In some situations, you might not be able to connect to your Compute Engine Windows instance with RDP. This might be due to configuration errors, network errors, or the boot process might not have completed.
This page describes a number of tips and approaches to troubleshoot and resolve common RDP issues.
Ensure the instance is online and ready
Once the boot process is completed, which might take a few minutes, the status of your Windows instance is available through serial console output. Connect to the read only or interactive serial console to check if the instance is ready.
Serial Console 1 (read only)
- Open your Windows instance from the VM instances page in Google Cloud console.
Click the drop-down arrow next to Connect to serial console, and select Serial port 1, or the
gcloudSDK command below:gcloud compute connect-to-serial-port [INSTANCE_NAME] --port 1Confirm that the instance has started, and has attempted to run startup scripts.
Booting from Hard Disk 0... GCEWindowsAgent: GCE Agent Started (version x.x.x@x) GCEMetadataScripts: No startup scripts to run.
Serial Console 2 (interactive)
Enable interactive access on the serial console by using the VM instance page , or the
gcloudSDK command below:gcloud compute instances add-metadata [INSTANCE_NAME]^ --metadata=serial-port-enable=1Open your Windows instance from the VM instances page in Google Cloud console.
Click the drop-down arrow next to Connect to serial console, and select Serial port 2. Alternatively, you can run the following
gcloudSDK command:gcloud compute connect-to-serial-port [INSTANCE_NAME] --port 2Confirm that the cmd process is available to use.
Check your VPC firewall rules
Compute Engine automatically provisions new projects with a firewall rule that allows RDP traffic. If you have an existing project, or have modified the configurations, the default firewall rule that permits RDP might not exist. Confirm that a rule allows RDP traffic to connect to the network that your affected instance is on.
To check if the
default-allow-rdp
firewall rule exists on your project, check the
Firewall rules page, or run
the following gcloud SDK command:
gcloud compute firewall-rules list
To create a new rule if one does not exist, create a rule with the following command:
gcloud compute firewall-rules create allow-rdp --allow tcp:[PORT_NUMBER]
Check your Windows instance password
Each Compute Engine Windows instance must have a local password set
if it is not already on a domain or custom image. Confirm you have the correct
password set by
connecting to the Windows SAC
through the gcloud command-line tool or Cloud Console.
If you have problems connecting, try creating or resetting the password on the Windows instance.
Verify the external IP address
Ensure that you're connecting to the correct external IP address for the
instance. View the IP for the instance from the
VM instance page
or by using the following gcloud SDK command:
gcloud compute instances list
Use of Windows Remote Desktop Services (RDS)
If you have Windows Remote Desktop Services (formerly known as Terminal Services) installed on your instance, then the conditions of the Client Access Licenses (CALs) are enforced. With these CALs, RDP connections will fail under any of the following conditions:
- You have used all your available licenses
- Your license is installed, but not configured or activated correctly
- Your RDS trial period of 180 days has expired
Symptoms that you may not have enough valid licenses include messages such as:
- This remote session was disconnected because there are no Remote Desktop License Servers available to provide a license.
- The remote session was disconnected because of an error related to licensing in terminal server.
- The remote session was disconnected because there are no Remote Desktop client access licenses available for this computer.
If your RDP connections fail, you can use the admin switch to connect to the instance for administrative purposes. This can be done on a Windows machine by using the native Remote Desktop Connection client.
%systemroot%/system32/mstsc.exe /admin
To resolve issues with RDP connections, purchase new licenses for your instance. For more details about CALs, review the Microsoft documentation. Alternatively, if Remote Desktop Services is not required, uninstall the service and use the regular RDP connections.
Check the OS configuration
If the environment and configurations for the instance are correct, the operating system on the instance might be misconfigured. You can use the interactive serial console to connect to the instance and troubleshoot the problem.
Connect to the instance through one of the available command line methods, and run the following commands to ensure that the instance is accepts connections:
Check to see that the 'Remote Desktop Service' is running:
- Command: net start | find "Remote Desktop Services"
- Pass: Remote Desktop Service
- Fail: (Remote Desktop Service missing from output)
- Solution: net start "Remote Desktop Services"
Check that Remote Connections are enabled:
- Command: reg query "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server" /v fDenyTSConnections
- Pass: fDenyTSConnections REG_DWORD 0x0
- Fail: fDenyTSConnections REG_DWORD 0x1
- Solution: reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server" /f /v fDenyTSConnections /t REG_DWORD /d 0
Ensure that the Windows firewall has Remote Desktop Connections enabled:
- Command: netsh advfirewall firewall show rule name="Remote Desktop - User Mode (TCP-In)"
Pass: Enabled:Yes, Direction: In, Profiles: Public, Grouping: Remote Desktop, LocalIP: Any, RemoteIP: Any, Protocol:TCP, LocalPort: 3389, RemotePort: Any, Edge traversal: No, Action: Allow
Fail: (unexpected results, such as enabled = No)
Solution: netsh firewall set service remotedesktop enable
Check to see what port number is configured for RDP connections on the remote instance:
- Command: reg query "HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp" /v PortNumber
- Pass: PortNumber REG_DWORD [PORT NUMBER]
- Fail: (unexpected port number)
Solution: reg add "HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp" /f /v PortNumber /t REG_DWORD /d [PORT NUMBER]
Ensure that connected user account has permissions for remote connections:
- Command: net localgroup "Remote Desktop Users"
- Pass: (target local/domain username in resulting list)
- Fail: (target local/domain username missing)
Solution: net localgroup "Remote Desktop Users" /add [DOMAIN\USERNAME]
Verify that your MTU size is no greater than the MTU of the network:
- Command: netsh interface ipv4 show subinterfaces
- Pass: When the number after the MTU matches the MTU of the VPC network.
- Fail: When the number after MTU is larger than the MTU of the VPC network.
Solution: netsh interface ipv4 set subinterface Ethernet mtu=MTU_OF_VPC_NETWORK
Note: VPC networks have a default maximum transmission unit (MTU) of1460bytes. However, the network MTU can be set to1500bytes. See Maximum transmission unit for background on network MTUs.
Ensure that your antivirus/endpoint protection client settings allow for the configured port number and services.
Use your disk on a new instance
If the other troubleshooting steps do not resolve your connection issue, you might be able to delete the existing instance and preserve your persistent disk. Remount the disk to a new instance and make another troubleshooting attempt, or simply recover existing data from the disk.
gcloud compute instances delete [INSTANCE_NAME] --keep-disks=boot
gcloud compute instances create [NEW_INSTANCE_NAME] --disk name=[DISK_NAME],boot=yes,auto-delete=no