Wednesday, August 24, 2011

Remote server management with alternate credentials

This post is something of a throwback to the early Windows NT days, but it still applies to newer OSes (NT and anything Windows 2000 and above). If you are trying to manage a system remotely (not using remote desktop or similar VNC-type technology), you will frequently be using RPC-based connections. Tools like PsTools, MMC snap-ins (eventvwr, compmgmt.msc, etc.), regedit and many others use this type of connection. If the machine you are connecting to does not allow access with your credentials, is not a member of your forest, or is not joined to a domain, there is one easy way to get all of your tools working: the command-line tool for drive mapping, net use, can also create an authenticated RPC session between your machines, and that session will be used in any access attempt you make afterwards.

Here is an example of connecting to a remote server using the local administrator account on that machine:

net use \\remoteserver\ipc$ /user:remoteserver\administrator *

The * at the end of the command causes a password prompt to come up when you run it. If the connection is successful, you have authenticated with alternate credentials. Now you can use your RPC-based tools for access with no problems.

To remove these connections: net use \\remoteserver\ipc$ /delete

Tuesday, August 23, 2011

Can't connect to terminal services (RDP)

If you do a lot of remote management of servers, you may occasionally come across a machine that does not appear to respond when you make a terminal services connection to it. This can be caused by configuration issues, or sometimes the service has just locked up on bad connections (seen with 2003). If you remotely check the services and the Terminal Services service is running, you can do some digging in the registry. Here I will point out what is normal for remote desktop in remote administration mode (2 connections + 1 console).

Open regedit and use Connect Network Registry to access your remote machine. Expand down to HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Terminal Server.

Look for these values:
Dword TSEnabled = 1
Dword TSUserEnabled = 0
Dword fDenyTSConnections = 0

Occasionally one of these may be incorrect. If you flip it to the correct value it should take effect immediately and allow you access.
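The same check can be scripted. The following is an added example, not part of the original post: it opens the authenticated IPC$ session described in the previous post, compares the three values against the ones listed above, and always removes the session afterwards. The function name Get-RdpRegistryState and the sample names remoteserver and administrator are illustrative, and the Remote Registry service is assumed to be running on the target.

```powershell
# Added example (hypothetical function name; not from the original post).
function Get-RdpRegistryState {
    param(
        [Parameter(Mandatory)] [string] $ComputerName,
        [string] $User = 'administrator'
    )
    # Values the post lists as normal for remote administration mode.
    $expected = [ordered]@{ TSEnabled = 1; TSUserEnabled = 0; fDenyTSConnections = 0 }

    $ipc = '\\{0}\ipc$' -f $ComputerName
    # The trailing * makes net use prompt for the password, so it is never
    # typed on the command line. Start-Process keeps the prompt on the console
    # and out of this function's output.
    $netArgs = 'use', $ipc, ('/user:{0}\{1}' -f $ComputerName, $User), '*'
    $p = Start-Process -FilePath net.exe -ArgumentList $netArgs -NoNewWindow -Wait -PassThru
    if ($p.ExitCode -ne 0) { throw "net use failed for $ipc" }

    $hklm = $null
    $key = $null
    try {
        # Same access path as regedit's Connect Network Registry.
        $hklm = [Microsoft.Win32.RegistryKey]::OpenRemoteBaseKey(
            [Microsoft.Win32.RegistryHive]::LocalMachine, $ComputerName)
        $key = $hklm.OpenSubKey('System\CurrentControlSet\Control\Terminal Server')
        if ($null -eq $key) { throw 'Terminal Server key not found' }

        foreach ($name in $expected.Keys) {
            $actual = $key.GetValue($name)   # $null when the value is absent
            [pscustomobject]@{
                Value    = $name
                Expected = $expected[$name]
                Actual   = $actual
                Ok       = ($actual -eq $expected[$name])
            }
        }
    }
    finally {
        if ($key)  { $key.Close() }
        if ($hklm) { $hklm.Close() }
        # Always drop the authenticated session so later tools on this
        # workstation cannot silently reuse the alternate credentials.
        Start-Process -FilePath net.exe -ArgumentList 'use', $ipc, '/delete' -NoNewWindow -Wait
    }
}

Get-RdpRegistryState -ComputerName 'remoteserver'   # sample host name
```

The script only reads the values; a row with Ok = False shows which one differs from the expected setting.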

As I mentioned earlier, with 2003 servers, I've noticed there are cases where RDP connections can cause problems and screw up terminal services completely. Why this happens, I'm not sure. I've seen it occur when accidentally dragging an icon and it ended up in the RDP window at certain points of the connection. Although one of the terminal services tools allows you to reset the TCP listener (or something similar to this), it doesn't work. Rebooting is the only solution to fix this problem.

Another problem you may frequently run into is too many people connected to the system. In 2008 it gives you a list and option to boot someone off. In 2003, you may see that option when logging into the console session. You can also use these two command line tools to assist with this:

qwinsta /server:[name of remote machine]
rwinsta [session id] /server:[name of remote machine]

These commands query the sessions and kick the specified session, respectively. You can't kick someone logged in at the console, but there are some tools that you may get to work, such as psshutdown (-o option).

This article covers only some of the problems you may come across. When terminal services (or the Remote Desktop Services role) is enabled, you may end up with other problems that have different solutions.