We have a 2008 DFL/FFL domain, with 4 existing domain controllers, 3 Win2008, 1 Win2008R2. We are in the process of migrating all of our systems to MEM/Azure.
We are running an older version of Azure AD-Connect that is compatible with Win2008R2.
As part of this process, we needed a DC in Azure.
Yesterday I made sure we had the necessary prereqs for promoting a Server 2022 as DC:
- Migrated FRS to DFS-R
- 2008 DFL/FFL
I had no issues promoting the server, but then shortly afterwards, I began to be unable to RDP into any domain-joined machines.
I get: "Your credentials did not work, the logon attempt failed" from a Win10 machine trying to mstsc /v into the affected machines.
Oddly enough, the one Windows XP machine we have joined to the domain allows me to RDP into it, and from there, I can RDP into any machine.
This seems to be tied to NLA / ciphers, but I've been unable to come up with a specific solution.
I found a workaround in disabling NLA on affected machines with these registry keys:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp\SecurityLayer = 0
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp\UserAuthentication = 0
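Because the workaround above turns off NLA (and drops the security layer to plain RDP) on every machine it is applied to, it helps to keep an inventory of where it was applied so it can be reverted once the logon problem is fixed. The following is an added example, not part of the original post: it reads the two RDP-Tcp values over WinRM and flags machines with NLA disabled. The computer names are placeholders, and the restore values (SecurityLayer 1 = Negotiate, UserAuthentication 1 = NLA required) are assumed to be the pre-workaround settings.

```powershell
# Added example, not from the original post. Assumes WinRM is enabled on the
# targets and the caller has local admin rights on them.
$rdpKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp'

function Get-RdpSecuritySetting {
    param([string[]]$ComputerName)

    Invoke-Command -ComputerName $ComputerName -ScriptBlock {
        $p = Get-ItemProperty -Path $using:rdpKey -Name SecurityLayer, UserAuthentication
        [pscustomobject]@{
            Computer           = $env:COMPUTERNAME
            SecurityLayer      = $p.SecurityLayer       # 0 = RDP, 1 = Negotiate, 2 = TLS
            UserAuthentication = $p.UserAuthentication  # 0 = NLA off, 1 = NLA required
            NlaDisabled        = ($p.UserAuthentication -eq 0)
        }
    } | Select-Object Computer, SecurityLayer, UserAuthentication, NlaDisabled
}

function Restore-RdpSecuritySetting {
    # Puts NLA back on. 1/1 is assumed here to be the pre-workaround default.
    param([string[]]$ComputerName)

    Invoke-Command -ComputerName $ComputerName -ScriptBlock {
        Set-ItemProperty -Path $using:rdpKey -Name SecurityLayer      -Value 1
        Set-ItemProperty -Path $using:rdpKey -Name UserAuthentication -Value 1
        "$env:COMPUTERNAME: NLA re-enabled"
    }
}

$targets = 'VM-APP-01', 'VM-FILE-01'   # placeholder computer names
$report  = Get-RdpSecuritySetting -ComputerName $targets
$report | Format-Table -AutoSize

# Keep a record of which machines still have the workaround in place
$report | Where-Object NlaDisabled |
    Export-Csv -NoTypeInformation -Path .\nla-disabled.csv

# When the underlying logon issue is resolved:
# Restore-RdpSecuritySetting -ComputerName ($report | Where-Object NlaDisabled).Computer
```

Run the inventory before and after the workaround is rolled back; any machine still listed in nla-disabled.csv is accepting RDP connections without pre-authentication.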
I've checked the following, and everything looks good:
- Application, System, Security, Directory Services, DFS-R, DNS event logs on multiple affected systems
- Group policies are unchanged, no issues running gpupdate, no issues in Group Policy event logs
- Ran Dcdiag /v /c /d /e /s:vm-azdc-011 >C:\dcdiag.log
- Ran repadmin /showrepl >C:\repl.txt
- An EMC Celerra SAN joined to the domain
- A Synology NAS joined to the domain
- Logging in to Win7 domain-joined systems
- Accessing file shares
There are some oddities in the Security log of the new DC, I will see 4673 Audit Failures for SeTcbPrivilege, for the domain admin account I'm using to RDP in, for various processes, intermittently.
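To make the intermittent 4673 failures easier to correlate with the RDP attempts, the following added example (not from the original post) pulls the SeTcbPrivilege audit failures from the DC's Security log and groups them by account and process. It assumes the caller can read the Security log on the DC named in the dcdiag command above; the one-day window is an assumed default.

```powershell
# Added example, not from the original post.
function Get-TcbPrivilegeFailure {
    param(
        [string]$ComputerName = $env:COMPUTERNAME,
        [datetime]$Since = (Get-Date).AddDays(-1)   # assumed default window
    )

    $filter = @{ LogName = 'Security'; Id = 4673; StartTime = $Since }
    Get-WinEvent -ComputerName $ComputerName -FilterHashtable $filter -ErrorAction SilentlyContinue |
        Where-Object { $_.KeywordsDisplayNames -contains 'Audit Failure' } |
        ForEach-Object {
            # Read the named EventData fields from the event XML instead of parsing the message text
            $x = [xml]$_.ToXml()
            $d = @{}
            foreach ($n in $x.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
            [pscustomobject]@{
                Time      = $_.TimeCreated
                Account   = "$($d.SubjectDomainName)\$($d.SubjectUserName)"
                Privilege = $d.PrivilegeList
                Process   = $d.ProcessName
                Service   = $d.Service
            }
        } |
        Where-Object { $_.Privilege -match 'SeTcbPrivilege' }
}

# Which account/process pairs are generating the failures, most frequent first
Get-TcbPrivilegeFailure -ComputerName 'vm-azdc-011' |
    Group-Object Account, Process |
    Sort-Object Count -Descending |
    Select-Object Count, Name |
    Format-Table -AutoSize
```

Comparing the Time column against the timestamps of failed RDP attempts shows whether the 4673 events line up with the logons or are unrelated background noise from the processes listed.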
Aside from this, everything seems to be working properly.
Any help would be greatly appreciated.
EDIT1: Correction: I am able to log into an Azure VM that is domain joined running Server 2019. I was also able to log into the new DC fine, until I rebooted it; then I began experiencing the same RDP login rejections as with the other machines.
EDIT2: I am able to get to affected machines if I use their IP address rather than DNS names.