IISRESET needed for clients to reestablish TS-connection

Dear all,

We have a problem on our TS 2008. For some reason we have to do iisreset
/restart

Our clients are able to reconnect to the Terminal Server after this action.
Sometimes we have this several times a day, and other times it could be that
we have no problems at all during the day.

In the Eventlog the only thing that might be worrysome is the following:
Error event: 4402 (NPS = Network Policy Server)
There is no domain controller available for domain <OurDomain>.

Although when i run following command in prompt: nltest /dsgetdc:<ourdomain>

It does return our DC. We have for now only one DC in our domain. Can anyone
tell me what might be wrong and why we need to restart IIS so that our users
can reconnect to TS remote apps and TS itself.

Thx in advance for all the help

 

"deconinckg" <deconinckg@discussions.microsoft.com> wrote in message
news:E12F9847-36E4-4BAC-96F6-0B5D7F39EB41@microsoft.com...<!--coloro:blue--><span style="color:blue <!--/coloro-->
> Dear all,
>
> We have a problem on our TS 2008. For some reason we have to do iisreset
> /restart
>
> Our clients are able to reconnect to the Terminal Server after this
> action.
> Sometimes we have this several times a day, and other times it could be
> that
> we have no problems at all during the day.
>
> In the Eventlog the only thing that might be worrysome is the following:
> Error event: 4402 (NPS = Network Policy Server)
> There is no domain controller available for domain <OurDomain>.
>
> Although when i run following command in prompt: nltest
> /dsgetdc:<ourdomain>
>
> It does return our DC. We have for now only one DC in our domain. Can
> anyone
> tell me what might be wrong and why we need to restart IIS so that our
> users
> can reconnect to TS remote apps and TS itself.<!--colorc--><!--/colorc-->

IIS has no relationship with TS. Are you sure the problem isn't with TS Web
Access or TS Gateway?

What error does the client see when this happens?

Rob

 

Dear,

Like i said it was with remote appz. And with TS i meant to connect with RDP
if we have the TS Gateway filled in. TS itself works.

The Client doesn't really see an error just that he cannot login. It doesn't
say his username or password might be incorrect. It just reopens the login
screen for retyping his username and password.

Only thing i see then on the terminal server is the following:

An account was logged off.

Subject:
Security ID: DOMAIN\user
Account Name: user
Account Domain: DOMAIN
Logon ID: 0xa1e8d4a

Logon Type: 3

This event is generated when a logon session is destroyed. It may be
positively correlated with a logon event using the Logon ID value. Logon IDs
are only unique between reboots on the same computer.

so he logs the user off directly after he hit enter to login on remote appz
or through TS Web Access

"Rob Leitman [MSFT]" wrote:
<!--coloro:blue--><span style="color:blue <!--/coloro-->
>
> "deconinckg" <deconinckg@discussions.microsoft.com> wrote in message
> news:E12F9847-36E4-4BAC-96F6-0B5D7F39EB41@microsoft.com...<!--coloro:green--><span style="color:green <!--/coloro-->
> > Dear all,
> >
> > We have a problem on our TS 2008. For some reason we have to do iisreset
> > /restart
> >
> > Our clients are able to reconnect to the Terminal Server after this
> > action.
> > Sometimes we have this several times a day, and other times it could be
> > that
> > we have no problems at all during the day.
> >
> > In the Eventlog the only thing that might be worrysome is the following:
> > Error event: 4402 (NPS = Network Policy Server)
> > There is no domain controller available for domain <OurDomain>.
> >
> > Although when i run following command in prompt: nltest
> > /dsgetdc:<ourdomain>
> >
> > It does return our DC. We have for now only one DC in our domain. Can
> > anyone
> > tell me what might be wrong and why we need to restart IIS so that our
> > users
> > can reconnect to TS remote apps and TS itself.<!--colorc--><!--/colorc-->
>
> IIS has no relationship with TS. Are you sure the problem isn't with TS Web
> Access or TS Gateway?
>
> What error does the client see when this happens?
>
> Rob
>
>
> <!--colorc--><!--/colorc-->

 

In the meantime i have also fixed the Network Policy Event error.

I have added my TS to the group RAS & IAS Servers. Now i don't have the
problem anymore that NPS can't find a DC.

