Unable to install new RDS Session Hosts 2012R2

We currently have a 2012R2 RDS environment running 8 farms across 12 session hosts from one connection broker. Recently I went to provision 2 new Session Hosts (one to a new farm and one to an existing); however, they both fail with the following error in the Server Manager Wizard:

Access is denied
The term 'Get-LocalMachineFqdn' is not recognized as the name of a cmdlet, function, script file, or operable program. Check the spelling of the name, or if a path was included, verify that the path is correct and try again.

I've also tried installing from PowerShell without success.

Has anyone come across this before? I haven't been able to find anything in my searches on the web let alone find anything of use in the event viewer.

Cheers,

Ryan.

March 18th, 2015 10:34pm

After a little more digging around I'm wondering if this has something to do with Certificates. A few weeks back we installed an internally published wildcard certificate to the RDS Deployment properties and one of the farms. When checking the Deployment Properties this morning the "Current deployment certificate level is Unknown" and none of the Role Services are listed. There is also a warning message stating:

The server has both the RD Gateway and RD Web Access role services installed. You should not configure different certificates for these role services.

Our RD Gateway server sits in a DMZ, is not currently part of this deployment and therefore does not share the same certificate. Any thoughts on how to fix this up?

Cheers,

Ryan.

March 19th, 2015 10:07pm

Hi Ryan,

The server has both the RD Gateway and RD Web Access role services installed. You should not configure different certificates for these role services.

Specifically for the lines above, I suggest you note that if you are deploying both roles on the same server then you don't need different certificates, as 1 wildcard certificate works well with all the roles of an RDS farm. Also, as per your comment, you need to recheck the associated certificate, which must be trusted for all roles. You can go through the article below for information.
Certificate Requirements for Windows 2008 R2 and Windows 2012 Remote Desktop Services
http://blogs.technet.com/b/askperf/archive/2014/01/24/certificate-requirements-for-windows-2008-r2-and-windows-2012-remote-desktop-services.aspx

Apart from that, I suggest you recheck all the related settings and try again with the blog described below.
Step by Step Windows 2012 R2 Remote Desktop Services Part 3
https://msfreaks.wordpress.com/2013/12/26/windows-2012-r2-remote-desktop-services-part-3/

Hope it helps!

Thanks.
March 21st, 2015 9:58pm

Dharmesh,

The RD GW and WA roles are installed on different servers. As far as the farm is concerned the GW server is stand-alone - that is, it doesn't appear under the 'Deployment Overview'. When attempting to add the GW server to the deployment, I receive the same error:

Access is denied
The term 'Get-LocalMachineFqdn' is not recognized as the name of a cmdlet, function, script file, or operable program. Check the spelling of the name, or if a path was included, verify that the path is correct and try again.

When attempting to manage (create or select) the certificates for the deployment I receive the following error:

Object reference not set to an instance of an object.

So how then would I go about removing the certificates from the farm deployment given that I can't manage them with Server Manager anymore?

Regards,

Ryan.

March 22nd, 2015 11:32pm

When attempting to view the certificates via PowerShell I receive the following error, despite having the correct permissions:

PS C:\WINDOWS\system32> Get-RDCertificate -ConnectionBroker pv-rdcb02.ksgroup.com.au
New-PSSession : Access is denied
At C:\WINDOWS\system32\WindowsPowerShell\v1.0\Modules\RemoteDesktop\Certificate.psm1:34 char:19
+     $M3PSession = New-PSSession -ConfigurationName Microsoft.Windows.ServerManag ...
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : OpenError: (System.Manageme....RemoteRunspace:RemoteRunspace) [New-PSSession], RemoteExc
   eption
    + FullyQualifiedErrorId : PSSessionOpenFailed

Invoke-Command : Cannot validate argument on parameter 'Session'. The argument is null or empty. Provide an argument
that is not null or empty, and then try the command again.
At C:\WINDOWS\system32\WindowsPowerShell\v1.0\Modules\RemoteDesktop\Certificate.psm1:36 char:40
+     $RDCerts = Invoke-Command -Session $M3PSession -ArgumentList @($optionalPara ...
+                                        ~~~~~~~~~~~
    + CategoryInfo          : InvalidData: (:) [Invoke-Command], ParameterBindingValidationException
    + FullyQualifiedErrorId : ParameterArgumentValidationError,Microsoft.PowerShell.Commands.InvokeCommandCommand

New-Object : Cannot convert argument "6", with value: "", for "Certificate" to type
"Microsoft.RemoteDesktopServices.Common.CertificateRole": "Cannot convert null to type
"Microsoft.RemoteDesktopServices.Common.CertificateRole" due to enumeration values that are not valid. Specify one of
the following enumeration values and try again. The possible enumeration values are "None, RDGateway, RDWebAccess,
RDRedirector, RDPublishing"."
At C:\WINDOWS\system32\WindowsPowerShell\v1.0\Modules\RemoteDesktop\Certificate.psm1:96 char:9
+         New-Object Microsoft.RemoteDesktopServices.Management.Certificate `
+         ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : InvalidOperation: (:) [New-Object], MethodException
    + FullyQualifiedErrorId : ConstructorInvokedThrowException,Microsoft.PowerShell.Commands.NewObjectCommand

Does anyone have any thoughts?

Cheers,

Ryan.

March 23rd, 2015 7:36pm

Interestingly I can only retrieve the certificates if I run the PS command from the RDCB and specify the NETBIOS name as opposed to FQDN...

PS C:\Windows\system32> Get-RDCertificate -ConnectionBroker "pv-rdcb02"

Role          Level          ExpiresOn                           IssuedTo
----          -----          ---------                           --------
RDRedirector  Trusted        03/05/2017 11:26:45                 CN=*.ksgroup.com.au
RDPublishing  Trusted        03/05/2017 11:26:45                 CN=*.ksgroup.com.au
RDWebAccess   Trusted        03/05/2017 11:26:45                 CN=*.ksgroup.com.au
RDGateway     Unknown

Trying the NETBIOS name from a remote computer still returns the access denied error. I've run 'winrm qc' against the RDCB and everything is configured correctly.

Any help appreciated!

Cheers,

Ryan.

March 23rd, 2015 8:03pm

I ended up logging a ticket with MS and uploaded a bunch of logs, but after a few weeks of waiting for a response I followed them up and it looks like the engineer I was working with is no longer working at MS!

So out of frustration I attempted to build up a few new environments but with little success. It looks like I'm receiving the same error under the Rdms-UI logs that I'm receiving on the production CB:

Log Name:      Microsoft-Rdms-UI/Debug
Source:        Microsoft-Windows-Rdms-UI
Date:          5/14/2015 7:54:59 AM
Event ID:      40963
Task Category: None
Level:         Error
Keywords:     
User:          KSGROUP\tech9
Computer:      pv-rdcb03.ksgroup.com.au
Description:
Component RdmsUI: Failed to fetch local DB connection string from server: pv-rdcb03.ksgroup.com.au : System.Management.Automation.RemoteException: Property DBConnString does not exist at path HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tssdis\Parameters.
   at Microsoft.RemoteDesktopServices.Common.DeploymentModel.ExecutePowerShellScript(String serverName, String script, Object argumentList, Boolean isLocalhost)
   at Microsoft.RemoteDesktopServices.Common.DeploymentModel.IsHighAvailabilityConfigured(String managementServer)
Event Xml:
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <Provider Name="Microsoft-Windows-Rdms-UI" Guid="{fb750ad9-8544-427f-b284-8ed9c6c221ae}" />
    <EventID>40963</EventID>
    <Version>0</Version>
    <Level>2</Level>
    <Task>0</Task>
    <Opcode>0</Opcode>
    <Keywords>0x4000000000000000</Keywords>
    <TimeCreated SystemTime="2015-05-13T21:54:59.613488600Z" />
    <EventRecordID>198</EventRecordID>
    <Correlation />
    <Execution ProcessID="2984" ThreadID="3012" ProcessorID="0" KernelTime="2" UserTime="3" />
    <Channel>Microsoft-Rdms-UI/Debug</Channel>
    <Computer>pv-rdcb03.ksgroup.com.au</Computer>
    <Security UserID="S-1-5-21-3737267418-821311152-4000168340-26155" />
  </System>
  <EventData>
    <Data Name="arg1">RdmsUI</Data>
    <Data Name="arg2">Failed to fetch local DB connection string from server: pv-rdcb03.ksgroup.com.au : System.Management.Automation.RemoteException: Property DBConnString does not exist at path HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tssdis\Parameters.
   at Microsoft.RemoteDesktopServices.Common.DeploymentModel.ExecutePowerShellScript(String serverName, String script, Object argumentList, Boolean isLocalhost)
   at Microsoft.RemoteDesktopServices.Common.DeploymentModel.IsHighAvailabilityConfigured(String managementServer)</Data>
  </EventData>
</Event>

The GUI fails the deployment with the following error: "Cannot Install Role Service"

No, it's not installed on a DC..

Is it possible there's something in AD that's causing issues (DCDIAG didn't show any problems)?

Any help at this point would be greatly appreciated!

Cheers,

Ryan.

May 13th, 2015 10:25pm

So we finally got to the bottom of this and it's definitely worth posting the answer!

We'd deployed a GPO to add a PSModulePath environment variable which had been in place and working for a long time, however with the aid of ProcMon we identified that something strange was happening when anything tried to access the RDS PS Modules - it was constantly referencing the path we'd added as opposed to the local path and hence the failures.

Removing the policy, resetting the $env:PSModulePath back to default and rebooting still didn't fix it though - it still kept trying to reference the path we'd added... Deleting the profile we were trying to manage the deployment with proved successful!

We're now able to manage the certificates for the deployment and add new servers to the deployment (but only after removing the profile from the servers before trying to add them to the deployment).

Hopefully this helps someone else at some point :)

  • Marked as answer by Ryan Jolly 8 hours 25 minutes ago
June 7th, 2015 6:38pm
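
A read-only way to check for the condition described in the answer above, as an added example that is not part of the original thread: it lists the PSModulePath entries at machine, user and process scope, flags any that are not stock locations, and shows which folder the RemoteDesktop module actually resolves from. The default paths in `$defaults` are assumed to be the stock Windows PowerShell 4.0 ones; the function name is hypothetical.

```powershell
# Added diagnostic sketch (not from the thread). Read-only: it changes nothing.
# Assumption: these are the stock Windows PowerShell 4.0 module locations.
$defaults = @(
    "$env:SystemRoot\System32\WindowsPowerShell\v1.0\Modules",
    "$env:ProgramFiles\WindowsPowerShell\Modules",
    "$env:USERPROFILE\Documents\WindowsPowerShell\Modules"
) | ForEach-Object { $_.TrimEnd('\').ToLowerInvariant() }

# Hypothetical helper: split one PSModulePath value into annotated entries.
function Get-ModulePathEntry {
    param([string]$Scope, [string]$Value)
    if ([string]::IsNullOrWhiteSpace($Value)) { return }
    $order = 0
    foreach ($raw in ($Value -split ';')) {
        if (-not $raw.Trim()) { continue }
        $path = [Environment]::ExpandEnvironmentVariables($raw.Trim()).TrimEnd('\')
        [pscustomobject]@{
            Scope     = $Scope
            Order     = $order          # position matters: earlier entries win
            Path      = $path
            IsDefault = $defaults -contains $path.ToLowerInvariant()
            IsUnc     = $path.StartsWith('\\')   # module code loaded from a share
            Exists    = Test-Path -LiteralPath $path
        }
        $order++
    }
}

# Machine scope is what system-wide policy normally sets; User scope is stored
# in the profile's registry hive, so it survives removal of the policy.
$entries = @(
    Get-ModulePathEntry 'Machine' ([Environment]::GetEnvironmentVariable('PSModulePath', 'Machine'))
    Get-ModulePathEntry 'User'    ([Environment]::GetEnvironmentVariable('PSModulePath', 'User'))
    Get-ModulePathEntry 'Process' $env:PSModulePath
)
$entries | Format-Table -AutoSize

# Entries worth a second look: non-default, on a share, or missing on disk.
$entries | Where-Object { -not $_.IsDefault -or $_.IsUnc -or -not $_.Exists } |
    Format-Table Scope, Order, Path, IsUnc, Exists -AutoSize

# Where does the RDS module resolve from in this session? On a healthy host this
# should be under System32\WindowsPowerShell\v1.0\Modules.
Get-Module -ListAvailable -Name RemoteDesktop |
    Select-Object Name, Version, ModuleBase
```

Run it as the account used to manage the deployment, since the User-scope value is per profile.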
