
Tuesday, May 28, 2013

Windows Server 2012 SuperFeature: DHCP App-Level Failover/Loadbalance

Foreword


One of my favorite additions to Windows Server for the 2012 version is application level load balancing and fail-over. This all new implementation does away with the previous solutions: "scope-splitting" and Windows clustering, neither of which I have ever felt comfortable recommending to a client. Splitting scopes doesn't do enough to prevent outages, and clustering is too complex to be a DHCP solution.

Fortunately, Microsoft recognized this gap in their product and released this new app level failover solution that aims to be as simple and straightforward as possible. I've deployed this a couple of times now and I'm blown away. Here's a high level overview of the implementation:

  • A single implementation can have two servers, no more. 
  • Servers can be configured in load-balancing or hot standby mode. 
  • Servers can reside across routing boundaries. (Enables unified management as well!)
  • Failover/Loadbalance Limited to IPv4
  • DHCP supported on server core
  • (Optional) Replication encryption 
  • Limit of one replication relationship type between two partners
And best of all,
  • Easy to set up and maintain.  (With a couple caveats I'll list below)

Hot Standby vs. Load Balancing


The hot standby option uses one DHCP server to service requests while the other waits to step in should the primary fail. A percentage (generally single digit) of the scope in question needs to be dedicated to the passive standby server as slack address space it can hand out during a failover event before the backup has asserted primary status. Microsoft states that hot standby is useful for multi-site deployments wherein the primary would be onsite and a secondary would be located offsite should the primary fail. Here are a couple scenarios well suited to hot standby:

Multi-Site, Single Backup



Two sites backing each other up


The load balancing strategy splits client servicing based on a hash of the client MAC address; a server will still respond to requests that its partner should have serviced if the client has gone unanswered. Provided you're using a datacenter licensing model and virtualization, most folks will want to use load balancing with two DHCP servers per site, generally on different hosts connected to different switches. If needed, load distribution mechanisms like F5s will work with this tech.

Two Sites Each Independently Load Balanced


Now let's set up DHCP failover or load balancing:


Assumptions


  • Basic knowledge re: Windows server 2012 and DHCP
  • Two 2012 servers ready to go and fully patched
Since we need to set up at least two servers, we'll do this twice, once with the GUI and once with PowerShell.

DHCP Server Setup (GUI)


  1. Install the DHCP server role by using server manager and selecting Manage->Add Roles and Features


  2. After bypassing the intro screen, select "Role Based or Feature Based Installation" and select your server.


  3. Select the "DHCP Server" role. Admin tools will be auto-selected as needed. 


  4. Click "Next" through the rest of the Wizard. Once it completes, you'll be notified that DHCP configuration needs to be completed.


  5. Launch the DHCP Post-Install configuration wizard and complete the DHCP setup by authorizing the DHCP server. 

 

DHCP Server Setup (Powershell)

Where servername.domain.lan is the FQDN of the server you wish to install, execute the following on a domain-connected computer with proper rights on the target machine:
  1. Load the ServerManager module:
    Import-Module ServerManager
  2. Install DHCP:
    Install-WindowsFeature -ComputerName servername.domain.lan -Name DHCP -IncludeManagementTools
  3. When complete, authorize in AD:
    Add-DhcpServerInDC -DnsName servername.domain.lan
Note that in step #3 you must specify the -IPAddress parameter (i.e. -IPAddress 10.0.0.10) if your server has either multiple NICs or a broken registration in DNS. See here for more info.
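The three steps above, plus the post-authorization service restart described in the next section, rolled into one script for both members of the future pair. This is an added example, not the post's own script; server names, domain and addresses are placeholders, and it assumes WinRM is enabled on both targets so that Install-WindowsFeature and Invoke-Command can reach them.

```powershell
# Added example: install, authorize and restart DHCP on both future failover partners
# from a management workstation. Names and IPs below are placeholders.
Import-Module ServerManager
Import-Module DhcpServer

$servers = @(
    [pscustomobject]@{ Name = 'dhcp01.domain.lan'; IPAddress = '10.0.0.10' },
    [pscustomobject]@{ Name = 'dhcp02.domain.lan'; IPAddress = '10.0.0.11' }
)

foreach ($s in $servers) {
    # Install the role remotely; the result object tells us whether it actually succeeded.
    $result = Install-WindowsFeature -ComputerName $s.Name -Name DHCP -IncludeManagementTools
    if (-not $result.Success) { throw "DHCP role install failed on $($s.Name)" }

    # Authorize in AD. Passing -IPAddress explicitly sidesteps the multi-NIC / stale DNS
    # registration problem called out in step 3.
    Add-DhcpServerInDC -DnsName $s.Name -IPAddress $s.IPAddress

    # The DHCP service must be restarted after authorization so the local DHCP
    # Administrators / DHCP Users groups it creates are picked up.
    Invoke-Command -ComputerName $s.Name -ScriptBlock { Restart-Service -Name DHCPServer }
}

# Verify: both servers should now be listed as authorized with the expected address.
Get-DhcpServerInDC |
    Where-Object { $_.DnsName -in $servers.Name } |
    Format-Table DnsName, IPAddress -AutoSize
```

The final Get-DhcpServerInDC check is worth keeping in any build script: an unauthorized DHCP server in an AD domain will not lease addresses, so a wrong IP in the authorization record shows up here long before clients complain.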

Prep for Server Pairing


After authorization, the DHCP services need to be restarted due to the groups that get added/created. Do that or reboot the servers in question, whichever is easier. Set up your DHCP scopes as you normally would on one of the two servers. (More info, ignore the 80/20 part) 

Configure DHCP Server Pair (GUI)

  1. Open up the DHCP management GUI and right click on the scope you would like to load balance and select "Configure Failover..."


  2. On the "Introduction to DHCP Failover" screen, select all scopes you would like to configure (or "Select all" for all) and click "Next".


  3. On the "Specify the partner server to use for failover" screen select the other DHCP server. This can be looked up provided the server has been registered in Active Directory. 


  4. On the "Create a new failover relationship" page configure the following:
    1. Relationship name: Configure a name for this partnership; you may want to manipulate this via Powershell so take that into account when considering a very complex name. 
    2. Maximum Client Lead Time: This determines three things: A) The lease time for a new client request if the server responsible for that client is down and the other answers the request, B) The amount of time one server will wait for a dead partner server before it takes control of the entire IP address block, and C) (added 8/5/13) The amount of time a server that had been down must be available to the other before "Partner Down" status will automatically be changed to "Normal" status. (See comments for an example of this) The default of 1 hour is generally good but you may want to tweak it depending on your setup. 
    3. Mode = Load Balance / Load Balance Percentage: This determines how much of the total load each server will take. 
    4. Mode = Hot Standby / Role of Partner Server / Addresses reserved for standby server: This determines whether the partner server is the primary or the standby and how much of each scope is reserved for distribution should the primary go down. Be careful that you reserve enough here that you won't run out of IP addresses prior to switching to "Partner Down" mode, while also ensuring you won't run out of IPs on the primary server because of the addresses reserved for the standby.
    5. State Switchover Interval: Selecting this enables either server to enter "Partner Down" state should communication be interrupted for the number of minutes specified after the option (default 60) resulting in the remaining server taking full responsibility for the scope(s). If this is not selected, an admin must manually choose to put the server into partner down state.
    6. Enable Message Authentication and Shared Secret: I highly recommend checking this box and specifying a long (14+ character) shared secret. This will encrypt messages between the two servers by using SHA-256. Should you wish to change the crypto, navigate to "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\DHCPServer\Parameters\" in the registry and add/change "FailoverCryptoAlgorithm".


  5. You'll then be met with a failover summary screen. Verify the info and click "Finish". 


  6. You will be shown the failover setup process. 



Configure DHCP Server Pair (Powershell) 


This time around you don't need to do the configuration twice, so this section is in lieu of the previous one. Refer to the section above for full descriptions; I'll just do mappings here:

Load Balanced


Add-DhcpServerv4Failover [-Name] (String) [-ScopeId] (IPAddress[]) [-PartnerServer] (String) [-AutoStateTransition (Boolean)] [-ComputerName (String)] [-LoadBalancePercent (UInt32)] [-MaxClientLeadTime (TimeSpan)] [-SharedSecret (String)] [-StateSwitchInterval (TimeSpan)]


Where:

-Name = Relationship name, as above
-ScopeId = The IP of the scope to be partnered
-PartnerServer = DHCP Server 2
-AutoStateTransition = "State Switchover Interval" above. Note that if the -StateSwitchInterval argument is used in the PowerShell command then this value is assumed TRUE, otherwise the default is FALSE
-ComputerName = DHCP Server 1
-LoadBalancePercent = The % to be serviced by DHCP Server 1
-MaxClientLeadTime = Same as outlined in the GUI section
-SharedSecret = Same as outlined in the GUI section
-StateSwitchInterval = TimeSpan; specifies how long to wait until auto transition to Partner Down. Implies AutoStateTransition is TRUE.

Failover


Add-DhcpServerv4Failover [-Name] (String) [-ScopeId] (IPAddress[]) [-PartnerServer] (String) [-AutoStateTransition (Boolean)] [-ComputerName (String)] [-MaxClientLeadTime (TimeSpan)] [-ReservePercent (UInt32)] [-ServerRole (String)] [-SharedSecret (String)] [-StateSwitchInterval (TimeSpan)]


Where:
-ReservePercent = Same as outlined in the GUI section
-ServerRole = Active or Standby
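The two mappings above applied end to end, as an added example (not the post's own script): it picks up every scope already defined on DHCP Server 1, creates the relationship in either mode through parameter splatting, and then checks state and message authentication on both partners. Server names, relationship names, percentages and the 'LoadBalance'/'HotStandby' switch are placeholders; the shared secret is read at the prompt rather than embedded in the script.

```powershell
# Added example: create a DHCP failover relationship with PowerShell and verify it.
Import-Module DhcpServer

$primary = 'dhcp01.domain.lan'   # DHCP Server 1 (placeholder)
$partner = 'dhcp02.domain.lan'   # DHCP Server 2 (placeholder)
$mode    = 'LoadBalance'         # or 'HotStandby'

# Read the shared secret interactively so it never lands in a script or history file.
$secret = Read-Host -Prompt 'Failover shared secret (14+ characters)'
if ($secret.Length -lt 14) { throw 'Shared secret too short; use 14 or more characters' }

# Every scope on the primary gets partnered; the relationship replicates them to the partner.
$scopes = (Get-DhcpServerv4Scope -ComputerName $primary).ScopeId
if (-not $scopes) { throw "No scopes defined on $primary yet" }

# Settings common to both modes. Supplying -StateSwitchInterval implies AutoStateTransition = TRUE.
$common = @{
    ComputerName        = $primary
    PartnerServer       = $partner
    ScopeId             = $scopes
    MaxClientLeadTime   = New-TimeSpan -Hours 1
    StateSwitchInterval = New-TimeSpan -Minutes 60
    SharedSecret        = $secret
}

if ($mode -eq 'LoadBalance') {
    # 50% of clients (by MAC hash) are served by DHCP Server 1, the rest by the partner.
    Add-DhcpServerv4Failover @common -Name 'LB-Site1' -LoadBalancePercent 50
} else {
    # Server 1 is Active; 5% of each scope is held back for the standby to hand out
    # before the relationship reaches Partner Down.
    Add-DhcpServerv4Failover @common -Name 'HS-Site1' -ServerRole Active -ReservePercent 5
}

# Verify on both members: State should be Normal and EnableAuth True once the
# shared secret is in place on each side.
foreach ($srv in $primary, $partner) {
    Get-DhcpServerv4Failover -ComputerName $srv |
        Select-Object @{ n = 'Server'; e = { $srv } }, Name, Mode, State,
                      PartnerServer, EnableAuth, AutoStateTransition, MaxClientLeadTime
}
```

If EnableAuth reports False on either side, the relationship was created without message authentication; recreating it with -SharedSecret is simpler than trying to bolt it on afterwards.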

Important Usage Notes!


  • Server Options are NOT replicated! Take this into account when setting up replication; you may want to specify options at a scope level so that if they are changed you don't need to manually do it on each server. 


  • There have been some reports of replication breaking custom options. See here for more info. 
  • How do "Communication Interrupted" and "Partner Down" states get initiated and what effect do they have? Refer to this handy flowchart I whipped up for reference:  
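Since server-level options are not replicated (first bullet above), the thing a practitioner wants after pairing is a quick drift check between the two partners. Added example, not from the post; the two server names are placeholders and Get-DhcpServerv4OptionValue with only -ComputerName returns the server-level (not scope-level) options.

```powershell
# Added example: detect server-level DHCP option drift between two failover partners.
Import-Module DhcpServer

$pair = 'dhcp01.domain.lan', 'dhcp02.domain.lan'   # placeholders

function Get-ServerOptionMap([string]$Server) {
    # Map OptionId -> value string. Value is an array (e.g. several DNS servers),
    # so join it to get a stable, comparable representation.
    $map = @{}
    foreach ($opt in Get-DhcpServerv4OptionValue -ComputerName $Server) {
        $map[[int]$opt.OptionId] = ($opt.Value -join ',')
    }
    return $map
}

$a = Get-ServerOptionMap $pair[0]
$b = Get-ServerOptionMap $pair[1]

# Walk the union of option IDs; anything missing on one side or differing is drift.
$drift = foreach ($id in (@($a.Keys) + @($b.Keys) | Sort-Object -Unique)) {
    if ($a[$id] -ne $b[$id]) {
        [pscustomobject]@{
            OptionId     = $id
            Server1Value = $a[$id]
            Server2Value = $b[$id]
        }
    }
}

if ($drift) {
    Write-Warning "Server-level options differ between $($pair[0]) and $($pair[1]):"
    $drift | Format-Table -AutoSize
} else {
    "Server-level options match on both partners."
}
```

Running this from a scheduled task after each change window catches the classic failure: DNS or router options updated on one server, clients served by the partner still handed the old values.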


References: 



MSFT DHCP Team Blog: Hot-Standby
MSFT DHCP Team Blog: Failover Load Balance
Technet: Step by Step Configure DHCP for Failover
MSFT Doco: Understand and Troubleshoot DHCP Failover in Win8 Beta (Still Relevant)

Closing


Thanks for taking the time to read; should you have any questions leave them in the comments!

Monday, February 4, 2013

Installing nVidia Consumer Drivers on Server 2012 Core for RemoteFX


I'm wanting to establish Microsoft RemoteFX in my lab, and to do so, one needs a dedicated 3D accelerator. Obviously, nVidia didn't make the drivers with Server 2012 (now 2016 as well, see below) Core in mind. To accomplish this, we need to do the following:

1> Download the newest drivers from nVidia. (Note the latter half of these points will probably work on ATI cards as well, you just need to unpack the drivers)
2> Execute the driver setup directly on the core server and select a temporary directory. 
3> Hit "OK"; the installer will crash because it's uncomfortable in the lovely world of server core.
4> Navigate to the display.driver directory underneath the extracted files in the temporary directory you selected earlier. You should find the .inf files in this directory. For nVidia it is nv_disp.inf. Update 5/3/2015: the .inf file is now nv_dispi.inf, thanks bearkiter.
5> From cmd.exe, execute "pnputil -i -a nv_disp.inf"
6> The screen will blank! Don't be afraid. After completion, you should see a screen that looks like the shot below. (yes the borders are gone)
7> Assuming it's OK to do so, execute "Shutdown /r /t 0" to reboot the machine.
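Steps 4 and 5 scripted, as an added example that is not part of the original post: because the .inf was renamed between driver versions, the script locates it by pattern instead of hard-coding the name, refuses to install a package whose catalog does not carry a valid signature, and then lists the driver store so you can confirm the package landed before rebooting. The extraction directory is a placeholder; everything else uses only pnputil switches already on the page plus -e (enumerate).

```powershell
# Added example: install an extracted display driver package on Server Core with pnputil.
$extractDir = 'C:\Temp\nvidia'                      # the temp directory chosen in step 2 (placeholder)
$driverDir  = Join-Path $extractDir 'Display.Driver'

# The .inf name changed between releases (nv_disp.inf -> nv_dispi.inf), so match by pattern.
$inf = Get-ChildItem -Path $driverDir -Filter 'nv_disp*.inf' -File | Select-Object -First 1
if (-not $inf) { throw "No nv_disp*.inf found under $driverDir; check the extraction directory" }

# Driver packages are signed through their .cat file. Installing an unsigned or tampered
# package into the kernel is exactly what you do not want on a server, so check first.
$catalogs = Get-ChildItem -Path $driverDir -Filter '*.cat' -File
$bad = $catalogs | Where-Object { (Get-AuthenticodeSignature $_.FullName).Status -ne 'Valid' }
if (-not $catalogs -or $bad) { throw "Driver catalog missing or not validly signed in $driverDir" }

# -i installs the driver on matching devices, -a adds the package to the driver store.
& pnputil.exe -i -a $inf.FullName
Write-Host "pnputil exit code: $LASTEXITCODE (0 means success; otherwise read the output above)"

# Confirm the package is now in the store before rebooting with shutdown /r /t 0.
pnputil.exe -e | Select-String -Pattern 'NVIDIA' -Context 1, 3
```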

I'm working on another article to cover VDI/RemoteFX. Stay tuned. Update: Article here.



Update 2/3/2017: Confirmed working on Windows 2016! Consumer grade hardware works in the lab as well.

Tuesday, December 4, 2012

Recommended Network Adapter DNS Settings for a Domain Controller\DNS Server

DNS client settings for your domain controller

This comes up at nearly every client I've been to, and I have yet to see any comprehensive article from MS on the topic. There is always quite a bit of confusion surrounding what you should set the preferred DNS servers to in the network adapter of the DNS server itself. Here are some quick guidelines to save you some time:

Do:

  • Use another DNS server in the same domain as the primary, secondary, etc...
  • Use the loopback address, but not as the preferred server. Set it as the last server in the order. (Use the Advanced tab if you have more than two servers)
  • Clear the automatically added ::1 as the primary and only DNS server for the IPv6 stack unless you actively use IPv6. If so, then the same rule applies knowing that ::1 is the loopback address for IPv6.
    • Bonus, here's the command: netsh interface ipv6 delete dnsservers "Local Area Connection" ::1 where "Local Area Connection" is the name of the connection in question. It may say something to the effect of "No DNS Servers" after you execute the command, but that tingling just lets you know it's working like Denorex.

Example: 

My lab has two DNS servers in one domain: 192.168.1.30 and 192.168.1.110. Here is the IP config of the 1.30 machine:


Were there another DNS server in the domain, it would be listed BEFORE 127.0.0.1. Note that the DNS servers list does not include ::1 as the preferred server since I removed that with the command listed above.


Do Not:

  • Use the server's own IP as the primary. Why? If something goes wrong with the zone configuration or the replication of the records, you could inadvertently isolate domain controllers from each other and give entirely inconsistent results to clients, making the troublesome DC harder to troubleshoot.
  • Use the loopback address as anything but the last entry.

Discussion: Some prefer to set the server's own DNS as preferred to reduce network traffic, and while I don't recommend that myself I will stress one final thing:
Whatever you decide to do with settings, be consistent. Lack of consistency inevitably costs time and money, usually when you don't have either.
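The Do / Do Not lists turned into a check you can run on each DC, so that "be consistent" is something you can verify rather than hope for. This is an added example, not from the post; it needs the DnsClient and NetTCPIP modules (Windows Server 2012 or later) and only reports, it changes nothing. The fix it prints for ::1 is the netsh command from the Do list.

```powershell
# Added example: audit the local DC's DNS client settings against the guidelines above.
function Test-DcDnsClientSettings {
    $findings = @()

    # Every IPv4 address this server owns, loopback excluded; one of these as the
    # preferred server is the first "Do Not".
    $ownIPv4 = (Get-NetIPAddress -AddressFamily IPv4 |
        Where-Object { $_.IPAddress -ne '127.0.0.1' }).IPAddress

    foreach ($cfg in Get-DnsClientServerAddress -AddressFamily IPv4) {
        $servers = @($cfg.ServerAddresses)
        if ($servers.Count -eq 0) { continue }          # loopback / unconfigured interfaces
        $alias = $cfg.InterfaceAlias

        if ($servers[0] -eq '127.0.0.1') {
            $findings += "$alias : 127.0.0.1 is the preferred server; move it to the end of the list."
        } elseif ($servers[0] -in $ownIPv4) {
            $findings += "$alias : the server's own address $($servers[0]) is preferred; put another DC in the domain first."
        }

        # Loopback is fine, but only as the last entry.
        $loopIdx = [array]::IndexOf($servers, '127.0.0.1')
        if ($loopIdx -ge 0 -and $loopIdx -ne ($servers.Count - 1)) {
            $findings += "$alias : 127.0.0.1 is entry $($loopIdx + 1) of $($servers.Count); it should be last."
        }
    }

    # ::1 as the IPv6 DNS server is the auto-added default; remove it unless IPv6 is in use.
    foreach ($cfg in Get-DnsClientServerAddress -AddressFamily IPv6) {
        if ('::1' -in @($cfg.ServerAddresses)) {
            $findings += "$($cfg.InterfaceAlias) : ::1 configured for IPv6; unless you use IPv6 DNS, run: netsh interface ipv6 delete dnsservers `"$($cfg.InterfaceAlias)`" ::1"
        }
    }
    return $findings
}

$result = @(Test-DcDnsClientSettings)
if ($result.Count -eq 0) { 'DNS client settings follow the guidelines.' } else { $result }
```

On a domain with a single DC the "own address first" finding is unavoidable; treat it as a reminder to add a second DC rather than as something to silence.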

Tuesday, March 27, 2012

0 to DC in 60 Minutes: Virtual Windows 2k8r2 Core as DC in existing Domain

Let's build a Server Core 2k8r2 machine on VMWare ESXi 4.1 and join it to an existing domain. This should be fun. This guide assumes you have already prepared the domain for 2k8 DCs. If you need help there, see this great blog. The moral of the story is that you need to perform adprep.exe /forestprep on the schema master, /domainprep and /domainprep /gpprep on the infrastructure master, and /rodcprep on the domain naming master.

We'll build it from scratch; no image. First, let's configure the VMWare machine.

VMWare Settings

Unless noted, settings are default. (i.e. if a component is omitted it's default) 

Memory: 4096GB
CPUs: 2
SCSI Controller 0: LSI Logic SAS (Paravirtual would require a driver disk for setup)
Network Adapter: Proper VLAN, Paravirtual or E1000. I generally use E1000 for domain controllers. 
Hard Disk 0: 40GB for core
Hard Disk 1: (optional) 20GB for logs, 3rd party apps if necessary

Mount your Win2k8r2 ISO on the CD/DVD drive and make sure it's Connected/Connected at Power on. Start the VM. 

Installing Winders

Note: Select x64 or x86 as you prefer. Feel free to add an x64 machine in with DCs that are only x86. 

When navigating through the installer select the correct version. In this exercise I'll be selecting "Windows Server 2008 R2 Standard (Server Core Installation)". If prompted for the type of installation, select "Custom (advanced)". Select Disk 0 as the install target. The install should go quick, and the first thing you'll be prompted to do is select an Administrator password. Use "password" and never change it. (Hah Hah! You see what I did there?) 

Using the console, log on to our new server as administrator and then we'll go point by point; unless noted otherwise commands are assumed to be executed from a command prompt on the target server. 

Configuration

Install VMWare tools (or HyperV if you desire) 

  • Mount the CD: (Right Click VM->Guest->Install VMWare Tools)
  • Assuming D:  msiexec.exe /i "D:\Vmware Tools.msi" /qn
  • The server will automatically reboot after installation; log back on after it comes up. 

Set IP Addressing information

  • netsh int ipv4 set address name="Local Area Connection" static 192.168.11.99 255.255.255.0 192.168.11.254
    • Where: "Local Area Connection" is the name of the connection, "static" defines the IP as static, "192.168.11.99" defines the IP, "255.255.255.0" defines the mask, and "192.168.11.254" represents the default gateway
  • netsh int ipv4 add dnsserver "Local Area Connection" 192.168.11.103 index=1
  • netsh int ipv4 add dnsserver "Local Area Connection" 192.168.11.100 index=2 
    • Where: "Local Area Connection" is the name of the connection, "192.168.11.103" represents the IP of the DNS server, and "index=1" is the priority of the server

Rename the computer and join it to the domain

  • netdom renamecomputer %computername% /newname:COMPUTERNAME
    • Where: "renamecomputer" is the command we're issuing, "%computername%" is the necessary part of the argument that specifies the current name of the computer, (feel free to use the variable, it'll work) and "/newname:COMPUTERNAME" is the new computer name. Replace with your naming standard. For enterprise scalability I recommend naming your servers after your neighbor's kids. 
  • shutdown /r /t 0 
    • This will shut down and restart the computer; "/t 0" specifies a wait of 0 seconds. After the reboot you'll still need to use the VMWare/HyperV console because we haven't opened RDP ports yet. 
  • netdom join %computername% /Domain:DOMAINNAME /UserD:username /PasswordD:password
    • Where: This command joins the computer to the domain. Specify the NETBIOS domain name (a couple configs may need the DNS Name) and a username/pass that can add machines to the domain. Note that the extra D after user and password is NOT a typo. 
  • shutdown /r /t 0

Enable RDP and open appropriate Firewall holes

  • Cscript %windir%\system32\SCRegEdit.wsf /ar 0
    • Enables RDP
  • netsh advfirewall firewall set rule group="Remote Desktop" new enable=yes
    • Allows RDP through firewall 
  • netsh advfirewall firewall set rule group="Remote Administration" new enable=yes
    • Allows "Manage This Computer" functionality remotely
  • netsh advfirewall firewall set rule group="Remote Event Log Management" new enable=yes
    • Allows browsing through Event Logs remotely

Configure Disks: (Optional)  In my example I'm assigning the virtual CD/DVD-Rom to J: and then creating a partition for my second disk, formatting it, and setting it to D:

  • diskpart
  • list volume
    • Volumes will be listed. You need to find the DVD-Rom, which will list its Fs type as "UDF". In my case it's volume 0, but I'll refer to it in the next example as "X"
  • select volume X
    • Use the correct volume number. 
  • assign letter=X
    • Our server standard puts the DVD-ROM at J to keep it away from common HDD letters. 
  • list disk
    • now we will look for the disk # representing the secondary disk; it should be the disk with the size and free space reporting the same size. In my case it's Disk 1, but I'll use X in the command
  • select disk X
    • Use the correct disk number for X
  • create partition primary
    • Creates a "standard" partition
  • assign letter=D
    • Replace "D" with whatever drive letter you want
  • select partition 1
    • Select the partition we just created
  • format fs=ntfs label="Data" QUICK
    • Format the volume, replace the label with whatever you desire; QUICK is a quick format

Activate the Server (important to do before we bring it into the domain)

  • slmgr.vbs -ato
    • If you receive an error, you may have used the wrong ISO and you'll have to switch the product key. To do so, contact MSFT, get the new key, then do: 
    • slmgr.vbs -ipk PRODUCT KEY HERE
    • slmgr.vbs -ato 

Update the Server

  • Use the sconfig tool or this method to fully update the server prior to install.

Create the Unattended Answer File for DCPromo

If you don't have an unattended answer file from an earlier DCPromo (which is likely, or you probably wouldn't be here) you will have to create one from scratch. This isn't as tough as it seems. The guidelines for the unattended answer file can be found here. Feel free to use mine as a starting point; here is my final file with the appropriate information obfuscated. Note that my example changes the default locations for the Database Path, LogPath, and SYSVOL path. This is not necessary, and if those lines are omitted they will be installed to the default locations. Also note that if you're not adding this DC to an existing domain but rather creating a new one, this file should be quite different. 

[DCINSTALL] 
UserName=userName
UserDomain=NETBIOSDomainName
Password=passwordHere
SiteName=Site-Name-Here
ReplicaOrNewDomain=replica
DatabasePath="D:\NTDS" 
LogPath="D:\NTDS" 
SYSVOLPath="D:\SYSVOL" 
InstallDNS=yes
ConfirmGC=yes
SafeModeAdminPassword=passwordHere
ReplicaDomainDNSName=FQDomainName.lan
RebootOnCompletion=no

After you have completed the creation of your unattended answer file, place it in a temp folder on the target machine. For the purposes of this guide, we will assume \\ComputerName\c$\temp\dcpromo.txt

Promote the Machine to a Domain Controller


  • dcpromo.exe /answer:c:\temp\dcpromo.txt
    • Remember that we're assuming c:\temp\dcpromo.txt for where the unattended file was placed; if you don't 
    • If all is successful towards the end you should see "Active Directory Domain Services is now installed on this computer for the domain "domain.name.here"
  • shutdown /r /t 0

Test the new DC

  • dcdiag /c /v /f:c:\temp\dcdiag.txt
    • This performs all DC Diagnostic tests (/c) and logs verbosely (/v) to c:\temp\dcdiag.txt . If you're not confident troubleshooting this output add an /i to the command line after /c, which will suppress unimportant error messages.
    • After running, review the log for errors. It is normal to see a couple warning messages from the File Replication Service right around the time of the DC promotion.
That's it, you're done! Feel free to comment or e-mail with questions or comments.
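The answer-file and promotion steps scripted, as an added example that is not the post's own method: it builds the [DCINSTALL] file above from variables, reads both passwords at the prompt, runs dcpromo /answer, and deletes the file afterwards because it holds two plaintext passwords. It assumes a box where PowerShell is present (2012 Core, per the update below, or 2008 R2 Core with the PowerShell feature enabled) that has already been joined to the domain; domain, user and site names are placeholders, and dcpromo's log location is the standard %windir%\debug\dcpromo.log.

```powershell
# Added example: write the DCPromo unattended answer file, promote, then clean up.
$domainFqdn = 'corp.example.lan'            # placeholder
$netbios    = 'CORP'                        # placeholder
$user       = 'svc-dcpromo'                 # placeholder account allowed to add a replica DC
$site       = 'Default-First-Site-Name'     # placeholder
$answer     = 'C:\temp\dcpromo.txt'

# Pull a plaintext copy out of a SecureString only for the moment it is written to the file.
function ConvertFrom-Secure([SecureString]$Secure) {
    $bstr = [Runtime.InteropServices.Marshal]::SecureStringToBSTR($Secure)
    try   { [Runtime.InteropServices.Marshal]::PtrToStringBSTR($bstr) }
    finally { [Runtime.InteropServices.Marshal]::ZeroFreeBSTR($bstr) }
}
$pw   = ConvertFrom-Secure (Read-Host -AsSecureString "Password for $netbios\$user")
$dsrm = ConvertFrom-Secure (Read-Host -AsSecureString 'Directory Services Restore Mode password')

# Same layout as the sample file above; paths are optional and default if omitted.
$content = @"
[DCINSTALL]
UserName=$user
UserDomain=$netbios
Password=$pw
SiteName=$site
ReplicaOrNewDomain=replica
DatabasePath="D:\NTDS"
LogPath="D:\NTDS"
SYSVOLPath="D:\SYSVOL"
InstallDNS=yes
ConfirmGC=yes
SafeModeAdminPassword=$dsrm
ReplicaDomainDNSName=$domainFqdn
RebootOnCompletion=no
"@

New-Item -ItemType Directory -Path (Split-Path $answer) -Force | Out-Null
Set-Content -Path $answer -Value $content -Encoding ASCII

try {
    & "$env:windir\system32\dcpromo.exe" /answer:$answer
    $rc = $LASTEXITCODE
} finally {
    # The answer file carries two plaintext passwords; never leave it on disk.
    Remove-Item -Path $answer -Force -ErrorAction SilentlyContinue
    $pw = $dsrm = $null
}
Write-Host "dcpromo exit code $rc; review $env:windir\debug\dcpromo.log, then shutdown /r /t 0"

# After the reboot, run the diagnostics from the Test step:
#   dcdiag /c /v /f:c:\temp\dcdiag.txt
```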

Update 5/20/2013: I wanted to note that I've successfully used this methodology for Windows 2012 core as well, despite dcpromo being deprecated. The only change to note since the article was written is to ensure you use e1000e (or VMXNet3) rather than e1000 if you're using a VMWare VM.

Monday, May 12, 2008

Using Server Core as a domain controller

A couple quick notes:

1. Core obviously doesn't have a GUI, so your dcpromo wizard is gone. The easiest way to circumvent this is by using an unattended file. See: http://www.petri.co.il/creating-unattend-installation-file-dcpromo-windows-server-2008.htm

2. Set all interfaces to static addresses (IPv6 included! P.S. Stay tuned for a bunch of IPv6 setup info) using the netsh command. http://www.petri.co.il/configuring-windows-server-2008-networking-settings.htm and http://technet.microsoft.com/en-us/library/bb878102.aspx

Here's a big catch that really disappointed me: when creating an unattend.txt file for dcpromo purposes, you CANNOT use an already existing DC! What the hell?! It would stand to reason that the smartest approach Msft could take on this would be to allow you to create a file from an already installed and tweaked server, but as it stands that's not possible. The only chance you get to create an unattend.txt file is right at the end of the initial DCPromo. That being said, even if you aren't sure about your DCPromo setup on a non-core machine, utilize the "Export Settings" anyhow. At least then you'll have a baseline to start from and you won't have to do the whole thing from scratch like me. Yuck.