I hope this might have been the login failures on our TS through TS Gateway.
I'll keep you updated in case the problem persist.

Greetz

"deconinckg" wrote:
<!--coloro:blue--><span style="color:blue <!--/coloro-->
> Dear,
>
> Like i said it was with remote appz. And with TS i meant to connect with RDP
> if we have the TS Gateway filled in. TS itself works.
>
> The Client doesn't really see an error just that he cannot login. It doesn't
> say his username or password might be incorrect. It just reopens the login
> screen for retyping his username and password.
>
> Only thing i see then on the terminal server is the following:
>
> An account was logged off.
>
> Subject:
> Security ID: DOMAINuser
> Account Name: user
> Account Domain: DOMAIN
> Logon ID: 0xa1e8d4a
>
> Logon Type: 3
>
> This event is generated when a logon session is destroyed. It may be
> positively correlated with a logon event using the Logon ID value. Logon IDs
> are only unique between reboots on the same computer.
>
> so he logs the user off directly after he hit enter to login on remote appz
> or through TS Web Access
>
> "Rob Leitman [MSFT]" wrote:
> <!--coloro:green--><span style="color:green <!--/coloro-->
> >
> > "deconinckg" <deconinckg@discussions.microsoft.com> wrote in message
> > news:E12F9847-36E4-4BAC-96F6-0B5D7F39EB41@microsoft.com...<!--coloro:darkred--><span style="color:darkred <!--/coloro-->
> > > Dear all,
> > >
> > > We have a problem on our TS 2008. For some reason we have to do iisreset
> > > /restart
> > >
> > > Our clients are able to reconnect to the Terminal Server after this
> > > action.
> > > Sometimes we have this several times a day, and other times it could be
> > > that
> > > we have no problems at all during the day.
> > >
> > > In the Eventlog the only thing that might be worrysome is the following:
> > > Error event: 4402 (NPS = Network Policy Server)
> > > There is no domain controller available for domain <OurDomain>.
> > >
> > > Although when i run following command in prompt: nltest
> > > /dsgetdc:<ourdomain>
> > >
> > > It does return our DC. We have for now only one DC in our domain. Can
> > > anyone
> > > tell me what might be wrong and why we need to restart IIS so that our
> > > users
> > > can reconnect to TS remote apps and TS itself.<!--colorc--><!--/colorc-->
> >
> > IIS has no relationship with TS. Are you sure the problem isn't with TS Web
> > Access or TS Gateway?
> >
> > What error does the client see when this happens?
> >
> > Rob
> >
> >
> > <!--colorc--><!--/colorc--><!--colorc--><!--/colorc-->

 

Additional Info for TS:

- Printer Redirection has been disabled
- PnP Device support disbaled
- Serial ports disabled

Problem came back unfortunatly I'm guesing the last thig i could really
do is do a hourly "iisreset /restart"

Other info that might be usefull i didn't mention yet:
We use ISA firewall 2006. Could there be a problem between the
authentication under ISA 2006 and TS Gateway itself. That the authentication
on TS fails for some reason, that we need to restart iis.

I hope someone can help me out with this problem, cause this is a very
annoying behaviour as we have nothing logged what might cause the problem.

