Hello Community,

we are currently having serious problems with our RDS deployment in the production environment - the parallel built development environment is working fine.

A few key data where which roles are installed on Windows Server 2019, Build 1809 machines:

• Server A
  RDS Broker
  RDS License Server
  Part of the AD group "Terminal Server License Servers".
  30 User CAL RDS Windows Server 2019 installed
• Server B
  RDS Gateway
• Server C
  RDS host
  Part of the only collection (using user profile disks, share resides on its own disk, attached to Server C).

error pattern

First, the RDS host is successfully added to the deployment, the RDS License Manager reports no errors. Licenses are assigned to the users according to the RDS License Manager. After some time, usually after a reboot, the following behavior occurs:

• If a user logs on, the system reports: License mode is not configured.
• A user does not receive a license according to the RDS License Manager.
• The RDS Licensing Diagnoser contains two warnings:
• License mode not configured
• License server not configured

NLA-Issue

The following GPO policy (Computer Configuration\Administrative Templates\Windows Components\Remote Desktop Services\Remote Desktop Session Host\Security) is intentionally disabled because it caused problems when setting up the RDS deployment: Require user authentication for remote connections by using Network Level Authentication: 0 (disabled)

Problems solved by disabling the policy:
When adding an RDS license server to the deployment, we get an "Invalid Operation" error message in the Assistant. Apparently NLA does not get along with the deploment operation.

Errors in eventlog "RemoteDesktopServices-RdpCoreTS"

Furthermore, we could find the error event ID 227 in the log RemoteDesktopServices-RdpCoreTS:

'SendClientLicense failed!' in CUMRDPConnection::SendClientLicense at 3839 err=[0x80070057].
A login attempt looks like this in the DesktopServices-RdpCoreTS log: 249324-event-log-remotedesktopservices-rdpcorets-logon-li.xml
Because the error occurred in the RemoteFX module, we tried to disable it using GPO and registry key. Unfortunately, the error remains.

----------

# Attempts to fix
The entire environment has already been completely rebuilt once. All systems were reinstalled from an image that was built according to Windows Security Baseline.
Open ports checked.

Setting the license server and license mode via the GPO

We have set the appropriate GPOs (Computer Configuration\Administrative Templates\Windows Components\Remote Desktop Services\Remote Desktop Session Host\Licensing):

• Set the Remote Desktop licensing mode: 4 (per User)
• Use the specified Remote Desktop license servers: “Server A” (FQDN)

Manually setting the registry entry (HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server\RCM)

• (edit) LicenseMode: 4 (REG_DWORD, dezimal)
• (add) SpecifiedLicenseServers: Server A (FQDN)

Effects: none

Setting the LicenseServer via Powershell

$obj = gwmi -namespace "Root/CIMV2/TerminalServices" Win32_TerminalServiceSetting  
$obj.SetSpecifiedLicenseServerList("ServerA.FQDN.com")  
  

Effects: none

Ressources used (selection)

• https://learn.microsoft.com/en-us/troubleshoot/windows-server/remote/troubleshoot-rds-licensing-guidance
• [GER] https://www.doktorlatte.de/windows-server-2019-der-remotedesktop-lizenzierungsmodus-ist-nicht-konfiguriert/
• http://woshub.com/the-remote-desktop-session-host-server-does-not-have-a-remote-desktop-license-server-specified/

I would really appreciate any suggestions for solutions. Thanks a lot!

Hello @JimmySalian-2011 ,

I have set the RegistryKey only on Server C (RDS Host).
The build version is 17763.3406. Two updates are pending: KB5018419 and KB5018542.

The accesses are performed from Windows 10 clients (21H2), which are managed centrally. Most users have no administrative permissions on their RDS clients (I do). The clients are of course in the same domain as the RDS servers.

I am having the same problem with a similar deployment. have you had any luck with fixes? started around October time as well, i am able to reboot the gateway, host, and license server and issues go away for a short time. but then creep in after awhile.

Hi @Nick Bryan ,
we are still investigating this case and getting support from Microsoft.
It looks like it is due to the applied Windows Security Baselines and further hardening of the system.
We are therefore currently reviewing the individual hardening measures.

We have already got the following findings:

• Without hardening, we get a correct deployment and the errors do not seem to show up.
• We have noticed that the registry keys "LicensingMode" and "SpecifiedLicenseServers" are not always set correctly when deploying the RDS host.
  As expected, the GPOs under "Computer Configuration\Administrative Templates\Windows Components\Remote Desktop Services\Remote Desktop Session Host\Security\" have an impact on a correct RDS deployment.
• It is helpful to use the Powershell to create the RDS deployment because the error messages are much more meaningful than those of the GUI. The GUI sometimes terminates without a more detailed explanation of the error, such as "invalid operation".

• Since Windows Server 2019, additional AD permissions are required for the logging in users in the Active Directory. The RDS-UserCAL is also stored in an attribute of the AD user since Windows Server 2019. The broker queries this attribute. However, Microsoft itself cannot say exactly whether it really causes problems if these permissions are not granted, because the RDS license server is still asked for the license. If the license is missing in the attribute, it is assigned again by the RDS license server. However, it is apparently not issued twice. Currently these rights are not yet implemented in our environment.

I hope this information helps for now. I will update this topic next year as soon as we got some more information about whats going on.

Happy holidays :)

Nearly forgot to mention that you should always use a fresh version of the RDS-Connection-Shortcut.
You can download it from your RDS Webserver with any other Browser than IE or EDGE.

There are only two supported scenarios on how to use RDS:

1. RDS with a "real" desktop the user connects to
2. RDS with Remote Programs which looks to the user like the app is running on the client

An RDS-Collection can only provide one of the scenarios above at a time. We're using scenario one. So the RDS Webserver provides correctly configured RDS-Connection-Files so the clients esthablish its connection correctly via the broker and not directly to the host. Changing the RDS-Deployment-Configuration might leads to changes in those RDS-Connection-Files, thats why you should always use a fresh file from RDS-Webserver when testing.

Hi Alex,

We're experiencing a similar issue. I'm curious if you ever found a reason/resolution?

Thanks!

Hi,

What version of client OS you are using and after the UCRP registry did you applied on all the 2019 servers? What is the OS version build of 2019 Server?

Hi @JimmySalian-2011 ,
thanks for your answer.

The policy to "Network Characteristic Detection" is not set.

With Wireshark we don't see any blocked traffic on server A and server C with the filter "tcp.flags.syn==1 or tcp.flags.reset==1".

I tried to suppress UCRP Connection Mode via RegistryKey as you described. The error persists after a reboot.

If it is the same error regarding RemoteFX I can't say. The thread doesn't seem to have a solution for the problem either. The system is quite up to date (KB512170 SU 08/2022, KB5017315/CU WS2019 09/2022). So RemoteFX should already be disabled - that's how I understand the post?

Hi,

In the logs it points to Network Characteristic Detection do you have set this policy enabled or disabled? Try to set it to disable so it stops analysing the network bandwidth and interfere with the connection - admx.help

Do you have wireshark or Network traces to see what is happening?

Also there was connection errors on the Server related to the

Try this setting to stop the URCP connection mode by applying the following Registry key on your Windows server 2019.
On your Server 2019, open the registry editor and navigate to HKLM\SOFTWARE\Microsoft\Terminal Server Client
Create a new d-word (32-bit) value and name it UseURCP with decimal value of 0

Check this thread for similar issue windows-2019-server-rds-disconnecting-with-error-2.html

Hope this helps.

==
Please "Accept the answer" if the information helped you. This will help us and others in the community as well.