Solved

Cannot connect to 2003 DC via RDP over VPN

Posted on 2008-06-11
15
1,069 Views
Last Modified: 2013-11-21
I have a 2003 SBS machine as my primary domain controller in location 1.  There is a VPN connecting it (SonicWall to SonicWall) to a 2003 Standard machine location 2.

- 2003 Standard was able to join the domain over the VPN link (and was able to dcpromo no problem).
- I can ping each server from the other.
- I can connect to SMB shares (\\<server name>) from each side and connect to printers hosted by each server.
- I can issue a 'shutdown /m \\<server name> /r from location 1 and the server at location 2 does reboot.

From all the above signs, I am deducing that the VPN link and DNS is working properly.  However, I cannot remote desktop into the 2003 Standard server, even though I know I manually enabled it.  It is a fresh 2003 server install, and actually does not have any other software installed on it (I was running short on time, and had to catch the flight back home).  Since Location 1 and Location 2 are several states away, I need this RDP connection to work.

Is there a way I can verify that RDP is enabled (I know I can't enable it via GPO)?  Is it possible that something else is getting in the way of the RDP link?
0
Comment
Question by:sm4kxd
  • 8
  • 5
  • 2
15 Comments
 
LVL 11

Expert Comment

by:CynepMeH
ID: 21764322
You can open "computer management" console (compmgmt.msc) and connect to the server in question. Check services and ensure that "Terminal Services" service is started and set to automatic. If it is set to automatic, it means that it was enabled. If it is not started, check your event logs. Also, make sure port 3389 is allowed over your VPN connection (unless it's open for any traffic, once you're connected over vpn).

Post some add'l info to my comments if nothing helped.
0
 
LVL 11

Expert Comment

by:CynepMeH
ID: 21764343
To clarify, say you're running XP on your system. You would right click on "my computer" > manage > right click on "Computer Management (local)" and select "Connect to another computer". Specify the server in question. If for some reason you get "access denied", try mapping a drive to the server first. This way you pass your credentials to the server and should have no problem opening the session.

Once you're connected with computer management console, expand services and check for "Terminal Services" as outlined earlier.

...and if for some reason it was not enabled, here's how to do it remotely:

http://www.petri.co.il/remotely_enable_remote_desktop_on_windows_server_2003.htm

0
 
LVL 24

Expert Comment

by:ryansoto
ID: 21764345
OK first thing is to check and see if any errors are getting produced in event viewer.
I had an issue earlier today where RDP wouldnt work on a new machine.
This was the answer
http://support.microsoft.com/kb/323497
It was on an SBS machine also.
Check there first.  If this isnt the answer you will need to make sure you in fact did enable remote desktop

Here is how you can enable via policy and or a script
http://www.experts-exchange.com/OS/Microsoft_Operating_Systems/Server/2003_Server/Q_21936881.html

0
 

Author Comment

by:sm4kxd
ID: 21764396
I am able to connect to it via compmgmt.msc and Terminal Services is running, but was set to Manual.  I went ahead and set to to automatic.

The VPN should not be configured to filter any traffic, but I will have the team who set it up take a closer look at it to verify.

Also, just for clarification, the server that I cannot connect to is a 2003 Standard server.  The 2003 SBS machine is behaving just fine.
0
 
LVL 24

Expert Comment

by:ryansoto
ID: 21764416
Ah - the same KB article still applies to 2k3
http://support.microsoft.com/kb/323497

0
 
LVL 11

Expert Comment

by:CynepMeH
ID: 21764471
Hey Ryan, based on some of the info provided I have some doubts about applicability of the kb you quoted.

SM4kxd - if you can connect to one of the servers, chances are your VPN appliance is not filtering ports on per IP basis. This means that you should be able to connect to other server as long as RDP (term services) is running. Once you change to "automatic" you'll need to reboot the box for changes to take effect. I don't believe you can start Term Services if they weren't loaded at start up. (could be rusty on that). There's no difference in RDP functionality between these OSes.
0
 

Author Comment

by:sm4kxd
ID: 21765973
I think I am having some deeper DNS issues, or something.

As far as I can tell, nothing has changed on the network, except now I am suddenly unable to connect with compmgmt.msc, and am not able to send it the shutdown command, even though I can still ping it, and the VPN still is connected.

I have somehow taken a step backwards, but I don't think I actually did anything to make a change like this.
0
Why You Should Analyze Threat Actor TTPs

After years of analyzing threat actor behavior, it’s become clear that at any given time there are specific tactics, techniques, and procedures (TTPs) that are particularly prevalent. By analyzing and understanding these TTPs, you can dramatically enhance your security program.

 

Author Comment

by:sm4kxd
ID: 21769774
Alright, well for some reason it is magically working again this morning, so I will ignore the 'disappearing' issue for now.

I verified that 'Terminal Services' was set to Automatic and rebooted the server.  Now that it is back up, it still gives me the "This computer can't connect to the remote computer - Try connecting again.  If the problem continues, contact the owner of the remote computer or your network administrator."

Looking through the event log I can't find any errors or flags indicating that something is wrong with terminal services.  I can see entries from when the server rebooted on my command, but I can't see anything about failed connections or even failed authentication.

