Elastic Compute Service: What do I do if I cannot connect to a Windows instance?

Last Updated: Jul 26, 2024

Several factors can prevent you from connecting to a Windows Elastic Compute Service (ECS) instance. This topic describes how to troubleshoot these connection issues based on your scenario.

Quick connection to a Windows instance

If you want to connect to and manage a Windows instance in the event of an emergency, you can perform the following steps to check the status of the instance, connect to the instance by using Virtual Network Computing (VNC), and then send commands to the instance by using Cloud Assistant:

Step 1: Check the status of the instance

Before you can identify the cause of the connection failure, you must check the status of the instance. An instance can provide external services only if the instance is in the Running state. Perform the following operations:

  1. Log on to the ECS console.

  2. In the left-side navigation pane, choose Instances & Images > Instances.

  3. In the upper-left corner of the top navigation bar, select a region.

  4. On the Instance page, click the ID of the instance to which you want to connect, check the Instance Status (lifecycle status) and Health Status of the instance, and then use an appropriate method to connect to the instance.

    • If the instance is in a lifecycle state and a health state as described in the following table, you can perform the operations in Step 2: Connect to the instance by using VNC.

      Instance lifecycle state | Instance health state | Connection method
      -------------------------|-----------------------|------------------
      Starting                 | Initializing          | VNC
      Running                  | Initializing          | VNC
      Running                  | OK or Impaired        | VNC or Workbench
      Stopping                 | InsufficientData      | VNC
      Stopped                  | InsufficientData      | None

    • If the instance is in a lifecycle state that is not described in the preceding table, resolve the issue based on the lifecycle state.

      For more information about instance lifecycle states, see Instance lifecycle.

Step 2: Connect to the instance by using VNC

If Cloud Assistant is not available or cannot meet your business requirements, you can use VNC to connect to the instance. Perform the following operations:

  1. Log on to the ECS console.

  2. In the left-side navigation pane, choose Instances & Images > Instances.

  3. In the upper-left corner of the top navigation bar, select a region.

  4. On the Instance page, find the instance to which you want to connect and click Connect in the Actions column.

  5. In the Remote connection dialog box, click Show Other Logon Methods and then click Sign in now in the VNC section.

  6. Log on to the instance operating system.

    1. In the upper-left corner of the page that appears, choose Send Remote Commands > CTRL+ALT+DELETE.

    2. Select an account, enter the logon password of the instance, and then press the Enter key.

      Note

      The default account for Windows instances is Administrator.

Step 3: Send commands to the instance by using Cloud Assistant

You can send commands to the instance by using Cloud Assistant. Perform the following operations:

  1. Log on to the ECS console.

  2. In the left-side navigation pane, choose Instances & Images > Instances.

  3. In the upper-left corner of the top navigation bar, select a region.

  4. On the Instance page, find the instance that you want to manage and choose image > Connect > Send Command in the Actions column.

  5. Enter a command and click Run to run the command on the instance without logging on to the instance.

    For more information about Cloud Assistant, see Overview.

No error message is returned

If no error message is returned when you cannot connect to a Windows instance that is in the Running state, perform the following steps to troubleshoot the issue:

  1. Step 1: Use Alibaba Cloud Workbench to connect to the instance

  2. Step 2: Check whether you received a blackhole filtering notification for the instance

  3. Step 3: Check the ports and security groups of the instance

  4. Step 4: Check whether the public IP address of the on-premises server from which to connect to the instance is blocked by Security Center

  5. Step 5: Check the firewall settings of the instance

  6. Step 6: Check whether RDS is enabled for the instance

  7. Step 7: Check whether remote terminal services are properly configured

  8. Step 8: Check network connectivity

  9. Step 9: Check the CPU load, bandwidth usage, and memory usage of the instance

  10. Step 10: Check whether the security policies of the instance are properly configured

  11. Step 11: Check whether the registry of the instance is properly configured

  12. Step 12: Check whether the self-signed certificate for RDP connections of the instance has expired

Step 1: Use Alibaba Cloud Workbench to connect to the instance

Use Workbench to connect to the instance. If you cannot connect to the instance by using Workbench, Workbench reports an error message and a corresponding solution. Perform the following operations:

  1. Log on to the ECS console.

  2. In the left-side navigation pane, choose Instances & Images > Instances.

  3. In the upper-left corner of the top navigation bar, select a region.

  4. On the Instance page, find the instance to which you want to connect and click Connect in the Actions column.

  5. In the Remote connection dialog box, click Sign in now in the Workbench section.

  6. In the Instance Login dialog box, the basic information about the instance is automatically populated by Workbench. Make sure that the basic information is correct, and enter a username and authentication information for the instance. Then, perform operations based on the following results:

    • You cannot connect to the instance by using Workbench, and Workbench reports an error message and a corresponding solution. You can resolve the issue as instructed. After you resolve the issue, reconnect to the instance by using Workbench. For information about common Workbench connection issues, see the Use Workbench to connect to a Windows instance section of the "Issues that occur when VNC or Workbench is used to connect to an instance" topic.

    • You can connect to the instance by using Workbench but cannot connect to the instance from the on-premises server. This indicates that the connection ports and services on the instance work as expected. Proceed to troubleshoot the issue.

Step 2: Check whether you received a blackhole filtering notification for the instance

Check whether you received a blackhole filtering notification for the instance. During blackhole filtering, the instance does not have Internet connectivity. For more information, see Blackhole filtering policy of Alibaba Cloud.

Step 3: Check the ports and security groups of the instance

Check whether the security groups of the instance are properly configured. Perform the following operations:

  1. Log on to the ECS console.

  2. In the upper-left corner of the top navigation bar, select a region.

  3. On the Instance page, click the ID of the instance that you want to manage.

  4. On the Instance Details page, click the Security Groups tab. In the security group list, find the security group whose rules you want to manage and click Manage Rules in the Actions column.

  5. Select the direction to which the security group rule applies.

  6. On the Security Group Details page, you can use one of the following methods to add a security group rule. For more information, see Add a security group rule.

    • Method 1: Use the Quick Add feature to add a security group rule

      • Action: Allow

      • Port Range: RDP (3389)

      • Authorization Object: 0.0.0.0/0, which indicates all IP addresses

    • Method 2: Manually add a security group rule

      • Action: Allow.

      • Priority: 1, which indicates the highest priority. A smaller number indicates a higher priority.

      • Protocol Type: Custom TCP.

      • Port Range: If your custom connection port is 33899, set it to 33899.

      • Authorization Object: 0.0.0.0/0, which indicates all IP addresses.

  7. Specify the IP address and the port in the <IP address:Port> format to connect to the instance by using Remote Desktop, as shown in the following figure.

    [Figure: Remote Desktop]

  8. Run the following command to check whether the port works as expected:

    telnet <IP> <Port>

    Note

    • Replace the <IP> variable with the IP address of the Windows instance.

    • Replace the <Port> variable with the Remote Desktop Protocol (RDP) port number of the Windows instance.

    For example, after you run the telnet 192.168.0.1 4389 command, the following command output is returned:

    Trying 192.168.0.1 ...
    Connected to 192.168.0.1  4389.
    Escape character is '^]'

    If the port check fails, troubleshoot the issue by referring to What do I do if I cannot ping the public IP address of an ECS instance?

Step 4: Check whether the public IP address of the on-premises server from which to connect to the instance is blocked by Security Center

If you enter an invalid password multiple times when you connect to the instance from an on-premises server, requests from the IP address of the on-premises server may be denied. You can go to the Settings page in the Security Center console and add the IP address of the on-premises server to the access whitelist of the instance. This way, the IP address of the on-premises server can access the instance.

  1. Log on to the Security Center console.

  2. In the left-side navigation pane, choose System Configuration > Feature Settings.

  3. On the Settings tab, click the Other Settings tab. In the Security Control section, click Configuration to go to the Security Control console.

  4. In the left-side navigation pane, choose Whitelist > Access Whitelist.

  5. On the Access Whitelist page, click Add.

    For more information, see the Security Control section of the "Enable features on the Other Settings tab" topic.

Step 5: Check the firewall settings of the instance

Note

You can perform this step only when you have permissions to disable the firewall of the instance. Check whether the firewall is disabled. If the firewall is enabled, modify the firewall configuration policy. For more information, see How to configure a firewall for remote connection to a Windows instance.

  1. Connect to the instance by using VNC.

    For more information, see Connect to a Windows instance by using a password.

  2. In the lower-left corner of the taskbar, click Start and then click Control Panel.

  3. Set the View by parameter to Small icons. Then, click Windows Firewall.

  4. In the Windows Firewall window, click Advanced settings.

  5. Enable firewalls.

    1. In the Windows Firewall with Advanced Security window, click Windows Firewall Properties.

    2. Select the On (recommended) option and click Apply.

      We recommend that you enable all firewalls on the Domain Profile, Private Profile, and Public Profile tabs.

  6. In the Windows Firewall with Advanced Security window, click Inbound Rules. Scroll down and find the Remote Desktop - User Mode (TCP-In) rule. Then, right-click the rule and select Enable Rule.

For more information, see How to configure a firewall for remote connection to a Windows instance.

Step 6: Check whether RDS is enabled for the instance

Check whether Remote Desktop Services (RDS) is enabled for the instance. Perform the following operations:

  1. Connect to the instance by using VNC.

    For more information, see Connect to a Windows instance by using a password.

  2. In the lower-left corner of the taskbar, click Start and then click Control Panel. In the Control Panel window, click System and Security and then click System.

  3. In the left-side navigation pane of the System window, click Remote settings.

  4. On the Remote tab of the System Properties window, select Allow remote connections to this computer and then click OK.

  5. Enable RDS.

    In the lower-left corner of the taskbar, click Start and then click Control Panel. In the Control Panel window, click Administrative Tools. In the window that appears, double-click Component Services. In the window that appears, choose Services (Local). Scroll down and find Remote Desktop Services. Then, check whether RDS is enabled. If RDS is disabled, enable it.

  6. Load drivers and services that are required by RDS.

    Critical services that RDS requires may be accidentally disabled when the system is configured to improve security. In this case, RDS may not work as expected. Perform the following operations to check whether the required drivers and services work as expected:

    1. In the lower-left corner of the taskbar, click Start and then click Run. In the Run window, enter msconfig and click OK.

    2. In the System Configuration window, click the General tab. Select Normal startup and click OK.

    3. Restart the instance.

      For more information, see Restart an instance.

Step 7: Check whether remote terminal services are properly configured

If you cannot connect to a Windows instance, it may be due to the following invalid configurations of remote terminal services.

Note

In this example, the instance runs Windows Server 2008. Operations are similar when your instances run other Windows Server versions.

Exception 1: The self-signed certificate of the instance is corrupt

If the on-premises client runs an operating system later than Windows 7, it attempts to establish a TLS connection to the instance. If the self-signed certificate for TLS connections of the instance is corrupt, the connection cannot be established.

  1. Connect to the instance by using VNC.

    For more information, see Connect to a Windows instance by using a password.

  2. In the lower-left corner of the taskbar, click Start. Then, choose Administrative Tools > Remote Desktop Services > Remote Desktop Session Host Configuration.

  3. In the Connections section, right-click RDP-Tcp and select Properties.

  4. In the RDP-Tcp Properties window, set Security Layer to RDP Security Layer and then click OK.

  5. In the Actions section of the Remote Desktop Session Host Configuration window, click Disable Connection and then click Enable Connection.

Exception 2: The connection that is configured for the remote desktop session host is disabled

The netstat command output shows that the port is not listening for incoming connections.

After you connect to the instance by using VNC, you can observe that the configuration file that controls the attributes and settings of RDP connections is disabled. In this case, re-enable the RDP-Tcp connection. For more information, see the Exception 1: The self-signed certificate of the instance is corrupt section in this topic.

Exception 3: The role of the terminal server is improperly configured

When you connect to a Windows instance by using Remote Desktop, the following error message may appear.

In most cases, the issue occurs because a terminal server is installed on the instance but does not have the required permission. To resolve the issue, refer to the following topics or perform the following operation:

Step 8: Check network connectivity

When you cannot connect to a Windows instance, check the network connectivity of the instance.

  1. Use servers from different CIDR blocks or different carriers to connect to the instance over other networks to determine whether an issue occurs on the on-premises network or the server side.

    • If the issue is related to your on-premises network or your carrier, contact your on-premises IT personnel or your operator.

    • If an exception occurs on a network interface (NIC) driver, re-install the driver. If the issue is not caused by your on-premises network, proceed to the next step.

  2. Run the ping command on your on-premises client to test the network connectivity of the instance.

  3. If the "General failure" error message appears when you run the ping command on your on-premises client to test the network connectivity of the instance, refer to the When you ping the internet address of a Windows instance, the system prompts "General failure" topic.

Step 9: Check the CPU load, bandwidth usage, and memory usage of the instance

If you cannot connect to a Windows instance, a possible cause is that the instance has a high CPU load or the instance has low bandwidth or memory.

  1. Check the CPU load on the instance and perform operations based on the check result.

    • If the CPU load is not high, proceed to Step 2.

    • If the CPU load is high, perform the following operations:

      • Click Connect on the Instance Details page of the instance and check whether Windows Update runs in the background. It is normal for Windows Update to consume significant CPU resources while running in the background. Wait until Windows Update completes its processes.

      • If the applications that are hosted on the instance perform large numbers of disk read/write operations, initiate large numbers of network requests, or generate compute-intensive workloads, it is normal that the CPU load on the instance is high. In this case, we recommend that you upgrade the instance type to resolve resource bottleneck issues. For more information, see Overview of instance configuration changes.

        Note

        For information about how to resolve high CPU loads, see What do I do if CPU utilization is high on a Windows ECS instance?

  2. Check whether the public bandwidth of the instance is sufficient.

    If you cannot connect to a Windows instance, a possible cause is that the instance has insufficient public bandwidth. To troubleshoot the issue, perform the following operations:

    1. Log on to the ECS console.

    2. In the upper-left corner of the top navigation bar, select a region.

    3. On the Instance page, click the ID of the instance to which you want to connect and check the Internet Bandwidth value in the Configuration Information section.

      If the value is 0 Mbps, the instance does not have public bandwidth. To allocate public bandwidth to the instance, upgrade the public bandwidth configurations. For more information, see the Modify the maximum public bandwidth section in the "Overview of instance configuration changes" topic.

  3. Check whether the memory of the instance is sufficient.

    If the desktop is not displayed as expected for the instance and the instance exits without an error message after you connect to the instance, a possible cause is that the instance has insufficient memory. In this case, check the memory usage of the instance. Perform the following operations:

    1. Connect to the instance by using VNC.

      For more information, see Connect to a Windows instance by using a password.

    2. Choose Start > Administrative Tools > Event Viewer. In the Event Viewer window, check whether warning logs exist for insufficient memory. For more information, see Troubleshooting Windows low virtual memory problem.

Step 10: Check whether the security policies of the instance are properly configured

Check whether security policies are configured to deny RDP connections on the Windows instance. Perform the following operations:

  1. Connect to the instance by using VNC.

    For more information, see Connect to a Windows instance by using a password.

  2. In the lower-left corner of the taskbar, click Start and then click Control Panel. In the Control Panel window, click Administrative Tools. Then, double-click Local Security Policy.

  3. In the Local Security Policy window, click IP Security Policies on Local Computer. Check whether a security policy exists to deny RDP connections.

    1. If the security policy exists, modify or delete the security policy.

      • To delete the security policy, right-click the security policy and select Delete. In the message that appears, click Yes.

      • To modify the security policy, double-click the security policy and allow connections by using RDS.

    2. If the security policy does not exist, repeat the operations described in Step 10: Check whether the security policies of the instance are properly configured.

Step 11: Check whether the registry of the instance is properly configured

Invalid configurations of the Windows registry may deny RDP connections. To resolve the issue, perform the following operations:

  1. Connect to the instance by using VNC.

    For more information, see Connect to an instance by using VNC.

  2. In the Run window, enter regedit and click OK to open Registry Editor.

  3. In the Registry Editor window, modify the configurations of the following parameters:

    • Set the fEnableWinStation parameter in the HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp registry key to 1.

    • Set the fDenyTSConnections parameter in the HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server registry key to 0.

Step 12: Check whether the self-signed certificate for RDP connections of the instance has expired

If the self-signed certificate for RDP connections of a Windows instance has expired, you cannot connect to the instance. To resolve the issue, perform the following operations:

  1. Connect to the instance by using VNC.

    For more information, see Connect to an instance by using VNC.

  2. Start Windows PowerShell as an administrator.

  3. In the Windows PowerShell window, run the following command to check whether the current self-signed certificate has expired:

    Get-Item 'Cert:\LocalMachine\Remote Desktop\*' | Select-Object NotAfter

  4. If the self-signed certificate has expired, run the following commands to delete the certificate and restart the TermService service:

    Remove-Item -Path 'Cert:\LocalMachine\Remote Desktop\*' -Force -ErrorAction SilentlyContinue
    Restart-Service TermService -Force

    After the TermService service is restarted, the system automatically generates a new self-signed certificate.

  5. Run the following command to check whether the validity period of the new self-signed certificate is updated:

    Get-Item 'Cert:\LocalMachine\Remote Desktop\*' | Select-Object NotAfter

    Note

    By default, the validity period of a self-signed certificate for RDP connections is six months.
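
The instance-side checks in Steps 5, 6, 7, 11, and 12 can be collected in one read-only pass, run over VNC or through Cloud Assistant. The script below is an added example, not part of the original page or of Alibaba Cloud tooling; it assumes Windows Server 2012 or later, an elevated PowerShell session, and a hypothetical helper named Add-Finding. It also reports the SecurityLayer registry value, because the Exception 1 workaround in Step 7 leaves RDP sessions without TLS until the setting is reverted.

```powershell
# Added example: read-only RDP health check. Run in an elevated session on the instance.
# Assumes Windows Server 2012 or later; Add-Finding is a helper defined for this example.
$ts  = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'
$rdp = Join-Path $ts 'WinStations\RDP-Tcp'
$findings = New-Object 'System.Collections.Generic.List[object]'

function Add-Finding([string]$Step, [string]$Check, [bool]$Ok, [string]$Detail) {
    $findings.Add([pscustomobject]@{ Step = $Step; Check = $Check; OK = $Ok; Detail = $Detail })
}

# Read the registry once; the configured RDP port is needed by several checks.
$deny = (Get-ItemProperty -Path $ts).fDenyTSConnections
$ws   = Get-ItemProperty -Path $rdp
$port = [int]$ws.PortNumber

# Step 5: the inbound rule the page names must be enabled and cover the configured port.
$rules = @(Get-NetFirewallRule -DisplayName 'Remote Desktop - User Mode (TCP-In)' -ErrorAction SilentlyContinue |
    Where-Object { $_.Enabled -eq 'True' -and $_.Action -eq 'Allow' })
$fwPorts = @($rules | ForEach-Object { ($_ | Get-NetFirewallPortFilter).LocalPort })
$fwOk = ($fwPorts -contains "$port") -or ($fwPorts -contains 'Any')
Add-Finding 'Step 5' "Enabled firewall rule covers TCP $port" $fwOk "Rule ports: $($fwPorts -join ',')"

# Step 6: the Remote Desktop Services service (TermService) must be running.
$svc = Get-Service -Name TermService
Add-Finding 'Step 6' 'TermService is running' ($svc.Status -eq 'Running') "Status=$($svc.Status)"

# Step 7, Exception 2: the configured RDP port must have a listener.
$listeners = @(Get-NetTCPConnection -State Listen -LocalPort $port -ErrorAction SilentlyContinue)
Add-Finding 'Step 7' "Listener on TCP $port" ($listeners.Count -gt 0) 'Port read from PortNumber under RDP-Tcp'

# Step 7, Exception 1 sets Security Layer to "RDP Security Layer" (SecurityLayer = 0).
# That setting does not use TLS, so flag it for follow-up after the certificate is regenerated.
$layer = $ws.SecurityLayer
Add-Finding 'Step 7' 'Security layer is not set to RDP Security Layer' ($layer -ne 0) "SecurityLayer=$layer (0=RDP, 1=Negotiate, 2=TLS)"

# Step 11: the two registry values the page names.
Add-Finding 'Step 11' 'fDenyTSConnections is 0' ($deny -eq 0) "Value=$deny"
Add-Finding 'Step 11' 'fEnableWinStation is 1' ($ws.fEnableWinStation -eq 1) "Value=$($ws.fEnableWinStation)"

# Step 12: the self-signed certificate in the "Remote Desktop" store must not be expired.
$certs   = @(Get-Item 'Cert:\LocalMachine\Remote Desktop\*' -ErrorAction SilentlyContinue)
$expired = @($certs | Where-Object { $_.NotAfter -le (Get-Date) })
$dates   = ($certs | ForEach-Object { $_.NotAfter.ToString('yyyy-MM-dd') }) -join ', '
Add-Finding 'Step 12' 'RDP certificate has not expired' ($certs.Count -gt 0 -and $expired.Count -eq 0) "NotAfter: $dates"

# Full report, then only the steps that need attention.
$findings | Format-Table -AutoSize -Wrap
$findings | Where-Object { -not $_.OK } | Select-Object -ExpandProperty Step -Unique
```

The script changes nothing on the instance; each row with OK set to False points to the step on this page that covers the fix.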

An error message is returned

References