Unable to create a Remote Desktop Connection Authorization policy 2147965514

Failing to deploy Remote Desktop Services on fresh Windows Server 2019 domain

• Question

• 0

  Sign in to vote

  Hi
  
  I am having trouble deploying an RDS environment. My deployment plan was this:
  1. Install RD Connection Broker, RD Licensing, RD Web Access and RD Gateway role on my domain controller (dc01)
  2. RD Session Host on my other virtual server (rds01 - fresh install, only joined to domain)
  
  Step-by-step of how I installed this:
  (on dc01)
  1. Manage > Add Roles and Features > Next
  2. Select "Remote Desktop Services installation" > Next
  3. Select "Standard deployment" > Next
  4. Select "Session-based desktop deployment" > Next > Next
  5. Add "dc01.corp.contoso.com" as RD Connection Broker server > Next
  6. Add "dc01.corp.contoso.com" as RD Web Access server > Next
  7. Add "rds01.corp.contoso.com" as RD Session Host server > Next
  8. Select "Restart the destination server automatically if required"
  9. Confirm rds01 is online and reachable
  10. Hit "Deploy"
  * at this point it takes about 5 minutes before the first error shows up
  
  RD Connection Broker role service: dc01.corp.contoso.com - Failed
  Error message: "Failed: Unable to set the RD Session Host server running in redirection mode because the RD Connection Broker server is unreachable."
  Event viewer error: "RD Connection Broker Configuration Failed on DC01.CORP.CONTOSO.COM With Error: Unable to save the RD Session Host server redirection settings."
  RD Web Access role service: dc01.corp.contoso.com - Succeeded
  RD Session Host role service: rds01.corp.contoso.com - Succeeded
  
  Continuing, I try to install RD Gateway role on dc01:
  Step-by-step of how I installed this:
  (on dc01)
  1. Server Manager > Remote Desktop Services > Overview
  2. Click "RD Gateway" (big green plus + sign)
  3. Add "dc01.corp.contoso.com" as RD Gateway server > Next
  4. Set SSL certificate name to "rdgw.contoso.com" > Next
  5. Configm selections > Add
  * at this point it takes about 2 minutes before the first error shows up
  
  Remote Desktop Gateway role service: dc01.corp.contoso.com - Failed
  Error message: "Failed: Unable to create a Remote Desktop resource authorization policy on dc01.corp.contoso.com. The error is Object reference not set to an instance of an object.. Please check the eventlog on RD Gateway server for more info."
  Event viewer errors(e) and information(i) (order old to newest)
  Error: RD Gateway Configuration Failed on dc01.corp.contoso.com With Error: Failed to create RAP for Domain Computers group. Error = 0
  Information: The resource group "RDG_RDCBComputers" was created.
  Error: RD Gateway Configuration Failed on dc01.corp.contoso.com With Error: Failed to create new RD Connection Broker Computers group. Error = 0
  Information: The resource authorization policy "RDG_RDConnectionBrokers" was created.
  Error: RD Gateway Configuration Failed on dc01.corp.contoso.com With Error: Failed to create RAP for RD Connection Broker Computers group. Error = 0
  Error: RD Gateway Configuration Failed on dc01.corp.contoso.com With Error: Unable to create a Remote Desktop resource authorization policy on dc01.corp.contoso.com. The error is Object reference not set to an instance of an object.. Please check the eventlog on RD Gateway server for more info.
  
  Now you see the informations doesn't really add up with the errors. If I go to RD Gateway Manager application all RAP and CAP are created as well. However,
  
  Additional information:
  * The environment consists of one domain controller (dc01.corp.contoso.com) and one remote desktop session host (rds01.corp.contoso.com)
  * The environment is totally fresh, have only installed AD DS beforehand (was going to use this deployment internally for techs)
  * The servers are volume licensed
  * Both servers have internet connection
  * DNS is working
  
  What I have tried:
  * Rebooting
  * Re-installing all remote desktop services roles
  * Re-installing OS on both servers
  * Re-installing domain
  * Windows Update
  * Disable any GPO that hit the domain controller
  * Checked to see if any local group policies exist on the target server
  * Installing from PowerShell
  * Installing with another domain administrator account
  * Installing the role on the rds01 server
  * Using DISM to repair from original image
  * Quick start deployment
  * Standard deployment
  * This exact deployment procedure was used at a customer last week, where everything is working just fine.
  
  Does anyone have a clue what is going on? What am I doing wrong...
  
  Thanks in advance.

  
  

  
  

  • Edited by I_make_things Tuesday, January 14, 2020 6:03 PM Redacted real domain

  Tuesday, January 14, 2020 6:02 PM

What is a Remote Desktop Gateway

A Remote Desktop Gateway Server enables users to connect to remote computers on a corporate network from any external computer. The RD Gateway uses the Remote Desktop Protocol & the HTTPS Protocol to create a secure encrypted connection.

A 2012 RD Gateway server uses port 443 (HTTPS), which provides a secure connection using a Secure Sockets Layer (SSL) tunnel.

A Remote Desktop Gateway Provides The following Benefits:

• Enables Remote Desktop Connections to a corporate network without having to set up a virtual private network (VPN).
• Enables connections to remote computers across firewalls.
• Allows you to share a network connection with other programs running on your computer. This enables you to use your ISP connection instead of your corporate network to send and receive data over a remote connection.

