008 R2
- Windows Server 2012 R2
- Windows Server 2016
- Windows Server 2019
- Windows 7
- Windows 8.1
- Windows 10 pro and above
On Windows XP, 2003, Vista, and 2008 there is no remote control button.
On Windows 2012 and 8 a message appears advising you to update to 2012 R2 or 8.1.
When you activate the remote control for a user’s session, this message appears, indicating the keyboard shortcut to end the session:
On the client side, this message appears to accept the remote control:
You can also send a message to your user:
Message sent on Server Side
Message appearing on Client Side
The Users and Groups tab allows you to add/edit or delete users.
- With the Session Management Settings (GPO) tab, you can set various connection settings for each session and user:
Windows Server 2016 introduced new “Per user services”, which start their processes separately for each user and so slow down user logon times.
Since the TSplus 11.70 release, you can disable per user services in order to speed up user logons.
Services and Properties
- The Windows Toolkit is an enhanced control panel, summarizing all the Windows Administration tools.
- You can also launch the “Server Properties” tab to have an overview of the control panel.
- You can see all the services on your server and their status on the Services tile.
Session Opening Preference
The session opening preference allows you to choose your shell session preference, your logon preferences, the background color of your sessions, add your own logo and rename it to your liking.
By default, these logon preferences are enabled:
- The “Display progress bar during logon“.
- “Enable Time Zone Redirection” which enables the client computer to redirect its time zone settings to the Remote Desktop Services session. If you enable this policy setting, clients that are capable of time zone redirection send their time zone information to the server.
You can also set a full Desktop for all your users and display the last connected users by ticking the corresponding boxes. You can customize your users’ sessions by adding a new Background Color, another logo or none, and use the session name of your choice.
- Since TSplus 11.70 release, you can use TSplus WinXshell as an alternative to the Windows shell.
Following the October 10 Windows Update, administrators allowing their users to start a Remote Desktop saw the Windows shell as an issue.
The main problem resides in the session opening/black screen issue when a complete desktop is assigned to multiple users on Windows 10 and Server 2016.
It provides features and graphical experience similar to Windows 2016 Windows shell, such as the display of the 2016 Start button and taskbar.
It is especially useful if you use Windows 10 or Windows 16 Operating systems, manage 10 users or more and wish to assign them a full desktop.
Backup and restore your server parameters
You can backup or restore your server parameters by clicking on the tile of the same name, on the Advanced tab:
Click on the Backup button to make a backup, which will be dated and added to the list of your restore points:
When a user uses the Launch App link in the web application, the launcher is called and obtains the necessary credential information for the application to launch. The application is launched from the jump server. In turn, VDI displays the remote application on the user’s workstation like a local application. Before application launching can occur, RDS must be configured.
Configure Remote App
- Open Server Manager. Select Remote Desktop Services > Collections.
- Select the collection needed to configure application launcher.
- Select LiebsoftLauncher.exe from the application launcher installation location on the jump server. The default directory for this file is C:\Program Files (x86)\Lieberman\Roulette\LaunchApp.
- Click Next.
- On the Confirmation page, click Publish.
- Once the LiebsoftLauncher application is published, right-click on it in the RemoteApp Programs list. Select Edit Properties.
- On the General tab, set the Show the RemoteApp program in RD Web Access dialog to No.
- On the Parameters tab, select Allow any command-line parameters.
- On the User Assignment tab, we highly recommend that you change the User Assignment option to be a specific user or group of users. You will be connected to the server as a pre-designated account, which can be managed by Privileged Identity. This is the only account that requires access to run the program. The account assigned requires all permissions and rights to launch desired programs.
- Click OK.
©2003-2022 BeyondTrust Corporation . All Rights Reserved. Other trademarks identified on this page are owned by their respective owners. BeyondTrust is not a chartered bank or trust company, or depository institution. It is not authorized to accept deposits or trust accounts and is not licensed or regulated by any state or federal banking authority. 3/9/2022
1 or more AADS Terminal Servers
Multiple clients running Windows, OSX, Linux, Thin Clients, or Mobile devices
- Enterprise Terminal Server
- Small Terminal Server
- Unlimited number of Concurrent Users and Remote Desktops.
- Domain Authorization, users defined in the Domain.
- Local users, defined locally in Windows.
- Load Balancing and User distribution among the Farm. Multiple AADS Terminal Servers working together in a Farm.
- Application Publishing and Control for both Domain groups and locally defined users / groups.
- Seamless Windows & Desktops.
- Integrated webserver for an online desktop portal using browser access.
- Integrated SSL Gateway for a secured Desktop, everywhere in the world.
Deploy of Clients and SSL Certificates has never been this easy.
- Runs on:
- Windows 10/11 Professional and Enterprise, LTSB/LTSC, 32 and 64 bits versions.
- Windows 8.x Professional and Enterprise, 32 and 64 bits versions.
- Windows 7 Professional & POS Ready, Enterprise and Ultimate, 32 and 64 bits versions.
- Windows XP Pro SP2 or higher, 32 bits versions.
- Windows Vista Business and Ultimate, 32 and 64 bits versions.
- Server 2016/2019/2022, Essentials.
- Server 2012, Essentials and Foundation.
- Server 2008-R2, Small Business Server 2008-R2, Small Business Server 2011.
- Server 2008, Small Business Server 2008.
- Server 2003, Standard, Enterprise and Small Business Server.
- 5, 10 or Unlimited number of Concurrent Users and Remote Desktops.
- Local users, defined locally in Windows.
- Application Publishing and Control for locally defined users / groups.
- Integrated webserver for an online desktop portal using browser access.
- Runs on:
- Windows 10/11 Professional and Enterprise, LTSB/LTSC, 32 and 64 bits versions.
- Windows 8.x Professional and Enterprise, 32 and 64 bits versions.
- Windows 7 Professional & POS Ready, Enterprise and Ultimate, 32 and 64 bits versions.
- Windows XP Pro SP2 or higher, 32 bits versions.
- Windows Vista Business and Ultimate, 32 and 64 bits versions.
- Application Publishing and Control is not available on Windows 8 and Server 2012.
- Multi Factor Authentication is available on Windows Vista and Server 2008, or newer.
AADS Terminal Server software is available in the following Languages:
I have multiple clients on a network that connect to Windows Server 2008 R2 and 2012 via Remote Desktop Connection.
I have custom preferences set up locally on the clients’ printers. These custom preferences do not carry over when I connect to the remote server though. E.g. page size on the local machine is 4″x6″ but every time I connect to the remote server it’s set to the driver default of 3″x2″.
We just switched off from Server 2003 and this was never a problem on that version.
The drivers are installed correctly on both the server and local machines. None of the clients are on a domain and each client is using its own individual printer. The printer is not shared out or connected to any Print Server. It is redirected from the local machine to the server when they connect using the RDC settings.
I need the preferences to carry over from the local machine to the remote desktop in order for documents to print correctly.
If you have any idea on how to solve this please let me know! Many thanks!
Just to confirm, Printers are connected to the Hosts via USB and then being redirected over to RDP, correct?
The issue may be with the Terminal Services Easy Print printer driver first.
This policy setting allows you to specify whether the Terminal Services Easy Print printer driver is used first to install all client printers.
If you enable or do not configure this policy setting, the terminal server first tries to use the Terminal Services Easy Print printer driver to install all client printers. If for any reason the Terminal Services Easy Print printer driver cannot be used, a printer driver on the terminal server that matches the client printer is used. If the terminal server does not have a printer driver that matches the client printer, the client printer is not available for the Terminal Services session.
If you disable this policy setting, the terminal server tries to find a suitable printer driver to install the client printer. If the terminal server does not have a printer driver that matches the client printer, the server tries to use the Terminal Services Easy Print printer driver to install the client printer. If for any reason the Terminal Services Easy Print printer driver cannot be used, the client printer is not available for the Terminal Services session.
Not sure if this is the actual cause but may be worth looking into this.
Deploying Remote Desktop Services (RDS) for your customer’s remote workers is a great way to improve their productivity. RDS in a cloud or hybrid environment will give them secure access to the business applications and resources they’ve been making do without at home.
RDS is highly flexible and easy to set up on both Azure and Sherweb Performance Cloud. Sherweb’s Performance Cloud and Azure support secure connections from virtually any home worker’s computer or mobile device with a reliable network connection. You can run multiple desktop environments from a single RDS installation. Management is simple and efficient.
Deploying RDS can seem tricky, but it’s a fairly straightforward process in either an Azure or Performance Cloud tenant. Here are some tips to keep in mind at each step to help get you through the RDS deployment process smoothly.
Deploying virtual servers for RDS
If you’re using Azure, keep in mind that each subscription has a maximum number of networks, VMs, and Cloud Services that can be provisioned. If you’re rolling out a new service for many clients at once, you may need multiple subscriptions to have enough RDS connections available.
A minimal RDS installation requires an RD Session Host and a Connection Broker. On top of that, each client will need either a Gateway server with SSL authentication or a secure tunnel.
Since Remote Desktop servers are valuable targets for attackers, make especially sure that all Administrator passwords meet the necessary complexity requirements, or ideally, randomly generate them for increased security. Set a change schedule for these passwords and make sure they’re only documented in a secure central location that can be accessed only by your trusted administrators.
Lastly, since many Partners are deploying multiple new RDS platforms for different clients right now, don’t forget to change administrator passwords if you’re replicating new tenant environments. It’s an easy thing to overlook when working quickly.
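One way to act on the advice above when a tenant VM has been cloned, shown as an added example that is not part of the original article: generate a random password that satisfies the complexity classes and set it on the built-in local Administrator. It assumes Windows PowerShell 5.1 or later on a member or standalone server; the function name `New-RandomPassword` is hypothetical.

```powershell
# Added example, not from the original article.
function New-RandomPassword {
    param([ValidateRange(16, 128)][int]$Length = 24)

    # One string per character class; look-alike characters (I, O, l, 0, 1) are omitted.
    $classes = @(
        'ABCDEFGHJKLMNPQRSTUVWXYZ',
        'abcdefghijkmnopqrstuvwxyz',
        '23456789',
        '!#$%&*+-=?@_'
    )
    $alphabet = -join $classes
    # Bytes at or above $limit are discarded so that the modulo below is unbiased.
    $limit = 256 - (256 % $alphabet.Length)
    $byte  = New-Object byte[] 1
    $rng   = [System.Security.Cryptography.RandomNumberGenerator]::Create()
    try {
        do {
            $sb = New-Object System.Text.StringBuilder
            while ($sb.Length -lt $Length) {
                $rng.GetBytes($byte)
                if ($byte[0] -lt $limit) {
                    [void]$sb.Append($alphabet[$byte[0] % $alphabet.Length])
                }
            }
            $candidate = $sb.ToString()
            # Any class with no character in the candidate forces a regeneration.
            $missing = $classes | Where-Object { $candidate.IndexOfAny($_.ToCharArray()) -lt 0 }
        } while ($missing)
        $candidate
    }
    finally {
        $rng.Dispose()
    }
}

# The built-in Administrator may have been renamed, but its SID always ends in -500.
$admin = Get-LocalUser | Where-Object { $_.SID.Value -like 'S-1-5-21-*-500' }
$plain = New-RandomPassword -Length 24
$admin | Set-LocalUser -Password (ConvertTo-SecureString $plain -AsPlainText -Force)
# Store $plain in the team's password vault here (vault-specific step, not shown),
# then drop it from the session.
Remove-Variable plain
```

Running this once per replicated VM gives every tenant environment a different Administrator password, so a credential recovered from one tenant does not open the others.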
While configuring Remote Desktop Services
While working on an RDS deployment, you may want to temporarily disable Windows Updates so restarts don’t accidentally delay the process. Many clients are looking for rapid deployment right now, so deferring Windows Updates to run outside business hours can be a good way to balance availability with security.
Setting up user accounts
Your customers may have teams of workers with very different desktop application needs. For example, an engineering firm may have one set of administrative staff that only need basic office apps and then another set of engineers who do a lot of CAD modeling that is very graphics intensive.
If your client has distinct sets of staff like this, you should create user groups that will have access to different collections of RDS resources. In AD DS Tools, go to Active Directory Users and Computers. There, you can create those different groups and populate them with different user accounts.
Activating Remote Desktop Service licenses
RDS will assign client access licenses (CALs or SALs) to each user that connects to the Session Host. You’ll need to install the Licensing role and activate the Licensing server on the Session Host VM before your users can connect.
Once they’re installed, CALs will be handed out automatically when users connect. If you need assistance procuring licenses quickly, feel free to contact Sherweb for assistance.
Establishing secure connections
As mentioned earlier, you can either get SSL certificates to work with an RD Gateway or configure VPN tunnels to secure your clients’ remote desktop connections.
You can use self-signed certificates for RDS, but you’ll need to distribute them to each user device, which is not ideal for the fast rollout that your customers will likely want. But if needed, Microsoft has detailed documentation for creating and distributing self-signed certificates for RDS.
Configuring secure tunnels
Performance Cloud* and Azure support a variety of different network models, which should allow you to accommodate any arrangement your customers might need. For example, you can set up a site-to-site tunnel through your customer’s VPN from their on-premise network to their RDS servers. Then configure point-to-site connections for your customer’s users to the RDS Gateway.
Guidance for configuring other secure connections on Azure is available in Microsoft’s documentation.
* Optional components may be required
Creating apps in a session collection
RDS can support either fully-fledged virtual personal desktops or more resource-efficient pooled desktop sessions. In either case, you’ll create RemoteApps that users can access. Name your pooled session collections according to the particular set of apps you’re providing and assign them to your Session Host VM.
The best way to provision personal desktop collections is with a PowerShell cmdlet: New-RDSessionCollection. There are a few different session parameters you can assign that are detailed at length in the full RDS documentation.
Note that your app collections won’t be available to users until you publish them in the Session Host Server Manager.
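The group-per-team setup from "Setting up user accounts" and the collection steps above can be scripted together. This is an added example, not from the original article: the domain, OU path, host names, account names and application paths are all hypothetical placeholders, and it assumes the ActiveDirectory and RemoteDesktop modules are available on the machine running it.

```powershell
# Added example, not from the original article. All names below are placeholders.
Import-Module ActiveDirectory, RemoteDesktop

$broker = 'rdcb01.corp.example'
$domain = 'CORP'
$ou     = 'OU=RDS Groups,DC=corp,DC=example'

# One AD group and one session collection per staff profile.
# An RD Session Host can belong to only one collection, so each profile gets its own host.
$staffProfiles = @(
    @{ Group = 'RDS-Office-Users'; Collection = 'Office Apps'
       SessionHost = 'rdsh01.corp.example'; Members = 'asmith', 'bjones'
       AppName = 'Office Suite'; AppPath = 'C:\Apps\OfficeSuite\suite.exe' },
    @{ Group = 'RDS-CAD-Users'; Collection = 'CAD Apps'
       SessionHost = 'rdsh02.corp.example'; Members = 'cnguyen'
       AppName = 'CAD Modeler'; AppPath = 'C:\Apps\CadModeler\cad.exe' }
)

foreach ($p in $staffProfiles) {
    # Create the security group only if it does not exist yet.
    if (-not (Get-ADGroup -Filter "Name -eq '$($p.Group)'")) {
        New-ADGroup -Name $p.Group -GroupScope Global -GroupCategory Security -Path $ou
    }
    Add-ADGroupMember -Identity $p.Group -Members $p.Members

    New-RDSessionCollection -CollectionName $p.Collection `
        -SessionHost $p.SessionHost `
        -CollectionDescription "Apps for $($p.Group)" `
        -ConnectionBroker $broker

    # Replace the collection's default user group so that only this team can connect.
    Set-RDSessionCollectionConfiguration -CollectionName $p.Collection `
        -UserGroup "$domain\$($p.Group)" -ConnectionBroker $broker

    # Publish the application to the collection as a RemoteApp.
    New-RDRemoteApp -CollectionName $p.Collection -DisplayName $p.AppName `
        -FilePath $p.AppPath -ConnectionBroker $broker
}
```

Scoping each collection to a single group keeps access aligned with least privilege: a compromised office-staff account cannot open a session on the CAD hosts.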
Helping your customers stay productive
These tips should help you get your customers connected more quickly, efficiently, and securely. Once your customers are stabilized and working remotely, there are many ways you can tune and customize RDS installations to help them get the most from their new environments.
Sherweb engineers are available to assist our Partners in getting their clients working remotely whenever they need help.
Download ZeroTier on any device to get a unique 10-digit node address and enter your 16-digit network ID into the join network field on the device to request access to your network.
Check the Auth checkbox on your admin console when your 10-digit node address presents itself.
If a friend wants to join your network they can do so in the exact same way.
Latest Version: 1.8.6
Mac and Windows platforms have graphical interfaces that provide tray or task bar icons.
A detailed Getting Started guide is available at our Knowledge Base.
Visit our community forums for help.
MSI Installer (x86/x64)
MacOS PKG Installer
macOS 10.13 or newer is supported.
Get in App Store
The iOS App runs on iOS 10 or newer.
Get in Google Play Store
The apk is also available for download. The app should work on Android 5 or newer, though more recent versions are recommended. LineageOS and GrapheneOS may have issues and unfortunately we’re not able to duplicate or debug them.
Debian and RPM based distributions including Debian, Ubuntu, CentOS, RHEL, Fedora, and others are supported via a script that adds the right repository and installs the package.
Other Linux distributions may have their own packages. If not try building and installing from source.
If you’re willing to rely on SSL to authenticate the site, a one line install can be done with:
If you have GPG installed, a more secure option is available:
After using the script, use apt or yum to manage future updates to zerotier-one.
The FreeBSD package is created and supported by the FreeBSD community and not by ZeroTier, Inc. Contact the package maintainer to report packaging related bugs.
ZeroTier One for Synology NAS is available as a Docker container. See instructions here: docs.zerotier.com/devices/synology.
Packages are available for x86, x64, and several ARM variants. Once installed ZeroTier can be controlled from the command line. Check the ZeroTierNAS repository for more information.