Cannot Remote Desktop over VPN connection

KB ID 0000845 

Problem

This one had me well and truly stumped! The client has two sites and from their remote site they could not open a remote Desktop connection to a server at the main site.

RDP Stuck at Securing remote connection.

At first, because the client had SBS at their main site I assumed this was the problem, but sadly it was not.

Solution

The following process goes through the steps taken to identify and rectify the problem.

1. Firstly, I’m assuming you can ‘ping’ the target server both by name and IP address, if you can’t do this, then read no further, you have a communication problem, fix that first!

2. Check that RDP (TCP Port 3389) is open by attempting to Telnet to that port on the destination server.

You may receive the following error;

Windows – ‘Telnet’ is not recognized as an internal or external command

If you simply see a ‘cursor’ then the port is open, if not it will give you an error. (If that is the case then you need to look at comms to make sure TCP Port 3389 is not being blocked, either by a hardware firewall/router, or a software firewall on either of the machines.)

3. Check no third party security software is blocking RDP, by issuing the following command;

[box]
fltmc[/box]

This indicates the machine I’m on is running, “Trend Micro’.

4. Try disabling the security software to see if that rectifies the problem,

After much hand wringing, and a few days of rebuilding firewall VPNs, patching servers, and installing hot-fixes, I admitted defeat and got Microsoft on the phone.

5. The fist thing they found, was if they attempted to open a UNC path to the destinations server IP address it worked.

6. BUT If they did the same to the server name it failed.

Error: The specified network name is no longer valid

7. Normally this is an indication that the secure channel between this machine, and the target machine is broken. Normally this can be fixed with the following commands;

[box]

net stop KDC

klist purge

netdom resetpwd /server:{IP address of domain controller}/userd:{your-domain-name}administrator /passwordd:*

Then supply the domain administrators password

net start KDC

[/box]

However this did not fix our problem, but indicated that it was not just RDP that was failing. Both the machine we were using, and the destination machine were domain controllers, so domain replication was checked and the following was found;

Event ID 1865

Log Name: Directory Service
Source: Microsoft-Windows-ActiveDirectory_DomainService
Event ID: 1311
Task Category: Knowledge Consistency Checker
Level: Error
Keywords: Classic
User: ANONYMOUS LOGON
Computer: your-server-your-domain.com
Description:
The Knowledge Consistency Checker (KCC) has detected problems with the following 
directory partition. 

Directory partition: CN=Configuration,DC=your-domain,DC=com There is insufficient site connectivity information for the KCC to create a spanning tree replication topology. Or, one or more directory servers with this directory partition are unable to replicate the directory partition information. This is probably due to inaccessible directory servers. User Action Perform one of the following actions: – Publish sufficient site connectivity information so that the KCC can determine a route by which this directory partition can reach this site. This is the preferred option. – Add a Connection object to a directory service that contains the directory partition in this site from a directory service that contains the same directory partition in another site.

Event ID 1311

Log Name: Directory Service
Source: Microsoft-Windows-ActiveDirectory_DomainService
Event ID: 1566
Task Category: Knowledge Consistency Checker
Level: Warning
Keywords: Classic
User: ANONYMOUS LOGON
Computer: your-server-your-domain.com
Description:
All directory servers in the following site that can replicate the directory partition 
over this transport are currently unavailable. 

Event ID 1566

Log Name: Directory Service
Source: Microsoft-Windows-ActiveDirectory_DomainService
Event ID: 1865
Task Category: Knowledge Consistency Checker
Level: Warning
Keywords: Classic
User: ANONYMOUS LOGON
Computer: your-server-your-domain.com
Description:
The Knowledge Consistency Checker (KCC) was unable to form a complete spanning tree network topology. As a result, the following list of sites cannot be reached from the local site. 
Sites:
CN=Your-OU,CN=Sites,CN=Configuration,DC=your-domain,DC=com 

8. So we DO have a communications problem, some things work others do not! Let’s make sure our traffic is not getting fragmented, you would expect a packet of 1500 bytes to be able to get though, ours did not, using trial and error Microsoft ascertained that 1320 was the highest we could get though without error.

[box]

ping -f -l {packet size}

[/box]

Note: To get the figure exactly right, you need to keep decreasing the packet size by 1, then when you have found the largest size permissible, you need to add 28 to it (for the overhead of the IP Header).

9. So the MTU was ‘locked’ at BOTH ENDS (source machine and destination server). To do so, Windows Key+R > regedit > Navigate to;

[box]

HKEY_LOCAL_MACHINE > System > CurrentControlSet > Services > Tcpip > Parameters > Interfaces

[/box]

Note: There may be many ‘keys’ here, check each one in turn, to find the one that equates to the IP address on your machine, (the one you are working on).

When you have located the correct key, create a new DWORD (32 bit) value (or edit one if it exists) set the DECIMAL value to the same size that you could get though without error in step 8.

10. Reboot the machines and try again.

Related Articles, References, Credits, or External Links

Special thanks and credit to Harprit Singh at Microsoft, for his hard work and outstanding support.