Troubleshoot Remote desktop disconnected errors

  • Commodity
  • 19 minutes to read

This commodity helps you lot understand the most common settings that are used to institute a Remote Desktop session in an enterprise environment, and provides troubleshooting information for Remote desktop disconnected errors.

Applies to: Windows Server 2012 R2
Original KB number: 2477176

Note

This article is intended for apply by back up agents and Information technology professionals.

Remote Desktop Server

A Remote Desktop Session Host server is the server that hosts Windows-based programs or the full Windows desktop for Remote Desktop Services clients. Users can connect to an RD Session Host server to run programs, to salvage files, and to apply network resources on that server. Users can access an RD Session Host server from within a corporate network or from the Internet.

Remote Desktop Session Host (RD Session Host) was formerly known equally the Remote Desktop server role service, and Remote Desktop Session Host (RD Session Host) server was formerly known as Remote Desktop server.

Remote connections for administration

Remote Desktop supports two concurrent remote connections to the estimator. Yous do non have to have Remote Desktop Services client access licenses (RDS CALs) for these connections.

To let more than two administrative connections or multiple user connections, yous must install the RD Session Host Role and have advisable RDS CALs.

Symptom 1: Limited Remote Desktop session or Remote Desktop Services session connections

When yous try to make a Remote Desktop Connection (RDC) to a remote computer or to a Remote Desktop server (Concluding Server) that is running Windows Server 2008 R2, you receive i of the following error messages:

Remote Desktop Disconnected.
This estimator can't connect to the remote reckoner.
Try connecting again. If the problem continues, contact the owner of the remote computer or your network administrator.

Also, you are limited in the number of users who can connect simultaneously to a Remote Desktop session or Remote Desktop Services session. A limited number of RDP connections can be caused by misconfigured Group Policy or RDP-TCP backdrop in Remote Desktop Services Configuration. By default, the connection is configured to let an unlimited number of sessions to connect to the server.

Symptom 2: Port assignment disharmonize

You experience a port assignment conflict. This problem might indicate that another awarding on the Remote Desktop server is using the same TCP port as the Remote Desktop Protocol (RDP). The default port assigned to RDP is 3389.

Symptom 3: Incorrectly configured authentication and encryption settings

Later a Remote Desktop server client loses the connexion to a Remote Desktop server, you experience one of the following symptoms:

  • You lot cannot make a connectedness by using RDP.
  • The session on the Remote Desktop server does not transition to a disconnected state. Instead, it remains agile even though the customer is physically disconnected from the Remote Desktop server.

If the customer logs dorsum in to the same Remote Desktop server, a new session may be established, and the original session may remain agile.

Also, you lot receive 1 of the following error messages:

  • Error bulletin i

    Considering of a security error, the client could not connect to the Terminal server. After making sure that y'all are logged on to the network, try connecting to the server again.

  • Error message 2

    Remote desktop asunder. Because of a security mistake, the client could not connect to the remote computer. Verify that you are logged onto the network and and then try connecting again.

Symptom 4: License document corruption

Remote Desktop Services clients are repeatedly denied access to the Remote Desktop server. If you are using a Remote Desktop Services client to log on to the Remote Desktop server, yous may receive 1 of the post-obit fault messages.

  • Error message ane

    Because of a security error, the customer could not connect to the Terminal server. Later on making certain that you are logged on to the network, try connecting to the server again.

  • Error message 2

    Remote desktop disconnected. Because of a security fault, the client could not connect to the remote computer. Verify that you are logged onto the network and and so try connecting again.

  • Error message 3

    Because of a security mistake, the client could not connect to the Concluding server. After making certain that yous are logged on to the network, endeavour connecting to the server again.
    Remote desktop disconnected. Because of a security error, the client could not connect to the remote reckoner. Verify that you are logged onto the network and and then try connecting once again.

Additionally, the post-obit event ID messages may be logged in Event Viewer on the Remote Desktop server.

  • Result message one

                      Issue ID: 50   Effect Source: TermDD   Event Description: The RDP protocol component X.224 detected an error in the protocol stream and has disconnected the client.

  • Upshot message 2

                      Event ID: 1088 Event Source: TermService Event Clarification: The terminal services licensing grace period has expired and the service has not registered with a license server. A concluding services license server is required for continuous operation. A terminal server can operate without a license server for 90 days afterwards initial start up.

