HP ThinPro T520 - RDS 2012 R2 USB Redircetions

Similar Messages

• RDS 2012 Encrypted USB drives

  So we are about a week into our RDS 2012 VDI roll out. We have made 100% thin clients, in fact we have even replaced the shell. unencrypted flash drives work just fine. They mount up and redirect. However encrypted flash drives are giving us problems.
  It works if we drop back into the thin client and deencrypt but since we replaced the shell our end users can not do this. What options do i have here?

  Hi,
  Firstly please explain what you want to perform. Additionally are you using BitLocker Drive Encryption on your server? Have you used RemoteFX feature on your server?
  “Drive redirection does not provide low-level access to the redirected drive. As such, the following are not supported in the remote session: Managing BitLocker-encrypted USB storage “(Quoted from article).
  Meanwhile take a look at below article.
  Introducing Microsoft RemoteFX USB Redirection: Part 3
  http://blogs.msdn.com/b/rds/archive/2010/11/08/introducing-microsoft-remotefx-usb-redirection-part-3.aspx
  BitLocker: How to deploy on Windows Server 2012
  http://technet.microsoft.com/en-us/library/jj612864.aspx
  RemoteFX USB Redirection in Windows Server 2012 and Windows 8
  http://blogs.msdn.com/b/rds/archive/2012/09/11/remotefx-usb-redirection-in-windows-server-2012-and-windows-8.aspx
  Hope it helps!
  Thanks.

• How do you configure a farm name in RDS 2012?

  I understand Remote Desktop Services has undergo some drastric changes.
  How do you configure a farm name in RDS 2012? Or is the concept around farm name changed in another concept?
  Although I have imported a certificate on the RDCH withe the farm name I want to use. When I click on a RemoteApp on the RD Web Access portal, it does not connect to the right farm name.
  Boudewijn Plomp, BPMi Infrastructure & Security

  You don't.  You create a collection.  A client connects to the Connection Broker and then is redirected to the collection it is connecting to.  The collection name is embedded in the connection file that the client downloads from RDWeb or
  the RDWeb feed. 
  A collection is basically at least one RDSH server (for session based desktops) or one virtual machine (virtual machine based desktops). 
  Don Geddes - SR Support Escalation Engineer - Remote Desktop Services - Printing and Imaging

• Installed the RDS 2012 Server License per user CAL (5pcs) after not allow over two users remote desktop connection problem

  I have successfully to installed the RDS 2012 Server R2 per user CAL (5pcs) Open License after is found not allow over two users to remote desktop connection on this Server problem, I try to uninstall the license and then (internet on-line & telephone
  call Microsoft Activate Center get the activate key) to reinstall is still same of the result on below problem.
  Select a user disconnect so that you can sign in.
  There are too many users signed in
  User1 Active
  User2 Active
  () Force disconnect of the user

  Hi,
  In addition you can also refer following article for RDL configuration.
  RD Licensing Configuration on Windows Server 2012
  http://blogs.technet.com/b/askperf/archive/2013/09/20/rd-licensing-configuration-on-windows-server-2012.aspx
  Hope it helps!
  Thanks.
  Dharmesh Solanki
  Please remember to mark the replies as answers if they help and unmark them if they provide no help. If you have feedback for TechNet Support, contact [email protected]

• Best practice for RDGW placement in RDS 2012 R2 deployment

  Hi,
  I have been setting up a RDS 2012 R2 farm deployment and the time has come for setting up the RDGW servers. I have a farm with 4 SH servers, 2 WA servers, 2 CB servers and 1 LS.
  Farm works great for LAN and VPN users.
  Now i want to add two domain joined RDGW servers.
  The question is; I've read a lot on technet and different sites about how to set the thing up, but no one mentions any best practices for where to place them.
  Should i:
  - set up WAP in my DMZ with ADFS in LAN, then place the RDGW in the LAN and reverse proxy in
  - place RDGW in the DMZ, opening all those required ports into the LAN
  - place the RDGW in the LAN, then port forward port 443 into it from internet
  Any help is greatly appreciated.
  This posting is provided "AS IS" with no warranties or guarantees and confers no rights

