Asked by MISquared
Remote Desktop license server

Users are not able to connect randomly. In RDS License Manager, reviewing the configuration results in "The system cannot determine if the license server is registered as a service connection point (SCP) in Active Directory Domain Services (AD DS) because the AD DS cannot be contacted."

Then all of a sudden it goes away. The RDS server and the domain controller are both VMs running in Hyper-V connected to the same virtual switch. The DC is the primary DNS server for the RDS server. At the time of the issue, the DC is able to be pinged with no problem. Also, there are no entries in the logs on the DC that indicate a problem with AD or DNS.

I've attached two screen grabs, one that shows the issue, and the other that shows no problem, both of which happen at random as far as I can tell.

Suggestions?

Thanks!
Attachments: FailedStatus.JPG, SuccessStatus.JPG
MISquared (asker):
More to add. In the event logs of the RDS server, we see a corresponding Event ID 1054 from Group Policy: "The processing of Group Policy failed. Windows could not obtain the name of a domain controller."

When I looked into this, I noticed that the secondary DNS server of the DC was set to the ISP's public DNS. I removed this as suggested by a comment in this post: https://social.technet.microsoft.com/Forums/office/en-US/4061ae7b-b692-4df4-bcca-95a7c8c86330/gpupdate-fails-event-id-1054-windows-could-not-obtain-the-name-of-a-domain-controller?forum=winserverGP.

We'll see if it makes a difference. In the meantime, suggestions are still welcome and appreciated.

Thanks.
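An added check, not part of the original post, for the DNS-client configuration the poster is changing. A DC's resolver list should contain only itself and other DCs, and a member server's should contain only DCs: the Windows DNS client falls back to the alternate server when the preferred one does not answer in time and keeps using it for a while, and an ISP resolver answers NXDOMAIN for the `_msdcs` SRV names, which the DC locator treats as "no domain controller found". That fits the intermittent 1054. The script below flags any resolver outside the domain's own DNS servers and then queries the DC locator SRV record against each domain server. It assumes 10.10.1.1 (the address in the 5775 event later in the thread) is the DC's DNS service and uses the thread's placeholder domain name; both are assumptions to adjust.

```powershell
# Added example, not from the original thread: audit resolver settings on the DC
# and on the RDS host, then confirm the DC locator record resolves.
# Assumptions: 10.10.1.1 is the DC's DNS service; 'fakedomain.local' is the
# placeholder domain name used in the thread.
$DomainDnsServers = @('10.10.1.1')
$DomainName       = 'fakedomain.local'

# Every IPv4 interface that has resolvers configured
$config = Get-DnsClientServerAddress -AddressFamily IPv4 |
    Where-Object { $_.ServerAddresses.Count -gt 0 }

foreach ($c in $config) {
    foreach ($srv in $c.ServerAddresses) {
        if ($srv -notin $DomainDnsServers) {
            Write-Warning ("Interface '{0}' uses non-domain resolver {1}; remove it " +
                           "(public resolvers return NXDOMAIN for _msdcs SRV names)") -f $c.InterfaceAlias, $srv
        }
    }
}

# Ask each domain DNS server directly (-DnsOnly bypasses the cache and hosts file)
foreach ($srv in $DomainDnsServers) {
    try {
        $recs = Resolve-DnsName -Name "_ldap._tcp.dc._msdcs.$DomainName" -Type SRV `
                                -Server $srv -DnsOnly -ErrorAction Stop
        foreach ($r in $recs) {
            '{0}: _ldap._tcp.dc._msdcs -> {1}:{2}' -f $srv, $r.NameTarget, $r.Port
        }
    } catch {
        Write-Warning "$srv did not answer the DC locator SRV query: $($_.Exception.Message)"
    }
}

# Finally, ask the DC locator itself; /force discards the cached DC so the
# result reflects the resolvers configured right now.
nltest /dsgetdc:$DomainName /force
```

Run it on both the DC and the RDS host. If the SRV query succeeds against the DC but `nltest /dsgetdc` still fails on the RDS host, the problem is on the locator path (firewall, NetBIOS/LDAP ping), not name resolution.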
Adam Brown:
I've run into issues with the RD Licensing role that were caused by the Windows Firewall incorrectly blocking ports needed for determining license status. If you have the Firewall enabled on the RD Licensing server, I'd start by turning that off to see if that resolves the issues. From there you should be able to either create custom rules that won't block the traffic or just leave the windows firewall off (Software Firewalls kinda suck anyway).
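An added example, not from the post above: rather than leaving the host firewall off, turn on logging of dropped packets for the Domain profile on the RD Licensing server, reproduce the failure, and read back the drops that involve the DC. That turns "the firewall is blocking something" into a list of protocol/port pairs a custom rule can allow. It assumes the DC is at 10.10.1.1 (the address in the 5775 event later in the thread) and uses the default firewall log path; both are assumptions.

```powershell
# Added example, not from the original post: log firewall drops instead of
# disabling the firewall, then summarise drops to/from the DC.
# Assumptions: DC address 10.10.1.1; default pfirewall.log location.
$Dc  = '10.10.1.1'
$Log = "$env:SystemRoot\System32\LogFiles\Firewall\pfirewall.log"

# 1. Enable drop logging on the Domain profile (the one in effect on a member server)
Set-NetFirewallProfile -Profile Domain -LogBlocked True -LogFileName $Log -LogMaxSizeKilobytes 8192

# 2. Show the built-in rules that relate to Remote Desktop, so a disabled group
#    is visible before writing custom rules
Get-NetFirewallRule |
    Where-Object { $_.DisplayGroup -like '*Remote Desktop*' } |
    Select-Object DisplayName, DisplayGroup, Enabled, Direction, Profile |
    Format-Table -AutoSize

# 3. After reproducing the failure, summarise drops involving the DC.
#    pfirewall.log is W3C format; the fields are:
#    date time action protocol src-ip dst-ip src-port dst-port size tcpflags
#    tcpsyn tcpack tcpwin icmptype icmpcode info path
Get-Content $Log |
    Where-Object { $_ -match '^\d' } |        # skip the '#' header lines
    ForEach-Object {
        $f = $_ -split ' '
        if ($f[2] -eq 'DROP' -and ($f[4] -eq $Dc -or $f[5] -eq $Dc)) {
            [pscustomobject]@{
                Time    = "$($f[0]) $($f[1])"
                Proto   = $f[3]
                Src     = $f[4]
                Dst     = $f[5]
                SrcPort = $f[6]
                DstPort = $f[7]
                Path    = $f[16]               # SEND or RECEIVE
            }
        }
    } |
    Group-Object Proto, Dst, DstPort, Path |
    Sort-Object Count -Descending |
    Select-Object Count, Name
```

Each line of the summary is one candidate for a specific allow rule. Note that this log covers only Windows Firewall; a third-party firewall such as the SEP one mentioned later in the thread keeps its own traffic log and has to be checked separately.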
Just to keep you posted, the problem has not arisen again yet. If we get through the rest of the day without it happening again, the change to the secondary DNS setting on the DC may have done the trick.
Ok, it just happened again. I have disabled the Windows firewalls on both the RDS and DC servers for the domain profile. SEP is also running on the RDS server; so, I disabled the SEP firewall on that. The problem seems to happen once or twice a day. Nobody will be using the RDS server tomorrow after noon; so, we might not hear of any complaints again until next week...if it happens again. I'll keep you posted.
More info:

On the DC, multiple log entries related to this. Clearly a DNS/AD issue. Here are the events:

Log Name:      System
Source:        NETLOGON
Date:          8/18/2016 3:02:42 PM
Event ID:      5775
Task Category: None
Level:         Error
Keywords:      Classic
User:          N/A
Computer:      FakeDC.FakeDomain.local
Description:
The dynamic deletion of the DNS record '_kerberos._tcp.dc._msdcs.FakeDomain.local. 600 IN SRV 0 100 88 FakeDC.FakeDomain.local.' failed on the following DNS server:  

DNS server IP address: 10.10.1.1
Returned Response Code (RCODE): 5
Returned Status Code: 9017  

USER ACTION  
To prevent remote computers from connecting unnecessarily to the domain controller, delete the record manually or troubleshoot the failure to dynamically delete the record. To learn more about debugging DNS, see Help and Support Center.  

ADDITIONAL DATA
Error Value: DNS bad key.
Event Xml:
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <Provider Name="NETLOGON" />
    <EventID Qualifiers="0">5775</EventID>
    <Level>2</Level>
    <Task>0</Task>
    <Keywords>0x80000000000000</Keywords>
    <TimeCreated SystemTime="2016-08-18T19:02:42.000000000Z" />
    <EventRecordID>18385</EventRecordID>
    <Channel>System</Channel>
    <Computer>FakeDC.FakeDomain.local</Computer>
    <Security />
  </System>
  <EventData>
    <Data>_kerberos._tcp.dc._msdcs.FakeDomain.local. 600 IN SRV 0 100 88 FakeDC.FakeDomain.local.</Data>
    <Data>%%9017</Data>
    <Data>10.10.1.1</Data>
    <Data>5</Data>
    <Data>9017</Data>
    <Binary>0500</Binary>
  </EventData>
</Event>
------------------------------------------
Log Name:      System
Source:        NETLOGON
Date:          8/18/2016 3:02:49 PM
Event ID:      5719
Task Category: None
Level:         Error
Keywords:      Classic
User:          N/A
Computer:      FakeDC.FakeDomain.local
Description:
This computer was not able to set up a secure session with a domain controller in domain FakeDC due to the following:
There are currently no logon servers available to service the logon request.
This may lead to authentication problems. Make sure that this computer is connected to the network. If the problem persists, please contact your domain administrator.  

ADDITIONAL INFO
If this computer is a domain controller for the specified domain, it sets up the secure session to the primary domain controller emulator in the specified domain. Otherwise, this computer sets up the secure session to any domain controller in the specified domain.
Event Xml:
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <Provider Name="NETLOGON" />
    <EventID Qualifiers="0">5719</EventID>
    <Level>2</Level>
    <Task>0</Task>
    <Keywords>0x80000000000000</Keywords>
    <TimeCreated SystemTime="2016-08-18T19:02:49.000000000Z" />
    <EventRecordID>18403</EventRecordID>
    <Channel>System</Channel>
    <Computer>FakeDC.FakeDomain.local</Computer>
    <Security />
  </System>
  <EventData>
    <Data>FakeDC</Data>
    <Data>%%1311</Data>
    <Binary>5E0000C0</Binary>
  </EventData>
</Event>
------------------------------------------
Log Name:      System
Source:        Microsoft-Windows-DNS-Client
Date:          8/18/2016 3:02:48 PM
Event ID:      1014
Task Category: (1014)
Level:         Warning
Keywords:      (268435456)
User:          NETWORK SERVICE
Computer:      FakeDC.fakedomain.local
Description:
Name resolution for the name _ldap._tcp.dc._msdcs.fakedomain.local. timed out after none of the configured DNS servers responded.
Event Xml:
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <Provider Name="Microsoft-Windows-DNS-Client" Guid="{1C95126E-7EEA-49A9-A3FE-A378B03DDB4D}" />
    <EventID>1014</EventID>
    <Version>0</Version>
    <Level>3</Level>
    <Task>1014</Task>
    <Opcode>0</Opcode>
    <Keywords>0x4000000010000000</Keywords>
    <TimeCreated SystemTime="2016-08-18T19:02:48.978286700Z" />
    <EventRecordID>18405</EventRecordID>
    <Correlation ActivityID="{24543EDC-F294-0001-44C2-5B2494F2D101}" />
    <Execution ProcessID="1016" ThreadID="476" />
    <Channel>System</Channel>
    <Computer>FakeDC.fakedomain.local</Computer>
    <Security UserID="S-1-5-20" />
  </System>
  <EventData>
    <Data Name="QueryName">_ldap._tcp.dc._msdcs.fakedomain.local.</Data>
    <Data Name="AddressLength">128</Data>
    <Data Name="Address">020000007F000001000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000</Data>
  </EventData>
</Event>
------------------------------------------
Log Name:      Directory Service
Source:        Microsoft-Windows-ActiveDirectory_DomainService
Date:          8/18/2016 3:02:49 PM
Event ID:      2886
Task Category: LDAP Interface
Level:         Warning
Keywords:      Classic
User:          ANONYMOUS LOGON
Computer:      FakeDC.fakedomain.local
Description:
The security of this directory server can be significantly enhanced by configuring the server to reject SASL (Negotiate, Kerberos, NTLM, or Digest) LDAP binds that do not request signing (integrity verification) and LDAP simple binds that are performed on a clear text (non-SSL/TLS-encrypted) connection.  Even if no clients are using such binds, configuring the server to reject them will improve the security of this server.
 
Some clients may currently be relying on unsigned SASL binds or LDAP simple binds over a non-SSL/TLS connection, and will stop working if this configuration change is made.  To assist in identifying these clients, if such binds occur this directory server will log a summary event once every 24 hours indicating how many such binds occurred.  You are encouraged to configure those clients to not use such binds.  Once no such events are observed for an extended period, it is recommended that you configure the server to reject such binds.
 
For more details and information on how to make this configuration change to the server, please see http://go.microsoft.com/fwlink/?LinkID=87923.
 
You can enable additional logging to log an event each time a client makes such a bind, including information on which client made the bind.  To do so, please raise the setting for the "LDAP Interface Events" event logging category to level 2 or higher.
Event Xml:
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <Provider Name="Microsoft-Windows-ActiveDirectory_DomainService" Guid="{0e8478c5-3605-4e8c-8497-1e730c959516}" EventSourceName="NTDS General" />
    <EventID Qualifiers="32768">2886</EventID>
    <Version>0</Version>
    <Level>3</Level>
    <Task>16</Task>
    <Opcode>0</Opcode>
    <Keywords>0x8080000000000000</Keywords>
    <TimeCreated SystemTime="2016-08-18T19:02:49.478332000Z" />
    <EventRecordID>631</EventRecordID>
    <Correlation />
    <Execution ProcessID="568" ThreadID="24352" />
    <Channel>Directory Service</Channel>
    <Computer>FakeDC.fakedomain.local</Computer>
    <Security UserID="S-1-5-7" />
  </System>
  <EventData>
  </EventData>
</Event>
------------------------------------------
Log Name:      DNS Server
Source:        Microsoft-Windows-DNS-Server-Service
Date:          8/18/2016 3:02:55 PM
Event ID:      4013
Task Category: None
Level:         Warning
Keywords:      (131072)
User:          SYSTEM
Computer:      FakeDC.fakedomain.local
Description:
The DNS server is waiting for Active Directory Domain Services (AD DS) to signal that the initial synchronization of the directory has been completed. The DNS server service cannot start until the initial synchronization is complete because critical DNS data might not yet be replicated onto this domain controller. If events in the AD DS event log indicate that there is a problem with DNS name resolution, consider adding the IP address of another DNS server for this domain to the DNS server list in the Internet Protocol properties of this computer. This event will be logged every two minutes until AD DS has signaled that the initial synchronization has successfully completed.
Event Xml:
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <Provider Name="Microsoft-Windows-DNS-Server-Service" Guid="{71A551F5-C893-4849-886B-B5EC8502641E}" />
    <EventID>4013</EventID>
    <Version>0</Version>
    <Level>3</Level>
    <Task>0</Task>
    <Opcode>0</Opcode>
    <Keywords>0x8000000000020000</Keywords>
    <TimeCreated SystemTime="2016-08-18T19:02:55.212902600Z" />
    <EventRecordID>181</EventRecordID>
    <Correlation />
    <Execution ProcessID="6016" ThreadID="7404" />
    <Channel>DNS Server</Channel>
    <Computer>FakeDC.fakedomain.local</Computer>
    <Security UserID="S-1-5-18" />
  </System>
  <EventData Name="DNS_EVENT_DS_OPEN_WAIT">
  </EventData>
</Event>
------------------------------------------
Log Name:      System
Source:        NETLOGON
Date:          8/18/2016 3:03:17 PM
Event ID:      5781
Task Category: None
Level:         Warning
Keywords:      Classic
User:          N/A
Computer:      FakeDC.fakedomain.local
Description:
Dynamic registration or deletion of one or more DNS records associated with DNS domain 'fakedomain.local.' failed.  These records are used by other computers to locate this server as a domain controller (if the specified domain is an Active Directory domain) or as an LDAP server (if the specified domain is an application partition).  

Possible causes of failure include:  
- TCP/IP properties of the network connections of this computer contain wrong IP address(es) of the preferred and alternate DNS servers
- Specified preferred and alternate DNS servers are not running
- DNS server(s) primary for the records to be registered is not running
- Preferred or alternate DNS servers are configured with wrong root hints
- Parent DNS zone contains incorrect delegation to the child zone authoritative for the DNS records that failed registration  

USER ACTION  
Fix possible misconfiguration(s) specified above and initiate registration or deletion of the DNS records by running 'nltest.exe /dsregdns' from the command prompt on the domain controller or by restarting Net Logon service on the domain controller.
Event Xml:
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <Provider Name="NETLOGON" />
    <EventID Qualifiers="0">5781</EventID>
    <Level>3</Level>
    <Task>0</Task>
    <Keywords>0x80000000000000</Keywords>
    <TimeCreated SystemTime="2016-08-18T19:03:17.000000000Z" />
    <EventRecordID>18414</EventRecordID>
    <Channel>System</Channel>
    <Computer>FakeDC.fakedomain.local</Computer>
    <Security />
  </System>
  <EventData>
    <Data>fakedomain.local.</Data>
    <Binary>B4050000</Binary>
  </EventData>
</Event>
------------------------------------------
Log Name:      System
Source:        LsaSrv
Date:          8/18/2016 3:03:16 PM
Event ID:      40960
Task Category: None
Level:         Warning
Keywords:      
User:          SYSTEM
Computer:      FakeDC.fakedomain.local
Description:
The Security System detected an authentication error for the server LDAP/Localhost. The failure code from authentication protocol Kerberos was "An attempt was made to logon, but the netlogon service was not started.
 (0xc0000192)".
Event Xml:
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <Provider Name="LsaSrv" Guid="{199FE037-2B82-40A9-82AC-E1D46C792B99}" />
    <EventID>40960</EventID>
    <Version>0</Version>
    <Level>3</Level>
    <Task>0</Task>
    <Opcode>0</Opcode>
    <Keywords>0x8000000000000000</Keywords>
    <TimeCreated SystemTime="2016-08-18T19:03:16.228495200Z" />
    <EventRecordID>18415</EventRecordID>
    <Correlation />
    <Execution ProcessID="568" ThreadID="9648" />
    <Channel>System</Channel>
    <Computer>FakeDC.fakedomain.local</Computer>
    <Security UserID="S-1-5-18" />
  </System>
  <EventData>
    <Data Name="Target">LDAP/Localhost</Data>
    <Data Name="Protocol">Kerberos</Data>
    <Data Name="Error">"An attempt was made to logon, but the netlogon service was not started.
 (0xc0000192)"</Data>
  </EventData>
</Event>
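An added example, not part of the original post, for reading the burst of events above as a sequence rather than one at a time. Two details in the quoted XML are worth having in front of you: the `Address` field of the DNS-Client 1014 event is a raw sockaddr, and `020000007F000001` decodes to AF_INET, 127.0.0.1, so it is the DC's own DNS Server service that failed to answer; and 4013 is the DNS Server service reporting that it is waiting for AD DS initial synchronization, while 40960 says Netlogon was not started. That pattern is worth testing against service start/stop events (Service Control Manager 7036) in the same minutes, which is what the script adds. It assumes it runs on the DC with administrator rights and that the chosen window brackets the 15:02 burst; the window is an assumption to adjust.

```powershell
# Added example, not from the original thread: pull the quoted DC events for one
# window, add Service Control Manager 7036 (service state changes), print them in
# time order, and decode the sockaddr in DNS-Client 1014.
# Assumption: run on the DC as administrator; window brackets the 15:02 burst.
$Start = Get-Date '2016-08-18 14:55:00'
$End   = Get-Date '2016-08-18 15:10:00'

$filters = @(
    @{ LogName = 'System';            ProviderName = 'NETLOGON';                     Id = 5719, 5775, 5781 }
    @{ LogName = 'System';            ProviderName = 'Microsoft-Windows-DNS-Client'; Id = 1014 }
    @{ LogName = 'System';            ProviderName = 'LsaSrv';                       Id = 40960 }
    @{ LogName = 'System';            ProviderName = 'Service Control Manager';      Id = 7036 }
    @{ LogName = 'DNS Server';        ProviderName = 'Microsoft-Windows-DNS-Server-Service'; Id = 4013 }
    @{ LogName = 'Directory Service'; ProviderName = 'Microsoft-Windows-ActiveDirectory_DomainService'; Id = 2886 }
)

$events = foreach ($f in $filters) {
    $f['StartTime'] = $Start
    $f['EndTime']   = $End
    # Get-WinEvent errors when a filter matches nothing; that is not a failure here
    Get-WinEvent -FilterHashtable $f -ErrorAction SilentlyContinue
}

# sockaddr layout: family (2 bytes, little-endian), port (2 bytes), IPv4 address (4 bytes).
# 020000007F000001... => family 2 (AF_INET), port 0, 127.0.0.1
function ConvertFrom-SockAddrHex {
    param([string]$Hex)
    $bytes = [byte[]]@(for ($i = 0; $i -lt $Hex.Length; $i += 2) {
        [Convert]::ToByte($Hex.Substring($i, 2), 16)
    })
    $family = [BitConverter]::ToUInt16($bytes, 0)
    if ($family -eq 2) {
        return (New-Object System.Net.IPAddress -ArgumentList (,[byte[]]$bytes[4..7])).ToString()
    }
    return "address family $family"
}

$events | Sort-Object TimeCreated | ForEach-Object {
    $note = ''
    if ($_.Id -eq 1014) {
        $data = ([xml]$_.ToXml()).Event.EventData.Data
        $addr = ($data | Where-Object { $_.Name -eq 'Address' }).'#text'
        $note = " (resolver that timed out: $(ConvertFrom-SockAddrHex $addr))"
    }
    $firstLine = ($_.Message -split "`r?`n")[0]
    '{0:HH:mm:ss}  {1,-48} {2,5}  {3}{4}' -f $_.TimeCreated, $_.ProviderName, $_.Id, $firstLine, $note
}

# Once the cause is fixed, re-register the locator records and verify, as the
# USER ACTION text of event 5781 says.
nltest /dsregdns
dcdiag /test:dns /v
```

If 7036 events for DNS Server or Netlogon sit inside the same minute as the 5719/1014/4013 entries, the DC's own services were restarting or hung and the network path is not the first place to look; if there are none, the 1014 against 127.0.0.1 means the DNS Server service was running but not answering, and the 4013 interval (logged every two minutes while waiting on AD DS) tells you how long that lasted.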
Is the RDS license server a physical server or a VM?
How long has this issue been going on for?
Any change to the server and/or environment lately?
Any other member servers getting Event ID 1054 regarding GP policy?
Is AV installed?
Does the license server have ample free CPU, memory and disk resources?
Both servers are VMs on Hyper-V. This was running on a temporary server while we retooled the hardware that it will reside on permanently. The VMs are actually being migrated to the permanent hardware as I type this. Maybe it won't be an issue on the other hardware, for example if the problem was with a network adapter.

The issue presented itself a few days after we put the temp server and VMs into production last week. It never happened in the lab, but then it was not under the same pressures.

No workstations/clients are getting the issue. There are no other member servers.

The RDS server is running Symantec Endpoint Protection; however, I turned the firewall portion off temporarily.

The license server's resources are ample. Sometimes the CPU usage would spike, but it wouldn't stay high long. The retooled hardware has even more CPU, memory, and disk resources.
Since moving the VMs to the new hardware/hyper visor, this problem happened once today. The firewalls are still disabled on the RDS server and the DC. Any suggestions?
Accepted solution (MISquared):
No response for a while, and went elsewhere for assistance.