Remote Desktop Not listening on Port 3389 Windows 2008R2

I cannot connect to a windows server 2008r2 with any remote desktop.

-No firewall enabled
-No antivirus firewall
-Remote Desktop is enable thru system properties
-Changing listening port via registry makes no difference(still will not listen on new port)
-have recreated the connection in the Remote Desktop Session Host
-have tried specific network adapters and the setting for all network adapters.

Any ideas why i cannot connect and get this message" Remote Desktop can't connect to the remote computer for one of these reasons"?
HungerMountainAsked:
Who is Participating?
 
HungerMountainConnect With a Mentor Author Commented:
Thank you everyone for the troubleshooting.

I will summarize the events of the last 2 days and the solution.

1) placed a call with microsoft
2) after 8 hours of troubleshooting the tech decided to replace the registry keys from the RDP from another working 2008R2 server.
3)This was a huge mistake.. It made the server endlessly reboot. It could not start in safe mode and last known good configuration would not either.
4)Escalated call to Engineering, who attempted to repair registry. We got the system to boot but without any video!!!
5) We decided we would do a bare metal restore round 3PM, by 6PM the system was back online to the same state it was to begin with.
6)This morning the original tech, discovered the the "RDP Winstation Driver" could not start.You can view this d driver in the device manager Non-Plug and Play Drivers(it is hidden, you must display hidden devices).Attempted to restart, it gave a error message but did not write to the even viewer.
7)Downloaded 2 new drivers from microsoft HotFix KB2666484-x64 and HotFix KB2624677-x64. These updated RDPWD.sys and RDBSS.sys in windows\system32\drivers
8)Rebooted and RDP admin worked as it should!!

A lesson on just how important disaster recovery is!
0
 
Tony JLead Technical ArchitectCommented:
You say it's not listening, but have you tried to telnet to it on port 3389?

telnet xxx.xxx.xxx.xxx 3389

If the screen goes black, to a cursor, then it is actually listening.

What is the full error message you are receiving?

Has it ever worked?

Have you disabled the firewall service? If so, re-enable it and turn it off via the security centre or create a rule for RDP.

Is there anything in the event logs of either the server or client?

What client are you using? XP/Vista/7 ?

Have you enabled Remote Desktop Services? If so, this is akin to Terminal Server and after a grace period will require licenses. If you just want remote management, uninstall the RDS features.

If you can answer the above, it'll help to narrow down the problem.
0
 
HungerMountainAuthor Commented:
Thanks
1)Opening a telnet connection ...I get "Could not open connection to the host , on port 3389:connect failed"

using netstat -ano it does not show 3389 listening at all

2)I am getting the standard error connection as if the machine had Remote Desktop disabled (see attached screen shot)

3)I dont believe i have ever tried it before now

4) Enabling Remote Desktop Rules with active firewall made no difference.(i had not stopped the firewall service, just turned it off in the control panel)

5)Nothing visible in either client or sever event logs

6)I am using a windows 7 client ..have also tried another machine , and and XP client.

7)I have not added any of the Remote Desktop Service Features thru server management.(We just need Remote Desktop for Administration)
0
Problems using Powershell and Active Directory?

Managing Active Directory does not always have to be complicated.  If you are spending more time trying instead of doing, then it's time to look at something else. For nearly 20 years, AD admins around the world have used one tool for day-to-day AD management: Hyena. Discover why

 
GeodashCommented:
Make sure it is actually running on port 3389 at this registry key. If it is, try a different port like 3390, reboot and try again.

HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\TerminalServer\WinStations\RDP-Tcp\PortNumber
0
 
HungerMountainAuthor Commented:
I have tried this a number of times. It makes no difference what the port number is set at. It will not listen on any other port either.
0
 
GeodashCommented:
I think it is definitely firewall. Disable the firewall completely and try again. Can the server be pinged from a client? Have you tried removing the setting to allow rdp and then re-enabling them?
0
 
HungerMountainAuthor Commented:
Still nothing with the firewall completely disabled. Yes the machine is fully online. I can access shares and ping it.
0
 
GeodashCommented:
You are disabling the firewall on the domain side, right? Just making sure. And also, you disabled both areas of the firewall, correct?
0
 
HungerMountainAuthor Commented:
Yes 100% sure the wall is not blocking it. I am not sure what you mean by "both" areas. I have turned off the firewall in areas --Domain Home and Public -----as well as stopping the windows firewall service in services.

