Cannot RDP to domain controllers

We have just set up a complete new environment consisting of two Domain Controllers (2008 R2) and a few member servers (2012 R2).

We have manually enabled RDP on all servers and use our Domain Admin accounts to log on remotely via RDP to the servers.

Next, we also wanted to grant a specific security group the right to log on remotely. In order to achieve this we added this group in Default Domain Policy / Local Policies / User Rights Assignment / "Allow Logon through terminal services". As soon as the policy change took effect, no one could log on remotely, not even Domain Admins.

After some research we understood that the correct way of doing this is to just add the group to the builtin AD group "Remote Desktop Users". So we removed the setting in the GPO and now domain admins can RDP to member servers but not Domain Controllers.

We have verified using rsop.msc on the domain controllers that the setting is in fact not set, but we still cannot RDP to the domain controllers.

All servers are using Swedish versions of Windows except one of the DCs, which has the English version (no idea why).

Thanks, Jonas 

July 28th, 2015 10:49am

Hi

Could you check on the DCs in remote settings whether "Network Level Authentication" is enabled or disabled? If it's enabled, you could add the users on the "select users" tab.

Also try to access the DC from a client with "telnet dcipaddress 3389". Is it available?

July 28th, 2015 11:07am

Are you certain no one made the same GPO change in the Default Domain Controllers Policy?

Whoever is in the builtin Administrators group in AD should be able to RDP to DCs as long as RDP is enabled and not blocked on the network/Windows firewall.

July 28th, 2015 11:49am

Open a command prompt and run the following command:

netstat -an | findstr 3389

You should see something like this:

TCP    0.0.0.0:3389           0.0.0.0:0              LISTENING

You should have at least one returned value from the above command. If not, verify that the Remote Desktop Services service is actually running on the Domain Controller.

July 28th, 2015 1:48pm
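The replies above suggest three separate checks on the DC: whether NLA is required, whether the Default Domain Controllers Policy (rather than the Default Domain Policy) still carries a User Rights Assignment change, and whether anything is listening on 3389. The script below is an added example that combines them into one read-only diagnostic; it is not from this thread or from Microsoft. It assumes it is run in an elevated PowerShell on the DC itself, that secedit.exe and netstat.exe are present, and that the root\cimv2\TerminalServices WMI namespace exists (all true on 2008 R2 and later). It reads the effective "Allow log on through Remote Desktop Services" right (SeRemoteInteractiveLogonRight) from an exported local security policy, which reflects what Group Policy finally applied, and resolves holders by well-known SID so localized (Swedish) group names do not matter.

```powershell
# Added diagnostic example (not from the thread). Run elevated on the DC.
# Assumed present: secedit.exe, netstat.exe, root\cimv2\TerminalServices WMI.

# Well-known SIDs: stable across localized Windows builds.
$AdminsSid  = 'S-1-5-32-544'   # BUILTIN\Administrators
$RdUsersSid = 'S-1-5-32-555'   # BUILTIN\Remote Desktop Users

function Get-EffectiveRemoteLogonRight {
    # Export the effective local policy (the result RSOP shows) and read
    # who holds SeRemoteInteractiveLogonRight. A GPO that sets this right
    # replaces the whole list, it does not merge, which is how removing
    # Administrators locks everyone out.
    $cfg = Join-Path $env:TEMP 'secpol-export.inf'
    & secedit.exe /export /cfg $cfg /areas USER_RIGHTS /quiet | Out-Null
    $line = Get-Content $cfg | Where-Object { $_ -match '^SeRemoteInteractiveLogonRight\s*=' }
    Remove-Item $cfg -ErrorAction SilentlyContinue
    if (-not $line) { return @() }          # right assigned to nobody
    $entries = ($line -split '=', 2)[1].Trim() -split ','
    foreach ($e in $entries) {
        $e = $e.Trim()
        if ($e -eq '') { continue }
        if ($e.StartsWith('*')) {
            # "*S-1-5-..." entries are SIDs; translate to a name if possible.
            $sid = New-Object System.Security.Principal.SecurityIdentifier -ArgumentList $e.TrimStart('*')
            try   { $name = $sid.Translate([System.Security.Principal.NTAccount]).Value }
            catch { $name = '(unresolved SID)' }
            New-Object PSObject -Property @{ Sid = $sid.Value; Name = $name }
        } else {
            New-Object PSObject -Property @{ Sid = $null; Name = $e }
        }
    }
}

function Test-RdpListener {
    # Same evidence as "netstat -an | findstr 3389", returned as a boolean.
    $out = & netstat.exe -an
    return [bool]($out | Where-Object { $_ -match ':3389\s+\S+\s+LISTENING' })
}

function Get-RdpSettings {
    # Is RDP enabled, and is Network Level Authentication required?
    $ts  = Get-WmiObject -Namespace 'root\cimv2\TerminalServices' -Class Win32_TerminalServiceSetting
    $tcp = Get-WmiObject -Namespace 'root\cimv2\TerminalServices' -Class Win32_TSGeneralSetting `
                         -Filter "TerminalName='RDP-Tcp'"
    New-Object PSObject -Property @{
        RdpEnabled  = ($ts.AllowTSConnections -eq 1)
        NlaRequired = ($tcp.UserAuthenticationRequired -eq 1)
    }
}

# --- Report -------------------------------------------------------------
$svc     = Get-Service -Name TermService
$cfgRdp  = Get-RdpSettings
$holders = @(Get-EffectiveRemoteLogonRight)

Write-Host ("TermService status : {0}" -f $svc.Status)
Write-Host ("Listening on 3389  : {0}" -f (Test-RdpListener))
Write-Host ("RDP enabled        : {0}   NLA required: {1}" -f $cfgRdp.RdpEnabled, $cfgRdp.NlaRequired)
Write-Host "SeRemoteInteractiveLogonRight holders (effective):"
foreach ($h in $holders) { Write-Host ("  {0,-14} {1}" -f $h.Sid, $h.Name) }

if (-not ($holders | Where-Object { $_.Sid -eq $AdminsSid })) {
    Write-Warning ("BUILTIN\Administrators does not hold the right on this DC. " +
                   "Inspect User Rights Assignment in the Default Domain Controllers Policy " +
                   "and every other GPO linked to the Domain Controllers OU.")
}
if (-not ($holders | Where-Object { $_.Sid -eq $RdUsersSid })) {
    Write-Host "Note: Remote Desktop Users membership alone does not grant RDP here; the group is not in the effective right."
}
```

On a domain controller the Default Domain Controllers Policy grants this right to Administrators only, so a member of "Remote Desktop Users" is not allowed until some GPO linked to the Domain Controllers OU adds that group to the right. If the report shows the service running, port 3389 listening and RDP enabled but Administrators absent from the holders list, the error quoted later in the thread ("you must be granted the allow log on through terminal services right") is expected, and the cause is a GPO that applies to the DC OU rather than the local or domain-wide policy that rsop.msc was used to rule out. Running gpresult /h report.html on the DC then shows which GPO is the winning source for the setting.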

Sorry guys, I forgot to specify that the service is available and working. When I RDP to any of the DCs I'm prompted for my password and the following error appears:

"To log on to this remote computer you must be granted the allow log on through terminal services right....."  

And as I mentioned, I have verified using RSOP.msc (on the DCs) that I have not accidentally changed any other policy, and that all policies have taken effect properly.

I have also tried to manually add a specific domain account to the list of allowed remote users in the DCs' remote settings, but with no luck, so I removed the account and the list is now empty again.

Any other suggestions?

Thanks.

Jonas

July 29th, 2015 2:48am

