TS Web Access Computers Security Group Configuration

Microsoft.Windows.Server.RemoteDesktopServices.2012.NewUnitMonitor_26 (UnitMonitor)

This object monitors the configuration of the TS Web Access Computers security group.

Knowledge Base article:

Summary

The RemoteApp and Desktop Connection Management service uses the TS Web Access Computers security group on the RD Connection Broker server to control who can communicate with the service. The TS Web Access Computers group must exist and be populated with the appropriate members.

Resolutions

To resolve this issue, check the event ID, and then view the troubleshooting information for that event in the sections below.

Resolution steps for the following event ID: 1006

Create a TS Web Access Computers security group

The TS Web Access Computers security group must exist on the RD Connection Broker server.

To perform these procedures, you must have membership in the local Administrators group, or you must have been delegated the appropriate authority.

Note: If you are creating a TS Web Access Computers security group on a domain controller, you should use the procedure named "To create the TS Web Access Computers security group when using a domain controller".

To create the TS Web Access Computers security group on the RD Connection Broker server:

1. On the RD Connection Broker server, open Server Manager. To open Server Manager, click Start, point to Administrative Tools, and then click Server Manager.

2. Expand Configuration, expand Local Users and Groups, and then click Groups.

3. Right-click Groups, and then click New Group.

4. In the Group name box, type TS Web Access Computers.

5. Click Add to add the appropriate members, and then click Create.

6. Click Close.

If you need to create the TS Web Access Computers security group on a domain controller, you must create the group by using Active Directory Users and Computers.

To create the TS Web Access Computers security group when using a domain controller:

1. On the domain controller, click Start, point to Administrative Tools, and then click Active Directory Users and Computers.

2. Right-click Builtin, point to New, and then click Group.

3. In the Group name box, type TS Web Access Computers, and then click OK.

4. Close Active Directory Users and Computers.

Resolution steps for the following event ID: 1007

To resolve this issue, you must add the RD Web Access server to the TS Web Access Computers group on the RD Connection Broker server.

To perform this procedure, you must have membership in the local Administrators group, or you must have been delegated the appropriate authority.

To add the RD Web Access server to the TS Web Access Computers group on the RD Connection Broker server:

1. On the RD Connection Broker server, open Server Manager. To open Server Manager, click Start, point to Administrative Tools, and then click Server Manager.

2. Expand Configuration, expand Local Users and Groups, and then click Groups.

3. Right-click TS Web Access Computers, and then click Add to Group.

4. Click Add.

5. Click Object Types, select the Computers check box, and then click OK.

6. In the Enter the object names to select box, type the name of the RD Web Access server, and then click OK.

7. Click OK to close the TS Web Access Computers dialog box.

If this does not resolve the issue and you are using a non-Microsoft application, verify that the account whose credentials the application uses to make the Remote Procedure Call is a member of the TS Web Access Computers group on the RD Connection Broker server.
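
The checks behind the event ID 1006 and 1007 resolutions can also be scripted. The following is an added example, not part of the management pack or the original article. It assumes Windows PowerShell 5.1 with the Microsoft.PowerShell.LocalAccounts module, an elevated session on an RD Connection Broker that is not a domain controller, and a constructed sample account name (CONTOSO\RDWEB01$); the function name is hypothetical.

```powershell
# Added example: audit (and optionally repair) the local group on the RD Connection Broker.
function Test-TSWebAccessGroup {
    param(
        # Computer accounts expected in the group. The default is a constructed
        # sample value; replace it with your RD Web Access server account(s).
        [string[]]$ExpectedMember = @('CONTOSO\RDWEB01$'),
        # Without -Repair the function only reports what it finds.
        [switch]$Repair
    )
    $name = 'TS Web Access Computers'

    # Event ID 1006 resolution: the group must exist on the RD Connection Broker.
    $group = Get-LocalGroup -Name $name -ErrorAction SilentlyContinue
    if (-not $group) {
        Write-Warning "Group '$name' does not exist (see event ID 1006)."
        if (-not $Repair) { return }
        New-LocalGroup -Name $name | Out-Null
    }

    # Event ID 1007 resolution: the RD Web Access server must be a member.
    $current = @(Get-LocalGroupMember -Group $name | Select-Object -ExpandProperty Name)
    foreach ($member in $ExpectedMember) {
        if ($current -notcontains $member) {
            Write-Warning "$member is not a member of '$name' (see event ID 1007)."
            if ($Repair) { Add-LocalGroupMember -Group $name -Member $member }
        }
    }

    # Membership grants access to the service, so list anything beyond the
    # expected accounts for review instead of changing it automatically.
    $current | Where-Object { $ExpectedMember -notcontains $_ } |
        ForEach-Object { Write-Warning "Unexpected member of '$name': $_" }
}

Test-TSWebAccessGroup    # report only; add -Repair to create the group and add members
```

Unexpected members are reported but never removed, so any removal stays a deliberate administrative decision.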

Resolution steps for the following event ID: 1010

To resolve this issue, do one of the following:

To perform these procedures, you must have membership in the local Administrators group, or you must have been delegated the appropriate authority.

Add the RD Connection Broker computer account to the TS Web Access Computers group on the RD Session Host server

You can modify the membership of the TS Web Access Computers group by using Server Manager.

To add the RD Connection Broker computer account to the TS Web Access Computers group on the RD Session Host server:

1. On the RD Session Host server, open Server Manager. To open Server Manager, click Start, point to Administrative Tools, and then click Server Manager.

2. Expand Configuration, expand Local Users and Groups, and then click Groups.

3. Right-click TS Web Access Computers, and then click Add to Group.

4. Click Add.

5. Click Object Types, select the Computers check box, and then click OK.

6. In the Enter the object names to select box, type the name of the RD Connection Broker server, and then click OK.

7. Click OK to close the TS Web Access Computers dialog box.

Modify the DCOM permissions on the RD Session Host server

You can modify the DCOM permissions on the RD Session Host server by using the Component Services console.

To modify the DCOM permissions on the RD Session Host server:

1. On the RD Session Host server, open the Component Services console. To open the Component Services console, click Start, point to Administrative Tools, and then click Component Services.

2. Expand Component Services, right-click My Computer, and then click Properties.

3. Click the COM Security tab.

4. Under Access Permissions, click Edit Limits.

5. Click Add.

6. Click Object Types, select the Computers check box, and then click OK.

7. In the Enter the object names to select box, type TS Web Access Computers and then click OK.

8. Click the Remote Access check box in the Allow column, and then click OK.

9. Under Launch and Activation Permissions, click Edit Limits.

10. Click Add.

11. Click Object Types, select the Computers check box, and then click OK.

12. In the Enter the object names to select box, type TS Web Access Computers and then click OK.

13. Click the Remote Launch, Local Activation, and Remote Activation check boxes in the Allow column, and then click OK.

14. Click OK to close the My Computer dialog box.

Modify the WMI settings on the RD Session Host server

You must modify the WMI settings by using the WmiMgmt console, and allow WMI calls through the Windows Firewall on the RD Session Host server.

To modify the WMI settings on the RD Session Host server:

1. On the RD Session Host server, click Start, and then click Run.

2. Type wmimgmt.msc and then click OK.

3. Right-click WMI Control, and then click Properties.

4. Click the Security tab.

5. Navigate to Root\CIMV2\TerminalServices.

6. Click Security, and then click Add.

7. Click Object Types, select the Computers check box, and then click OK.

8. In the Enter the object names to select box, type TS Web Access Computers and then click OK.

9. Click the Execute Methods, Enable Account, and Remote Enable check boxes in the Allow column, and then click OK.

10. Click OK to close the WMI Control dialog box.

11. Close the wmimgmt console.

You can allow WMI calls through the Windows Firewall by using the Windows Firewall console.

To allow WMI calls through the Windows Firewall:

1. On the RD Session Host server, open the Windows Firewall console. To open the Windows Firewall console, click Start, click Control Panel, and then under the System and Security heading, click Check firewall status.

2. Click Allow a program or feature through Windows Firewall.

3. Select the check box next to Windows Management Instrumentation (WMI), and then click OK.

4. Close the Windows Firewall console.

Element properties:

Target: Microsoft.Windows.Server.2012.RemoteDesktopServicesRole.Service.RDConnectionBroker
Parent Monitor: System.Health.ConfigurationState
Category: Custom
Enabled: True
Alert Generate: True
Alert Severity: MatchMonitorHealth
Alert Priority: High
Alert Auto Resolve: True
Monitor Type: Microsoft.Windows.2SingleEventLogManualReset3StateMonitorType
Remotable: True
Accessibility: Public
Alert Message: TS Web Access Computers Security Group Configuration Alert
    Event ID: {0} -- Description: {1}
RunAs: Default

Source Code:

<UnitMonitor ID="Microsoft.Windows.Server.RemoteDesktopServices.2012.NewUnitMonitor_26" Accessibility="Public" Enabled="true" Target="Microsoft.Windows.Server.2012.RemoteDesktopServicesRole.Service.RDConnectionBroker" ParentMonitorID="SystemHealth!System.Health.ConfigurationState" Remotable="true" Priority="Normal" TypeID="Windows!Microsoft.Windows.2SingleEventLogManualReset3StateMonitorType" ConfirmDelivery="true">
  <Category>Custom</Category>
  <AlertSettings AlertMessage="Microsoft.Windows.Server.RemoteDesktopServices.2012.NewUnitMonitor_26_AlertMessageResourceID">
    <AlertOnState>Warning</AlertOnState>
    <AutoResolve>true</AutoResolve>
    <AlertPriority>High</AlertPriority>
    <AlertSeverity>MatchMonitorHealth</AlertSeverity>
    <AlertParameters>
      <AlertParameter1>$Data/Context/EventDisplayNumber$</AlertParameter1>
      <AlertParameter2>$Data/Context/EventDescription$</AlertParameter2>
    </AlertParameters>
  </AlertSettings>
  <OperationalStates>
    <OperationalState ID="UIGeneratedOpStateId74b9c3813e9c4e8883f42823a37e7112" MonitorTypeStateID="ManualResetEventRaised" HealthState="Success"/>
    <OperationalState ID="UIGeneratedOpStateId5c2cdc5241d54b88bf7fcfcac5459fa7" MonitorTypeStateID="SecondEventRaised" HealthState="Warning"/>
    <OperationalState ID="UIGeneratedOpStateIdd35204e2769a4a998123af3fbbab7608" MonitorTypeStateID="FirstEventRaised" HealthState="Error"/>
  </OperationalStates>
  <Configuration>
    <FirstComputerName>$Target/Host/Host/Property[Type="Windows!Microsoft.Windows.Computer"]/NetworkName$</FirstComputerName>
    <FirstLogName>Microsoft-Windows-RemoteApp and Desktop Connection Management/Admin</FirstLogName>
    <FirstExpression>
      <And>
        <Expression>
          <SimpleExpression>
            <ValueExpression>
              <XPathQuery Type="String">Channel</XPathQuery>
            </ValueExpression>
            <Operator>Equal</Operator>
            <ValueExpression>
              <Value Type="String">Microsoft-Windows-RemoteApp and Desktop Connection Management/Admin</Value>
            </ValueExpression>
          </SimpleExpression>
        </Expression>
        <Expression>
          <SimpleExpression>
            <ValueExpression>
              <XPathQuery Type="UnsignedInteger">EventDisplayNumber</XPathQuery>
            </ValueExpression>
            <Operator>Equal</Operator>
            <ValueExpression>
              <Value Type="UnsignedInteger">1006</Value>
            </ValueExpression>
          </SimpleExpression>
        </Expression>
      </And>
    </FirstExpression>
    <SecondComputerName>$Target/Host/Host/Property[Type="Windows!Microsoft.Windows.Computer"]/NetworkName$</SecondComputerName>
    <SecondLogName>Microsoft-Windows-RemoteApp and Desktop Connection Management/Admin</SecondLogName>
    <SecondExpression>
      <And>
        <Expression>
          <SimpleExpression>
            <ValueExpression>
              <XPathQuery Type="String">Channel</XPathQuery>
            </ValueExpression>
            <Operator>Equal</Operator>
            <ValueExpression>
              <Value Type="String">Microsoft-Windows-RemoteApp and Desktop Connection Management/Admin</Value>
            </ValueExpression>
          </SimpleExpression>
        </Expression>
        <Expression>
          <Or>
            <Expression>
              <SimpleExpression>
                <ValueExpression>
                  <XPathQuery Type="UnsignedInteger">EventDisplayNumber</XPathQuery>
                </ValueExpression>
                <Operator>Equal</Operator>
                <ValueExpression>
                  <Value Type="UnsignedInteger">1007</Value>
                </ValueExpression>
              </SimpleExpression>
            </Expression>
            <Expression>
              <SimpleExpression>
                <ValueExpression>
                  <XPathQuery Type="UnsignedInteger">EventDisplayNumber</XPathQuery>
                </ValueExpression>
                <Operator>Equal</Operator>
                <ValueExpression>
                  <Value Type="UnsignedInteger">1010</Value>
                </ValueExpression>
              </SimpleExpression>
            </Expression>
          </Or>
        </Expression>
      </And>
    </SecondExpression>
  </Configuration>
</UnitMonitor>
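
The monitor's event filter can be reproduced directly against the RD Connection Broker to see which events would drive it into the Error or Warning state. This is an added example, not part of the management pack; the function name and the seven-day look-back window are assumptions.

```powershell
# Added example: query the same channel and event IDs the monitor matches.
function Get-TSWebAccessGroupEvent {
    param(
        [string]$ComputerName = $env:COMPUTERNAME,    # RD Connection Broker to query
        [datetime]$Since = (Get-Date).AddDays(-7)      # look-back window (assumption)
    )
    # Health state per event ID, taken from the monitor definition:
    # FirstExpression (1006) -> Error, SecondExpression (1007 or 1010) -> Warning.
    $state = @{ 1006 = 'Error'; 1007 = 'Warning'; 1010 = 'Warning' }

    $filter = @{
        LogName   = 'Microsoft-Windows-RemoteApp and Desktop Connection Management/Admin'
        Id        = 1006, 1007, 1010
        StartTime = $Since
    }

    # Get-WinEvent reports "no matching events" as an error; SilentlyContinue
    # turns that case into an empty result.
    Get-WinEvent -ComputerName $ComputerName -FilterHashtable $filter -ErrorAction SilentlyContinue |
        Sort-Object TimeCreated |
        ForEach-Object {
            [pscustomobject]@{
                TimeCreated  = $_.TimeCreated
                MonitorState = $state[[int]$_.Id]
                # Same layout as the monitor's alert description.
                Alert        = 'Event ID: {0} -- Description: {1}' -f $_.Id, $_.Message
            }
        }
}

Get-TSWebAccessGroupEvent | Format-List
```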