Configuring HA for the Remote Desktop Connection Broker in a 2012 RDS Farm

Applies to: Windows Server 2012 and 2012 R2

One of the biggest issues with Remote Desktop Services on Windows 2008 R2 was the limitation of only having a single active RD Connection Broker server per RDS farm. Yes, you still could have multiple broker servers, however they would run in an Active/Passive mode. This was a major problem since it would limit the size of the farm. The more servers, resources, and users added to the farm put a strain on the single active RD broker server. In most cases, you would have to create multiple RDS farms to get around this problem. This has changed with RDS for 2012. You can now have multiple active brokers in a single RDS farm.

As per Microsoft, the RD Connection Broker provides the following functionality:

http://technet.microsoft.com/en-us/library/cc772245.aspx

Allows users to reconnect to their existing sessions in a load-balanced RD Session Host server farm. This prevents a user with a disconnected session from being connected to a different RD Session Host server in the farm and starting a new session.
Enables you to evenly distribute the session load among RD Session Host servers in a load balanced RD Session Host server farm.
Provides users access to virtual desktops hosted on RD Virtualization Host servers and to RemoteApp programs hosted on RD Session Host servers through RemoteApp and Desktop Connection.

When a farm is created, there is a small SQL database which resides on the RD Connection Broker server located in the directory c:\windows\rdcbDb\

This database contains information about the farm. Since it resides on a single machine, no other broker server would be able to read or modify the database. In order to configure HA, we will need to run a wizard which will take this database and place it on a SQL server. Once there, multiple broker servers can talk to the database directly. The following is a step by step guide on how to configure HA (Active/Active) for the RD Connection Broker servers in a 2012 RDS farm.

Requirements:

SQL Server (for this example, SQL 2012 is being used.)
Access to DNS – A new host record will be required in DNS. This record will be used to round robin the RD broker servers.

Please remember to add each of the servers being used in the RDS Farm to Server Manager in order to have the ability to configure them.

Create a new Host record in DNS which will be used for DNS round robin for the broker servers. Do this for each of the IP addresses of the RD Connection Broker servers which will be used for HA. In this example we are using the DNS name of RDFarm.DemoLab.int.
From Active Directory Users and Computers, create a new Security Group. For this example, we used the group name “RD Brokers”
Add each broker server’s computer account to this new group. The broker servers in this example are RDBROKER01 and RDBROKER02.

From the SQL server, add the newly created security group as a new SQL login. On the Server Roles for this login, add the role dbcreator.

On each of the Broker Servers, install the SQL client tools. This can be found with the SQL installation media.
From Server Manager, go to the Remote Desktop Services Group, right click on RD Connection Broker and choose Configure High Availability.

A wizard will be launched. On the before you begin screen, hit next.

On the next screen, you will need to enter information for the SQL server, database, database location and the DNS name for High Availability for the RD Connection broker farm to be accessible on. The information entered is as follows:

Database Connection String: (In this example the database name will be RDFarm)

DRIVER=SQL Server Native Client 11.0;SERVER=DC01;Trusted_Connection=Yes;APP=Remote Desktop Services Connection Broker;Database=RDFarm

Folder to store database files: (This is from a default installation of SQL for demo purposes. Please check with your SQL admin on the correct location.)

C:\Program Files\Microsoft SQL Server\MSSQL11.MSSQLSERVER\MSSQL\DATA

DNS Round Robin Name: Enter the DNS Round Robin name the RD Brokers will be accessed one. (This should be placed into DNS prior to proceeding)

RDFarm.DemoLab.int

If the DNS name is not resolvable, you will be notified and prompted to continue. If you do so, you must ensure this information is added into DNS. If you get this pop-up, this means the DNS host record for RDFarm.DemoLab.int was never added. Please ensure this new host record is added to DNS.

Verify the items on the confirmation screen and hit Configure.

Once completed, hit close.

HA is now enabled for the RD Connection Brokers in the farm. Before we begin adding additional brokers, we must first change the permissions to the newly created database. Within SQL, go to the properties of login RD Brokers which we added early. Within there, select user mappings. Select the RD Farm database and set the database role membership to db_owner. Hit OK to exit.

With the correct database permissions configured, we are ready to add another RD Connection Broker. Go to Server Manager\Remote Desktop Services, right click on RD Connection Broker and choose Add RD Connection Broker Server to add your new broker server(s). And don’t forget to add the new brokers IP addresses to your DNS Round Robin Name as well make sure to add the broker server’s computer accounts to the Active Directory computer group you created earlier.

On the before you begin screen, hit next.

Select and add the designated broker server and hit next.

On the confirmation screen, hit Add.

Once the configuration is completed, we will now need to reapply the certificates for Single-Sign On and Publishing. This certificate will be required on all broker servers. Select the option configure certificates.

