RDP suddenly stopped working on newly joined domain PCs. I can tracert, ping, access the file system from other subnets. And I can RDP from those affected PCs to other PCs just fine.
RDP works from the same subnet. All “old” PCs still work, and I can RDP from other subnets, VPN or forwarded port.
I don’t have anything in the event viewer, or on the DC that would indicate the problem.
Checked firewall, GPO, DNS, PTR records… kinda stuck.
EDIT: telnet shows the port is blocked. Checked the rules, checked everything. I don’t think it’s the firewall, because all other PCs work.
Use PowerShell tnc to test port 3389.
Ok down to the network rabbit hole. Wish you good luck on figuring out. Check windows firewall is not getting in the way.
If you take one of the domain joined machines that currently doesn’t work and remove it from the domain, does RDP begin working again?
Smt = CrowdStrike? July 19 update could be the start?
RDP works from the same subnet. It is really weird to be honest. I tested if 3389 is used by smt else, or blocked.
I am afraid that smt blocks the ports from subnets when joining a domain. The other 50 PCs work just fine. I am just hoping it’s not that Kerberos issue.
No, they still don’t work. First I tried to see if it’s maybe an account or OU. Then I checked netsh advfirewall show allprofiles. Funny thing is that the PowerShell tnc command shows a different result from netsh.
Sorry, your question is July 16, i.e. earlier, but could CrowdStrike be the cause of the problem?
Okay, TcpTest failed from the other subnet.
Are you seeing the ports for RDP open in the firewall output? You could enable logging of dropped/blocked inbound traffic on the RDP ports and see if you see blocks in the log despite the firewall appearing to not be configured to block.
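One way to follow the logging suggestion above (and to cross-check the netsh vs. tnc mismatch mentioned earlier) is to turn on dropped-packet logging on every Windows Firewall profile and then parse the log for inbound drops aimed at 3389. This is an added example, not code from any poster; the log path and the port are assumptions, and the sample log lines are constructed.

```powershell
# Added example (not from the thread): log dropped inbound packets on all
# Windows Firewall profiles, then parse the log for drops aimed at the RDP port.
# Path and port are assumptions; adjust if the listener was moved to a custom port.
$LogPath = "$env:SystemRoot\System32\LogFiles\Firewall\pfirewall.log"
$RdpPort = 3389

function Enable-DroppedPacketLogging {
    # Log only blocked traffic so the file stays small; logging allowed traffic floods it.
    Set-NetFirewallProfile -Profile Domain, Private, Public `
        -LogBlocked True -LogAllowed False `
        -LogFileName $LogPath -LogMaxSizeKilobytes 16384
}

function Find-RdpDrops {
    param([string[]]$Lines, [int]$Port = $RdpPort)
    # pfirewall.log fields: date time action protocol src-ip dst-ip src-port dst-port ... path
    foreach ($line in $Lines) {
        if ($line -match '^#' -or [string]::IsNullOrWhiteSpace($line)) { continue }
        $f = $line -split '\s+'
        if ($f.Count -lt 8) { continue }
        # Keep only inbound TCP drops whose destination port is the RDP listener.
        if ($f[2] -eq 'DROP' -and $f[3] -eq 'TCP' -and [int]$f[7] -eq $Port -and $f[-1] -eq 'RECEIVE') {
            [pscustomobject]@{
                Time         = "$($f[0]) $($f[1])"
                Source       = $f[4]
                # /24 of the source so drops from the remote subnet stand out at a glance
                SourceSubnet = ($f[4] -replace '\.\d+$', '.0/24')
                Dest         = $f[5]
            }
        }
    }
}

# Constructed sample lines in the real log format: two drops from a remote subnet,
# one allowed connection from the local subnet, one unrelated drop on port 445.
$Sample = @(
'#Fields: date time action protocol src-ip dst-ip src-port dst-port size tcpflags tcpsyn tcpack tcpwin icmptype icmpcode info path',
'2024-07-16 09:12:01 DROP TCP 10.0.2.15 10.0.1.20 51234 3389 52 S 1234567 0 8192 - - - RECEIVE',
'2024-07-16 09:12:04 DROP TCP 10.0.2.15 10.0.1.20 51235 3389 52 S 1234568 0 8192 - - - RECEIVE',
'2024-07-16 09:13:10 ALLOW TCP 10.0.1.33 10.0.1.20 50000 3389 0 - 0 0 0 - - - RECEIVE',
'2024-07-16 09:14:22 DROP TCP 10.0.3.7 10.0.1.20 40001 445 52 S 2234567 0 8192 - - - RECEIVE'
)

# Dry run against the constructed sample, then against the live log once logging is on.
Find-RdpDrops -Lines $Sample | Format-Table -AutoSize
# Enable-DroppedPacketLogging
# Find-RdpDrops -Lines (Get-Content $LogPath) | Group-Object SourceSubnet | Sort-Object Count -Descending
```

If the live log shows no DROP entries for 3389 while Test-NetConnection still fails from the other subnet, the block is happening before the Windows Firewall sees the packet (another filter driver on the host, or something on the network path).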
Not CrowdStrike, it’s ESET.
https://forum.eset.com/topic/41907-option-in-endpoint-client-missing-in-policies-in-eset-protect-on-prem/
smt as in something. It is not a firewall, it’s not a GPO. Tried telnet and nmap last night, the port is definitely closed.
Lol, ok sorry about that - I’m too old for some of these acronyms. This is a long shot, but is it possible that the domain policy is disabling the ‘Enable Remote Desktop’ setting on the clients?
It works from the same subnet. The weird thing is, we joined one old PC, installed two or three years ago. It works just fine. So my guess is this is a Windows Update issue.
Can you try to RDP using the IP address rather than the FQDN of the target desktop?
Are the subnets between which you are attempting to RDP part of different AD sites, or the same site?
I tried IP, FQDN, short name, nothing works. Same site, I have nothing in between. Tracert shows one hop.
Well, this is definitely a strange one. I guess the next thing I’d probably try is changing the RDP listening port on one of your clients, and then try to RDP to it from a machine on the other subnet. Specify whatever custom port you chose in your rdp connection string. That will at least help us narrow down if we’re running up against a port blockage issue or something else.