This post aims to discuss all the common reasons why a Remote Desktop Protocol (RDP) connection can't connect to a remote computer. I will explain how to identify the cause and then show you how to fix your failing Remote Desktop Connection.

Krishnamoorthi Gopal

Krishna is working as a Senior System Administrator for a managed IT Service provider. He has 10 years of IT experience in the insurance and healthcare industries. Krishna focuses on Windows and Active Directory administration and works with various other technologies such as VMware, Azure, Hyper-V, and PowerShell.

Latest posts by Krishnamoorthi Gopal (see all)

There are many reasons why an RDP connection to a remote machine might fail. The screen below shows a typical error for a failed RDP connection.

"Remote Desktop can't connect to the remote computer for one of these reasons:"

RDP connection failed

RDP connection failed

Verify the network connectivity ^

Every admin should be familiar with this RDP error. The most common cause of a failing RDP connection concerns network connectivity issues, for instance, if a firewall is blocking access.

You can use ping, a Telnet client, and PsPing from your local machine to check the connectivity to the remote computer. Keep in mind ping won't work if ICMP is blocked on your network. The main advantage of Telnet and PsPing is that you can connect via TCP, and you can check whether the RDP port 3389 is open.

The Telnet client isn't enabled by default. Use this command to enable Telnet from a command prompt:

And use this one from a PowerShell console:

Use PsPing if you have problems enabling the Telnet client. PsPing also lets you test the connectivity to a specific TCP port. It is portable, so no installation is required.

First, try to ping the remote computer's hostname or IP address.

The remote machine connection timed out with PsPing

The remote machine connection timed out with PsPing

As you can see in the screenshot above, I was unable to ping the remote machine, and the port was not reachable as well.

If this works, and you are unable to ping the machine using the FQDN name, check whether DNS resolution is working properly. Sometimes the hostname is pointing to another machine on DNS that is either offline or not in use.

If you can't connect at all, a local firewall (Windows Firewall or third-party security software) or a network firewall might be blocking the port. The PowerShell command below lets you display the Windows Firewall state on the remote machine.

Remote computer firewall status

Remote computer firewall status

For testing purposes, you can disable Windows Firewall on the remote computer with this command:

Note that you should enable PSRemoting on the remote computer to execute the above command. If not, you can use PsExec to enable PowerShell remoting with the command below:

Verify user permissions ^

If your user account has no administrator privileges, you should be a member of the local Remote Desktop Users group to access the remote machine via RDP. By default, no members are in this group, and only members of the Administrators group can connect via RDP.

Read this 4sysops article to learn how to add users remotely to a user group.

Allow Remote Desktop Connection ^

Ensure Remote Desktop is enabled on the remote computer. The RDP listener could be inactive. You can enable the Remote Desktop Connection either from System Properties or from the registry.

Option 1: Select Start > Run, type sysdm.cpl, and select the Remote tab.

Remote computer RDP settings

Remote computer RDP settings

Option 2: Select Start > Run, type regedit, navigate to HKEY_LOCAL_MACHINE > SYSTEM > CurrentControlSet > Control > Terminal Server, and set the value for the key fDenyTSConnections to 0 (0 = Enable; 1 = Disable).

Remote computer RDP settings in the Registry

Remote computer RDP settings in the Registry

You can use this PowerShell command to enable RDP remotely:

And from the command prompt, you can use the next command if the Remote Registry service is running on the remote computer:

Verify the status of the RDP services ^

On both the local (client) computer and the remote (target) computer, the following services should be running:

  • Remote Desktop Services (TermService)
  • Remote Desktop Services UserMode Port Redirector (UmRdpService)

The UmRdpService is an RDP port redirector service, which helps redirect drives, printers, and ports from the local to the remote machine. For example, if you want to map all of your local drivers to the remote computer, this service will do the job.

If the UmRdpService service was set to disabled through a central Group Policy, RDP connections to this machine will fail. Note that sometimes restarting the service won't fix the issue, and you have to reboot the machine after reconfiguring the Startup Type to Automatic.

Remote computer RDP services status

Remote computer RDP services status

The PowerShell command below starts both of these services remotely if they are in a stopped state. Note that this only works if the service Startup Type is set to either Automatic or Manual.