  • Event message 3

                      Effect ID: 1004   Event Source: TermService   Effect Description: The final server cannot event a client license.

  • Event message 4

                      Event ID: 1010   Outcome Source: TermService   Event Description: The terminal services could not locate a license server. Confirm that all license servers on the network are registered in WINS/DNS, accepting network requests, and the Terminal Services Licensing Service is running.

  • Event message 5

                      Consequence ID: 28   Event Source: TermServLicensing   Event Description: Final Services Licensing can just exist run on Domain Controllers or Server in a Workgroup. See Terminal Server Licensing help topic for more information.

Resolution for Symptom 1

To resolve this problem, use the following methods, equally appropriate.

Verify Remote Desktop is enabled

  1. Open the Arrangement item in Control Console. To outset the System tool, click Start, click Control Panel, click System, and and then click OK.

  2. Under Control Panel Abode, click Remote settings.

  3. Click the Remote tab.

  4. Under Remote Desktop, select either of the available options, depending on your security requirements:

    • Allow connections from computers from computers running any version of Remote Desktop (less secure)

    • Allow connections from computers only from computers running Remote Desktop with Network Level Authentication (more secure)

If you select Don't allow connections to this computer on the Remote tab, no users will be able to connect remotely to this figurer, even if they are members of the Remote Desktop Users group.

Verify Remote Desktop Services Limit number of connections policy

  1. Start the Group Policy snap-in, and and then open the Local Security Policy or the advisable Group Policy.

  2. Locate the post-obit command:

    Local Computer Policy > Computer Configuration > Administrative Templates > Windows Components > Remote Desktop Services > Remote Desktop Session Host > Connections Limit number of connections

  3. Click Enabled.

  4. In the RD Maximum Connections allowed box, type the maximum number of connections that you want to allow, and then click OK.

Verify Remote Desktop Services RDP-TCP properties

Follow these steps, depending on your operating system version.

Setting via Remote Desktop Services Configuration

Configure the number of simultaneous remote connections immune for a connection:

  1. On the RD Session Host server, open up Remote Desktop Session Host Configuration. To open Remote Desktop Session Host Configuration, click Start, point to Administrative Tools, point to Remote Desktop Services.

  2. Under Connections, right-click the name of the connection, and then click Properties.

  3. On the Network Adapter tab, click Maximum connections, enter the number of simultaneous remote connections that you want to permit for the connection, and so click OK.

  4. If the Maximum connections option is selected and dimmed, the Limit number of connections Group Policy setting has been enabled and has been applied to the RD Session Host server.

Verify Remote Desktop Services Logon rights

Configure the Remote Desktop Users Group.

The Remote Desktop Users group on an RD Session Host server grants users and groups permission to remotely connect to an RD Session Host server. You can add users and groups to the Remote Desktop Users group by using the following tools:

  • Local Users and Groups snap-in
  • The Remote tab in the System Properties dialog box on an RD Session Host server
  • Agile Directory Users and Computers snap-in, if the RD Session Host server is installed on a domain controller

You can use the following procedure to add together users and groups to the Remote Desktop Users grouping past using the Remote tab in the System Properties dialog box on an RD Session Host server.

Membership in the local Administrators group, or equivalent, on the RD Session Host server that you programme to configure, is the minimum required to complete this procedure.

Add users and groups to the Remote Desktop Users grouping past using the Remote tab

  1. Start the System tool. To do this, click Start, click Command Console, click the System icon, and so click OK.

  2. Under Command Panel Dwelling house, click Remote settings.

  3. On the Remote tab in the System Backdrop dialog box, click Select Users. Add the users or groups that accept to connect to the RD Session Host server by using Remote Desktop.

Notation

If yous select the Don't allow connections to this estimator option on the Remote tab, no users will be able to connect remotely to this calculator, even if they are members of the Remote Desktop Users group.

Add users and groups to the Remote Desktop Users grouping by using Local Users and Groups snap-in

  1. Click Showtime, click Administrative Tools, and and so click Reckoner Direction.
  2. In the console tree, click the Local Users and Groups node.
  3. In the details pane, double-click the Groups folder.
  4. Double-click Remote Desktop Users, and and so click Add together.
  5. In the Select Users dialog box, click Locations to specify the search location.
  6. Click Object Types to specify the types of objects that you want to search for.
  7. In the Enter the object names to select (examples) box, type the name you want to add.
  8. Click Check Names.
  9. When the name is located, click OK.