As you can see it now lists an error for the broker certificates. Since I have already pre-created my certificates, highlight Enable Single-Sign On and hit the button “select existing certificate”.

Locate the certificate, enter the password and select the checkbox to allow the certificate to be added to the Trusted Root Certification Authorities certificate store on the destination computers and hit OK.

Hit Apply to assign the certificate.

Do the same for the RD Connection Broker – Publishing certificate. Once completed with the certificate installation, hit OK.

Now that the certificates are applied, close out of the wizard.

The RDS Farm is now configured with two highly available RD Connection broker servers. Should you be using a RD Gateway server for the environment, take a look at the steps to configure the RD Gateway server(s) for a RD Farm with HA enabled on the Broker servers.

2012 R2, HA, High Availability, Microsoft, network resources, RD Connection Broker, RD Gateway, RDS, Remote Desktop Services, Resource Authorization Policy, SQL, Windows Server 2012

This entry was posted on February 2, 2014, 6:09 pm and is filed under MICROSOFT. You can follow any responses to this entry through RSS 2.0. You can leave a response, or trackback from your own site.

#1 by Jo on June 13, 2014 - 4:40 pm

Hi Eddie

Another great step by step guide. Thank you
I have managed to setup RD connection broker HA using SQL 2012 in my lab. only issue I have is with the firewall. Have opened 1433 still don’t work?.For now I have disable domain firewall setting on my SQL box.

Instead of using DNS round robin can you setup as NLB?
But if you setup as NLB and add the 2 RD connection brokers to the NLB cluster. you can only connect to the brokers session not the RDHS servers in collection or do you add the RDHS servers to the NLB?

“Create a new Host record in DNS which will be used for DNS round robin for the broker servers. Do this for each of the IP addresses of the RD Connection Broker servers which will be used for HA. In this example we are using the DNS name of RDFarm.DemoLab.int.”

Many thanks

Jo

- #2 by Eddie Kwasnik on June 16, 2014 - 2:54 pm
  
  Jo,
  
  Thanks! When a connection is made to the farm, it is the broker’s responsibility to send the user to the specific RDSH server. So the user never initially connects to a specific RDSH server but instead the connection starts out with the Broker and the broker passes the session off to the specific RDSH server. I’m not a huge fan of DNS Round Robin since DNS will not be aware if a server went offline. I prefer using a load balancer (hardware or software based)for the RD Connection brokers since it would know when a server was offline or unavailable. Also, how are you trying to connect to the published resource in the collection? are you connecting via RD Web Access?
  
  Thanks,
  Eddie
  
#3 by Jo on June 21, 2014 - 4:38 pm

Hi Eddie

In our current 2008R2 environment. we deploy the RDP icon to user desktop via GPO.
After reading your post. Now I understand in 2012. the broker’s responsibility to send the user to the specific RDSH server. We do have a hardware load balancer. If we use hardware load balancer.
during the setup of connection broker HA . Do we specify the load balancer FQDN in the following step? “DNS Round Robin Name:” ?
is there anything thing I need to be aware of using Hardware load balancer ?

” DNS Round Robin Name: Enter the DNS Round Robin name the RD Brokers will be accessed one. (This should be placed into DNS prior to proceeding)
RDFarm.DemoLab.int replace with hardwareloadbalancer.DemoLab.int ”

Thanks

Jo

- #4 by Eddie Kwasnik on June 23, 2014 - 9:06 am
  
  Jo,
  
  The load balancer would replace the need of using the DNS round robin name. So you would use the FQDN for the VIP in the Load balancer instead of the dns round robin name.
  
  Eddie
  
  - #5 by Jo on June 24, 2014 - 5:57 am
    
    Hi Eddie
    
    So you don’t change the FQDN round robin DNS name “RDFarm.DemoLab.int” with the FQDN for the VIP in the Load balancer ?
    
    I download the RDP file in my lab
    it looks like this
    
    full address:s:RDFarm.DemoLab.int
    workspace id:s:RDFarm.DemoLab.int
    use redirection server name:i:1
    loadbalanceinfo:s:tsv://MS Terminal Services Plugin.1.RDFARM
    alternate full address:s:RDFarm.DemoLab.int
    
    Many Thanks
    
    Jo
  - #6 by Eddie Kwasnik on June 24, 2014 - 9:30 am
    
    Hi Jo,
    
    The DNS Round Robin FQDN is just a pointer to the RD Connection Brokers. So if you use a hardware load balancer, the FQDN for the VIP would be the same, just a pointer to the RD Connection Brokers but with the load balancer, it will be able to detect if one of the connection brokers is offline or not. The purpose of the load balancing is simply to ensure one of the connection brokers is not overloaded with users trying to access their RemoteApps/Desktops. So to answer your question, use the FQDN for the VIP of the Load balancer used for the connection brokers.
    