The output of the command should be either 0 (started) or 10 (already running). Check out this article to learn more about return codes and their descriptions.

Identify whether Group Policy is blocking RDP ^

You can enable or disable Remote Desktop centrally through Group Policy settings. To check those settings, go to Start > Run, type gpedit.msc, navigate to Computer Configuration > Administrative Templates > Windows Components > Remote Desktop Services > Remote Desktop Session Host > Connections, and find the Allow users to connect remotely by using Remote Desktop Services setting. If the setting is Disabled, you should change it to Enabled or Not Configured.

RDP settings in Group Policy

RDP settings in Group Policy

Use GPResult (gpresult /h C:\output.htm) from a console on the remote machine to verify whether Group Policy has been applied properly. Also you can use rsop.msc to get the applied Group Policy settings on a particular machine.

Check the RDP listener port on the remote computer ^

By default, the RDP client verifies that the Remote Desktop service on the remote computer is listening on port 3389. If not, another application could be occupying the same port.

To check whether any remote session (RDP-TCP) already exists on that computer, use qwinsta, which gives you a list of local as well as remote sessions.

Using qwinsta to list sessions

Using qwinsta to list sessions

The screenshot above shows that the rdp-tcp session with session ID 65536 already exists.

To verify that the Remote Desktop service is using the correct port, use the Registry Editor. Go to Start > Run, type regedit, navigate to HKEY_LOCAL_MACHINE > SYSTEM > CurrentControlSet > Control > Terminal Server > WinStations > RDP-Tcp, and review the PortNumber setting.

RDP port setting from the registry

RDP port setting from the registry

Alternatively, you can use the command below:

If the output of the RDP port value is 0x00000d3d (hex), your RDP port is configured with a default port, which is 3389. In the screenshot above, the default RDP port was changed to 3388. In this case, either you have to change the RDP port to the default one, or you access the remote machine via the new port 3388.

In the Remote Desktop client, you have to specify the custom RDP port in the computer address space as shown in below:

RDP access with a different port

RDP access with a different port

If another application is using the RDP port, you have to find that application on the remote machine and then reconfigure it to use a port other than 3389. Use the netstat command to find the application PID listening on port 3389. And with the tasklist command, you can identify the name of the application running with this PID as shown below:

Check whether another process is using the RDP port

Check whether another process is using the RDP port

Checking RDP connectivity with PowerShell ^

Checking all those possible connectivity issues manually is a time-consuming task. I wrote a little PowerShell script that automates this task.

My Get-RDPStatus.Ps1 script checks connectivity of the remote computer via ping, FQDN, RDP ports, and RDP services, and the RDP status with NLA (Network Level Authentication). The script uses WMI cmdlets that work over RPC and therefore does not require PSRemoting. The screenshots below shows the output of the script.

The latest version is available for download from the Github.

Sample Script output 2

Sample Script output 2

Sample Script output 1

Sample Script output 1

Conclusion ^

Many articles discuss Remote Desktop connection problems. I wrote this one mainly to compile all possible causes of failed RDP connections. If you know of another possible cause, please post a comment below.

Are you an IT pro? Apply for membership!

1+
Share
4 Comments
  1. Laurent 4 weeks ago

    Hello,

    A very common error is the famous "CredSSP encryption oracle remediation" message error due to may 2018 update when it's installed on the server but not on the desktop (or the opposite).

    2+

  2. Matt D 4 weeks ago

    Great tips Krishna!

    1+

    Users who have LIKED this comment:

    • avatar
  3. Miguel Velez-White 4 weeks ago

    I tried the famous 'registry hack' for the CredSSP problem and it didn't work for me.  After further research, I came across another fix which requires a group policy edit....and it worked!!

    Here's the link:

    CredSSP Encryption Oracle Remediation Fix

    2+

    Users who have LIKED this comment:

    • avatar

Leave a reply

Your email address will not be published. Required fields are marked *

*

© 4sysops 2006 - 2019

CONTACT US

Please ask IT administration questions in the forums. Any other messages are welcome.

Sending

Log in with your credentials

or    

Forgot your details?

Create Account