Note

  • You lot tin can't connect to a computer that'due south comatose or hibernating, and so make sure the settings for sleep and hibernation on the remote computer are fix to Never. (Hibernation isn't available on all computers.) For data near making those changes, run into Change, create, or delete a power plan (scheme).
  • You can't use Remote Desktop Connectedness to connect to a computer using Windows 7 Starter, Windows seven Home Basic, or Windows vii Home Premium.
  • Members of the local Administrators group can connect even if they are not listed.

Resolution for Symptom 2

Important

This section, method, or task contains steps that tell you lot how to modify the registry. However, serious problems might occur if you lot change the registry incorrectly. Therefore, brand sure that yous follow these steps carefully. For added protection, support the registry before you lot modify it. Then, you can restore the registry if a problem occurs. For more data almost how to dorsum up and restore the registry, meet How to dorsum up and restore the registry in Windows.

To resolve this trouble, decide which application is using the same port equally RDP. If the port assignment for that application cannot be changed, modify the port assigned to RDP by irresolute the registry. After y'all alter the registry, you lot must restart the Remote Desktop Services service. After y'all restart the Remote Desktop Services service, you should verify that the RDP port has been changed correctly.

Remote Desktop server listener availability

The listener component runs on the Remote Desktop server and is responsible for listening for and accepting new Remote Desktop Protocol (RDP) customer connections, thereby allowing users to establish new remote sessions on the Remote Desktop server. At that place is a listener for each Remote Desktop Services connexion that exists on the Remote Desktop server. Connections can be created and configured past using the Remote Desktop Services Configuration tool.

To perform these tasks, refer to the post-obit sections.

Determine which application is using the same port as RDP

You tin run the netstat tool to determine whether port 3389 (or the assigned RDP port) is existence used by another awarding on the Remote Desktop server:

  1. On the Remote Desktop server, click Start, click Run, type cmd, and then click OK.
  2. At the control prompt, type netstat -a -o and then press Enter.
  3. Wait for an entry for TCP port 3389 (or the assigned RDP port) with a condition of Listening. This indicates another application is using this port. The PID (Process Identifier) of the procedure or service using that port appears under the PID cavalcade.

To make up one's mind which application is using port 3389 (or the assigned RDP port), use the tasklist control-line tool forth with the PID information from the netstat tool:

  1. On the Remote Desktop server, click Start, click Run, type cmd, and then click OK.
  2. Type tasklist /svc and and so press Enter.
  3. Look for an entry for the PID number that is associated with the port (from the netstat output). The services or processes that are associated with that PID announced on the right.

Alter the port assigned to RDP

You should determine whether this application can use a different port. If you cannot modify the application's port, you lot must alter the port that is assigned to RDP.

Of import

We recommend that you practise not change the port that is assigned to RDP.

If you take to modify the port assigned to RDP, you must modify the registry. To do this, you must be a member of the local Administrators grouping, or you must have been granted the appropriate permissions.

To change the port that is assigned to RDP, follow these steps:

  1. On the Remote Desktop server, open Registry Editor. To open up Registry Editor, click Start, click Run, type regedit, and then click OK.

  2. If the User Account Control dialog box appears, verify that the activeness information technology displays is what you want, and then click Continue.

  3. Locate and so click the following registry subkey:

    HKEY_LOCAL_MACHINE\Arrangement\CurrentControlSet\Control\Remote Desktop server\WinStations

RDP-TCP is the default connection name. To modify the port for a specific connexion on the Remote Desktop server, select the connection under the WinStations fundamental:

  1. In the details pane, double-click the PortNumber registry entry.
  2. Type the port number that you lot want to assign to RDP.
  3. Click OK to save the modify, and then close Registry Editor.

Restart the Remote Desktop Services service

For the RDP port consignment alter to have effect, end and start the Remote Desktop Services service. To do this, you lot must be a member of the local Administrators group, or you must accept been granted the advisable permissions.

