Archive for the ‘Terminal Server’ Category

The Group Policy Client service failed the logon. Access denied

Thursday, March 17th, 2016

I had a user complaint over not being able to access a terminal server. He would attempt access and receive an error message:

The Group Policy Client service failed the logon. Access denied.

Since it was a terminal server; I renamed his profile and he was able to access it.

Remote logins are currently disabled.

Sunday, November 15th, 2015

Our monitoring systems reported errors with a terminal server. I tried remote desktop and received the following error:

Remote logins are currently disabled.

Someone with administrator access disabled the logins with the change logon command.

The management console for reasons not pertinent to this issue was not usable at this time. In order to enable the logins, I needed to a way to submit the command.

Time for our trusty friend “psexec”

psexec.exe “\\<terminal server>\ change logon /enable”

After that we could access the terminal server.

Please wait for the System Event Notfication Service…

Thursday, August 7th, 2014

One of the most annoying things is a server which is hung up and won’t allow you to access it remotely. Especially, if it requires driving to get to the server.

Such was the case of a trouble call from a user trying to access a server. He would try remote desktop and received the following message:

Please wait for the System Event Notification Service…

The login process would remain at this point.

Remote Reboot failed but the system would ping and I could mount a hidden drive.

I needed remote desktop to work so I could look into this problem.

The System Event Notification Service as described from an article in the Microsoft Developer Network states:

Applications designed for use by mobile users require a unique set of connectivity functions and notifications. In the past these individual applications were required to implement these features internally. The System Event Notification Service (SENS) now provides these capabilities in the operating system, creating a uniform connectivity and notification interface for applications. Using SENS developers can determine connection bandwidth and latency information from within their application and optimize the application’s operation based on those conditions.

It sounds like something that is not needed, but it wasn’t the time to make this call when there was an annoyed user waiting for the server. I suspected we could at least kill the process and see if Remote Desktop would work again. Time to use the useful SC command:

sc \\servername queryex SENS

This returned:

TYPE               : 20  WIN32_SHARE_PROCESS
STATE              : 4  RUNNING
WIN32_EXIT_CODE    : 0  (0x0)
CHECKPOINT         : 0x0
WAIT_HINT          : 0x0
PID                : 976
FLAGS              :

Using the PID; I could attempt a taskkill of the sens process.

taskkill /S <servername> /PID 976 /F

This made the login session continue and I had access to the server.

Checking the Net; there are a several situations which could cause this condition.  It ranged from removing Live Messenger (which was not installed), registry changes (which didn’t work or didn’t apply) to removing an update (which was not installed).

I had to log out and found the error was back.  I used the same taskkill steps and was able to access the server again.

Not seeing the obvious; I figured I would try the “fix most things Microsoft” solution and rebooted.

The error went away.

Sometimes a reboot is all that is needed.


Missing license server for windows 2012 Remote Desktop Services

Wednesday, August 6th, 2014

Windows Server 2012 can be a little disconcerting due to the new look and layout.

Such was the case for a request of a 2012 server with Remote Desktop Services enabled. I installed the OS and added it to AD. I installed the requested applications and then I went through the wizard and installed the “Remote Desktop Session Host.”

I didn’t need the license server installed as I have a couple already in place.

When it came time to configure verify the setup; I went to Administrative Tools and looked at Remote Desktop Services and only found “RD Licensing Diagnoser”

Ok? Where do I configure the license servers?  Oh wait! the Dashboard.  I looked under that and found the same thing.

I reinstalled the role and found nothing changed.

I did get the warning about licenses and so I ran the diagnoser to see what was wrong.  Two license servers were found but the problem was the missing license server had the licenses for 2012.

Time became an issue and I literally had the user panicking to use the server so I needed a quick resolution as this system was a short term “crash and burn” setup.

I decided to add the missing entry via the registry and reboot.

The license server list can be found here:

HKLM\SOFTWARE\Wow6432Node\Policies\Microsoft\Windows NT\Terminal Services

The entry you need to modify is : LicenseServers

I added the missing license server to the list and rebooted.

