
I have a server that has since been decommissioned, and some services that were hosted on it have been moved over to another server. However, these still point to the old server, so I have set up a CNAME for the old server pointing to the new one. When I try to RDP to the old server name, surely it should redirect me to the new server, but I constantly get the error below.

"The connection cannot be completed because the remote computer that was reached is not the one you specified. This could be caused by an outdated entry in the DNS cache. Try using the IP address of the computer instead of the name."

I know using the IP will work, as this has been tested, but short of putting it in the hosts file of the machine that hosts the services I am at a loss.

Steps I have tried:

  1. FlushDNS on the target, the DNS server and the local server
  2. Checked the time and confirmed that both are correct
  3. Added an SPN for the old server that points to the new one

Any ideas on this would be great.

2 Answers


I don't think it's a Kerberos issue. Funny enough, Kerberos isn't used for RDP.

But RDP uses TLS for security. The CN in the certificate is the server FQDN (in terms of a domain). So, when you connect to the alias, the (alias) name you're connecting to doesn't match the (real) name in the certificate, and the system says "the computer is not the one you specified". The solution may be to recreate the certificate used for RDP, adding a SAN (subject alternative name) which would contain both the "real" name and the "alias" name, so both of them would be valid.

Nikita Kipriyanov
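The check this answer implies, as an added example that is not part of the original answer: inspect which certificate the RDP listener presents and whether the name you type into the client appears among its CN/SAN DNS names, then bind a replacement certificate that carries both names. It assumes an elevated PowerShell session on the new server (the CNAME target), the default listener name `RDP-Tcp`, and placeholder host names `oldserver.corp.example` / `newserver.corp.example`.

```powershell
# Added example, not the answer author's code. Assumes: run elevated on the new
# server, listener name 'RDP-Tcp' (default), placeholder names below.

function Get-RdpListenerCertificate {
    # The RDP listener stores the SHA1 thumbprint of the certificate it presents.
    $listener = Get-CimInstance -Namespace 'root\cimv2\TerminalServices' `
        -ClassName Win32_TSGeneralSetting -Filter "TerminalName='RDP-Tcp'"
    $thumb = $listener.SSLCertificateSHA1Hash
    # The default self-signed certificate lives in the "Remote Desktop" store;
    # a CA-issued one bound by hand is normally in "My".
    foreach ($store in @('Cert:\LocalMachine\Remote Desktop', 'Cert:\LocalMachine\My')) {
        $hit = Get-ChildItem $store -ErrorAction SilentlyContinue |
            Where-Object { $_.Thumbprint -eq $thumb } | Select-Object -First 1
        if ($hit) { return $hit }
    }
}

function Test-RdpCertificateName {
    # Reports whether $ClientName (what the user types into mstsc) is one of the
    # names the listener certificate is valid for.
    param([Parameter(Mandatory)][string]$ClientName)
    $cert = Get-RdpListenerCertificate
    if (-not $cert) { throw 'RDP listener certificate not found in the LocalMachine stores.' }
    # DnsNameList collects the subject CN plus every DNS entry of the SAN extension.
    $names = @($cert.DnsNameList | ForEach-Object { $_.Unicode })
    [pscustomobject]@{
        Thumbprint  = $cert.Thumbprint
        Subject     = $cert.Subject
        ValidNames  = $names -join ', '
        ClientName  = $ClientName
        NameMatches = [bool]($names | Where-Object { $_ -ieq $ClientName })
    }
}

function Set-RdpListenerCertificate {
    # Binds a certificate from Cert:\LocalMachine\My to the RDP-Tcp listener.
    # The private key must be readable by NETWORK SERVICE or the listener will
    # silently fall back to the self-signed certificate.
    param([Parameter(Mandatory)][string]$Thumbprint)
    $listener = Get-CimInstance -Namespace 'root\cimv2\TerminalServices' `
        -ClassName Win32_TSGeneralSetting -Filter "TerminalName='RDP-Tcp'"
    Set-CimInstance -InputObject $listener -Property @{ SSLCertificateSHA1Hash = $Thumbprint }
}

# --- usage (placeholder names) ---
# 1. Diagnose: NameMatches = False reproduces the "not the one you specified" error.
Test-RdpCertificateName -ClientName 'oldserver.corp.example' | Format-List

# 2. Remediate: obtain a certificate whose SAN lists BOTH names. From an enterprise CA,
#    request it with both DNS names; in a lab the self-signed variant below gives the
#    same SAN (clients will still warn about the untrusted issuer, a different error).
# $new = New-SelfSignedCertificate -DnsName 'newserver.corp.example','oldserver.corp.example' `
#            -CertStoreLocation Cert:\LocalMachine\My
# Set-RdpListenerCertificate -Thumbprint $new.Thumbprint
# Test-RdpCertificateName -ClientName 'oldserver.corp.example'   # NameMatches should now be True
```

The diagnostic reads only the listener configuration and the certificate stores, so it is safe to run first; the binding step is commented out because it changes what every RDP client is shown and should follow a certificate issued by your own CA rather than a self-signed one outside a lab.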

This is probably because the server you decommissioned is still registered in Active Directory.

Kerberos authentication will use the SPN TERMSRV/%computername%, and in your case this SPN is still registered by an AD object representing the old server. You should delete the old computer account in AD and this message will probably not show up anymore.

Swisstone
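To confirm which AD object actually holds the `TERMSRV/<old name>` SPN before deleting anything, here is an added example that is not part of the original answer. It assumes a domain-joined administrative workstation with the ActiveDirectory RSAT module and `setspn.exe` available, and uses placeholder names `oldserver` (decommissioned) and `newserver` (CNAME target).

```powershell
# Added example, not the answer author's code. Assumes: RSAT ActiveDirectory module,
# setspn.exe on PATH, placeholder host names below.

function Find-SpnOwner {
    # Lists every AD object whose servicePrincipalName starts with $SpnPrefix
    # (e.g. TERMSRV/oldserver). The same SPN on two objects is a fault in itself:
    # the KDC cannot decide which account's key to encrypt the service ticket with.
    param([Parameter(Mandatory)][string]$SpnPrefix)
    Get-ADObject -LDAPFilter "(servicePrincipalName=$SpnPrefix*)" `
        -Properties servicePrincipalName, lastLogonTimestamp |
        ForEach-Object {
            [pscustomobject]@{
                Name        = $_.Name
                ObjectClass = $_.ObjectClass
                DN          = $_.DistinguishedName
                # A stale lastLogonTimestamp is the sign of the decommissioned machine.
                LastLogon   = if ($_.lastLogonTimestamp) {
                                  [DateTime]::FromFileTime($_.lastLogonTimestamp)
                              } else { $null }
                MatchingSpn = ($_.servicePrincipalName | Where-Object { $_ -like "$SpnPrefix*" }) -join '; '
            }
        }
}

$OldName = 'oldserver'   # placeholder: the decommissioned host / CNAME name
$NewName = 'newserver'   # placeholder: the CNAME target

# The client builds TERMSRV/<name you typed>, so query the alias name, not the real one.
Find-SpnOwner -SpnPrefix "TERMSRV/$OldName" | Format-Table -AutoSize

# Cross-check with the built-in tool: -Q queries the forest for the SPN,
# -X reports any SPN registered on more than one object (what adding the SPN
# to the new server while the old account still exists would produce).
setspn -Q "TERMSRV/$OldName"
setspn -X

# Remediation as the answer describes: remove the stale computer account, which takes
# its SPNs with it. -WhatIf only shows the action; drop it once the object is confirmed
# to be the decommissioned machine (check LastLogon and DN above first).
Get-ADComputer -Identity $OldName | Remove-ADComputer -WhatIf

# Afterwards the alias SPN should resolve to exactly one object, the new server:
Find-SpnOwner -SpnPrefix "TERMSRV/$OldName" | Format-Table -AutoSize
```

Running the query first matters because the asker already added an SPN for the old name to the new server; if the old computer account still exists, `setspn -X` will show the duplicate, and that duplicate is what gets cleared by removing the stale account.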