[SOLVED] RDS server not allowing more than 2 sessions

HCHTech

I'm setting up an RDS server for a client who is hiring about 7 remote employees. All will be connecting through VPN, so no RD Gateway is needed (as I understand). I spun up a fresh Server 22 VM, joined it to the domain, added Remote Desktop services, and did a "QuickSessionCollection" which is meant for exactly this "all on one server" situation. Single server has Connection Broker, Session Host, Licensing and Web Access roles. The licensing is set "Per User".

Everything works as expected - I have installed their LOB apps and did a shared activation installation of Office (all employees have Business Premium licenses). We purchased 10 RDP CALs and they have been loaded into the Licensing Manager, which shows the server as Activated.

I've run into two problems, which may be related. When there is an active user session, it does NOT show in Server Manager in the Connections section. Also, if I try to connect with a 3rd user account when there are already 2 active sessions, there is a popup asking which current connection you want to disconnect.

In the event log, I'm seeing an error 5719, source = NETLOGON: This computer was not able to set up a secure session with a domain controller in domain XXXXXXXX due to the following: We can't sign you in with this credential because your domain isn't available. Make sure your device is connected to your organization's network and try again. If you previously signed in on this device with another credential, you can sign in with that credential.

The computer is clearly joined to the domain, I see it in AD, and can browse the network unfettered.

I'm also seeing error 1306 - Remote Desktop Connection Broker Client failed to redirect the user XXXXXXX\Username.

I found this post googling, which states you can use group policy to increase the allowable session count, and I've followed those instructions but the problems remain. I'm not sure how to troubleshoot this further. There were no errors or problems with the initial deployment, and things are working except for the session limitation.

What should be my next step?
 

Take a look at this
 
Did you check the settings of the Collection that was created to verify it has the licensing server assigned properly and set to correct mode? If you run the licensing diagnostic tool on the system what does it report?

I typically don't use collections for just a single RDP server; instead I opt to just install RDS Session Host role and Licensing role only. Don't really need web or broker for a single setup. Does the RDS server have its DNS settings pointing to your internal AD server and not to public DNS? If you nslookup mydomain.local on it, does it resolve to the correct address?

By default, when you set up a collection it should allow an unlimited number of connections, but if you changed it at a certain point you can also check that in the collection properties.
 


I found a different article that stopped just short of the bit where the Session Host role had to be installed to allow over 2 simultaneous sessions. Ugh. Ok, now tell me why in the heck the default install via the wizard wouldn't enable this role, and why this little tidbit of information isn't obvious right in the server manager somewhere, or I don't know, in the ERROR MESSAGE. Well, thank you. I owe you a beer, or bourbon, or scotch. Your call!
 
I believe that just installing the Session Host role has solved the problem. I'll be able to test this later this evening. For now, I see that connections DO show in server manager, so that is a step in the right direction.

I do get correct results if I nslookup mydomain.local. I did install the Licensing diagnostic tool, so I'll have to do a run with that as well.

I didn't know that you didn't need a collection for a single server setup - I've only got one other RDS server out there, and I'm self-taught, although I do have Kors' "RDS - The Complete Guide". None of the examples I found there or on the web really talk about the single-server solution, to be fair. Now I wonder if I'm over-complicating the setup by having a Connection Broker and Collection!
 
RDS not allowing more than 2 sessions means it's not an RDS server, it's in admin mode.

Licensing is FUBAR, but oh wait... you lacked the correct role too? That's a bit embarrassing but the good news is, you fixed it!
 
Yep - just a mistake trying to translate the guides for setting up a whole farm of servers down to a single. I still see a few problems, so it may be best to start over so the right roles are in place before attempted use. Would you agree with @putz that just Session Host and Licensing are needed for a single-server setup for 10 users?
 
I started typing last night but had to bail before completing...
So 2x sessions...Windows Server defaults to allowing 2x console sessions max. Either remote/remote, or remote/local..but only 2. Versions...desktop Windows is just 1 at a time.

So I figured the setup wizard failed somewhere on setting up certain roles, the last terminal servers I deployed were back when 2012R2 was the new kid on the block. Been feverishly working against doing any more of those since then, so I'm not familiar with the new wizard/setup since the bigger change with 2019. But...yeah I'd just redo the steps from another online resource that has a good hand holding guide on setting it up. The steps of adding the roles normally unlocks it...you should not have to go in to specifically unlock it.
 
I've slept since the last time I set up an RDS cluster but I'm pretty sure the Session Host and the license server are the two core roles you have to have to get anywhere. Everything else bolts onto, and wraps around those two things.
 
Circling back on this for an update. All is well in RDS land. I nuked the entire VM, starting over from scratch with a fresh VM, added ONLY the Session Host and Licensing roles, and everything is working as it should now. Some things I learned:
  • When you assign RDP CALs, record BOTH the product key (which should be available in your M365 tenant) AND the "Server ID". If you ever need to move those licenses to a replacement server, the migration tool requires that information. Without it, you're going to have to get Microsoft involved. That process is ugly and slow. I didn't know this until I had deleted the previous VM, so had to restore it from backup, which was a project, but still faster than the Microsoft way. I had started that process, but 5 transfers after finally finding the number, and once I got to the department, could only get a case number and the instruction to "call back in a couple of hours when they will be less busy". Yeah, no thanks. That was an hour down the drain.
  • When you don't have the Connection Broker role installed, and as a result don't have a Collection, you can't see much from Server Manager. You can monitor licenses used, but you can't see current connections. You can see active users from Task Manager, though.
  • If you are using User Profile Disks, that is not controllable via the Server Manager GUI without the Connection Broker role. I think it's doable with PowerShell, but ultimately I decided to switch to folder redirection, which can be done with Group Policy. I had to do this to keep the user data off of my OS disk.
  • It makes a lot of sense to create a separate OU for the RDS server in Active Directory, and a separate OU for RDS users as well. This lets you control the necessary access rights with Group Policy.
So another dragon slain. I just wish I thought there might be more of these in the future so I could take advantage of all of this hard-earned information, but I doubt it. It's all documented in case that bus ever hits me - so there's that. :)

Thanks @putz for weighing in on my numerous questions!
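
The checks discussed in this thread (installed role services, admin mode versus Session Host mode, licensing mode, DNS and domain connectivity, current sessions) collected into one read-only script. This is an added example, not code posted by anyone in the thread; it assumes Windows PowerShell 5.1 running elevated on the RDS server itself.

```powershell
# Added example: read-only checks for the symptoms discussed in this thread.
# Assumes Windows PowerShell 5.1, elevated, run on the RDS server itself.

# 1. Which RDS role services are installed? Per the thread, without the
#    Session Host role (RDS-RD-Server) the server allows only 2 sessions.
$roles = 'RDS-RD-Server', 'RDS-Licensing', 'RDS-Connection-Broker', 'RDS-Web-Access'
Get-WindowsFeature -Name $roles |
    Format-Table Name, DisplayName, InstallState -AutoSize

# 2. Mode and licensing as the Remote Desktop service itself reports them.
$ts = Get-CimInstance -Namespace 'root\cimv2\TerminalServices' `
                      -ClassName 'Win32_TerminalServiceSetting'
$modeText = switch ($ts.TerminalServerMode) {
    0       { 'Remote Administration (2-session limit)' }
    1       { 'Application Server (Session Host)' }
    default { "Unknown ($($ts.TerminalServerMode))" }
}
$licText = switch ($ts.LicensingType) {
    2       { 'Per Device' }
    4       { 'Per User' }
    5       { 'Not configured' }
    default { "Other ($($ts.LicensingType))" }
}
$servers = (Invoke-CimMethod -InputObject $ts `
            -MethodName GetSpecifiedLicenseServerList).SpecifiedLSList
[pscustomobject]@{
    Mode           = $modeText
    LicensingType  = $licText
    LicenseServers = if ($servers) { $servers -join ', ' } else { '(none specified)' }
} | Format-List

# 3. The DNS question raised in the thread, plus the secure channel that
#    NETLOGON event 5719 complains about.
$domain = (Get-CimInstance -ClassName Win32_ComputerSystem).Domain
Resolve-DnsName -Name $domain -Type A |
    Format-Table Name, IPAddress -AutoSize
Resolve-DnsName -Name "_ldap._tcp.dc._msdcs.$domain" -Type SRV |
    Format-Table NameTarget, Port -AutoSize
Test-ComputerSecureChannel -Verbose

# 4. Current sessions; useful when there is no Collection and Server Manager
#    cannot list connections.
quser
```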
 