
VMware Horizon Agent “Protocol Error” — Fixed by Windows Firewall Configuration


Overview

Recently, I encountered an issue where several Horizon Agent–based virtual desktops in our environment showed the status “Starting other services” or “Protocol Error” in the Horizon Administrator console.
Even after reinstalling the Agent (version 2206), the problem persisted.


Symptoms

  • Horizon Agent status: “Starting other services” or “Protocol error”

  • Horizon main services appeared to be running normally

  • Event Viewer showed Event ID 7000 for services such as:

    • PASVC – failed to start

    • LUFAV – not installed

  • Reinstalling the Agent (even using Repair mode) did not solve the issue


Root Cause

After deeper inspection, we discovered that on the affected VMs:

Windows Defender Firewall (Domain Profile)
→ “Block all incoming connections, including those in the list of allowed apps”
was checked (enabled).

This setting silently blocks all inbound traffic, even for applications explicitly allowed through the firewall.
As a result, Horizon Agent could not open required communication ports (TCP 4172, 8443, etc.) to the Connection Server, triggering the protocol initialization failure.


Resolution

  1. Open Windows Defender Firewall → Domain Network Settings

  2. Uncheck the option:
    “Block all incoming connections, including those in the list of allowed apps.”

  3. Wait a few seconds, or restart the Horizon Agent service.

✅ After this change, the Horizon Agent status immediately switched to “Available.”
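The three steps above, as a script you can run on an affected VM instead of clicking through the dialog. This is an added example, not code from the original post or from VMware. It assumes the Horizon Agent service name is `wsnm` (confirm with `Get-Service *wsnm*` on your build) and uses the port list given in this post; the registry key it reads is where Group Policy stores the same checkbox as `DoNotAllowExceptions`, which matters because a local fix is undone at the next policy refresh if that value is enforced.

```powershell
# Added example (not from the original post). Run elevated on an affected VM.
# Reports the Domain-profile state behind the checkbox "Block all incoming
# connections, including those in the list of allowed apps" and, with
# -Remediate, clears it and restarts the Agent service.
[CmdletBinding()]
param(
    [switch]$Remediate,
    [string]$AgentService = 'wsnm',                       # assumed Horizon Agent service name
    [int[]]$AgentPorts = @(4172, 8443, 22443, 32111, 9427) # ports named in this post
)

function Get-BlockAllInboundState {
    # The checkbox maps to AllowInboundRules on the profile:
    # False means "block everything inbound, allowed-app list included".
    $p = Get-NetFirewallProfile -Profile Domain
    # Group Policy writes the same setting here as DoNotAllowExceptions = 1.
    $gpo = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile' `
        -Name DoNotAllowExceptions -ErrorAction SilentlyContinue
    [pscustomobject]@{
        Enabled              = $p.Enabled
        DefaultInboundAction = $p.DefaultInboundAction
        AllowInboundRules    = $p.AllowInboundRules
        BlockAllInbound      = ("$($p.AllowInboundRules)" -eq 'False')
        EnforcedByGpo        = ($gpo.DoNotAllowExceptions -eq 1)
    }
}

$state = Get-BlockAllInboundState
$state | Format-List

if ($state.BlockAllInbound) {
    if ($state.EnforcedByGpo) {
        Write-Warning 'Setting is pushed by Group Policy; fix the GPO or the local change will not stick.'
    }
    if ($Remediate) {
        # Same effect as unchecking the box in the Domain profile settings dialog.
        Set-NetFirewallProfile -Profile Domain -AllowInboundRules True
        Restart-Service -Name $AgentService -Force
        Write-Host "Cleared 'block all inbound' on the Domain profile and restarted $AgentService."
    } else {
        Write-Host 'Domain profile blocks all inbound traffic. Re-run with -Remediate to clear it.'
    }
} else {
    Write-Host 'Domain profile is not blocking all inbound; look elsewhere (rules, EDR, network path).'
}

# Which of the Agent ports currently have a listener. Not every port is open
# before a session is established, so an empty row is not by itself a fault.
Get-NetTCPConnection -State Listen -ErrorAction SilentlyContinue |
    Where-Object { $AgentPorts -contains $_.LocalPort } |
    Select-Object LocalAddress, LocalPort, OwningProcess,
        @{ n = 'Process'; e = { (Get-Process -Id $_.OwningProcess -ErrorAction SilentlyContinue).ProcessName } } |
    Sort-Object LocalPort | Format-Table -AutoSize
```

Run it once without `-Remediate` to record the state for the incident notes, then again with `-Remediate`; the final table should show the Blast and PCoIP listeners once the Agent service is back up.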


Verification

If you want to confirm this through logs:

  • Firewall policy change: Event Viewer → Applications and Services Logs → Microsoft → Windows → Windows Firewall with Advanced Security → Firewall. Event IDs 2004, 2005, 2033, 2034.

  • Firewall blocking activity: Applications and Services Logs → Microsoft → Windows → Windows Defender Firewall → Operational. Event IDs 5152, 5157 (blocked packets or connections).

  • Group Policy updates: Applications and Services Logs → Microsoft → Windows → GroupPolicy → Operational. Event IDs 8006, 8007.

  • Horizon logs: C:\ProgramData\VMware\VDM\logs\debug-*.log. Errors such as “Error 10060” or “Socket connect failed”.
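The same checks from PowerShell, so the evidence can be collected in one pass rather than by browsing Event Viewer. This is an added example, not from the original post. It assumes the default Horizon log path given above and a 24-hour window; the blocked-packet events 5152 and 5157 are generated by the Filtering Platform audit subcategories and are read here from the Security log, where those audit events are written, so they will be empty until that auditing is enabled.

```powershell
# Added example (not from the original post). Run locally on an affected VM.
[CmdletBinding()]
param(
    [int]$Hours = 24,
    [string]$HorizonLogGlob = 'C:\ProgramData\VMware\VDM\logs\debug-*.log'
)
$since = (Get-Date).AddHours(-$Hours)

function Get-EventsSince {
    param([string]$LogName, [int[]]$Id)
    Get-WinEvent -FilterHashtable @{ LogName = $LogName; Id = $Id; StartTime = $since } -ErrorAction SilentlyContinue |
        Select-Object TimeCreated, Id, ProviderName,
            @{ n = 'Summary'; e = { ($_.Message -split "`r?`n")[0] } }
}

Write-Host "== Firewall policy changes (rules and settings) since $since"
Get-EventsSince -LogName 'Microsoft-Windows-Windows Firewall With Advanced Security/Firewall' -Id 2004, 2005, 2033, 2034 |
    Format-Table -AutoSize

Write-Host '== Blocked packets / connections (Filtering Platform audit events in the Security log)'
$drops = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 5152, 5157; StartTime = $since } -ErrorAction SilentlyContinue
if (-not $drops) {
    Write-Host '   none found; if auditing is off, enable it with:'
    Write-Host '   auditpol /set /subcategory:"Filtering Platform Packet Drop" /failure:enable'
    Write-Host '   auditpol /set /subcategory:"Filtering Platform Connection" /failure:enable'
} else {
    # Direction is stored as a resource code in the event data; map the two we care about.
    $dir = @{ '%%14592' = 'Inbound'; '%%14593' = 'Outbound' }
    $drops | ForEach-Object {
        $x = [xml]$_.ToXml()
        $d = @{}
        foreach ($n in $x.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
        $label = if ($dir.ContainsKey($d['Direction'])) { $dir[$d['Direction']] } else { $d['Direction'] }
        [pscustomobject]@{ Id = $_.Id; Direction = $label; DestPort = $d['DestPort']; Application = $d['Application'] }
    } | Group-Object Direction, DestPort, Application | Sort-Object Count -Descending |
        Select-Object Count, Name | Format-Table -AutoSize
}

Write-Host '== Group Policy processing'
Get-EventsSince -LogName 'Microsoft-Windows-GroupPolicy/Operational' -Id 8006, 8007 | Format-Table -AutoSize

Write-Host '== Horizon Agent debug log errors'
Get-ChildItem -Path $HorizonLogGlob -ErrorAction SilentlyContinue |
    Where-Object LastWriteTime -ge $since |
    Select-String -Pattern '10060|Socket connect failed' |
    Select-Object Filename, LineNumber, Line -Last 20 |
    Format-Table -AutoSize -Wrap
```

A cluster of inbound drops on a Horizon port with the Agent binary as the application, aligned in time with a 2004/2005 policy-change event, is the pattern that confirms the root cause described above.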

Recommended Preventive Actions

  • Disable “Block all incoming connections” via GPO

    • Computer Configuration → Windows Defender Firewall → Domain Profile

  • Ensure required ports are allowed:

    • TCP 4172, UDP 4172 (PCoIP)

    • TCP 8443 / 22443 (Blast)

    • TCP 32111 (USB Redirection)

    • TCP 9427 (RTAV)

  • Add exclusions in EDR or antivirus for:

    • vmblastsvc.exe

    • wsnm.exe

    • vmware-viewagent.exe
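The preventive actions as a script, so the same configuration lands on every desktop image rather than being set by hand. This is an added example, not from the original post or from VMware. The GPO name `contoso.example\Horizon-Agent-Firewall`, the remote subnet `10.0.0.0/8` and the Agent install root `C:\Program Files\VMware\VMware View\Agent` are placeholders to replace with your own values; the Defender exclusions stand in for whatever EDR or antivirus console you actually use.

```powershell
# Added example (not from the original post). Applies the preventive actions:
# clears "block all inbound" on the Domain profile (locally, or in a GPO when
# -GpoStore is given), creates scoped inbound rules for the Horizon Agent ports,
# and adds Defender process exclusions for the Agent binaries.
[CmdletBinding()]
param(
    [string]$GpoStore,                                              # placeholder: 'contoso.example\Horizon-Agent-Firewall'
    [string[]]$RemoteAddress = @('10.0.0.0/8'),                     # placeholder: your client / Connection Server subnets
    [string]$AgentRoot = 'C:\Program Files\VMware\VMware View\Agent' # assumed default Agent install path
)

# Splat the GPO as the policy store when given; otherwise act on the local firewall.
$store = @{}
if ($GpoStore) { $store = @{ PolicyStore = $GpoStore } }

# 1. Keep the allowed-app list honoured: AllowInboundRules=True is the unchecked box.
Set-NetFirewallProfile -Profile Domain -Enabled True -AllowInboundRules True @store

# 2. Inbound rules for the ports listed in this post, restricted to the Horizon
#    subnets instead of Any so the rule set stays least-privilege.
$rules = @(
    @{ Name = 'Horizon-PCoIP-TCP'; Protocol = 'TCP'; Port = 4172 }
    @{ Name = 'Horizon-PCoIP-UDP'; Protocol = 'UDP'; Port = 4172 }
    @{ Name = 'Horizon-Blast-TCP'; Protocol = 'TCP'; Port = @(8443, 22443) }
    @{ Name = 'Horizon-USB-TCP';   Protocol = 'TCP'; Port = 32111 }
    @{ Name = 'Horizon-RTAV-TCP';  Protocol = 'TCP'; Port = 9427 }
)
foreach ($r in $rules) {
    if (Get-NetFirewallRule -Name $r.Name @store -ErrorAction SilentlyContinue) {
        # Rule exists (previous run, or an admin created it): make sure it is live.
        Set-NetFirewallRule -Name $r.Name -Enabled True -Action Allow @store
        continue
    }
    New-NetFirewallRule -Name $r.Name -DisplayName $r.Name -Group 'VMware Horizon Agent' `
        -Direction Inbound -Action Allow -Protocol $r.Protocol -LocalPort $r.Port `
        -RemoteAddress $RemoteAddress -Profile Domain @store | Out-Null
}

# 3. Defender process exclusions for the Agent binaries (local machine only).
#    Each binary is resolved under the install root so a wrong path is reported
#    rather than silently excluded.
if (-not $GpoStore) {
    foreach ($exe in 'vmblastsvc.exe', 'wsnm.exe', 'vmware-viewagent.exe') {
        $found = Get-ChildItem -Path $AgentRoot -Recurse -Filter $exe -ErrorAction SilentlyContinue |
            Select-Object -First 1
        if ($found) { Add-MpPreference -ExclusionProcess $found.FullName }
        else { Write-Warning "$exe not found under $AgentRoot; exclusion skipped" }
    }
}

# Show what was applied.
Get-NetFirewallProfile -Profile Domain @store | Select-Object Name, Enabled, DefaultInboundAction, AllowInboundRules
Get-NetFirewallRule -Group 'VMware Horizon Agent' @store | Select-Object Name, Enabled, Action, Profile
```

Run it with `-GpoStore` from a machine with the Group Policy management tools to write the firewall settings into the GPO that targets the desktop OU, and without it during image build to set the local baseline and exclusions.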


Conclusion

This issue was not caused by VMware itself, but by an overly restrictive Windows Firewall configuration that prevented Horizon Agent from establishing its communication channels.
Once the firewall’s “block all inbound connections” setting was disabled, all affected VMs returned to a normal “Available” state without reinstalling the Agent.


Keywords: VMware Horizon, Horizon Agent, Protocol Error, Windows Firewall, Block All Incoming Connections, Event ID 7000, PASVC Service, LUFA Service, Blast, PCoIP, Connection Server
