RDS configuration has two servers.
Windows Server 2016
Internal DNS name: s1.corp.domain.com
IPv4 Address (public): 126.96.36.199
IPv4 Address (private): 10.10.10.100
RDS Roles: RD Gateway, RD Web Access, RD Connection Broker, RD Session Host
Windows Server 2019
Internal DNS name: s2.corp.domain.com
IP Address (private): 10.10.10.200, fd12:5678::101
RDS Roles: RD Web Access, RD Connection Broker, RD Session Host, RD Licensing
rds.domain.com > 188.8.131.52
rds.corp.domain.com > 10.10.10.100, 10.10.10.200
The external RD Gateway address is rds.domain.com. High Availability is configured. The DNS name for the RD Connection Broker cluster as set in the RDS Deployment Properties window is rds.corp.domain.com. A multi SAN certificate is properly installed and assigned to each RDS service. Only a single session type collection is configured (Collection1). A single host server (S2) is assigned to Collection1.
When an external user connects to rds.domain.com, the gateway properly picks a connection broker based on a DNS lookup to rds.corp.domain.com. If S2 is chosen as the connection broker, the Remote Desktop Client quickly completes the connection and the user's remote desktop appears. However if S1 is chosen as the connection broker, the Remote Desktop Client proceeds as normal for a moment then hangs on Configuring remote session and never completes the connection.
The event log on S1 shows progress.
Event log Microsoft-Windows-TerminalServices-SessionBroker/Operational
Event ID 800
RD Connection Broker received connection request for user DOMAIN\user.
Hints in the RDP file (TSV URL) = tsv://MS Terminal Services Plugin.1.Collection1
Initial Application = NULL
Call came from Redirector Server = s1.corp.domain.com
Redirector is configured as Virtual machine redirector
Followed by event ID 801
RD Connection Broker successfully processed the connection request for user DOMAIN\user Redirection info:
Target Name = S2
Target IP Address = 10.10.10.200
Target Netbios = S2
Target FQDN = s2.corp.domain.com
Disconnected Session Found = 0x0
Nothing else is logged at this point though. A successful/complete login would have a couple more entries - Event 787 and 818. In addition nothing is logged on S2 in the Microsoft-Windows-RemoteDesktopServices-RdpCoreTS/Operational event log. A successful connection would have several entries here.
Using TCPView, I can confirm that the tssdis.exe (connection broker) process on S1 is in fact contacting S2. Likewise the TCP connection is also visible on S2. But yet something is not allowing the connection to fully complete. After about 5 minutes, event ID 819 is logged on S1.
This connection request has timed out. User could not log on to the end point within the alloted time. Remote Desktop Connection Broker will stop monitoring this connection request.
This appears to be a similar problem to what is reported here
I have tried every possible fix that I can find but nothing has resolved this yet. I do have a temporary workaround. This only works though because there is only one RDSH in use at the moment. I can edit the internal DNS record for rds.corp.domain.com to only point to 10.10.10.200 (S2). This forces the gateway to direct all connections to the connection broker on S2. When S2 is the connection broker it is able to successfully complete the connection to the session host also running on S2.
The bottom line... A connection broker connecting to a session host on a different server doesn't work. A connection broker connecting to a session host on the same server does work.