Solved

DNS, Round Robin, Terminal Server farm w/ NLB and Broker - No external Access

Posted on 2014-11-21
780 Views
Last Modified: 2014-12-01
We have load balanced the terminal servers using NLB and use the session broker in our Windows 2008 R2 environment.
We had some issues with our DCs and DNS which were resolved and replicated, but one of the steps in best practice for DNS was enabling scavenging on the DNS. Now removing stale DNS entries was a plus, since our records were never maintained over the past 8 years. With that said, about an hour after enabling this, our external access to our internal farm was lost. I have an open MS case for this but it's been two days between the TS department and networking department and still no answer. Our farm works great internally; it's externally that it fails. Port 3389 is open on our router and passes the RDP traffic to the IP of our cluster (NLB), same as before, i.e. no changes. What could possibly have gone wrong? Any information is appreciated.
Question by:TRSTeam
29 Comments
 
LVL 37

Expert Comment

by:Mahesh
ID: 40459774
I don't see how DNS scavenging would impact external access to the TS farm.

When you set up NLB, its virtual IP entry must be created manually, so that entry doesn't get deleted after enabling scavenging.

Also, if you enabled scavenging with the default interval (7 days), nothing should get deleted an hour after enabling it for the first time.

You also must already have ensured that the Host (A) records of your RD Session Host servers are intact, so that forwarding from the NLB VIP to the actual hosts is happening.

There must be some different issue.
You need to go step by step troubleshooting from firewalls to routers.

Author Comment

by:TRSTeam
ID: 40459834
Thank you for responding. I've confirmed the DNS entries for each of the terminal servers under the farm name are there. Internally the farm is working perfectly. Microsoft pointed us to review our router; should I look at the ARP tables for the farm address? Does this sound right?

Author Comment

by:TRSTeam
ID: 40460089
I have confirmed the static ARP entry for the farm is enabled.

Author Comment

by:TRSTeam
ID: 40460101
Mahesh, you mentioned a virtual IP entry must be set. Are you referring to the IP Virtualization on each of the Session Hosts?

Author Comment

by:TRSTeam
ID: 40460155
After researching, we can RDP externally into the farm, establish a connection to one of the session servers, get prompted for a username and password, hit connect, then after a while it errors out. After running Wireshark, it looks like we are receiving an internal address of the session server from the broker, which an external PC will not communicate with. How can we resolve this?
LVL 37

Expert Comment

by:Mahesh
ID: 40460391
I am referring to the NLB VIP, which actually gets appended to the NLB adapter of the RD Session Host servers; check whether the VIP gets assigned to the NLB adapter in addition to its original IP.

When you configure NLB, you must have provided a virtual IP as the NLB IP and must have created a static Host (A) record for this VIP.
When you RDP to the NLB VIP FQDN, the request should automatically get routed to one of the session host servers depending upon the NLB properties.
Have you installed and published an RD Gateway server on the internet?
If an RD Gateway server is installed, you can enable the RD Gateway settings on the RDP client, and then you can connect to the NLB VIP FQDN as the session host server via the RDP protocol from an internet client, and it should work.

With 2008 R2, RDP requests go to an RD Session Host server first, and after that those requests go to the RD Connection Broker for the final connection, from where the connection broker is unable to forward them to the appropriate RD Session Host server; according to me this is creating the problem.

Hence check whether you have followed the steps below (Add RD Session Host servers to connection broker load balancing):
http://technet.microsoft.com/en-in/library/cc753891.aspx
While adding the RD Session Host farm to the RD Connection Broker, ensure that you add the NLB FQDN as the farm name.

Author Comment

by:TRSTeam
ID: 40460580
Thank you for the responses. Yes, the VIP is assigned on each of the session servers and there is a DNS entry for that VIP. This is an inherited environment which has worked for years. There is not a gateway installed, just a SonicWall router to the session hosts and then the broker. Internally the environment works; you can hit the farm using the FQDN. I'm guessing when the DNS servers were replicated maybe a policy or record was changed, and now external access is lost.

Author Comment

by:TRSTeam
ID: 40460582
Thank you again for helping me on this issue.
LVL 37

Expert Comment

by:Mahesh
ID: 40460612
So your RD Session Host NLB VIP FQDN is directly published on the internet, right?

Either you put in a gateway server
OR
follow the steps provided in the article in my last post: add the NLB VIP FQDN (which is published on the internet) in RD Connection Broker load balancing and enable IP redirection.
Ensure that on the internal AD DNS server, a DNS zone reflecting the public NLB FQDN is created and it is pointing to the public IP of the NLB VIP, so that the RD Connection Broker should hopefully be able to redirect the request again to one of the RD Session Host servers.

Ex:
NLB VIP internal IP: 10.1.1.10
NLB VIP external: 125.24.2.90
NLB FQDN on internet: ts.publicdomain.com
So here in internal DNS you need a zone named publicdomain.com, and add a Host (A) record (ts) pointing to the NLB VIP external IP: 125.24.2.90

As per my understanding this will help the RD Connection Broker to find the RD Session Hosts on the internet again, and it should be able to connect to any one RD Session Host again, hopefully.

Author Comment

by:TRSTeam
ID: 40460727
Yes sir, ts-farm.domain.com is public. I reviewed the policy and VIP is not enabled; let me follow the steps in the above link, will update shortly, thanks again!

Author Comment

by:TRSTeam
ID: 40460752
Just want to clarify, when you mention VIP you are not referring to RD IP Virtualization? You are referring to the NLB cluster IP address which is on each session host.

In your example:
 NLB VIP internal IP: 10.1.1.10 - confirmed
 NLB VIP external: 125.24.2.90 - confirmed (ts-farm.domainname.com has a public IP pointing to the firewall from the public DNS provider)
 NLB FQDN on internet: ts.publicdomain.com - this is where I'm a little confused, is this the same as above? If so, confirmed

 So here in internal DNS you need to zone named publicdomain.com and add Host(A) record (ts) pointing to NLB VIP external IP: 125.24.2.90

The DNS server has a domainname.com zone; in DNS there is the ts-farm.domainname.com entry for the internal NLB,
but not one for the ts-farm.domainname.com external address located in the public DNS records.
I need to add this, correct?

As a test I added the public IP for ts-farm.domainname.com but had the same results.
LVL 37

Expert Comment

by:Mahesh
ID: 40460781
Yes, I am referring to the NLB cluster IP address.

OK
1st, please configure connection broker load balancing as stated in the link, because currently the connection broker is not configured for redirection.
Do not forget to add ts.publicdomain.com as the farm name in connection broker load balancing.
After that, according to my understanding you need to create ts.publicdomain.com in internal DNS pointing to the public IP.
If the publicdomain.com DNS zone has already been created on the DNS server, just add a host record ts pointing to the public IP.
Why I am thinking like this: because you don't have an RD Gateway server through which an external client can understand the private IP of the session host servers and connect.

If the above doesn't work,
then change ts.publicdomain.com to point to the private IP (NLB VIP) and check.

If nothing works, then you don't have any option other than deployment of an RD Gateway server.
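The split-DNS step Mahesh lays out in his last two posts (an internal publicdomain.com zone with a static ts record for the NLB VIP, first with the public address and, as a fallback, the private one), together with his earlier point that the farm records must be static so DNS scavenging never removes them, as one added example. This is not code from the thread or from Microsoft; it uses dnscmd, which ships with Windows Server 2008 R2 DNS, and the server name dc01.domain.local is an assumption, as are the addresses, which are the thread's placeholders.

```powershell
# Added example (not from the thread): create the internal split-DNS zone and
# static farm record described above with dnscmd, then confirm what internal
# clients resolve and that no farm record is subject to scavenging.
# dc01.domain.local is an assumed DNS server name; the addresses are the
# thread's own placeholder values.
$DnsServer  = 'dc01.domain.local'   # assumed internal DNS server
$PublicZone = 'publicdomain.com'    # zone your public DNS provider hosts
$FarmHost   = 'ts'                  # ts.publicdomain.com
$PublicVip  = '125.24.2.90'         # NLB VIP as seen from the internet
$PrivateVip = '10.1.1.10'           # NLB VIP on the LAN

# 1. Create the zone on the internal server only if it is not already there.
$zones = dnscmd $DnsServer /EnumZones
if (-not ($zones -match "^\s*$([regex]::Escape($PublicZone))\s")) {
    dnscmd $DnsServer /ZoneAdd $PublicZone /Primary /file "$PublicZone.dns"
}

# 2. Add the farm record pointing at the public VIP (Mahesh's first attempt).
#    /RecordAdd without /Aging creates a static record, which scavenging ignores.
dnscmd $DnsServer /RecordAdd $PublicZone $FarmHost A $PublicVip

# 3. Show what internal clients now get for the farm name.
$resolved = [System.Net.Dns]::GetHostAddresses("$FarmHost.$PublicZone") |
            ForEach-Object { $_.IPAddressToString }
"Internal resolution of $FarmHost.$PublicZone -> $($resolved -join ', ')"

# 4. Scavenging check: dnscmd lists dynamic records with an [Aging:NNNN]
#    marker and static records without one.
$records = dnscmd $DnsServer /EnumRecords $PublicZone $FarmHost /Type A
$dynamic = $records | Where-Object { $_ -match '\[Aging:' }
if ($dynamic) {
    Write-Warning "Scavengeable (dynamic) farm records found:`n$($dynamic -join "`n")"
} else {
    "All $FarmHost A records are static; scavenging will leave them alone."
}

# Fallback from the same post if the public-IP record does not work:
# dnscmd $DnsServer /RecordDelete $PublicZone $FarmHost A $PublicVip /f
# dnscmd $DnsServer /RecordAdd    $PublicZone $FarmHost A $PrivateVip
```

Run it as a DNS administrator on a machine with the DNS Server tools installed. The aging check is worth keeping around after the immediate fix: any farm or VIP record that was registered dynamically will show the Aging marker and is exactly the kind of record that disappears a refresh interval or two after scavenging is switched on.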

Author Comment

by:TRSTeam
ID: 40461398
We have progress! Using your above post seems to work. The only downfall is, it's a hit-or-miss connection; I really believe it's allowing one session through at a time. Again I was able to RDP externally into the farm, and the NLB / broker worked well.
Any ideas on multiple sessions?

Author Comment

by:TRSTeam
ID: 40461403
It's about 5% of the time connecting. I had a question on this statement:
"then change ts.publicdomain.com pointing to private IP (NLB VIP) and check."

In DNS, should I not have a public IP for my farm ts-farm.domainname.com and an internal DNS entry, e.g. ts-farm pointing to my NLB VIP? Should it be one or the other?

As of now,
I have a public address and an internal NLB address for my ts-farm.domainname.com.

Thank you for all the help you have provided.
LVL 37

Expert Comment

by:Mahesh
ID: 40461422
If you have configured single connection limits on sessions, it means you can connect to one RDP session at a time from a single computer.
But if you have another computer, it will also be able to connect to another session.
Check the Session Host manager properties; also check whether you have applied any connection limitations through GPO.

RD Gateway is the server role which allows you to connect to your internal servers with internal IPs \ hostnames via the RD Gateway server, and the RD Gateway server is published on the internet.
The publicdomain.com zone should exist on the internet DNS servers (your internet domain provider) and also on your internal DNS server.
In reality the internal DNS zone entry ts.publicdomain.com should point to the internal VIP of the NLB; however, since you don't have RD Gateway installed, your client sitting on the internet may not get connected to session host servers with a private IP.
That is why I suggested you make the ts.publicdomain.com entry point to the NLB VIP public IP.
If that did not work, then I said replace the above internal entry with the internal NLB VIP and check.

Author Comment

by:TRSTeam
ID: 40462194
Yes, confirmed the setting in GPO. Single session is enabled, but I tried with different users to access, not the same username. It worked about 3-4 times this morning for my account, but now it's back to not working; I still think it's a configuration issue. Is there any way you can TeamViewer in and review these settings? My personal email is sudsboi03@yahoo.com and I can provide TeamViewer information.
LVL 37

Expert Comment

by:Mahesh
ID: 40462616
If the GPO setting is enabled for single session, it will be applied to the terminal server (because it's a computer-based GPO), and then no matter who logs on to the server, the setting will be enforced.
Not possible to look over TeamViewer.

However, you can tell me now what exact issue is left so that I can help.

Author Comment

by:TRSTeam
ID: 40462624
OK, it's not the single sessions GPO; this just isn't connecting with a new user. I'm aware of how the single sessions GPO policy works but this isn't it.
LVL 37

Expert Comment

by:Mahesh
ID: 40462645
Please let me know what issues are left now.

Ensure that the Domain Users group is added to the Remote Desktop Users local group on both TS servers.
Also ensure that the "Allow log on through Remote Desktop Services" user right is enabled in local security policy \ group policy for Domain Users, so that all users can connect to the RDS servers.

Author Comment

by:TRSTeam
ID: 40462666
Yes sir, domain users are set; again this works fine within the network. If the permissions were off, it'd fail in general.

My issue: we still cannot access our farm externally.
LVL 37

Expert Comment

by:Mahesh
ID: 40462848
I don't think your existing scenario will work correctly.
If possible, install an RD Gateway server and publish it on the external network with a public IP and FQDN instead of the RD Session Host servers.
No need to publish RD Session Host servers to the internet.

While connecting from the client you need to specify the RD Gateway server details in the RDP client, and then you can RDP to the internal NLB virtual IP \ FQDN; it must work seamlessly.

Check the articles below:
http://blogs.msdn.com/b/rds/archive/2009/07/31/rd-gateway-deployment-in-a-perimeter-network-firewall-rules.aspx
http://sharepointgeorge.com/2009/remote-desktop-services-windows-2008-r2-part-2-gateway/

Author Comment

by:TRSTeam
ID: 40463134
MS just finished trying an RD Gateway but it failed, same results. MS says we either have to use the broker or NLB but not both technologies.

Author Comment

by:TRSTeam
ID: 40463151
The gateway was installed internally though, not externally; not sure at this point where we go or what the solution is.
LVL 37

Expert Comment

by:Mahesh
ID: 40463779
As I highlighted earlier, you need to publish the RD Gateway server on the internet.
Open TCP 443 from the internet to the RD Gateway server.
From the Gateway server, open the AD auth ports towards the domain controllers and you should be good to go.
You do require a public IP, a public domain and an SSL certificate for this external host, pointing to the external FQDN of the RD Gateway server.
You can unpublish the existing RD Session Host and use that IP for the Gateway.
Also ensure you use split DNS, meaning check that the public domain exists on the intranet and on the internet.
Ex:
RDgateway.publicdomain.com should exist on the internet and intranet as well, and should be resolved to the public IP from the internet and to the private IP from the intranet.
You might need to create the publicdomain.com zone on the intranet DNS server to achieve this.

As far as I know the 2008 R2 Session Broker alone cannot do load balancing; some solution needs to be in place (NLB OR DNS round robin OR hardware load balancer).

Author Comment

by:TRSTeam
ID: 40465631
I just want to follow up on this to help people experiencing the same issue. In the end it's the Broker service combined with the NLB service. We took the broker out of the loop and external access works. The downfall is, NLB does a poor job managing TS services. Today was the first full day back in full operation and our servers were very uneven. We can't be the only company who has had a broker + NLB setup. We only have 7 TS hosts and 1 broker. Doesn't make sense. MS recommends we move away from NLB and set up an RD GW and RD Broker.
LVL 37

Accepted Solution

by:
Mahesh earned 500 total points
ID: 40466171
RD GW is required anyhow.

Either you need DNS round robin (all the RD Session Host servers should have the same host (A) record, pointing to the respective server IP):
EX:
tsfarm.company.com - points to server1.company.com IP
tsfarm.company.com - points to server2.company.com IP

OR
NLB would be required

OR
you can use session broker load balancing

http://www.virtualizationadmin.com/articles-tutorials/vdi-articles/general/remote-desktop-server-farms-explained-part1.html
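The DNS round-robin option from the accepted answer (the same farm name carrying one A record per session host), as an added example that is not code from the thread. It uses dnscmd on a Windows Server 2008 R2 DNS server; the server name dc01.company.com and the session host addresses are constructed placeholders.

```powershell
# Added example (not from the thread): build the round-robin farm name from
# the accepted answer with dnscmd, then check that every session host is in
# the answer set and that the server actually rotates the order.
# dc01.company.com and the 10.1.1.x addresses are constructed placeholders.
$DnsServer = 'dc01.company.com'             # assumed internal DNS server
$Zone      = 'company.com'
$FarmName  = 'tsfarm'                        # clients connect to tsfarm.company.com
$SessionHosts = @{                           # constructed: session host -> IP
    'server1.company.com' = '10.1.1.21'
    'server2.company.com' = '10.1.1.22'
}

# Round robin is a server-wide switch in Windows DNS; make sure it is on.
dnscmd $DnsServer /Config /RoundRobin 1

# One static A record per session host, all under the same farm name
# (static, so DNS scavenging never removes them).
foreach ($ip in $SessionHosts.Values) {
    dnscmd $DnsServer /RecordAdd $Zone $FarmName A $ip | Out-Null
}

# Check 1: the farm name must resolve to every session host IP.
$answers = [System.Net.Dns]::GetHostAddresses("$FarmName.$Zone") |
           ForEach-Object { $_.IPAddressToString }
$missing = $SessionHosts.Values | Where-Object { $answers -notcontains $_ }
if ($missing) { Write-Warning "Farm name is missing records for: $($missing -join ', ')" }
else          { "Farm name resolves to all $($SessionHosts.Count) session hosts." }

# Check 2: asked directly (bypassing the local resolver cache), the server
# should vary which address it lists first across repeated lookups.
$firstSeen = 1..6 | ForEach-Object {
    $out    = (nslookup "$FarmName.$Zone" $DnsServer 2>$null) -join "`n"
    $answer = ($out -split 'Name:')[-1]      # text after the answer's Name: line
    ([regex]::Matches($answer, '\d{1,3}(\.\d{1,3}){3}') | Select-Object -First 1).Value
}
"First address returned over 6 lookups: $($firstSeen -join ' ')"
if (($firstSeen | Select-Object -Unique).Count -lt 2) {
    Write-Warning 'Same first address every time: round robin does not appear to be active.'
}
```

Note the difference from the NLB design discussed earlier in the thread: here each session host is reached on its own address, so the farm name is only a distribution mechanism, and a host that is down still receives its share of new connections until its record is removed.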

Author Comment

by:TRSTeam
ID: 40473711
This wasn't the answer to the above question actually. After the policy was removed we also found the setting in the NLB needed to be changed from filtering mode Single to None; this allowed the incoming requests to be balanced instead of looking at the public IP of the incoming farm request and assigning the same server. Also the internal round robin needed to state the internal farm name and all the IPs of the TS session hosts.
LVL 37

Expert Comment

by:Mahesh
ID: 40474127
Filtering mode Single means if multiple requests are generated from a single machine \ client, the requests will be redirected to the same NLB member; however, if multiple users try to connect to NLB from multiple clients, NLB will load balance those requests across multiple hosts.

Round robin will come into the picture only if you are not using NLB.
Also, round robin will work only if NLB is not deployed. In addition to NLB, if you created multiple DNS host records (farm name for round robin) pointing to multiple IP addresses of the session host servers, NLB has no way to identify those host records (farm name) and it will load balance requests across multiple servers with their real server FQDNs.

In the case of pure DNS round robin, you would create the same host record (farm name) pointing to multiple IPs of the session host servers and you also connect to the session host servers with the farm name.

Author Comment

by:TRSTeam
ID: 40474196
NLB was looking at the public IP and assigning those users to the same host, which in the end overloaded the host. Setting it to "none" resolved the issue. Not sure if having the round robin setting fixed it, but it seemed to all start working when that was created.
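The NLB change the last two posts settle on, as an added example that is not code from the thread. What the thread calls "filtering mode Single" is the Single client-affinity setting on the NLB port rule: affinity keys on the client source address, and since every external user arrives from the firewall's single public IP, they all land on one host. The script below uses the NetworkLoadBalancingClusters module that comes with the NLB feature on Windows Server 2008 R2; the cmdlet and parameter names are as documented for that module, and the port is the thread's 3389.

```powershell
# Added example (not from the thread): inspect the NLB port rule that covers
# RDP (TCP 3389) and switch its client affinity from Single to None, so that
# many users behind one public NAT address are spread across the hosts.
# Run on an NLB cluster member as an administrator; cmdlet and parameter
# names follow the NetworkLoadBalancingClusters module documentation and
# can be confirmed locally with Get-Help Set-NlbClusterPortRule.
Import-Module NetworkLoadBalancingClusters

$RdpPort = 3389

# Find the port rule whose range includes 3389 (a rule may cover 0-65535).
$rule = Get-NlbClusterPortRule |
        Where-Object { $_.StartPort -le $RdpPort -and $_.EndPort -ge $RdpPort }
if (-not $rule) { throw "No NLB port rule covers TCP $RdpPort" }

"Current rule: ports $($rule.StartPort)-$($rule.EndPort), protocol $($rule.Protocol), " +
"mode $($rule.Mode), affinity $($rule.Affinity)"

if ("$($rule.Affinity)" -ne 'None') {
    # Single affinity pins every connection from one source IP to one host;
    # with all external clients NATed to the firewall's public IP that is a
    # single host for the whole internet, which is what overloaded it.
    $rule | Set-NlbClusterPortRule -NewAffinity None | Out-Null
    "Affinity changed to None for ports $($rule.StartPort)-$($rule.EndPort)."
} else {
    "Affinity is already None; nothing to change."
}

# Re-read the rule so the final state is shown from the cluster, not assumed.
Get-NlbClusterPortRule |
    Where-Object { $_.StartPort -le $RdpPort -and $_.EndPort -ge $RdpPort } |
    Select-Object StartPort, EndPort, Protocol, Mode, Affinity
```

With affinity None, nothing on the NLB side keeps a returning user on the host that holds their disconnected session; that reconnection job is what the Connection Broker does, which is why Mahesh's advice throughout the thread is to front the farm with an RD Gateway and let the broker, rather than NLB, decide where a session lands.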
