Think I found the answer:
When you log on via RDP, "Terminal Services" will contact the domain which your account is in to query terminal services information about your account, e.g. profile path. It does this using RPC to a domain controller. Taken from here: http://blog.rhysgoodwin.com/windows-admin/rdp-though-a-firewall-fails-with-the-rpc-server-is-unavaliable/

In our 3 different AD sites for Domain B, there are different ACLs. In Site 1 and Site 2 port 135 is open; from those machines, I can Telnet to any Domain A domain controller over port 135. In Site 3, that port is not open between the clients and the Domain A domain controllers.

So if that really is the issue, I have a few options:

1. There is a registry value on the client side that I can enable that will bypass errors like this (http://support.microsoft.com/kb/815266). I'd like to run this by our Security group, to get their take on it.
2. We can have the Firewall team open that port up, between the clients and the domain controllers.

My only question then is why is this working on Windows 2008 systems? I've checked and they don't seem to have that registry value (IgnoreRegUserConfigErrors). I'm guessing there is some change that was made between the two OS versions regarding this?

Chris Bodnar, MCSE, MCITP
Technical Support III
Distributed Systems Service Delivery - Intel Services
Guardian Life Insurance Company of America
Email: [email protected]
Phone: 610-807-6459
Fax: 610-807-6003

From: Christopher Bodnar <[email protected]>
To: "NT System Admin Issues" <[email protected]>
Date: 10/05/2011 12:58 PM
Subject: Problem with RDP to W2K3 machines in specific VLANs using cross-trust credentials

OK, we recently set up a one-way trust between two separate W2K3 forests using Selective Authentication. Domain A is Trusted, and Domain B is Trusting. Domain B is in a DMZ that spans multiple subnets and sites. Everything seems to be working fine so far except for a strange RDP problem to W2K3 systems in one of the AD sites in Domain B.
Let's say that we have 3 AD sites in Domain B (Site 1, Site 2, Site 3). RDP to all machines using Domain A credentials works perfectly except to W2K3 machines in Site 3. However, I can connect using DameWare to those same machines and log on interactively using Domain A credentials. And if the system is W2K8, no issues at all.

The error message is:

The System cannot log you on due to the following error: The Specified domain either does not exist or could not be contacted.

Anyone run into something like this before?

Thanks,
Chris Bodnar, MCSE, MCITP

---
To manage subscriptions click here: http://lyris.sunbelt-software.com/read/my_forums/ or send an email to [email protected] with the body: unsubscribe ntsysadmin
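The two checks the post walks through by hand (telnet to TCP/135 on each Domain A domain controller, and looking for the KB 815266 value on the client) can be scripted so the same test is run identically from a machine in each of the three sites. The script below is an added example, not code from the thread or from the linked articles; the DC host names are placeholders, and the registry key path is the one given in KB 815266 and should be confirmed against that article before relying on it. It uses System.Net.Sockets.TcpClient instead of Test-NetConnection so that it also runs on PowerShell 2.0 on the Windows Server 2003/2008-era hosts the post is about.

```powershell
# Added example (not from the original thread). Run this from a client in each
# Domain B site to answer the two questions raised in the post:
#   1. Can this host reach TCP/135 (RPC endpoint mapper) on the Domain A DCs?
#   2. Is the KB 815266 workaround value IgnoreRegUserConfigErrors set here?
# Domain A DC names below are assumed placeholders; replace with real FQDNs.

$DomainADCs = @('dc1.domaina.example', 'dc2.domaina.example')
$RpcPort    = 135
$TimeoutMs  = 3000

function Test-TcpPort {
    param([string]$ComputerName, [int]$Port, [int]$TimeoutMs)
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        $ar = $client.BeginConnect($ComputerName, $Port, $null, $null)
        # No SYN/ACK within the timeout: the port is filtered or the host is down.
        if (-not $ar.AsyncWaitHandle.WaitOne($TimeoutMs, $false)) { return $false }
        # EndConnect throws if the peer answered with RST (port closed).
        $client.EndConnect($ar)
        return $true
    } catch {
        return $false
    } finally {
        $client.Close()
    }
}

# 1. Endpoint mapper reachability, one line per DC (same thing the telnet test showed)
foreach ($dc in $DomainADCs) {
    $open = Test-TcpPort -ComputerName $dc -Port $RpcPort -TimeoutMs $TimeoutMs
    $state = if ($open) { 'OPEN' } else { 'BLOCKED/UNREACHABLE' }
    '{0,-30} TCP/{1} {2}' -f $dc, $RpcPort, $state
}

# 2. KB 815266 workaround value on this host (key path per that article; verify it)
$tsKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'
$val = (Get-ItemProperty -Path $tsKey -ErrorAction SilentlyContinue).IgnoreRegUserConfigErrors
if ($val -eq 1) {
    'IgnoreRegUserConfigErrors = 1: Terminal Services ignores per-user config lookup errors'
} else {
    "IgnoreRegUserConfigErrors not set (value: '$val'): RDP logon fails when the user's domain cannot be queried over RPC"
}
```

One caveat when reading the output: a successful connect to TCP/135 only proves the endpoint mapper is reachable. The mapper then hands the client a dynamic high port (or a fixed port if the DC has been configured for one) for the actual RPC call, so a firewall rule that permits only 135 can still leave the profile-path query failing. If the Firewall team opens 135 as the post proposes, check the RPC dynamic port range as well, or the Site 3 result will change from "blocked" to "cannot contact" without fixing the logon.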
