Thursday, April 19, 2012

RD Connection Broker HA and the RDP properties on the client.

In some earlier posts I discussed the new High Availability (HA) feature of the RD Connection Broker (RDCB) in Windows Server 2012 (formally known as Windows Server 8).

  1. RDS in WIN8 Feature highlight no. 1 Better High Availability of the RD Connection Broker
  2. How to configure High Availability for RD Connection Broker on Windows 8
  3. RD Connection Broker HA – SQL Permissions

In the blog post regarding the configuration of HA (no. 2 in de above list) I ended the blog with the comment that we would now be able to connect to the environment by using MSTSC and entering the DNS farm name as the destination host to connect to. Having read that you’re probably wondering how this works. Because we’re launching an RDP connection using MSTSC with the destination set to the DNS farm name that points to the brokers. Would that not result in launching an RDP session to the RDCB server and not to the RDSH server(s) behind it? Yes it would!

If, after completing the step in blog post no. 2, I would launch MSTSC and enter the DNS farm name as the destination host (as shown below):

image

That would result in the error below. Why? Because we’re actually launching an RDP session to one of the RDCB servers, and of course that’s denied for our end user.

image

What we need to do is configure some properties in an .RDP file so that it has knowledge of the fact that we’re trying to connect through a HA Connection Broker.

These are the properties that need to be added:

full address:s:FARM.LAB.LOCAL
workspace id:s:
FARM.LAB.LOCAL
use redirection server name:i:1
loadbalanceinfo:s:tsv://MS Terminal Services Plugin.1.Wortell_sLab_Ses
alternate full address:s:FARM.LAB.LOCAL

If we try that as our end user, the connection bar would still show the RDCB DNS farm name, but we’re now logged in on the RDSH server.

image

This also get’s automatically configured for your RemoteApps. RemoteApps integrated on the client are stored inside RDP files in the following location:

C:\Users\<username>\AppData\Roaming\Microsoft\Workspaces\<Workspace-ID>\Resource

Editing such a .RDP file in notepad would (amongst some other properties that I left out here) results in:

full address:s:FARM.LAB.LOCAL
alternate shell:s:||calc
remoteapplicationprogram:s:||calc
gatewayhostname:s:rdgw.lab.local
remoteapplicationname:s:Calculator
remoteapplicationcmdline:s:
workspace id:s:FARM.LAB.LOCAL
use redirection server name:i:1
loadbalanceinfo:s:tsv://MS Terminal Services Plugin.1.Wortell_sLab_Ses
alternate full address:s:FARM.LAB.LOCAL

RD WebAccess also automatically points to the RD Connection Broker farm

image

So that’s how to configure your .RDP files if you want to connect through a HA RD Connection Broker!

Good luck testing this. If you have any questions, let me know!

31 comments:

  1. I have configured RDS in WS2012. I am configuring a session to run MS Office and MS Access. When I use RD Web to access this two things happen that I am trying to stop. One is that I get a message that the publisher of the RemoteAPP program can not be identified,I get prompted for credentials and then a download starts of the RDP file. The RDP File name is something like cpub-MSACCESS-Dataops_S1-CmsRDSH.rdp. The collections name is DataOps_S1.

    In my reading, I have come across the statement that just publishing the apps does not give access but I am unsure where do I need to go to give access to MS Word, Excel, etc.?

    ReplyDelete
  2. Hi Teresa,

    Make sure you have SSL certificates configured properly, preferably by a CA that is publically trusted. With Windows Server 2012 you can centrally configure SSL certificates by using the RDMS in Server Manager. There should then be a Single Sign On (no additional prompt) when launching a Remote App and users should be able to select that they trust the publisher and don't want to be warned again upon their next logon. About your other question, yes publishing the apps just makes sure that they show up in RD Web Access (or by using the Web Feed URL) that does not imply that they are also allowed to run the application. Technologies like i.e. AppLocker (http://technet.microsoft.com/en-us/library/dd723678(v=ws.10).aspx) can be used to explicitly deny or allow access to certain applications. If you have any other questions feel free to drop me an email at info@themicrosoftplatform.net

    ReplyDelete
  3. Freek, I just left a comment in one of you earlier posts and finally read down to here that "this is my exact problem"! However, I get this error when users are connecting using a RemoteApp link within RDWEB. There is no RDP file for me to edit within RemoteApp, shouldn't this be automatic?

