Link to home
Create AccountLog in
Avatar of Damian Gardner
Damian Gardner

asked on

A Domain Controller is refusing RDP connections from my Windows 10 desktop

We had a Windows 2016 server that was upgraded from 2012 Server, which used to be a Terminal Server for our network.  It had a 100-user TS license that allowed up to 100 remote user connections to the server.  We have since done the following:


1) Upgraded the machine to Server 2016 (due to 2012 EOL this year)

2) Ran all Windows updates on the 2016 machine

3) Promoted the machine to a domain controller on an existing 2016 AD network


Now, the server does not allow me (the admin) to RDP to it, in spite of remote settings allowing for connections to the machine.  the error it gives is "This computer can't connect to the remote computer"


The RDP service answer me and allows me to put in my password, but then fails.  Not sure why this would be.  Could this be some glitch from the upgrade / promotion?


Thanks,

Damian

Avatar of Paul MacDonald
Paul MacDonald
Flag of United States of America image

"...in spite of remote settings allowing for connections to the machine..."

You're certain permissions allow for RDP connections in general, and for you specifically?  What's in the Event Logs on your machine and/or the Domain Controller?


(Note: Using a Domain Controller as a Terminal Server is against best practices.)

Avatar of Damian Gardner
Damian Gardner

ASKER

Hi Paul - thanks for your response.  Yeah I should clarify that we are no longer using the machine as a terminal server - its been repurposed as a DC.  For the remote settings, I have put my user account in the SELECT USERS button, and have verified that I am in there.  But perhaps its my computer that is being blocked somehow?  

Are you even able to connect to port 3389?
Two items upon upgrade remote defaulted to off

Or if enabled, the windows firewall kicked In and is blocking
And/or



The issue following update, the RDA (administartiin) activated the secure connection settings,  NLA.

Your option is to lologin to the DC on the console and update the RDadmijistrator setting to less secure.

Or use wmi/remote registry to chabge the mode of operation

Arnold - thanks for your help.  I checked REMOTE SETTINGS and they are set to "Allow Remote Connections".  Also checked Windows firewall, and all 3 firewalls are down.  

ASKER CERTIFIED SOLUTION
Avatar of Peter Hutchison
Peter Hutchison
Flag of United Kingdom of Great Britain and Northern Ireland image

Link to home
membership
Create a free account to see this answer
Signing up is free and takes 30 seconds. No credit card required.
See answer
Firewall being down does not necessarily allows the connection. Through.

The allow connection for remote desktop which option is selected our of the two
Less secure?

Maybe you need to turn off NLA on RDP first until your other systems support it.

One other thing, on the DC what classification does it have for the network: public, private, or domajn
Public is most restrictive
Check advanced windows firewall rules incoming and make sure the remote desktop rule is enabled and scope includes public.

Even if the firewall is off.

Is there another DC on the network that holds the FSMO Roles?

Good morning guys - thanks for your help and input.


Philip:  yes there is another DC on the network that holds the FSMO roles, I am pretty sure.  I remember transferring these years ago to our primary DC.


Arnold:  Let me figure out what the classification of the DC is.  I'll also check the firewall rule


SerialBand: how do you disable "NLA"?


Thanks



Sorry I missed one - Peter, thanks for your input on the RDP licenses.  If all we need is temporary connectivity for a single user for RDP, do I need to worry about RDP licenses at all?


thanks

So I'm trying everything suggested here - disabling NLA, making sure the scopes on Remote Desktop rules include public and also changing them to "ALL", making sure the server is pingable, and that "Remote connections are allowed"....but still failing. I'm beginning to think this is some type of glitch in the server and that it is not a logical problem.  I mayu just burn it down and rebuild it from scratch and try again....

DCPromo the problematic one _out_ of ADDS. Clean-up AD Sites, DNS, and check using NTDSUtil using the metadata clean-up method.


Flatten the OS and re-install either with that version or a current version then DCPromo back into ADDS.


Please don't repurpose like this.

I melted it down and rebuilt it as a DC - works fine now.  No idea what the cause was, but it must have been some form of corruption.  Thanks for everyone's help.

Actually, the problem was the change in the network stack and the Remote Desktop Protocol that Remote Desktop Services does when it is set up on an OS.


EDIT: A domain controller does not have local accounts which is another reason things were broken. /EDIT


There's no way to remove them. That's why the request to flatten and re-install.