Network Load Balancing, Windows 2000 Advanced Server

Network Load Balancing, a clustering technology included in the Microsoft® Windows® 2000 Advanced Server and Datacenter Server operating systems, enhances the scalability and availability of mission-critical, TCP/IP-based services, such as Web, Terminal Services, virtual private networking, and streaming media servers. This component runs within cluster hosts as part of the Windows 2000 operating system and requires no dedicated hardware support. To scale performance, Network Load Balancing distributes IP traffic across multiple cluster hosts. It also ensures high availability by detecting host failures and automatically redistributing traffic to the surviving hosts.

There are four models for configuring Network Load Balancing, each with advantages and disadvantages. This white paper explains each model, and provides step-by-step instructions on how to configure them. It also provides a comprehensive troubleshooting guide, frequently asked questions, Application Center 2000 details specific to Network Load Balancing, and other relevant information.

Introduction

Overview

With the move to more Internet-centric computing models, the need for highly available and scalable Internet services is greater than ever before. These services must run 24 hours a day, seven days a week, and be able to quickly and easily increase capacity to meet the often rapid growth in demand for Internet services.

To address these issues, Windows 2000® offers two clustering technologies designed for this purpose: Cluster service, which is intended primarily to provide failover support for critical line-of-business applications such as databases, messaging systems, and file/print services; and Network Load Balancing, which serves to balance incoming IP traffic among multi-host clusters.

Network Load Balancing provides scalability and high availability to enterprise-wide TCP/IP services, such as Web, Terminal Services, proxy, Virtual Private Networking (VPN), and streaming media services. It is available in two versions of Windows 2000, i.e. Windows® 2000 Advanced Server and Windows® 2000 Datacenter Server, or bundled free with Application Center 2000.

There are four models for configuring Network Load Balancing – Single Network Adapter (Unicast), Multiple Network Adapters (Unicast), Single Network Adapter (Multicast), and Multiple Network Adapters (Multicast). Each model has advantages and disadvantages, and suits a particular scenario. This document will provide a comprehensive explanation of each model, and a detailed, step-by-step guide for how to configure them.

In addition to providing configuration information, this document includes a detailed troubleshooting guide for some of the most common problems that customers may encounter with Network Load Balancing, followed by a list of helpful Knowledge Base articles for further information.

The document concludes with a list of frequently asked questions, and where you can go to find out more information.

Note   For an excellent technical overview on how Network Load Balancing works, refer to the For More Information section at the end of this document.

Application Center 2000

Application Center 2000 is Microsoft's deployment and management tool for high-availability Web applications built on the Windows 2000 operating system. Application Center 2000 makes managing groups of servers as simple as managing a single computer. One of the key ways it does this is through its integration with Network Load Balancing. By automating the configuration of NLB settings like cluster settings, IP addresses, and server affinity, it simplifies the process of setting up an NLB cluster.

However, it offers a significant number of other benefits for NLB-controlled servers, including aggregated performance monitors and event logs, simplified deployment of web applications, and a powerful eventing system (via Health Monitor) for performing automatic actions, e.g. if an NLB host hits 85% CPU utilization for 15 minutes, take it offline. This last point is quite significant, because it allows Application Center 2000 controlled NLB hosts to offer a type of performance based load balancing.

Anyone using Network Load Balancing should consider the benefits available to them by using Application Center 2000. In addition to those listed above, Application Center 2000 includes the Network Load Balancing software, so you only need to purchase Windows 2000 Server, rather than Windows 2000 Advanced Server, which is normally required to use Network Load Balancing.

For more information, refer to https://www.microsoft.com/applicationcenter/.

Configuration

Network Load Balancing Models

Network Load Balancing can be configured using one of four different models. This section describes the models and sets forth the advantages and disadvantages of each, along with possible scenarios. The following section provides step by step examples of how to configure each model.

Important   1) It is worth noting that the most commonly deployed model is Single Network Adapter (Unicast), followed by Multiple Network Adapters (Unicast). 2) The terms virtual IP address (VIP), cluster IP address and primary IP address are often used interchangeably in Microsoft documentation. It is worth noting that the first VIP in an NLB cluster is called the primary IP address (or cluster IP address). Refer to the glossary for a fuller explanation.

Single Network Adapter (Unicast)

Description

A single network adapter has two or more IP addresses bound to the cluster MAC address: one for cluster traffic (e.g. client access or cluster heartbeats), and another for dedicated traffic (e.g. server management).

Key Points 

  • The adapter's original, built-in MAC address is disabled.

  • The cluster MAC address (which Network Load Balancing automatically generates) replaces this address.

  • The adapter becomes, in effect, the cluster adapter.

  • Both the dedicated IP address and the cluster IP address resolve to the cluster MAC address.

  • Because all cluster hosts share the same MAC address, and because the original MAC address is not used, ordinary network communication between this host and the other cluster hosts is not possible. However, the computer can still handle traffic originating from outside the subnet in which the cluster is located, and from inside the subnet if the source MAC address of the IP packet is different from the cluster MAC address.

Possible Scenarios

Intranet Servers – for low volume intranet servers.

Stand Alone Web Servers – for low volume web servers with little or no backend interaction (e.g. static content), and no requirement to interact with other cluster hosts.

Advantages 

  • Only one network adapter is required; there is no need to install a second adapter.

  • Provides the most straightforward configuration, because unicast mode is the default.

  • Works with all routers.

Disadvantages 

  • Ordinary network communication among cluster hosts is not possible.

  • Overall network performance may suffer, since both cluster traffic and dedicated traffic use the same network adapter.

  • Cluster traffic and dedicated traffic travel through the same network adapter, which may be a security risk, e.g. if the cluster traffic is going to the Internet, there is a chance that the dedicated traffic may be "sniffed" from the Internet.

Multiple Network Adapters (Unicast)

Description

Two or more network adapters with one or more IP addresses bound to one MAC address per network adapter: one network adapter for cluster traffic (e.g. client access or cluster heartbeats), and another network adapter for dedicated traffic (e.g. server management or access to back end resources).

Key Points

The first network adapter is the cluster adapter.

  • The adapter's original, built-in MAC address is disabled.

  • The cluster IP address resolves to this adapter's cluster MAC address (which Network Load Balancing automatically generates).

  • If the cluster adapter's dedicated IP address is used, this IP address also resolves to the cluster MAC address.

  • The cluster adapter handles client-to-cluster traffic via a virtual IP address, e.g. the primary IP address. If the dedicated IP address is used, the cluster adapter can also handle traffic from outside the subnet, and from inside the subnet if the source MAC address of the IP packet is different from the cluster MAC address.

The second network adapter is the dedicated adapter.

  • This adapter's IP address resolves to the adapter's built-in MAC address.

    Note   the dedicated adapter is not necessarily related to the dedicated IP address. Refer to the glossary for a further explanation.

  • Network Load Balancing is disabled on this adapter.

  • The dedicated adapter handles network traffic specific to the computer, including traffic from both inside and outside the subnet in which the computer is located.

Possible Scenarios

Internet Web Servers: public web servers that require regular access to back-end resources (e.g. SQL Server databases). Client traffic travels through the cluster network adapter, and back-end traffic travels through the dedicated network adapter, providing increased performance and security.

Busy Intranet Servers: intranet web servers that require optimal client response time.

Application Center 2000: requires a dedicated back end adapter for management and replication traffic.

Advantages 

  • Improved overall performance, since cluster and dedicated traffic travel through different network adapters.

  • Permits ordinary network communication among cluster hosts.

  • Works with all routers.

  • Improved security, since cluster and dedicated traffic travel through different network adapters.

Disadvantages 

  • Requires a second network adapter per host.

Single Network Adapter (Multicast)

Description

A single network adapter has two or more IP addresses bound to two MAC addresses: one for cluster traffic (e.g. client access or cluster heartbeats), and another for dedicated traffic (e.g. server management).

Key Points 

  • Network Load Balancing automatically generates a cluster MAC address for the network adapter.

  • The adapter's original, built-in MAC address is retained.

  • The cluster IP address resolves to the cluster MAC address.

  • The dedicated IP address resolves to the original MAC address.

  • Because both MAC addresses are used, there are no constraints on network traffic.

Possible Scenarios

Replicated Intranet Servers: intranet servers that replicate information between other web servers in the same subnet.

Advantages 

  • As only one network adapter is required, there is no need to install a second adapter.

  • Permits ordinary network communication among cluster hosts.

Disadvantages 

  • Because there is only one adapter, overall network performance may suffer, since both cluster traffic and dedicated traffic use the same network adapter.

  • Some routers may not support the use of a multicast MAC address mapped to a unicast IP address. See the Routers section under Advanced Issues for a solution.

  • Cluster traffic and dedicated traffic travel through the same network adapter, which may be a security risk, e.g. if the cluster traffic is going to the Internet, there is a chance that the dedicated traffic may be "sniffed" from the Internet.

Multiple Network Adapters (Multicast)

Description

Two or more network adapters with one or more IP addresses bound to one or more MAC addresses per network adapter: one network adapter for cluster traffic (e.g. client access or cluster heartbeats), and another network adapter for dedicated traffic (e.g. server management or access to back end resources).

Key Points

The first network adapter is the cluster adapter.

  • The adapter's original, built-in MAC address is retained.

  • The cluster IP address resolves to this adapter's cluster MAC address (which Network Load Balancing automatically generates).

  • If the cluster adapter's dedicated IP address is used (usual for multicast), this IP address resolves to the adapter's original, built-in MAC address.

  • The cluster adapter, therefore, can handle both client-to-cluster traffic and traffic specific to the computer, including all traffic from both inside and outside the subnet in which the computer is located.

The second network adapter is the dedicated adapter.

  • This adapter's IP address resolves to the adapter's built-in MAC address.

  • Network Load Balancing is disabled on this adapter.

  • The dedicated adapter handles network traffic specific to the computer, including traffic from both inside and outside the subnet in which the computer is located.

Possible Scenarios

This model is suitable for a cluster in which ordinary network communication among cluster hosts is necessary, and in which there is heavy dedicated traffic from outside the cluster subnet to specific cluster hosts.

Advantages 

  • Improved overall performance, since cluster and dedicated traffic travel through different network adapters.

  • Permits ordinary network communication among cluster hosts.

  • Cluster traffic and dedicated traffic travel through different network adapters, providing better security.

Disadvantages 

  • Requires a second network adapter.

  • Some routers may not support the use of a multicast MAC address mapped to a unicast IP address. See the Routers section under Advanced Issues for a solution.

Step by Step Guides

Single Network Adapter (Unicast)

IP Addresses

These IP settings are samples only, and are used throughout the guide. You should replace these with your own IP Addresses. In addition, if you require more than one clustered IP address, e.g. you are hosting multiple web sites, you can configure additional virtual IP addresses. Simply enter these as additional IP addresses in TCP/IP Advanced properties. You don't need to enter them as NLB parameters, since NLB load balances all IP addresses bound to the NLB network adapter, other than the dedicated IP address.

Note   It is not necessary to have your NLB Primary IP address on the same subnet as your dedicated IP address. In a low volume web server environment, for example, you may wish to have them on different subnets (e.g. 203.x.x.x for NLB traffic, and 192.168.0.x for back end traffic).

Server 1

Primary IP Address – 192.168.0.10; Subnet mask – 255.255.255.0

Additional virtual IP Address (optional) – 192.168.0.11; Subnet mask – 255.255.255.0

Dedicated IP Address – 192.168.0.100; Subnet mask – 255.255.255.0

Default Gateway – 192.168.0.1

Server 2

Primary IP Address – 192.168.0.10; Subnet mask – 255.255.255.0

Additional virtual IP Address (optional) – 192.168.0.11; Subnet mask – 255.255.255.0

Dedicated IP Address – 192.168.0.101; Subnet mask – 255.255.255.0

Default Gateway – 192.168.0.1

Steps
  1. On Server 1, from the Start Menu, select Settings, then Network and Dial-up Connections. Right mouse click on Local Area Connection, and select Rename. Change the name to "Front End." Now right mouse click, and select Properties.

  2. Tick Network Load Balancing, and then click on Properties.

    Note   if Network Load Balancing does not appear in the list of components, it has been uninstalled. Refer to the Troubleshooting section below for information on how to re-install Network Load Balancing. You will see three tabs – Cluster Parameters, Host Parameters, and Port Rules.

  3. Click on the Cluster Parameters tab.

    Note   Settings in this tab should be identical between all cluster hosts. Specify the Primary IP address and subnet mask of the cluster as above.

    Note   the Primary IP address has two roles: first, to identify the cluster for remote control operations and heartbeats; and second, as the first virtual IP address for load balancing. Additional virtual IP addresses (e.g. for multihomed web sites), do not need to be entered here, as NLB automatically load balances all IP addresses bound to the network adapter other than the dedicated IP address. You can also specify the Full Internet Name (i.e. DNS name), that maps to the Primary IP Address (e.g. mydomain.com.au), but this is optional. You can leave it blank. Ensure multicast support is NOT ticked. While enabling remote control is considered a possible security risk, you may do so here.

    Note   If you enable remote control, it is vital, for reasons of security, that you use a firewall for the NLB UDP control ports (the ports receiving remote-control commands) in order to shield them from outside intrusion. By default, these are ports 1717 and 2504 at the cluster IP address.

  4. Click on the Host Parameters tab.

    Note   Settings in this tab should be unique between all cluster hosts (except initial cluster state).

    Assign an appropriate priority, i.e. a unique host ID (e.g. server 1 = Host ID 1, server 2 = Host ID 2, etc.).

    Important   Each cluster host must have a unique ID.

    Note   The host with the highest host priority (1 being the highest) is the default host, and handles all of the network traffic not otherwise covered by port rules.

    Now enter the dedicated IP address and subnet mask as above. Ensure the initial cluster state is active.

    Note   If you leave this unticked, this host will not participate in the cluster.

  5. Click on the Port Rules tab.

    Note   Rules in this tab should be identical between all cluster hosts, except for handling priority and unequal load weights.

    The following steps explain how to configure HTTP and SSL port rules with no affinity, equal load, and multiple hosts (the most common scenario for web sites). For other port rules, and an explanation of what each port rule does, refer to the Port Rules section below. Click on the default rule located in the bottom part of the window (Start = 0, end = 65535, etc). Click Remove.

    HTTP – Enter a port range of 80 to 80. Click TCP for Protocols. Click Multiple Hosts for Filtering Mode. Click None for Affinity. Tick Equal for Load Weight. Now click Add.

    SSL – Enter a port range of 443 to 443. Click TCP for Protocols. Click Multiple Hosts for Filtering Mode. Click Single for Affinity.

    Note   You can also specify Class C. Refer to Port Rules below for more details. Tick Equal for Load Weight. Now click Add.

  6. Click OK to accept these settings.

  7. The next step is to configure TCP/IP settings for the network adapter. You should still be in the LAN Connection screen. Click on Internet Protocol and select Properties.

  8. Click on "Use the following IP address", and enter the dedicated IP address, subnet mask and default gateway as above.

    Note   Both the dedicated IP address and the cluster's primary IP address must be static IP addresses, not DHCP addresses.

    Now click on Advanced and add the Primary IP address and subnet mask as above. Also add the additional virtual IP address (optional).

    Note   Make sure that the dedicated IP address is always listed first (before the cluster IP address) in the Internet Protocol (TCP/IP) Properties dialog box, so that all outbound connections made on behalf of this host (for example, Telnet or FTP) are initiated with this address.

  9. Click OK three times to accept the settings. You have now configured Network Load Balancing on Server 1. Repeat these steps for Server 2 using the correct dedicated IP address and host ID (e.g. 192.168.0.101 and 2).

Verification
  1. From Server 1, open the command prompt and type "wlbs query". You should see a message saying "Host 1 converged as default with the following host(s) as part of the cluster: 1, 2". If not, refer to the Troubleshooting section below.

  2. Now type "ping 192.168.0.101". You should receive the message "Request timed out". This is because you cannot communicate between cluster hosts on NLB enabled adapters when in Unicast mode.

  3. The following must be done on both servers. Create a file called default.asp (see below), and place it in C:\Inetpub\wwwroot (this is the default location for web content). Now open Internet Services Manager and expand the MMC tree till you see Default Web Site. Right mouse click on it and select Properties. On the Web Site tab, you will see "HTTP Keep-Alives Enabled". Untick it.

    Warning   Only untick this for this test. It is required as we are only testing with a single client IP address, and without it disabled, we will not see an even load distribution. Ensure that you enable it again once the verification is completed. Open your Internet browser, and go to https://localhost/. You should see a Network Load Balancing testpage stating the server you are on.

  4. The following must be done from a client machine in the 192.168.0.x subnet. Try pinging the following addresses: 192.168.0.10, 192.168.0.100, 192.168.0.101. You should receive valid replies for all of them. Open Internet Explorer and go to the following URL https://192.168.0.10/. You should see a Network Load Balancing testpage stating which server served the page. Press the F5 key several times and you will see the server change.

    Note   if you don't see the server change, check that you have temporarily disabled HTTP Keep-Alives.

  5. On Server 1, open the command prompt and type "wlbs stop". This will stop load balancing on this server. Press F5 on the client machine to refresh Internet Explorer. The page should appear saying Server 2. On Server 2, open the command prompt and type "wlbs stop". This will stop load balancing altogether. Press F5 on the client machine to refresh Internet Explorer. The page should time out. On Server 1, open the command prompt and type "wlbs start". This will start load balancing on this server. Press F5 on the client machine to refresh Internet Explorer. The page should appear saying Server 1. On Server 2, open the command prompt and type "wlbs start". If your results differ from these, refer to the Troubleshooting section below.

    Default.asp 

    Note   use a text editor that preserves the formatting – e.g. Wordpad, and save as a text file called default.asp.

<%@ LANGUAGE = VBScript %>
<% Option Explicit %>
<HTML>
  <B>Network Load Balancing Test</B><P>
  <%
    ' Look up this server's computer name so the page shows which host answered.
    Dim WshNetwork
    Set WshNetwork = CreateObject("Wscript.Network")
    Dim LocalMachine
    LocalMachine = WshNetwork.ComputerName
    Set WshNetwork = Nothing
  %>
  This page is served by: <%Response.Write LocalMachine%>
</HTML>

Multiple Network Adapters (Unicast)

IP Addresses

These IP settings are samples only, and are used throughout the guide. You should replace these with your own IP Addresses. In addition, if you require more than one clustered IP address, e.g. you are hosting multiple web sites, you can configure additional virtual IP addresses. Simply enter these as additional IP addresses in TCP/IP Advanced properties. You don't need to enter them as NLB parameters, since NLB load balances all IP addresses bound to the NLB network adapter, other than the dedicated IP address.

Note   1) It is not necessary to have your front end adapter on a different subnet to your back end adapter. In a high volume intranet environment, for example, you may wish to have them on the same subnets, and use the back end adapter to increase performance for client responses. 2) The above scenario assumes the Front End adapter is connected to the Internet, and therefore assigns the default gateway to that adapter, while leaving the Back End adapter without a default gateway (static routes are used). For more information on default gateways, refer to the Advanced Issues section below.

Server 1 – Front End Network Adapter (NLB enabled)

Primary IP Address – 10.0.0.10; Subnet mask – 255.255.255.0

Additional virtual IP Address (optional) – 10.0.0.11; Subnet mask – 255.255.255.0

Dedicated IP Address – 10.0.0.100; Subnet mask – 255.255.255.0

Default Gateway – 10.0.0.1

Server 1 – Back End Network Adapter (NLB disabled)

Dedicated IP Address – 192.168.0.100; Subnet mask – 255.255.255.0

Default Gateway – blank (use static routes for back end routing)

Server 2 – Front End Network Adapter (NLB enabled)

Primary IP Address – 10.0.0.10; Subnet mask – 255.255.255.0

Additional virtual IP Address (optional) – 10.0.0.11; Subnet mask – 255.255.255.0

Dedicated IP Address – 10.0.0.101; Subnet mask – 255.255.255.0

Default Gateway – 10.0.0.1

Server 2 – Back End Network Adapter (NLB disabled)

Dedicated IP Address – 192.168.0.101; Subnet mask – 255.255.255.0

Default Gateway – blank (use static routes for back end routing)

Steps

Front End Network Adapter 

  1. On Server 1, from the Start Menu, select Settings, then Network and Dial-up Connections. Right mouse click on Local Area Connection, and select Rename. Change the name to "Front End". Now right mouse click, and select Properties.

  2. Tick Network Load Balancing, and then click on Properties.

    Note   if Network Load Balancing does not appear in the list of components, it has been uninstalled. Refer to the Troubleshooting section below for information on how to re-install Network Load Balancing. You will see three tabs – Cluster Parameters, Host Parameters, and Port Rules.

  3. Click on the Cluster Parameters tab.

    Note   Settings in this tab should be identical between all cluster hosts. Specify the Primary IP address and subnet mask of the cluster as above.

    Note   the Primary IP address has two roles: first, to identify the cluster for remote control operations and heartbeats; and second, as the first virtual IP address for load balancing. Additional virtual IP addresses (e.g. for multihomed web sites), do not need to be entered here, as NLB automatically load balances all IP addresses bound to the network adapter other than the dedicated IP address. You can also specify the Full Internet Name (i.e. DNS name), that maps to the Primary IP Address (e.g. mydomain.com.au), although this is optional. Ensure multicast support is NOT ticked. While enabling remote control is considered a possible security risk, you may do so here.

    Note   If you enable remote control, it is vital, for reasons of security, that you use a firewall for the NLB UDP control ports (the ports receiving remote-control commands) in order to shield them from outside intrusion. By default, these are ports 1717 and 2504 at the cluster IP address.

  4. Click on the Host Parameters tab.

    Note   Settings in this tab should be unique between all cluster hosts (except initial cluster state).

    Assign an appropriate priority, i.e. a unique host ID (e.g. server 1 = Host ID 1, server 2 = Host ID 2, etc.).

    Important   Each cluster host must have a unique ID.

    Note   the host with the highest host priority (1 being the highest) is the default host, and handles all of the network traffic not otherwise covered by port rules. Enter the dedicated IP address and subnet mask as above.

    Note   While it is possible to leave the dedicated IP address blank (some Microsoft documentation suggests this), assigning one allows specific access to this front end network adapter, e.g. for diagnosis. For more information on the dedicated IP address, refer to the Advanced Issues section below. Ensure the initial cluster state is active.

    Note   If you leave this unticked, this host will not participate in the cluster.

  5. Click on the Port Rules tab.

    Note   Rules in this tab should be identical between all cluster hosts, except for handling priority and unequal load weights.

    The following steps explain how to configure HTTP and SSL port rules with no affinity, equal load, and multiple hosts (the most common scenario for web sites). For other port rules, and an explanation of what each port rule does, refer to the Port Rules section below. Click on the default rule located in the bottom part of the window (Start = 0, end = 65535, etc). Click Remove.

    HTTP – Now enter a port range of 80 to 80. Click TCP for Protocols. Click Multiple Hosts for Filtering Mode. Click None for Affinity. Tick Equal for Load Weight. Now click Add.

    SSL – Enter a port range of 443 to 443. Click TCP for Protocols. Click Multiple Hosts for Filtering Mode. Click Single for Affinity.

    Note   You can also specify Class C. Refer to Port Rules below for more details. Tick Equal for Load Weight. Now click Add.

  6. Click OK to accept these settings.

  7. The next step is to configure TCP/IP settings for the network adapter. You should still be in the LAN Connection screen. Click on Internet Protocol and select Properties.

  8. Click on "Use the following IP address", and enter the dedicated IP address, subnet mask and default gateway as above.

    Note   Both the dedicated IP address and the cluster's primary IP address must be static IP addresses, not DHCP addresses.

    Now click on Advanced and add the Primary IP address and subnet mask as above. Also add the additional virtual IP address (optional).

    Note   Make sure that the dedicated IP address is always listed first (before the cluster IP address) in the Internet Protocol (TCP/IP) Properties dialog box, so that all outbound connections made on behalf of this host (for example, Telnet or FTP) are initiated with this address.

  9. Click OK three times to accept the settings. You have now configured Network Load Balancing on Server 1. Repeat these steps for Server 2 using the correct host ID (e.g. 2).

Back End Network Adapter 

  1. On Server 1, from the Start Menu, select Settings, then Network and Dial-up Connections. Right mouse click on Local Area Connection 2, and select Rename. Change the name to "Back End". Now right mouse click and select Properties. Ensure Network Load Balancing is unticked. Now click on Internet Protocol and select Properties.

  2. Click on "Use the following IP address", and enter the Back End Dedicated IP address and subnet mask. Leave the default gateway blank.

    Note   use static routes for back end routing. For more information on default gateways, refer to the section under Advanced Issues.

  3. Click OK twice to accept the settings. You have now configured Back End TCP/IP properties on Server 1. Repeat these steps for Server 2 using the correct dedicated IP address (e.g. 192.168.0.101).
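
The rules that both step-by-step guides above place on the dialog settings (which must match across hosts, which must be unique, the binding order, the remote-control ports) can be checked offline before a host joins the cluster. The following Python script is an added example, not part of the original white paper or any Microsoft tool; the Host record, its field names and the finding codes are hypothetical, and the sample values are constructed from the guide's sample addresses.

```python
from collections import Counter, namedtuple
from dataclasses import dataclass
from typing import List, Optional

REMOTE_CONTROL_UDP_PORTS = (1717, 2504)  # defaults stated in the guide

Finding = namedtuple("Finding", "code host detail")
# Fields compared between hosts. Load weight and handling priority are left
# out because the guide allows them to differ from host to host.
PortRule = namedtuple("PortRule", "start end protocol mode affinity")


@dataclass
class Host:  # hypothetical record of one host's dialog settings
    name: str
    host_id: int                  # Host Parameters: priority (unique host ID)
    primary_ip: str               # Cluster Parameters: primary IP address
    mask: str
    dedicated_ip: str             # Host Parameters: dedicated IP address
    bound_ips: List[str]          # TCP/IP properties, in the order listed
    port_rules: List[PortRule]
    multicast: bool = False
    remote_control: bool = False
    dhcp: bool = False
    backend_ip: Optional[str] = None       # second adapter, if present
    backend_gateway: Optional[str] = None
    backend_nlb: bool = False


def cluster_params(h):
    return (h.primary_ip, h.mask, h.multicast, h.remote_control)


def audit(hosts, unicast=True):
    """Return a Finding for every rule from the guide that a host breaks."""
    out, ref = [], hosts[0]
    ids = Counter(h.host_id for h in hosts)
    dips = Counter(h.dedicated_ip for h in hosts)
    for h in hosts:
        def add(code, detail):
            out.append(Finding(code, h.name, detail))
        if cluster_params(h) != cluster_params(ref):
            add("CLUSTER_MISMATCH", f"cluster parameters differ from {ref.name}")
        if sorted(h.port_rules) != sorted(ref.port_rules):
            add("PORT_RULE_MISMATCH", f"port rules differ from {ref.name}")
        if ids[h.host_id] > 1:
            add("DUPLICATE_HOST_ID", f"host ID {h.host_id} is used more than once")
        if dips[h.dedicated_ip] > 1:
            add("DUPLICATE_DEDICATED_IP", f"{h.dedicated_ip} is used more than once")
        if h.dhcp:
            add("DHCP", "dedicated and primary IP addresses must be static")
        if not h.bound_ips or h.bound_ips[0] != h.dedicated_ip:
            add("BIND_ORDER", "dedicated IP address must be listed first")
        if h.primary_ip not in h.bound_ips:
            add("VIP_NOT_BOUND", "primary IP address missing from TCP/IP properties")
        if h.multicast == unicast:
            add("MODE", "multicast tick box does not match the chosen model")
        if h.remote_control:
            add("REMOTE_CONTROL", f"firewall UDP {REMOTE_CONTROL_UDP_PORTS} "
                                  f"at {h.primary_ip}")
        if h.backend_ip is not None:
            if h.backend_nlb:
                add("BACKEND_NLB", "NLB must be unticked on the back end adapter")
            if h.backend_gateway:
                add("BACKEND_GATEWAY", "guide leaves this blank and uses static routes")
    return out


RULES = [PortRule(80, 80, "TCP", "Multiple", "None"),
         PortRule(443, 443, "TCP", "Multiple", "Single")]


def sample_hosts():
    """Constructed sample: the two servers of the Multiple Adapters guide."""
    return [
        Host("Server 1", 1, "10.0.0.10", "255.255.255.0", "10.0.0.100",
             ["10.0.0.100", "10.0.0.10", "10.0.0.11"], list(RULES),
             backend_ip="192.168.0.100"),
        Host("Server 2", 2, "10.0.0.10", "255.255.255.0", "10.0.0.101",
             ["10.0.0.101", "10.0.0.10", "10.0.0.11"], list(RULES),
             backend_ip="192.168.0.101"),
    ]


def broken_hosts():
    """Constructed sample with typical mistakes made on Server 2."""
    hosts = sample_hosts()
    s2 = hosts[1]
    s2.host_id = 1                                  # copied from Server 1
    s2.bound_ips = ["10.0.0.10", "10.0.0.101"]      # cluster IP listed first
    s2.port_rules[1] = PortRule(443, 443, "TCP", "Multiple", "None")
    s2.remote_control = True
    s2.backend_gateway = "192.168.0.1"
    return hosts


if __name__ == "__main__":
    for f in audit(broken_hosts()):
        print(f"{f.host}: {f.code}: {f.detail}")
```

For the multicast models, call audit(hosts, unicast=False) so that the multicast tick box is expected to be set.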

Verification
  1. From Server 1, open the command prompt and type "wlbs query". You should see a message saying "Host 1 converged as default with the following host(s) as part of the cluster: 1,2". If not, refer to the Troubleshooting section below.

  2. Now type "ping 192.168.0.101". You should receive a valid reply. This is because the dedicated IP address is not bound to the NLB network adapter. Now type "ping 10.0.0.101". You should receive the message "Request timed out". This is because you cannot communicate between cluster hosts on NLB enabled adapters when in Unicast mode.

  3. The following must be done on both servers. Create a file called default.asp (see below), and place it in C:\Inetpub\wwwroot (this is the default location for web content). Now open Internet Services Manager and expand the MMC tree till you see Default Web Site. Right mouse click on it and select Properties. On the Web Site tab, you will see "HTTP Keep-Alives Enabled". Untick it. WARNING: Only untick this for this test. It is required as we are only testing with a single client IP address, and without it disabled, we will not see an even load distribution. Ensure that you enable it again once the verification is completed. Open your Internet browser, and go to https://localhost/. You should see a Network Load Balancing testpage stating the server you are on.

  4. The following must be done from a client machine in the 10.0.0.x subnet. First, type "ping 10.0.0.10". You should receive a valid reply. Open Internet Explorer and go to the following URL https://10.0.0.10/. You should see a Network Load Balancing testpage stating which server served the page. Press the F5 key several times and you will see the server change.

    Note   if you don't see the server change, check that you have temporarily disabled HTTP Keep-Alives.

  5. On Server 1, open the command prompt and type "wlbs stop". This will stop load balancing on this server. Press F5 on the client machine to refresh Internet Explorer. The page should appear saying Server 2. On Server 2, open the command prompt and type "wlbs stop". This will stop load balancing altogether. Press F5 on the client machine to refresh Internet Explorer. The page should time out. On Server 1, open the command prompt and type "wlbs start". This will start load balancing on this server. Press F5 on the client machine to refresh Internet Explorer. The page should appear saying Server 1. On Server 2, open the command prompt and type "wlbs start". If your results differ to these, refer to the Troubleshooting section below.

    Default.asp 

    Note   use a text editor that preserves the formatting – e.g. Wordpad, and save as a text file called default.asp.

    <%@ LANGUAGE = VBScript %>
    <% Option Explicit %>
    <HTML>
    <B>Network Load Balancing Test</B><P>
    <%
        ' Read this server's computer name so the page shows which host answered
        Dim WshNetwork
        Set WshNetwork = CreateObject("Wscript.Network")
        Dim LocalMachine
        LocalMachine = WshNetwork.ComputerName
        Set WshNetwork = Nothing
    %>
    This page is served by: <%Response.Write LocalMachine%>
    </HTML>

Single Network Adapter (Multicast)

The primary difference between this and the Single Network Adapter (Unicast) guide is ticking the "Multicast Support enabled" box. During verification, you will also be able to ping other cluster hosts from within the cluster using the dedicated IP address.

Note   Some routers (e.g. Cisco), have problems with multicast MAC addresses used in Network Load Balancing. See Advanced Issues below for more details.

Network Diagram

[Figure: network diagram for the Single Network Adapter (Multicast) model]

IP Addresses

These IP settings are samples only, and are used throughout the guide. You should replace these with your own IP addresses. In addition, if you require more than one clustered IP address (e.g. you are hosting multiple web sites), you can configure additional virtual IP addresses. Simply enter these as additional IP addresses in TCP/IP Advanced properties. You don't need to enter them as NLB parameters, since NLB load balances all IP addresses bound to the NLB network adapter, other than the dedicated IP address.

Note   It is not necessary to have your NLB Primary IP address on the same subnet as your dedicated IP address. In a low volume web server environment, for example, you may wish to have them on different subnets (e.g. 203.x.x.x for NLB traffic, and 192.168.0.x for back end traffic).

Server 1

Primary IP Address – 192.168.0.10; Subnet mask – 255.255.255.0

Additional virtual IP Address (optional) – 192.168.0.11; Subnet mask – 255.255.255.0

Dedicated IP Address – 192.168.0.100; Subnet mask – 255.255.255.0

Default Gateway – 192.168.0.1

Server 2

Primary IP Address – 192.168.0.10; Subnet mask – 255.255.255.0

Additional virtual IP Address (optional) – 192.168.0.11; Subnet mask – 255.255.255.0

Dedicated IP Address – 192.168.0.101; Subnet mask – 255.255.255.0

Default Gateway – 192.168.0.1

Steps
  1. On Server 1, from the Start Menu, select Settings, then Network and Dial-up Connections. Right mouse click on Local Area Connection, and select Rename. Change the name to "Front End". Now right mouse click, and select Properties.


  2. Tick Network Load Balancing, and then click on Properties.

    Note   if Network Load Balancing does not appear in the list of components, it has been uninstalled. Refer to the Troubleshooting section below for information on how to re-install Network Load Balancing. You will see three tabs – Cluster Parameters, Host Parameters, and Port Rules.

  3. Click on the Cluster Parameters tab.

    Note   Settings in this tab should be identical between all cluster hosts. Specify the Primary IP address and subnet mask of the cluster as above.

    Note   the Primary IP address has two roles: first, to identify the cluster for remote control operations and heartbeats; and second, as the first virtual IP address for load balancing. Additional virtual IP addresses (e.g. for multihomed web sites), do not need to be entered here, as NLB automatically load balances all IP addresses bound to the network adapter other than the dedicated IP address. You can also specify the Full Internet Name (i.e. DNS name), that maps to the Primary IP Address (e.g. mydomain.com.au), but this is optional. Ensure multicast support IS ticked. While enabling remote control is considered a possible security risk, you may do so here.

    Note   If you enable remote control, it is vital, for reasons of security, that you use a firewall for the NLB UDP control ports (the ports receiving remote-control commands) in order to shield them from outside intrusion. By default, these are ports 1717 and 2504 at the cluster IP address.


  4. Click on the Host Parameters tab.

    Note   Settings in this tab should be unique between all cluster hosts (except initial cluster state).

    Assign an appropriate priority, i.e. a unique host ID (e.g. server 1 = Host ID 1, server 2 = Host ID 2, etc.).

    Important   Each cluster host must have a unique ID.

    Note   the host with the highest host priority (1 being the highest) is the default host, and handles all of the network traffic not otherwise covered by port rules. Now enter the dedicated IP address and subnet mask as above. Ensure the initial cluster state is active.

    Note   If you leave this unticked, this host will not participate in the cluster.


  5. Click on the Port Rules tab.

    Note   Rules in this tab should be identical between all cluster hosts, except for handling priority and unequal load weights.

    The following steps explain how to configure HTTP and SSL port rules with no affinity, equal load, and multiple hosts (the most common scenario for web sites). For other port rules, and an explanation of what each port rule does, refer to the Port Rules section below. Click on the default rule located in the bottom part of the window (Start = 0, end = 65535, etc). Click Remove.

    HTTP – Enter a port range of 80 to 80. Click TCP for Protocols. Click Multiple Hosts for Filtering Mode. Click None for Affinity. Tick Equal for Load Weight. Now click Add.

    SSL – Enter a port range of 443 to 443. Click TCP for Protocols. Click Multiple Hosts for Filtering Mode. Click Single for Affinity.

    Note   You can also specify Class C. Refer to Port Rules below for more details. Tick Equal for Load Weight.

    Now click Add.


  6. Click OK to accept these settings.

  7. The next step is to configure TCP/IP settings for the network adapter. You should still be in the LAN Connection screen. Click on Internet Protocol and select Properties.


  8. Click on "Use the following IP address", and enter the dedicated IP address, subnet mask and default gateway as above.

    Note   Both the dedicated IP address and the cluster's primary IP address must be static IP addresses, not DHCP addresses.

    Now click on Advanced and add the Primary IP address and subnet mask as above. Also add the additional virtual IP address (optional).

    Note   Make sure that the dedicated IP address is always listed first (before the cluster IP address) in the Internet Protocol (TCP/IP) Properties dialog box, so that all outbound connections made on behalf of this host (for example, Telnet or FTP) are initiated with this address.


  9. Click OK three times to accept the settings. You have now configured Network Load Balancing on Server 1. Repeat these steps for Server 2 using the correct dedicated IP address and host ID (e.g. 192.168.0.101 and 2).

Verification
  1. From Server 1, open the command prompt and type "wlbs query". You should see a message saying "Host 1 converged as default with the following host(s) as part of the cluster: 1, 2". If not, refer to the Troubleshooting section below.

  2. Now type "ping 192.168.0.10". You should receive a valid reply. Now type "ping 192.168.0.101". You should receive a valid reply. This is because multicast is enabled.

  3. The following must be done on both servers. Create a file called default.asp (see below), and place it in C:\Inetpub\wwwroot (this is the default location for web content). Now open Internet Services Manager and expand the MMC tree till you see Default Web Site. Right mouse click on it and select Properties. On the Web Site tab, you will see "HTTP Keep-Alives Enabled". Untick it.

    Warning   Only untick this for this test. It is required as we are only testing with a single client IP address, and without it disabled, we will not see an even load distribution. Ensure that you enable it again once the verification is completed. Open your Internet browser, and go to https://localhost/. You should see a Network Load Balancing testpage stating the server you are on.

  4. The following must be done from a client machine in the 192.168.0.x subnet. First, type "ping 192.168.0.10". You should receive a valid reply. Open Internet Explorer and go to the following URL https://192.168.0.10/. You should see a Network Load Balancing testpage stating which server served the page. Press the F5 key several times and you will see the server change.

    Note   if you don't see the server change, check that you have temporarily disabled HTTP Keep-Alives.

  5. On Server 1, open the command prompt and type "wlbs stop". This will stop load balancing on this server. Press F5 on the client machine to refresh Internet Explorer. The page should appear saying Server 2. On Server 2, open the command prompt and type "wlbs stop". This will stop load balancing altogether. Press F5 on the client machine to refresh Internet Explorer. The page should time out. On Server 1, open the command prompt and type "wlbs start". This will start load balancing on this server. Press F5 on the client machine to refresh Internet Explorer. The page should appear saying Server 1. On Server 2, open the command prompt and type "wlbs start". If your results differ to these, refer to the Troubleshooting section below.

    Default.asp 

    Note   use a text editor that preserves the formatting – e.g. Wordpad, and save as a text file called default.asp.

    <%@ LANGUAGE = VBScript %>
    <% Option Explicit %>
    <HTML>
    <B>Network Load Balancing Test</B><P>
    <%
        ' Read this server's computer name so the page shows which host answered
        Dim WshNetwork
        Set WshNetwork = CreateObject("Wscript.Network")
        Dim LocalMachine
        LocalMachine = WshNetwork.ComputerName
        Set WshNetwork = Nothing
    %>
    This page is served by: <%Response.Write LocalMachine%>
    </HTML>

Multiple Network Adapters (Multicast)

The primary difference between this and the Multiple Network Adapters (Unicast) guide is ticking the "Multicast Support enabled" box. During verification, you will also be able to ping other cluster hosts from within the cluster using the Front End dedicated IP address.

Note   Some routers (e.g. Cisco), have problems with multicast MAC addresses used in Network Load Balancing. See Advanced Issues below for more details.

Network Diagram

[Figure: network diagram for the Multiple Network Adapters (Multicast) model]

IP Addresses

These IP settings are samples only, and are used throughout the guide. You should replace these with your own IP addresses. In addition, if you require more than one clustered IP address (e.g. you are hosting multiple web sites), you can configure additional virtual IP addresses. Simply enter these as additional IP addresses in TCP/IP Advanced properties. You don't need to enter them as NLB parameters, since NLB load balances all IP addresses bound to the NLB network adapter, other than the dedicated IP address.

Note   1) It is not necessary to have your front end adapter on a different subnet to your back end adapter. In a high volume intranet environment, for example, you may wish to have them on the same subnets, and use the back end adapter to increase performance for client responses. 2) The above scenario assumes the Front End adapter is connected to the Internet, and therefore assigns the default gateway to that adapter, while leaving the Back End adapter without a default gateway (static routes are used). For more information on default gateways, refer to the Advanced Issues section below.

Server 1 – Front End Network Adapter (NLB enabled)

Primary IP Address – 10.0.0.10; Subnet mask – 255.255.255.0

Additional virtual IP Address (optional) – 10.0.0.11; Subnet mask – 255.255.255.0

Dedicated IP Address – 10.0.0.100; Subnet mask – 255.255.255.0

Default Gateway – 10.0.0.1

Server 1 – Back End Network Adapter (NLB disabled)

Dedicated IP Address – 192.168.0.100; Subnet mask – 255.255.255.0

Default Gateway – blank (use static routes for back end routing)

Server 2 – Front End Network Adapter (NLB enabled)

Primary IP Address – 10.0.0.10; Subnet mask – 255.255.255.0

Additional virtual IP Address (optional) – 10.0.0.11; Subnet mask – 255.255.255.0

Dedicated IP Address – 10.0.0.101; Subnet mask – 255.255.255.0

Default Gateway – 10.0.0.1

Server 2 – Back End Network Adapter (NLB disabled)

Dedicated IP Address – 192.168.0.101; Subnet mask – 255.255.255.0

Default Gateway – blank (use static routes for back end routing)

Steps

Front End Network Adapter 

  1. On Server 1, from the Start Menu, select Settings, then Network and Dial-up Connections. Right mouse click on Local Area Connection, and select Rename. Change the name to Front End. Now right mouse click, and select Properties.


  2. Tick Network Load Balancing, and then click on Properties.

    Note   if Network Load Balancing does not appear in the list of components, it has been uninstalled. Refer to the Troubleshooting section below for information on how to re-install Network Load Balancing. You will see three tabs – Cluster Parameters, Host Parameters, and Port Rules.

  3. Click on the Cluster Parameters tab.

    Note   Settings in this tab should be identical between all cluster hosts. Specify the Primary IP address and subnet mask of the cluster as above.

    Note   the Primary IP address has two roles: first, to identify the cluster for remote control operations and heartbeats; and second, as the first virtual IP address for load balancing. Additional virtual IP addresses (e.g. for multihomed web sites), do not need to be entered here, as NLB automatically load balances all IP addresses bound to the network adapter other than the dedicated IP address. You can also specify the Full Internet Name (i.e. DNS name), that maps to the Primary IP Address (e.g. mydomain.com.au), although this is optional. Ensure multicast support IS ticked. While enabling remote control is considered a possible security risk, you may do so here.

    Note   If you enable remote control, it is vital, for reasons of security, that you use a firewall for the NLB UDP control ports (the ports receiving remote-control commands) in order to shield them from outside intrusion. By default, these are ports 1717 and 2504 at the cluster IP address.


  4. Click on the Host Parameters tab.

    Note   Settings in this tab should be unique between all cluster hosts (except initial cluster state).

    Assign an appropriate priority, i.e. a unique host ID (e.g. server 1 = Host ID 1, server 2 = Host ID 2, etc.).

    Important   Each cluster host must have a unique ID.

    Note   the host with the highest host priority (1 being the highest) is the default host, and handles all of the network traffic not otherwise covered by port rules. Now enter the dedicated IP address and subnet mask as above. Ensure the initial cluster state is active.

    Note   If you leave this unticked, this host will not participate in the cluster.


  5. Click on the Port Rules tab.

    Note   Rules in this tab should be identical between all cluster hosts, except for handling priority and unequal load weights.

    The following steps explain how to configure HTTP and SSL port rules with no affinity, equal load, and multiple hosts (the most common scenario for web sites). For other port rules, and an explanation of what each port rule does, refer to the Port Rules section below. Click on the default rule located in the bottom part of the window (Start = 0, end = 65535, etc). Click Remove.

    HTTP – Enter a port range of 80 to 80. Click TCP for Protocols. Click Multiple Hosts for Filtering Mode. Click None for Affinity. Tick Equal for Load Weight. Now click Add.

    SSL – Enter a port range of 443 to 443. Click TCP for Protocols. Click Multiple Hosts for Filtering Mode. Click Single for Affinity.

    Note   You can also specify Class C. Refer to Port Rules below for more details. Tick Equal for Load Weight. Now click Add.


  6. Click OK to accept these settings.

  7. The next step is to configure TCP/IP settings for the network adapter. You should still be in the LAN Connection screen. Click on Internet Protocol and select Properties.


  8. Click on "Use the following IP address", and enter the dedicated IP address, subnet mask and default gateway as above.

    Note   Both the dedicated IP address and the cluster's primary IP address must be static IP addresses, not DHCP addresses.

    Now click on Advanced and add the Primary IP address and subnet mask as above. Also add the additional virtual IP address (optional).

    Note   Make sure that the dedicated IP address is always listed first (before the cluster IP address) in the Internet Protocol (TCP/IP) Properties dialog box, so that all outbound connections made on behalf of this host (for example, Telnet or FTP) are initiated with this address.


  9. Click OK three times to accept the settings. You have now configured Network Load Balancing on Server 1. Repeat these steps for Server 2 using the correct dedicated IP address and host ID (e.g. 10.0.0.101 and 2).

Back End Network Adapter 

  1. On Server 1, from the Start Menu, select Settings, then Network and Dial-up Connections. Right mouse click on Local Area Connection 2, and select Rename. Change the name to Back End. Now right mouse click, and select Properties. Ensure Network Load Balancing is unticked. Click on Internet Protocol and select Properties.


  2. Click on "Use the following IP address", and enter the Back End Dedicated IP address and subnet mask. Leave the default gateway blank.

    Note   use static routes for back end routing. For more information on default gateways, refer to the section under Advanced Issues.


  3. Click OK twice to accept the settings. You have now configured Back End TCP/IP properties on Server 1. Repeat these steps for Server 2 using the correct dedicated IP address (e.g. 192.168.0.101).

Verification
  1. From Server 1, open the command prompt and type "wlbs query". You should see a message saying "Host 1 converged as default with the following host(s) as part of the cluster: 1,2". If not, refer to the Troubleshooting section below.

  2. Now type "ping 192.168.0.101". You should receive a valid reply. This is because the Back End dedicated IP address is not bound to the NLB network adapter. Now type "ping 10.0.0.101". You should receive a valid reply. This is because you are using multicast on the Front End network adapter.

  3. The following must be done on both servers. Create a file called default.asp (see below), and place it in C:\Inetpub\wwwroot (this is the default location for web content). Now open Internet Services Manager and expand the MMC tree till you see Default Web Site. Right mouse click on it and select Properties. On the Web Site tab, you will see "HTTP Keep-Alives Enabled". Untick it.

    Warning   Only untick this for this test. It is required as we are only testing with a single client IP address, and without it disabled, we will not see an even load distribution. Ensure that you enable it again once the verification is completed. Open your Internet browser, and go to https://localhost/. You should see a Network Load Balancing testpage stating the server you are on.

  4. The following must be done from a client machine in the 10.0.0.x subnet. First, type "ping 10.0.0.10". You should receive a valid reply. Open Internet Explorer and go to the following URL https://10.0.0.10/. You should see a Network Load Balancing testpage stating which server served the page. Press the F5 key several times and you will see the server change.

    Note   if you don't see the server change, check that you have temporarily disabled HTTP Keep-Alives.

  5. On Server 1, open the command prompt and type "wlbs stop". This will stop load balancing on this server. Press F5 on the client machine to refresh Internet Explorer. The page should appear saying Server 2. On Server 2, open the command prompt and type "wlbs stop". This will stop load balancing altogether. Press F5 on the client machine to refresh Internet Explorer. The page should time out. On Server 1, open the command prompt and type "wlbs start". This will start load balancing on this server. Press F5 on the client machine to refresh Internet Explorer. The page should appear saying Server 1. On Server 2, open the command prompt and type "wlbs start". If your results differ to these, refer to the Troubleshooting section below.

    Default.asp 

    Note   use a text editor that preserves the formatting – e.g. Wordpad, and save as a text file called default.asp.

    <%@ LANGUAGE = VBScript %>
    <% Option Explicit %>
    <HTML>
    <B>Network Load Balancing Test</B><P>
    <%
        ' Read this server's computer name so the page shows which host answered
        Dim WshNetwork
        Set WshNetwork = CreateObject("Wscript.Network")
        Dim LocalMachine
        LocalMachine = WshNetwork.ComputerName
        Set WshNetwork = Nothing
    %>
    This page is served by: <%Response.Write LocalMachine%>
    </HTML>

Port Rules

Explanation

Following is a brief explanation of the function of each port rule.

Note   Port rules should be identical between all cluster hosts, except for handling priority and unequal load weights.

PortRange – this is the TCP/IP port/s you need to define a rule for. This may be a single port (e.g. Start 80-End 80 for HTTP), or a range of ports (e.g. Start 137-End 139 for NetBIOS).

Protocols – specify which protocol.

Note   NLB only supports TCP/UDP.

Filtering Mode – defines how many hosts will participate in load balancing for this rule. There are three options: 1) Multiple means all active hosts participate. This is the most common setting, and provides excellent availability. Once chosen, you can then specify Affinity and Load Weight (see below). 2) Single means only the active host with the highest Handling priority participates. When you select it, the Handling Priority field will become active. This could be useful, for example, if you had an FTP site that users uploaded files to. This would ensure that at any one time, only one server will receive FTP uploads. If it fails, then the host with the next highest handling priority would take over. 3) Disabled means the port will be explicitly denied. This could be useful if you wanted to allow all ports except a select few.

Affinity – defines "stickiness", or whether a client is returned to the same host for each request. It can be set for None (default), Single (single IP address), or Class C. None is useful for stateless scenarios, e.g. static web content. Single allows stickiness for most applications, e.g. SSL, while still offering a good degree of load balancing. Class C is useful for Internet clients that come through proxy servers with different Class C IP addresses, but offers the least degree of load balancing.

Note   In the US, AOL users come through Class B proxy servers, so this can cause NLB stickiness to break. Application Center 2000 supports cookie-based stickiness, which solves this problem.

Load Weight – if you choose Equal, all cluster hosts will receive equal load. If you deselect it, the load weight number field becomes active, allowing you to allocate a greater proportion of the load to a particular server (e.g. if one server is a 2-way Pentium III 700 MHz, and the other is a single Pentium II 350 MHz, you might allocate a load weight of 100 to the first host, and 25 to the second host).

Note   the load weight is a ratio, not a percentage, so in the example above, we could also have specified 40 for the first host, and 10 for the second. However, it must be an integer between 0 and 100.

Note   NLB only filters incoming TCP/IP traffic. It doesn't affect outgoing traffic, and so no outbound port rules need to be configured.
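The rule that port rules match on every host except for handling priority and load weight, and the load-weight ratio, can both be checked mechanically before a host joins the cluster. The Python below is an added example, not part of the original white paper or any Microsoft tool; the PortRule structure, the function names and the sample cluster are constructed for illustration, and it assumes a lower handling-priority number wins, as the page states for host priority.

```python
from dataclasses import dataclass, replace
from fractions import Fraction
from typing import Dict, List, Optional


@dataclass(frozen=True)
class PortRule:
    """One row of the Port Rules tab (hypothetical structure for this example)."""
    start: int
    end: int
    protocol: str                   # "TCP", "UDP" or "Both"
    mode: str                       # "Multiple", "Single" or "Disabled"
    affinity: Optional[str] = None  # Multiple only: "None", "Single", "Class C"
    load: Optional[int] = None      # Multiple only: None = Equal, else 0-100
    priority: Optional[int] = None  # Single only: handling priority


def shared_part(rule: PortRule) -> PortRule:
    """Fields that must match on every host (all but load and priority)."""
    return replace(rule, load=None, priority=None)


def check_rule(rule: PortRule) -> List[str]:
    """Validate one rule against the field descriptions on the page."""
    problems = []
    if not 0 <= rule.start <= rule.end <= 65535:
        problems.append(f"bad port range {rule.start}-{rule.end}")
    if rule.protocol not in ("TCP", "UDP", "Both"):
        problems.append(f"unsupported protocol {rule.protocol!r}")
    if rule.mode not in ("Multiple", "Single", "Disabled"):
        problems.append(f"unknown filtering mode {rule.mode!r}")
    if rule.mode == "Multiple":
        if rule.affinity not in ("None", "Single", "Class C"):
            problems.append(f"unknown affinity {rule.affinity!r}")
        if rule.load is not None and not 0 <= rule.load <= 100:
            problems.append(f"load weight {rule.load} outside 0-100")
    if rule.mode == "Single" and rule.priority is None:
        problems.append("Single mode needs a handling priority")
    return problems


def audit_cluster(cluster: Dict[int, List[PortRule]]) -> List[str]:
    """Report invalid rules and rules that differ from the lowest host ID."""
    findings = []
    for host, rules in sorted(cluster.items()):
        for rule in rules:
            for problem in check_rule(rule):
                findings.append(f"host {host}: rule {rule.start}-{rule.end}: {problem}")
    reference_host = min(cluster)
    reference = {shared_part(r) for r in cluster[reference_host]}
    for host, rules in sorted(cluster.items()):
        mine = {shared_part(r) for r in rules}
        diff = {(r.start, r.end, r.protocol) for r in reference ^ mine}
        for start, end, proto in sorted(diff):
            findings.append(
                f"host {host}: rule {start}-{end}/{proto} does not match host {reference_host}")
    return findings


def load_share(cluster: Dict[int, List[PortRule]], port: int,
               protocol: str = "TCP") -> Dict[int, Fraction]:
    """Expected share of new connections per host for one port."""
    matched = {h: r for h, rules in cluster.items() for r in rules
               if r.start <= port <= r.end and r.protocol in (protocol, "Both")}
    modes = {r.mode for r in matched.values()}
    if len(modes) != 1:
        raise ValueError("no rule, or hosts disagree on filtering mode")
    mode = modes.pop()
    if mode == "Disabled":
        return {h: Fraction(0) for h in matched}
    if mode == "Single":
        # Assumption: lowest number = highest handling priority.
        winner = min(matched, key=lambda h: matched[h].priority)
        return {h: Fraction(int(h == winner)) for h in matched}
    loads = {h: r.load for h, r in matched.items()}
    if all(v is None for v in loads.values()):
        loads = {h: 1 for h in loads}          # Equal on every host
    elif any(v is None for v in loads.values()):
        raise ValueError("mix of Equal and explicit load weights")
    total = sum(loads.values())
    return {h: Fraction(w, total) if total else Fraction(0) for h, w in loads.items()}


# Constructed sample: the page's HTTP and SSL rules with the 100/25 load
# weights from the text; host 2 has the SSL affinity set wrongly to None.
SAMPLE_CLUSTER = {
    1: [PortRule(80, 80, "TCP", "Multiple", "None", load=100),
        PortRule(443, 443, "TCP", "Multiple", "Single")],
    2: [PortRule(80, 80, "TCP", "Multiple", "None", load=25),
        PortRule(443, 443, "TCP", "Multiple", "None")],
}

if __name__ == "__main__":
    for finding in audit_cluster(SAMPLE_CLUSTER):
        print(finding)
    print(load_share(SAMPLE_CLUSTER, 80))
```

Weights of 40 and 10 give the same shares as 100 and 25, which is the ratio point made in the note above.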

Examples

The following table provides some examples (not exhaustive) of how to configure Port Rules for some TCP based services. They are not, however, the only way to configure them, especially for mode, priority and load. In addition, Class C affinity could also be used instead of Single.

| Name | Scenarios | Start | End | Protocol | Mode | Priority | Load | Affinity |
|---|---|---|---|---|---|---|---|---|
| HTTP | Static content or stateless applications. | 80 | 80 | TCP | Multiple | | Equal | None |
| HTTP (unequal) | As above, but one server is twice as powerful as the other. | 80 | 80 | TCP | Multiple | | 20/10 | None |
| HTTP (sticky) | Stateful web applications. | 80 | 80 | TCP | Multiple | | Equal | Single |
| SSL | Secure web sites. | 443 | 443 | TCP | Multiple | | Equal | Single |
| FTP (Read) | Users downloading FTP files. | 20 | 21 | TCP | Multiple | | Equal | Single |
| | | 1024* | 65,535* | TCP | Multiple | | Equal | Single |
| FTP (Write) | Users uploading FTP files. Ensures all files live on one server. | 20 | 21 | TCP | Single | 1 | | |
| | | 1024* | 65,535* | TCP | Single | 1 | | |
| TFTP | Trivial FTP | 69 | 69 | TCP | Multiple | | Equal | None |
| SMTP | SMTP mail servers | 25 | 25 | TCP | Multiple | | Equal | None |
| Telnet | Telnet sessions | 23 | 23 | TCP | Multiple | | Equal | None |
| VPN (PPTP) | Load Balanced PPTP servers. | 0 | 65,535 | Both | Multiple | | Equal | Single |
| Windows Media | Streaming media services (e.g. ASF). | 0 | 65,535 | Both | Multiple | | Equal | Single |
| Terminal Services | Terminal Server client sessions. | 3389 | 3389 | TCP | Multiple | | Equal | Single |
| Winsock Proxy | Winsock applications | 1024 | 5000 | Both | Multiple | | Equal | Single |
| NBT | Accessing printer or file (read only) shares. | 139 | 139 | Both | Multiple | | Equal | Single |

* Passive Mode FTP

IIS FTP uses port 21 for control, and port 20 for data. It also supports passive-mode FTP, which is where a client is responsible for making all connections with the server, and can request a dynamic port (1024-65,535) be used for data transfer. If you don't wish to support passive-mode FTP, and thereby avoid having to open a huge range of ports for it, you can remove the FTP port rules starting at 1024 and ending at 65,535. For more information on passive-mode FTP, refer to the Internet standard draft for FTP (RFC 959).

Advanced Issues

Dedicated IP Address (DIP)

The dedicated IP address, also known as the DIP, refers to a cluster host's unique IP address used for network traffic not associated with the cluster. While the term is normally used in the context of the NLB adapter, it can also be used to refer to the IP address of the dedicated adapter, as this is also used for network traffic not associated with the cluster. In this section, we will focus on the DIP on the NLB enabled network adapter.

A question commonly arises about when to use a DIP. The answer is to see what benefit you will gain by being able to communicate directly with that particular network adapter on the dedicated IP address. In the case of a single network adapter model, you want to be able to contact the server directly (e.g. Terminal Services), and since it has no back end network adapter, it makes sense to use a DIP. In the case of a dual (or more) network adapter model, you might want to be able to monitor the network adapter (e.g. a highly available web server), or do server publishing via an ISA server. On the other hand, for a VPN cluster with dual NICs, there is a security benefit in not enabling the DIP on the public network, and it also means the servers are not addressable individually by the Internet – they can only be addressed as a cluster. Thus, a client will never know which server has answered its request.

In the case of this whitepaper, we have used a DIP in each model. However, you need to weigh up the advantages and disadvantages of each in your specific situation.

Default Gateways

For single network adapter models, a single default gateway is defined, with the option of a backup default gateway using a higher metric. However, in the case of multiple network adapter models, it is generally considered best practice to only define a default gateway (with possible secondary default gateways) on one of the network adapters, and use persistent routes for the second network adapter, i.e. "route -p add ipaddress mask gateway". This avoids the problems that can sometimes occur when multiple default gateways are defined. For more information on this, refer to the following KB article:

159168 Multiple Default Gateways Can Cause Connectivity Problems 

While there is no definitive rule about which network adapter should have the default gateway, if the front end network adapter is connected to the Internet, for security reasons you will generally want it to have the default gateway. This ensures that there is no risk of an Internet-destined packet going to the internal network. In addition, it is much simpler to configure static routes for your internal network, as it is a known quantity.

Following is an example of the ipconfig settings and route table for Server 1 in the Multiple Network Adapters (Unicast) model. This assumes the gateway for the back end network is 192.168.0.1.

Static Routes

Type the following commands at the command prompt, pressing Enter after each:

    route delete 192.168.0.0
    route add -p 192.168.0.0 mask 255.255.255.0 192.168.0.1

This will route all traffic for the 192.168.0.x Class C subnet to the 192.168.0.1 default gateway via the 192.168.0.100 interface.

IP Configuration

Ethernet adapter Back-end:

    Connection-specific DNS Suffix . :
    IP Address. . . . . . . . . . . . : 192.168.0.100
    Subnet Mask . . . . . . . . . . . : 255.255.255.0
    Default Gateway . . . . . . . . . : blank

Ethernet adapter Front-end:

    Connection-specific DNS Suffix . :
    IP Address. . . . . . . . . . . . : 10.0.0.10
    Subnet Mask . . . . . . . . . . . : 255.255.255.0
    IP Address. . . . . . . . . . . . : 10.0.0.100
    Subnet Mask . . . . . . . . . . . : 255.255.255.0
    Default Gateway . . . . . . . . . : 10.0.0.1

Route Table

Network Destination   Netmask            Gateway          Interface        Metric
0.0.0.0               0.0.0.0            10.0.0.1         10.0.0.100       1
10.0.0.0              255.255.255.0      10.0.0.100       10.0.0.100       1
10.0.0.10             255.255.255.255    127.0.0.1        127.0.0.1        1
10.0.0.100            255.255.255.255    127.0.0.1        127.0.0.1        1
10.255.255.255        255.255.255.255    10.0.0.100       10.0.0.100       1
127.0.0.0             255.0.0.0          127.0.0.1        127.0.0.1        1
192.168.0.0           255.255.255.0      192.168.0.1      192.168.0.100    1
192.168.0.100         255.255.255.255    127.0.0.1        127.0.0.1        1
192.168.0.255         255.255.255.255    192.168.0.100    192.168.0.100    1
224.0.0.0             224.0.0.0          10.0.0.100       10.0.0.100       1
224.0.0.0             224.0.0.0          192.168.0.100    192.168.0.100    1
255.255.255.255       255.255.255.255    10.0.0.100       10.0.0.100       1

Default Gateway: 10.0.0.1

Persistent Routes:
192.168.0.0           255.255.255.0      192.168.0.1                       1
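The property this layout is meant to guarantee can be checked mechanically. The following is an added example, not part of the original white paper: it parses "route print"-style text and confirms that the only default route leaves on the front end adapter while the back end subnet has its own route. The first table holds the rows shown above; the two-gateway variant and the test destinations are constructed.

```python
import ipaddress
from collections import namedtuple

Route = namedtuple("Route", "network gateway iface metric")

# Active routes as listed in the route table above (Server 1).
PAGE_TABLE = """\
Network Destination  Netmask          Gateway        Interface      Metric
0.0.0.0              0.0.0.0          10.0.0.1       10.0.0.100     1
10.0.0.0             255.255.255.0    10.0.0.100     10.0.0.100     1
10.0.0.10            255.255.255.255  127.0.0.1      127.0.0.1      1
10.0.0.100           255.255.255.255  127.0.0.1      127.0.0.1      1
10.255.255.255       255.255.255.255  10.0.0.100     10.0.0.100     1
127.0.0.0            255.0.0.0        127.0.0.1      127.0.0.1      1
192.168.0.0          255.255.255.0    192.168.0.1    192.168.0.100  1
192.168.0.100        255.255.255.255  127.0.0.1      127.0.0.1      1
192.168.0.255        255.255.255.255  192.168.0.100  192.168.0.100  1
224.0.0.0            224.0.0.0        10.0.0.100     10.0.0.100     1
224.0.0.0            224.0.0.0        192.168.0.100  192.168.0.100  1
255.255.255.255      255.255.255.255  10.0.0.100     10.0.0.100     1
"""

# Constructed failure case: the back end adapter was also given a default
# gateway (for example by a DHCP scope that hands one out).
TWO_GATEWAYS = PAGE_TABLE + "0.0.0.0  0.0.0.0  192.168.0.1  192.168.0.100  1\n"

FRONT_IF = ipaddress.IPv4Address("10.0.0.100")
BACK_IF = ipaddress.IPv4Address("192.168.0.100")
BACK_NET = ipaddress.IPv4Network("192.168.0.0/24")


def parse_routes(text):
    """Return a Route for every five-column line that holds valid IPv4 fields."""
    routes = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 5:
            continue
        try:
            network = ipaddress.IPv4Network(f"{parts[0]}/{parts[1]}", strict=False)
            gateway, iface = (ipaddress.IPv4Address(p) for p in parts[2:4])
            metric = int(parts[4])
        except ValueError:
            continue  # header or other non-route line
        routes.append(Route(network, gateway, iface, metric))
    return routes


def egress(routes, destination):
    """Interfaces a packet to `destination` may leave on: longest prefix
    first, then lowest metric. More than one interface means a tie."""
    dest = ipaddress.IPv4Address(destination)
    matches = [r for r in routes if dest in r.network]
    if not matches:
        return set()
    best = max(matches, key=lambda r: (r.network.prefixlen, -r.metric))
    winner = (best.network.prefixlen, best.metric)
    return {r.iface for r in matches if (r.network.prefixlen, r.metric) == winner}


def audit(routes, front_if=FRONT_IF, back_if=BACK_IF, back_net=BACK_NET):
    """List every way the table departs from the single-gateway layout."""
    findings = []
    defaults = [r for r in routes if r.network.prefixlen == 0]
    if len(defaults) != 1:
        findings.append(f"expected one default route, found {len(defaults)}")
    for r in defaults:
        if r.iface != front_if:
            findings.append(
                f"default route via {r.gateway} uses {r.iface}, not the front end adapter")
    if not any(r.network == back_net and r.iface == back_if for r in routes):
        findings.append(f"no route to {back_net} on the back end adapter {back_if}")
    return findings


if __name__ == "__main__":
    for name, table in (("page table", PAGE_TABLE), ("two gateways", TWO_GATEWAYS)):
        routes = parse_routes(table)
        print(name, audit(routes) or "OK", sorted(map(str, egress(routes, "203.0.113.5"))))
```

With two default gateways of equal metric, an Internet-bound destination resolves to both adapters, which is the ambiguity the single-gateway recommendation removes.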

Multiple Front End Network Adapters

For high traffic servers using Network Load Balancing, it can be worthwhile to send client responses via a second dedicated front end network adapter, connected either to a different hub, or to a different port on the same switch.

Note   it is also possible to do this using the dedicated network adapter if it is on the same subnet as the front end network adapter.

This has the following benefits:

  1. Routing outbound packets through network adapters that are not attached to the front end hub improves use of the hub's capacity.

  2. Use of the capacity for multiple upstream pipes from the switch to the network is improved, because multiple cluster hosts can simultaneously send traffic to different upstream pipes.

  3. Using two network adapters to separate each cluster host's inbound and outbound network traffic improves the cluster hosts' handling of network traffic.

To implement this, the default gateway should be configured as follows: the default gateway address should be set on the additional front end network adapter (or dedicated adapter if it's on the same subnet); do not set the gateway address for the NLB front end adapter in the TCP/IP configuration dialog. This will result in requests to the cluster flowing through the NLB front end adapter, and the appropriate host will reply through its additional front end network adapter (or dedicated adapter if it's on the same subnet), because this network adapter has the gateway information associated with it. Optionally, you could also set the metric on the front end network adapter to 2, to ensure all traffic goes through the additional front end network adapter (or dedicated adapter if it's on the same subnet).

Switches

(for more information on this, refer to KB Article 193602)

Switches aim to reduce broadcasts of network packets by learning which MAC address (Layer 2 switch) or IP address (Layer 3 switch) lives on which port. They can then intelligently direct the right packet to the right port. Since NLB relies on all hosts receiving packets directed to the cluster MAC or IP address, this learning could potentially prevent packets from reaching all hosts in the cluster. There are two common ways to address this.

Note   in multicast mode, the cluster uses a multicast MAC address mapped to a unicast IP address (see Routers section below for possible issues with this), whereas in unicast mode, it maps a unicast MAC address to a unicast IP address. The switch does not associate the multicast MAC addresses to a port, and so the switch sends frames to this MAC address on all ports.

Mask the MAC Address

The default setting for NLB in unicast mode is to mask the cluster MAC address (i.e. MaskSourceMAC=1). This forces the cluster to use a "dummy" MAC address when sending packets through the switch. The switch maps the dummy MAC address to a port, but sends traffic addressed to the real cluster MAC address to all ports in the switch. If a switch does not have a MAC address associated to a port, it sends the frames to all ports. This is called port "flooding", and provided only cluster hosts are on the switch, is not a major problem (the switch effectively becomes a hub). However, if other non-NLB computers are on the same switch, you can minimize the impact of port flooding by using a VLAN or a hub (see below). This configuration has the highest bandwidth, and completely eliminates collisions. However, it only works for Layer 2 switches.

Use a Hub

Reconfigure MaskSourceMAC = 0 on all NLB hosts. Connect all of the cluster network adapters to a hub, which is in turn uplinked to a switch port. This configuration permits the switch to learn the NLB cluster MAC address, eliminating port flooding without the requirement to use a VLAN. This configuration has a bandwidth limitation on the hub. However, it automatically improves the pipelining of traffic, minimizes collisions, and works for both Layer 2 and Layer 3 switches.

If you have an additional front end network adapter, or a dedicated network adapter on the same subnet as the front end one, connect this to a free switch port, as it provides better performance compared to connecting it to the hub. Refer to the "Multiple Front End Network Adapters" section in Advanced Issues above for more details.

Routers

Network Load Balancing can operate in two modes: unicast and multicast. Unicast support is enabled by default, which ensures that it operates properly with all routers. You might elect to enable multicast mode so that a second network adapter is not required for communications within the cluster. If Network Load Balancing clients access a cluster (configured for multicast mode) through a router, be sure that the router accepts an Address Resolution Protocol (ARP) reply for the cluster's (unicast) IP addresses with a multicast media access control address in the payload of the ARP structure. ARP is a TCP/IP protocol that uses limited broadcast to the local network to resolve a logically assigned IP address to a media access control address.

This allows the router to map the cluster's primary IP address and other multihomed addresses to the corresponding media access control address. If your router does not meet this requirement, you can create a static ARP entry in the router or you can use Network Load Balancing in its default unicast mode.

Some routers require a static ARP entry because they do not support the resolution of unicast IP addresses to multicast media access control addresses. For example, Cisco routers require an ARP (address resolution protocol) entry for every virtual IP address. While Network Load Balancing uses Level 2 Multicast for the delivery of packets, Cisco's interpretation of the RFCs is that Multicast is for IP Multicast. So, when the router doesn't see a Multicast IP address, it does not automatically create an ARP entry, and you have to add it.

Firewalls

If your firewall is proxying client traffic and making it appear as if all connections are originating from the same client IP address, and if the load balancing rule is configured with Single affinity, all traffic will be handled by the same cluster host. To resolve this, turn off address translation (proxying) on the firewall, or change affinity from Single to None.

Global Distribution

To accomplish global distribution or even local distribution beyond a single subnet, two common solutions are available.

  1. Round Robin DNS (RRDNS)

    Description: Use Round Robin DNS to direct users to multiple NLB clusters on different subnets. Given the high availability of each cluster, this can be a very effective solution; for example, www.microsoft.com does this.

    Advantages: Simple, easy, and inexpensive.

    Disadvantages: 1) There are inherent issues with clients caching DNS resource records, so if an entire segment failed, clients might "stick" on a failed virtual IP address until their DNS cache expired, or a new session establishment was initiated. 2) Standard DNS is not dynamic, so it can't direct users based on factors like latency, distance or load.

  2. Intelligent DNS distributors

    Description: These are advanced DNS hardware solutions, and can direct users based on many factors eg latency, distance or load.

    Advantages: These have network and server "awareness" to provide the best response to a client.

    Disadvantages: Cost and configuration complexity.

Redundant Network Connections

The objective of NLB is to provide a robust and resilient platform for serving IP based protocols and services. However, this can all break down if the underlying network infrastructure isn't robust. Typically, this can be broken down into three components:

  1. Network Adapters – Most vendors today offer redundant or fault tolerant adapters ie adapter teaming or adapter fault tolerance (AFT). These are fully supported with NLB, however refer to KB article 278431 for more information.

  2. Switches – redundancy at the switch layer can easily be provided by striping the NLB cluster hosts across multiple switches and inter-connecting all the switches that contain a single NLB cluster. Additionally, to prevent switch flooding, only the ports connected to the Primary IP address (where all inbound traffic is sent) can be made members of a single VLAN.

  3. Routers – router failures are most easily overcome using VRRP (Virtual Router Redundancy Protocol) or HSRP (Hot Standby Router Protocol).

Best Practices

The following are a series of best practices in relation to Network Load Balancing. Many of them are mentioned elsewhere, but have been included together in one place for easy reference.

  • Use two or more network adapters in each cluster host whenever possible. A second network adapter can boost overall network performance and speed up access to back-end databases.

  • If the cluster is operating in unicast mode (the default), ordinary network communication among cluster hosts is not possible unless each cluster host has at least two network adapters.

  • If you do employ a second network adapter, make sure that you install Network Load Balancing on only one adapter (called the cluster adapter).

  • TCP/IP is the only network protocol that should be present on the cluster adapter. You must not add any other protocols (for example, IPX) to this adapter.

  • Make sure cluster parameters and port rules are set identically on all cluster hosts.

  • Make sure host parameters are unique for each cluster host.

  • Make sure that port rules are set for all ports used by the load-balanced application (for example, FTP, which uses port 20, port 21, and ports 1024-65535).

  • Always click the Add button after setting a port rule. Otherwise, the port rule will not appear in the list of rules, and the rule will not take effect.

  • Make sure that any given load-balanced application is started on all cluster hosts on which the application is installed. Network Load Balancing does not start programs.

  • Both the dedicated IP address and the cluster IP address, entered during setup in the Network Load Balancing Properties dialog box, must also be entered in the Internet Protocol (TCP/IP) Properties dialog box. Make sure that the addresses are the same in both places.

  • Make sure that the dedicated IP address is always listed first (before the cluster IP address) in the Internet Protocol (TCP/IP) Properties dialog box.

  • Both the dedicated IP address and the cluster IP address must be static IP addresses. They cannot be DHCP addresses.

  • Where possible, avoid having more than one default gateway. Use static routes to route traffic on the network adapter that doesn't have a default gateway (usually the internal or back end adapter).

  • Make sure that all hosts in a cluster belong to the same subnet and that the cluster's clients are able to access this subnet.

  • No cluster interconnect is used by Network Load Balancing other than the subnet in which the cluster is located.

  • Make sure that all cluster hosts are operating in either unicast or multicast mode, but not both.

  • Be aware that Network Load Balancing command line commands begin with wlbs.

  • Be aware that Network Load Balancing exists as a service on Windows 2000 Advanced Server. It does not install in the form of a setup program (such as Setup.exe).

Application Center 2000

One of the benefits of Application Center 2000 is that it automates many of the steps normally associated with setting up a Network Load Balancing cluster. However, you do need to first configure your network adapters to ensure Application Center 2000 can work correctly. The following section explains how to do this, and provides some additional tips for using Network Load Balancing with Application Center 2000.

Note   You don't need to configure the Network Load Balancing properties. Application Center 2000 will do this for you when you create a cluster. If you have already configured Network Load Balancing, Application Center can import your settings, as long as you support two network adapters.

Configuring Your Network Adapters

Application Center 2000 uses model three listed above ie Multiple Network Adapters (Unicast). This is because it requires two network adapters (if you use NLB for load balancing) – one for Network Load Balancing, and one for management traffic, and because it disables multicast by default. There are two reasons for a dedicated management network adapter:

  1. Application Center 2000 configures Network Load Balancing in unicast mode, which means NLB network adapters can't communicate with other hosts in the same subnet for non-NLB traffic.

  2. Application Center 2000 management services eg replication engine, require reliable connections, and front end network adapters can be reset with IP address changes or deletions.

    Note   It might be helpful to rename your two network adapters to indicate their role eg Front End for Network Load Balancing, and Back End for management traffic.

The following table describes the steps necessary to configure the TCP/IP properties of your network adapters. The steps refer to a cluster controller and cluster member. These are terms specific to Application Center 2000. There is only one cluster controller per Application Center 2000 cluster, while there can be many cluster hosts. A cluster controller is the only server that can make changes to the cluster configuration, while the cluster hosts contain a read only copy of the cluster configuration. It is very similar to the Primary Domain Controller/ Backup Domain Controller relationship in Windows NT 4.0. Hence, you need to nominate one of your servers as the cluster controller. This will be the server that you create your Application Center 2000 cluster on. If you wish, you can make another server the cluster controller at a later time.

Note   The following steps assume you have not already configured Network Load Balancing. If you have, Application Center 2000 can import your NLB configuration. You will be prompted during Cluster Creation that setup has found existing settings, and will ask if you wish to keep them or overwrite them.

Below are two sets of sample IP addresses, based on whether your network adapters are on the same or different subnets. The IP addresses used in the table below are sample ones. Substitute these values with your own ones.

Network Adapters on Same Subnet

This is usually the case where both your front end and back end network adapters live on the internal network eg intranet. In this case, you assign the back end adapter the default gateway, and leave the front end adapter's default gateway blank. You could also use DHCP to assign TCP/IP information to the back end network adapter ie IP address, default gateway, DNS server, etc.

Note 1) If both adapters are on the same subnet and you don't assign a default gateway to the back end adapter, you will get an error message. 2) While it is possible to also assign the default gateway to the front end adapter, there is no real benefit in doing so. In general, it is cleaner to have a single default gateway specified per machine. Refer to the Default Gateways section under Advanced Issues for more details.

Cluster Controller

Front End Network Adapter

Public (Dedicated) IP Address – 192.168.0.104; Subnet mask – 255.255.255.0; Default Gateway – blank

Cluster (Primary) IP Address – 192.168.0.100; Subnet mask – 255.255.255.0

Back End Network Adapter

Private (Dedicated) IP Address – 192.168.0.106; Subnet mask – 255.255.255.0; Default Gateway – 192.168.0.1

Cluster Member

Front End Network Adapter

Public (Dedicated) IP Address – 192.168.0.103; Subnet mask – 255.255.255.0; Default Gateway – blank

Back End Network Adapter

Private (Dedicated) IP Address – 192.168.0.105; Subnet mask – 255.255.255.0; Default Gateway – 192.168.0.1

Network Adapters on Different Subnets

This is usually the case where your front end network adapter is connected to the Internet, and your back end network adapter is connected to your internal network. The front end network has a default gateway pointing to the Internet. While it is possible to use DHCP assigned IP addresses for the back end network adapter, this can result in having two default gateways configured, which is not ideal (refer to the Default Gateways section in Advanced Issues). As a result, we recommend not assigning a default gateway for the back end NIC, and using static persistent routes to the back end network ie "route -p add ipaddress mask gateway". If you wish to use DHCP, create a new scope for Application Center 2000 servers that doesn't have a default gateway.

Cluster Controller

Front End Network Adapter

Public (Dedicated) IP Address – 10.0.0.100; Subnet mask – 255.255.255.0; Default Gateway – 10.0.0.1

Cluster (Primary) IP Address – 10.0.0.10; Subnet mask – 255.255.255.0

Back End Network Adapter

Private (Dedicated) IP Address – 192.168.0.100; Subnet mask – 255.255.255.0; Default Gateway – blank (use static routes for back end routing)

Cluster Member

Front End Network Adapter

Public (Dedicated) IP Address – 10.0.0.101; Subnet mask – 255.255.255.0; Default Gateway – 10.0.0.1

Back End Network Adapter

Private (Dedicated) IP Address – 192.168.0.101; Subnet mask – 255.255.255.0; Default Gateway – blank (use static routes for back end routing)

Tasks

Detailed steps

Complete the following task on the cluster controller and the cluster host.

 

1. Configure the front end network adapter with the public IP address.

  1. Right-click Front End and then click Properties.

  2. In the Front End Properties dialog box, click Internet Protocol (TCP/IP) and then click Properties.

  3. In the Internet Protocol (TCP/IP) Properties dialog box, click Use the following IP address.

  4. In the IP address box type the public IP address for your server, in the Subnet mask type 255.255.255.0. Leave the default gateway blank.

  5. In the Internet Protocol (TCP/IP) Properties dialog box click OK.

  6. In the Front End Properties dialog box click OK.

2. Configure the back end network adapter with the private IP address.

  1. Right-click Back End and then click Properties.

  2. In the Back End Properties dialog box, click Internet Protocol (TCP/IP) and then click Properties.

  3. In the Internet Protocol (TCP/IP) Properties dialog box, click Use the following IP address.

  4. In the IP address box type the private IP address for your server, and in the Subnet mask type 255.255.255.0. Enter the default gateway.

  5. In the Internet Protocol (TCP/IP) Properties dialog box click OK.

  6. In the Back End Properties dialog box click OK.

Complete the following tasks on the cluster controller only.

 

3. On the cluster controller's front end network adapter, add the cluster IP address and subnet mask.

  1. Right-click Front End and then click Properties.

  2. In the Front End Properties dialog box, click Internet Protocol (TCP/IP) and then click Properties.

  3. In the Internet Protocol (TCP/IP) Properties dialog box, click Advanced.

  4. In the Advanced TCP/IP Settings dialog box on the IP Settings tab under IP addresses, click Add.

  5. In the TCP/IP Address dialog box in the IP address box, type the cluster IP address and in the Subnet Mask box 255.255.255.0 and then click Add.

  6. In the Advanced TCP/IP Settings dialog box click OK.

  7. In the Internet Protocol (TCP/IP) Properties dialog box click OK.

  8. In the Front End Properties dialog box click OK.

Complete the following tasks on the cluster controller and the cluster host.

 

4. Verify that both network adapters are properly configured by using the ping command.

  1. On the Accessories menu, click Command Prompt.

  2. At the prompt, type IPCONFIG and then press ENTER.

  3. Verify that the IP addresses for the front end and back end networks are correct.

  4. At the command prompt, type ping and then the IP addresses for the following:
    Controller public IP address
    Host public IP address
    Cluster IP address
    Controller private IP address
    Host private IP address

    After each ping, four replies appear from the IP address. By pinging each IP address, you can verify that the IP address was configured correctly.

  5. Close the Command Prompt window.

Following are some additional things to be aware of about network settings.

  1. You must use static IP addresses for the NLB network adapter on the cluster controller.

  2. Always enter the public (dedicated) IP address as the first IP address in TCP/IP properties for the front end network adapter, and assign the cluster (primary) IP address as an additional IP address. This is because, by default, Windows 2000 only registers the first IP address on the adapter with DNS and WINS, so any server-specific traffic (for example, telnet) that reaches the front end adapter from outside the cluster subnet uses this address, that is, the dedicated IP address.

  3. Ensure that all back end network adapters are connected on the same subnet and that all hosts can communicate with each other over this adapter.

  4. You only need to define the cluster (primary) IP address on the cluster controller, as its settings will be replicated to other hosts.

  5. Application Center 2000 configures the front-end network adapter with a metric one higher than the current highest metric on the machine, just in case the back end network adapter is on same subnet. This ensures all back end traffic goes via the back end network adapter.

Additional Tips
Make Manual NLB Changes only on the Cluster Controller

If you wish to change any of the NLB settings defined by the Create Cluster wizard, you MUST make these changes on the cluster controller. If you make changes on a cluster host, these changes will be overwritten by those on the cluster controller next time a synchronization occurs.

Note   during an Application Center 2000 synchronisation, NLB remote control settings are NOT replicated ie UDP port number, password, enabled. These need to be set manually on each host. Refer to KB article 279160 for more information.

Adjustable Settings via MMC

The following settings can be changed from the Application Center 2000 MMC. Any other settings eg port rules, need to be done on the cluster controller via NLB Properties. They will then be replicated to other cluster hosts.

NLB Client Affinity (per cluster)

When Application Center 2000 creates a cluster using the Create Cluster wizard, it sets NLB affinity to Intranet, which is equivalent to Single. You can change this setting by right mouse clicking on the cluster name, selecting Properties, and choosing the desired NLB client affinity setting under Load Balancing.

Custom = None; Intranet = Single; Internet = Class C.

None is useful for stateless scenarios eg static web content. Single allows stickiness for most applications eg SSL, while still offering a good degree of load balancing. Class C is useful for Internet clients that come through proxy servers with different Class C IP addresses.

Note   Application Center 2000 has a feature called Request Forwarding that addresses this issue of client affinity using cookies. It is disabled by default.

Cluster IP Addresses (per cluster)

If you wish to add additional cluster (virtual) IP addresses eg for multiple virtual web sites, you can do this by clicking on the cluster name, and clicking the "Edit IP Addresses" icon. This allows you to add or remove additional cluster (virtual) IP addresses. If the additional addresses are for web sites, you will need to make sure you bind the new addresses to the virtual web site using the Internet Services Manager MMC.

Note   You can't remove the cluster (primary) IP address.

Dedicated IP Address (per host)

This is normally set when you run the Create Cluster wizard. However, you can change this setting by right mouse clicking on the server name, selecting Properties, and entering the Dedicated IP address.

Server Load Weight (per host)

This is set to "Average Load" when you run the Create Cluster wizard. However, you can change this setting by right mouse clicking on the server name, selecting Properties, and adjusting the sliding bar. There are 100 positions on the bar, since the maximum ratio weight you can give a server is 100. For example, if one server is a 2-way Pentium III 700 MHz, and the other is a single Pentium II 350 MHz, you might allocate a load weight of 100 to the first host, and 25 to the second host.

Note   the load weight is a ratio, not a percentage, so in the example above, we could also have specified 40 for the first host, and 10 for the second. However, it must be an integer between 0 and 100.

Port Rules

When you run the Create Cluster wizard, it creates a generic port rule – Start (0) End (65535) Protocol (Both) Mode (Multiple) Load (Equal) Affinity (Single). You can add new port rules and delete the default one – just remember to do it on the cluster controller, which will then replicate it to other hosts. For more information, refer to the Port Rules section above.

Note   Application Center 2000 does not support single host failover port rules for NLB.

How to Stop Application Center 2000 From Managing NLB Setting

The simplest way to gain complete control over your Network Load Balancing settings while still having the server participate in an Application Center 2000 cluster (General/Web cluster or COM+ routing cluster) is to select "Other Load Balancing". This ensures that Application Center 2000 will not try to replicate any NLB settings.

Other
  • Application Center 2000 sets the initial NLB active state to 0 so it can control when an NLB host comes online. It does this on a per host basis.

  • Application Center 2000 sets the unique host ID to 32 for the cluster controller, and works backwards for each cluster host added. This is to avoid any conflicts with existing host IDs.

  • If you wish to use multicast, you must enable it manually on the cluster controller.

Troubleshooting

Tools

Following are some useful tools for troubleshooting NLB problems:

  • Network Properties ie NLB & TCP/IP.

  • Event Viewer.

  • WLBS.exe Display & Query Commands.

  • Ping.exe.

  • Network Monitor.

  • Network Monitor parser for NLB (part of Windows 2000 Server resource kit) – refer to KB article 280503 for more information.

  • Performance Monitor - CPU Load; Network Interface: packets/sec; Web Service: conn. attempts/sec.

Common Problems

The sections below describe common problems that you may encounter when installing and initially using Network Load Balancing. Each topic describes the likely reasons for each problem and one or more suggested remedies. To avoid many of these problems, you should test your network and all network adapters for proper operation before installing Network Load Balancing. Be sure to follow all installation steps and check that the cluster parameters and port rules are identically set for all cluster hosts. If a problem occurs, always check the Windows event log for a message from the Network Load Balancing driver.

Can't Ping Primary IP Address

Problem: There is no response when using ping to access the cluster's primary IP address from an outside network.

Verify that you can use ping to access the dedicated IP addresses for the cluster hosts from a computer outside the router. If this test fails and you are using multiple network adapters, the problem is unrelated to Network Load Balancing. If you are using a single network adapter for both the dedicated and cluster IP addresses, consider the following causes:

  • Cause: If you are using multicast support, you may find that your router has difficulty resolving the primary IP address into a multicast MAC address using the ARP protocol.

    Solution: To check this, verify that you can use ping to access the cluster from a client on the cluster's subnet and to access the cluster hosts' dedicated IP addresses from a computer outside the router. If these tests are successful, the router is probably at fault. You should be able to add a static ARP entry to the router to circumvent the problem. You can also turn off Network Load Balancing multicast support and use a unicast network address without a switching hub.

  • Cause: When using Network Load Balancing in either multicast or unicast mode, routers need to be able to accept proxy ARP responses (IP-to-network address mappings that are received with a different network source address in the Ethernet frame).

    Solution: Make sure that your router has proxy ARP support turned on. You can also set a static ARP entry to keep proxy ARP support disabled in the router.

  • Cause: If you are using unicast support, the cluster adapter could not change its MAC address. You can check this by doing an ipconfig /all, and seeing if the cluster MAC address starts with 02-bf. If it doesn't, then the network adapter has failed to change its MAC address to the cluster MAC address. This problem only occurs when using a unicast MAC address (rather than a multicast address), and is rare.

    Solution: Either switch to a different cluster adapter, or use multicast support.

Can't Ping Dedicated IP Address

Problem: There is no response when using ping to access a server's dedicated IP address from an outside network.

  • Cause: You may have configured the dedicated IP address in Network Load Balancing properties, but not in TCP/IP properties.

    Solution: Verify that the dedicated IP address has been entered into TCP/IP properties.

  • Cause: The dedicated IP address appears second in the list of IP addresses.

    Solution: Verify that the dedicated IP address is entered in the initial TCP/IP properties screen, rather than in the Advanced section. The Primary address should be added in the Advanced section. This is to ensure that all outbound connections made on behalf of this host (for example, Telnet or FTP) are initiated with this address.

Can't Ping Another Cluster Host

Problem: There is no response when using ping to access another server's dedicated IP address in the cluster.

  • Cause: In unicast mode, this is expected behaviour. By default, Network Load Balancing does not allow communication between cluster hosts, as the dedicated IP address MAC address is overwritten by the cluster MAC address.

    Solution: Enable multicast, or install a second network adapter for intra-cluster communication.

Network Load Balancing is not Listed

Problem: Network Load Balancing is not listed as an available component to be installed in the LAN Connection properties.

  • Cause: If you have Windows 2000 Server, not Advanced Server, you will not see Network Load Balancing listed, since it does not come with Windows 2000 Server by default.

    Solution: Install Windows 2000 Advanced Server.

    Note   Network Load Balancing is now included with Application Center 2000, so you can install Application Center 2000 on Windows 2000 Server to obtain access to the Network Load Balancing component.

  • Cause: If you have Windows 2000 Advanced Server, a user may have previously uninstalled the Network Load Balancing component.

    Solution: From the Start Menu, click on Control Panel, then Network and Dial up Connections. Right mouse click on a Local Area Connection, and select Properties. Click Install, then double click on Service, and select Network Load Balancing.

    Note   Installing or uninstalling NLB affects all network adapters. To disable it for a single adapter, simply unselect it.

Error saying NLB not Installed

Problem: Error message erroneously states that Network Load Balancing is not installed.

  • Cause: A user performed a Network Load Balancing query command when not logged on as a member of a group with administrative rights.

    Solution: Ensure that the user belongs to a group with administrative rights and perform the query again.

Load Balancing is Uneven

Problem: Network Load Balancing is not evenly distributing requests between active hosts, even though port rules are set to equal load.

  • Cause: Network Load Balancing uses a statistical algorithm to ensure that the entire IP address space is evenly distributed among all active hosts.

    Solution: Increase the number of client IP addresses accessing the Network Load Balancing cluster. If you are only testing with a small number of client IP addresses, you may see a slightly skewed distribution of load. As the number of client IP addresses increases, you will see the load even out.

    Note   For demonstration purposes where you are using a single client workstation, you can disable the HTTP Keep-Alive setting to get better server distribution. Open Internet Services Manager and expand the MMC tree until you see Default Web Site. Right-click it and select Properties. On the Web Site tab, you will see "HTTP Keep-Alives Enabled". Untick it.

    Warning   Only untick this for this test. It is required as we are only testing with a single client IP address, and without it disabled, we will not see an even load distribution. Ensure that you enable it again once the verification is completed.

Load Balancing is not Working

Problem: Network Load Balancing is not load balancing programs, and the default host handles all network traffic.

  • Cause: A port rule is missing. By default, Network Load Balancing directs all incoming network traffic not governed by port rules to the default host, which is the host with the highest priority or unique host ID (1 being the highest). This ensures that the program you do not want load balanced behaves properly.

    Solution: To load-balance a program across the cluster, create identical port rules on every cluster host for the TCP/IP port(s) serviced by the program.

Load Balanced Program is not Working

Problem: A load-balanced program does not appear to work correctly when running Network Load Balancing.

  • Cause: Not all of the program's ports are being load balanced. Some programs require multiple ports to perform their functions. For example, FTP uses ports 20 and 21. If the ports are not load balanced (usually with one port rule), the program will not work correctly.

    Solution: Check that the applicable port rule covers all ports used by the program, and be sure to enable client affinity (either Single or Class C).

  • Cause: The program does not start on all cluster hosts.

    Solution: Network Load Balancing does not start or control programs. Check that the program has started on every cluster host. If a program fails, you can disable its associated port range using the wlbs disable command.

    Note   WLBS stands for Windows Load Balancing Service, the former name of Network Load Balancing in Windows NT 4.0. For reasons of backward compatibility, WLBS continues to be used in certain instances.

  • Cause: The program should not be load balanced. Programs that update a file on the current cluster host may not work correctly when load balanced, because multiple instances of the program may conflict when attempting to update a common file. For example, e-mail, groupware, and database servers often have this problem.

    Solution: Do not load balance a program until its data-sharing requirements are thoroughly understood and met.

  • Cause: The program is not a TCP/IP service.

    Solution: Network Load Balancing load balances programs by distributing incoming client requests among the cluster hosts. If a server program is not structured as a TCP/IP service that receives client requests, it will not benefit from using Network Load Balancing, and you will not observe load balancing.

  • Cause: Your firewall is proxying client traffic and making it appear as though all connections are originating from the same client IP address. If the load-balancing rule is configured with Single affinity, all traffic is handled by the same cluster host.

    Solution: Turn off address translation (proxying) on the firewall or change affinity from Single to None. Note that you may need Single affinity in order to provide session support.

Convergence Doesn't Complete

Problem: After the cluster hosts start, they begin converging but never report that convergence has completed.

  • Cause: Either a different number of port rules or incompatible port rules on different cluster hosts were entered.

    Solution: Open the Network Load Balancing Properties dialog box on each cluster host and verify that all hosts have identical port rules.

  • Cause: Some hosts are configured for unicast, and some for multicast.

    Solution: Ensure all hosts are configured for either unicast or multicast, not both.

Web Server Doesn't Respond

Problem: One web server in the cluster is not responding to requests, even though it pings correctly.

  • Cause: The web server has been configured incorrectly.

    Solution: This is not an NLB issue. Check all web site settings via the Internet Information Services MMC, including the IP address the site is bound to, and that it can be browsed from the local server. If multiple virtual web sites are being used, ensure each site is bound to the correct IP address.

Multiple Default Hosts

Problem: After the cluster hosts start, Network Load Balancing reports that convergence has finished, but more than one host is a default host.

  • Cause: The cluster hosts have become members of different subnets, so that all hosts are not accessible on the same network.

    Solution: Be sure that all cluster hosts can communicate with each other.

  • Cause: Different MAC addresses are being used across the cluster, and the cluster's primary IP address was not assigned when setting up TCP/IP for Network Load Balancing. In this case, TCP/IP will not detect an address conflict, and multiple clusters will exist.

    Solution: Be sure to use one primary IP address for the cluster and a corresponding MAC address on all hosts within the same cluster, specifying the cluster's primary IP address in the TCP/IP configuration.

  • Cause: Different clusters are running on the same subnet.

    Solution: If you use different primary IP addresses, each with unique corresponding MAC addresses, on various cluster hosts, you can create multiple clusters on the same subnet. This is not a problem unless this behavior was not intended.

IP Address Conflict

Problem: After installing Network Load Balancing and restarting a cluster host, the error "The system has detected an IP address conflict with another system on the network..." is displayed.

  • Cause: You added a virtual IP address into TCP/IP before enabling NLB, and then added the same virtual IP address as the Primary IP address under NLB configuration.

    Solution: Enter the virtual IP address into the NLB properties first, then add it to the TCP/IP properties.

  • Cause: You've disabled NLB, but forgotten to remove the virtual IP address from TCP/IP properties.

    Solution: Remove the virtual IP address from TCP/IP properties.

  • Cause: Someone else on the network is using the same IP address as the virtual IP address.

    Solution: Choose another virtual IP address, or get the other person to stop using it.

  • Cause: Two different cluster primary IP addresses were entered in the TCP/IP configuration in the Internet Protocol (TCP/IP) Properties dialog box on different hosts.

    Solution: Be sure to use one primary cluster IP address for all cluster hosts.

  • Cause: Two different cluster network addresses were entered in the Network Load Balancing Properties dialog box on different hosts.

    Solution: Be sure to use one cluster network address for all cluster hosts.

  • Cause: The network adapter could not change its network address. You can check this by doing an ipconfig /all, and seeing if the cluster MAC address starts with 02-bf. If it doesn't, then the network adapter has failed to change its MAC address to the cluster MAC address. This problem occurs only when using a unicast network address (instead of a multicast address), and is rare.

    Solution: Either switch to a different type of network adapter or use Network Load Balancing multicast support.

Network Not Working

Problem: The network does not appear to work for one or more of the cluster hosts.

  • Cause: The Network Load Balancing driver did not load successfully when the computer started. This problem can arise because another networking driver on which Network Load Balancing depends failed to load, or because the Network Load Balancing driver file has been corrupted.

    Solution: Run the wlbs query command to verify that the driver loaded. If the command reports an error, check the Windows event log to see why the driver failed to load.

    Note   WLBS stands for Windows Load Balancing Service, the former name of Network Load Balancing in Windows NT 4.0. For reasons of backward compatibility, WLBS continues to be used in certain instances.

  • Cause: You may have a network problem unrelated to Network Load Balancing.

    Solution: To verify that Network Load Balancing is not at fault, temporarily disable Network Load Balancing by following the procedures in Disabling Network Load Balancing. If the problem persists, the network problem is not related to Network Load Balancing.

  • Cause: If you are using a switching hub to interconnect the cluster hosts, you must use Network Load Balancing multicast support; otherwise, the switching hub is likely to behave erratically when the same unicast network address is used on multiple switch ports.

    Solution: Check that you have selected multicast support in the Network Load Balancing Properties dialog box. If you do not want to use multicast support, you can interconnect the cluster hosts with a hub or coaxial cable instead of a switch.

Strange Network Behaviour

Problem: The network behaves in a strange and unpredictable manner. Traffic may alternate unexpectedly between the cluster hosts.

  • Cause: Unicast network addresses are causing problems with the switching hub. If you are using a switching hub to interconnect the cluster hosts, you must use Network Load Balancing multicast support; otherwise, the switch is likely to behave erratically when the same unicast network address is used on multiple switch ports.

    Solution: Check that you have selected multicast support in the Network Load Balancing Properties dialog box. If you do not want to use multicast support, you can interconnect the cluster hosts with a hub or coaxial cable instead of a switch.

Telnet Fails

Problem: When using Telnet or attempting to browse a computer outside the cluster from a cluster host, there is no response. Using ping to access the outside computer, however, is successful.

  • Cause: The TCP/IP configuration is incorrect. If you are using a single network adapter, the dedicated IP address must be entered before the cluster IP addresses in the TCP/IP configuration within the Internet Protocol (TCP/IP) properties dialog box. Otherwise, the cluster IP address can be selected as the source address, and the outside computer will respond to the cluster IP address instead of to the dedicated IP address. In this case, responses are directed only to the default host. (Note that you will not observe this problem on the default host.)

    Solution: Check the TCP/IP configuration to make sure that the dedicated IP address is first in the list. You can also use multiple network adapters to avoid this problem.

TCP/IP Program is not Working

Problem: A TCP/IP program running on one of the cluster hosts does not appear to work correctly when running Network Load Balancing. This program is not being load balanced.

  • Cause: One or more of the program's ports are being inadvertently load balanced. If you create a port rule with a very large port range, you may inadvertently load balance ports for other programs.

    Solution: Be sure that the port rules handle ports only for the intended programs.
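The port-rule checks from the Load Balancing is not Working, Load Balanced Program is not Working, Convergence Doesn't Complete and TCP/IP Program is not Working entries can be run over an inventory of each host's settings. The audit below is an added example, not a Microsoft tool: the PortRule structure, the function names, the host names and the sample rules are constructed for illustration, and collecting the settings from each host is left out.

```python
"""Audit NLB port rules across cluster hosts (added example, constructed data)."""
from dataclasses import dataclass


@dataclass(frozen=True)
class PortRule:
    start: int
    end: int
    protocol: str            # "tcp", "udp" or "both"
    mode: str                # filtering mode: "multiple", "single" or "disabled"
    affinity: str = "none"   # "none", "single" or "class_c"

    def balances(self, port: int) -> bool:
        """True if this rule load-balances the given TCP port across hosts."""
        return (self.mode == "multiple" and self.protocol in ("tcp", "both")
                and self.start <= port <= self.end)


def mixed_modes(hosts: dict) -> bool:
    """True if some hosts are set to unicast and others to multicast."""
    return len({cfg["mode"] for cfg in hosts.values()}) > 1


def rule_mismatches(hosts: dict) -> list:
    """Names of hosts whose port rules differ from the first host's."""
    names = list(hosts)
    reference = hosts[names[0]]["rules"]
    return [n for n in names[1:]
            if len(hosts[n]["rules"]) != len(reference)
            or set(hosts[n]["rules"]) != set(reference)]


def uncovered_ports(rules, ports) -> list:
    """Ports of a program that no multiple-host rule covers."""
    return sorted(p for p in ports if not any(r.balances(p) for r in rules))


def program_findings(rules, name: str, ports) -> list:
    """Check one program that is meant to be load balanced."""
    missing = uncovered_ports(rules, ports)
    if missing:
        return [f"{name}: ports {missing} have no multiple-host rule "
                "(the default host handles them)"]
    if len(ports) > 1:
        covering = [r for r in rules if all(r.balances(p) for p in ports)]
        if not covering:
            return [f"{name}: ports are split across several rules"]
        if covering[0].affinity == "none":
            return [f"{name}: multi-port program has no client affinity"]
    return []


def audit(hosts: dict, balanced: dict, unbalanced: dict) -> list:
    """Return findings for the whole cluster; an empty list means no issue found."""
    findings = []
    if mixed_modes(hosts):
        findings.append("cluster: hosts mix unicast and multicast")
    first = next(iter(hosts))
    findings += [f"{h}: port rules differ from {first}" for h in rule_mismatches(hosts)]
    for host, cfg in hosts.items():
        for name, ports in balanced.items():
            findings += [f"{host}: {f}"
                         for f in program_findings(cfg["rules"], name, ports)]
        for name, ports in unbalanced.items():
            caught = [p for p in ports if any(r.balances(p) for r in cfg["rules"])]
            if caught:
                findings.append(
                    f"{host}: {name} ports {caught} fall inside a load-balanced range")
    return findings


# Constructed inventory: WEB2 lost FTP port 20, WEB3 is multicast with a wide range.
GOOD_RULES = (PortRule(20, 21, "tcp", "multiple", "single"),
              PortRule(80, 80, "tcp", "multiple", "none"))
SAMPLE_HOSTS = {
    "WEB1": {"mode": "unicast", "rules": GOOD_RULES},
    "WEB2": {"mode": "unicast",
             "rules": (PortRule(21, 21, "tcp", "multiple", "single"),
                       PortRule(80, 80, "tcp", "multiple", "none"))},
    "WEB3": {"mode": "multicast",
             "rules": (PortRule(20, 1024, "tcp", "multiple", "single"),)},
}
BALANCED = {"ftp": [20, 21], "http": [80]}   # programs meant to be load balanced
UNBALANCED = {"telnet": [23]}                # programs meant to stay per-host

if __name__ == "__main__":
    for finding in audit(SAMPLE_HOSTS, BALANCED, UNBALANCED):
        print(finding)
```

The comparison treats a rule as its port range, protocol, filtering mode and affinity, following the "identical port rules" wording above.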

Remote Control is not Working

Problem: When invoking the Network Load Balancing remote-control commands from a computer outside the cluster, there is no response from one or more cluster hosts.

  • Cause: The cluster adapters are not accessible from an outside computer. If you have multiple network adapters on a cluster host, the dedicated network adapter may be on a separate subnet from the cluster adapter. If you issue a remote-control command from an outside computer on this subnet, the cluster adapters and Network Load Balancing driver will not receive the command.

    Solution: Be sure that the cluster adapters on the cluster hosts can be accessed by the outside computer.

  • Cause: Remote-control commands are sent to a secondary cluster IP address. Commands must be sent to the cluster's primary IP address (assigned in the Network Load Balancing Properties dialog box).

    Solution: Be sure that you send remote commands to this IP address.

  • Cause: Network Load Balancing UDP control ports are protected by a firewall. By default, remote-control commands are sent to UDP ports 1717 and 2504 at the cluster IP address.

    Solution: Be sure that these ports have not been blocked by a router or firewall. You can also change the port number by modifying the corresponding Network Load Balancing parameter.

Remote Control is not Working with Dedicated IP Address

Problem: When using the dedicated IP address of a host to specify it as a target for a remote-control command, there is no reply. Specifying the host by its priority (ID), however, is successful.

  • Cause: The target host probably has several dedicated IP addresses (on different dedicated network adapters).

    Solution: Use the dedicated address specified in the Network Load Balancing Properties dialog box when issuing remote-control commands.

Switching Hub Disrupts Cluster Communication

Problem: Using a switching hub to connect the computers in a cluster disrupts cluster communications.

  • Cause: In changing Network Load Balancing to operate in unicast mode from multicast, the switch may have used the cluster's MAC address.

    Solution: Restart the switch.

Useful Knowledge Base Articles

293827 NLB and IPSEC Does Not Work with Hardware Offload Adapter

281237 Cannot Load NLB WMI Provider on a Computer with a Name that Starts with a Numeric Character

280805 Terminal Services Client Cannot Connect to NLB Cluster Address

280503 Network Monitor NLB Parsers Included in the Server Resource Kit

280307 NLB Cluster no Longer Responds to SNMP Requests

278431 NIC Teaming with NLB May Cause Network Problems

276987 Connections to All Hosts Are Terminated When NLB Load Weight Is Adjusted

269156 System Error 52 When You Connect to an NLB Cluster Name

269004 Wlbs.exe Remote Control Commands Fail From Load Balanced Servers

268437 "NLB Failed to Start" Error Message If NLB Is Not Installed

268258 Host with Initial Cluster State Turned Off May Stop

266375 Network Load Balancing WMI Provider Memory Leak

264645 IP Address Conflict Switching Between Unicast and Multicast NLB

261957 Network Load Balancing Temporarily Fails in Switched Environment

258699 Client Sessions May Be Lost Accessing a Web Farm Program

258609 WLBS Cluster Appears to Stop Servicing Clients

256910 IP Address Assignment for NLB with Multiple Network Adapters

256124 How to Configure an IP Address for NLB with One Network Adapter

248346 L2TP Sessions Lost When Adding a Server to an NLB Cluster

247297 NLB Connection to a Virtual IP Address Not Made Across a Switch

243523 Using Terminal Server with Windows Load Balancing Service

240690 Testing NLB with Homer Shows All Traffic Handled by Single Host

238747 Windows Load Balancing Service Does Not Work on Token Ring

238219 How NLB Hosts Converge When Connected to a Layer 2 Switch

235305 Windows 2000 Interoperability Between MSCS and NLB

234151 WLBS Does Not Detect Program or Service Problems

233279 How WLBS Handles the Dedicated IP Address

232190 Description of Network Load Balancing Features

229064 Load Balanced Service May Not Work Properly

227812 Only TCP/IP Can Be Bound to Virtual Network Adapter in WLBS Host

222085 How to Scale Microsoft Print Services Using WLBS

219285 Load Balancing FTP with WLBS

219277 Load Balancing HTTP with WLBS

Note   this was written for NT 4.0, but is the same for Windows 2000

216333 WLBS Event 18 Appears in Event Viewer

199008 Non-Load-Balanced Application Does Not Work Properly on WLBS

198552 Windows NT Load Balancing Service Cluster Is Not Load Balancing

Note   this was written for NT 4.0, but is the same for Windows 2000

198496 How to Configure WLBS Port Rules

Note   this was written for NT 4.0, but is the same for Windows 2000

197999 Single Network Interface Card Limitations with WLBS

197863 WLBS Cluster Servers Show Multiple Default Hosts

Note   this was written for NT 4.0, but is the same for Windows 2000

197862 WLBS Cluster Is Unreachable from Outside Networks

193602 How to Use a Switch to Interconnect WLBS Cluster Hosts

193601 Registry Parameters for Windows NT Load Balancing Service

Note   this was written for NT 4.0, but is mostly the same for Windows 2000

193598 IP Conflict After Installing Windows NT Load Balancing Service

Note   this was written for NT 4.0, but is the same for Windows 2000

192466 'System Error 53 Has Occurred' Using WLBS

Frequently Asked Questions

Case Studies

Q. Are there any large web sites that use NLB?

A. Yes. Examples include www.microsoft.com, www.msnbc.com, www.dell.com, and www.msn.com.

Q. How does www.microsoft.com use NLB?

A. www.microsoft.com is one of the busiest sites on the Internet, with an average of over 4.1 million users per day (that's 300 million hits a day). It has been using the Windows Load Balancing service for the last several years, and relies on Windows 2000 Network Load Balancing today to provide mission critical availability. As of June 2001, the www.microsoft.com web server infrastructure is comprised of 6 NLB clusters, each with 10 members. These clusters are located in physically separate data centers, and use round robin DNS to balance users between each cluster. Each server is a quad processor Pentium III with 1GB RAM, and is set to handle a maximum of 6,000 concurrent users. They operate comfortably with an average of 1,000 to 1,500 users per server, with average CPU utilization running between 40 to 50 percent.

Competition

Q. How does NLB compare to dedicated load balancing solutions like Cisco Local Director, and F5 BigIP?

A. Some key benefits of NLB include low cost (free with Windows 2000 Advanced Server or Windows 2000 Server plus Application Center 2000), high performance (tested to Gigabit Ethernet), no single point of failure (dedicated solutions require two "boxes" to solve this), no central "dispatcher" (could act as a bottleneck), and tight integration with Application Center 2000 out of the box. Some benefits of dedicated load balancing solutions include no requirement to be in the same subnet (solve using cluster of NLB clusters), additional load balancing criteria eg server response (partial solution using Application Center 2000), and the ability to support more than 32 servers per "cluster" (solve using cluster of NLB clusters).

Types of Load Balancing

Q. What type of load balancing does NLB offer?

A. NLB offers a high performance, low overhead load balancing mechanism that works particularly well with a large number of incoming clients. NLB uses a statistical mapping algorithm, which uses a randomization function to calculate a host ID based on the client's IP address, source port, and other state information maintained to optimize load balancing. The corresponding host forwards the packet up the network stack to TCP/IP, and the other cluster hosts discard it. If client affinity is set to Single, only the client IP address is used. For a complete discussion of this, refer to the NLB Technical Overview whitepaper.
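The simulation below is an added example, not Microsoft's code: it uses SHA-256 as a stand-in for the statistical mapping function, which this paper does not specify, to show how the affinity setting decides which parts of the client address feed the host choice. It also reproduces the two skew cases from the troubleshooting guide: a test with only a few client IP addresses, and a firewall that translates every client to one address. All function names and sample addresses are constructed.

```python
"""Affinity and load skew, simulated. SHA-256 is a stand-in hash (assumption)."""
import hashlib
import ipaddress
from collections import Counter


def affinity_key(client_ip: str, source_port: int, affinity: str) -> bytes:
    """Return the part of the client address that feeds the host choice."""
    packed = ipaddress.IPv4Address(client_ip).packed
    if affinity == "none":       # client IP address and source port
        return packed + source_port.to_bytes(2, "big")
    if affinity == "single":     # client IP address only
        return packed
    if affinity == "class_c":    # first three octets: the client's class C range
        return packed[:3]
    raise ValueError(f"unknown affinity: {affinity!r}")


def pick_host(client_ip: str, source_port: int, affinity: str, host_count: int) -> int:
    """Map one connection to a host ID in 1..host_count."""
    digest = hashlib.sha256(affinity_key(client_ip, source_port, affinity)).digest()
    return int.from_bytes(digest[:8], "big") % host_count + 1


def distribution(connections, affinity: str, host_count: int) -> dict:
    """Count connections per host ID, keeping idle hosts in the result."""
    counts = Counter({host: 0 for host in range(1, host_count + 1)})
    for client_ip, source_port in connections:
        counts[pick_host(client_ip, source_port, affinity, host_count)] += 1
    return dict(counts)


def spread(counts: dict) -> float:
    """Busiest host's share minus the quietest host's share (0.0 is even)."""
    total = sum(counts.values())
    return (max(counts.values()) - min(counts.values())) / total


# Constructed traffic samples (documentation and private address ranges).
def lab_clients(clients: int = 3, per_client: int = 500) -> list:
    """A test lab: a few workstations in one class C range, many connections each."""
    return [(f"192.0.2.{10 + c}", 1024 + i)
            for c in range(clients) for i in range(per_client)]


def internet_clients(count: int = 20000) -> list:
    """Many distinct client IP addresses, one connection each."""
    base = int(ipaddress.IPv4Address("10.0.0.0"))
    return [(str(ipaddress.IPv4Address(base + 257 * i)), 1024 + i)
            for i in range(count)]


def translated_clients(count: int = 4000) -> list:
    """Behind a translating firewall: every connection shows one source IP."""
    return [("198.51.100.7", 1024 + i) for i in range(count)]


if __name__ == "__main__":
    hosts = 4
    cases = [
        ("3 lab clients, Single", lab_clients(), "single"),
        ("3 lab clients, Class C", lab_clients(), "class_c"),
        ("20000 clients, Single", internet_clients(), "single"),
        ("translated, Single", translated_clients(), "single"),
        ("translated, None", translated_clients(), "none"),
    ]
    for label, conns, affinity in cases:
        counts = distribution(conns, affinity, hosts)
        print(f"{label:24} {counts}  spread={spread(counts):.2f}")
```

With three lab clients and four hosts at least one host always stays idle under Single affinity, while the translated traffic only spreads out once affinity is None and the source port enters the key.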

Q. Does NLB provide performance-based load balancing?

A. No. NLB uses a hash algorithm to determine which host a request should be forwarded to. However, it is possible to use Application Center 2000 and NLB to achieve a type of performance-based load balancing, e.g. set up a HealthMon trigger that takes a particular host offline when its CPU hits 85% for 10 minutes. Once the threshold falls, the host could be brought online again.

Q. What if my load balanced servers live in different subnets eg they are geographically dispersed?

A. Because NLB is based on a broadcast approach, it requires all hosts in a cluster to receive every packet sent to the virtual IP address. Hence, all hosts must belong in the same subnet. However, it is possible to create multiple NLB clusters for each geographic location, and use round robin DNS to load balance between each cluster, e.g. www.microsoft.com uses RRDNS to load balance requests to 6 X 10 NLB clusters located in separate data centers. Refer to the Global Distribution section under Advanced Issues for more details.

Applications

Q. What are some typical applications that work well with NLB?

A. Since NLB works at the TCP/IP layer, in theory it can work with any TCP or UDP based application. However, due to the statefulness of some applications, some work better with NLB than others. Examples of common applications that work well with NLB include: HTTP & HTTPS (web traffic), FTP (file downloads), PPTP (virtual private networks), POP3/SMTP (email), Terminal Services, and streaming media.

Q. Will Network Load Balancing detect if an application or service stops responding (e.g. my web server)?

A. No. Network Load Balancing operates at the TCP/IP layer, and cannot detect status changes in applications, services, or ports. Use Application Center 2000, which was specifically designed to provide this level of functionality.

Q. Does NLB support VPN scenarios?

A. Yes. PPTP based VPNs are fully supported. However, L2TP based VPN tunnels are not supported. This is because some client sessions are torn down as User Datagram Protocol (UDP) datagrams are rebalanced to the new server when you add a server to the cluster.

Q. Does Windows 2000 support IPSec with NLB?

A. No. However, you can use an IPSec offload network adapter to decrypt the packet before it reaches NLB. Refer to KB article 293827 for more information.

Networking

Q. Does NLB work well with switches?

A. Because NLB uses a "virtual" MAC & IP address, it can cause switches to incorrectly associate the cluster MAC address (Layer 2 switch) or IP address (Layer 3 switch) with a particular port. There are a number of ways to solve this, including connecting cluster nodes to a hub which is then connected to a switch (Layer 2 or 3 switch), or masking the source MAC address (Layer 2 switches only). This last option causes the switch to send the cluster packet to all ports, called port flooding. This can be contained using VLANs or hubs. Refer to the Switches section under Advanced Issues for more details.

Q. Does NLB work well with routers?

A. Yes. NLB is compatible with all routers in unicast mode. However, when using multicast mode with certain Cisco routers, you may need to configure static ARP entries. Refer to the Routers section under Advanced Issues for more details.

Q. Does NLB work well with firewalls?

A. Yes. The only possible issue is if the firewall is doing inbound address translation. This would have the effect of making all client requests to the cluster appear to be coming from the same IP address, which could adversely affect the load balancing distribution when using Single or Class C affinity. Refer to the Routers section under Advanced Issues for more details.

Q. Does NLB support token-ring networks?

A. No. It does not work on token-ring networks, because these do not allow multiple hosts to have the same MAC address.

Q. Can NLB be bound to more than one NIC per server?

A. No. Windows 2000 only allows NLB to be bound to one NIC.

Q. Can NLB function with a single NIC per server?

A. Yes. Network Load Balancing can work with a single network adapter.

Q. Can I use NLB with fault-tolerant NICs?

A. Yes. NLB is able to work with fault-tolerant NICs. However, there have been a number of instances where certain fault-tolerant NICs do not work well in unicast mode, and require either manual configuration or updated drivers. Refer to KB article 278431 for more information.

Q. Does NLB support multihomed web servers?

A. Yes. You can bind multiple IP addresses to multiple virtual web sites and still use NLB to load balance traffic between them.

Capacity & Performance

Q. What is the maximum number of hosts supported in an NLB cluster?

A. 32. However, you can create multiple NLB clusters, and use round robin DNS to load balance between each cluster. It is worth noting that cluster sizes greater than 12 are rarely needed, particularly if you had multi-processor servers eg www.microsoft.com uses RRDNS to load balance requests to 6 X 10 NLB clusters.

Q. Is there an optimal size for an NLB cluster?

A. The optimal size of a cluster is largely determined by how much traffic each host has to analyse, which in turn is dependent on the CPU capacity of each host. This is because every host has to examine all cluster packets to determine which ones to accept and which to drop. The more packets there are, the more CPU is consumed. While cluster sizes of 12 have been widely tested, there is no reason why larger clusters are not possible, e.g. at the Windows 2000 launch, a cluster size of 30 was used, and only saw a 1% NLB CPU overhead when serving approximately 18,000 GET requests per second (400 Mbps), or 1.55 billion hits per day.

Note   www.microsoft.com currently receives 300 million hits per day. For a very comprehensive discussion of this, refer to the NLB Technical Overview whitepaper.

Q. What speeds has NLB been tested at?

A. Network Load Balancing has been tested on 10 Mbps, 100 Mbps, and gigabit Ethernet networks with a wide variety of network adapters.

Internals

Q. How much traffic does the heartbeat generate?

A. Less than 1500 bytes per heartbeat. Heartbeats are generated every second, and if 5 heartbeats are missed by a host, convergence is initiated.

Q. Can I adjust how often a heartbeat is sent?

A. Yes. The frequency of the heartbeat is determined by the AliveMsgPeriod registry key (see below). The default is 1000 milliseconds, but can be any value between 100-10,000. WARNING: only adjust this setting if you fully understand the implications of doing this.

    HKLM\System\CurrentControlSet\Services\WLBS\Parameters\AliveMsgPeriod

Q. How long does convergence take?

A. Typically a few seconds.

Q. Can I run a mixed unicast/multicast cluster?

A. No. Network Load Balancing does not support a mixed unicast/multicast environment. All cluster hosts must be either multicast or unicast; otherwise, the cluster will not function properly.

Q. Can I run mixed clusters containing NT4 WLBS hosts and Windows 2000 NLB hosts?

A. Yes. This is fully supported. One application of this is rolling upgrades. For example, a web site on NT4 could be moved to Windows 2000 without taking the site down.

Q. Why does NLB not appear in the list of services?

A. Although it is installed as a network service, it is actually implemented as a device driver. Go to Device Manager, select View – Show Hidden Devices, and look under Network adapters.

Q. What are the key components that make up NLB?

A. There are four key components: 1) NLB networking device driver (wlbs.sys) 2) NLB Setup Dialog (wlbs.dll) 3) NLB control program (wlbs.exe), and 4) NLB online help (wlbs.chm).

Clustering

Q. Can I run Microsoft Cluster Service (MSCS) and Network Load Balancing on the same server?

A. No. Running these two components on the same computer is unsupported and is not recommended by Microsoft due to potential hardware sharing conflicts between Cluster service and Network Load Balancing. The two technologies are designed to work together to provide a comprehensive two or three-tier high availability solution. When used in conjunction with Component Load Balancing (CLB), part of Application Center 2000, a comprehensive three-tier high availability solution can be achieved (e.g. NLB at the presentation layer ie web servers, CLB at the application layer ie COM+ application servers, and MSCS at the data layer ie data servers such as SQL Server).

Q. Does Network Load Balancing require a cluster interconnect?

A. No. Unlike Microsoft Cluster Service, no cluster interconnect is used by Network Load Balancing (other than the subnet in which the cluster is located). The heartbeat travels over the NLB network adapter. Do not attempt to connect NLB nodes via a crossover cable.

Q. Does NLB require special network adapters?

A. No. Network Load Balancing can work with any network adapter that allows its MAC address to be changed. This includes the vast majority of network adapters available today. As a result, it does not have its own Hardware Compatibility List (HCL).

General

Q. What is the difference between the terms "primary IP address", "cluster IP address", and "virtual IP address"?

A. Primary IP address is the same as cluster IP address, and is a virtual IP (VIP) address that is used to identify the cluster for remote control operations and within heartbeat messages. You can have more than one virtual IP address associated with a cluster, e.g. multihomed web sites.

Q. What is the difference between the terms "dedicated IP address" and "dedicated adapter"?

A. Dedicated IP address (DIP) usually refers to the IP address assigned to the NLB network adapter for network traffic not associated with the cluster eg to telnet to it. However, it can also be used to refer to the IP address of the dedicated adapter, as this is also used for network traffic not associated with the cluster.

Q. Can I install NLB in unattended mode?

A. Yes. Since NLB is now part of Windows 2000, you can specify unattended NLB parameters in the Windows 2000 unattend.txt file.

Q. What happened to the name "Windows Load Balancing Service (WLBS)"?

A. It was renamed in Windows 2000 to Network Load Balancing. There are still a number of places that use the old acronym (e.g. wlbs.exe - command line interface, wlbs.chm - online help, and wlbs.sys - device driver).

For More Information

  • Network Load Balancing Online Help – a good source of information regarding Network Load Balancing. Used extensively throughout this guide.

    Located at \winnt\help\wlbs.chm

Glossary of Key Terms

ARP: Address Resolution Protocol. This is a TCP/IP protocol that resolves IP addresses used by TCP/IP-based software to media access control addresses used by LAN hardware.

availability: A measure of the fault tolerance of a computer and its programs. A highly available computer system provides continuous service without interruptions due to software or hardware failures.

client affinity: A configuration option for the multiple-host filtering mode within a port rule that specifies whether Network Load Balancing should direct multiple requests from the same client IP address or class C address space to the same cluster host. Three affinity settings are possible: none, single client, and class C.

client request: A service request from a client computer to a server computer or a cluster of computers. Network Load Balancing forwards each client request to a specific host within a cluster according to the system administrator's load-balancing policy.

cluster: A set of computers that work together to provide a service. The use of a cluster enhances both the availability and scalability of the service. Network Load Balancing provides a software solution for clustering multiple computers running networked client/server applications.

cluster adapter: The network adapter in a Network Load Balancing cluster that handles the network traffic for cluster operations (that is, the traffic for all hosts in the cluster). This adapter is assigned one or more virtual IP addresses and optionally a dedicated IP address.

convergence: A process by which Network Load Balancing hosts exchange messages to determine a new, consistent state of the cluster and to elect the host with the highest host priority (1 being the highest), known as the default host. During convergence, a new load distribution is determined for hosts that share the handling of network traffic for specific TCP or UDP ports.

CPU filtering overhead: A performance measure defined here as Network Load Balancing's CPU percentage on a cluster host required to analyze and filter network packets (lower is better).

CPU transfer overhead: A performance measure defined here as Network Load Balancing's CPU percentage on a cluster host required for it to transfer network packets through a cluster host.

dedicated adapter: In a multiple network adapter model, the network adapter that is not bound to an NLB cluster. It is typically used to provide access to a specific server (for example, to telnet to a server to administer it).

dedicated IP address (DIP): A cluster host's unique IP address used for network traffic not associated with the cluster (for example, Telnet access to a specific host within the cluster). While the term is normally used in the context of the NLB adapter, it can also be used to refer to the IP address of the dedicated adapter, as this is also used for network traffic not associated with the cluster.

default host: The host with the highest priority, or unique host ID (1 being the highest), which handles all of the network traffic for TCP and UDP ports that are not otherwise covered by port rules.

filtering mode: A configuration setting for a port rule that determines load-balancing policy for the range of ports covered by the port rule. There are three possible filtering modes: multiple host, single host, and disabled.

handling priority: A configuration setting in single-host filtering mode that specifies a host's priority for handling all of the cluster's network traffic for that port rule. Handling priority overrides host priority for the range of ports covered by the port rule.

heartbeat message: A network packet periodically broadcast by each cluster host to inform other hosts of its health and configuration. Network Load Balancing initiates convergence when it fails to receive heartbeat messages from another host or when it receives a heartbeat message from a new host.

high availability: See availability.

host: As used here, a computer that participates in a Network Load Balancing cluster. A host can also be referred to as node or member.

host priority: A configuration setting that specifies a cluster host's priority for handling all of the cluster's network traffic not covered by port rules. The host with the highest priority (lowest numerical value in the range of 1 to 32) is called the default host.

latency: A performance measure defined here as the non-overlapped portion of Network Load Balancing's CPU overhead (lower is better). Latency adds to the client response time.

load balancing: A technique for scaling performance by distributing load among multiple servers. Network Load Balancing distributes load for networked client/server applications in the form of client requests that it partitions across multiple cluster hosts.

load weight: A configuration setting for the multiple-host filtering mode within a port rule that specifies the percentage of load-balanced network traffic that this host should handle; allowed values range from 0 (zero) to 100. The actual fraction of traffic handled by each host is computed as the local load weight divided by the sum of all load weights across the cluster.

MAC address: A link-layer network address, called a media access control address, that is used to communicate with other network adapters on the same subnet. Each network adapter has an associated MAC address.

multicast MAC address: A type of media access control address used by multiple, networked computers to concurrently receive the same incoming network packets. In multicast mode, Network Load Balancing optionally uses multicast MAC addresses to efficiently distribute incoming network traffic to cluster hosts.

multicast mode: A configuration setting which instructs Network Load Balancing to add a multicast MAC address to the cluster adapters on all hosts in a cluster. The adapters' existing MAC addresses are not changed. See also unicast mode.

multihomed: A computer that has multiple network adapters or that has been configured with multiple IP addresses for a single network adapter. Network Load Balancing supports multihomed servers by allowing multiple virtual IP addresses to be assigned to the cluster adapter.

network adapter: A plug-in board that connects a computer to a local area network (LAN). A Network Load Balancing cluster communicates using a cluster adapter over the LAN connecting the cluster's hosts to clients.

NIC: Network Interface Card. Also referred to as a network adapter, or just adapter (for example, dedicated adapter).

NLB: Network Load Balancing service in Windows 2000. It was called Windows Load Balancing Service (WLBS) in Windows NT 4.0.

overhead: A performance measure defined here as the CPU percentage on a cluster host used by Network Load Balancing, consisting primarily of CPU filtering overhead and CPU transfer overhead. A portion of overhead contributes to latency.

port rule: A configuration setting within the Network Load Balancing Properties dialog box that specifies how cluster network traffic for a range of ports is to be handled. The method by which a port's network traffic is handled is called its filtering mode.

primary IP address: A virtual IP address used by Network Load Balancing to identify the cluster for remote control operations and within heartbeat messages. Also referred to as the cluster IP address. See virtual IP address.

response time: A performance measure defined as the round-trip delay to process a client request. Response time increases with the non-overlapped portion of CPU overhead, called latency (lower is better).

RRDNS: A type of domain name service, called Round Robin DNS, which distributes clients to multiple servers in a round-robin manner. RRDNS scales performance but does not provide high availability.

scalability: A measure of how well a computer, service, or application can grow to meet increasing performance demands. For clusters, scalability is measured by the ability to incrementally add one or more systems to an existing cluster when the overall load of the cluster exceeds its capabilities.

session: In the context of load balancing TCP/IP traffic, a set of client requests directed to a server. These requests can be invoked with multiple, possibly concurrent, TCP connections. The server program sometimes maintains state information between requests. To preserve access to the server state, system administrators can have Network Load Balancing direct all requests within a session to the same cluster host when load balancing by setting client affinity.

state: As used here, data maintained by a server application on behalf of its clients. To scale a server application by running multiple instances with Network Load Balancing, client state must be accessible and properly coordinated by all instances of the application.

switch: A central network device that forwards packets to specific ports rather than, as in conventional hubs, broadcasting every packet to every port. Switches can deliver higher total bandwidth than can hubs by supporting multiple, simultaneous connections.

switch-flooding: A switch behavior induced by Network Load Balancing to simultaneously deliver all incoming client packets to all switch ports. This behavior enables Network Load Balancing to deliver very high throughput, but it may cause high switch occupancy.

switch occupancy: A performance measure defined here as the fraction of a switch port's bandwidth occupied by Network Load Balancing's incoming client requests (lower is better). Switch occupancy increases with additional client traffic and must not adversely impact port bandwidth.

TCP/IP: Transmission Control Protocol/Internet Protocol. A set of networking protocols that is used on the Internet to provide communications among interconnected networks made up of computers with diverse hardware architectures and various operating systems. TCP/IP includes standards for how computers communicate and conventions for connecting networks and routing traffic.

throughput: A performance measure defined here as the number of client requests processed by a Network Load Balancing cluster per unit time (higher is better). Throughput increases with additional client traffic that the cluster can handle prior to saturating its hosts.

unicast mode: A configuration setting which instructs Network Load Balancing to change the MAC address of the cluster adapters to the same value for all hosts in a cluster. This is the default mode of operation. See also multicast mode.

virtual IP address (VIP): An IP address that is shared among the hosts of a Network Load Balancing cluster and used by clients to address the cluster as a whole. A Network Load Balancing cluster supports multiple virtual IP addresses, such as in a cluster of multihomed Web servers. One of the virtual IP addresses is the primary IP address, which is used to identify the cluster for remote control operations.