The system still does not show 3389 listening as it does in all of our other 2008R2 servers with SP1
0
 
GeodashCommented:
Try it from an elevated command prompt, disabling all 3 for the test-

Disable Windows 2008 R2 Firewall from Command Line:

Domain Profile:
Netsh advfirewall set domainprofile state off

Private Profile:
Netsh advfirewall set privateprofile state off

Public Profile:
Netsh advfirewall set publicprofile state off

To enable the firewall replace the OFF at the end of the sentence for ON.

Turn them all off from the elevated command prompt and try again. It is still acting like the firewall by the symptoms you are describing. I just want to make sure.

Thanks!
0
 
HungerMountainAuthor Commented:
All commands ran successfully to turn off the firewall, but that did not fix the problem.
0
 
GeodashCommented:
Are you using NLA?
0
 
HungerMountainAuthor Commented:
Network Location Awareness service is running.
0
 
Tony JLead Technical ArchitectCommented:
I think he meant network level authentication but in this case it's a complete misdirection as you're not even getting it listening.

Also, netsh commands to disable firewall functions are deprecated and shouldn't be used now.

I'm at a loss on this one - the general consensus I've found online has been to do a reinstall of the OS.

Is it service packed? It might be worthwhile putting it on/reapplying it.
0
 
HungerMountainAuthor Commented:
Yes i agree , it needs to be listening first.

It is on service pack 1. I may re-pack it, I want to avoid OS re-installation.

Maybe its time to open a microsoft ticket. :-(

This one has me stumped too.
0
 
Ilya RubinshteynCommented:
Have you tried removing/reinstalling RDS role/s?
0
 
GeodashCommented:
Netsh is deprecated? Directly on MS website, it says you can use the Firewall commands using Netsh. I don't understand why one would think it is deprecated unless they are not used to using the command prompt or powershell. I am a past Linux guy so I like command line.

http://technet.microsoft.com/en-us/library/cc766337%28v=ws.10%29.aspx

Back to the point at hand, I still think it is the firewall messing it up in someway. I cannot see a large enterprise wiping a DC if they are unable to RDP to the server.

1. Make sure all of these services are running on the Server

DNS Client
Function Discovery Resource Publication
SSDP Discovery
UPnP

2. Go to Control Panel > System & Security > Click on 'Allow Remote Access' under System and allow RDP

I had a jr admin actually disable "DNS Client" on a DC because he thought "Its a DNS Server, why does it need to be a client" which wreaked some havoc for a day or two.
0
 
GeodashCommented:
Also, have you gone through this whole article, from MS ?

http://support.microsoft.com/kb/2477176
0
 
HungerMountainAuthor Commented:
The only service that was not running was Function Discovery Resource Publication(that made no difference and is not running on other 2008r2 servers that allow RDP admin

I have "allow Remote Access" Turned on

I have been thru the microsoft article. I cannot get the port to listen on any port!!

Just to clarify, I am only using RDP for administration purposes, I have not installed the roles for Remote Desktop Services. It says on the opening screen when you attempt add them , that this is not needed for Administration only.
0
 
Ilya RubinshteynCommented:
Correct, i have experienced it where installing the remote desktop services role and then removing clears the problem, hence the question. There is something in the reg. or the system that is preventing the RDP port from functioning. Even though you eliminated the firewall and the RDP Registry entry, it is obviously lurking somewhere. Installing/test/removing RDS will allow you to reset this w/out reinstalling the OS.
0
 
HungerMountainAuthor Commented:
I have installed the RDS roles
Rebooted
could still not connect
I have uninstalled the RDS roles
Rebooted
could still not connect

Great idea though.
0
 
Ilya RubinshteynCommented:
Ms call it is, I'm afraid :-(
0
 
GeodashCommented:
Have you ever been able to connect to this Server remotely? Is there any AV installed? Any type of security software, port blockers, McAfee, Norton etc. ?
0
 
HungerMountainAuthor Commented:
I dont believe i have ever tried connecting this way before.

