cant use cached domain credentials when logging on through rdp

Hi,

We have a domain controller in one location and a member server in another location. They are both Server 2012 R2. The two are connected through an IPsec VPN tunnel. On the domain controller we have set the policy "Interactive logon: Number of previous logons to cache (in case domain controller is not available)" to 50 logons.

Here's the problem:

We log on to the member server through RDP. When the VPN tunnel is down, we can't log in because the server says there's no domain controller available. We have checked that the GPO is applied by going to the registry key that controls the number of cached logons. It says 50, so the GPO is applied.

Any suggestions on how to resolve this are very welcome.

Regards,
PramoIT asked:

Mahesh (Architect) commented:
Yes, that's right

Logging on to a server with the RDP protocol and logging on to a server at the console (interactive) are two different processes.

RDP requires domain controller validation, hence whether you use RDP in administrative mode or in terminal server mode (application mode), it will not work unless a domain controller is available.

Anyway:
You can test the scenario below to check if it works for you....

Put your member servers in one OU and apply new GPO on that OU with below settings (keep disabled): Network access: Do not allow storage of passwords and credentials for network authentication
https://technet.microsoft.com/en-us/library/jj852185(v=ws.10).aspx

In same GPO also add cached credentials setting for 50 users - "Interactive logon: Number of previous logons to cache (in case domain controller is not available)"

Also ensure that RDP properties of server are configured as below:
select "allow remote connections to this computer"
Uncheck " allow connections only from remote desktop using NLA"
OR
If these servers are terminal (RDS) servers, in same GPO navigate to
"computer configuration\administrative templates\windows components\remote desktop services\remote desktop session host\security" and disable "require user authentication for remote connections by using network level authentication", OR you might find an option to disable NLA in the RDSH collection properties.

Be informed that these settings are not recommended by me or Microsoft because they reduce security.

Mahesh.
0
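The settings in the answer above all land in the registry, so a quick way to confirm what a member server actually has in effect (rather than what the GPO editor shows) is to read them back on the server itself and check whether a domain controller is currently reachable. The following PowerShell script is an added example and is not from the original thread or from Microsoft; the registry paths and value names are the well-known locations for these policies, the "expected" thresholds are assumptions chosen to match the settings discussed above, and running it requires a local administrator session.

```powershell
# Added example (not from the original thread): audit the cached-logon and
# RDP/NLA settings discussed above on a Windows member server.
# Run in an elevated PowerShell session on the server being checked.

function Get-RdpCachedLogonPosture {
    [CmdletBinding()]
    param(
        # Domain to probe for a reachable DC; defaults to this machine's domain.
        [string]$Domain = $env:USERDNSDOMAIN
    )

    $winlogon = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
    $lsa      = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
    $ts       = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'
    $rdpTcp   = "$ts\WinStations\RDP-Tcp"

    # "Interactive logon: Number of previous logons to cache" -> CachedLogonsCount (REG_SZ)
    $cached = (Get-ItemProperty -Path $winlogon -Name CachedLogonsCount -ErrorAction SilentlyContinue).CachedLogonsCount
    # "Network access: Do not allow storage of passwords and credentials" -> DisableDomainCreds (1 = enabled)
    $disableDomainCreds = (Get-ItemProperty -Path $lsa -Name DisableDomainCreds -ErrorAction SilentlyContinue).DisableDomainCreds
    # "Allow remote connections to this computer" -> fDenyTSConnections (0 = allowed)
    $denyTs = (Get-ItemProperty -Path $ts -Name fDenyTSConnections -ErrorAction SilentlyContinue).fDenyTSConnections
    # "Allow connections only from computers using NLA" -> UserAuthentication (1 = NLA required)
    $nla = (Get-ItemProperty -Path $rdpTcp -Name UserAuthentication -ErrorAction SilentlyContinue).UserAuthentication

    # Ask the Netlogon service whether it can locate a DC right now.
    $dcProbe = & nltest.exe /dsgetdc:$Domain 2>&1
    $dcReachable = ($LASTEXITCODE -eq 0)

    [pscustomobject]@{
        ComputerName          = $env:COMPUTERNAME
        CachedLogonsCount     = if ($null -eq $cached) { '(not set, default applies)' } else { [int]$cached }
        DomainCredStorageOff  = ($disableDomainCreds -eq 1)
        RdpConnectionsAllowed = ($denyTs -eq 0)
        NlaRequired           = ($nla -eq 1)
        DomainControllerFound = $dcReachable
        DcProbeOutput         = ($dcProbe | Select-Object -First 3) -join ' | '
    }
}

function Test-RdpCachedLogonPosture {
    # Compare the live values with what the answer above asks for.
    # Expected values are assumptions for this example, not Microsoft guidance.
    $p = Get-RdpCachedLogonPosture
    $findings = @()
    if ($p.CachedLogonsCount -is [int] -and $p.CachedLogonsCount -lt 1) {
        $findings += 'CachedLogonsCount is 0: no logons are cached at all'
    }
    if ($p.DomainCredStorageOff)   { $findings += 'DisableDomainCreds is enabled; cached domain credentials cannot be stored' }
    if (-not $p.RdpConnectionsAllowed) { $findings += 'fDenyTSConnections is set; RDP is disabled' }
    if ($p.NlaRequired) { $findings += 'NLA is required on RDP-Tcp (the thread notes RDP logon still needs a DC even with NLA off)' }
    if (-not $p.DomainControllerFound) { $findings += "No DC located via nltest: $($p.DcProbeOutput)" }

    $p | Format-List
    if ($findings.Count -eq 0) { 'No findings.' } else { $findings | ForEach-Object { "FINDING: $_" } }
}

Test-RdpCachedLogonPosture
```

The `nltest /dsgetdc` probe is the useful part when the VPN is down: if it fails, the "no domain controller available" message on the RDP logon screen is expected behaviour, and no amount of cached-logon tuning on the member server will change it, which is the conclusion the thread reaches.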
 
JeffMatthias commented:
Have you signed on to the member server at least once before with the same account?
0
 
PramoIT (Author) commented:
Yes, I did, multiple times. Through RDP.
0
Mahesh (Architect) commented:
The policy is applicable only for interactive logon (console logon), the one which you use on workstations for day-to-day logon....not for RDP sessions. Your DC must be reachable in order to get the RDP session, because RDP requires domain controller validation.

The other thing is, this policy should be applied on the OU containing workstations, not on the domain controllers OU. Now this policy only affects domain controller machines (that is also console / interactive logon) and not standard workstations.

Even if you don't configure this setting, by default the last 10 or 25 (I don't recollect the exact value) successful logons are cached on workstations / member servers.
I don't know why you set it as 50 - it's not that it will allow logging on interactively only 50 times.
What the policy is saying is that once applied, machines will remember the last successful logon attempts (50 users in your case on one machine - I don't think 50 users are logging on to one machine), and it does not put any restriction on how many times you can log on to a workstation with cached credentials.
Check the links below:
http://windowsitpro.com/systems-management/q-what-are-different-windows-logon-types-can-show-windows-event-log
and
https://technet.microsoft.com/en-us/library/jj852209(v=ws.11).aspx

Mahesh.
0
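The first link above is about distinguishing Windows logon types in the event log, which is exactly what separates the two cases in this thread: a console logon is type 2 (Interactive) and an RDP logon is type 10 (RemoteInteractive), and event 4624 records which one occurred and whether it was validated against cached credentials. The following PowerShell script is an added example, not from the original thread or the linked article; it reads the local Security log (which requires administrator rights) and the `CachedInteractive` label for type 11 is taken from the documented logon-type table.

```powershell
# Added example (not from the original thread): summarise recent 4624 logon
# events by logon type so console, RDP and cached-credential logons can be
# told apart. Needs an elevated session to read the Security log.

# Documented Windows logon type codes relevant to this thread.
$LogonTypeNames = @{
    2  = 'Interactive (console)'
    3  = 'Network'
    7  = 'Unlock'
    10 = 'RemoteInteractive (RDP)'
    11 = 'CachedInteractive (console logon with cached creds)'
}

function Get-LogonEventSummary {
    [CmdletBinding()]
    param(
        [int]$MaxEvents = 500,
        # Filter to one account (sAMAccountName); assumption: plain string match.
        [string]$UserName
    )

    $events = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4624 } `
                           -MaxEvents $MaxEvents -ErrorAction Stop

    foreach ($e in $events) {
        # EventData fields are only exposed reliably via the event XML.
        $xml  = [xml]$e.ToXml()
        $data = @{}
        foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }

        if ($UserName -and $data['TargetUserName'] -ne $UserName) { continue }

        $type = [int]$data['LogonType']
        [pscustomobject]@{
            Time        = $e.TimeCreated
            User        = "$($data['TargetDomainName'])\$($data['TargetUserName'])"
            LogonType   = $type
            Description = if ($LogonTypeNames.ContainsKey($type)) { $LogonTypeNames[$type] } else { 'Other' }
            AuthPackage = $data['AuthenticationPackageName']
            SourceIP    = $data['IpAddress']
        }
    }
}

function Show-LogonTypeBreakdown {
    param([string]$UserName)
    $rows = Get-LogonEventSummary -UserName $UserName
    # Count per logon type: type 10 rows are the RDP sessions the thread is about,
    # type 11 rows are the only ones that were satisfied from the local cache.
    $rows | Group-Object LogonType | Sort-Object Name |
        Select-Object @{n='LogonType';e={$_.Name}},
                      @{n='Description';e={ $LogonTypeNames[[int]$_.Name] }},
                      Count
}

Show-LogonTypeBreakdown
```

On a member server that has lost its VPN link, this breakdown will show no new type 10 entries while the tunnel is down, and any type 11 entries will belong to console sessions, which matches the distinction drawn in the answer above.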
 
Davis McCarn (Owner) commented:
0
 
Mahesh (Architect) commented:
In short, what Davis is suggesting is to add a domain controller at the site where the member server resides. This server should also be configured as a global catalog server so that you don't need to traverse the VPN tunnel to validate RDP credentials.
0
 
PramoIT (Author) commented:
Hi Mahesh,

Do you mean that the cached domain credentials will never work on a virtual terminal server where people will only be logging in through RDP? Is a connection to a domain controller always needed when logging in through RDP?

Regards.
0
 
PramoIT (Author) commented:
Hi Mahesh,

I've done what you said, but users still can't log in via RDP when the DC is down. I guess this is just not possible when logging in via RDP.

Regards,
Mohamed
0
 
Mahesh (Architect) commented:
That's right.
That is what I told you earlier.

What I told you to test is just a workaround, because I have never tested that.

The RDP protocol does require DC validation.
The best thing you can do is put one local DC at the location and make it a global catalog so that all requests will be validated locally.

This is what MS Exchange administrators do if they have Exchange boxes in multiple sites: they place a GC in each site to avoid Exchange lookup failure if the link between both sites goes down, because Exchange does need a functional DC with the GC role; without that it can't function.

Mahesh
0
Question has a verified solution.