Load Balancing IIS with NLB and DFS

I’m in the middle of a PKI (ADCS) project, and realized that I need a reliable web server. Here’s what I found out about clustering IIS.

Quick Notes

  • MSCS (Microsoft Cluster Service) works with IIS in active/passive mode. NLB, however, is active/active.
  • NLB is a port-level clustering solution and is not aware of CPU\RAM load or application health. If the networking stack is up then the server gets traffic.
  • NLB is a mesh topology and doesn’t use a dispatcher.
  • NLB doesn’t replicate content. DFS can though!

How It Works

In an NLB cluster, all members share the same MAC and IP address. This means that all hosts receive incoming traffic for the cluster’s IP address (called the VIP or Virtual IP Address). NLB is first and foremost a driver that sits in the TCP/IP stack and selectively filters out packets so that each host ignores traffic not assigned to it. The hosts communicate with each other and elect which members will handle incoming requests and sessions via heartbeat broadcasts to the cluster’s MAC address. This can be done in unicast mode (the cluster MAC replaces the adapter’s MAC, so the switch floods cluster traffic to the entire subnet) or in IGMP multicast mode (the switch forwards cluster traffic only to ports with other cluster members). If you’re using VMware, and in most other situations, IGMP multicast is the way to go.
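Because NLB only checks that the network stack is up, a node whose IIS is hung or throwing errors keeps receiving its share of the VIP traffic. The following script is an added example (not part of the original post) of an application-level probe that compensates for this: it requests a page from the node’s own IIS and drain-stops the node out of the cluster when the probe fails, then returns it once IIS answers again. The dedicated IP 10.0.0.11, the probe page /healthcheck.htm and the log path are constructed, hypothetical values; the interface name "NLB Interface" matches the build steps below. It is meant to run from a scheduled task on each node.

```powershell
# Added example, not from the original post: drain an NLB node whose IIS is unhealthy.
# NLB itself is not application-aware, so this probe supplies the missing health check.
Import-Module NetworkLoadBalancingClusters

$NodeName      = $env:COMPUTERNAME
$InterfaceName = "NLB Interface"
$ProbeUrl      = "http://10.0.0.11/healthcheck.htm"   # constructed: this node's DIP, not the VIP
$TimeoutMs     = 5000
$LogFile       = "$env:SystemRoot\Temp\nlb-healthcheck.log"  # constructed path

function Test-IisHealth {
    param([string]$Url, [int]$Timeout)
    # HttpWebRequest is used instead of Invoke-WebRequest so this also runs on PowerShell 2.
    try {
        $request = [System.Net.HttpWebRequest]::Create($Url)
        $request.Timeout = $Timeout
        $request.AllowAutoRedirect = $false
        $request.Method = "GET"
        $response = $request.GetResponse()
        $ok = ([int]$response.StatusCode -eq 200)
        $response.Close()
        return $ok
    } catch {
        # Timeouts and 4xx/5xx responses both raise WebException: treat them as unhealthy.
        return $false
    }
}

function Write-Log {
    param([string]$Message)
    $line = "{0:yyyy-MM-dd HH:mm:ss} {1}" -f (Get-Date), $Message
    Add-Content -Path $LogFile -Value $line
}

# Look at every node so we never drain the last converged member and take the VIP dark.
$allNodes       = Get-NlbClusterNode -HostName $NodeName -InterfaceName $InterfaceName
$thisNode       = $allNodes | Where-Object { $_.Name -eq $NodeName }
$convergedCount = @($allNodes | Where-Object { $_.State -eq "Converged" }).Count
$healthy        = Test-IisHealth -Url $ProbeUrl -Timeout $TimeoutMs

if (-not $healthy -and $thisNode.State -eq "Converged") {
    if ($convergedCount -le 1) {
        Write-Log "IIS probe failed on $NodeName but it is the last converged node; not draining"
    } else {
        # -Drain lets established connections finish before the node stops taking new ones.
        Write-Log "IIS probe failed on $NodeName; draining node out of the cluster"
        Stop-NlbClusterNode -HostName $NodeName -InterfaceName $InterfaceName -Drain -Timeout 2
    }
}
elseif ($healthy -and $thisNode.State -eq "Stopped") {
    Write-Log "IIS probe succeeded on $NodeName; returning node to the cluster"
    Start-NlbClusterNode -HostName $NodeName -InterfaceName $InterfaceName
}
```

The probe deliberately targets the node’s dedicated IP rather than the VIP: a request to the VIP from a cluster member is answered locally anyway, and it would not tell you whether this particular node’s IIS is the one that is broken. The log file gives you a record of every drain and re-add, which is what you will want when someone asks why a node dropped out of rotation.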

Setting Up a Cluster – Server 1

  1. Rename the interface you’re using for NLB traffic from “Local Area Network #” to “NLB Interface”.
  2. Install IIS
    Dos command:

    Powershell -executionpolicy bypass -command "Import-Module ServerManager; Add-WindowsFeature net-framework-core"
    PKGMGR.EXE /l:log.etw /iu:IIS-WebServerRole;IIS-WebServer;IIS-CommonHttpFeatures;IIS-StaticContent;IIS-DefaultDocument;IIS-HttpErrors;IIS-HttpRedirect;IIS-ApplicationDevelopment;IIS-ASP;IIS-ISAPIExtensions;IIS-HealthAndDiagnostics;IIS-HttpLogging;IIS-LoggingLibraries;IIS-RequestMonitor;IIS-HttpTracing;IIS-Security;IIS-WindowsAuthentication;IIS-RequestFiltering;IIS-IPSecurity;IIS-Performance;IIS-HttpCompressionStatic;IIS-WebServerManagementTools;IIS-IIS6ManagementCompatibility;IIS-Metabase
  3. Install the NLB feature
    Dos command:

    Ocsetup.exe NetworkLoadBalancingFullServer
  4. Create the cluster
    Powershell Commands:

    Import-Module NetworkLoadBalancingClusters
    New-NlbCluster -ClusterName "Cluster1" -ClusterPrimaryIP <VIP> -SubnetMask <VIPSubnetMask> -OperationMode "igmpmulticast" -interfaceName "NLB Interface" -force
  5. Set port rules for port 80
    Powershell Commands:

    Get-NLBClusterPortRule | Remove-NlbClusterPortRule -Force
    Add-NlbClusterPortRule -mode multiple -affinity single -startport 80 -endport 80 -protocol tcp -interfaceName "NLB Interface"
  6. Disable unneeded protocols, then set the DNS servers, gateway, and interface metrics
    Dos commands:

    nvspbind.exe /d "NLB Interface" ms_tcpip6
    nvspbind.exe /d "NLB Interface" ms_netbt
    nvspbind.exe /d "NLB Interface" ms_smb
    nvspbind.exe /d "NLB Interface" ms_lltdio
    nvspbind.exe /d "NLB Interface" ms_rspndr
    nvspbind.exe /d "NLB Interface" ms_pppoe
    
    netsh interface ipv4 add dnsserver name="NLB Interface" address=xxx.xxx.xxx.xxx index=1
    netsh interface ipv4 add dnsserver name="NLB Interface" address=xxx.xxx.xxx.xxx index=2
    netsh interface ipv4 add address "NLB Interface" gateway=xxx.xxx.xxx.xxx gwmetric=2
    netsh interface ipv4 set interface "NLB Interface" metric=2
    netsh interface ipv4 set interface "eth0, LAN Network" metric=1
  7. Install DFSR and Create a DFSR Replication Group, then add the current system’s wwwroot as a replicated folder.
    Dos Commands:

    Powershell -executionpolicy bypass -command "Import-Module ServerManager; Add-WindowsFeature File-Services,FS-DFS,FS-DFS-Replication"
    dfsradmin RG New /rgname:"Cluster1 Replication Group"
    dfsrAdmin RG Set Schedule full /RGName:"Cluster1 Replication Group"
    dfsradmin member new /rgname:"Cluster1 Replication Group" /memname:%computername%
    dfsradmin RF New /rgName:"Cluster1 Replication Group" /RfName:wwwRoot
    dfsradmin Membership Set /RgName:"Cluster1 Replication Group" /RfName:wwwRoot /MemName:%computername% /LocalPath:C:\inetpub\wwwroot /MembershipEnabled:true /IsPrimary:true

Server 2

  1. Install IIS (same as above)
  2. Install the NLB feature (same as above)
  3. Add the host to the cluster
    Powershell Commands:

    #Add host
    (Get-NLBCluster -hostname nlb1.domain.com) | Where-Object {$_.Name -eq "Cluster1"} | `
    	Add-NLBClusterNode -NewNodeName "nlb2" -newNodeInterface "NLB Interface" -force
    
    #remove default Dedicated IP
    (Get-NlbClusterNodeDip -nodename nlb2) | Remove-NlbClusterNodeDip -force
  4. Set the gateway and interface metrics (same as above)
  5. Add the host to the DFS Replication Group, add wwwroot as a replicated folder, and add connections between the hosts.
    Dos Commands:

    Powershell -executionpolicy bypass -command "Import-Module ServerManager; Add-WindowsFeature File-Services,FS-DFS,FS-DFS-Replication"
    dfsradmin member new /rgname:"Cluster1 Replication Group" /memname:%computername%
    dfsradmin Membership Set /RgName:"Cluster1 Replication Group" /RfName:wwwRoot /MemName:%computername% /LocalPath:C:\inetpub\wwwroot /MembershipEnabled:true /IsPrimary:false
    
    dfsradmin conn new /rgname:"Cluster1 Replication Group" /SendMem:nlb1 /RecvMem:%computername% /ConnEnabled:true
    dfsradmin conn new /rgname:"Cluster1 Replication Group" /SendMem:%computername% /RecvMem:nlb1 /ConnEnabled:true

Testing

Open the Network Load Balancing GUI from Administrative Tools and stop both hosts. Opening your VIP in Internet Explorer should fail. Next, try enabling each host separately and visiting the VIP. The VIP should work after each test once convergence takes place.
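The GUI test above proves that traffic fails over, but not that the cluster is built the way the steps intend. The script below is an added example (not part of the original post) that checks the same build from PowerShell: the operation mode, the state of every node, that the only port rule is TCP 80 with single affinity, that the wwwRoot replicated folder has reached DFSR’s Normal state, and that the VIP answers. The cluster name "Cluster1", interface name "NLB Interface" and replicated folder name wwwRoot come from the steps above; the VIP 10.0.0.10 is a constructed value. The DFSR check uses the DfsrReplicatedFolderInfo WMI class, whose State value 4 means Normal.

```powershell
# Added example, not from the original post: verify the NLB + DFSR build from PowerShell.
Import-Module NetworkLoadBalancingClusters

$ClusterName   = "Cluster1"
$InterfaceName = "NLB Interface"
$RfName        = "wwwRoot"
$Vip           = "10.0.0.10"   # constructed value; use your cluster's VIP
$problems      = @()

# 1. The cluster exists under the expected name and uses IGMP multicast.
$cluster = Get-NlbCluster -InterfaceName $InterfaceName
if ($cluster.Name -ne $ClusterName) {
    $problems += "cluster name is '$($cluster.Name)', expected '$ClusterName'"
}
if ($cluster.OperationMode -ne "IgmpMulticast") {
    $problems += "operation mode is $($cluster.OperationMode), expected IgmpMulticast"
}

# 2. Every node has converged; anything else means it is not serving the VIP.
foreach ($n in (Get-NlbClusterNode -InterfaceName $InterfaceName)) {
    if ($n.State -ne "Converged") { $problems += "node $($n.Name) is in state $($n.State)" }
}

# 3. Exactly one port rule, covering TCP 80 only. A wider rule would load-balance
#    ports (RDP, SMB, WinRM) that were never meant to be reachable via the VIP.
$rules = @(Get-NlbClusterPortRule -InterfaceName $InterfaceName)
if ($rules.Count -ne 1) { $problems += "expected 1 port rule, found $($rules.Count)" }
foreach ($r in $rules) {
    if ($r.StartPort -ne 80 -or $r.EndPort -ne 80 -or $r.Protocol -ne "TCP") {
        $problems += "port rule $($r.StartPort)-$($r.EndPort)/$($r.Protocol) is not TCP 80 only"
    }
    if ($r.Affinity -ne "Single") {
        $problems += "port rule affinity is $($r.Affinity), expected Single (sticky sessions)"
    }
}

# 4. The wwwRoot replicated folder exists on this member and is replicating normally.
#    DfsrReplicatedFolderInfo.State: 0 Uninitialized, 1 Initialized, 2 Initial Sync,
#    3 Auto Recovery, 4 Normal, 5 In Error.
$rf = Get-WmiObject -Namespace "root\MicrosoftDFS" -Class DfsrReplicatedFolderInfo |
      Where-Object { $_.ReplicatedFolderName -eq $RfName }
if ($rf -eq $null) {
    $problems += "DFSR replicated folder $RfName not found on $env:COMPUTERNAME"
} elseif ($rf.State -ne 4) {
    $problems += "DFSR folder $RfName is in state $($rf.State) (4 = Normal)"
}

# 5. The VIP answers over HTTP. From a cluster member this is served locally, so a
#    client on another subnet is still the real end-to-end test.
try {
    $req = [System.Net.HttpWebRequest]::Create("http://$Vip/")
    $req.Timeout = 5000
    $resp = $req.GetResponse()
    $resp.Close()
} catch {
    $problems += "HTTP request to VIP $Vip failed: $($_.Exception.Message)"
}

if ($problems.Count -eq 0) {
    "All checks passed on $env:COMPUTERNAME"
} else {
    $problems | ForEach-Object { "FAIL: $_" }
}
```

Run it on each node after convergence; the port-rule check is the one worth keeping around, since someone later adding a catch-all 0-65535 rule through the GUI is the easiest way to expose more than the web site through the VIP.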

Once again, have fun doing good things. JP

Configuring NLB with PowerShell

It’s actually possible to do most NLB configuration in PowerShell. Here are some leads and a sample script.

First, let’s install the NLB Role (this is a DOS command)

Ocsetup.exe NetworkLoadBalancingFullServer

Next, this PowerShell script will create an NLB cluster on the current host. It assumes your NLB interface is named “NLB”. Note: DedicatedIP is optional and not all that useful.

Import-Module NetworkLoadBalancingClusters
#create the cluster
New-NlbCluster -ClusterName "<ClusterName>" -ClusterPrimaryIP <VIP> -SubnetMask <VIPSubnetMask> -DedicatedIP <DIP> -DedicatedIPSubnetMask <DIPSubnetMask> -OperationMode "igmpmulticast" -interfaceName "NLB" -force
#Remove all cluster port rules
Get-NLBClusterPortRule | Remove-NlbClusterPortRule -Force
#Add a new port rule allowing port 80
Add-NlbClusterPortRule -mode multiple -affinity single -startport 80 -endport 80 -protocol tcp -interfaceName "NLB"

The following PowerShell script will add the current host (referred to as nlb2) to the cluster on nlb1.domain.com.

Import-Module NetworkLoadBalancingClusters

#Add host
(Get-NLBCluster -hostname nlb1.domain.com) | Where-Object {$_.Name -eq "<ClusterName>"} | `
	Add-NLBClusterNode -NewNodeName "nlb2" -newNodeInterface "NLB" -force

#remove default DIP
(Get-NlbClusterNodeDip -nodename nlb2) | Remove-NlbClusterNodeDip -force

#add proper DIP
Add-NlbClusterNodeDip -hostname nlb2 -interfacename "NLB" -IP <DIP> -subnetmask <DIPSubnetMask>

Finally, we can change some settings on the interfaces (more DOS commands).

REM Disable unneeded protocols
nvspbind.exe /d "NLB" ms_tcpip6
nvspbind.exe /d "NLB" ms_netbt
nvspbind.exe /d "NLB" ms_smb
nvspbind.exe /d "NLB" ms_lltdio
nvspbind.exe /d "NLB" ms_rspndr
nvspbind.exe /d "NLB" ms_pppoe

REM Set DNS Servers on NLB Interface
netsh interface ipv4 add dnsserver name="NLB" address=xxx.xxx.xxx.xxx index=1
netsh interface ipv4 add dnsserver name="NLB" address=xxx.xxx.xxx.xxx index=2

REM Set Gateway on NLB Interface
netsh interface ipv4 add address "NLB" gateway=xxx.xxx.xxx.xxx gwmetric=2

REM Set Interface Metrics on Interfaces
netsh interface ipv4 set interface "NLB" metric=2
netsh interface ipv4 set interface "eth0, LAN Network" metric=1

Hope this helps you do something cool! JP