  Hi,
  The deployment is totally depends on your & company requirements as many things to taken care such as Hardware, Network, Security and other related stuff. Personally to setup RD Gateway server I would not prefer you to select 1st option. But as per my research,
  for best result you can use option 2 (To place RDG server in DMZ and then allowed the required ports). Because by doing so outside network can’t directly connect to your internal server and it’s difficult to break the network by any attackers. A perimeter
  network (DMZ) is a small network that is set up separately from an organization's private network and the Internet. In a network, the hosts most vulnerable to attack are those that provide services to users outside of the LAN, such as e-mail, web, RD Gateway,
  RD Web Access and DNS servers. Because of the increased potential of these hosts being compromised, they are placed into their own sub-network called a perimeter network in order to protect the rest of the network if an intruder were to succeed. You can refer
  beneath article for more information.
  RD Gateway deployment in a perimeter network & Firewall rules
  http://blogs.msdn.com/b/rds/archive/2009/07/31/rd-gateway-deployment-in-a-perimeter-network-firewall-rules.aspx
  Hope it helps!
  Thanks.
  Dharmesh Solanki
  Please remember to mark the replies as answers if they help and unmark them if they provide no help. If you have feedback for TechNet Support, contact [email protected]

• RDS 2012 App-V 5 SP2, Applications are not pinned in the Metro Start Menu

  Hey All,
  I've been building a new App-V 5 Environment using server 2012 R2 for the App-V management\Publishing\Reporting servers.
  I've installed app-v 5 SP2 on the RDS 2012 R2 servers and installed the App-V 5.1 SP1 Hotfix (KB2897087) for the 2012 R2 support.
  I have run into the following issue; When triggering a app-v publishing sync the applications are only added in the classic start menu. The applications aren't pinned in the Metro Start menu like our App-V sp1 RDS 2012 clients.
  I have checked the App-V client eventlogs (including the debug logs) and I haven't been able to find any errors that point out the cause of my issue.
  Has anyone experienced the same issue or has anyone got any tips to get the app-v 5 sp2 client on RDS 2012 R2 to pin the sequences to the Metro Start Menu?
  Thanks.

  This is the default behaviour of Windows 8.1 and Windows Server 2012 R2 - there are no programmatic ways to pin shortcuts to the Start screen.
  Here's a way to customise the Start screen layout: http://stealthpuppy.com/customizing-the-windows-8-1-start-screen-dont-follow-microsofts-guidance/
  Here's how to go it with Group Policy: http://www.grouppolicy.biz/2013/06/customising-windows-8-1-start-screen-layout-with-group-policy/
  Note that neither approach will help you pin shortcuts to the Start screen for users that have already logged on, without overwriting their existing preferences.
  Please remember to click "Mark as Answer" or "Vote as Helpful" on the post that answers your question (or click "Unmark as Answer" if a marked post does not actually
  answer your question). This can be beneficial to other community members reading the thread.
  This forum post is my own opinion and does not necessarily reflect the opinion or view of my employer, Microsoft, its employees, or other MVPs.
  Twitter:
  @stealthpuppy | Blog:
  stealthpuppy.com |
  The Definitive Guide to Delivering Microsoft Office with App-V

• RDS 2012 (An Authentication error has occurred 0x607) - WINDOWS 8 ONLY

  Hi - please help. I've read many posts relating to this error, but none have fixed my issue.
  We have an RDS 2012 setup.  2 Servers.  Both session hosts.  only 1 is the broker.  Cert from official CA.
  My authentication is set to ONLY allow devices with Network Level Authority.  I don't want to remove this.
  Windows XP and Windows 7 can connect both internally, and externally via the RDWeb address perfectly fine, but all Win8 machines get the error "An authentication error has occurred. Code 0x607.
  Can anyone please advise why?
  Many thanks

  Hi,
  I have seen other similar cases got resolved by setting the encryption level to low and security layer to Negotiate.
  Here is a thread below:
  An authentication error has occured (Code: 0x607)
  https://social.technet.microsoft.com/Forums/windowsserver/en-US/94780a11-23ba-4a3c-b11a-734007c2d2fd/an-authentication-error-has-occured-code-0x607?forum=winserverTS
  If it is not an option for you, I suggest you check whether the SSL certificate used by RDWeb access is trusted by the Windows 8 clients. There should be a corresponding root CA certificate installed in the Trusted Certification Authorities store.
  Best Regards,
  Amy
  Please remember to mark the replies as answers if they help and un-mark them if they provide no help. If you have feedback for TechNet Subscriber Support, contact [email protected]

