Oval Piston

asked on

RDS with Connection Broker sends login to server even when logons are disabled.

I set up a test RDS environment on 2012 R2. It's configured with a gateway, connection broker, web access, SQL Server, and two session hosts, configured in high availability - 6 VMs in total.

The one collection is configured for Full Desktops with both session hosts as members. I only want to have one collection.

When I RDP to a server via the webaccess.domain.com, it opens up RDP and connects fine.

However, when I do a "change logon /disable" on the host I was just connected to, the connection broker still thinks logons are enabled and sends my login id to that server, which shows "Remote logins are disabled".

I know I can set the logon state in the collection using Server Manager manually under 'Allow New Connections', but I need to have the CB know the logon state without an admin manually changing the logon state using Server Manager. Or maybe another way is to tell the CB the logon state.

What I've also found is if I have both servers with logons enabled in the Collection (both showing True for 'Allow New Connections') and by using 'change logon /enable', then if I disable logons in the collection, the CB *still* keeps sending me to the server I just disabled logons on.
ASKER CERTIFIED SOLUTION
Edmond Hawila
This solution is only available to members.
Oval Piston

ASKER

Is there a parameter for this PowerShell command to completely disable new logons, and not allow reconnections?

Refreshing the 'Allow New Connections' still shows 'True', even if I run with the `-NewConnectionAllowed No` parameter. How do I get it updated?
Do you mean you want to disable new logins to all hosts?
You would need to stop the Connection Broker for that.
Also note that Disabling New Connections as above will still allow Administrator accounts to connect! This only applies for non-administrator accounts.
No, not to all hosts. There are three different states of login on a session host: 1) enable, 2) disable only new connections, allow reconnections to disconnected sessions, and 3) disable new logons and disable reconnections.

The PowerShell command you gave works for #2 above. So I'm asking if the PowerShell command has an option for #3 (all logon types disabled).
That is only for local Remote Desktop settings. It doesn't apply for the Session Collection. You need to work with the Session Collection options. You could kill the sessions after you Disable New Connections to go around that.
So you're saying the PowerShell command only allows for 'Enable' and 'Disable new, allow reconnections'?

The command does not update the GUI in Server Manager though.
Hm.. I haven't tested it myself, but it seems odd. Does the setting apply and stop new connections, though?
Running the PowerShell command does have the effect of the CB redirecting the request to the other session host that has its logons set to enabled.
Good stuff. Maybe restarting the Server Manager will also update the status as well?
The important thing is that it works :)
If it's a cluster of connection brokers, I assume the PowerShell command is sent to the cluster's IP?
The command is using the DNS of the connection broker, so it wouldn't matter if it's in a cluster or not. It will still go to the right place and the cluster will handle everything else.
The command only works if it's given the FQDN of a CB, not broker.mydomain.com.
Hm.. Try to use the Gateway dns then and let me know if that works.
Tried giving it the gateway FQDN and also the gateway DNS and both of them gave an error "A Remote Desktop Services deployment does not exist on "
How many CBs do you have?
one
You mentioned above that the command works for the CB. Then you asked about a cluster so I thought you had more. If you run the command on your CB you should be ok.
I am pretty sure the Server Manager will update the status it just might take some time and might need a refresh.
What I'm trying to figure out is that if I have multiple CBs, how to point to a single FQDN that's *not* an actual CB server.

There are two ways to create a CB cluster, from within Windows and from just adding another CB in the RDS deployment.

If I add "Failover Clustering", it creates a single FQDN that essentially points to both CBs. Then, if a CB goes down, the FQDN will get pointed to the other CB.

Since the PS cmd uses an actual FQDN to a CB as its last parameter, adding another CB from within the RDS deployment won't allow a single FQDN that points to both, like "Failover Clustering" does. That's what I'm trying to do...use a single FQDN that will point to both for the PS cmd.

It looks like that can't be done.
So the system you are talking about was not available to you when we were testing..
My suggestion would be to create a test environment to be able to test, but even if you can't run the PS command on a single FQDN to apply on both CBs, you could just run the command once for each CB. It's hard to imagine a system having more than a handful of CBs anyway, and you could just script your PS to do all of these at once. This shouldn't really be a problem.
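
The last reply's suggestion, running the command once per Connection Broker from a script, could look like the sketch below. It is an added example, not code from the thread or from the members-only solution: it assumes the command under discussion is `Set-RDSessionHost` from the RemoteDesktop module (the thread shows only its `-NewConnectionAllowed No` parameter), and the function name, server names and collection name are hypothetical.

```powershell
# Added example, not from the thread. Server and collection names are placeholders.
Import-Module RemoteDesktop

function Set-SessionHostDrain {
    param(
        [Parameter(Mandatory)] [string]   $SessionHost,      # FQDN of the host to drain
        [Parameter(Mandatory)] [string]   $CollectionName,
        [Parameter(Mandatory)] [string[]] $ConnectionBroker, # actual broker FQDNs
        [switch] $LogOffSessions                             # also end sessions on the host
    )
    $accepted = $null
    $results = foreach ($cb in $ConnectionBroker) {
        try {
            # Set the state the broker itself uses when redirecting logons.
            Set-RDSessionHost -SessionHost $SessionHost -NewConnectionAllowed No `
                -ConnectionBroker $cb -ErrorAction Stop
            # Read the value back from the broker rather than the Server Manager GUI.
            $state = Get-RDSessionHost -CollectionName $CollectionName `
                -ConnectionBroker $cb -ErrorAction Stop |
                Where-Object { $_.SessionHost -eq $SessionHost }
            if (-not $accepted) { $accepted = $cb }
            [pscustomobject]@{ Broker = $cb; NewConnectionAllowed = $state.NewConnectionAllowed; Error = $null }
        }
        catch {
            # A broker that is down or is not a deployment member lands here.
            [pscustomobject]@{ Broker = $cb; NewConnectionAllowed = $null; Error = $_.Exception.Message }
        }
    }
    if (-not $accepted) { throw "No Connection Broker accepted the change for $SessionHost." }

    if ($LogOffSessions) {
        # Draining leaves existing sessions in place; end them explicitly.
        Get-RDUserSession -CollectionName $CollectionName -ConnectionBroker $accepted |
            Where-Object { $_.HostServer -eq $SessionHost } |
            ForEach-Object {
                Invoke-RDUserLogoff -HostServer $_.HostServer `
                    -UnifiedSessionID $_.UnifiedSessionId -Force
            }
    }
    $results
}

# Example call with placeholder names:
# Set-SessionHostDrain -SessionHost 'rdsh1.example.test' -CollectionName 'Full Desktops' `
#     -ConnectionBroker 'cb1.example.test','cb2.example.test' -LogOffSessions
```

The returned table shows, per broker, either the `NewConnectionAllowed` value read back or the error that broker raised, which gives a check that does not depend on Server Manager refreshing.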