Remote Desktop Connection Error: Outdated entry in the DNS cache

Users have begun to complain that when trying to connect to the RDS (Remote Desktop Server) farm running Windows Server 2008 R2 using the standard RD client (mstsc.exe) they often get an error:

The connection cannot be completed because the remote computer that was reached is not the one you specified. This could be caused by an outdated entry in the DNS cache. Try using the IP address of the computer instead of the name.

The configuration of the RDS farm: 3 servers running Windows Server 2008 R2 with RD Connection Broker used to distribute workload between the terminals and to reconnect to the current sessions. The fact that the error occurred from time to time had suggested that there was a problem with one of the servers of the farm. By means of sequential search, the problem server was found and we connected to its desktop remotely using its IP address.

Just in case, I ran the server record registration in DNS again:

ipconfig /registerdns

And reset the local DNS cache on the client in a couple of minutes:

ipconfig /flushdns

But it didn’t help. There were no other problems with the server, so I had to use an article in Microsoft knowledge base: https://support.microsoft.com/kb/2493594 (RDP connection to Remote Desktop server running Windows Server 2008 R2 may fail with message ‘The Local Security Authority cannot be contacted’).

The solution in the article offered to reduce the level of the protocol used to encrypt the RDP connection from SSL (TLS 1.0 is used for authentication) to RDP Security Layer (the integrated and less secure RDP encryption).

Note. This setting is located in Remote Desktop Session Host Configuration -> Microsoft RDP 7.1 ->Properties -> Security Layer

But in our configuration, the Negotiate method is used that uses automatic switching from TLS to RDP Security Layer if the client does not support the first method.

Entirely by accident, I noticed that the time on the problem server differ from the domain controller time. Indeed, it turned out that this server (a virtual one) was located on the VMWare ESXi host with the wrong time, and the option of time synchronization with the host hypervisor (Time synchronization between the virtual machine and the ESX Server) was enabled in VMWare Tools settings.

I had to disable ESXi synchronization and restart Windows Time Service to synchronize time with the DC.

net stop w32time
net start w32time

After that, users could connect to all servers of the RDS farm without any errors.

Note. The error “This could be caused by an outdated entry in the DNS cache” also appears if you try to connect to the specific server in the RDS farm by its name. In this case, Connection Broker may redirect the client to another RD host (with another DNS name and IP address), which results in the discrepancy between the specified address and the address of the server, and the client returns the error after the authentication attempt. So always specify the RD farm name to connect.

Recovering Encrypted Files from VSS Snapshot after Ransomware Infection

2 comments

Bob May 1, 2017 - 9:25 pm

Tried the stop w32time/start w32time/ registerdns suggestion and corrected all my errors, thank you!

Andy May 27, 2019 - 6:54 pm

‘net time /set’ worked for me.
Leadup to scenario:
– Yearly factory power outage for electrical maintenance
– Power up, most servers came up clean. DNS server did not.
– Other servers could not sync their clocks and started their own as best they could.
– DNS server returned to service but by not remoting into the other servers was refused.
– Remoting into other server using IP address, ‘set time’ command, then remote logon by server name successful.
!! Thanks for the tip.

Remote Desktop Connection Error: Outdated entry in the DNS cache

Recovering Encrypted Files from VSS Snapshot after Ransomware Infection

GPO Logging Using Gpsvc.log in Windows 7

Related Reading

2 comments

Leave a Comment Cancel Reply