There is antivirus software, but it gives no issues on any other of our servers(No add on firewall or port blocker)

Other software is CA ArcServe,Sharepoint foundation 2010 and SQL Server.

I think i will be making a long phone call.
0
 
GeodashCommented:
I would still try eliminating all possibilities before calling MS. The first thing they will do is tell you to uninstall AV (if it is 3rd party) and try again. I have tried it in the past and they always say it. Are you able to uninstall AV, reboot and try again, just to eliminate any possibility?

Even if there is no FW or Port blocking in the AV, I have seen it still happen in the past. Just a suggestion before calling MS and paying the money/time to do so.
0
 
HungerMountainAuthor Commented:
Uninstalled antivirus, rebooted....and .. Same problem... no connection...not listening on port.
0
 
Tony JLead Technical ArchitectCommented:
The comment re lack of experience with the command shell was rather personal and uncalled for. I made a simple mistake and misread the advfirewall as firewall which is the command that has been deprecated. I did not say netsh has been,

I would uninstall the RDS role as this installs the session host role but I assume you want the remote administrative mode.

I'd also re-service pack it.

It might be worth checking which, if any, updates have gone on recently that may be different on other (working) servers and remove them.
0
 
GeodashCommented:
Tony1044 - I apologize if you took it personal, it was not my intention at all nor was it referring that you had a lack of knowledge. All of the questions are relevant and I don't think any should be overlooked, hence my questioning.

I still think it is firewall related - try below - taken from here:

http://social.technet.microsoft.com/Forums/en-US/windowsserver2008r2rds/thread/811b722f-78e4-479c-afc8-bbfd604447fa/
_____________________________________________________________________________________________
By default, there is pre-defined rule Remote Desktop (TCP-in) in all profile that allow the incoming RDP connection. Please double check this rule to make sure it is enabled and applies to all profiles.

 

 

If the issue persists, please enable the Windows Firewall Audit Events on the server and then reproduce the issue to verify whether RDP traffic that is blocked by the Windows Server 2008 firewall.

1. In the command prompt, type the following command. You can copy and paste this command into the Command Prompt window:

auditpol.exe /set /SubCategory:"MPSSVC rule-level Policy Change","Filtering Platform policy change","IPsec Main Mode","IPsec Quick Mode","IPsec Extended Mode","IPsec Driver","Other System Events","Filtering Platform Packet Drop","Filtering Platform Connection" /success:enable /failure:enable

2. Restart the Windows Firewall service by typing the following commands, ending each by pressing ENTER:

net stop MPSSVC

net start MPSSVC

3. On the client, try to establish the RDP connection and then verify the event log in the Event Log--->Security.

 

Enable IPsec and Windows Firewall Audit Events

http://technet.microsoft.com/en-us/library/cc754714.aspx
0
 
HungerMountainAuthor Commented:
Enabling logging on the firewall revealed nothing. I do not believe this is a firewall issue. I still cannot see the port listening.

All servers have the same updates and service packs .. no issues with any other machines.

About to open a ticket with microsoft.

I will let you know what i will find.
0
 
Tony JLead Technical ArchitectCommented:
I'm really glad you got it working - also glad you had a working backup to go back to.

One quick tip for the future (where it's relevant) before I do anything so invasive, if it's a physical HP or Dell* server with a RAID 1 drive set for the OS (quite a common setup), I pull one of the drives.

That way if you end up with it stuffed like MS did, it can be quickly restored by pulling the stuffed drive and plugging the one you pulled out back in.

Ditto if it's a virtual machine - take a snapshot first.

Either way though - really glad you got it working.

*May work on other servers but have never tried it.
0
 
HungerMountainAuthor Commented:
Great suggestion Tony. I will keep that in mind for future issues.

A side note on the fix--

The official resolution and driver file versions.

RDPWD.SYS from 6.1.7601.1779 to 6.1.7601.2149
RDBSS.SYS from 6.1.7601.17514 to 6.1.7601.17737
0
 
HungerMountainAuthor Commented:
The provides a solution to a problem that most were recommending a full system re-install. I wanted to avoid reinstalling.
0
 
J SpoorTMECommented:
Just had the same,
run
sfc /scannow
shutdown
power on
0
Question has a verified solution.

Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.

Have a better answer? Share it in a comment.

All Courses

From novice to tech pro — start learning today.