Windows 2003 NLB and domain controllers - design issues

Shan McArthur

Hello,

I have an architectural question about Windows 2003 and load balancing that
is not covered in the design guides.

Scenario:
- Dual Windows 2003 web servers in a remote data center.
- Multiple sites (some with SSL) = multiple IP addresses (multi-homed
servers).
- Desire for fault-tolerance and load balancing.
- Both servers are domain controllers in the same AD forest/domain.
- Both servers have a single NIC

Initial thoughts:
- configure NLB in multicast mode
- add all IP addresses to both servers and port rules to balance each
address accordingly.
- should be a no-brainer.

Initial experiences:
- configured NLB with no problems.
- domain communication became disrupted between the servers
- domain controller configuration complicated the issue significantly
- had to back-out because I knew something would blow sooner or later.

Problems encountered:
- name resolution between the machines was an issue. I tried everything
from cleaning the DNS, setting the NIC to not auto-update the DNS, adding
custom host and lmhost entries on each server. Nothing worked.

- observed that since the machines were domain controllers, AD automatically
registered all IP addresses (including clustered addresses) in the DNS, even
if the setting was disabled in the NIC configuration. For name resolution,
DNS returns round-robin DNS results. However from machine1 attempting to
NET VIEW machine2, if a cluster address was used, it saw the address as its
own and no communication went out on the wire, and the communication failed.

- dcdiag complained that LDAP was not responding on the other machine.
ADSIEdit would work if I connected to the dedicated IP address of the other
server.

- the network load balancing manager refused to connect to ANY ip address on
either server. I could not manage the cluster.

- netdiag complained about the DNS registrations not being correct and the
NetBT tests failed.

- the design of NLB for a multi-homed machine is not correct. I have found
that it is impossible to have multiple dedicated IP addresses and a smaller
number of shared addresses. I have found that the only way to configure it
is to have all IP addresses except the single dedicated IP address
registered in NLB, then set up custom port rules for each address and for
the non-shared addresses, set the balance to 100% on one server and 0% on
the other server. This is a real nightmare! Adding another address to a
working cluster is a real pain.

- when I backed out and removed the NLB from the first server, the NLB was
still configured on the second server and as a result, the first server was
unable to obtain any of its multi-homed IP addresses. Even after removing
NLB from the second server, I ended up having to reboot the first server to
get the IP addresses back. Very bad design!

Probable Issues:
- Name resolution for domain controllers and integration with the DNS is a
huge issue. NLB does not appear to take this into consideration.
- there is no way to specify WHICH IP addresses are to be registered
automatically in DNS; it is an all-or-nothing setting. Furthermore, for
domain controllers, it looks like the setting has no effect and all IP
addresses are registered despite the IP setting.

Possible Solution:
- Since I cannot seem to find any way to make this work, I am wondering if I
add a second NIC to each server, and unbind the network client and server on
the NLB NICs if this will solve the problem.
- I assume that with a second NIC in each server that it will be possible
for all the NetBIOS traffic between the servers to go through that NIC
without any complications of the NLB.

Does anyone else have some advice on making this work? I know that adding
another two servers to the mix to be separate domain controllers is not
economically feasible, so I want to get it working with the existing two
servers being domain controllers.

Microsoft: there are a number of design deficiencies in NLB; please see what
you can do to improve it. Specifically, make it easier to manage a
multi-homed machine with a mix of shared and unshared IP addresses. Also
make it easier to turn NLB on and off without having to reboot a server
because the IP address is shared. Also remove the requirement for the
shared cluster IP addresses to have to be listed in the IP address list. If
a cluster member is disabled, it is not possible for it to use the other
server as it sees the address as local and NEVER goes out on the network.
Finally, please work out the DNS address registration issues and NetBT
traffic issues for communication between cluster members.

Thanks,
Shan McArthur
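The hairpin failure described in the post above (DNS round-robin hands DC1 a cluster address for DC2, that address is also bound on DC1, so the connection is answered locally and never goes out on the wire) can be modelled with a small script. The following is an added example, not code from the thread or from Microsoft: it classifies each DNS answer for a peer from one node's point of view and picks the only address that is safe for DC-to-DC traffic, the peer's dedicated address. All addresses are constructed sample values from the RFC 5737 documentation range; NodeConfig and the helper names are this example's own.

```python
"""
Added example (not from the original thread): a diagnostic that models the
name-resolution failure described above. A domain controller registers every
bound address in DNS, including NLB cluster addresses, so DNS round-robin may
hand DC1 a cluster address when it resolves DC2. That address is also bound on
DC1, so the connection is answered locally and never reaches DC2. The code
below classifies each DNS answer from one node's point of view and picks the
only address that is safe for DC-to-DC traffic: the peer's dedicated address.
All addresses are constructed sample values (RFC 5737 documentation range);
NodeConfig and the helper names are this example's own.
"""
import ipaddress
from dataclasses import dataclass, field


@dataclass
class NodeConfig:
    name: str
    dedicated: set = field(default_factory=set)  # per-host addresses, never load-balanced
    cluster: set = field(default_factory=set)    # NLB virtual addresses, bound on every member


def bound_addresses(node: NodeConfig) -> set:
    """Every address the TCP/IP stack on this node answers for."""
    return node.dedicated | node.cluster


def classify_answers(peer_answers, me: NodeConfig, peer: NodeConfig) -> dict:
    """Label each DNS answer for `peer` as seen from `me`.

    hairpin : bound locally too, so the traffic is answered by `me` and never
              goes out on the wire (the NET VIEW / LDAP failure in the post)
    usable  : a dedicated address of the peer; reaches the peer and only the peer
    shared  : a cluster address not bound locally (e.g. mid-backout); which
              node answers depends on NLB, so do not rely on it
    stale   : registered in DNS but bound on neither node; prune the record
    """
    labels = {}
    for answer in peer_answers:
        ip = str(ipaddress.ip_address(answer))  # rejects malformed literals
        if ip in bound_addresses(me):
            labels[ip] = "hairpin"
        elif ip in peer.dedicated:
            labels[ip] = "usable"
        elif ip in peer.cluster:
            labels[ip] = "shared"
        else:
            labels[ip] = "stale"
    return labels


def pick_peer_address(peer_answers, me: NodeConfig, peer: NodeConfig):
    """Return the first answer that is safe for DC-to-DC traffic, or None."""
    for ip, label in classify_answers(peer_answers, me, peer).items():
        if label == "usable":
            return ip
    return None


def records_to_prune(peer_answers, peer: NodeConfig) -> list:
    """DNS A records for `peer` that must stay out of DC lookups: cluster
    addresses (shared with the other member) and anything not bound as a
    dedicated address on the peer."""
    return sorted(ip for ip in peer_answers if ip not in peer.dedicated)


# Constructed two-node cluster: one dedicated address each and two shared
# VIPs (one per SSL site), mirroring the scenario in the post.
DC1 = NodeConfig("dc1", dedicated={"192.0.2.11"}, cluster={"192.0.2.100", "192.0.2.101"})
DC2 = NodeConfig("dc2", dedicated={"192.0.2.12"}, cluster={"192.0.2.100", "192.0.2.101"})

# What DNS hands DC1 for "dc2" once DC2 has registered all of its addresses.
# Round-robin rotates the order on every query, so any order is possible.
DC2_ANSWERS = ["192.0.2.100", "192.0.2.12", "192.0.2.101"]

if __name__ == "__main__":
    for ip, label in classify_answers(DC2_ANSWERS, DC1, DC2).items():
        print(f"{ip:<14} {label}")
    print("use for replication/LDAP:", pick_peer_address(DC2_ANSWERS, DC1, DC2))
    print("records to keep out of DC lookups:", records_to_prune(DC2_ANSWERS, DC2))
```

On the real servers the same comparison can be made by hand: the answers `nslookup` returns for the other DC checked against the addresses `ipconfig` shows bound locally; any overlap is an address that will never leave the box. The script only models that check with constructed data and does not change any DNS or NLB setting.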

Brian Oakes [MSFT]

The examples you pointed out are good examples of why you shouldn't use NLB
for AD Failover. NLB was originally designed for other purposes and as you
know it does that quite well.

I would suggest you look at a clustering type solution, this would be a
better fit for your needs, and it's designed to do what you are looking for.
:)

http://www.microsoft.com/windowsserver2003/evaluation/overview/technologies/clustering.mspx

--

Brian Oakes

This posting is provided "AS IS" with no warranties and confers no rights.
Please reply to the newsgroup so that others may benefit.