"deconinckg" wrote:
<!--coloro:blue--><span style="color:blue <!--/coloro-->
> In the meantime i have also fixed the Network Policy Event error.
>
> I have added my TS to the group RAS & IAS Servers. Now i don't have the
> problem anymore that NPS can't find a DC.
>
> I hope this might have been the login failures on our TS through TS Gateway.
> I'll keep you updated in case the problem persist.
>
> Greetz
>
> "deconinckg" wrote:
> <!--coloro:green--><span style="color:green <!--/coloro-->
> > Dear,
> >
> > Like i said it was with remote appz. And with TS i meant to connect with RDP
> > if we have the TS Gateway filled in. TS itself works.
> >
> > The Client doesn't really see an error just that he cannot login. It doesn't
> > say his username or password might be incorrect. It just reopens the login
> > screen for retyping his username and password.
> >
> > Only thing i see then on the terminal server is the following:
> >
> > An account was logged off.
> >
> > Subject:
> > Security ID: DOMAINuser
> > Account Name: user
> > Account Domain: DOMAIN
> > Logon ID: 0xa1e8d4a
> >
> > Logon Type: 3
> >
> > This event is generated when a logon session is destroyed. It may be
> > positively correlated with a logon event using the Logon ID value. Logon IDs
> > are only unique between reboots on the same computer.
> >
> > so he logs the user off directly after he hit enter to login on remote appz
> > or through TS Web Access
> >
> > "Rob Leitman [MSFT]" wrote:
> > <!--coloro:darkred--><span style="color:darkred <!--/coloro-->
> > >
> > > "deconinckg" <deconinckg@discussions.microsoft.com> wrote in message
> > > news:E12F9847-36E4-4BAC-96F6-0B5D7F39EB41@microsoft.com...
> > > > Dear all,
> > > >
> > > > We have a problem on our TS 2008. For some reason we have to do iisreset
> > > > /restart
> > > >
> > > > Our clients are able to reconnect to the Terminal Server after this
> > > > action.
> > > > Sometimes we have this several times a day, and other times it could be
> > > > that
> > > > we have no problems at all during the day.
> > > >
> > > > In the Eventlog the only thing that might be worrysome is the following:
> > > > Error event: 4402 (NPS = Network Policy Server)
> > > > There is no domain controller available for domain <OurDomain>.
> > > >
> > > > Although when i run following command in prompt: nltest
> > > > /dsgetdc:<ourdomain>
> > > >
> > > > It does return our DC. We have for now only one DC in our domain. Can
> > > > anyone
> > > > tell me what might be wrong and why we need to restart IIS so that our
> > > > users
> > > > can reconnect to TS remote apps and TS itself.
> > >
> > > IIS has no relationship with TS. Are you sure the problem isn't with TS Web
> > > Access or TS Gateway?
> > >
> > > What error does the client see when this happens?
> > >
> > > Rob
> > >
> > >
> > > <!--colorc--><!--/colorc--><!--colorc--><!--/colorc--><!--colorc--><!--/colorc-->

 

Rob,

Could it be that the following may cause the problem of our authentication
that fails from time to time.

We have our TSG installed on one server and have exchange 2007 on another.
But as both TSG and Outlook anywhere use RPCProxy we had to change the
rpcproxy in the following way:

HKLM\Software\Microsoft\Rpc\RpcProxy
- edit ValidPorts key :
TSGserver:593;TSGserver:49152-65535;mailboxserver:6001-6002;mailboxserver:6004;mailboxserver.domain.local:6001-6002;mailboxserver.domain.local:6004

I'm wondering if this could be any problem as Exchange uses NTLM
authentication and TS uses windows authentication. But like i said they both
run on different server. Only the RPCProxy has been changed on our Terminal
server.

Kind regards

"Rob Leitman [MSFT]" wrote:
<!--coloro:blue--><span style="color:blue <!--/coloro-->
>
> "deconinckg" <deconinckg@discussions.microsoft.com> wrote in message
> news:E12F9847-36E4-4BAC-96F6-0B5D7F39EB41@microsoft.com...<!--coloro:green--><span style="color:green <!--/coloro-->
> > Dear all,
> >
> > We have a problem on our TS 2008. For some reason we have to do iisreset
> > /restart
> >
> > Our clients are able to reconnect to the Terminal Server after this
> > action.
> > Sometimes we have this several times a day, and other times it could be
> > that
> > we have no problems at all during the day.
> >
> > In the Eventlog the only thing that might be worrysome is the following:
> > Error event: 4402 (NPS = Network Policy Server)
> > There is no domain controller available for domain <OurDomain>.
> >
> > Although when i run following command in prompt: nltest
> > /dsgetdc:<ourdomain>
> >
> > It does return our DC. We have for now only one DC in our domain. Can
> > anyone
> > tell me what might be wrong and why we need to restart IIS so that our
> > users
> > can reconnect to TS remote apps and TS itself.<!--colorc--><!--/colorc-->
>
> IIS has no relationship with TS. Are you sure the problem isn't with TS Web
> Access or TS Gateway?
>
> What error does the client see when this happens?
>
> Rob
>
>
> <!--colorc--><!--/colorc-->