• Users see all applications in RDS 2012 Web access in one-way trust domain environment

  Hello!
  We have RDS 2012 deployment in domainA.local. There is a one-way trust between domainA.local and domainB.local: A trusts B and B doesn't trust A.
  A user from domainB.local authenticates in Web-access interface (wa.domainA.local) and sees
  every published application in every collection in the deployment independently of UserGroups setting of collections and applications. This occurs for any domainB user.
  In the security log of wa.domainA.local we can find an event :
  An account failed to log on.
  Subject:
  Security ID:                IIS APPPOOL\RDWebAccess
  Account Name:                RDWebAccess
  Account Domain:                IIS APPPOOL
  Logon ID:                0x2C7B16
  Logon Type:                        3
  Account For Which Logon Failed:
  Security ID:                NULL SID
  Account Name:                
  Account Domain:                
  Failure Information:
  Failure Reason:                An error occurred during logon
  Status:                        0xC000005E
  Sub Status:                0x0
  Also in network trace on wa.domainA.local kerberos error could be found:
  On TGS-REQ for krbtgt/[email protected] there is an answer: KRB5KDC_ERR_S_PRINCIPAL_UNKNOWN (7), server name krbtgt/domainB.
  How to deal with this issue? The aim is to show only specified applications to domainB users.
  Any help would be appreciated.

  Hi,
  Thank you for your posting in Windows Server Forum.
  Please check below links might useful for your case.
  “After adding the RDS server’s computer account to the Builtin Windows Authorization Access Group domain group, the RemoteApp icons displayed perfectly.” (Quoted from
  this article)
  1. Remote APP list empty
  2. RD
  Web Access unable to access Source (RD Server)
  In respect to Kerberos Error, refer this link for troubleshooting.
  1. Troubleshooting Kerberos Authentication problems – Name resolution issues
  2. Kerberos Authentication problems – Service Principal Name (SPN) issues - Part 2
  Hope it helps! 
  Thanks,
  Dharmesh

• RDS 2012 - Certificate Mistmatch

  I am getting the most annoying error with my RDS 2012 Setup.
  certificate mismatch and double password prompts when trying to connect to my RDS setup.
  I have tried all that's out there and have got no positive results.
  All roles are on identical on 2 servers. the RDCB is in HA Mode.
  I keep getting the Certificate mismatch error.
  Already have a public or external SAN certificate assigned to all roles.
  Ran the powershell and wmi query to ensure the correct url is used when connected to gateway but I still get the double prompt when launching the remoteapps.
  I even tried the approach by cleaning IE's history, data to get the RDPSHplugin and its not helped in my case.
  All servers run 2012.
  I need some urgent assistance, please and thank you
  I have also checked and rebooted the RDS environment multiple times.
  All certs show valid. the mismatch also goes to another cert in my environment which is utilized by OWA.
  Please help me.

