Solved

DNS, Round Robin, Terminal Server farm  w/ NLB and Broker - No external Access

Posted on 2014-11-21
29
636 Views
Last Modified: 2014-12-01
We have load balance the terminal servers using NLB and use the session broker in our Windows 2008 R2 environment.
We had some issues with our DCs and DNS which were resolved replicated but one of the steps in best practice for DNS was enabling scavenging on the DNS. Now removing Stale DNS entries was a plus, since our records we're never maintained over the past 8 years. With that said, about an hour after enabling this, our external access to our internal farm was lost. I have an open MS case for this but it''s been two days between the TS department and networking department and still no answer. Our farm works great internally, it's external it fails. Port 3389 is open on our router, passes the rdp traffic to our ip of the cluster (NLB) , same as before ie ( no changes.) What could of possible went wrong?? Any information is appreciated.
0
Comment
Question by:TRSTeam
  • 18
  • 11
29 Comments
 
LVL 35

Expert Comment

by:Mahesh
Comment Utility
I don't see how dns scavenging impact external access to TS farm

When you setup NLB, it virtual IP entry must be created manually, so that entry doesn't get deleted after enabling scavenging

Also if you enabled scavenging with default interval (7 days), after enabling it 1st time and after Hour nothing should get deleted

You also must be already ensured that Host(A) records of your RD Session host servers are intact so that forwarding from NLB VIP to actual Hosts is happening.

There must be some different issue
You need to go step by step trouble shooting from firewalls to routers
0
 

Author Comment

by:TRSTeam
Comment Utility
Thank you for responding, I've confirmed the DNS entries for each of the terminal servers under the farm name are there. Internally the farm working perfect. Microsoft pointed us to view our router, should I look at the arp tables for the farm address. Does this sound right?
0
 

Author Comment

by:TRSTeam
Comment Utility
I have confirmed static  arp entry for farm is enabled.
0
 

Author Comment

by:TRSTeam
Comment Utility
Mahesh, you mentioned a virtual IP entry must be set. Are you referring to the IP Virtualization on each of the Session Host?
0
 

Author Comment

by:TRSTeam
Comment Utility
After researching, we can RDP externally  into the farm, establish a connection to one of the session servers,prompted for a username and password, hit  connect, then after a while errors out. After running wireshark, looks like we are receiving an internal address  of the session server from the broker, which an external pc will not communicate with.  How can we resolve this?
0
 
LVL 35

Expert Comment

by:Mahesh
Comment Utility
I am referring to NLB VIP which actually get appended to NLB adapter of RD Session host servers, check if VIP get assigned to NLB adapter in addition to its original IP

When you configure NLB, you must be provided virtual IP as NLB IP and must be granted static Host(A) record for this VIP
When you RDP to NLB VIP FQDN, the  request should automatically get routed to one of the session host server depending upon NLB properties
Have you installed and published RD Gateway Server on internet?
If RD Gateway server is installed, you can enable RD Gateway settings on RDP client and then you can connect to NLB VIP FQDN as session host server via RDP protocol from internet client and it should work

With 2008 R2, RDP requests are going to RD Session host server 1st and after that those requests are going to rd connection broker for final connection from where connection broker is unable to forward it to appropriate RD Session Host server and according to my this is creating problem

Hence check if you have followed below steps, (Add RD session host servers in connection broker load balancing)
http://technet.microsoft.com/en-in/library/cc753891.aspx
While adding RD Session host farm to RD Connection broker. ensure that you will add NLB FQDN as farm name
0
 

Author Comment

by:TRSTeam
Comment Utility
Thank you the responses. Yes the VIP is assigned on each of the sessions servers me there is a DNS entry for that VIP. This is a inherated environment which has worked for years. There is not a gateway installed,just Sonicwall router to sessions host and then broker. Internally the environment works, you can hit the farm using the FQDN. I guessing when the DNS servers were replicated maybe a policy or record was changed, and now external access is lost. Y
0
 

Author Comment

by:TRSTeam
Comment Utility
Thank you again for helping me on this issue.
0
 
LVL 35

Expert Comment

by:Mahesh
Comment Utility
So your RD Session Host NLB VIP FQDN is directly published on internet, right?