    ReplyDelete
  4. Hi Damian,

    Yes, Remote Apps and desktops that are published (and thus available in the RD Web Access as well as through the Control Panel (web feed URL) will contain these parameters automatically so that they will make an initial connection to the RD Connection Broker and will then be redirected to a RD Session Host within the Session Collection.

    Based on your comment I'm assuming that this is not working for you? Feel free to drop me an e-mail with some more details, I'd be happy to help you out.

    Kind regards,
    Freek Berson

    ReplyDelete
  5. Hi Freek,

    I've started playing with RDS 2012 in a test environment (session based, no vdi) and I couldn't find a clear answer regarding to rdp connection. If there is a session host farm is it better to rdp'd to farm (farm "a" DNS record) or rdp'd to connection broker?

    In my test env, I've created: 1x Connection Broker, 1x Web Access, 3 Session Hosts (2x collection)

    Thanks,

    Cem

    ReplyDelete
  6. Hi Cem,

    With RDS in Windows Server 2012 the RD Connection Broker always handles the initial connection. (similar to the RD Dedicated Redirector in Windows Server 2008 R2). That's why all published Remote Apps and Desktop in RD Web Access as well inside the RADC are configured to let users connect to the RD Connection Broker as the destination server. If you have multiple RD Connection Broker servers running in HA mode you can load balance those initial connections.
    Does that answer your question?

    ReplyDelete
  7. Hi Freek,

    Thanks for the article.

    We have a test setup that combines the Connection Broker and Gateway roles on each server.

    Does this setup still require to configure Remote Desktop Clients this way to use Connection Broker HA functionality correctly?

    Thanks,
    Melvin

    ReplyDelete
  8. Hi Melvin,

    Yes, using the RD Gateway does not change this. RD Connection Broker (farm) will always be the initial connection for end users. If you use RD Gateway the destination name of the RD Connection Broker DNS (farm) name will be resolved on the RD Gateway Server. Note that when using 1 RD connection Broker the initial connection will always be the FQDN of that RD Connection Broker. When you put the RD Connection Broker in HA mode (prepare for HA is enough, adding an additional RD Connection broker server is not necessary) you are able to customize the DNS name of the initial connection.

    ReplyDelete
  9. What about thin clients trying to rdp to rdsh going through broker?

    ReplyDelete
  10. Hi Bridgette,

    Thin clients that need to connect to a RDSH farm using the broker would also need to specify that parameter. I know that in the mean time some thin client suppliers already have thin client firmware available compatible with RDP8 and the RD Connection Broker in 2012.

    ReplyDelete
  11. Great post Freek.

    How is this behaviour changed with W2012 R2? I hear that RDP connections have been deprecated?

    ReplyDelete
  12. What do you mean exactly by RDP connections?

    ReplyDelete
  13. what if we created RDS host farm with a NLB virtual DNS address and client use that NLB to connect to the host servers instead of Broker farm DNSRR address with the customized MSTSC client setting?

    ReplyDelete
  14. Hi,
    Is it possible to disable the popup dialog that ask you if you want to connect?

    ReplyDelete
    Replies
    1. Yes. Set GPO Specify SHA1 thumbprints of certificates representing trusted .rdp publishers (Computer Configuration\Policies\Administrative Templates\Windows Components\Remote Desktop Services\Remote Desktop Connection Client)
      http://blog.it-kb.ru/2014/08/24/windows-server-2012-r2-remote-desktop-connection-broker-rdp-client-certificate-warning-make-sure-that-you-trust-the-publisher-before-you-connect/

      Delete
  15. How do we add a connection to the broker server in Windows 8 native remote desktop client (metro) app? I can add a connection to say my office PC, perhaps I can modify this connection file but where does Win 8 store the .rdp file? It's not located in C:\Users\\AppData\Roaming\Microsoft\Workspaces\\Resource.

    Many thanks!

