Remote Access (RD Web) to second remote desktop server not working

I have an environment where there are two RD Session Host computers (Windows Server 2012 R2) each with published applications. One of the servers (SERVER1) is configured with RD Connection Broker, RD Session Host, RD Gateway, RD Licensing, and RD Web Access. The other (SERVER2) only has the RD Session Host role. I have two collections, one for each server. I can remote desktop to either server without issue. My problem is publishing RemoteApp programs. All of the RemoteApp programs on the server with all of the RD roles installed (SERVER1) work fine. I cannot however run any of the published RemoteApp programs on the server with only the RD Session Host role installed (SERVER2). The error I receive is "RemoteApp Disconnected. This computer can't connect to the remote computer..." The problem is obvious, I think. When I click on the published RemoteApp I can see that it is attempting to connect to "SERVER1" instead of "SERVER2" as it should. The question is, how do I fix this? Do I need an additional role installed on "SERVER2?"
Brian Thor (President) Asked:

Cliff Galiher Commented:
Does this issue occur internally or only externally? Keep in mind that all initial connections go to the RDCB first for load balancing or to reconnect disconnected sessions. So seeing a connection to Server1 is not necessarily a sign of an issue.
Brian Thor (President, Author) Commented:
It does happen both internally and externally.
Cliff Galiher Commented:
Then chances are you've misconfigured the rdgateway settings and it is not able to connect to any other RDSH server besides itself. Check those settings, DNS, and firewall.
Brian Thor (President, Author) Commented:
Cliff,

Thanks for your response. I have checked DNS; both forward and reverse lookups are correct. The firewalls for both RDSH servers are managed by the same group policy. I am able to connect to either locally or through RD Gateway. My only (known) problem is publishing applications hosted on SERVER2. Do you have any ideas for other specific settings to check?
Cliff Galiher Commented:
At that point I'd start wireshark and see what is going on. The .rdp file should list the RDGateway, the RDCB, and the collection name. The actual connection should go through the RDGateway to the RDCB. The RDCB would look up the collection and issue a redirect to the second server, and then the final connection would be established.  That's the workflow and you should be able to see that in network captures.  You should also be seeing logged events and you can always turn on more logging on each role to see what is happening.
Brian Thor (President, Author) Commented:
I am attaching the RDP file for you to examine. I don't see any evidence of a reference to the collection. All references to the internal server names are to REMOTE1. REMOTE2 is the only server which publishes this application. It seems like something has to be wrong on the process of publishing the application but I can't figure out what it might be.
Sage-50-Accounting-2015--Work-Resour.txt
dew_associates Commented:
Try opening the "properties" for your application collection experiencing the problem. Navigate to security and untick "Allow connections only from computers running Remote Desktop with Network Level Authentication". Now test the connection again.
Brian Thor (President, Author) Commented:
I tried unchecking "Allow connections only from computers running Remote Desktop with Network Level Authentication" however this did not resolve the problem.
dew_associates Commented:
The only thing that I can think of is that during setup you plugged in erroneous information.  I looked at your text file again, shouldn't the alternate address be REMOTE2?
Brian Thor (President, Author) Commented:
I agree with your assessment that the correct address should be REMOTE2. The problem is that I don't know how to make that change, if it is in fact correct. My only option is to publish or not the application, as far as I know.
dew_associates Commented:
What settings do you see when you open the Remote Desktop Connection client?
Brian Thor (President, Author) Commented:
Dennis,

If I manually configure a remote desktop connection I can access REMOTE2 through the RD Gateway computer without problem. The problem is that the application publishing feature is showing the Remote Computer as REMOTE1.internaldomain.local when it should be showing as REMOTE2.internaldomain.local. Hopefully that answers your question, in a roundabout way.
dew_associates Commented:
Let's separate these issues. It appears that you are using a software package (Peachtree maybe) to publish that has nothing to do with the server software. Am I close?
Brian Thor (President, Author) Commented:
Correct.
dew_associates Commented:
You will need to dig into the app, not the server side and redirect where the Peachtree app is pointing.
Brian Thor (President, Author) Commented:
Dennis,

