ipendlebury

Server stops accepting RDP Connections

I administer six SBS2003 networks. Three of these have additional Terminal Servers on the domain. My usual way of configuring things is to use ISA Server to publish the Terminal Server RDP on port 3389, whilst publishing the SBS Server RDP on port 63389 for administrative purposes.

I have an occasional problem on the three networks with Terminal Servers. I find that I cannot externally use RDP to log into the SBS Server on port 63389. However, when this happens, I can still log into the Terminal Server on port 3389. I have noted that at this time I can never RDP into the SBS Server from the Terminal Server. My only recourse is, from the Terminal Server Command prompt, to reboot the SBS Server using Shutdown.exe /m \\server /f /r. When the SBS Server has rebooted, everything is ok again for a few weeks.

So why does this happen just on the networks with Terminal Servers? I have properly joined the Terminal Servers to the Domain by using the steps outlined in ADS_TermServ.doc

Ian
Philip Elder

A suggestion: When you publish TS on SBS, you will see a new link in the Remote Web Workplace called: Connect to My Company's Application Servers.

Why not use this built in RWW functionality for both TS and system management?

It is a lot more secure than exposing ports to the Internet.

From the TS: open IE and the following: http://mysbsserver/tsweb to get to the TS internally.

Sounds to me like SBS doesn't like the additional port setup in the registry for RDP.

We manage a lot of SBS servers, and we use the built-in functionality on all of them to manage them and the clients.

Philip
Hi Ian,

Did you add that port in the Internet Connection Wizard?
I agree with MPECInc. As long as you installed the TS the SBS way you can use RWW with no networking issues. Easy and yes it works!!
Olaf
Bingo...

Remote Web Workplace gives you SSL. This provides a level of security above and beyond what RDP 5.x in SBS and TS on W2K3 can give.

RDP version 6 on Vista/Longhorn/2K8 rectifies this a bit by preauthenticating.

So, never expose ports unless you absolutely have to. See if you can find any info on TSHammer. It was big a few years back and provided a way of hammering a found TS connection. TS does not have a limit on authentication attempts in version 5.

Philip
ipendlebury

ASKER

Thanks for the replies guys. When this happens, the SBS Terminal Services is completely unavailable. It can't be accessed via RWW or even from the SBS server console. I'm about to call in to the company where this has just happened. Last time the fix was to re-run the CEICW.

Ian
Hi Olaf,

Yes, that's the document I mentioned at the top of this thread.

I went into the customer's this morning and re-ran the CEICW. I learned something obvious though which I hadn't appreciated previously... In the wizard, I always check the option to enable Terminal Services in the firewall. However, this switches on the SBS RDP External Access Rule. I had previously disabled this rule in favour of my own rule which redirects RDP traffic to port 63389. So I disabled the SBS rule once again and the SBS server is now accessible externally. Although I can't launch a Terminal Services session from the server console. I know that there is no reason to do this, but I used to be able to do so. Does anyone know why I might be prevented from doing this now? When I attempt it, I get a message stating that the server cannot be found.

Can you please post IPconfig/all of server and TS?
Olaf
Here's the IP config from the SBS Server. I've changed the domain name for security reasons.

Windows IP Configuration
   Host Name . . . . . . . . . . . . : VERNON
   Primary Dns Suffix  . . . . . . . : mydomain.local
   Node Type . . . . . . . . . . . . : Unknown
   IP Routing Enabled. . . . . . . . : Yes
   WINS Proxy Enabled. . . . . . . . : Yes
   DNS Suffix Search List. . . . . . : mydomain.local
PPP adapter RAS Server (Dial In) Interface:
   Connection-specific DNS Suffix  . :
   Description . . . . . . . . . . . : WAN (PPP/SLIP) Interface
   Physical Address. . . . . . . . . : 00-53-45-00-00-00
   DHCP Enabled. . . . . . . . . . . : No
   IP Address. . . . . . . . . . . . : 192.168.0.18
   Subnet Mask . . . . . . . . . . . : 255.255.255.255
   Default Gateway . . . . . . . . . :
   NetBIOS over Tcpip. . . . . . . . : Disabled
Ethernet adapter Network Connection:
   Connection-specific DNS Suffix  . :
   Description . . . . . . . . . . . : 3Com EtherLink XL 10/100 PCI For Complete PC Management NIC (3C905C-TX)
   Physical Address. . . . . . . . . : 00-50-DA-49-14-F0
   DHCP Enabled. . . . . . . . . . . : No
   IP Address. . . . . . . . . . . . : 192.168.2.2
   Subnet Mask . . . . . . . . . . . : 255.255.255.0
   Default Gateway . . . . . . . . . : 192.168.2.1
   DNS Servers . . . . . . . . . . . : 192.168.0.2
   NetBIOS over Tcpip. . . . . . . . : Disabled
Ethernet adapter Server Local Area Connection:
   Connection-specific DNS Suffix  . :
   Description . . . . . . . . . . . : Intel(R) PRO/1000 MT Network Connection
   Physical Address. . . . . . . . . : 00-14-22-50-1B-D1
   DHCP Enabled. . . . . . . . . . . : No
   IP Address. . . . . . . . . . . . : 192.168.0.2
   Subnet Mask . . . . . . . . . . . : 255.255.255.0
   Default Gateway . . . . . . . . . :
   DNS Servers . . . . . . . . . . . : 192.168.0.2
   Primary WINS Server . . . . . . . : 192.168.0.2

Here's the Ipconfig from the Terminal Server:

Windows IP Configuration
Host Name . . . . . . . . . . . . : TERMINALSERVER
Primary Dns Suffix  . . . . . . . : mydomain.local
Node Type . . . . . . . . . . . . : Unknown
IP Routing Enabled. . . . . . . . : No    
WINS Proxy Enabled. . . . . . . . : No    
DNS Suffix Search List. . . . . . : mydomain.local  
Ethernet adapter Local Area Connection:    
Connection-specific DNS Suffix  . :    
Description . . . . . . . . . . . : Intel 21140-Based PCI Fast Ethernet Adapter (Generic)    
Physical Address. . . . . . . . . : 00-03-FF-53-1B-D1    
DHCP Enabled. . . . . . . . . . . : No    
IP Address. . . . . . . . . . . . : 192.168.0.3    
Subnet Mask . . . . . . . . . . . : 255.255.255.0    
Default Gateway . . . . . . . . . : 192.168.0.2    
DNS Servers . . . . . . . . . . . : 192.168.0.2

What I didn't mention is that in this case the Terminal Server is a Virtual Machine running inside Virtual Server inside the SBS box. It runs well.

I've fixed another problem tonight and I wonder if it has any relevance. I hadn't looked at RWW on the SBS server for ages. When it was mentioned today, I took a look and found that I got an error when I tried to open the first page. It turned out that there was a conflict of ASP versions. The default website is running an intranet written in ASP 2.0. I had it in a separate application pool, but the RWW (ASP 1.14) application didn't seem to like this. I've now configured RWW to run under ASP 2.0. It now works ok. I then found that I can now launch an RDP session into the SBS Terminal Server from the SBS Terminal Server desktop. Admittedly I was already logged into the SBS server via RDP, but I now assume that I will be able to open an RDP session from the server console.

When I next go in there, I'll reboot the server again and see if Terminal Services works afterwards. I'll also get the Terminal Services users to try logging in via RWW. In the meantime I'd appreciate any comments relating to the above.

Ian
IPconfig is OK.
Did you upgrade to Server 2003 SP2??
Olaf
Hi Olaf,

I put SP2 on a couple of weeks ago.

Ian
Hi Olaf,

I just checked that article. I couldn't see anything in there about RDP.

I was on site today and rebooted the server. When it came back up, the SBS Terminal Server was unavailable again. I still haven't been able to get it back on line. I can't start a session from the server console, remotely or via RWW.

I need a couple of days to get people used to the idea of going into the Terminal Server via RWW, then I can take out my firewall rules which redirect the ports. If anyone has any ideas about why the SBS Terminal Server might be unavailable, I'd be very grateful.

Ian
Backup the following key on SBS:
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\MyCustomRDPPorts]

Then DELETE it. Get rid of that extra setting and make sure that TS is listening on 3389 when you reboot the server.

Philip
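
The backup, removal and listener check described in the post above, as an added example that is not part of the original thread. It assumes the extra listener key is named as shown in the post; the backup file path is a placeholder chosen here.

```bat
@echo off
rem Added example, not from the thread. Run on the SBS server as an administrator.
setlocal
set "WS=HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations"
rem Key name taken from the post above; adjust to the name of your extra listener.
set "CUSTOM=%WS%\MyCustomRDPPorts"
rem Assumed backup location (placeholder).
set "BACKUP=%SystemDrive%\rdp-custom-listener-backup.reg"

rem 1. Back up the extra listener key and delete it only if the export succeeded.
reg query "%CUSTOM%" >nul 2>&1
if errorlevel 1 (
    echo No extra listener key found at %CUSTOM%
) else (
    reg export "%CUSTOM%" "%BACKUP%"
    if errorlevel 1 (
        echo Export failed, key left in place.
    ) else (
        reg delete "%CUSTOM%" /f
    )
)

rem 2. The default listener should be on 3389 (PortNumber 0xd3d).
reg query "%WS%\RDP-Tcp" /v PortNumber

rem 3. Remote connections must not be denied (fDenyTSConnections 0x0).
reg query "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server" /v fDenyTSConnections

rem 4. Run again after the reboot: is the service up and the port listening?
sc query TermService | find "STATE"
netstat -ano | find ":3389 " | find "LISTENING"
if errorlevel 1 echo Nothing is listening on TCP 3389.
endlocal
```

Steps 2 to 4 only read state, so they can be re-run after the reboot to confirm that Terminal Services is listening on 3389 before any publishing rule is changed.
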
Because of my current problem, I can't log in and do this. I'll have to do it the next time I go on site.

Should there be anything present in ISA to enable TS to work from the console or RWW? I put in a rule to direct external RDP traffic on port 63389 to the SBS Server on 192.168.0.2. I also put in place a rule to redirect external RDP traffic on port 3389 to the Terminal Server on 192.168.0.3. I disabled the generic SBS external RDP access rule.

Ian
Do you have any SBS Premium installs that are still in stock form?

Simple thing is to log in and have a look at the default rules created by the ISA portion of the install.

If not, I published a screen shot for you on our blog: http://blog.mpecsinc.ca

Philip
Yes I have 3 installations which are unmodified. I've played around with the rules in the problem server tonight before I had to leave. I'm sure that it should have started working for me. Last time, it came back on after I re-ran the CEICW. Not this time though. So I'm curious about the issues in sp2 now.

Ian

ASKER CERTIFIED SOLUTION
Olaf De Ceuster

This solution is only available to members.
Olaf,

Thanks for that. It looks quite relevant. I can't TS into the server to apply the fixes. It will be tomorrow before I can get down there. I'll post back here when I've tried it.

Ian
I went into client's today. The first thing I did was to visit the Microsoft Update website. There was a patch for SP2 available so I installed it, rebooted and my Terminal Server was back on line. So thanks everyone for your input.

Ian