RDS: The RD Gateway server must be able to contact Active Directory Domain Services

Applies To: Windows Server 2008 R2, Windows Server 2012

This topic is intended to address a specific issue identified by a Best Practices Analyzer scan. You should apply the information in this topic only to computers that have had the Remote Desktop Services Best Practices Analyzer run against them and are experiencing the issue addressed by this topic. For more information about best practices and scans, see Best Practices Analyzer.

Operating System

Windows Server 2008 R2, Windows Server 2012

Product/Feature

Remote Desktop Services

Severity

Error

Category

Operation

Issue

An authorization policy on the Remote Desktop Gateway (RD Gateway) server is configured to use an Active Directory security group, but the RD Gateway server is unable to contact Active Directory Domain Services (AD DS).

Impact

If the RD Gateway server is unable to contact AD DS, users cannot be authenticated and the users will be unable to connect to internal network resources (computers) through the RD Gateway server.

Resolution

Ensure that the RD Gateway server is a member of an Active Directory domain and that there is network connectivity between the RD Gateway server and AD DS.

Membership in the local Administrators group, or equivalent, on the RD Gateway server that you plan to configure, is the minimum required to complete this procedure.

To verify the RD Gateway server is a member of the Active Directory domain

  1. Open System Properties on the RD Gateway server. To open System Properties, click Start, click Control Panel, and then click System and Security.

  2. On the Control Panel\System and Security page, click System.

  3. On the System page, under Computer name, domain, and workgroup settings, click Change Settings.

  4. If the User Account Control dialog box appears, confirm that the action it displays is what you want, and then click Yes.

  5. On the System Properties property sheet, on the General tab, verify that the RD Gateway server is a member of the correct domain. If the RD Gateway server is not a member of the domain:

    1. On the System Properties property sheet, on the General tab, click Change.

    2. In the Computer Name/Domain Changes dialog box, click Domain and type the Active Directory domain name.

    3. Click OK.

    4. When prompted, type your domain name and password to join the computer to the domain.

    5. Restart the computer when prompted.

To confirm the RD Gateway server can connect to AD DS

  1. On the RD Gateway server open an elevated Command Prompt window. To open a Command Prompt, click Start, point to All Programs, click Accessories, right-click Command Prompt, and then click Run as administrator.

  2. Type ping <server_FQDN>, where <server_FQDN> is the fully qualified domain name (FQDN) of the domain controller (for example, server1.contoso.com), and then press ENTER.

  3. If the ping was successful, you will receive a reply similar to the following:

     Reply from IP_address: bytes=32 time=3ms TTL=59
     Reply from IP_address: bytes=32 time=3ms TTL=59
     Reply from IP_address: bytes=32 time=3ms TTL=59
     Reply from IP_address: bytes=32 time=3ms TTL=59

  4. Type ping <ip_address>, where <ip_address> is the IP address of the domain controller, and then press ENTER.

    If you can successfully connect to the domain controller by IP address but not by FQDN, this indicates a possible issue with Domain Name System (DNS) host name resolution. If you cannot successfully connect to the domain controller by IP address, this indicates a possible issue with network connectivity, firewall configuration, or Internet Protocol security (IPsec) configuration.
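The membership and connectivity checks in the two procedures above can be run together from an elevated PowerShell session on the RD Gateway server. The script below is an added example, not part of the original article; it uses only cmdlets and .NET APIs present on Windows Server 2008 R2 and 2012, and the list of AD DS ports it probes (88, 389, 445) is an assumption about the services the gateway relies on.

```powershell
# Added example (not from the original article). Run elevated on the RD Gateway server.
# 1. Domain membership (what the System Properties sheet shows).
$cs = Get-WmiObject -Class Win32_ComputerSystem
if (-not $cs.PartOfDomain) {
    Write-Warning "Not domain-joined (workgroup: $($cs.Workgroup)). Join the server to the domain first."
    return
}
$domain = $cs.Domain
Write-Host "Domain membership: $domain"

# 2. Locate a domain controller with the DC locator (nltest ships with Windows).
$dcInfo = nltest /dsgetdc:$domain 2>&1
$dcLine = $dcInfo | Where-Object { "$_" -match '^\s*DC:' } | Select-Object -First 1
if (-not $dcLine) {
    Write-Warning "DC locator failed for ${domain}:`n$($dcInfo -join "`n")"
    return
}
$dcFqdn = ("$dcLine" -replace '^\s*DC:\s*\\\\', '').Trim()
Write-Host "Located domain controller: $dcFqdn"

# 3. Resolve the DC's FQDN, then ping by FQDN and by IP as the article describes.
try {
    $ip = ([System.Net.Dns]::GetHostAddresses($dcFqdn) |
           Where-Object { $_.AddressFamily -eq 'InterNetwork' })[0].IPAddressToString
    Write-Host "$dcFqdn resolves to $ip"
} catch {
    Write-Warning "DNS resolution of $dcFqdn failed: $($_.Exception.Message). Check DNS client settings."
    return
}
$pingFqdn = Test-Connection -ComputerName $dcFqdn -Count 2 -Quiet
$pingIp   = Test-Connection -ComputerName $ip     -Count 2 -Quiet

# Interpretation from the article: IP works but FQDN does not -> DNS; neither -> network/firewall/IPsec.
if ($pingIp -and -not $pingFqdn) { Write-Warning "Reachable by IP but not by FQDN: suspect DNS host name resolution." }
elseif (-not $pingIp)             { Write-Warning "Not reachable by IP: suspect network connectivity, firewall, or IPsec." }
else                              { Write-Host "ICMP reachable by FQDN and by IP." }

# 4. ICMP can be blocked while AD DS is still reachable, so also probe the AD DS ports (assumed set).
foreach ($port in 88, 389, 445) {   # Kerberos, LDAP, SMB
    $client = New-Object System.Net.Sockets.TcpClient
    try   { $client.Connect($ip, $port); $open = $true }
    catch { $open = $false }
    finally { $client.Close() }
    Write-Host ("TCP {0,-4} {1}" -f $port, $(if ($open) { 'open' } else { 'BLOCKED' }))
}
```

A blocked TCP port with a successful ping points at a firewall or IPsec rule rather than at basic connectivity.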

Additional references

Best Practices Analyzer for Remote Desktop Services: Configuration
Best Practices Analyzer for Remote Desktop Services