Configuring Multicast NLB for DirectAccess

Introduction

DirectAccess in Windows Server 2012 R2 includes support for load balancing using either Windows Network Load Balancing (NLB) or an external physical or virtual load balancer. There are advantages and disadvantages to each, but NLB is commonly deployed due to its cost (free!) and relative ease of configuration. NLB has three operation modes – Unicast, Multicast, and IGMP Multicast. It may become necessary to change the NLB operation mode depending on the environment where DirectAccess is deployed. This article describes when and how to make those changes.

Default Configuration

When NLB is first configured, the default cluster operation mode is set to Unicast. In this configuration, all nodes in the NLB cluster share the same MAC address. The NLB kernel mode driver prevents the switch from learning the MAC address for any node in the cluster by masking it on the wire. When a frame is delivered to the switch where the NLB cluster resides, without a MAC address to switch port mapping the frame is delivered to all ports on the switch. This induces switch flooding and is by design. It is required for all nodes in the cluster to “see” all traffic. The NLB driver then determines which node will handle the request.

NLB on Hyper-V

Unicast NLB typically works without issue in most physical environments. However, enabling NLB when the DirectAccess server is running on a virtual machine requires some additional configuration. For Hyper-V, the only thing that is required is to enable MAC Address Spoofing on the virtual network adapter as I discussed here. No other changes are required.

NLB on VMware

For VMware environments, it will be necessary to change the cluster operation mode from unicast to multicast. This is because the VMware hypervisor proactively informs the virtual switch of the virtual machine’s MAC address on startup and during other virtual networking events. When this occurs, all traffic for the NLB Virtual IP Address (VIP) will be delivered to a single node in the cluster. In multicast operation mode, all nodes in the NLB cluster retain their original MAC address and a unique MAC address is assigned to the cluster VIP. As such, there’s no need to prevent the switch from learning the virtual machine’s MAC address.

Configuring Multicast NLB

To enable Multicast NLB, first enable load balancing for DirectAccess using the Remote Access Management console as usual. DO NOT perform the initial configuration of NLB outside of the Remote Access Management console! Before adding another member to the array, open the Network Load Balancing Manager, right-click the cluster and choose Cluster Properties. Select the Cluster Parameters tab and change the Cluster operation mode to Multicast.


When opening the Network Load Balancing Manager locally on the DirectAccess server, you may receive the following error message:

“Running NLB Manager on a system with all networks bound to NLB might not work as expected. If all interfaces are set to run NLB in “unicast” mode, NLB manager will fail to connect to hosts.”


If you encounter this error message it will be necessary to run the NLB Manager on another host. You can install the NLB Manager on a Windows Server 2012 R2 system by using the following PowerShell command.

Install-WindowsFeature RSAT-NLB

Optionally you can download and install the Windows Remote Server Administration Tools (RSAT) on a Windows desktop client and manage NLB remotely.

Once this change has been made you can add additional DirectAccess servers to the array using the Remote Access Management console.

Additional Configuration

If you cannot communicate with the cluster VIP from a remote subnet, but can connect to it while on the same subnet, it might be necessary to configure static ARP entries on any routers for the subnet where the NLB cluster resides. Often this is required because routers will reject responses to ARP requests that are from a host with a unicast IP address but have a multicast MAC address.
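The following is an added example, not code from the original article. It performs the cluster operation mode change described above with the NetworkLoadBalancingClusters cmdlets instead of the NLB Manager GUI, then derives the multicast MAC address that the routers' static ARP entries for the cluster VIP must carry. The node name, NLB-bound interface name and the use of a separate management host with RSAT-NLB are assumptions.

```powershell
# Added example, not from the original article. Switches an existing DirectAccess NLB
# cluster to Multicast (the cmdlet equivalent of Cluster Properties > Cluster Parameters)
# and derives the multicast MAC the routers' static ARP entries must use.
Import-Module NetworkLoadBalancingClusters

$NodeName      = 'DA1'        # assumed: a DirectAccess server already in the array
$InterfaceName = 'External'   # assumed: the NIC on that node that is bound to NLB

# Run this from a management host with RSAT-NLB, not on a node whose every NIC is
# bound to NLB; the cmdlets connect to the cluster the same way NLB Manager does.
$cluster = Get-NlbCluster -HostName $NodeName -InterfaceName $InterfaceName
Write-Host 'Before:'
$cluster | Format-List

Set-NlbCluster -HostName $NodeName -InterfaceName $InterfaceName -OperationMode Multicast

$cluster = Get-NlbCluster -HostName $NodeName -InterfaceName $InterfaceName
Write-Host 'After:'
$cluster | Format-List

# In multicast mode NLB derives the cluster MAC from the VIP: 03-BF-W-X-Y-Z, where
# W.X.Y.Z are the four octets of the VIP in hex. A router that refuses to learn a
# multicast MAC for a unicast IP address needs exactly this mapping as a static entry.
function Get-NlbMulticastMac {
    param([Parameter(Mandatory)][ipaddress]$Vip)
    $hex = $Vip.GetAddressBytes() | ForEach-Object { $_.ToString('X2') }
    return ('03-BF-{0}' -f ($hex -join '-'))
}

$vip = [ipaddress]$cluster.IPAddress
$mac = Get-NlbMulticastMac -Vip $vip

# Static ARP syntax varies by router vendor; the IOS form uses dotted hex triplets.
$ciscoMac = (($mac -replace '-', '').ToLower()) -replace '(.{4})(.{4})(.{4})', '$1.$2.$3'
"Static ARP mapping for the cluster subnet router: {0} -> {1}" -f $vip, $mac
"Cisco IOS form: arp {0} {1} ARPA" -f $vip, $ciscoMac
```

After the change, a host on the same subnet that has pinged the VIP should show the 03-BF-... address for it in its neighbor cache; if the router on that subnet shows no entry, add the static mapping printed above.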

DirectAccess Configuration Load Error after Enabling NLB in Hyper-V

When the Windows Server 2012 R2 DirectAccess server is deployed on a virtual machine running in Microsoft Hyper-V, a complete loss of network connectivity may occur immediately after enabling Network Load Balancing (NLB). In addition, the Remote Access Management console may report the following error:

Configuration Load Error
Settings for <da_hostname> cannot be retrieved.
Domain controller <dc_hostname> cannot be reached for localhost.
Try to reload the configuration.


This issue may be caused by incorrect virtual network adapter settings on the Hyper-V host. To resolve this issue, open the Hyper-V management console, right-click the DirectAccess guest virtual machine and choose Settings. Expand the virtual network adapter and select Advanced Features, then select the option to Enable MAC address spoofing. Repeat these steps for each virtual network adapter assigned to the DirectAccess server virtual machine. Apply the settings and restart the DirectAccess server.
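As an added example (not from the original article), the same fix can be applied from the Hyper-V host with the Hyper-V PowerShell module: inspect the MAC address spoofing state of every adapter on the DirectAccess guest, enable it where it is off, and restart the guest as the steps above describe. The VM name is an assumption.

```powershell
# Added example, not from the original article: check and enable MAC address spoofing
# on every network adapter of the DirectAccess guest, the scriptable form of
# Settings > Network Adapter > Advanced Features > Enable MAC address spoofing.
$VmName = 'DA1'   # assumed: the DirectAccess virtual machine as named in Hyper-V

$adapters = Get-VMNetworkAdapter -VMName $VmName
$changed  = $false

foreach ($nic in $adapters) {
    "{0}: MAC {1}, MAC spoofing {2}" -f $nic.Name, $nic.MacAddress, $nic.MacAddressSpoofing
    if ($nic.MacAddressSpoofing -ne 'On') {
        # Unicast NLB masks the node's MAC on the wire; with spoofing disallowed the
        # virtual switch drops those frames, which is the total loss of connectivity.
        $nic | Set-VMNetworkAdapter -MacAddressSpoofing On
        $changed = $true
    }
}

if ($changed) {
    # The article applies the settings and then restarts the DirectAccess server.
    Restart-VM -Name $VmName -Force
}

# Confirm every adapter on the guest now allows MAC address spoofing.
Get-VMNetworkAdapter -VMName $VmName | Select-Object Name, MacAddress, MacAddressSpoofing
```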


Microsoft System Center Virtual Machine Manager 2012 Cookbook

Recently I had the opportunity to read Microsoft System Center Virtual Machine Manager 2012 Cookbook by Edvaldo Cardoso, published by Packt Publishing. I really enjoy their “cookbook” series, as they take complex concepts like virtual machine management and break them down into detailed, step-by-step guidance that can be consumed in easily digestible chunks. The style lends itself well to following along in a virtual lab, working through the steps outlined in each chapter to configure a component or enable a specific feature. My specific goal with this title was to learn how to implement the Hyper-V network virtualization features with System Center 2012. The book met my needs perfectly. Of course, the entire book will be helpful to datacenter administrators interested in leveraging the power of server and network virtualization in their organizations. If you are working with System Center Virtual Machine Manager 2012 today, or are planning to deploy it in the future, you’ll definitely want to have this book in your reference library.

Networking and DirectAccess Sessions at TechEd 2012

This year I had the privilege of attending both TechEd North America and TechEd Europe, and presenting a session on Forefront TMG and UAG at both events. With the release of Windows 8 and Windows Server 2012 due later this year, there were many sessions about the technologies included in the new client and server operating systems. When I wasn’t delivering my session or spending time with the Microsoft team in the learning center, I attended a number of sessions on security and networking. If you were unable to attend, or perhaps missed any of these sessions, they are now all available online on MSDN Channel 9. [ North America | Europe ] Here is a list of my favorite sessions:

  • IPv6 Bootcamp: Get Up to Speed Quickly
  • Windows Server 2012 DirectAccess: How to Quickly and Easily Deploy Your Next Generation Remote Access Solution
  • Overview of Hyper-V Networking in Windows Server 2012
  • Windows Server 2012 NIC Teaming and Multichannel Solutions
  • Networking for Hybrid Cloud: BranchCache and Cross Premise Connectivity
  • Hyper-V Network Virtualization for Scalable Multi-Tenancy in Windows
  • Extending Enterprise Networks to Windows Azure using Windows Azure Virtual Networks
  • Demystifying Microsoft Forefront Edge Security Technologies: TMG and UAG

Ok, I have to admit that I’m somewhat biased about that last session on the list. 😉 However, Windows Server 2012 does have a lot of new networking features and capabilities that make it a compelling solution for remote access and hybrid cloud connectivity. Have a look at some of these sessions and start evaluating Windows 8 and Windows Server 2012 today!
