RDS CALS not working - how to troubleshoot?
1. Check disk space and delete old snapshots to free space
To fix the snapshot creation failure caused by lack of space, deleted old ZFS snapshots automatically using this script:
#!/bin/bash
# Delete auto20min snapshots older than AGE_MINS minutes (1440 = 24 hours).
AGE_MINS=1440
NOW_TS=$(date +%s)
for disk in vm-180-disk-0 vm-180-disk-1; do
    # List snapshots oldest first and keep only this disk's auto20min ones.
    zfs list -t snapshot -o name,creation -s creation | grep "$disk@auto20min-" | while read -r SNAPLINE; do
        SNAP_NAME=$(echo "$SNAPLINE" | awk '{print $1}')
        # Everything after the first column is the creation time.
        CTIME=$(echo "$SNAPLINE" | awk '{$1=""; print substr($0,2)}')
        SNAP_TS=$(date -d "$CTIME" +%s 2>/dev/null)
        # Skip lines whose creation time could not be parsed.
        if [ -n "$SNAP_TS" ]; then
            AGE=$(( (NOW_TS - SNAP_TS) / 60 ))
            if [ "$AGE" -gt "$AGE_MINS" ]; then
                echo "Deleting $SNAP_NAME (age: $AGE minutes)"
                zfs destroy "$SNAP_NAME"
            fi
        fi
    done
done
This prunes snapshots older than 24 hours automatically.
2. Create AD domain using PowerShell with correct parameters
Used this PowerShell script to create the Active Directory forest with proper (INTERNAL LAN ONLY) domain and passwords:
Import-Module ADDSDeployment
Install-ADDSForest `
    -DomainName "example.local" `
    -DomainNetbiosName "EXAMPLE" `
    -SafeModeAdministratorPassword (ConvertTo-SecureString "[REDACTED]" -AsPlainText -Force) `
    -InstallDns `
    -NoRebootOnCompletion:$false `
    -Force
Ran this from an elevated PowerShell prompt.
3. Add domain users to Remote Desktop Users group in AD
Added all domain users who need RDP access (i.e. everyone) to the “Remote Desktop Users” AD group like this:
$users = @(
    "adminuser",
    "user1",
    "user5",
    "user2",
    "user3",
    "user6",
    "user7",
    "user4",
    "user8"
)
foreach ($user in $users) {
    Add-ADGroupMember -Identity "Remote Desktop Users" -Members $user
}
This enabled these users to log in via Remote Desktop.
4. Set a common password for all AD users
Set a common secure password for all users with this script, for each user to change:
$password = ConvertTo-SecureString "[REDACTED]" -AsPlainText -Force
foreach ($user in $users) {
    $adUser = Get-ADUser -Filter { SamAccountName -eq $user }
    if ($adUser) {
        Set-ADAccountPassword -Identity $adUser -NewPassword $password -Reset
        Set-ADUser $adUser -ChangePasswordAtLogon $false
        Write-Host "Password updated for $user"
    } else {
        Write-Warning "User $user not found."
    }
}
Make sure the user list variable $users is set as above.
5. Set static IP and DNS on the domain controller
Set the IP to static and DNS to localhost and itself, this is the ancient Windows TCP/IP dialogue:
- IP: 192.168.1.10
- Subnet Mask: 255.255.255.0
- Gateway: 192.168.1.1
- DNS Preferred: 127.0.0.1
- DNS Alternate: 192.168.1.10
This ensures reliable FIXED domain name resolution.
6. Verify DNS records for domain and SRV records
Check DNS records with PowerShell commands:
Resolve-DnsName example.local
Resolve-DnsName -Type SRV _ldap._tcp.dc._msdcs.example.local
Ensured these return the correct domain controller IPs and services.
7. Confirm user rights assignment for Remote Desktop
Check user rights assignment for Remote Desktop login in the security policy export:
secedit /export /cfg C:\temp\secpol.cfg
Select-String "SeRemoteInteractiveLogonRight" C:\temp\secpol.cfg
Made sure “Domain Users” and “Administrators” or equivalent were present.
Server administrator user is of course disabled.
8. Install Remote Desktop Session Host role and licensing server
Installed RDS roles with this command and restarted:
Install-WindowsFeature -Name RDS-RD-Server -IncludeManagementTools
Restart-Computer
Verified licensing configuration and that licensing server is detected.
9. Check Remote Desktop firewall rules and enable them
Ensure all inbound Remote Desktop firewall rules are enabled:
Get-NetFirewallRule -Direction Inbound | Where-Object {$_.DisplayName -like '*Remote*Desktop*'} | Enable-NetFirewallRule
Checked the service is running:
Get-Service -Name mpssvc
10. Add domain users to local Remote Desktop Users group
Added domain users to the local Remote Desktop Users group for the server:
foreach ($user in $users) {
    net localgroup "Remote Desktop Users" "$user" /add
}
Ignored errors if user is already a member.
11. Verify RDS CALs are installed and licensing mode
Checked licensing mode and servers:
Get-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\RCM" -Name LicensingMode
Get-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\RCM\Licensing Core" -Name LicenseServers
License mode 4 means “Per User” so we avoid the per device restriction on Workgroup “mode”.
12. Verify licensing server availability
Used “RD Licensing Diagnoser” GUI tool to verify the licensing server is active and no issues exist. Found in Tools top right.
13. Final confirmation of RDP login and hostname
Checked hostname:
hostname
Verify users can log in using the domain format example\username and test Remote Desktop.
14. Confirm shared folder and printer access
Check SMB share permissions for Documents folder:
Get-SmbShareAccess -Name "Documents"
(Get-Acl "D:\Documents").Access | Format-Table IdentityReference, FileSystemRights, AccessControlType -AutoSize
Check shared printers:
Get-Printer | Where-Object {$_.Shared -eq $true} | Format-Table Name, ShareName, Published
Made sure permissions are set to allow necessary user access.
15. Install and open Print Management if needed
Installed Print Services feature and opened Print Management console:
Install-WindowsFeature Print-Services
Start-Process printmanagement.msc
Checked if all (the) printers are available.
16. Verify Remote Desktop Users group and access rights
Check Remote Desktop Users group membership:
net localgroup "Remote Desktop Users"
Confirmed the users in the group can log in.
17. Troubleshoot Remote Desktop Group Policy and security rights
Check group policy application:
gpresult /R
Checked if user rights assignment includes Remote Desktop logon rights:
secedit /export /cfg C:\temp\secpol.cfg
Select-String "SeRemoteInteractiveLogonRight" C:\temp\secpol.cfg
(Adjust policies if needed.)
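The check from steps 7 and 17, taken one step further as an added example (not part of the original write-up): it parses the secedit export, resolves each SID to an account name, and also reads SeDenyRemoteInteractiveLogonRight, which takes precedence over the allow entry. Get-LogonRightHolder is a hypothetical helper name and the $sample text is constructed; on the server, read C:\temp\secpol.cfg instead.

```powershell
# Constructed excerpt of a secedit export, so the example runs offline.
# On the server use: $lines = Get-Content C:\temp\secpol.cfg
$sample = @'
[Privilege Rights]
SeNetworkLogonRight = *S-1-1-0,*S-1-5-32-544
SeRemoteInteractiveLogonRight = *S-1-5-32-544,*S-1-5-32-555
SeDenyRemoteInteractiveLogonRight = *S-1-5-32-546
'@

# Hypothetical helper (not a built-in cmdlet): lists who holds one user right.
function Get-LogonRightHolder {
    param([string[]]$Lines, [string]$Right)
    # Anchor on the full right name so only that exact entry matches.
    $pattern = '^\s*' + [regex]::Escape($Right) + '\s*=\s*(.*)$'
    foreach ($line in $Lines) {
        if ($line -match $pattern) {
            foreach ($entry in ($Matches[1] -split ',')) {
                $entry = $entry.Trim()
                if (-not $entry) { continue }
                $sid  = $null
                $name = $entry                   # bare entries are account names
                if ($entry.StartsWith('*')) {    # '*' marks a SID
                    $sid = $entry.Substring(1)
                    try {
                        $id   = [System.Security.Principal.SecurityIdentifier]::new($sid)
                        $name = $id.Translate([System.Security.Principal.NTAccount]).Value
                    } catch {
                        $name = '(unresolved)'   # deleted account or unreachable domain
                    }
                }
                [pscustomobject]@{ Right = $Right; Sid = $sid; Name = $name }
            }
        }
    }
}

$lines = $sample -split '\r?\n'
$allow = @(Get-LogonRightHolder -Lines $lines -Right 'SeRemoteInteractiveLogonRight')
$deny  = @(Get-LogonRightHolder -Lines $lines -Right 'SeDenyRemoteInteractiveLogonRight')

($allow + $deny) | Format-Table Right, Sid, Name -AutoSize

# A principal listed under both rights cannot log on: the deny right wins.
$allow | Where-Object { $_.Sid -and ($deny.Sid -contains $_.Sid) } |
    ForEach-Object { Write-Warning "$($_.Name) is allowed and denied; deny takes precedence." }
```

SID-to-name translation needs Windows; an entry that cannot be resolved is shown as "(unresolved)" rather than dropped, so stale SIDs in the policy stay visible.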
18. Verify and fix Remote Desktop firewall and Windows Defender Firewall status
Check inbound firewall rules and enable as needed:
Get-NetFirewallRule -Direction Inbound | Where-Object {$_.DisplayName -like '*Remote*Desktop*'} | Enable-NetFirewallRule
Get-Service -Name mpssvc
Made sure Windows Defender Firewall is running for rules to apply.
19. Final user experience validation
Users can continue to log in as before, using username format. Shared folders and printers remain accessible, and Remote Desktop logins work with RDS CALs correctly installed.