I needed to install Microsoft Network Load Balancing (NLB) on two Active Directory Domain controllers running Windows Server 2008 R2 SP1 to load balance Active Directory Federation Services AD FS 2.0 on TCP443.
Here is the my setup:
Generally the Network Load Balancing Virtual IP Addresses do not get registered in DNS automatically. However I found out that if Network Load Balancing is installed and configured on a DNS server, both the virtual network adaptor address and dedicated network adaptor address get registered in DNS.
For my two domain controllers QV1-DC1 and QV1-DC2 there were two A records for each... the servers IP address and my virtual NLB address. DNS round robin, which is enabled by default on all Windows DNS servers was distributing at random either the servers IP address or the virtual address.
The problem here is the virtual address was only listening on port 443 meaning no Active Directory queries could reach the domain controller for any hosts who resolved the virtual IP address.
I found a fix which allowed me register the IP addresses I want on each of my servers to DNS, instead of turning of dynamic DNS updates all together. This registry key is:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\DNS\Parameters\PublishAddresses
Now my two domain controllers only register their IP address in DNS, not the NLB Virtual IP.
I found the fix on the following KB Article:
http://support.microsoft.com/kb/246804
Subscribe to:
Post Comments (Atom)
What is the change you made in registry?
ReplyDeleteHe added a string value called publishaddresses with the IP
ReplyDeleteGreat Post....
ReplyDeleteDNS30 Professional Edition provides you an easy interface to interact with Amazon Route 53 service. It is a highly available and scalable DNS web service. Web Interface for the same is also available.
http://www.dns30.com/
Clint,
ReplyDeleteAwesome fix. Just what I was looking for.
But..... I have to ask is this all that you did? I have the exact same scenario. Two DC's that I want to put Fed Services on along with the NLB. I setup the NLB to ignore all but port 443. Because of the fix, the NLB IP is not getting registered in DNS. The issues, once I have the NLB configured and enabled, nothing can authenticate on my domain. DNS, netlogon, time-service and group policy processing all go down on the two DC's. Any suggestions?
Thanks,
Although I haven't tested it myself, I'd venture to say yes. The reason some of your clients are unable to authenticate is because DNS is randomly returning the NLB address to the clients when looking up the domain controllers' IP addresses. So, any client that unluckily received the NLB address in a DNS query reply would be unable to authenticate (because only 443 is allowed through your NLB).
DeleteOpening NLB to all traffic might fix it, but I feel that Clint's fix is a safer bet. The only problem is that you will need to remember to update the key in the event the DC's IP address has changed. It's not a common thing to change DC's IP addresses, but because it's so infrequent and this registry change is so obscure, it could cause a lot of headaches in the future.
This was a huge help with configuring NLB on two of our DCs. Thank you!
ReplyDeleteI had this same issue on my 2012 DCs. I have two Server 2012 domain controllers which also serve as my DNS servers. Installed NLB on them in order to set up Federation Services and everything broke. Logins, replication, group policy. Bunches of issues. Clint's fix works, BUT if you ever need to change the IP address of the DC/DNS server, then you will need to remember to change this registry key too. The fix I found was to go into my DNS Server properties, and choose to only listen for DNS requests on the IP address of the server (uncheck the cluster IP address). As soon as I did that, my duplicate entries went away and everything was good again.
ReplyDelete