
Terminal Server losing trust relationship


  • Terminal Server losing trust relationship

    I have inherited administration of a network that consists of 15 or so PCs that exclusively use terminal server sessions for their software, a Windows 2003 Terminal Server running 20 TS User CALs and a Windows 2003 server as a Domain Controller. The TS is a member of the domain and clients log on to the domain then straight into remote desktop on the TS.
    This all works well and has been for a number of months, however, for some reason the clients stopped getting access to the TS with an RPC error when trying to authenticate in a remote desktop logon. I.e., when you try to connect, you are given the logon screen, but when actually logging in, the error occurs and drops you out.

    I discovered that from the TS system, you could not access the DC in any way, browsing etc, except for pings.

    I removed the TS from the domain and back into a workgroup, deleted the computer account on the DC and then reconnected the term server back to the domain and presto, clients can log in.

    This has happened two times in two weeks and I'm kinda wondering if anyone has any idea why this is happening?
    Event logs don't seem to give any indication of errors on either server, however the TS system has some strange issues accessing the event logs as local admin (be it locally logged on or logging onto the domain) as I cannot see the system log entry at all - it's completely missing.
    If I log in to the TS from a remote PC via remote desktop and as administrator, I can see the system log.

    Any ideas?
    I'll post screen shots of event viewer and error messages when I can.
    Both servers are dual 3ghz xeons with raid 3 serial raptor drives for the o/s, 4gb ecc mem on the TS and 2gb ecc mem on the DC, running Win2k3 std sp1.
    Last edited by scottyb; 15th June 2006, 14:46. Reason: can't spell

  • #2
    Re: Terminal Server losing trust relationship

    There may be a license server problem, time sync problem etc. More information is needed
    about the network, servers etc. Also, in the future, please buy HP/Dell servers.
    Using a "PC" as a server is a bad idea and can create problems...


    Terminal Server FAQ:

    Group Policy:

    How to apply Group Policy objects to Terminal Services servers

    http://support.microsoft.com/default...b;EN-US;260370

    Loopback Processing of Group Policy

    http://support.microsoft.com/?kbid=231287

    Security Settings - Software Restrictions

    http://www.computerperformance.co.uk...strictions.htm

    Introduction to Group Policy in Windows Server 2003

    http://www.microsoft.com/windowsserv...w/gpintro.mspx

    Windows Server 2003 Security Guide

    http://www.microsoft.com/downloads/d...displaylang=en

    Windows 2003 - Group Policy WMI Filters

    http://www.computerperformance.co.uk...MI_filters.htm

    Using Windows Terminal Services to Run a Single Application

    http://www.windowsecurity.com/articl...plication.html

    How to lock down a Windows Server 2003 or Windows 2000 Terminal Server session

    http://support.microsoft.com/default...b;en-us;278295

    Best Practices for Citrix Policy design for Presentation Server 3 or 4

    http://www.brianmadden.com/content/content.asp?ID=503


    Terminal Server Licensing:

    The Ultimate Guide to Windows 2003 Terminal Server Licensing

    http://www.brianmadden.com/content/content.asp?id=154

    FAQ: Terminal Server Licensing

    http://www.brianmadden.com/content/content.asp?ID=129

    Free TS Licenses For MSDN Users/Microsoft Partners

    http://msdn.microsoft.com/subscripti...minalservices/



    The Ultimate Guide to Terminal Server Printing - Design and Configuration

    http://www.brianmadden.com/content/content.asp?ID=62

    How Microsoft's Windows 2003 SP1 Fallback Printer Driver Works (which now supports color!)


    http://www.brianmadden.com/content/content.asp?ID=438




    How to Configure Windows Network Load Balancing for pure Terminal Server environments

    http://www.brianmadden.com/content/content.asp?id=278


    Session Directory and Load Balancing Using Terminal Server

    http://www.microsoft.com/windowsserv...directory.mspx


    Deploying Windows Server 2003 Terminal Server to Host User Desktops

    http://www.microsoft.com/technet/pro.../adstrmsr.mspx


    Terminal Services Client Cannot Connect to NLB Cluster TCP/IP Address

    http://support.microsoft.com/?kbid=280805

    Network Load Balancing: Frequently Asked Questions for Windows 2000 and Windows Server 2003

    http://www.microsoft.com/technet/pro...ng/nlbfaq.mspx


    Add on tools:


    User Profile Hive Cleanup Service

    http://www.microsoft.com/downloads/d...displaylang=en

    RDP 5.2

    http://www.petri.com/download_rdp_5_2.htm


    Tips:


    Printers That Use Ports That Do Not Begin With COM, LPT, or USB Are Not Redirected in a Remote Desktop or Terminal Services Session

    http://support.microsoft.com/kb/302361/en-us

    Windows 2000 Terminal Services server logs events 1111, 1105, and 1106

    http://support.microsoft.com/?id=239088

    Troubleshooting Remote Desktop Licensing Error Messages

    http://technet2.microsoft.com/Window...97e2c1033.mspx

    How to Configure ActiveSync for PDA Synchronization

    http://support.citrix.com/article/CTX821115

    HOW TO: Use Group Policy to Permit Users to Redirect and Play Audio in a Remote Desktop Session to Terminal Services in Windows Server 2003

    http://support.microsoft.com/?kbid=818465
    Best Regards,

    Yuval Sinay

    LinkedIn: https://www.linkedin.com/in/yuval14, Blog: http://blogs.microsoft.co.il/blogs/yuval14



    • #3
      Re: Terminal Server losing trust relationship

      Originally posted by yuval14
      There may be a license server problem, time sync problem etc. More information is needed
      about the network, servers etc. Also, in the future, please buy HP/Dell servers.
      Using a "PC" as a server is a bad idea and can create problems...
      Server Specs...
      Chassis Intel SC5300LX w/ sec hotswap PSU
      Mainboard Intel E7520
      Dual 3Ghz Xeons
      4GB Kingston ECC ram
      3x 74GB Sata Raptors in raid 3 config (operating system)
      2x 250Gb Seagate drive in raid 1 (storage)
      Intel SCRS16 raid card
      Iomega Rev drive
      Liteon DVDrw drive
      Intel 6 bay Sata Hotswap cage

      Operating system - windows 2003 server std w/ sp1
      25 user cals for term server installed and configured for user use (not device)

      Domain controller is essentially the same except has only 1 cpu and 1gb ram, otherwise identical.

      Hardly pc's....

      Network is very basic, a single 24port rack mount unmanaged switch which connects all devices via a patch panel and a 1 yr old network (building is new).

      Desktop pc's are all p4's running windows xp pro sp2. About 15 or so pc's on the network and around 5 or so use remote desktop to access the terminal server.

      what other info would you like?
      Last edited by scottyb; 15th June 2006, 14:46.



      • #4
        Re: Terminal Server losing trust relationship

        1. Please use a network switch from HP/Nortel/Cisco.
        2. Did you check the time sync and DNS?
        3. Move the TS license mode to per device and check if this error occurs again.
        4. License server - Please provide information on the TS license server position,
        installation method and if you tried to set the license server settings in the TS
        server manually so the TS server can locate the server automatically?
        5. In the future - consider using a real server (e.g. Dell 1850, HP DL 360 G4 etc.)
        Best Regards,

        Yuval Sinay

        LinkedIn: https://www.linkedin.com/in/yuval14, Blog: http://blogs.microsoft.co.il/blogs/yuval14



        • #5
          Re: Terminal Server losing trust relationship

          Please post any errors from the TS Application or System Event Log that are on the same day as the failure. When in per-user mode, the TS queries the TSLS and verifies that:

          A. The server is activated
          B. There are per-user TSCALs installed.

          http://www.sessioncomputing.com/licensing.htm

          If you get desperate, send me a message and I'll (at your request) remote into your system and see what's going on. Sorry you're having such a problem.
          Patrick Rouse
          Microsoft MVP - Terminal Server, Provision Networks VIP
          President - Session Computing Solutions, LLC
          http://www.sessioncomputing.com



          • #6
            Re: Terminal Server losing trust relationship

            Thanks so much for the replies and especially the offer to help! It's really good to know there are people out there more than willing to help out.

            As I said before, I've inherited this situation and am trying to learn as much about it as I can to try and resolve the issues and to reassure our client that their systems will be reliable and stable in the future.

            I've been working on resolving some smaller issues that were "left over" from the previous admin - folder redirections applied at domain level GP, batch scripts that pointed to nothing etc, and have discovered the causes behind other strange problems - inability to log off caused by an SNTP agent that locks itself and you have to manually shut it down first, things like that.

            The Licensing side. OK please bear with me here as I've not had much to do with TS licensing. As far as I'm aware, the server that users log into via remote desktop is the same server that has the license manager installed on it. 25 User CALs have been installed on this same server and licensing manager is set to user CALs.

            All user authentication is from the other server, the domain controller.
            The problem has now reoccurred, I cannot log into the TS via remote desktop by logging onto the domain, I get the RPC server unavailable message, if I log on locally (still via remote desktop), there is no problem. All users need authentication from the domain controller and therefore get this error.

            I cannot access the domain controller via Windows Explorer from the terminal server, but can ping it from command prompt even using DNS names - i.e. ping domaincont gets a reply.

            Errors in logs to be posted as soon as I can.
            Last edited by scottyb; 17th June 2006, 07:22.



            • #7
              Re: Terminal Server losing trust relationship

              Remove any SNTP agents - this may create a time sync problem - Active Directory
              doesn't allow logon if the time difference between the DC/Server is higher than 5 min...
              Also, following the request of Patrick Rouse please add the errors that you get in the event logs.
              Best Regards,

              Yuval Sinay

              LinkedIn: https://www.linkedin.com/in/yuval14, Blog: http://blogs.microsoft.co.il/blogs/yuval14



              • #8
                Re: Terminal Server losing trust relationship

                From App log on terminal server.
                This is the first error encountered since the last time a user was able to successfully log on remotely. Numerous instances of this exact same error occur.

                Event Type: Error
                Event Source: Userenv
                Event Category: None
                Event ID: 1053
                Date: 17/06/2006
                Time: 6:06:06 AM
                User: NT AUTHORITY\SYSTEM
                Computer: TERMSERV
                Description:
                Windows cannot determine the user or computer name. (Not enough storage is available to complete this operation. ). Group Policy processing aborted.

                For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.

                Checked, both servers have plenty of disk space on all partitions.

                Second error as follows

                Event Type: Error
                Event Source: Winlogon
                Event Category: None
                Event ID: 1219
                Date: 17/06/2006
                Time: 2:25:02 PM
                User: N/A
                Computer: TERMSERV
                Description:
                Logon rejected for CONDOBOLIN\administrator. Unable to obtain Terminal Server User Configuration. Error: The RPC server is unavailable.


                For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.
                Data:
                0000: ba 06 00 00 ...

                See attachment for a view of the missing system log (I'm thinking that's just a local admin profile problem as I can view the system log from a remote desktop logging locally on the termserver (or authenticated via the domain when it's working)).
                Now in the actual system log I find these events. The first two browser issues came first then the netlogon error about 6hrs later.
                Event Type: Warning
                Event Source: BROWSER
                Event Category: None
                Event ID: 8021
                Date: 17/06/2006
                Time: 6:10:52 AM
                User: N/A
                Computer: TERMSERV
                Description:
                The browser service was unable to retrieve a list of servers from the browser master \\CONDOAD on the network \Device\NetBT_Tcpip_{FFF584AA-8A18-47A5-A647-87E4CF1B8EBF}.

                Browser master: \\CONDOAD
                Network: \Device\NetBT_Tcpip_{FFF584AA-8A18-47A5-A647-87E4CF1B8EBF}

                This event may be caused by a temporary loss of network connectivity. If this message appears again, verify that the server is still connected to the network. The return code is in the Data text box.

                For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.
                Data:
                0000: 1f 00 00 00 ....

                Event Type: Error
                Event Source: BROWSER
                Event Category: None
                Event ID: 8032
                Date: 17/06/2006
                Time: 6:11:52 AM
                User: N/A
                Computer: TERMSERV
                Description:
                The browser service has failed to retrieve the backup list too many times on transport \Device\NetBT_Tcpip_{FFF584AA-8A18-47A5-A647-87E4CF1B8EBF}. The backup browser is stopping.

                For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.
                Data:
                0000: 1f 00 00 00 ....

                Event Type: Error
                Event Source: NETLOGON
                Event Category: None
                Event ID: 5719
                Date: 17/06/2006
                Time: 1:25:12 PM
                User: N/A
                Computer: TERMSERV
                Description:
                This computer was not able to set up a secure session with a domain controller in domain CONDOBOLIN due to the following:
                Not enough storage is available to process this command.
                This may lead to authentication problems. Make sure that this computer is connected to the network. If the problem persists, please contact your domain administrator.

                ADDITIONAL INFO
                If this computer is a domain controller for the specified domain, it sets up the secure session to the primary domain controller emulator in the specified domain. Otherwise, this computer sets up the secure session to any domain controller in the specified domain.

                For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.
                Data:
                0000: 17 00 00 c0 ...└

                It's not until after this that there are errors relating to inability to log on due to the RPC server being unavailable.

                The browser errors are repeated about every 2-3hrs.
                Again I checked and cannot see any problems with drives.
                There are no other errors in both system and application and the domain controller reports no errors at all in either logs.

                I'll need to disconnect and reconnect the terminal server from the domain to get the network back up and running again for Monday as it will be needed.

                Hope this helps...(sorry about any spelling mistakes...getting late and am bloody tired) oh forgot to mention it's an SMTP NOT SNTP service and it apparently has to run for the software the clients use. Thing is this system has been running for months without an issue till the last couple of weeks.
                Last edited by scottyb; 17th June 2006, 15:04.
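
Added example (not written by any participant in this thread): the `Data:` lines in the events posted above carry a little-endian status code, and this Python sketch parses Event Viewer text in that pasted format, decodes the DWORD and sorts the events by time. The sample is constructed from trimmed copies of those events, and the function names are this example's own.

```python
import re
import struct
from datetime import datetime

# Constructed sample: trimmed copies of events quoted in post #8, in pasted order.
SAMPLE = """\
Event Type: Error
Event Source: Userenv
Event ID: 1053
Date: 17/06/2006
Time: 6:06:06 AM
Event Type: Error
Event Source: Winlogon
Event ID: 1219
Date: 17/06/2006
Time: 2:25:02 PM
Data:
0000: ba 06 00 00 ...
Event Type: Warning
Event Source: BROWSER
Event ID: 8021
Date: 17/06/2006
Time: 6:10:52 AM
Data:
0000: 1f 00 00 00 ....
Event Type: Error
Event Source: NETLOGON
Event ID: 5719
Date: 17/06/2006
Time: 1:25:12 PM
Data:
0000: 17 00 00 c0 ...
"""

# Names for the three codes that occur in the thread; others are shown as hex.
KNOWN = {
    0x0000001F: "ERROR_GEN_FAILURE",
    0x000006BA: "RPC_S_SERVER_UNAVAILABLE",
    0xC0000017: "STATUS_NO_MEMORY",
}

def decode_data(text):
    """First DWORD of an Event Viewer 'Data' hex dump, read little-endian."""
    m = re.search(r"0000:\s*((?:[0-9a-fA-F]{2}\s+){3}[0-9a-fA-F]{2})", text)
    return struct.unpack("<I", bytes.fromhex(m.group(1)))[0] if m else None

def field(block, name):
    """Value of a 'Name: value' line, or None if the event has no such line."""
    m = re.search(r"(?m)^[ \t]*%s:[ \t]*(.+)$" % re.escape(name), block)
    return m.group(1).strip() if m else None

def parse_events(text):
    """Split pasted Event Viewer text into one dict per event."""
    events = []
    for block in re.split(r"(?m)^(?=[ \t]*Event Type:)", text):
        if field(block, "Event ID") is None:
            continue  # leading text or an incomplete paste
        code = decode_data(block)
        stamp = field(block, "Date") + " " + field(block, "Time")
        events.append({
            "when": datetime.strptime(stamp, "%d/%m/%Y %I:%M:%S %p"),
            "source": field(block, "Event Source"),
            "id": int(field(block, "Event ID")),
            "code": code,
            "status": None if code is None else KNOWN.get(code, hex(code)),
        })
    return events

def timeline(events):
    """Events in chronological order, so the first failure is easy to spot."""
    return sorted(events, key=lambda e: e["when"])

for e in timeline(parse_events(SAMPLE)):
    print(e["when"], e["source"], e["id"], e["status"])
```

The NETLOGON 5719 payload decodes to 0xC0000017 (STATUS_NO_MEMORY) and the Winlogon 1219 payload to 1722 (RPC_S_SERVER_UNAVAILABLE), matching each event's description text.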



                • #9
                  Re: Terminal Server losing trust relationship

                  Also, I checked the time sync between the servers and they're within less than a second of each other. Occasionally there is a locating time server error, then soon after it's resolved. Maybe one or two events like that a month, but surely not enough to cause issues.

                  The network switch is again only a few months old, but even still, I'd have thought that network connectivity issues would not "lock" out one device after an intermittent problem has occurred. I.e. if someone accidentally pulled a patch cable out then plugged it back in, the servers would reestablish themselves fairly quickly.
                  Remember I can still ping from the TS server to the DC (via ip address or domain name), but nothing else until I remove the ts from the domain.

                  Even after I disconnect the ts from the domain, I can browse back into the DC via windows explorer with no troubles.

                  As soon as I rejoin the ts back to the domain, everything works perfectly.



                  • #10
                    Re: Terminal Server losing trust relationship

                    1. Replace the network switch with a real one. The reasons why are not easy to
                    understand but this may help (Remember only to use: HP/Nortel/Cisco).

                    2. Uninstall the TS License Server (After backup).

                    3. Install Intel/Broadcom (Not other vendor card/model) Server adapter 1 GB on the server
                    & disable the other card via BIOS etc..

                    4. Install the TS License server and activate the server.

                    http://www.jsifaq.com/SUBO/tip7000/rh7017.htm

                    http://www.computing.net/windows2003...orum/2465.html
                    Best Regards,

                    Yuval Sinay

                    LinkedIn: https://www.linkedin.com/in/yuval14, Blog: http://blogs.microsoft.co.il/blogs/yuval14



                    • #11
                      Re: Terminal Server losing trust relationship

                      Originally posted by yuval14
                      1. Replace the network switch with a real one. The reasons why are not easy to
                      understand but this may help (Remember only to use: HP/Nortel/Cisco).

                      2. Uninstall the TS License Server (After backup).

                      3. Install Intel/Broadcom (Not other vendor card/model) Server adapter 1 GB on the server
                      & disable the other card via BIOS etc..

                      4. Install the TS License server and activate the server.

                      http://www.jsifaq.com/SUBO/tip7000/rh7017.htm

                      http://www.computing.net/windows2003...orum/2465.html
                      1. I think I can source a HP switch to try out. I do understand the reasons behind quality switches, I have seen first hand Cisco switches connecting when others won't. Please don't be afraid to techno speak the reasons behind your suggestions, I would like to hear them.

                      2. I'd like to try the hardware suggestions first

                      3. The server boards in both systems have two 1GB NICs, an Intel Pro1000 MT and a Marvell Yukon 1GB. At present both are using the Marvells, I can change them over to the Intels easily enough when I'm next at the site (it's over 100kms away from me) to give that a shot.

                      4. Again I'd like to try the hardware first.

                      I also noted that in your links supplied that one person had the same "Not enough storage is available to process this command" error message as me and it was a custom app causing the problem. Well unfortunately the very reason for this terminal server's existence is a custom app that has a service (the above mentioned SMTP service) running. Could there be something there?

                      Anyway, you've definitely given me something to try which is WAY more than I had before.
                      Thanks and I'll post results as soon as I can change the nics around.



                      • #12
                        Re: Terminal Server losing trust relationship

                        Dear yuval and scotty,

                        I am having the same problems and the same error messages

                        I also have 1 DC and 1 TS member server

                        and I've posted before scotty on the same issue just under a different name

                        Is it a virus ?



                        • #13
                          Re: Terminal Server losing trust relationship

                          I've spoken to the software tech guy with regards to the SMTP service and he agrees that yes it could be causing issues. We can get rid of it in a few weeks when they change over to a new messaging system. I'll post details of how it goes when that happens. At the moment I've changed over to the Intel NIC, trialing that - then the switch next, then the SMTP service when we are not needing it any more.

                          Will keep you posted. Hope might find solution that helps you too.



                          • #14
                            Re: Terminal Server losing trust relationship

                            Originally posted by kopal
                            Dear yuval and scotty,

                            I am having the same problems and the same error messages

                            I also have 1 DC and 1 TS member server

                            and I've posted before scotty on the same issue just under a different name

                            Is it a virus ?
                            Well now I'm wondering, maybe not a virus, but certainly there is something strange going on with this server. A HijackThis log reveals many "file missing" entries. A RootkitRevealer scan shows a number of discrepancies pointing toward a number of files that appear to be malicious.
                            When I can I'll post logs to see what ppls think.
                            One entry as a startup service is "vnc vista" ...? RealVNC is what I use to access this server remotely, so I don't know what that one is.



                            • #15
                              Re: Terminal Server losing trust relationship

                              I have the same problem. 2 computers in NLB (HP DL360 G3 1GB RAM) running W2k3 SP1 as a member server in DMZ segment (192.168.1.0), DC located in LAN segment (192.168.0.0). One of them is OK but the second has the symptoms described in the original post.
                              Firewall - Checkpoint NG R 55
                              Switch HP 2524.
                              Windows was reinstalled 3 times, all drivers and firmware on the server up to date.
                              In addition we have a second NLB in the same DMZ - OK for more than 1 year. All 4 computers are identical.
                              Any idea?

