How To Configure Network Load Balancing In Windows Server 2016

High availability is one of the key requirements for providing uninterrupted services today. It improves the productivity and reputation of service providers, and users expect the services they need to be available on demand. Organizations use different technologies and solutions to provide high availability and redundancy. Network Load Balancing (NLB) is one of the most popular high-availability and redundancy features used in Windows-based networks. Here, we will explain, step by step, how to install and configure Network Load Balancing in Windows Server 2016.

For this, we will use the following systems. Please take a quick look at their configurations and roles:

  1. DC1
    • Role: NLB Node1
    • IP Address: 10.0.0.100
  2. SERVER1
    • Role: NLB Node2
    • IP Address: 10.0.0.101
  3. CLIENT1
    • Role: Web client
    • IP Address: 10.0.0.102

Installing the Network Load Balancing Feature on NLB nodes

Perform the following steps on the NLB nodes that are going to participate in the NLB cluster.

  1. Using the Server Manager console, launch the Add Roles and Features Wizard.
  2. Click Next until the Select server roles page is displayed and then select the Web Server (IIS) server role.
    Figure: Installing IIS Web Server Role
  3. On the Select features page, select the Network Load Balancing feature and proceed to the next page.
    Figure: Selecting Network Load Balancing feature on Windows Server 2016
  4. On the rest of the pages, accept the default selections and complete the installation process.
  5. Using the same steps, install the Web Server (IIS) server role and the Network Load Balancing feature on the second NLB node, SERVER1.

Configuring Network Load Balancing in Windows Server 2016

After installing the Network Load Balancing feature on all the participating NLB nodes, the next step is to configure it. For this, perform the following steps:

  1. On the Server Manager console of the DC1 NLB node, click Tools and select Network Load Balancing Manager.
  2. Select and right-click Network Load Balancing Clusters and then click New Cluster.
    Figure: Network Load Balancing Manager
  3. On the New Cluster: Connect dialog box, type DC1.mcsalab.local in the Host field and then click Connect. Verify that the interface name is listed and then proceed to the next page.
    Figure: Connecting new NLB Cluster Node
  4. On the New Cluster: Host Parameters dialog box, set the priority value to 1. This NLB node will answer the clients' requests first. Before clicking Next, also ensure that the default state is set to Started.
    Figure: Configure NLB Priority Value
  5. On the New Cluster: Cluster IP Addresses dialog box, click Add to add a new Cluster IP address.

    Note: The cluster IP address is the new virtual IP address on which the hosted service, in this case IIS, will run.

  6. On the Add IP Address dialog box, specify a cluster IP address such as 10.0.0.250, and click OK.
    Figure: Adding Cluster IP address
  7. Click Next to proceed to the New Cluster: Cluster Parameters dialog box, select a cluster operation mode, for example Unicast, and then click Next.
    Figure: Specifying NLB Cluster Operation Mode
  8. On the New Cluster: Port Rules dialog box, click Finish and wait until the DC1 NLB node is added successfully. The icon color of the added NLB node should be green.
    Figure: Adding NLB Cluster node to Network Load Balancing Manager
  9. Select and right-click the added cluster and then select Add Host To Cluster.
    Figure: Adding NLB Host to Cluster
  10. On the Add Host to Cluster: Connect dialog box, type SERVER1, and then click Connect to add one more NLB node.

    Important: If you get the Host unreachable error while connecting to SERVER1 as the NLB node, move to SERVER1 and open the Network Load Balancing Manager console there. Repeat the same steps you used to add the DC1 NLB node.

  11. On the Add Host to Cluster: Host Parameters dialog box, set the priority value as 2 and proceed to next.
  12. Accept the default selections on the rest of the pages and complete the wizard.
  13. Finally, verify that the second NLB node (SERVER1) is added successfully.
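The same two-node cluster built with the NetworkLoadBalancingClusters cmdlets instead of the wizard. This is an added example, not code from the original post. It is run on DC1 as a domain administrator and assumes details the post does not state: both nodes use a NIC named "Ethernet", the subnet mask is 255.0.0.0, and WinRM is enabled on SERVER1 so that Invoke-Command can reach it.

```powershell
# Added example (not from the original post): build the two-node NLB cluster
# described above with PowerShell. Run on DC1 as a domain administrator.
# Assumptions: NIC name "Ethernet" on both nodes, subnet mask 255.0.0.0,
# WinRM enabled on SERVER1.
$nodes         = 'DC1', 'SERVER1'
$nic           = 'Ethernet'       # assumption: interface name on both nodes
$clusterIP     = '10.0.0.250'
$subnetMask    = '255.0.0.0'      # assumption: lab uses a /8 network
$operationMode = 'Unicast'        # the mode chosen in step 7

# 1. Install IIS and the NLB feature on every node (the Add Roles and Features steps).
Invoke-Command -ComputerName $nodes -ScriptBlock {
    Install-WindowsFeature -Name Web-Server, NLB -IncludeManagementTools
}

Import-Module NetworkLoadBalancingClusters

# 2. Create the cluster on DC1. The first node gets host priority 1.
New-NlbCluster -HostName 'DC1' -InterfaceName $nic `
    -ClusterPrimaryIP $clusterIP -SubnetMask $subnetMask `
    -OperationMode $operationMode | Out-Null

# 3. Add SERVER1 as the second node. NLB assigns the next free priority (2).
#    In unicast mode the NIC's MAC address changes, so a single-NIC node can
#    briefly drop off the network while the cluster converges.
Add-NlbClusterNode -HostName 'DC1' -InterfaceName $nic `
    -NewNodeName 'SERVER1' -NewNodeInterface $nic | Out-Null

# 4. Verify: every node should report State = Converged with a distinct priority.
#    This is the green-icon check from step 8 and the final check in step 13.
function Get-NlbHealth {
    param([string]$HostName, [string]$InterfaceName)
    $state = Get-NlbClusterNode -HostName $HostName -InterfaceName $InterfaceName |
        Select-Object Name, HostPriority, State
    $bad = @($state | Where-Object { $_.State -ne 'Converged' })
    [pscustomobject]@{
        Nodes        = $state
        Healthy      = ($bad.Count -eq 0)
        NotConverged = $bad.Name
    }
}

$health = Get-NlbHealth -HostName 'DC1' -InterfaceName $nic
$health.Nodes | Format-Table -AutoSize
if ($health.Healthy) {
    "NLB cluster $clusterIP is up with $($health.Nodes.Count) converged node(s)."
} else {
    Write-Warning "Nodes not converged: $($health.NotConverged -join ', ')"
}
```

Get-NlbHealth is the scripted equivalent of looking for green icons in the NLB Manager: a node that stays in any state other than Converged after a minute usually means the two nodes cannot see each other's heartbeats or the cluster IP was not bound on that node's interface.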

Configuring Default Website to Test the NLB Configuration

To test the NLB cluster, use an NLB-aware application such as the IIS Web Server role together with the cluster IP address. Hence, we will use the Default Web Site on NLB node1 (DC1) and NLB node2 (SERVER1). The website will be mapped to the cluster IP address "10.0.0.250".

To do so, first perform the following steps on DC1 (NLB node1).

  1. Open the Internet Information Services (IIS) Manager console.
  2. Expand the Sites node, select and right-click the Default Web Site.
  3. Select Add Virtual Directory. In the Alias box, type a name. In the Physical path box, type \\DC1\C$\Inetpub\wwwroot and then click OK.

    Actually, we add the same shared directory on both NLB nodes so that the same content is displayed when one NLB node of the configured cluster fails.

  4. Double-click Directory Browsing and click Enable.
  5. Right-click Default Web Site, select Manage Website and then select Restart.
    Figure: Configure NLB with IIS Server in Windows Server 2016
  6. Close the Internet Information Services (IIS) Manager window.
  7. Repeat the same steps to activate the Default Web Site on the SERVER1 NLB node.
    Figure: Configure IIS Server in Windows Server 2016
  8. Optionally, if you want to access the website through a hostname such as www.mcsalab.local, add a www DNS host (A) record pointing to the 10.0.0.250 IP address.
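The IIS side of the test setup, scripted for one NLB node. This is an added example rather than the post's own code; run it once on each node. It assumes the IIS management module is present (installed with the Web-Server role and -IncludeManagementTools), uses the alias "shared" (the post leaves the alias name to you), and assumes the mcsalab.local DNS zone is hosted on DC1 so the optional A record is only created there.

```powershell
# Added example (not from the original post): virtual directory, directory
# browsing, site restart and the optional DNS record from the steps above.
# Run on each NLB node as an administrator. Assumptions: alias "shared",
# DNS zone mcsalab.local hosted on DC1.
Import-Module WebAdministration

$site  = 'Default Web Site'
$alias = 'shared'                          # assumption: any alias works
$path  = '\\DC1\C$\Inetpub\wwwroot'        # same content from both nodes

# 1. Point a virtual directory on this node at the shared folder on DC1.
if (-not (Get-WebVirtualDirectory -Site $site -Name $alias)) {
    New-WebVirtualDirectory -Site $site -Name $alias -PhysicalPath $path | Out-Null
}

# 2. Enable directory browsing for the site (the "Directory Browsing > Enable" step).
Set-WebConfigurationProperty -PSPath "IIS:\Sites\$site" `
    -Filter 'system.webServer/directoryBrowse' -Name enabled -Value $true

# 3. Restart the site so the change is picked up (Manage Website > Restart).
Restart-WebItem -PSPath "IIS:\Sites\$site"

# 4. Optional: on DC1, which hosts the DNS zone, publish the cluster IP under a hostname.
if (Get-Command Add-DnsServerResourceRecordA -ErrorAction SilentlyContinue) {
    Add-DnsServerResourceRecordA -ZoneName 'mcsalab.local' -Name 'www' `
        -IPv4Address '10.0.0.250' -ErrorAction SilentlyContinue
}

# 5. Sanity check: the local site must answer before it is tested through the cluster IP.
function Test-LocalSite {
    param([string]$Alias)
    try {
        $r = Invoke-WebRequest -Uri "http://localhost/$Alias/" -UseBasicParsing -TimeoutSec 5
        return $r.StatusCode
    } catch {
        return $null
    }
}
"Local site on $env:COMPUTERNAME answered HTTP $(Test-LocalSite -Alias $alias)"
```

If Test-LocalSite returns nothing on SERVER1, the usual cause is that the site's application pool identity cannot read the \\DC1\C$ administrative share; the post does not cover this, and a pool identity with read access to the shared folder (or a dedicated share instead of C$) fixes it without touching NLB.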

Verifying Network Load Balancing Configuration

To verify that your NLB Cluster is configured successfully and functioning properly, perform the following steps:

  1. On CLIENT1, type 10.0.0.250 in Internet Explorer and verify that you are able to access the Default Web Site.
    Figure: Testing NLB configuration
  2. Close Internet Explorer.
  3. On the DC1 node, open the Network Load Balancing Manager window, select and right-click DC1(Ethernet), select Control Host and then select Stop to stop this node temporarily.
    Figure: Stopping NLB service
  4. Switch back to CLIENT1 and try again to open the Default Web Site. It should still be displayed; however, this time the SERVER1 NLB node serves the website.
    Figure: Validating NLB Configuration In Windows Server
  5. Now stop the SERVER1 NLB node as well and try to reopen the Default Web Site on CLIENT1.
  6. This time it should not be displayed, as both NLB nodes are stopped. If you are still able to open the Default Web Site on CLIENT1, this is most likely because of cached web pages. To resolve this, reboot the CLIENT1 machine and try again.
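A scripted version of the failover test above, added here as an example and not part of the original post. It runs from CLIENT1 as a domain administrator with the NLB cmdlets installed (the RSAT-NLB feature), and assumes the NIC is named "Ethernet" and the virtual directory alias is "shared"; each request carries a unique query string and a no-cache header so the cached-page effect described in step 6 cannot mask a dead cluster.

```powershell
# Added example (not from the original post): automate the stop / test / stop
# / test sequence above from CLIENT1. Assumptions: NIC name "Ethernet",
# virtual directory alias "shared", RSAT-NLB installed on CLIENT1.
Import-Module NetworkLoadBalancingClusters

$clusterIP = '10.0.0.250'
$url       = "http://$clusterIP/shared/"
$nic       = 'Ethernet'

function Test-ClusterSite {
    # Returns the HTTP status code, or $null when the cluster IP does not answer.
    # A fresh query string plus Cache-Control defeats the browser/proxy cache.
    $probe = "$url?nocache=$([guid]::NewGuid())"
    try {
        $r = Invoke-WebRequest -Uri $probe -UseBasicParsing -TimeoutSec 5 `
            -Headers @{ 'Cache-Control' = 'no-cache' }
        return $r.StatusCode
    } catch {
        return $null
    }
}

$results = @()
$results += [pscustomobject]@{ Step = 'both nodes running'; Status = Test-ClusterSite }

# Step 3: stop DC1, the site must still answer (served by SERVER1).
Stop-NlbClusterNode -HostName 'DC1' -InterfaceName $nic | Out-Null
$results += [pscustomobject]@{ Step = 'DC1 stopped'; Status = Test-ClusterSite }

# Step 5: stop SERVER1 as well, the site must now be unreachable.
Stop-NlbClusterNode -HostName 'SERVER1' -InterfaceName $nic | Out-Null
$results += [pscustomobject]@{ Step = 'both stopped'; Status = Test-ClusterSite }

# Restore service before leaving the lab in a broken state.
Start-NlbClusterNode -HostName 'DC1' -InterfaceName $nic | Out-Null
Start-NlbClusterNode -HostName 'SERVER1' -InterfaceName $nic | Out-Null

$results | Format-Table -AutoSize
```

A healthy cluster shows a status code in the first two rows and an empty Status in the last row. A status code in the last row means the reply did not come from the NLB cluster at all; as the post notes, a cached copy of the page is the usual reason, and the no-cache probe above is the quickest way to rule it out before rebooting CLIENT1.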

That's all you need to install and configure Network Load Balancing (NLB) in Windows Server 2016. Please drop your queries and suggestions in the comment box, and we will get back to you soon.

Posted in Windows Server 2016

How To Secure Accounts If an RODC is Stolen

In the previous post, we discussed the benefits of using a Read-Only Domain Controller (RODC) and explained how to deploy an RODC server. The same topology is used for this post, so we recommend that you take a quick look at it first. Sometimes things do not go the way we expect. For example, what would happen if someone stole the entire RODC server? As a server administrator, it is your responsibility to secure all the user and computer accounts whose passwords were cached on the stolen RODC. In this post, we explain how to secure accounts if someone has stolen your RODC server.

Steps To Secure Accounts if the RODC is Stolen

To secure accounts and reset the credentials that are currently cached on a stolen RODC, perform the following steps:

  1. Sign in to the primary domain controller and open the Active Directory Users and Computers console.
  2. Expand the Domain Controllers node to list all the available DCs.
  3. In the details pane, select and right-click the RODC server that has been stolen and then select the Delete option. In our example, it is SERVER1, which we deployed in the previous post.
    Figure: Secure Accounts if RODC is stolen
  4. Click Yes to confirm the deletion.
  5. In the Deleting Active Directory Domain Controller dialog box, read all the available options carefully. Here, select the following check boxes depending on your choice and on the types of accounts (users or computers) whose passwords were cached on the stolen RODC:
  • Reset all passwords for user accounts that were cached on this read-only domain controller.
  • Reset all passwords for computer accounts that were cached on this read-only domain controller.
  • Export the list of accounts that were cached on this read-only domain controller to this file.
  6. Refer to the following figure to understand the preceding options.
    Figure: Reset all passwords for user accounts that were cached on RODC
  7. Specify a file name where the list of RODC cached credentials will be stored and then click Delete. You can refer to this file later to reset the credentials of the affected user and computer accounts.
  8. Click OK to confirm the selection. Ensure that the RODC server is removed from the Domain Controllers node in the Active Directory Users and Computers console.
  9. Close the Active Directory Users and Computers console.
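The PowerShell counterpart of the wizard's three check boxes, added here as an example (it is not code from the original post). It runs on the writable domain controller DC1 as a domain administrator, before the stolen RODC's computer object is deleted, because the usage query needs that object to still exist. It assumes the RODC is SERVER1 and that the export file is C:\RODC-SERVER1-cached.csv; the random-password helper is this script's own.

```powershell
# Added example (not from the original post): export the accounts cached on a
# stolen RODC and reset their passwords from DC1. Run BEFORE deleting the RODC
# object in Active Directory Users and Computers (steps 3-8 above).
# Assumptions: RODC is SERVER1, export path C:\RODC-SERVER1-cached.csv.
Import-Module ActiveDirectory

$rodc       = 'SERVER1'
$exportPath = 'C:\RODC-SERVER1-cached.csv'

# 1. Every account whose password was revealed to (cached on) the RODC.
$cached = @(Get-ADDomainControllerPasswordReplicationPolicyUsage -Identity $rodc -RevealedAccounts)

# 2. Export the list first: this is the record you keep for the incident
#    (the "Export the list of accounts ..." check box).
$cached | Select-Object Name, SamAccountName, ObjectClass, DistinguishedName |
    Export-Csv -Path $exportPath -NoTypeInformation

function New-RandomPassword {
    # 32 bytes from the OS CSPRNG, base64-encoded: no modulo bias, mixed classes.
    $bytes = New-Object byte[] 32
    [System.Security.Cryptography.RandomNumberGenerator]::Create().GetBytes($bytes)
    ConvertTo-SecureString ([Convert]::ToBase64String($bytes)) -AsPlainText -Force
}

# The RODC's own computer account and its krbtgt_<id> account go away with the
# RODC object, so they are skipped here.
$targets = $cached | Where-Object {
    $_.SamAccountName -ne "$rodc`$" -and $_.SamAccountName -notlike 'krbtgt*'
}

# 3. "Reset all passwords for user accounts that were cached ..."
foreach ($acct in ($targets | Where-Object ObjectClass -eq 'user')) {
    Set-ADAccountPassword -Identity $acct.DistinguishedName -Reset -NewPassword (New-RandomPassword)
    Set-ADUser -Identity $acct.DistinguishedName -ChangePasswordAtLogon $true
    "Reset user password: $($acct.SamAccountName)"
}

# 4. "Reset all passwords for computer accounts that were cached ..."
#    These machines lose their secure channel and must be re-joined (or run
#    Reset-ComputerMachinePassword), exactly as after the wizard.
foreach ($acct in ($targets | Where-Object ObjectClass -eq 'computer')) {
    Set-ADAccountPassword -Identity $acct.DistinguishedName -Reset -NewPassword (New-RandomPassword)
    "Reset machine password: $($acct.SamAccountName)"
}

"Exported $($cached.Count) cached account(s) to $exportPath"
```

Once the resets are done, delete the RODC object exactly as the wizard steps describe; that deletion is what removes the RODC's own krbtgt account and its replication metadata, which this script deliberately does not touch.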

That's all you need to secure accounts if the RODC is stolen. We hope it helped you; please share the article to encourage us.


How To Install And Configure RODC In Windows Server 2016

There are two types of domain controllers: writable domain controllers and read-only domain controllers. Writable domain controllers have the rights to modify the Active Directory database. A Read-Only Domain Controller (RODC) provides the same services as a writable domain controller, but it can neither modify the Active Directory database nor store users' credentials in its own database unless an administrator explicitly allows it. Remote branch offices, where physical security is a major concern, are the most suitable place to deploy an RODC. In this post, we explain step by step how to install and configure an RODC in Windows Server 2016.

RODC Password Replication Policies

To understand the concept of the RODC, you have to understand the two types of RODC password replication policies. Actually, these are built-in groups that control which user accounts' passwords can be stored and which user accounts' passwords cannot be stored by an RODC server. These are:

  1. Allowed RODC Password Replication Group.
  2. Denied RODC Password Replication Group.

By default, the Denied RODC Password Replication Group contains the following members whose passwords are not allowed to be cached by an RODC server:

  • Enterprise Domain Controllers
  • Enterprise Read-Only Domain Controllers
  • Group Policy Creator Owners
  • Domain Admins
  • Cert Publishers
  • Enterprise Admins
  • Schema Admins
  • Domain-wide krbtgt account
  • Account Operators
  • Server Operators
  • Backup Operators
  • Administrators

By default, the Allowed RODC Password Replication Group does not contain any members.

Understanding RODC Lab Setup Topology

Now that you have the basics of the RODC, we are going to install and configure an RODC in Windows Server 2016. Before doing this, let's understand the lab infrastructure we are going to follow:

We have a writable domain controller named DC1.MCSALAB.local that runs Windows Server 2016 and is configured with the 10.0.0.100/8 IPv4 address. We will use another server named SERVER1 to configure as the RODC. SERVER1 is configured with the 10.0.0.101/8 IPv4 address and also runs Windows Server 2016.

Deploying RODC on Windows Server 2016

Preparing Primary Domain Controller To Deploy an RODC

We assume that you have already deployed DC1 as the primary domain controller; click here if you have not done so yet, and then proceed.

Now, create a user account named RODCAdmin on the primary domain controller and make it a member of the Allowed RODC Password Replication Group. Also make it a member of the Server Operators group so that it can log on locally to the RODC. Alternatively, you can modify the Default Group Policy to assign the Allow log on locally user right to this account.

    Figure: RODC Password Replication Group
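The RODCAdmin preparation step as a script for DC1. This is an added example, not the post's own code; it assumes the domain is mcsalab.local and asks for the initial password interactively, and the Test-RodcAdminSetup check at the end is this script's own helper.

```powershell
# Added example (not from the original post): create RODCAdmin on DC1 and add
# it to the groups named above. Assumption: domain mcsalab.local.
Import-Module ActiveDirectory

$name    = 'RODCAdmin'
$initial = Read-Host -AsSecureString "Initial password for $name"

if (-not (Get-ADUser -Filter "SamAccountName -eq '$name'")) {
    New-ADUser -Name $name -SamAccountName $name `
        -UserPrincipalName "$name@mcsalab.local" `
        -AccountPassword $initial -Enabled $true -ChangePasswordAtLogon $true `
        -Description 'Delegated RODC administrator (branch office)'
}

# Allow the RODC to cache this account's password ...
Add-ADGroupMember -Identity 'Allowed RODC Password Replication Group' -Members $name
# ... and let it log on locally at the RODC, the way the post does it.
# The narrower alternative the post mentions is the "Allow log on locally"
# user right in Group Policy instead of Server Operators membership.
Add-ADGroupMember -Identity 'Server Operators' -Members $name

function Test-RodcAdminSetup {
    param([string]$Name)
    $groups = Get-ADPrincipalGroupMembership -Identity $Name |
        Select-Object -ExpandProperty Name
    [pscustomobject]@{
        Account        = $Name
        Enabled        = (Get-ADUser -Identity $Name).Enabled
        InAllowedGroup = ($groups -contains 'Allowed RODC Password Replication Group')
        InServerOps    = ($groups -contains 'Server Operators')
    }
}

Test-RodcAdminSetup -Name $name
```

One caveat worth checking before you rely on password caching: Server Operators appears in the default Denied list shown earlier in this post, and a Denied entry takes precedence over an Allowed one. If you need the RODC to actually cache RODCAdmin's password, the Group Policy user right the post offers as an alternative avoids that conflict.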

Configuring RODC In Windows Server 2016

Now you are ready to install and configure an RODC for one of your branch offices. To do so in Windows Server, perform the following steps:

  1. Switch to the server that you want to configure as the RODC, in this case SERVER1. Configure the TCP/IP settings as shown in the following figure.
    Figure: Configure TCP/IP Settings
  2. Make SERVER1 a member of the MCSALAB.LOCAL domain and reboot the system.
    Figure: Make server as member of Primary Domain Server

    Note: If you get an error, ensure that DC1 and SERVER1 can communicate with each other.

  3. Once SERVER1 has rebooted, sign in with the MCSALAB\Administrator account.
  4. Open the Server Manager console and launch the Add Roles and Features Wizard.
  5. Accept the default selections until the Select server roles page is displayed. Here, select the Active Directory Domain Services check box and complete the installation process.
    Figure: Installing RODC on Windows Server 2016 server
  6. On the Server Manager console, click the Promote this server to a domain controller link.
    Figure: Configure an RODC server in Windows Server 2016
  7. On the Deployment Configuration page, make sure that the Add a domain controller to an existing domain option is selected and then click Next.
    Figure: Adding a domain controller to existing domain
  8. On the Domain Controller Options page, select the following check boxes, set the desired DSRM password and then click Next to proceed.
    • Domain Name System (DNS) server
    • Global Catalog (GC)
    • Read only domain controller (RODC)

    Figure: Install and Configure RODC in Windows Server 2016

  9. On the RODC Options page, specify the following options:
    • A delegated administrator account that will be responsible for managing the RODC.
    • Accounts that are allowed to replicate their passwords to the RODC.
    • Accounts that are denied from replicating their passwords to the RODC.
  10. For testing purposes, add RODCAdmin, the account we created earlier, as the delegated administrator and click Next to proceed.
    Figure: Specifying RODC delegated account
  11. On the Additional Options page, you can complete the domain controller installation using Install From Media (IFM). Click here if you are interested in how to configure an additional domain controller (ADC) using IFM; otherwise click Next to skip it for now.
    Figure: Installing RODC using IFM in Windows Server 2016
  12. On the Paths page, click Next and proceed to the Prerequisites Check page. Verify that all the prerequisite checks passed successfully and click Install to begin the installation. You may ignore the prerequisite warnings.
    Figure: RODC prerequisites checks
  13. The system will reboot once the RODC installation completes. Sign in with the MCSALAB\RODCAdmin delegated administrator account that we added during the RODC installation.
  14. You have now successfully installed and configured an RODC on SERVER1.
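The promotion wizard (steps 4 to 13) as an unattended PowerShell run on SERVER1, added here as an example rather than taken from the post. It assumes SERVER1 is already joined to mcsalab.local and uses DC1 for DNS, that the AD site is Default-First-Site-Name, and that the Denied list keeps the wizard's default entries (passing -DenyPasswordReplicationAccountName replaces the defaults rather than adding to them, so they are listed explicitly).

```powershell
# Added example (not from the original post): promote SERVER1 to an RODC with
# the ADDSDeployment module. Run on SERVER1 as MCSALAB\Administrator after it
# has joined the domain. Assumptions: site Default-First-Site-Name, DNS on DC1.
Install-WindowsFeature -Name AD-Domain-Services -IncludeManagementTools
Import-Module ADDSDeployment

$dsrm = Read-Host -AsSecureString 'DSRM (Directory Services Restore Mode) password'
$cred = Get-Credential -Message 'Domain account allowed to add a domain controller'

# Pre-flight only, no changes: the Prerequisites Check page in script form.
Test-ADDSDomainControllerInstallation -DomainName 'mcsalab.local' -ReadOnlyReplica `
    -SiteName 'Default-First-Site-Name' -InstallDns `
    -SafeModeAdministratorPassword $dsrm -Credential $cred | Format-List

# Wizard check boxes: DNS server and RODC are explicit; Global Catalog is the
# default (add -NoGlobalCatalog to turn it off). The delegated admin and the
# Allowed / Denied lists are the RODC Options page.
Install-ADDSDomainController `
    -DomainName 'mcsalab.local' `
    -ReadOnlyReplica `
    -SiteName 'Default-First-Site-Name' `
    -InstallDns `
    -DelegatedAdministratorAccountName 'MCSALAB\RODCAdmin' `
    -AllowPasswordReplicationAccountName @('MCSALAB\Allowed RODC Password Replication Group') `
    -DenyPasswordReplicationAccountName @(
        'BUILTIN\Administrators',
        'BUILTIN\Server Operators',
        'BUILTIN\Backup Operators',
        'BUILTIN\Account Operators',
        'MCSALAB\Denied RODC Password Replication Group') `
    -SafeModeAdministratorPassword $dsrm `
    -Credential $cred `
    -Force
```

The server reboots automatically when the promotion finishes, just as in step 13; add -NoRebootOnCompletion if you want to review the output first.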

Verifying RODC Configuration

To verify that our RODC server is configured successfully and functioning properly, we will walk through some of the RODC verification tasks.

How to view the current credentials that are cached on an RODC?

To view the credentials that are cached on an RODC, perform the following steps on the DC1 primary writable domain controller.

  1. Open the Active Directory Users and Computers window, expand the Domain Controllers node, and then open the Properties of your RODC server (SERVER1).
  2. Select the Password Replication Policy tab and click Advanced.
    Figure: Viewing RODC password replication policies
  3. On the Advanced dialog box, you will see the accounts whose credentials are cached on this RODC.
    Figure: Accounts whose passwords are stored on the RODC server

    Note: By default, the only credentials that are cached on an RODC are for the computer account of the RODC itself and a krbtgt account.

    Wait a minute! Where is your RODCAdmin account?

  4. To view the RODCAdmin account, select the Accounts that have been authenticated to this Read-Only Domain Controller option and view the result.
    Figure: Viewing accounts that have been authenticated to RODC server
  5. To add specific users, groups, and computers to the Allowed or Denied list, click Add and select the desired RODC policy.
    Figure: Adding users and groups to RODC allowed and denied list
  6. Close the Properties dialog box and all other open windows.
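The verification tasks above from DC1 with the ActiveDirectory module, added as an example that is not part of the original post. Get-RodcReport reproduces the Advanced dialog (cached and authenticated accounts) together with the Allowed and Denied lists, and Test-RodcCanCache answers the question the post raises about RODCAdmin by evaluating the effective policy for one account, nested groups included. It assumes the RODC is SERVER1; the group name "BranchUsers" used for the Add step is hypothetical.

```powershell
# Added example (not from the original post): inspect and adjust the password
# replication policy of the RODC from DC1. Assumption: RODC is SERVER1.
Import-Module ActiveDirectory
$rodc = 'SERVER1'

function Get-RodcReport {
    # Same information as the Password Replication Policy tab and its Advanced dialog.
    param([string]$Rodc)
    [pscustomobject]@{
        Allowed       = (Get-ADDomainControllerPasswordReplicationPolicy -Identity $Rodc -Allowed).Name
        Denied        = (Get-ADDomainControllerPasswordReplicationPolicy -Identity $Rodc -Denied).Name
        Cached        = (Get-ADDomainControllerPasswordReplicationPolicyUsage -Identity $Rodc -RevealedAccounts).SamAccountName
        Authenticated = (Get-ADDomainControllerPasswordReplicationPolicyUsage -Identity $Rodc -AuthenticatedAccounts).SamAccountName
    }
}

function Test-RodcCanCache {
    # Will the RODC cache this account's password? Denied entries win over
    # Allowed ones, so both lists are checked against the account itself and
    # every group it belongs to, nested groups included (LDAP_MATCHING_RULE_IN_CHAIN).
    param([string]$Rodc, [string]$SamAccountName)
    $acct   = Get-ADObject -Filter "SamAccountName -eq '$SamAccountName'"
    $groups = Get-ADGroup -LDAPFilter "(member:1.2.840.113556.1.4.1941:=$($acct.DistinguishedName))"
    $ids    = @($acct.DistinguishedName) + @($groups.DistinguishedName)

    $allowed = (Get-ADDomainControllerPasswordReplicationPolicy -Identity $Rodc -Allowed).DistinguishedName
    $denied  = (Get-ADDomainControllerPasswordReplicationPolicy -Identity $Rodc -Denied).DistinguishedName

    $inAllowed = [bool]($ids | Where-Object { $allowed -contains $_ })
    $inDenied  = [bool]($ids | Where-Object { $denied  -contains $_ })
    [pscustomobject]@{
        Account   = $SamAccountName
        InAllowed = $inAllowed
        InDenied  = $inDenied
        CanCache  = ($inAllowed -and -not $inDenied)
    }
}

Get-RodcReport -Rodc $rodc | Format-List
Test-RodcCanCache -Rodc $rodc -SamAccountName 'RODCAdmin'

# Step 5 equivalent: put a branch-office group on the Allowed list.
# "BranchUsers" is a hypothetical group name used only for this example.
if (Get-ADGroup -Filter "Name -eq 'BranchUsers'") {
    Add-ADDomainControllerPasswordReplicationPolicy -Identity $rodc -AllowedList 'BranchUsers'
}
```

If Test-RodcCanCache reports InDenied = True for RODCAdmin, the cause is normally the Server Operators membership from the preparation step, since that group is on the Denied list shown earlier in this post; the account will then appear under authenticated accounts but never under cached ones, whichever way it logs on.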

That's all you need to install and configure an RODC in Windows Server 2016. The same steps can also be used to deploy an RODC on Windows Server 2012/R2. If you are interested in learning more about RODC servers, click here to find out how to secure your Active Directory accounts if your organization's RODC is stolen.
