Cannot RDP onto new Windows 2008 server: access denied

I'm having some real problems with getting new users to connect to a new 2008 R2 server with RDP. I've set up hundreds of TSs before & never ran into this issue I'm having with W2K8 R2. Here is what I have created so far.

Server 1 = 1 X W2K8 R2 server & configured it as a PDC. Created some test users.

Server 2 = 1 X W2K8 R2 server & configured it with Remote desktop services. Is joined to server 1's domain.

I've got around this issue previously by just making the front end terminal server a W2K3 R2 server & everything works fine. Add the relevant group to RDP users on the local server (the front end terminal server) & away it goes. But I need to get it working with W2K8 R2 as I can't just keep doing that forever.

If I don't install the RDP role on server 2, the test users log in fine. Although as per normal, without the RDP role installed, only a couple of users can log on. If I install the RDP role on Server 2, test users get "access denied".

Event log on Server 2 shows: An account was successfully logged on.... but it didn't.

I have added the test users to the local rdp user group on Server 2, but when I click apply, it just empties the box. If I try to add it again, it says the user is already added. If I do the same thing on a W2K3 server, the users stay there.

I went to RD session host & security & added the users there, still no logon.

I went to the local security policy on Server 2 & user rights assignment & added the users there, but upon clicking apply, the user names appear as just a SID. It's like Server 2 sees it as an orphaned SID & can't identify what it should be associated with.

I went to the DC & added the relevant users to the group policy computer config/user rights assignment/Allow log on through RD services. Still no logon. Rebooted both servers, still no logon.

Administrator logs on fine, but not test users. Even if I add a test user to administrators group, still no logon.

If I log on via the IP from outside the domain I get "access denied" & nothing interesting in the event logs. If I try & RDP onto Server 2 from itself I get Event 4625:

An account failed to log on.

Security ID: NULL SID
Account Name: -
Account Domain: -
Logon ID: 0x0
Logon Type: 3

Account For Which Logon Failed:
Security ID: NULL SID
Account Name: karen
Account Domain: XYZ

Failure Information:
Failure Reason: Unknown user name or bad password.
Status: 0xc000006d
Sub Status: 0xc000006a

The servers are only a few days old & no TS licensing is installed as yet, but it's within the grace period so this shouldn't be an issue. I've never had so much trouble getting a Windows server to act as a terminal server before until 2008.



Can anyone help?

if you just see the SIDs on your TS I think your AD membership is broken

try to take the TS out of the domain, delete the machine account and rejoin it
try modifying group policy to allow the RD sessions...

Computer configuration/Policy/Administrator Templates/Windows Components/ Remote Desktop Services/ Remote Desktop Session Hosts/Connections

enable "Allow users to connect remotely using Remote Desktop Services"
try to create some local users in the TS repository
put them into the local RDP group
don't use domain users at this time

check if they are then known to the system and can log on

if so, you don't have a problem with permissions
your problem is AD I guess

D2011Author Commented:
Looks like I accepted too early without thoroughly testing. Oops. Still doesn't work, ah well, forfeited some points there.
Go to General Support and ask for a refund or reallocation of points.

What errors are you getting now?  Can you post both client and server errors if full?  Thanks.
Post errors "in" full, I meant to say.  Thanks!
D2011Author Commented:
I cannot see any area on experts exchange that says "general support", "support" or "general".

D2011Author Commented:
Exactly the same error I am experiencing as before top rung. The suggestion you gave me before worked until I rebooted, then came back.

D2011Author Commented:
The issue seems to stem from a lack of ability for the 2 2008 servers to correctly see each other. The reason I say this is:

1) If I have a W2K3 server acting as a DC & the TS is a W2K8 server, then there are no issues. I can add users to the local RDP group on the W2K8 server & they show up there fine.

2) If I have a W2K8 server acting as the DC & the TS is a W2K3 server, then there are also no issues. I can add users to the local RDP group on the W2K8 server & they show up there fine.

But when I have both the backend DC as a W2K8 server & the front end as a W2K8 server with the Remote Desktop Services role installed, it doesn't work. If I right click on My Computer & go to Properties, then Remote Users & add them there, then each entry gets a ? over the entry, like the RDP server can't identify the SID. If I right click on My Computer & go to Manage, then access the local SAM users & groups on the RDP server & add users or groups there, then they just disappear when I click apply.

However, when I go to the backend W2K8 DC & go to the Computers container, the front end RDP server is there & if I go to the front end RDP server & run an nslookup looking for the server records, it correctly identifies the backend W2K8 DC. DCdiag is showing up all good, so I'm stuck now.
D2011Author Commented:
Ok, I believe I have found the answer. I realized it after reading my last post.

What has happened, I believe, is we have a repository of virtual files for use on Hyper-V host servers. Usually on W2K3 servers we would use NewSID on a brand new virtual server so all the SIDs weren't common.

Someone told me & sent me a link about a year ago that said you no longer needed to do this with W2K8 servers. I can't find the link now, but to cut a long story short..... WRONG.

However you can't use NewSID on W2K8 servers or you will get BSODs & frequent crashes. You need to use sysprep.

The whole procedure for changing your SID on a W2K8 R2 server is here:

Also on the same site is a link for Sysinternals PsGetSid to check your SIDs:

Now after running sysprep on the RDP server, the Remote Desktop group doesn't empty itself or have question marks instead of user names or groups.

I imagine this would also be an issue not only for people using virtual servers, but people cloning physical servers. Anyways, I will test some more, but if all is good after the next 2 days I will come back & close the question off.
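As an added example, not code from the thread or from Sysinternals, the following PowerShell script checks for the duplicate machine SID condition described above without PsGetSid, and lists members of the local Remote Desktop Users group whose SIDs no longer resolve to a name (the bare-SID / question-mark symptom). It assumes Windows PowerShell on a W2K8 R2 member server with WMI reachable on the peer; the peer host name 'TS-PEER' is a placeholder.

```powershell
# Added example (not from the original thread): detect a cloned machine SID and
# unresolved members of the local Remote Desktop Users group.

function Get-MachineSid {
    param([string]$ComputerName = '.')
    # The built-in Administrator always has RID 500; stripping it yields the machine SID.
    $admin = Get-WmiObject Win32_UserAccount -ComputerName $ComputerName -Filter 'LocalAccount=True' |
             Where-Object { $_.SID -like '*-500' }
    return ($admin.SID -replace '-500$', '')
}

function Get-RdpGroupMembers {
    # Walk the local Remote Desktop Users group via ADSI and try to translate each SID to a name.
    $group = [ADSI]'WinNT://./Remote Desktop Users,group'
    foreach ($member in @($group.Invoke('Members'))) {
        $sidBytes = $member.GetType().InvokeMember('objectSid', 'GetProperty', $null, $member, $null)
        $sid = New-Object System.Security.Principal.SecurityIdentifier($sidBytes, 0)
        try {
            $name = $sid.Translate([System.Security.Principal.NTAccount]).Value
            New-Object PSObject -Property @{ SID = $sid.Value; Name = $name; Resolved = $true }
        } catch [System.Security.Principal.IdentityNotMappedException] {
            # Unresolvable SID: what the GUI shows as a bare SID or a '?' icon.
            New-Object PSObject -Property @{ SID = $sid.Value; Name = $null; Resolved = $false }
        }
    }
}

$local = Get-MachineSid
$peer  = Get-MachineSid -ComputerName 'TS-PEER'   # placeholder: the other server built from the same image
"Local machine SID: $local"
"Peer  machine SID: $peer"
if ($local -eq $peer) {
    'DUPLICATE machine SID: both hosts came from the same image; run sysprep /generalize on the clone.'
}
Get-RdpGroupMembers | Where-Object { -not $_.Resolved } | ForEach-Object {
    "Unresolved member in Remote Desktop Users: $($_.SID)"
}
```

Run it on the Remote Desktop Session Host before and after sysprep; the unresolved-member list should be empty once the machine SID is unique.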


Very interesting. Yes, please post back your findings as it will be good for everyone to have on record.

D2011Author Commented:
Ok, all good. Running sysprep & changing the SID on the RDP server did the trick. The new W2K8 R2 servers have been in production for a day & all seems good.

The only thing I am having trouble with now is the start menu for W2K8 R2. I can't get the classic menu & folder redirection for the start menu does nothing on W2K8 R2. I might post this as a separate question later today, but will close this question off now. Thanks for the input guys.
Glad to hear it.    

See if this hotfix relates to your start menu....

D2011Author Commented:
Top rung, I wasn't aware of that group policy or its need to be enabled for RDP to work on a W2K8 TS. On a W2K3 TS all I need to do is enable TS & add users to the local RD Users group. Bizarre.

Awesome, now I can move on with a total W2K8 R2 64Bit solution & ditch W2K3, thanks heaps.

Thanks for your input Deibel.