The warning message about licenses went away and I verified multiple users could access the server.

Time to crack open the 2012 books and papers!


Can’t remote desktop to a windows 2008 R2 server

Tuesday, June 17th, 2014

This was a strange problem. I have a simple Windows 2008 R2 server with remote desktop services installed. Everything was properly configured. Plenty of licenses and diagnostics reported the license server was available.

The problem? Can’t access the server through remote desktop. No errors in the logs and the only message available to me was the generic:

Did all the noob checks and I even reloaded Remote Desktop Services, removed and re-added the server to AD.

Still no access.

I installed tightvnc as I did not want to live at the machine and found I had remote access.

I checked the registry to see if port 3389 was configured and it was.

I used portqueryui to see if the port was in use and it reported:

TCP port 3389 (ms-wbt-server service): NOT LISTENING!

A quick telnet to port 3389 confirmed this.

The firewall was not running and there wasn’t a web server or any other process trying to use that port and thus block Remote Desktop Services. I was tempted to declare too much time debugging this and reload but I decided to dig around the Net a little more and stumbled on an old discussion on technet.

As mentioned in the post by itdoug; I found the hidden device driver called “remote desktop services security filter driver” disabled (You just bring up the Device Manager, select show hidden devices and look under Non-Plug and Play Drivers).

I tried to enable it and it failed. I then uninstalled it and rebooted.

Remote Desktop worked after that.


This could be caused by an outdated entry in the DNS cache.

Saturday, February 2nd, 2013

I was setting up a new server and when it came time to test a few things; I received this nice message when I tried Remote Desktop:

The connection cannot be completed because the remote computer 
that was reached is not the one you specified. This could be caused
by an outdated entry in the DNS cache. Try using the IP address of 
the computer instead of the name.

I checked the cache and DNS and found it was in order. Remote desktop would work with the IP address.

This was one of two machines with the same setup and the configuration matched the other machine. I checked the Microsoft site and found this.

All you need to do is:

  1. Start > Administrative Tools > Remote Desktop Services > Remote Desktop Session Host Configuration.
  2. Look under Connections and Right-click the RDP listener (Connection name is RDP-Tcp) and select properties.
  3. Look in the security box where you should see the security layer is set to negotiate.
  4. Change it to RDP Security Layer via the drop down button.
  5. Click OK and close the Remote Desktop Session Host Configuration.

After that; Remote Desktop by hostname works.

I can’t explain why this happened on one of two identically configured systems. I could go back and hunt for a reason if I had time which I never do of course….


Well now. While working on another issue; I found the problem. The hostname was misspelled on the host. DNS and AD managed to give functionality but other things like simply mounting the C drive \\host\C$ failed giving the error “The target account name is incorrect” A quick delete of the domain record, a reboot and the problem is solved.

DsGetSiteName failed: Status = 1919 0x77f ERROR_NO_SITENAME

Sunday, September 16th, 2012

A user reported this error when he attempted to check the site name on a terminal server via the command: nltest /dsgetsite

A rather odd error as it usually appears on domain controllers and exchange servers. DNS was in order and there wasn’t an obvious error in the logs.

I checked which logon server was handling authentication for the terminal server via echo %LOGONSERVER% and found domain controllers in other countries were handling the authentication. I checked a couple other windows boxes and found the same errors.

This suggested the subnet for Active Directory was not configured or had a typo. I was not able to immediately verify this as AD is controlled by another group. I opened a trouble ticket and will wait for an answer.

I needed to solve the problem for the users who spotted this error. I found a registry entry would handle this issue.

From regedit; drill down the following:


Once you click Parameters, add a string word called “SiteName

Add the current site name to the entry and exit regedit.

nltest /dsgetsite will now function as expected.

Not the best of solutions; but it at least it solved the user’s problem while the AD people figure out what is going on.

If I get an answer, I will update this post.


As suspected; a subnet range was missing from the AD configuration.  It was added and the correct site and logonservers were appearing.