Solved

Unable to RDP

Posted on 2014-11-17
15
59 Views
Last Modified: 2015-02-22
Hey everyone.

Today I started seeing this.  Whenever I try to RDP into one of our file servers by it DNS name, I see the Error1.  Then, it seems that groups permissions are not being applied since only explicit users permissions are being displayed (Error2)

Any ideas to correct this without having to restart this machine during business hours?

Thank you!
Error1.PNG
0
Comment
Question by:IDMA
  • 8
  • 4
15 Comments
 

Author Comment

by:IDMA
ID: 40447981
0
 

Author Comment

by:IDMA
ID: 40447983
0
 
LVL 39

Expert Comment

by:footech
ID: 40448160
Have you investigated what the error message is referring to?  Is the time on your machine and the file server in sync with domain controllers?  Are all DCs in sync?
0
 
LVL 5

Expert Comment

by:sAMAccountName
ID: 40448462
The clock on your file server is skewed.  You cant authenticate to active directory from the file server, so you only see the GUIDs in the permissions window instead of the domain accounts/groups (notice you can still see the local ones).  To fix this issue, you will need to set the time on the file server to match the domain.

You should be controlling time for all member servers using group policy.  Start here:  Time configuration in Active Directory (Technet Blog)
0
 

Author Comment

by:IDMA
ID: 40448580
Thanks, sAMAccountName.  But believe me that I have made sure that the time in the file server is the same as the domain.  We do have a GPO for Windows time.
I have scheduled a machine reboot for later tonight and will let you know what happens.
0
 
LVL 5

Expert Comment

by:sAMAccountName
ID: 40448700
If you log on to the file server as local admin, you should be able to force a sync using:
w32tm /resync /nowait


If that doesnt update time in a minute or so, you can try to restart the time service:
restart-service w32time

A reboot shouldn't be necessary to fix a skewed clock.  Have you checked timezone and DST settings?  You can check how much the system clocks are off using w32tm:
w32tm /monitor /computers:host1,host2,host3
0
Better Security Awareness With Threat Intelligence

See how one of the leading financial services organizations uses Recorded Future as part of a holistic threat intelligence program to promote security awareness and proactively and efficiently identify threats.

 

Author Comment

by:IDMA
ID: 40450105
Thank you all for the input.  A reboot of the server has resolved this.
Even though I tried all of your solutions, this was the most convenient fix.
0
 

Author Comment

by:IDMA
ID: 40458217
I've requested that this question be closed as follows:

Accepted answer: 0 points for IDMA's comment #a40450105

for the following reason:

All of the suggested solutions did not resolved the issue.
0
 
LVL 5

Expert Comment

by:sAMAccountName
ID: 40450633
Im glad the immediate issue is resolved, but I would caution against considering this fixed.  A reboot may correct behavior but it doesnt fix anything.  Invest some time toward researching why the Time skewed despite the domain time policy.

Just my $.02
0
 

Author Comment

by:IDMA
ID: 40458218
Cancel request.  Issue continues.

sAMAccountName,

You were right.  Issue came back.

I did find the following and the 2 suggestion is to delete the RDC certificate and reboot.
I am not familiar with this certificate.  Would you say it is safe to reboot.  We have 30+ servers and this is the only one presenting this issue.

http://www.chicagotech.net/netforums/viewtopic.php?f=3&t=13346
0
 
LVL 5

Expert Comment

by:sAMAccountName
ID: 40479687
IDMA,

Sorry for not getting back earlier.  I'm unclear how a certificate would affect the time service.  Can you verify a couple things?

1.  Use:  "gpresult /h <somefilename.html>" and search the output file for the time policy settings, just to make sure the policy is being applied - You will need to run this from an administrator shell
2.  Check the registry key "HKLM:\SYSTEM\CurrentControlSet\Services\W32Time\Parameters\" and make sure all the parameters in the Group Policy are setting the registry values correctly.

You need to determine that 1: the group policy is being scoped/filtered/evaluated properly by the file server and 2: the policy is being applied to the registry

If you could post the settings your policy has and the settings the server has, that would be helpful
0
 

Accepted Solution

by:
IDMA earned 0 total points
ID: 40480984
No worries, sAMAccountName.
I ended up reaching out to Microsoft and found the culprit: Double-Take.  It was clogging-up the system's resources after and update going wrong.
We recently upgraded to its latest version (7.1) and the rest of the targets failed to received it.  I guess that the source server (our troubled one) kept trying to reach out to the others and this overloaded the handles.

Information provided by MS:

Symptom  
One or more processes are using a high number of handles
Description  
A process is allocating a high number of handles and this may cause performance problems.

Information Collected:
Process ID: 1896
Process Name: DoubleTake.exe
Current Handle Count: 49,625
Root Cause  
RC_HighHandleCount
Public Document
http://blogs.technet.com/b/markrussinovich/archive/2009/09/29/3283844.aspx
0
 

Author Closing Comment

by:IDMA
ID: 40624037
After reaching out to Microsoft Support, it was determined that a third-party application was using a very high number of handles on the server.
0

Featured Post

Too many email signature changes to deal with?

Are you constantly being asked to update your organization's email signatures? Do they take up too much of your time? Wouldn't you love to be able to manage all signatures from one central location, easily design them and deploy them quickly to users. Well, you can!

Join & Write a Comment

Usually shares are where we want them for our users and we tend to take them for granted. There are times, however, when those shares may disappear causing difficulty for your users. One of the first things to try is searching for files that shou…
Data center, now-a-days, is referred as the home of all the advanced technologies. In-fact, most of the businesses are now establishing their entire organizational structure around the IT capabilities.
This tutorial will walk an individual through the steps necessary to join and promote the first Windows Server 2012 domain controller into an Active Directory environment running on Windows Server 2008. Determine the location of the FSMO roles by lo…
This tutorial will walk an individual through the process of transferring the five major, necessary Active Directory Roles, commonly referred to as the FSMO roles to another domain controller. Log onto the new domain controller with a user account t…

706 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

19 Experts available now in Live!

Get 1:1 Help Now