Wednesday, August 28, 2013

KB: Best practices for setting up Remote Desktop Licensing across Active Directory Domains/Forests or Workgroup (2473823)

Microsoft has published a new KB article (KB2473823) covering Best Practices for Remote Desktop Licensing.


Can the RD Licensing (Terminal Server Licensing) server issue a Client Access License (CAL) to users or devices connecting to RD Session Host (Terminal Server) servers under any of the following conditions?

  • RD Session Host servers are in an Active Directory Domain and RD Licensing server is in a workgroup environment
  • RD Session Host servers are in a workgroup and the RD Licensing server in an Active Directory Domain
  • RD Session Host servers and RD Licensing server are in different forests. No trusts exist (One-way or Two-way trust) between these forests
  • RD Session Host servers and RD Licensing servers are in the same workgroup

For both Per Device and Per User CAL issuance to work, the RD Session Host and RD Licensing server must be in any one of the following three configurations:
  • Both in the same workgroup
  • Both in the same domain
  • Both in trusted (Two-way trust) Active Directory Domains or Forests…”

For more information on these scenarios, see the KB article:

Friday, August 23, 2013

Kemp announces FREE software load balancer for Windows Azure!

Kemp Technologies have announced the availability of a free software load balancer specifically for Windows Azure!

Why is this important?

The load balancing options that Windows Azure offers today are very basic: essentially just round robin. That means no layer 7 functionality is available, and therefore there is no option for session affinity, content switching, compression, etc.

I have previously performed some testing with the load balancing options available in Azure today, and ran into serious issues where Session Affinity was required by the web application.

The Kemp LoadMaster for Azure could solve those issues with a license-free software load balancer that even includes e-mail support!

Here is a link where Kemp announced this:

My request for the free LoadMaster for Azure is on its way!

A quick comparison sheet taken from their description:


Tuesday, August 20, 2013

KB: "Not enough storage is available to process this command" error when a new user tries to log on through RDP in Windows Server 2008 R2

A new KB article (2877056) was released yesterday regarding an error when connecting via RDP to a non-domain-joined RD Session Host server with a user account that is configured to change its password at next logon, which results in the message “Not enough storage is available to process this command.”

“…You have a Windows Server 2008 R2-based computer that is not a member of a domain. An administrator of the server creates a new user who is also an administrator, sets a password for the new user, and selects the option to require a password change at the next logon. When the new user connects to the server through Remote Desktop Protocol (RDP) for the first logon, he or she is prompted to enter a new password. When the user types the new password and tries to continue, he or she receives the following error message: Not enough storage is available to process this command.

The password is not changed, and the user receives the same error message when he or she tries to log on again.

This issue occurs because the RPC runtime receives an error.
Specifically, the scenario that occurs is as follows:
The password change request process is put into an anonymous access token by Local Security Authority (LSA). This occurs because the password is not valid and the user is therefore not authenticated…”

Source and download:

Monday, August 19, 2013

New feature in RDP 8.1 : RestrictedAdmin

A new feature has been added to RDP 8.1, currently available in Windows 8.1 preview and Windows Server 2012 R2. The feature is called Restricted Admin (mstsc /RestrictedAdmin).

The description taken from the mstsc client:

“…/restrictedAdmin -- Connects you to the remote PC or server in Restricted Administration mode. In this mode, credentials won’t be sent to the remote PC or server, which can protect you if you connect to a PC that has been compromised. However, connections made from the remote PC might not be authenticated by other PCs and servers, which might impact app functionality and compatibility. Implies /admin…”

The parameter can be added at the command prompt as follows:

mstsc.exe /RestrictedAdmin

or in the GUI, as shown below:


When using the above method the following error message occurs:


After clicking OK you can still continue, so I’m assuming this is a bug in the preview release.

With the RestrictedAdmin option, the credentials you connect with are not passed to the remote session, so the session cannot authenticate onward to other resources, even if you are, for example, a member of the Domain Admins group.

I did a quick test and connected with my Windows Surface Pro running Windows 8.1 to a Windows Server 2012 R2 with my domain admin credentials and the /RestrictedAdmin switch enabled.

Upon browsing to the administrative share \\dc01-demo\c$ on the domain controller I was presented with an access denied:


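The test described above, written up as an added PowerShell script that is not part of the original post: run it inside the RDP session on the server, once from a normal connection and once from a /RestrictedAdmin connection, to confirm that the session cannot authenticate onward. The server name dc01-demo and the administrative share come from the post; everything else is an assumption.

```powershell
# Added example (not from the original post). Run inside the RDP session on the
# server you connected to. Default share is the one used in the post (assumption
# that it is reachable from your test environment).
function Test-RestrictedAdminSession {
    param([string]$RemoteShare = '\\dc01-demo\c$')

    # Local identity is unchanged by Restricted Admin mode; only onward
    # (network) authentication is affected, so the name alone tells you nothing.
    $identity = [System.Security.Principal.WindowsIdentity]::GetCurrent()

    # Second hop: try to list a remote administrative share. In a normal RDP
    # session a domain admin succeeds; in Restricted Admin mode it is denied
    # because no reusable credentials were sent to this server.
    $delegated = $false
    $detail    = ''
    try {
        $null = Get-ChildItem -LiteralPath $RemoteShare -ErrorAction Stop
        $delegated = $true
        $detail = 'remote share listed: credentials were delegated to this session'
    } catch [System.UnauthorizedAccessException] {
        $detail = 'access denied: consistent with Restricted Admin mode'
    } catch {
        # Name resolution or network failure, not an authorization answer.
        $detail = "share unreachable: $($_.Exception.Message)"
    }

    [pscustomobject]@{
        SessionUser          = $identity.Name
        RemoteShare          = $RemoteShare
        CredentialsDelegated = $delegated
        Detail               = $detail
    }
}

Test-RestrictedAdminSession | Format-List
```

Compare the CredentialsDelegated value between the two connections; a server that still lists the share from a /RestrictedAdmin session is not honouring the mode.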
It’s an interesting feature; I can think of some “delegation of control” scenarios where this might be useful.

There is a very detailed blog post here by Kurt Falde that brought this to my attention. If you’re interested, it’s a good read!

What do you think about the feature? Is it useful for your environment or your customers environment? I’d be happy to hear about that!

Wednesday, August 14, 2013

KB: Updates to improve Remote Desktop Protocol network-level authentication

A new KB article was released that contains a Network Level Authentication (NLA) update for RDP.
The corresponding security advisory page does not seem to be available yet.

“…An update is available that provides additional defense-in-depth measures for Remote Desktop Protocol Network Level Authentication. Microsoft has released a Microsoft security advisory about this issue for IT professionals. The security advisory contains additional security-related information. To view the security advisory, go to the following Microsoft website…”


Windows Server 2012 R2 and Windows 8.1 will launch October 18, 2013

Microsoft has announced that they will launch both Windows Server 2012 R2 and Windows 8.1 on October 18, 2013!

Official announcement by Brad Anderson:

Mark Your Calendars for Oct. 18: The R2 Wave is Coming!
“…As some of you may have already noticed, earlier this morning Microsoft announced that Windows 8.1 will be available to consumers and businesses worldwide on October 18, 2013

But before you start your 8.1 party (with a DJ in a data center, for example), there’s even more good news: 

I'm excited to announce that, on the same day, eligible customers will be able to download Windows Server 2012 R2 and System Center 2012 R2, as well as the latest update to Windows Intune!  We’ll make evaluation versions available through the TechNet Evaluation Center, and these products will be available for new purchases when they hit the price list on November 1st…”

KB: You cannot log off from a Remote Desktop session in Windows Server 2008 R2

Microsoft released a new KB article (2866519) today related to not being able to log off an RDP session on Windows Server 2008 R2. The KB article includes a fix for this issue.

When you use a remote desktop connection to connect to a Windows Server 2008 R2-based computer, the Remote Desktop session may freeze, and you cannot log off from the session.
Note You can temporarily resolve this issue by restarting the computer.

This issue is caused by a deadlock situation that occurs in the Win32k.sys file…”

Source & download:

Thursday, August 8, 2013

KB: Error "Invalid parameter" when add Domain Local group for VDI collection (2877941)

A new KB article (2877941) was released today (FAST PUBLISH type) regarding adding Domain Local groups to the User Groups section of a Session Collection. Apparently, this is not supported yet, but will be added in Windows Server 2012 R2.

“…Consider the following scenario:
1. Click on a VDI collection (Personal or Pooled)
2. Click Task, then click “Edit properties”
3. In the opened window of the collection properties, click “User Groups”
4. Add a group, the type is "Security Group - Domain Local"
5. Click OK, we see error "Invalid parameter"

This is a known limitation with Windows Server 2012. There are no workarounds other than using other group types. This issue will be fixed in Server 2012 R2…”


KB: Server 2012 VDI collection require two-way trust when adding user group of external domain (2877933)

A new KB article (2877933) was released (FAST PUBLISH type) regarding the RD Connection Broker being in a different domain from the RD Virtualization Hosts. In that case the domain trust must be two-way.

“…Consider the following scenario:

  1. RDCB and RDVH are in DomainA
  2. RD users are in DomainB\RD_USER_GROUP, RD_USER_GROUP is a “Security Group - Universal"
  3. DomainA and DomainB are in different forests
  4. DomainA one-way trusts DomainB

When you try to add DomainB\RD_USER_GROUP directly to the VDI collection in DomainA, you get the error “The security identifier could not be resolved. Ensure that a two-way trust exists for the domain of the selected user.”

Two-way trust is required for this scenario to work

Change one-way trust to two-way trust…”


Lowering the cost of storage for VDI using Windows Server 2012 R2 with Data Deduplication

The Microsoft Remote Desktop Virtualization team posted a new blog on Data Deduplication for VDI in Windows Server 2012 R2:

“…The File Server team just posted two great blogs on the value of live data deduplication for VDI (Extending Data Deduplication to New Workloads in Windows Server 2012 R2) and how to deploy it (Deploying Data Deduplication for VDI Storage in Windows Server 2012 R2).  As you can see, storing your personal virtual desktop collections on a Windows Server 2012 R2 file server just got A LOT cheaper, and in some cases faster as well!  Coordinating downtime to turn off your virtual machines and deduplicate your virtual hard disks (VHDs) is a thing of the past, as now “live” VDI files can be deduplicated, meaning your VHDs can be deduplicated even while they are running.

To preempt a few follow-up questions you might have:

  • The personal virtual desktop collection is the mainline scenario here, but if you have a session collection running as virtual machines, you should get similar benefits (both often have upwards of 90% duplicative content across the VHDs).
  • User profile disks are now another great candidate for deduplication (often upwards of 50% duplicative content across the VHDs).
  • Yes, Cluster Shared Volumes (CSV) caching will continue to work on your file servers configured with data deduplication. At any given point in time your VDI file servers will contain some content that has been deduplicated and some that has not (i.e. new or modified content); the system cache will handle caching of files that have been deduplicated, and the CSV cache will handle everything else.

So if you haven’t done so already, now is the time to deploy a scale out file server cluster with Data Deduplication enabled by using the Windows Server 2012 R2 Preview…
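The deployment the post links to, condensed into an added PowerShell example that is not from the post or the File Server team: enable deduplication on a 2012 R2 volume holding VDI VHDs with the Hyper-V usage type, run one optimization pass, and report the savings. It assumes the Data Deduplication feature is installed and that the VHDs live on volume D: (both assumptions).

```powershell
# Added example (not from the original post). Assumes the Deduplication role
# service is installed on the Windows Server 2012 R2 file server and that the
# VDI VHDs are stored on volume D: (assumption; change as needed).
param([string]$Volume = 'D:')

Import-Module Deduplication

# The HyperV usage type is the 2012 R2 setting for volumes that host running
# virtual disks: it allows open (in-use) VHDs to be optimized, which is what
# makes the "live" deduplication described in the post possible.
Enable-DedupVolume -Volume $Volume -UsageType HyperV | Out-Null

# Run a one-off optimization job now instead of waiting for the schedule,
# and block until it finishes so the report below reflects its result.
Start-DedupJob -Volume $Volume -Type Optimization -Wait | Out-Null

function Get-DedupSavings {
    param([string]$Volume)
    $status = Get-DedupStatus -Volume $Volume
    $vol    = Get-DedupVolume -Volume $Volume
    [pscustomobject]@{
        Volume         = $Volume
        UsageType      = $vol.UsageType
        InPolicyFiles  = $status.InPolicyFilesCount
        OptimizedFiles = $status.OptimizedFilesCount
        SavedGB        = [math]::Round($status.SavedSpace / 1GB, 2)
        SavingsRate    = $vol.SavingsRate
    }
}

Get-DedupSavings -Volume $Volume
```

On a collection of desktops built from the same image, SavingsRate is where the "upwards of 90% duplicative content" figure from the post should show up once the first optimization pass completes.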