Either you put gateway server
OR
Follow steps provided in article provided in last post, add NLB VIP FQDN (which is published on internet) in RD Connection broker load balancing and enable IP redirection.
Ensure that on internal AD DNS server, dns zone reflecting to public NLB FQDN  is created and it is pointing to public IP of NLB VIP, so that RD Connection broker should hopefully able to redirect request again to one of the RD Session host server

Ex:
NLB VIP internal IP: 10.1.1.10
NLB VIP external: 125.24.2.90
NLB FQDN on internet: ts.publicdomain.com
So here in internal DNS you need to zone named publicdomain.com and add Host(A) record (ts) pointing to NLB VIP external IP: 125.24.2.90

As per my understanding this will help RD Connection broker to find out RD Session hosts on internet again and should be able to connect to any one RD Session host again hopefully
0
 

Author Comment

by:TRSTeam
Comment Utility
yes sir ts-farm.domain.com is a public, I reviewed the policy and VIP is not enabled, let me follow the steps i the above link, will update shortly, thanks again!
0
 

Author Comment

by:TRSTeam
Comment Utility
Just want to clarify, when you mention VIP you are not referring to RD IP Virtualization? You are referring to NLB Cluster ip address which is on each session host.

in your example
Ex:
 NLB VIP internal IP: 10.1.1.10 - confirmed
 NLB VIP external: 125.24.2.90 - confirmed( ts-farm.domainname.com has a public ip pointing to the firewall from the public DNS provider)
 NLB FQDN on internet: ts.publicdomain.com - this is where i'm a little confused, this this the same as above? if so confirmed

 So here in internal DNS you need to zone named publicdomain.com and add Host(A) record (ts) pointing to NLB VIP external IP: 125.24.2.90

DNS server has a domainname.com zone, in DNS there is the ts-farm.domainname.com entry for the internal NLB,
but not one for the ts-farm.domainname.com external address located on this public dns records.
I need to add this correct.

as a test I added the public IP for ts-farm.domainname.com but had the same results.
0
 
LVL 35

Expert Comment

by:Mahesh
Comment Utility
Yes, I am referring to NLB Cluster ip address

OK
1st Please configure connection broker load balancing as stated in link because currently connection broker is not configured for redirection
Do not forget to add ts.publicdomain.com as farm name in connection broker load balancing.
After that, According to my understanding you need to create ts.publicdomain.com in internal dns pointing to public IP.
If publicdomain.com dns zone is already got created on DNS, just add host record as ts pointing to public IP
Why I am thinking like this, because you don't have RD gateway server through which external client can understand private IP of session host servers and connect

If above doesn't work,
then change ts.publicdomain.com pointing to private IP (NLB VIP) and check.

If nothing get worked, then you don't have any option other than deployment of RD gateway server
0
 

Author Comment

by:TRSTeam
Comment Utility
We have progress! Using your above post seems work. The only down fall is, it's a hit or miss connection, I really believe it's allowing one session through at a time.  Again I was able to RDP externally into the farm, and the NLB / broker worked well.
Any ideas on multiple sessions?
0
 

Author Comment

by:TRSTeam
Comment Utility
it's about 5% of the time connecting, I had a question on this statement
"then change ts.publicdomain.com pointing to private IP (NLB VIP) and check."

on in DNS I should not have a public ip for my farm ts-farm.domainname.com and a internal dns entry ex ts-farm poing to my NLB VIP? Should be one or the other?

as of now,
I have a public address and a internal NLB address for my ts-farm.domainname.com

Thank you for all the help you have provided
0
Highfive + Dolby Voice = No More Audio Complaints!

