
Server2k3 - RDP/Terminal Services


27 replies to this topic

#1 Lackadaisical


Posted 27 January 2011 - 04:57 PM

Hey guys, I could really use some help here. I'm running into some very odd issues with a Server2k3 machine. The machine is the domain controller for the domain; there is no secondary domain controller currently on the network. My coworker decided it would be a good idea to install the Terminal Services server role on it so we could have multiple remote desktop sessions. The bad thing is we do not have the licensing required for this type of setup, so Terminal Server had to be removed from the server. After the removal of the Terminal Server role, we are no longer able to get any type of remote desktop connection going to the server. Now we can only access it via console, which is less than ideal.

When trying to do an RDP session (with any type of account, including full admin) I receive the following error: "To log on to this computer, you must be granted the Allow log on through Terminal Services right. By default, members of Remote desktop users group have this right. If you are not a member of remote desktop user group or another group that has this right or if the remote desktop users group does not have this right, you must be granted this right manually."

I have checked all of my permissions over and over; all my users do have access set within the Allow log on through Terminal Services option, and yet still no dice. I have removed and re-added the users while forcing gpupdates after each step, but I still just cannot get this to work. I have set the domain controller policy, the domain policy and even the local policy to have these users allowed for Terminal Services log on. Nothing seems to make a difference; RDP just refuses to come back up.

I just don't understand what is going on here, I figured after having removed the terminal server role I could just configure RDP like normal, but that does not seem to be the case. If anyone has any ideas, I would really appreciate the help. I've done a bunch of searching and found similar issues, but no real solution. I might have to just start up a VM to try and replicate this issue.
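
The error quoted in the post above names the "Allow log on through Terminal Services" right. One way to see what the server's security database currently holds for that right and its deny counterpart, instead of reading each policy editor in turn, is to export the user rights with `secedit /export /cfg rights.inf /areas USER_RIGHTS` and parse the result. This is an added example, not part of any post in this thread; the function names are illustrative and the sample export is constructed.

```python
# Added example: audit the Terminal Services logon rights in a secedit export.
# Produce the file with: secedit /export /cfg rights.inf /areas USER_RIGHTS
# Real exports are UTF-16; read them with open(path, encoding="utf-16").

ALLOW = "SeRemoteInteractiveLogonRight"     # Allow log on through Terminal Services
DENY = "SeDenyRemoteInteractiveLogonRight"  # Deny log on through Terminal Services
WELL_KNOWN = {  # well-known SIDs, which secedit writes as *S-...
    "S-1-1-0": "Everyone",
    "S-1-5-11": "Authenticated Users",
    "S-1-5-32-544": "Administrators",
    "S-1-5-32-545": "Users",
    "S-1-5-32-555": "Remote Desktop Users",
}
BROAD = {"Everyone", "Authenticated Users", "Users"}

def parse_privilege_rights(inf_text):
    """Return {right: [principals]} from the [Privilege Rights] section."""
    rights, in_section = {}, False
    for line in (raw.strip() for raw in inf_text.splitlines()):
        if line.startswith("["):
            in_section = line.lower() == "[privilege rights]"
        elif in_section and "=" in line:
            name, _, value = line.partition("=")
            sids = [p.strip().lstrip("*") for p in value.split(",") if p.strip()]
            rights[name.strip()] = [WELL_KNOWN.get(s, s) for s in sids]
    return rights

def audit_rdp_rights(inf_text):
    """Return findings that would explain a refused Terminal Services logon."""
    rights = parse_privilege_rights(inf_text)
    allow, deny = rights.get(ALLOW, []), rights.get(DENY, [])
    findings = []
    if not allow:
        findings.append("no principal holds the allow right")
    for principal in deny:
        if principal in BROAD:
            findings.append(f"deny right covers broad group: {principal}")
        elif principal in allow:
            findings.append(f"{principal} is both allowed and denied; deny wins")
    return findings

# Constructed sample export, not taken from the server in the thread.
SAMPLE = """[Unicode]
Unicode=yes
[Privilege Rights]
SeRemoteInteractiveLogonRight = *S-1-5-32-544,*S-1-5-32-555
SeDenyRemoteInteractiveLogonRight = *S-1-5-11,*S-1-5-32-555
"""
```

An empty list from `audit_rdp_rights` means the exported rights assignment itself does not explain the refusal, which points the search at the listener and service configuration instead.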



#2 Nerm


Posted 27 January 2011 - 05:28 PM

Have you tried installing TS again and then removing it again?



#3 Lackadaisical


Posted 27 January 2011 - 05:36 PM

Yeah I have tried it a couple of times :(



#4 MercuryDoun


Posted 27 January 2011 - 06:47 PM


I have good news and bad news... First the good news: I have 3 Microsoft certifications in Server 2008, and I feel qualified to help you with this! And the bad news: I have 3 Microsoft certs in Server 2008 and I happen to hate Server 2003, lol. But being that we have a mixed environment of 2k3 and 2k8 at work, I get enough exposure to it to help. Let me know if this doesn't help. I'll be happy to try some more things with you.


Ensure that the remote desktop setting in the computer properties is actually enabled. I've seen it a couple of times that AFTER uninstalling TS on a 2k3 machine it for some reason disables this setting, blocking all RDP sessions. And then on top of that, even if it doesn't turn off that check mark, it still doesn't work properly. If it's still checked, you need to uncheck it. Click Apply. Then check it back on, and click Apply again. I don't think this will fix your issue, but I figure let's start with the easy fix first. Please see the attached SS if you wanna see what I'm talking about! Also, you have restarted this server after uninstalling TS, right? If not, a simple server restart will likely resolve the issue.

Attached Thumbnails

  • RDP.png



#5 Lackadaisical


Posted 27 January 2011 - 07:17 PM

Thanks for the reply, I have tried your idea and no dice. I have restarted the server quite a few times, and every time after removing or reinstalling TS. If it makes a difference, the server is actually a VM running on VMware ESXi.



#6 MercuryDoun


Posted 27 January 2011 - 07:46 PM

It shouldn't make a difference. Most of our environment is heavily virtualized as well, but we use Hyper-V; I have almost no experience with VMware. But regardless, that shouldn't make a difference; that's kind of the point of virtualization, haha.

How about checking the permissions in the RDP settings? See the attached SS. Start -> Admin Tools -> TS Config -> Connections -> RDP-Tcp -> Permissions tab -> Admins and remote users. Make sure permissions for this particular resource somehow didn't get messed up or changed. Can't hurt to look for other options in this properties sheet. If you want, we can compare settings to see if some setting is messed up for you.

You could also try giving just yourself (your domain account) full access to this RDP-Tcp and see if there is something else going on permission-wise. You could also try going into the Advanced tab and resetting all the permissions to the default.

You know how bad it is to have just one Domain controller right?? Lol, Disaster waiting to happen with only one DC.

Attached Thumbnails

  • RDP Permissions.PNG



#7 Lackadaisical


Posted 27 January 2011 - 08:05 PM

Yeah I know how bad having one DC is... This is not a production environment and we are in the process of some major upgrades. This is a demo/testing lab, there will be another DC added soon. I'm hoping we can just switch it over to 2k8 though. Just need to get the licensing sorted.

All my permissions look good, I have full control on the admin account and remote users has the right permissions too.



#8 MercuryDoun


Posted 27 January 2011 - 08:21 PM


I'd still reset the permissions on it. Due to the wording of the error message it really sounds like there is some permission issue somewhere. In the advanced section of that same permissions tab you can do it there. I think that is a good next step. The default permissions are the same as they are set now, but you know how Windows is. Nothing is ever as it seems, haha.

Nice, Server 2008 is so much better, and on top of that, Server 2008 R2 is SOOOOOOOO much better. I guess the only "problem" with 2k8R2 is that it's 64-bit only. But that's not really a bad thing.

Let me know how resetting the permissions works. I have one other idea that might pan out, but I'm not exactly sure where the setting I'm thinking of is. And I'm going to bed now, so it's gonna have to wait until tomorrow.



#9 Lackadaisical


Posted 27 January 2011 - 08:33 PM

Sorry, I did in fact set it to default when you mentioned it last post. I also tried a gpupdate /force after doing so and I still do not notice any difference when trying to RDP. The good news is we have a snapshot of the DC that we could restore to pretty easily; the bad news is it is about 3 weeks old and we did quite a few changes since then... I've only even been working in this lab for 2 weeks now, so I'm still trying to figure it all out; it definitely needs work. Between the projects we got going on and these stupid server issues I've been at work for almost 14 hours now... So I won't be lasting much longer :P

I've also tried a brand new user and gave it explicit privileges for RDP, no dice.



#10 MercuryDoun


Posted 28 January 2011 - 07:16 AM

Doing a gpupdate isn't likely to fix anything as this appears to be a local machine issue, because you're still able to remote into other servers on the domain, correct?

Found the setting I was thinking of. When you open the TS config window (Start -> Admin Tools -> TS Config), what does it say under the server settings? The settings in the attached SS are what give you the 2 TS CALs usable for remote administration. If this doesn't work, then something is most likely corrupted with the server. At that point, in order to fix it, I would likely be required to do a lot of googling and I don't know how helpful it really will be. But hopefully this fixes it for you. Also, I took this attached SS from a 2k3 server that does not have, and never had, TS installed on it. Being that you have now uninstalled TS from your DC, it should have a similar settings setup to the attached SS. There are different settings for servers that have TS installed. So if you have different settings options than the attached SS, that is likely the area of corruption.

Attached Thumbnails

  • RDP-lic.PNG



#11 Lackadaisical


Posted 28 January 2011 - 07:30 AM

My page looks exactly the same as your screen shot. Oh well, doesn't seem like this is going to have a nice solution.

I appreciate all your help :)



#12 MercuryDoun


Posted 28 January 2011 - 07:41 AM


Yeah, no problem. I'm really going to cop this up to Windows 2k3 being a PoS, because it is... lol. Would you like me to begin a little Google searching to maybe find an actual resolution for you? Or do you want to just use the snapshot to roll back? I don't mind doing the research, but the snapshot will prolly be a lot easier/faster if this is something you need to get fixed in a timely fashion. But don't forget to account for all the time lost having to redo the 3 weeks of work you lose.
