2012 rds 2016 domain controller

remote-desktop-services, windows-server-2012-r2, windows-server-2016, windows-terminal-services

So we have a few 2012 R2 Terminal Servers at my company that were working fine until we started the process of replacing our Domain Controllers with new Windows 2016 Servers.

Since then our users are getting intermittent "Access Denied" errors when they try to RDP to these terminal servers.

Generally the "Access Denied" error occurs when a terminal server starts to use one of the newly added 2016 domain controllers. We can work around the problem by sending a command telling the terminal server to use one of the older 2012 R2 domain controllers instead.

Then things work again.

So the question:
Is there a misconfiguration with the new 2016 domain controllers or can an adjustment be made with the 2012 Terminal Servers?

Is the problem that Windows 2016 Domain Controllers are not compatible with 2012 R2 Remote Desktop Services servers?

We are having problems finding documentation on this.

What we do know is that if we decide to start upgrading to new 2016 Terminal Servers we will have to purchase new 2016 RDS Cals (not sure if we are budgeted for that…)

For those interested, you can find out the domain controller you are using by running the following elevated PowerShell command (this assumes the command is run remotely as you might be locked out due to the RDP access denied error):

nltest /Server:your-terminal-server /DSGETDC:ad-domain

To specify the domain controller you want to be on (in our case we want to switch back to a 2012 R2 domain controller), the command is:

nltest /Server:your-terminal-server /SC_RESET:ad-domain\specific-domain-controller
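The two nltest commands above can be wrapped into an inventory check across all of the RDS hosts. The following PowerShell is an added example, not code from the question's author: it queries each terminal server's current secure-channel domain controller with nltest /SC_QUERY (the /DSGETDC form from the question works the same way), looks up that DC's operating system in Active Directory, and flags hosts that have landed on a Server 2016 DC. Optionally it resets the secure channel to a chosen 2012 R2 DC. The host names, domain name and fallback DC are placeholders; the ActiveDirectory RSAT module and nltest.exe are assumed to be present on the admin workstation.

```powershell
# Added example (not the question author's code). Placeholders below must be replaced.
$Domain          = 'ad-domain'             # placeholder: your AD domain name
$TerminalServers = @('ts01', 'ts02')       # placeholders: the 2012 R2 RDS hosts
$FallbackDc      = 'dc2012-01'             # placeholder: a 2012 R2 DC to fall back to
$Remediate       = $false                  # set to $true to run /SC_RESET on flagged hosts

# Map DC host name (lower case) -> OS version so 2016 DCs can be told apart from 2012 R2 ones.
Import-Module ActiveDirectory
$DcOs = @{}
Get-ADDomainController -Filter * | ForEach-Object {
    $DcOs[$_.HostName.ToLower()] = $_.OperatingSystem
}

function Get-SecureChannelDc {
    param([string]$Server, [string]$Domain)
    # nltest prints a line such as "Trusted DC Name \\dc01.ad-domain.local"; parse that line.
    $out = & nltest.exe "/Server:$Server" "/SC_QUERY:$Domain" 2>&1
    foreach ($line in $out) {
        if ($line -match 'Trusted DC Name\s+\\\\(\S+)') { return $Matches[1] }
    }
    return $null   # nltest failed (host unreachable, access denied, etc.)
}

foreach ($ts in $TerminalServers) {
    $dc = Get-SecureChannelDc -Server $ts -Domain $Domain
    $os = if ($dc) { $DcOs[$dc.ToLower()] } else { $null }
    $on2016 = ($os -like '*2016*')

    [pscustomobject]@{
        TerminalServer   = $ts
        DomainController = if ($dc) { $dc } else { '(query failed)' }
        DcOperatingSystem = if ($os) { $os } else { '(unknown)' }
        OnServer2016Dc   = $on2016
    }

    # Same action as the /SC_RESET command in the question, applied only to flagged hosts.
    if ($Remediate -and $on2016) {
        & nltest.exe "/Server:$ts" "/SC_RESET:$Domain\$FallbackDc" 2>&1 | Out-Null
    }
}
```

Run it with $Remediate left at $false first to get a table of which DC each RDS host is on; the secure channel can move again at any time, so the reset is a workaround for diagnosis, not a fix.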

Best Answer

We opened a ticket with MS support on this. They had us add this registry value on the Windows 2016 DCs and it resolved the issue.

Under HKLM\SYSTEM\CurrentControlSet\Control\Lsa, add the value RestrictRemoteSamAuditOnlyMode (DWORD) = 1, then reboot the server.
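The value named in the answer switches the Server 2016 "restrict remote calls to SAM" hardening from enforcing to audit-only mode: the DC stops denying the remote SAM calls that were failing and only logs them. The PowerShell below is an added example, not the answer author's or Microsoft's code. It applies the setting to each 2016 DC over WinRM, records the previous value and the RestrictRemoteSam SDDL so the change can be reverted later, reads the value back, and after the reboot lets you pull recent entries from the SAM operational log (the log name Microsoft-Windows-Directory-Services-SAM/Operational is an assumption) to see which callers were being denied. The DC names are placeholders; Domain Admin rights and WinRM access to the DCs are assumed. The reboot the answer requires is not triggered here.

```powershell
# Added example (not the answer author's code). Placeholders below must be replaced.
$Dcs2016   = @('dc2016-01', 'dc2016-02')                 # placeholders: the Server 2016 DCs
$KeyPath   = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa' # key from the answer
$ValueName = 'RestrictRemoteSamAuditOnlyMode'             # value from the answer

function Set-SamAuditOnlyMode {
    param([string[]]$ComputerName, [string]$KeyPath, [string]$ValueName)
    Invoke-Command -ComputerName $ComputerName -ArgumentList $KeyPath, $ValueName -ScriptBlock {
        param($KeyPath, $ValueName)
        # Record the state before the change so it can be reverted once the RDS issue is understood.
        $before = (Get-ItemProperty -Path $KeyPath -Name $ValueName -ErrorAction SilentlyContinue).$ValueName
        $sddl   = (Get-ItemProperty -Path $KeyPath -Name 'RestrictRemoteSam' -ErrorAction SilentlyContinue).RestrictRemoteSam

        # The change from the answer: DWORD = 1 means audit-only (log, do not deny).
        Set-ItemProperty -Path $KeyPath -Name $ValueName -Value 1 -Type DWord
        $after = (Get-ItemProperty -Path $KeyPath -Name $ValueName).$ValueName

        [pscustomobject]@{
            Computer              = $env:COMPUTERNAME
            ValueBefore           = if ($null -eq $before) { '(absent)' } else { $before }
            ValueAfter            = $after
            RestrictRemoteSamSddl = if ($sddl) { $sddl } else { '(default descriptor in use)' }
            RebootRequired        = $true   # per the answer, the value takes effect after a restart
        }
    }
}

function Get-RecentSamEvents {
    # Run after the reboot: shows what audit-only mode is logging in place of denials.
    # Log name is an assumption; adjust if your DCs expose the SAM log under another name.
    param([string[]]$ComputerName, [int]$MaxEvents = 25)
    foreach ($dc in $ComputerName) {
        Get-WinEvent -ComputerName $dc `
                     -LogName 'Microsoft-Windows-Directory-Services-SAM/Operational' `
                     -MaxEvents $MaxEvents -ErrorAction SilentlyContinue |
            Select-Object MachineName, TimeCreated, Id, Message
    }
}

Set-SamAuditOnlyMode -ComputerName $Dcs2016 -KeyPath $KeyPath -ValueName $ValueName | Format-Table -AutoSize
# After rebooting the DCs:
# Get-RecentSamEvents -ComputerName $Dcs2016 | Format-List
```

Because audit-only mode removes a SAM access restriction on every DC where it is set, the logged events are the useful output: they identify which computer or user accounts the 2012 R2 terminal servers were using for remote SAM calls, which lets you scope the RestrictRemoteSam security descriptor to those callers and return the DCs to enforcing mode instead of leaving the value at 1 indefinitely.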