Remote Desktop stops working after joining domain?

    Question

  • I recently installed 2008 Server Core on a new Dell PowerEdge server.  This is my first Core install, so I'm learning a fair bit as I go along.  The box will be used primarily to host virtual machines for testing, using Hyper-V, and as a fileserver, which is why I went with the Core OS version.

    Everything was going fairly well; I'd managed to get the OS installed, named the system the way I wanted, etc. (the step-by-step Server Core KB article is a great reference for this). I got remote desktop enabled, and went to my desk to finish working on the system from my Vista workstation.

    Logged in via remote desktop, and everything went fine until I joined the system to our domain.  Shortly after doing that, just as I was about to tell the system to yes, go ahead and reboot, I lost the remote desktop connection.  I originally assumed the machine was rebooting, but later when I returned to the server room I discovered it was still sitting at that screen, and had NOT rebooted.

    After rebooting (as required after joining the domain) I still had no access via remote desktop (it doesn't even connect; the error I get on the client is as follows):

    [Window Title]
    Remote Desktop Disconnected

    [Content]
    This computer can't connect to the remote computer.

    Try connecting again. If the problem continues, contact the owner of the remote computer or your network administrator.

    I've tried a number of things: repeating the commands to turn on remote desktop, ensuring my user is in the Remote Desktop Users local group, opening up firewall settings for remote management, etc.   I can get most other remote management tools to work (the disk and shares tools, most MMC tools that are applicable, the Hyper-V manager, etc. all seem to work fine), but remote desktop won't even connect.   Since there are still a fair number of things that require access to the command line to do, lack of remote desktop is a real PITA for me.

    Does anyone have any ideas why joining the domain would have suddenly turned this off?   My domain admin tells me there are no policies that should be affecting this (he uses RD to manage the domain servers).  Incidentally, he gets the same error when he tries to remote to the system also.


    --Chuck
    Tuesday, July 22, 2008 3:54 PM

Answers

  • Windows Firewall may have been the problem.

    The built-in firewall has three "profiles". Public, Private, and Domain. If your computer is not connected to the domain, it will be in either public or private, and this is configurable using netsh firewall and netsh advfirewall. The correct profile is determined based on a database of previously connected networks. When the Windows service responsible for detecting changes to the network connections (Network Location Awareness) detects that the network has changed, it notifies the Firewall to change operational profiles based on previous information.

    Have you noticed Windows Vista prompting you what kind of network you are on when you plug in for the first time? It gives you three options: Home, Work, and Public. Obviously Public corresponds to the public profile. You may think that Home is private and Work is domain; however, it is not that simple. Both of these options (Home and Work) correspond to private. Domain is a special profile mode that is only chosen by Windows if the computer is connected to a domain.

    Once your computer is connected to the domain it receives a group policy object (GPO) from the domain controller (DC). When the GPO is received, Windows records the current domain name suffix in the registry (HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Group Policy\History\NetworkName). Whenever Network Location Awareness detects that the current suffix matches the recorded one, it puts the firewall into domain profile.

    This is hardly hacker resistant, but that is not the purpose. Windows Firewall is trying to seamlessly transition to provide appropriate security based on where the user is. If you happen to name your domain suffix after the local Starbucks wifi network, your users will end up in domain profile while sipping their coffee.

    When you join the domain, the Windows Firewall profile probably changed to domain profile. In this case, you will need to reconfigure your firewall to allow remote management. You can use the netsh advfirewall command to this end.

    netsh advfirewall firewall set rule group="remote administration" new enable=yes
    netsh advfirewall set currentprofile settings remotemanagement enable

    Now you can even use the Firewall with Advanced Security snap-in for MMC on your Vista workstation to connect and remotely manage your Server Core. Simply start MMC as a user with administrative privileges on both machines.
    • Proposed as answer by Ryan Capp Wednesday, March 04, 2009 11:11 PM
    • Marked as answer by Chuck vdL Wednesday, March 04, 2009 11:20 PM
    Wednesday, March 04, 2009 6:47 PM
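    The profile switch described in the answer above is easy to confirm from the server's own console, and the fix should be applied to every profile rather than only the one that happens to be active. The batch script below is an added example written for this page, not code from the original thread or from Microsoft; it assumes a Windows Server 2008 Server Core box with the stock built-in rule name "Remote Desktop (TCP-In)", the rule group "Remote Desktop", and the scregedit.wsf helper that ships with Server Core 2008. Run it from an elevated command prompt on the server itself.

```batch
@echo off
rem Added example (not from the original thread): diagnose and repair Remote Desktop
rem access on Server Core 2008 after a domain join moved the firewall to the Domain profile.
rem Assumptions: built-in rule "Remote Desktop (TCP-In)", rule group "Remote Desktop",
rem and %windir%\system32\scregedit.wsf as shipped with Server Core 2008.

echo === 1. Which firewall profile is active right now? ===
rem After the domain join, Network Location Awareness normally selects the Domain profile.
netsh advfirewall show currentprofile

echo === 2. Is the Remote Desktop rule enabled in the Domain profile? ===
rem A rule enabled only for Private/Public does nothing once Domain is active.
netsh advfirewall firewall show rule name="Remote Desktop (TCP-In)" profile=domain

echo === 3. Is the RDP listener itself up? ===
rem fDenyTSConnections must be 0x0, and TCP 3389 must be LISTENING, before the
rem firewall rule matters at all. If either check fails, the firewall is not the cause.
reg query "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server" /v fDenyTSConnections
netstat -an | findstr /c:":3389"

echo === 4. Fix: enable Remote Desktop and open the rule group in all profiles ===
rem /ar 0 = allow Remote Desktop connections (Server Core helper script).
cscript //nologo %windir%\system32\scregedit.wsf /ar 0
rem Enabling the whole rule group enables the rule for every profile, so the next
rem profile change (another NLA decision, a new suffix) does not lock you out again.
netsh advfirewall firewall set rule group="Remote Desktop" new enable=yes

rem Caveat: /cs 0 turns off the Network Level Authentication (CredSSP) requirement so
rem XP-era clients can connect. It exposes the logon screen to unauthenticated peers;
rem leave it commented out unless you actually need legacy clients.
rem cscript //nologo %windir%\system32\scregedit.wsf /cs 0

echo === 5. Verify ===
netsh advfirewall firewall show rule name="Remote Desktop (TCP-In)"
```

    Step 3 is the check that separates the two theories in this thread: if 3389 is not listening, RDP is disabled or the adapter is gone (the Hyper-V virtual-network case Chuck raises below), and no firewall change will help; if it is listening but step 2 shows the rule disabled for the active profile, the answer above is the explanation.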
  • OK, issue has been resolved by bailing on Server Core.   I've reinstalled the OS using the full version.

    While I was willing to climb the Server Core learning curve, I would have been the only one who could effectively manage the system, since the rest of our IT folks have not plunged into the Server Core pool yet.  That was not acceptable to my managers (and I can respect that), who wanted me to be able to fall back on our IT staff if I had issues with the server.

    I'll probably dive back into Server Core if I need to create VMs for network functions like DHCP, DC, etc. when setting up virtual networks, since there is huge value in having those VMs use as little disk and memory as possible.

    NOTE:  While I presume the issue was created when I joined the domain, since that's the action I had taken right before I was cut off, I suspect it's possible it could have been related to enabling Hyper-V, since I think that 'installation' was happening in the background at that time also.  If somehow both network adapters on the system were configured for virtual networks, it would have left none available for remote desktop.   This is plainly spelled out in the GUI when you add Hyper-V on a 'normal' server, but of course you get no such guidance on a Core installation where it's all done from the command line.

    --Chuck
    Wednesday, July 23, 2008 3:44 PM

All replies

  • Hello.

    I had exactly the same problem and was able to find a solution.

    I have blogged the solution here

    http://www.andymcdonald.co.uk/?p=45
    Wednesday, February 25, 2009 11:31 AM
  • When you modify the firewall settings, make sure it's being applied to the current profile, i.e., public, private, or domain.
    • Edited by Ryan Capp Sunday, March 01, 2009 1:41 PM Date of Question; Rephrase
    • Proposed as answer by Ryan Capp Wednesday, March 04, 2009 11:11 PM
    Sunday, March 01, 2009 1:40 PM
  • Thanks for the response, even after all this time. 

    That sure SOUNDS like it could well have been the issue, but I've no way to verify it for sure.   I've long since given up trying to run Server Core on that box, even though it initially seemed like a good idea at the time.

    Note I didn't give up due to any flaw with Server Core per se, but rather I got told by my boss to stick a standard GUI install (it's running Hyper-V) on the system because none of the IT staff knew how to administer a Server Core system, so it would have meant I was the only one who could admin the box.
    --Chuck  (Hyper-V is a tester's best friend!)
    Wednesday, March 04, 2009 11:20 PM