Study Material (2008R2)

Contents:
1. FSMO Role Transfer
2. Load balancing

1. FSMO Role Transfer:

What are the considerations for the FSMO placement in Active Directory?
Windows 2000/2003 Active Directory domains utilize a Single Operation Master method called FSMO (Flexible Single Master Operation), as described in Understanding FSMO Roles in Active Directory.
In most cases an administrator can keep the FSMO role holders (all 5 of them) in the same spot (or actually, on the same DC) as has been configured by the Active Directory installation process. However, there are scenarios where an administrator would want to move one or more of the FSMO roles from the default holder DC to a different DC.
Windows Server 2003 Active Directory is a bit different than the Windows 2000 version when dealing with FSMO placement. In this article I will only deal with Windows Server 2003 Active Directory, but you should bear in mind that most considerations are also true when planning Windows 2000 AD FSMO roles.
Single Domain Forest
In a single domain forest, leave all of the FSMO roles on the first domain controller in the forest.
You should also configure all the domain controllers as Global Catalog servers. This will NOT place additional stress on the DCs, while allowing GC-related applications (such as Exchange Server) to easily perform GC queries.
Multiple Domain Forest
In a multiple domain forest, use the following guidelines:
  • In the forest root domain:
    • If all domain controllers are also global catalog servers, leave all of the FSMO roles on the first DC in the forest.
    • If not all domain controllers are global catalog servers, move all of the FSMO roles to a DC that is not a global catalog server.
  • In each child domain, leave the PDC emulator, RID master, and Infrastructure master roles on the first DC in the domain, and ensure that this DC is never designated as a global catalog server (unless the child domain only contains one DC, then you have no choice but to leave it in place).
Configure a standby operations master - For each server that holds one or more operations master roles, make another DC in the same domain available as a standby operations master. Making a DC a standby operations master involves the following actions:
  • The standby operations master should not be a global catalog server except in a single domain environment, where all domain controllers are also global catalog servers.
  • The standby operations master should have a manually created replication connection to the domain controller that it is the standby operations master for, and it should be in the same site.
  • Configure the RID master as a direct replication partner with the standby or backup RID master. This configuration reduces the risk of losing data when you seize the role because it minimizes replication latency.
To create a connection object on the current operations master:
  1. In the Active Directory Sites and Services snap-in, in the console tree in the left pane, expand the Sites folder to see the list of available sites.
  2. Expand the site name in which the current role holder is located to display the Servers folder.
  3. Expand the Servers folder to see a list of the servers in that site.
  4. Expand the name of the server that is currently hosting the operations master role to display NTDS Settings.
  5. Right-click NTDS Settings, click New, and then click Connection.
  6. In the Find Domain Controllers dialog box, select the name of the standby operations master, and then click OK.
  7. In the New Object-Connection dialog box, enter an appropriate name for the connection object or accept the default name and click OK.
To create a connection object on the standby operations master, perform the same procedure as above, pointing the connection to the current FSMO role holder.
Note regarding Windows 2000 Active Directory domains: If the forest is set to a functional level of Windows 2000 native, you must locate the domain naming master on a server that hosts the global catalog. If the forest is set to a functional level of Windows Server 2003, it is not necessary for the domain naming master to be on a global catalog server.
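The placement rules above (no Infrastructure master on a GC in a multi-domain forest, a standby in the same site with a direct replication connection from the RID master) can be checked from PowerShell before a role is moved. The following script is an added example written for these notes; it is not from the article or from Microsoft. It assumes the Active Directory module that ships with Windows Server 2008 R2, a Domain Admin account (Enterprise Admin is needed for the two forest-wide roles), and a hypothetical standby DC named DC2. The attribute name fromServer on nTDSConnection objects and the NTDSSettingsObjectDN property of Get-ADDomainController are used as documented for that module.

```powershell
# Added example: audit FSMO placement against the guidelines in these notes and,
# once the checks pass, transfer a role to the standby DC. Not part of the original notes.
Import-Module ActiveDirectory

$forest = Get-ADForest
$domain = Get-ADDomain

# 1. Report where the five roles live today (forest roles come from Get-ADForest,
#    domain roles from Get-ADDomain).
$roles = @(
    @('Schema master',         $forest.SchemaMaster),
    @('Domain naming master',  $forest.DomainNamingMaster),
    @('PDC emulator',          $domain.PDCEmulator),
    @('RID master',            $domain.RIDMaster),
    @('Infrastructure master', $domain.InfrastructureMaster)
)
foreach ($r in $roles) { '{0,-22} {1}' -f $r[0], $r[1] }

# 2. Infrastructure master vs. global catalog: only a problem when the forest has
#    more than one domain and not every DC in this domain is a GC.
$dcs     = Get-ADDomainController -Filter *
$allGc   = (@($dcs | Where-Object { -not $_.IsGlobalCatalog })).Count -eq 0
$infraDc = Get-ADDomainController -Identity $domain.InfrastructureMaster
if ($forest.Domains.Count -gt 1 -and $infraDc.IsGlobalCatalog -and -not $allGc) {
    Write-Warning ("Infrastructure master {0} is a GC in a multi-domain forest where not every DC is a GC; move the role." -f $infraDc.HostName)
}

# 3. Standby operations master checks for the RID master.
$standbyName = 'DC2'                     # ASSUMPTION: hypothetical standby DC name
$standby = Get-ADDomainController -Identity $standbyName
$ridDc   = Get-ADDomainController -Identity $domain.RIDMaster

if ($standby.Site -ne $ridDc.Site) {
    Write-Warning "Standby $standbyName is in site $($standby.Site), RID master is in $($ridDc.Site); they should share a site."
}
if ($standby.IsGlobalCatalog -and -not $allGc) {
    Write-Warning "Standby $standbyName is a GC, but not every DC is; the standby should not be a GC here."
}

# Inbound connection objects live under the standby's NTDS Settings object; fromServer
# holds the DN of the source DC's NTDS Settings. A direct link from the RID master keeps
# replication latency low, which limits data loss if the role ever has to be seized.
$inbound = Get-ADObject -SearchBase $standby.NTDSSettingsObjectDN `
                        -LDAPFilter '(objectClass=nTDSConnection)' -Properties fromServer
$direct  = $inbound | Where-Object { $_.fromServer -eq $ridDc.NTDSSettingsObjectDN }
if (-not $direct) {
    Write-Warning "No direct replication connection from $($ridDc.HostName) to $standbyName; create one in AD Sites and Services as described above."
} else {
    "Direct replication connection from RID master to $standbyName is present."
}

# 4. Transfer (not seize) the RID master to the standby once the checks are clean.
#    Move-ADDirectoryServerOperationMasterRole transfers while the current holder is
#    online; adding -Force seizes the role and is only for a holder that is gone for good.
$doTransfer = $false                     # flip to $true after reviewing the warnings above
if ($doTransfer) {
    Move-ADDirectoryServerOperationMasterRole -Identity $standbyName -OperationMasterRole RIDMaster -Confirm:$false
}
```

The script is read-only until $doTransfer is set; running it on a schedule and alerting on the warnings is a cheap way to catch a DC that was promoted to GC after the roles were placed.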

Server performance and availability
Most FSMO roles require that the domain controller that holds the roles be:
Highly available server - FSMO functions require that the FSMO role holder is highly available at all times. A highly available DC is one that uses computer hardware that enables it to remain operational even during a hardware failure. For example, having a RAID1 or RAID5 configuration enables the server to keep running even if one hard disk fails.
Although most FSMO losses can be dealt with within a matter of hours (or even days in some cases), some FSMO roles, such as the PDC Emulator role, should never be offline for more than a few minutes at a time.
What will happen if you keep a FSMO role offline for a long period of time? The loss implications for each FSMO role:
  • Schema: The schema cannot be extended. However, in the short term no one will notice a missing Schema Master unless you plan a schema upgrade during that time.
  • Domain Naming: Unless you are going to run DCPROMO, you will not miss this FSMO role.
  • RID: Chances are good that the existing DCs will have enough unused RIDs to last some time, unless you're building hundreds of user or computer objects per week.
  • PDC Emulator: Will be missed soon. NT 4.0 BDCs will not be able to replicate, there will be no time synchronization in the domain, you will probably not be able to change or troubleshoot group policies, and password changes will become a problem.
  • Infrastructure: Group memberships may be incomplete. If you only have one domain, then there will be no impact.
Not necessarily high capacity server - A high-capacity domain controller is one that has comparatively higher processing power than other domain controllers to accommodate the additional work load of holding the operations master role. It has a faster CPU and possibly additional memory and network bandwidth. FSMO roles usually do not place stress on the server's hardware.
One exception is the performance of the PDC Emulator, mainly when used in Windows 2000 Mixed mode along with old NT 4.0 BDCs. That is why you should:
  • Increase the DC's processing power.
  • Do not make the DC a global catalog server.
  • Reduce the priority and the weight of the service (SRV) record in DNS to give preference for authentication to other domain controllers in the site.
  • Do not require that the standby domain controller be a direct replication partner (Seizing the PDC emulator role does not result in lost data, so there is no need to reduce replication latency for a seize operation).
  • Centrally locate this DC near the majority of the domain users.
2. Configure Network Load Balancing:

Configure Network Load Balancing Parameters
To configure Network Load Balancing parameters, you must configure the cluster parameters, host parameters, and port rules.

For additional information about how to set up TCP/IP for Network Load Balancing, click the article number below to view the article in the Microsoft Knowledge Base:
323431 How To Set Up TCP/IP for Network Load Balancing in Windows Server 2003
Configure Cluster Parameters
  1. Click Start, click Control Panel, and then double-click Network Connections.
  2. Right-click Local Area Connection, and then click Properties.
  3. In the Local Area Connection Properties dialog box, click to select the Network Load Balancing check box, and then click Properties.
  4. Click the Cluster Parameters tab, and then type values in the IP address, Subnet mask, and Full Internet name boxes.
  5. Under Cluster operation mode, click Multicast to specify whether a multicast media access control address is used for cluster operations. If you select this option, Network Load Balancing converts the cluster network address into a multicast address when this is needed. It also makes sure that the cluster Internet Protocol (IP) addresses resolve to this multicast address as part of the Address Resolution Protocol (ARP). The network adapter to which the Network Load Balancing driver is bound retains its original media access control address. For more information, see the "Network Load Balancing clusters" Windows Server 2003 Help and Support Center topic.
  6. Click to select the Allow remote control check box to turn on remote-control operations. Type the password in the Remote password and Confirm password boxes.
WARNING: The Network Load Balancing remote control option presents many security risks. Microsoft recommends that you do not turn on remote control and instead use Network Load Balancing Manager or other remote management tools such as Windows Management Instrumentation (WMI).

For additional information about the use of Remote Control in Network Load Balancing, see the "Network Load Balancing parameters: Network Load Balancing Clusters" Windows Server 2003 Help and Support Center topic.


Configure Host Parameters
  1. Click Start, click Control Panel, and then double-click Network Connections.
  2. Right-click Local Area Connection, and then click Properties.
  3. In the Local Area Connection Properties dialog box, click Network Load Balancing, and then click Properties.
  4. Click the Host Parameters tab.
  5. Type a value in the Priority (Unique host identifier) box.
  6. Under Dedicated IP configuration, type values in the IP address and Subnet mask boxes.
  7. Under Initial host state, specify the host state with regard to the Network Load Balancing cluster when Windows is started.
IMPORTANT: You may have a problem if you are working from a computer that has a single network adapter that is bound to Network Load Balancing in Unicast mode. You cannot use Network Load Balancing Manager on this computer to configure and manage other hosts because a single network adapter in Unicast mode cannot have intra-host communication. However, you can communicate with computers that are outside the cluster.

To make sure that Network Load Balancing Manager is displaying the most recent host information, right-click the cluster, and then click Refresh. You must do so because the host properties that Network Load Balancing Manager displays are a copy of the host properties that were configured the last time Network Load Balancing Manager connected to that host. When you click Refresh, Network Load Balancing Manager reconnects to the cluster and displays updated information.

NOTE: You can also open the Network Load Balancing Properties dialog box through the Network Connections tool. However, Network Load Balancing Manager is the preferred method. If you use the Network Connections tool, you must make the same configuration changes on every cluster host. Using both Network Load Balancing Manager and the Network Connections tool together to change Network Load Balancing properties may create unpredictable results.

The parameters that are set in the Network Load Balancing Properties dialog box are recorded in the registry on each host. Changes to Network Load Balancing parameters are applied when you click OK in the Network Load Balancing Properties dialog box. Clicking OK stops Network Load Balancing (if it is running), reloads the parameters, and then restarts cluster operations.


Configure Port Rules
Before you continue, review the "Port Rules" section of the "Checklist: Enabling and configuring Network Load Balancing" Windows Server 2003 Help and Support Center topic. Without a complete understanding of the topics that are addressed in this section, you cannot properly configure port rules.

Configuring port rules includes the creation, editing, and removal of port rules.

To create port rules:
  1. Click Start, click Control Panel, and then double-click Network Connections.
  2. Right-click Local Area Connection, and then click Properties.
  3. In the Local Area Connection Properties dialog box, click Network Load Balancing, and then click Properties.
  4. Click the Port Rules tab, and then click ADD.
  5. Type values for the Port range, Protocols, Filtering mode, Affinity, Load weight, and Handling priority boxes by using information from the installation checklist.
  6. Click OK.
To edit port rules:
  1. Click Start, click Control Panel, and then double-click Network Connections.
  2. Right-click Local Area Connection, and then click Properties.
  3. In the Local Area Connection Properties dialog box, click Network Load Balancing, and then click Properties.
  4. Click the Port Rules tab.
  5. In the list of rules, double-click the rule to display the rule's parameters in the Configuration area above the list of rules.
  6. Modify the Port range, Protocols, and Filtering mode parameters as necessary.
  7. Click OK.
To remove port rules:
  1. Click Start, click Control Panel, and then double-click Network Connections.
  2. Right-click Local Area Connection, and then click Properties.
  3. In the Local Area Connection Properties dialog box, click Network Load Balancing, and then click Properties.
  4. Click the Port Rules tab, click the rule that you want to remove, and then click Remove.
IMPORTANT: The number and type of rules must be exactly the same for each host in the cluster. You can make sure of this by using Network Load Balancing Manager to configure port rules (see the second note below). If you are using Network Load Balancing Manager, when you add additional hosts, they automatically inherit the cluster port rules from the initial host.

If a host tries to join the cluster with a different number of rules, or with different rules from the other hosts, it is not accepted as part of the cluster. The rest of the cluster then continues to handle the traffic as before. At the same time, a message is entered into the Windows event log. When this occurs, see the Event log to determine which host is in conflict with the other cluster hosts, resolve the conflict, and then restart Network Load Balancing on that host.

To allow Network Load Balancing to properly handle IP fragments, avoid using None when you select UDP or Both for your protocol setting.

NOTE: When you are using Network Load Balancing Manager, you must be a member of the Administrators group on the host that you are configuring, or you must have been delegated the appropriate authority. As a security best practice, consider using "Run as" to perform this procedure. If you are configuring a cluster or host by running Network Load Balancing Manager from a computer that is not part of the cluster, you do not have to be a member of the Administrators group on that computer.

If all your hosts are running a product in Windows Server 2003, you can specify port rules to apply to only specific IP addresses. This is useful when you create virtual clusters. If you are not running Windows Server 2003, you must apply the port rules to all IP addresses. For more information about virtual clusters, see "Understanding Virtual Clusters".

The list of all currently installed port rules is sorted by port range.
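Because a host whose port rules differ from the rest of the cluster is refused and only an event log entry records why, it is worth comparing the rules on every host before a join fails. The script below is an added example for these notes, not code from the Knowledge Base. It assumes the NetworkLoadBalancingClusters PowerShell module from Windows Server 2008 R2, an account that is a local administrator on each cluster host, and the property names StartPort, EndPort, Protocol, Mode, Affinity and IP on the objects returned by Get-NlbClusterPortRule (they mirror the parameters of Add-NlbClusterPortRule). The remote control check reads the RemoteControlEnabled property of the MicrosoftNLB_ClusterSetting WMI class, which is assumed here; the event source name WLBS is the one NLB writes to the System log.

```powershell
# Added example: check port-rule consistency across an NLB cluster, confirm the
# remote control option is off, and pull the NLB events that explain a refused host.
Import-Module NetworkLoadBalancingClusters

function Get-RuleSignature {
    # Reduce one port rule to the fields that must match on every host.
    param($Rule)
    '{0}-{1}/{2}/{3}/{4}/{5}' -f $Rule.StartPort, $Rule.EndPort, $Rule.Protocol,
                                 $Rule.Mode, $Rule.Affinity, $Rule.IP
}

function Test-NlbPortRuleConsistency {
    param([string]$ClusterHost)        # any host that is already in the cluster
    $nodes = Get-NlbClusterNode -HostName $ClusterHost
    $reference = $null
    $referenceNode = $null
    $mismatched = @()
    foreach ($node in $nodes) {
        # Sort so that rule order on disk does not produce a false mismatch.
        $sig = (Get-NlbClusterPortRule -HostName $node.Name |
                ForEach-Object { Get-RuleSignature $_ } | Sort-Object) -join ';'
        if ($reference -eq $null) { $reference = $sig; $referenceNode = $node.Name; continue }
        if ($sig -ne $reference) { $mismatched += $node.Name }
    }
    if ($mismatched.Count -gt 0) {
        Write-Warning ("Port rules on {0} differ from {1}; fix them in NLB Manager and restart NLB on those hosts." -f ($mismatched -join ', '), $referenceNode)
    } else {
        "All $($nodes.Count) hosts carry identical port rules."
    }
}

function Test-NlbRemoteControl {
    param([string]$ClusterHost)
    # ASSUMPTION: MicrosoftNLB_ClusterSetting exposes RemoteControlEnabled.
    $settings = Get-WmiObject -Namespace 'root\MicrosoftNLB' -Class MicrosoftNLB_ClusterSetting -ComputerName $ClusterHost
    foreach ($s in $settings) {
        if ($s.RemoteControlEnabled) {
            Write-Warning "Remote control is enabled on $ClusterHost; manage the cluster with NLB Manager or WMI instead and disable it."
        } else {
            "Remote control is disabled on $ClusterHost."
        }
    }
}

function Get-NlbRecentEvents {
    # NLB logs under the legacy source name WLBS in the System log; the most recent
    # entries name the host that failed to converge and why.
    param([string]$ClusterHost, [int]$Newest = 20)
    Get-EventLog -LogName System -Source WLBS -Newest $Newest -ComputerName $ClusterHost |
        Select-Object TimeGenerated, EntryType, EventID, Message
}

# Usage (nlbnode1 is a hypothetical host name):
Test-NlbPortRuleConsistency -ClusterHost 'nlbnode1'
Test-NlbRemoteControl       -ClusterHost 'nlbnode1'
Get-NlbRecentEvents         -ClusterHost 'nlbnode1' | Format-Table -AutoSize
```

Comparing a sorted signature rather than rule counts catches the case the notes describe where the number of rules matches but a port range or affinity differs on one host.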


Enable Multicast Support
  1. To start Network Load Balancing Manager, type nlbmgr at a command prompt, and then press ENTER.
  2. If Network Load Balancing Manager does not already list the cluster, connect to the cluster.
  3. Right-click the cluster, and then click Cluster Properties.
  4. On the Cluster Parameters tab, in Cluster operation mode, click Multicast. If appropriate, you can also enable Internet Group Management Protocol (IGMP) support by clicking to select the IGMP multicast check box.

You can only enable IGMP support when your cluster is configured for multicast mode. If you enable IGMP support, the permitted multicast IP address is restricted to the standard class D range. This is 224.0.0.0 to 239.255.255.255.


Enable Internet Group Management Protocol (IGMP) Support
  1. To start Network Load Balancing Manager, type nlbmgr at a command prompt, and then press ENTER.
  2. If Network Load Balancing Manager does not already list the cluster, connect to the cluster.
  3. Right-click the cluster, and then click Cluster Properties.
  4. On the Cluster Parameters tab, click to select the IGMP multicast check box to enable IGMP support on all the hosts in the cluster.


Manage Existing Clusters from Network Load Balancing Manager by Using a Host List
  • From the Windows interface:
    1. To start Network Load Balancing Manager, type nlbmgr at a command prompt, and then press ENTER.
    2. On the File menu, click Load Host List.
    3. Locate your host list text file, click it, and then click Open.

      For security reasons, make sure that only users in the local Administrators group have access to the host list file.

      The host list text file is a text file that you create by using Notepad or any other similar tool. The file must list the name of each host. Each host name must be separated by a line break. You can include comments in the host list by preceding the comment with a semicolon (;).

      You can use this procedure to connect to multiple hosts and all Network Load Balancing clusters on those hosts. The clusters and hosts are then displayed in Network Load Balancing Manager. This is particularly useful when a host's Network Load Balancing network adapter is having connectivity problems, but another network adapter is available on that host. You can also use this procedure to detect and diagnose problems such as cluster hosts that are converging separately.
  • At a command prompt:
    1. Click Start, point to All Programs, point to Accessories, and then click Command Prompt.
    2. At the command prompt, type nlbmgr /hostlist host-list, and then press ENTER, where host-list is the fully qualified path to a text file that you create using Notepad or any other similar tool. The file must list the name of each host. Each host name must be separated by a line break.
IMPORTANT: For security reasons, make sure that only users in the local Administrators group have access to the host list file.

NOTE: To run Nlb.exe from a remote computer, you must enable remote control on the host that is running Network Load Balancing. The Network Load Balancing remote control option presents many security risks. Only use remote control on a secure computer inside your firewall. Because of the many security risks remote control presents, Microsoft recommends that you do not enable the remote control feature. Instead, use other remote management tools such as Network Load Balancing Manager or Windows Management Instrumentation (WMI).

When you are using Nlb.exe, you must be a member of the Administrators group on the host that you are configuring, or you must have been delegated the appropriate authority. As a security best practice, consider using "Run as" to perform this procedure. If you are configuring a cluster or host by running Nlb.exe from a computer that is not part of the cluster, you do not have to be a member of the Administrators group on that computer.

To view the complete syntax for this command, type nlbmgr /help at a command prompt, and then press ENTER.

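The host list is a plain text file (one host name per line, comments introduced by a semicolon) that the notes say only local Administrators should be able to read. The script below, an added example rather than code from the Knowledge Base, builds such a file, strips inherited permissions so that only BUILTIN\Administrators and SYSTEM keep access, verifies the resulting ACL, and then launches Network Load Balancing Manager with the documented nlbmgr /hostlist switch. The file location and the host names are constructed for the example.

```powershell
# Added example: create an NLB Manager host list, lock its ACL down to local
# Administrators, verify the ACL, and open it with nlbmgr /hostlist.
$hostListPath = Join-Path $env:ProgramData 'NlbManager\hosts.txt'   # ASSUMPTION: chosen location
New-Item -ItemType Directory -Path (Split-Path $hostListPath) -Force | Out-Null

# Constructed host list: one host name per line, comments start with a semicolon.
$hostList = @'
; NLB hosts managed from this workstation (hypothetical names)
nlbnode1.example.local
nlbnode2.example.local
'@
Set-Content -Path $hostListPath -Value $hostList -Encoding ASCII

# Remove inherited ACEs and grant access only to Administrators and SYSTEM.
icacls $hostListPath /inheritance:r `
       /grant:r 'BUILTIN\Administrators:(F)' 'NT AUTHORITY\SYSTEM:(F)' | Out-Null

function Test-HostListAcl {
    # Return $true when every ACE on the file belongs to an allowed identity.
    param([string]$Path)
    $allowed = @('BUILTIN\Administrators', 'NT AUTHORITY\SYSTEM')
    $extra = (Get-Acl $Path).Access |
             Where-Object { $allowed -notcontains $_.IdentityReference.Value }
    if ($extra) {
        Write-Warning ("Host list {0} is readable by: {1}" -f $Path, (($extra | ForEach-Object { $_.IdentityReference.Value }) -join ', '))
        return $false
    }
    return $true
}

if (Test-HostListAcl -Path $hostListPath) {
    # Same as File > Load Host List in the GUI, but scriptable.
    Start-Process -FilePath 'nlbmgr' -ArgumentList ('/hostlist "{0}"' -f $hostListPath)
}
```

Checking the ACL after icacls rather than trusting the exit code catches a file that already had explicit ACEs for other users, which /inheritance:r alone would not remove.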


Troubleshooting
The number and type of rules must be exactly the same for each host in the cluster. If a host tries to join the cluster with a different number of rules from the other hosts, it is not accepted as part of the cluster, and the rest of the cluster continues to handle the traffic as before. At the same time, a message is logged in the Windows Event log. If this occurs, view the Event log to determine which host is in conflict with the other cluster hosts, resolve the conflict, and then restart Network Load Balancing on that host.

You must also add the cluster IP address or addresses to the TCP/IP settings of the local area connection:
  1. Click Start, click Control Panel, and then double-click Network Connections.
  2. Right-click Local Area Connection, and then click Properties.
  3. In the Local Area Connection Properties dialog box, click Internet Protocol, and then click Properties.
  4. Click Advanced.
  5. Click ADD.
  6. Add the cluster IP and subnet mask addresses.
  7. Confirm your changes.