To stop and start the Remote Desktop Services service, follow these steps:

  1. On the Remote Desktop server, open the Services snap-in. To do this, click Commencement, point to Administrative Tools, and then click Services.

  2. If the User Account Control dialog box appears, verify that the activity it displays is what you want, and then click Go on.

  3. In the Services pane, right-click Remote Desktop Services, and and then click Restart.

  4. If yous are prompted to restart other services, click Yeah.

  5. Verify that the Status column for the Remote Desktop Services service displays a Started condition.

Verify that the RDP port has changed

To verify that the RDP port assignment has been changed, utilize the netstat tool:

  1. On the Remote Desktop server, click Start, click Run, type cmd, and and then click OK.

  2. At the command prompt, blazon netstat -a then press Enter.

  3. Look for an entry for the port number that you assigned to RDP. The port should appear in the list and have a status of Listening.

Of import

Remote Desktop Connection and the Terminal server Web Customer employ port 3389, past default, to connect to a Remote Desktop server. If you change the RDP port on the Remote Desktop server, you volition have to modify the port used by Remote Desktop Connection and the Remote Desktop server Spider web Client. For more data, see Change the listening port for Remote Desktop on your reckoner.

Verify that the listener on the Remote Desktop server is working

To verify that the listener on the Remote Desktop server is working correctly, use whatsoever of the following methods.

Notation

RDP-TCP is the default connection name and 3389 is the default RDP port. Employ the connection name and port number specific to your Remote Desktop server configuration.

  • Method 1

    Use an RDP customer, such equally Remote Desktop Connectedness, to institute a remote connection to the Remote Desktop server.

  • Method 2

    Use the qwinsta tool to view the listener status on the Remote Desktop server:

    1. On the Remote Desktop server, click Start, click Run, type cmd, and and then click OK.
    2. At the control prompt, type qwinsta, and then press Enter.
    3. The RDP-TCP session state should exist Heed.

  • Method 3

    Utilize the netstat tool to view the listener status on the Remote Desktop server:

    1. On the Remote Desktop server, click Start, click Run, type cmd, then click OK.
    2. At the control prompt, blazon netstat -a then press Enter.
    3. The entry for TCP port 3389 should exist Listening.

  • Method four

    Use the telnet tool to connect to the RDP port on the Remote Desktop server:

    1. From another computer, click Start, click Run, blazon cmd, and so click OK.
    2. At the command prompt, type telnet <servername> 3389 , where <servername> is the name of the Remote Desktop server, and then press Enter.

    If telnet is successful, you receive the telnet screen and a cursor.

    If telnet is not successful, you receive the following mistake message:

    Connecting To servername... Could not open up connection to the host, on port 3389: Connect failed

    The qwinsta, netstat, and telnet tools are also included in Windows XP and Windows Server 2003. You can also download and use other troubleshooting tools, such equally Portqry.

Resolution for Symptom 3

To resolve the issue, configure authentication and encryption.

To configure authentication and encryption for a connection, follow these steps:

  1. On the RD Session Host server, open Remote Desktop Session Host Configuration. To open up Remote Desktop Session Host Configuration, click Commencement, point to Authoritative Tools, bespeak to Remote Desktop Services, and so click Remote Desktop Session Host Configuration.

  2. Under Connections, correct-click the name of the connection, and so click Properties.

  3. In the Properties dialog box for the connection, on the General tab, in Security layer, select a security method.

  4. In Encryption level, click the level that you want. You lot can select Low, Customer Compatible, High, or FIPS Compliant. Encounter Footstep 4 in a higher place for Windows Server 2003 for Security layer and Encryption level options.

