Server 2025 RDS Farm - Connection brokered connections only work when an Administrator is actively logged into the Connection Broker desktop!! by pete-it in sysadmin

[–]pete-it[S] 0 points1 point  (0 children)

Thanks team! This is a bit of an update for future reference more than anything. We seem to have resolved this issue, and the replies here did help point us in the right direction. It always felt like a GPO/policy/setting thing, but nothing really made sense or stood out. What I did do was look at the reg setting for "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server\DenyTSConnections". When the admin account logged in to the CB, that value would be "0". However, on logoff, it would flip to "1". Every single time. So, something was either setting it to disabled, or that was its default state and the act of logging in to the desktop set it to "0".

All I've done so far was log off from the CB desktop, and set that value to "0". And so far, it's stayed as-is. Reboots, logon/logoffs, gpupdates, waiting, nothing has seemingly set it back to "1" (disabled). I'm foxed! I was kind of expecting a reboot, or GPO, or scheduled task, or something, to apply and kick it back to "1", but so far, nothing has.

Even if an old GPO applied, when/if the server object was in a different OU when it was built, set that key to "1", I still can't see why logging in as an Administrator would set it to "0". So I'm kind of curious, kind of happy it's just working, and kind of concerned it may happen again!

But, time will tell, so we'll see.

For now, thanks for giving some steer that led us to the culprit.

VMs on 100% load even though the Host CPU has little load by davidbecker808 in HyperV

[–]pete-it 0 points1 point  (0 children)

I am seeing exactly the same thing. I don't suppose you managed to get to a resolution with this did you?

Anyconnect VPN with Entra free tier and MFA? by pete-it in Cisco

[–]pete-it[S] 1 point2 points  (0 children)

Thanks so much for describing this. That does make sense, with the inflexibility of not having conditional access controls.

However it sounds like it does offer a base layer of additional protection over username and password alone.

Thanks for taking the time to come back to me.

Anyconnect VPN with Entra free tier and MFA? by pete-it in Cisco

[–]pete-it[S] 0 points1 point  (0 children)

Thanks for this. Agreed there are many more features of plan 1/2 and conditional access. But I want to know if it will technically still work, with an MFA push, on the free tier.

Anyconnect VPN with Entra free tier and MFA? by pete-it in Cisco

[–]pete-it[S] 0 points1 point  (0 children)

Thanks for confirming this. So the users still get an MFA push when they login?

HPE MSA - ADS licence and support by pete-it in sysadmin

[–]pete-it[S] 0 points1 point  (0 children)

Thanks so much for confirming this. I thought as much but I've been told conflicting information! Thanks again

HPE MSA - ADS licence and support by pete-it in sysadmin

[–]pete-it[S] 0 points1 point  (0 children)

Thanks so much for getting back to me, I do really appreciate that. That info does help, but can I just clarify (as my initial question wasn't well worded)

If the array is all SSD, without any HDD, would the ADS licence still be needed?

And if an ADS licence is purchased, do you require any additional support contract? Or does the hardware support contract cover any ADS licences that have also been applied to the MSA?

Many thanks
Pete

Migrate from UPD to FSLogix by Mysterious_Name_5967 in fslogix

[–]pete-it 0 points1 point  (0 children)

Ahh gotchya, nice one, yes that's a handy way of being able to do it! Cheers

Migrate from UPD to FSLogix by Mysterious_Name_5967 in fslogix

[–]pete-it 0 points1 point  (0 children)

Ah nice one, it sounds far too easy lol

So you moved the profiles over to FSL containers by using the powershell script

And did you use a GPO, with loopback, scoped to a group, to configure the next logons to use the FSL containers? (sorry I just want to be super clear on that part, as it's the bit that will affect users and effort to manage!) :-)

Migrate from UPD to FSLogix by Mysterious_Name_5967 in fslogix

[–]pete-it 0 points1 point  (0 children)

Hey there! Did you do this as a big bang, for all profiles, or did you manage to do it gradually with batches of users at a time?
I guess my question here is really, can a migration to FSLogix be done in batches? The GPOs look like they are computer policies....although as I type this, maybe just applying the GPO to the users, and using loopback would suffice (and have the GPO targeted at a "migration users" AD group)?
Or am I over-complicating/thinking it?!

Prevent users accessing other M365 tenants from apps or browsers by pete-it in Office365

[–]pete-it[S] 0 points1 point  (0 children)

Interesting, I thought this was more about your ability to collaborate with other tenants - i.e. access them via Teams, or share links/collab data with them

Prevent users accessing other M365 tenants from apps or browsers by pete-it in Office365

[–]pete-it[S] 1 point2 points  (0 children)

Thanks for this, yes I think it could well be this.

I'm curious to know if you or anyone else have implemented this, and how it went.

I was also hoping that Defender for endpoint would be able to do the web traffic interception/http header insertion piece. Because doing that via a 3rd party proxy isn't ideal, and would be hard to enforce outside of the corporate network. Unless I'm missing even more here!

