RDS Collection error: Unable to configure the RD Sessionhost server. Invalid operation

When trying to create a new Remote Desktop Session Collection you receive an error: Unable to configure the RD Sessionhost server servername.domain.local. Invalid operation.


The collection itself is created, but not completely: some parts are missing, for example there is no Desktop icon on the Web Access page, and probably some other settings aren’t set correctly. So it is wise to solve the problem, delete the old collection and create a new one.

As described in KB article kb3014614, this is a known issue that occurs when some policies are already applied to the RD Session Host server. To solve it, make sure no policies are set on the new RD Session Host server, especially under these two GPO paths:

  • Computer Configuration\Administrative Templates\Windows Components\Remote Desktop Services\Security
  • Computer Configuration\Administrative Templates\Windows Components\Remote Desktop Services\Remote Desktop Session Host\Licensing

This is usually the case when there is already an existing Remote Desktop server, policies are applied via a group policy to a specific OU, and the new server has already been moved to this OU.

Move the new Remote Desktop server to another OU where no policies are applied. Run gpupdate /force or reboot the new RDSH server. Then delete the existing collection and create a new collection.

If you already set local policies on the RD Session Host, these also need to be removed.
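
A quick way to confirm the new RD Session Host is free of these policies before recreating the collection, as an added example that is not part of the original post. It assumes the registry key and value names written by the standard Remote Desktop Services administrative template for the Security and Licensing nodes (not an exhaustive list); the function name Get-RdshPolicyConflict is hypothetical.

```powershell
# Added example: run in an elevated PowerShell session on the new RD Session Host.
# Domain GPOs and local policies both write to this key, so one check covers both.
$PolicyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services'

# Assumed mapping of registry value name -> policy node (not exhaustive).
$Watched = [ordered]@{
    SecurityLayer      = 'Security'
    MinEncryptionLevel = 'Security'
    UserAuthentication = 'Security'
    fEncryptRPCTraffic = 'Security'
    fPromptForPassword = 'Security'
    CertTemplateName   = 'Security'
    LicenseServers     = 'Licensing'
    LicensingMode      = 'Licensing'
}

function Get-RdshPolicyConflict {
    param([string]$Path = $PolicyKey)

    # No policy key at all means no RDS policy has been applied.
    if (-not (Test-Path -LiteralPath $Path)) { return }

    $props = Get-ItemProperty -LiteralPath $Path
    foreach ($name in $Watched.Keys) {
        # Report only the watched values that are actually present.
        if ($null -ne $props.PSObject.Properties[$name]) {
            [pscustomobject]@{
                Node  = $Watched[$name]
                Value = $name
                Data  = $props.$name
            }
        }
    }
}

$found = @(Get-RdshPolicyConflict)
if ($found.Count -eq 0) {
    Write-Output 'No Security or Licensing RDS policy values found under the policy key.'
} else {
    $found | Format-Table -AutoSize
    # List the GPOs applied to the computer so the source of the values can be traced.
    gpresult /r /scope computer
}
```

Run it again after moving the server to the policy-free OU and running gpupdate /force; the collection should only be recreated once no values are reported.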

Posted in Remote Desktop, Windows Server 2012 R2 at February 24th, 2016. 20 Comments.

Azure AD Connect does not sync all users to Azure AD

Just configured an Azure AD Connect (AADConnect / AADSync) synchronisation between an on-premises domain and Office 365. All users are synchronized without any problems except one user. Nothing special about this user: same OU, member of the same groups, no special rights or anything visibly different. Also no errors in the AADConnect logs, event logs or anywhere else.

I also followed this helpful Microsoft document, One or more objects don’t sync when the Azure Active Directory Sync tool is used, but none of the options described solved the problem. sAMAccountName, proxyAddresses, etc. are all correctly filled.
Another strange thing: when you run IdFix as described in the same document, the result also does not show this specific “problem” user.

By accident I did an export of all mailboxes and their properties, and for this particular user I saw that LinkedMasterAccount was filled with a SID and the IsLinked value was set to true.
To see if these values are set for an account, run the following PowerShell command: Get-Mailbox username | Select-Object *link*

If IsLinked is set to true, the mailbox is a linked mailbox, and linked mailboxes are not synced to Azure AD, as described in this article: Understanding Users and Contacts in Azure Active Directory Sync

A disabled account will contribute userPrincipalName and sourceAnchor, unless it is a linked mailbox.

An account with a linked mailbox will never be used for userPrincipalName and sourceAnchor. It is assumed that an active account will be found later.

Disabled accounts are synchronized as well to Azure AD. Disabled accounts are common to represent resources in Exchange, for example conference rooms. The exception is users with a linked mailbox; as previously mentioned, these will never provision an account to Azure AD.

In this case the linked mailbox was probably a leftover from the past, so we could convert the mailbox back to a normal user with this PowerShell command: Set-User -Identity kweku@fabrikam.com -LinkedMasterAccount $null. After that, the account was synced to Azure AD at the next scheduled synchronization.

Posted in Active Directory, Blog, Exchange 2010, Office 365 at February 3rd, 2016. 1 Comment.