Note

  • To perform this procedure, you must be a member of the Administrators group on the local computer, or you must have been delegated the appropriate authorization. If the computer is joined to a domain, members of the Domain Admins group might be able to perform this procedure. Every bit a security best do, consider using Run as to perform this procedure.
  • To open Remote Desktop Services Configuration, click Kickoff, click Command Panel, double-click Administrative Tools, and so double-click Remote Desktop Services Configuration.
  • Any encryption level settings that y'all configure in Grouping Policy override the configuration that you set past using the Remote Desktop Services Configuration tool. Besides, if yous enable the System cryptography: Employ FIPS compliant algorithms for encryption, hashing, and signing Group Policy setting, this setting overrides the Ready customer connection encryption level Group Policy setting.
  • When y'all change the encryption level, the new encryption level takes effect the next time a user logs on. If you require multiple levels of encryption on one server, install multiple network adapters and configure each adapter separately.
  • To verify that document has a respective private fundamental, in Remote Desktop Services Configuration, right-click the connectedness for which you desire to view the certificate, click the General tab, click Edit, click the document that y'all want to view, and then click View Certificate. At the bottom of the General tab, the statement, You take a individual cardinal that corresponds to this certificate, should appear. You lot can also view this information past using the Certificates snap-in.
  • The FIPS compliant setting (the System cryptography: Use FIPS compliant algorithms for encryption, hashing, and signing setting in Group Policy or the FIPS Compliant setting in Remote Desktop server Configuration) encrypts and decrypts data sent from the client to the server and from the server to the client, with the Federal Information Processing Standard (FIPS) 140-1 encryption algorithms, using Microsoft cryptographic modules. For more than information, see Terminal Services in Windows Server 2003 Technical Reference.
  • The High setting encrypts data sent from the client to the server and from the server to the client by using strong 128-bit encryption.
  • The Customer Uniform setting encrypts information sent betwixt the customer and the server at the maximum key strength supported past the client.
  • The Low setting encrypts data sent from the client to the server using 56-flake encryption.

Boosted troubleshooting pace: Enable CAPI2 event logs

To help troubleshoot this problem, enable CAPI2 event logs on both the client and server computers. This command is shown in the following screenshot.

Expand CAPI2, right-click Operational, and then select the Enable Log option.

Workaround for the consequence (You cannot completely disconnect a Remote Desktop server connection) described in Symptom 3

To work around this problem, follow these steps:

  1. Click Commencement, click Run, type gpedit.msc, so click OK.
  2. Expand Reckoner Configuration, expand Administrative Templates, expand Windows Components, expand Remote Desktop Services, expand Remote Desktop Session Host, and then click Connections.
  3. In the right pane, double-click Configure go along-alive connectedness interval.
  4. Click Enabled, then click OK.
  5. Close Group Policy Object Editor, click OK, and then quit Active Directory Users and Computers.

Resolution for Symptom 4

Important

This department, method, or task contains steps that tell you lot how to modify the registry. Still, serious bug might occur if you modify the registry incorrectly. Therefore, make sure that you follow these steps carefully. For added protection, back up the registry before you lot alter information technology. Then, y'all tin can restore the registry if a trouble occurs. For more information well-nigh how to back up and restore the registry, see 322756 How to back up and restore the registry in Windows.

To resolve this problem, back upward and then remove the X509 Certificate registry keys, restart the computer, then reactivate the Remote Desktop Services Licensing server. To do this, follow these steps.

Note

Perform the following procedure on each of the Remote Desktop servers.

  1. Brand sure that the Remote Desktop server registry has been successfully backed up.

  2. Kickoff Registry Editor.

  3. Locate and so click the following registry subkey:

    HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Terminal Server\RCM

  4. On the Registry menu, click Export Registry File.

  5. Type exported- Certificate in the File proper name box, and then click *Save.

    Note

    If you have to restore this registry subkey in the hereafter, double-click the Exported-parameters.reg file that you lot saved in this pace.

  6. Correct-click each of the post-obit values, click Delete, then click Yep to verify the deletion:

    • Certificate
    • X509 Certificate
    • X509 Certificate ID
    • X509 Certificate2

  7. Exit Registry Editor, and and then restart the server.

References

For more information about Remote Desktop Gateway, see the following articles:

  • 967933 Error bulletin when a remote user tries to connect to a resource on a Windows Server 2008-based computer through TS Gateway by using the FQDN of the resources: "Remote Desktop Disconnected"

  • 329896 Because of a security mistake, the client could not connect to the Remote Desktop server

  • Group Policy Settings for Remote Desktop Services in Windows Server 2008 R2

  • Troubleshooting Full general Remote Desktop Error Messages

If this article does not help you lot resolve the trouble, or if you experience symptoms that differ from those that are described in this article, visit the Microsoft Support for more information. To search your issue, in the Search back up for assist box, blazon the text of the mistake message that you received, or type a description of the problem.