If you’ve configured the Server Authentication Certificate Template GPO option (on 2008 R2 it lives under Computer Configuration > Administrative Templates > Windows Components > Remote Desktop Services > Remote Desktop Session Host > Security), which determines the certificate the machine presents for Remote Desktop connections, and applied it to Server 2008 R2 or older, you may find that a lot of duplicate certificates are being issued to those machines. It’s a problem with an easy solution, but not an obvious one.

You see, if you read the documentation for the setting (which is helpfully not reproduced in the GPO explanation text in the GPMC) you’ll soon discover that:

You must set the certificate template’s attributes Template display name and Template name to the same value.

Because of a quirk in how the API checks whether the machine already holds a certificate for this purpose, if the Template name is not the same as the Template display name it fails to recognise the existing certificate as a match and requests a new one, which is where the duplicates come from.

This problem is resolved in Server 2012 R2. It is possibly resolved in Server 2012 as well, but I don’t have a box to hand that I can test with.

As far as I can tell, the “Do not automatically reenroll if a duplicate certificate exists in Active Directory” option on the template has no effect on this issue.
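The check I would run before and after fixing the template, as an added PowerShell example that is not part of the original post: it reads the template object from the Configuration partition (where cn is the Template name and displayName is the Template display name), warns if the two differ, and then counts how many certificates the local machine already holds from that template. “RDPAuth” is a hypothetical template name; it assumes a domain-joined host and an account that can read the template and the machine store.

```powershell
# Added example, not from the original post. "RDPAuth" is a hypothetical template name.
param(
    [string]$TemplateName = "RDPAuth"   # hypothetical; use your template's "Template name"
)

# 1. The template object lives in the Configuration partition: cn is the Template name,
#    displayName is the Template display name. The GPO needs the two to be identical.
$configNC = [string]([ADSI]"LDAP://RootDSE").configurationNamingContext
$tmpl = [ADSI]"LDAP://CN=$TemplateName,CN=Certificate Templates,CN=Public Key Services,CN=Services,$configNC"
$cn          = [string]$tmpl.cn
$displayName = [string]$tmpl.displayName
$templateOid = [string]$tmpl.'msPKI-Cert-Template-OID'

# Strict (case-sensitive) comparison, to be on the safe side
if ($cn -ceq $displayName) {
    "Template '$cn': Template name and Template display name match"
} else {
    Write-Warning "Template name '$cn' differs from display name '$displayName'; pre-2012 R2 hosts will keep requesting new certificates"
}

# 2. Certificates record their template either by name (v1 extension 1.3.6.1.4.1.311.20.2)
#    or by OID (v2 extension 1.3.6.1.4.1.311.21.7). Match on either.
$fromTemplate = Get-ChildItem Cert:\LocalMachine\My | Where-Object {
    $match = $false
    foreach ($ext in $_.Extensions) {
        if ($ext.Oid.Value -eq '1.3.6.1.4.1.311.20.2' -or $ext.Oid.Value -eq '1.3.6.1.4.1.311.21.7') {
            $text = $ext.Format($false)
            if (($text -match [regex]::Escape($cn)) -or ($templateOid -and ($text -match [regex]::Escape($templateOid)))) {
                $match = $true
            }
        }
    }
    $match
}

# More than one certificate from the template means the re-enrolment loop is running on this box.
$fromTemplate | Sort-Object NotBefore | Select-Object Thumbprint, NotBefore, NotAfter
"Certificates issued from '$cn' in LocalMachine\My: $(@($fromTemplate).Count)"
```

Run it once on an affected 2008 R2 host to see the pile of certificates, rename the template so the two names match, and run it again after the next policy refresh: the count should stop growing.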

Sometimes you have badly written apps that need to run interactively on servers, which means you have to connect to the console session to manage them over RDP. If you need to leave the console session unlocked this causes a problem, because disconnecting an RDP session locks it by default. Bear in mind that an unlocked console is then available to anyone with physical or out-of-band (KVM, iLO, DRAC) access to the box.

This can be changed by running the following command from within the RDP session:
tscon 0 /dest:console

Where “0” is the ID of the session you’re connected to. On 2003 boxes this will be 0 if you’re connected to the console, but on 2008 and later it will vary depending on how many other users are connected. You can find your session ID by running query session.
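One way to do this without reading the session ID off query session by eye, as an added PowerShell example that is not part of the original post: it takes the session ID from the current process, cross-checks it against the line query session marks as current, and only then hands the session to the console. It assumes it is run inside the RDP session you want to move, with the rights tscon requires.

```powershell
# Added example, not from the original post. Run from inside the RDP session to be moved.

# Every process carries the ID of the session it runs in, so the current
# PowerShell process tells us which session we are connected to.
$sessionId = (Get-Process -Id $PID).SessionId

# Cross-check against "query session": the session you are in is marked with ">".
$active = (query session) | Where-Object { $_ -match '^\s*>' }
if (-not $active -or $active -notmatch "\s$sessionId\s") {
    throw "Session $sessionId is not the session that query session marks as current; refusing to continue"
}

# Redirect this session to the physical console. The RDP client is disconnected
# and the console is left unlocked, which is the whole point (and the risk).
tscon $sessionId /dest:console
```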

The ever-helpful joeware has just released a little tool for testing RDP connectivity to servers, which you can find here: http://www.joeware.net/freetools/tools/rdp-sec-check/

If you don’t know about joeware, I strongly recommend checking out the various free tools he’s published, available here: http://www.joeware.net/freetools/index.htm – while many of them have been superseded by the PowerShell modules now available to Windows admins, if you’re not comfortable with PowerShell or are working with older systems, they’re still extremely useful.

The script below very simply returns True or False for each of a given list of hostnames or IP addresses, depending on whether or not it can open a TCP connection to port 3389. A successful connection does not mean that you will be able to log in, of course: it only tells you the port is reachable and something is listening. If you’re running RDP on a non-standard port, adjust the port in the script accordingly.

param(
    [string[]]$computername,
    [int]$port = 3389   # change this if RDP is on a non-standard port
)
$results = @()
foreach($name in $computername){
        # One record per host: the name and a boolean RDP column
        $result = "" | select Name,RDP
        $result.name = $name
        try {
           # The constructor connects immediately; a refused or unreachable port throws
           $socket = New-Object Net.Sockets.TcpClient($name, $port)
           $result.RDP = $socket.Connected
           $socket.Close()
        } catch {
           $result.RDP = $false
        }
        $results += $result
}
return $results