Various factors may cause you to be unable to connect to a Windows Elastic Compute Service (ECS) instance. When you cannot connect to a Windows instance, perform operations based on your actual scenario to troubleshoot the issue. This topic describes how to troubleshoot the issues that prevent you from connecting to a Windows instance.
Quick connection to a Windows instance
If you want to connect to and manage a Windows instance in the event of an emergency, you can perform the following steps to check the status of the instance, connect to the instance by using Virtual Network Computing (VNC), and then send commands to the instance by using Cloud Assistant:
Step 1: Check the status of the instance
Before you can identify the cause of the connection failure, you must check the status of the instance. An instance can provide external services only if the instance is in the Running state.
Go to ECS console - Instance.
In the top navigation bar, select the region and resource group of the resource that you want to manage.
Step 2: Connect to the instance by using VNC
If Cloud Assistant is not available or cannot meet your business requirements, you can use VNC to connect to the instance.
Go to ECS console - Instance.
In the top navigation bar, select the region and resource group of the resource that you want to manage.
In the Remote connection dialog box, click Show Other Logon Methods and then click Sign in now in the VNC section.
Log on to the operating system of the instance.
In the upper-left corner of the page that appears, choose .
Enter the logon password of the instance and press the Enter key.
Note: The default account for Windows instances is Administrator.
Step 3: Send commands to the instance by using Cloud Assistant
You can send commands to the instance by using Cloud Assistant.
Go to ECS console - Instance.
In the top navigation bar, select the region and resource group of the resource that you want to manage.
No error message returned
If no error message is returned when you cannot connect to a Windows instance that is in the Running state, perform the following steps to troubleshoot the issue:
Step 1: Use Alibaba Cloud Workbench to connect to the instance
Use Workbench to connect to the instance. If you cannot connect to the instance by using Workbench, Workbench reports an error message and a corresponding solution.
Go to ECS console - Instance.
In the top navigation bar, select the region and resource group of the resource that you want to manage.
In the Remote connection dialog box, click Sign in now in the Workbench section.
In the Instance Login dialog box, the basic information about the instance is automatically populated by Workbench. Make sure that the basic information is correct, and enter a username and authentication information for the instance. Then, perform operations based on the following results:
You cannot connect to the instance by using Workbench, and Workbench reports an error message and a corresponding solution. You can follow the on-screen instructions to resolve the issue and then use Workbench to connect to the instance. If issues occur when you connect to instances by using Workbench, you can connect to the instance by using VNC.
You can connect to the instance by using Workbench but cannot connect to the instance from the on-premises server. This indicates that the connection ports and services on the instance work as expected. Proceed to the next step to continue troubleshooting.
Step 2: Check whether you received a blackhole filtering notification for the instance
Check whether you received a blackhole filtering notification for the instance. During blackhole filtering, the instance does not have Internet connectivity. For more information, see Blackhole filtering policy of Alibaba Cloud.
Step 3: Check the ports and security groups of the instance
Check whether the security groups of the instance are properly configured.
Go to ECS console - Instance.
In the top navigation bar, select the region and resource group of the resource that you want to manage.
On the Instance page, click the ID of the instance that you want to manage.
Click the Security Groups tab. In the security group list, find a security group that you want to manage and click Manage Rules in the Operation column.
Select the direction to which the security group rule applies.
On the Security Group Details tab, use one of the following methods to add security group rules:
Method 1: Use the Quick Add feature to add a security group rule
Action: Allow.
Port Range: RDP (3389).
Authorization Object: 0.0.0.0/0, which specifies all IP addresses.
Method 2: Manually add a security group rule
Action: Allow.
Priority: 1, which indicates the highest priority. A smaller number indicates a higher priority.
Protocol Type: Custom (TCP).
Port Range: the RDP port of the instance. If the instance uses RDP port 3389, set this parameter to 3389.
Authorization Object: 0.0.0.0/0, which specifies all IP addresses.
Specify the IP address and the port in the <IP address:Port> format to connect to the instance by using Remote Desktop. Run the following command to check whether the port works as expected:
telnet <IP> <Port>
Note: Replace the <IP> variable with the IP address of the Windows instance, and replace the <Port> variable with the Remote Desktop Protocol (RDP) port number of the Windows instance.
For example, after you run the telnet 192.168.0.1 4389 command, the following command output is returned:
Trying 192.168.0.1 ... Connected to 192.168.0.1 4389. Escape character is '^]'
If the port check fails, troubleshoot the issue by referring to What do I do if I cannot ping the public IP address of an ECS instance?
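The same port check can be run from a Windows client without telnet, which is not installed by default on recent Windows versions. The following PowerShell script is an added example, not part of the original topic; the IP address and port are constructed placeholders, and it assumes a Windows 8 / Windows Server 2012 or later client that has the Test-NetConnection cmdlet.

```powershell
# Added example: test reachability of the RDP port of an ECS instance from the on-premises client.
# The instance IP and port below are placeholders (constructed for this example).
param(
    [string]$InstanceIp = '192.0.2.10',   # placeholder: replace with the public IP of the instance
    [int]$RdpPort       = 3389            # replace if the instance uses a custom RDP port
)

# Test-NetConnection does an ICMP ping and a TCP handshake to the given port.
$result = Test-NetConnection -ComputerName $InstanceIp -Port $RdpPort -WarningAction SilentlyContinue

if ($result.TcpTestSucceeded) {
    "TCP ${InstanceIp}:$RdpPort is reachable. The security group and the port are not the cause; check RDS and authentication on the instance."
}
elseif ($result.PingSucceeded) {
    "The instance answers ICMP but TCP port $RdpPort is closed or filtered. Check the security group rule, the Windows firewall, and whether RDS listens on the port."
}
else {
    "No ICMP or TCP response from $InstanceIp. Check the instance state, blackhole filtering, and the security group. ICMP may also be blocked by design, so TcpTestSucceeded is the decisive value."
}
```

Because the security group rule in the step above allows 0.0.0.0/0, the check succeeds from any client; once the connection is restored, narrowing the Authorization Object to the CIDR block of the clients that actually need RDP reduces the exposure of port 3389.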
Step 4: Check the firewall settings of the instance
You can perform this step only when you have permissions to disable the firewall of the instance. Check whether the firewall is disabled. If the firewall is enabled, modify the firewall configuration policy. For more information, see Manage the system firewall of a Windows instance.
In the lower-left corner of the taskbar, choose .
Set View by to Small icons. Then, click Windows Firewall.
In the Windows Firewall window, click Advanced settings.
Enable firewalls.
In the Windows Firewall with Advanced Security window, click Windows Firewall Properties.
Select the On (recommended) option and click Apply.
We recommend that you enable all firewalls on the Domain Profile, Private Profile, and Public Profile tabs.
In the Windows Firewall with Advanced Security window, click Inbound Rules. Scroll down and find the Remote Desktop - User Mode (TCP-In) rule. Then, right-click the rule and select Enable Rule.
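The firewall state and the Remote Desktop inbound rules can also be verified from an elevated PowerShell session on the instance (for example, one opened over VNC). The following script is an added example, not part of the original topic; it assumes Windows Server 2012 or later, where the NetSecurity cmdlets are available, and the custom port value is a constructed placeholder.

```powershell
# Added example: inspect and re-enable the built-in Remote Desktop firewall rules.
# Run in an elevated PowerShell session on the instance.

# 1. State of the three profiles the step recommends keeping enabled.
Get-NetFirewallProfile | Select-Object Name, Enabled, DefaultInboundAction

# 2. Inbound rules of the "Remote Desktop" group, including "Remote Desktop - User Mode (TCP-In)".
$rdpRules = Get-NetFirewallRule -DisplayGroup 'Remote Desktop' -Direction Inbound
$rdpRules | Select-Object DisplayName, Enabled, Profile, Action

# 3. Enable every rule of the group that is currently disabled.
$rdpRules | Where-Object { $_.Enabled -ne 'True' } | Enable-NetFirewallRule

# 4. The built-in rules only match port 3389. If RDS was moved to a custom port, add a
#    dedicated allow rule for that port instead of disabling the firewall.
$rdpPort = 3389   # placeholder: set to the custom port if the instance uses one
if ($rdpPort -ne 3389) {
    $ruleName = "Remote Desktop custom port $rdpPort"
    if (-not (Get-NetFirewallRule -DisplayName $ruleName -ErrorAction SilentlyContinue)) {
        New-NetFirewallRule -DisplayName $ruleName -Direction Inbound -Protocol TCP `
            -LocalPort $rdpPort -Action Allow -Profile Any
    }
}
```

Keeping the firewall enabled and adding a scoped rule, as the script does, is preferable to turning the profiles off: the instance still drops traffic to every other port.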
Step 5: Check whether RDS is enabled for the instance
Check whether Remote Desktop Services (RDS) is enabled for the instance.
In this example, Windows Server 2012 is used. The operations may vary based on Windows Server versions.
In the lower-left corner of the taskbar, choose .
In the Control Panel window, click System and Security and then click System. In the left-side navigation pane of the System window, click Remote settings.
On the Remote tab of the System Properties dialog box, select Allow remote connections to this computer and then click OK.
Enable RDS.
In the lower-left corner of the taskbar, choose .
In the Control Panel window, click Administrative Tools. In the window that appears, double-click Component Services. In the window that appears, choose Services (Local). Scroll down and find Remote Desktop Services. Then, check whether RDS is enabled. If RDS is disabled, enable it.
Load drivers and services that are required by RDS.
Specific critical services required by RDS may be disabled accidentally to improve system security. In this case, RDS may not work as expected. Perform the following steps to check whether the required drivers and services work as expected:
In the lower-left corner of the taskbar, click Start and then click Run. In the Run dialog box, enter msconfig and click OK.
In the System Configuration dialog box, click the General tab. Select Normal startup and click OK.
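The service check in this step, and the listener check referred to in Step 6 (the port not appearing in the netstat output), can be done in one pass from an elevated PowerShell session on the instance. The following script is an added example, not part of the original topic; it assumes Windows Server 2012 or later and reads the configured RDP port from the registry instead of hard-coding 3389.

```powershell
# Added example: verify the Remote Desktop Services service and its TCP listener.
# Run in an elevated PowerShell session on the instance (for example, over VNC).

# The port RDS is configured to listen on (3389 unless it was changed).
$rdpKey  = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp'
$rdpPort = (Get-ItemProperty -Path $rdpKey -Name PortNumber).PortNumber

# 1. The TermService service must be running. A Disabled start type is the usual
#    leftover of "hardening" that breaks RDP; Manual or Automatic are both fine.
$svc = Get-Service -Name TermService
"{0}: Status={1} StartType={2}" -f $svc.DisplayName, $svc.Status, $svc.StartType
if ($svc.StartType -eq 'Disabled') {
    Set-Service -Name TermService -StartupType Manual
}
if ($svc.Status -ne 'Running') {
    Start-Service -Name TermService
}

# 2. Something must be listening on the RDP port (the PowerShell equivalent of
#    "netstat -ano | findstr :3389").
$listener = Get-NetTCPConnection -LocalPort $rdpPort -State Listen -ErrorAction SilentlyContinue
if ($listener) {
    $owner = Get-Process -Id $listener[0].OwningProcess
    "Port $rdpPort is in the listening state, owned by PID $($owner.Id) ($($owner.ProcessName))."
} else {
    "Nothing listens on port $rdpPort. Check the RDP-Tcp connection state (Step 6) and the registry values (Step 11)."
}
```

On a healthy instance the listener is owned by a svchost.exe process hosting TermService; a port that is listening but owned by a different process indicates another application has taken the port and RDS could not bind to it.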
Step 6: Check whether RDS is properly configured
If you cannot connect to a Windows instance, it may be due to the following invalid configurations of remote terminal services.
In this example, the instance runs Windows Server 2008. Operations are similar when your instances run other Windows Server versions.
Exception 1: The self-signed certificate of the instance is corrupt
If the on-premises client runs an operating system later than Windows 7, it attempts to establish a TLS connection to the instance. If the self-signed certificate for TLS connections of the instance is corrupt, the connection cannot be established.
In the lower-left corner of the taskbar, click Start. Then, choose Administrative Tools > Remote Desktop Services > Remote Desktop Session Host Configuration.
In the Connections section, right-click RDP-Tcp and select Properties.
In the RDP-Tcp Properties window, set Security Layer to RDP Security Layer and then click OK.
In the Actions section of the Remote Desktop Session Host Configuration window, click Disable Connection and then click Enable Connection.
Exception 2: The connection that is configured for the remote desktop session host is disabled
In the netstat command output, the port is not in the listening state for incoming connections.
After you connect to the instance by using VNC, you can observe that the configuration file that controls the attributes and settings of RDP connections is disabled. In this case, re-enable the RDP-Tcp connection. For more information, see the Exception 1: The self-signed certificate of the instance is corrupt section in this topic.
Exception 3: The role of the terminal server is improperly configured
When you use RDP to connect to a Windows instance, the "If the group you're in doesn't have this right, or if the right has been removed from the Remote Desktop Users group, you need to be granted this right manually" error message may appear.
In most cases, the issue occurs because a terminal server is installed on the instance but does not have the required permission. To resolve the issue, refer to the following topics or perform the following operation:
If the issue is caused by the installed Terminal Server role, connect to the instance, click Server Manager, and then choose Roles > Remove Roles.
Step 7: Check network connectivity
When you cannot connect to a Windows instance, check the network connectivity of the instance.
Use servers from different CIDR blocks or different carriers to connect to the instance over other networks to determine whether an issue occurs on the on-premises network or the server side.
If the issue is related to your on-premises network or your carrier, contact your on-premises IT personnel or your operator.
If the network interface controller (NIC) or NIC driver is abnormal, make sure that the NIC is available and update the NIC driver. Perform the following steps.
Run the ping command on your on-premises client to test the network connectivity of the instance. If a network exception occurs, use a packet capture tool to capture network packets.
If ping packets are lost or the ping fails, use My Traceroute (MTR) to analyze network paths.
If intermittent packet loss occurs, the network connectivity of the instance remains unstable. To troubleshoot the issue, refer to Node interruption.
If the "General failure" error message appears when you run the ping command on your on-premises client to test the network connectivity of the instance, refer to What do I do if a general fault occurs when I ping the public IP address of a Windows instance?
Step 8: Check the CPU load, bandwidth utilization, and memory usage of the instance
If you cannot connect to a Windows instance, the instance may have high CPU loads, low bandwidth, or insufficient memory.
Check the CPU loads on the instance and perform operations based on the check result:
If the CPU loads are not high, proceed to the next check.
If the CPU loads are high, perform the following operations:
Click Connect on the Instance Details page of the instance and check whether Windows Update runs in the background. It is normal for Windows Update to consume significant CPU resources while running in the background. Wait until Windows Update completes its processes.
If the applications that are hosted on the instance perform large numbers of disk read/write operations, initiate large numbers of network requests, or generate compute-intensive workloads, it is normal that the CPU load on the instance is high. In this case, we recommend that you upgrade the instance type to resolve resource bottleneck issues.
Note: For information about how to resolve high CPU loads, see What do I do if CPU utilization is high on a Windows ECS instance?
Check whether the public bandwidth of the instance is sufficient.
If you cannot connect to a Windows instance, a possible cause is that the instance has insufficient public bandwidth. To troubleshoot the issue, perform the following operations:
Go to ECS console - Instance.
In the top navigation bar, select the region and resource group of the resource that you want to manage.
On the Instance page, click the ID of the instance. In the Configuration Information section of the Instance Details tab, view the value of the Internet Bandwidth parameter.
If the value is 0 Mbit/s, the instance does not have public bandwidth. To allocate public bandwidth to the instance, upgrade the public bandwidth configurations.
Check whether the memory of the instance is sufficient.
If the desktop is not displayed as expected for the instance and the instance exits without an error message after you connect to the instance, a possible cause is that the instance has insufficient memory. In this case, check the memory usage of the instance. Perform the following operations:
In the lower-left corner of the taskbar, choose Start > Administrative Tools > Event Viewer. In the Event View window, check whether warning logs exist for insufficient memory. For more information, see Troubleshooting Windows low virtual memory problem.
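The CPU and memory checks in this step can be scripted from a PowerShell session on the instance, which is useful when the desktop does not render over VNC. The following script is an added example, not part of the original topic; it assumes Windows Server 2012 or later and that the Resource-Exhaustion-Detector writes its low-virtual-memory diagnostics (event ID 2004) to the System log, which is the default.

```powershell
# Added example: quick CPU, memory, and low-memory-event check on the instance.

# 1. Average CPU over three 2-second samples.
$cpu = (Get-Counter '\Processor(_Total)\% Processor Time' -SampleInterval 2 -MaxSamples 3).CounterSamples |
       Measure-Object -Property CookedValue -Average
"Average CPU over 6 s: {0:N1}%" -f $cpu.Average

# 2. The processes currently consuming the most CPU time. Windows Update components
#    (TiWorker, svchost hosting wuauserv) showing up here matches the "normal" case above.
Get-Process | Sort-Object CPU -Descending | Select-Object -First 5 Name, Id, CPU, WorkingSet

# 3. Free physical memory. Win32_OperatingSystem reports these values in KB.
$os      = Get-CimInstance -ClassName Win32_OperatingSystem
$freePct = 100 * $os.FreePhysicalMemory / $os.TotalVisibleMemorySize
"Free physical memory: {0:N1}% ({1:N0} MB of {2:N0} MB)" -f $freePct,
    ($os.FreePhysicalMemory / 1KB), ($os.TotalVisibleMemorySize / 1KB)

# 4. The same warnings Event Viewer shows for low virtual memory, most recent first.
Get-WinEvent -FilterHashtable @{
        LogName      = 'System'
        ProviderName = 'Microsoft-Windows-Resource-Exhaustion-Detector'
        Id           = 2004
    } -MaxEvents 5 -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, Message
```

If section 4 returns events whose timestamps line up with the failed logon attempts, the instance ran out of commit charge at that moment, and the memory size or the offending process is the thing to fix rather than RDP itself.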
Step 9: Check whether the security policies of the instance are properly configured
Check whether security policies are configured to deny RDP connections on the Windows instance.
In the lower-left corner of the taskbar, choose .
In the Control Panel window, click Administrative Tools. Then, double-click Local Security Policy. In the Local Security Policy window, click IP Security Policies on Local Computer. Check whether a security policy exists to deny RDP connections.
If the security policy exists, modify or delete the security policy.
To delete the security policy, right-click the security policy and select Delete. In the message that appears, click Yes.
To modify the security policy, double-click the security policy and allow connections by using RDS.
If the security policy does not exist, repeat the operations described in Step 9: Check whether the security policies of the instance are properly configured.
Step 10: Check antivirus software
You may fail to connect to the ECS instance by using RDP due to third-party antivirus settings. You can use the following methods to resolve this issue. The following examples are provided to describe how to troubleshoot the issue that Safe Dog settings cause a client to be unable to connect to ECS instances.
If antivirus software runs in the background, you can connect to the instance by using VNC to upgrade antivirus software to the latest version or delete antivirus software. For information about how to connect to an ECS instance by using VNC, see Methods for connecting to an ECS instance.
Use a commercial version of antivirus software or Microsoft Safety Scanner free of charge to scan for and remove viruses in safe mode. For information about Microsoft Safety Scanner, see Microsoft Safety Scanner.
Case 1: Blocklist the IP address in Safe Dog
If the following situation occurs after you install Safe Dog, check whether the security or interception settings are configured in defense software:
A client cannot connect to a Windows instance by using RDP but can connect to Windows instances in other regions.
The IP address of the Windows instance cannot be pinged, and the route is traced by using the tracert command. The test results show that the instance is not routable.
Security Center does not intercept the public IP address of the instance.
Open Server Safe Dog, select Network Firewall, click Super Blacklist/Whitelist, and then right-click the icon. If Super Blacklist contains the public IP address of the ECS instance, delete the blacklist rule and add the public IP address to the Super Whitelist.
If the traffic scrubbing threshold is set too low in Security Center, the public IP address of the instance may be blocked. We recommend that you increase the traffic scrubbing threshold to prevent the public IP address of the instance from being blocked. For more information, see Anti-DDoS Origin Basic.
Case 2: The Safe Dog program is abnormal
After you connect to a Windows instance by using VNC, an error message appears in the lower-right corner of the taskbar. For example, the following error message appears: The network driver is abnormal (the driver service is not started). Download the latest version to overwrite the installation and restart the operating system.
This issue may be caused by a Safe Dog exception. You can uninstall Safe Dog from the Windows operating system and restart the ECS instance to restore the network.
Step 11: Check whether the registry of the instance is properly configured
Invalid configurations of the Windows registry may deny RDP connections. To resolve the issue, perform the following steps:
In the Run dialog box, enter regedit and click OK to open Registry Editor.
In the Registry Editor window, change the following parameters:
Set the fEnableWinStation parameter in the HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp registry key to 1.
Set the fDenyTSConnections parameter in the HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server registry key to 0.
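The two registry values can be read and corrected without Registry Editor from an elevated PowerShell session. The following script is an added example, not part of the original topic; it assumes the registry paths named in this step and that a Group Policy setting is not overriding them.

```powershell
# Added example: check and correct the registry values named in Step 11.
# Run in an elevated PowerShell session on the instance (for example, over VNC).
$tsKey  = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'
$rdpKey = "$tsKey\WinStations\RDP-Tcp"

# Read the current values; a missing value is reported as empty.
$current = [ordered]@{
    fDenyTSConnections = (Get-ItemProperty -Path $tsKey  -Name fDenyTSConnections -ErrorAction SilentlyContinue).fDenyTSConnections
    fEnableWinStation  = (Get-ItemProperty -Path $rdpKey -Name fEnableWinStation  -ErrorAction SilentlyContinue).fEnableWinStation
}
$current

# fDenyTSConnections must be 0 (remote connections allowed).
if ($current.fDenyTSConnections -ne 0) {
    Set-ItemProperty -Path $tsKey -Name fDenyTSConnections -Value 0 -Type DWord
    'fDenyTSConnections set to 0.'
}

# fEnableWinStation must be 1 (the RDP-Tcp listener is enabled).
if ($current.fEnableWinStation -ne 1) {
    Set-ItemProperty -Path $rdpKey -Name fEnableWinStation -Value 1 -Type DWord
    'fEnableWinStation set to 1.'
}

# The listener re-reads its configuration when the service restarts.
Restart-Service -Name TermService -Force
```

If fDenyTSConnections keeps reverting to 1, check for the same value under HKLM\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services, which is where the "Allow users to connect remotely by using Remote Desktop Services" Group Policy setting writes it; a policy value takes precedence over the one this step edits.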
Step 12: Check whether the self-signed certificate for RDP connections of the instance expires
If the self-signed certificate for RDP connections of a Windows instance expires, you cannot connect to the instance. To resolve the issue, perform the following steps:
Start Windows PowerShell as the administrator.
In the Windows PowerShell window, run the following command to check whether the current self-signed certificate expires:
Get-Item 'Cert:\LocalMachine\Remote Desktop\*' | Select-Object NotAfter
If the self-signed certificate expires, run the following commands to delete the certificate and restart the TermService service:
Remove-Item -Path 'Cert:\LocalMachine\Remote Desktop\*' -Force -ErrorAction SilentlyContinue
Restart-Service TermService -Force
After the TermService service is restarted, the system automatically generates a new self-signed certificate.
Run the following command to check whether the validity period of the new self-signed certificate is updated:
Get-Item 'Cert:\LocalMachine\Remote Desktop\*' | Select-Object NotAfter
Note: By default, the validity period of a self-signed certificate for RDP connections is six months.
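The check and the renewal in this step can be combined so that the certificate is only deleted when it has actually expired, which avoids recycling the RDP listener on an instance whose certificate is still valid. The following script is an added example, not part of the original topic; it assumes the Remote Desktop certificate store path used in the commands above.

```powershell
# Added example: renew the RDP self-signed certificate only if it has expired.
# Run in an elevated PowerShell session on the instance.
$storePath = 'Cert:\LocalMachine\Remote Desktop'

$certs = Get-ChildItem -Path $storePath -ErrorAction SilentlyContinue
$certs | Select-Object Subject, NotBefore, NotAfter, Thumbprint

# Compare the expiry time with the clock of the instance; a wrong system time can make a
# valid certificate look expired, so verify Get-Date looks sane before acting on the result.
$expired = $certs | Where-Object { $_.NotAfter -lt (Get-Date) }

if ($expired) {
    "Expired certificate(s): $($expired.Thumbprint -join ', '). Deleting and restarting TermService."
    $expired | Remove-Item -Force
    Restart-Service -Name TermService -Force
    Start-Sleep -Seconds 5

    # As the step above describes, a new self-signed certificate is generated after the restart.
    Get-ChildItem -Path $storePath | Select-Object Subject, NotAfter, Thumbprint
} else {
    'The RDP self-signed certificate has not expired; the connection failure has another cause.'
}
```

The Thumbprint column is worth recording before and after the restart: the new certificate has a different thumbprint, which is what clients that pinned the old one will prompt about on the next connection.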
An error message returned
Error messages related to authorization:
Error messages related to the number of connections: