Terminal Server unable to connect to DC for authentication

We are having intermittent issues with a 2008 R2 terminal server. At some point it prevents certain users from connecting, giving: "An authentication error has occurred. The Local Security Authority cannot be contacted"

So far the only solution is to delete the AD user and recreate.  

I deliberately entered the wrong password 3 times and it locked the account out on the DC.  I then logged into the same TS as admin (no issues logging on) and opened ADUC on the terminal server.  I pulled up the user and it did show that the user was locked out.   I then reset the password telling it to unlock the user.  The password appeared to reset however the user was still locked out.

I also tried connecting to Exchange OWA and was unable to log in as that user.  Something seems to have corrupted on the AD User.  This only happens to users logging into that one terminal server account.

Any ideas would be appreciated.

Do your event logs have any information relating to this error?  Either on the client side or the server side?

A few broad things to check:
   Make sure your DNS entries on the terminal server are all correct.
   See if the users having the issue are required to "change password on next login".

   We get the same error sometimes if we accidentally select the remote desktop option "Allow connections only from computers running Remote Desktop with Network Level Authentication (more secure)". If that is checked in the "Remote" tab of "System Properties", try selecting the option above it and see if it resolves your issue as a workaround.
Will Szymkowski (Senior Solution Architect) commented:
How is your DC health and replication? I would check this first. You said that you unlocked this account and then it was still locked out. Password changes (resets) are instant. This replication does not go through the regular replication cycle. When a password is reset the DC that is resetting the password automatically replicates this password change to the PDC.

Check Replication and Health by using the following commands...
repadmin /replsum
repadmin /showrepl
repadmin /bridgeheads
dcdiag /v

Also as stated make sure your DNS is in check as well.

YMartin (Author) commented:
Thanks for the help so far.  

I attempted to unlock the user on the DC itself and it would not unlock.  

It could be that one of the other DCs is locking it as fast as I unlock it, but that would be pretty fast replication across a VPN (all other DCs are remote). I found no errors relating to this on the DC. I will check for replication issues shortly. DNS points to the DC. Nslookup on the domain returns the DC.

Once I changed the account logon name I was able to unlock the user and the login error also was resolved.  This was discovered when deleting the user and recreating a user with the same name failed to resolve the issue.

The problem is that it keeps recurring somewhat randomly.  I had to change the username twice yesterday.  Also early this morning he was unable to log in, however by the time I got into the office the problem was gone so it may be correcting itself sometimes.

I am looking through the group policy for that user: a lot of settings disabled in Control Panel, no cmd, items hidden from the Start menu, DFS roots/shares disabled. Alternate credentials are disabled.

Probably more likely to be on the server: most redirection is disabled and this:
Windows Components/Remote Desktop Services/Remote Desktop Session Host/Remote Session Environment
   Allow desktop composition for remote desktop sessions: Disabled
   Optimize visual experience for Remote Desktop Services sessions: Enabled
      Visual experience: Text
   Set compression algorithm for RDP data: Enabled
      RDP compression algorithm: Optimized to use less network bandwidth

Other things which have been tried (but failed) were to move the user to another OU where users have not had this problem and also a reboot on the RDP server.
Will Szymkowski (Senior Solution Architect) commented:
Do you have Active Directory auditing enabled? If you don't, I would consider doing this and also download Active Directory Auditor by Lepide Software.

This will show exactly where the account is being locked out from.

Active Directory Auditor Lepide Software
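An added example (not from the thread or from Lepide) that does the two checks the discussion points at: it asks every DC directly for the account's lockout attributes, since badPwdCount and lastBadPasswordAttempt are not replicated and lockoutTime can lag across a VPN, and then reads Security event 4740 from the PDC emulator, whose "Caller Computer Name" field shows where the bad passwords came from. It assumes the RSAT ActiveDirectory module, a DC reachable over ADWS, rights to read the PDC's Security log, and that User Account Management auditing is enabled on the DCs.

```powershell
# Added example, not the thread's own code.
# Assumes: RSAT ActiveDirectory module, permission to read the PDC emulator's
# Security log, and "Audit User Account Management" enabled on the DCs.
param(
    [Parameter(Mandatory)] [string] $SamAccountName   # e.g. the user who keeps locking out
)
Import-Module ActiveDirectory

# badPwdCount / lastBadPasswordAttempt are per-DC and never replicated, so each DC is
# queried directly; lockoutTime is replicated urgently but can still lag over a VPN.
$dcs = Get-ADDomainController -Filter *
$status = foreach ($dc in $dcs) {
    $u = Get-ADUser -Identity $SamAccountName -Server $dc.HostName `
         -Properties LockedOut, badPwdCount, lastBadPasswordAttempt, lockoutTime, pwdLastSet
    [pscustomobject]@{
        DC                     = $dc.HostName
        LockedOut              = $u.LockedOut
        BadPwdCount            = $u.badPwdCount
        LastBadPasswordAttempt = $u.lastBadPasswordAttempt
        LockoutTime            = if ($u.lockoutTime) { [DateTime]::FromFileTime($u.lockoutTime) } else { $null }
        PwdLastSet             = if ($u.pwdLastSet)  { [DateTime]::FromFileTime($u.pwdLastSet) }  else { $null }
    }
}
# The DC with the newest LastBadPasswordAttempt is the one receiving the bad logons.
$status | Sort-Object LastBadPasswordAttempt -Descending | Format-Table -AutoSize

# Every lockout is forwarded to the PDC emulator and logged there as event 4740.
# Property[0] is the locked account, Property[1] the caller computer name.
$pdc    = (Get-ADDomain).PDCEmulator
$filter = @{ LogName = 'Security'; Id = 4740; StartTime = (Get-Date).AddDays(-7) }
Get-WinEvent -ComputerName $pdc -FilterHashtable $filter -ErrorAction SilentlyContinue |
    Where-Object { $_.Properties[0].Value -eq $SamAccountName } |
    ForEach-Object {
        [pscustomobject]@{
            Time           = $_.TimeCreated
            Account        = $_.Properties[0].Value
            CallerComputer = $_.Properties[1].Value   # machine that sent the bad passwords
            ReportedBy     = $pdc
        }
    } | Format-Table -AutoSize
```

If the caller computer is the terminal server itself, the next place to look is a cached credential on that host (a stale mapped drive, scheduled task or service running as the user) rather than the user object.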

YMartin (Author) commented:
It seems to be working now after the last rename.  I would like to trace this down and will use your advice next time we see this issue.
Windows Server 2008