Since this was a fresh 2003 server install, is it possible that I forgot to enable something that is required for Terminal Services to work properly?
0
 
LVL 11

Expert Comment

by:CynepMeH
ID: 21770448
Some suggestions/things to check:

1. Are you a member of local admin group or "remode desktop users"?
2. Is your password non-blank? Sometimes freshly built system will deny you remote logon ability if your password is blank (part of local security policy setting).
3. Check your security policy settings - e.g. Logon Interactively (locally) or Deny local logon.
4. To exclude DNS,  try connecting by IP - see if that works.
5. From the command line try "telnet servername 3389" (without quotes) this should connect you to server's RDP port - if you get a flashing cursor, that means that service is started and server is listening on port 3389, and it also means that your VPN is not blocking you
6. Check your event logs on the server - see if there are any "Failure" messages, could be a security issue such as wrong password.
7. I'm pretty sure this won't work either but worth a shot - try running "mstsc /console" - this will connect you to server's console RDP session but if you can't get in through regular RDP, chances are this won't work either.

Though I do suspect that you may have an issue due to your VPN. Here's a little trick you can try:

You said you can RDP in your SBS server... Try connecting to your SBS server and then launch RDP session from SBS server to your new server. If you can connect, then it's your VPN. If not, I'd double-check to ensure you can ping new server and/or map drives to it. Could possibly be a network issue.

Let us know what you find out.
0
 

Author Comment

by:sm4kxd
ID: 21770802
(I've separated the answers below that might be interesting)

1. I am using the Domain Administrator account, and I think that since this server has been dcpromo'd all local users/groups have been removed.
2. Password is non-blank.
3. Local logon is not denied, and logon interactively is permitted for this account.
4. IP address nets me the same error message.

5. Telnet fails: "Could not open connection to host, on port 3389: Connect failed"

6. I see nothing in the event logs that seems to be related to any authentication failures.
7. 'mstsc -console' gives me the same response as standard 'mstsc'.

I am unable to RDP or connect to shares from SBS to 2k3, but SBS CAN ping the server by both name and ip address.

My workstation can, however, connect to admin shares on the 2k3 machine.  It cannot RDP.
0
 
LVL 11

Accepted Solution

by:
CynepMeH earned 500 total points
ID: 21772346
Looks like there's a problem with your RDP config on the box. If you're saying that you are unable to telnet to 3389, then most likely the service is not running, therefore the server is not listening. This indicates that you may have to possibly re-install the server. If you're saying that Terminal Services is set to automatic and it is "started", then most likely the server is not responding.

You wouldn't have any kind of firewall enabled on this server, would you? This is the only other thing I can think of. Something along the lines of either built-in firewall/IP filter or some 3rd party firewall software. Bottom line, your TS service is not working and that's the reason why you can't connect.

You may want to try running a service pack install instead of re-install, this should replace some of the files used by your TS. If that does not fix it and there's nothing in your event logs confirm that you have in fact enabled RDP, not REMOTE ASSISTANCE. See screenshot below for proper setting.
rdp.jpg
0
 
LVL 11

Expert Comment

by:CynepMeH
ID: 21772376
BTW, try running that reghack I linked to earler to enable RDP (or confirm that it is enabled).
0
 
LVL 11

Expert Comment

by:CynepMeH
ID: 21772410
Can you confirm that Remote Procedure Call (RPC) service is running on the system that's having a problem? Also, try connecting to \\servername\c$ or \\servername\admin$

0
 

Author Comment

by:sm4kxd
ID: 21772695
Okay, I took some drastic measures and walked a user through installing GoToMyPC on the server just so I had the ability to log in and see just wtf is going on.

GoToMyPC gets me right in, of course.  From that machine I can see that I do have 'Remote Access' enabled on the machine.  The only firewall on the machine is the standard Windows Firewall, which as it turns out was the culprit.  Adding an exception to the firewall for RDP connections let me right in.

I feel pretty silly with all the other hoops I jumped through.

Thanks CynepMeH for all your suggestions and sticking with it.
0
 
LVL 11

Expert Comment

by:CynepMeH
ID: 21773370
Don't kick yourself too hard - happens to the best of us. We all have our days and that's why you have sites like this... so that all that useless knowledge we all accumulated through user (or *cough* our own *cough*) screw-ups could be shared with others =)
0

Featured Post

Enabling OSINT in Activity Based Intelligence

Activity based intelligence (ABI) requires access to all available sources of data. Recorded Future allows analysts to observe structured data on the open, deep, and dark web.

Join & Write a Comment

Setting up a Microsoft WSUS update system is free relatively speaking if you have hard disk space and processor capacity.   However, WSUS can be a blessing and a curse. For example, there is nothing worse than approving updates and they just have…
I. Introduction There's an interesting discussion going on now in an Experts Exchange Group — Attachments with no extension (http://www.experts-exchange.com/discussions/210281/Attachments-with-no-extension.html). This reminded me of questions tha…
In this seventh video of the Xpdf series, we discuss and demonstrate the PDFfonts utility, which lists all the fonts used in a PDF file. It does this via a command line interface, making it suitable for use in programs, scripts, batch files — any pl…
This video shows how to remove a single email address from the Outlook 2010 Auto Suggestion memory. NOTE: For Outlook 2016 and 2013 perform the exact same steps. Open a new email: Click the New email button in Outlook. Start typing the address: …

762 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

22 Experts available now in Live!

Get 1:1 Help Now