RDS: Members of an RD Gateway server farm should be available on the network and configured identically

Applies To: Windows Server 2008 R2, Windows Server 2012

This topic is intended to address a specific issue identified by a Best Practices Analyzer scan. You should apply the information in this topic only to computers that have had the Remote Desktop Services Best Practices Analyzer run against them and are experiencing the issue addressed by this topic. For more information about best practices and scans, see Best Practices Analyzer.

Operating System: Windows Server 2008 R2, Windows Server 2012

Product/Feature: Remote Desktop Services

Severity: Warning

Category: Configuration

Issue

At least one Remote Desktop Gateway (RD Gateway) server in the RD Gateway server farm is not available on the network or is not running the same version of the operating system as the other members of the RD Gateway server farm.

Impact

If some of the members of an RD Gateway server farm are not available on the network or are not running the same version of the operating system, users might experience different functionality depending on the RD Gateway server through which they connect.

Resolution

Ensure that all the RD Gateway servers in the RD Gateway server farm are available on the network, are running the same version of the operating system, and are configured identically.

The RD Gateway servers that are added to the RD Gateway server farm must be domain members, and they must each have identical authorization policies: Remote Desktop connection authorization policies (RD CAPs) and Remote Desktop resource authorization policies (RD RAPs).

Use the following procedures to help verify that the RD Gateway servers in an RD Gateway server farm are available and configured correctly:

  • Verify all RD Gateway server farm members are available on the network

  • Verify all RD Gateway server farm members are members of the Active Directory domain

  • Verify the operating system and version on the RD Gateway server farm members are the same

  • Verify the RD CAPs, on all RD Gateway server farm members, are configured the same

  • Verify the RD RAPs, on all RD Gateway server farm members, are configured the same

Membership in the local Administrators group, or equivalent, on the RD Gateway server that you plan to configure, is the minimum required to complete this procedure.

To verify RD Gateway server farm members are available on the network

  1. On the RD Gateway server farm member, open an elevated Command Prompt window. To open a Command Prompt, click Start, point to All Programs, click Accessories, right-click Command Prompt, and then click Run as administrator.

  2. Type ipconfig /all at a command prompt on the RD Gateway server farm member. Make sure that the RD Gateway server farm member has an IP address in the correct IP address range, and does not have an Automatic Private IP Addressing (APIPA) address (an IP address in the 169.254.x.x range).

  3. Type ping localhost to verify that TCP/IP is installed and correctly configured on the local computer. If the ping is unsuccessful, this may indicate a corrupt TCP/IP stack or a problem with the network adapter.

  4. Type ping ip_address, where ip_address is the IP address assigned to the computer. If you can ping the localhost address but not the local IP address, there may be an issue with the routing table or with the network adapter driver.

  5. Ping another RD Gateway server farm member. If you cannot ping the RD Gateway server farm member, this indicates a potential problem with the RD Gateway server farm member, or the network in between the RD Gateway server farm members.

  6. Repeat steps 1 – 5 on each RD Gateway server farm member to verify network availability for all members of the RD Gateway server farm.

To verify the RD Gateway server farm members are members of the Active Directory domain

  1. Open System Properties on the RD Gateway server farm member. To open System Properties, click Start, click Control Panel, and then click System and Security.

  2. On the Control Panel\System and Security page, click System.

  3. On the System page, under Computer name, domain and workgroup settings, click Change Settings.

  4. If the User Account Control dialog box appears, confirm that the action it displays is what you want, and then click Yes.

  5. On the System Properties property sheet, on the General tab, verify the RD Gateway server farm member is a member of the correct domain. If the RD Gateway server is not a member of the domain:

    1. On the System Properties property sheet, on the General tab, click Change.

    2. In the Computer Name/Domain Changes dialog box, click Domain and type the Active Directory domain name.

    3. Click OK.

    4. When prompted, type your domain name and password to join the computer to the domain.

    5. Restart the computer when prompted.

  6. Repeat steps 1 – 5 on each RD Gateway server farm member to verify all members of the RD Gateway server farm are members of the Active Directory domain.

To verify the operating system and version on the RD Gateway server farm members are the same

  1. Open About Windows on the RD Gateway server. To open About Windows, click Start, and then click Run.

  2. On the Run page, type winver, and then click OK.

  3. On the About Windows page, note the server operating system and version. Verify that the server operating system and version are the same on the other RD Gateway server farm members.

  4. Click OK to close About Windows.

  5. Repeat steps 1 – 4 on each RD Gateway server farm member to verify the RD Gateway server farm members are running the same operating system and version.
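The three checks above (network availability, domain membership, operating system version) can also be collected from one administrative workstation instead of repeating the steps on each server. The following PowerShell script is an added example, not part of the original topic. The member names RDGW01 and RDGW02 are placeholders, and the script assumes the account running it has administrative rights on every farm member and that ICMP and remote WMI are allowed between the hosts.

```powershell
# Added example: placeholder farm member names (assumption, replace with your own).
$FarmMembers = 'RDGW01', 'RDGW02'

function Get-RDGatewayMemberBaseline {
    param([string[]]$ComputerName)
    foreach ($name in $ComputerName) {
        $row = New-Object PSObject -Property @{
            Member = $name; Reachable = $false; PartOfDomain = $null
            Domain = $null; OSCaption = $null; OSVersion = $null
        }
        # Availability: the scripted form of pinging the other farm member.
        $row.Reachable = Test-Connection -ComputerName $name -Count 2 -Quiet
        if ($row.Reachable) {
            try {
                # Domain membership (System Properties) and OS version (winver) via WMI.
                $cs = Get-WmiObject -Class Win32_ComputerSystem -ComputerName $name -ErrorAction Stop
                $os = Get-WmiObject -Class Win32_OperatingSystem -ComputerName $name -ErrorAction Stop
                $row.PartOfDomain = $cs.PartOfDomain
                $row.Domain       = $cs.Domain
                $row.OSCaption    = $os.Caption
                $row.OSVersion    = $os.Version
            } catch {
                Write-Warning "WMI query failed on ${name}: $($_.Exception.Message)"
            }
        }
        $row
    }
}

$baseline = @(Get-RDGatewayMemberBaseline -ComputerName $FarmMembers)
$baseline | Format-Table Member, Reachable, PartOfDomain, Domain, OSCaption, OSVersion -AutoSize

# Flag members that are unreachable or not domain-joined.
$baseline | Where-Object { -not $_.Reachable } |
    ForEach-Object { Write-Warning "$($_.Member) did not answer ping" }
$baseline | Where-Object { $_.Reachable -and -not $_.PartOfDomain } |
    ForEach-Object { Write-Warning "$($_.Member) is not joined to a domain" }

# Flag drift: more than one distinct domain or OS version across the farm.
$domains  = @($baseline | Where-Object { $_.Domain }    | ForEach-Object { $_.Domain }    | Sort-Object -Unique)
$versions = @($baseline | Where-Object { $_.OSVersion } | ForEach-Object { $_.OSVersion } | Sort-Object -Unique)
if ($domains.Count  -gt 1) { Write-Warning "Members span several domains: $($domains -join ', ')" }
if ($versions.Count -gt 1) { Write-Warning "OS versions differ: $($versions -join ', ')" }
```

A member that blocks ICMP is reported as unreachable even when it is serving connections, so confirm any such result from the server itself with the steps above.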

To verify the RD CAPs, on all RD Gateway server farm members, are configured the same

  1. Open RD Gateway Manager. To open RD Gateway Manager, click Start, point to Administrative Tools, point to Remote Desktop Services, and then click RD Gateway Manager.

  2. In the console tree, expand the node that represents the local RD Gateway server, which is named for the computer on which the RD Gateway server is running.

  3. In the console tree, expand Policies, and then click Connection Authorization Policies.

  4. In the results pane, in the list of Connection Authorization Policies, right-click the RD CAP that you want to check, and then click Properties.

  5. On the General tab, check the policy name, and verify the policy is enabled. Verify this policy name is the same on the other RD Gateway server farm members.

  6. On the Requirements tab, do the following:

    • Under Supported Windows authentication methods, note the specified methods. Verify the authentication methods are the same used by the other RD Gateway server farm members.

    • In User group membership: (required), note the name of the user groups so that you can ensure that the specified user groups exist in Active Directory Domain Services or Local Users and Computers. Verify the specified user groups are the same on the other RD Gateway server farm members.

    • Under Client computer group membership (optional), verify a client computer group is specified. If so, note the name of the client computer group, so that you can ensure that the specified client computer group exists in Active Directory Domain Services or Local Users and Computers. Verify the specified computer group is the same on the other RD Gateway server farm members.

  7. On the Device Redirection tab, note the device redirection options selected. Verify the specified device redirection options are the same on the other RD Gateway server farm members.

  8. On the Connection Timeout tab, do the following:

    • Check Disconnect after the maximum idle time: and the associated timeout value. If these options are set, note the values, so you can ensure that the specified disconnect after the maximum idle time options are configured the same on all RD Gateway server farm members.

    • Check User session timeout: and the associated values. If these options are set, note the values, so you can ensure that the specified user session timeout options are configured the same on all RD Gateway server farm members.

  9. Click OK to close RD CAP properties.

  10. Repeat steps 1 – 9 on each RD CAP on all RD Gateway server farm members to verify the RD CAPs on all members of the RD Gateway server farm are configured the same.

To verify the RD RAPs, on all RD Gateway server farm members, are configured the same

  1. Open RD Gateway Manager. To open RD Gateway Manager, click Start, point to Administrative Tools, point to Remote Desktop Services, and then click RD Gateway Manager.

  2. In the console tree, expand the node that represents the local RD Gateway server, which is named for the computer on which the RD Gateway server is running.

  3. In the console tree, expand Policies, and then click Resource Authorization Policies.

  4. On the General tab, check the policy name, and verify the policy is enabled. Verify this policy name is the same on the other RD Gateway server farm members.

  5. On the User Groups tab, note the name of the user groups so that you can ensure that the specified user groups exist in Active Directory Domain Services or Local Users and Computers. Verify the specified user groups are the same on the other RD Gateway server farm members.

  6. On the Network tab, note the network resources options configured. Verify the specified network resources options are configured the same on the other RD Gateway server farm members.

  7. On the Allowed Ports tab, note the ports configured. Verify the specified ports are configured the same on the other RD Gateway server farm members.

  8. Click OK to close RD RAP properties.

  9. Repeat steps 1 – 8 for each RD RAP on all RD Gateway server farm members to verify the RD RAPs on all members of the RD Gateway server farm are configured the same.
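Comparing RD CAPs and RD RAPs tab by tab across several servers is error-prone, and a policy that differs on one member means the same user is authorized differently depending on which gateway handles the connection. The following PowerShell script is an added example, not part of the original topic. It reads the policies through the RD Gateway WMI provider classes Win32_TSGatewayConnectionAuthorizationPolicy and Win32_TSGatewayResourceAuthorizationPolicy (not named in this topic), and the member names are placeholders.

```powershell
# Added example: placeholder farm member names (assumption, replace with your own).
$FarmMembers   = 'RDGW01', 'RDGW02'
$PolicyClasses = 'Win32_TSGatewayConnectionAuthorizationPolicy',  # RD CAPs
                 'Win32_TSGatewayResourceAuthorizationPolicy'     # RD RAPs

function Get-PolicyFingerprint {
    param([string]$ComputerName, [string]$Class)
    # The TerminalServices WMI namespace only accepts packet-privacy connections.
    $policies = Get-WmiObject -Namespace 'root\CIMV2\TerminalServices' -Class $Class `
        -ComputerName $ComputerName -Authentication PacketPrivacy -ErrorAction Stop
    foreach ($p in $policies) {
        # Flatten every policy property into one sorted "name=value" string so that
        # any difference in groups, redirection, timeouts or ports changes the string.
        $settings = $p.psbase.Properties | Sort-Object Name | ForEach-Object {
            '{0}={1}' -f $_.Name, (@($_.Value) -join ',')
        }
        New-Object PSObject -Property @{
            Member = $ComputerName; Class = $Class; Policy = $p.Name
            Settings = ($settings -join ';')
        }
    }
}

$all = foreach ($m in $FarmMembers) {
    foreach ($c in $PolicyClasses) {
        try   { Get-PolicyFingerprint -ComputerName $m -Class $c }
        catch { Write-Warning "$m / ${c}: $($_.Exception.Message)" }
    }
}

# A policy is consistent when every member has it and all copies have the same settings.
$all | Group-Object Class, Policy | ForEach-Object {
    $members  = @($_.Group | ForEach-Object { $_.Member })
    $variants = @($_.Group | ForEach-Object { $_.Settings } | Sort-Object -Unique)
    $missing  = @($FarmMembers | Where-Object { $members -notcontains $_ })
    if ($missing.Count -gt 0 -or $variants.Count -gt 1) {
        Write-Warning ("{0}: missing on [{1}], {2} distinct setting set(s)" -f `
            $_.Name, ($missing -join ', '), $variants.Count)
    }
}
```

A warning only says that copies of a policy differ. Open the policy in RD Gateway Manager on the named members to see which tab holds the difference.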

Additional references

Best Practices Analyzer for Remote Desktop Services: Configuration
Best Practices Analyzer for Remote Desktop Services