I don't think it is the app. To confirm I published Calc and WordPad on REMOTE2. I first confirmed that these apps are not published on REMOTE1. I am experiencing the same problem with these apps as with Peachtree. Something is not working correctly in the publishing process.
Cliff Galiher Commented:
I think you are operating under some erroneous information. For starters, you will *not* see server2 in the rdp file.  Here is why:

Let's say you build a collection with more than one server. It has five servers for this example. And you publish a simple app such as calc for that collection. You don't want all users who launch that remoteapp going to server2.  Even more importantly, if a user was in the middle of a task and accidentally got disconnected, you *do* want them to end up on the same server they were on before.

In 2008, this type of configuration was known as a farm, and required multiple moving pieces. You had to configure round robin DNS. You had to have a broker. And one of the session hosts would redirect to the broker which would then redirect to another session host to maintain existing sessions. It was rather messy.

So in 2012 things work much differently. GONE is round robin DNS. The .rdp file will always point to the connection broker first. That's why you see server1 in the .rdp file. When the connection broker gets a connection request, it sees if the user already has a session for that collection and if so, will redirect there. That's one less redirection than in 2008. And if not, it does load balancing by picking a server it thinks has the least sessions based on other connection requests it has received.  So the "server2" reference won't occur until the connection broker issues a redirect. It will never be in the .rdp file.

Architecturally this is simpler to expand a farm just by adding a new server to the collection. No messing with round robin DNS to add it to the farm. No worrying about poor load balancing because of missed entries. And a server down for maintenance doesn't cause issues as it could with 2008.  So this is actually a better design.

But the downside is you have to know the process for troubleshooting. You can't wing it.

Your .rdp file has a reference to server1 (as it should since that's your broker.)

And while you say you don't see a collection reference, the line for the load balancing plugin does reference the "accounting" collection. That will be what the RDCB will use to find server2 and will issue a redirect. Again, that will get logged, and again, if that isn't happening, you need to turn on extra logging and wireshark the connection.

From what I can tell, the published app has what it needs in the .rdp file. The problem is occurring further down the process of establishing connections, which is why, much earlier on, I mentioned that the issue could be DNS, firewall, etc. My troubleshooting steps remain unchanged based on your other efforts which I've gotten caught up on reading.

Brian Thor (President, Author) Commented:
Cliff,

Thank you for the explanation. Please go one step further. Do both servers (REMOTE1 and REMOTE2) have to offer the same applications? In this environment they aren't separate for load balancing. The idea was to have two different machines setup for two user groups. One group of users will use REMOTE1, the other group will use REMOTE2. Will this work? Are you aware of any documentation for this configuration?
Cliff Galiher Commented:
All machines in a collection need to have the same apps for load balancing. Load balancing occurs per collection. So those need to be the same. But if the servers will be different, simply define different collections. Users connecting to an app published in collection 1 will never get load balanced over to a server in collection 2, even if both collections happen to have that app. That's why collections are defined the way they are, so you can scale different apps based on use case. This is normal and acceptable. No special configuration required.
Brian Thor (President, Author) Commented:
Okay. I believe I have configured this as you suggest. I have two collections with different apps in each collection. As an administrator I am a member of both AD groups which are assigned to the two collections. I removed myself from the group assigned to the collection on REMOTE1. When I login to the RDWeb page I no longer see the resources published on REMOTE1. I still see the resources published on REMOTE2 however I am still unable to launch those applications. The same error exists.
Cliff Galiher Commented:
Which is why you will have to go through the troubleshooting I've suggested. There is no shortcut and guessing is clearly going nowhere. I didn't make those suggestions idly.
Seth Simmons (Sr. Systems Administrator) Commented:
This question has been classified as abandoned and is closed as part of the Cleanup Program. See the recommendation for more details.