Not able to add RDS licensing server from trusted domain / Kerberos error

Johan MCorp 1 Reputation point
2021-05-16T04:59:51.54+00:00

I have two AD 2019 domains (forests); I have created an external two-way trust between them.

- Have one RDS server in domain B and an RDS Licensing server in domain A.
- Have followed the MS guides on how to set this up (https://learn.microsoft.com/en-US/troubleshoot/windows-server/remote/set-up-remote-desktop-licensing-...)
- Have WinRM activated.
- DNS forwarding is working from both domains.
- Have added the admin/enterprise domain admins group in the respective admin groups in AD.
- No FW problem, because both domains are in the same IP subnet (I know this sounds weird).
- Windows FW turned off on both servers (and DC server).
- In the trust properties I have checked the box "domain support Kerberos".

But I cannot add the RDS license server in the RDS configuration.

I add the license server in Server Manager "all server"; it then finds the server but does not list the IP address, and it says "Kerberos target resolution error".

I can manage the server, but not "Windows PowerShell".

If I just continue the RDS configuration and try anyway, it of course wants to exclude the server because it cannot connect to it via PS.

I have read all the posts on the internet that I can find with different tips about WinRM and I think I have tried everything. I also added the domain admin to the local admin group and the remote management group on the RDS license server, without it making any difference.

Now I'm out of ideas and very frustrated, after 2 days of trying...

So does anyone have any idea how to get this to work? Or do I just have to create my own RDS license server in domain B also? (Not what I want; then I have to buy extra RDS licenses.)

It looks like it is a clear Kerberos problem, but I don't know how to fix it since everything else seems to work as it should in a trust.

Appreciate some help or ideas.

Regards

Johan, Finland


9 answers

  1. Leila Kong 3,706 Reputation points
    2021-05-17T03:24:20.417+00:00

    Hello @Johan MCorp ,

    1. Did you add the other server to the trusted hosts?
    https://community.spiceworks.com/topic/583888-unable-to-add-server-in-windows-server-2012-server-manager
    https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-R2-and-2012/hh831453(v=ws.11)?redirectedfrom=MSDN
    2. Did you report back your DNS setup on both sides and any conditional forwarding you have in place? Or did you have multiple NIC cards active and change the binding order of them?
    https://community.spiceworks.com/topic/2127319-kerberos-target-resolution-error-when-adding-trusted-domain-server
    https://community.spiceworks.com/topic/1428428-target-name-resolution-error
    https://community.spiceworks.com/topic/2227249-target-name-resolution-error

    Best regards,
    Leila



  2. Johan MCorp 1 Reputation point
    2021-05-17T04:13:20.88+00:00

    Hi Leila!

    1. I have added the server to Server Manager, and if I use "manage as" then the Kerberos error goes away in Server Manager, but when I then try to add the server in RDS licensing server it doesn't work, and the article also confirms that it doesn't work with RDS and IPAM servers.
      I have added the domain admin account and also the domain admin group account to both domains' domain admin groups and also to the local admin groups of the servers in question.
    2. Conditional forwarding on both sides. I can access all servers by name from one domain to another, so there is no DNS or IP problem. And only one NIC.
    3. I have done everything I found on the "Internet" regarding this. I have even tried to experiment with SID filtering, but no results.

  3. Leila Kong 3,706 Reputation points
    2021-05-18T10:09:55.543+00:00

    Hello @Johan MCorp ,

    1. Did you add the RD licensing server to the Server Manager of the RD Connection Broker server or the Server Manager of the RD Session Host server?
    2. If we run winrm qc in CMD on both the RD licensing server and the server to which you want to add the RD licensing server, will this command run fine without error?
    3. When the WinRM issue happens, is there an event log entry on both the RD licensing server and the server to which you want to add the RD licensing server?
    C:\Windows\System32\winevt\Logs
    Microsoft-Windows-WinRM/ Operational.evtx
    system.evtx
    application.evtx
    Microsoft-Windows-TerminalServices-Licensing/ Admin
    Microsoft-Windows-TerminalServices-Licensing/ Operational
    4. Is your RD License server in the “terminal server license servers” group of both forests?

    Best practices for setting up RDS licensing across Active Directory domains/forests or work groups: https://learn.microsoft.com/en-us/troubleshoot/windows-server/remote/set-up-remote-desktop-licensing-across-domains-forests-workgroups


  4. Johan MCorp 1 Reputation point
    2021-05-22T05:10:41.2+00:00

    Hi Leila!
    Sorry for the late reply. Here are the results of the suggested actions/questions.
    1- That is the problem: when I add the RDLic server on the RDBroker server's Server Manager, it is then that this error comes up, so I can add it but it gives the Kerberos error.

    2- Running winrm qc on both servers (Lic server and broker server) gives all OK and running.

    3- It gives errors in the Windows Remote Management log, yes,
    but none of the errors turned up anything more when I searched for them. Here they are:

    Level Date and Time Source Event ID Task Category
    Error 22.5.2021 7.52.42 Microsoft-Windows-WinRM 49 WinRM MI Operation The WinRM protocol operation failed due to the following error: The metadata failed to be retrieved from the server, due to the following error: WinRM cannot process the request. The following error occurred while using Kerberos authentication: Cannot find the computer mh-appsrv-01.muovi-heljanko.loc. Verify that the computer exists on the network and that the name provided is spelled correctly. .
    Error 22.5.2021 7.52.42 Microsoft-Windows-WinRM 142 Response handling WSMan operation Get failed, error code 53
    Error 22.5.2021 7.52.42 Microsoft-Windows-WinRM 49 WinRM MI Operation The WinRM protocol operation failed due to the following error: WinRM cannot process the request. The following error occurred while using Kerberos authentication: Cannot find the computer mh-appsrv-01.muovi-heljanko.loc. Verify that the computer exists on the network and that the name provided is spelled correctly..
    Error 22.5.2021 7.52.42 Microsoft-Windows-WinRM 161 User authentication WinRM cannot process the request. The following error occurred while using Kerberos authentication: Cannot find the computer mh-appsrv-01.muovi-heljanko.loc. Verify that the computer exists on the network and that the name provided is spelled correctly.

    4- Yes, the Lic server is in both forests' Terminal Server Licensing servers groups, as the "best practice" guide says it shall be done.

    /Johan


  5. Leila Kong 3,706 Reputation points
    2021-05-24T02:26:32.28+00:00

    Hello @Johan MCorp ,

    1. Please run the command below on both the RDCB server and the RDLS server, then share the output with us:
    winrm get winrm/config
    2. Please make sure port 5985 is opened on any hardware router and hardware firewall between the RDCB server and the RDLS server.
    3. If we add the RDLS server to the trusted hosts of the RDCB server, will the same issue happen?
    We can do so with a command such as:
    PowerShell
    set-item wsman:\localhost\client\trustedhosts -Concatenate -value 'hostname'

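Added example, not part of any post in this thread: a PowerShell check that separates the stages discussed above (name resolution, port 5985, Kerberos-only WinRM, and the current TrustedHosts value) so that it is clear which one fails before TrustedHosts is changed. The function name `Test-CrossTrustWinRM` and the sample FQDN are hypothetical; run it elevated on the server whose Server Manager shows the error.

```powershell
# Added example, not code from the thread. Function name and sample FQDN are
# hypothetical. Run elevated on the server that reports the Kerberos error.
function Test-CrossTrustWinRM {
    param([Parameter(Mandatory)][string]$Target)  # FQDN of the license server

    $r = [ordered]@{ Target = $Target }

    # 1. Events 49/161 report "Cannot find the computer <FQDN>", so first
    #    confirm that exact FQDN resolves from this machine.
    $r.DnsResolves = [bool](Resolve-DnsName -Name $Target -ErrorAction SilentlyContinue)

    # 2. WinRM HTTP listener reachable on TCP 5985 (the port named in the thread).
    $tcp = Test-NetConnection -ComputerName $Target -Port 5985 -WarningAction SilentlyContinue
    $r.Port5985 = $tcp.TcpTestSucceeded

    # 3. Unauthenticated identify request: only proves that a listener answers.
    $r.ListenerAnswers = [bool](Test-WSMan -ComputerName $Target -ErrorAction SilentlyContinue)

    # 4. Same request forced to Kerberos with the current logon. If step 3
    #    succeeds and this fails, the fault is in Kerberos, not in WinRM setup.
    try {
        Test-WSMan -ComputerName $Target -Authentication Kerberos -ErrorAction Stop | Out-Null
        $r.KerberosWinRM = $true
    } catch {
        $r.KerberosWinRM = $false
        $r.KerberosError = $_.Exception.Message
    }

    # 5. Current TrustedHosts list. The WinRM client does not require mutual
    #    authentication for hosts listed here, so a '*' entry is flagged.
    $th = (Get-Item WSMan:\localhost\Client\TrustedHosts).Value
    $r.TrustedHosts = $th
    $r.TrustedHostsWildcard = ($th -split ',' | ForEach-Object { $_.Trim() }) -contains '*'

    [pscustomobject]$r
}

# Constructed sample name; replace with the real license server FQDN.
Test-CrossTrustWinRM -Target 'rdls01.domain-a.example'
```

If TrustedHosts is used as a workaround, adding the single FQDN with `-Concatenate`, as in the command above, keeps the unauthenticated scope to that one host.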
