Windows Remote Desktop Service – Manually creating a .RDP file

I will talk about a small tip: how to manually create a .RDP file.

Why would I do that, you may ask? Well, if you got a new Remote Desktop Server on 2012R2, you may have seen that the wizard to create and deploy the icon is no longer there.

You can deploy all the icons the correct way with RDWeb, but what if you need a one-time connection to another server and just want the RemoteApp icon on the desktop?

This tip is meant for that.

Here is a small example of a .RDP file, edited in Notepad:

redirectclipboard:i:1
redirectposdevices:i:0
redirectprinters:i:1
redirectcomports:i:1
redirectsmartcards:i:1
devicestoredirect:s:*
drivestoredirect:s:*
redirectdrives:i:1
session bpp:i:32
prompt for credentials on client:i:1
span monitors:i:1
use multimon:i:1
remoteapplicationmode:i:1
server port:i:3389
allow font smoothing:i:1
promptcredentialonce:i:1
authentication level:i:2
gatewayusagemethod:i:2
gatewayprofileusagemethod:i:0
gatewaycredentialssource:i:0
full address:s:SERVERNAME.CONTOSO.COM
alternate shell:s:||AcroRd32
remoteapplicationprogram:s:||AcroRd32
gatewayhostname:s:
remoteapplicationname:s:Adobe Reader 9
remoteapplicationcmdline:s:

As you can see, the layout is pretty simple. Three things must be edited to make it work:

1- Servername (full address:s:FQDN)

2- The application name (alias) (alternate shell:s:||AcroRd32)

3- The application name (remoteapplicationname:s:Adobe Reader 9)

To see what those names mean, here is an example from an older 2008R2 display:

[Screenshot: acrobat9.png]

With that information, you can now publish that small icon with GPP or by any other means (and at the same time we demystified the .RDP file 🙂)
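The sample file above redirects every local drive and device (drivestoredirect:s:*, devicestoredirect:s:*) plus the clipboard, uses authentication level 2 and carries no signature. As an added example (not part of the original post; the function names are hypothetical), this PowerShell parses .rdp text and lists the settings worth reviewing before the file is pushed out with GPP:

```powershell
# Added example, not from the original post. Function names are hypothetical.
# Parses .rdp text (name:type:value per line) and lists settings to review.
function ConvertFrom-RdpText {
    param([string[]]$Line)
    $settings = @{}
    foreach ($l in $Line) {
        # type is i (integer), s (string) or b (binary)
        if ($l -match '^\s*([^:]+):([isb]):(.*)$') {
            $settings[$Matches[1].Trim().ToLower()] = $Matches[3].Trim()
        }
    }
    $settings
}

function Test-RdpFile {
    param([string[]]$Line)
    $s = ConvertFrom-RdpText -Line $Line
    $findings = @()
    foreach ($k in 'drivestoredirect', 'devicestoredirect') {
        if ($s[$k] -eq '*') { $findings += "${k}: * redirects every local drive/device into the session" }
    }
    foreach ($k in 'redirectclipboard', 'redirectprinters', 'redirectcomports', 'redirectsmartcards') {
        if ($s[$k] -eq '1') { $findings += "${k}: enabled, keep only if the application needs it" }
    }
    if ($s['authentication level'] -eq '0') {
        $findings += 'authentication level: 0 connects even when server authentication fails'
    }
    elseif ($s['authentication level'] -eq '2') {
        $findings += 'authentication level: 2 only warns, the user can still click through'
    }
    if (-not $s.ContainsKey('signature')) {
        $findings += 'signature: missing, the file is unsigned (rdpsign.exe can sign it)'
    }
    $findings
}

# Constructed sample: an excerpt of the .RDP file shown above
$sample = @'
redirectclipboard:i:1
redirectprinters:i:1
devicestoredirect:s:*
drivestoredirect:s:*
authentication level:i:2
full address:s:SERVERNAME.CONTOSO.COM
remoteapplicationprogram:s:||AcroRd32
'@ -split "`r?`n"

Test-RdpFile -Line $sample
```

For a file on disk, pass `-Line (Get-Content .\AdobeReader.rdp)` instead of the inline sample (the file name is a placeholder).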

 


Microsoft Office 2013 32-bit over 64-bit error

Today I will blog about a small bug that happened to me on a Terminal Server; the KB was really hard to find, which is why I’m spotlighting it 🙂

This message is displayed with Outlook :

[Screenshot: 3064206.png]

“Microsoft Office 64-bit Components 2013” with a progress bar stating “Please wait while Windows configure Microsoft Office 64-bit Components 2013”

“Error 2503: an internal error occured. Contact Microsoft support”

The KB is KB2643974: “Please wait while Windows Configures Microsoft Office 64-bit Components 2013” message when you start Outlook 2013

The way to correct the bug :

To resolve this issue, install the Windows Search Service. To do this, follow the steps that are appropriate for your version of Windows.

Windows 7 and Windows 8
Close Outlook.
Start Control Panel.
Click Programs and Features, and then click Turn Windows features on or off.
Enable Windows Search, and then click OK.
Restart the computer if you are prompted to do this.

Windows Server 2012
Start Server Manager.
Click Manage, and then click Add Roles and Features.
On the Before You Begin page, click Next.
On the Installation Type page, select Role-based or Feature-based Installation, and then click Next.
On the Server Selection page, select the server or virtual hard disk on which you want to install the Windows Search Service.
On the Features page, select Windows Search Service, and then click Next.
On the Confirmation page, verify that Windows Search Service is listed, and then click Install.

Windows Server 2008
Start Server Manager.
Click Roles in the left navigation pane.
Click Add Roles in the Roles Summary pane.
On the Server Roles page, select the File Services role, and then click Next.
On the Role Services page, select the Windows Search Service role service, and then click Next.
On the Confirmation page, verify that Windows Search Service is listed, and then click Install.

If you prefer not to use or install the Windows Search Service, you can disable indexing in Outlook. To do this, follow these steps:

Exit Outlook.
Start Registry Editor. To do this, use one of the following procedures, as appropriate for your version of Windows.
Windows 8: Press Windows Key + R to open a Run dialog box. Type regedit.exe and then press OK.
Windows 7, Windows Server 2008, or Windows Server 2012: Click Start, type regedit.exe in the search box, and then press Enter.
In Registry Editor, locate and then click the following registry subkey:

HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Windows Search

Point to New on the Edit menu, and then click DWORD (32-bit) Value.
Type PreventIndexingOutlook, and then press Enter.
Right-click PreventIndexingOutlook, and then click Modify.
In the Value data box, type 1, and then click OK.
On the File menu, click Exit to exit Registry Editor.

 


Windows – How to easily deploy XenApp’s multiple farm config for a user

You have a network with a remote desktop farm, you use the Citrix Receiver with SSO to connect to another farm, and you need a third Receiver configuration?

It seems like an overkill setup, but I have seen it often, usually when two enterprises merge: you can have the internal resources, plus others in another domain/forest.

I am talking about simple stuff, the .ica file, but be advised that this info is hard to find at Citrix, which is kind of why I wrote it.

The limitations of the Receiver can be hit pretty fast, as:

  • Only one farm/PN Agent site can be used at the same time.
    • In the Citrix Web Interface you can’t add a Citrix server from another realm.
  • Only one type of authentication is used when the Receiver is loaded.

In that scenario, you can imagine that if you need to connect to a third farm, you can hit the limitation pretty fast.

With those limitations in mind, you can easily deploy a .ica file with GPP, and place the icon on the user’s desktop to open the connection.

A simple .ICA to connect to MS Word :

Word.ica

[Encoding]
InputEncoding = ISO8859_1
[WFClient]
Version=2
ProxyType=Auto
HttpBrowserAddress=X.X.X.X:80
ConnectionBar=0

[ApplicationServers]
Word 2013=

[Word 2013]
Address=X.X.X.X
InitialProgram=#Word 2013
CGPAddress=*:2598
ClientAudio=Off
DesiredColor=8
TWIMode = True
KeyboardTimer = 0
MouseTimer = 0
ConnectionBar=0
Username=
Domain=
TransportDriver=TCP/IP
WinStationDriver=ICA 3.0
BrowserProtocol=HTTPonTCP
Compress=On
EncryptionLevelSession=Encrypt
[Encrypt]
DriverNameWin32=PDCRYPTN.DLL
DriverNameWin16=PDCRYPTW.DLL
[Compress]
DriverName=PDCOMP.DLL
DriverNameWin16=PDCOMPW.DLL
DriverNameWin32=PDCOMPN.DLL

Here is an .ICA to connect to a bigger, load-balanced farm:

[Encoding]
InputEncoding = ISO8859_1
[WFClient]
Version=2
HttpBrowserAddress=X.X.X.X:80
HttpBrowserAddress2=X.X.X.X:80
ConnectionBar=0
CDMAllowed=Off

[ApplicationServers]
Excel=

[Excel]
Address=excel
InitialProgram=#Excel
ClientAudio=Off
DesiredColor=8
TWIMode = True
KeyboardTimer = 0
MouseTimer = 0
ConnectionBar=0
UseLocalUserAndPassword=Off
TransportDriver=TCP/IP
WinStationDriver=ICA 3.0
BrowserProtocol=HTTPonTCP
EncryptionLevelSession=Encrypt
[Encrypt]
DriverNameWin32=PDCRYPTN.DLL
DriverNameWin16=PDCRYPTW.DLL

You could add the username, clearpassword and domain lines if you need to make the logon automatic and you can’t use SSO.

Username=
clearpassword=
Domain=

 

PS: you can use that tip to connect to an old MetaFrame/Presentation Server farm with the newer Receiver, without Program Neighborhood.
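A filled-in clearpassword line stores the password in plain text, readable by anyone who can open the .ica file or the share GPP copies it from. As an added example (not part of the original post; the function name and the sample account are hypothetical), this PowerShell walks the INI sections of .ica text and reports where a clear-text password is stored, without echoing the password:

```powershell
# Added example, not from the original post. The function name is hypothetical.
# Walks .ica text (INI sections) and reports stored clearpassword values
# without ever echoing the password itself.
function Find-IcaClearPassword {
    param([string[]]$Line, [string]$Source = '(inline sample)')
    $section = ''
    $users = @{}     # section name -> Username value
    $hits = @()
    foreach ($l in $Line) {
        if ($l -match '^\s*\[(.+)\]\s*$') { $section = $Matches[1]; continue }
        if ($l -match '^\s*([^=;]+?)\s*=\s*(.*)$') {
            $key = $Matches[1]
            $value = $Matches[2].Trim()
            if ($key -eq 'Username') { $users[$section] = $value }
            if ($key -eq 'ClearPassword' -and $value) {
                $hits += [pscustomobject]@{
                    Source = $Source; Section = $section; Username = $null
                }
            }
        }
    }
    # Username may come after clearpassword in the section, so fill it in last
    foreach ($h in $hits) { $h.Username = $users[$h.Section]; $h }
}

# Constructed sample: the Excel section above with the three optional lines filled in
$sample = @'
[ApplicationServers]
Excel=

[Excel]
Address=excel
InitialProgram=#Excel
Username=svc_excel
clearpassword=NotARealPassword1
Domain=CONTOSO
EncryptionLevelSession=Encrypt
'@ -split "`r?`n"

Find-IcaClearPassword -Line $sample
```

For a file you are about to deploy, pass `-Line (Get-Content .\Word.ica) -Source .\Word.ica`.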

 

Windows Server 2012 R2 KB3185279 & KB3185331 seem to break Google tip to block Youtube with DNS

For enterprises, Google offered a tip to block YouTube with DNS:

[Screenshot: 10-21-2016 4-05-08 PM.png]

Some users posted that nslookup stopped working after KB3185331.

If we dig into the KB’s text, we find that the KB itself includes nothing that can touch the DNS server, but digging further shows this:

[Screenshot: 10-21-2016 4-11-09 PM.png]

Update 3185279 includes this fix:

Addressed issue that causes Wildcard CNAME queries with Domain Name System Security Extensions (DNSSEC) enabled to not return Next Secure (NSEC) records.

 

Be sure to test properly if you need to use that tip after the update, as you may need to create a *.youtube.com zone to bypass the problem (or remove the update).

 

In Windows Server 2012 R2, an error when copying: file name too long ?

File name too long to be copied ? Still, in 2016, with Windows Server 2012R2 ?

Yes, it can still happen !

Be sure Windows Update works properly, as it was patched in Windows Server 2012 R2 Update (KB2919355).

That update includes this specific KB: 2891362 – A file copy operation fails when files or folders have long paths in Windows Explorer

Symptoms
Consider the following scenario:

You have a computer that is running Windows 8.1, Windows Server 2012 R2, Windows 8, Windows Server 2012, Windows 7 Service Pack 1 (SP1), or Windows Server 2008 R2 Service Pack 1 (SP1).
You use Windows Explorer to try to copy files or folders in order to paste them into some other folder.
The files or folders that you copy have paths that exceed the maximum allowable path length.
In this scenario, the behavior of the copy operation is unreliable and fails because of the length of the file or folder path. Additionally, you may experience one of the following symptoms:

The copy operation fails and generates a message that states that the path (file name) is too long. The message also suggests that you shorten the file name and try to copy again.
The copy operation does not start. In this case, no message is generated.
The copy operation starts, copies a few files or folders, and then fails without generating a message.
This problem may prevent some files or folders from being copied. You may not realize that the problem occurred if you do not receive an error message. Different symptoms may occur, depending on how the files are selected for copying.

Note This problem can also occur when you try to copy files or folders from Volume Shadow Copy Service snapshots if the file or folder length in the snapshot exceeds the maximum path length.

Apply the KB to fix the problem for good ! If you can’t, shorten the path to make the copy.

 

Windows Server – Stress that spooler ! – The terminal Server session will love you after

Today I will share a tip that is useful to stress test the windows spooler.

Any TS admin knows how frustrating it can be to debug the print spooler, as the spooler service will often stop or hang at 100% CPU usage.

The problem does not arise much when a customer uses the Terminal Server Easy Print driver, but a lot of older TS servers do not use it, or they still need old drivers for special printers.

To stress test the driver I found a useful Citrix tool... wait, Citrix ? Yes: as everyone knows, XenApp is built on top of the Terminal Server service, so their tool can be used without problem to test a TS.

The tool is StressPrinter (https://support.citrix.com/article/CTX109374)

[Image: TtjEx.gif]

I will quote the tool info;

Many printer driver problems in Terminal Services/Remote Desktop Services environments revolve around poor multi-threaded performance, which in turn can cause print spooler instability. Problematic multi-threaded performance is usually exposed when multiple users connect to a Terminal Server simultaneously using the same printer driver. Symptoms include the failure to autocreate client printers, increased thread count of the printer spooler and/or Citrix Print Manager services, and possibly the unresponsiveness and/or unexpected termination of these services (stop responding).

This tool can be used to simulate multiple sessions auto-creating printers using the same printer driver.

It can also be used to compare the following among various drivers:

  • CPU load incurred while creating a printer using a particular driver
  • Time required to successfully create a printer using a particular driver

Note: The current version of the tool does not test concurrent printer capabilities, settings, or actual printing calls, which are also possible causes of failing to print. Therefore, good/passing stress results do not always mean that printers are actually working or certified.

 

Now with that tool we can stress the driver a bit more to find the culprit before it crashes live. One more tool in our toolbox 🙂

Windows/Linux/BSD – How to check if the memory is functioning in ECC mode

In case the BIOS does not show the memory configuration, in Windows you can issue this simple command to check whether the memory is working in ECC mode.

wmic MEMORYCHIP get DataWidth,TotalWidth

You will get an output like this:

[Screenshot: 10-21-2016 2-12-38 PM.png]

The number to watch is the TotalWidth:

64 = Not ECC

72 = ECC

As a bonus, if you are running a BSD or Linux OS, a similar command exists: dmidecode -t 17 or dmidecode -t memory

It would give an output like :

dmidecode 2.12
SMBIOS 2.5 present.

Handle 0x1100, DMI type 17, 28 bytes
Memory Device
Array Handle: 0x1000
Error Information Handle: Not Provided
Total Width: 72 bits
Data Width: 64 bits
Size: 2048 MB
Form Factor: DIMM
Set: 1
Locator: DIMM1
Bank Locator: Not Specified
Type: DDR2
Type Detail: Synchronous
Speed: 667 MHz
Manufacturer: AD00000000000000
Serial Number: 00002062
Asset Tag: 010839
Part Number: HYMP125P72CP8-Y5
Rank: 2

You need to watch the Total Width again; here it is 72, for ECC.

PowerShell – RDS – XenApp – Force password change for accounts near the password’s expiration date

Hi everyone !

Today I will talk about a small tip for when you want to make sure no password expiration happens during the day.

Why the tip:

  • It’s a way to prevent any user from needing to change the password during a live TS session, and at the same time would force a re-logon.
    • It will force the user to change it at the connection attempt in the morning.
  • If you use the Citrix Receiver on the Windows client OS with the SSO option and your PN Agent site is set to Pass-through Authentication, then this will happen:
    • The Receiver will ask for a password change during the attempt to launch the published application.
    • As the password changed, the Receiver will pop up a window to enter the new user credentials.
    • Indirectly, the Citrix Receiver is now set to manual authentication, no longer using pass-through authentication (until the next time the user changes his password…)

The tip makes the password expire X time before the real password expiration.

# This PowerShell script will query Active Directory and return the user accounts with passwords
# set to expire before the end of the next day, display a list of the affected accounts, and require
# a password change at the next logon.  The script is configured to ignore accounts which have been
# configured with passwords that never expire, and to ignore accounts that do not have permission to
# change their own password.  Any other account would be affected, so be warned before running this
# script, as you could experience unintended consequences.  Either modify the script to reduce the
# scope of user accounts, or ensure that accounts that shouldn't be affected are flagged either with
# a non-expiring password or with "cannot change password".  Before running/scheduling in
# production, test by adding -WhatIf to the Set-ADUser call on the last line.
#
# – MWT, 10/11/13

# The 89 is based upon your environment. If passwords expire every X (90) days, and you run the script
# in the early morning, you can set it to -1*(X-1) (-89), if you run the script late at night, set it to
# -1*(X-2) (-88).

Import-Module ActiveDirectory # Required for PowerShell 2.0 only

# Cutoff date: accounts whose password was last set before this date are selected
$a = (Get-Date).Date.AddDays(-88)

# The following line will build the variable based upon the noted criteria
$b = Get-ADUser -SearchBase "OU=Contonso,DC=com" -Property Name,SamAccountName,PasswordLastSet,CannotChangePassword,PasswordNeverExpires -Filter {(PasswordLastSet -lt $a) -and (PasswordNeverExpires -eq $false) -and (Enabled -eq $true)} | Where-Object {$_.CannotChangePassword -eq $false}

# The following line will display the accounts to be changed; pipe it to Out-File with a path
# that suits your needs if you want to keep a log.
$b | Format-Table Name,PasswordLastSet,CannotChangePassword,PasswordNeverExpires -AutoSize

# The following line will actually flag the accounts to require a password change
# (append -WhatIf to Set-ADUser to preview without changing anything)
$b | ForEach-Object {Set-ADUser -Identity $_ -ChangePasswordAtLogon $true}

With that script in place, it can be scheduled to run each day after the work shift. A -WhatIf can be added to the last line to test the command before running it live.

On top of that tip, we can change the password expiration warning to less than the value we configured in the script. For example, in the script I use -2, so for the password expiration warning I would set it to 1. That way I’m sure the users are not reminded to change their password in the session/at login.

The group policy to alter this default can be found at: Computer Configuration\Windows Settings\Local Policies\Security Options under Interactive Logon: Prompt user to change password before expiration

 

Thanks !

 

 

 

NB: the original script was taken from there, but I modified it to work on newer OSes.