When attempting to add new Remote Desktop Session Hosts (RDSH) to a session host collection, you may run into the following error message:
This error may be accompanied by additional messages.
When you check the logs, nothing appears to be wrong with the collections: they show up correctly in Server Manager and users can still log on to the collection using existing servers.
Occasionally the security descriptors of one of the collections become corrupted. When that happens, it is not possible to add a new session host, whether through Server Manager or through PowerShell.
The problematic collection does not have to be the collection to which you are adding the RDSH. If you have multiple collections, the problem can exist in another collection and still block the addition of the host to a different collection.
First we need to determine which collection has the problem. To do that, log on to the broker, open PowerShell and follow the steps below.
First import the required cmdlets. The module is present on any server with the broker management tools installed.
After that, retrieve a list of all collections with some details, including the security descriptors.
$FormatEnumerationLimit = -1
Get-RDSHPool -ManagementServer BrokerFQDN -Alias *
Note that you can leave out the -ManagementServer parameter if you're running this on the broker itself.
In a normal situation, you should not get any errors here. If you see an error about one of the collections, then that's the collection that's causing the problems:
To resolve the corrupt security descriptors, return to the Server Manager, navigate to the collection and its properties:
Edit the properties and add a different group (e.g. Domain Admins) to the User Groups, then click OK. This should restore the corrupted security descriptors, allowing you to add the RDSH to that (or another) collection. Don't forget to remove the group you just added from the collection with the formerly corrupted security descriptors.
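
The check from the steps above can also be run one collection at a time, so that a failure is attributed to a single alias. This is an added example, not code from the original article. It assumes the RemoteDesktop module and the module that provides Get-RDSHPool are already imported, that Get-RDSHPool accepts a single alias and reports the corrupted descriptor as an error for that alias, and the function names Test-RDCollectionDescriptor and Get-RDCollectionUserGroup are hypothetical.

```powershell
# Added example. 'BrokerFQDN' is the article's placeholder for the broker name.
$Broker = 'BrokerFQDN'
$FormatEnumerationLimit = -1   # do not truncate long property values in output

function Test-RDCollectionDescriptor {
    param([Parameter(Mandatory)] [string] $ConnectionBroker)

    # Enumerate the collections, then query each alias on its own so that an
    # error can be tied to one specific collection.
    foreach ($c in Get-RDSessionCollection -ConnectionBroker $ConnectionBroker) {
        $result = [pscustomobject]@{
            CollectionName = $c.CollectionName
            Alias          = $c.CollectionAlias
            Readable       = $true
            Error          = $null
        }
        try {
            # Assumption: a corrupted security descriptor raises an error here.
            Get-RDSHPool -ManagementServer $ConnectionBroker `
                -Alias $c.CollectionAlias -ErrorAction Stop | Out-Null
        }
        catch {
            $result.Readable = $false
            $result.Error    = $_.Exception.Message
        }
        $result
    }
}

function Get-RDCollectionUserGroup {
    param([Parameter(Mandatory)] [string] $ConnectionBroker,
          [Parameter(Mandatory)] [string] $CollectionName)

    # Lists the groups currently allowed to use the collection. Run this after
    # the Server Manager fix to confirm the temporary group has been removed.
    (Get-RDSessionCollectionConfiguration -CollectionName $CollectionName `
        -UserGroup -ConnectionBroker $ConnectionBroker).UserGroup
}

# Show only the collections whose details could not be read.
Test-RDCollectionDescriptor -ConnectionBroker $Broker |
    Where-Object { -not $_.Readable } |
    Format-List
```

Once the collection reads cleanly again, call Get-RDCollectionUserGroup with its name and check that only the intended groups remain.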