franable
problem connecting to several xp computers by Remote Desktop on domain
I'm having problems connecting to some xp computers on domain by Windows Remote Desktop Connection.
so far what I have looked at is (some checked stuff might not be necessary for it to work):
XP FW off (no other FW software installed)
remote desktop turned on
server service started
F&P sharing on
port 3389 enabled and listening tied to svchost.exe (by netstat -ano)
my domain user id is in local admin group on computers I'm trying to rdp into (I'm a member of IT support group)
computers trying to connect are pingable both ways
checked dns records no problems, also tried connecting by ip address
I also could not connect with my laptop on same subnet
in all cases, probably a dozen total, if the computer was removed from domain then re-added there were no more problems connecting by Windows Remote Desktop Connection.
I'm looking for ideas on what else to check for.
Thank you,
Jim
Are you able to ping the computers by name? Also, will it work using the fully qualified domain name?
ASKER
Yes, always able to ping computers by name. Also unable to connect by fully qualified domain name.
3 ideas:
1. Does your environment have Computer objects created for them in Active Directory? If so, are they pre-created (created before machine is added to domain) or does it create them when joining domain? Make sure the objects exist for the machines that you cannot remote into, and check permissions to the AD objects (although object permissions should not matter for RDP).
2. Check which authentication you are using and try changing it:
As administrator, open "secpol.msc", go to Local Policies -> Security Options -> Network Security: LAN Manager authentication level. Try all the options, but most likely either “Send LM & NTLM - use NTLMv2 session security if negotiated” or “Send NTLMv2 response only\refuse LM & NTLM”
If it works, you can create a batch file to run on each machine with:
reg ADD "HKLM\SYSTEM\CurrentControlSet\Control\Lsa" /f /v "lmcompatibilitylevel" /t REG_DWORD /d "N"
where "N" is 0-5 depending on the option you pick, in the order displayed on the local security setting dropdown (1 or 5 for my suggested options)
3. Try a 3rd party remote application, such as VNC or Dameware. I have known that to work when RDC does not, although it doesn't fix the problem it is a workaround.
@ECHO OFF
reg ADD "HKLM\SYSTEM\CurrentControlSet\Control\Lsa" /f /v "lmcompatibilitylevel" /t REG_DWORD /d "5"
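Added example, not part of the original thread: before pushing a new lmcompatibilitylevel with the batch file above, this script reads the current value from each machine and prints which policy option it corresponds to, so working and failing machines can be compared and the old value is on record. It assumes a file hosts.txt (hypothetical name) with one computer name per line and the Remote Registry service running on each target.

```batch
@ECHO OFF
REM Added example: report the LAN Manager authentication level per machine.
REM hosts.txt is an assumed input file: one computer name per line.
REM Reading a remote hive needs the Remote Registry service on the target.
SETLOCAL ENABLEDELAYEDEXPANSION
SET KEY=SYSTEM\CurrentControlSet\Control\Lsa

FOR /F "usebackq delims=" %%H IN ("hosts.txt") DO (
    SET LEVEL=
    REM reg query prints "lmcompatibilitylevel  REG_DWORD  0xN"; token 3 is the data.
    FOR /F "tokens=3" %%V IN ('reg query "\\%%H\HKLM\%KEY%" /v lmcompatibilitylevel 2^>NUL ^| findstr /I "lmcompatibilitylevel"') DO SET /A LEVEL=%%V
    IF NOT DEFINED LEVEL (
        ECHO %%H: value not set ^(OS default applies^) or registry unreachable
    ) ELSE (
        CALL :DESCRIBE !LEVEL!
        ECHO %%H: level !LEVEL! - !DESC!
    )
)
ENDLOCAL
GOTO :EOF

:DESCRIBE
REM Map the DWORD to the option order shown in the secpol.msc dropdown.
SET DESC=unknown value
IF "%1"=="0" SET DESC=Send LM and NTLM responses
IF "%1"=="1" SET DESC=Send LM and NTLM - use NTLMv2 session security if negotiated
IF "%1"=="2" SET DESC=Send NTLM response only
IF "%1"=="3" SET DESC=Send NTLMv2 response only
IF "%1"=="4" SET DESC=Send NTLMv2 response only, refuse LM
IF "%1"=="5" SET DESC=Send NTLMv2 response only, refuse LM and NTLM
GOTO :EOF
```

Levels 0 to 2 still send LM or NTLM responses, so a machine set that low while the rest of the domain is at a higher level is worth noting in the output.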
Can you connect to other computers from any of the computers that cannot be connected remotely?
Have you tried removing the computers from the domain and re-registering them?
Have you checked that on both computers you are connecting Enable Remote Desktop on this computer checkbox is checked. Have you inserted the remote users, i.e. the full domain of the computer or the computer name and the user who you want to allow.
i.e. when i am in domain computer, i would allow users to connect to me and share my resources.
as well as when i am in non-domain computer i would add the fully qualified name of my domain.
Try it. It may work.
ASKER
thanks for replying
AD objects are usually precreated (created before machine is added to domain) I can't tell you for sure about the dozen I have had problems with.
I will try your suggestions and update hopefully tomorrow or Friday.
ASKER
yesterday there was another computer with same problem. IT person removed and rejoined to domain and remote desktop started working again. for testing the computer was rebooted and remote desktop stopped working. everything listed above was rechecked and found to be normal.
**************************
XP FW off (no other FW software installed)
remote desktop turned on
server service started
F&P sharing on
port 3389 enabled and listening tied to svchost.exe (by netstat -ano)
my domain user id is in local admin group on computers I'm trying to rdp into (I'm a member of IT support group)
computers trying to connect are pingable both ways
checked dns records no problems, also tried connecting also by ip address
ASKER
TS problem - found 1 thing in common. All computers having this problem are xp sp2 computers. Tried installing sp3 on 3 computers all these computers get error - Service Pack installation did not complete. Access is denied. Tried installing from domain account with admin permissions and also local admin account.
ASKER
so far it seems like security problem and was able to be fixed with batch files on this page
http://support.microsoft.com/kb/949377/
ASKER
not sure why it gave final grade as 6.8
I choose the letter "A" as grade