The Remote Desktop Gateway mysterious case of Error 0

Let’s face it, most Active Directory domains were created a long, long time ago. And while most of these have since been migrated to newer versions, the Group Policies were sometimes left as they were. These Group Policy objects are what I like to call “Lingering GPO Settings” 🙂

This case was both simple and complicated: a client had a brand new installation of Windows Server 2012 R2 Remote Desktop Services with various clients connecting to it. Some of those clients were unable to connect to the gateway for no obvious reason. Only a couple of warnings were logged in the Microsoft-Windows-TerminalServices-RDPClient/Operational log:

  • RDPClient_Gateway: An error was encountered when transitioning from AAStateCreatingOutChannel to AAStateError in response to 3 (error code 0x800703E5).
  • RDPClient_Gateway: An error was encountered when transitioning from AAStateInitializingTunnel to AAStateError in response to 6 (error code 0x800703E5).

The problem lay within a Group Policy setting that had been configured quite some time ago. This policy forced the client to use “Send LM & NTLM responses” under Computer Configuration -> Windows Settings -> Security Settings -> Security Options -> Network Security: LAN Manager Authentication Level. Changing that to “Send NTLMv2 response only” immediately enabled those clients to connect.

So while an error may sometimes seem Remote Desktop related, make sure you check all of the underlying technology to ensure security protocol compliance and proper operation.
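As an added check (not part of the original post), the following PowerShell audits the client side of this case: it reads the effective LAN Manager Authentication Level that the policy above writes to the registry and pulls the RDPClient_Gateway warnings carrying error code 0x800703E5 from the Operational log. The level names are the standard values of that policy; nothing else is assumed.

```powershell
# Added example: audit a client's effective LAN Manager Authentication Level and
# list the RD Gateway warnings described in the post.
$levelNames = @{
    0 = 'Send LM & NTLM responses'
    1 = 'Send LM & NTLM - use NTLMv2 session security if negotiated'
    2 = 'Send NTLM response only'
    3 = 'Send NTLMv2 response only'
    4 = 'Send NTLMv2 response only. Refuse LM'
    5 = 'Send NTLMv2 response only. Refuse LM & NTLM'
}

# "Network Security: LAN Manager Authentication Level" is stored as LmCompatibilityLevel here.
$lsaKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
$level  = (Get-ItemProperty -Path $lsaKey -Name LmCompatibilityLevel -ErrorAction SilentlyContinue).LmCompatibilityLevel

if ($null -eq $level) {
    # Not set explicitly: Windows Vista / Server 2008 and later default to level 3 (NTLMv2 only).
    Write-Output 'LmCompatibilityLevel not set; the OS default (3, NTLMv2 only) applies.'
} else {
    Write-Output ("LmCompatibilityLevel = {0} ({1})" -f $level, $levelNames[[int]$level])
    if ($level -lt 3) {
        Write-Warning 'Client may still send LM/NTLMv1 responses; raise the level to at least 3 (NTLMv2 only).'
    }
}

# Show the RDPClient_Gateway state-transition warnings with error code 0x800703E5 (ERROR_IO_PENDING).
$log = 'Microsoft-Windows-TerminalServices-RDPClient/Operational'
Get-WinEvent -LogName $log -ErrorAction SilentlyContinue |
    Where-Object { $_.Message -match 'AAStateError' -and $_.Message -match '0x800703E5' } |
    Select-Object TimeCreated, Id, @{ n = 'Message'; e = { $_.Message -replace '\s+', ' ' } } |
    Format-Table -AutoSize -Wrap
```

Run it on an affected client; a level below 3 together with those events points at the lingering GPO rather than at the gateway itself.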

Merging VHD

Last night I had to troubleshoot a low free space alert on a cluster. While everything looked normal and no checkpoints or backups of virtual machines were on the Cluster Shared Volume, a problem with the backup software had flown under the radar and created a massive problem! There was an offending VM that was backed up normally and no checkpoints existed, but its VHD files were differencing disks. A situation most of the IT Pros out there are familiar with.

So how do you rectify this? This VM had grown to a TB of data and, while no checkpoints existed, it had over 300 differencing VHD files. Restoring such a VM would take hours, so that’s not a great option. I first started by copying over the XML configuration files of the virtual machine and importing the VM again with no VHD drives on it. So far so good: we have a working VM with the same GUID and the same network adapters, but with no drives.

{Powershell} to the rescue!

PowerShell is capable of doing amazing things, so I wrote this little script that gets each drive and then merges all of the VHD files into the parent so that you can attach it again to the virtual machine. Enjoy!
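The author's script is not reproduced on this page; the following is an added example (not the author's code) that does the core job described: it walks a differencing-disk chain from the leaf file up to the root parent and merges each level into its parent with the Hyper-V module's Merge-VHD. It assumes the Hyper-V module is installed and that the disks are detached from the VM, and the `$LeafPath` parameter is the newest file in the chain.

```powershell
# Added example: merge a differencing VHD/VHDX chain back into its root parent.
# Assumes the Hyper-V PowerShell module is available and the chain is not in use by a VM.
param(
    [Parameter(Mandatory)][string]$LeafPath   # the newest differencing disk the VM last used
)

Import-Module Hyper-V -ErrorAction Stop

# Walk from the leaf towards the root, collecting every differencing disk on the way.
$current = Get-VHD -Path $LeafPath
$chain   = @()
while ($current.ParentPath) {
    $chain  += $current
    $current = Get-VHD -Path $current.ParentPath
}
$root = $current.Path
Write-Output ("Chain depth: {0}; root disk: {1}" -f $chain.Count, $root)

# Merge each child into its immediate parent, leaf first, so every level ends up in the root.
# (Merge-VHD can also merge straight into any ancestor via -DestinationPath; one level at a
# time keeps progress visible for a long chain.)
foreach ($child in $chain) {
    Write-Output ("Merging {0} -> {1}" -f $child.Path, $child.ParentPath)
    Merge-VHD -Path $child.Path -DestinationPath $child.ParentPath -ErrorAction Stop
}

# Sanity check before reattaching: the root must now be a plain, non-differencing disk.
$final = Get-VHD -Path $root
if ($final.VhdType -eq 'Differencing') {
    throw "Root disk $root is still a differencing disk; inspect its ParentPath before attaching it."
}
Write-Output "Done. Attach $root to the VM with Add-VMHardDiskDrive."
```

Run it once per virtual drive of the re-imported VM, then attach each merged root disk back to the VM.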


New Windows Insider build for Server 2016

Microsoft's promise regarding the release cycle is becoming reality. In a very detailed blog post, Dona Sarkar announces the new Server build that you can download as a member of the Windows Insider Program or Windows Insider for Business. Some of the new capabilities, as the article lists them:


General Scenario Highlights

Developers and Containers:

  • New base container images (available on Windows Insider Docker Hub repo)
    • Optimized Nano Server base image (over 70% smaller)
      • The .NET team is providing a preview image based on Nano Server with .NET Core 2.0
      • The PowerShell team is providing a preview image based on PowerShell 6.0
    • Optimized Server Core base image (over 20% smaller)
  • Support for SMB volume mounting
  • Infrastructure for Orchestrators
    • Networking enhancements for ongoing Kubernetes work
    • Named pipe mapping support
  • Bug fixes, performance enhancements

Cloud Guest:

  • IIS
    • TLS info: administrators can make specific recommendations to default to HTTPS
  • Disaster Recovery
    • Storage Replica Test Failover
  • Guest + Host better together
    • vPMEM in Guest: Tenants can use and manage PMEM/SCM
    • Tenant-Aware VM Start Ordering: App Ready / OS Heartbeat for better load balancing
    • Guest RDMA
  • Improvement in time accuracy
  • Azure enlightened clusters – optimized to run on Azure IaaS

Cloud Host:

  • Software Defined Data Center (SDDC) host
    • Security
      • Shielded Linux VM
      • SDN: Encrypted virtual networks
      • Secure clusters
      • SMB 1 disabled by default
    • Resiliency and Availability
      • SDN: Reduced downtime for tenant connections through gateways
      • Spaces Direct: Scoped Spaces to mitigate impact of multi-node loss
      • Spaces Direct: Marginal drive handling for predictive detection of drive failures
    • Efficiency
      • Data Deduplication available for ReFS
      • New Data Deduplication DataPort API for optimized ingress/egress
      • Space efficiency with ReFS Compaction
      • Performant Spaces Direct Multi Resilient Volumes (MRV)
    • Hyper-converged Scale
      • Cluster Sets: Significantly increases hyper-converged SDDC cloud scale by grouping multiple clusters into a larger fabric
    • Hardware support
      • Support for Storage Class Memory (SCM) in Spaces Direct

RDS Modern infrastructure

At the Inspire conference Microsoft made the first announcements about RDS Modern Infrastructure. This is the biggest change to Remote Desktop in recent years, using Azure App Services as well as new features such as the RD HTML5 Client! You can also sign up to try the new features in Preview when they become available!

Wiki Ninja contest 2017!

Last December I wrote an article regarding the installation of Windows Server 201x using an unattend.xml file, a sysprepped VM and some PowerShell code. The story is about an IT guy who needs to get things up and running blazingly fast when deploying. He also has to make sure that his setup is consistent no matter how many times the VMs are deployed, plus the fact that you simply can’t open a Hyper-V Manager console on Server Core.

So if you need to spin up a VM and have it deployed with a specified password and IP and all of the configuration needed for remoting, you need a way to provide all of this during the installation and simply start the VM. Sounds great, but wait a minute.

How do you configure all of these settings without console access? How do you do that if you simply have a Windows Server 2016 core and nothing else? Or if you do not want to use a whole bunch of consoles and mouse clicks?

The solution is easy: use unattend.xml files with a sysprepped VM. In the article I posted on the TechNet Wiki you will find a sample unattend.xml which you can customize, along with sample PowerShell code. The script creates a new VM, copies the sysprepped disk into it, creates a new VHD containing the unattend.xml file and spins up the VM. In a few minutes… voila! The VM is ready to accept PowerShell remoting connections, where you can continue with workload setup.
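The sample code lives in the TechNet Wiki article and is not on this page; the following is an added example (my own, not the article's script) of the same procedure: copy the sysprepped template disk, build a small second VHDX with unattend.xml at its root, create the VM with both disks and start it. All paths, the VM name and the switch name are placeholders.

```powershell
# Added example: create a VM from a sysprepped VHDX and hand it an unattend.xml on a
# second data disk so that first boot needs no console. Paths and names are placeholders.
$vmName     = 'SRV-CORE-01'
$switch     = 'External'                               # existing Hyper-V virtual switch
$template   = 'D:\Templates\WS2016-Core-sysprepped.vhdx'
$unattend   = 'D:\Deploy\unattend.xml'                 # your customized answer file
$vmDir      = "D:\VMs\$vmName"
$osDisk     = Join-Path $vmDir "$vmName-OS.vhdx"
$answerDisk = Join-Path $vmDir "$vmName-Unattend.vhdx"

New-Item -ItemType Directory -Path $vmDir -Force | Out-Null

# 1. Each VM gets its own copy of the sysprepped template disk.
Copy-Item -Path $template -Destination $osDisk

# 2. Build a small data disk, place unattend.xml at its root (where the sysprepped image
#    picks it up on first boot, as the article describes), then unmount it.
$vhd  = New-VHD -Path $answerDisk -SizeBytes 256MB -Dynamic
$disk = Mount-VHD -Path $vhd.Path -Passthru | Initialize-Disk -PartitionStyle MBR -PassThru
$vol  = $disk | New-Partition -UseMaximumSize -AssignDriveLetter |
        Format-Volume -FileSystem NTFS -Confirm:$false
Copy-Item -Path $unattend -Destination "$($vol.DriveLetter):\unattend.xml"
Dismount-VHD -Path $vhd.Path

# 3. Create the VM with the OS disk (so it is the boot device), add the answer disk, start it.
New-VM -Name $vmName -Path $vmDir -Generation 2 -MemoryStartupBytes 2GB `
       -SwitchName $switch -VHDPath $osDisk | Out-Null
Add-VMHardDiskDrive -VMName $vmName -Path $answerDisk
Set-VMProcessor -VMName $vmName -Count 2
Start-VM -Name $vmName
Write-Output "$vmName started; once the answer file has applied, continue with Enter-PSSession."
```

Treat the answer file as a secret: it carries the administrator password, so keep the deploy share and the answer disk access-controlled and remove the disk after first boot.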

Nano Server DNS

Nano Server is Microsoft’s new implementation of Windows Server for cloud-born datacenters. Nano has a very small footprint that allows for better security and management. One of the roles supported on Nano Server is the DNS server, and it makes perfect sense to have a Nano DNS server hosting your public DNS records as it will be super lightweight and a born security champion. Here comes the tough part: you have to configure Nano using PowerShell. To add some extra difficulty, your primary DNS server should be located in a DMZ with the smallest possible attack surface, so the only thing allowed would be remote management. Since I have a lot of labs going on and build-up and tear-down are trivial, here are the PowerShell commands to configure your Nano DNS server. This specific code is from an O365 lab where numerous resource records have to be created for the O365 suite to work, so you will get a good example of configuring most of the record types required in a DNS server. It is built for a new DNS zone, but you can easily customize it and simply add records to your zone. Here it is:
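The author's commands are not reproduced on this page; the following is an added example (my own, not the author's code) of the same task: over a PowerShell remoting session to a DMZ Nano Server it creates a file-backed primary zone and adds the A, MX, TXT, CNAME and SRV records an Office 365 tenant needs. The server name `nano-dns01`, the zone `contoso.example` and the IP addresses are placeholders; the Office 365 hostnames are Microsoft's published targets, and the MX host contains a tenant-specific part you must replace.

```powershell
# Added example: configure a public DNS zone on a Nano Server over PowerShell remoting.
$dns  = 'nano-dns01'        # placeholder: Nano Server in the DMZ (name or IP)
$zone = 'contoso.example'   # placeholder public zone
$cred = Get-Credential -Message "Administrator on $dns"

# A workgroup Nano box in the DMZ is not in Kerberos reach, so trust it explicitly for WinRM.
Set-Item WSMan:\localhost\Client\TrustedHosts -Value $dns -Concatenate -Force
$session = New-PSSession -ComputerName $dns -Credential $cred

Invoke-Command -Session $session -ArgumentList $zone -ScriptBlock {
    param($zone)
    # File-backed primary zone (no AD on Nano); no dynamic updates on a public zone.
    Add-DnsServerPrimaryZone -Name $zone -ZoneFile "$zone.dns" -DynamicUpdate None

    # A records for the web presence (constructed placeholder addresses).
    Add-DnsServerResourceRecordA -ZoneName $zone -Name '@'   -IPv4Address '203.0.113.10'
    Add-DnsServerResourceRecordA -ZoneName $zone -Name 'www' -IPv4Address '203.0.113.10'

    # Office 365: mail routing, SPF, Autodiscover, Skype for Business, device enrollment.
    Add-DnsServerResourceRecordMX -ZoneName $zone -Name '@' -Preference 0 `
        -MailExchange 'TENANT-com.mail.protection.outlook.com'    # replace TENANT with yours
    Add-DnsServerResourceRecord -Txt -ZoneName $zone -Name '@' `
        -DescriptiveText 'v=spf1 include:spf.protection.outlook.com -all'
    Add-DnsServerResourceRecordCName -ZoneName $zone -Name 'autodiscover' -HostNameAlias 'autodiscover.outlook.com'
    Add-DnsServerResourceRecordCName -ZoneName $zone -Name 'sip'          -HostNameAlias 'sipdir.online.lync.com'
    Add-DnsServerResourceRecordCName -ZoneName $zone -Name 'lyncdiscover' -HostNameAlias 'webdir.online.lync.com'
    Add-DnsServerResourceRecordCName -ZoneName $zone -Name 'enterpriseregistration' `
        -HostNameAlias 'enterpriseregistration.windows.net'
    Add-DnsServerResourceRecordCName -ZoneName $zone -Name 'enterpriseenrollment' `
        -HostNameAlias 'enterpriseenrollment.manage.microsoft.com'
    Add-DnsServerResourceRecord -Srv -ZoneName $zone -Name '_sip._tls' `
        -DomainName 'sipdir.online.lync.com' -Priority 100 -Weight 1 -Port 443
    Add-DnsServerResourceRecord -Srv -ZoneName $zone -Name '_sipfederationtls._tcp' `
        -DomainName 'sipfed.online.lync.com' -Priority 100 -Weight 1 -Port 5061

    # Review what was created.
    Get-DnsServerResourceRecord -ZoneName $zone | Format-Table -AutoSize
}

Remove-PSSession $session
```

To add records to an existing zone, drop the Add-DnsServerPrimaryZone line and keep the rest.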


SDDC 2016 availability

With the start of Ignite, and exactly as Microsoft promised, the RTM versions of Windows Server 2016 / System Center 2016 are now available for evaluation and labs!

In a few days the regular ISOs will also be available from MSDN, and according to the executives you will be able to purchase them from the beginning of October!


Remote Desktop Commander Lite Is Now Free!

Remote Desktop Commander Lite is now available as a free product! With Remote Desktop Commander you get full control and configuration of your company's Remote Desktop infrastructure! Some of its capabilities are the following:

  • Messaging/alerting users
  • Observing which users are idle, and if so, for how long
  • Observing which users are disconnected, and if so, for how long
  • Observing memory use by application and by user
  • Terminating hung applications or programs that have begun to use excessive resources
  • Shadowing user sessions for troubleshooting/help desk purposes
  • Determining if a user is utilizing too many server resources (e.g. memory or RDP bandwidth)
  • Forcibly logging off or disconnecting users
  • Placing Remote Desktop Session Hosts in drain mode

You can see it in action in this video!

New Transport Advancements in the Anniversary Update for Windows 10 and Windows Server 2016

TechNet Server and tools blog


TCP based communication is used ubiquitously in devices from IoT to cloud servers. Performance improvements in TCP benefit almost every networking workload. The Data Transports and Security (DTS) team in Windows and Devices Group is committed to making Windows TCP best in class. This document will describe the first wave of features in the pipeline of upcoming Windows Redstone releases.

Windows is introducing new TCP features in the Anniversary Update for Windows 10 and Windows Server 2016 releasing summer 2016. In this document we will describe five key features designed to reduce latency, improve loss resiliency and to promote better network citizenship. The goals when starting out were to decrease TCP connection setup time, increase TCP startup speed and to decrease time to recover from packet loss.

Here is a summary of the feature list:

  1. TCP Fast Open (TFO) for zero RTT TCP connection setup. IETF RFC 7413 [1]
  2. Initial Congestion Window 10 (ICW10) by default for faster TCP slow start [5]
  3. TCP Recent ACKnowledgment (RACK) for better loss recovery (experimental IETF draft) [4]
  4. Tail Loss Probe (TLP) for better Retransmit TimeOut response (experimental IETF draft) [3]
  5. TCP LEDBAT for background connections IETF RFC 6817 [2]


TCP Fast Open: TCP Fast Open (TFO) accomplishes zero RTT connection setup time by generating a TFO cookie during the first three-way handshake (3WH) connection setup. Subsequent connections to the same server can use the TFO cookie to connect in zero-RTT. TFO connection setup really just means that TCP can carry data in the SYN and SYN-ACK. This data can be consumed by the receiving host during the initial connection handshake. TFO is one full Round Trip Time (RTT) faster than the standard TCP setup which requires a three-way handshake. This leads to latency savings and is very relevant to short web transfers over the Internet where the average latency is on the order of 40 msec.

Transport Layer Security (TLS) over TCP using Fast Open is typically two Round Trip Times faster than a standard TLS over TCP connection setup because a client_hello can be included in the SYN packet, saving an additional RTT in the TLS handshake. This savings can add up to a substantial increase in resource efficiency while using busy servers that deliver many small Internet objects to the same clients (standard web page, mobile APP data, etc.). TLS 1.3 is an ongoing effort at the IETF and it will help us achieve zero-RTT connection setup for HTTP workloads in a subsequent release.

Because we are changing the 3WH behavior of TCP there are several issues that we must address and mitigate. Windows recommends that TLS be used over TCP when employing TCP Fast Open to remove the chance that a man in the middle could manipulate TFO cookies for use in amplified DDOS attacks. TLS connections are immune to attacks from behind Shared Public IPs (NATs), however, it is still possible for a compromised host to flood spoofed SYN packets with valid cookies. To address the problem of compromised hosts Windows TFO sets a dynamically adjusted maximum limit on the number of pending TFO connection requests preventing resource exhaustion attacks from compromised hosts running malicious code. Finally, it is possible for the SYN packet to be duplicated in the network. TLS precludes such duplicate delivery but other services need to ensure that TFO is used for idempotent requests. Windows TFO is safe when used as recommended (with TLS) and can provide a substantial increase in resource efficiency.


What’s new in failover clustering: #06 Start Ordering

A new feature will be available in clustering on the new Server 2016: Virtual Machine Start Ordering. With this feature administrators will be able to choose the order in which Virtual Machines start in a Cluster.

You can read about this new feature on the TechNet Blogs.

New MCSA 2016

Although the new Server 2016 is not ready yet, Microsoft has announced the certification for it. For those who are not certified in any technology there will be the corresponding path with the exams below, which grant the MCSA 2016 title:

  1. 20740 – Installation, Storage, and Compute with Windows Server 2016
  2. 20741 – Networking with Windows Server 2016
  3. 20742 – Identity with Windows Server 2016

While for those who are already certified as MCSA 2008 or MCSA 2012 there will be an upgrade through the exam

20743 – Upgrading Your Skills to Windows Server 2016 MCSA

In the meantime there is already a training option with the new Course 10983 Upgrading Your Skills to Windows Server 2016 for those who want to be ready.