This topic is resolved

    • #1556209
      Darryl Baker, CISSP
      Participant

      I have a remote desktop service deployment consisting of 2 servers: a remote desktop gateway (with the RD gateway and RD web access roles) and a host server (with the session host, broker, licensing, and web access roles). I am using RemoteApp to publish RDP connections to specified computers. Initially, both of these servers were in our internal network and internal AD site and everything worked perfectly. I recently moved the gateway server to our DMZ and our AD DMZ site. Now I am no longer able to configure the RD Connection Authorization Policy or the Resource Authorization Policy; I can access remote desktop management and open the CAP/RAP wizard, but after I select the AD security group, it does not save into the box. The box just stays blank.
      The RemoteApp solution works from within our network (because it bypasses the gateway), but for remote users, they can navigate to the page and log in. When they select one of the published RDP connections, a prompt to access the session host server appears and the username/passwords are denied.
      Looking at my firewall logs, it looks like the RD gateway is trying to connect to my internal DCs and not my RODC in the DMZ. The server is on the DMZ subnet with a static IP and RODCs chosen for DNS (they are the DMZ DNS servers as well). I have changed the HKLM Netlogon parameters for SiteName and DynamicSiteName to our DMZ site... What am I missing here? Why is this server still trying to use my internal DCs for the RDS deployment? Any help would be great! Thanks

    • #1556222
      Joel Tbo
      Participant

      Sounds like an issue I have seen before when the users or computers are not in the precached group on the RODC. If the users cannot be found on the RODC, it will redirect the user login to the writeable DC.

      Here is a reference to confirm users are setup correctly. https://www.itprotoday.com/windows-8/pre-populate-users-passwords-read-only-domain-controller-rodc

      Joel T

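The check Joel describes, written out as an added PowerShell example (not from the thread or its author): it confirms that the gateway's computer account and the remote-user group are on the RODC's Allowed password replication list, then pre-populates their secrets so the RODC can answer logons itself instead of chaining to an internal DC. The names DMZ-RODC01, RDGW01$ and RDS-Remote-Users are placeholders.

```powershell
# Added example, not from the thread. Placeholders: DMZ-RODC01, RDGW01$, RDS-Remote-Users.
Import-Module ActiveDirectory

$Rodc       = 'DMZ-RODC01'                                  # the RODC in the DMZ AD site
$WritableDc = [string](Get-ADDomainController -Discover -Writable).HostName
$Accounts   = @('RDGW01$', 'RDS-Remote-Users')              # gateway computer account, remote-user group

# 1. Each principal must be on the RODC's Allowed list (groups are allowed; members inherit it).
#    An entry on the Denied list wins over Allowed, so flag that case instead of silently adding.
$allowed = (Get-ADDomainControllerPasswordReplicationPolicy -Identity $Rodc -Allowed).SamAccountName
$denied  = (Get-ADDomainControllerPasswordReplicationPolicy -Identity $Rodc -Denied).SamAccountName
foreach ($name in $Accounts) {
    if ($denied -contains $name) {
        Write-Warning "$name is on the Denied list of $Rodc; it will never be cached until removed from it"
        continue
    }
    if ($allowed -notcontains $name) {
        Add-ADDomainControllerPasswordReplicationPolicy -Identity $Rodc -AllowedList $name
    }
}

# 2. Expand groups to the individual users and computers that actually authenticate.
$principals = foreach ($name in $Accounts) {
    $obj = Get-ADObject -Filter { sAMAccountName -eq $name } -Properties sAMAccountName
    if ($obj.ObjectClass -eq 'group') { Get-ADGroupMember -Identity $obj -Recursive } else { $obj }
}

# 3. Pre-populate (reveal) each secret on the RODC that is not cached yet, so a cold DMZ logon
#    is answered locally and never needs the firewall to allow RODC -> internal DC traffic.
$revealed = (Get-ADDomainControllerPasswordReplicationPolicyUsage -Identity $Rodc -RevealedAccounts).SamAccountName
foreach ($p in $principals) {
    if ($revealed -contains $p.SamAccountName) { continue }
    Sync-ADObject -Object $p.DistinguishedName -Source $WritableDc -Destination $Rodc -PasswordOnly
}

# 4. Report what the RODC now holds; anything missing here will still be forwarded to a writable DC.
Get-ADDomainControllerPasswordReplicationPolicyUsage -Identity $Rodc -RevealedAccounts |
    Select-Object SamAccountName, ObjectClass | Sort-Object SamAccountName
```

Run it from a management host with the RSAT AD module as an account that may edit the RODC's Password Replication Policy; the gateway must be restarted or the user must log on again before the newly cached secrets are used.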
      • #1556277
        Darryl Baker, CISSP
        Participant

        Thanks! That was exactly the issue!

    • #1556278
      Joel Tbo
      Participant

      You're welcome. Glad it worked out.

© 4sysops 2006 - 2020