|
| 1 | +--- |
| 2 | +title: Unable to Install RDS Deployment or Add RDS Roles |
| 3 | +description: Helps troubleshoot issues related to the installation of RDS roles. |
| 4 | +ms.date: 04/17/2025 |
| 5 | +manager: dcscontentpm |
| 6 | +audience: itpro |
| 7 | +ms.topic: troubleshooting |
| 8 | +ms.reviewer: warrenw |
| 9 | +ms.custom: |
| 10 | +- sap:remote desktop services and terminal services\deployment,configuration,and management of remote desktop services infrastructure |
| 11 | +- pcy:WinComm User Experience |
| 12 | +--- |
| 13 | +# Unable to install RDS deployment or add RDS roles |
| 14 | + |
| 15 | +This article helps troubleshoot issues related to the installation of Remote Desktop Services (RDS) roles. The issue occurs when deploying a brand new RDS deployment or manually adding roles to a system or a currently existing RDS deployment. |
| 16 | + |
| 17 | +There are several possible causes, different possible behaviors, and error messages. This article addresses some of those common reasons. |
| 18 | + |
| 19 | +## Verify whether TLS 1.0 is disabled on the system |
| 20 | + |
| 21 | +> [!NOTE] |
| 22 | +> This specific issue applies only to Windows Server 2016 and earlier versions. From Windows Server 2019 and later versions, the RD Connection Broker role can communicate with the Windows Internal Database (WID) using higher Transport Layer Security (TLS) versions, such as TLS 1.2. |
| 23 | +
|
| 24 | +### Symptoms |
| 25 | + |
| 26 | +Assume that you use the inbox WID in Windows Server. If you disable TLS 1.0 when you configure security settings, you experience the following issues: |
| 27 | + |
| 28 | +* The RD Connection Broker role can't be installed. |
| 29 | +* The RDS service fails. |
| 30 | +* An existing RDS deployment that uses RD Connection Broker and WID fails. |
| 31 | +* The Remote Desktop Management service (RDMS) doesn't start. |
| 32 | +* You receive the following error message when you try to start RDMS: |
| 33 | + |
| 34 | + > The Remote Desktop Management service on Local Computer started and then stopped. Some services stop automatically if they are not in use by other services or programs. |
| 35 | +
|
| 36 | +### Cause |
| 37 | + |
| 38 | +This behavior is expected because of the current dependencies between RDS and WID. RDMS and Connection Broker depend on TLS 1.0 to authenticate with the database. WID doesn't currently support TLS 1.2. So, disabling TLS 1.0 breaks this communication. |
| 39 | + |
| 40 | +> [!NOTE] |
| 41 | +> RDS deployments that use Connection Broker must establish an encrypted channel to WID by using one of the following methods: |
| 42 | +> |
| 43 | +> * TLS |
| 44 | +> * SSL 3.0 |
| 45 | +> * FIPS |
| 46 | +
|
| 47 | +### Resolution |
| 48 | + |
| 49 | +To fix this issue, use one of the following methods: |
| 50 | + |
| 51 | +* Don't disable TLS 1.0 on a single Connection Broker deployment. |
| 52 | +* Configure a high availability Connection Broker deployment that uses a dedicated SQL Server. |
| 53 | +* Upgrade the computers that run the RDS service to Windows Server 2019. |
| 54 | + |
| 55 | +> [!NOTE] |
| 56 | +> Microsoft has released [TLS 1.2 support for Microsoft SQL Server](../../sql/database-engine/connect/tls-1-2-support-microsoft-sql-server.md) to enable SQL Server communications to use TLS 1.2. |
| 57 | +
|
| 58 | +## Connection Broker role fails to install due to "Logon as a service" permissions being removed for service accounts |
| 59 | + |
| 60 | +When you try to install the RD Connection Broker role, the installation fails with the following error: |
| 61 | + |
| 62 | +> Unable to install RD Connection Broker role service on server \<ServerName\> - Failed. |
| 63 | +
|
| 64 | +This is commonly because the object "NT SERVICE\ALL SERVICES" has been removed from the **Logon as a service** security policy, or there's another policy denying the **Logon as a service** privilege to the corresponding service account. |
| 65 | + |
| 66 | +You might also see the following error event in the System event log: |
| 67 | + |
| 68 | +```output |
| 69 | +Log Name: System |
| 70 | +Source: Service Control Manager |
| 71 | +Date: mm/dd/yyyy hh:mm:ss pp |
| 72 | +Event ID: 7041 |
| 73 | +Task Category: None |
| 74 | +Level: Error |
| 75 | +Keywords: Classic |
| 76 | +User: N/A |
| 77 | +Computer: MyServer.com |
| 78 | +Description: |
| 79 | +The MSSQL$MICROSOFT##WID service was unable to log on as NT SERVICE\MSSQL$MICROSOFT##WID with the currently configured password due to the following error: |
| 80 | +Logon failure: the user has not been granted the requested logon type at this computer. |
| 81 | +
|
| 82 | +Service: MSSQL$MICROSOFT##WID |
| 83 | +Domain and account: NT SERVICE\MSSQL$MICROSOFT##WID |
| 84 | +
|
| 85 | +This service account does not have the required user right "Log on as a service." |
| 86 | +
|
| 87 | +User Action |
| 88 | +
|
| 89 | +Assign "Log on as a service" to the service account on this computer. You can use Local Security Settings (Secpol.msc) to do this. If this computer is a node in a cluster, check that this user right is assigned to the Cluster service account on all nodes in the cluster. |
| 90 | +
|
| 91 | +If you have already assigned this user right to the service account, and the user right appears to be removed, check with your domain administrator to find out if a Group Policy object associated with this node might be removing the right. |
| 92 | +``` |
| 93 | + |
| 94 | +### Resolution |
| 95 | + |
| 96 | +Add the "NT SERVICE\ALL SERVICES" group back to the **Log on as a service** security policy. Also, confirm that this group or another service account object (such as Network service) isn't part of the **Deny logon as a service** security policy. |
