Forum Discussion

gregcharland
Copper Contributor
May 06, 2020

On-Prem RDS NLA troubleshooting

Hi, I'm working to support integration of my customer with a new parent company.

Our environment, we'll call this Site A: Windows Server 2016 w/Essentials Role, Windows 2016 w/MultiPoint Role, Windows 10 Pro desktops (1909). Local AD Domain runs AAD Connect using password hash sync.

Is now connected using site-to-site VPN and 2-way forest trust to....

(We have site-to-site VPN to both Site 1 and Site 2 below)

Their environment:

Site 1:

2x DCs Windows Server 2016 Std

1x Terminal Server running Windows Server 2016 DC *this is just a Windows Server 2016 set up as a Session Host, there's no RD Gateway, Broker, etc because those things are hard <shrug>

Site 2:

1x DC Windows Server 2012

Mostly people connecting into our Multipoint server

Our users connect from the Windows 10 desktops and MultiPoint server (joined to our domain) into the Site 1 Terminal Server (joined to the remote domain) and primarily run an Access app there.

On a frequent basis our users get disconnected - they usually get the generic disconnected message....when they try to re-connect they generally get an NLA error. Anecdotally it appears to happen when Site A - Site 2 VPN connection drops.

I understand using NLA the RDS server tries to communicate back to the domain to authenticate the machine that's trying to connect.....but every article I find about RDS and NLA is "how to disable NLA," which we don't want to do.

Any resources or links discussing how to troubleshoot NLA in the RDS context?

Beyond that....would the RDS be trying to authenticate the client PCs via the trust through its own domain, or contacting our DC directly? Which domain should we be nltest-ing?

Thanks in advance!

-Greg C

7 Replies

    • gregcharland
      Copper Contributor

      Dave Patrick

      Thanks....I don't have the initial disconnect error message handy but it did not reference NLA.

      But when trying to reconnect they see:

      Remote Desktop Connection

      The remote computer that you are trying to connect to requires Network Level Authentication (NLA), but your Windows domain controller cannot be contacted to perform NLA. If you are an administrator on the remote computer, you can disable NLA by using the options on the Remote tab of the System Properties dialog box.

      • Dave Patrick
        MVP

        From a Windows perspective NLA uses port 389 to connect to the domain controller, so I'd check that that port is open and that problem members have a healthy domain controller listed for DNS on the connection properties and no others, such as a router or public DNS.
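        The two checks in the reply above (TCP 389 to a domain controller, and DNS pointing only at DCs), as an added PowerShell script that is not part of this thread; the domain names are placeholders, and it checks both the local and the trusted domain since the thread does not settle which one the Session Host contacts:

```powershell
# Added example (not from the thread). Run on an affected Windows 10 / MultiPoint
# member. Domain names are placeholders: the local domain and the trusted remote domain.
param(
    [string[]]$Domains = @('sitea.example.local', 'site1.example.local')
)

# 1. DNS servers on active adapters: per the reply, these should be domain
#    controllers only, not a router or a public resolver.
Write-Host "Configured IPv4 DNS servers:"
Get-DnsClientServerAddress -AddressFamily IPv4 |
    Where-Object { $_.ServerAddresses.Count -gt 0 } |
    Select-Object InterfaceAlias, ServerAddresses |
    Format-Table -AutoSize

foreach ($domain in $Domains) {
    Write-Host "`n=== $domain ==="

    # 2. Which DC the locator picks right now (raw nltest output).
    nltest /dsgetdc:$domain /force 2>&1

    # 3. Every DC the domain has registered in DNS, via the _ldap SRV record.
    $srv = Resolve-DnsName -Name "_ldap._tcp.dc._msdcs.$domain" -Type SRV -ErrorAction SilentlyContinue |
        Where-Object { $_.Type -eq 'SRV' }
    if (-not $srv) {
        Write-Warning "No _ldap SRV records for $domain - this client's DNS cannot locate a DC for it."
        continue
    }

    # 4. TCP 389 reachability to each DC, the port the reply names.
    foreach ($rec in $srv) {
        $t = Test-NetConnection -ComputerName $rec.NameTarget -Port 389 -WarningAction SilentlyContinue
        $state = if ($t.TcpTestSucceeded) { 'OPEN' } else { 'BLOCKED or unreachable' }
        Write-Host ("{0,-45} LDAP 389: {1}" -f $rec.NameTarget, $state)
    }
}
```

        Run it while the users are connected and again right after a disconnect; a DC that flips from OPEN to unreachable across the site-to-site VPN lines up with the NLA error in the first reply.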