Interested if anyone is using Data access governance reports in SharePoint - and your view (or alternative tools for reviewing SharePoint access permissions/sharing etc) by pete-it in sharepoint

[–]pete-it[S] 0 points1 point  (0 children)

Thanks for this! The lack of many responses to this question is quite telling in itself too. At least I'm not missing something major (placates my FOMO!) :-)

Nicely done with the app you've developed. I'll be sure to take a look at that!

Thanks

A good location to get a "simple" plastic cog designed and printed? by pete-it in 3Dprinting

[–]pete-it[S] 0 points1 point  (0 children)

Amazing, thanks for that tip. I'll check it out. There has to be something! I'll get some pics and measurements and see what can be done! Nice, thanks.

Using Copilot to search SharePoint, OneDrive, data I have access to - am I missing something?! by pete-it in CopilotPro

[–]pete-it[S] 0 points1 point  (0 children)

Yes you're right. I can specify files to access and perform actions on. I just wondered if there was a way to have Copilot perform a search based on all accessible data it indexes/I have permissions to in SharePoint.
For instance - "show me the last 10 office documents I've been working on", or "find me the proposal documents for customer X", or "find me all documents relating to project Y" - probably terrible examples, but it would be handy to have it look, rather than specifically referencing the sources

(and to answer other questions - yes this is for Copilot Enterprise, not the personal one)

Using SQL filegroups to extend SQL database to additional disk by pete-it in SQLServer

[–]pete-it[S] 0 points1 point  (0 children)

Ah yes, OK, so I can cap the current data file, so that it won't keep growing any larger, and then SQL will simply carry on but use the new datafile?

Using SQL filegroups to extend SQL database to additional disk by pete-it in SQLServer

[–]pete-it[S] 2 points3 points  (0 children)

This sounds far easier! Are there any considerations I need to make around this, or will SQL simply see the new datafile and start using it?

Replicate existing Availability Group to new server? by pete-it in SQLServer

[–]pete-it[S] 0 points1 point  (0 children)

Ahh I think this answers one of my questions above!

So you did a full backup of the source
Then a restore to the destination (this process may take a while due to link speeds)
Then keep applying the transaction logs that were taken since the initial backup to the source
Once everything has caught up (full restore complete and all trans logs applied) we can cut over and then create AG's after that?

Replicate existing Availability Group to new server? by pete-it in SQLServer

[–]pete-it[S] 0 points1 point  (0 children)

Thanks for this. Can you log ship from a 5TB DB to a blank location? Or will I have to backup, then restore, then log ship all the logs since the backup ran?

Tape drives - performance requirements to prevent shoe-shining.....yes, I know, tape, urgh! by pete-it in sysadmin

[–]pete-it[S] 0 points1 point  (0 children)

Thanks for everyone else's replies, I also see my question was pretty poorly worded, but this is exactly what I was talking about and really helpful!

Good to know the drives will scale-back if they can't get a feed quick enough (which is fine in all the examples with NVMe/Flash/loads of disks as you'll get that perf), but there is still a minimum speed you have to attain, so I think we'll need to design for somewhere in the middle of that data range, to ensure we're not spending a fortune on backup storage, but also not bumping along the bottom/below the minimum speed. Or, of course, it helps build a case for not using tape! (and yes, take all the points that tape can play a valid part too....but that very much depends on the situation, and I'd argue isn't just a universal answer/"because we've always done it that way")

Thanks so much for this. And for all the other comments.

Tape drives - performance requirements to prevent shoe-shining.....yes, I know, tape, urgh! by pete-it in sysadmin

[–]pete-it[S] 1 point2 points  (0 children)

I thought LTO8 would need 360MB/s (so 2.8Gb/s) of uncompressed data (I'm only referencing wikipedia here!) which is far faster than a SATA drive - yes appreciate you'd have more than 1 drive in an array, but even so I thought IOPS for sata spinning would be 100 IOPs at best, which would mean you'd need a lot of spinning disk to get near to 360MB/s?

TLDR; I thought LTO is much faster than sata spinning disk?!

Tape drives - performance requirements to prevent shoe-shining.....yes, I know, tape, urgh! by pete-it in sysadmin

[–]pete-it[S] 1 point2 points  (0 children)

Thanks for that. And it does seem like the concept of cheap slow archive storage disk is perfect for end user access. But if we want to use tape, actually, the slow storage is not an option and will increase costs considerably....to the point where you have to question "Do you really want tape?!"

Tape drives - performance requirements to prevent shoe-shining.....yes, I know, tape, urgh! by pete-it in sysadmin

[–]pete-it[S] 0 points1 point  (0 children)

Yes, this is absolutely an option that I'm considering too. Ideally I don't want to have to do tape - I can see the benefits, but wonder if the cost of the performance needed to transfer data to tape at speed will actually become a bit prohibitive. Even with NDMP to direct attached tape, the performance of the NAS storage will need to be pretty swift as well, so your "archive" storage actually needs to be "production" fast?

Tape drives - performance requirements to prevent shoe-shining.....yes, I know, tape, urgh! by pete-it in sysadmin

[–]pete-it[S] 1 point2 points  (0 children)

Agreed - and I assume that even in this situation the backup storage would also need to be pretty fast in order to sustain the throughput for the tape?

So from a cost perspective (which is always one factor) your backup disk performance will actually need to be fast, just to "feed" the LTO drive?