Detailed troubleshooting steps for Remote Desktop connection issues to Windows VMs in Azure

This article provides detailed troubleshooting steps to diagnose and fix complex Remote Desktop errors for Windows-based Azure virtual machines.

Important

To eliminate the more common Remote Desktop errors, make sure to read the basic troubleshooting article for Remote Desktop before proceeding.

You may encounter a Remote Desktop error message that does not resemble any of the specific error messages covered in the basic Remote Desktop troubleshooting guide. Follow these steps to determine why the Remote Desktop (RDP) client is unable to connect to the RDP service on the Azure VM.

If you need more help at any point in this article, you can contact the Azure experts on Azure support. Alternatively, you can file an Azure support incident. Go to the Azure support site. For information about using Azure Support, read the Azure Support FAQ.

Components of a Remote Desktop connection

The following components are involved in an RDP connection:

[Diagram: the components involved in a Remote Desktop (RDP) connection.]

Before proceeding, it might help to mentally review what has changed since the last successful Remote Desktop connection to the VM. For example:

  • The public IP address of the VM, or of the cloud service containing the VM (also called the virtual IP address, or VIP), has changed. The RDP failure could be because your DNS client cache still has the old IP address registered for the DNS name. Flush your DNS client cache and try connecting to the VM again, or try connecting directly with the new VIP.

  • You are using a third-party application to manage your Remote Desktop connections instead of the connection generated by the Azure portal. Verify that the application configuration includes the correct TCP port for the Remote Desktop traffic. For a classic virtual machine, you can check this port in the Azure portal by clicking the VM's Settings > Endpoints.
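The two checks above (a stale DNS cache and the wrong TCP port) can be done in one pass from the RDP client. The following script is an added example and is not part of the original article; it assumes the DNS name, the expected VIP and the port are placeholders you replace with your own values, and it uses the DnsClient and NetTCPIP cmdlets that ship with Windows 8 / Windows Server 2012 and later.

```powershell
# Added example, not from the original article. Run on the RDP client machine.
# Placeholder values: $VmDnsName, $ExpectedVip and $RdpPort are assumptions.
param(
    [string]$VmDnsName   = "cloudservice4testing.chinacloudapp.cn",  # placeholder DNS name of the VM / cloud service
    [string]$ExpectedVip = "203.0.113.10",                           # placeholder: the new VIP shown in the portal
    [int]$RdpPort        = 3389                                      # the endpoint's public RDP port
)

# 1. What does the local resolver return right now (possibly from cache)?
$cached = (Resolve-DnsName -Name $VmDnsName -Type A -ErrorAction SilentlyContinue |
           Where-Object { $_.Type -eq 'A' }).IPAddress
Write-Host "Resolved before flush : $($cached -join ', ')"

# 2. Flush the DNS client cache and resolve again, bypassing the cache entirely.
Clear-DnsClientCache
$fresh = (Resolve-DnsName -Name $VmDnsName -Type A -DnsOnly -ErrorAction SilentlyContinue |
          Where-Object { $_.Type -eq 'A' }).IPAddress
Write-Host "Resolved after flush  : $($fresh -join ', ')"

if ($fresh -notcontains $ExpectedVip) {
    Write-Warning "DNS does not return the expected VIP $ExpectedVip yet; connect by IP address instead."
}

# 3. Is the RDP port reachable at all? Testing both the name and the VIP separates
#    "stale name" from "port blocked somewhere on the path".
foreach ($target in @($VmDnsName, $ExpectedVip) | Select-Object -Unique) {
    $result = Test-NetConnection -ComputerName $target -Port $RdpPort -WarningAction SilentlyContinue
    $state  = if ($result.TcpTestSucceeded) { 'open' } else { 'BLOCKED / unreachable' }
    "{0,-45} TCP {1}: {2}" -f $target, $RdpPort, $state
}
```

If the name resolves to the expected VIP but the TCP test fails for both targets, the problem is on the path (Sources 1 to 4 below), not in name resolution.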

Preliminary steps

Before proceeding to the detailed troubleshooting,

Try reconnecting to the VM via Remote Desktop after these steps.

Detailed troubleshooting steps

The Remote Desktop client may not be able to reach the Remote Desktop service on the Azure VM because of issues at the following sources:

Source 1: Remote Desktop client computer

Verify that your computer can make Remote Desktop connections to another on-premises, Windows-based computer.

[Diagram: RDP connection components, with the RDP client highlighted and an arrow pointing to another on-premises computer to indicate the connection.]

If it cannot, check for the following settings on your computer:

  • A local firewall setting that is blocking Remote Desktop traffic.
  • Locally installed client proxy software that is preventing Remote Desktop connections.
  • Locally installed network monitoring software that is preventing Remote Desktop connections.
  • Other types of security software that monitor traffic or allow/disallow specific types of traffic and are preventing Remote Desktop connections.

In all these cases, temporarily disable the suspected software and try to connect to an on-premises computer via Remote Desktop. If you can find the actual cause this way, work with your network administrator to correct the software settings so that Remote Desktop connections are allowed.

Source 2: Organization intranet edge device

Verify that a computer directly connected to the Internet can make Remote Desktop connections to your Azure virtual machine.

[Diagram: RDP connection components, with an Internet-connected RDP client highlighted and an arrow pointing to the Azure virtual machine to indicate the connection.]

If you do not have a computer that is directly connected to the Internet, create a new Azure virtual machine in a resource group or cloud service and test with it. For more information, see Create a virtual machine running Windows in Azure. You can delete the virtual machine and the resource group or cloud service after the test.

If you can create a Remote Desktop connection from a computer directly attached to the Internet, check your organization's intranet edge device for:

  • An internal firewall blocking HTTPS connections to the Internet.
  • A proxy server preventing Remote Desktop connections.
  • Intrusion detection or network monitoring software running on devices in your edge network that is preventing Remote Desktop connections.

Work with your network administrator to correct the settings of your organization's intranet edge device to allow HTTPS-based Remote Desktop connections to the Internet.

Source 3: Cloud service endpoint and ACL

Important

Classic VMs will be retired on March 1, 2023.

If you use IaaS resources from ASM, complete your migration by March 1, 2023. We encourage you to make the switch sooner to take advantage of the many feature enhancements in Azure Resource Manager.

For more information, see Migrate your IaaS resources to Azure Resource Manager by March 1, 2023.

For VMs created using the classic deployment model, verify that another Azure VM in the same cloud service or virtual network can make Remote Desktop connections to your Azure VM.

[Diagram: RDP connection components, with one Azure VM highlighted and an arrow pointing to another Azure VM in the same cloud service to indicate the connection.]

Note

For virtual machines created in Resource Manager, skip to Source 4: Network Security Groups.

If you do not have another virtual machine in the same cloud service or virtual network, create one. Follow the steps in Create a virtual machine running Windows in Azure. Delete the test virtual machine after the test is completed.

If you can connect via Remote Desktop to a virtual machine in the same cloud service or virtual network, check these settings:

  • The endpoint configuration for Remote Desktop traffic on the target VM: the private TCP port of the endpoint must match the TCP port on which the VM's Remote Desktop service is listening (default is 3389).
  • The ACL for the Remote Desktop traffic endpoint on the target VM: ACLs let you specify allowed or denied incoming traffic from the Internet based on its source IP address. Misconfigured ACLs can prevent incoming Remote Desktop traffic from reaching the endpoint. Check your ACLs to ensure that incoming traffic from the public IP addresses of your proxy or other edge server is allowed. For more information, see What is a Network Access Control List (ACL)?

To check whether the endpoint is the source of the problem, remove the current endpoint and create a new one, choosing a random port in the range 49152-65535 as the external port number. For more information, see How to set up endpoints to a virtual machine.

Source 4: Network Security Groups

Network Security Groups allow more granular control of allowed inbound and outbound traffic. You can create rules spanning subnets and cloud services in an Azure virtual network.

Use IP flow verify to confirm whether a rule in a Network Security Group is blocking traffic to or from a virtual machine. You can also review the effective security group rules to ensure that an inbound "Allow" NSG rule exists and takes priority for the RDP port (default 3389). For more information, see Using Effective Security Rules to troubleshoot VM traffic flow.
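Both checks in the paragraph above, the effective-rule review and IP flow verify, can be scripted with the Az PowerShell modules. The following is an added example and not the article's own code; it assumes the Az.Compute and Az.Network modules are installed, that Connect-AzAccount has already been run, that a Network Watcher exists in the VM's region, and that the resource group, VM name and client IP address are placeholders you replace.

```powershell
# Added example, not from the original article. Requires Az.Compute, Az.Network and an
# existing Connect-AzAccount session. $ResourceGroup, $VmName and $ClientIp are placeholders.
$ResourceGroup = "rg-example"      # placeholder
$VmName        = "vm-example"      # placeholder
$ClientIp      = "203.0.113.25"    # placeholder: public IP the RDP client egresses from
$RdpPort       = 3389

$vm        = Get-AzVM -ResourceGroupName $ResourceGroup -Name $VmName
$nicId     = $vm.NetworkProfile.NetworkInterfaces[0].Id
$nic       = Get-AzNetworkInterface -ResourceId $nicId
$privateIp = $nic.IpConfigurations[0].PrivateIpAddress

# 1. Effective security rules: everything actually applied to the NIC (NIC NSG, subnet NSG
#    and the default rules), reduced to inbound rules whose destination port range covers
#    the RDP port. The lowest Priority value wins, so sort by it.
$effective = Get-AzEffectiveNetworkSecurityGroup -NetworkInterfaceName $nic.Name `
                 -ResourceGroupName $nic.ResourceGroupName
$rdpRules = foreach ($nsg in $effective) {
    $nsg.EffectiveSecurityRules | Where-Object {
        $_.Direction -eq 'Inbound' -and (
            $_.DestinationPortRange -contains '*' -or
            $_.DestinationPortRange -contains "$RdpPort" -or
            ($_.DestinationPortRange | Where-Object {
                $_ -match '^(\d+)-(\d+)$' -and [int]$matches[1] -le $RdpPort -and [int]$matches[2] -ge $RdpPort })
        )
    }
}
"Effective inbound rules covering TCP $RdpPort (first Allow/Deny match wins):"
$rdpRules | Sort-Object Priority |
    Select-Object Name, Priority, Access, Protocol, SourceAddressPrefix, DestinationPortRange |
    Format-Table -AutoSize

# 2. IP flow verify: ask Network Watcher whether a packet from the client to the VM's
#    private IP on the RDP port would be allowed, and which rule decides it.
$nw   = Get-AzNetworkWatcher -Location $vm.Location
$flow = Test-AzNetworkWatcherIPFlow -NetworkWatcher $nw -TargetVirtualMachineId $vm.Id `
            -Direction Inbound -Protocol TCP `
            -LocalIPAddress $privateIp -LocalPort $RdpPort `
            -RemoteIPAddress $ClientIp -RemotePort 60000   # ephemeral source port, any value works
"IP flow verify: {0} by rule '{1}'" -f $flow.Access, $flow.RuleName
```

If IP flow verify reports Deny, the RuleName it returns is the rule to fix (or the default DenyAllInBound rule, meaning no Allow rule for the port exists at all).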

Source 5: Windows-based Azure VM

[Diagram: RDP connection components, with an Azure VM in the cloud service highlighted and a message indicating it is a "possible cause of the problem".]

Follow the instructions in this article. This article resets the Remote Desktop service on the virtual machine:

  • Enable the "Remote Desktop" Windows Firewall default rule (TCP port 3389).
  • Enable Remote Desktop connections by setting the HKLM\System\CurrentControlSet\Control\Terminal Server\fDenyTSConnections registry value to 0.

Try the connection from your computer again. If you are still not able to connect via Remote Desktop, check for the following possible problems:

  • The Remote Desktop service is not running on the target VM.
  • The Remote Desktop service is not listening on TCP port 3389.
  • Windows Firewall or another local firewall has an outbound rule that is preventing Remote Desktop traffic.
  • Intrusion detection or network monitoring software running on the Azure virtual machine is preventing Remote Desktop connections.
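The two reset actions and the four checks listed above can be gathered into one diagnostic run inside the VM, for example from the remote PowerShell session described in the rest of this section. The script below is an added example, not code from the article; it assumes an elevated session on Windows Server 2012 or later (for the NetSecurity and NetTCPIP cmdlets) and reports only unless the -Repair switch is given, in which case it applies exactly the two reset actions the article describes.

```powershell
# Added example, not from the original article. Run inside the VM as an administrator.
# Without -Repair it only reports; with -Repair it enables the Remote Desktop firewall
# rules and sets fDenyTSConnections to 0, which are the two reset steps described above.
param([switch]$Repair)

$rdpKey = 'HKLM:\System\CurrentControlSet\Control\Terminal Server'
$tcpKey = "$rdpKey\WinStations\RDP-Tcp"
$port   = (Get-ItemProperty -Path $tcpKey -Name PortNumber).PortNumber
$deny   = (Get-ItemProperty -Path $rdpKey -Name fDenyTSConnections).fDenyTSConnections

# 1. Is the Remote Desktop service (TermService) running?
$svc = Get-Service -Name TermService
"TermService status     : $($svc.Status)"

# 2. Is anything listening on the configured RDP port?
$listen = Get-NetTCPConnection -LocalPort $port -State Listen -ErrorAction SilentlyContinue
"Listening on TCP $port  : $([bool]$listen)"
if ($port -ne 3389) {
    Write-Warning "RDP-Tcp PortNumber is $port, not the default 3389; the endpoint/NSG must use the same port."
}

# 3. Are RDP connections enabled, and do the firewall rules allow them?
"fDenyTSConnections     : $deny (0 = connections allowed)"
$fwRules = Get-NetFirewallRule -DisplayGroup 'Remote Desktop' -ErrorAction SilentlyContinue
foreach ($r in $fwRules) {
    "Firewall rule {0,-38} Enabled={1} Action={2} Direction={3}" -f $r.DisplayName, $r.Enabled, $r.Action, $r.Direction
}

# 4. An enabled Block rule covering the RDP port (in either direction) would also break RDP,
#    even when the default Remote Desktop rules are enabled.
$blocks = Get-NetFirewallRule -Enabled True -Action Block | Get-NetFirewallPortFilter |
          Where-Object { $_.Protocol -eq 'TCP' -and ($_.LocalPort -eq "$port" -or $_.LocalPort -eq 'Any') }
if ($blocks) { Write-Warning "Enabled Block rules cover TCP $port; review them with Get-NetFirewallRule." }

if ($Repair) {
    Set-ItemProperty -Path $rdpKey -Name fDenyTSConnections -Value 0
    Enable-NetFirewallRule -DisplayGroup 'Remote Desktop'
    if ($svc.Status -ne 'Running') { Start-Service -Name TermService }
    "Repair applied; retry the Remote Desktop connection."
}
```

Third-party intrusion detection or monitoring agents (the last bullet above) are not visible to these cmdlets; if everything here reports healthy and the connection still fails, check the logs of any such agent installed on the VM.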

For VMs created using the classic deployment model, you can use a remote Azure PowerShell session to the Azure virtual machine. First, you need to install a certificate for the virtual machine's hosting cloud service. Go to Configure Secure Remote PowerShell Access to Azure Virtual Machines and download the InstallWinRMCertAzureVM.ps1 script file to your local computer.

Next, install Azure PowerShell if you haven't already. See How to install and configure Azure PowerShell.

Next, open an Azure PowerShell command prompt and change the current folder to the location of the InstallWinRMCertAzureVM.ps1 script file. To run an Azure PowerShell script, you must set the correct execution policy. Run the Get-ExecutionPolicy command to determine your current policy level. For information about setting the appropriate level, see Set-ExecutionPolicy.

Next, fill in your Azure subscription name, the cloud service name, and your virtual machine name (removing the < and > characters), and then run these commands.

$subscr="<Name of your Azure subscription>"
$serviceName="<Name of the cloud service that contains the target virtual machine>"
$vmName="<Name of the target virtual machine>"
.\InstallWinRMCertAzureVM.ps1 -SubscriptionName $subscr -ServiceName $serviceName -Name $vmName

You can get the correct subscription name from the SubscriptionName property in the output of the Get-AzureSubscription command. You can get the cloud service name for the virtual machine from the ServiceName column in the output of the Get-AzureVM command.

Check whether you have the new certificate. Open a Certificates snap-in for the current user and look in the Trusted Root Certification Authorities\Certificates folder. You should see a certificate with the DNS name of your cloud service in the Issued To column (example: cloudservice4testing.chinacloudapp.cn).

Next, initiate a remote Azure PowerShell session by using these commands.

$uri = Get-AzureWinRMUri -ServiceName $serviceName -Name $vmName
$creds = Get-Credential
Enter-PSSession -ConnectionUri $uri -Credential $creds

After entering valid administrator credentials, you should see something similar to the following Azure PowerShell prompt:

[cloudservice4testing.chinacloudapp.cn]: PS C:\Users\User1\Documents>

The first part of this prompt is the name of the cloud service that contains the target VM, which could be different from "cloudservice4testing.chinacloudapp.cn". You can now issue Azure PowerShell commands for this cloud service to investigate the problems mentioned and correct the configuration.

To manually correct the Remote Desktop Services listening TCP port

At the remote Azure PowerShell session prompt, run this command.

Get-ItemProperty -Path "HKLM:\System\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp" -Name "PortNumber"

The PortNumber property shows the current port number. If needed, change the Remote Desktop port number back to its default value (3389) by using this command.

Set-ItemProperty -Path "HKLM:\System\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp" -Name "PortNumber" -Value 3389

Verify that the port has been changed to 3389 by using this command.

Get-ItemProperty -Path "HKLM:\System\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp" -Name "PortNumber"

Exit the remote Azure PowerShell session by using this command.

Exit-PSSession

Verify that the Remote Desktop endpoint for the Azure VM is also using TCP port 3389 as its internal port. Restart the Azure VM and try the Remote Desktop connection again.

Additional resources

How to reset a password or the Remote Desktop service for Windows virtual machines

How to install and configure Azure PowerShell

Troubleshoot Secure Shell (SSH) connections to a Linux-based Azure virtual machine

Troubleshoot access to an application running on an Azure virtual machine