Poor audio quality is one of the top reasons people don’t use video conferencing. Get the crispest, clearest audio powered by Dolby Voice in every meeting. Highfive and Dolby Voice deliver the best video conferencing and audio experience for every meeting and every room.

 
LVL 35

Expert Comment

by:Mahesh
Comment Utility
If you have configured single connection limits on sessions , it means you can connect to one RDP session at a time from single computer.
But if you have another computer, it will also able to connect to another session.
Check Session host manager properties, also check if you have applied any connection limitations through GPO

RD Gateway is the server role which allows you to connect to your internal servers with internal IP\hostnames via RD Gateway server and RD gateway server is published on internet.
publicdomain.com zone should exists on internet dns servers (your internet domain provider) and also your internal DNS server
In reality Internal dns zone entry ts.publicdomain.com should point to internal VIP of NLB, however, since you don't have RD gateway installed, your client sitting on internet may not get connected to session host servers with private IP
That is why I suggested you to make ts.publicdomain.com entry to point NLB VIP public IP
If its not worked, then I said replace above internal entry with internal NLB VIP and check.
0
 

Author Comment

by:TRSTeam
Comment Utility
Yes confirmed on setting on GPO. Single session is enabled, but I tried with different users to access, not the same username. It work about 3-4 times this morning for my account , but now back to not working, still think its a configuration issue. Is there any way you  can team viewer in? Review this settings? my personal email is sudsboi03@yahoo.com and I can provide team viewer information.
0
 
LVL 35

Expert Comment

by:Mahesh
Comment Utility
If GPO setting is enabled for single session, it will be applied to terminal server (because its computer based GPO) and then no matter who logged on to server, setting will enforced
Not possible to look over team viewer

However you can tell now what is exact issue left so that I can help
0
 

Author Comment

by:TRSTeam
Comment Utility
OK it's not the single sessions gpo, this just isn't connecting with a new user. I'm aware of how single sessions gpo policy works but this isn't it.
0
 
LVL 35

Expert Comment

by:Mahesh
Comment Utility
Please let me know what are the issues left now

Ensure that domain users group is added to Remote Desktop users local group on both TS servers
Also ensure that allow user to logon through remote desktop services user right is enabled in local security policy \ group policy for domain users, so that all users can connect to RDS servers
0
 

Author Comment

by:TRSTeam
Comment Utility
Yes sir, domain users are set, again this work fine within the network, if the permissions were off, it'd fail in general.

My issue, we still can not access our farm externally.
0
 
LVL 35

Expert Comment

by:Mahesh
Comment Utility
I don't think your existing scenario will work correctly.
If possible install RD gateway server and publish it on external network with public IP FQDN instead of RD Session host servers
No need to publish RD Session Host servers to internet

While connecting from client you need to specify RD gateway server details in RDP client and then you can RDP to internal NLB virtual IP \ FQDN, it must work seamlessly

Check below articles
http://blogs.msdn.com/b/rds/archive/2009/07/31/rd-gateway-deployment-in-a-perimeter-network-firewall-rules.aspx
http://sharepointgeorge.com/2009/remote-desktop-services-windows-2008-r2-part-2-gateway/
0
 

Author Comment

by:TRSTeam
Comment Utility
MS just finishing trying an RD gateway but failed., same results. MS says we either have to use the broker or NLB but not both technologies.
0
 

Author Comment

by:TRSTeam
Comment Utility
Gateway was installed internally though not externally, not sure at this point where we go or what the solution is
0
 
LVL 35

Expert Comment

by:Mahesh
Comment Utility
As I highlighted earlier, you need to publish Rd Gateway server on internet
Open TCP 443 from internet to RD gateway server
From Gateway server open AD auth ports towards Domain controllers and you should good to go
You do require public IP and public domain and SSL certificate for this external host pointing to external FQDN of RD gateway server
U can unpublish existing RD Session host and use that IP for Gateway
Also ensure you will use Split DNS, means check if public domain do exists in intranet and on internet
Ex:
RDgateway.publicdomain.com should exists on internet and intranet as well and should be resolved on public IP from internet and through private ip from intranet
You might need to create publicdomain.com zone on intranet dns server to achieve this