//windows.microsoft.com/en-us/windows7/what-is-a-remote-desktop-gateway-server

Please see the following linkFor more information on deploying a Gateway on the perimeter network://blogs.msdn.com/b/rds/archive/2009/07/31/rd-gateway-deployment-in-a-perimeter-network-firewall-rules.aspx

RDS Collection error: Unable to configure the RD Sessionhost server. Invalid operation

20 Responses to “RDS Collection error: Unable to configure the RD Sessionhost server. Invalid operation”

1. yaro says:

   November 27, 2016 at 9:10 pm

   I get the error without any of the GPOs you mentioned applied

   Reply
2. Randy Fleszar says:

   April 19, 2017 at 8:54 pm

   Hello,

   I came across this error while upgrading my domain controller to Server 2016. I previously set up a RD server and had GPOs applied. I also had local GPOs configured.

   I started troubleshooting by removing the RD server from any OUs with GPOs, but this didn’t work. I had to run gpedit.msc on the local RDS server and edit the settings there also.

   Once I modified both the Domain GPO and the Local GPO, the Wizard completed successfully.

   Your post should elaborate on this last comment.
   “If you already set local policies on the RD Sesions Host policy these also need to be removed.” If you are not a Windows GPO expert, you may not know that the local GPO has to be checked in addition to the Domain GPO.

   Reply
3. Nicole L says:

   February 1, 2018 at 9:12 pm

   Thank you for this. This really helped. As you suggested, I disabled the policy associated with Licensing below, deleted the collection and recreated the collection with success (no error now).

   •Computer Configuration\Administrative Templates\Windows Components\Remote Desktop Services\Remote Desktop Session Host\Licensing

   I had originally configured the above (enabled “Use the specified Remote Desktop license servers” and “Set the Remote Desktop licensing mode”) in order to active my RD CAL licensing. So, if I re-enable these two parameters now, will that impact my collections now that it has been successfully created? Otherwise, my third-party app using the RDS will have issues because it isn’t licensed, correct?

   Reply
   • Dimitri Dittrich says:

     February 14, 2019 at 6:16 pm

     I’m having the same question … I changed the OU computer and I was able to create a collection in trouble. However now I need to move the computer back to a correct OU as I need the licensing to be OK. In this case I will not have problems?

     Reply
     • Thomas says:

       April 16, 2019 at 9:07 pm

       Hi, i was wondering how this worked out for you as i am on the same boat now.

       Reply
   • Jeff says:

     October 31, 2019 at 7:30 pm

     Something messed up .Net permissions on a relatively new Server 2019 VM requiring me to reinstall IIS. This broke RDWeb. I was having the same issue and your suggestion worked. I disabled the policies and was able to successfully install. Thank you!

     Reply
4. Miles says:

   May 3, 2018 at 12:58 pm

   I had a similar issue when trying to uninstall then reinstall RD services on 2016. When I tried to reinstall I got an error relating to group policies but when I checked, there were none that related to remote desktop being applied.

   I was able to fix it by deleting the whole HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Terminal Server\CentralPublishedResources\PublishedFarms\QuickSessionCollection key.

   Reply
   • Ashutosh says:

     August 5, 2020 at 8:31 pm

     It really helped me and saved my whole night.

     Thanks a lot Miles

     Reply
   • OVDP says:

     April 29, 2021 at 1:38 pm

     You saved my day! Thanks a lot!

     Reply
5. Eugene S. says:

   July 8, 2019 at 12:51 pm

   God bless you bro! You saved my day, thank you so much!

   Reply
6. Stephen says:

   September 14, 2019 at 3:21 pm

   This worked Perfectly Nice big Green Checkmark now going to redoo all my Collections they seeem buggy and ill bet this was why.
   Thank You

   Reply
7. SuiteFiles says:

   October 23, 2019 at 11:46 pm

   Argh, I wish the installer could set these required reg keys as part of the install, or even detect this before the install as a prerequisite. It’d be nice if you also didn’t have to recreate the collections.

   Thanks for the workarounds 🙂

   Reply
8. SuiteFiles says:

   October 24, 2019 at 1:42 am

   Argh, I thought this was fixed, now I’m getting “Unable to create the session collection.”. I’ll post a follow up if I find a fix for that.

   Reply
9. C.T. Baarslag says:

   November 7, 2019 at 4:36 pm

   Googled my issue ‘unable to configure the rdsession host server’ and came here.
   What I then did, following the gist of what is written here, is to move the session host server to a new OU where no policies get applied (block inheritance!), then reboot the server just to be sure. Then I removed the session host from the session collection, and added it back. No error messages at all, success. I can now go to my gateway with the browser, select an application from the collection, and it runs on the new server.

   Thanks!

   Reply
10. DawidGK says:

    February 23, 2020 at 1:37 am

    In my case no GPO was configured as suggested by MS KB, it was just some leftover after decomissioning RD License Server. Looks like the Server Manager’s remove role didn’t removed the role correctly, so I had to delete HKLM\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services\LicenseServers registry key manually!

    Reply
    • henry says:

      May 8, 2020 at 1:12 am

      that key does not exists in windows server 2012 R2.

      Reply
11. Martin Benzeval says:

    July 16, 2020 at 9:58 am

    Deleting all registry DWORDs from the following location fix it for me:

    Server: Windows Server 2016
    HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services\

    The main dword that I believe it was is LicensingMode

    Reply
12. Hans says:

    September 2, 2020 at 1:38 pm

    Thanks for the tip, saved me quite some time.

    Reply
13. Elad Cohen says:

    February 7, 2021 at 5:49 pm

    for me Server: Windows Server 2019
    HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services

    Delete all \Terminal Services folder (KEY)

    Reply
14. Raj says:

    March 31, 2021 at 4:27 pm

    For me, what worked was this: On all session hosts, delete only the key which specifies the RDS license servers. Create the collection again… worked! (it does give some yellow warning about some two other keys, but succeeds in creating the collection)
    License Key comes back after some time because of domain level GPO; that is ok. Collection keeps on working.

    Reply