Microsoft Windows Server 2008 R2: Understand the RD Connection Broker
The RD Connection Broker is the travel agent, traffic cop, concierge and matchmaker when it comes to matching virtual machine requests with users.
Remote Desktop (RD) Connection Broker is the “brains” behind connection routing that sends connection requests to the right virtual machine (VM) or session. It’s an essential component for a Microsoft Virtual Desktop Infrastructure (VDI) deployment, but it also supports session connection brokering and RD Session Host farm deployments.
Among its myriad functions are:
- Determining the most appropriate resource (RD Session Host server or a pooled or personal VM) to which to send a connection, based on the user’s identity, the contents of the RDP file used to make the connection, and the load on the VM and session host servers
- Creating VM pools and assigning personal VMs to users
- Storing connection information for connections to both VMs and sessions
- Serving as a resource for RD Web Access to gain RemoteApp information from RD Session Host servers
- Providing information on which RemoteApp programs are available through RD Web Access and which VMs are available
The Sum of Its Parts
The RD Connection Broker role service includes several components. There are two resource plug-ins (a VM and session plug-in) that determine the resource to which an incoming connection should go.
Each resource plug-in may be associated with filter plug-ins that provide the rules governing connection details handled by the resource plug-in. For example, the rule set could govern how connections to RD Session Host server farms are load balanced. Load-balancing logic may also be stored in the resource plug-in itself. The goal of a filter plug-in is to selectively replace logic in the resource plug-in.
The RD Connection Broker service also includes an extensible architecture that supports third-party resource plug-ins and filter plug-ins. There’s a brokering service that handles communication with the resource plug-ins and the clients. There’s also a database that keeps track of all connections made through RD Connection Broker, including the VM or session to which a user was connected and the state of this connection (active or disconnected).
Although it’s not part of the RD Connection Broker role service, the redirector (an RD Session Host server in drain mode) is an integral part of connection brokering for VMs. The redirector receives the initial request from the client and sends the correct IP address of the VM back to the client to make the connection. For session connection brokering, each RD Session Host may take turns being a redirector for incoming connections, or you can dedicate one server to perform this role.
When the user clicks an RDP file (stored on the client computer or published using RD Web Access), the contents of this RDP file are parsed to determine connection parameters. Session connection brokering and VM connection brokering follow slightly different paths.
Working with VDI
In a VDI scenario, connection brokering happens when a user activates an RDP file to request a connection to a pooled or personal VM. This is indicated by the loadbalanceinfo entry shown in the image of a pooled VM RDP file (see Figure 1).
Figure 1 A user-generated request that starts the connection-brokering process.
The number “1” in this line indicates that the resource is a pooled VM. The name following the “1” is the name of the VM pool as configured in RD Connection Broker. If this number was a “2,” that would indicate a personal VM. Other lines in the RDP file containing data specific for connecting to a pooled or personal VM are:
- use redirection server name:i:1—This entry is set to 1, which tells the client to authenticate the VM using the endpoint name returned by the broker instead of using the name of the redirector (eliminating the need for certificate deployment for server authentication)
- full address:s:<alternative name of the redirector for RDP 6.1 or older clients goes here>
- alternate full address:s:<name of the redirector goes here>—This field is used in RDP 7 connections in place of the full address field used with previous versions of RDP
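The following sketch is an added example, not code from the original article or from Microsoft. It parses the brokering-related entries listed above from a constructed RDP file. It assumes the loadbalanceinfo value has the form tsv://vmresource.<type>.<name> (the figure is not reproduced here), and all host and pool names are invented.

```python
import re

# Constructed sample RDP file for a pooled VM; host and pool names are invented.
SAMPLE_RDP = """\
full address:s:redirector-legacy.example.test
alternate full address:s:redirector.example.test
use redirection server name:i:1
loadbalanceinfo:s:tsv://vmresource.1.FinancePool
"""

# Assumed layout of the loadbalanceinfo value: tsv://vmresource.<type>.<name>
LBI = re.compile(r"^tsv://vmresource\.(\d+)\.(.+)$", re.IGNORECASE)
RESOURCE_TYPES = {1: "pooled VM", 2: "personal VM"}


def parse_rdp(text):
    """Parse 'name:type:value' lines into a dict (type i = integer, s = string)."""
    settings = {}
    for line in text.splitlines():
        parts = line.strip().split(":", 2)
        if len(parts) != 3:
            continue  # skip blank or malformed lines
        name, kind, value = parts
        is_int = kind == "i" and value.lstrip("-").isdigit()
        settings[name.lower()] = int(value) if is_int else value
    return settings


def describe_brokering(settings, rdp7_client=True):
    """Summarise how the broker and client will treat this RDP file."""
    match = LBI.match(str(settings.get("loadbalanceinfo", "")))
    kind = RESOURCE_TYPES.get(int(match.group(1)), "unknown") if match else "none"
    # RDP 7 clients read 'alternate full address'; older clients read 'full address'.
    key = "alternate full address" if rdp7_client else "full address"
    return {
        "resource": kind,
        "name": match.group(2) if match else None,
        "redirector": settings.get(key),
        # 1 = authenticate the endpoint name returned by the broker,
        # not the name of the redirector.
        "auth_broker_endpoint": settings.get("use redirection server name") == 1,
    }
```

Reviewing these four entries in a published RDP file shows which redirector a client contacts and whether the server it authenticates is the endpoint returned by the broker.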
You should install the redirector on the same server as the RD Virtualization Host server. It’s conceptually simpler this way and there’s no reason to dedicate a server to be a redirector. The connection request is initially sent to an RD Session Host server in redirection mode (via the redirector), which passes the request to RD Connection Broker.
Once RD Connection Broker gets the request for a VM, it activates the VM resource plug-in. This checks the database to see if there’s already a disconnected session to that specific VM. If so, it sends the IP address of that connection to the redirector, which passes the info on to the user. Then the user connects directly to the VM.
If there’s no existing session, then RD Connection Broker will request that a VM be prepared. That request will go to the RD Virtualization Host server supporting that VM pool. You can have pooled VMs spread across multiple RD Virtualization Host servers. In this case, RD Connection Broker checks each RD Virtualization Host server until it finds one that can accommodate the request.
If the request is to a personal VM, RD Connection Broker takes the user’s credentials and checks Active Directory. There it will retrieve the user’s personal VM name. Then it contacts the RD Virtualization Host server that houses that VM and requests that it prepare the VM.
Once the VM is ready, its IP address is sent back to RD Connection Broker, which passes it to the redirector, which passes it on to the user. Then the user can connect directly to the VM.
Down on the Server Farm
RD Connection Broker functions a bit differently in an RD Session Host Server scenario. When a session-connection request arrives, an initial load-balancing mechanism (Network Load Balancing [NLB], Round Robin DNS [RRDNS] or a hardware load balancer) sends the request to the redirector (one of the RD Session Host servers in a farm).
Then the request goes to the RD Connection Broker. You can also use a dedicated redirector—a dedicated RD Session Host server—to pass the connection request to RD Connection Broker.
RD Connection Broker then activates its session plug-in. The session plug-in first examines the database to see if there’s already a disconnected session for that user on one of its farm members.
If so, it gathers the farm member IP address and the disconnected session ID. It will send this information to the redirector. The redirector passes the information to the user, who makes a direct connection to the farm server.
If there’s no disconnected session found, RD Connection Broker determines the farm server that’s best suited to house a new session. It bases this “decision” on the current session loads of all farm members. The farm member with the lowest session load relative to its weight in the farm (you can weight servers to accommodate for different hardware capabilities) gets the connection.
Then RD Connection Broker completes the cycle by passing the IP address of the chosen farm server to the redirector, which passes it to the user, who connects directly to the farm server.
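The routing decision described in this section, as an added toy model that is not Microsoft's implementation or code from the original article. The class and field names, the IP addresses and the default weight of 100 are assumptions made for illustration.

```python
from dataclasses import dataclass


@dataclass
class FarmMember:
    ip: str
    weight: int = 100   # relative capacity; a higher weight takes more sessions
    sessions: int = 0   # current session count on this farm member


class SessionBroker:
    """Toy model of the session plug-in's decision (hypothetical names)."""

    def __init__(self, members):
        self.members = {m.ip: m for m in members}
        self.db = {}        # user -> {"ip", "session_id", "state"}
        self._next_id = 1

    def route(self, user):
        """Return (farm member IP, session ID) for an incoming request."""
        rec = self.db.get(user)
        # 1. A disconnected session for this user takes priority over load
        #    balancing: the user goes back to the same server and session.
        if rec and rec["state"] == "disconnected":
            rec["state"] = "active"
            return rec["ip"], rec["session_id"]
        # 2. Otherwise choose the member with the lowest session load
        #    relative to its weight in the farm.
        best = min(self.members.values(), key=lambda m: m.sessions / m.weight)
        best.sessions += 1
        rec = {"ip": best.ip, "session_id": self._next_id, "state": "active"}
        self._next_id += 1
        self.db[user] = rec
        return rec["ip"], rec["session_id"]

    def disconnect(self, user):
        """Record that the user's session is now disconnected."""
        self.db[user]["state"] = "disconnected"
```

With two members at 8 sessions (weight 100) and 12 sessions (weight 200), a new user lands on the second server because 12/200 is lower than 8/100, and a user with a disconnected session returns to the same server even if it has since become the busiest.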
Using RD Connection Broker
The Microsoft Windows Server 2008 R2 Remote Desktop Services Resource Kit gives you step-by-step instructions for setting up pooled and personal VMs and RD Session Host server farms with RD Connection Broker.
Here are the specific steps for using RD Connection Broker in these scenarios:
- Allow RD Session Host servers and RD Virtualization Host servers to communicate with the RD Connection Broker.
- Add the RD Virtualization Host server and RD Session Host farm server computers to the Session Broker computers group on RD Connection Broker.
- If implementing VDI, configure the RD Session Host role service on the RD Connection Broker server to act as the VM redirector.
- If implementing an RD Session Host server farm, configure RD Session Host servers to join an RD Connection Broker farm.
- Configure the initial load-balancing mechanism (RRDNS, NLB or a hardware load balancer) you’ll use to route RD Session Host farm connection requests to the redirector, which will then pass the connection request to RD Connection Broker. (You could also configure a dedicated redirector.)
- Allow RD Web Access to communicate with RD Connection Broker by adding RD Web Access server computers to the TS Web Access Computers group on RD Connection Broker.
- Configure pooled or personal VMs in RD Connection Manager on RD Connection Broker.
- Configure RemoteApp sources in RD Connection Manager on RD Connection Broker.
As you can see, RD Connection Broker has a central role in VDI and RD Session Host farm deployments. It can function in both a VDI and an RD Session Host farm scenario. These setup steps ought to help you implement pooled and personal VMs and RD Session Host server farms.
RD Connection Broker Q&A
Q. Are there tools available to help troubleshoot issues with RD Connection Broker?
A. Use the RD Connection Broker event log: Events pertaining to RD Connection Broker are located at Applications and Services Logs\Microsoft\Windows\RemoteApp and Desktop Connection Management. You can also retrieve data from the RD Connection Broker database.
Q. I’m using RD Connection Broker as the RemoteApp source in RD Web Access, but RD Web Access isn’t showing any icons. Why?
A. This can happen for several reasons:
- RD Connection Broker looks at only one farm member when it gathers RemoteApp information. It could be that one of your farm members—the one that RD Connection Broker is using to gather RemoteApp data—doesn’t have RD Connection Broker added to its TS Web Access Computers group. Ensure all farm members have the RD Connection Broker computer added to the TS Web Access Computers group.
- Ensure that RD Connection Broker is added to the Windows Authorization Access Group in Active Directory Users and Computers.
- If you try to use the same machine as both an RD Session Host server that’s part of a farm and also an RD Connection Broker server, RD Web Access won’t show any RemoteApps. Only combine these role services if the RD Session Host role service will be configured in redirection mode.
- There’s a known bug where Windows Management Instrumentation (WMI) permissions for the Terminal Services namespace disappear, leaving RD Web Access unable to query RD Connection Broker as a RemoteApp source. Re-adding the RD Web Access server to the TS Web Access Computers group on RD Connection Broker resolves this issue for a while (but it will most likely happen again over time). See this TechNet Forum thread for more details and possible work-arounds.
Q. In RemoteApp and Desktop Connections on Windows 7, I can’t set up a new connection. If I already had a connection established, I can’t update the connection. I get the following error: “An error occurred. Contact your workplace administrator for assistance.” How can I correct this?
A. Do not add a period (.), an asterisk (*) or a question mark (?) to the end of your Display Name in RD Connection Manager. These are seen as wildcard characters. On the RD Connection Broker server, open RD Connection Manager, right-click Remote Desktop Connection Manager and click Properties. Remove the symbol from the Display Name.
Kristin Griffin is a Remote Desktop Services MVP. She moderates a Microsoft forum dedicated to helping the server-based computing community (bit.ly/ntnw7g) and maintains an RDS blog at blog.kristinlgriffin.com. She’s a contributor to Mark Minasi’s “Mastering Windows Server 2008” (Sybex, 2008) and “Mastering Windows Server 2008 R2” (Sybex, 2010). She also coauthored “Microsoft Windows Server 2008 Terminal Services Resource Kit” (Microsoft Press, 2008) and “Microsoft Windows Server 2008 R2 Remote Desktop Services Resource Kit” (Microsoft Press, 2010) with Christa Anderson.