  I downloaded the script to C:\ and tried running it - no luck
  PS C:\> .\Set-RDPublishedName.ps1 "remote.domain.com"
  Security warning
  Run only scripts that you trust. While scripts from the internet can be useful, this script can potentially harm your
  computer. Do you want to run C:\Set-RDPublishedName.ps1?
  [D] Do not run  [R] Run once  [S] Suspend  [?] Help (default is "D"): R
  iwmi : Privilege not held.
  At C:\Set-RDPublishedName.ps1:9 char:11
  + $return = iwmi -class "Win32_RDMSDeploymentSettings" -namespace "root\CIMV2\rdms ...
  + ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
      + CategoryInfo          : InvalidOperation: (:) [Invoke-WmiMethod], ManagementException
      + FullyQualifiedErrorId : InvokeWMIManagementException,Microsoft.PowerShell.Commands.InvokeWmiMethod
  I also tried it from the other HA RDCB server.
  PS C:\> .\Set-RDPublishedName.ps1 "remote.domain.com"
  Security warning
  Run only scripts that you trust. While scripts from the internet can be useful, this script can potentially harm
  computer. Do you want to run C:\Set-RDPublishedName.ps1?
  [D] Do not run  [R] Run once  [S] Suspend  [?] Help (default is "D"): R
  Set-RDClientAccessName : A valid fully qualified domain name (FQDN) for the server was not specified.
  At C:\Set-RDPublishedName.ps1:22 char:1
  + Set-RDClientAccessName -ConnectionBroker $ConnectionBroker -ClientAccessName $Cl ...
  + ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
      + CategoryInfo          : NotSpecified: (:) [Write-Error], WriteErrorException
      + FullyQualifiedErrorId : Microsoft.PowerShell.Commands.WriteErrorException,Set-RDClientAccessName
  I also tried is this way- 
  PS C:\Users\administrator.TBCL\Downloads> .\Set-RDPublishedName.ps1
  Security warning
  Run only scripts that you trust. While scripts from the internet can be useful, this script can potentially harm your
  computer. Do you want to run C:\Users\administrator.TBCL\Downloads\Set-RDPublishedName.ps1?
  [D] Do not run  [R] Run once  [S] Suspend  [?] Help (default is "D"): R
  cmdlet Set-RDPublishedName.ps1 at command pipeline position 1
  Supply values for the following parameters:
  (Type !? for Help.)
  ClientAccessName: remote.domain.com
  iwmi : Invalid namespace
  At C:\Users\administrator.TBCL\Downloads\Set-RDPublishedName.ps1:9 char:11
  + $return = iwmi -class "Win32_RDMSDeploymentSettings" -namespace "root\CIMV2\rdms ...
  + ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
      + CategoryInfo          : InvalidOperation: (:) [Invoke-WmiMethod], ManagementException
      + FullyQualifiedErrorId : InvokeWMIManagementException,Microsoft.PowerShell.Commands.InvokeWmiMethod

• RDS 2012 - Certificates

  Hi all,
  This is my setup :
  RDS 2012 R2
  Two connection brokers setup in HA:  FQDN = RDCB.Internaldomain.com
  Two Web Access servers for internal user setup with DSN Round Robin so I can have a basic HA: FQDN = InternalWA.internaldomain.com
  Two Gateway servers in HA:  FQDN:
   RemoteGW.InternalDomain.com
  Both Gateway server have RD Web Access installed and using DNS Round Robin to have a basic HA): FQDN 
  RemoteWA.ExternalDomain.com
  My company will not approve having a trusted wildcard certificate. So, in the “Edit Deployment Wizard”, I was thinking of deploying
  one public (and trusted) SAN certificate containing all the above FQDNs to all the Role Services (RD Connection Broker –Single Signon, RD Connection Broker -
   Publishing, RD Web Access and RD Gateway).
  Will this be ok or do I need to add other FQDNs to the certificate (for example the FQDN of all the Session Host servers)?
  Best regards,
  Jesmat.

  Hello,
  In your FQDN  did you forget to add a "." as : RDCB.Internaldomain.com
  and RemoteWA.ExternalDomain.com
  are 2 different domain names
  The SAN option i thiink will not be liable here . Except if you use self signed for your internal connection  ans
  the san for the external one.
  refer to :http://en.wikipedia.org/wiki/Wildcard_certificate
  But i cannot confirm that the san certificate will be allowed on the gateways.
  Hope it helps 
  Fred

• RDS 2012 Deployment guide

  Hi,
  I'm looking for a RDS 2012 Deployment Guide or best practices document but not finding it.  Basically I'm looking for the equivalent of the document below but for Server 2012 R2 instead of 2008 R2
  <won't let me add link to body yet>
  We are planning a new RDS implementation and want to make sure we get the environment and resources right from the beginning.  Initially I'm mainly curious about the recommendations on how many servers are needed and which roles can be combined
  on single servers and which need to be broken out onto their own boxes.  For example is it best to have the RD Gateway and the RD Web Access roles on their own individual servers or should/can they be combined on to one box in the DMZ? 
  If separate; can one of them also double as the connection broker?  That sort of thing. 
  Any help is appreciated.  Thanks

  Hi Col,
  Have a look at the following articles:
  http://ryanmangansitblog.com/2013/09/27/rds-2012-deployment-and-configuration-guides/ 
  I would recommend that you look at splitting the roles on a large environment or use a layer 7 load balancer so you can scale up the number of Gateway/RDweb servers if your connections grow.
  I would advise against configuring the connection broker on a server which has a connection to the public interface (web and remote access via gateway). I would advise against exceeding 400 connections per RD Gateway server.
  a example configuration:
  Server 1 : connection broker and Licensing role
  Server 2 : Session host
  Server 3 : RDWeb and RD Gateway.
  This may help you with regards to capacity planning:
  http://ryanmangansitblog.com/2014/06/24/capacity-planning-for-a-rds-2012-pooled-2000-seat-vdi-collection/
  Ryan Mangan | Ryanmangansitblog.wordpress.com | Help keep the forums tidy, if this has helped please mark it as an answer

