• Status: Solved

Problem connecting to several XP computers by Remote Desktop on domain

I'm having problems connecting to some XP computers on domain by Windows Remote Desktop Connection.

So far what I have looked at is (some checked stuff might not be necessary for it to work):
XP FW off (no other FW software installed)
remote desktop turned on
server service started
F&P sharing on
port 3389 enabled and listening tied to svchost.exe (by netstat -ano)
my domain user id is in local admin group on computers I'm trying to rdp into (I'm a member of IT support group)
computers trying to connect are pingable both ways
checked DNS records, no problems; also tried connecting by IP address
I also could not connect with my laptop on same subnet

In all cases, probably a dozen total, if the computer was removed from the domain and then re-added there were no more problems connecting by Windows Remote Desktop Connection.

I'm looking for ideas on what else to check for.

Thank you,
Jim
 
Darryl Allen Commented:
Are you able to ping the computers by name?  Also, will it work using the fully qualified domain name?
 
franable (Author) Commented:
Yes, always able to ping computers by name.  Also unable to connect by fully qualified domain name.
 
lefton4ya Commented:
3 ideas:

1.  Does your environment have Computer objects created for them in Active Directory?  If so, are they pre-created (created before machine is added to domain) or does it create them when joining domain?  Make sure the objects exist for the machines that you cannot remote into, and check permissions to the AD objects (although object permissions should not matter for RDP).

2.  Check which authentication you are using and try changing it:
As administrator, open "secpol.msc", go to Local Policies -> Security Options -> Network Security: LAN Manager authentication level.  Try all the options, but most likely either “Send LM & NTLM - use NTLMv2 session security if negotiated” or “Send NTLMv2 response only\refuse LM & NTLM”.
If it works, you can create a batch file to run on each machine with:
reg ADD "HKLM\SYSTEM\CurrentControlSet\Control\Lsa" /f /v "lmcompatibilitylevel" /t REG_DWORD /d "N"
  where "N" is 0-5 depending on the option you pick, in the order displayed on the local security setting dropdown (1 or 5 for my suggested options)

3.  Try a 3rd party remote application, such as VNC or Dameware.  I have known that to work when RDC does not, although it doesn't fix the problem it is a workaround.
@ECHO OFF

REM Set the LAN Manager authentication level to 5 (key is under HKLM)
reg ADD "HKLM\SYSTEM\CurrentControlSet\Control\Lsa" /f /v "lmcompatibilitylevel" /t REG_DWORD /d "5"
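
The registry change suggested in the comment above, wrapped so that the previous value is recorded and the result is verified. This is an added example, not code from the thread; the backup file name and the optional level argument are assumptions of this example.

```batch
@ECHO OFF
SETLOCAL
REM Added example (not from the thread): record, set and verify the
REM LAN Manager authentication level on the local machine.
SET "KEY=HKLM\SYSTEM\CurrentControlSet\Control\Lsa"
SET "VAL=lmcompatibilitylevel"

REM Level to apply; defaults to 5 (NTLMv2 only, LM and NTLM refused).
REM The optional command-line argument is an assumption of this example.
SET "NEW=5"
IF NOT "%~1"=="" SET "NEW=%~1"
ECHO %NEW%| findstr /R /X "[0-5]" >NUL || (ECHO Level must be 0-5 & EXIT /B 2)

REM Save the whole Lsa key first so the old setting can be restored.
REM The backup path is an assumption of this example.
SET "BACKUP=%TEMP%\lsa-before-%COMPUTERNAME%.reg"
IF EXIST "%BACKUP%" DEL "%BACKUP%"
reg export "%KEY%" "%BACKUP%" >NUL || (ECHO Backup failed & EXIT /B 1)

REM Read the current value; it stays "not set" if the value is absent.
SET "OLD=not set"
FOR /F "tokens=3" %%A IN ('reg query "%KEY%" /v %VAL% 2^>NUL ^| find /I "REG_DWORD"') DO SET "OLD=%%A"
ECHO %COMPUTERNAME%: %VAL% was %OLD%, applying %NEW%

reg ADD "%KEY%" /f /v "%VAL%" /t REG_DWORD /d %NEW% >NUL || (ECHO reg ADD failed & EXIT /B 1)

REM Read the value back and compare it with what was requested.
SET "NOW="
FOR /F "tokens=3" %%A IN ('reg query "%KEY%" /v %VAL% ^| find /I "REG_DWORD"') DO SET "NOW=%%A"
IF /I NOT "%NOW%"=="0x%NEW%" (ECHO Verification failed, value is "%NOW%" & EXIT /B 1)
ECHO Verified %VAL%=%NOW%, backup in %BACKUP%
```

Where a domain Group Policy sets "Network security: LAN Manager authentication level", the policy value replaces this one at the next policy refresh.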

 
kemitHamite Commented:
Can you connect to other computers from any of the computers that cannot be connected remotely?
Have you tried removing the computers from the domain and re-registering them?
 
sameerb5 Commented:
Have you checked that on both computers you are connecting the "Enable Remote Desktop on this computer" checkbox is checked? Have you inserted the remote users, i.e. the full domain of the computer or the computer name and the user who you want to allow?
I.e. when I am in a domain computer, I would allow users to connect to me and share my resources.
As well as when I am in a non-domain computer, I would add the fully qualified name of my domain.

Try it. It may work.
 
franable (Author) Commented:
Thanks for replying.

AD objects are usually pre-created (created before machine is added to domain).  I can't tell you for sure about the dozen I have had problems with.

I will try your suggestions and update hopefully tomorrow or Friday.
 
franable (Author) Commented:
My domain user id is in local admin group on computers I'm trying to RDP into (I'm a member of IT support group)

Yesterday there was another computer with the same problem.  IT person removed and rejoined it to the domain and Remote Desktop started working again.  For testing, the computer was rebooted and Remote Desktop stopped working. Everything listed above was rechecked and found to be normal.

********************************
XP FW off (no other FW software installed)
remote desktop turned on
server service started
F&P sharing on
port 3389 enabled and listening tied to svchost.exe (by netstat -ano)
my domain user id is in local admin group on computers I'm trying to rdp into (I'm a member of IT support group)
computers trying to connect are pingable both ways
checked DNS records, no problems; also tried connecting by IP address
 
franable (Author) Commented:
TS problem - found 1 thing in common.  All computers having this problem are XP SP2 computers.  Tried installing SP3 on 3 computers; all these computers get the error - Service Pack installation did not complete. Access is denied.  Tried installing from a domain account with admin permissions and also a local admin account.
 
lefton4ya Commented:
Try removing the AD group you are in from the machine's local administrator group then re-adding it and see if it fixes the error.  If this fixes it, it means the Group was changed recently.

Try checking the permissions to the Window\System folder - maybe they are not right but are corrected when you re-add to the domain.  Edit C Drive security permissions, make sure the local administrator group has full control, and go to advanced permissions and check "Replace permission entries on all child objects with entries shown here that apply to child objects" and hit apply (and wait awhile).

Also, try my previous authentication change technique on both the computers you are logging in to and the computer you are remoting from.

Let us know what fixes the remote issue or SP3 update.
 
franable (Author) Commented:
So far it seems like a security problem, and it was able to be fixed with the batch files on this page:
http://support.microsoft.com/kb/949377/
 
franable (Author) Commented:
Ended up being a permissions issue:
http://support.microsoft.com/kb/949377/

Thanks all for helping!
 
franable (Author) Commented:
Not sure why it gave the final grade as 6.8.

I chose the letter "A" as grade.