Remote Desktop using Domain Credentials
Saturday, April 14, 2012 3:32 AM
I have two Domain Controllers (Windows Server 2k8 R2 with IIS and DNS role). Forest and Domain functional level is Windows Server 2008. They are in separate locations joined by a VPN. I also have Dev servers (also Win 2k8 R2 with IIS role).
I want to log into the Dev servers using my domain credentials. Can anyone tell me what I need to check or configure in order to achieve this?
Note:
- I do not have DHCP (yet), -> please confirm if this is an issue.
- I can RDP to the Dev servers using their respective local users.
- but network users (which are members of Domain Admin and Remote Desktop Users) cannot RDP.
- do I need to have Remote Desktop Services (Terminal Services)? -> if so, I need to raise my functional level, right?
- I am accessing them from Windows 7 (which is not a member of the domain)
- Edited by mazecred Sunday, April 15, 2012 9:34 PM removed signature
All Replies
Saturday, April 14, 2012 5:40 AM (Moderator)
Hi,
1. What is the precise error message you receive when you attempt to connect to your dev servers using Remote Desktop?
2. Please check the Security log for audit failure entries at the time of a failed logon attempt. Please post the entries here.
3. Please check the System log as well as Applications and Services logs for warnings/errors that may be related to this problem.
Thanks.
-TP
Saturday, April 14, 2012 7:34 AM
Hi,
Thanks in advance. I can connect to my dev server (using domain credentials) when I am accessing it from my Domain Controller but when I am using my Windows 7 client, it produces these errors:
* I usually get this error:
Remote Desktop can't connect to the remote computer for one of these reasons:
1) Remote access to the server is not enabled
2) The remote computer is turned off
3) The Remote computer is not available on the network
Make sure the remote computer is turned on and connected to the network, and that remote access is enabled.
---- OR ----
* Least frequent error:
Configuration information could not be read from the domain controller, either because the machine is unavailable or access has been denied.
---- OR -----
* I get this whenever I enter the IP address instead of the name (dev1):
Your credentials did not work
The credentials that were used to connect to 10.0.0.20 did not work. Please enter new credentials.
The logon attempt failed
2. There was no Security log when I got that error, but, a while ago, I was able to produce this security log:
Log Name: Security
Source: Microsoft-Windows-Security-Auditing
Date: 4/13/2012 9:52:47 PM
Event ID: 4625
Task Category: Logon
Level: Information
Keywords: Audit Failure
User: N/A
Computer: dev1.domain.com
Description:
An account failed to log on.
Subject:
Security ID: NULL SID
Account Name: -
Account Domain: -
Logon ID: 0x0
Logon Type: 3
Account For Which Logon Failed:
Security ID: NULL SID
Account Name: admindomain
Account Domain: DOMAIN
Failure Information:
Failure Reason: Domain sid inconsistent.
Status: 0xc000006d
Sub Status: 0xc000019b
Process Information:
Caller Process ID: 0x0
Caller Process Name: -
Network Information:
Workstation Name: DC-00
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: NtLmSsp
Authentication Package: NTLM
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon request fails. It is generated on the computer where access was attempted.
The Subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The Logon Type field indicates the kind of logon that was requested. The most common types are 2 (interactive) and 3 (network).
The Process Information fields indicate which account and process on the system requested the logon.
The Network Information fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The authentication information fields provide detailed information about this specific logon request.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
Event Xml:
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
<System>
<Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-A5BA-3E3B0328C30D}" />
<EventID>4625</EventID>
<Version>0</Version>
<Level>0</Level>
<Task>12544</Task>
<Opcode>0</Opcode>
<Keywords>0x8010000000000000</Keywords>
<TimeCreated SystemTime="2012-04-14T02:52:47.862465000Z" />
<EventRecordID>139204</EventRecordID>
<Correlation />
<Execution ProcessID="808" ThreadID="4648" />
<Channel>Security</Channel>
<Computer>dev1.domain.com</Computer>
<Security />
</System>
<EventData>
<Data Name="SubjectUserSid">S-1-0-0</Data>
<Data Name="SubjectUserName">-</Data>
<Data Name="SubjectDomainName">-</Data>
<Data Name="SubjectLogonId">0x0</Data>
<Data Name="TargetUserSid">S-1-0-0</Data>
<Data Name="TargetUserName">admindomain</Data>
<Data Name="TargetDomainName">DOMAIN</Data>
<Data Name="Status">0xc000006d</Data>
<Data Name="FailureReason">%%2314</Data>
<Data Name="SubStatus">0xc000019b</Data>
<Data Name="LogonType">3</Data>
<Data Name="LogonProcessName">NtLmSsp </Data>
<Data Name="AuthenticationPackageName">NTLM</Data>
<Data Name="WorkstationName">DC-00</Data>
<Data Name="TransmittedServices">-</Data>
<Data Name="LmPackageName">-</Data>
<Data Name="KeyLength">0</Data>
<Data Name="ProcessId">0x0</Data>
<Data Name="ProcessName">-</Data>
<Data Name="IpAddress">-</Data>
<Data Name="IpPort">-</Data>
</EventData>
</Event>
3. No Application Errors
- Edited by mazecred Sunday, April 15, 2012 9:34 PM removed signature
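The 4625 event above only shows the failure as hex NTSTATUS codes (Status 0xc000006d, Sub Status 0xc000019b) plus the short text "Domain sid inconsistent". The following is an added example, not code from the thread or from Microsoft: it parses the event XML as posted (System section abridged) and decodes the codes from ntstatus.h so a responder can tell a trust/SID problem on the host apart from an ordinary bad password or locked account. The field names are those in the event; the verdict strings and the mapping tables are this example's own.

```python
"""Triage a Windows Security event 4625 (logon failure) from its XML view.

Added example for this thread, not code from the original posts or from Microsoft.
Decodes the Status/SubStatus NTSTATUS values that Event Viewer shows only as hex,
so the "Domain sid inconsistent" failure the poster hit (0xC000006D / 0xC000019B)
can be distinguished from a plain bad-password or account-state failure.
"""
import xml.etree.ElementTree as ET

NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}

# NTSTATUS codes commonly seen in 4625 Status/SubStatus (values from ntstatus.h).
NTSTATUS = {
    0xC000006D: "STATUS_LOGON_FAILURE: bad user name or authentication information",
    0xC000006A: "STATUS_WRONG_PASSWORD",
    0xC0000064: "STATUS_NO_SUCH_USER: user name does not exist",
    0xC000006F: "STATUS_INVALID_LOGON_HOURS",
    0xC0000070: "STATUS_INVALID_WORKSTATION: logon not allowed from this workstation",
    0xC0000071: "STATUS_PASSWORD_EXPIRED",
    0xC0000072: "STATUS_ACCOUNT_DISABLED",
    0xC0000193: "STATUS_ACCOUNT_EXPIRED",
    0xC000019B: "STATUS_DOMAIN_TRUST_INCONSISTENT: domain name or SID inconsistent with trust information",
    0xC0000224: "STATUS_PASSWORD_MUST_CHANGE",
    0xC0000234: "STATUS_ACCOUNT_LOCKED_OUT",
}

# Logon type 3 with NtLmSsp is what the RDP Network Level Authentication check
# records; the RDP session itself would log as type 10 once NLA succeeds.
LOGON_TYPES = {2: "interactive", 3: "network", 7: "unlock", 10: "remote interactive (RDP)"}

# The event posted in the thread, with the <System> section abridged.
SAMPLE_EVENT = """<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
<System>
<Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-A5BA-3E3B0328C30D}" />
<EventID>4625</EventID>
<TimeCreated SystemTime="2012-04-14T02:52:47.862465000Z" />
<Channel>Security</Channel>
<Computer>dev1.domain.com</Computer>
</System>
<EventData>
<Data Name="SubjectUserSid">S-1-0-0</Data>
<Data Name="SubjectUserName">-</Data>
<Data Name="SubjectDomainName">-</Data>
<Data Name="SubjectLogonId">0x0</Data>
<Data Name="TargetUserSid">S-1-0-0</Data>
<Data Name="TargetUserName">admindomain</Data>
<Data Name="TargetDomainName">DOMAIN</Data>
<Data Name="Status">0xc000006d</Data>
<Data Name="FailureReason">%%2314</Data>
<Data Name="SubStatus">0xc000019b</Data>
<Data Name="LogonType">3</Data>
<Data Name="LogonProcessName">NtLmSsp </Data>
<Data Name="AuthenticationPackageName">NTLM</Data>
<Data Name="WorkstationName">DC-00</Data>
<Data Name="IpAddress">-</Data>
<Data Name="IpPort">-</Data>
</EventData>
</Event>"""


def parse_4625(xml_text):
    """Return the 4625 fields that matter for triage as a plain dict."""
    root = ET.fromstring(xml_text)
    data = {d.get("Name"): (d.text or "").strip()
            for d in root.find("e:EventData", NS).findall("e:Data", NS)}
    return {
        "event_id": int(root.find("e:System/e:EventID", NS).text),
        "computer": root.find("e:System/e:Computer", NS).text,
        "target_user": data["TargetUserName"],
        "target_domain": data["TargetDomainName"],
        "logon_type": int(data["LogonType"]),
        "status": int(data["Status"], 16),
        "sub_status": int(data["SubStatus"], 16),
        "auth_package": data["AuthenticationPackageName"],
        "workstation": data["WorkstationName"],
        "source_ip": data["IpAddress"],
    }


def explain(event):
    """Decode the numeric fields into the reasons a responder needs."""
    return {
        "status": NTSTATUS.get(event["status"], f"unknown 0x{event['status']:08X}"),
        "sub_status": NTSTATUS.get(event["sub_status"], f"unknown 0x{event['sub_status']:08X}"),
        "logon_type": LOGON_TYPES.get(event["logon_type"], str(event["logon_type"])),
    }


def triage(xml_text):
    """Parse, decode and give a one-line verdict on the failure class."""
    ev = parse_4625(xml_text)
    if ev["event_id"] != 4625:
        raise ValueError(f"not a 4625 event: {ev['event_id']}")
    if ev["sub_status"] == 0xC000019B:
        verdict = ("domain SID inconsistency between the target host and the domain: "
                   "check for a cloned machine that was joined without sysprep /generalize")
    elif ev["sub_status"] in (0xC000006A, 0xC0000064):
        verdict = "credential problem (wrong password or unknown user), not a trust or network fault"
    elif ev["sub_status"] in (0xC0000234, 0xC0000072, 0xC0000193, 0xC0000071, 0xC0000224):
        verdict = "account-state problem; fix the account, not the host"
    else:
        verdict = "see decoded status codes"
    return ev, explain(ev), verdict


if __name__ == "__main__":
    for part in triage(SAMPLE_EVENT):
        print(part)
```

Run against the posted event, the SubStatus decodes to STATUS_DOMAIN_TRUST_INCONSISTENT, which points at the host's machine SID rather than at the user's password or the VPN, matching the moderator's cloning question and the poster's final "It was the SID".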
Saturday, April 14, 2012 8:15 AM (Moderator)
Hi,
1. Is this server from a cloned image and/or has it been cloned to other servers? If yes, did you use sysprep with the Generalize option before joining it to your domain?
2. Are you able to reliably ping the dev server from your workstation with no packet loss and low, consistent ping times?
3. In Windows Firewall with Advanced Security (wf.msc) do you have the Incoming rule for Remote Desktop (TCP-In) Scope tab set to Any Remote IP Address?
4. Please confirm that your DCs can communicate with each other and that your dev servers can communicate with both of your DCs. As part of this you may need to review/modify the rules in wf.msc as well as review/modify your VPN/firewall device rules.
5. When logged on to the physical console of your dev servers using Domain Admin credentials, are you able to map drives to both of your DCs, connect to both DCs using admin tools like Active Directory Users and Computers, Remote Desktop Services Manager, etc? You may install Active Directory Users and Computers and other mmc snapins on your dev servers using Server Manager -- Add Features -- Remote Server Administration Tools -- Role Administration Tools
6. I recommend you consider examining the logs on your DCs for warnings/errors that may provide clues, run dcdiag, etc.
It appears you may be having network issues, perhaps caused by your VPN configuration, and additionally there may be problems with your servers communicating with your domain controllers caused by cloning/network issues/misconfiguration. Please make sure your dev servers are using your DCs for their DNS servers.
Thanks.
-TP
Saturday, April 14, 2012 9:16 AM
Hello TP,
1. I am not the one who created this VM, let me get back to you on this item.
2. Ping always says: Request timed out. It might be disabled. Do you want me to enable it?
3. Remote Desktop (TCP-In) is enabled and Any Remote IP Address was set.
4. DCs can communicate with each other (updated a user, reflected to the other DC). Both DCs can remote desktop to all Dev Servers (using Domain Credentials). But I cannot when I use my Win7 to connect to the Dev Servers using Domain Credentials.
5. Checked, I could use AD Users and Computers and Remote Desktop Services Manager (from DC and to Dev vice versa). Haven't tried mapping drives (not sure how to).
6. I will update you once I have tried dcdiag.
Yes, all dev servers are using my DCs for their DNS Servers. The servers are hosted on a cloud which also provided us the VPN for both machines.
Thanks.
-M
- Edited by mazecred Sunday, April 15, 2012 9:35 PM removed signature
Monday, April 16, 2012 12:04 AM (Moderator)
Hi,
1. Yes, please enable ping on your server so that you may test from your Windows 7 station. Please verify you have enabled it properly by pinging from your DCs to your dev servers (I assume that you will be able to ping from your DCs since you are able to connect via RD from them).
2. Please verify that the date/time as well as time zone is set properly on all of your servers and your workstation.
3. When you get the "Remote Desktop can't connect to the remote computer for one of these reasons:" error message you mentioned earlier please make sure your workstation has a proper static ip address/mask/default gateway/dns pointing to your DC. The static ip should be on the same subnet as your servers. I mention this because you said you do not have DHCP yet.
Thanks.
-TP
- Marked As Answer by mazecred Saturday, April 21, 2012 6:41 AM
Saturday, April 21, 2012 6:43 AM
TP,
Thanks. It was the SID. Good call. Thanks for the pointers as well.
-M