Solved

Terminal Server 2008 x86 RDP log on "access Denied" just before desktop load.

Posted on 2014-11-17
5
297 Views
Last Modified: 2014-11-24
Server has been running for years with different admins. I recently recreated the domain and rejoined the server to the new domain. This happened 2 months ago. Just last week, the terminal server started allowing the users to log in all the way up to the desktop and then "Access Denied". If I log on at the console, the RDP will most of the time take over the session; other times, "Access Denied". This seems to be a domain user issue. When I log in as the local admin via RDP all seems fine.

Has 2 NICs
1 with gateway and TCP/IP v4 only - No NetBIOS or DNS registration (external RDP connector)
2 without gateway and standard MS network config (internal RDP connector & domain connection)
-DNS registers only on NIC 2
-rDNS registered for both IP addresses as the same server name matching forward DNS

Steps so far
-Double-checked all NIC config and that DNS resolves \\domain.local
-Disabled IP offload on the NICs
-Ran Fix it on Kerberos to use TCP

My workaround
-Extended disconnect time to 16 hrs
-Log each user in to the Terminal server before they come in to work
0
Question by:nhnerd
5 Comments
 
LVL 22

Expert Comment

by:Matt V
ID: 40450167
Did you verify that all the users are in the Remote Desktop Users group on the Terminal server?
0
 
LVL 43

Expert Comment

by:Amit
ID: 40450196
Add users to the local Admin and Remote Desktop groups and that should be enough to make it work. In case users are getting removed from these groups after some time, then you have a GPO which is removing these permissions. In that case, you need to add them via GPO.
0
 

Author Comment

by:nhnerd
ID: 40451083
"Domain Users" and "Domain Admins" are in the RDS group. The "account denied" happens on my Domain admin account also. Recap: I can log on at the console and most of the time take over the session via RDP. The few errors in the event log have been researched and the fixes applied with no desired results. There is something happening at the last second of RDP setup.

1. I have no issue with RDP log in on the other new terminal server that is almost ready for production. Pretty much removes licensing server issues.

2. There was an error for a GPO in the logs. I disabled the GPO and used Netdom to reset the machine account; neither had an effect on the issue.

3. Reconfigured Domain DNS to verify the server can resolve \\domain.local

4. Verified rDNS and DNS match

5. Disabled/enabled TCP offload on the NICs; no change on either setting

6. Found a blog about NTLM / Kerberos authentication and used the MS fix in the KB with no effect
0
 

Accepted Solution

by:
nhnerd earned 0 total points
ID: 40453058
The issue was the second NIC needs Microsoft Client enabled. The OS picks a NIC at random to talk to the domain regardless if the protocol is enabled or disabled.

How I discovered the issue: In the event log is an entry about a GPO not able to access "\\domain.local\sysvol\". I was able to manually browse to the sysvol folder with Windows Explorer and I was able to "net use x: \\domain.local\sysvol" with success. When I copied and pasted the location from the event logs into Explorer's address bar, an error about the path was displayed. This led me to the second NIC on the box. I turned on NetBIOS with no change in behavior. Then I turned on all features and the issue went away. Clean-up time.
0
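
An added example, not part of the original thread: one way to check from PowerShell which NICs have "Client for Microsoft Networks" bound, the setting the accepted solution identifies. It assumes the binding list is the `Bind` multi-string value under the LanmanWorkstation `Linkage` registry key, with each entry ending in the adapter's `{GUID}`; the function names are hypothetical and the syntax is kept PowerShell 2.0 compatible.

```powershell
# Added example (not from the thread). Reports, per IP-enabled NIC, whether
# "Client for Microsoft Networks" (the LanmanWorkstation service) is bound.
# Assumption: bindings are listed in Linkage\Bind, one entry per transport,
# each ending in the adapter GUID, e.g. \Device\NetBT_Tcpip_{GUID}.

function Get-BoundAdapterGuid {
    param([string[]]$BindEntries)
    $guids = @()
    foreach ($entry in $BindEntries) {
        # Pull the trailing {GUID} out of each bind path
        if ($entry -match '(\{[0-9A-Fa-f-]{36}\})\s*$') {
            $guids += $Matches[1].ToUpper()
        }
    }
    $guids | Select-Object -Unique
}

function Test-MsClientBinding {
    param(
        [object[]]$Adapters,     # objects exposing Description, SettingID, IPAddress
        [string[]]$BindEntries   # contents of the Bind value
    )
    $bound = @(Get-BoundAdapterGuid -BindEntries $BindEntries)
    foreach ($nic in $Adapters) {
        New-Object PSObject -Property @{
            Adapter       = $nic.Description
            IPAddress     = ($nic.IPAddress -join ', ')
            MsClientBound = ($bound -contains $nic.SettingID.ToUpper())
        }
    }
}

# Live check, run locally on the terminal server
$linkage = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanWorkstation\Linkage'
$bind    = (Get-ItemProperty -Path $linkage -Name Bind).Bind
$nics    = Get-WmiObject Win32_NetworkAdapterConfiguration -Filter 'IPEnabled = TRUE'

Test-MsClientBinding -Adapters $nics -BindEntries $bind |
    Select-Object Adapter, IPAddress, MsClientBound |
    Format-Table -AutoSize
```

A NIC that shows `MsClientBound` as `False` has no Microsoft Client binding, which matches the condition described in the accepted solution.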
 

Author Closing Comment

by:nhnerd
ID: 40461740
How I discovered the issue: In the event log is an entry about a GPO not able to access "\\domain.local\sysvol\". I was able to manually browse to the sysvol folder with Windows Explorer and I was able to "net use x: \\domain.local\sysvol" with success. When I copied and pasted the location from the event logs into Explorer's address bar, an error about the path was displayed. This led me to the second NIC on the box. I turned on NetBIOS with no change in behavior. Then I turned on all features and the issue went away. Clean-up time.
0

Question has a verified solution.