Friday, November 09, 2012 5:04 PM
It seems out of the blue, I can no longer RDP into any server. The setup is AD 2008 R2, one physical host, with 3 VMs. RDP has been fine for a couple of years, then just stopped.
No updates were done as I run WSUS and haven't had time to log in to approve anything in maybe 3 weeks. This issue occurs regardless of what system I am coming from (all Win7 systems). Also if I am at the server and RDP to one of the VMs, no go there either. However I can use Hyper-V manager to open standard console sessions to the VMs no problem, for what that's worth. All clients are Win7 systems and also haven't been updated in 3 weeks.
Interestingly, I also cannot pcAnywhere to the Hyper-V host. I have this in place as a backup in case RDP has issues.
So one would think something 3rd party is blocking this stuff. I have SEP 11 running with a nearly default firewall, allowing all traffic from server to server. Just the same I turned off this firewall, no change. Oddly, Windows Firewall was started. I generally disable the WFW service itself as that seems to be the only way to truly turn it off, since having that plus a 3rd party firewall product is generally not recommended (two FWs on one system). I've followed this practice for years and in various environments without problem. I know you need WFW running to enable RDS, so I do that, then disable WFW.
So I am lost as to how to troubleshoot this since it appears Symantec isn't the issue, and WFW shouldn't be since I switch off the service itself, and yet I am getting nowhere. Event logs didn't log any errors at all during the times when I was testing this.
From the client end, in the mstsc window when I click Connect, within 2 seconds I get the standard "remote machine isn't RDP enabled, machine is turned off, or machine isn't on the network" kind of error. This happens the same if I use hostname or IP.
Event Logs on both the client and the server(s) contain no entries in System or Application that are timestamped around when I do my logging in attempts.
I'm not sure if I can get anything from the Security event logs, it just has constant Success Audits for my domain admin doing something or NULL SID doing something.
Friday, November 09, 2012 5:20 PM Moderator
To disable the built-in firewall please leave the Windows Firewall service running and set to automatically start and then turn Off the firewall in all three profiles using Windows Firewall with Advanced Security (wf.msc). To do this right-click on Windows Firewall with Advanced Security in the left pane and choose Properties, then on each of the three profile tabs set the Firewall state to Off.
Friday, November 09, 2012 6:11 PM
How do you RDP on your servers? When you RDP, is it outside of your network, like you access the server from home?
Monday, November 12, 2012 10:03 AM
I am Chetan Savade from the Symantec Technical Support team.
Even though Symantec is not causing any issue I would suggest trying the following steps.
What is the security level for all network traffic in the firewall policy? (You will find this from Firewall Policy --> Firewall Rules --> Select "Customize the default settings.") Check what option is selected below all the firewall rules.
"Allow All application" rule may be the rule which can allow the RDP traffic.
Create a rule --> Allow connection for traffic which has a destination of port 3389.
Move this rule to the top and check if we still face the same issue.
Monday, November 19, 2012 6:00 AM Moderator
As this thread has been quiet for a while, we assume that the issue has been resolved. At this time, we will mark it as ‘Answered’ as the previous steps should be helpful for many similar scenarios.
If the issue still persists and you want to return to this question, please reply to this post directly so we will be notified to follow it up. You can also choose to unmark the answer as you wish.
In addition, we’d love to hear your feedback about the solution. By sharing your experience you can help other community members facing similar problems.
TechNet Subscriber Support
Please remember to click “Mark as Answer” on the post that helps you, and to click “Unmark as Answer” if a marked post does not actually answer your question. This can be beneficial to other community members reading the thread.
Monday, November 19, 2012 2:39 PM
I'll reply to each post, sorry all for taking so long. I unmarked this one as an answer and will likely need to do so for each on here unless one proves to solve my problem. So I'm going one at a time, thus give me some time today between each reply while I work on things :)
Just a comment on this Windows Firewall part. Over the years I've found that just turning the firewall to Off, but leaving the service enabled, did not fully shut down the protection. Common example is when I want to remotely admin the system say by using Remote registry, or opening Services.msc on a different system, then changing the context from local to the machine I want to manage, I'd get the RPC server unavailable message that tells you when a firewall is blocking access. The only solution, over dozens of the same situation over the years, is just to disable the Windows Firewall service itself. This has been an issue since before even SP2 for XP. I also know sometimes one has to reboot a system before the changes to Windows Firewall take effect, but not always, but the one thing that has consistently worked for 10 years for me has been to disable the service.
Just sharing my experience :)
Monday, November 19, 2012 2:39 PM
Both. But since the issue occurs from a LAN system to the servers as well I know it's not perimeter security.
Monday, November 19, 2012 3:01 PM Moderator
My comments are for Windows Firewall with Advanced Security, which first appeared in Server 2008/Vista. It is significantly more powerful/different than previous windows firewall versions.
You may also uncheck the interface in each profile under Protected network connections button.
I have not had any problems with remote registry, other remote tools that use RPC, remote sql server connections, many other things and at all times windows firewall service still running. Changes to settings have taken effect immediately for me (no restart needed), however, perhaps there are certain unique cases that would require restart that I have not run into.
The original way I learned not to stop windows firewall was by trial and error--when 2008 first came out I needed the firewall to be completely disabled and stopping the service was the first thing I tried. After seeing that did not give the desired effect I researched the new methods.
Monday, November 19, 2012 4:26 PM
Hi Chetan, nice to see you on this forum as well.
Well, no luck with your suggestion but it was worth a try. I set the rule but no change. The current SEP fw policy is a single policy (can't remember if there were three of them by default but now, there is only one). In it I have Allow All between the servers themselves even before I tried your suggestion.
So as it stands now, I cannot RDP to the host server from any system whether a PC on the LAN or from a VM that I am connected to through Hyper-V Manager. And cannot RDP from one VM to the other and so on. I CAN RDP from a VM to a PC on the LAN.
The failed connection response from mstsc.exe is nearly immediate, which likely means something is actively blocking the connection. It's not a timed-out scenario in other words.
On to the next post I go :)
Monday, November 19, 2012 5:15 PM
Hi TP. I'll give it more consideration then. I'll default to leaving the service running even if turning Off in the three profiles.
So in this case after enabling the service but turning off the fw on the three profiles, I used Hyper-V Manager to get to the desktop of one of the VMs. Noting the time, I tried to RDP to it from a PC on the LAN. No events whatsoever get logged in the basic System and Application logs, as well as the Application & Services logs for TermSvcs:LocalSessionManager and the Windows Firewall with Adv. Security logs, either on the source or destination system.
So I enabled the Firewall on the three profiles, but went in looking for a setting related to RDP. Under Advanced Settings > Inbound rules, the one I found, called Remote Desktop (Tcp-in) seemed the one. It was not Enabled (this is default I believe). My guess is that some master rule overrides these and other Remote ______ rules because all of them were not Enabled, yet the corresponding function works anyway.
But for testing I decided to Enable this rule. It was already set to Allow.
Still cannot RDP to this VM server however the difference now is that instead of an immediate connection failed error, it times out after around 20 seconds or so.
Nothing in the event logs after this, surprisingly.
I will check the Outbound rules but I want to assume this Windows Firewall is stateful? I'll post again if anything new happens, though I expect at this stage I need more advice :)
Update: Just also wanted to add that the Windows Firewall msc has it in the Program column saying SYSTEM for Remote Desktop (Tcp-in), instead of say for example c:\windows\system32 or something.
- Edited by viProCon Monday, November 19, 2012 5:30 PM
Monday, November 19, 2012 5:33 PM Moderator
1. Are you able to use Remote Desktop to connect back to itself (localhost)? For example, connect to the VM's console and log on, then use Remote Desktop Connection to make a connection to localhost.
If Remote Desktop is enabled, the default is for Remote Desktop (TCP-In) Incoming rule to be enabled. I am not sure how your windows firewall settings are non-default, perhaps if you had the service stopped in the past that is the cause.
2. Did you uncheck the network interface in Protected network connections for all three profiles? This should not be necessary if you have the firewall Off but I thought I would mention again since it is another way to disable the firewall.
3. As a test, I would suggest completely removing any/all third-party firewall/security/antivirus/antimalware/etc. software from one of the servers, restarting, and then testing with Remote Desktop (TCP-In) enabled and/or firewall set to Off, etc.
Tuesday, November 20, 2012 4:36 PM
1. Not sure how you mean to do this. I'm at the VM's desktop via HV console. In the VM open mstsc, and are you saying I try a localhost there somehow? I tried 127.0.0.1 and "localhost" without quotes, both said I'm already connected.
Unless something has changed, I haven't needed the WFW service itself to be running to use Remote Desktop. True it has to be running to enable RD, but after RD is enabled I have always turned off the WFW service, including on these servers and every Win7 machine I've ever deployed.
What I ran into when trying to enable the service during the day to troubleshoot was that suddenly users all over could no longer get to their shared drives and some databases. I know WFW is very ungraceful as it basically resets the network connection when you bring up or down the service, so that might be the reason why this happened. In either case, because of that I can't pursue turning things off/on like that until at least 10PM and I'm not available each night for that so it might be a few days before I can do this :)
For 2 and 3, I'll add those to the things to try.
I wonder if there are any other logging methods possible here? Event logs are showing nothing which is quite annoying as I can test settings and even perhaps find the solution in the above suggestions, and yet if I do, am I to now run 2 firewalls on every server? I think I might create a 4th VM on this machine, and make it a member server and see if that catches the issue too - if so I bet it's some GP thing :)
Anyway I will post back as soon as I have progress made, thanks TP!
Tuesday, November 20, 2012 4:46 PM Moderator
Yes, inside of the VM I am suggesting you open mstsc and connect to localhost. You need to use a different user account or else it will not let you if you have the server configured to restrict users to single session, which is the default. This test is basically confirming that there is something firewall-related blocking the connection, which I believe you already know since PCAnywhere fails as well.
- Proposed As Answer by Clarence Zhang (Moderator) Monday, December 03, 2012 1:52 AM
- Unproposed As Answer by Clarence Zhang (Moderator) Monday, December 03, 2012 1:52 AM
- Marked As Answer by Clarence Zhang (Moderator) Thursday, December 06, 2012 5:51 AM
- Unmarked As Answer by viProCon Thursday, December 13, 2012 2:46 PM
Thursday, November 22, 2012 3:05 AM
Have you tried telnet?
If not, try this from a Windows 7 machine to one of the servers: telnet <Server Name or IP Address> 3389
Example: telnet 192.168.1.14 3389
If the port is open and the server is listening on it, the screen should go blank; otherwise it would give something like "unable to connect".
If unable to connect, then from the server run: netstat -na | more
Check to see if 3389 is listed with LISTENING, and if not then check to make sure that the service is running in services.msc.
Friday, December 14, 2012 2:51 PM
Hi all, sorry but I had to unmark as answer. I realize the MS forums sort of mandate that all threads be moderated towards an answer if the poster is too slow to reply but in this case it's just that I have 50 things I have on my list at any given time.
Anyway, and unfortunately, no solution yet. But here's the latest update:
The host system I still cannot RDP to.
The three VMs I can now RDP to, and it was simply that I had to re-enable the option in the Remote tab. Why they went to disabled I do not know - nobody else in the org has access to the server(s). I had assumed the VMs had the same issue as the host, since I had checked the host's remote config and sure enough on the tab there, it was set correctly.
Regarding telnet to port 3389 - no luck. I've used that trick over the years so know what to expect. Also FYI to anybody reading who does not know, in Win7 telnet is not an option by default until you add it via Turn Windows Features On or Off in Control Panel > Programs & Features.
I will go onsite and try the netstat -na | more option, thank you for that.
TP: I must be doing something wrong with this RDP-to-self thing. In the mstsc window, even if I go to options and tell it a different username, and click Connect, I get the same result, the error about the remote computer being offline, etc.
Saturday, December 15, 2012 1:59 PM
Here's an idea for you.
How about you take a copy of one of the VMs with the problem, sysprep it and bring it up with a new name and IP address.
Now you can start to uninstall any installed software 1 at a time, and disable whatever services could be causing the problem, and then after you find out which software or service was causing the problem, work on it and get it fixed. Now you can apply the same fix to the production servers.
Please report back with your findings.
Monday, December 17, 2012 5:52 PM
The VMs are ok now, so it's just the host machine that's having the issue. I'm ashamed to say, over all the years, I have never learned how to use sysprep either, just enough to know it's not a quick click or two and done :|
But the Host machine has so little running, as my licensing scenario is that by using 2008 R2 Enterprise, the host can't run anything except being the host if I have 4 VMs in use. In truth I have 3, but a 4th is planned. Anyway, so beyond just Windows, on the host I have Backup Exec 2010 R3, and my endpoint security solution.
It was suggested previously that I completely remove any 3rd party AV, firewall, etc. I will do that, since re-installing it is just a management-server click away. I strongly doubt that's the issue but if any of us really knew what makes something break we'd have the answer immediately anyway so all things are worth trying.
Also I still need to get onsite to try the netstat idea and to verify the way the Windows Firewall w/ Adv. Sec. is set up, if it is non-default.
I don't know if anybody knows the way the various MS services and protocols work, but while I can use MMC to connect to view and change Services and the registry via another system to the Host, I cannot connect to said host using Server Manager. I wonder what the differences are but perhaps that's too complicated here because some basics are still needing to be done.
Tuesday, December 18, 2012 1:20 AM
Have you checked the net.tcp port sharing service to see if it is enabled? Both RPC services up and running? Can you ping the physical machine by IP and FQDN? When running Hyper-V, if you have conflicting MAC address or IP address settings on a host and guest you could have issues too. I wonder what the event logs are saying on the client trying to RDP and the server you are connecting with? Have you not seen one log with errors as to connection or network issues?
Wednesday, December 19, 2012 3:24 PM
Thanks for the suggestions but I resolved my issue and it's my own d&mn fault too.
Long time ago when first deploying this server, I had set the server's listening port for RDP to something other than 3389, and also had set the perimeter firewall's port mapping for this to something different than 3389 and different than what the server had, using NAT to bind them together. When we replaced the router, I had thought the perimeter firewall listening port was the same as the one on the server itself, thus whether from outside or inside the network, I could not RDP. I haven't had a chance to go out to the site to look at things, but I can access the registry remotely so did so and viewed RDP settings there. Sure enough the port was different. So with that new info I was able to remote a LAN system to the server, and then changed the NAT on the perimeter firewall router and then RDP worked.
Just a quick note on previous suggestions by other forum members:
The RDP to self option works well. In 2008 R2, you don't even have to specify a different username - on the computer you're already on and plan to RDP-to-self with, the connection will still prompt you for a username/pass which is enough to know that RDP is responding. If you proceed to enter the same creds as the current user, you'll just get an Access is Denied error due to that 1 session per user account thing. TP probably knows this so this info is just for anybody else reading.
That netstat option would have worked great had I been onsite. I wonder if netstat can be run remotely. will have to check.
Thank you all, sorry for my own blunder on this one.
- Marked As Answer by viProCon Wednesday, December 19, 2012 3:25 PM
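Added example, not from any poster in this thread: a Python probe that does what the telnet/netstat suggestion and the final port-mismatch finding together call for. Run from a client against the server's configured listening port (on the server that is the PortNumber value under HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp, the setting viProCon read remotely), it separates an immediate refusal from a timeout, and unlike telnet's blank screen it sends the X.224 Connection Request mstsc opens with and checks that whatever answered actually speaks RDP. serve_canned_reply is a constructed stand-in server so the probe can be exercised offline; the TPKT/X.224 layout follows the RDP connection sequence.

```python
import socket
import struct
import threading
# First packet mstsc sends: TPKT header + X.224 Connection Request + RDP Negotiation Request (protocols = 0).
def build_x224_connection_request() -> bytes:
    neg_req = struct.pack("<BBHI", 0x01, 0x00, 8, 0)                         # type, flags, length, requestedProtocols
    x224 = struct.pack("!BBHHB", 6 + len(neg_req), 0xE0, 0, 0, 0) + neg_req  # LI, CR code, dst-ref, src-ref, class
    return struct.pack("!BBH", 3, 0, 4 + len(x224)) + x224                   # TPKT version 3, reserved, total length

def parse_x224_connection_confirm(data: bytes) -> dict:
    """Say whether the reply is an RDP listener's X.224 Connection Confirm."""
    if len(data) < 7 or data[0] != 3:
        return {"rdp": False, "reason": "no TPKT/X.224 reply (empty, or some other service answered)"}
    if data[5] & 0xF0 != 0xD0:
        return {"rdp": False, "reason": "X.224 code 0x%02x is not a Connection Confirm" % data[5]}
    result = {"rdp": True, "reason": "X.224 Connection Confirm received"}
    if len(data) >= 19:  # optional RDP_NEG_RSP (type 2) or RDP_NEG_FAILURE (type 3) follows the 7-byte CC
        kind, _flags, _length, value = struct.unpack_from("<BBHI", data, 11)
        result["selected_protocol" if kind == 0x02 else "negotiation_failure"] = value
    return result

def probe_rdp(host: str, port: int = 3389, timeout: float = 3.0) -> dict:
    """'refused' = RST came straight back (the immediate mstsc error); 'timeout' = silently dropped; 'open' = see 'rdp'."""
    try:
        s = socket.create_connection((host, port), timeout=timeout)
    except ConnectionRefusedError:
        return {"state": "refused", "rdp": False}
    except socket.timeout:
        return {"state": "timeout", "rdp": False}
    except OSError as exc:
        return {"state": "error", "rdp": False, "reason": str(exc)}
    with s:
        s.sendall(build_x224_connection_request())
        try:
            reply = s.recv(64)  # first TPKT is 11 or 19 bytes; assumes it arrives in one segment
        except socket.timeout:
            return {"state": "open", "rdp": False, "reason": "listener accepted but never replied"}
    return {"state": "open", **parse_x224_connection_confirm(reply)}

def serve_canned_reply(reply):
    """Constructed stand-in server on a free loopback port so the probe runs offline;
    reply=None closes the port again so a connect gets an RST (the 'refused' case)."""
    srv = socket.socket()
    srv.bind(("127.0.0.1", 0))
    port = srv.getsockname()[1]
    if reply is None:
        srv.close()
        return port
    srv.listen(1)
    def run():
        with srv, srv.accept()[0] as conn:
            conn.recv(64)
            conn.sendall(reply)
    threading.Thread(target=run, daemon=True).start()
    return port
```

Against a real server, `probe_rdp("server", port)` with the port taken from the registry value above is the whole check; a "refused" result points at something answering with an RST, a "timeout" at silent dropping, and an "open" result whose `rdp` is False means a listener exists but it is not the RDP service.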