Remote Desktop Session Broker Load Balancing

Updated on October 8, 2018

Introduction

This article covers load balancing terminal servers on Windows Server 2008 R2.
Normally, load balancing is a technique for distributing load across a number of servers.
In the Microsoft Remote Desktop (Terminal Services) world, load balancing is really about managing the number of sessions distributed across a number of terminal servers. For example, if one server has two remote desktop sessions, each running CPU-intensive applications, and a second server has 20 remote desktop sessions, each running Notepad, the next connection to the Remote Desktop load balancing farm is redirected to the first server because it has fewer connections, regardless of the actual load on either server. This load balancing mechanism is called the Remote Desktop Connection Broker.

Remote Desktop Connection Broker

The RD Connection Broker does more than just distribute the number of remote desktop connections. If you are accidentally disconnected from a session and reconnect, it puts you back into your original disconnected session regardless of the number of connections on that server.

To use the RD Connection Broker, you must install the RD Connection Broker role on a server which is part of the same domain as your terminal servers (Remote Desktop Servers).

There will be a group called Session Broker Computers on the server running the RD Connection Broker role (or in Active Directory if the RD Connection Broker role is installed on a domain controller). You need to add the terminal servers that will be part of the RD Connection Broker farm as members of this group.

Configuring the terminal servers to connect to the RD Connection Broker

In order for the terminal servers to be part of the Connection Broker farm, you need to make a few changes to the Remote Desktop Session Host Configuration.

To configure the terminal servers to talk to an RD Connection Broker server:

1. Open Remote Desktop Session Host Configuration.
2. Double-click Member of farm in RD Connection Broker.

[Figure: Remote Desktop Session Host Configuration]

[Figure: RD Connection Broker settings]

The Relative weight of this server in the farm setting determines the share of sessions that should connect to this server. The minimum setting is 1. You can use this value to “drain” users over a period of time so that all new user connections go to the other terminal servers in the Connection Broker farm. Over time this server ends up with no user connections (except your own) and is then available for maintenance.

You also need to select the “IP Address redirection (recommended)” setting, and your clients must be able to reach ALL the terminal servers in the RD Connection Broker farm, directly or through the firewall.

The other option is “Use Token Redirection”. It is good in theory, but doesn’t work with most load balancers. Token Redirection allows the Connection Broker to be used together with another load balancer that supports the Connection Broker’s token redirection, so that clients whose firewall does not permit direct access to every terminal server in the farm can still reach them through the load balancer.

Tick Farm member.

The RD Connection Broker server name is the FQDN (fully qualified domain name) of the server running the Connection Broker service. This can be an internal FQDN that is resolved by the local DNS server.

The Farm Name is the FQDN of the terminal server farm. The farm name can be set up on either an internal DNS server or an external DNS server. The farm name has multiple host entries in the DNS server, each with a different IP address: the addresses of the terminal servers in the farm. For example, let's say MyFarm1 is the name of the terminal server farm, and there are two terminal servers with IP addresses 192.168.1.5 and 192.168.1.6. The DNS server would then hold the following entries:

MyFarm1 Host(A) 192.168.1.5
MyFarm1 Host(A) 192.168.1.6

Obviously the DNS server has to support DNS Round Robin.

Round Robin DNS Load balancing

RD Connection Broker requires the use of another load balancing mechanism to distribute the initial load from the client to the terminal servers.

For this article, I will describe the use of DNS load balancing. With DNS load balancing, if the servers are to be accessed by external clients, you need to host your domain name with a domain name registrar that supports Round Robin DNS. Otherwise, the Windows DNS server supports Round Robin DNS out of the box.

With Round Robin DNS, you set up multiple identical hostnames that have different IP addresses. When a client resolves that hostname, it receives either all of the IP addresses assigned to it or just one of them. If only one IP address is returned, subsequent requests from clients receive the other IP addresses in turn, in a “round robin” fashion.

So for the terminal servers that are part of the Connection Broker farm, you need to create identical host records for the farm name, one per terminal server, each carrying that server's IP address. These identical host records form the DNS name of the RD Connection Broker farm, e.g. rdfarm.mydomain.com.

When a user runs the Remote Desktop client, it should be configured to connect to the fully qualified domain name (FQDN) of the farm, e.g. rdfarm.mydomain.com. The RD client first resolves the farm name (rdfarm.mydomain.com) through a DNS server, which returns either one IP address or all of the addresses for the hostname. Because the address returned first is not necessarily the same on subsequent lookups, the initial connections are spread across the servers. This is Round Robin DNS load balancing.

RD Connection Broker in Action

When the RD Client connects to the terminal server by way of the IP address that it was given from the round robin DNS server, the terminal server authenticates the user via Active Directory, and then checks with the server that has the Remote Desktop Connection Broker role as to whether the user connection should stay on the original server, or be redirected to another server in the farm.

If the Connection Broker says to redirect to another server, the terminal server sends a message back to the RD client with the IP address of the server it needs to connect to. Therefore, if the client is on an external network, the client's outbound firewall rules need to allow port 3389 to all the IP addresses of the terminal servers. Likewise, the firewall on the network to which the terminal servers belong needs to allow inbound connections to each of the terminal servers.
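To verify the two requirements just described, as an added example that is not part of the original article: the farm name must resolve to every terminal server, and a client must be able to reach each of those servers on TCP 3389 itself, because IP address redirection hands the client the server's own IP. The zone name, farm name, the two addresses and the dnscmd lines for the DNS server are assumptions built from the article's example.

```powershell
# Added example, not from the original article. Part 1 is typed on the Windows DNS
# server; part 2 runs on a client. Zone (mydomain.com), farm name and the two RDSH
# addresses are placeholders built from the article's example.

# --- Part 1: on the DNS server (dnscmd ships with the DNS Server role) ---
#   dnscmd /Config /RoundRobin 1
#   dnscmd /RecordAdd mydomain.com rdfarm A 192.168.1.5
#   dnscmd /RecordAdd mydomain.com rdfarm A 192.168.1.6
# Netmask ordering (/LocalNetPriority, on by default) lists the address on the
# client's own subnet first, so clients on that subnet may not see any rotation.
# To watch the order rotate, query the server directly and repeatedly:
#   nslookup rdfarm.mydomain.com <dns-server>
# (the Windows resolver cache would otherwise answer every repeat from cache).

# --- Part 2: on a client ---
$farmName = 'rdfarm.mydomain.com'
$expected = @('192.168.1.5', '192.168.1.6')   # every RDSH in the farm

# 1. The farm name must resolve to all members, or some never receive new sessions.
$resolved = [System.Net.Dns]::GetHostAddresses($farmName) |
    ForEach-Object { $_.IPAddressToString }
$missing = $expected | Where-Object { $resolved -notcontains $_ }
if ($missing) {
    Write-Warning ("Farm name does not resolve to: " + ($missing -join ', '))
}

# 2. After a broker redirect the client connects to the chosen RDSH by IP, so
#    every member must be reachable on TCP 3389 through the client's firewall.
function Test-Rdp3389 {
    param([string]$Address, [int]$TimeoutMs = 2000)
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        $async = $client.BeginConnect($Address, 3389, $null, $null)
        if (-not $async.AsyncWaitHandle.WaitOne($TimeoutMs)) { return $false }
        $client.EndConnect($async)
        return $true
    } catch {
        return $false
    } finally {
        $client.Close()
    }
}

foreach ($ip in $expected) {
    $ok = Test-Rdp3389 -Address $ip
    if (-not $ok) { Write-Warning "$ip unreachable on 3389: sessions redirected to it will fail" }
    "{0}`t3389 reachable: {1}" -f $ip, $ok
}
```

Run part 2 from the network segment the clients actually use, since a check from inside the server network says nothing about the external firewall path.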

NOTE: Even though Token Redirection should in theory be used when clients cannot open the port to all the IP addresses, IT WILL NOT WORK unless you are running a load balancer that supports token redirection. Microsoft’s Network Load Balancing feature (NLB) does not seem to support Token Redirection. It will seem to work, but sometimes it does not return you to your disconnected session. So be warned!

Logging in twice - double Windows logon screen

If an older version of the RD client is used to connect to the terminal server farm, it may prompt the user to enter the username and password again when the connection is “redirected” to another server.

You can simply re-enter the username and password, or upgrade the Remote Desktop client to a version that supports Network Level Authentication (NLA), which performs the authentication before the session is established and so prevents the double logon screen. The Remote Desktop Session Host Configuration must have its RDP-Tcp properties configured so that the Security Layer setting is either Negotiate or SSL (TLS 1.0).
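One way to audit these settings across the farm, as an added example (not the article's or Microsoft's own code): it reads each Session Host's RD Connection Broker membership and RDP-Tcp security settings over WMI and reports anything that departs from what the article requires. Host names and the expected broker and farm names are placeholders; the WMI class and property names are the ones documented for the Terminal Services provider on Windows Server 2008 R2 and should be checked against the target build.

```powershell
# Added example, not from the original article. Runs from an admin workstation
# with WMI (DCOM) access to each RD Session Host. Host, broker and farm names are
# placeholders; WMI class/property names are the Terminal Services provider's
# (root\cimv2\TerminalServices) as documented for Windows Server 2008 R2.
$farmHosts      = @('rdsh1.mydomain.com', 'rdsh2.mydomain.com')
$expectedBroker = 'rdcb.mydomain.com'      # RD Connection Broker server FQDN
$expectedFarm   = 'rdfarm.mydomain.com'    # farm name, as registered in DNS
$ns = 'root\cimv2\TerminalServices'

# RDP-Tcp Security Layer values: 0 = RDP Security Layer, 1 = Negotiate, 2 = SSL (TLS 1.0)
$layerNames = @{ 0 = 'RDP Security Layer'; 1 = 'Negotiate'; 2 = 'SSL (TLS 1.0)' }

foreach ($h in $farmHosts) {
    $sd = Get-WmiObject -ComputerName $h -Namespace $ns -Class Win32_TSSessionDirectory
    $gs = Get-WmiObject -ComputerName $h -Namespace $ns -Class Win32_TSGeneralSetting `
              -Filter "TerminalName='RDP-Tcp'"

    $findings = @()
    # Farm membership and the names the article says must match the broker and DNS.
    if ($sd.SessionDirectoryActive -ne 1) { $findings += 'not a farm member' }
    if ($sd.SessionDirectoryLocation -ne $expectedBroker) {
        $findings += "broker is '$($sd.SessionDirectoryLocation)'"
    }
    if ($sd.SessionDirectoryClusterName -ne $expectedFarm) {
        $findings += "farm name is '$($sd.SessionDirectoryClusterName)'"
    }
    # IP address redirection is the option that works without a token-aware load balancer.
    if ($sd.SessionDirectoryExposeServerIP -ne 1) { $findings += 'IP address redirection is off' }
    # Security Layer RDP (0) rules out NLA, which is what prevents the double logon.
    if ($gs.SecurityLayer -eq 0) { $findings += 'Security Layer is RDP; NLA unavailable' }
    if ($gs.UserAuthenticationRequired -ne 1) { $findings += 'NLA not required' }

    New-Object PSObject -Property @{
        Host          = $h
        Weight        = $sd.ServerWeight        # 1 is the minimum; lower it to drain a host
        SecurityLayer = $layerNames[[int]$gs.SecurityLayer]
        NLA           = ($gs.UserAuthenticationRequired -eq 1)
        Findings      = ($findings -join '; ')
    }
}
```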

Conclusion

Setting up terminal services load balancing requires adding the right roles to the right servers and making a few configurations to the servers and DNS. It does not cost any extra money to have it all set up and functioning correctly.

NOTE: Terminal Services is a terminology used for Windows 2008 and earlier. With Windows Server 2008R2, Microsoft changed the terminology to Remote Desktop Services. I used both names in my article as many people still refer to the technology as terminal services.

Comments


    • sengstar2005 (author), 2 years ago from Sydney

      Hi Jay, have you tried making the relative weight the same value, i.e. 5, across all your RDS servers in the farm?

    • sengstar2005 (author), 2 years ago from Sydney

      Hi Jay, check your relative weight setting. If you make them the same value on each RDS server in the farm it should distribute the connections evenly. Since you have 5 terminal server licenses per server, perhaps try using a value of 5 for each server.

    • Jay, 2 years ago

      Hey, great article :) thanks for sharing. I just want to clarify something. I have configured an RDS farm in my environment; there are 3 servers and I have 5 terminal licenses on each server. When I am taking RDP it connects to the priority 1 server, and the same for every other user, till the terminal limit is full; then only it connects to the 2nd priority. Here my question is how can it divide the user sessions, because I don't want to give the full load to one server; I want to divide the traffic in parallel. Please suggest.

    • sengstar2005 (author), 4 years ago from Sydney

      Hi,

      We are currently looking at seeing if Splunk (www.splunk.com) will be able to manage logs and identify issues across multiple servers. I would suggest you look at Splunk to see if it does what you need.

    • TPWinn, 5 years ago

      Are there any tools (MS or external) that allow an admin to create reports across the entire farm? We are trying to isolate some RD refresh and freezing issues across a 5-server farm, and the problems may or may not be tied to a specific server in the farm or a specific remote site connecting in. I can go into the 'Remote Desktop Services Manager', add all servers to a group and visually see the information I need in the 3 tabs 'Users, Sessions and Processes', but I can see no way to export or report this information for historical analysis.

      Any insight would be greatly appreciated.

    • sengstar2005 (author), 5 years ago from Sydney

      It shouldn't let the same account log into different servers in the RDS farm. I think there's probably a config problem.

    • PatOC, 5 years ago

      I have 4 RDSH servers in the farm. The connection broker is allowing multiple sessions for a user if those users get connected to different servers. Is this a known problem or do I have a configuration issue? RDSH Connection Broker settings are set to restrict each user to a single session as is the restriction on the session host.

    • Noel-R, 5 years ago

      If the RDP-Tcp properties are configured so that the Security Layer setting is either Negotiate or SSL (TLS 1.0), users who must change their passwords are prompted with this message:

      "You must change your password before logging on the first time. Please update your password or contact your system administrator or technical support."

      and are given no opportunity to log into the network to change their password. Is there a workaround for this issue? It can be hard to manage if home-based users' passwords expire.

      This change did indeed fix the issue where clients that are directed to one of the two servers we have in the farm must log in a second time.

    • sengstar2005 (author), 5 years ago from Sydney

      Hi Gareth, when you mentioned web-based apps I am assuming you meant the "Apps" which you normally run from the RDS server and which are published on the RemoteApp and RD Web page.

      When you click on a published App it launches the RD client locally, which connects to the RDS server to run the app. The session broker will balance these RD sessions launched from the RD web page also.

    • Gareth, 5 years ago

      Quick question: I have 12 RDS servers in a farm using RDS apps, and this works perfectly. There is a need for the web-based apps. Do I need to install Network Load Balancing, or will the broker balance the RD Web connections as well? I'm trying to figure this one out. Yes, I'm using round robin DNS entries as well.

      Let me know, thanks a mil.
