Step by Step Windows 2012 R2 Remote Desktop Services – Part 3

A step by step guide to build a Windows 2012 R2 Remote Desktop Services deployment.

Part 3 – Adding Session Hosts and Load Balancing session collections.

In part two I detailed how to do an advanced installation, using separate servers for each role. In case you missed it, or want to check it out, look at this post:
In part one I detailed how to do a single server installation. In case you missed it, or want to check it out, look at this post:

In this step by step guide we’ll be adding an extra RD Session Host server:
RDS Deployment - Add Session Host
ITWRDS05 will be the extra server. I used the same specs as in step 2 in this guide for the member servers, and used IPv4 and made it a member server of the domain.
If you’re building along and want to continue doing so for the next parts in this complete series, make snapshots of the servers before adding this extra server.

Software used in this guide:
Windows Server 2012 R2 ISO (evaluation can be downloaded here:

This guide will not focus on adding a member server to the domain.
And again some basic knowledge is assumed in this guide.

Installing the Remote Desktop Services Roles
Log on to the Domain Controller, and in Server Manager right-click the All Servers node and add the new server using the Add Servers command (or select the All Servers node, click Manage and click Add Servers).

RDS Deployment - Add Session Host 01
Now that all servers needed in this deployment scenario are present, click Remote Desktop Services.

Server Manager
RDS Deployment - Add Session Host 02
In Overview, right-click RD Session Host and click Add RD Session Host Servers.
Note that the Remove RD Session Host servers option is used to remove one or more Session Host servers from the deployment. This will not uninstall the RD Session Host role service from the selected server(s), unless you choose to do so in the wizard.

Select a server
RDS Deployment - Add Session Host 03
Click the newly added server and click the Add button.
Notice here that the only server missing to choose from is ITWRDS04, which is of course because this already is an RD Session Host in the current deployment.
Click Next.

Confirm selections
RDS Deployment - Add Session Host 04
Check Restart the destination server automatically if required.
Click Add.

View progress
RDS Deployment - Add Session Host 05
Wait until the RD Session Host role service is deployed and the new RD Session Host server has restarted.
Click Close.

If you want Web Access users to be able to log on to this server, you need to add this server to the Resource Group for which we configured a policy on the RD Gateway server in the previous guide.

On the RD Gateway server, open the RD Gateway Manager tool and expand the server node, expand the Policies node and click the Resource Authorization Policies node.

RD Gateway Manager
RDS Deployment - Add Session Host 13
Click Manage Local Computer Groups.

RDS Deployment - Add Session Host 14
Make sure the Resource group is selected and click Properties.

RDS Deployment - Add Session Host 15
Type the name of the new server and click Add.
The Note you see here refers to the Remote Desktop Session Host server farm principle in case you also publish Windows 2008(R2) Remote Desktop deployments. In Windows 2012(R2) the farm concept is handled by the RD Broker and the RD Session Collections.
Click OK to apply the settings to the resource group and click Close to close the group manager.

Now let’s see what we can do if we have multiple Session Hosts in our deployment.
Of course you could add a new collection using the new session host server, but that’s no different than what I explained in step 2 of this guide collection.
Let’s do some new stuff with the new session host instead.

Load balancing an existing collection
In Server Manager click Remote Desktop Services, and then click the existing collection “Full Desktop”. Scroll down to Host Servers if this section is not immediately visible.

RDS Deployment - Add Session Host 06
Click Tasks and click Add RD Session Host Servers.
Note that the Remove RD Session Host servers option is used to remove one or more servers from a load balanced session collection.

Specify RD Session Host servers
RDS Deployment - Add Session Host 07
Since there’s only the new server in the deployment which has the role but isn’t assigned yet, that’s the only server we see here.
Select the server and click the add button.
Click Next.

Confirm selections
RDS Deployment - Add Session Host 08
The Wizard confirms that you selected the server.
Click Add.

View progress
RDS Deployment - Add Session Host 09
Wait until the server is added to the collection.
Click Close.

That’s it. The Full Desktop collection is now load balanced over 2 Session Hosts.

To confirm this, and see how we can influence the load balancing properties, go back to Server Manager and click Remote Desktop Services, then click the Full Desktop collection.

Full Desktop collection
RDS Deployment - Add Session Host 10
Click Tasks, then select Edit Properties.

Session Collection
RDS Deployment - Add Session Host 11
In this load balancing setup both servers are equally weighted for sessions. You could re-balance this if hardware resources are not the same across all servers in the collection.
While you’re in this screen, review the other properties of this session collection.

In this example we load balanced a Full Desktop session collection, but the steps are exactly the same for load balancing a RemoteApp program collection.
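
The two wizards above can also be driven from PowerShell with the RemoteDesktop module that ships with Windows Server 2012 R2. This is an added example, not part of the original post; the broker name and the DNS suffix are placeholders, while ITWRDS05 and the Full Desktop collection are the names used in this guide.

```powershell
# Added example: add a session host to the deployment and to an existing
# collection, then show the resulting state.
# Run elevated, as an account that administers the RDS deployment.
param(
    [string]$ConnectionBroker = 'broker.example.local',    # placeholder name
    [string]$NewSessionHost   = 'ITWRDS05.example.local',  # placeholder DNS suffix
    [string]$CollectionName   = 'Full Desktop'
)

$ErrorActionPreference = 'Stop'
Import-Module RemoteDesktop

# Step 1: add the server to the deployment with the RD Session Host role,
# unless it is already there. The role installation may restart the target.
$deployed = Get-RDServer -ConnectionBroker $ConnectionBroker -Role 'RDS-RD-SERVER' |
    Where-Object { $_.Server -ieq $NewSessionHost }

if (-not $deployed) {
    Add-RDServer -Server $NewSessionHost -Role 'RDS-RD-SERVER' `
                 -ConnectionBroker $ConnectionBroker
}

# Step 2: add the server to the existing collection, unless it is already a member.
$member = Get-RDSessionHost -CollectionName $CollectionName `
                            -ConnectionBroker $ConnectionBroker |
    Where-Object { $_.SessionHost -ieq $NewSessionHost }

if (-not $member) {
    Add-RDSessionHost -CollectionName $CollectionName -SessionHost $NewSessionHost `
                      -ConnectionBroker $ConnectionBroker
}

# Step 3: confirm the result. Every host in the collection should be listed,
# with NewConnectionAllowed showing whether it takes new logons.
Get-RDSessionHost -CollectionName $CollectionName -ConnectionBroker $ConnectionBroker |
    Format-Table SessionHost, NewConnectionAllowed -AutoSize

# The per-host load balancing settings (the values shown in Edit Properties).
Get-RDSessionCollectionConfiguration -CollectionName $CollectionName -LoadBalancing `
                                     -ConnectionBroker $ConnectionBroker |
    Format-Table -AutoSize
```

The script does not touch the RD Gateway resource group; the new host still has to be added there as described earlier before Web Access users can reach it through the gateway.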

Managing a load balanced collection
Load balancing a collection makes it possible to do maintenance on your servers without annoying your users. You can put a server in maintenance without disrupting functionality.

In the Host Servers section for the collection right-click the server you want to do maintenance on.
RDS Deployment - Add Session Host 12
Then select Do not allow new connections.
Of course, you will have to wait until existing sessions are completed, or instruct users to log off and log back on, in which case they will be redirected by the RD Broker to the other server. Yes, this is a new session; there is currently no way to migrate sessions to other hosts without annoying the user.
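
The maintenance routine above, scripted as an added example (not from the original post): it refuses to drain the last host that still accepts connections, stops new logons on the chosen host and waits for its sessions to end. The broker name, DNS suffix, timeout and polling interval are assumptions.

```powershell
# Added example: put one session host of a load balanced collection into
# "Do not allow new connections" and wait until it is empty.
param(
    [string]$ConnectionBroker = 'broker.example.local',    # placeholder name
    [string]$SessionHost      = 'ITWRDS05.example.local',  # placeholder DNS suffix
    [string]$CollectionName   = 'Full Desktop',
    [int]$TimeoutMinutes      = 120,                        # assumed drain window
    [int]$PollSeconds         = 60                          # assumed polling interval
)

$ErrorActionPreference = 'Stop'
Import-Module RemoteDesktop

# Safety check: at least one other host must still accept new connections,
# otherwise draining this one would lock every user out of the collection.
$hosts  = @(Get-RDSessionHost -CollectionName $CollectionName `
                              -ConnectionBroker $ConnectionBroker)
$others = @($hosts | Where-Object {
    $_.SessionHost -ine $SessionHost -and $_.NewConnectionAllowed -eq 'Yes'
})
if ($others.Count -eq 0) {
    throw "No other host in '$CollectionName' accepts new connections; not draining $SessionHost."
}

# Same setting as right-clicking the server and choosing "Do not allow new connections".
Set-RDSessionHost -SessionHost $SessionHost -NewConnectionAllowed No `
                  -ConnectionBroker $ConnectionBroker

# Poll the broker until no session is left on the host or the window expires.
$deadline = (Get-Date).AddMinutes($TimeoutMinutes)
do {
    $remaining = @(Get-RDUserSession -CollectionName $CollectionName `
                                     -ConnectionBroker $ConnectionBroker |
        Where-Object { $_.HostServer -ieq $SessionHost })

    if ($remaining.Count -eq 0) { break }

    Write-Host ("{0:HH:mm:ss} {1} session(s) still on {2}" -f `
        (Get-Date), $remaining.Count, $SessionHost)
    Start-Sleep -Seconds $PollSeconds
} while ((Get-Date) -lt $deadline)

if ($remaining.Count -gt 0) {
    Write-Warning "$SessionHost still has sessions after $TimeoutMinutes minutes:"
    $remaining | Format-Table UserName, SessionState, UnifiedSessionId -AutoSize
} else {
    Write-Host "$SessionHost is drained and ready for maintenance."
}

# When maintenance is finished, let the broker use the host again:
#   Set-RDSessionHost -SessionHost $SessionHost -NewConnectionAllowed Yes `
#                     -ConnectionBroker $ConnectionBroker
```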

If you want to continue building along with this series, remove everything that’s installed in this guide. You can revert to snapshots, or remove everything manually.

– Remove the server from the session collection.
– Remove the server from the RD deployment, removing the role services as well.
– Remove the server from the RD Gateway Resource group.
– Remove the server from the domain.

And I will see you in the next part in which I will finally show a step by step guide on deploying and publishing a RemoteApps program collection.


Update: Part 4 – Publishing RemoteApps is now published.


216 comments on “Step by Step Windows 2012 R2 Remote Desktop Services – Part 3”
  1. GMH77 says:

    Hey Arjan,
    This was so far a very helpful blog on how to implement and configure RDS 2012.
    I like it a lot so thank you for using your time on this :)

    I have an issue where I try to connect to broker.domain.local from a client in the same network.
    I don’t want to use RemoteApps,

    I just want high availability for regular RDP sessions, but when I try to use RDP I get:
    “The connection was denied because the user account is not authorized for remote login”

    When I use RemoteApp, it’s all good, the users are able to log on and no problem.

    I have a server with Connection Broker, Licensing, Web Access and Gateway and four servers that are Session Hosts

    • Arjan Mensch says:

      Hi GMH,
      Don’t connect to the broker. Create round robin A-records for your session hosts instead and connect to the round robin A-record (also known as farm-record).
      Besides that, if you created a RemoteApp session collection with all the session hosts in it, you cannot use the same collection for Remote Desktop.

      • glennmh says:

        Thank you Arjan,
        I don’t want to use remoteApp at all for this solution – all users should get directly connected to a “terminal server session” or now called session host? Correct?

        So I will create an A record named “RDSH” pointing to “SrvNameSH01, 002, 003 and 004” ips?

        Then I will have to configure gateway manager and RAP policy for the farm, right?

        I also have to remove the connection to remoteApp?

      • Arjan Mensch says:

        Hi Glenn,
        Yes correct about everything, but you do need a Session Collection, but it needs to be configured for Remote Desktop sessions, not for RemoteApps. The round robin DNS entry should be in the RAP along with the real hostnames. The Broker doesn’t need to be there.

  2. GMH77 says:

    Back again :)
    What if I have already configured the RD Connection Broker, doesn’t matter? Just connect to the GW IP? (On the same machine as the broker, doh..

  3. Derek Romano says:

    One issue I am having is when we disable connections to one server users will still get connected to that server anyway and it will say logins have been disabled.

    Our setup
    One Server for RDGateway and RDWeb
    2 x Servers with Connection Broker and Session host roles
    DNS Round robin is enabled and A Record is created pointing to both IPs of the 2 CB / SH Servers

    When I ping it’s returning the IP of the server we disabled new connections on, also when we ping that FQDN from the Gateway server we get the same IP.

    My guess would be it’s something to do with the fact DNS is resolving the farm name to the IP of the Server that is not allowing new connections. How do we work around this issue?

    This is an internal test so it’s bypassing the gateway I would guess, as that’s the default setting.

    I tried unchecking that option to make local connections go through the gateway but I get an error when launching the full desktop saying, Your computer can’t connect to the remote computer because no certificate was configured to use at the Remote Desktop Gateway server.

    • Arjan Mensch says:

      Hi Derek,
      The problem here is that you have combined the Broker and Session host roles.
      You should configure different DNS records (round robin) for the sessionhost functionality. Those 2 entries make up your session host “farm”. Now if a user connects to a server that is disabled for new logons, the broker will redirect the user to the correct server.

  4. Emil Abbas says:


    I am bored with GPO settings :/
    I don’t know what to implement for basic settings.
    I want to install three 2012r2 servers with broker+sh on per server.
    What GPOs must I link on the OU where these servers reside?

    • Arjan Mensch says:

      Hi Emil,
      Best practice would be to create an OU for your RDS hosts and move the RDS Host accounts to this OU.
      Then create your GPOs linked to that OU and configure loopback processing on the GPO so the user settings get propagated even if the GPO applies to an OU with computer accounts.

  5. Eli says:

    Hi, I know this article has been up for a while but hoping you may be able to help with an issue I’m running into. I followed the previous 2 parts fine, but when I try to add an additional session host like in this part, and get to the step in Server Manager to “add RD Session host servers”, I get a compatibility check failed: “the RD Session host role service is not installed on the server”, and my options are to Exclude or Cancel. Clicking either takes me back to the previous menu in the wizard to choose a different server.

    I’m confused because in the wizard at the top it clearly says “the wizard allows you to add RD session host servers. Select the servers on to which to INSTALL RD session host role service.”

    I was hoping you could provide some insight on this. thanks again.

    • Arjan Mensch says:

      Hi Eli,

      If you use the RD overview to add extra session hosts it will install the session host role. Does the eventlog on the server you are trying to add show any errors?

    • Torsten says:

      Eli, did you get an answer to this? I have the same issue on a Server 2012R2 freshly installed onto an existing domain. There appears to be a group policy setting affecting the server’s security settings. The only thing that’s obvious is IE Intranet security is set to maximum.

      • Arjan Mensch says:

        Hi Torsten,
        Is it possible to test a freshly installed server that is moved to a test OU in AD on which policies are blocked? That would confirm or rule out domain policies.

    • Frank says:

      Hi Arjen,

      I have used your step by step guide to build our new RDP environment and so far it works great, however I have come across a few limitations RDP server 2012R2 brings. I hope you have any ideas on the issues I’m facing.

      Our setup is:
      2 connection broker servers in HA
      1 Gateway server
      1 Webaccess server
      15 session host servers

      The default setup allows only one collection for a full desktop session spread out over the host servers. My company would like our users the choice of having the session started with a lower resolution (purpose to make stuff bigger :) ).

      The other is we have HP thinclients and default USB drive redirection is disabled, however a few users do have access. Also customizing this would require a second collection.

      Ideal would be to create multiple collections with the above settings directing you to all sessions host servers. I have found its possible for a collection pointing to a single server but using this means loadbalancing is gone.

      Any thoughts would be appreciated.


  6. Aaron says:

    Hello, thank you for this terrific guide! I followed this guide but combined a few roles to save resources. My setup:

    –1 New 2012 R2 DC
    –1 New 2012 R2 server hosting broker, gateway and web server roles
    –2 New 2012 R2 session servers
    –1 SSL wildcard cert (seems to be working fine)

    From outside I am able to login to the web logging at Login works, click full desktop and login to desktop session works fine. My scenario is we have existing thin clients, many are older. I want to use the RDP client to connect to the FQDN outside address. I have checked on the Gateway properties within the Remote Desktop client. When I initiate a session, I am placed on to the web server, meaning my session goes directly to the web server. I do not have port 3389 open to any server at the firewall. I am not redirected to a session server. I have opened ports TCP 443 and UDP 3391 to the Gateway / Web server.

    How do I get an RDP client from outside the LAN to be able to receive a session from the “farm.” We are only looking for full desktop sessions, not RemoteApp sessions.

    Thank you for any assistance.

    • Arjan Mensch says:

      Hi Aaron.
      I’m typing this on a public computer with no resources at hand to check my setup, so this response is unverified:
      – If you want your TCs to connect to the outside address you might want to disable “do not use gateway for local addresses” in the app settings of IIS that hosts your WebAccess pages
      – If you want clients to connect using RDP I suggest using the Remote Applications app found in control panel. Your clients would connect to https://url/webaccess/webfeed/webfeed.aspx
      If you want your clients to use MSTSC.exe you must create an RDP file for those users with the Gateway option enabled.

      • Aaron says:

        Thank you for the quick response. We are trying to use the native RDP (mstsc.exe) from Windows 7 Embedded, Windows 8.1 desktop and older thin client devices that have older RDP versions. They currently hit Windows 2003 terminal servers so we want to deliver a similar desktop experience with minimal for the user to change, i.e., change the current IP address for the FQDN on the RDP client software. When we do this we get a session from the web server. If we login to the RdWeb site, pass logon credentials and download the RDP shortcut and manually run it we get a session from the session server. So when the .rdp file comes down from the web server everything works as expected. When we try to copy all the settings from that rdp file to a new one and save it we get connected to the web server and not the session server. How can we make the typical remote desktop client whether on a thin client or Windows machine work with the gateway services?

      • Arjan Mensch says:

        Hi Aaron,
        Best practice for internal clients: create a DNS round robin A-record that is on your cert. Create the round robin for all your session hosts. Connect the RDP file to this round robin file. Each session that is received directly by a session host will be redirected to the broker which in turn will redirect your client to the most suitable session host

  7. Yinka says:

    Hi Arjan,

    Very nice and detailed post. Kudos for the time spent on putting this together.

    I have a small setup and am wondering if this is possible, if so you can just give a highlight on how:

    1. Can I load balance between two nodes SERVER A and SERVER B with each server hosting all the roles (RD Connection Broker, Session Host, Web Access and Licensing etc. no need of RD Gateway, it’s being used internally) such that if SERVER A goes down, SERVER B will accept connections etc.

    I currently have one server set up with a few users doing remote apps, which is working fine, and am wondering how I can have redundancy should server A go down. Keep in mind, like I said, my present server is hosting all the roles including licensing.

    2. If that is possible, would it mean that I will have to separate the License Server role?



    • Arjan Mensch says:

      Hi Yinka,
      Yes you can load balance that way. Your WebAccess roles need to be load balanced using a virtual IP (Microsoft NLB works fine, or any third party load balancer will probably work as well).
      Configure the Broker in HA mode and your sessions are load balanced as well.
      I’d separate the license role which would work on any DC as well, and separate the SQL instance for the broker.

  8. Rogier says:

    Hello Arjan, great and crystal clear tutorial. Thx a lot.

    After building a working 2012 R2 RDS farm, I started to create a VDI farm with multiple collections for Windows 7 SP1 and Windows 8.1.
    Unfortunately I have a problem connecting to my Windows 7 VDI desktops externally, but I can’t find a solution that solves my problem. Hope you can help me out. ;-)

    My setup:

    Our RDS/VDI farm has 1 RDWEB/GW, 1 RDS host, 2 HA RDBrokers and 1 RDVH.
    All servers are Windows Server 2012 R2. The domain internally and externally is the same “”. Connecting via RDWeb to our 2012R2 RDS host works great, as well as connecting to our Windows 8.1 VDI desktops. This works internally as well as externally.
    We use a Comodo Positive SSL wildcard certificate for “*”.

    I also created a collection for Windows 7 SP1 desktops. The Windows 7 master image has SP1 installed as well as all Windows Updates (including KB2592687). When I login externally via RDWeb and connect to the Windows 7 desktop pool, I get a certificate warning that “” is using a non-trusted certificate. We are able to logon to Windows 8.1 VDI desktops with no certificate warning, as well as our 2012 R2 RDS hosts. Only with Windows 7 SP1 VDI desktops we get this certificate warning. After pressing “yes” on the certificate warning the connection tries to establish but it hangs for hours on “The remote connection is starting…” and nothing happens.

    After hours of googling I can’t find the solution.

    Hope you are familiar with my problem and you can help me out?

    Many thanks for your help.

    Grtz Rogier

    • Arjan Mensch says:

      Hi Rogier,
      No clue what could cause that. I’m running several Windows 7 pooled and personal collections with no problems at all.
      My images are also fully up to date. RDP version in my Windows 7 boxes is 6.3.9600.16415. Note that not all RDP updates are applied through Windows Update. You might have to download one or more updates manually. I based my version on this table:

  9. Rohan says:

    Hi Arjan,

    In this we have two Session Server, so we can access through Gateway Name. how can we design if we want to put the two server behind the F5 load balancer. can you help on this.

    • Arjan Mensch says:

      Hi Rohan,
      I have no experience using the F5 as a loadbalancer for sessions. I’m not even sure if you can. You can use the F5 for loadbalancing the Web Access and Gateway roles though.
      I think you need to search the F5 community for a definitive answer to this one.

  10. Rohan says:

    Hi Arjan,

    Added two servers in the Session Host, when I connect with one server and log off and try to connect again, it will send me to the same server. I’m using the server IP address to connect to the servers.

    • Arjan Mensch says:

      Hi Rohan,
      That is normal behaviour. The Broker determines where your session should go based on server availability, business, sessions, etc.
      If both servers are equal and no sessions exist, chances are you connect to the server you previously connected to. Load dividing by the Broker is not a round-robin process.

  11. Rohan says:

    Thanks Arjan,

    As we know, if the Redirector (RDCB) goes down, users are not able to log in to the Terminal Server (RDSH).

    If we configure and add another RDCB to it, then how does it work? Will the other server be a part of the existing farm, and how is the connection being done with the SQL Server?

    Or is it fine to go with a single RDCB? But that points to a single point of failure even though we have two RDSH servers.


  12. Rohan says:

    Adding on this.

    As per the above scenario, one (RDCB) and two (RDSH). Can we create two entries in the DNS as below? Rather than separate Zone. – –

    • Arjan Mensch says:

      Hi Rohan. You don’t need 2 entries if you have 1 CB. If you have 2 CBs, create 1 zone with 2 empty a-records, pointing to the ip-addresses of the CBs. If you have just 1 CB, then only 1 entry is needed.

      • Rohan says:

        single DNS entry for 2 session host, you mean to say if we have 1 CB and 3 or 4 SH server we need single entry for connection broker.

        and connection broker internally redirect the request with the Session host server as per the load.

      • Arjan Mensch says:

        Almost. In case of multiple Session Hosts, I’d create Round Robin DNS for the Session Hosts.
        A user connects to the Round Robin DNS name, gets redirected to the CB, and the CB redirects the user to the correct Session Host. A user session ALWAYS gets redirected to the CB.

  13. Steve Gross says:

    I have been struggling to produce a flawless RemoteApp deployment. Now I’m down to one last problem, but it’s a major one.

    There are two distinct user groups for my deployment. One group is remote web users. The second group is local users accessing via a thin client.

    If I set the Session security to “Negotiate”, then the deployment works correctly for Remote users, but local thin client users get prompted for a second set of credentials; moreover, once they type in the password again, it never works. If I set the Session security to “RDP Security Layer” or “TLS”, the local users work fine but the remote users hang and never can run the Remote Apps.

    Advice and suggestions welcome. Thanks.

  14. Rohan says:

    UPD support the NFS Share??

  15. bkleef says:

    Arjan you should check this out (didn’t write the article):

  16. Dallas Bunton Jr says:

    We have 1 CB and 2 session hosts and in DNS we have 2 records for farmname, 1 for each IP address of the session hosts. I can connect using the farmname and in my tests I keep going to the same session host. How do I know everything is ok and how does the CB come into play?

    • Arjan Mensch says:

      Hi Dallas,
      You can test this setup by disabling logons to that first server. You can do this in server manager.
      User -> connects to farm -> round robin DNS points to a session host -> session host asks CB where to put this session -> if resources and connections are allowed session stays on that host, if not, session is redirected by CB to another host.

  17. NK says:

    Hi Arjan,

    First off, thank you for getting everything through step by step. We have deployed everything using your steps. I have a couple of questions: we have set up the process for web right now, but we want to have the users access it from any device, not just the web only, like an iPad using the remote desktop client, or Android. Can you please guide us on what needs to be enabled to get this working from any device?

  18. Sean-Ryan Sullivan says:

    I know this is an older article but I had a few questions that I can’t seem to find the answers to. 1) If I want to load balance multiple SH Application servers, do the same exact apps need to be installed on each SH? Does the CB know that the same apps are installed on each SH? and 2) If they are setup on the CB as being load balanced, do I still need to setup a round robin DNS entry for the farm name? It appeared according to this article that the CB performs all the load balancing between the SH’s.

    I currently have 2 RDS servers where both are SH’s but one of the two has all the other roles as well. My plan is to create a new server with just the CB, Web Access, and gateway roles and implement my existing SH’s (while removing the CB roles from the one) and create a new load balanced collection.

    Any help would be greatly appreciated.

  19. Adrian Graves says:

    I found this article a great help, I have a quick question. If we had an application installed on only one server in the farm, is it possible to share it among the other 3 servers to present it to the users the same as a Citrix session?

  20. Tony says:

    Hi, Can you use server 2012R2 RDS as the old fashioned terminal server, so that people can just rdp to it.

  21. alessio says:

    Hello Arjan,
    just wanted to understand the role of CB in 2012r2 with a simple three servers setup: two RDSH and one CB (with web service installed).
    I’ve read that with 2012r2 the role is different from 2008r2, in the meaning all the connections pass through the CB and are later distributed to the available RDSH. So theoretically a DNS RoundRobin of the RDSH should not be necessary.
    Is that correct? If so, why do I get “connection denied because the user is not authorized for remote login” when I connect directly to the CB?

    many thanks

    • Arjan Mensch says:

      Hi alessio,

      The CB is not a session host, that is why you are denied.
      Always connect to a session host, using either round robin DNS farm name, or directly to the session host.
      When a session host receives a connection it always checks with the broker if it’s ok to set up the session. If the broker says another server is a better option for the session, the user gets redirected to the correct session host.
      To recap: don’t connect to the broker.

      • alessio says:

        Arjan, thanks for your quick answer!
        well I know It’s now a session host, either I did not install the service on that server, only Broker and it’s web part. My wondering was why is not redirecting to my RDSH servers
        For what I’ve read before jumping to your page, with 2012R2 the broker plays a more central role and clients should connect directly to him, via its web page or rdp and once the connection is set the broker redirects to the session hosts.
        Right now I’ve found this technet page that might explain why it’s not working:

        we are trying to use some old sunray2 thin clients, so why we wanted a more “direct” connection

        thanks for your help!

      • Joel Chema says:

        Hi Arjan
        May you please explain the DNS farm name a bit more. I couldn’t find that in your blog.
        Are you talking about creating an internal DNS zone name & adding all the 3 session host servers in the zone? Is this for RDP session load balancing reasons?
        Or if you can explain how to create the DNS Farm name?
        Thanks in advance

  22. YES says:


    I am having trouble with multiple rdp session (saved on network location) trying to connect a 2012 server and can’t remember the password. When password entered manually it works? Have enabled delegate NTLM setting in local GPO with. Followed all mentioned below:
    When using remote desktop connection to connect to windows server 2008, 2008 R2, sbs 2008, vista or windows 7 and would use saved credentials. This doesn’t work when you start the connection you get the following error:

    “Your system administrator does not allow the use of saved credentials to logon to the remote computer computername/ipadress because its identity is not fully verified. Please enter new credentials.” “The logon attempt failed”

    Solution: This happens when trying to connect to a computer / server in another domain and no trust relationships exists. Windows then steps back to use NTLM and the default domain machine policy prohibits use of saved credentials. You can change this domain based or for a individual machine:

    Start local group policy editor, start – run – gpedit.msc
    Go to Local Computer Policy –> Computer Configuration –> Administrative Templates –> System –> Credentials Delegation
    Edit “Allow Delegating Saved Credentials with NTLM-only Server Authentication”
    Enable the policy, click Show and enter the value “TERMSRV/*” into the list.

    Do the same thing for the following policies:
    “Allow Delegating Saved Credentials”, “Allow Delegating Default Credentials with NTLM-only Server Authentication” and “Allow Delegating Default Credentials”

    Close the policy editor,
    open a command prompt and use “gpupdate /force” to apply the policy directly
    – See more at:

    But DOESn’T work at all. Please help.

  23. jaz says:


    1 server RDCB,RDG,RDWS,RDLS hostname
    3 server RDSH host name, ,

    I just want high availability of my all RDSH servers

    if I add a record on my DNS of all my RDSH servers with a single name like

    question is

    1 How many certificate I need as per my understanding we need wild certificate right ?
    3 how client can access my RDS from outside with which name? (should I point my public IP to one of my RD host server with nat or what ?
    4 what I need to do with public dns point to ?

    Thanks in advance

    • Arjan Mensch says:

      Hi Jaz,
      This is all answered in the blog series, but in short you don’t need a wildcard as I show in the series, you should deploy webaccess / gateway to allow outside access, and create public dns entries for those (can be the same).
      Add all session hosts round robin to DNS and make sure the farm name is an FQDN that has a public A-record as well (so no internal domain names). Don’t ever open public ports to RDS session hosts..

      • Jaz says:

        Thanks arjan for reply

        I am still confused,

        You mean to say that public ip should be nat with gateway ip address ?

        Gateway fqdn name

        Also created Round robin with same name

  24. beninmaliBen says:

    Hi, we can’t add any servers to our collection, we get an error stating “Unable to retrieve the session collection properties” any ideas?

  25. Joel Chema says:

    Actually, I think I figured it out. thanks anyway

  26. adam says:

    We have been having fits with free Adobe Reader on our 2012 R2 RDS server. It is utilizing VHD for user profiles. Is there a solution?

    • Arjan Mensch says:

      Hi adam,

      Yes there is, but it’s not a nice one ;)

      Create a file called “acroct.ini”.
      Using a text editor, enter the following into the file:

      Depending on your configuration, this is where you need to place the file for it to work:
      – C:\Windows
      – C:\users\\Windows
      – \Windows

      The problem is the way Acrobat Reader renders the fonts. This leaves Z@xxx.tmp files in the user’s profile, which are locked by some dll. The .ini solution should fix that.

  27. Joel Chema says:

    Hi Arjan,
    Me again, bumped into an issue.
    So my setup has 3 session host servers. I have already applied the wildcard certificate using the server manager for webaccess, gateway, connectionbroker.
    I am using a DNS round robin session host farm for RDP.
    What I am noticing is, when I am trying to RDP using the farm name, I am getting a certificate error saying that the certificate was issued from the session host and the certificate has the internal FQDN of the session host server name and doesn’t have the wildcard cert name, although I imported the wildcard cert in each session host server’s local computer personal store.
    Any suggestion?

    • Rei says:

      Hello Joel,
      I am stuck in this same place you are. I have battled this for quite a time to the best of my ability to no avail. I see that you did not get any reply to your question. Have you been able to make any progress? Any help is good.
      T H A N K Y O U ! !

      • Arjan Mensch says:

        Hi Rei, and sorry Joel for missing this one,
        You should not connect to the farm name, or use round robin for the session hosts.
        You should connect to a session host name. The session host will always redirect the session to the broker and the broker then determines which session host will handle the session.
        So loadbalancing sessions is no longer handled by DNS round robin (which isn’t loadbalancing at all!!) but by the broker.
        Do not let your users connect to the broker or the dns farm name. Both won’t work.

      • jeffchowdhury says:

        Hey Rei
        Apologies for the late reply, I didn’t see your response.
        I found another article in TechNet which asked to do the same, get users to connect to one of the session host servers for RDP. Otherwise just use the WebAccess for Remote apps.

  28. Hasnain Naseem says:

    Hi Arjan,
    I saw your demos on DaaS, it is great and it helps me a lot. Thank you for this. But I have one question.
    Can you please tell me how many users can be handled by one session host?
    For example: if I deploy DaaS service for 5000 users, how many session hosts will I need on deployment?
    I also want to make load balancing between multiple session hosts. If you tell me how many session hosts I need for making a DaaS environment for 5000 users I will be very thankful to you…

    • Arjan Mensch says:

      Hi Hasnain,
      It totally depends on the kind of applications that will run on the session hosts. Take Azure for example. Azure Remote Apps by default runs on A3 machines. That’s 4 cores, 7GB of ram, and depending on the plan that VM will host 10 sessions, or 5.
      Whenever I need to calculate on on-premise hardware however I stick by the ancient rule of thumb: 4cpu 30GB memory for 20 sessions, and work from there.
      Loadbalancing over the session hosts is handled by the connection broker.
      Word of caution however. 5000 Sessions is pushing the limits for Microsoft RDS. The server manager will disappoint you when 500+ concurrent sessions are reached, so look for other ways to manage sessions (powershell!).
      Microsoft recommends using partner software like Citrix or Dell Wyse vWorkspace (my favorite) when reaching 1000+ expected sessions.

      • Hasnain Naseem says:

        Thank you for the suggestion Arjan, I will work on that. If I get any query or problem I will contact you… once again, thank you.

  29. Hasnain says:

    Hi Arjan, I need to ask one more question. If I simply deploy RDS for 500 users, how many CPUs do I require, meaning how much RAM or processor? I have only two session host servers. Can you help please? I will be very thankful to you.

    • Arjan Mensch says:

      Hi Hasnain,
      That would be near impossible I think. We calculate the number of servers by dividing the number of concurrent sessions by 20 (20 sessions per server). Depending on applications we then allow for 2-4 (v)CPUs and 20-32GB memory per server.

  30. Den says:

    Hi, I’m trying to make HA RDS Farm but with round robin DNS functionality it seems to be not very HA at least not that responsive as I want it to be… so I have two Connection Brokers configured in HA (should be fine but I haven’t tested yet what happens if one CB is down), I have one RDGW server and two RDSH servers. In my DNS server I have two records, say: pointing to RDSH1 and another pointing to RDSH2. When I do nslookup for I of course get two IP addresses, but when I do ping to it sticks with one IP address and doesn’t switch between two very often. So if I shutdown RDSH1 we will never be able to connect to RDSH2 using round robin DNS record. Some users will be lucky, but this doesn’t look like a solution. I think there should be another way where we connect to a broker (otherwise what’s the point of that broker???) and broker determines which RDSHxx is alive which one is least loaded and so on…
    Thank you!

    • Arjan Mensch says:

      Hi Den.

      This has been answered a few times before. The brokers handle session loadbalancing and redirection. Do NOT use dns farm name or dns round robin or whatever dns trick you can think of. That’s not HA and doesn’t work. As long as your deployment has 2 or more session hosts, you’re fine.

      • Den says:

        Hi, thanks for that, I’ve seen those answers… I’ll rephrase my question: can we automatically redirect users to RDSH if one for that they have got a shortcut is down? Obviously, we can create as many shortcuts as we want for each RDSH in the deployment, but then it comes to tens of servers and hundreds of PCs… How do you deal with that? Thanks.

      • Arjan Mensch says:

        Hi Den,

        Your best config for that would be to use the webaccess role and configure the remote desktop and apps program on each PC. That would put the published desktop RDP from webaccess into the user’s startmenu and will always work, no matter if one of the session hosts was down.

  31. Scott says:

    Hi, We have an RDS environment that has 7 collections in it with 35 Hosts. Everything works great, but last month we started to experience an annoying problem. One of the hosts will just stop accepting connections randomly and the users get “stuck” trying to login. It basically times out. The suspect host already has quite a few users on it. We have found the only way to resolve this is to reboot the server and all is well again. What could be causing this? We never lose the network connection to the hosts. We are thinking that it was caused by the last round of updates from M$ as that is when the issues started. Any feedback would be great

    • Arjan Mensch says:

      Hi Scott,
      The users that cannot logon anymore, is the session established at all or is it the client that times out before a session is established?

      • Scott says:

        The session never gets established. This happens to me also from my Surface tablet and I can ping the server. I can log in to the server through the console (these are VMs, ESX 6.0) and have found that if I restart the RDS service it allows users to log in again, but it kicks everyone off the server. These servers are not overloaded, sometimes they only have a couple of users connected to them. Thanks!

      • Scott says:

        So I have another symptom. When we notice a server does not have anyone on it, we open a console session and see there are a bunch of “ghost sessions” on it with 4 processes running and no user name. So in the task manager under users, we see a bunch of unnamed sessions with 4 processes running. These cannot be logged off but after 15 minutes or so they drop off.

  32. Ernesto Villalobos says:

    Hello! Thank you in advance for taking the time to read all of our questions and reply to them.

    I have the following scenario:

    1x Web Access Server
    1x Broker Server
    1x Gateway Server
    2x Session Host Servers

    I possess an SSL certificate under the name which contains inside two other subdomains: and

    I have installed this certificate on all servers; I followed all of the steps on the previous part but I do have an issue:

    I can connect internally and even run my APP (paint or calculator), but externally I can access the website, authenticate and even see the apps listed; once I try to open the rdp file that downloads, I authenticate (or at least asks for authentication) and then gives an error about gateway being temporarily unavailable.

    Do you have any ideas on what might be causing this issue? I only possess one public IP at the moment and I am redirecting 443 to the webaccess server and udp 3391 to the gateway server. Still won’t work.

    Thanks again!

    • Arjan Mensch says:

      Hi Ernesto,
      If you have the Gateway Role and the Webaccess Role you MUST have 2 external IP’s or find another way to redirect webaccess:443 to the webaccess-server and gateway:443 to the gateway-server. Webaccess must be reachable on 443, Gateway must be reachable on 443, and optionally UDP 3391.
      If you only have 1 external IP, you can host the Webaccess and Gateway roles on the same machine, but both roles MUST use the same certificate / FQDN then.

      • Ernesto Villalobos says:

        Thank you so much for your help, I will be doing that.

      • Sam says:

        I went through whole thread and like to clarify a few things that piggy back to your answer on this thread.
        If I had following resources, what would be best setup?
        a. 2 Public IP to map to outside world and 1 wildcard certificate to use on all hosts where needed.
        b. 4 Windows 2012R2 servers. One of it is running as domain controller and TS license server. Let’s call them TS1, TS2, TS3 and DC1
        c. A Barracuda load balancer that could load balance whatever I tell it to balance.

        Avoid single point of failures.

        Would this work?
        1. Assign Session Host role to all 3 TS.
        2. Assign Broker role to TS1 and TS2
        3. Assign Web Access role to TS1 and TS2
        4. Assign Gateway role to TS1 and TS2
        5. Configure load balance policy for HTTPS for Web access traffic. Let’s assume the load balancer VIP is x.x.x.x. Map that x.x.x.x address to a public IP(A.A.A.A) for external access.
        6. Configure load balance policy for RDP for the Gateway. Let’s say VIP is x.x.x.y. Map a public IP(A.A.A.B) for external access via TCP/3389.
        7. On public DNS map to Gateway VIP public NAT address. People who use the native RDP client would come through this DNS record.
        8. On public DNS map to Web Access public NAT address. People who come through the Web Access interface use this DNS mapping.

        Would this work? Or is there a better way to achieve this? Right now I have Barracuda doing RDP load balance for the session host IPs and have lots of intermittent connection issues. People sometimes get connections while sometimes not. Trying to simplify it without losing redundancy.

      • Arjan Mensch says:

        Hi Sam,
        That would be a viable way to go. Best would be to have 4 extra servers, 2 for broker and 2 for combined webaccess / gateway.

  33. tejamama says:


    I have set up two RDSH, one of the servers being a RDCB, a session based full remote desktop deployment with the intention to evenly use resources between the two RDSH.

    Right now, I am connecting to the RDCB, which is also one of the session host servers, and the sessions are being redirected across the two.

    We are connected via VPN to our local network and access these servers. In this scenario, do I need a RDGW at all? Articles on the internet point to 2008 R2 and kind of mix up the deployment scenarios between the two, which is adding to the confusion. Could you please explain?

    Secondly, I’ve created a UPD share and intend to make it a HA share (can I use failover clustering for this HA share? Can more than one server simultaneously access the share using failover clustering here?). Thanks.

  34. Maxim says:

    Hi Arjan, if you’re still around.

    I’d like to get some advice. I have a setup of two NLB-enabled RDG servers united in a RDG-farm with several unlinked RDSH servers behind, of either 2012R2 or 2008R2 OS version. I have discovered that one of the RDG servers constantly throws errors “Http transport: IN channel could not find a corresponding OUT channel” whenever some user connects through it. NLB states everything is OK and that server is listed as one that has the least priority. Therefore all connections are going through the second server if at all. Should I disable NLB in some way (leave that host as the only one actively accepting connections), connections are stable. As soon as I re-enable NLB, HTTP connections drop. The NLB settings are as follows:
    – NLB cluster mode: Unicast
    – Port balancing rules: TCP/443 – multiple hosts, single IP affinity; UDP/3391 – multiple hosts, single IP affinity.
    Both RDG servers have a single network interface. Also should I set cluster to multicast, it stops working – apparently for multicast NLB I need extra setup on network level, which I might not be able to perform.
    How should I set up NLB so that the servers will not drop RDP connections?

  35. Bikram says:

    Hi Arjan,
    I deployed RDS infrastructure successfully by following your article. Great article. Thank you. Keep up the good work. I have a simple question. I have 3 session host servers and we use some accounting software which is updated frequently. How do I RDP to each server without going through the broker and update them separately? Is there a way to bypass the broker/gateway so that I can just RDP to them?

    • Arjan Mensch says:

      Hi Bikram. I suggest to do this internally only since you will go through gateway and broker when accessing rdp externally. In your RDP client connect to console, that should do the trick.

  36. Brad says:

    Hi Arjan,

    Thanks for the great blog and very valuable information.

    In a few replies above, you mentioned in both replies to not use the farm name or do DNS round robin, but rather leave it up to the broker.

    However this seems to contradict information I’ve read elsewhere online, in that the RDP client should be configured to connect to the farm name.

    In our case, we have 2x RDSH servers, and 1x RDCB server.

    Can you please clarify?

    Thank you

    • Arjan Mensch says:

      Hi Brad, if you instruct clients to connect to a farm name, and a host is down, clients have a chance of being unable to connect.
      Use a downloaded rdp file from the webaccess site, or use the native app that connects to the webfeed. Both methods have an rdp file that redirects the client to the broker and then to an available rds host.

  37. Michael says:

    Hi Arjan, thanks for the excellent explanation.

    I have a server RD Gateway and a server for RD station, rd web, Broker.
    I created an application collection so that domain users access the app on web and wcx.
    I want to set this scenario so that users can connect to the App only on web, but they cannot connect to the server by mstsc.exe.

    I tried but I can not find a solution!!

    Help me please, What’s your solution?


  38. Steve says:

    I forgot one of those steps when rebuilding just now. Thanks for keeping this up and searchable.

  39. cli says:

    Does the public certificate need the session host names in it? I’m getting a certificate error “the identity of the remote computer cannot be verified.” I have had just the gateway, rdweb and broker on the public certificate for years without any cert errors, but now I’m getting certificate errors because the certificate names do not match the session host names. I thought as long as you have the broker’s name in the certificate, the session host names are not required. The strangest thing is that not all clients get this message. Any ideas? Thanks.

    • cli says:

      I ended up buying a wildcard cert and still it does not work. Still getting the cert error for each session host. Any help? Thanks.

  40. Cesar Mejia Tamayo says:

    Hello, excellent post. I have implemented an RDS farm: 4 servers that have these roles rd web access, 4 rd session host, 4 rd gateway, and one that has the role of licensing and connection broker. The problem I have is that when you start a session by terminal of the domain some sessions enter without problem and others remain in black screen, and some client computers do not connect: the requested session access is denied. Error: Current async message was dropped by async dispatcher, because there is a new message which will override the current one. Thank you

  41. Cesar Mejia Tamayo says:

    Thanks for the answer. I confirm my architecture, could you tell me what’s wrong?

    Server 1 Session Host RD, RD Web Access

    Server 2 Session Host RD, RD Web Access

    Server 3 Session Host RD, RD Web Access

    Server 4 Session Host RD, RD Web Access

    Server 5 Session Host RD, RD Gateway, RD Licensing, RD Connection Broker

    The problem that it throws me is “the requested session access is denied” and some sessions remain in black screen.

    • Arjan Mensch says:

      Again, do not combine any of the roles with the session host role in this setup. Combine RDWA and RDGW and separate the broker. Add the license role to a DC or some other server.
      This is all in the guides.

  42. wcs1236 says:

    Hi Arjan, I’ve been reading through your guide and the questions and answers and I’m confused about your advice to use, or not use round robin for connecting to a session host farm. It looks like in some of your earlier responses you say to create a round robin for the farm name in DNS, but then in later responses you say not to connect to the dns farm name but directly to a rdsh name and let the CB handle creating the session.

    The issue I’m having is I have all (14 session host servers) of my session host servers configured with round robin in my DNS to a single farm name. If all of my session host servers are up and running, this works fine, but if only 3 or 4 of my session host servers are up, the connection will hang as it looks for an available session host server to connect to.

    So, if I can’t connect to the session farm name, where should I point the RDP client to try and connect? If I try and connect to a single session host name and it’s not running, the connection fails.


    • wcs1236 says:

      I think I’ve figured out my round robin issue. It looks like windows 2012 remote desktop really wants you to use the RDWeb to access RDP, rather than using mstsc.exe from the local workstation. However, I have a very heterogeneous environment of thin clients, Macs, windows 7, 8, and 10, so using a standard configuration of the mstsc.exe is what worked in all of these environments.

      By downloading the RDP from RDWeb and evaluating the RDP file it created I think I found my resolution.

      The solution I found was to remove my DNS round robin farm name, point all of my RDP clients to my CB Farm name and add the following lines to the individual RDP files based on the farm they needed to connect.

      use redirection server name:i:1
      loadbalanceinfo:s:tsv://MS Terminal Services Plugin.1.

      Early testing appears to be working very well.

      For anyone else reading this, if you are unaware of how to edit the RDP file, just right click on your RDP file, select ‘open with’ and choose ‘Notepad’. Make sure when you’re done editing the file that it still has open with default program of Remote Desktop Connection

      • wcs1236 says:


        loadbalanceinfo:s:tsv://MS Terminal Services Plugin.1.YOURFARMNAME

      • Arjan Mensch says:

        Hi wcs,

        I was about to mention that it would work without round robin by simply downloading the rdp file and distributing that.

        Cheers for solving it yourself and thanks for posting your solution!
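
A check for the two .rdp settings wcs1236 describes in comment 42, added here as an example and not part of the original comments: it parses an .rdp file's `name:type:value` lines and reports whether the file points at the broker, enables redirection, and names a collection in `loadbalanceinfo`. The function names, the host name `rdcb.example.test` and the collection `FARM_EXAMPLE` are constructed for illustration.

```python
"""Check .rdp text for Connection Broker redirection settings (added example)."""

# Prefix quoted in the comment thread; the collection name follows it.
LB_PREFIX = "tsv://MS Terminal Services Plugin.1."


def parse_rdp(text):
    """Parse 'name:type:value' lines into {name: (type, value)}."""
    settings = {}
    for raw in text.splitlines():
        line = raw.strip().lstrip("\ufeff")  # tolerate a leading BOM
        if not line:
            continue
        parts = line.split(":", 2)  # the value itself may contain ':'
        if len(parts) != 3:
            continue  # not a setting line
        name, kind, value = parts
        settings[name.strip().lower()] = (kind.strip().lower(), value.strip())
    return settings


def check_broker_redirection(text, broker_fqdn):
    """Return the collection name and a list of findings for one .rdp file."""
    settings = parse_rdp(text)
    findings = []

    _, address = settings.get("full address", ("s", ""))
    host = address.split(":")[0].lower()  # drop an optional :port (IPv4/FQDN only)
    if not host:
        findings.append("full address is missing")
    elif host != broker_fqdn.lower():
        findings.append("full address is not the broker: " + host)

    if settings.get("use redirection server name") != ("i", "1"):
        findings.append("use redirection server name:i:1 is missing")

    _, lb = settings.get("loadbalanceinfo", ("s", ""))
    collection = lb[len(LB_PREFIX):] if lb.startswith(LB_PREFIX) else ""
    if not collection:
        findings.append("loadbalanceinfo does not name a collection")

    return {"collection": collection, "findings": findings}


# Constructed sample files (not taken from a real deployment).
GOOD_RDP = """full address:s:rdcb.example.test
use redirection server name:i:1
loadbalanceinfo:s:tsv://MS Terminal Services Plugin.1.FARM_EXAMPLE
"""

BAD_RDP = """full address:s:rdsh01.example.test:3389
loadbalanceinfo:s:tsv://MS Terminal Services Plugin.1.
"""

if __name__ == "__main__":
    for label, sample in (("good", GOOD_RDP), ("bad", BAD_RDP)):
        print(label, check_broker_redirection(sample, "rdcb.example.test"))
```

Files saved by mstsc.exe are often UTF-16 encoded, so decode them accordingly before passing the text in.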
