Sio_85109
Feb 08, 2008

Terminal Server Maintenance

Hi there,

We have a pool of W2K3 terminal servers configured to use session directory sitting behind a pair of BIG-IP load balancers with msrdp persistence working. I'm looking for a way of easily removing a node from the terminal server farm to perform regular maintenance patching.

My understanding (which is very little) is that a cookie string in the token sent from the terminal server node is used to identify whether the server is using session directory or not:

cookie: msts= (this server is session directory enabled)

cookie: msth= (this server is not using session directory)

If I remove one of these terminal servers from the session directory and the BIGIP's are left untouched, will the load balancers still send client connections to this host?

I do not have direct access to the load balancers and they are bound to strict change control process so I'd like to stay away from any additional configuration work on these if possible.

Any help would be most appreciated.

Sio
  • The load balancers aren't session directory aware in the sense that you are describing. BigIP can persist on the rdp username, assuming it is sent in the first request, or it can persist using the token, but it will send the traffic to the server (if available) either way.

    You could disable the terminal service on your server while performing maintenance, this will cause the monitor on the BigIP to timeout, and it will not send any more connections.

    The other options you have would need change on the BigIP, and since you don't have that access...

    In our environment we give operator role access to the platform teams so they can enable/disable the terminal servers on their own for maintenance windows.
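
As an added example (not part of the thread or of any poster's configuration), the following decodes the `msts` routing token discussed above so that captured connection requests can be checked for tokens still pointing at a node due for maintenance. The token layout (`msts=<address>.<port>.0000` with byte-swapped values) and the `mstshash` user cookie are taken from the RDP connection-request format rather than from this page, and all sample values are constructed.

```python
import ipaddress
import struct

def decode_rdp_cookie(line):
    """Classify the Cookie line of an RDP connection request.

    Returns ("route", "ip:port") for an msts routing token,
    ("user", name) for an mstshash cookie, or None for anything else.
    """
    text = line.strip()
    if not text.lower().startswith("cookie:"):
        return None
    name, sep, value = text[len("cookie:"):].strip().partition("=")
    name = name.strip().lower()
    if not sep:
        return None
    if name == "mstshash":
        return ("user", value)
    parts = value.split(".")
    if name != "msts" or len(parts) != 3:
        return None
    if not all(p.isascii() and p.isdigit() for p in parts):
        return None
    ip_num, port_num = int(parts[0]), int(parts[1])
    if ip_num > 0xFFFFFFFF or port_num > 0xFFFF:
        return None
    # The token stores the address bytes in little-endian order and the
    # port with its two bytes swapped.
    ip = ipaddress.IPv4Address(struct.pack("<I", ip_num))
    port = struct.unpack("<H", struct.pack(">H", port_num))[0]
    return ("route", f"{ip}:{port}")

def requests_routed_to(lines, node):
    """Return the cookie lines whose routing token points at node."""
    return [l for l in lines if decode_rdp_cookie(l) == ("route", node)]

# Constructed sample: Cookie lines as they might appear in a capture.
SAMPLE = [
    "Cookie: msts=3640205228.15629.0000",   # 172.31.249.216:3389
    "Cookie: msts=201326602.15629.0000",    # 10.0.0.12:3389
    "Cookie: mstshash=partner01",           # user name only, no route
    "Cookie: msts=not-a-token",
]

if __name__ == "__main__":
    for hit in requests_routed_to(SAMPLE, "172.31.249.216:3389"):
        print("still routed to node under maintenance:", hit)
```
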
  • Thanks for the response. Our users are third party partners who will be logging on from workstations outside of our administrative domain. We also have no control over what RDP clients they choose to use to connect to the terminal servers so they may not necessarily be sending valid credentials through on first request. So it would seem we are using tokens passed from BigIP to the servers (or vice versa?).

    Ideally we'd like to be able to "drainstop" RDP connections to a terminal server whereby all new connections to the terminal server are stopped and existing connections (both active and disconnected) are left untouched. Our maintenance windows will be timed to take place when all users have logged off (either intentionally or forced log off due to idle timeout). This is possible with W2K3 terminal server if using Microsoft's Network Load Balancing (NLB) however this sort of defeats the purpose of having the BigIPs. (Microsoft's NLB is also frowned upon if not laughed at in our Telco environment).

    I'd like to make this as seamless as possible for the end user so I'd like to stay away from disabling terminal services if possible (the terminal servers are used 24/7).

    I'd be interested in finding out what other options are available. The BigIP's we have deployed are relatively new and we've had a few teething issues as our network teams get familiar with the kit. Server maintenance is not one of their priorities so I'd like to be able to politely suggest some way of working in a maintenance plan that isn't going to be too painful for them to implement.

    Thanks again for your response. It's great to see you guys have an active and thoroughly informative forum.

    Sio


  • If you want drainstop functionality, you will either need to put that task on your network team, or they need to give you access as an operator so you can disable pool members (your servers) and change their attribute while disabled to active connections only.
  • Thanks again for your response. I'll get on to our network team to see if we can work out a solution where server admins can have operator access on the BigIPs. Not sure this is going to get very far but I will try. The network teams are actually our client (large Telco) and I don't have a lot of confidence that they will approve any form of access for the server admins. No harm in asking though.

    Failing this it looks like I will have to look at disabling RDP access on the servers for our maintenance window. Not the most elegant solution but it will work.

    Thanks for your help!