After promotion of Server 2022 DC, unable to RDP into any domain-joined machines

Erik Johnson 11 Reputation points
2022-11-12T20:36:02.523+00:00

We have a 2008 DFL/FFL domain, with 4 existing domain controllers, 3 Win2008, 1 Win2008R2. We are in the process of migrating all of our systems to MEM/Azure.
We are running an older version of Azure AD-Connect that is compatible with Win2008R2.

As part of this process, we needed a DC in Azure.

Yesterday I made sure we had the necessary prereqs for promoting a Server 2022 as DC:

  • Migrated FRS to DFS-R
  • 2008 DFL/FFL

I had no issues promoting the server, but then shortly afterwards, I began to be unable to RDP into any domain-joined machines.

I get: "Your credentials did not work, the logon attempt failed" from a Win10 machine trying to mstsc /v into the affected machines.

Oddly enough, the one Windows XP machine we have joined to the domain allows me to RDP into it, and from there, I can RDP into any machine.

This seems to be tied to NLA / ciphers, but I've been unable to come up with a specific solution.

I found a workaround in disabling NLA on affected machines with these registry keys:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\TerminalServer\WinStations\RDP-Tcp\SecurityLayer = 0
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\TerminalServer\WinStations\RDP-Tcp\UserAuthentication = 0

I've checked the following, and everything looks good:

  • Application, System, Security, Directory Services, DFS-R, DNS event logs on multiple affected systems
  • Group policies are unchanged, no issues running gpupdate, no issues in Group Policy event logs
  • Ran Dcdiag /v /c /d /e /s:vm-azdc-011 >C:\dcdiag.log
  • Ran repadmin /showrepl >C:\repl.txt
  • An EMC Celerra SAN joined to the domain
  • A Synology NAS joined to the domain
  • Logging in to Win7 domain-joined systems
  • Accessing file shares

There are some oddities in the Security log of the new DC, I will see 4673 Audit Failures for SeTcbPrivilege, for the domain admin account I'm using to RDP in, for various processes, intermittently.

Aside from this, everything seems to be working properly.

Any help would be greatly appreciated.

EDIT1: Correction, I am able to log into an Azure VM that is domain joined running Server 2019. I was also able to log into the new DC fine, until I rebooted it, then I began experiencing the same RDP login rejections as with the other machines.

EDIT2: I am able to get to affected machines if I use their IP address rather than DNS names.
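The registry workaround above turns off NLA and drops the RDP security layer, which is worth tracking so it does not outlive the underlying problem. The following PowerShell is an added example, not code from the original post: it reports which domain hosts have been left in that state and puts the defaults back. It assumes WinRM access and admin rights on the targets and the ActiveDirectory module on the machine running it; note that the real key name is "Terminal Server" with a space.

```powershell
# Added example: audit and restore the RDP settings the NLA workaround changes.
# Assumption: WinRM is reachable on every host and the caller is a local admin there.
$RdpKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp'

function Get-RdpNlaState {
    param([string[]]$ComputerName)
    Invoke-Command -ComputerName $ComputerName -ErrorAction SilentlyContinue -ScriptBlock {
        $p = Get-ItemProperty -Path $using:RdpKey -Name SecurityLayer, UserAuthentication
        [pscustomobject]@{
            Computer           = $env:COMPUTERNAME
            SecurityLayer      = $p.SecurityLayer        # 0 = RDP security, 1 = negotiate, 2 = TLS
            UserAuthentication = $p.UserAuthentication   # 1 = NLA required, 0 = NLA off
            # Either value at 0 means the workaround is still in place
            NlaDisabled        = ($p.UserAuthentication -eq 0 -or $p.SecurityLayer -eq 0)
        }
    } | Select-Object Computer, SecurityLayer, UserAuthentication, NlaDisabled
}

function Restore-RdpNla {
    param([string[]]$ComputerName)
    Invoke-Command -ComputerName $ComputerName -ScriptBlock {
        # Require TLS for the security layer and NLA for user authentication.
        Set-ItemProperty -Path $using:RdpKey -Name SecurityLayer -Value 2 -Type DWord
        Set-ItemProperty -Path $using:RdpKey -Name UserAuthentication -Value 1 -Type DWord
        # A new setting applies to new sessions; existing sessions are unaffected.
    }
}

# Usage: enumerate Windows computer objects in AD and list the ones still without NLA.
$hosts = (Get-ADComputer -Filter 'OperatingSystem -like "*Windows*"').Name
$state = Get-RdpNlaState -ComputerName $hosts
$state | Where-Object NlaDisabled | Format-Table -AutoSize

# Once name-based RDP works again, re-enable NLA on exactly those hosts.
# Restore-RdpNla -ComputerName ($state | Where-Object NlaDisabled).Computer
```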


3 answers

  1. Justin Bonneville 1 Reputation point
    2023-01-05T17:50:43.817+00:00

    Hello Erik,

    I am having this exact same issue and I am wondering if you found the root cause or fix at some point.
    The environment was Server 2011 SBS, so Server 2008 R2.
    I installed Server 2022 Standard as new DC, DCpromo'd it, moved DHCP and DNS.

    Everything seemed to be working fine however I have the same problem with "Logon attempt failed" when trying to RDP to any domain joined servers.
    I have found that I am able to connect no problem by using the IP address of the server vs the NETBIOS or DNS name for it.

    I also found that if I set the DNS server on my computer to the 2008 R2 system then I am able to connect to servers with their name.
    But when I change my local DNS to Server 2022 IP then I am getting this logon attempt failed error.
    Internet and all other DNS queries seem to work fine when using the 2022 server DNS; however, RDP will not function, same as your issue.

    Any updates or does anyone else have any suggestions?


  2. Pierre-Joe Fekete 0 Reputation points
    2023-02-06T15:25:25.1066667+00:00

    Hi all,

    I am having the same issue. One of my projects is to upgrade our current 2012 R2 DCs to 2022.

    Two weeks ago, I promoted a 2022 server to a domain controller, migrated the DHCP, DNS and the NPS.

    The next day, I started having this problem. I was only able to RDP using:

      • The IP address
      • From another server that is on the same VLAN

    Then I thought about the IT 101 trick: Rebooting. I rebooted my machine and I was fine for about 90% of our servers.

    The next week, end-users started having the same problem and a reboot solved the issue.

    It still happens for me and some other colleagues from time to time, so this is not 100% solved.

    I then looked into the event viewer on my 2022 domain controller (DC2) and came across this error:

        An error event occurred.  EventID: 0x80000025
           Time Generated: 01/31/2023   12:50:41
           Event String:
           The Key Distribution Center (KDC) encountered a ticket that did not contain information about the account that requested the ticket while processing a request for another ticket. This prevented security checks from running and could open security vulnerabilities. See https://go.microsoft.com/fwlink/?linkid=2173051 to learn more.

             Ticket PAC constructed by: DC1
             Client: domain.COM\\USERLAPTOP$
             Ticket for: krbtgt

    Seems that the error is related to this:

    https://support.microsoft.com/en-us/topic/kb5008380-authentication-updates-cve-2021-42287-9dafac11-e0d0-4cb8-959a-143bd0201041

    I pushed this update on the 2012 server but the same errors still come up, and seems that there are still some issues with RDP.

    I will be looking into this more, as I am not sure I want to promote my other 2022 server yet.

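The dcdiag line above reports the event by its instance ID, 0x80000025; the low 16 bits (0x25 = 37) are System log Event ID 37 from the Microsoft-Windows-Kerberos-Key-Distribution-Center provider, and the "Ticket PAC constructed by" field names the DC that issued the ticket without the requester information, i.e. the DC that still needs the KB5008380 hardening. The PowerShell below is an added example, not from the thread: it pulls that event from every DC for a time window and groups it by the issuing DC. It assumes the ActiveDirectory module and remote event log access (RPC) to the DCs.

```powershell
# Added example: find KDC Event 37 (PAC without requester info, KB5008380) on all DCs
# and attribute each occurrence to the DC that built the PAC.
# Assumption: remote event log access to each DC and the ActiveDirectory module.
function Get-KdcPacRequestorEvents {
    param(
        [string[]]$DomainController = (Get-ADDomainController -Filter *).HostName,
        [int]$Days = 7
    )
    # Pull one labelled field out of the event text; empty string if absent.
    function Get-Field([string]$Text, [string]$Label) {
        if ($Text -match "$Label\s*(\S+)") { return $Matches[1] } else { return '' }
    }
    foreach ($dc in $DomainController) {
        $events = Get-WinEvent -ComputerName $dc -ErrorAction SilentlyContinue -FilterHashtable @{
            LogName      = 'System'
            ProviderName = 'Microsoft-Windows-Kerberos-Key-Distribution-Center'
            Id           = 37
            StartTime    = (Get-Date).AddDays(-$Days)
        }
        foreach ($e in $events) {
            [pscustomobject]@{
                LoggedOn         = $dc                 # DC that rejected/flagged the ticket
                Time             = $e.TimeCreated
                PacConstructedBy = Get-Field $e.Message 'Ticket PAC constructed by:'  # DC to patch
                Client           = Get-Field $e.Message 'Client:'
                TicketFor        = Get-Field $e.Message 'Ticket for:'
            }
        }
    }
}

# Usage: which DC keeps issuing PACs without requester info, and for which clients?
$found = Get-KdcPacRequestorEvents -Days 14
$found | Group-Object PacConstructedBy | Select-Object Name, Count | Sort-Object Count -Descending
$found | Format-Table Time, LoggedOn, PacConstructedBy, Client, TicketFor -AutoSize
```

A DC that keeps appearing in PacConstructedBy after the update has been installed there has usually not been rebooted yet, or is still issuing tickets cached from before the update.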

  3. Justin Kantor 0 Reputation points
    2023-03-24T01:07:39.8966667+00:00

    Same problem I have been experiencing with RDP in this scenario since Oct/Nov 2022, working on a project with 2x 2008 R2 server DCs attempting to move over to 2x new 2019 server DCs.

    This long a time and still no fixes...? Wow! Someone at MS has to have info...

    https://community.spiceworks.com/topic/2467355-2008-r2-domain-dc-s-rep-new-2019-dc-s-w-ad-dhcp-dns-not-prmtd-rdp-probs-users?page=1#entry-10248856
