Thanks for the info. I have gotten the NLB working in unicast mode with no problems. Due to the issue with unicast in vSphere (http://kb.vmware.com/selfservice/microsites/search.do?language=en_US&cmd=displayKC&externalId=1556), I tried to get it to work with multicast to no avail. With multicasting, it works fine across the vSwitches, but seems to stop dead at the physical switches in the blade system.

I have made the necessary adjustments for unicast to work, but would be interested to hear any pointers on what is necessary for multicasting to be a viable option. The switches in the (HP) blade system are Cisco Catalyst 3120Gs, and I turned off IGMP snooping on the VLAN in question. The blade system switches connect directly to the core, which is doing layer 3 switching (and is the default gateway for most everything). While connected to the switch in the blade system, I cannot ping the NLB address, nor any further down the chain, obviously.
Bill Mayo

From: Steven Peck [mailto:sep...@gmail.com]
Sent: Monday, February 28, 2011 5:34 PM
To: NT System Admin Issues
Subject: Re: Windows 2008 R2 NLB

From within VMware the default network configuration will allow for NLB. If you've made changes then you may run into a problem.

Configuration tab > Networking
Pick a switch > Properties
Edit vSwitch > Security

Default should be:
Promiscuous - Reject
MAC Address Changes - Accept
Forged Transmits - Accept

Some security docs suggest you change the last two to Reject, which will 'break' MS NLB at the guest level. We found out when we made these changes in one of our environments.

Steven Peck
http://www.blkmtn.org

On Mon, Feb 28, 2011 at 1:26 PM, Mayo, Bill <bem...@pittcountync.gov> wrote:

That looks helpful. Thanks, Michael!

From: Michael B. Smith [mailto:mich...@smithcons.com]
Sent: Monday, February 28, 2011 4:13 PM
To: NT System Admin Issues
Subject: RE: Windows 2008 R2 NLB

There is probably a simple how-to out there for this, but this is an excerpt from a High-Availability Exchange class I teach, that gives the "500 foot view" of how to set this up, granted it's based on Hyper-V.
It should be enough to get you going:

Configuration Documentation

All servers running Server 2008 R2 Enterprise (evaluation)
Exchange 2010 RTM + UR3 (evaluation)
CAS+HT installed on Mail01, Mail02
MB installed on MBX01, MBX02
No UM, no Edge
No Internet

AD01                172.16.3.5
Mail01              172.16.3.10
Mail02              172.16.3.15
MBX01               172.16.3.20
MBX02               172.16.3.25
mail.smithcons.com  172.16.30.30
TEC-DAG             172.16.3.100

Domain Setup
Boot AD01
Add mail.smithcons.com to DNS on AD01 - 172.16.30.30

NLB Preparation
Add new NIC to Mail01, Mail02
Mark all NICs on Mail01, Mail02 for MAC Spoofing
Boot Mail01, Mail02
Verify that all "Automatic" services have started on Mail01, Mail02

Install NLB Cluster
Add NLB Feature
Configure NICs:
    Mail01 - 172.16.30.10
    Mail02 - 172.16.30.15
    No gateway, no DNS, no WINS
Rename lower-numbered Local Area Connection (LAC) to CorporateNetwork
Rename other LAC to NLBNetwork
Update binding order to put CorporateNetwork first
Create NLB cluster on Mail01
    Use NLB network
    172.16.30.30 mail.smithcons.com
Allow cluster to converge
Add Mail02 to cluster
Allow cluster to converge
...resolve inevitable issues

Test NLB Cluster
https://mail01/owa
https://mail02/owa
https://mail.smithcons.com/owa
Drainstop both servers, illustrate cluster no longer works, individuals do
Resume servers

Configure NLB for HT
Discuss round-robin vs. NLB for HT
Discuss issue with doing LB of internal SMTP
On the Default receive connector on each HT, change to use CorporateNetwork IP and the non-load-balanced IP from the NLBNetwork
Create a new receive connector on each HT, for the load-balanced IP as Custom, port 25
Set Permission Groups for each new receive connector to "Anonymous Users"
Remove Anonymous Users from the Default receive connector on each HT
Mark that the new receive connectors can relay email to any internal user:
    Get-ReceiveConnector "Incoming SMTP NLB" | Add-AdPermission -user "NT Authority\Anonymous Logon" -ExtendedRights ms-Exch-SMTP-Accept-Any-Recipient
Remove the default IP port configuration from the cluster and add port 25 and optionally 587
Show that it works (drainstop, etc., etc.)

Configure NLB for CAS
Add ports 80, 443, 110, 143
Import SSL certificate using Certificates MMC
Get-ExchangeCertificate to obtain thumbprint
Enable-ExchangeCertificate -thumb ### -Services IIS, SMTP
Set-OutlookProvider EXPR -CertPrincipalName 'msstd:*.smithcons.com'
Restart-Service MSExchangeTransport
Iisreset /noforce
Configure profile for Outlook 2007 on AD01; illustrate

Regards,

Michael B. Smith
Consultant and Exchange MVP
http://TheEssentialExchange.com

From: Mayo, Bill [mailto:bem...@pittcountync.gov]
Sent: Monday, February 28, 2011 2:35 PM
To: NT System Admin Issues
Subject: Windows 2008 R2 NLB

I am trying to set up an NLB cluster in Windows Server 2008 R2 and having some difficulties. I am trying to use the same methodology that I have before with Windows 2003, without success. It appears that there are several changes in 2008 that affect NLB. I am using 2 NICs that are on different subnets, the second of which does not have a gateway. The second NIC is the one that has the NLB attached. I have found info on turning on forwarding but that did not resolve it.
It looks like you can actually set up an NLB in 2008 with only one NIC, and I even found an article where the person was putting both NICs on the same subnet, which I thought was a no-no. Basically, what I need is some information on best practices regarding how to set up each NIC (same or different subnet, gateway or not, which NIC to use to create the NLB).

Bill Mayo

P.S. I am also working in vSphere, which I understand adds some issues with unicast, but I think if I can figure out the correct way to set up the NICs I can handle that. If anyone has any all-in-one info on 2008 R2 NLB in vSphere, that would be even better.

~ Finally, powerful endpoint security that ISN'T a resource hog! ~
~ <http://www.sunbeltsoftware.com/Business/VIPRE-Enterprise/> ~
---
To manage subscriptions click here: http://lyris.sunbelt-software.com/read/my_forums/
or send an email to listmana...@lyris.sunbeltsoftware.com
with the body: unsubscribe ntsysadmin
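The vSwitch security settings Steven Peck lists (Promiscuous Reject, MAC Address Changes Accept, Forged Transmits Accept) are easy to audit and to scope correctly with VMware PowerCLI. The script below is an added example and is not code from any message in this thread; it assumes a vCenter named vcenter.example.local, an ESXi cluster named BladeCluster, and a dedicated port group named NLBNetwork that carries only the NLB NICs (all placeholders). The point of checking at port-group level is that you can keep MAC Address Changes and Forged Transmits at Reject on the vSwitch and every other port group, and relax them only where NLB actually needs them.

```powershell
# Added example (not from the thread): audit and, where needed, fix the port-group
# security policy that Microsoft NLB requires, using VMware PowerCLI.
# Assumed names (placeholders): vcenter.example.local, cluster BladeCluster,
# port group NLBNetwork.

Import-Module VMware.VimAutomation.Core
Connect-VIServer -Server 'vcenter.example.local'

# What NLB needs on the port group the cluster NICs sit on:
#   MacChanges       = Accept  (the guest changes its NIC MAC to the cluster MAC)
#   ForgedTransmits  = Accept  (frames leave with a source MAC other than the vNIC's own)
#   AllowPromiscuous = Reject  (NLB does not need it; keep the hardened default)
$required = @{ MacChanges = $true; ForgedTransmits = $true; AllowPromiscuous = $false }

function Test-NlbPortGroupPolicy {
    # Compare one port group's effective security policy against $required.
    param(
        [Parameter(Mandatory=$true)] [string]$HostName,
        [Parameter(Mandatory=$true)] $PortGroup     # object from Get-VirtualPortGroup
    )
    $policy = $PortGroup | Get-SecurityPolicy
    $problems = foreach ($setting in $required.Keys) {
        if ($policy.$setting -ne $required[$setting]) {
            '{0} is {1}, NLB needs {2}' -f $setting, $policy.$setting, $required[$setting]
        }
    }
    New-Object PSObject -Property @{
        Host      = $HostName
        PortGroup = $PortGroup.Name
        Compliant = (@($problems).Count -eq 0)
        Problems  = (@($problems) -join '; ')
    }
}

$report = foreach ($h in (Get-Cluster -Name 'BladeCluster' | Get-VMHost)) {
    Get-VirtualPortGroup -VMHost $h -Name 'NLBNetwork' |
        ForEach-Object { Test-NlbPortGroupPolicy -HostName $h.Name -PortGroup $_ }
}
$report | Format-Table Host, PortGroup, Compliant, Problems -AutoSize

# Remediate only the NLB port group. Clearing the "inherited" flags and setting the
# values here leaves the parent vSwitch, and every other port group, at Reject.
$report | Where-Object { -not $_.Compliant } | ForEach-Object {
    Get-VirtualPortGroup -VMHost (Get-VMHost -Name $_.Host) -Name $_.PortGroup |
        Get-SecurityPolicy |
        Set-SecurityPolicy -MacChangesInherited $false -MacChanges $true `
                           -ForgedTransmitsInherited $false -ForgedTransmits $true
}

Disconnect-VIServer -Server 'vcenter.example.local' -Confirm:$false
```

Run the audit half first and look at the Problems column before running the remediation loop; a host that reports a non-compliant NLBNetwork is exactly the one where the guest-level cluster MAC will be dropped. The unicast-specific change in the VMware KB that Bill links is a separate port-group setting and is not touched by this script.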
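Michael's "Configure NLB for HT" steps (build the cluster, swap the default port rule for SMTP, split the receive connectors, drainstop to test) can be scripted end to end on Windows Server 2008 R2, which ships the NetworkLoadBalancingClusters PowerShell module alongside the Exchange 2010 Management Shell. The script below is an added example, not Michael's class material or Bill's configuration. It takes its names and addresses from the lab outline (NLBNetwork, 172.16.30.30, Mail01/Mail02 and their corporate and NLB IPs) and assumes an internal address space of 172.16.0.0/16 for the anonymous connector; that last value is an assumption. One caveat worth making explicit: ms-Exch-SMTP-Accept-Any-Recipient lets anonymous senders relay to any recipient, internal or external, so the RemoteIPRanges on the anonymous connector is what stands between this setup and an open relay.

```powershell
# Added example (not from the thread): the NLB-for-Hub-Transport steps scripted.
# Run on Mail01 in the Exchange Management Shell on Windows Server 2008 R2.
# Values from the lab outline: NIC "NLBNetwork", cluster IP 172.16.30.30,
# Mail01 172.16.3.10 / 172.16.30.10, Mail02 172.16.3.15 / 172.16.30.15.
# Assumed (placeholder): internal address space 172.16.0.0/16, subnet mask 255.255.255.0.

Import-Module NetworkLoadBalancingClusters
Add-PSSnapin Microsoft.Exchange.Management.PowerShell.E2010 -ErrorAction SilentlyContinue

$ClusterIP   = '172.16.30.30'
$ClusterMask = '255.255.255.0'                   # assumed
$ClusterFqdn = 'mail.smithcons.com'
$InternalIPs = '172.16.0.0/16'                   # assumed; the only sources allowed on the anonymous connector
$Nodes = @(
    @{ Name = 'Mail01'; CorpIP = '172.16.3.10'; NlbIP = '172.16.30.10' },
    @{ Name = 'Mail02'; CorpIP = '172.16.3.15'; NlbIP = '172.16.30.15' }
)

# --- 1. Create the cluster on the NLB NIC and add the second node ---------------
# Unicast is the mode Bill got working in vSphere; Multicast and IgmpMulticast are the alternatives.
New-NlbCluster -InterfaceName 'NLBNetwork' -ClusterPrimaryIP $ClusterIP -SubnetMask $ClusterMask `
               -ClusterName $ClusterFqdn -OperationMode Unicast | Out-Null
Add-NlbClusterNode -NewNodeName 'Mail02' -NewNodeInterface 'NLBNetwork' | Out-Null

function Test-NlbConverged {
    # Returns $true once every node reports Converged; poll rather than sleep blindly.
    param([int]$TimeoutSeconds = 120)
    $deadline = (Get-Date).AddSeconds($TimeoutSeconds)
    do {
        $states = Get-NlbClusterNode | ForEach-Object { $_.State }
        if ($states -and -not ($states | Where-Object { $_ -ne 'Converged' })) { return $true }
        Start-Sleep -Seconds 5
    } while ((Get-Date) -lt $deadline)
    return $false
}
if (-not (Test-NlbConverged)) { throw 'NLB cluster did not converge' }

# --- 2. Replace the default all-ports rule with SMTP only --------------------------
Get-NlbClusterPortRule | Remove-NlbClusterPortRule -Force
Add-NlbClusterPortRule -StartPort 25  -EndPort 25  -Protocol TCP -Affinity None | Out-Null
Add-NlbClusterPortRule -StartPort 587 -EndPort 587 -Protocol TCP -Affinity None | Out-Null   # optional

# --- 3. Receive connectors on each Hub Transport -----------------------------------
foreach ($n in $Nodes) {
    # Default connector: bind only the non-load-balanced addresses and drop anonymous access.
    # Doing this first frees 172.16.30.30:25 so the new connector's binding does not collide.
    Set-ReceiveConnector -Identity "$($n.Name)\Default $($n.Name)" `
        -Bindings "$($n.CorpIP):25", "$($n.NlbIP):25" `
        -PermissionGroups ExchangeUsers, ExchangeServers, ExchangeLegacyServers

    # New connector on the cluster IP for anonymous inbound SMTP from internal sources only.
    New-ReceiveConnector -Name 'Incoming SMTP NLB' -Server $n.Name -Usage Custom `
        -Bindings "$($ClusterIP):25" -RemoteIPRanges $InternalIPs `
        -PermissionGroups AnonymousUsers | Out-Null

    # ms-Exch-SMTP-Accept-Any-Recipient permits relay to any recipient, external included.
    # The RemoteIPRanges restriction above is what keeps this from being an open relay.
    Get-ReceiveConnector "$($n.Name)\Incoming SMTP NLB" |
        Add-ADPermission -User 'NT AUTHORITY\ANONYMOUS LOGON' `
                         -ExtendedRights ms-Exch-SMTP-Accept-Any-Recipient | Out-Null
}

# --- 4. Drainstop this node, confirm the cluster IP still answers on 25, resume ----
Stop-NlbClusterNode -Drain -Timeout 5
$tcp = New-Object System.Net.Sockets.TcpClient
$tcp.Connect($ClusterIP, 25); $smtpUp = $tcp.Connected; $tcp.Close()
Start-NlbClusterNode
"Cluster SMTP reachable on $ClusterIP while Mail01 is drained: $smtpUp"
```

Step 4 is the scripted form of Michael's "drainstop, etc." check: with Mail01 drained, a successful TCP connect to the cluster IP on port 25 proves Mail02 is answering for the cluster. After resuming, repeat it from Mail02 to cover the other direction. If you only want the SMTP part and already have the cluster, delete step 1 and keep the convergence check.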