asked on
A Domain Controller is refusing RDP connections from my Windows 10 desktop
We had a Windows 2016 server that was upgraded from 2012 Server, which used to be a Terminal Server for our network. It had a 100-user TS license that allowed up to 100 remote user connections to the server. We have since done the following:
1) Upgraded the machine to Server 2016 (due to 2012 EOL this year)
2) Ran all Windows updates on the 2016 machine
3) Promoted the machine to a domain controller on an existing 2016 AD network
Now, the server does not allow me (the admin) to RDP to it, in spite of remote settings allowing for connections to the machine. the error it gives is "This computer can't connect to the remote computer"
The RDP service answer me and allows me to put in my password, but then fails. Not sure why this would be. Could this be some glitch from the upgrade / promotion?
Thanks,
Damian
ASKER
Hi Paul - thanks for your response. Yeah I should clarify that we are no longer using the machine as a terminal server - its been repurposed as a DC. For the remote settings, I have put my user account in the SELECT USERS button, and have verified that I am in there. But perhaps its my computer that is being blocked somehow?
Two items upon upgrade remote defaulted to off
Or if enabled, the windows firewall kicked In and is blocking
And/or
The issue following update, the RDA (administartiin) activated the secure connection settings, NLA.
Your option is to lologin to the DC on the console and update the RDadmijistrator setting to less secure.
Or use wmi/remote registry to chabge the mode of operation
ASKER
Arnold - thanks for your help. I checked REMOTE SETTINGS and they are set to "Allow Remote Connections". Also checked Windows firewall, and all 3 firewalls are down.
The allow connection for remote desktop which option is selected our of the two
Less secure?
Maybe you need to turn off NLA on RDP first until your other systems support it.
Public is most restrictive
Check advanced windows firewall rules incoming and make sure the remote desktop rule is enabled and scope includes public.
Even if the firewall is off.
Is there another DC on the network that holds the FSMO Roles?
ASKER
Good morning guys - thanks for your help and input.
Philip: yes there is another DC on the network that holds the FSMO roles, I am pretty sure. I remember transferring these years ago to our primary DC.
Arnold: Let me figure out what the classification of the DC is. I'll also check the firewall rule
SerialBand: how do you disable "NLA"?
Thanks
ASKER
Sorry I missed one - Peter, thanks for your input on the RDP licenses. If all we need is temporary connectivity for a single user for RDP, do I need to worry about RDP licenses at all?
thanks
ASKER
So I'm trying everything suggested here - disabling NLA, making sure the scopes on Remote Desktop rules include public and also changing them to "ALL", making sure the server is pingable, and that "Remote connections are allowed"....but still failing. I'm beginning to think this is some type of glitch in the server and that it is not a logical problem. I mayu just burn it down and rebuild it from scratch and try again....
DCPromo the problematic one _out_ of ADDS. Clean-up AD Sites, DNS, and check using NTDSUtil using the metadata clean-up method.
Flatten the OS and re-install either with that version or a current version then DCPromo back into ADDS.
Please don't repurpose like this.
ASKER
I melted it down and rebuilt it as a DC - works fine now. No idea what the cause was, but it must have been some form of corruption. Thanks for everyone's help.
Actually, the problem was the change in the network stack and the Remote Desktop Protocol that Remote Desktop Services does when it is set up on an OS.
EDIT: A domain controller does not have local accounts which is another reason things were broken. /EDIT
There's no way to remove them. That's why the request to flatten and re-install.
"...in spite of remote settings allowing for connections to the machine..."
You're certain permissions allow for RDP connections in general, and for you specifically? What's in the Event Logs on your machine and/or the Domain Controller?
(Note: Using a Domain Controller as a Terminal Server is against best practices.)