Remote Desktop Problem on Windows Server 2008 R2

  1. If you are seeing SIDs in local groups then your DNS or AD access is messed up from that server to either the sub or parent domain IMO. RDP access could be a red herring and the real issue is proper connectivity to AD. Do you have event log events talking about being unable to resolve an account, etc.? In a healthy server you should never see SIDs IMO (unless accounts are deleted).
  2. It's possible a GPO is affecting the member servers' security policy "Allow log on through Remote Desktop Services" or the often-forgotten "Deny log on through Remote Desktop Services" inside the computer GPO config. You might be left out of the first or added to the second in the member servers GPO; that could then be overwritten at the DC container level by the "Default Domain Controllers Policy". Run a Group Policy Results on a member server as you and see what shows up for:

computer config > Policies > Windows Settings > Security Settings > Local Policies > User Rights Assignments > two settings in quotes above
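The following PowerShell script is an added example, not part of the answer above. It checks the two points the answer raises on the member server itself: it exports the effective local security policy with `secedit.exe` (which reflects whatever GPO ended up applying), prints who holds the "Allow" and "Deny log on through Remote Desktop Services" rights, flags any SID that cannot be resolved to an account name (the answer's point 1), and reports whether the account running the script is covered by either right (the answer's point 2). It assumes an elevated PowerShell 3.0 or later on the server, run as the account you RDP with; the temporary file name and the function names are the example's own.

```powershell
# Added example (not from the original answer): show the effective
# "Allow/Deny log on through Remote Desktop Services" user rights on this
# member server, resolve the SIDs, and say whether the current user is affected.
# Assumes: elevated PowerShell 3.0+, run as the account you use for RDP.

$export = Join-Path $env:TEMP 'secpol-userrights.inf'   # temp file name is arbitrary
& secedit.exe /export /cfg $export /areas USER_RIGHTS | Out-Null
if (-not (Test-Path $export)) { throw "secedit export failed; run from an elevated prompt" }

# The privileges behind the two GPO settings named in the answer.
$rights = @{
    SeRemoteInteractiveLogonRight     = 'Allow log on through Remote Desktop Services'
    SeDenyRemoteInteractiveLogonRight = 'Deny log on through Remote Desktop Services'
}

# secedit writes lines like:  SeRemoteInteractiveLogonRight = *S-1-5-32-544,*S-1-5-32-555
$assigned = @{}
foreach ($line in Get-Content $export) {
    if ($line -match '^(Se\w+)\s*=\s*(.*)$' -and $rights.ContainsKey($Matches[1])) {
        $assigned[$Matches[1]] = @($Matches[2].Split(',') |
            ForEach-Object { $_.Trim().TrimStart('*') } |
            Where-Object { $_ })
    }
}
Remove-Item $export -Force

# Turn an entry (SID or account name) into a SID string, or $null if it cannot be mapped.
function ConvertTo-SidString {
    param([string]$Value)
    try {
        if ($Value -match '^S-1-') { return ([System.Security.Principal.SecurityIdentifier]$Value).Value }
        return ([System.Security.Principal.NTAccount]$Value).Translate(
            [System.Security.Principal.SecurityIdentifier]).Value
    } catch { return $null }
}

# Human-readable form; an unresolvable SID is exactly the symptom the answer warns about.
function Resolve-Principal {
    param([string]$Value)
    if ($Value -notmatch '^S-1-') { return $Value }
    try {
        ([System.Security.Principal.SecurityIdentifier]$Value).Translate(
            [System.Security.Principal.NTAccount]).Value
    } catch {
        "$Value  <-- UNRESOLVED SID (deleted account, or AD/DNS lookup from this server failing)"
    }
}

# Every SID the current token carries: the user plus all group memberships.
$me     = [System.Security.Principal.WindowsIdentity]::GetCurrent()
$mySids = @($me.User.Value) + @($me.Groups | ForEach-Object { $_.Value })

foreach ($priv in $rights.Keys) {
    Write-Output ""
    Write-Output "$($rights[$priv]) ($priv):"
    $entries = $assigned[$priv]
    if (-not $entries -or $entries.Count -eq 0) { Write-Output "  (nobody)"; continue }
    foreach ($e in $entries) {
        $sid  = ConvertTo-SidString $e
        $mark = if ($sid -and ($mySids -contains $sid)) { '  [applies to you]' } else { '' }
        Write-Output ("  " + (Resolve-Principal $e) + $mark)
    }
}

Write-Output ""
$allowed = @($assigned['SeRemoteInteractiveLogonRight'])     | ForEach-Object { ConvertTo-SidString $_ } | Where-Object { $mySids -contains $_ }
$denied  = @($assigned['SeDenyRemoteInteractiveLogonRight']) | ForEach-Object { ConvertTo-SidString $_ } | Where-Object { $mySids -contains $_ }
if ($denied)      { Write-Output "VERDICT for $($me.Name): DENIED by the Deny right (Deny always wins)." }
elseif ($allowed) { Write-Output "VERDICT for $($me.Name): allowed to log on through Remote Desktop Services." }
else              { Write-Output "VERDICT for $($me.Name): not in the Allow list; RDP logon will be refused." }
```

The Deny right takes precedence over Allow, so a single group membership on the Deny side is enough to block an account that is otherwise an administrator. If the lists look right locally but you want to see which GPO put them there, `gpresult /h report.html /scope computer` on the same server produces the Group Policy Results report the answer refers to, with the winning GPO named next to each setting.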



Avinash Gupta

Updated on September 17, 2022

Comments

  • Avinash Gupta
    Avinash Gupta over 1 year

    Revised this question to be more concise, consolidating several revisions.

    Symptoms:

    From a domain-member Windows 7 Client:

    • Domain credentials to a domain controller => success
    • Domain credentials to a member server (by hostname or FQDN) => success
    • Domain credentials to a member server (by IP) => fail
    • Local credentials to a member server (by either) => success

    From a non-domain-member Windows 7 Client:

    • Domain credentials to a domain controller => success
    • Domain credentials to a member server => fail
    • Local credentials to a member server => success
    • (Identical behavior from a Mac RDC 2.1 client)

    Server Configuration Details:

    • Windows 2008 R2 Datacenter w/ SP1
    • The domain in question is a subdomain of a Windows 2008 domain (forest root).
    • Root has DCs in both Site A and Site B, subdomain only has DCs in Site B.
    • RDP is operating normally on all root member-servers and DCs.
    • No remote desktop settings are defined by GPOs.
    • Network level authentication is enabled; all clients are compatible and the certificate exchange/SSL handshake completes successfully.
    • Not catching any errors in netlogon log.
    • Admin
      Admin about 13 years
      A domain is a security boundary, is your user account a domain admin in both the parent and child domain?
    • Admin
      Admin about 13 years
      The user is a member of the same domain as the target RD Session Host, and is a member of the Domain Admins group.
  • Avinash Gupta
    Avinash Gupta about 13 years
    1. Event Viewer and dcdiag indicate that AD is working properly. I can authenticate for UNC, but not RDP. 2. The two settings are not defined in the GPO. I did however discover an interesting twist. I'll update the question with that.
  • Avinash Gupta
    Avinash Gupta about 13 years
    Thanks for the response. GPO modeling on the member server matches the policy in the GC. Nothing is defined except that RDP should be enabled. The interesting twist is that it works fine by hostname, but not by IP, even though they resolve to the same address (see Update 2).
  • BoxerBucks
    BoxerBucks about 13 years
    Just to clarify, if you RDP to these machines using either the host name or the fqdn, it will prompt for credentials and log you in to the desktop. If you run "mstsc /v <IP Address>" it will prompt you for credentials but give you the message that the credentials are invalid?
  • Avinash Gupta
    Avinash Gupta about 13 years
    Correct, mstsc /v <IP>, enter credentials, and it repeats the prompt with this error: "The credentials that were used to connect to <IP> did not work. Please enter new credentials." : "The logon attempt failed"
  • Bret Fisher
    Bret Fisher about 13 years
    for the failed attempt, what's the event logs say? security got a specific failure? Do you have IPSec policies in place? On the member boxes are you set for NLA auth only? wondering if either NLA or IPSec could be denying connection based on certificate not matching name you use to access. Is your RDP client set to deny connections that don't auth to server (although that results in a diff error then you said in update 2)?
  • BoxerBucks
    BoxerBucks about 13 years
    Enable netlogon debugging and look at the debug file for the error. Also look in the security logs to see the authentication error. I don't know the significance of using an IP address to simply connect mstsc to a machine as opposed to using the FQDN. I didn't think there was a difference - once the connection is made and you pass the credentials, the machine you are authenticating to takes care of the rest. The fact that you use an ip address or an FQDN shouldn't matter.
  • Avinash Gupta
    Avinash Gupta about 13 years
    Strangely, I don't see anything in any of the logs (both client and server-side). There aren't any IPSec policies. Both the DCs and member servers require NLA - tried allowing connections without NLA, but the Windows 7 and 2008 R2 clients attempt it by default. The RDP client is configured to warn on a certificate error - I permanently accepted the cert when I first connected.
  • BoxerBucks
    BoxerBucks about 13 years
    I also found this thread that references your problem and says there is a hotfix available. Its at the bottom of the page - social.technet.microsoft.com/Forums/en-US/winserverTS/thread‌​/…