    ReplyDelete
  16. Hi Freek, any thoughts on this: https://social.technet.microsoft.com/Forums/en-US/e46599e4-4d62-4e41-995b-ce1af3a17d9e/how-to-create-a-custom-rdp-file-for-connecting-to-a-2012-r2-rdsh-farm?forum=winserverTS

    Kind regards,

    Matthijs

    ReplyDelete
  17. Hi Matthijs,

    Yes its possible to create a .RDP for this scenario. You just need to make sure you add the correct value for loadbalanceinfo. Feel free to send me an email if you need further assistance.

    ReplyDelete
    Replies
    1. This comment has been removed by the author.

      Delete
    2. Hi,

      I use 1xBroker (RDB), 2 Session Hosts (RDSH1,RDSH2), without Gateway. Collection name is "RDSCollection". All are 2012 R2 servers. When I try to connect from internet, I always "get" RDSH1. Redirection to RDSH2 is not working - blank screen for a few seconds, then disconnect). How should I set internal and external DNS settings to work properly. I do not want to use RD Gateway. Thanks for advance. AJ

      Delete
  18. Hey Freek,

    So, I found the solution.
    It was in the comments in another article about the same config:
    http://microsoftplatform.blogspot.nl/2012/04/how-to-configure-high-availability-for.html

    The solution was to use the following registry key to get the values needed for the custom RDP:
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Terminal Server\CentralPublishedResources\PublishedFarms\Wortell_Session\RemoteDesktops

    Bedankt en de groeten! ;-)

    ReplyDelete
  19. Dear Freek,

    It is really help the article.

    however I got confuse on below

    "What we need to do is configure some properties in an .RDP file so that it has knowledge of the fact that we’re trying to connect through a HA Connection Broker."

    just need info which & where .RDP file must be edited.

    please help.

    Thanks
    Danushka

    ReplyDelete
    Replies
    1. Danuska, please send me an email to info@themicrosoftplatform.net

      Delete
  20. I have some issues with a farm that, for the most part, works well. On occasion, one or two users will log in with temp user, which I think has to do with SMB 2.0, but, reviewing events, I see ID 802 repeatedly, yet the users seem to be able to log in regardless. From your page, it would appear that the farm name is incorrect, but, opening in notepad reveals the farm name is correct. When pinging the farm name as written or the FQDN, the response is correct. Some of the information you have listed above do not exist in my rdp file. If required for correct functionality, I'm unsure where to place them in the file. Any help would be appreciated.

    ReplyDelete
  21. I have the following scenario:

    Requirements:
    - Only session based RDP connections and must be load balanced across multiple RDSH (scalable)
    - Only need to be accessible on the inside of the network
    - No wish for RemoteApp or RDWeb
    - No HA requirements
    - End user must use a single netbios name to connect to the farm
    - Reconnection must work

    I'm thinking of:
    1 Connection Broker
    4 Remote Desktop Services Host servers
    Create DNS Round Robin using the 4 RDSH IP/hostnames on an A-record named my farm name (defined in local policies area) ?

    Question:
    Will I archive the requirements?
    I’m insecure on how the end-users will actually connect to the farm (CB/RDSH directly etc)

    Thank you very much in advance.

    ReplyDelete
    Replies
    1. Hi Martin,

      >>1 Connection Broker
      That will cover your requirements. Do make sure that an RD Web Access server is always part of a RDS deployment (since Server 2012). I would advise to have that installed in the Connection Broker server and just not use it, that's totally fine.

      >>Create DNS Round Robin using the 4 RDSH IP
      No need to do that, the RD Connection Broker will perform the load balancing for you. If you provide your users with the correct .RDP file, their initial connection will go to the broker server and the broker will redirect to the session host with the least load. This process is fully transparant to the end user.

      If you have more questions, feel free to contact me via email!

      Kind regards,
      Freek Berson

      Delete
  22. i have just implement farm yesterday. I have create one additional session server with only os and av. Add it to session server group in farm. And put it to drain mode(no new user login). connect mstsc with this new drain server and it work as redirector.

    ReplyDelete
    Replies
    1. Redirector server request Is being transferred to other server by broker server as it in maintenance mode.

      Delete
    2. This comment has been removed by the author.

      Delete