Remote Desktop Session Broker Load Balancing
This article covers load balancing terminal servers on Windows Server 2008 R2.
Normally, load balancing is a technique for distributing load over a number of servers.
In the Microsoft Remote Desktop or Terminal Services world, load balancing is really about distributing the number of sessions over a number of terminal servers, not the actual load. For example, if one server has two remote desktop sessions, each running a CPU-intensive application, and a second server has 20 remote desktop sessions each running Notepad, the next connection to the Remote Desktop (terminal services) farm will be redirected to the first server because it has fewer sessions, regardless of how busy it really is. The component that makes this decision is called the Remote Desktop Connection Broker.
Remote Desktop Connection Broker
The RD Connection Broker does more than distribute new connections across the farm. If you disconnect from a session (deliberately or because the network dropped) and later reconnect to the farm, the broker sends you back to the server holding your disconnected session, regardless of how many sessions that server already has. A reconnection therefore never creates a second session for the same user on another member.
To use the RD Connection Broker, you must install the RD Connection Broker role service on a server that is a member of the same domain as your terminal servers (RD Session Hosts).
There will be a group called Session Broker Computers on the server that is running the RD Connection Broker role, or in Active Directory if the RD Connection Broker role is installed on a domain controller. You need to add the terminal servers which will be part of the RD Connection Broker farm as members of this group.
Configuring the terminal servers to connect to the RD Connection Broker
In order for the terminal servers to be part of the Connection Broker farm, you need to make a few changes to the Remote Desktop Session Host Configuration.
To configure the terminal servers to talk to an RD Connection Broker server:
1. Open up Remote Desktop Session Host Configuration
2. Double click on Member of farm in RD Connection Broker
[Screenshot: Remote Desktop Session Host Configuration, RD Connection Broker settings dialog]
The Relative weight of this server in the farm setting determines what share of new sessions the broker sends to this server compared with the other members. The minimum value is 1. You can use this value to "drain" a server over a period of time: set its weight to 1 (and leave the others higher) so that new user connections go to the other terminal servers in the farm. Note that existing sessions stay where they are, and a user with a disconnected session on this server is still sent back to it, so the server only becomes empty once those users have logged off. Once it has no user sessions (except your own) it is available for maintenance.
You also need to select the "IP address redirection (recommended)" setting. With this setting, your clients must be able to reach ALL the terminal servers in the RD Connection Broker farm directly on the RDP port, either on the local network or through the firewall.
The other option is "Use token redirection". It is good in theory, but does not work with most load balancers. Token redirection lets the Connection Broker work behind a separate load balancer that understands the broker's routing token: the client keeps talking to the load balancer's single address, and the load balancer forwards the connection to the right farm member. This allows clients whose firewall does not permit access to every terminal server in the farm to be redirected, but only if the load balancer in front actually supports it.
Tick Farm member.
The RD Connection Broker server name is the FQDN (fully qualified domain name) of the server running the Connection Broker service. This can be an internal hostname resolved by the local DNS server.
The Farm name is the FQDN of the terminal server farm. The farm name can be set up on an internal DNS server or an external one. It has multiple host entries in DNS, one per terminal server, each with that server's IP address. For example, let's say MyFarm1 is the name of the terminal server farm and there are two terminal servers with the IP addresses 192.168.1.5 and 192.168.1.6. The DNS server would contain the following entries:
MyFarm1 Host(A) 192.168.1.5
MyFarm1 Host(A) 192.168.1.6
Obviously the DNS server has to support DNS round robin. The Windows DNS server has round robin enabled by default, but it also enables netmask ordering by default, which puts the address closest to the client's subnet first and can defeat the rotation for internal clients; check both settings on the server.
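The farm membership steps above, scripted for an unattended build or for draining a member, as an added example that is not part of the original article. It assumes a broker named rdcb01.corp.example.com and a farm name rdfarm.corp.example.com (both made up here), and it relies on the Set* methods documented for the Win32_TSSessionDirectorySetting WMI class; verify those method names on your own build before using it.

```powershell
# Added example (not from the original article): join this RD Session Host to an
# RD Connection Broker farm, or drain it by lowering its relative weight.
# Assumptions: the broker is rdcb01.corp.example.com and the farm name is
# rdfarm.corp.example.com (constructed names); the method names are those documented
# for the Win32_TSSessionDirectorySetting WMI class. Run elevated on the session host.
param(
    [string]$Broker   = 'rdcb01.corp.example.com',   # FQDN of the RD Connection Broker
    [string]$FarmName = 'rdfarm.corp.example.com',   # FQDN of the farm (the round-robin DNS name)
    [int]$Weight      = 100,                         # relative weight; 1 = receive the fewest new sessions
    [switch]$Drain                                   # set weight to 1 and refuse new logons
)

# The TerminalServices WMI namespace requires packet privacy authentication.
$sd = Get-WmiObject -Namespace 'root\cimv2\TerminalServices' `
                    -Class 'Win32_TSSessionDirectorySetting' `
                    -Authentication PacketPrivacy

if ($Drain) {
    # Minimum weight: the broker still counts this host but prefers every other member.
    # Existing sessions stay here and disconnected users are still reconnected here,
    # so additionally block brand-new logons until the host is empty.
    [void]$sd.SetServerWeight(1)
    & change logon /drain
} else {
    [void]$sd.SetSessionDirectoryLocation($Broker)      # "RD Connection Broker server name"
    [void]$sd.SetSessionDirectoryClusterName($FarmName) # "Farm name"
    [void]$sd.SetServerWeight($Weight)                  # "Relative weight of this server in the farm"
    [void]$sd.SetSessionDirectoryExposeServerIP(1)      # "IP address redirection (recommended)"
    [void]$sd.SetSessionDirectoryActive(1)              # "Member of farm in RD Connection Broker"
}

# Read the settings back so the change can be verified (or used as a compliance check).
Get-WmiObject -Namespace 'root\cimv2\TerminalServices' `
              -Class 'Win32_TSSessionDirectorySetting' `
              -Authentication PacketPrivacy |
    Select-Object SessionDirectoryActive, SessionDirectoryLocation,
                  SessionDirectoryClusterName, ServerWeight, SessionDirectoryExposeServerIP
```

Run it once per session host with the default parameters to join the farm, and with -Drain when you want to take a member out for maintenance; the read-back at the end is what you would compare across members to make sure they all point at the same broker and farm name.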
Round Robin DNS Load balancing
The RD Connection Broker requires another load balancing mechanism to distribute the client's initial connection across the terminal servers; the broker itself only decides where the session ends up after that first connection is made.
For this article, I will describe DNS load balancing. If the servers are to be accessed by external clients, you need to host your domain name with a registrar or DNS provider that supports round robin DNS. For internal clients, Windows' own DNS server supports round robin.
With round robin DNS, you create multiple identical host names with different IP addresses. The DNS server returns all of the addresses for the name but rotates their order on each response. Most clients simply use the first address returned, so successive clients are spread across the servers in a "round robin" fashion.
So for the terminal servers in the Connection Broker farm, you create identical host (A) records for the farm name, one with the IP address of each terminal server in the farm. These identical records are the DNS name of the RD Connection Broker farm, e.g. rdfarm.mydomain.com.
When a user runs the Remote Desktop client, it should be configured to connect to the fully qualified domain name (FQDN) of the farm, e.g. rdfarm.mydomain.com. The RD client first resolves the farm name through DNS and receives the list of addresses for it. Because the address that comes first is not necessarily the same one the next time, different clients start on different servers. This is round robin DNS load balancing.
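The DNS side of the setup, as an added example that is not part of the original article: it creates the round-robin A records with dnscmd, turns on round robin and turns off netmask ordering on the Windows DNS server, and then checks from a client that the first address really rotates. The zone corp.example.com, the server dns01.corp.example.com and the member addresses are constructed for the example.

```powershell
# Added example (not from the original article): publish the farm name as round-robin
# A records and confirm that the DNS server rotates them.
# Assumptions (all constructed): zone corp.example.com, farm name rdfarm, DNS server
# dns01.corp.example.com, session hosts 192.168.1.5 and 192.168.1.6.
$DnsServer = 'dns01.corp.example.com'
$Zone      = 'corp.example.com'
$FarmHost  = 'rdfarm'
$Members   = @('192.168.1.5', '192.168.1.6')

# One identical A record per farm member (dnscmd ships with Windows Server 2008 R2).
foreach ($ip in $Members) {
    & dnscmd $DnsServer /RecordAdd $Zone $FarmHost A $ip
}

# Round robin must be on and netmask ordering off: with netmask ordering enabled (the
# default) a client on 192.168.1.0/24 always gets the address on its own subnet first,
# which defeats the rotation for internal clients.
& dnscmd $DnsServer /Config /RoundRobin 1
& dnscmd $DnsServer /Config /LocalNetPriority 0

# Verify from a client: resolve the farm FQDN several times and record which address
# comes first. The local resolver cache would otherwise return the same order every
# time, so the cache is flushed before each query.
function Test-RoundRobin([string]$Fqdn, [int]$Queries = 6) {
    $firstSeen = @{}
    for ($i = 0; $i -lt $Queries; $i++) {
        & ipconfig /flushdns | Out-Null
        # Dns.GetHostAddresses returns every A record; the RD client uses the first one.
        $addrs = [System.Net.Dns]::GetHostAddresses($Fqdn) | ForEach-Object { $_.IPAddressToString }
        $firstSeen[$addrs[0]] = $true
        "query $($i + 1): " + ($addrs -join ', ')
    }
    if ($firstSeen.Count -lt 2) {
        Write-Warning ("$Fqdn always resolves to $($firstSeen.Keys -join ', ') first; " +
                       "check the server's round robin and netmask ordering settings.")
    }
}
Test-RoundRobin "$FarmHost.$Zone"
```

The dnscmd lines must be run as a DNS administrator; Test-RoundRobin can be run from any domain client and is a quick way to tell whether a "one server gets everything" complaint is a DNS ordering problem rather than a broker problem.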
RD Connection Broker in Action
When the RD client connects to the terminal server whose address it got from the round robin DNS response, that terminal server authenticates the user against Active Directory and then asks the server holding the RD Connection Broker role whether the connection should stay on the server it landed on or be redirected to another member of the farm. The broker first looks for an existing disconnected session for that user; if there is none, it picks the member with the fewest sessions, taking the relative weights into account.
If the Connection Broker says redirect, the terminal server sends the RD client a redirect containing the IP address of the server it must connect to, and the client opens a new connection to that address. Therefore, if the client is on an external network, the client's outbound firewall rules need to allow TCP port 3389 to the IP addresses of ALL the terminal servers, and the firewall in front of the terminal servers must allow inbound TCP 3389 to every one of them. A member that is reachable by the broker but not by the client will simply fail to connect when the client is redirected to it.
NOTE: Even though token redirection in theory should be used if clients cannot open the port to all the IP addresses, IT WILL NOT WORK unless you are running a load balancer that supports token redirection. Microsoft's Network Load Balancing feature (NLB) does not seem to support token redirection. It will seem to work, but it sometimes does not return you to your disconnected session. So be warned!
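The client-side reachability check implied by the paragraph above, as an added example that is not part of the original article: it resolves the farm name to every member and tests TCP 3389 on each one with a bounded timeout, so a member the broker could redirect you to but that the firewall blocks shows up before users hit it. The farm name rdfarm.corp.example.com is constructed.

```powershell
# Added example (not from the original article): from the client side, resolve the
# farm name to every member and check that TCP 3389 is reachable on each one.
# Assumption (constructed): the farm name is rdfarm.corp.example.com.
function Test-FarmReachability([string]$FarmFqdn, [int]$Port = 3389, [int]$TimeoutMs = 3000) {
    # Every A record behind the farm name is a server the broker may redirect us to.
    $members = [System.Net.Dns]::GetHostAddresses($FarmFqdn) |
               Where-Object { $_.AddressFamily -eq 'InterNetwork' }   # IPv4 A records only
    foreach ($ip in $members) {
        $client = New-Object System.Net.Sockets.TcpClient
        try {
            # BeginConnect + WaitOne gives a bounded timeout; a plain Connect() can block
            # for a long time when the firewall silently drops the SYN.
            $ar = $client.BeginConnect($ip, $Port, $null, $null)
            if ($ar.AsyncWaitHandle.WaitOne($TimeoutMs) -and $client.Connected) {
                $client.EndConnect($ar)
                $status = 'open'
            } else {
                $status = 'BLOCKED or down'   # timeout (dropped) or refused (port closed)
            }
        } catch {
            $status = "error: $($_.Exception.Message)"
        } finally {
            $client.Close()
        }
        New-Object PSObject -Property @{ Member = $ip.IPAddressToString; Port = $Port; Status = $status }
    }
}

Test-FarmReachability 'rdfarm.corp.example.com' | Format-Table Member, Port, Status -AutoSize
```

Run it from the same network the users connect from (for example from outside the perimeter firewall); any member reported as BLOCKED is one where IP address redirection will fail for those users until the firewall rule is added.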
Logging in twice - double Windows logon screen
If an older version of the RD client is used to connect to the terminal server farm, it may prompt the user for the username and password a second time when the connection is redirected to another server, because the second connection is authenticated from scratch.
You can simply re-enter the username and password, or upgrade the Remote Desktop client to version 6.0 or later, which supports Network Level Authentication (NLA). With NLA the credentials supplied for the first connection are used for the redirected connection as well, so the double logon screen disappears. For this to work, the RDP-Tcp properties in Remote Desktop Session Host Configuration must have the Security layer set to Negotiate or SSL (TLS 1.0) and NLA enabled. Bear in mind that requiring NLA locks out clients that cannot do it (RDC 5.x, and Windows XP before SP3), so check your oldest client before enforcing it.
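A check for the RDP-Tcp settings just described, as an added example that is not part of the original article. It reads the SecurityLayer and UserAuthentication values under the RDP-Tcp WinStation registry key (the same values the Session Host Configuration dialog writes) and can set them, so the state can be audited across all farm members rather than clicked through one at a time.

```powershell
# Added example (not from the original article): check, and optionally enforce, the
# RDP-Tcp security layer and NLA on a session host so that a redirected client is not
# prompted for credentials twice. Registry values under WinStations\RDP-Tcp:
#   SecurityLayer       0 = RDP, 1 = Negotiate, 2 = SSL (TLS 1.0)
#   UserAuthentication  1 = Network Level Authentication required
$key = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp'

function Get-RdpSecurity {
    $v = Get-ItemProperty -Path $key
    $layer = [int]$v.SecurityLayer
    $nla   = ([int]$v.UserAuthentication -eq 1)
    New-Object PSObject -Property @{
        SecurityLayer = @{ 0 = 'RDP'; 1 = 'Negotiate'; 2 = 'SSL (TLS 1.0)' }[$layer]
        NlaRequired   = $nla
        # A redirected client authenticates silently only with NLA over Negotiate or SSL.
        SingleLogon   = ($nla -and $layer -ge 1)
    }
}

function Set-RdpSecurity([ValidateSet(1, 2)][int]$SecurityLayer = 2, [bool]$RequireNla = $true) {
    # 0 (plain RDP security) is deliberately not allowed here: it cannot carry NLA.
    Set-ItemProperty -Path $key -Name SecurityLayer      -Value $SecurityLayer    -Type DWord
    Set-ItemProperty -Path $key -Name UserAuthentication -Value ([int]$RequireNla) -Type DWord
    # Only new connections pick up the change; existing sessions are unaffected.
}

Get-RdpSecurity
# To enforce on this host:  Set-RdpSecurity -SecurityLayer 2 -RequireNla $true
# then re-run Get-RdpSecurity and confirm SingleLogon is True.
```

Run Get-RdpSecurity on each member (for example through Invoke-Command or a remote registry read) and look for any host where SingleLogon is False; one misconfigured member is enough to give users a second logon prompt whenever the broker happens to redirect them to it.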
Setting up terminal services load balancing comes down to adding the right roles to the right servers and making a few configuration changes on the servers and in DNS. It needs no additional products or licences beyond Windows Server itself to have it all set up and functioning correctly.
NOTE: Terminal Services is a terminology used for Windows 2008 and earlier. With Windows Server 2008R2, Microsoft changed the terminology to Remote Desktop Services. I used both names in my article as many people still refer to the technology as terminal services.