• Certificate setup RDS 2012 R2

  Hi,
  I have set up an RDS 2012 R2 deployment for internal use. I plan to add a gateway server cluster for external access later (RDGW). That cluster will be placed in DMZ and use a public wildcard cert. It will connect external users to the farm. Internal or
  Direct Access (DA) users will use the Web Access servers to connect internally in the corp. LAN.
  For now, i have the following setup. Web Access role on 2 servers with DNS RR (RDWA). 2 clustered Connection Broker servers (RDCB), two Session Hosts (RDSH) and one licesning server. So a total of 7 servers (+ 2 GRGW servers in DMZ that are not set up
  yet).
  So, the issue is; I need to set up certificates. We have a CA in an AD top domain (our site is a sub.domain.com). We do not have access to that CA and need to order certs. from our corp. HQ. Ok, but what do i ask for? I need 3
  DER encoded binary X.509
  certs. That's the info i have. How can create a cert. request? See pictures below.
  This posting is provided "AS IS" with no warranties or guarantees and confers no rights

  Hi,
  Thank you for your posting in Windows Server Forum.
  Can you exactly let us know which certificate you want for your network (Self-signed or SSL)?
  As per my suggestion you can use wildcard or SAN certificate for your network which can be used for external network also. 
  If you want Self-signed certificate for internal use, you can create the certificate from Deployment properties of RDS page or IIS Manager as per below path.
  IIS Manager>Server Certificate>Create Self-Signed Certificate>Export the certificate on specified location then select the certificate in RDS installation process.
  But see that, the certificate is installed into computer’s “Personal” certificate store with its corresponding private key & it’s added under trusted root certificate authority.
  Please check below articles for detail.
  1. Certificate Requirements for Windows 2008 R2 and Windows 2012 Remote Desktop Services
  2. Configuring RDS 2012 Certificates and SSO
  3. Minimum Certificate Requirements for Typical RDS implementation
  Hope it helps!
  Thanks.
  Dharmesh Solanki

• 2 Separate RDS 2012 R2 Deployments in Same Domain ?

  We have a current RDS 2012 R2 deployment. We are changing hosting vendors and want to completely redo the entire deployment (rather than try to migrated the VMs). What is the best way to go about this?
  We do want to continue to use the GPO and user files will be migrated. How can we have the prod and dev RDS environments coexisting on the same domain? 
  Just to clarify, we do not want to use any of the existing infrastructure because it is all going to go away. Thank you!

  Hi,
  Thank you for posting in Windows Server Forum.
  I thinks that good way to start for new environment without any mixing up. Yes, everything can be setup under same domain. For common domain environment,
  You can buy one single wildcard certificate with domain name which can be used for all roles. As in domain joined environment, we can use to have them both RDS server use the same RD Gateway. For this we need to enter the same FQDN of working RDG into the Deployment
  properties of the second deployment.
  There are several other points which need to check, you can refer following article for depth understanding and configuration.
  1.Step by Step Windows 2012 R2 Remote Desktop Services – Part 2
  2. How To Work with RD Gateway in Windows Server 2012
  Hope it helps!
  Thanks.
  Dharmesh Solanki
  TechNet Community Support

• RDS 2012 R2 cannot add 3rd party (parent domain) licensing server

  Hi,
  I have a RDS 2012 R2 farm and i cannot add a 3rd party licensing server that is in a parent domain (forest root domain - hosted by our corp HQ). I will edit deployment properties for the deployment in the first CB server to add a licensing server in per
  user mode. Seemes to work, however no licenses are given to SH servers. Have made GPO aswell to explicitly specify licensing server and mode, however i think this should not be neccessary.
  Any ideas?
  This posting is provided "AS IS" with no warranties or guarantees and confers no rights

