Remote connections to a Windows instance can fail for many reasons. This topic describes how to troubleshoot and resolve these issues.
Use the self-service troubleshooting tool
The Alibaba Cloud self-service troubleshooting tool helps you quickly check security group configurations, the instance firewall, and the listener status of common application ports. The tool provides a detailed diagnostic report.
Go to the self-service troubleshooting page and switch to the target region.
If the self-service troubleshooting tool cannot identify the issue, follow these steps to troubleshoot the issue manually.
Manual troubleshooting
Follow these steps to check the status of the ECS instance. Then, use Cloud Assistant to send commands to the Windows instance or log on to the instance using VNC.
Step 1: Check the ECS instance status
First, check the status of the ECS instance, regardless of the cause of the remote logon failure. An instance must be in the Running state to provide services. Follow these steps:
Go to ECS console - Instance.
In the top navigation bar, select the region and resource group of the resource that you want to manage.
On the Instances page, find the instance and check its Status. If the instance is not in the Running state, start it before you continue.
Step 2: Log on to the ECS instance using VNC
If Cloud Assistant is unavailable or does not meet your requirements, you can use the Alibaba Cloud VNC tool to log on remotely. Follow these steps:
Go to ECS console - Instance.
In the top navigation bar, select the region and resource group of the resource that you want to manage.
In the Remote connection dialog box, click Show Other Logon Methods. Then, under VNC, click Sign in now.
Log on to the instance operating system.
Click the icon in the upper-left corner of the page. Enter the logon password for the instance and press Enter.
Note: The default account for a Windows instance is Administrator.
Step 3: Send commands to the Windows instance using Cloud Assistant
You can send commands to the Windows instance using Alibaba Cloud Cloud Assistant. Follow these steps:
Go to ECS console - Instance.
In the top navigation bar, select the region and resource group of the resource that you want to manage.
No specific error message is returned
If the remote connection fails without returning an error message and the ECS instance is in the Running state, follow these steps to troubleshoot the issue:
Step 1: Use Alibaba Cloud Workbench to test the remote logon
You can use the Workbench tool provided by Alibaba Cloud to log on remotely. If the remote logon fails, Workbench returns a specific error message and a solution. Follow these steps to perform the test:
Go to ECS console - Instance.
In the top navigation bar, select the region and resource group of the resource that you want to manage.
In the Remote Connection dialog box, under Connect With Workbench, click Log On Now.
Workbench automatically fills in the basic information required to log on to the target instance. Confirm that the information is correct and enter the username and authentication credentials. Then, take the appropriate action based on the result:
If you still cannot log on, Workbench returns an error message and a solution. Follow the on-screen instructions to resolve the issue and then try to connect again. You can connect to the instance using VNC to resolve common issues that occur when you use Workbench.
If you can log on to the instance using Workbench but cannot log on remotely from your local computer, the remote connection port and service on the instance are working as expected. In this case, troubleshoot the issue on your local client and the network between it and the instance.
Step 2: Check for blackhole filtering notifications
Check whether you have received a blackhole filtering notification for the instance. During blackhole filtering, the instance cannot access the Internet. For more information, see Alibaba Cloud blackhole filtering policy.
Step 3: Check ports and security groups
Check whether the security group rules are blocking the connection. Follow these steps:
Go to ECS console - Instance.
In the top navigation bar, select the region and resource group of the resource that you want to manage.
On the Instances page, click the instance ID.
Click the Security Groups tab. Find the security group you want to manage in the Security Group List and click Manage Rules in the Actions column.
Select the direction for the security group rule.
On the Security Group Details tab, you can use one of the following methods to add a security group rule.
Method 1: Quickly add a security group rule
Select RDP Connection to a Windows Instance
Method 2: Manually add a security group rule
Action: Allow
Priority: 1 (A lower value indicates a higher priority; 1 is the highest priority.)
Protocol: Custom TCP
Source address: 0.0.0.0/0 (all IPv4 addresses). An RDP port that is open to the whole Internet is continuously probed and brute-forced, so use 0.0.0.0/0 only while you confirm the connection works, then narrow the rule to the public IP address or CIDR block of your client.
Port range: the RDP port. The default is 3389.
Connect to the remote desktop in the IP:Port format. Run the following command to test whether the port is reachable:
telnet <IP> <Port>
Note: <IP> is the IP address of the Windows instance and <Port> is the RDP port number of the Windows instance.
For example, if you run telnet 192.168.0.1 4389 and the port is reachable, telnet prints output similar to the following:
Trying 192.168.0.1...
Connected to 192.168.0.1.
Escape character is '^]'.
If the port test fails, see Check port availability when the ping command is successful but the port is unreachable for troubleshooting.
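The same reachability test from a Windows client, as an added PowerShell example that is not part of the Alibaba Cloud page: it distinguishes "host unreachable", "host up but port closed" and "port open", which maps onto the next troubleshooting steps. The IP address and port are the page's own example values; Test-NetConnection needs PowerShell 4.0 or later on the client.

```powershell
# Added example: client-side reachability check for the RDP port, run on the
# local Windows client (PowerShell 4.0+, Windows 8.1 / Server 2012 R2 or later).
# 192.168.0.1:4389 are the page's example values, not a real host.
function Test-RdpReachability {
    param(
        [Parameter(Mandatory)][string]$ComputerName,
        [int]$Port = 3389
    )

    # Test-NetConnection does an ICMP echo and a TCP handshake in one call.
    # -WarningAction SilentlyContinue hides the noisy "TCP connect failed" warning.
    $r = Test-NetConnection -ComputerName $ComputerName -Port $Port -WarningAction SilentlyContinue

    $result = [pscustomobject]@{
        Target        = "$ComputerName`:$Port"
        PingSucceeded = $r.PingSucceeded
        TcpSucceeded  = $r.TcpTestSucceeded
        SourceAddress = $r.SourceAddress.IPAddress
        Diagnosis     = ''
    }

    if ($r.TcpTestSucceeded) {
        # Security group, instance firewall and listener all pass traffic:
        # a failure after this point is credentials, NLA or the local RDP client.
        $result.Diagnosis = 'TCP port open: check credentials, NLA and the local RDP client'
    } elseif ($r.PingSucceeded) {
        # ICMP reaches the host but the RDP port does not: security group rule,
        # Windows Firewall rule, or the listener is not bound to this port.
        $result.Diagnosis = 'Host reachable, port closed: check security group, firewall, listener'
    } else {
        # Neither ICMP nor TCP: instance stopped, blackhole filtering, or a path problem.
        $result.Diagnosis = 'Host unreachable: check instance state, blackhole filtering, network path'
    }
    return $result
}

# Replace with your instance's public IP address and RDP port. ICMP can be
# blocked by a security group while RDP still works, so a failed ping on its
# own is not conclusive; the TcpSucceeded field is the one that matters.
Test-RdpReachability -ComputerName '192.168.0.1' -Port 4389 | Format-List
```

Run it once from the client that fails and once from a machine on another network; if only the first fails, the problem is on the client side or its path, which is the conclusion Step 7 draws from the same comparison.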
Step 4: Check the firewall configuration
You must have permissions to modify the instance firewall to perform this step. If the firewall is enabled, you may need to modify its configuration policy. For more information, see Manage the system firewall of a Windows instance.
In the menu bar, select Start > Control Panel. Set View By to Small Icons. Then, click Windows Firewall.
In the Windows Firewall window, click Advanced Settings.
Enable the firewall configuration.
In the Windows Firewall With Advanced Security window, click Windows Firewall Properties.
Select On (recommended) and click Apply.
We recommend enabling the firewall on the Domain Profile, Private Profile, and Public Profile tabs.
In the Windows Firewall With Advanced Security window, click Inbound Rules. In the right pane, scroll to the bottom. Right-click Remote Desktop - User Mode (TCP-In) and select Enable Rule.
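The same checks from PowerShell, useful when you reach the instance through Cloud Assistant rather than the GUI. This is an added example, not code from the Alibaba Cloud page; it uses the NetSecurity cmdlets shipped with Windows Server 2012 and later, and the client IP address 203.0.113.10 is a placeholder you must replace.

```powershell
# Added example: inspect and repair the Windows Firewall settings that gate RDP.
# Run in an elevated PowerShell on the instance (via Cloud Assistant or VNC).

# 1. Profile state: the page recommends keeping all three profiles enabled.
Get-NetFirewallProfile | Select-Object Name, Enabled, DefaultInboundAction

# 2. The built-in "Remote Desktop" rule group. Enabled = False on
#    "Remote Desktop - User Mode (TCP-In)" is the case the page describes.
Get-NetFirewallRule -DisplayGroup 'Remote Desktop' |
    Select-Object DisplayName, Enabled, Profile, Direction, Action

# 3. Enable the whole group (TCP and UDP user-mode rules, plus shadowing).
Enable-NetFirewallRule -DisplayGroup 'Remote Desktop'

# 4. The built-in rules are bound to port 3389. If the listener was moved to a
#    custom port (the page's telnet example uses 4389), they no longer match and
#    a dedicated rule is needed. Restrict -RemoteAddress to your client's public
#    IP rather than Any; 203.0.113.10 is a placeholder (TEST-NET-3).
$rdpPort = (Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp').PortNumber
$customName = "RDP custom port $rdpPort"
if ($rdpPort -ne 3389 -and -not (Get-NetFirewallRule -DisplayName $customName -ErrorAction SilentlyContinue)) {
    New-NetFirewallRule -DisplayName $customName -Direction Inbound -Protocol TCP `
        -LocalPort $rdpPort -Action Allow -Profile Any -RemoteAddress '203.0.113.10' | Out-Null
}

# 5. Confirm which enabled inbound allow rules actually cover the RDP port.
Get-NetFirewallRule -Enabled True -Direction Inbound -Action Allow |
    Get-NetFirewallPortFilter |
    Where-Object { $_.Protocol -eq 'TCP' -and $_.LocalPort -eq $rdpPort } |
    Select-Object InstanceID, Protocol, LocalPort
```

Step 5 prints the rules by InstanceID (the rule name); if nothing is listed for the port the listener uses, the firewall is the reason the port test in Step 3 fails even though the security group allows it.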
Step 5: Check the Remote Desktop service
Check whether Remote Desktop Service is enabled on the Windows server. Follow these steps:
This step uses Windows Server 2012 as an example. The steps may vary depending on your operating system version.
Right-click the Start menu and click System.
In the System window, click Remote Settings.
In the Remote Desktop area, you can select Allow Remote Connections To This Computer, and then click OK.
Start the Remote Desktop Services service.
In the Start menu, select Administrative Tools > Component Services > Services (Local). In the right pane, find the Remote Desktop Services service and check its status. If the service is not running, start it.
Load the drivers and services on which Remote Desktop Service depends.
For security purposes, some key services on which Remote Desktop Service depends are sometimes disabled by mistake. This can cause Remote Desktop Service to stop working correctly. To resolve this, perform the following check.
Right-click the Start menu, click Run, enter msconfig, and click OK. In the System Configuration dialog box, on the General tab, select Normal Startup, click OK, and restart the instance when prompted.
Step 6: Check the remote terminal service configuration
The remote desktop of a Windows instance may be unreachable because of incorrect configuration of the remote terminal service.
This example uses Windows Server 2008. The operations for other Windows Server versions are similar.
Exception 1: The server-side self-signed certificate is damaged
If the local client runs a version of Windows later than Windows 7, it attempts to establish a Transport Layer Security (TLS) connection with the ECS instance. If the self-signed certificate that is used for the TLS connection on the ECS instance is corrupted, the remote connection fails.
Select Start > Administrative Tools > Remote Desktop Services > Remote Desktop Session Host Configuration.
In the Connections section, right-click RDP-Tcp and click Properties.
In the RDP-Tcp Properties window, set Security Layer to RDP Security Layer and click OK. This makes the listener stop using TLS, and Network Level Authentication cannot be used with it, so treat it as a temporary workaround: once the self-signed certificate has been regenerated (see Step 12), set Security Layer back to SSL (TLS 1.0) or Negotiate.
In the Actions section, click Disable Connection and then Enable Connection.
Exception 2: The Remote Desktop Session Host Configuration connection is disabled
The output of the netstat command shows that the port is not listening.
After you log on to a Windows instance using VNC, you may find that the Remote Desktop Protocol (RDP) connection is disabled. In this case, you can re-enable the RDP-Tcp Connection. For more information, see Exception 1: The server-side self-signed certificate is damaged.
Exception 3: Terminal server role configuration
When you use RDP to connect to a Windows instance, the following error message may appear: "If you are not a member of the Remote Desktop Users group or another group that has these permissions, or if the Remote Desktop Users group does not have these permissions, you must be granted these permissions manually."
This issue occurs if the Terminal Server (Remote Desktop Session Host) role is installed on the server without valid licensing. To resolve the issue, log on to the server, right-click Computer, and then select Roles > Remove Role Services to remove the role.
Step 7: Check the network
If you cannot connect to a Windows instance remotely, first check whether the network is working correctly.
Use computers in other network environments, such as different network segments or from different carriers, to test the connection. This helps determine whether the issue is with the on-premises network or the server.
If the issue is with your on-premises network or carrier, contact your local IT staff or the carrier to resolve it.
If the network interface card (NIC) or NIC driver is not working correctly, you may need to update the NIC driver. Follow these steps:
Run the ping command on your local client to test the network connectivity to the instance. If a network issue occurs, see Use a packet capture tool to capture network packets for troubleshooting.
If ping packets are lost or the ping fails, use MTR to analyze network paths for troubleshooting.
If intermittent packet loss occurs and the network of your ECS instance is unstable, see Link interruption to resolve the issue.
If you receive a General Failure error when you ping a client from your instance, see A "General failure" error is reported when you ping a public IP address from a Windows instance to resolve the issue.
Step 8: Check the CPU load, bandwidth, and memory usage
A remote connection to a Windows instance may be unreachable because of high CPU load, insufficient bandwidth, or insufficient memory.
Select the appropriate operation based on the CPU load.
If the CPU load is not high, proceed to the public bandwidth check below.
If the CPU load is high, resolve the issue as described in this step.
Log on to the instance from the terminal on the Instance Details page and check whether Windows Update is running in the background. A high CPU load is expected if Windows Update is running. Wait for the update to complete.
If the applications that are hosted on an instance perform many disk read/write operations, initiate many network requests, or generate compute-intensive workloads, a high CPU load is expected. In this case, you can upgrade the instance type to resolve resource bottlenecks.
Note: For more information about how to resolve high CPU loads, see What do I do if a Windows instance has high CPU utilization?.
Troubleshooting insufficient public bandwidth.
A remote connection may fail due to insufficient public bandwidth. Follow these steps to troubleshoot the issue.
Go to ECS console - Instance.
In the top navigation bar, select the region and resource group of the resource that you want to manage.
On the Instances page, click the instance ID. On the Instance Details tab, you can view the Public Bandwidth in the Configuration Information section.
If the public bandwidth is 0 Mbps, the instance was created without public bandwidth. You can resolve this issue by upgrading the public bandwidth.
Check for insufficient memory.
After you connect to a Windows instance remotely, the desktop may not display correctly and the connection may close without an error message. This can be caused by insufficient server memory. Follow these steps to check the memory usage.
Go to Start > Administrative Tools > Event Viewer and check for warning logs that indicate insufficient memory.
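A read-only resource snapshot that covers the CPU and memory checks in this step in one Cloud Assistant command, as an added example (not from the Alibaba Cloud page). It assumes nothing beyond built-in cmdlets; the event filter targets the standard Windows Resource-Exhaustion-Detector warning (System log, event ID 2004), which is what Event Viewer shows when the system runs low on memory.

```powershell
# Added example: CPU, memory and memory-exhaustion warnings in one pass.
# Everything here is a read-only query.

$os = Get-CimInstance -ClassName Win32_OperatingSystem
$memTotalMB = [math]::Round($os.TotalVisibleMemorySize / 1KB)   # values are in KB
$memFreeMB  = [math]::Round($os.FreePhysicalMemory / 1KB)

# CPU: three one-second samples of the total counter, averaged.
$cpu = (Get-Counter '\Processor(_Total)\% Processor Time' -SampleInterval 1 -MaxSamples 3).CounterSamples |
    Measure-Object -Property CookedValue -Average | Select-Object -ExpandProperty Average

[pscustomobject]@{
    CpuPercent    = [math]::Round($cpu, 1)
    MemoryTotalMB = $memTotalMB
    MemoryFreeMB  = $memFreeMB
    MemoryUsedPct = [math]::Round(100 * (1 - $memFreeMB / $memTotalMB), 1)
    LastBoot      = $os.LastBootUpTime
} | Format-List

# Top CPU consumers. TiWorker or an svchost hosting wuauserv at the top is the
# benign Windows Update case the page mentions; wait for it to finish.
Get-Process | Sort-Object CPU -Descending |
    Select-Object -First 5 Name, Id, CPU, @{n = 'WorkingSetMB'; e = { [math]::Round($_.WorkingSet64 / 1MB) }}

# The "insufficient memory" warnings the page tells you to look for in Event
# Viewer, limited to the last 7 days.
Get-WinEvent -FilterHashtable @{
    LogName      = 'System'
    ProviderName = 'Microsoft-Windows-Resource-Exhaustion-Detector'
    Id           = 2004
    StartTime    = (Get-Date).AddDays(-7)
} -ErrorAction SilentlyContinue | Select-Object -First 5 TimeCreated, Message
```

Event 2004 messages name the processes that consumed the most virtual memory at the time, which is usually faster than reading the Event Viewer tree by hand.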
Step 9: Check the system security policy settings
Check whether any security policies on the Windows server are blocking remote desktop connections. Follow these steps.
Select Start > Control Panel > Administrative Tools, and then double-click Local Security Policy.
In the Local Security Policy window, click IP Security Policies On Local Computer. The next step depends on whether a security policy already exists.
If a relevant security policy exists, delete or edit it.
To delete the security policy, right-click it and select Delete. In the dialog box that appears, click Yes.
Double-click the IP security policy to open it, reconfigure it to allow remote desktop connections, and then try to connect again using Remote Desktop.
If no relevant security policy exists, proceed to Step 10: Check the antivirus software.
Step 10: Check the antivirus software
Remote connection failures may be caused by third-party antivirus software settings. Use the following methods to resolve this issue. This section provides two case studies of how SafeDog configuration can cause remote access to fail.
If antivirus software is running in the background, connect to the instance using VNC to upgrade the antivirus software to the latest version or uninstall it. For more information about how to connect to an ECS instance using VNC, see Methods for connecting to an ECS instance.
Use a commercial antivirus product or the free Microsoft Safety Scanner to scan for and remove viruses in safe mode. For more information, see Microsoft Safety Scanner.
Case 1: Interception by the SafeDog blacklist
If the following situations occur after you install SafeDog, check if security settings or interceptions are configured in the protection software.
The local client cannot connect to the Windows instance remotely, but clients in other regions can.
You cannot ping the server's IP address, and a route trace that uses the tracert command shows that the server is unreachable. The local public IP address is not blocked by Security Center.
Open Server Safe Dog, select Network Firewall, and click the icon to the right of Super Blacklist/White List. If the public IP address of the ECS instance is in the Super Blacklist, delete the blacklist rule and add the public IP address to the Super Whitelist.
If the traffic scrubbing threshold is set too low in Security Center, the public IP address of the instance may be blocked. We recommend that you increase the traffic scrubbing threshold to prevent the public IP address of the instance from being blocked. For more information, see Anti-DDoS Origin Basic.
Case 2: SafeDog program error
After you log on to a Windows instance using VNC, SafeDog displays an error message in the lower-right corner of the taskbar, such as The network driver is not working correctly (the driver service is not started). Download the latest version to overwrite the installation and restart the OS.
This issue may be caused by a SafeDog software error. Uninstall the SafeDog software from the Windows system and restart the ECS instance to restore the network.
Step 11: Abnormal Windows registry configuration
Incorrect configurations in the Windows registry may block RDP connections. Follow these steps to fix the issue.
In the Run dialog box, enter regedit and click OK to open the Registry Editor.
In Registry Editor, modify the following parameter configurations.
Set the fEnableWinStation value in HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp to 1.
Set the fDenyTSConnections value in HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server to 0.
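The registry fixes from this step, together with the listener settings that Step 6 changes through the Remote Desktop Session Host Configuration dialog, as one added PowerShell example (not Alibaba Cloud's own code). It assumes only the registry paths named on this page and the standard value meanings for SecurityLayer (0 = RDP Security Layer, 1 = Negotiate, 2 = SSL/TLS) and UserAuthentication (1 = Network Level Authentication required).

```powershell
# Added example: read the effective RDP-Tcp listener state, apply the two
# registry fixes from Step 11, and flag the TLS downgrade from Step 6.
# Run elevated on the instance through VNC or Cloud Assistant, not over the RDP
# session you are trying to repair: the final restart drops RDP sessions.

$tsRoot   = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'
$listener = Join-Path $tsRoot 'WinStations\RDP-Tcp'

function Get-RdpListenerState {
    $root = Get-ItemProperty -Path $tsRoot
    $rdp  = Get-ItemProperty -Path $listener
    [pscustomobject]@{
        fDenyTSConnections = $root.fDenyTSConnections   # must be 0
        fEnableWinStation  = $rdp.fEnableWinStation     # must be 1
        PortNumber         = $rdp.PortNumber            # 3389 unless changed
        SecurityLayer      = $rdp.SecurityLayer         # 2 (TLS) is the safe setting
        UserAuthentication = $rdp.UserAuthentication    # 1 = NLA required
        # Same check as "netstat shows the port is not listening" in Exception 2.
        Listening          = [bool](Get-NetTCPConnection -State Listen -LocalPort $rdp.PortNumber -ErrorAction SilentlyContinue)
    }
}

'Before:'; Get-RdpListenerState | Format-List

# Step 11 fixes. Set-ItemProperty creates the DWORD if it is missing.
Set-ItemProperty -Path $tsRoot   -Name fDenyTSConnections -Value 0 -Type DWord
Set-ItemProperty -Path $listener -Name fEnableWinStation  -Value 1 -Type DWord

# Step 6, Exception 1 sets SecurityLayer to 0 as a workaround for a broken
# self-signed certificate. That removes TLS from the connection and rules out
# NLA, so once the certificate is regenerated (Step 12) restore the TLS setting.
if ((Get-ItemProperty -Path $listener).SecurityLayer -eq 0) {
    Write-Warning 'RDP-Tcp uses "RDP Security Layer": set SecurityLayer back to 2 after fixing the certificate.'
}

# Listener settings are read when Remote Desktop Services starts. -Force also
# restarts the dependent UmRdpService.
Restart-Service -Name TermService -Force

'After:'; Get-RdpListenerState | Format-List
```

After the restart, Listening should be True on the configured PortNumber; if it is not, go back to the service checks in Step 5, because the registry values are correct but the service itself is not coming up.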
Step 12: The Windows RDP self-signed certificate has expired
An expired RDP self-signed certificate may cause remote logon failures. Follow these steps to fix the issue.
Run Windows PowerShell as an administrator.
In the Windows PowerShell window, run the following command to check whether the current certificate has expired. Compare NotAfter with the current date and time.
Get-Item 'Cert:\LocalMachine\Remote Desktop\*' | Select-Object Thumbprint, NotAfter
If the certificate has expired, run the following commands to delete the self-signed certificate and restart the TermService service. Restarting TermService disconnects active RDP sessions, so run the commands from VNC or Cloud Assistant rather than from the RDP session you are trying to fix.
Remove-Item -Path 'Cert:\LocalMachine\Remote Desktop\*' -Force -ErrorAction SilentlyContinue
Restart-Service TermService -Force
After the TermService service is restarted, the system automatically generates a new self-signed certificate.
Run the following command to confirm that the new certificate has a different thumbprint and a NotAfter date in the future.
Get-Item 'Cert:\LocalMachine\Remote Desktop\*' | Select-Object Thumbprint, NotAfter
Note: The default validity period of an RDP self-signed certificate is six months.
A specific error message is returned
A protocol error occurs when you remotely connect to a Windows ECS instance
Authorization-related:
Connection count-related: