Users have begun to complain that when trying to connect to the RDS (Remote Desktop Server) farm running Windows Server 2008 R2 using the standard RD client (mstsc.exe) they often get an error:
The RDS farm consists of 3 servers running Windows Server 2008 R2 with an RD Connection Broker that distributes the load across the session hosts and reconnects users to their existing sessions. Because the error occurred only from time to time, we suspected that one of the servers in the farm was at fault. Checking the servers one at a time, we found the problem server and connected to its desktop remotely by IP address.
Just in case, I re-registered the server's DNS records:
ipconfig /registerdns
and a couple of minutes later flushed the local DNS cache on the client:
ipconfig /flushdns
But it didn't help. The server had no other problems, so I turned to the Microsoft Knowledge Base article https://support.microsoft.com/kb/2493594 (RDP connection to Remote Desktop server running Windows Server 2008 R2 may fail with message ‘The Local Security Authority cannot be contacted’).
The solution proposed in the article is to lower the security layer used to protect the RDP connection from SSL (TLS 1.0, which is also used for server authentication) to RDP Security Layer (the built-in, less secure RDP encryption).
But our configuration already uses the Negotiate method, which automatically falls back from TLS to RDP Security Layer when the client does not support TLS.
Entirely by accident, I noticed that the time on the problem server differed from the time on the domain controller. It turned out that this (virtual) server was running on a VMware ESXi host with the wrong time, and the option to synchronize the guest clock with the host (Time synchronization between the virtual machine and the ESX Server) was enabled in the VMware Tools settings. With Network Level Authentication the client is authenticated through Kerberos before the session is created, and Kerberos rejects the authentication when the clocks differ by more than the allowed skew (5 minutes by default), which is what surfaces as ‘The Local Security Authority cannot be contacted’.
I had to disable the ESXi time synchronization and restart the Windows Time service so that the server synchronized its time with the DC:
net stop w32time
net start w32time
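The following PowerShell script is an added diagnostic example, not part of the original post. It pulls together the checks the troubleshooting above relied on: it measures the clock offset against a domain controller with w32tm and compares it to the default Kerberos tolerance, reports which time source the guest follows and whether VMware Tools host time sync is on, and reads the configured RDP security layer (the Negotiate / SSL / RDP Security Layer setting discussed above) from WMI. The DC name and the VMware Tools install path are assumptions and are marked as such; the remediation commands at the end are commented out so the script only reports by default.

```powershell
# Added example (not from the original post). Run in an elevated PowerShell
# session on the RD Session Host that is refusing connections.

$Dc = 'DC01.contoso.local'    # ASSUMPTION: replace with a domain controller of your domain
$MaxSkewSeconds = 300         # Kerberos default MaxClockSkew is 5 minutes

# 1. Measure the clock offset against the DC.
#    'w32tm /stripchart /dataonly' prints one sample per line, e.g.
#    "12:00:01, +00.0123456s"; the signed number is the local offset in seconds.
$samples = w32tm /stripchart /computer:$Dc /samples:3 /dataonly 2>&1
$offsets = foreach ($line in $samples) {
    if ("$line" -match '([+-]\d+\.\d+)s\s*$') { [double]$Matches[1] }
}
if (-not $offsets) {
    Write-Warning "Could not compare time with ${Dc}:`n$($samples -join "`n")"
} else {
    $offset = $offsets[-1]
    "Clock offset from ${Dc}: $offset s"
    if ([math]::Abs($offset) -gt $MaxSkewSeconds) {
        Write-Warning "Skew exceeds the Kerberos tolerance of $MaxSkewSeconds s; NLA logons will fail."
    }
}

# 2. Which time source does this guest actually follow?
"Windows Time source: $(w32tm /query /source)"

# VMware Tools reports its periodic host time sync via VMwareToolboxCmd.exe.
# ASSUMPTION: default install path; adjust if Tools are installed elsewhere.
$toolbox = Join-Path $env:ProgramFiles 'VMware\VMware Tools\VMwareToolboxCmd.exe'
if (Test-Path $toolbox) {
    "VMware Tools host time sync: $(& $toolbox timesync status)"
} else {
    "VMware Tools not found at $toolbox (not a VMware guest, or non-default path)"
}

# 3. Which RDP security layer is configured on the RDP-Tcp listener?
#    SecurityLayer: 0 = RDP Security Layer, 1 = Negotiate, 2 = SSL (TLS 1.0)
#    The TerminalServices namespace requires PacketPrivacy authentication.
$ts = Get-WmiObject -Namespace 'root\CIMV2\TerminalServices' `
        -Class Win32_TSGeneralSetting -Filter "TerminalName='RDP-Tcp'" `
        -Authentication PacketPrivacy
$layerNames = @{ 0 = 'RDP Security Layer'; 1 = 'Negotiate'; 2 = 'SSL (TLS 1.0)' }
"RDP security layer: $($layerNames[[int]$ts.SecurityLayer]); NLA required: $($ts.UserAuthenticationRequired -eq 1)"

# 4. Remediation applied in the post: stop the hypervisor from setting the
#    clock, then let the Windows Time service re-sync with the domain hierarchy.
#    Uncomment to apply.
# & $toolbox timesync disable
# Restart-Service w32time
# w32tm /resync /rediscover
```

Leaving the hypervisor sync enabled while the guest is also domain-joined gives the guest two competing time authorities; the safe configuration for a domain member is the domain hierarchy only, with the ESXi host itself pointed at a correct NTP source.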
After that, users could connect to all servers of the RDS farm without any errors.
3 comments
Tried the stop w32time/start w32time/ registerdns suggestion and corrected all my errors, thank you!
‘net time /set’ worked for me.
Leadup to scenario:
– Yearly factory power outage for electrical maintenance
– Power up, most servers came up clean. DNS server did not.
– Other servers could not sync their clocks and started their own as best they could.
– DNS server returned to service, but remoting into the other servers was refused.
– Remoted into the other servers using the IP address, ran the ‘set time’ command, then remote logon by server name was successful.
!! Thanks for the tip.
I tried ipconfig /registerdns and the associated commands, it's working for me. Many many thanks!