    Thanks,
    Eddie
#7 by Hong Zheng on July 29, 2014 - 1:56 pm

Hi Eddie,
Before adding the second Broker, has the broker server role has already installed on the server? or the process installs this role automatically. What about he webAccess role? The first broker is also WebAccess server, I’d like to install WebAccess on second broker too and configure WebAccess farm at the same time. Is it possible?
Hong

- #8 by Eddie Kwasnik on July 29, 2014 - 2:45 pm
  
  The process will add the role to the second server for you. And yes, you can definitely install the RD Web Access role on the second broker as well.
  
  Eddie
  
#9 by Nanda Kumar on September 30, 2014 - 3:01 am

I need to do Virtual machine based RDS with HA. So i tried the steps mentioned above and done collection creation with one desktop. Collection alone can see in other machine when one shutdown but the desktop in that collection is not shown under collection. But i can see that desktop in Hyperv manager and failover cluster manager (because of cluster i hope). Please let me know whether the above setup will support Virtual machine based desktop deployment or need to do anthing additionally to achieve.

- #10 by Eddie Kwasnik on September 30, 2014 - 8:32 am
  
  Are you not seeing the desktop in the collection from one of the broker servers? Or is it not showing up on either broker?
  
#11 by Mikey on November 10, 2014 - 3:06 pm

Hi

Can you use SQL Express for the HA purposes?
Which link talks about HA requirements?

Thank you

- #12 by Eddie Kwasnik on November 11, 2014 - 10:38 am
  
  You should be able to; however, by using SQL express you will lose the HA options for the sql database itself which you would have with the full version of SQL.
  
  Eddie
  
#13 by KC on March 4, 2015 - 4:47 pm

Hi- I have the CB HA setup using “Always On”. I would like to switch this to use SQL mirroring – do I need to setup again the Connection Broker environment or could I just update the exisiting connection string to use mirroring?

- #14 by Eddie Kwasnik on March 5, 2015 - 8:11 am
  
  You should be able to update it. Since Microsoft will be getting rid of mirroring, they do recommend using “Always On”
  
#15 by Scott Lundy on April 7, 2015 - 6:10 pm

Hi Eddie,

We have a RDS 2012 R2 environment that is used for session hosts only. We have two collections setup and I don’t quite understand how to direct certain user groups to the correct collection. All the SH’s are VM’s The environment looks like this:
Cloud Collection:
Cloud01 – Broker and SH
Cloud02 – SH
Cloud03 – SH
Cloud04 – SH
StCloud Collection – VM’s on a different timezone
StCloud01 – SH
StCloud02 – SH
StCloud03 – SH
StCloud04 – SH

I have a DNS entry called Cloud that points to Cloud01.

How do I get our AD security group STC to only get brokered to the STCloud collection and get the AD security Cloud group brokered to the Cloud collection. When I add those groups to the User groups to the collection, the STCloud group gets denied access. Is this because the Broker is in the Cloud collection? Am I supposed to not have the broker assosciated with a collection?

- #16 by Eddie Kwasnik on April 13, 2015 - 8:41 am
  
  Scott,
  
  I would first start by removing the broker from the collection. This may be causing the access denied error. Let me know how it goes.
  
  Eddie
  
  - #17 by Scott on April 20, 2015 - 2:42 pm
    
    Hey Eddie,
    
    I reomved the broker and everything is working.
    
    What is up with temp profiles? We are having a terrible time trying to figure out why we are randomly getting them. There is no pattern and it is random who will get one. Out of 200 RDS users we get about 15 of them a day. We have a physical SSD server housing the upd’s. Is there something we can do to prevent this from happening? Is there a GPO associated with this?
  - #18 by Eddie Kwasnik on April 20, 2015 - 2:56 pm
    
    Glad its working. Any errors on the servers when the user gets a temp profile?
#19 by No Opposition CBE (@YorksJAT) on August 26, 2016 - 1:22 pm

You missed a really VITAL piece of information out:

“From Active Directory Users and Computers, create a new Security Group. For this example, we used the group name “RD Brokers”
Add each broker server’s computer account to this new group. The broker servers in this example are RDBROKER01 and RDBROKER02.”

!!!!!!!========> REBOOT THE BROKER SERVERS <==========!!!!!!!

Without this when you try and configure high availability SQL Server does not see the members of the group and rejects the individual machine logins. After a reboot all is well, but it took hours trying to figure out why it didn't work, and dozens of forums suggest this is a common problem, with very few having a clue why or suggesting an actual working resolution.

Please update this article as it is a great piece but burned 2 hours of my life I'll never get back for that one sentence.

#20 by Markoz on November 16, 2016 - 7:55 am

Hello,

great article! Can a SQL Server be on the same server as one of the connection brokers? Can we use SQL Express?

Thank you!