Deploying Windows 2016 RDS FARM Help needed

Deploying new 2016 RDS farm

The following are in place

  • 1 Connection broker
  • 1 RDHS
  • We are not pushing remote apps or allowing outside RDS connections directly to the FARM. So RD Gateway and Web Access is not configured. RDS will be used internally only for now
  • Domain\users are added to the RDHS and Connection Broker's remote desktop group
  • A DNS record of with the IP address of the connection broker

When I tested with a standard user account, using the address, I log directly into the connection broker. I do not get directed to the RDHS. I'm not sure why it's not redirecting me.

Am I supposed to have the DNS record point to the RDHS? I'm not sure what I am doing wrong

Cliff Galiher commented:
Install and use RDWA.

The issue is that in 2012 and later, RDS introduced the concept of "collections." You need to define the collection in Server Manager. And then when you connect, the collection name MUST be specified for the connection broker to properly redirect.

And... drumroll... the GUI does not provide a way to find or specify what collections are in your environment. Microsoft decided to use RDWA for that... even internally.

If you use RDWA, the dot-RDP files it generates have the collection name property specified and properly formatted and things work. The only other way to do this is to manually save then edit an RDP file in a text editor like notepad. Which gets ugly fast.
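The "manually save then edit an RDP file" route described above, as an added example that is not part of the original thread: a PowerShell script that writes a .rdp file whose `full address` is the connection broker and whose `loadbalanceinfo` setting names the collection, which is the property the broker matches before it redirects. The broker FQDN `rdcb.corp.example.com` and the collection name `Desktops` are assumptions; replace them with the values from your Server Manager.

```powershell
<#
  Added example, not from the original thread. Builds a .rdp file that points at
  the connection broker and names the collection in the loadbalanceinfo setting,
  which is what the RDCB needs in order to redirect to a session host.
  Assumed values (replace with your own): rdcb.corp.example.com is the broker
  FQDN, "Desktops" is the collection name as shown in Server Manager.
#>
param(
    [string]$Broker     = 'rdcb.corp.example.com',   # assumption: RDCB FQDN, must match its certificate
    [string]$Collection = 'Desktops',                # assumption: collection name from Server Manager
    [string]$OutFile    = (Join-Path $env:USERPROFILE "Desktop\$Collection.rdp")
)

# Fixed prefix used by the broker's load-balancing plugin; only the last
# segment is the collection name.
$lbi = "tsv://MS Terminal Services Plugin.1.$Collection"

$settings = @(
    "full address:s:$Broker"            # initial hop is the broker, not a session host
    "loadbalanceinfo:s:$lbi"            # tells the broker which collection to redirect into
    'use redirection server name:i:1'   # validate the broker cert before following the redirect
    'authentication level:i:1'          # refuse to connect if the server certificate does not validate
    'enablecredsspsupport:i:1'          # require NLA (CredSSP) before a session is created
    'prompt for credentials:i:1'
    'screen mode id:i:2'                # full screen
    'redirectclipboard:i:1'
    'redirectdrives:i:0'                # keep drive redirection off unless it is needed
)

# mstsc saves .rdp files as UTF-16 LE ("Unicode"); write the same way.
Set-Content -Path $OutFile -Value $settings -Encoding Unicode

# Read the file back and check the two settings the redirect depends on.
$text = Get-Content -Path $OutFile -Raw
$required = @("full address:s:$Broker", "loadbalanceinfo:s:$lbi")
foreach ($line in $required) {
    if ($text -notmatch [regex]::Escape($line)) {
        throw "Missing required setting in $OutFile : $line"
    }
}
Write-Host "Wrote $OutFile. Launch with: mstsc.exe `"$OutFile`""
```

Keep `full address` set to the broker's real FQDN (the name on its certificate): with `authentication level` at 1, the client refuses the connection if the certificate does not validate, and `use redirection server name` keeps that validated name in play when the broker hands the client to a session host. Pointing `full address` at a different DNS alias only works while the certificate also covers that alias.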
iamuser (author) commented:
The collection is set in Server Manager with the 1 RDHS.

For 2008 R2 our users are using RDP and connecting. Very simple. Okay, so the options here are to use RDWA or manually edit an RDP file.

How do the clients get access to the RDWA? Is it via a web browser then?
Cliff Galiher commented:
Web browser, or add the feed to the modern Windows 10 app, or add the feed to the RemoteApp and Desktop Connections control panel setting. The feed is an XML file served up by RDWA.
iamuser (author) commented:
So they just made the RDP client useless for Remote Desktop Services.

I tried looking for a how-to guide on editing the normal RDP client to allow it to be used with the farm, but I can't find anything. Do you happen to know where I can find this info?
Cliff Galiher commented:
"So they just made the RDP client useless for Remote Desktop Services."

How so? The Remote Desktop Client has *always* been driven by a set of RDP settings. Whether you open it and manually type in a bunch of memorized settings, or distribute .rdp files saved from the GUI, or distribute .rdp files downloaded from the RDWA website, or launch from an .rdp file pulled from an XML feed... it all still ends up being the RDC. In a brand new 2016 RDS environment, with a collection of session host desktops, published via RDWA, and subscribed to in Windows 10's control panel, you see the remote desktop in your Start menu, launched in the TRADITIONAL RD client. How is that useless?

Useless is a very strong word. The workflow has changed (creating a "farm" changed to "collections"), but change is inevitable. This is just another change. You learn to work with it. Or you choose a different solution (Citrix is still around, and Citrix Receiver is a perfectly valid endpoint client that many businesses love.) I'm not telling you that you HAVE to use Remote Desktop. You just asked why you were connecting to the connection broker instead of getting redirected. The answer to THAT question is because you aren't using the workflow as intended. RDWA is an intentional part of that workflow now.
iamuser (author) commented:
When I said the RDP client was useless, I meant it as in the standard way that it's being used in our environment. Currently, staff open the normal RDP client and type in the name of the farm (which is a VIP/DNS record to a physical LB). The LB then handles all the sticky sessions and server redirection. Now it involves a few extra steps for the staff. Plus

You are correct, it is a big change. I set up RDWA and tested it. I noticed that when RDP opens from within RDWA, it shows the FQDN of the connection broker, which I do not want. I am looking for a way to change that. (Yes, downloading the client from RDWA I can edit the RDP file to show the name that I want, but then I would have to push the client out to each system.)
Cliff Galiher commented:
"it shows the FQDN of the connection broker which I do not want."

That is how RDS works now.  The connection broker handles the session balancing and redirection.  Full-stop.  As for the client showing the FQDN specifically, that is also by design.  A major issue in 2008 R2 was that farms were notoriously difficult to secure properly and certificates were being used improperly, exposing the private key, making MitM attacks relatively trivial.  The new architecture essentially expects every step to be secured with trusted certificates, so you *WANT* the initial connection to be the RDCB FQDN as the client should know, validate, and trust the RDCB before following its redirection.

Note that this is quite apart from RDWA. They are different issues.  Even if you decide to manually deploy .rdp files or edit existing files, proper trust is baked into RDS in such a way that this is the new normal.
iamuser (author) commented:
I have wildcard SANs and I'm not against securing it. And currently the certs are installed.

Example: I downloaded the client from the RDWA portal, went in and edited the RDP file, and changed the FQDN of the connection broker line from to (I have a DNS record of pointed to the IP of the connection broker). Running the client now shows me which is much nicer, and the connection is still secure due to the wildcard cert. I'm not seeing a way to do the same directly from the RDWA.
Cliff Galiher commented:
Does it actually matter?!? It matters to you, but be honest in asking WHY it matters to you (and only you can answer that.) Does it help users? (When they are going to use RDWA and therefore don't need to remember any particular name?) Does it make the system more secure? I don't see how. Does it reduce future admin work? It's another DNS record and alternate configuration to document, maintain, and migrate... so I don't see how.

Maybe there is a valid reason. I am not saying there isn't. But I see, far too often, here, people trying to do something simply because they always have... but technology evolved and habits have to evolve with it. So challenging by asking the "why" is important.

Short answer is there is no supported way to change the published name without breaking other things.  There are unsupported edits to change what is published, but it tends to have side-effects worse than what is trying to be fixed. I can't in good conscience recommend that path.

iamuser (author) commented:
Great, thanks.