As far as I know 2008 R2 Session broker alone cannot do load balancing, some solution need to be in place (NLB OR DNS round Robin OR hardware load balancer )
0
 

Author Comment

by:TRSTeam
Comment Utility
I just want to follow up on this to help people experiencing the same issue. In the end it's the Broker service combined with the NLB service. We took the took the broker out of the loop and external access works. The down fall is , NLB does a poor job managing TS services. Today was first full day back in full operation and our servers were very uneven. We can't be the only company who has had a broker + NLB setup. We only have 7 TS host and 1 broker. Doesn't make sense. MS recommends we move away from NLB and setup a RD GW and RD Broker.
0
 
LVL 35

Accepted Solution

by:
Mahesh earned 500 total points
Comment Utility
RD GW is required any how

Either you need dns round robin (all the RD Session host server should have same host(A) record to point to respective server IP
EX:
tsfarm.company.com - points server1.company.com IP
tsfarm.company.com - points to server2.company.com IP

OR
NLB would be required

OR
you can use session broker load balancing

http://www.virtualizationadmin.com/articles-tutorials/vdi-articles/general/remote-desktop-server-farms-explained-part1.html
0
 

Author Comment

by:TRSTeam
Comment Utility
this wasnt the answer to the above question actually, after the policy was removed we also found the setting in the NLB needed to changed from filtering mode single to None, this allowed the incoming request to be balanced instead of looking a the public IP of the incoming farm request and assigining the same server. Also the internal Round Robin needed to state internal farm name and all the IPs of the TS session host
0
 
LVL 35

Expert Comment

by:Mahesh
Comment Utility
Filtering mode single means if multiple requests are generated from single machine \ client, request will redirected to same NLB member, however if multiple users trying to connect to NLB from multiple clients, NLB will load balance those requests across multiple hosts

Round robin will come in picture only if you are not using NLB
Also round robin will work only if NLB is not deployed, In addition to NLB, if you created multiple DNS Host records (farm Name for round robin) as well pointing to multiple IP addresses of session host servers, NLB has no way to identify those host records (farm Name) and it will load balance requests across multiple servers with their real server FQDNs

In case of pure DNS round robin, you would create same host record (Farm name) pointing to multiple IPs of session host servers and you also are connecting to session host servers with farm name
0
 

Author Comment

by:TRSTeam
Comment Utility
NLB was looking at the public IP and assigning those users to the same host, which in the end overloaded the host. Setting it to "none" resolved the issue. Not sure if having the round robin setting fixed it but it seem to all start working when that was created
0

Featured Post

IT, Stop Being Called Into Every Meeting

Highfive is so simple that setting up every meeting room takes just minutes and every employee will be able to start or join a call from any room with ease. Never be called into a meeting just to get it started again. This is how video conferencing should work!

Join & Write a Comment

Creating an OSPF network that automatically (dynamically) reroutes network traffic over other connections to prevent network downtime.
New Windows 7 Installations take days for Windows-Updates to show up and install. This can easily be fixed. I have finally decided to write an article because this seems to get asked several times a day lately. This Article and the Links apply to…
This tutorial will walk an individual through locating and launching the BEUtility application and how to execute it on the appropriate database. Log onto the server running the Backup Exec database. In a larger environment, this would generally be …
After creating this article (http://www.experts-exchange.com/articles/23699/Setup-Mikrotik-routers-with-OSPF.html), I decided to make a video (no audio) to show you how to configure the routers and run some trace routes and pings between the 7 sites…

772 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

11 Experts available now in Live!

Get 1:1 Help Now