TS Session Broker Load Balancing Step-by-Step Guide
Applies To: Windows Server 2008
Terminal Services Session Broker (TS Session Broker) is a role service in the Windows Server® 2008 operating system that enables you to load balance sessions between terminal servers in a farm, and allows a user to reconnect to an existing session in a load-balanced terminal server farm. TS Session Broker stores session state information that includes session IDs, their associated user names, and the name of the server where each session resides.
This step-by-step guide describes how to configure the new TS Session Broker Load Balancing feature.
Note
In Windows Server 2008, the name of the Terminal Services Session Directory feature was changed to TS Session Broker.
Note
In Windows Server 2008 R2, Terminal Services was renamed Remote Desktop Services. To find out what's new in this version and to find the most up-to-date resources, visit the Remote Desktop Services page on the Windows Server TechCenter.
What new functionality does this feature provide?
The new TS Session Broker Load Balancing feature enables you to evenly distribute the session load between servers in a load-balanced terminal server farm. With TS Session Broker Load Balancing, new user sessions are redirected to the terminal server with the fewest sessions.
Using TS Session Broker to load balance sessions involves two phases. In the first phase, initial connections are distributed by a preliminary load-balancing mechanism, such as Domain Name System (DNS) round robin. After a user authenticates, the terminal server that accepted the initial connection queries the TS Session Broker server to determine where to redirect the user.
In the second phase, the terminal server where the initial connection was made redirects the user to the terminal server that was specified by TS Session Broker. The redirection behavior is as follows:
- A user with an existing session will connect to the server where their session exists.
- A user without an existing session will connect to the terminal server that has the fewest sessions.
TS Session Broker Load Balancing sets a limit of 16 for the maximum number of pending logon requests to a particular terminal server. This helps to prevent the scenario where a single server is overwhelmed by new logon requests; for example, if you add a new server to the farm, or if you enable user logons on a server where they were previously denied.
The TS Session Broker Load Balancing feature also enables you to assign a relative weight value to each server. By assigning a relative weight value, you can help to distribute the load between more powerful and less powerful servers in the farm. For more information, see Configure TS Session Broker settings by using Terminal Services Configuration.
Additionally, a new "server draining" mechanism is provided that enables you to prevent new users from logging on to a terminal server that is scheduled to be taken down for maintenance. This mechanism provides for the ability to take a server offline without disrupting the user experience. If new logons are denied on a terminal server in the farm, TS Session Broker will allow users with existing sessions to reconnect, but will redirect new users to terminal servers that are configured to allow new logons. For more information, see Deny logons to a terminal server in a load-balanced farm.
You can enable TS Session Broker Load Balancing through Terminal Services Configuration, Group Policy, or Windows Management Instrumentation (WMI). If you are using DNS round robin to distribute initial connections, you must also configure DNS entries for each terminal server in the farm.
Note
While any load-balancing mechanism can be used to distribute the initial connections, DNS round robin is the easiest mechanism to deploy. Deploying TS Session Broker Load Balancing with a network level load-balancing solution such as Network Load Balancing (NLB) or a hardware load balancer avoids the limitations of DNS, while still taking advantage of TS Session Broker session-based load balancing, the per server limit on the number of pending logon requests, and the new "server draining" feature. The limitations of DNS round robin include the caching of DNS requests on the client, which can result in clients using the same IP address for each initial connection request, and the potential for a 30-second timeout delay if a user is redirected to a terminal server that is offline, but still listed in DNS.
About using DNS round robin
To configure DNS round robin, you must create a host resource record for each terminal server in the farm that maps to the terminal server farm name in DNS. (The farm name is the virtual name that clients will use to connect to the terminal server farm.) DNS uses round robin to rotate the order of the resource records that are returned to the client. This functionality helps to distribute initial connections across servers in the farm. The initial connection behavior is as follows:
- An incoming Terminal Services client queries DNS and receives a list of IP addresses for the farm.
- The client tries to connect to the first IP address in the list that was returned by DNS.
- If the connection fails, the client will automatically try to connect to the next IP address (after a 30-second timeout delay). This provides a degree of fault tolerance if one of the terminal servers is unavailable.
The following diagram provides a more detailed representation of the traffic flow. In the diagrammed scenario, all terminal servers in the farm have host resource records in DNS that map to the terminal server farm name (“Farm1”). Therefore, any terminal server in the farm can act as a redirector and process the initial connection requests.
1. A user on the client computer starts the Remote Desktop Connection (RDC) client. In the Computer field, they specify the name of the terminal server farm (in this case, Farm1). The client contacts the DNS server to resolve the Farm1 name to an IP address.
2. The DNS server, which is configured to use round robin to load balance the initial connection requests, returns the IP addresses that are registered for Farm1 to the client.
3. The client sends the connection request to the first IP address in the list that is returned by DNS. In this example, this is the IP address of TerminalServer2 (10.0.0.3).
4. TerminalServer2, acting as the redirector, queries the TS Session Broker server to determine which terminal server the client should log on to.
5. The TS Session Broker server checks its database and does either of the following:
   - If the user has an existing session, the TS Session Broker server returns the IP address of the terminal server where the session exists to the redirector.
   - If the user does not have an existing session, the TS Session Broker server determines which terminal server in the farm has the lowest load (based on the number of sessions and the relative server weight value). The TS Session Broker server returns the IP address of the terminal server with the lowest load to the redirector.
6. The redirector (TerminalServer2) sends the client the IP address of the terminal server that the client should connect to (in this example, TerminalServer3).
7. The client sends the connection request to TerminalServer3. TerminalServer3 processes the logon request and the user starts a Terminal Services session.
8. TerminalServer3 notifies the TS Session Broker server of the successful logon.
Note
For information about how to configure dedicated redirectors that redirect user sessions but do not accept user logons, see Configure dedicated redirectors (optional).
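The redirect decision described in this section, as a simplified model added here for illustration (it is not Microsoft's implementation and not code from the original guide). The load metric (sessions plus pending logons, divided by relative weight), the tie-break by server name, and all class and function names are assumptions; the limit of 16 pending logons, the default weight of 100, and the draining behavior come from the guide.

```python
from collections import Counter
from dataclasses import dataclass
from fractions import Fraction

MAX_PENDING_LOGONS = 16  # per-server cap on pending logon requests (from the guide)


@dataclass
class TerminalServer:
    name: str
    weight: int = 100              # relative weight; 100 is the documented default
    sessions: int = 0              # sessions the broker has recorded on this server
    pending: int = 0               # users redirected here whose logon is not yet reported
    allow_new_logons: bool = True  # False models "server draining"

    def load(self) -> Fraction:
        # Assumed metric: (sessions + pending logons) per unit of relative weight.
        return Fraction(self.sessions + self.pending, self.weight)


class SessionBrokerModel:
    def __init__(self, servers):
        self.servers = {s.name: s for s in servers}
        self.session_home = {}     # user name -> server that holds the session

    def redirect(self, user):
        """Answer a redirector's query: which server should `user` connect to?"""
        home = self.session_home.get(user)
        if home is not None:
            return home            # existing session: reconnect, even to a draining server
        candidates = [s for s in self.servers.values()
                      if s.allow_new_logons and s.pending < MAX_PENDING_LOGONS]
        if not candidates:
            return None            # no server can take a new logon right now
        target = min(candidates, key=lambda s: (s.load(), s.name))
        target.pending += 1
        return target.name

    def logon_succeeded(self, user, server_name):
        """The target server notifies the broker of a successful logon."""
        if self.session_home.get(user) == server_name:
            return                 # reconnection to an existing session
        server = self.servers[server_name]
        server.pending = max(0, server.pending - 1)
        server.sessions += 1
        self.session_home[user] = server_name


def weighted_distribution(users=300):
    """Sequential logons against relative weights of 100 and 200."""
    broker = SessionBrokerModel([TerminalServer("TS1", 100), TerminalServer("TS2", 200)])
    for i in range(users):
        user = f"user{i}"
        broker.logon_succeeded(user, broker.redirect(user))
    return {name: s.sessions for name, s in broker.servers.items()}


def burst_onto_new_server(burst=40):
    """A burst of logons arrives before any completes; TS3 was just added to the farm."""
    broker = SessionBrokerModel([
        TerminalServer("TS1", sessions=50),
        TerminalServer("TS2", sessions=50),
        TerminalServer("TS3"),
    ])
    return Counter(broker.redirect(f"new{i}") for i in range(burst))


def drain_for_maintenance():
    """alice holds a session on TS1; TS1 is then set to deny new logons."""
    broker = SessionBrokerModel([TerminalServer("TS1"), TerminalServer("TS2")])
    broker.logon_succeeded("alice", broker.redirect("alice"))
    broker.servers["TS1"].allow_new_logons = False
    return broker.redirect("alice"), broker.redirect("bob")


if __name__ == "__main__":
    print(weighted_distribution())
    print(burst_onto_new_server())
    print(drain_for_maintenance())
```

In the burst case the empty server receives 16 of the 40 redirects and the rest are spread over the other two, which is the overload scenario the pending-logon limit is meant to prevent.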
TS Session Broker Load Balancing system requirements
To participate in TS Session Broker Load Balancing, the following system requirements apply:
- The TS Session Broker server and the terminal servers in the farm must be running Windows Server 2008. TS Session Broker is available in the Windows Server 2008 Standard operating system, as well as the Windows Server 2008 Enterprise and Windows Server 2008 Datacenter operating systems.
Note
Windows Server 2003-based terminal servers cannot use the TS Session Broker Load Balancing feature.
- You must configure all terminal servers in the load-balanced farm identically, with the same available programs.
- For clients to use TS Session Broker Load Balancing, they must be running Remote Desktop Connection (RDC) version 5.2 or later.
In addition, we recommend that you configure all terminal servers in the farm to restrict each user to a single session. To do this, use either of the following methods:
- Configure the Restrict Terminal Services users to a single remote session Group Policy setting. This policy setting is available in the Computer Configuration\Policies\Administrative Templates\Windows Components\Terminal Services\Terminal Server\Connections node of the Group Policy Management Console (GPMC) on a Windows Server 2008-based domain controller. It is a best practice to group the terminal servers that are in the same terminal server farm into a single organizational unit (OU), and then configure this policy setting in a Group Policy object (GPO) that applies to the OU.
Note
If you are using the Local Group Policy Editor, Policies is not part of the node path.
- Configure the Restrict each user to a single session setting on each terminal server by using Terminal Services Configuration. This setting appears under Edit settings, in the General section.
Checklist: Deploying TS Session Broker Load Balancing
To deploy TS Session Broker Load Balancing, you must complete the following tasks.
Note
This step-by-step guide describes how to configure TS Session Broker Load Balancing by using DNS round robin to distribute the initial connections. If you prefer, you can use NLB or a hardware load balancer to spread the initial connection and authentication load between multiple terminal servers in the farm.
Task | Reference |
---|---|
Install the TS Session Broker role service on the server that you want to use to track user sessions for a farm. | Install the TS Session Broker role service |
Add the terminal servers in the farm to the Session Directory Computers local group on the TS Session Broker server. | Add each terminal server in the farm to the Session Directory Computers local group |
Configure the terminal servers in the farm to join a farm in TS Session Broker, and to participate in TS Session Broker Load Balancing. | Configure TS Session Broker settings for terminal servers in the farm |
Configure DNS round robin entries for terminal servers in the farm. | Configure DNS for TS Session Broker Load Balancing |
Install the TS Session Broker role service
You must install the TS Session Broker role service on the server that you want to use to track user session information for a load-balanced terminal server farm. You can use a single TS Session Broker server to track user sessions across multiple farms, as there is minimal performance overhead.
The Windows Server 2008-based server where you install the TS Session Broker role service does not have to be a terminal server or have Remote Desktop enabled. It is considered a best practice to install the TS Session Broker role service on a back-end infrastructure server, such as a file server. If you install the role service on a server that is not a terminal server, the Terminal Services Session Broker service will not be affected when you need to perform maintenance on terminal servers in the farm.
When you install the TS Session Broker role service, the following changes occur on the local computer:
- The Terminal Services Session Broker service is installed. By default, the service is set to Started and to Automatic.
- The Session Directory Computers local group is created.
Installation prerequisites
The server where you install TS Session Broker must be a member of a domain.
Note
If you install the TS Session Broker role service on a domain controller, the Session Directory Computers group will be a domain local group and will be available on all domain controllers.
Installation procedure
Membership in the local Administrators group is the minimum required to complete this procedure.
To install TS Session Broker
1. Open Server Manager. To open Server Manager, click Start, point to Administrative Tools, and then click Server Manager.
2. If the Terminal Services role is already installed:
   - Under Roles Summary, click Terminal Services.
   - Under Role Services, click Add Role Services.
   - On the Select Role Services page, select the TS Session Broker check box, and then click Next.

   If the Terminal Services role is not already installed:
   - Under Roles Summary, click Add Roles.
   - On the Before You Begin page of the Add Roles Wizard, click Next.
   - On the Select Server Roles page, select the Terminal Services check box, and then click Next.
   - Review the Terminal Services page, and then click Next.
   - On the Select Role Services page, select the TS Session Broker check box, and then click Next.
3. On the Confirm Installation Selections page, click Install.
4. On the Installation Results page, confirm that the installation succeeded, and then click Close.
Add each terminal server in the farm to the Session Directory Computers local group
For terminal servers to use TS Session Broker, you must add the computer account for each terminal server in the farm to the Session Directory Computers local group on the TS Session Broker server.
Membership in the local Administrators group is the minimum required to complete this procedure.
Important
You must perform this procedure on the server where you installed the TS Session Broker role service.
To add terminal servers to the Session Directory Computers local group
1. On the TS Session Broker server, click Start, point to Administrative Tools, and then click Computer Management.
2. In the left pane, expand Local Users and Groups, and then click Groups.
3. In the right pane, right-click the Session Directory Computers group, and then click Properties.
4. Click Add.
5. In the Select Users, Computers or Groups dialog box, click Object Types.
6. Select the Computers check box, and then click OK.
7. Locate and then add the computer account for each terminal server that you want to add.
8. When you are finished, click OK.
Configure TS Session Broker settings for terminal servers in the farm
You can configure a terminal server to join a farm in TS Session Broker and to participate in TS Session Broker Load Balancing by using Group Policy or the Terminal Services Configuration tool. However, you must use Terminal Services Configuration to configure the following settings:
- The IP addresses to be used for reconnection.
- The relative weight of the server when using TS Session Broker Load Balancing.
For information about how to configure the settings by using Group Policy, see Configure TS Session Broker settings by using Group Policy. Configuring the settings by using Group Policy is a recommended best practice.
For information about how to configure the settings by using Terminal Services Configuration, see Configure TS Session Broker settings by using Terminal Services Configuration.
Important
Group Policy settings take precedence over configuration settings in the Terminal Services Configuration snap-in and those that are made by using the Terminal Services WMI provider.
Configure TS Session Broker settings by using Group Policy
To assign TS Session Broker settings through Group Policy, it is a best practice to group the terminal servers that are in the same terminal server farm into a single OU in Active Directory Domain Services (AD DS). Then, configure the TS Session Broker settings in a GPO that applies to the OU.
Note
For the TS Session Broker settings to be effective on a server, the server must have the Terminal Server role service installed.
The following procedure describes how to configure TS Session Broker Group Policy settings by using the Group Policy Management Console (GPMC) on a Windows Server 2008-based domain controller.
To change Group Policy settings for a domain or an OU, you must be logged on as a member of the Domain Admins, Enterprise Admins, or the Group Policy Creator Owners group, or have been delegated the appropriate control over Group Policy to complete this procedure.
To apply TS Session Broker settings to an Active Directory OU
1. To start the GPMC, click Start, point to Administrative Tools, and then click Group Policy Management.
2. In the left pane, locate the OU that contains the terminal servers.
3. To modify an existing GPO for the OU, expand the OU, and then click the GPO.
4. To create a new GPO, follow these steps:
   - Right-click the OU, and then click Create a GPO in this domain, and link it here.
   - In the Name box, type a name for the GPO, and then click OK.
   - In the left pane, click the new GPO.
5. In the right pane, click the Settings tab.
6. Right-click Computer Configuration, and then click Edit.
7. In the left pane, under Computer Configuration, expand Policies, expand Administrative Templates, Windows Components, Terminal Services, and Terminal Server, and then click TS Session Broker.
8. In the right pane, double-click the Join TS Session Broker policy setting, click Enabled, and then click OK.
9. Double-click the Configure TS Session Broker farm name policy setting, and then do the following:
   - Click Enabled.
   - In the TS Session Broker farm name box, type the name of the farm in TS Session Broker that you want to join, and then click OK.
Important
TS Session Broker uses a farm name to determine which servers are in the same terminal server farm. You must use the same farm name for all servers that are in the same load-balanced terminal server farm. Although the farm name in TS Session Broker does not have to be registered in AD DS, it is recommended that you use the same name that you will use in DNS for the terminal server farm. (The terminal server farm name in DNS represents the virtual name that clients will use to connect to the terminal server farm.) If you type a new farm name, a new farm is created in TS Session Broker and the server is joined to the farm. If you type an existing farm name, the server joins the existing farm in TS Session Broker.
10. Double-click the Configure TS Session Broker server name policy setting, and then do the following:
    - Click Enabled.
    - In the TS Session Broker server name box, type the name of the server where you installed the TS Session Broker role service, and then click OK.
11. Double-click the Use TS Session Broker load balancing policy setting, click Enabled, and then click OK.
12. Optionally, if you are using a hardware load balancer that supports token redirection, double-click Use IP Address Redirection and configure the setting. See the Group Policy Explain text for more information.
Note
To configure TS Session Broker settings by using local Group Policy, use the Local Group Policy Editor. To start the Local Group Policy Editor, click Start, click Run, type gpedit.msc, and then click OK. To configure local Group Policy settings, you must be a member of the Administrators group on the local computer or you must have been delegated the appropriate authority.
Configure TS Session Broker settings by using Terminal Services Configuration
You can configure a terminal server to join a farm in TS Session Broker and to participate in TS Session Broker Load Balancing by using Terminal Services Configuration.
Note
The following steps are only applicable if the Terminal Server role service is installed.
Membership in the local Administrators group is the minimum required to complete this procedure.
To configure TS Session Broker settings by using Terminal Services Configuration
1. Start Terminal Services Configuration. To do this, click Start, point to Administrative Tools, point to Terminal Services, and then click Terminal Services Configuration.
2. In the Edit settings area, under TS Session Broker, double-click Member of farm in TS Session Broker.
3. On the TS Session Broker tab, click to select the Join a farm in TS Session Broker check box.
4. In the TS Session Broker server name or IP address box, type the name or the IP address of the TS Session Broker server.
Note
The TS Session Broker server is the server where you installed the TS Session Broker role service.
5. In the Farm name in TS Session Broker box, type the name of the farm that you want to join in TS Session Broker.
Important
TS Session Broker uses a farm name to determine which servers are in the same terminal server farm. You must use the same farm name for all servers that are in the same load-balanced terminal server farm. Although the farm name in TS Session Broker does not have to be registered in AD DS, it is recommended that you use the same name that you will use in DNS for the terminal server farm. (The terminal server farm name in DNS represents the virtual name that clients will use to connect to the terminal server farm.) If you type a new farm name, a new farm is created in TS Session Broker and the server is joined to the farm. If you type an existing farm name, the server joins the existing farm in TS Session Broker.
6. To participate in TS Session Broker Load Balancing, select the Participate in Session Broker Load-Balancing check box.
7. Optionally, in the Relative weight of this server in the farm box, modify the server weight. By default, the value is 100. The server weight is relative. Therefore, if you assign one server a value of 100, and one a value of 200, the server with a relative weight of 200 will receive twice the number of sessions.
8. Verify that you want to use IP address redirection. By default, the Use IP address redirection (recommended) setting is enabled. If you clear the check box, the server switches to token redirection mode.
9. In the Select IP addresses to be used for reconnection box, click to select the check box next to each IP address that you want to use. When you select the IP addresses to use, consider the following:
   - Only the first selected IPv4 address will be used by clients that are running RDC 5.2 and earlier.
   - Using IPv6 addresses is not recommended if the terminal server farm contains servers that are running Windows Server 2003.
10. When you are finished, click OK.
Configure DNS for TS Session Broker Load Balancing
To configure DNS round robin for TS Session Broker Load Balancing, you must map the IP address of each terminal server in the farm to the terminal server farm name in DNS.
The following procedure provides the steps to configure DNS on a Windows Server 2008-based domain controller.
You must be a member of the Domain Admins, Enterprise Admins, or the DnsAdmins group to complete this procedure.
To add DNS entries for each terminal server in the farm
1. Click Start, point to Administrative Tools, and then click DNS.
2. Expand the server name, expand Forward Lookup Zones, expand the domain name, and then click the appropriate zone.
3. Right-click the zone, and then click New Host (A or AAAA).
4. In the Name (uses parent domain name if blank) box, type the terminal server farm name.
   The farm name is the virtual name that clients will use to connect to the terminal server farm. For management purposes, it is recommended that you use the same farm name that you specified when you configured the terminal servers to join a farm in TS Session Broker.
Important
Do not use the name of an existing server for the farm name.
5. In the IP address box, type the IP address of a terminal server in the farm.
6. Click Add Host, and then click OK when you receive the message that the host record was successfully created.
7. Repeat steps four through six for each terminal server in the farm. For each DNS entry, ensure that you specify the same farm name in the Name (uses parent domain name if blank) box. For example, if you have three terminal servers in a farm named FARM1, with IP addresses of 192.168.1.20, 192.168.1.21, and 192.168.1.22, the entries would look similar to the following:
   Farm1 Host(A) 192.168.1.20
   Farm1 Host(A) 192.168.1.21
   Farm1 Host(A) 192.168.1.22
8. When you are finished, click Done.
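A consistency check over the settings this guide has you configure by hand, added here as an example (it is not part of the original guide). It runs on a constructed inventory; the field names, finding codes, and case-insensitive name comparison are assumptions of the example, and in practice you would populate the inputs from your DNS zone, the Session Directory Computers group, and each server's TS Session Broker settings.

```python
def audit_farm(farm_name, dns_a_records, broker_group, servers, domain_computers):
    """Return a sorted list of (check, subject) findings; an empty list means consistent.

    farm_name        : the name used for the farm in TS Session Broker and in DNS
    dns_a_records    : (name, ip) pairs from the forward lookup zone
    broker_group     : computer names in Session Directory Computers on the broker
    servers          : dicts with name, ip, farm (farm name set on that server)
                       and allow_new_logons
    domain_computers : names of existing computers in the domain
    """
    fold = str.casefold  # assumption: names are compared case-insensitively
    findings = []

    # The farm name is a virtual name and must not be the name of an existing server.
    if fold(farm_name) in {fold(c) for c in domain_computers}:
        findings.append(("FARM_NAME_IS_EXISTING_SERVER", farm_name))

    group = {fold(n) for n in broker_group}
    known = {fold(s["name"]) for s in servers}
    for s in servers:
        # Every server in one load-balanced farm must use the same farm name.
        if fold(s["farm"]) != fold(farm_name):
            findings.append(("FARM_NAME_MISMATCH", s["name"]))
        # A terminal server can use the broker only if its account is in the group.
        if fold(s["name"]) not in group:
            findings.append(("NOT_IN_SESSION_DIRECTORY_COMPUTERS", s["name"]))

    # Group members that are not farm servers (pass the union of all farms
    # when one broker tracks several farms).
    for member in broker_group:
        if fold(member) not in known:
            findings.append(("UNEXPECTED_GROUP_MEMBER", member))

    # Round robin records for the farm name must point only at farm servers.
    member_ips = {s["ip"] for s in servers}
    farm_ips = [ip for name, ip in dns_a_records if fold(name) == fold(farm_name)]
    if not farm_ips:
        findings.append(("NO_DNS_RECORDS", farm_name))
    for ip in farm_ips:
        if ip not in member_ips:
            findings.append(("DNS_RECORD_NOT_A_FARM_MEMBER", ip))

    # If every server denies new logons, new users cannot be redirected anywhere.
    if servers and not any(s["allow_new_logons"] for s in servers):
        findings.append(("NO_SERVER_ACCEPTS_NEW_LOGONS", farm_name))
    return sorted(findings)


# Constructed inventory for illustration (names and addresses are made up).
SERVERS = [
    {"name": "TS1", "ip": "192.168.1.20", "farm": "Farm1", "allow_new_logons": True},
    {"name": "TS2", "ip": "192.168.1.21", "farm": "Farm1", "allow_new_logons": True},
    {"name": "TS3", "ip": "192.168.1.22", "farm": "Farm-1", "allow_new_logons": True},
]
DNS = [("Farm1", "192.168.1.20"), ("Farm1", "192.168.1.21"),
       ("Farm1", "192.168.1.29"), ("FILE1", "192.168.1.5")]
GROUP = ["TS1", "TS2", "OLDTS9"]
COMPUTERS = ["TS1", "TS2", "TS3", "FILE1", "DC1"]


def sample_findings():
    return audit_farm("Farm1", DNS, GROUP, SERVERS, COMPUTERS)


if __name__ == "__main__":
    for check, subject in sample_findings():
        print(f"{check}: {subject}")
```

A farm-name record that points at a server that is offline or no longer in the farm is what produces the 30-second timeout delay described earlier, and a group member that is not a farm server is a computer account that can still use the broker.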
Additional information
Configure dedicated redirectors (optional)
When you register the IP address of each terminal server in the farm to a single terminal server farm name in DNS, incoming Terminal Services clients will try to connect to the first IP address for the farm name that is returned by DNS. The terminal server that receives this initial connection request acts as the redirector.
To increase session redirection performance in a large terminal server farm, you can configure terminal servers to be dedicated redirectors. These servers will process incoming requests, but will not accept user sessions. To configure dedicated redirectors, you must do the following:
- Create DNS round robin entries for the terminal servers that you want to use as dedicated redirectors. When you do so, you must map the IP address of each terminal server that you are using as a dedicated redirector to the terminal server farm name in DNS. (The farm name is the virtual name that clients will use to connect to the terminal server farm.) The farm name must not match an existing server name in AD DS.
- Configure the servers to deny new user logons. For more information about how to deny new user logons, see Deny logons to a terminal server in a load-balanced farm.
Because these dedicated redirectors have no user sessions, they do not require roaming profiles or any installed programs. This enables a faster logon experience, and makes the server easier to manage and more reliable.
The following diagram provides a more detailed representation of the traffic flow. In the diagrammed scenario, two terminal servers are deployed as dedicated redirectors. (In a large terminal server farm, you may want to have more than two dedicated redirectors.) The terminal servers will redirect initial connection requests, but will not host any sessions (that is, they are configured to deny new user logons). Only the two redirectors have host resource records in DNS that map to the terminal server farm name. All terminal servers in the farm (including the redirectors) are configured to use the same farm in TS Session Broker (in the Terminal Services Configuration settings).
1. A user on the client computer starts the RDC client. In the Computer field, they specify the name of the terminal server farm (in this case, Farm1). The client contacts the DNS server to resolve the Farm1 name to an IP address.
2. The DNS server, which is configured to use round robin to load balance the initial connection requests, returns the IP addresses that are registered for Farm1 (in this case, the IP addresses of the two redirectors).
3. The client sends the connection request to the first IP address in the list that is returned by DNS. In this example, this is the IP address of Redirector2 (10.0.0.3).
4. The redirector (Redirector2) queries the TS Session Broker server to determine which terminal server the client should log on to.
5. The TS Session Broker server checks its database and does either of the following:
   - If the user has an existing session, the TS Session Broker server returns the IP address of the terminal server where the session exists to the redirector.
   - If the user does not have an existing session, the TS Session Broker server determines which terminal server in the farm has the lowest load (based on the number of sessions and the relative server weight value). The TS Session Broker server returns the IP address of the terminal server with the lowest load to the redirector.
6. Redirector2 sends the client the IP address of the terminal server that the client should connect to (in this example, TerminalServer5).
7. The client sends the connection request to TerminalServer5. TerminalServer5 processes the logon request and the user starts a Terminal Services session.
8. TerminalServer5 notifies the TS Session Broker server of the successful logon.
Note
In the diagram, TS Session Broker is installed on a separate server. You can install TS Session Broker on one of the terminal servers that will act as a dedicated redirector.
Deny logons to a terminal server in a load-balanced farm
In Windows Server 2008, you can configure a terminal server to deny logon requests from new users. With the ability to deny logons from new users to specific servers in a farm, you can maintain your terminal server environment without disrupting end-user service. If you configure a terminal server to deny new logons, the following behavior occurs:
- Users with existing sessions can still reconnect to the server. Only new logons to that server are denied. However, an administrator can still log on to the server locally to perform maintenance on the server.
Note
An administrator can also connect remotely by starting the RDC client from the command line with the /admin option (mstsc /admin).
- If you are using TS Session Broker Load Balancing, TS Session Broker will redirect new users to other servers in the farm, where new user logons are enabled.
Before you take a server down for maintenance, you can notify users with existing sessions to log off from the server by using Terminal Services Manager to send a message.
To deny new user logons
1. Click Start, point to Administrative Tools, point to Terminal Services, and then click Terminal Services Configuration.
2. In the Edit settings area, double-click User logon mode under General.
3. On the General tab, click either of the following:
   - Allow reconnections, but prevent new logons
   - Allow reconnections, but prevent new logons until the server is restarted
4. Click OK.
When you are finished doing maintenance, ensure that Allow all connections is selected.
Additional references
For information about how to configure a load-balanced terminal server farm by using TS Session Broker and NLB, see the Step-by-Step Guide for Configuring Network Load Balancing with Terminal Services in Windows Server 2008.
For information about Terminal Services Session Directory in Windows Server 2003, see Session Directory and Load Balancing Using Terminal Server.