Troubleshoot Remote Desktop connections to an Azure virtual machine

The Remote Desktop Protocol (RDP) connection to your Windows-based Azure virtual machine (VM) can fail for various reasons, leaving you unable to access your VM. The issue can be with the Remote Desktop service on the VM, the network connection, or the Remote Desktop client on your host computer. This article guides you through some of the most common methods to resolve RDP connection issues.

If you need more help at any point in this article, you can contact the Azure experts on Azure support. Alternatively, you can file an Azure support incident. Go to the Azure support site and submit your request.

Quick troubleshooting steps

After each troubleshooting step, try reconnecting to the VM:

  1. Reset Remote Desktop configuration.
  2. Check Network Security Group rules / Cloud Services endpoints.
  3. Review VM console logs.
  4. Reset the NIC for the VM.
  5. Check the VM Resource Health.
  6. Reset your VM password.
  7. Restart your VM.
  8. Redeploy your VM.

Continue reading if you need more detailed steps and explanations. Verify that local network equipment such as routers and firewalls is not blocking outbound TCP port 3389, as noted in detailed RDP troubleshooting scenarios.

Tip

If the Connect button for your VM is grayed out in the portal and you are not connected to Azure via an ExpressRoute or Site-to-Site VPN connection, you need to create and assign your VM a public IP address before you can use RDP. You can read more about public IP addresses in Azure.

Ways to troubleshoot RDP issues

You can troubleshoot VMs created using the Resource Manager deployment model by using one of the following methods:

  • Azure portal - great if you need to quickly reset the RDP configuration or user credentials and you don't have the Azure tools installed.
  • Azure PowerShell - if you are comfortable with a PowerShell prompt, quickly reset the RDP configuration or user credentials using the Azure PowerShell cmdlets.

You can also find steps on troubleshooting VMs created using the Classic deployment model.

Troubleshoot using the Azure portal

After each troubleshooting step, try connecting to your VM again. If you still cannot connect, try the next step.

  1. Reset your RDP connection. This troubleshooting step resets the RDP configuration when, for example, Remote Connections are disabled or Windows Firewall rules are blocking RDP.

    Select your VM in the Azure portal. Scroll down the settings pane to the Support + Troubleshooting section near the bottom of the list. Click the Reset password button. Set the Mode to Reset configuration only and then click the Update button:

    Screenshot: Reset the RDP configuration in the Azure portal

  2. Verify Network Security Group rules. Use IP flow verify to confirm if a rule in a Network Security Group is blocking traffic to or from a virtual machine. You can also review effective security group rules to ensure that an inbound "Allow" NSG rule exists and is prioritized for the RDP port (default 3389). For more information, see Using Effective Security Rules to troubleshoot VM traffic flow.

  3. Review VM boot diagnostics. This troubleshooting step reviews the VM console logs to determine if the VM is reporting an issue. Not all VMs have boot diagnostics enabled, so this troubleshooting step may be optional.

    Specific troubleshooting steps are beyond the scope of this article, but the console logs may indicate a wider problem that is affecting RDP connectivity. For more information on reviewing the console logs and VM screenshot, see Boot Diagnostics for VMs.

  4. Reset the NIC for the VM. For more information, see how to reset NIC for Azure Windows VM.

  5. Check the VM Resource Health. This troubleshooting step verifies there are no known issues with the Azure platform that may impact connectivity to the VM.

    Select your VM in the Azure portal. Scroll down the settings pane to the Support + Troubleshooting section near the bottom of the list. Click the Resource health button. A healthy VM reports as being Available:

    Screenshot: Check the VM resource health in the Azure portal

  6. Reset user credentials. This troubleshooting step resets the password on a local administrator account when you are unsure or have forgotten the credentials. Once you have logged into the VM, you should reset the password for that user.

    Select your VM in the Azure portal. Scroll down the settings pane to the Support + Troubleshooting section near the bottom of the list. Click the Reset password button. Make sure the Mode is set to Reset password and then enter your username and a new password. Finally, click the Update button:

    Screenshot: Reset the user credentials in the Azure portal

  7. Restart your VM. This troubleshooting step can correct any underlying issues the VM itself is having.

    Select your VM in the Azure portal and click the Overview tab. Click the Restart button:

    Screenshot: Restart the VM in the Azure portal

  8. Redeploy your VM. This troubleshooting step redeploys your VM to another host within Azure to correct any underlying platform or networking issues.

    Select your VM in the Azure portal. Scroll down the settings pane to the Support + Troubleshooting section near the bottom of the list. Click the Redeploy button, and then click Redeploy:

    Screenshot: Redeploy the VM in the Azure portal

    After this operation finishes, ephemeral disk data is lost and dynamic IP addresses that are associated with the VM are updated.

  9. Verify routing. Use Network Watcher's Next hop capability to confirm that a route isn't preventing traffic from being routed to or from a virtual machine. You can also review effective routes to see all effective routes for a network interface. For more information, see Using effective routes to troubleshoot VM traffic flow.

  10. Ensure that any on-premises firewall, or firewall on your computer, allows outbound TCP 3389 traffic to Azure.

If you are still encountering RDP issues, you can open a support request or read more detailed RDP troubleshooting concepts and steps.

Troubleshoot using Azure PowerShell

If you haven't already, install and configure the latest Azure PowerShell.

The following examples use variables such as myResourceGroup, myVM, and myVMAccessExtension. Replace these variable names and locations with your own values.

Note

You reset the user credentials and the RDP configuration by using the Set-AzVMAccessExtension PowerShell cmdlet. In the following examples, myVMAccessExtension is a name that you specify as part of the process. If you have previously worked with the VMAccessAgent, you can get the name of the existing extension by using Get-AzVM -ResourceGroupName "myResourceGroup" -Name "myVM" to check the properties of the VM. To view the name, look under the 'Extensions' section of the output.

After each troubleshooting step, try connecting to your VM again. If you still cannot connect, try the next step.

  1. Reset your RDP connection. This troubleshooting step resets the RDP configuration when, for example, Remote Connections are disabled or Windows Firewall rules are blocking RDP.

    The following example resets the RDP connection on a VM named myVM in the ChinaNorth location and in the resource group named myResourceGroup:

    Set-AzVMAccessExtension -ResourceGroupName "myResourceGroup" `
        -VMName "myVM" -Location chinanorth -Name "myVMAccessExtension"
    
  2. Verify Network Security Group rules. This troubleshooting step verifies that you have a rule in your Network Security Group to permit RDP traffic. The default port for RDP is TCP port 3389. A rule to permit RDP traffic may not be created automatically when you create your VM.

    First, assign all the configuration data for your Network Security Group to the $rules variable. The following example obtains information about the Network Security Group named myNetworkSecurityGroup in the resource group named myResourceGroup:

    $rules = Get-AzNetworkSecurityGroup -ResourceGroupName "myResourceGroup" `
        -Name "myNetworkSecurityGroup"
    

    Now, view the rules that are configured for this Network Security Group. Verify that a rule exists to allow TCP port 3389 for inbound connections as follows:

    $rules.SecurityRules
    

    The following example shows a valid security rule that permits RDP traffic. You can see Protocol, DestinationPortRange, Access, and Direction are configured correctly:

    Name                     : default-allow-rdp
    Id                       : /subscriptions/guid/resourceGroups/myResourceGroup/providers/Microsoft.Network/networkSecurityGroups/myNetworkSecurityGroup/securityRules/default-allow-rdp
    Etag                     : 
    ProvisioningState        : Succeeded
    Description              : 
    Protocol                 : TCP
    SourcePortRange          : *
    DestinationPortRange     : 3389
    SourceAddressPrefix      : *
    DestinationAddressPrefix : *
    Access                   : Allow
    Priority                 : 1000
    Direction                : Inbound
    

    If you do not have a rule that allows RDP traffic, create a Network Security Group rule. Allow TCP port 3389.

  3. Reset user credentials. This troubleshooting step resets the password on the local administrator account that you specify when you are unsure of, or have forgotten, the credentials.

    First, specify the username and a new password by assigning credentials to the $cred variable as follows:

    $cred=Get-Credential
    

    Now, update the credentials on your VM. The following example updates the credentials on a VM named myVM in the ChinaNorth location and in the resource group named myResourceGroup:

    Set-AzVMAccessExtension -ResourceGroupName "myResourceGroup" `
        -VMName "myVM" -Location ChinaNorth -Name "myVMAccessExtension" `
        -UserName $cred.GetNetworkCredential().Username `
        -Password $cred.GetNetworkCredential().Password
    
  4. Restart your VM. This troubleshooting step can correct any underlying issues the VM itself is having.

    The following example restarts the VM named myVM in the resource group named myResourceGroup:

    Restart-AzVM -ResourceGroupName "myResourceGroup" -Name "myVM"
    
  5. Redeploy your VM. This troubleshooting step redeploys your VM to another host within Azure to correct any underlying platform or networking issues.

    The following example redeploys the VM named myVM in the ChinaNorth location and in the resource group named myResourceGroup:

    Set-AzVM -Redeploy -ResourceGroupName "myResourceGroup" -Name "myVM"
    
  6. Verify routing. Use Network Watcher's Next hop capability to confirm that a route isn't preventing traffic from being routed to or from a virtual machine. You can also review effective routes to see all effective routes for a network interface. For more information, see Using effective routes to troubleshoot VM traffic flow.

  7. Ensure that any on-premises firewall, or firewall on your computer, allows outbound TCP 3389 traffic to Azure.
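
For the Network Security Group check in step 2, reading $rules.SecurityRules by eye can miss a Deny rule that is evaluated before the Allow rule. The following is an added example, not part of the original article: the function names and the sample rules are hypothetical and constructed for illustration, and it lists candidate rules without matching source prefixes against a particular client address.

```powershell
# Added example, not from the original article. $sampleRules is constructed data
# that mirrors the fields of $rules.SecurityRules shown in step 2.

function Test-PortInRange {
    # Handles the three port forms an NSG rule can carry: '*', 'low-high', 'port'
    param([string]$Range, [int]$Port)
    if ($Range -eq '*') { return $true }
    if ($Range -match '^(\d+)-(\d+)$') {
        return ($Port -ge [int]$Matches[1] -and $Port -le [int]$Matches[2])
    }
    return ($Range -eq "$Port")
}

function Get-RdpInboundRule {
    # Hypothetical helper: lists inbound rules that cover the TCP port, in the
    # order Azure evaluates them (lowest Priority number first).
    param([object[]]$SecurityRules, [int]$Port = 3389)

    $anySource = @('*', 'Internet', '0.0.0.0/0')
    $SecurityRules |
        Where-Object {
            $_.Direction -eq 'Inbound' -and
            $_.Protocol -in @('Tcp', '*') -and
            (@($_.DestinationPortRange) | Where-Object { Test-PortInRange $_ $Port })
        } |
        Sort-Object -Property Priority |
        ForEach-Object {
            $sources = @($_.SourceAddressPrefix)
            [pscustomobject]@{
                Priority        = $_.Priority
                Name            = $_.Name
                Access          = $_.Access
                Source          = $sources -join ','
                # True when the rule applies to traffic from any address
                OpenToAnySource = [bool]($sources | Where-Object { $_ -in $anySource })
            }
        }
}

# Constructed sample: an Allow rule for 3389 exists, but a Deny rule with a
# lower Priority number covers the same port and is evaluated first.
$sampleRules = @(
    [pscustomobject]@{ Name = 'default-allow-rdp'; Direction = 'Inbound'; Access = 'Allow'
        Protocol = 'TCP'; DestinationPortRange = '3389'; SourceAddressPrefix = '*'; Priority = 1000 }
    [pscustomobject]@{ Name = 'deny-mgmt-ports'; Direction = 'Inbound'; Access = 'Deny'
        Protocol = '*'; DestinationPortRange = '3000-4000'; SourceAddressPrefix = '*'; Priority = 900 }
    [pscustomobject]@{ Name = 'allow-https'; Direction = 'Inbound'; Access = 'Allow'
        Protocol = 'TCP'; DestinationPortRange = '443'; SourceAddressPrefix = '*'; Priority = 1100 }
    [pscustomobject]@{ Name = 'allow-rdp-out'; Direction = 'Outbound'; Access = 'Allow'
        Protocol = 'TCP'; DestinationPortRange = '3389'; SourceAddressPrefix = '*'; Priority = 1200 }
)

Get-RdpInboundRule -SecurityRules $sampleRules | Format-Table -AutoSize

# Against a live NSG (requires the Az module and the $rules variable from step 2):
# Get-RdpInboundRule -SecurityRules $rules.SecurityRules
```

The first row returned is the rule evaluated first for the port; if nothing is returned, no custom rule covers TCP 3389 and the NSG's default rules decide. An Allow row with OpenToAnySource set to True means RDP is reachable from any source address, which is worth narrowing to known client ranges once connectivity is restored.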

If you are still encountering RDP issues, you can open a support request or read more detailed RDP troubleshooting concepts and steps.

Troubleshoot VMs created using the Classic deployment model

Important

Classic VMs will be retired on March 1, 2023.

If you use IaaS resources from ASM, please complete your migration by March 1, 2023. We encourage you to make the switch sooner to take advantage of the many feature enhancements in Azure Resource Manager.

For more information, see Migrate your IaaS resources to Azure Resource Manager by March 1, 2023.

After each troubleshooting step, try reconnecting to the VM.

  1. Reset your RDP connection. This troubleshooting step resets the RDP configuration when, for example, Remote Connections are disabled or Windows Firewall rules are blocking RDP.

    Select your VM in the Azure portal. Click the ...More button, then click Reset Remote Access:

    Screenshot: Reset the RDP configuration in the Azure portal

  2. Verify Cloud Services endpoints. This troubleshooting step verifies that you have endpoints in your Cloud Services to permit RDP traffic. The default port for RDP is TCP port 3389. A rule to permit RDP traffic may not be created automatically when you create your VM.

    Select your VM in the Azure portal. Click the Endpoints button to view the endpoints currently configured for your VM. Verify that endpoints exist that allow RDP traffic on TCP port 3389.

    The following example shows valid endpoints that permit RDP traffic:

    Screenshot: Verify the Cloud Services endpoints in the Azure portal

    If you do not have an endpoint that allows RDP traffic, create a Cloud Services endpoint. Allow TCP to private port 3389.

  3. Review VM boot diagnostics. This troubleshooting step reviews the VM console logs to determine if the VM is reporting an issue. Not all VMs have boot diagnostics enabled, so this troubleshooting step may be optional.

    Specific troubleshooting steps are beyond the scope of this article, but the console logs may indicate a wider problem that is affecting RDP connectivity. For more information on reviewing the console logs and VM screenshot, see Boot Diagnostics for VMs.

  4. Check the VM Resource Health. This troubleshooting step verifies there are no known issues with the Azure platform that may impact connectivity to the VM.

    Select your VM in the Azure portal. Scroll down the settings pane to the Support + Troubleshooting section near the bottom of the list. Click the Resource Health button. A healthy VM reports as being Available:

    Screenshot: Check the VM resource health in the Azure portal

  5. Reset user credentials. This troubleshooting step resets the password on the local administrator account that you specify when you are unsure or have forgotten the credentials. Once you have logged into the VM, you should reset the password for that user.

    Select your VM in the Azure portal. Scroll down the settings pane to the Support + Troubleshooting section near the bottom of the list. Click the Reset password button. Enter your username and a new password. Finally, click the Save button:

    Screenshot: Reset the user credentials in the Azure portal

  6. Restart your VM. This troubleshooting step can correct any underlying issues the VM itself is having.

    Select your VM in the Azure portal and click the Overview tab. Click the Restart button:

    Screenshot: Restart the VM in the Azure portal

  7. Ensure that any on-premises firewall, or firewall on your computer, allows outbound TCP 3389 traffic to Azure.

If you are still encountering RDP issues, you can open a support request or read more detailed RDP troubleshooting concepts and steps.

Troubleshoot specific RDP errors

You may encounter a specific error message when trying to connect to your VM via RDP. The following are the most common error messages:

Additional resources

If none of these errors occurred and you still can't connect to the VM via Remote Desktop, read the detailed troubleshooting guide for Remote Desktop.