Better Networking, More NetGains: How Server 2012 Can Be Your Director of Protocol
Mark Minasi, [email protected], @mminasi on twitter

MDC0B365

Topics
• New PowerShell tools
• NIC teaming
• IP Address Manager (IPAM)
• DHCP failover

New PowerShell Tools
just a few examples and pointers

• Rename-NetAdapter -Name Ethernet -NewName "HyperVInternal1"
• New-NetIPAddress -InterfaceAlias "Ethernet" -IPAddress "10.1.1.1" -PrefixLength 24 -DefaultGateway 10.1.1.1
• Get-NetAdapter | Where {$_.LinkSpeed -eq "10 Gbps"}
• Disable-NetAdapter Ethernet1
• Set-NetAdapter Ethernet -MacAddress "00-FF-AA-CC-EE-11-22"

Seeing Everything PoSH Sees
• Try out Get-NetAdapter
• Nice basic info
• But add "| select * | ogv" and see the difference:
  Get-NetAdapter NIC2ISP | select *
  Get-NetAdapter | select * | ogv
• A whole heck of a lot more info
• Works for most PowerShell cmdlets
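As an added example (not from the deck), here is the "select *" idea narrowed to the handful of adapter properties worth watching. The objects Get-NetAdapter returns carry both MacAddress (the effective address, with dashes) and PermanentAddress (the burned-in address, without dashes), so a Set-NetAdapter -MacAddress override of the kind shown on the previous slide can be spotted by comparing the two. The function name and the LinkSpeed filter string are this example's own choices.

```powershell
# Added example, not from the deck: an adapter audit built on Get-NetAdapter.
# PermanentAddress and MacAddress are real properties of the MSFT_NetAdapter
# objects Get-NetAdapter returns; the function name is this example's own.
function Get-NetAdapterAudit {
    [CmdletBinding()]
    param(
        # Optional filter, e.g. "10 Gbps", the same test the slide runs with Where
        [string]$LinkSpeed
    )
    $adapters = Get-NetAdapter -ErrorAction Stop
    if ($LinkSpeed) {
        $adapters = $adapters | Where-Object { $_.LinkSpeed -eq $LinkSpeed }
    }
    foreach ($a in $adapters) {
        # Normalise both MAC forms to bare upper-case hex so they compare cleanly.
        $effective = ($a.MacAddress -replace '[-:]', '').ToUpper()
        $burnedIn  = ($a.PermanentAddress -replace '[-:]', '').ToUpper()
        [pscustomobject]@{
            Name          = $a.Name
            Description   = $a.InterfaceDescription
            Status        = $a.Status
            LinkSpeed     = $a.LinkSpeed
            MacAddress    = $a.MacAddress
            PermanentMac  = $a.PermanentAddress
            # True when the effective MAC no longer matches the hardware address,
            # which is what a Set-NetAdapter -MacAddress override produces.
            # Virtual adapters report no PermanentAddress and are skipped.
            MacOverridden = ($burnedIn -ne '' -and $effective -ne $burnedIn)
        }
    }
}

# Usage: the full table, then only adapters whose MAC was changed in software.
Get-NetAdapterAudit | Format-Table -AutoSize
Get-NetAdapterAudit | Where-Object MacOverridden
```

The second usage line is the one to keep in a baseline script: an adapter that flips to MacOverridden between two runs is a configuration change someone should be able to account for.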

RDMA Support
• Class of NICs that run IP-ish protocols that aren't routed -- goal is inexpensive high speeds
• Examples: Intel NetEffect, Mellanox ConnectX-3
• Run non-IP protocols: Infiniband, RoCE, iWARP
• As they are offload boards (like chimneys or receive side scaling), they use very little CPU
• Some are quite fast, up to 56 gigabits per second
• Windows now lets you run SMB atop them, enabling some very fast access to file shares that now act as shared storage for clusters
• MS sees these as essential in building scale-out file server clusters

NIC Teaming

(Known to its friends as "load balancing and failover" or LBFO)

Things to Know About LBFO
• What will it offer you?
• How it offers failover
• How it offers bandwidth aggregation
• Tell LBFO about your network switches
• Tell LBFO if Hyper-V's involved
• How to set up asymmetric "active/passive" failover
• Creating a team with GUI and PowerShell
• What it looks like when created

What it Does
• Take (for example) three NICs on your system, each with names and IP addresses
• Make them (in software) one NIC, one name, one IP address
• Benefits:
  • Three times as much outbound bandwidth in many cases
  • With the right switches, three times the inbound bandwidth
  • If a NIC/switch fails, no problem… failover
• Real value propositions:
  • Lets you get a little more performance out of an existing and unused NIC
  • Lets you team NICs from different vendors
  • Works even without teaming-aware switches

NIC Teaming
• Load Balance and Failover (LBFO) is another phrase, if you're Googling Binging searching the Web
• Can use any NICs or combination of NICs
• Can mix speeds but don't unless you're going "active/standby" (more on that soon…)
• Can not use RDMA boards, SR-IOV, TCP chimney boards
• Up to 32 NICs on a team
• Configure and control in either Server Manager or PowerShell
• Let's examine the benefits in more detail…

Benefits: How Failover Works
• Suppose one of my three NICs dies; teaming could help if…
  • It's UDP and the packet already went over another NIC – no trouble
  • It's TCP and went over another NIC… no problem
  • It's TCP and it went over the bad NIC… TCP will automatically retry and knows about dead NICs, so the data gets there via the retry
  • It's UDP and the packet went over the bad NIC… depends on the protocol
• Notice that none of this involves intelligence on the team's part… there are no new magic protocols that both sides must understand

Benefits: How Bandwidth Aggregation Works
• LBFO does not spread a single TCP conversation across NICs
• TCP, one conversation: doesn't help at all
• TCP, multiple conversations: each conversation gets a NIC
• UDP, a single packet: not at all
• UDP, multiple packets: they'll end up spread across NICs (e.g. 1000 DNS requests, 333/NIC)
• Again, no new magic protocols, this really just exploits existing TCP and UDP characteristics

Switches Affect Bandwidth Benefits
• Outbound communications are spread across NICs
• Inbound comms go to just one NIC, unless you have switches that are "teaming-smart"… but even with "dumb switches," inbound failover works
• With "smart switches," all inbound traffic gets spread amongst the NICs according to the switch's load distribution algorithm
• Thus, part of LBFO configuration requires telling the team what kind of switch you've got

Teaming Options
• To get a team to work, you've got to tell it three things:
  • What kind of switches do you have? ("Teaming mode")
  • How shall I distribute outbound comms between the NICs? ("Load balancing")
  • Do you want to use one or more NICs only in the case of emergency? ("Active/Standby" configs)
• Let's decode them…

"Teaming Mode"
"so, tell me about your network switches…"
• Switch independent:
  • Allows connection to multiple switches – if multiple switches, then "switch independent"
  • Doesn't require (or employ abilities of) a teaming-smart switch; the server does the work
  • This will always work, even if it's not optimally efficient, so if in doubt you can't go wrong with this one
• Switch-dependent:
  • "Static": teaming-smart switches… require configuration on the switch
  • LACP (Link Aggregation Control Protocol): "dynamic" teaming-smart switches… usually no configuration required

"Load Balancing" Options
how shall I spread outbound communications between NICs?
• This basically exists to maximize team throughput on a Hyper-V system
• Normally you wouldn't create LBFO teams in a Hyper-V VM unless you're teaming two physical NICs that have been SR-IOV-ed to a VM (or to demonstrate NIC teaming for a class or something)
• So by default, use option "Address Hash"
• But if a VM is teaming two or more SR-IOV NICs, use option "Hyper-V switch"
• Or if you are teaming two virtual NICs, use "Hyper-V switch"

Active or Standby
usually active, but standby might make sense sometimes
• Can set both NICs to active, that's the default
• Or if you just want a NIC to be active on failure, set it to Standby
• Why do that? Well, consider teaming NICs of different speeds
• Possible, but not supported
• The problem is that the team doesn't understand the different speeds and so a 1 GB NIC will get as much traffic as a 10 GB NIC
• Standby, however, might make it sensible!

PoSH NIC Teaming
• New-NetLbfoTeam -Name MyNicTeam -TeamMembers Internal1,Internal2 -Confirm:$false
• Options:
  • -TeamingMode = SwitchIndependent, Static, Lacp
  • -LoadBalancingAlgorithm = TransportPorts, IPAddresses, MacAddresses, HyperVPort
• Get-NetLbfoTeam, Set-NetLbfoTeam, Remove-NetLbfoTeam exist as well

Team Building with PowerShell

Seeing a Team with PowerShell

What You'll See After Teaming
• The NICs that existed separately no longer exist on the network
• They do not respond to their IP addresses
• You must apply IP addresses to the new teamed NICs (or of course they can get addresses from DHCP)
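The following is an added example, not the deck's own code, that strings the PoSH NIC Teaming, Active or Standby and What You'll See After Teaming slides into one script: it builds the team with the teaming mode and load-balancing algorithm stated explicitly, demotes one member to standby for the asymmetric case, shows what Get-NetLbfoTeam and Get-NetLbfoTeamMember report, and then gives the new team NIC the address the old member NICs no longer answer on. The adapter names Internal1/Internal2, the team name and the 10.1.1.0/24 addressing are assumed sample values.

```powershell
# Added example, not from the deck. Assumed names: Internal1, Internal2, MyNicTeam,
# and the 10.1.1.0/24 subnet. Run elevated on the Server 2012 host.
$teamName = 'MyNicTeam'
$members  = 'Internal1', 'Internal2'

# Both members must exist and be up before they can be teamed.
foreach ($m in $members) {
    $nic = Get-NetAdapter -Name $m -ErrorAction Stop
    if ($nic.Status -ne 'Up') { throw "Adapter $($nic.Name) is $($nic.Status), not Up" }
}

# SwitchIndependent works with any switch (the slide's "can't go wrong" choice);
# TransportPorts is the address-hash option, the normal pick on a physical host.
New-NetLbfoTeam -Name $teamName -TeamMembers $members `
    -TeamingMode SwitchIndependent -LoadBalancingAlgorithm TransportPorts `
    -Confirm:$false | Out-Null

# Asymmetric active/standby: Internal2 only carries traffic if Internal1 fails.
Set-NetLbfoTeamMember -Name 'Internal2' -Team $teamName `
    -AdministrativeMode Standby -Confirm:$false

# What the "seeing a team" slide shows: team status plus each member's state.
Get-NetLbfoTeam -Name $teamName |
    Format-List Name, TeamingMode, LoadBalancingAlgorithm, Status
Get-NetLbfoTeamMember -Team $teamName |
    Format-Table Name, AdministrativeMode, OperationalStatus, TransmitLinkSpeed -AutoSize

# The member NICs no longer answer on their old addresses; the team NIC (named
# after the team unless -TeamNicName was given) needs an address of its own.
New-NetIPAddress -InterfaceAlias $teamName -IPAddress 10.1.1.10 `
    -PrefixLength 24 -DefaultGateway 10.1.1.1
```

If the switch ports are configured for LACP, change -TeamingMode to Lacp; with Static, the switch side has to be configured to match before the team's Status reaches Up.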

Two Versions of the Truth

One More Thing…
• If you want to know more, there is a very in-depth, great white paper on the Microsoft site
• Just search on "Windows Server 2012 NIC Teaming (LBFO) Deployment and Management" with the quotes and you'll find it
• Quite good, may take a couple of reads but it is worth it

IP Address Management (IPAM)
• Provides a way to track static v4 and v6 addresses
• Does it by talking to AD, DNS, NPS, DHCP
• Shouldn't run on a DHCP server
• Is a "feature," not a role

IPAM
• Collects (or can be told) information on:
  • Static v4, v6 ranges
  • DNS servers and zones
  • DHCP servers and scopes
  • NPS (quarantine) servers and policies
• Basically it beats the spreadsheets we use to keep track of "DNS1 has IP address 10.2.1.2" sort of stuff
• Expect to see much more functionality in future releases of Server

Prep the Servers for Scanning
"provisioning" servers, in IPAM-speak
• Need to loosen security for IPAM scan
• Done with three GPOs; one for DNS, one for NPS/DCs, one for DHCP
• Granting the IPAM server access to things like remote administration, remote registry, permission to read the DNS Server service etc
• Must have the same prefix and be suffixed _DNS, _DC_NPS, and _DHCP
• Then apply those policies to the NPS, DNS and DHCP servers

Always choose this! (callout on the provisioning wizard screenshot)

Then Put it to Work
• Create GPOs or Invoke-IpamGpoProvisioning -Domain bigfirm.com -GpoPrefixName PamGPOs -IpamServerFqdn pamserver.bigfirm.com -Force
• Identify the domain(s) managed
• Discover servers
• Choose servers to manage
• Get the data

The keys to troubleshooting IPAM are:
- Use the PowerShell command to create the policies and keep track of the prefix you picked
- Double-check that it LINKED the policies to the domain
- Run gpupdate /force and run RSOPs to ensure that (1) the policies didn't hit a snag and, again, (2) the policies are actually linked and error-free (no Sysvol mismatches)
- If it breaks, just delete the policies, remove the IPAM feature, and try again… the wizard's pretty helpful
- Never give up. Never surrender. Once you're sure the policies are in place, re-run discovery, and you will triumph!
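As an added example (not from the deck), the provisioning command from the Then Put it to Work slide followed by the troubleshooting list turned into checks: do the three GPOs exist, are they linked at the domain root, do their AD and SYSVOL version numbers agree, and a policy refresh plus RSoP report from one managed server. The domain, prefix and IPAM server FQDN are the slide's sample values; the managed server name dns1.bigfirm.com is assumed, and the GroupPolicy module (Get-GPO, Get-GPInheritance, Invoke-GPUpdate, Get-GPResultantSetOfPolicy) must be installed on the machine running this.

```powershell
# Added example, not from the deck. Sample values from the slide plus an assumed
# managed server (dns1.bigfirm.com). Requires the GroupPolicy and IpamServer modules.
Import-Module GroupPolicy -ErrorAction Stop

$domain   = 'bigfirm.com'
$prefix   = 'PamGPOs'
$ipamFqdn = 'pamserver.bigfirm.com'

# Creates <prefix>_DNS, <prefix>_DC_NPS and <prefix>_DHCP and links them to the domain.
Invoke-IpamGpoProvisioning -Domain $domain -GpoPrefixName $prefix -IpamServerFqdn $ipamFqdn -Force

# Check 1: all three GPOs exist under the prefix you picked.
$expected = '_DNS', '_DC_NPS', '_DHCP' | ForEach-Object { "$prefix$_" }
$missing  = $expected | Where-Object { -not (Get-GPO -Name $_ -Domain $domain -ErrorAction SilentlyContinue) }
if ($missing) { throw "GPOs not created: $($missing -join ', ')" }

# Check 2: they are actually LINKED (and enabled) at the domain root.
$domainDn = 'DC=' + (($domain -split '\.') -join ',DC=')
$linked   = (Get-GPInheritance -Target $domainDn -Domain $domain).GpoLinks |
            Where-Object Enabled | Select-Object -ExpandProperty DisplayName
$unlinked = $expected | Where-Object { $_ -notin $linked }
if ($unlinked) { Write-Warning "Not linked at ${domainDn}: $($unlinked -join ', ')" }

# Check 3: no Sysvol mismatch -- the AD and SYSVOL version numbers should agree.
foreach ($name in $expected) {
    $gpo = Get-GPO -Name $name -Domain $domain
    if ($gpo.Computer.DSVersion -ne $gpo.Computer.SysvolVersion) {
        Write-Warning "${name}: AD version $($gpo.Computer.DSVersion) vs SYSVOL $($gpo.Computer.SysvolVersion); replication not finished"
    }
}

# Then refresh policy on a managed server and pull an RSoP report to read through.
$managed = 'dns1.bigfirm.com'
Invoke-GPUpdate -Computer $managed -Force
Get-GPResultantSetOfPolicy -Computer $managed -ReportType Html -Path "$env:TEMP\$managed-rsop.html"
```

The Sysvol check is the one most often skipped by hand: a freshly provisioned GPO whose SYSVOL copy has not replicated to the DC a managed server uses will show up in the RSoP report as applied-with-errors, which is exactly the "snag" the slide warns about.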

DHCP Failover
simple, easy to set up two-node DHCP cluster

DHCP Failover
• Over the years, we've wanted fault tolerant DHCP
• We've cobbled together some sorta useful answers over the years
• Microsoft's offered a few partial solutions
• But now, it's here, and it's pretty easy to set up
• Supports only two nodes, IPv4 only
• Cluster modes (besides "all OK") we'll see:
  • Communications Interrupted
  • Partner Down

How it Works, Basically
• Two DHCP servers share a scope
• They share IP addresses in their scope
• If one DHCP server goes offline, the other goes to "Communications Interrupted" mode and hands out very short-lived leases from its partner's pool of addresses
• If it becomes clear that the partner's not coming back, the remaining partner may move to "Partner Down" mode, when it takes the whole scope's range of addresses, and hands them out with longer, normal lease times

Divvying up IPs: Two Modes
• Hot Standby Mode
  • One server – perhaps a local one – is "primary" in this failover relationship, the other secondary
  • Secondary does essentially nothing unless the primary dies
  • Divided 95%/5%
• Load Sharing Mode
  • Two basically equal partners share a subnet
  • A DHCPReq is assigned to one or the other server based on ranges of MAC hashes

More Details
• You define two time periods:
  • Auto state switching interval: how long one partner can be offline before the other one seizes the whole scope in PD mode (by default, forever)
  • Maximum Client Lead Time (MCLT): lease times to use while one partner's temporarily filling in for the other partner (by default, an hour) in CI mode
• You set a flag, "AutoStateTransition," to control whether the partner gives up eventually

Restated…
• Say DHCP1 goes down
• DHCP2 moves to CI mode, handing out leases from DHCP1's addrs with MCLT leases
• If AutoStateTransition's false or the admin never forces PD, things stay that way forever
• Otherwise, DHCP2 waits for the Auto State Switching Interval (ASSI) to run out, and then goes to PD mode
• DHCP2 then takes control of the whole pool (which it kind of had already) but now gives out leases with the old longer duration

Secure Partner Communication
• Optional part of node-node "heartbeat" communications
• Uses SHA2 hash
• It's a hash of a short "message" that you supply at setup
• "I'm alive" timestamps are encrypted using the shared secret; if you don't use it, the "heartbeat" info is in cleartext and thus could be faked
• Comms listen on TCP port 647

Steps
• Set up two DHCP servers in a domain
• Authorize them
• Choose a name for the cluster, as each two-node team needs a name
• Set up a scope on one of them
• Right-click the scope, choose "Failover Options"

Managing the Cluster
• At this point, the GUI kind of leaves us hanging – there's very little feedback about cluster state and there's no way to reconfigure a cluster short of deleting it and rebuilding it
• We can, however, use PowerShell
• Get-DhcpServerv4Failover lets us view status
• Set-DhcpServerv4Failover lets you:
  • Failover to "Partner Down"
  • Change Maximum Client Lead Time and Auto-State Switching Interval (ASSI)
  • Enable/disable automatic failover after ASSI

Sample Failover

Useful Commands
• Set-DhcpServerv4Failover clustername -AutoStateTransition boolean enables/disables automatic failover (transition from CI to PD)
• -MaxClientLeadTime hh:mm:ss changes MCLT
• -PartnerDown forces a failover
• -StateSwitchInterval hh:mm:ss changes the automatic state switch interval
• Set-DhcpServerv4Failover scope1clus -AutoStateTransition $true -StateSwitchInterval 02:00:00 -MaxClientLeadTime 00:20:00

Example Forced Failover
• Set-DhcpServerv4Failover scope1clus -PartnerDown -ComputerName Dhcp1.bigfirm.com
• Dunno why this stuff's not in the GUI, but DHCP failover's pretty nice anyway
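Here is an added example (not the deck's own code) that does the Steps, Secure Partner Communication and Managing the Cluster slides from PowerShell rather than the GUI: it confirms both servers are authorized, creates a hot-standby failover relationship with a shared secret so the port-647 heartbeat is authenticated, sets the MCLT and ASSI values the Useful Commands slide uses, reads the relationship back, and shows where the forced Partner Down belongs. The server names, scope and relationship name are assumed sample values, and the shared secret is a placeholder to be replaced.

```powershell
# Added example, not from the deck. Run elevated on the first DHCP server.
# Assumed sample values: dhcp1/dhcp2.bigfirm.com, scope 10.1.1.0, name scope1clus.
$partner = 'dhcp2.bigfirm.com'
$scopeId = '10.1.1.0'
$relName = 'scope1clus'
$secret  = 'REPLACE-WITH-YOUR-SHARED-SECRET'   # placeholder; read from a secure store in practice

# Both servers must be authorized in AD before either will answer clients.
$authorized = (Get-DhcpServerInDC).DnsName
if ($partner -notin $authorized) { throw "$partner is not authorized in AD" }

# Hot standby: this server is Active, the partner keeps 5% of the scope in reserve.
# MCLT and ASSI match the slide's example; AutoStateTransition lets CI become PD on its own.
# SharedSecret turns on the SHA2-authenticated heartbeat instead of cleartext "I'm alive".
Add-DhcpServerv4Failover -Name $relName -PartnerServer $partner -ScopeId $scopeId `
    -ServerRole Active -ReservePercent 5 `
    -MaxClientLeadTime 00:20:00 -StateSwitchInterval 02:00:00 -AutoStateTransition $true `
    -SharedSecret $secret -Force

# The feedback the GUI doesn't give: mode, role, current state and the timers.
Get-DhcpServerv4Failover -Name $relName |
    Format-List Name, PartnerServer, Mode, ServerRole, State, MaxClientLeadTime,
                StateSwitchInterval, AutoStateTransition, EnableAuth

# Timers can be changed later without rebuilding the relationship.
Set-DhcpServerv4Failover -Name $relName -MaxClientLeadTime 00:30:00 -StateSwitchInterval 04:00:00

# Scope changes made on one server are not automatic; push them to the partner.
Invoke-DhcpServerv4FailoverReplication -Name $relName -Force

# Forced failover, as on the slide: tells dhcp1 its partner is gone, so dhcp1 takes the
# whole pool (PD mode). Only do this once you are sure the partner really is down.
# Set-DhcpServerv4Failover -Name $relName -PartnerDown -ComputerName 'dhcp1.bigfirm.com'
```

EnableAuth in the Get-DhcpServerv4Failover output is the quick way to confirm the shared secret took effect on an existing relationship; a relationship showing $false there is running its heartbeat in cleartext, which is the condition the Secure Partner Communication slide warns about.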

Thank You
• I hope this was useful
• Find me at [email protected]
• Newsletters at www.minasi.com
• Info on two-day Server 2012 classes in Chicago next week, Dallas, San Francisco, DC, Atlanta and Stamford, CT there also
• Tweeting on mminasi
• Please don't forget an eval!

Track resources
• Learn more about Windows Server 2012 R2 Preview, download the datasheet and evaluation bits on http://aka.ms/WS2012R2
• Learn more about System Center 2012 R2 Preview, download the datasheet and evaluation bits on http://aka.ms/SC2012R2

Resources
• msdn: Resources for Developers, http://microsoft.com/msdn
• Learning: Microsoft Certification & Training Resources, www.microsoft.com/learning
• TechNet: Resources for IT Professionals, http://microsoft.com/technet
• Sessions on Demand: http://channel9.msdn.com/Events/TechEd

Evaluate this session
• Complete an evaluation on CommNet and enter to win!
• Scan this QR code to evaluate this session and be automatically entered in a drawing to win a prize

© 2013 Microsoft Corporation. All rights reserved. Microsoft, Windows and other product names are or may be registered trademarks and/or trademarks in the U.S. and/or other countries.The information herein is for informational purposes only and represents the current view of Microsoft Corporation as of the date of this presentation. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information provided after the date of this presentation. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.

