Configuring Windows 2008 R2 Remote Desktop Farm with Connection Broker
In my previous article about Windows 2008 R2 Remote Desktop Services (RDS) I set up a single server with the RD Session Host and Web Access roles. Now I will expand on this and add an additional Session Host/Web Access server to create an RDS server farm for redundancy. I will use the RD Connection Broker role to provide session reconnection and load balancing features. Both of my RD servers are members of an Active Directory domain. This is a requirement for using the Connection Broker role.
Install RD Connection Broker Role
The Connection Broker role can be installed on a separate server or on one of your Session Hosts. For the highest reliability and in larger environments I would recommended installing the Connection Broker on a separate server. That way you can bring down either of your Session Hosts for maintenance while ensuring that the Connection Broker service is available for the remaining server(s). I will be installing the Connection Broker role on a server that was previously configured with the RD Licensing role. In this example my Session Host/Web Access servers are named RD1 and RD2, and my Connection Broker is named DC2. All of the configuration will be done using a Domain Administrator account.
Go into Server Manager.
In the left pane highlight Roles, then on the right under Role Services select “Add Role Services”.
Check Remote Desktop Connection Broker, then click Next.
Click Install at the confirmation, then click Close once the install completes.
Install RD Session Host and Web Access Roles on Second Server
On the second Session Host/Web Access server follow the steps in the article Installing and Configuring Remote Desktop Services under the section “Install Remote Desktop Session Host and Web Access Roles”.
Add Web Access and Connection Broker Servers to TS Web Access Group on Session Host Servers (RD1 & RD2)
Now on both Session Host servers we’ll need to make sure that our Web Access and Connection Broker servers are included in the TS Web Access Computers group. Since the Session Host/Web Access servers are dual role, I’ll specify both itself and the other server in the pair. Doing this will allow both Web Access servers to enumerate all of the applications published on your RDS farm.
On each of your RD Session Hosts go to Start > Administrative Tools > Computer Management.
Open Local Users and Groups and select the Groups sub-folder on the left, then double click the “TS Web Access Computers” group in the center.
Click Add.
Click Object Types.
To allow us to add computers to the group we need to check Computers in the Object Types and click OK.
Now in the “Enter the object names to select” field type the names of your RD Web Access and Connection Broker servers. Specify the names of each separated by a semicolon. Click Check Names to verify the names you entered, then click OK.
Click OK back at the TS Web Access Computers properties dialog box. Be sure and repeat the section above on all of your Session Hosts.
Aaron Walrath - Another IT Guy's Meanderings 
Your walkthrough was very simple and helped alot. We are up and running. Thanks for posting it!
I have got to the final steps – Finally, we need to make sure and configure each Web Access server to use Connection Broker
and I get the following error – RD Web Access was not able to access the RD Connection Broker server specified. Ensure that the computer account of the RD Web Access server is a member of the TS Web Access Computers security group on the RD Connection Broker server.
any ideas
Hi Mika,
I’d start and make sure that the RD Web Access servers are in the TS Web Access group on the Connection Broker.
I’m not sure of your exact configuration but one thing to watch out for is that it is really necessary to host the Connection Broker role on its own separate server. In testing RDS I encountered major problems getting the Connection Broker to work properly when I was attempting to host the role on another server that was also a Session Host and possibly Web Access. I guess this is Microsoft’s way of selling more Windows licenses!
Best wishes,
Aaron
Excellent post!
Nice and clear article, the only question that remains is how to publish the remoteapp website. Because its listing on https://srv1/rdweb and https://srv2/rdweb
When I publish it to one server and that server is down, the remoteapp site isn’t reachable anymore.
My idea was to use the connection broker as frontend remoteapp server and the two session hosts as backend.
Anyone any idea?
Hmm I think i figured it out myself:
Internal dns records is for both servers the same. For example ts.domain.local
When i publish the website i should do it to https://ts.domain.local/rdweb
But the question remains, will the request be routed to the server that is online?
Hi Joris,
The RDS Connection Broker only handles routing the client connections to active servers running the Session Host role. So for the Web Access component, you would set up some kind of load balancing system to handle the Web/HTTP requests for the website. The best solution would be to use some type of dedicated load balancer or configure Windows NLB on the Web Access servers, that way requests would only be routed to the Web Access server(s) that are available. In my environment I use standard Linux based load balancers running HAProxy / Keepalived. For me this works much better than trying to get NLB running, there is some switch configuration necessary for it and I’ve never had much luck with that. There is a good article documenting what I have set up for Debian Linux here:
http://www.howtoforge.com/setting-up-a-high-availability-load-balancer-with-haproxy-keepalived-on-debian-lenny
Yes, you could configure DNS in a round robin configuration with two A records with the same hostname but different IP addresses. But as you mentioned requests would still be routed to a server even if it was offline. If availability isn’t a huge issue you could just manually remove the DNS record for the server that was down, or maybe set up a script to automate the process somewhat. But it would be much weaker than using load balancers or NLB, where the failover time would be a matter of seconds.
Best Wishes,
Aaron
Windows 2008 R2 Connection Broker cannot enable logging the log file is not created.
