Channel: Remote Desktop Services (Terminal Services) forum
Server 2008 R2 Remote Desktop problem

We have the following problem which I have been investigating on and off for some time.

One of our DCs (Server 2008 R2) failed catastrophically (we could not log in to it at all) and had to be restored from backup. Everything appeared to work normally except that we could not initially use remote desktop to connect to it for administration (at all).

We were getting an error message that the “remote desktop services activex control (mstscax.dll) does not match the version of the client shell”. After some research I fixed this by copying the relevant file from our other DC.

We could now connect to the DC using RDP (domain admin account), but as soon as we enable “negotiate” or TLS, or tick the NLA box we cannot connect (the connection is dropped and an error message tells us that the connection was unable to authenticate). Whilst we have been working with RDP for the time being I would obviously like to restore the more secure connections.

When the connection is refused, the DC has an event TermDD 56, but none of the documentation and solutions that I could find for this error has made any difference. The error information is as follows:

Log Name:      System
Source:        TermDD
Date:          07/03/2014 14:12:47
Event ID:      56
Task Category: None
Level:         Error
Keywords:      Classic
User:          N/A
Computer:      [The DC]
Description:
The Terminal Server security layer detected an error in the protocol stream and has disconnected the client. Client IP: [Windows 7 Pro]

Event Xml:
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <Provider Name="TermDD" />
    <EventID Qualifiers="49162">56</EventID>
    <Level>2</Level>
    <Task>0</Task>
    <Keywords>0x80000000000000</Keywords>
    <TimeCreated SystemTime="2014-03-07T14:12:47.694605700Z" />
    <EventRecordID>88551</EventRecordID>
    <Channel>System</Channel>
    <Computer>[The DC]</Computer>
    <Security />
  </System>
  <EventData>
    <Data>\Device\Termdd</Data>
    <Data>[Win 7 IP]</Data>
    <Binary>0000040002002C000000000038000AC00000000038000AC00000000000000000000000000000000030030980</Binary>
  </EventData>
</Event>

I suspect that we probably have another corrupt file related to the Remote Desktop Protocol, but I don’t have a list of the relevant files. I would like to replace each relevant file one by one with copies from our “known good” DC.

Things that I know don’t fix it:

New certificates from our root CA.

Anything to do with the remote desktop users group (not relevant since we are using Domain Admin credentials).

Remote Desktop Services role (not installed and never has been).

Things that I am suspicious of:

DCOM/COM – the initial crash occurred when we attempted to modify the following policies from our default domain policy:

DCOM: Machine Access Restrictions in Security Descriptor Definition Language (SDDL) syntax

DCOM: Machine Launch Restrictions in Security Descriptor Definition Language (SDDL) syntax

(The settings mangled this DC without adversely affecting the other).

Any suggestions appreciated.
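
Added example, not part of the original post: the `<Binary>` field of the TermDD 56 event above can be decoded offline to recover the status code the driver recorded. It assumes the payload follows the WDK `IO_ERROR_LOG_PACKET` layout (an assumption, cross-checked against the event's Qualifiers and EventID); the names `decode_termdd` and `SSPI_CODES` are illustrative.

```python
import struct
import xml.etree.ElementTree as ET

NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}

# Event XML trimmed from the post; bracketed values are the post's own placeholders.
EVENT_XML = r"""<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <EventID Qualifiers="49162">56</EventID>
  </System>
  <EventData>
    <Data>\Device\Termdd</Data>
    <Data>[Win 7 IP]</Data>
    <Binary>0000040002002C000000000038000AC00000000038000AC00000000000000000000000000000000030030980</Binary>
  </EventData>
</Event>"""

# A few SSPI status codes as defined in winerror.h (not exhaustive).
SSPI_CODES = {
    0x8009030C: "SEC_E_LOGON_DENIED",
    0x80090326: "SEC_E_ILLEGAL_MESSAGE",
    0x80090330: "SEC_E_DECRYPT_FAILURE",
}

# Assumption: fixed part of IO_ERROR_LOG_PACKET, little-endian, 40 bytes,
# followed by DumpDataSize bytes of ULONG dump data.
HEADER = struct.Struct("<BBHHHH2xIIIIIq")


def decode_termdd(event_xml):
    root = ET.fromstring(event_xml)
    eid = root.find("e:System/e:EventID", NS)
    raw = bytes.fromhex(root.findtext("e:EventData/e:Binary", namespaces=NS).strip())
    if len(raw) < HEADER.size:
        raise ValueError("Binary payload shorter than the packet header")
    fields = HEADER.unpack_from(raw)
    dump_size, error_code, final_status = fields[2], fields[6], fields[8]
    dump = raw[HEADER.size:HEADER.size + dump_size]
    if len(dump) != dump_size or dump_size % 4:
        raise ValueError("DumpData truncated or not a whole number of DWORDs")
    dwords = struct.unpack("<%dI" % (dump_size // 4), dump)
    # Classic events carry the full code as (Qualifiers << 16) | EventID.
    expected = (int(eid.get("Qualifiers")) << 16) | int(eid.text)
    return {
        "layout_ok": error_code == expected,  # sanity check on the assumed layout
        "error_code": error_code,
        "final_status": final_status,
        "dump_data": [(d, SSPI_CODES.get(d, "unknown")) for d in dwords],
    }
```

For the event in the post, the single dump DWORD is 0x80090330, which winerror.h defines as SEC_E_DECRYPT_FAILURE, an SSPI-level decryption error.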

