RDP 2012R2 Web access? Why not!

Publishing Remote Desktop Services through the web is more and more popular, and I am still convinced that we should use it more. Maybe this article will help someone decide to publish their applications this way. There is nothing new or revolutionary here; it is just a few practical tricks that my customers like.
Windows Server 2012 brought many changes to working with RemoteApp programs. Some of us really appreciated distributing RemoteApp programs as RDP files or MSI installers in Windows Server 2008 and 2008 R2; that option is gone now. The installation of the RDS roles has changed as well. There is now a separate "Remote Desktop Services installation" type, distinct from the plain "Role-based or feature-based installation". This is a good thing: deploying RDS this way produces far fewer errors, and it is the only right way to install RD Web Access and the other RDS roles (don't install them through Roles and Features!).
RD Web Access is also the component where I want to show a few tricks.
As we know, https://rdp_server.publicname.com/rdweb is the address where users reach their published applications. A published application shows up there immediately after it is installed and published.
[Screenshot: RDP Web]
Users are often unhappy because running those applications is "a lot of work" for them: they have to type the web address and log in. Another unpleasant property of the web interface is that some browsers cannot launch the RDP file directly from the page; the user has to download it and run it manually.
Here we can do something for our users. Windows 7 and newer have a Control Panel item called RemoteApp and Desktop Connections, which is exactly what we want. Just type the published web address into the connection URL box and append feed/webfeed.aspx (for example https://rdp_server.publicname.com/rdweb/feed/webfeed.aspx). This puts every published application the user has access to into his Start menu under Work Resources (RADC). Need more? The list is dynamic: if you revoke permissions or uninstall an application, it disappears from there, and if you publish a new one, it simply appears. Nice.
Still too complex for your users? OK, we can make it even easier. The connection wizard also accepts an e-mail address. In that case the e-mail address is used only to obtain the domain name; everything else is driven by DNS, and the rest of the process is the same as when the feed URL is typed manually. Of course, the domain used in the e-mail address must then carry a TXT record with these parameters:

  • Type: TXT
  • Record Name: _msradc
  • Text: https://rdp_server.publicname.com/rdweb/feed/webfeed.aspx

The text is the same URL you would otherwise type manually, and the feed itself can be published under a different domain than the one in the e-mail address. That gives you many options, and the user only needs to know his e-mail address, username and password, things that, I hope, he knows. One caveat: the client follows whatever URL the TXT record points to, so the feed must be served over HTTPS with a certificate the clients trust (the wizard refuses an untrusted one), and the DNS zone that holds the record deserves the same protection as the RDS deployment itself.
[Screenshot: RDP2]
There is also another great thing: if you publish applications this way, you can publish them from different servers and domains at the same time, and a user can have simultaneous access to services from different hosted environments or clouds. It's great!
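The DNS side and the client side of the e-mail discovery described above, as an added PowerShell example that is not part of the original article. The names are assumptions for illustration: contoso.com is the domain in the users' e-mail addresses and rds.contoso.com is the RD Web Access server; the DnsServer module cmdlet runs on a Windows DNS server hosting the zone, the rundll32 call runs on a Windows 7 or newer client in the user's context.

```powershell
# Added example (not from the original article): publish the _msradc discovery
# record, verify what a client would see, and subscribe a client to the feed
# without the wizard. contoso.com / rds.contoso.com are placeholder names.
$MailDomain = 'contoso.com'
$FeedUrl    = 'https://rds.contoso.com/RDWeb/Feed/webfeed.aspx'

# --- On a DNS server hosting the zone (DnsServer module, Server 2012+) ---
# The record name is relative to the zone, so this creates _msradc.contoso.com
Add-DnsServerResourceRecord -ZoneName $MailDomain -Name '_msradc' -Txt -DescriptiveText $FeedUrl

# --- From any machine: resolve the record exactly as the client does ---
$txt = Resolve-DnsName -Name "_msradc.$MailDomain" -Type TXT -ErrorAction Stop
$discovered = ($txt | Where-Object { $_.Type -eq 'TXT' } | Select-Object -First 1).Strings -join ''
if ($discovered -ne $FeedUrl)        { throw "Unexpected _msradc record: $discovered" }
if ($discovered -notmatch '^https://') { throw 'The feed must be HTTPS; the client will not accept it otherwise.' }

# Check the certificate chain the client will build before pointing users at it.
# A 401 is expected (the feed wants credentials); a TrustFailure means the
# clients will get a certificate error instead of their applications.
$req = [System.Net.HttpWebRequest]::Create($discovered)
$req.Method = 'HEAD'
try { $req.GetResponse().Close() }
catch [System.Net.WebException] {
    if ($_.Exception.Status -eq 'TrustFailure') { throw "Clients will not trust the certificate on $discovered" }
}

# --- On a Windows 7+ client, in the user's context ---
# Same result as typing the URL into RemoteApp and Desktop Connections:
# subscribes the user and populates Start > Work Resources (RADC).
rundll32.exe tsworkspace,WorkspaceSilentSetup $discovered
```

The rundll32 call is what you would put in a logon script if you do not want users to touch the wizard at all; the subscription it creates is the same dynamic one described above, so published and revoked applications keep appearing and disappearing on their own.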

There is also another simple change you can make in the Internet Information Services (IIS) console. Open the console and go to Sites > Default Web Site > RDWeb > Pages, then open Application Settings. As you can see in the picture, there are many settings here that help with configuration:

[Screenshot: RDP3]

  • DefaultTSGateway – Fixes which RD Gateway the RDP files handed out by RD Web Access use.
  • PasswordChangeEnabled – Enables the password change page in RD Web Access. It is very useful when a user has only RD access to our environment. But be careful here: if a user with a domain-joined PC changes his password from outside, the credentials cached on his PC no longer match, and he may lose some of the other services offered on that PC until he logs on to the domain again.
  • ShowDesktops – Determines whether the "Connect to a remote PC" tab is visible. Some companies want their employees to connect to their own PCs remotely, others don't allow it. Don't forget that hiding the tab is not a control: RD connections through the RD Gateway still work even when this setting is disabled, so if you want to prevent them, restrict them in the gateway's authorization policies instead.
  • Redirection settings – An alternative place to enable or disable redirection of printers, ports, drives, PnP devices and the clipboard for all RD Web users. The same thing can be done through Group Policy, and a policy applied on the session host takes precedence over whatever the RDP file asks for.
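The same Application Settings page, read and changed from PowerShell with the WebAdministration module, as an added example that is not part of the original article. It assumes the default RD Web Access site layout (Sites\Default Web Site\RDWeb\Pages, which maps to C:\Windows\Web\RDWeb\Pages\web.config) and uses the key names as they appear in the default web.config; the gateway name rdgw.contoso.com is a placeholder. Check the key names against your own Application Settings view before running it.

```powershell
# Added example (not from the original article): audit and change the RD Web
# Access appSettings without the IIS console. Run elevated on the RD Web server.
Import-Module WebAdministration

$RdWebPages = 'IIS:\Sites\Default Web Site\RDWeb\Pages'   # default location, an assumption

function Get-RdWebSetting {
    param([Parameter(Mandatory)][string]$Key)
    Get-WebConfigurationProperty -PSPath $RdWebPages -Filter "appSettings/add[@key='$Key']" -Name value |
        Select-Object -ExpandProperty Value
}

function Set-RdWebSetting {
    param([Parameter(Mandatory)][string]$Key, [Parameter(Mandatory)][string]$Value)
    $before = Get-RdWebSetting -Key $Key
    Set-WebConfigurationProperty -PSPath $RdWebPages -Filter "appSettings/add[@key='$Key']" -Name value -Value $Value
    Write-Host ("{0}: '{1}' -> '{2}'" -f $Key, $before, (Get-RdWebSetting -Key $Key))
}

# Audit the settings discussed above. The x* keys are the redirection switches
# written into the RDP files that RD Web Access generates (key names from the
# default web.config).
'DefaultTSGateway', 'PasswordChangeEnabled', 'ShowDesktops',
'xClipboard', 'xDriveRedirection', 'xPnPRedirection', 'xPortRedirection', 'xPrinterRedirection' |
    ForEach-Object { '{0,-22} = {1}' -f $_, (Get-RdWebSetting -Key $_) }

# Example changes: pin the gateway, hide "Connect to a remote PC", and stop
# handing out RDP files with drive and clipboard redirection turned on.
# Remember that a session host policy still wins over these client-side values.
Set-RdWebSetting -Key DefaultTSGateway  -Value 'rdgw.contoso.com'   # placeholder gateway
Set-RdWebSetting -Key ShowDesktops      -Value 'false'
Set-RdWebSetting -Key xDriveRedirection -Value 'false'
Set-RdWebSetting -Key xClipboard        -Value 'false'
```

Because these values only shape the RDP file the page hands out, a user can still edit the downloaded file; treat them as defaults for convenience and enforce anything that matters with Group Policy on the session hosts.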


Enable Remote Desktop remotely (not through the Remote Registry service)

If you want to enable Remote Desktop on a remote computer, you have a few options. One you will easily find in forum posts is to change a registry value: under HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server set fDenyTSConnections to 0. The second option is to push the same registry value with Group Policy (probably the best choice).
But what if you need to connect to the remote computer right now and you cannot reach its registry because the Remote Registry service is disabled? You can use a simple trick to execute commands on the remote computer. The easiest way is PsExec from Sysinternals (you can download it here); it needs only an administrative account and access to the ADMIN$ share on the target, not the Remote Registry service. Then run these two commands:

  • psexec \\remotemachine reg add "hklm\system\currentcontrolset\control\terminal server" /f /v fDenyTSConnections /t REG_DWORD /d 0
  • psexec \\remotemachine netsh advfirewall firewall set rule group="remote desktop" new enable=yes

This enables the Remote Desktop firewall rule group and changes the registry value even when every other attempt has failed. Be careful with firewall profiles: the netsh command above enables the rules for all profiles, so if you want RDP open only for the Domain or Private profile, add the profile restriction to the command.
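The same procedure wrapped in a PowerShell function, as an added example that is not part of the original article. It first tries WinRM (Invoke-Command) and falls back to PsExec over SMB when remoting is off, restricts the firewall rules to the chosen profiles, and can additionally require Network Level Authentication (the UserAuthentication value), which the article does not mention. It assumes you hold local administrator rights on the target, that psexec.exe is in PATH, and that PC01 is a placeholder computer name.

```powershell
# Added example (not from the original article): enable Remote Desktop on a
# remote machine. WinRM first, PsExec over SMB as fallback. PC01 is a placeholder.
function Invoke-PsExec {
    # Runs one command on the target through PsExec and returns its exit code.
    # Start-Process passes the argument string verbatim, so netsh's group="..."
    # quoting survives the trip.
    param([string]$ComputerName, [string]$CommandLine)
    $p = Start-Process -FilePath 'psexec.exe' -ArgumentList "\\$ComputerName -accepteula $CommandLine" `
                       -Wait -NoNewWindow -PassThru
    return $p.ExitCode
}

function Enable-RemoteRdp {
    param(
        [Parameter(Mandatory)][string]$ComputerName,
        # Firewall profiles the Remote Desktop rule group should apply to
        [ValidateSet('Domain','Private','Public')][string[]]$Profile = @('Domain','Private'),
        # Require Network Level Authentication (an addition beyond the article)
        [switch]$RequireNla
    )

    $steps = {
        param([string]$ProfileList, [bool]$Nla)
        $ts = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'
        Set-ItemProperty -Path $ts -Name fDenyTSConnections -Value 0 -Type DWord
        if ($Nla) { Set-ItemProperty -Path "$ts\WinStations\RDP-Tcp" -Name UserAuthentication -Value 1 -Type DWord }
        # Enable the rule group for the listed profiles only, not for every profile
        Set-NetFirewallRule -DisplayGroup 'Remote Desktop' -Enabled True -Profile ($ProfileList -split ',')
        (Get-ItemProperty -Path $ts).fDenyTSConnections
    }

    try {
        $value = Invoke-Command -ComputerName $ComputerName -ScriptBlock $steps `
                                -ArgumentList ($Profile -join ','), $RequireNla.IsPresent -ErrorAction Stop
        return ($value -eq 0)
    }
    catch [System.Management.Automation.Remoting.PSRemotingTransportException] {
        Write-Warning "WinRM unavailable on $ComputerName, falling back to PsExec over SMB (ADMIN$ share)"
    }

    # Fallback: the same commands the article gives, plus the profile restriction
    $profileArg = ($Profile -join ',').ToLower()
    $cmds = @(
        'reg add "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server" /f /v fDenyTSConnections /t REG_DWORD /d 0'
        "netsh advfirewall firewall set rule group=`"remote desktop`" new enable=yes profile=$profileArg"
    )
    if ($RequireNla) {
        $cmds += 'reg add "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp" /f /v UserAuthentication /t REG_DWORD /d 1'
    }
    foreach ($c in $cmds) {
        $rc = Invoke-PsExec -ComputerName $ComputerName -CommandLine $c
        if ($rc -ne 0) { throw "'$c' failed on $ComputerName (exit code $rc)" }
    }

    # Verify from the outside that 3389 is now reachable
    return (Test-NetConnection -ComputerName $ComputerName -Port 3389 -InformationLevel Quiet)
}

Enable-RemoteRdp -ComputerName 'PC01' -Profile Domain -RequireNla
```

PsExec copies a service binary to the target and runs it with your credentials, so it leaves a service installation event behind and will be flagged by most EDR products; that is fine for a one-off administrative fix, but for a fleet the Group Policy route mentioned above remains the right one.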

Essentials functionality with more than one DC

Some of us want to use the Essentials Experience role for Office 365 integration (password synchronization) in small companies that have more than one DC. Until now this was not supported and the installation failed (you received an error that it is possible only on a DC; here is the article). The August rollup for Server 2012 R2 fixes this, and the Essentials Office 365 integration now works even if you have more than one DC. You can download the update here.

Problems with Essentials role configuration

In some cases you get various errors when you try to configure the Essentials role on a standard Windows Server 2012 R2. The first thing to check is whether all FSMO roles are hosted on the server where you are installing the Essentials role. This is a mandatory condition.
The second error is also frequent; I ran into it when migrating SBS 2008 or SBS 2011 to Standard Server 2012 R2 with the Essentials role enabled. The error (see the picture) is very badly documented, and it is practically impossible to understand from it what is wrong.

[Screenshot: Essential Role Error 1]
The next thing an administrator has to check is the Event Viewer, where the situation becomes clearer.

Event ID: 7000
Source: Service Control Manager
Description: The Windows Server Essentials Management Service failed to start due to the following error: The service did not start due to a logon failure.

If you see this error, just look for Event ID 7041, which names the account responsible (usually ServerAdmin$ or MediaAdmin$). The other way to find the right account is to open the Services console and check which account the Windows Server Essentials Management Service logs on as.

[Screenshot: Essential Role Error 2]
When you know the account name, you have to grant it the "Log on as a service" right in the Default Domain Controllers Policy. To do this, open the Group Policy Management Editor and edit the Default Domain Controllers Policy.

[Screenshot: Essential Role Error 3]
Add the missing account (only that account, not a broader group) to "Log on as a service" under Computer Configuration > Policies > Windows Settings > Security Settings > Local Policies > User Rights Assignment, close the console and restart the server.
When the server comes back up, you will be able to configure the Essentials role successfully.
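The diagnosis described above, as an added PowerShell example that is not part of the original article: it reads the service account from the service definition, pulls the matching 7000/7041 events, and checks whether that account already holds "Log on as a service" (SeServiceLogonRight) on this server by exporting the effective local security policy. It assumes it is run elevated on the DC where the Essentials role is being configured and that the service exists under the display name the event message uses; the domain name CONTOSO in the comment is a placeholder.

```powershell
# Added example (not from the original article): confirm which account the
# Essentials Management Service needs and whether it has SeServiceLogonRight.
$DisplayName = 'Windows Server Essentials Management Service'

function Get-EssentialsServiceAccount {
    # Same information as the Log On tab in the Services console
    $svc = Get-CimInstance Win32_Service -Filter "DisplayName='$DisplayName'"
    if (-not $svc) { throw "Service '$DisplayName' not found on this server" }
    return $svc.StartName    # e.g. CONTOSO\ServerAdmin$ (placeholder domain)
}

function Get-ServiceLogonFailures {
    # 7000 says the service failed to start; the matching 7041 names the account
    Get-WinEvent -FilterHashtable @{ LogName = 'System'; ProviderName = 'Service Control Manager'; Id = 7000, 7041 } -MaxEvents 50 |
        Where-Object { $_.Id -eq 7041 -or $_.Message -like "*$DisplayName*" } |
        Select-Object TimeCreated, Id, Message
}

function Get-ServiceLogonRightHolders {
    # Export the effective local security policy (which on a DC already reflects
    # the Default Domain Controllers Policy) and read SeServiceLogonRight.
    # secedit writes SIDs prefixed with '*'; translate them back to names.
    $cfg = Join-Path $env:TEMP 'secpol-user-rights.inf'
    secedit /export /cfg $cfg /areas USER_RIGHTS /quiet | Out-Null
    $line = Select-String -Path $cfg -Pattern '^SeServiceLogonRight\s*=\s*(.*)$'
    Remove-Item $cfg -ErrorAction SilentlyContinue
    if (-not $line) { return @() }
    $line.Matches[0].Groups[1].Value -split ',' | ForEach-Object {
        $entry = $_.Trim().TrimStart('*')
        try   { (New-Object System.Security.Principal.SecurityIdentifier($entry)).Translate([System.Security.Principal.NTAccount]).Value }
        catch { $entry }   # already a name, or a SID this server cannot resolve
    }
}

$account = Get-EssentialsServiceAccount
"Service account: $account"
Get-ServiceLogonFailures | Format-Table -AutoSize -Wrap

$holders = Get-ServiceLogonRightHolders
if ($holders -contains $account) {
    "$account already holds SeServiceLogonRight; look for another cause of the logon failure (wrong password, disabled or locked account)."
} else {
    "$account is missing SeServiceLogonRight. Add exactly this account under"
    "Default Domain Controllers Policy > Computer Configuration > Policies > Windows Settings > Security Settings > Local Policies > User Rights Assignment > Log on as a service,"
    "then restart the server so the policy is applied before the Essentials configuration runs again."
}
```

Running the right-holders check again after the restart is the quickest way to confirm that the Default Domain Controllers Policy actually applied before you retry the Essentials configuration wizard.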

[Screenshot: Essential Role Error 4]

Good luck.