Hi,
Has anyone come across this before? or know how to confirm TS Connection Broker is working correctly.
I have setup Windows 2008 R2 Connection Broker but cannot enable logging as per
http://support.microsoft.com/kb/327508
The log file is not created.
I have tried this on 2 servers with no luck.
I need to be able to confirm that it is actually working as when I set it up in test environment it seems to work but in production it does not work.
Both setups don’t show the log file though.
I have re-installed the TS Connection Broker with still no luck. Also created the log file manually and it does not populate. Also tried debug mode in command promt this does nothing as well.
Windows Event logs show nothing related.
Any ideas?
Many thanks
Reuben
Great guide! Thanks a lot!
Hi there, really good guide thank you… One question though… If I am connecting via a browser to “https://rdfarm.domain.local/rdweb” should the end result session be inside the browser? I can only get the session to be an external “mstsc” session rather than an ActiveX object within the browser.
thanks
john
Hi John,
The behavior you are describing is the same that I get with the resulting terminal session displaying outside the browser. For me this was the desired outcome so I have not looked into whether it is possible for the session to appear within the browser.
Cheers,
Aaron
How does one determine if the Web access role is required for a particular configuration? If I were building an environment with multiple RD Session Host Servers in a single farm. Would I be required to use the RDS Web Access Role in conjunction with Session Broker or would Session Broker be able to provide needed functionality to connect RDS clients without RD Web Access?
I have configured everything except the Web Access Role. I have two RD Session Host Servers in a farm and a Session Broker Setup following the provided instructions. Using RDC to connect to the Session Broker, my remote desktop connections end there and do not connect to the Server farm or Session hosts? What would be a logical troubleshooting path to determine what is configured incorrectly? This is driving me batty!
Fantastic step by step! I am trying to work through the SSO issue, any luck with that yet? I have one each of my session host (which are also Web access servers) configured in remote app to use the certificate I issued to the farm name (not sure if that is correct) ideas?
Thanks for the guide.
I am setting up this server for aprox 100 users. What is everyone doing for User Profiles? Profile redirection?
Any help would be greatly appreciated.
Helpful information. Lucky me I found your web site by chance, and I am stunned why this coincidence didn’t happened in advance! I bookmarked it.
After spending two days trying to follow Microsoft’s Step-by-Step I found this article and had my RemoteApp Farm up and going in about two hours. SWEET!!
Hello,
We have three RDS servers
RDS1 –> RD Connection Broker
RDS2 and RDS3 are our session host servers.
Now the issue I am facing is, when I am trying to login via mstsc
StartMenu –> Run –> Mstsc and write the farm name remote.xxx.xxx, then it does not redirect to RDS2 or RDS3, but it made me login on RDS1.
Remote.xxx.xxx is resolved the IP address of RDS1 only since its our TS Web Access Server.
Please help me in this
I’ve had the same issue! Have not found a way (yet) however had to remove the server from the “Farm” in order to RDP to it. Anyone out there?
Go to the console session of the arm member, by IP address.
Guys… please remember that connection broker is a role that decides where to redirect.. but you first gotta have a host in redirection mode which is where the initial RDP connection is made (you point your farm dns name to that server’s ip), then forwarded to the Connection broker. Alternatively, and somewhat more pedestrian, you create a dns records for the ‘farm’ dns name – one A record for each member of the farm.. and make sure that in session host configuration snapin of all the members they are listed as farm members of the ‘farm’ name with connection broker specified there. also make sure connection broker has all farm members in its local group Session Broker Computers and that all hosts have the connection broker & web access servers listed in their ts web access group.
same issue here too..unable to RDP to host using host name or ip address.. unless you remove that server from the FARM. Anyone has any update on this???
To RDP to a specific session host, use mstsc via windows 7, type …. mstsc /admin /v:servername(or ipaddress). The /Admin is what makes it work but is only an available switch with WIndows 7. XP doesnt work.
what is the recommended approach for user profiles? Should I be using a SMB file share on a completely isolated server for the user profiles? I would like users to keep the same profile regardless of which TS they log onto.
Hello experts,
I have following setup, but not able to access RDWeb from the host name.
DC server: windows 2008 with service pack 2
App server: windows 2008 server R2 with Sp1
i have installed remote desktop services and all its related things.. finally i can able to connect using the local IP address but not through host name . Please help me to troubleshoot the problem.
Regards
Salman
Thank you for a fantastic article. However, how does one configure the RD Web Server or Connection Gateway for external clients? I have all of my Remote Desktop servers on the inside of my firewall, and have both the Desktop Broker and RD Web Access roles on a single server, and have 443/TCP redirected to this host. However, when I authenticate, and select one of the RemoteApp links, the Remote Desktop Client shows I’d be connecting to the internal FQDN of the RD Gateway Server. How can I change this to a public FQDN?
I must thank you for the efforts you have put in writing this website. I am hoping to check out the same high-grade blog posts by you later on as well. In truth, your creative writing abilities has encouraged me to get my very own site now ;)
This is a great start to installing the farm I, like many others wanted to use a TS farm without a TS gateway and have it work from the outside. Here is how to do that:
http://ent-admin.blogspot.com/2013/05/access-terminal-server-farm-behind.html