2 Common Issues With Microsoft Terminal Services

Many WAN connections can vary in quality and latency, and often times these two characteristics will manifest themselves in disconnected terminal services sessions. By doing two relatively easy registry hacks, you can reduce these disconnects and improve the overall experience of your users.

 

Keep Alives:

In the registry at HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server, create or edit the DWORD value of KeepAliveEnable and set it to 1. This will turn Keep Alives on. This will serve to stabilize the connection by sending ‘heartbeat’ packets to the client every so often. This will cause an idle connection to be probed every so often just to be sure that the connection is still alive and that the client is still listening on the other side. This will also help prevent disconnects by preventing network devices from killing off sockets that it assumes to be idle.  By turning on Keep Alives, the connection will not appear idle, and therefore the network device will not attempt to terminate the socket.

Two other registry entries to look at are at HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\KeepAliveInterval and HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\KeepAliveTime.  KeepAliveInterval determines the interval separating keep alive retransmissions until a response is received. If a response is received, the delay until the next keep alive transmission is again controlled by the value of KeepAliveTime. KeepAliveTime controls how often TCP attempts to verify that an idle connection is still intact by sending a keep alive packet. If the remote system is still reachable and functioning, it will acknowledge the keep alive transmission.

 

TcpMaxDataRetransmissions:

In the registry at HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters, create or edit the DWORD value of TcpMaxDataRetransmissions. By default it is set to 5, but I would recommend doubling that value, to 10.  The value of TcpMaxDataRetransmissions is the number of times TCP retransmits an unacknowledged data segment on an existing connection. TCP retransmits data segments until they are acknowledged or until this value expires.

 

Enjoy..

[Solved] Prevent previous credentials from another session/domain to auto fill when starting a RDP session to a Windows Server 2008 box

Who has not started a RDP session to a Windows 2008 Server or Windows 7 system and had the previous domain credentials popup as the default login for the next system you touch. Well if you are like me and touch many different customers each day then you have no doubt had the login for your Windows 2008 terminal session show the log on of the previous domain that your were logged in to. This can be a big pain in the “arse” if you know what I mean.

Well here is how to fix that problem:

On your own PC go to the registry key

HKEY_CURRENT_USER\Software\Microsoft\Terminal Server Client\Servers\127.0.0.1

Right click and select  permissions on the 127.0.0.1  folder then set permissions to deny yourself read access to it. As soon as you do this, you should start seeing the right domain name when opening a terminal session  to Windows 2008 servers or Windows 7 workstations.

 

Enjoy

Cubert 😎

Weird Network Issues, Can’t surf the web or web applications are failing but ping and DNS works?

There are many symptoms that may arise when you are installing a new firewall on a network that is using a DSL circuit and the MTU is not set correctly. That’s right the MTU, Max transmission Unit as it is know is a happy 1500 bytes on any Ethernet,  that medium makes up most endpoint networks on the Internet. Most admins never think about what the MTU is set at the gateway device, when they forget to realize that the circuit to the Internet is a DSL circuit they may see things on the network that can’t seem to explain.

MTU is the maximum packet size (in bytes) that can be transported reliably across any particular network; IP Ethernet in this case. The maximum size of an IP Ethernet packet is 1500, but overhead like IP, TCP, and PPPoE must also be taken into account. The wrong MTU will actually prevent you from accessing some web sites or FTP sites. It may even cause you to not authenticate properly on mail servers or secure web sites. There are too many variables to be able to estimate what your optimum MTU should be but my rule of thumb is -32bytes which makes the MTU 1468.

If your running a VPN to a remote domain and you are having domain failures that don’t seem to make since? Some people have no issues and others fail with different errors when the should work?

Only some websites working correctly?

DNS and ping work but other services  may fail like mail or ftp?

What maybe taking place is a conflict in the MTU available on a DSL circuit. The Ethernet is placing packets on the wire at up to 1500 bytes each but the DSL has only 14XX bytes available to it so a fragment has to take place that ends up breaking the request being made.

