How to Build an RDS Farm with Windows 2019 Using RDS Broker HA and RDS Session Hosts

In this post I will go step by step through everything you need to do to build an RDS farm made up of two RD Connection Broker servers, two RD Session Hosts and one SQL Server.  I will cover how to make the broker tier highly available and what you need to do to get everything up and running.

Design Overview

For this deployment I want to use the below:

2x RDS Broker Server

2x RDS Session Hosts

Users connect to the RDS Broker Servers as shown below and are then redirected to one of the RDS Session Hosts.  From there they can connect on to the target servers.

As the clients will be connecting to the RDS Broker Servers we need to create a DNS round-robin name for them.  For example we have rdsbroker1.domain.com with IP 10.10.20.10 and rdsbroker2.domain.com with IP 10.10.20.11.  We would add two A records for the RDS Broker cluster name:

rdsbrokercluster.domain.com IP 10.10.20.10

rdsbrokercluster.domain.com IP 10.10.20.11

This name is what you will later enter as the client access name in the broker HA wizard, and it must appear on the broker certificate, so choose it now and keep it.  Round robin is enabled by default on Microsoft DNS servers; confirm it under the server's Advanced properties.  Note that DNS round robin does not check health: a broker that is down still receives its share of lookups, so keep the TTL short and remove a broker's record when you take it out of service.
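The DNS step above in PowerShell, as an added example that is not part of the original post. It assumes the zone is domain.com, the broker addresses are the two from the text, and that it is run on the DNS server (or a host with the DnsServer RSAT module); the DnsServer module cmdlets are the standard ones, nothing here is specific to this farm.

```powershell
# Added example (not from the original post): create the round-robin A records for the
# broker client access name and confirm both addresses come back in rotating order.
# Assumptions: zone "domain.com", IPs 10.10.20.10/.11 (from the text), run on the DNS server.
Import-Module DnsServer

$ZoneName   = 'domain.com'
$RecordName = 'rdsbrokercluster'
$BrokerIPs  = @('10.10.20.10', '10.10.20.11')

foreach ($ip in $BrokerIPs) {
    # Short TTL: when a broker is removed from DNS, clients stop caching it within minutes.
    Add-DnsServerResourceRecordA -ZoneName $ZoneName -Name $RecordName `
        -IPv4Address $ip -TimeToLive (New-TimeSpan -Minutes 5)
}

# Round robin is on by default; verify instead of assuming, and switch it on if not.
$settings = Get-DnsServerSetting -All
if (-not $settings.RoundRobin) {
    $settings.RoundRobin = $true
    Set-DnsServerSetting -InputObject $settings
}

# Query the server directly (bypassing the client cache) a few times: the two
# addresses should swap position between answers.
1..4 | ForEach-Object {
    $answer = Resolve-DnsName -Name "$RecordName.$ZoneName" -Type A -Server $env:COMPUTERNAME -DnsOnly
    ($answer | Where-Object Type -eq 'A').IPAddress -join ', '
}
```

Round robin only rotates answers; it does not know whether a broker is up. Monitor the brokers and pull the A record of any broker you take down for patching, otherwise roughly half of new connections will fail until the client retries.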

Installing the RDS Server Roles

First do a basic installation of Windows Server 2019 Standard on the five servers.  Once your servers are ready, add all of them to a single Server Manager console so the RDS deployment wizard can see them.

Open Server Manager and on the dashboard click "3 Add other servers to manage"




Add all of the soon-to-be broker and session host servers and click OK

Click "4 Create a server group", give it a name, add the soon-to-be RDS servers to it and click OK

Here is the group, click on it

You will see all the RDS servers available




The deployment of the RDS infrastructure is driven by the wizard built into Server Manager; in a single run it installs the following roles:
• Remote Desktop Session Host
• Remote Desktop Connection Broker
• Remote Desktop Web Access

From server manager click add roles and features

Click next

Select Remote Desktop Services installation and click Next

Select a standard deployment and click next

Select session-based deployment and click Next




Click Next

Add the first broker server and click Next (we will add the second in later when we configure HA)

Select install the RD Web Access role on the RD connection broker

Select the session host and click Next

Add the RD Session host servers and click Next

Confirm all is OK, tick "Restart the destination server automatically if required", and click Deploy

Roles are deployed
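The same standard, session-based deployment from PowerShell, as an added example (not code from the original post). The hostnames rdsbroker1, rdssh1 and rdssh2 in domain.com are assumptions; the cmdlets are from the RemoteDesktop module that ships with Windows Server 2019, and the script is run from the first broker.

```powershell
# Added example (not from the original post): PowerShell equivalent of the
# "standard deployment / session-based" wizard. Run on the first broker.
# Assumed hostnames (not in the original): rdsbroker1, rdssh1, rdssh2 in domain.com.
Import-Module RemoteDesktop

$Broker1      = 'rdsbroker1.domain.com'
$SessionHosts = @('rdssh1.domain.com', 'rdssh2.domain.com')

# One call installs RD Connection Broker, RD Web Access and RD Session Host.
# RD Web Access is placed on the broker, matching the choice made in the wizard.
New-RDSessionDeployment -ConnectionBroker $Broker1 -WebAccessServer $Broker1 -SessionHost $SessionHosts

# The session hosts reboot during role installation; wait for WinRM to return
# before running anything else against them.
foreach ($sh in $SessionHosts) {
    while (-not (Test-WSMan -ComputerName $sh -ErrorAction SilentlyContinue)) {
        Start-Sleep -Seconds 15
    }
}

# Check that every server carries exactly the role you expect and nothing extra.
Get-RDServer -ConnectionBroker $Broker1 | Select-Object Server, Roles
```

The second broker is deliberately not added here; it is added after HA is configured, exactly as in the wizard flow above.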

Create a collection to specify the hosts and who can access them
Open server manager and click Remote Desktop Services, click collections and click Create Session Collection

Click next




Name the collection

Select your session host servers and click Next

Add the groups that are allowed to log on to the session hosts (use a dedicated group rather than Domain Users so that access to the hosts is deliberate)

Enter the path of the user profile disk folder (the NTFS and share permissions must grant Full Control to the session host computer accounts; we will come back to this later)

Confirm all is correct and click create

Configurations are applied

Select the collection and click Tasks, Edit properties

Edit the session properties so that disconnected and idle sessions expire instead of accumulating on the hosts

Select the security options (keep Network Level Authentication required and the security layer on SSL/TLS)

Select any server weighting

Configure client settings and click ok
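The collection creation and its property pages as one PowerShell sequence, added here as an example and not taken from the original post. The collection name "Wintel Bastion", the group DOMAIN\RDS-Users, the share \\fs1\RDSProfiles and the hostnames are assumptions; each Set-RDSessionCollectionConfiguration call corresponds to one tab of the Edit Properties dialog.

```powershell
# Added example (not from the original post): create the session collection and
# apply the same settings the wizard and the property tabs above expose.
# Assumed names (not in the original): collection "Wintel Bastion", group
# DOMAIN\RDS-Users, UPD share \\fs1\RDSProfiles, hosts rdsbroker1/rdssh1/rdssh2.
Import-Module RemoteDesktop

$Broker1      = 'rdsbroker1.domain.com'
$SessionHosts = @('rdssh1.domain.com', 'rdssh2.domain.com')
$Collection   = 'Wintel Bastion'
$common       = @{ CollectionName = $Collection; ConnectionBroker = $Broker1 }

New-RDSessionCollection @common -SessionHost $SessionHosts

# User Groups tab: a dedicated group, not Domain Users.
Set-RDSessionCollectionConfiguration @common -UserGroup 'DOMAIN\RDS-Users'

# Session tab (minutes): disconnected sessions end after 1h, idle after 4h,
# no limit on active sessions, reconnect allowed after a dropped network.
Set-RDSessionCollectionConfiguration @common `
    -DisconnectedSessionLimitMin 60 -IdleSessionLimitMin 240 -ActiveSessionLimitMin 0 `
    -BrokenConnectionAction Disconnect -AutomaticReconnectionEnabled $true

# Security tab: NLA required, TLS rather than native RDP encryption, high level.
Set-RDSessionCollectionConfiguration @common `
    -AuthenticateUsingNLA $true -SecurityLayer SSL -EncryptionLevel High

# Client Settings tab: only clipboard is redirected; drives, printers and
# smart cards stay on the client unless the use case needs them.
Set-RDSessionCollectionConfiguration @common `
    -ClientDeviceRedirectionOptions Clipboard -ClientPrinterRedirected $false

# User Profile Disks tab: the share must give the session host computer
# accounts Full Control (share and NTFS).
Set-RDSessionCollectionConfiguration @common `
    -EnableUserProfileDisk -DiskPath '\\fs1\RDSProfiles' -MaxUserProfileDiskSizeGB 20

# Read back what was applied.
Get-RDSessionCollectionConfiguration @common -Security
Get-RDSessionCollectionConfiguration @common -UserProfileDisk
```

Each tab is a separate parameter set on Set-RDSessionCollectionConfiguration, which is why the settings are applied in several calls rather than one.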

Open RDS Licensing

 

Add the license servers (I used the session hosts)

Click Add

Licensing configuration is applied

Right click on RD Licensing and click Select RD Licensing Mode

 




Select the license mode and click Apply> Ok

 

From the session host where we installed the license server role, click Tools > Remote Desktop Services > Remote Desktop Licensing Manager

Right click and Activate server

Select Automatic Connection

Enter company details

 

Enter email

Click Next to add licenses

Select Enterprise Agreement

Enter agreement number

Enter license details and click Next

License is installed

On the license server open the Remote Desktop Licensing Manager console, right click the license server and click Review Configuration




Click Add to Group (this adds the license server to the Terminal Server License Servers group in AD, which it needs in order to issue per-user CALs)

Repeat on any additional license servers (I split 50:50 between my session hosts)
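The licensing configuration from the deployment side, as an added example not found in the original post. It assumes the two session hosts rdssh1 and rdssh2 (domain.com) hold the RD Licensing role as the text describes, that the deployment is per-user licensed, and that the script runs from rdsbroker1. Activation, CAL installation and the Review Configuration step have no RemoteDesktop cmdlet and stay in Remote Desktop Licensing Manager.

```powershell
# Added example (not from the original post): register the license servers with the
# deployment, set the licensing mode, and check what each session host actually sees.
# Assumed names (not in the original): rdssh1/rdssh2 as license servers, broker rdsbroker1.
Import-Module RemoteDesktop

$Broker1    = 'rdsbroker1.domain.com'
$LicServers = @('rdssh1.domain.com', 'rdssh2.domain.com')

# Add the RD Licensing role where it is missing (what the wizard does on Add).
$existing = Get-RDServer -ConnectionBroker $Broker1 -Role RDS-LICENSING | Select-Object -ExpandProperty Server
foreach ($ls in $LicServers) {
    if ($existing -notcontains $ls) {
        Add-RDServer -Server $ls -Role RDS-LICENSING -ConnectionBroker $Broker1
    }
}

# The mode must match the CALs you own; PerUser here.
Set-RDLicenseConfiguration -LicenseServer $LicServers -Mode PerUser -ConnectionBroker $Broker1 -Force
Get-RDLicenseConfiguration -ConnectionBroker $Broker1

# Verify on each session host: LicensingType 2 = per device, 4 = per user, and the
# license server list the host will contact. A wrong or empty list shows up here long
# before the 120-day grace period expires and users are refused.
foreach ($sh in $LicServers) {
    $ts = Get-CimInstance -ComputerName $sh -Namespace root/cimv2/TerminalServices `
                          -ClassName Win32_TerminalServiceSetting
    $r  = Invoke-CimMethod -InputObject $ts -MethodName GetSpecifiedLicenseServerList
    '{0}: LicensingType={1} LicenseServers={2}' -f $sh, $ts.LicensingType, ($r.SpecifiedLSList -join ',')
}
```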

Preparing for the RDS Broker HA Configuration

First we need to create the user profile disk folder on a file server and share it.  This needs to be highly available, so I store mine on a replicated DFS folder.  On a file server create a folder for the RDS profiles and share it.  The session host computer accounts need Full Control on the share; ordinary users should get no direct access, because the share holds every user's profile VHDX.

Do the same for the NTFS permissions

Create an AD security group and add the broker servers' computer accounts to it.  This group will be granted the SQL login, so only the brokers ever authenticate to the broker database.

For the purpose of this guide, and because we do not want to focus on SQL too much, we will just use a standalone SQL Express database.  Bear in mind that this leaves the database as a single point of failure for new connections; for highly available setups the best solution is to use Always On Availability Groups as in my guide here.

Next set up a new 2019 server and install SQL Express; I used SQL Server Express 2019 (the latest available).  Install SQL Server Management Studio and log in, then add a new login for the RDS broker group

Click search

Select the RDS broker security group created earlier

Select dbcreator under Server Roles (the HA wizard creates the database schema using the broker computer account, so it needs this)

Login is added to the list

Click New Database

Name the database

Database is added

Modify the login you created and, under User Mapping, make it db_owner of the new database only; it does not need sysadmin

On both broker servers install the SQL Server Native Client (the ODBC driver named in the connection string used below); the HA wizard fails if the driver it is told to use is not present

Next on your SQL servers add the broker server accounts to the Remote Management Users group
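The preparation steps above as PowerShell, added as an example that is not from the original post. Part 1 runs on the file server, part 2 on a domain controller or a host with the AD RSAT module, and part 3 on the SQL Express server. The share path D:\RDSProfiles, the groups DOMAIN\RDS-SessionHosts and DOMAIN\RDS-Brokers and the computer names are assumptions; the SQL server name VMMGTRDSSQL101 and the database name RDSHA are the ones used later in the post.

```powershell
# Added example (not from the original post). Assumed names: D:\RDSProfiles shared as
# RDSProfiles, groups DOMAIN\RDS-SessionHosts and DOMAIN\RDS-Brokers, computers
# rdssh1/rdssh2/rdsbroker1/rdsbroker2; VMMGTRDSSQL101 and RDSHA are from the post.

# --- 1. File server: profile disk share. Session host computer accounts get Full
#        Control; inheritance is removed so "Users: Read" from the drive root does
#        not expose other people's profile VHDX files.
$Path = 'D:\RDSProfiles'
New-Item -Path $Path -ItemType Directory -Force | Out-Null
$acl = Get-Acl -Path $Path
$acl.SetAccessRuleProtection($true, $false)
foreach ($id in 'BUILTIN\Administrators', 'NT AUTHORITY\SYSTEM', 'DOMAIN\RDS-SessionHosts') {
    $rule = [System.Security.AccessControl.FileSystemAccessRule]::new(
        $id, 'FullControl', 'ContainerInherit,ObjectInherit', 'None', 'Allow')
    $acl.AddAccessRule($rule)
}
Set-Acl -Path $Path -AclObject $acl
New-SmbShare -Name 'RDSProfiles' -Path $Path -FullAccess 'DOMAIN\RDS-SessionHosts', 'BUILTIN\Administrators'

# --- 2. Domain controller: security groups that hold the computer objects.
New-ADGroup -Name 'RDS-SessionHosts' -GroupScope Global -GroupCategory Security
New-ADGroup -Name 'RDS-Brokers'      -GroupScope Global -GroupCategory Security
Add-ADGroupMember -Identity 'RDS-SessionHosts' -Members (Get-ADComputer rdssh1), (Get-ADComputer rdssh2)
Add-ADGroupMember -Identity 'RDS-Brokers'      -Members (Get-ADComputer rdsbroker1), (Get-ADComputer rdsbroker2)
# A computer's group memberships are in its Kerberos ticket, obtained at boot: reboot the
# servers (or run "klist -li 0x3e7 purge" on them) before expecting the new groups to work.

# --- 3. SQL server: Windows-authenticated login for the broker group, scoped to RDSHA.
#        No SQL password exists, so none can leak via the connection string.
$tsql = @'
IF SUSER_ID(N'DOMAIN\RDS-Brokers') IS NULL
    CREATE LOGIN [DOMAIN\RDS-Brokers] FROM WINDOWS;
ALTER SERVER ROLE [dbcreator] ADD MEMBER [DOMAIN\RDS-Brokers];
IF DB_ID(N'RDSHA') IS NULL
    CREATE DATABASE [RDSHA];
USE [RDSHA];
IF DATABASE_PRINCIPAL_ID(N'DOMAIN\RDS-Brokers') IS NULL
    CREATE USER [DOMAIN\RDS-Brokers] FOR LOGIN [DOMAIN\RDS-Brokers];
ALTER ROLE [db_owner] ADD MEMBER [DOMAIN\RDS-Brokers];
'@
# sqlcmd ships with SQL Server; -E uses the current Windows account, -b stops on error.
$tsql | sqlcmd -S VMMGTRDSSQL101 -E -b

# The post also adds the brokers to the SQL server's Remote Management Users group.
Add-LocalGroupMember -Group 'Remote Management Users' -Member 'DOMAIN\RDS-Brokers'
```

The login is the group, not the individual broker computer accounts, so adding a third broker later only requires an AD group membership change and a reboot of that broker.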

Configure RDS Broker Servers for HA

Go to the Deployment Overview, right click the RD Connection Broker, then click Configure High Availability

Click Next

Select dedicated database server

Enter the client access name (the DNS round-robin name created earlier, rdsbrokercluster.domain.com in this example) and the connection string, then click Next

The connection string I used for this setup is below.  Trusted_Connection=Yes means the brokers authenticate to SQL with their computer accounts, so there is no SQL password in the string:

DRIVER=SQL Server Native Client 11.0;SERVER=VMMGTRDSSQL101;Trusted_Connection=Yes;APP=Remote Desktop Services Connection Broker;DATABASE=RDSHA

 

If you are using multiple subnets and SQL Availability Groups, your string should look more like the below – using the DNS name of your SQL listener

DRIVER=SQL Server Native Client 11.0;SERVER=aglinuxrds;MultiSubnetFailover=True;Trusted_Connection=Yes;APP=Remote Desktop Services Connection Broker;DATABASE=RDSHA

 

If that does not work try the version below.  The ODBC keyword is documented as MultiSubnetFailover=Yes; True is accepted by some client versions but not others:

DRIVER=SQL Server Native Client 11.0;SERVER=aglinuxrds;Trusted_Connection=Yes;MultiSubnetFailover=Yes;APP=Remote Desktop Services Connection Broker;DATABASE=RDSHA;

 

If you have any problems at this stage, first check from a broker (not just from the SQL server itself) that the SQL server is reachable on TCP port 1433, which also proves the firewall is open:

PowerShell (from a broker server; tnc is the alias for Test-NetConnection)

Test-NetConnection VMMGTRDSSQL101 -Port 1433

 

If not, open SQL Server Configuration Manager and go to SQL Server Network Configuration > Protocols > TCP/IP.  SQL Express installs with TCP/IP disabled and a dynamic port on a named instance, so enable the protocol, ensure the right IPs are enabled, clear the dynamic port and set the TCP port to 1433 as below, then restart the SQL service and allow 1433 inbound in the Windows firewall

Click Configure

The task is executed, click close

Adding a broker server

From the deployment overview Right click on the RD Connection Broker click add RD Connection Broker Server

Click Next

Add the second RDS Broker server and click Next

Click Add




The wizard should complete
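The two wizards above (Configure High Availability, then Add RD Connection Broker Server) as PowerShell, added here as an example that is not from the original post. It runs on rdsbroker1; the hostnames rdsbroker1 and rdsbroker2 are assumptions, while the connection string, the client access name rdsbrokercluster.domain.com and the SQL server VMMGTRDSSQL101 are the values used in the post. The two checks at the top cover the failures the wizard reports only after it has run.

```powershell
# Added example (not from the original post): configure broker HA and add the second
# broker. Assumed hostnames: rdsbroker1/rdsbroker2 in domain.com. Connection string,
# client access name and database name are the ones used in the post.
Import-Module RemoteDesktop

$Broker1          = 'rdsbroker1.domain.com'
$Broker2          = 'rdsbroker2.domain.com'
$SqlServer        = 'VMMGTRDSSQL101'
$ClientAccessName = 'rdsbrokercluster.domain.com'   # the DNS round-robin name
$ConnString = "DRIVER=SQL Server Native Client 11.0;SERVER=$SqlServer;Trusted_Connection=Yes;" +
              'APP=Remote Desktop Services Connection Broker;DATABASE=RDSHA'

# Check 1: the 64-bit ODBC driver named in the string must be installed on this broker.
$driver = (($ConnString -split ';') | Where-Object { $_ -like 'DRIVER=*' }) -replace '^DRIVER=', ''
if (-not (Get-OdbcDriver -Name $driver -Platform '64-bit' -ErrorAction SilentlyContinue)) {
    throw "ODBC driver '$driver' is not installed on $env:COMPUTERNAME"
}

# Check 2: TCP 1433 must be reachable from the broker, which also exercises the firewall.
if (-not (Test-NetConnection -ComputerName $SqlServer -Port 1433 -InformationLevel Quiet)) {
    throw "$SqlServer is not reachable on TCP 1433 from $env:COMPUTERNAME"
}

# Dedicated database server: the broker creates the schema in RDSHA using its
# computer account (hence the dbcreator / db_owner grants made earlier).
Set-RDConnectionBrokerHighAvailability -ConnectionBroker $Broker1 `
    -DatabaseConnectionString $ConnString -ClientAccessName $ClientAccessName

# Second broker joins the same database and the same client access name.
Add-RDServer -Server $Broker2 -Role RDS-CONNECTION-BROKER -ConnectionBroker $Broker1

# Both brokers listed, and the HA object shows the client access name you set.
Get-RDServer -ConnectionBroker $Broker1 -Role RDS-CONNECTION-BROKER
Get-RDConnectionBrokerHighAvailability -ConnectionBroker $Broker1
```

Run the two checks on rdsbroker2 as well before Add-RDServer; the second broker needs the same driver and the same network path to SQL.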

If you have any issues at this stage connecting to the database check the SQL server log

I was seeing this

Check that the logins are still applied as db_owner – for some reason mine had dropped out even though it was definitely set and worked for the first server

Here is a PowerShell function you can use to test your SQL connection with the exact string the broker uses (it returns True or False).  Note that with Trusted_Connection=Yes it tests as the account running PowerShell, not as the broker's computer account; to test as the computer account run it under SYSTEM (for example via psexec -s), since that is the identity the broker service uses.

function Test-SQLConnection
{
    # Returns $true if the connection opens, $false otherwise.
    # Uses System.Data.Odbc rather than System.Data.SqlClient: the broker's string is an
    # ODBC string (DRIVER=..., APP=...), and SqlClient rejects the DRIVER keyword, so a
    # SqlClient test would always return False regardless of whether SQL is reachable.
    [OutputType([bool])]
    Param
    (
        [Parameter(Mandatory=$true,
                    ValueFromPipelineByPropertyName=$true,
                    Position=0)]
        [string]$ConnectionString
    )
    try
    {
        $conn = New-Object System.Data.Odbc.OdbcConnection $ConnectionString
        $conn.Open()
        $conn.Close()

        return $true
    }
    catch
    {
        # Keep the bool return, but show why it failed (driver missing, login failed,
        # database offline) instead of hiding the driver's message.
        Write-Warning $_.Exception.Message
        return $false
    }
}


 
Test-SQLConnection "DRIVER=SQL Server Native Client 11.0;SERVER=VMMGTRDSSQL101;Trusted_Connection=Yes;APP=Remote Desktop Services Connection Broker;DATABASE=RDSHA" 

 

Create a certificate to secure the connection to the RDS Broker server

Open IIS on the RDS Broker server and go to Server Certificates

Click Create Certificate Request.  Set the common name to the broker client access name (the DNS round-robin name clients will type; otherwise every client will get a certificate name-mismatch warning) and make the bit length 2048

Save the request file

Click Finish

Go to the certificate authority server and issue the certificate using the request file from the RDS Broker.  Simply open the command line and enter the following:

certreq -submit -attrib "CertificateTemplate:WebServer" wintelbastionreq.txt

 

Save the certificate output as a .cer file and copy it back onto the RDS Broker.

Go to IIS again and Server Certificates, then click complete certificate request.  Select the .cer file you just collected from the CA and select the Personal Store.




Open the certificate console by going to Start>Run certlm.msc

You will see the certificate installed in the personal computer store

 

Right click on the certificate and click Export

Select .PFX and click Next

Specify a password and select AES256-SHA256 as the encryption

Save the .pfx file

Go back to the RDS Deployment Overview > Tasks > Edit Deployment Properties > Certificates.  Select the RD Connection Broker - Enable Single Sign On role, click Select existing certificate, enter the path to the .pfx file you just saved and the password you specified

The certificate is deployed to both RDS Broker servers and is now used to secure the connection.  Delete the .pfx file once the import succeeds; it contains the private key.
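The certificate workflow above done with certreq and the RemoteDesktop module instead of the IIS and certlm consoles, added as an example that is not from the original post. The CA configuration string CA01.domain.com\Domain-CA and the names rdsbrokercluster, rdsbroker1 and rdsbroker2 in domain.com are assumptions; the WebServer template is the one the post submits to. The request puts the client access name in both the subject and the SAN, which is the check the GUI route makes easy to miss.

```powershell
# Added example (not from the original post): request, issue, install and bind a
# broker certificate. Assumed values: CA config "CA01.domain.com\Domain-CA",
# names rdsbrokercluster/rdsbroker1/rdsbroker2 in domain.com. Run on rdsbroker1.
Import-Module RemoteDesktop

$ClientAccessName = 'rdsbrokercluster.domain.com'
$Brokers  = @('rdsbroker1.domain.com', 'rdsbroker2.domain.com')
$CaConfig = 'CA01.domain.com\Domain-CA'
$Work     = 'C:\Certs'
New-Item -Path $Work -ItemType Directory -Force | Out-Null

# SAN covers the round-robin name clients type plus each broker's own name.
$san = (($Brokers + $ClientAccessName) | ForEach-Object { "dns=$_" }) -join '&'
@"
[Version]
Signature="`$Windows NT`$"
[NewRequest]
Subject = "CN=$ClientAccessName"
KeyLength = 2048
KeySpec = 1
KeyUsage = 0xA0
HashAlgorithm = SHA256
MachineKeySet = TRUE
Exportable = TRUE
ProviderName = "Microsoft RSA SChannel Cryptographic Provider"
RequestType = PKCS10
[Extensions]
2.5.29.17 = "{text}$san"
[RequestAttributes]
CertificateTemplate = WebServer
"@ | Set-Content -Path "$Work\broker.inf" -Encoding ASCII

certreq -new    "$Work\broker.inf" "$Work\broker.req"
certreq -submit -config $CaConfig "$Work\broker.req" "$Work\broker.cer"
certreq -accept "$Work\broker.cer"      # pairs the issued cert with the key in LocalMachine\My

# Pick up the installed certificate and prove it names the client access name.
$cert = Get-ChildItem Cert:\LocalMachine\My |
    Where-Object { $_.Subject -eq "CN=$ClientAccessName" } |
    Sort-Object NotAfter -Descending | Select-Object -First 1
if ($cert.DnsNameList.Unicode -notcontains $ClientAccessName) {
    throw "Issued certificate does not contain $ClientAccessName in its SAN"
}

# PFX exists only long enough to push it into the deployment, then it is removed.
$pfx = "$Work\broker.pfx"
$pw  = Read-Host -AsSecureString -Prompt 'PFX password'
Export-PfxCertificate -Cert $cert -FilePath $pfx -Password $pw | Out-Null
foreach ($role in 'RDRedirector', 'RDPublishing', 'RDWebAccess') {
    Set-RDCertificate -Role $role -ImportPath $pfx -Password $pw -ConnectionBroker $Brokers[0] -Force
}
Remove-Item -Path $pfx -Force
Get-RDCertificate -ConnectionBroker $Brokers[0]
```

If more than one CA is published in the forest and you omit -config, certreq prompts for the CA; the assumed value above only avoids that prompt.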

Connecting clients to RDS Broker

I just wanted to use a normal RDP connection for clients to connect to the brokers and be redirected to the session hosts.  To do this you first need the collection alias, which is stored in the registry on the brokers:

Check registry entry for your collection (may differ to actual collection name).  Mine was as below:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Terminal Server\CentralPublishedResources\PublishedFarms\Domain_-_Wintel_Bas

 

Copy the collection alias (the last part of the key name) from the registry.

Create an .rdp file, open it in Notepad and add these lines (full address is the broker client access name, the same name that is on the broker certificate):

use redirection server name:i:1
loadbalanceinfo:s:tsv://MS Terminal Services Plugin.1.Domain_-_Wintel_Bas
full address:s:WINTELBASTION.DOMAIN.COM

 

The brokers should now redirect clients to the session hosts
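Generating that .rdp file from the broker instead of copying the alias by hand, as an added example that is not from the original post. The collection name "Wintel Bastion", the client access name rdsbrokercluster.domain.com and the broker rdsbroker1 are assumptions; the registry path is the one shown in the post, and the three redirection settings are the ones the post lists. Two settings are added on top: authentication level 1, so the client refuses to connect if the broker certificate does not match the name, and CredSSP enabled, so NLA is used.

```powershell
# Added example (not from the original post): build the client .rdp file from the
# collection alias the broker reports. Run on a broker.
# Assumed names (not in the original): collection "Wintel Bastion", client access
# name rdsbrokercluster.domain.com, broker rdsbroker1.domain.com.
Import-Module RemoteDesktop

$Broker1          = 'rdsbroker1.domain.com'
$CollectionName   = 'Wintel Bastion'
$ClientAccessName = 'rdsbrokercluster.domain.com'

# CollectionAlias is the "Domain_-_Wintel_Bas" style name; the registry key from the
# post is checked too so a stale alias is caught before it is handed to users.
$coll  = Get-RDSessionCollection -CollectionName $CollectionName -ConnectionBroker $Broker1
$alias = $coll.CollectionAlias
$regKey = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Terminal Server\' +
          "CentralPublishedResources\PublishedFarms\$alias"
if (-not (Test-Path -Path $regKey)) {
    throw "Alias '$alias' is not under PublishedFarms on $env:COMPUTERNAME"
}

# authentication level 1: do not connect if the broker certificate fails validation,
# rather than showing a warning that users learn to click through.
# enablecredsspsupport 1: use NLA (CredSSP) when the server supports it.
$rdp = @"
full address:s:$ClientAccessName
use redirection server name:i:1
loadbalanceinfo:s:tsv://MS Terminal Services Plugin.1.$alias
authentication level:i:1
enablecredsspsupport:i:1
"@

$out = Join-Path $env:USERPROFILE ("Desktop\" + ($CollectionName -replace '\s', '-') + '.rdp')
Set-Content -Path $out -Value $rdp -Encoding Unicode   # mstsc writes .rdp files as UTF-16
Get-Content -Path $out
```

Because authentication level 1 makes a name mismatch fatal, the file only works once the broker certificate from the previous section carries the client access name; that is the intended behaviour.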

11 Replies to “How to Build an RDS Farm with Windows 2019 Using RDS Broker HA and RDS Session Hosts”

  1. This is an interesting guide, but if the SQL server isn’t also HA, then what’s the point of making the connection brokers HA? You still have a single point of failure because if the SQL server dies, the whole farm is down.

    Am I missing something?

    1. This is exactly what I thought at first. After testing it, it seems that the connection brokers still work even if the SQL server is down. I do not know for how long it would last though. I cannot explain why but just wanted to let you know.

  2. Excellent guide…until you get to the broker service. You assume everyone wants a high availability broker. No mention is made of how to configure without high availability. Do you need a SQL Server for a non-high availability broker?

  3. This guide is easier to follow than others I’ve seen, but it doesn’t do much to explain some of the pieces being put together. For example, why the SQL server? Other guides I’ve seen make no mention of a SQL server.

  4. Dear Admin,

    Thank you for the information in your guide.
    This is how I get an error while configuring RD Connection Broker HA.

    Error Event
    Database Creation – Failed: Could not create the database ‘RDSHA’. Please check that the broker server has access to the SQL server, the path for -DatabaseFilePath parameter exists and contains the SQL Server database file, the connection to SQL databse is correct and SQL database is online. See the SQL Server and broker eventlog for more details.

  5. Great guide.
    Just one thing. If I install for instance Office on one host server and publish it via RemoteApp, should I install it also on all session host servers?
    And if in the future I add another session host, do I also have to install all the apps existing on the other servers?

    Thanks
