SOLVED

Unable to install RD Connection Broker role service | Domain Controller | Windows Server 2012 R2


Hi All,

 

I just recently installed an additional DC on our domain. I'm on the isolated test environment right now. The issue I'm having is that I cannot install an RDP feature for my domain controller. Whenever I try to install it, it says "Unable to install RD Connection Broker role service on server (my domain name)". It all happened when I promoted the server to a domain controller.

3 Replies
Best Response confirmed by spacegabx (Occasional Contributor)
Solution

Hi @spacegabx 

 

According to this document, the configuration is not supported.

 

https://support.microsoft.com/en-us/help/2799605/remote-desktop-services-role-cannot-co-exist-with-a...

 

However, the article mentions a Servicing Stack Update that allows this configuration.

 

https://support.microsoft.com/en-us/help/2871777/a-servicing-stack-update-is-available-for-windows-r...

 

Try installing the SSU and see how it goes.

 

Hope this helps,

Mark

I hope Mark's suggestion below helps. However, please do not expose your RDP server over the internet unsecured. Please see this FBI article about increasing attacks against exposed RDP ports: https://www.ic3.gov/media/2018/180927.aspx

If you must access RDP over the Internet, please use a VPN solution - avoid those flagged by CISA such as Pulse VPN. Using NAT or changing the RDP port will not help due to BlueKeep vulnerabilities. If you find VPN too complicated, you should consider solutions similar to TruGrid SecureRDP.

Best.

KPA
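
A read-only way to check the exposure this reply warns about, added here as an example and not part of any post in the thread: it reports whether RDP is enabled, whether Network Level Authentication is on, which port the listener uses, and which inbound firewall rules admit any source address to that port. The variable names and the wording of the findings are illustrative; port ranges in firewall rules are not expanded.

```powershell
# Added example: read-only audit of how this server exposes RDP.
# Run in an elevated PowerShell session on the server being checked.

$ts  = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'
$tcp = Join-Path $ts 'WinStations\RDP-Tcp'

# Listener state straight from the registry
$rdpEnabled = (Get-ItemProperty -Path $ts  -Name fDenyTSConnections).fDenyTSConnections -eq 0
$nlaOn      = (Get-ItemProperty -Path $tcp -Name UserAuthentication).UserAuthentication -eq 1
$port       = (Get-ItemProperty -Path $tcp -Name PortNumber).PortNumber

# Enabled inbound allow rules that cover the listener's TCP port,
# whatever port it has been moved to
$rules = Get-NetFirewallRule -Direction Inbound -Enabled True -Action Allow |
    ForEach-Object {
        $pf = $_ | Get-NetFirewallPortFilter
        $coversPort = ($pf.LocalPort -contains "$port") -or ($pf.LocalPort -contains 'Any')
        if ($pf.Protocol -eq 'TCP' -and $coversPort) {
            $af = $_ | Get-NetFirewallAddressFilter
            [pscustomobject]@{
                Rule          = $_.DisplayName
                Profile       = $_.Profile
                RemoteAddress = ($af.RemoteAddress -join ',')
                AnySource     = ($af.RemoteAddress -contains 'Any')
            }
        }
    }

# Turn the raw settings into findings
$findings = @()
if ($rdpEnabled -and -not $nlaOn) {
    $findings += 'RDP is enabled without Network Level Authentication.'
}
if ($port -ne 3389) {
    $findings += "Listener moved to TCP $port; the service is still reachable on that port."
}
foreach ($r in ($rules | Where-Object AnySource)) {
    $findings += "Firewall rule '$($r.Rule)' ($($r.Profile)) allows any remote address."
}

[pscustomobject]@{
    RdpEnabled = $rdpEnabled
    NlaEnabled = $nlaOn
    Port       = $port
    Rules      = $rules
    Findings   = $findings
}
```

The host firewall is only one layer: a rule scoped to the VPN subnet here still depends on the perimeter not forwarding the port from the Internet.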
Hello KPA,

Thank you for this. I'm also aware, and our organization is using a secured and trusted VPN, but we still keep monitoring every day for possible attacks through RDP. I'll look at the link you provided to gain more awareness of this.

Thanks,

spacegabx