  Hi,
  Thank you for posting in Windows Server Forum.
  1. In Server Manager -- RDS -- Overview -- Tasks -- Edit Deployment Properties -- RD Licensing tab, please make sure that the Licensing mode is set to match the type of licenses you purchased, and that the FQDN of your RD Licensing server is listed.
  2. In Server Manager -- RDS -- Collections -- <your collection> -- Host Servers, please make sure that your RDSH server is listed.  If you have more than one server with the RDSH Role Service in your deployment make sure that all of them are
  listed.  If they are not you may click Tasks -- Add RD Session Host Servers (make sure the servers are part of the Server Manager server pool prior to this).
  3. On Server 1, please open an Administrator PowerShell prompt and enter the following command:
  Add-WindowsFeature RDS-Licensing-UI
  4. After the above powershell command completes you should be able to open RD Licensing Manager (licmgr.exe) on Server 1 if you need to.  Please note that it is more important to have the licensing configured properly in deployment properties and your
  RDSH servers part of a collection than it is to be able to open RD Licensing Manager on both of your servers. 
  (Above one quoted from beneath thread)
  Source:
  RDS 2012 Can't add a licensing server
  In addition, check below article.
  RD Licensing Configuration on Windows Server 2012
  Hope it helps!
  Thanks.
  Dharmesh Solanki

• RDS 2012 R2 - RemoteApp Disconnected

  Hi RDS 2012 R2 Experts,
  I would like some guidance here if possible
  My setup is a follow.
  1x 2012r2 with the following role, Broker, Web access, Gateway and License called RDS01
  2x 2012r2 Session Host called RSH01 an RSH02
  1x wildcard cert
  I would like to my users to be able to either internal and external to use the same link, remote.mydomain.com since my internal domain is mydomain.local
  What i have done so far.
  Created a DNS Zone called remote.mydomain.com and added the following records there.
  REMOTE, it points to web access server IP 192.168.1.31 ( same server for Gateway and Broker )
  2x RDSFarm, one record points to RSH01 and the other to RSH02, 192.168.1.32 and 33
  Gateway, the record points to 192.168.1.31 ( same servers as broker and web access)
  Broker, the record points to 192.168.1.31 ( same servers as web access and gateway)
  i have set the gateway manager the following
  Edited the deployment RD Gateway to remote.mydomain.com
  Installed the wildcert for all the roles, *.mydomain.com in all 4 roles
  created Manage Local computer groups and added both RSH01 and 02, RDSFarm record, remote record, gateway record and broker record
  linked the allowed resources with the policy and users ( also tried allow users to connect to any resources )
  configure the gateway in the RD Gateway farm
  Configured the IIS to
  auto redirect
  and the DefaultTSGAteway under Pages to remote.mydomain.com
  Also I used the Set-PublishName (http://gallery.technet.microsoft.com/Change-published-FQDN-for-2a029b80) to change it to broker.mydomain.com
  Now, the issue I have is, when users either internally or externally try to launch a RemoteApp they get the error.
  RemoteApp Disconnected
  This computer cant connect to the remote computer.
  Try connecting again.
  To overcome this error I did the following:
  Set-PublishName to RDSFarm.mydomain.com ( it is using the round robin to get to the session host servers)
  There is two problem with this setup.
  I no longer can shadow the users under Connections in the broker ( it seems to be bypassed )
  I get certificate mismatch due the servers names
  What I would like to achieve is to fix both problems above.
  Thanks for any advice in advance.
  N0tl3_Bouya

  Hi,
  Thank you for posting in Windows Server Forum.
  Initially check that you have applied external used FQDN of server under Server name in RD Gateway Deployment properties and used Bypass RD Gateway for local address. 
  Please try to perform the steps 
  •  Create a new DNS zone, .COM to allow split-brain DNS (so that internal clients can resolve external names internally)
  •  Create a relevant DNS entry in the aforementioned zone to point to the RDS environment’s internal IP address
  •  Create a relevant DNS entry in external DNS to point to the firewall which is publishing RDS’s external IP address
  •  Use the following script to change the FQDN of the RDP files provided by RD Web Access / RemoteApp and Desktop connection feed 
  Change published FQDN for Server 2012 or 2012 R2 RDS Deployment
  http://gallery.technet.microsoft.com/Change-published-FQDN-for-2a029b80
  In addition, for shadow related issue you can use the server in administrative mode use mstsc /shadow command and check the result. 
  Detailed walkthrough on Remote Control (Shadowing), reintroduced in Windows Server 2012 R2  
  Hope it helps!
  Thanks.
  Dharmesh Solanki