Thursday, April 20, 2006

MS: Network Load Balancing (NLB): Configuration Best Practices for Windows 2000 and Windows Server 2003

General Considerations

• Some routers require a static ARP entry because they do not support the resolution of unicast IP addresses to multicast media access control (MAC) addresses. For example, Cisco routers require an ARP (Address Resolution Protocol) entry for every virtual IP address. While Network Load Balancing uses Layer 2 multicast for the delivery of packets, Cisco's interpretation of the RFCs is that multicast is for IP multicast. So, when the router does not see a multicast IP address, it does not automatically create an ARP entry, and the entry has to be added manually on the router.

• Network Load Balancing can operate in two modes: unicast and multicast. Unicast support is enabled by default, which ensures that it operates properly with all routers. You might elect to enable multicast mode so that a second network adapter is not required for communications within the cluster. If Network Load Balancing clients access a cluster (configured for multicast mode) through a router, be sure that the router accepts an Address Resolution Protocol (ARP) reply for the cluster's (unicast) IP addresses with a multicast media access control address in the payload of the ARP structure. ARP is a TCP/IP protocol that uses limited broadcast to the local network to resolve a logically assigned IP address. Verify that all cluster hosts are operating in unicast or multicast mode, one or the other, but not both.

• If the cluster is operating in unicast mode (default setting), Network Load Balancing cannot distinguish between single adapters on each host. Therefore, any communication among cluster hosts is not possible unless each cluster host has at least two network adapters.

• You can configure Network Load Balancing on more than one network adapter. However, if you do bind NLB to a second network adapter ensure that you are configuring them correctly.

• Use only the TCP/IP network protocol on the adapter NLB is enabled for. Do not add any other protocols (for example, IPX) to this adapter.

• Enable Network Load Balancing Manager logging. You can configure Network Load Balancing manager to log each Network Load Balancing Manager event. This log can be very useful in troubleshooting problems or errors when using Network Load Balancing Manager. Enable Network Load Balancing Manager logging by clicking Log Settings in the Network Load Balancing Manager Options menu. Check the Enable logging box and specify a name and location for the log file.

• Verify that the following is true for cluster parameters, port rules, and host parameters:

    • Cluster parameters and port rules are set identically on all cluster hosts.

    • Port rules are set for all ports used by the load-balanced application. For example, FTP uses port 20, port 21, and ports 1024-65535.

    • Always click Add after setting a port rule. Otherwise, the port rule will not appear in the list of rules, and the rule will not take effect.

    • Ensure that the dedicated IP address is unique and that the cluster IP address is added to each cluster host.

• Verify that any given load-balanced application is started on all cluster hosts on which the application is installed. Network Load Balancing is not aware of higher-level applications and does not start or stop applications.

• Verify that the following is true for the dedicated IP address and the cluster IP address:

    • Except in the case of a virtual private network (VPN), both the dedicated IP address and the cluster IP address must be entered during setup in the Network Load Balancing Properties dialog box and also in the Internet Protocol (TCP/IP) Properties dialog box. Make sure that the addresses are the same in both places.

    • When configuring a VPN load balancing cluster, you should not configure the dedicated IP address. On a VPN, only the cluster IP address should be present on each of the cluster hosts, because clients running Windows 95, Windows 98, or Windows NT 4.0 may be unable to connect to the cluster if the dedicated IP address is configured on the Network Load Balancing cluster hosts. If you omit this step, the cluster will converge and appear to be working properly, but the cluster host will not accept and handle cluster traffic.

    • Ensure that the dedicated IP address is always listed first (before the cluster IP address) in the Internet Protocol (TCP/IP) Properties dialog box. This ensures that responses to connections originating from a host return to the same host.

    • Both the dedicated IP address and the cluster IP address must be static IP addresses. They cannot be DHCP addresses.

• Ensure that all hosts in a cluster belong to the same subnet and that the cluster's clients are able to access this subnet.

• No special cluster interconnect is used by Network Load Balancing. NLB uses the same network interface to maintain cluster state awareness.

• Do not enable Network Load Balancing on a computer that is part of a server cluster. Microsoft does not support this configuration.
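The ARP point made in the first two bullets of this section comes down to one bit: in multicast mode the cluster MAC NLB derives from the cluster IP has the I/G (group) bit set, which is why some routers will not learn the unicast-IP-to-MAC binding on their own. The script below is an added example, not code from the page or from Microsoft; it derives the cluster MAC for each NLB mode (including the IGMP multicast variant of Windows Server 2003, which the page does not cover), tells you whether the static entry is needed, and renders it in the Cisco IOS `arp <ip> <mac> arpa` form, which is assumed from IOS documentation rather than taken from the page. The cluster IP is a constructed value.

```python
import ipaddress

# NLB derives the cluster MAC address from the cluster IP address:
#   unicast mode:        02-BF-<four IP octets>
#   multicast mode:      03-BF-<four IP octets>
#   IGMP multicast mode: 01-00-5E-7F-<last two IP octets>  (Windows Server 2003 only)
MODE_PREFIX = {"unicast": (0x02, 0xBF), "multicast": (0x03, 0xBF)}


def nlb_cluster_mac(cluster_ip: str, mode: str) -> str:
    """Return the cluster MAC address NLB uses in the given mode."""
    octets = list(ipaddress.IPv4Address(cluster_ip).packed)
    if mode == "igmp":
        raw = [0x01, 0x00, 0x5E, 0x7F] + octets[2:]
    else:
        raw = list(MODE_PREFIX[mode]) + octets
    return "-".join(f"{b:02X}" for b in raw)


def is_group_mac(mac: str) -> bool:
    """True when the I/G bit (lowest bit of the first octet) is set, i.e. the
    MAC is a multicast/group address. That bit is what stops a router from
    dynamically learning a unicast IP -> group MAC binding."""
    return bool(int(mac.split("-")[0], 16) & 0x01)


def needs_static_arp(cluster_ip: str, mode: str) -> bool:
    """Does this cluster need the static router ARP entry the page describes?"""
    return is_group_mac(nlb_cluster_mac(cluster_ip, mode))


def cisco_static_arp(cluster_ip: str, mac: str) -> str:
    """Render the entry as 'arp <ip> <hhhh.hhhh.hhhh> arpa' (IOS syntax assumed)."""
    h = mac.replace("-", "").lower()
    return f"arp {cluster_ip} {h[0:4]}.{h[4:8]}.{h[8:12]} arpa"


if __name__ == "__main__":
    ip = "10.0.0.1"  # constructed cluster IP address
    for mode in ("unicast", "multicast", "igmp"):
        mac = nlb_cluster_mac(ip, mode)
        verdict = "static ARP needed" if needs_static_arp(ip, mode) else "dynamic ARP fine"
        print(f"{mode:9} {mac}  {verdict}")
        if needs_static_arp(ip, mode):
            print("          ", cisco_static_arp(ip, mac))
```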

Security and Manageability

• Use Network Load Balancing Manager to configure NLB clusters. You can configure many Network Load Balancing options through either Network Load Balancing Manager or the Network Load Balancing Properties dialog box accessed through Network Connections. However, Network Load Balancing Manager is the preferred method. Using both Network Load Balancing Manager and Network Connections together to change Network Load Balancing properties can lead to unpredictable results. Only Windows Server 2003 NLB clusters can be configured by NLB manager. You can however manage clusters that contain both Windows Server 2003 and Windows 2000 or NT 4.0 servers.

• Ensure that applications that are load balanced are properly secured. The NLB security domain does not extend to applications, so NLB will be totally unaware if security at the application level is compromised.

• Use two or more network adapters in each cluster host if you would like to separate management functions from regular operations. Two network adapters are not, however, a default requirement.

• The command-line tool for managing NLB is nlb.exe. It exposes a mechanism for setting NLB configuration parameters from the command line. Two additional options are not exposed in the documented command set but can be useful for monitoring NLB state: queryport and params. "nlb.exe queryport" retrieves the state of a given port rule using the same syntax as the enable/disable/drain command-line options. The information returned includes the state of the port rule (enabled, disabled or draining) if the port rule is found, or an indication that the port rule was not found; if found, it also returns a count of packets accepted and dropped on that port rule. "nlb.exe params" retrieves the NLB configuration just as "nlb display" does, but rather than reading it from the registry it queries the kernel-mode driver directly, so it reflects the CURRENT state of NLB. The registry shows what the NEXT state of NLB would be if a reload, or some other operation that causes the driver to read the registry, were performed; the registry may or may not match the current state of NLB.

• Enabling remote control has security implications, and the user must ensure that the NLB cluster is secure (behind a firewall) if remote control is enabled. The remote control mechanism uses the UDP protocol and is assigned port 2504. Remote control datagrams are sent to the cluster's primary IP address. Since the Network Load Balancing driver on each cluster host handles them, these datagrams must be routed to the cluster subnet (instead of to a back-end subnet to which the cluster is attached). When remote control commands are issued from within the cluster, they are broadcast on the local subnet. This ensures that all cluster hosts receive them even if the cluster runs in unicast mode. As such, the subnet the NLB clusters are hosted on should be secure. If remote control is enabled, users can use nlb.exe to remotely manage their clusters.
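Because remote control rides on UDP port 2504 and legitimate commands originate inside the cluster subnet, a quick check on firewall logs is whether any UDP/2504 datagrams from outside that subnet reached the cluster's primary IP. The script below is an added example, not code from the page; the log format (date, time, protocol, src:port -> dst:port, action) and the log lines are constructed for illustration, and the cluster subnet 10.0.0.0/24 is an assumption.

```python
import ipaddress
import re

NLB_REMOTE_CONTROL_PORT = 2504  # UDP port used by NLB remote control (from the page)

# Constructed sample firewall log; the format is assumed for this example only.
SAMPLE_LOG = """\
2006-04-20 10:01:02 UDP 10.0.0.12:1045 -> 10.0.0.1:2504 ALLOW
2006-04-20 10:01:09 UDP 192.0.2.77:3401 -> 10.0.0.1:2504 ALLOW
2006-04-20 10:01:11 TCP 198.51.100.9:52011 -> 10.0.0.1:80 ALLOW
2006-04-20 10:02:30 UDP 203.0.113.5:2504 -> 10.0.0.1:2504 DROP
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+ \S+) (?P<proto>TCP|UDP) (?P<src>[\d.]+):(?P<sport>\d+) -> "
    r"(?P<dst>[\d.]+):(?P<dport>\d+) (?P<action>\w+)$"
)


def find_external_remote_control(log_text: str, cluster_subnet: str) -> list:
    """Return UDP/2504 datagrams whose source lies outside the cluster subnet.

    Commands issued inside the cluster are broadcast on the local subnet, so a
    source elsewhere is unexpected; an ALLOW on such a line means the firewall
    the page asks for is not actually in front of the cluster."""
    net = ipaddress.ip_network(cluster_subnet)
    hits = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m or m["proto"] != "UDP" or int(m["dport"]) != NLB_REMOTE_CONTROL_PORT:
            continue
        if ipaddress.ip_address(m["src"]) in net:
            continue  # from within the cluster subnet: expected traffic
        hits.append({"time": m["ts"], "src": m["src"], "dst": m["dst"], "action": m["action"]})
    return hits


def allowed_external_sources(log_text: str, cluster_subnet: str) -> list:
    """Outside sources whose remote control datagrams were let through."""
    hits = find_external_remote_control(log_text, cluster_subnet)
    return sorted({h["src"] for h in hits if h["action"] == "ALLOW"})


if __name__ == "__main__":
    for hit in find_external_remote_control(SAMPLE_LOG, "10.0.0.0/24"):
        print(hit)
    print("allowed from outside the cluster subnet:",
          allowed_external_sources(SAMPLE_LOG, "10.0.0.0/24"))
```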

High Availability

• Network adapters and NIC teaming: Most vendors today offer redundant or fault tolerant adapters, i.e. adapter teaming or adapter fault tolerance (AFT). These are supported with NLB; however, refer to KB article 278431 for more information.

• Fault tolerant/load balancing switches: Redundancy at the switch layer can easily be provided by striping the NLB cluster hosts across multiple switches and interconnecting all the switches that contain a single NLB cluster. Additionally, to prevent switch flooding, only the ports connected to the primary IP address (where all inbound traffic is sent) can be placed in a single VLAN.

• Fault tolerant routers: Router redundancy is most easily handled using VRRP (Virtual Router Redundancy Protocol) or HSRP (Hot Standby Router Protocol). This allows the router to map the cluster's primary IP address and other multi-homed addresses to the corresponding media access control address. If your router does not meet this requirement, you can create a static ARP entry in the router or you can use Network Load Balancing in its default unicast mode.

• Multiple NICs in cluster nodes

Windows 2000

• If you have 2 NICs on different subnets, then the NIC to which NLB is bound should have the default gateway configured, and the routing tables need to be reconfigured to make all traffic go through the NLB NIC. The default gateway setting on the other NIC should be blank.

• If you have 2 NICs on the same subnet, you will need to configure the NIC to which NLB is bound with the default gateway. The other NIC should not have a default gateway configured. There is no need to hack routing tables.

• The recommendation is to use one NIC in each node unless there is a business need for 2 NICs.

Windows Server 2003

• If you have 2 NICs on different subnets, you can choose to bind NLB to either or both NICs without any issues. All traffic will go through the correct NIC (subnet).

• If you have 2 NICs on the same subnet traffic will be routed accordingly.

• The following tools can be used to troubleshoot NLB clusters:

    • Event Viewer.

    • NLB.exe display and query commands.

    • Ping.exe.

    • Network Monitor.

    • Network Monitor parser for NLB (part of the Windows 2000 Server Resource Kit). Refer to KB article 280503 for more information.

    • Performance Monitor, in particular the following counters:

        • CPU load

        • Network Interface: packets/sec

        • Web Service: connection attempts/sec
