Troubleshoot Remote desktop disconnected errors

This article helps you understand the most common settings that are used to establish a Remote Desktop session in an enterprise environment, and provides troubleshooting information for Remote desktop disconnected errors.

Applies to: Windows Server 2012 R2
Original KB number: 2477176

Note

This article is intended for use by support agents and IT professionals.

Remote Desktop Server

A Remote Desktop Session Host server is the server that hosts Windows-based programs or the full Windows desktop for Remote Desktop Services clients. Users can connect to an RD Session Host server to run programs, to save files, and to use network resources on that server. Users can access an RD Session Host server from within a corporate network or from the Internet.

Remote Desktop Session Host (RD Session Host) was formerly known as the Remote Desktop server role service, and Remote Desktop Session Host (RD Session Host) server was formerly known as Remote Desktop server.

Remote connections for administration

Remote Desktop supports two concurrent remote connections to the computer. You do not have to have Remote Desktop Services client access licenses (RDS CALs) for these connections.

To allow more than two administrative connections or multiple user connections, you must install the RD Session Host Role and have appropriate RDS CALs.

Symptom 1: Limited Remote Desktop session or Remote Desktop Services session connections

When you try to make a Remote Desktop Connection (RDC) to a remote computer or to a Remote Desktop server (Terminal Server) that is running Windows Server 2008 R2, you receive one of the following error messages:

Remote Desktop Disconnected.
This computer can't connect to the remote computer.
Try connecting again. If the problem continues, contact the owner of the remote computer or your network administrator.

Also, you are limited in the number of users who can connect simultaneously to a Remote Desktop session or Remote Desktop Services session. A limited number of RDP connections can be caused by misconfigured Group Policy or RDP-TCP properties in Remote Desktop Services Configuration. By default, the connection is configured to allow an unlimited number of sessions to connect to the server.

Symptom 2: Port assignment conflict

You experience a port assignment conflict. This problem might indicate that another application on the Remote Desktop server is using the same TCP port as the Remote Desktop Protocol (RDP). The default port assigned to RDP is 3389.

Symptom 3: Incorrectly configured authentication and encryption settings

After a Remote Desktop server client loses the connection to a Remote Desktop server, you experience one of the following symptoms:

  • You cannot make a connection by using RDP.
  • The session on the Remote Desktop server does not transition to a disconnected state. Instead, it remains active even though the client is physically disconnected from the Remote Desktop server.

If the client logs back in to the same Remote Desktop server, a new session may be established, and the original session may remain active.

Also, you receive one of the following error messages:

  • Error message 1

    Because of a security error, the client could not connect to the Terminal server. After making sure that you are logged on to the network, try connecting to the server again.

  • Error message 2

    Remote desktop disconnected. Because of a security error, the client could not connect to the remote computer. Verify that you are logged onto the network and then try connecting again.

Symptom 4: License certificate corruption

Remote Desktop Services clients are repeatedly denied access to the Remote Desktop server. If you are using a Remote Desktop Services client to log on to the Remote Desktop server, you may receive one of the following error messages.

  • Error message 1

    Because of a security error, the client could not connect to the Terminal server. After making sure that you are logged on to the network, try connecting to the server again.

  • Error message 2

    Remote desktop disconnected. Because of a security error, the client could not connect to the remote computer. Verify that you are logged onto the network and then try connecting again.

  • Error message 3

    Because of a security error, the client could not connect to the Terminal server. After making sure that you are logged on to the network, try connecting to the server again.
    Remote desktop disconnected. Because of a security error, the client could not connect to the remote computer. Verify that you are logged onto the network and then try connecting again.

Additionally, the following event ID messages may be logged in Event Viewer on the Remote Desktop server.

  • Event message 1

    Event ID: 50
    Event Source: TermDD
    Event Description: The RDP protocol component X.224 detected an error in the protocol stream and has disconnected the client.

  • Event message 2

    Event ID: 1088
    Event Source: TermService
    Event Description: The terminal services licensing grace period has expired and the service has not registered with a license server. A terminal services license server is required for continuous operation. A terminal server can operate without a license server for 90 days after initial start up.

  • Event message 3

    Event ID: 1004
    Event Source: TermService
    Event Description: The terminal server cannot issue a client license.

  • Event message 4

    Event ID: 1010
    Event Source: TermService
    Event Description: The terminal services could not locate a license server. Confirm that all license servers on the network are registered in WINS/DNS, accepting network requests, and the Terminal Services Licensing Service is running.

  • Event message 5

    Event ID: 28
    Event Source: TermServLicensing
    Event Description: Terminal Services Licensing can only be run on Domain Controllers or Server in a Workgroup. See Terminal Server Licensing help topic for more information.

Resolution for Symptom 1

To resolve this problem, use the following methods, as appropriate.

Verify Remote Desktop is enabled

  1. Open the System item in Control Panel. To start the System tool, click Start, click Control Panel, click System, and then click OK.

  2. Under Control Panel Home, click Remote settings.

  3. Click the Remote tab.

  4. Under Remote Desktop, select either of the available options, depending on your security requirements:

    • Allow connections from computers running any version of Remote Desktop (less secure)

    • Allow connections only from computers running Remote Desktop with Network Level Authentication (more secure)

If you select Don't allow connections to this computer on the Remote tab, no users will be able to connect remotely to this computer, even if they are members of the Remote Desktop Users group.

Verify Remote Desktop Services Limit number of connections policy

  1. Start the Group Policy snap-in, and then open the Local Security Policy or the appropriate Group Policy.

  2. Locate the following setting:

    Local Computer Policy > Computer Configuration > Administrative Templates > Windows Components > Remote Desktop Services > Remote Desktop Session Host > Connections > Limit number of connections

  3. Click Enabled.

  4. In the RD Maximum Connections allowed box, type the maximum number of connections that you want to allow, and then click OK.

Verify Remote Desktop Services RDP-TCP properties

Follow these steps, depending on your operating system version.

Setting via Remote Desktop Services Configuration

Configure the number of simultaneous remote connections allowed for a connection:

  1. On the RD Session Host server, open Remote Desktop Session Host Configuration. To open Remote Desktop Session Host Configuration, click Start, point to Administrative Tools, point to Remote Desktop Services, and then click Remote Desktop Session Host Configuration.

  2. Under Connections, right-click the name of the connection, and then click Properties.

  3. On the Network Adapter tab, click Maximum connections, enter the number of simultaneous remote connections that you want to allow for the connection, and then click OK.

  4. If the Maximum connections option is selected and dimmed, the Limit number of connections Group Policy setting has been enabled and has been applied to the RD Session Host server.

Verify Remote Desktop Services Logon rights

Configure the Remote Desktop Users Group.

The Remote Desktop Users group on an RD Session Host server grants users and groups permission to remotely connect to an RD Session Host server. You can add users and groups to the Remote Desktop Users group by using the following tools:

  • Local Users and Groups snap-in
  • The Remote tab in the System Properties dialog box on an RD Session Host server
  • Active Directory Users and Computers snap-in, if the RD Session Host server is installed on a domain controller

You can use the following procedure to add users and groups to the Remote Desktop Users group by using the Remote tab in the System Properties dialog box on an RD Session Host server.

Membership in the local Administrators group, or equivalent, on the RD Session Host server that you plan to configure, is the minimum required to complete this procedure.

Add users and groups to the Remote Desktop Users group by using the Remote tab

  1. Start the System tool. To do this, click Start, click Control Panel, click the System icon, and then click OK.

  2. Under Control Panel Home, click Remote settings.

  3. On the Remote tab in the System Properties dialog box, click Select Users. Add the users or groups that have to connect to the RD Session Host server by using Remote Desktop.

Note

If you select the Don't allow connections to this computer option on the Remote tab, no users will be able to connect remotely to this computer, even if they are members of the Remote Desktop Users group.

Add users and groups to the Remote Desktop Users group by using Local Users and Groups snap-in

  1. Click Start, click Administrative Tools, and then click Computer Management.
  2. In the console tree, click the Local Users and Groups node.
  3. In the details pane, double-click the Groups folder.
  4. Double-click Remote Desktop Users, and then click Add.
  5. In the Select Users dialog box, click Locations to specify the search location.
  6. Click Object Types to specify the types of objects that you want to search for.
  7. In the Enter the object names to select (examples) box, type the name you want to add.
  8. Click Check Names.
  9. When the name is located, click OK.

Note

  • You can't connect to a computer that's asleep or hibernating, so make sure the settings for sleep and hibernation on the remote computer are set to Never. (Hibernation isn't available on all computers.) For information about making those changes, see Change, create, or delete a power plan (scheme).
  • You can't use Remote Desktop Connection to connect to a computer using Windows 7 Starter, Windows 7 Home Basic, or Windows 7 Home Premium.
  • Members of the local Administrators group can connect even if they are not listed.

Resolution for Symptom 2

Important

This section, method, or task contains steps that tell you how to modify the registry. However, serious problems might occur if you modify the registry incorrectly. Therefore, make sure that you follow these steps carefully. For added protection, back up the registry before you modify it. Then, you can restore the registry if a problem occurs. For more information about how to back up and restore the registry, see How to back up and restore the registry in Windows.

To resolve this problem, determine which application is using the same port as RDP. If the port assignment for that application cannot be changed, change the port assigned to RDP by changing the registry. After you change the registry, you must restart the Remote Desktop Services service. After you restart the Remote Desktop Services service, you should verify that the RDP port has been changed correctly.

Remote Desktop server listener availability

The listener component runs on the Remote Desktop server and is responsible for listening for and accepting new Remote Desktop Protocol (RDP) client connections, thereby allowing users to establish new remote sessions on the Remote Desktop server. There is a listener for each Remote Desktop Services connection that exists on the Remote Desktop server. Connections can be created and configured by using the Remote Desktop Services Configuration tool.

To perform these tasks, refer to the following sections.

Determine which application is using the same port as RDP

You can run the netstat tool to determine whether port 3389 (or the assigned RDP port) is being used by another application on the Remote Desktop server:

  1. On the Remote Desktop server, click Start, click Run, type cmd, and then click OK.
  2. At the command prompt, type netstat -a -o and then press Enter.
  3. Look for an entry for TCP port 3389 (or the assigned RDP port) with a status of Listening. This indicates another application is using this port. The PID (Process Identifier) of the process or service using that port appears under the PID column.

To determine which application is using port 3389 (or the assigned RDP port), use the tasklist command-line tool along with the PID information from the netstat tool:

  1. On the Remote Desktop server, click Start, click Run, type cmd, and then click OK.
  2. Type tasklist /svc and then press Enter.
  3. Look for an entry for the PID number that is associated with the port (from the netstat output). The services or processes that are associated with that PID appear on the right.

Change the port assigned to RDP

You should determine whether this application can use a different port. If you cannot change the application's port, you must change the port that is assigned to RDP.

Important

We recommend that you do not change the port that is assigned to RDP.

If you have to change the port assigned to RDP, you must modify the registry. To do this, you must be a member of the local Administrators group, or you must have been granted the appropriate permissions.

To modify the port that is assigned to RDP, follow these steps:

  1. On the Remote Desktop server, open Registry Editor. To open Registry Editor, click Start, click Run, type regedit, and then click OK.

  2. If the User Account Control dialog box appears, verify that the action it displays is what you want, and then click Continue.

  3. Locate and then click the following registry subkey:

    HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Terminal Server\WinStations

RDP-TCP is the default connection name. To change the port for a specific connection on the Remote Desktop server, select the connection under the WinStations key:

  1. In the details pane, double-click the PortNumber registry entry.
  2. Type the port number that you want to assign to RDP.
  3. Click OK to save the change, and then close Registry Editor.

Restart the Remote Desktop Services service

For the RDP port assignment change to take effect, stop and start the Remote Desktop Services service. To do this, you must be a member of the local Administrators group, or you must have been granted the appropriate permissions.

To stop and start the Remote Desktop Services service, follow these steps:

  1. On the Remote Desktop server, open the Services snap-in. To do this, click Start, point to Administrative Tools, and then click Services.

  2. If the User Account Control dialog box appears, verify that the action it displays is what you want, and then click Continue.

  3. In the Services pane, right-click Remote Desktop Services, and then click Restart.

  4. If you are prompted to restart other services, click Yes.

  5. Verify that the Status column for the Remote Desktop Services service displays a Started status.

Verify that the RDP port has changed

To verify that the RDP port assignment has been changed, use the netstat tool:

  1. On the Remote Desktop server, click Start, click Run, type cmd, and then click OK.

  2. At the command prompt, type netstat -a and then press Enter.

  3. Look for an entry for the port number that you assigned to RDP. The port should appear in the list and have a status of Listening.
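
The netstat and tasklist checks from this section (finding the process behind the RDP port, and confirming the listener after a port change) combined into one PowerShell function. This is an added example, not part of the original article; it assumes Windows Server 2012 or later (for Get-NetTCPConnection), an elevated prompt, and the default connection name RDP-Tcp. The function name Get-RdpListenerOwner is hypothetical.

```powershell
# Added example: report which process and services own the configured RDP port.
function Get-RdpListenerOwner {
    [CmdletBinding()]
    param(
        # Connection (listener) name under the WinStations key; RDP-Tcp is the default.
        [string]$ConnectionName = 'RDP-Tcp'
    )

    # Read the port that is actually configured instead of assuming 3389.
    $key  = "HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\$ConnectionName"
    $port = (Get-ItemProperty -Path $key -Name PortNumber -ErrorAction Stop).PortNumber

    # PID of the process hosting the Remote Desktop Services service (0 if stopped).
    $termSvcPid = (Get-CimInstance Win32_Service -Filter "Name='TermService'").ProcessId

    # Equivalent of "netstat -a -o" filtered to LISTENING entries on that port.
    $listeners = Get-NetTCPConnection -LocalPort $port -State Listen -ErrorAction SilentlyContinue
    if (-not $listeners) {
        Write-Warning "Nothing is listening on TCP $port. Check that the Remote Desktop Services service is running."
        return
    }

    foreach ($l in $listeners) {
        $owner = [int]$l.OwningProcess
        $proc  = Get-Process -Id $owner -ErrorAction SilentlyContinue
        # Equivalent of "tasklist /svc" for this PID.
        $svcs  = Get-CimInstance Win32_Service -Filter "ProcessId=$owner" |
                 Select-Object -ExpandProperty Name
        [pscustomobject]@{
            LocalAddress = $l.LocalAddress
            Port         = $port
            PID          = $owner
            Process      = $proc.ProcessName
            Services     = ($svcs -join ', ')
            # True when the listener belongs to the Remote Desktop Services host process;
            # False means another application holds the port (the conflict in Symptom 2).
            IsRdpService = ($termSvcPid -ne 0 -and $owner -eq $termSvcPid)
        }
    }
}

Get-RdpListenerOwner | Format-Table -AutoSize
```

A row with IsRdpService set to False identifies the conflicting application; no rows at all means the listener did not start on the configured port.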

Important

Remote Desktop Connection and the Terminal server Web Client use port 3389, by default, to connect to a Remote Desktop server. If you modify the RDP port on the Remote Desktop server, you will have to modify the port used by Remote Desktop Connection and the Remote Desktop server Web Client. For more information, see Change the listening port for Remote Desktop on your computer.

Verify that the listener on the Remote Desktop server is working

To verify that the listener on the Remote Desktop server is working correctly, use any of the following methods.

Note

RDP-TCP is the default connection name and 3389 is the default RDP port. Use the connection name and port number specific to your Remote Desktop server configuration.

  • Method 1

    Use an RDP client, such as Remote Desktop Connection, to establish a remote connection to the Remote Desktop server.

  • Method 2

    Use the qwinsta tool to view the listener status on the Remote Desktop server:

    1. On the Remote Desktop server, click Start, click Run, type cmd, and then click OK.
    2. At the command prompt, type qwinsta, and then press Enter.
    3. The RDP-TCP session state should be Listen.
  • Method 3

    Use the netstat tool to view the listener status on the Remote Desktop server:

    1. On the Remote Desktop server, click Start, click Run, type cmd, and then click OK.
    2. At the command prompt, type netstat -a and then press Enter.
    3. The entry for TCP port 3389 should be Listening.
  • Method 4

    Use the telnet tool to connect to the RDP port on the Remote Desktop server:

    1. From another computer, click Start, click Run, type cmd, and then click OK.
    2. At the command prompt, type telnet <servername> 3389, where <servername> is the name of the Remote Desktop server, and then press Enter.

    If telnet is successful, you receive the telnet screen and a cursor.

    If telnet is not successful, you receive the following error message:

    Connecting To servername... Could not open connection to the host, on port 3389: Connect failed

    The qwinsta, netstat, and telnet tools are also included in Windows XP and Windows Server 2003. You can also download and use other troubleshooting tools, such as Portqry.

Resolution for Symptom 3

To resolve the issue, configure authentication and encryption.

To configure authentication and encryption for a connection, follow these steps:

  1. On the RD Session Host server, open Remote Desktop Session Host Configuration. To open Remote Desktop Session Host Configuration, click Start, point to Administrative Tools, point to Remote Desktop Services, and then click Remote Desktop Session Host Configuration.

  2. Under Connections, right-click the name of the connection, and then click Properties.

  3. In the Properties dialog box for the connection, on the General tab, in Security layer, select a security method.

  4. In Encryption level, click the level that you want. You can select Low, Client Compatible, High, or FIPS Compliant. See Step 4 above for Windows Server 2003 for Security layer and Encryption level options.

Note

  • To perform this procedure, you must be a member of the Administrators group on the local computer, or you must have been delegated the appropriate authority. If the computer is joined to a domain, members of the Domain Admins group might be able to perform this procedure. As a security best practice, consider using Run as to perform this procedure.
  • To open Remote Desktop Services Configuration, click Start, click Control Panel, double-click Administrative Tools, and then double-click Remote Desktop Services Configuration.
  • Any encryption level settings that you configure in Group Policy override the configuration that you set by using the Remote Desktop Services Configuration tool. Also, if you enable the System cryptography: Use FIPS compliant algorithms for encryption, hashing, and signing Group Policy setting, this setting overrides the Set client connection encryption level Group Policy setting.
  • When you change the encryption level, the new encryption level takes effect the next time a user logs on. If you require multiple levels of encryption on one server, install multiple network adapters and configure each adapter separately.
  • To verify that the certificate has a corresponding private key, in Remote Desktop Services Configuration, right-click the connection for which you want to view the certificate, click the General tab, click Edit, click the certificate that you want to view, and then click View Certificate. At the bottom of the General tab, the statement, You have a private key that corresponds to this certificate, should appear. You can also view this information by using the Certificates snap-in.
  • The FIPS compliant setting (the System cryptography: Use FIPS compliant algorithms for encryption, hashing, and signing setting in Group Policy or the FIPS Compliant setting in Remote Desktop server Configuration) encrypts and decrypts data sent from the client to the server and from the server to the client, with the Federal Information Processing Standard (FIPS) 140-1 encryption algorithms, using Microsoft cryptographic modules. For more information, see Terminal Services in Windows Server 2003 Technical Reference.
  • The High setting encrypts data sent from the client to the server and from the server to the client by using strong 128-bit encryption.
  • The Client Compatible setting encrypts data sent between the client and the server at the maximum key strength supported by the client.
  • The Low setting encrypts data sent from the client to the server using 56-bit encryption.
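
The precedence described in these notes (the FIPS policy over the encryption-level policy, and Group Policy over the connection's own configuration), shown as an added PowerShell example that is not part of the original article. The registry value names and their numeric meanings are assumptions based on the standard RDP-Tcp listener and policy keys; the article itself names only the UI settings. The helper names are hypothetical.

```powershell
# Added example: show the effective RDP security settings and where each comes from.
$listenerKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp'
$serverKey   = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'
$policyKey   = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services'
$fipsKey     = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\FipsAlgorithmPolicy'

function Get-RegValue {
    param([string]$Path, [string]$Name)
    # Returns $null when the key or the value does not exist.
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($null -ne $item) { $item.$Name }
}

function Get-EffectiveRdpSetting {
    param(
        [string]$Name,
        [string]$LocalPath,
        [hashtable]$Labels = @{}   # keyed by the value rendered as a string
    )
    $policy = Get-RegValue -Path $policyKey -Name $Name
    $local  = Get-RegValue -Path $LocalPath -Name $Name

    # Group Policy wins over the value set in the configuration tool.
    if ($null -ne $policy) {
        $value = $policy; $source = 'Group Policy'
    } elseif ($null -ne $local) {
        $value = $local; $source = 'Local configuration'
    } else {
        $value = $null; $source = 'Not set'
    }

    $meaning = "$value"
    if ($null -ne $value -and $Labels.ContainsKey("$value")) { $meaning = $Labels["$value"] }
    [pscustomobject]@{ Setting = $Name; Value = $value; Meaning = $meaning; Source = $source }
}

$report = @(
    Get-EffectiveRdpSetting -Name fDenyTSConnections -LocalPath $serverKey -Labels @{
        '0' = 'Remote Desktop enabled'; '1' = 'Remote Desktop disabled' }
    Get-EffectiveRdpSetting -Name UserAuthentication -LocalPath $listenerKey -Labels @{
        '0' = 'NLA not required (less secure)'; '1' = 'NLA required (more secure)' }
    Get-EffectiveRdpSetting -Name MaxInstanceCount -LocalPath $listenerKey -Labels @{
        '4294967295' = 'Unlimited'; '-1' = 'Unlimited' }
    Get-EffectiveRdpSetting -Name SecurityLayer -LocalPath $listenerKey -Labels @{
        '0' = 'RDP Security Layer'; '1' = 'Negotiate'; '2' = 'SSL (TLS 1.0)' }
    Get-EffectiveRdpSetting -Name MinEncryptionLevel -LocalPath $listenerKey -Labels @{
        '1' = 'Low'; '2' = 'Client Compatible'; '3' = 'High'; '4' = 'FIPS Compliant' }
)

# The FIPS system cryptography policy overrides the encryption-level setting.
if ((Get-RegValue -Path $fipsKey -Name Enabled) -eq 1) {
    $enc = $report | Where-Object { $_.Setting -eq 'MinEncryptionLevel' }
    $enc.Meaning = 'FIPS Compliant'
    $enc.Source  = 'System cryptography FIPS policy (overrides)'
}

$report | Format-Table -AutoSize
```

Run it on both the client-facing server and a known-good server; a differing Source column shows quickly whether a policy, rather than the connection's own properties, is producing the mismatch.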

Additional troubleshooting step: Enable CAPI2 event logs

To help troubleshoot this problem, enable CAPI2 event logs on both the client and server computers.

Expand CAPI2, right-click Operational, and then select the Enable Log option.

Workaround for the issue (You cannot completely disconnect a Remote Desktop server connection) described in Symptom 3

To work around this problem, follow these steps:

  1. Click Start, click Run, type gpedit.msc, and then click OK.
  2. Expand Computer Configuration, expand Administrative Templates, expand Windows Components, expand Remote Desktop Services, expand Remote Desktop Session Host, and then click Connections.
  3. In the right pane, double-click Configure keep-alive connection interval.
  4. Click Enabled, and then click OK.
  5. Close Group Policy Object Editor, click OK, and then quit Active Directory Users and Computers.

Resolution for Symptom 4

Important

This section, method, or task contains steps that tell you how to modify the registry. However, serious problems might occur if you modify the registry incorrectly. Therefore, make sure that you follow these steps carefully. For added protection, back up the registry before you modify it. Then, you can restore the registry if a problem occurs. For more information about how to back up and restore the registry, see 322756 How to back up and restore the registry in Windows.

To resolve this problem, back up and then remove the X509 Certificate registry keys, restart the computer, and then reactivate the Remote Desktop Services Licensing server. To do this, follow these steps.

Note

Perform the following procedure on each of the Remote Desktop servers.

  1. Make sure that the Remote Desktop server registry has been successfully backed up.

  2. Start Registry Editor.

  3. Locate and then click the following registry subkey:

    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server\RCM

  4. On the Registry menu, click Consign Registry File.

  5. Type exported-Certificate in the File name box, and then click Save.

    Note

    If you have to restore this registry subkey in the future, double-click the Exported-parameters.reg file that you saved in this step.

  6. Right-click each of the following values, click Delete, and then click Yes to verify the deletion:

    • Certificate
    • X509 Certificate
    • X509 Certificate ID
    • X509 Certificate2
  7. Exit Registry Editor, and then restart the server.
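
The same back-up-then-delete procedure as a PowerShell function, for running on each Remote Desktop server. This is an added example, not part of the original article; the function name and the backup path are hypothetical, and it refuses to delete anything unless the export succeeded.

```powershell
# Added example: export the RCM subkey, then remove the four certificate values.
function Remove-RdsLicensingCertificate {
    [CmdletBinding(SupportsShouldProcess = $true, ConfirmImpact = 'High')]
    param(
        # Hypothetical backup location; pick a folder that is itself backed up.
        [string]$BackupFile = "$env:SystemDrive\RegBackup\Exported-Certificate.reg"
    )

    $regPath = 'HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server\RCM'
    $psPath  = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\RCM'
    $values  = 'Certificate', 'X509 Certificate', 'X509 Certificate ID', 'X509 Certificate2'

    # Steps 4-5: export the subkey first. The export runs even under -WhatIf,
    # so a dry run still leaves you with a usable backup.
    $dir = Split-Path -Parent $BackupFile
    if (-not (Test-Path $dir)) {
        New-Item -ItemType Directory -Path $dir -WhatIf:$false -Confirm:$false | Out-Null
    }
    & reg.exe export $regPath $BackupFile /y | Out-Null
    if ($LASTEXITCODE -ne 0 -or -not (Test-Path $BackupFile) -or
        (Get-Item $BackupFile).Length -eq 0) {
        throw 'Registry export failed; no values were deleted.'
    }

    # Step 6: delete only the values that actually exist on this server.
    $present = (Get-Item -Path $psPath).Property
    $removed = @()
    foreach ($name in $values) {
        if ($present -notcontains $name) {
            Write-Verbose "Value '$name' is not present; skipping."
            continue
        }
        if ($PSCmdlet.ShouldProcess("$psPath\$name", 'Delete registry value')) {
            Remove-ItemProperty -Path $psPath -Name $name -ErrorAction Stop
            $removed += $name
        }
    }

    [pscustomobject]@{
        BackupFile    = $BackupFile
        RemovedValues = $removed
        NextStep      = 'Restart the server (step 7).'
    }
}

# Dry run: writes the backup and lists what would be deleted, without deleting.
Remove-RdsLicensingCertificate -WhatIf
```

Drop -WhatIf to perform the deletion; the function then prompts for confirmation on each value because ConfirmImpact is High.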

References

For more information about Remote Desktop Gateway, see the following articles:

  • 967933 Error message when a remote user tries to connect to a resource on a Windows Server 2008-based computer through TS Gateway by using the FQDN of the resource: "Remote Desktop Disconnected"

  • 329896 Because of a security error, the client could not connect to the Remote Desktop server

  • Group Policy Settings for Remote Desktop Services in Windows Server 2008 R2

  • Troubleshooting General Remote Desktop Error Messages

If this article does not help you resolve the problem, or if you experience symptoms that differ from those that are described in this article, visit the Microsoft Support for more information. To search your issue, in the Search support for help box, type the text of the error message that you received, or type a description of the problem.