bosshognz (New Zealand) asked:
Limit User Access to Single Session across all Servers

We have 3 RDS servers set up that staff log into. Each staff member is assigned a server to log into, but occasionally they're asked to change it up, or to move to another if there's an issue on theirs. Also we have people who connect via Android and iPad; we have one of the 3 servers set up to be accessible to tablet users.

Our issue exists primarily with these tablet users. They're not so great at remembering to log off when they flip to another app on their device, and can forget to go back and save & close the document they have open. When they get back to work and back to their normal server, we're called in to close and save the file and end their session for them.

So what I've been working on is to set up single session access, which I have working for me at this stage. Using the following GPO, if I already have a session open on that server and log in again, my first session is taken over by the second.

Computer Configuration > Administrative Templates > Windows Components > Remote Desktop Services > Remote Desktop Session Host > Connections > Restrict Remote Desktop Services users to a single Remote Desktop Services session > Enabled.

That's cool, but I can still log into another server and my session on the first one remains.

Is there a way to limit my access to one session across all servers?
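The GPO above only sees sessions on the host it is applied to. As an added example (not from the original thread or from Microsoft), the script below shows the cross-host check a logon script can perform without a farm: it enumerates the user's sessions on every RDSH host with `quser`, and, when run with `-Enforce`, logs off the ones on hosts other than the one the user just connected to. Host names RDS1..RDS3 are hypothetical. It assumes the account running it can query and log off sessions on each host (administrators can; a standard user would need the Logoff permission granted on the RDP-Tcp listener). Note that `logoff` ends the session outright, so any unsaved document in it is lost; the default is report-only for that reason.

```powershell
# Added example: one session per user across several RDSH hosts (no broker).
# Hypothetical host names; run with -Enforce to actually log off stale sessions.
param(
    [string[]] $Servers = @('RDS1', 'RDS2', 'RDS3'),
    [string]   $User    = $env:USERNAME,
    [string]   $Keep    = $env:COMPUTERNAME,   # host the user just logged on to
    [switch]   $Enforce                        # without it: report only
)

function Get-RdsUserSession {
    param([string] $Server, [string] $User)
    # quser columns: USERNAME  SESSIONNAME  ID  STATE  IDLE TIME  LOGON TIME
    # SESSIONNAME is blank for disconnected sessions, so it is optional below;
    # a leading '>' marks the session quser itself runs in.
    $lines = & quser "/server:$Server" 2>$null
    if ($LASTEXITCODE -ne 0) { return }        # no sessions at all, or host unreachable
    foreach ($line in ($lines | Select-Object -Skip 1)) {
        if ($line -match '^\s*>?(?<user>\S+)\s+(?:(?<session>\S+)\s+)?(?<id>\d+)\s+(?<state>\S+)') {
            if ($Matches['user'] -ieq $User) {
                New-Object PSObject -Property @{
                    Server = $Server
                    Id     = [int]$Matches['id']
                    State  = $Matches['state']
                }
            }
        }
    }
}

$sessions = foreach ($s in $Servers) { Get-RdsUserSession -Server $s -User $User }
$sessions | Format-Table Server, Id, State -AutoSize

# Anything not on $Keep is a leftover from another host (e.g. the tablet server).
$stale = $sessions | Where-Object { $_.Server -ine $Keep }
foreach ($x in $stale) {
    if ($Enforce) {
        # Ends the session; unsaved work in it is discarded.
        & logoff $x.Id "/server:$($x.Server)"
        Write-Host "Logged off $User session $($x.Id) on $($x.Server)"
    } else {
        Write-Warning "$User also has session $($x.Id) ($($x.State)) on $($x.Server)"
    }
}
```

Deployed as a GPO logon script with `-Enforce`, this gives "one session anywhere" for the three standalone hosts, at the cost of discarding unsaved work in the old session; disconnecting instead (`tsdiscon`) would keep the document open, which is exactly the state the question wants to avoid. On Windows Server 2012 or later with an RD Connection Broker the same enumeration is `Get-RDUserSession -ConnectionBroker <broker>` and the logoff is `Invoke-RDUserLogoff`, both from the RemoteDesktop module.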
btan replied:

Actually saw another caveat for single session as well...

If a user specifies a different program to start when the user connects to the RD Session Host server, a new session will be created on the RD Session Host server for the user, even if the RD Session Host server is configured to restrict users to a single session. A user can specify a program to start on connection on the Programs tab under Options in Remote Desktop Connection. However, you can prevent a user from starting a program on connection; for more information about preventing a user from starting a program on connection

Can be prevented by GPO:
http://technet.microsoft.com/en-us/library/cc770821.aspx

Furthermore, I was thinking that this may help:

http://technet.microsoft.com/en-us/library/cc753593

Allow reconnections, but prevent new logons. If you select this setting, a user who already has a remote session running on the RD Session Host server can reconnect to that session. However, a new user—that is, a user that does not currently have a remote session running on the RD Session Host server—will not be able to connect to the RD Session Host server. If the RD Session Host server is restarted, no users will be able to connect to the RD Session Host server.
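The three settings mentioned so far (the single-session restriction, an admin-specified start program that overrides the user's Programs tab, and the user logon mode) each live in a different place, so it is worth checking all three on every host rather than trusting that the GPO applied. The script below is an added example, not part of the thread; host names RDS1..RDS3 are hypothetical, and it assumes PowerShell remoting (WinRM) is enabled on the hosts and the caller is a local administrator on them.

```powershell
# Added example: audit single-session, start-program and logon-mode settings
# on each RDSH host. Hypothetical host names.
$Servers = 'RDS1', 'RDS2', 'RDS3'

$audit = Invoke-Command -ComputerName $Servers -ScriptBlock {
    $policyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services'
    $tsKey     = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'

    # "Restrict ... to a single session" is written to the Policies key by GPO;
    # the value under Control\Terminal Server is what RD Session Host
    # Configuration edits and what the service reads when no policy is set.
    $single = (Get-ItemProperty -Path $policyKey -Name fSingleSessionPerUser `
                  -ErrorAction SilentlyContinue).fSingleSessionPerUser
    if ($null -eq $single) {
        $single = (Get-ItemProperty -Path $tsKey -Name fSingleSessionPerUser `
                      -ErrorAction SilentlyContinue).fSingleSessionPerUser
    }

    # "Start a program on connection" (Remote Session Environment) sets
    # InitialProgram here and overrides anything the user types in mstsc.
    $initial = (Get-ItemProperty -Path $policyKey -Name InitialProgram `
                   -ErrorAction SilentlyContinue).InitialProgram
    if (-not $initial) { $initial = '(none)' }

    # User logon mode: "change logon /query" reports ENABLED, DISABLED or drain mode.
    $mode = (& change logon /query) -join ' '

    New-Object PSObject -Property @{
        SingleSessionPerUser = [bool]$single
        InitialProgramPolicy = $initial
        LogonMode            = $mode
    }
} | Select-Object PSComputerName, SingleSessionPerUser, InitialProgramPolicy, LogonMode

$audit | Format-Table -AutoSize

# Hosts where the GPO has not taken effect are the ones that will still
# hand out a second session to the same user.
$audit | Where-Object { -not $_.SingleSessionPerUser } | ForEach-Object {
    Write-Warning "$($_.PSComputerName): single-session restriction is not in effect"
}
```

`change logon /drain` is the command-line equivalent of "Allow reconnections, but prevent new logons", and `change logon /enable` reverts it; both act on the host they are run on, so wrap them in the same `Invoke-Command` if they are to be applied to all three.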
bosshognz (asker) replied:
breadtan, thanks for the response.
All of our users are set by GPO to have Outlook and our CRM login open when they log in. It's the first thing all of them do when they log in, so we automate it for them. Unless there's an absolutely better way to get this going, we won't be changing this.

And we want all of our users to log off when they're finished working so that resources are freed up, not only for other users but for the other processes that happen outside them, e.g. SQL DB data transfer, backups, replication, etc. It's just messy when people don't log out. We also have a cycle of server restarts to prevent/minimise leaks etc.

Since asking this question I've researched down the line of creating an RDS farm and serving to users from there. Will this provide what we want?
Probably you already have a small farm. RDS centralisation of users onto thin clients already streamlines the deployment and, importantly, the enforcement checks.

http://community.spiceworks.com/how_to/show/4975

What I like is the flexibility of PowerShell to assist with automation from an operational perspective, though GPO should be leveraged first where possible.

http://blogs.msdn.com/b/powershell/archive/2009/01/09/managing-remote-desktop-services-aka-terminal-services-using-windows-powershell.aspx

But you probably have to review the long-term refresh of highly resilient hardware and an application delivery controller to optimise performance and maintain the user experience.

For sensitive and critical services you may want to segregate and not do a big bang until the team is comfortable and high availability is assured.
I'm just one in the chain in our IT dept. There is a hardware lifecycle plan in place built with redundancy and DR in mind, but that's not my area of expertise.

I've just been asked to investigate single user session logins and how we might be able to enforce it across multiple devices and multiple servers. With the use of the single session GPO setting I'm able to limit logins on the one server with multiple devices; now it's looking wider to multiple servers.

Upon my further research it looks like farms are the way to go, but I just want to confirm that before I go back to my manager. Is it possible on farms? Is it something that just happens on a farm, or is there a setting of some description on there too that needs to be set?
Possible, it is just an extension of a bigger server pool. Extracted below:

http://allcomputers.us/windows_server/windows-server-2008-r2---understanding-remote-desktop-services-(part-3)---rd-connection-broker---rd-licensing.aspx

To track user sessions in a load-balanced RD Session Host server farm, an RD Connection Broker server stores information in its local database for each and every session. This session information includes where the session resides, its state, the session ID, and the username associated with the session. Using this information, the RD Connection Broker redirects users with an already existing session to the correct RD Session Host server or virtual desktop.

With RD Connection Broker Load Balancing, users with existing sessions are still redirected to those sessions if they attempt to reconnect to them. However, for new session connections, the RD Connection Broker will attempt to distribute the session load between more-powerful and less-powerful servers in the farm based on an assigned server weight value and which server has the least load.

To configure RD Connection Broker Load Balancing, an administrator must create an A or AAAA record for each RD Session Host in a farm. The hostname for the record is then set to the farm’s name and the IP address to the RD Session Host server that is being added. The RD Connection Broker then uses round-robin DNS to distribute a user’s initial connection to an RD Session Host server farm. After the user has connected and authenticated to the initial RD Session Host server, that server then queries the RD Connection Broker for where to redirect the user to. The final RD Session Host server that is returned from the RD Connection Broker is based on the following two decisions:

Does the user have an existing session? If so, redirect that user to the RD Session Host server where that session exists.

If the user doesn’t have an existing session, which RD Session Host server has the least load? Redirect that user to the RD Session Host server with the least load.
Adding some more, and a checklist, but more for deployment, which may not be your team's role:

http://technet.microsoft.com/en-us/library/gg749904(v=ws.10).aspx

There are two RD Connection Broker components to consider in a load-balanced RD Session Host server farm.

RD Connection Broker server. This is the server that runs the Remote Desktop Connection Broker service and tracks user sessions for one or more load-balanced RD Session Host server farms. RD Connection Broker uses a farm name to determine which servers are in the same RD Session Host server farm.

RD Session Host servers that use RD Connection Broker. These are RD Session Host servers that are members of a farm in RD Connection Broker. To participate in RD Connection Broker, a server must meet the following criteria:

The server must have the RD Session Host role service installed.

The server must be a member of an Active Directory domain.

The server must be a member of the Session Broker Computers local group on the RD Connection Broker server.

The server must be a member of a load-balanced RD Session Host server farm.

If you are using the RD Connection Broker Load Balancing feature, you can configure load-balancing settings together with other RD Connection Broker settings.
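The quoted text describes two pieces of plumbing that have to exist before a broker can redirect a user to an existing session: one A record per session host under the farm name, and each host's computer account in the broker's local "Session Broker Computers" group. The script below does both from a command line and then checks the DNS side. It is an added example, not from the thread or from Microsoft's documentation; the zone corp.example, farm name rdsfarm, broker RDCB1, DNS server DC1 and the host addresses are all hypothetical, and it assumes a domain admin account with PowerShell remoting to the broker.

```powershell
# Added example: DNS round-robin records for the farm name plus broker group
# membership, then a resolution check. All names/addresses are hypothetical.
$Zone   = 'corp.example'
$Farm   = 'rdsfarm'
$Broker = 'RDCB1'
$Dns    = 'DC1'                       # DNS server authoritative for $Zone
$Hosts  = @{ 'RDS1' = '10.0.1.11'; 'RDS2' = '10.0.1.12'; 'RDS3' = '10.0.1.13' }

# 1. One A record per session host, all named after the farm. Clients connect
#    to rdsfarm.corp.example, DNS hands out any member for the first hop, and
#    that member asks the broker which host really owns the user's session.
foreach ($h in $Hosts.GetEnumerator()) {
    & dnscmd $Dns /RecordAdd $Zone $Farm A $h.Value
}

# 2. Each session host's computer account (DOMAIN\NAME$) must be a member of
#    the broker's local "Session Broker Computers" group; "net localgroup"
#    only works locally, so run it on the broker.
Invoke-Command -ComputerName $Broker -ArgumentList $Hosts, $env:USERDOMAIN -ScriptBlock {
    param($Hosts, $Domain)
    foreach ($name in $Hosts.Keys) {
        & net localgroup "Session Broker Computers" "$Domain\$name`$" /add
    }
}

# 3. Check that the farm name resolves to exactly the member addresses.
$resolved = [System.Net.Dns]::GetHostAddresses("$Farm.$Zone") |
    Where-Object { $_.AddressFamily -eq 'InterNetwork' } |
    ForEach-Object { $_.IPAddressToString } | Sort-Object
$expected = @($Hosts.Values | Sort-Object)
if (Compare-Object $resolved $expected) {
    Write-Warning "$Farm.$Zone resolves to [$($resolved -join ', ')], expected [$($expected -join ', ')]"
} else {
    Write-Host "$Farm.$Zone resolves to all $($expected.Count) session hosts"
}
```

The session hosts themselves are pointed at the broker with the policies under Remote Desktop Session Host > RD Connection Broker ("Join RD Connection Broker", "Configure RD Connection Broker farm name" = rdsfarm, "Configure RD Connection Broker server name" = RDCB1.corp.example, and "Use RD Connection Broker load balancing"). Once those are in place, a tablet logon that lands on a different host is redirected to the user's existing session instead of creating a second one, so the single-session GPO quoted at the top of the thread then holds for the farm rather than per host. On Windows Server 2012 or later, `Add-DnsServerResourceRecordA` from the DnsServer module replaces the `dnscmd` call.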
In layman's terms, rather than a copy and paste from a website (I found all the same stuff in my research, but didn't get the answers out of it that I was looking for; too technical for me!): Is it possible to perform on farms? Is it something that just happens on a farm, or is there a setting of some description on there too that needs to be set?
I don't see anything that is not, even if it is going for the farm as a whole. The GPO still applies; it is just that the number of servers increased. In short, it should stay as discussed, leaving aside those implementation details of such scaling.

Pardon me, as I thought you needed the technical details to sieve out any compliance, caveat or prerequisites.
We're not looking at increasing the number of RDS servers we have; we have 3 at present. Physical devices: 2 in one blade server and 1 in the other one. But we provisioned manual load balancing across them, splitting staff up in terms of geographic location, workflow and the hours they work. So at this stage we don't have a farm as such.

We have the one server available for access via their tablets, which is where the issues occur, with staff who don't use that one server normally.

I just want to know how best we can implement single session use across these 3 servers. If farms are the way to go, then that's what I'll recommend.
ASKER CERTIFIED SOLUTION
btan