It is simple to overcome such a issue by setting the MTU of your firewalls DSL facing Ethernet device. This will then cause the firewall to regulate the MTU and control the MTU going out to the DSL circuit.

You can also change the MTU in a Windows workstation so it will not send out a packet bigger than what the DSL circuit can handle.

To do this edit the registry with REGEDIT and change the following key.

[HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Tcpip\Parameters\
Interfaces\[Adapter ID]]

Value Name: MTU
Data Type: REG_DWORD (DWORD Value)
Value Data: Default = 0xffffffff (1500)

This will fix the Windows system but I prefer to do it at the firewall so one edit changes all systems. Do what you need to do.

Hope this helps someone out there

 

Cubert

“Terminal Server Has Exceeded the Maximum Number of Allowed Connections” fix via Command line (CLI)

The terminal server has exceeded the maximum number of allowed connections. The system can not log you on. The system has reached its licensed logon limit. Please try again later.”

This problem happens because Windows only allows two remote terminal services connections when you are in administrative mode, and you’ve either got two people already on that server, or more likely, you’ve got a disconnected session that still thinks it

The terminal server has exceeded the maximum number of allowed connections. The system can not log you on. The system has reached its licensed logon limit. Please try again later.”

This problem happens because Windows only allows two remote terminal services connections when you are in administrative mode, and you’ve either got two people already on that server, or more likely, you’ve got a disconnected session that still thinks it is active.

The problem with this error is that you have to actually get on the server console to fix the problem if the server isn’t in a domain. (If you are in a domain, then just open Terminal Services Manager and log off or disconnect the sessions)

Here’s a command line arguments that you can use to figure out what sessions are connected to the server. Note that you could substitute the IP address for the server name.

query session /server:servername

Output:

Now we know that the session ID of the offending session is 2. We can use that in the next step, which is using the reset command to log off that user.

reset session [ID] /server:servername

This command won’t display any output, but when we run the query command again, we should see that the session has now been disconnected:

Output:

I hope this helps to get you back in to your terminal sessions!

Enjoy…

Event ID number 2003, “TermService” service does not match the trusted performance library information stored in the registry.

The configuration information of the performance library “C:\WINDOWS\system32\perfts.dll” for the “TermService” service does not match the trusted performance library information stored in the registry. The functions in this library will not be treated as trusted.

This problem occurs when the size and the date of the Perfts.dll file in Windows Server 2003 SP2 dose not match the size and the date of the entry stored earlier in the registry

The configuration information of the performance library “C:\WINDOWS\system32\perfts.dll” for the “TermService” service does not match the trusted performance library information stored in the registry. The functions in this library will not be treated as trusted.

This problem occurs when the size and the date of the Perfts.dll file in Windows Server 2003 SP2 dose not match the size and the date of the entry stored earlier in the registry for the Perfts.dll file .

Event Source: Perflib
Event Type: Warning
Event ID: 2003
Description: The configuration information of the performance library “C:\WINDOWS\system32\perfts.dll” for the “TermService” service does not match the trusted performance library information stored in the registry. The functions in this library will not be treated as trusted.

To resolve this problem, follow these steps after you install Windows Server 2003 SP2:

Click Start, click Run, type cmd, and then click OK.
At the command prompt, type the following command, and then press ENTER.

lodctr /T:TermService

Note This command will modify the size and the date that are stored in the registry for the Perfts.dll file.

Type exit, and then press ENTER to close the Command Prompt window.

Windows Vista Remote Desktop to Terminal Server Shows Black Screen

If your having an issue getting RDP client on Vist to connect to a 2003/2008 TS server you may be having issues with Vista TCP auto tuning.

To disable Vista Auto Tunning

run as an admin from cmd prompt:
netsh interface tcp set global autotuning=disabled

Then try your session again

If your having an issue getting RDP client on Vist to connect to a 2003/2008 TS server you may be having issues with Vista TCP auto tuning.

To disable Vista Auto Tunning

run as an admin from cmd prompt:
netsh interface tcp set global autotuning=disabled

Then try your session again..