Accomplished systems and network administrator with 10+ years of experience managing server infrastructures and data-center operations.
This article covers load balancing terminal servers on Windows Server 2008 R2. In general, load balancing is a technique for spreading load over a number of servers. In the Microsoft Remote Desktop (Terminal Services) world it is really about distributing sessions across a number of terminal servers, and what gets counted is sessions, not actual load. For example, if one server has two remote desktop sessions each running CPU-intensive applications, and a second server has 20 remote desktop sessions each running Notepad, the next connection to the Remote Desktop (terminal services) load balancing farm is redirected to the first server because it has fewer sessions, regardless of the real load on either server. The component that makes this decision is the Remote Desktop Connection Broker.
Remote Desktop Connection Broker
The RD Connection Broker does more than just spread the remote desktop connections around. If you disconnect from a session, by accident or otherwise, and reconnect, the broker sends you back to your original disconnected session no matter which server the new connection lands on first, and regardless of how many sessions that server already has.
To use the RD Connection Broker, you must install the RD Connection Broker role on a server which is part of the same domain as your terminal servers (Remote Desktop Servers).
There is a local group called Session Broker Computers on the server running the RD Connection Broker role (or a domain group of the same name in Active Directory if the role is installed on a domain controller). Every terminal server that is to be part of the RD Connection Broker farm must be added as a member of this group; a server that is not in it will not be accepted into the farm.
Configuring the Terminal Servers to Connect to the RD Connection Broker
In order for the terminal servers to be part of the Connection Broker farm, you need to make a few changes to the Remote Desktop Session Host Configuration.
To configure the terminal servers to talk to an RD Connection Broker server:
- Open up Remote Desktop Session Host Configuration.
- Double click on Member of farm in RD Connection Broker.
The Relative weight of this server in the farm setting controls what share of new sessions the broker sends to this server compared with the other members; the minimum value is 1 and the default is 100. Lowering the weight to 1 is a way to "drain" a server ahead of maintenance: new connections go to the other terminal servers in the Connection Broker farm, and once the existing sessions have logged off the server has no user connections left (except your own). Note that the weight only affects where new sessions are placed; sessions already on the server stay there until their users log off, and users reconnecting to a disconnected session are still sent back to it. On Windows Server 2008 R2 you can also stop new logons outright with chglogon /drain on the server being serviced.
You also need to select the "IP address redirection (recommended)" setting. In this mode a redirected client connects to the target terminal server by its IP address, so your clients must be able to reach ALL the terminal servers in the RD Connection Broker farm on TCP 3389, directly or through the firewall.
The other option is "Use token redirection". It is good in theory, but it only works when the traffic passes through a load balancer that understands the Connection Broker's routing token: the broker places the target server in a token inside the RDP connection request, and the load balancer, not the client, reads the token and forwards the session to that server. That is what makes it attractive for clients whose firewall does not permit direct access to every terminal server in the farm, but with a load balancer that does not support the token it does not work (see the note under RD Connection Broker in Action below).
Tick Farm member.
The RD Connection Broker server name is the FQDN (fully qualified domain name) of the server running the Connection Broker service. This can be an internal hostname, as long as the terminal servers can resolve it through the local DNS server.
The Farm Name is the FQDN of the terminal server farm. The farm name can be set up on an internal DNS server or an external one. It has multiple entries in DNS, one per terminal server, each with that server's IP address. For example, say MyFarm1 is the name of the terminal server farm and there are two terminal servers with IP addresses 192.168.1.5 and 192.168.1.6. The DNS server would hold the following entries:
MyFarm1 Host(A) 192.168.1.5
MyFarm1 Host(A) 192.168.1.6
The DNS server must support, and have enabled, round robin for names with more than one address; Windows DNS Server has it enabled by default.
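As an added example that is not part of the original article, the PowerShell script below checks the settings from the steps above on every member of the farm instead of opening Remote Desktop Session Host Configuration on each one. It reads the ClusterSettings registry key, which is where that dialog stores its values, over the remote registry service. The broker FQDN, farm name and host names are assumptions for the example.

```powershell
# Added example (not from the article): audit the "Member of farm in RD Connection
# Broker" settings on each RD Session Host by reading the registry key that the
# RD Session Host Configuration dialog writes to. Needs the Remote Registry
# service running on the targets and admin rights on them.
# The names below are assumptions for the example.
$expected = @{
    Broker = 'rdcb01.mydomain.com'   # assumed RD Connection Broker FQDN
    Farm   = 'rdfarm.mydomain.com'   # assumed farm name
}
$farmHosts = 'rdsh01', 'rdsh02'      # assumed farm members

function Get-FarmSettings {
    param([string]$ComputerName)
    $base = [Microsoft.Win32.RegistryKey]::OpenRemoteBaseKey('LocalMachine', $ComputerName)
    $key  = $base.OpenSubKey('SYSTEM\CurrentControlSet\Control\Terminal Server\ClusterSettings')
    if ($key -eq $null) { throw "ClusterSettings key not found on $ComputerName" }
    New-Object PSObject -Property @{
        Host       = $ComputerName
        FarmMember = ([int]$key.GetValue('SessionDirectoryActive', 0)) -eq 1      # "Farm member" tick box
        Broker     = [string]$key.GetValue('SessionDirectoryLocation', '')         # broker server name
        Farm       = [string]$key.GetValue('SessionDirectoryClusterName', '')      # farm name
        Weight     = [int]$key.GetValue('ServerWeight', 100)                       # relative weight
        IPRedirect = ([int]$key.GetValue('SessionDirectoryExposeServerIP', 1)) -eq 1  # 1 = IP address redirection, 0 = token redirection
    }
}

$results = foreach ($h in $farmHosts) { Get-FarmSettings -ComputerName $h }
$results | Format-Table Host, FarmMember, Broker, Farm, Weight, IPRedirect -AutoSize

# Flag anything that keeps a host out of the farm or breaks IP address redirection.
foreach ($r in $results) {
    if (-not $r.FarmMember)             { Write-Warning "$($r.Host): 'Farm member' is not ticked" }
    if ($r.Broker -ne $expected.Broker) { Write-Warning "$($r.Host): broker is '$($r.Broker)', expected '$($expected.Broker)'" }
    if ($r.Farm -ne $expected.Farm)     { Write-Warning "$($r.Host): farm name is '$($r.Farm)', expected '$($expected.Farm)'" }
    if (-not $r.IPRedirect)             { Write-Warning "$($r.Host): token redirection is selected; this needs a load balancer that understands the routing token" }
    if ($r.Weight -le 1)                { Write-Warning "$($r.Host): weight is $($r.Weight); this host is being drained of new sessions" }
}
```

One caveat: if the same settings are pushed by Group Policy, the policy values (under HKLM\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services) override what the dialog stored, and the dialog itself shows them greyed out. The script above reads only the dialog's key, so on policy-managed hosts check the policy key as well.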
Round Robin DNS Load Balancing
RD Connection Broker requires the use of another load balancing mechanism to distribute the initial load from the client to the terminal servers.
For this article, I will describe DNS load balancing. If the farm is to be reached by external clients, the public DNS for your domain must be hosted with a provider that supports round robin (several A records with the same name); for internal clients, Windows' own DNS server supports round robin.
With Round Robin DNS, you can set up multiple identical hostnames that have different IP addresses. The round robin DNS mechanism allows clients which request an IP address from a host name to get all the IP addresses, or just one of the IP addresses that was assigned to the host. If only one IP address is returned, subsequent requests by clients will result in other IP addresses being returned in a “round robin” fashion.
So for the terminal servers that are part of the connection broker farm, you create identical host (A) records for the farm name, one per terminal server, each with that server's IP address. These identical host records are the DNS name of the RD Connection Broker farm, e.g. rdfarm.mydomain.com.
When a user runs the Remote Desktop client, it should be configured to connect to the fully qualified domain name (FQDN) of the farm, e.g. rdfarm.mydomain.com. The RD client first resolves the farm name through a DNS server, which returns either one address or all of the addresses for the name, and the client connects to the first one. Because the address that comes first is not necessarily the same from one lookup to the next, connections are spread across the servers; this is Round Robin DNS load balancing. Bear in mind that round robin DNS has no health check: a terminal server that is down still has its address handed out, and a client that lands on it simply fails to connect and has to try again.
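The DNS side of the setup, from the two A records shown earlier through to what a client actually receives, as an added PowerShell example that is not part of the original article. It uses dnscmd, which ships with Windows Server 2008 R2; the zone, farm name, DNS server name and addresses are assumptions for the example.

```powershell
# Added example (not from the article): create the round robin A records for the
# farm name on a Windows DNS server and check what a client gets back.
# Zone, farm name, DNS server and addresses are assumptions for the example.
$zone    = 'mydomain.com'
$farm    = 'rdfarm'                       # becomes rdfarm.mydomain.com
$dnsSrv  = 'dc01.mydomain.com'            # assumed Windows DNS server
$members = '192.168.1.5', '192.168.1.6'   # RD Session Host addresses
$fqdn    = '{0}.{1}' -f $farm, $zone

# Round robin and netmask ordering are server-wide settings. Netmask ordering
# (LocalNetPriority) puts addresses on the client's own subnet first, which
# defeats the rotation for clients that share a subnet with one of the hosts.
& dnscmd $dnsSrv /Config /RoundRobin 1
& dnscmd $dnsSrv /Config /LocalNetPriority 0

# One A record per farm member, all under the same name.
foreach ($ip in $members) {
    & dnscmd $dnsSrv /RecordAdd $zone $farm A $ip
}

# Resolve the farm name the way the RD client does and return the addresses in
# the order received. The local resolver cache is flushed first, otherwise the
# client reuses its cached answer for the record's TTL and the order never changes.
function Get-FarmAddresses {
    param([string]$Name)
    & ipconfig /flushdns | Out-Null
    [System.Net.Dns]::GetHostAddresses($Name) | ForEach-Object { $_.IPAddressToString }
}

1..4 | ForEach-Object {
    $addrs = Get-FarmAddresses $fqdn
    'Lookup {0}: first={1}  all={2}' -f $_, $addrs[0], ($addrs -join ',')
}

# Every farm member must be in the answer, or that host never receives new sessions.
$seen = Get-FarmAddresses $fqdn
foreach ($ip in $members) {
    if ($seen -notcontains $ip) { Write-Warning "$ip is missing from the answer for $fqdn" }
}
```

Run it from a client on a different subnet from the terminal servers if you want the lookup loop to show the first address rotating. A server that is taken out of the farm must also have its A record removed (dnscmd /RecordDelete), since DNS keeps handing out the address of a host that is no longer there.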
RD Connection Broker in Action
When the RD client connects to the terminal server whose IP address it was given by the round robin DNS server, that terminal server authenticates the user against Active Directory and then asks the server holding the Remote Desktop Connection Broker role whether the connection should stay on the original server or be redirected to another server in the farm.
If the Connection Broker says redirect, the terminal server sends the RD client the IP address of the server it needs to connect to, and the client opens a new connection to that address. Therefore, if the client is on an external network, the client's outbound firewall rules need to allow TCP port 3389 to all the IP addresses of the terminal servers, and the firewall in front of the terminal servers' network needs to allow inbound connections to every one of them. Exposing every terminal server's port 3389 to the internet is rarely what you want; an RD Gateway (see the link at the end of this article) lets external clients reach the whole farm through one host over HTTPS instead.
NOTE: Even though token redirection in theory should be used if clients cannot open up the ports for all the IP addresses, IT WILL NOT WORK unless you are running a load balancer which supports token redirection. Microsoft's Network Load Balancing feature (NLB) does not appear to support it. It will seem to work, but sometimes it does not return you to your disconnected session. So be warned!
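With IP address redirection, the failure mode described above shows up only when the broker happens to redirect a client to a host it cannot reach, which makes it intermittent and hard to diagnose. The following PowerShell script, an added example that is not part of the original article, runs on a client and probes TCP 3389 on every address the farm name resolves to, so the gap is found before users hit it. The farm name and timeout are assumptions for the example.

```powershell
# Added example (not from the article): from a client, confirm that every RD
# Session Host behind the farm name accepts a TCP connection on 3389. With IP
# address redirection a client that can reach only some of them gets a failed
# connection whenever the broker redirects it to one it cannot reach.
# Farm name and timeout are assumptions for the example.
$farmName  = 'rdfarm.mydomain.com'
$port      = 3389
$timeoutMs = 3000

function Test-RdpPort {
    param([string]$Address, [int]$Port, [int]$TimeoutMs)
    # TcpClient with an explicit timeout, so a silently dropped SYN does not
    # hang the probe for the OS default of around 20 seconds.
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        $ar = $client.BeginConnect($Address, $Port, $null, $null)
        if (-not $ar.AsyncWaitHandle.WaitOne($TimeoutMs, $false)) { return $false }
        $client.EndConnect($ar)
        return $true
    } catch {
        return $false
    } finally {
        $client.Close()
    }
}

# The same lookup the RD client performs; all addresses, not just the first.
$addrs = [System.Net.Dns]::GetHostAddresses($farmName) | ForEach-Object { $_.IPAddressToString }
$unreachable = @()
foreach ($ip in $addrs) {
    $ok = Test-RdpPort -Address $ip -Port $port -TimeoutMs $timeoutMs
    '{0,-16} {1}' -f $ip, $(if ($ok) { 'open' } else { 'BLOCKED' })
    if (-not $ok) { $unreachable += $ip }
}

if ($unreachable.Count -gt 0) {
    Write-Warning ("Redirection will fail for: " + ($unreachable -join ', ') +
        ". Open TCP $port to these hosts, or put an RD Gateway in front of the farm instead of exposing every host.")
}
```

On the server side, the host firewall on each terminal server needs a matching inbound rule; on Windows Server 2008 R2 that is the built-in "Remote Desktop (TCP-In)" rule, or an explicit one such as `netsh advfirewall firewall add rule name="RDP farm clients" dir=in action=allow protocol=TCP localport=3389 remoteip=<client ranges>`, with remoteip narrowed to the networks the clients actually come from.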
Logging in Twice - Double Windows Logon Screen
If an older version of the RD client is used to connect to the terminal server farm, it may prompt the user for the username and password a second time when the connection is "redirected" to another server.
You can simply re-enter the username and password, or upgrade the Remote Desktop client to one that supports Network Level Authentication (NLA), which authenticates before the session is set up and so carries the credentials through the redirect without a second logon screen. For NLA to be used, the RDP-Tcp properties in Remote Desktop Session Host Configuration must have the Security Layer set to either Negotiate or SSL (TLS 1.0), and the client must support CredSSP (Windows Vista and later do; Windows XP SP3 needs CredSSP switched on). One side effect of NLA, raised in the comments below, is that a user whose password has already expired is refused before the session exists and gets no logon screen on which to change it.
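The listener setting described above can be set and verified on every farm member from one place through WMI, as in the added PowerShell example below, which is not part of the original article. It uses the Win32_TSGeneralSetting class in the root\cimv2\TerminalServices namespace that Windows Server 2008 R2 provides; the host names are assumptions for the example.

```powershell
# Added example (not from the article): on each farm member, move the RDP-Tcp
# listener off the legacy "RDP Security Layer" to Negotiate and require Network
# Level Authentication, then read the settings back. Remote access to this WMI
# namespace needs PacketPrivacy authentication. Host names are assumptions.
$farmHosts  = 'rdsh01', 'rdsh02'
$layerNames = @{ 0 = 'RDP'; 1 = 'Negotiate'; 2 = 'SSL (TLS 1.0)' }

function Get-RdpListener {
    param([string]$ComputerName)
    Get-WmiObject -ComputerName $ComputerName -Namespace 'root\cimv2\TerminalServices' `
        -Class Win32_TSGeneralSetting -Authentication PacketPrivacy `
        -Filter "TerminalName='RDP-Tcp'"
}

foreach ($h in $farmHosts) {
    $listener = Get-RdpListener -ComputerName $h

    # SecurityLayer 0 is the legacy RDP layer: no TLS on the connection, no NLA,
    # and the second logon prompt on redirect that the article describes.
    if ($listener.SecurityLayer -eq 0) {
        $null = $listener.SetSecurityLayer(1)             # 1 = Negotiate
    }
    if ($listener.UserAuthenticationRequired -ne 1) {
        $null = $listener.SetUserAuthenticationRequired(1)  # require NLA
    }

    # Re-read so the report reflects what the server actually holds.
    $listener = Get-RdpListener -ComputerName $h
    '{0,-10} SecurityLayer={1,-14} NLA={2,-5} CertThumbprint={3}' -f $h,
        $layerNames[[int]$listener.SecurityLayer],
        ($listener.UserAuthenticationRequired -eq 1),
        $listener.SSLCertificateSHA1Hash
}
```

The thumbprint printed in the last column is the certificate the listener presents when TLS is negotiated. Out of the box it is a self-signed certificate with the server's own name, so clients that connect to the farm name and then get redirected will see name-mismatch warnings unless each host is given a certificate from a CA the clients trust.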
Setting up terminal services load balancing requires adding the right roles to the right servers and making a few configurations to the servers and DNS. It does not cost any extra money to have it all set up and functioning correctly.
NOTE: Terminal Services is the term used for Windows Server 2008 and earlier. With Windows Server 2008 R2, Microsoft changed the name to Remote Desktop Services. I have used both names in this article, as many people still refer to the technology as terminal services.
- How to Setup Remote Desktop Connection Broker Load Balancing in Windows 2016
This article will show how to load balance the Remote Desktop Session Host Servers by creating an RD Session Host Farm and using Remote Desktop Connection Broker to manage the load balancing of the user sessions in Windows 2016.
- How to Remote Desktop through a Proxy Server to a Terminal Server
Connecting to a terminal server via a web proxy server.
- Remote Desktop via Proxy Server to a Remote Desktop Server
This article will outline the principles of setting up your server infrastructure so as to be able to remote desktop via Proxy server to a Remote Desktop Server. The seasoned professional will be able to then apply these concepts.
- What is a Remote Desktop Gateway and How to Use One
A Remote Desktop Gateway server is a Windows 2008R2 server which typically is located in a corporate or private network. It acts as the gateway into which RDP connections from an external network connects through to access a Remote Desktop server.
Questions & Answers
Question: Why do we need to connect remote desktop server with load balancing servers (RD Connection Broker) and how does it happen?
Answer: You need to do this when you have many Remote Desktop clients connecting in. If you have only one server, the many remote connections will take up too much of a Windows server's resources and user sessions will be slow. It is also good to have redundancy.
sengstar2005 (author) from Sydney on July 21, 2016:
Hi Jay, have you tried making the relative weight the same value, i.e. 5, across all your RDS servers in the farm?
sengstar2005 (author) from Sydney on July 20, 2016:
Hi Jay, check your relative weight setting. If you make them the same value on each RDS server in the farm it should distribute the connections evenly. Since you have 5 terminal server licenses per server, perhaps try using a value of 5 for each server.
Jay on July 17, 2016:
Hey, great article :) Thanks for sharing. I just want to clarify something. I have configured an RDS farm in my environment; there are 3 servers and I have 5 terminal licenses on each server. When I take RDP it connects to the priority 1 server, and the same for every other user, until the terminal limit is full; only then does it connect to the 2nd priority. My question is how it can divide the user sessions, because I don't want to put the full load on one server; I want to divide the traffic in parallel. Please suggest.
sengstar2005 (author) from Sydney on October 27, 2013:
We are currently looking at seeing if Splunk (www.splunk.com) will be able to manage logs and identify issues across multiple servers. I would suggest you look at Splunk to see if it does what you need.
TPWinn on October 18, 2013:
Are there any tools (MS or external) that allow an admin to create reports across the entire farm? We are trying to isolate some RD refresh and freezing issues across a 5 server farm and the problems may or may not be tied to a specific server in the farm or a specific remote site connecting in. I can go into the 'Remote Desktop Services Manager' and add all servers to a group and visually see the information I need in the 3 tabs 'User, Sessions and Processes' but I can see no way to export or report this information for historical analysis.
Any insight would be greatly appreciated.
sengstar2005 (author) from Sydney on September 20, 2013:
It shouldn't let the same account log into different servers in the RDS farm. I think there's probably a config problem.
PatOC on September 17, 2013:
I have 4 RDSH servers in the farm. The connection broker is allowing multiple sessions for a user if those users get connected to different servers. Is this a known problem or do I have a configuration issue? RDSH Connection Broker settings are set to restrict each user to a single session as is the restriction on the session host.
Noel-R on August 19, 2013:
If the RDP-TCP properties are configured so that the Security Layer setting is either Negotiate or SSL (TLS 1.0), users who must change their passwords are prompted with this message:
"You must change your password before logging on the first time. Please update your password or contact your system administrator or technical support."
and are given no opportunity to log into the network to change their password. Is there a workaround for this issue? It can be hard to manage if home-based users' passwords expire.
This change did indeed fix the issue where clients that are directed to one of the two servers we have in the farm must log in a second time.
sengstar2005 (author) from Sydney on January 23, 2013:
Hi Gareth, when you mentioned web based apps I am assuming you meant the "Apps" which you normally run from the RDS server which is published on the RemoteApp and RD web page.
When you click on a published App it launches the RD client locally, which connects to the RDS server to run the app. The session broker will balance these RD sessions launched from the RD web page also.
Gareth on January 21, 2013:
Quick question: I have 12 RDS servers in a farm using RDS apps, and this works perfectly. There is a need for the web-based apps. Do I need to install Network Load Balancing, or will the broker balance the RD Web connections as well? I'm trying to figure this one out. Yes, I'm using round robin DNS entries as well.
Let me know, thanks a mil.