Home / server / Questions / 436313
In Process
Mani
Asked: 2012-10-10 01:10:52 +0800 CST

How to restrict user to have single session on Windows terminal servers

  • 772

I have two windows 2008 R2 Terminal servers and have given users access to both server to keep redundancy/ load sharing.
How to restrict users from logging on both servers at same time?

windows-server-2008

3 Answers

    1. Setup an NLB cluster for the servers.

    2. Set up Session Broker

    3. Enable the GPO setting "Restrict Terminal Services users to a single remote session" in the GPO that applies to the servers.

    These three things working together will accomplish your goal.

    • 1

  2. From what you have described there appears to be nothing to stop all the users simultaneously logging onto either server. That would of course not provide load sharing. Consider allowing each user to log onto only one server, rather then letting the user choose one. To cover the possibility of either server going down you could also create three scripts, to be run as required.

    1. Set all user accounts to log onto server A
    2. Set all user accounts to log onto server B
    3. Set user accounts spread across the servers, perhaps using a list of who is assigned to which server
    • 0

  3. If both servers are in domain, you should set up the Remote Desktop Conection Broker and make a Remote Desktop Server Farm

    The Broker's work is to forward users to mostly free servers. It is not a 'weak link'. The connection process goes like this:

    • User discovers IP address from DNS name. This DNS name is associated with all servers in your farm, so, you need to create those DNS records manually with small TTL - about 5 mins. So you will have secords like

    TERMINAL-FARM 172.16.16.1 TERMINAL-FARM 172.16.16.2 TERMINAL-FARM 172.16.16.3 etc - The RDS server asks Broker if he need to redirect this user to other server. If the broker is down, it just accepts the connection and works like server is not farm member

    • Broker looks up if user already have session opened on any farm membet RDS server. If so, it tells RDS to redirect user to this server. Then Broker looks up for all RDS servers' LoadIndicator* and tells RDS server to redirect user or to accept the connection.

    • If Broker told RDS server to move user to other server, the RDS server responses user to switch to connect to another IP-address (when redirecting, IP addresses are used, not DNS names)

    • The RDP client reconnects to the server that it was told to connect to. If client uses RDP encryption, then he is asked for password again, if TLS encryption, then user authenticates automatically.

    LoadIndicator is a numeric value for each server in farm. Ordinary is computed by formula LoadIndicator = (ServerWeight * ( LoggedOnUsers + PendingRedirections)). If server is in Drain mode, LoadIndicator has a very big value (65535 I think), so connections are never redirected to server in Drain mode

    • 0