| 97 | + |
| 98 | +If it still fails after the preceding conditions are met, try adding the service account "NT SERVICE\MSSQL$MICROSOFT##WID" to the **Logon as a service** security policy. |
| 99 | + |
| 100 | +## Issues related to WinRM |
| 101 | + |
| 102 | +Server Manager, RDMS UI (Remote Desktop Management Services User Interface), and RDS PowerShell cmdlets heavily rely on WinRM to operate. |
| 103 | + |
| 104 | +If the issue is related to Server Manager or RDMS UI not operating properly, you might eventually face a WinRM-related issue. |
| 105 | + |
| 106 | +* A common reason is having a proxy set on the system's WinHTTP interface. You can check this by running the following command in an elevated command prompt: |
| 107 | + |
| 108 | + ```console |
| 109 | + netsh winhttp show proxy |
| 110 | + ``` |
| 111 | + |
| 112 | + If a proxy is configured, you can remove it by using the following command: |
| 113 | + |
| 114 | + ```console |
| 115 | + netsh wintthp reset proxy |
| 116 | + ``` |
| 117 | + |
| 118 | + Alternatively, set exclusions using the following command (we recommend removing the proxy first for testing purposes. Use the preceding steps to confirm the proxy is indeed the cause of the issue): |
| 119 | + |
| 120 | + For example: |
| 121 | + |
| 122 | + ```console |
| 123 | + set proxy proxy-server="http=<proxy>;https=<sproxy>:88" bypass-list="\*.contoso.com" |
| 124 | + ``` |
| 125 | + |
| 126 | +* You can also check if the system has any WinRM-related Group Policy Objects (GPOs) configured under the following path. It can also be a good test to temporarily remove them for testing purposes. |
| 127 | + |
| 128 | + **Computer Configuration** > **Policies** > **Administrative Templates** > **Windows Components** > **Windows Remote Management (WinRM)** |
| 129 | + |
| 130 | +* Finally, you can look in the Event Viewer for potential WinRM problematic events under: |
| 131 | + |
| 132 | + **Applications and Services Logs** > **Microsoft** > **Windows** > **Windows Remote Management** > **Operational** |
| 133 | + |
| 134 | +## Fails to add RD Session Host to a session collection or create a new collection |
| 135 | + |
| 136 | +Adding an RD Session Host to a collection might fail. You might receive different error messages. Usually, the error message starts with "Unable to add the RD Session Host to the collection…" followed by a more descriptive sentence of the underlying reason. |
| 137 | + |
| 138 | +This behavior can be caused by different reasons. Here are some possible causes: |
| 139 | + |
| 140 | +* WinRM-related reasons, as described in previous sections of this article. |
| 141 | +* The RD Session Host has existing GPOs configured, especially RDS-related ones, which prevent the deployment from overriding the desired settings. To resolve this issue, temporarily remove the GPOs, add the RD Session Host to the deployment or collection, and then reapply the desired GPOs. |
| 142 | + |
| 143 | + The error message might vary. Commonly, the error message can be "Unable to configure the RD Session Host Server \<ServerName\>. Invalid Operation." |
| 144 | + |
| 145 | + > [!NOTE] |
| 146 | + > Here's a list of common GPOs that might cause this behavior, but we recommend removing any RDS-related GPOs and testing: |
| 147 | + > |
| 148 | + > * **Require user authentication for remote connections by using Network Level Authentication** |
| 149 | + > * **Set client connection encryption level** |
| 150 | + > * **Use the specified Remote Desktop license servers** |
| 151 | + > |
| 152 | + > Paths to the preceding GPOs: |
| 153 | + > |
| 154 | + > * **Computer Configuration** > **Administrative Templates** > **Windows Components** > **Remote Desktop Services** > **Security** |
| 155 | + > * **Computer Configuration** > **Administrative Templates** > **Windows Components** > **Remote Desktop Services** > **Remote Desktop Session Host** > **Licensing** |
| 156 | +
|
| 157 | +* If you receive an error message that contains "Some or all identity references could not be translated" while adding an RD Session Host to a collection, this typically indicates issues with resolving the SID(s) of groups that are part of the permission list of the Session Collection. |
| 158 | + |
| 159 | + There can be various reasons for issues resolving the SID. We recommend that you contact Microsoft Support for a detailed analysis of the situation. To confirm this issue (or temporarily work around it), you can test by gradually removing groups of users from the Session Collection permission list until you identify the group(s) causing the behavior. |
| 160 | + |
| 161 | +* The error message "Unable to connect to the server by using Windows PowerShell Remoting" can be due to different reasons, but a possible cause is that the environment variousariables have been changed or are incorrectly configured. |
| 162 | + |
| 163 | + To fix this issue, follow these steps: |
| 164 | + |
| 165 | + 1. run the `sysdm.cpl` command. |
| 166 | + 2. In the **System Properties** window, select the **Advanced** tab, and then select **Environment Variables**. |
| 167 | + 3. Under **System variables**, select **Path** > **Edit**. |
| 168 | + |
| 169 | + You might have several environment variables, and this can vary according to each system, but make sure the following ones are present and correctly configured: |
| 170 | + |
| 171 | + * **%SystemRoot%\\system32** |
| 172 | + * **%SystemRoot%** |
| 173 | + * **%SystemRoot%\\system32\\Wbem** |
| 174 | + * **%SYSTEMROOT%\\System32\\WindowsPowerShell\\v1.0\\** |
| 175 | + * **%SYSTEMROOT%\\System32\\OpenSSH\\** |