Posted on 02-Jan-2016
TRANSCRIPT
Better Networking, More NetGains: How Server 2012 Can Be Your Director of Protocol
Mark Minasi
help@minasi.com
@mminasi on Twitter
MDC0B365
New PowerShell Tools
just a few examples and pointers
• rename-netadapter -name ethernet -newname "hypervinternal1"
• new-netipaddress -interfacealias "ethernet" -ipaddress "10.1.1.1" -prefixlength 24 -defaultgateway 10.1.1.1
• get-netadapter | where {$_.linkspeed -eq "10 gbps"}
• disable-netadapter ethernet1
• set-netadapter ethernet -macaddress "00-FF-AA-CC-EE-11-22"
Seeing Everything PoSH Sees
• Try out get-netadapter
• Nice basic info
• But add "| select * | ogv" and see the difference:
  get-netadapter NIC2ISP | select *
  get-netadapter | select * | ogv
• A whole heck of a lot more info
• Works for most PowerShell cmdlets
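The two slides above together make a useful point for anyone auditing a server: the full property set that `select *` exposes includes the adapter's burned-in address as well as the one it is currently using, so the MAC override that `set-netadapter -macaddress` applies is visible after the fact. The script below is an added example, not code from the talk; it needs only the NetAdapter module that ships with Server 2012 and assumes no adapter names.

```powershell
# Added example (not from the slides): inventory adapters the way the talk
# suggests (Get-NetAdapter | Select-Object *) and flag any whose running MAC
# differs from the hardware (permanent) address, which is what an override
# such as Set-NetAdapter -MacAddress produces.

function Get-MacOverrideReport {
    [CmdletBinding()]
    param(
        # Optional adapter name filter (wildcards allowed); default is every adapter
        [string]$Name = '*'
    )

    Get-NetAdapter -Name $Name | ForEach-Object {
        # Normalise both addresses to bare upper-case hex so "00-15-5D-..."
        # and "00155D..." compare equal regardless of separator style
        $active    = ($_.MacAddress       -replace '[^0-9A-Fa-f]', '').ToUpper()
        $permanent = ($_.PermanentAddress -replace '[^0-9A-Fa-f]', '').ToUpper()

        [pscustomobject]@{
            Name             = $_.Name
            InterfaceDesc    = $_.InterfaceDescription
            Status           = $_.Status
            LinkSpeed        = $_.LinkSpeed
            MacAddress       = $_.MacAddress
            PermanentAddress = $_.PermanentAddress
            # True when the running MAC is not the burned-in one
            MacOverridden    = ($permanent -ne '' -and $active -ne $permanent)
        }
    }
}

# Full property dump for one adapter, as on the slide (ogv = Out-GridView)
# Get-NetAdapter -Name 'NIC2ISP' | Select-Object * | Out-GridView

# Report only adapters whose MAC has been changed from the hardware address
Get-MacOverrideReport | Where-Object MacOverridden | Format-Table -AutoSize
```

Run it with no arguments on a freshly built server to record a baseline, then rerun it during change reviews; an adapter that turns up with `MacOverridden` set to True either has a documented reason (some teaming and virtualisation setups legitimately change the address) or is worth a closer look.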
RDMA Support
• Class of NICs that run IP-ish protocols that aren't routed -- goal is inexpensive high speeds
• Examples: Intel NetEffect, Mellanox ConnectX-3
• Run non-IP protocols: Infiniband, RoCE, iWARP
• As they are offload boards (like chimneys or receive side scaling), they use very little CPU
• Some are quite fast, up to 56 gigabits per second
• Windows now lets you run SMB atop them, enabling some very fast access to file shares that now act as shared storage for clusters
• MS sees these as essential in building scale-out file server clusters
Things to Know About LBFO
• What will it offer you?
• How it offers failover
• How it offers bandwidth aggregation
• Tell LBFO about your network switches
• Tell LBFO if Hyper-V's involved
• How to set up asymmetric "active/passive" failover
• Creating a team with GUI and PowerShell
• What it looks like when created
What it Does
• Take (for example) three NICs on your system, each with names and IP addresses
• Make them (in software) one NIC, one name, one IP address
• Benefits:
  • Three times as much outbound bandwidth in many cases
  • With the right switches, three times the inbound bandwidth
  • If a NIC/switch fails, no problem… failover
• Real value propositions
  • Lets you get a little more performance out of an existing and unused NIC
  • Lets you team NICs from different vendors
  • Works even without teaming-aware switches
NIC Teaming
• Load Balance and Failover (LBFO) is another phrase, if you're Googling Binging searching the Web
• Can use any NICs or combination of NICs
• Can mix speeds but don't unless you're going "active/standby" (more on that soon…)
• Can not use RDMA boards, SR-IOV, TCP chimney boards
• Up to 32 NICs on a team
• Configure and control in either Server Manager or PowerShell
• Let's examine the benefits in more detail…
Benefits: How Failover Works
• Suppose one of my three NICs dies; teaming could help if…
  • It's UDP and the packet already went over another NIC – no trouble
  • It's TCP and went over another NIC… no problem
  • It's TCP and it went over the bad NIC… TCP will automatically retry and knows about dead NICs, so the data gets there via the retry
  • It's UDP and the packet went over the bad NIC… depends on the protocol
• Notice that none of this involves intelligence on the team's part… there are no new magic protocols that both sides must understand
Benefits: How Bandwidth Aggregation Works
• LBFO does not spread a single TCP connection across NICs
• TCP, one conversation: doesn't help at all
• TCP, multiple conversations: each conversation gets a NIC
• UDP, a single packet: not at all
• UDP, multiple packets: they'll end up spread across NICs (e.g. 1000 DNS requests, 333/NIC)
• Again, no new magic protocols, this really just exploits existing TCP and UDP characteristics
Switches Affect Bandwidth Benefits
• Outbound communications are spread across NICs
• Inbound comms go to just one NIC, unless you have switches that are "teaming-smart"… but even with "dumb switches," inbound failover works
• With "smart switches," all inbound traffic gets spread amongst the NICs according to the switch's load distribution algorithm
• Thus, part of LBFO configuration requires telling the team what kind of switch you've got
Teaming Options
• To get a team to work, you've got to tell it three things
  • What kind of switches do you have? ("Teaming mode")
  • How shall I distribute outbound comms between the NICs? ("Load balancing")
  • Do you want to use one or more NICs only in the case of emergency? ("Active/Standby" configs)
• Let's decode them…
"Teaming Mode"
so, tell me about your network switches…
• Switch independent:
  • Allows connection to multiple switches – if multiple switches, then "switch independent"
  • Doesn't require (or employ abilities of) a teaming-smart switch; the server does the work
  • This will always work, even if it's not optimally efficient, so if in doubt you can't go wrong with this one
• Switch-dependent:
  • "Static" teaming-smart switches… require configuration on the switch
  • LACP (Link Aggregation Control Protocol): "dynamic" teaming-smart switches… usually no configuration required
"Load Balancing" Options
how shall I spread outbound communications between NICs?
• This basically exists to maximize team throughput on a Hyper-V system
• Normally you wouldn't create LBFO teams in a Hyper-V VM unless you're teaming two physical NICs that have been SR-IOV-ed to a VM (or to demonstrate NIC teaming for a class or something)
• So by default, use option "Address Hash"
• But if a VM is teaming two or more SR-IOV NICs, use option "Hyper-V switch"
• Or if you are teaming two virtual NICs, use "Hyper-V switch"
Active or Standby
usually active, but standby might make sense sometimes
• Can set both NICs to active, that's the default
• Or if you just want a NIC to be active on failure, set it to Standby
• Why do that? Well, consider teaming NICs of different speeds
  • Possible, but not supported
  • The problem is that the team doesn't understand the different speeds and so a 1 GB NIC will get as much traffic as a 10 GB NIC
• Standby, however, might make it sensible!
PoSH NIC Teaming
• new-netLbfoTeam -name MyNicTeam -teammembers Internal1,Internal2 -confirm:$false
• Options:
  • teamingmode = Static, SwitchIndependent, Lacp
  • loadbalancingalgorithm = TransportPorts, IPAddresses, MacAddresses, HyperVPort
• get-netlbfoteam, set-netlbfoteam, remove-netlbfoteam exist as well
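The three decisions the last few slides walk through (teaming mode, load-balancing algorithm, active/standby) all map onto parameters of the LBFO cmdlets. The script below is an added example, not code from the talk, that builds the mixed-speed active/standby team the "Active or Standby" slide describes and then shows what the team and its members look like. The adapter names Internal1 and Internal2 are the slide's; treating Internal2 as the slower NIC is an assumption made for the example.

```powershell
# Added example (not from the slides): create an LBFO team with the three
# choices the talk describes, demote the slower member to standby, and
# report the result. Assumed adapters: 'Internal1' (fast, active) and
# 'Internal2' (slow, standby).

function New-StandbyTeam {
    param(
        [string]$TeamName   = 'MyNicTeam',
        [string]$ActiveNic  = 'Internal1',
        [string]$StandbyNic = 'Internal2',
        # SwitchIndependent works with any switch; Static and Lacp need a
        # teaming-aware switch configured to match
        [ValidateSet('SwitchIndependent', 'Static', 'Lacp')]
        [string]$TeamingMode = 'SwitchIndependent',
        # TransportPorts/IPAddresses/MacAddresses are the GUI's "Address Hash"
        # family; HyperVPort is the GUI's "Hyper-V switch" option
        [ValidateSet('TransportPorts', 'IPAddresses', 'MacAddresses', 'HyperVPort')]
        [string]$Algorithm = 'TransportPorts'
    )

    # Create the team; -Confirm:$false suppresses the interactive prompt
    $team = New-NetLbfoTeam -Name $TeamName `
        -TeamMembers $ActiveNic, $StandbyNic `
        -TeamingMode $TeamingMode `
        -LoadBalancingAlgorithm $Algorithm `
        -Confirm:$false

    # Mixed speeds are only sensible if the slow NIC is standby: the team
    # would otherwise give it as much traffic as the fast one
    Set-NetLbfoTeamMember -Name $StandbyNic -Team $TeamName `
        -AdministrativeMode Standby -Confirm:$false

    return $team
}

function Show-TeamState {
    param([string]$TeamName = 'MyNicTeam')

    # Team-level view: Status is Up/Degraded/Down
    Get-NetLbfoTeam -Name $TeamName |
        Select-Object Name, Status, TeamingMode, LoadBalancingAlgorithm

    # Member view: which NIC is active, which is standby, and their link speeds
    Get-NetLbfoTeamMember -Team $TeamName |
        Select-Object Name, AdministrativeMode, OperationalStatus, ReceiveLinkSpeed
}

New-StandbyTeam | Out-Null
Show-TeamState

# As the "What You'll See After Teaming" slide says, the member NICs no
# longer answer on their own addresses; the new team NIC (named after the
# team) needs an address of its own:
# New-NetIPAddress -InterfaceAlias 'MyNicTeam' -IPAddress 10.1.1.10 -PrefixLength 24 -DefaultGateway 10.1.1.1
```

Leave the defaults alone unless you have confirmed the switch configuration: SwitchIndependent is the "can't go wrong" mode from the slides, whereas Static or Lacp on a switch port that is not configured to match takes the team down rather than degrading it.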
What You'll See After Teaming
• The NICs that existed separately no longer exist on the network
• They do not respond to their IP addresses
• You must apply IP addresses to the new teamed NICs (or of course they can get addresses from DHCP)
One More Thing…
• If you want to know more, there is a very in-depth, great white paper on the Microsoft site
• Just search on "Windows Server 2012 NIC Teaming (LBFO) Deployment and Management" with the quotes and you'll find it
• Quite good, may take a couple of reads but it is worth it
IP Address Management (IPAM)
• Provides a way to track static v4 and v6 addresses
• Does it by talking to AD, DNS, NPS, DHCP
• Shouldn't run on a DHCP server
• Is a "feature," not a role
IPAM
• Collects (or can be told) information on
  • Static v4, v6 ranges
  • DNS servers and zones
  • DHCP servers and scopes
  • NPS (quarantine) servers and policies
• Basically it beats the spreadsheets we use to keep track of "DNS1 has IP address 10.2.1.2" sort of stuff
• Expect to see much more functionality in future releases of Server
Prep the Servers for Scanning
"provisioning" servers, in IPAM-speak
• Need to loosen security for IPAM scan
• Done with three GPOs; one for DNS, one for NPS/DCs, one for DHCP
• Granting the IPAM server access to things like remote administration, remote registry, permission to read the DNS Server service etc.
• Must have the same prefix and be suffixed _DNS, _DC_NPS, and _DHCP
• Then apply those policies to the NPS, DNS and DHCP servers
Then Put it to Work
• Create GPOs or Invoke-IpamGpoProvisioning -Domain bigfirm.com -GpoPrefixName PamGPOs -IpamServerFqdn pamserver.bigfirm.com -Force
• Identify the domain(s) managed
• Discover servers
• Choose servers to manage
• Get the data
The keys to troubleshooting IPAM are:
- Use the PowerShell command to create the policies and keep track of the prefix you picked
- Double-check that it LINKED the policies to the domain
- Run gpupdate /force and run RSOPs to ensure that (1) the policies didn't hit a snag and, again, (2) the policies are actually linked and error-free (no Sysvol mismatches)
- If it breaks, just delete the policies, remove the IPAM feature, and try again… the wizard's pretty helpful
- Never give up. Never surrender. Once you're sure the policies are in place, re-run discovery, and you will triumph!
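Since these provisioning GPOs deliberately loosen security on DNS, DHCP and domain controllers, it is worth being able to answer the troubleshooting list's first three questions from a script: do the three policies exist under the prefix you chose, are they linked at the domain, and do their AD and SYSVOL versions agree. The check below is an added example, not code from the talk; it uses the GroupPolicy and ActiveDirectory RSAT modules, and the domain and prefix defaults are the slide's example values.

```powershell
# Added example (not from the slides): verify what Invoke-IpamGpoProvisioning
# should have left behind. Requires the GroupPolicy and ActiveDirectory
# modules (RSAT); bigfirm.com and PamGPOs are the talk's example values.

Import-Module GroupPolicy
Import-Module ActiveDirectory

function Test-IpamGpoProvisioning {
    param(
        [string]$GpoPrefix = 'PamGPOs',
        [string]$Domain    = 'bigfirm.com'
    )

    $domainDn = (Get-ADDomain -Identity $Domain).DistinguishedName
    # GPO links that sit directly on the domain object
    $links = (Get-GPInheritance -Target $domainDn -Domain $Domain).GpoLinks

    # The three suffixes the slides name: DNS, DCs/NPS, DHCP
    foreach ($suffix in '_DNS', '_DC_NPS', '_DHCP') {
        $gpoName = "$GpoPrefix$suffix"
        $gpo  = Get-GPO -Name $gpoName -Domain $Domain -ErrorAction SilentlyContinue
        $link = $links | Where-Object DisplayName -eq $gpoName

        [pscustomobject]@{
            Gpo           = $gpoName
            Exists        = [bool]$gpo
            LinkedToRoot  = [bool]$link
            LinkEnabled   = if ($link) { $link.Enabled } else { $false }
            # A SYSVOL mismatch shows up as AD and SYSVOL version numbers
            # that disagree for the computer side of the policy
            AdVersion     = if ($gpo) { $gpo.Computer.DSVersion } else { $null }
            SysvolVersion = if ($gpo) { $gpo.Computer.SysvolVersion } else { $null }
        }
    }
}

Test-IpamGpoProvisioning | Format-Table -AutoSize
```

A row showing Exists True but LinkedToRoot False is the "it didn't LINK them" case from the list; matching AdVersion and SysvolVersion values rule out the Sysvol mismatch. Linkage is only half the story, though: the policies are filtered to the servers you chose to manage, so the gpupdate /force and RSoP step on the managed server itself is still needed to confirm they actually applied.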
DHCP Failover
• Over the years, we've wanted fault tolerant DHCP
• We've cobbled together some sorta useful answers over the years
• Microsoft's offered a few partial solutions
• But now, it's here, and it's pretty easy to set up
• Supports only two nodes, IPv4 only
• Cluster modes (besides "all OK") we'll see:
  • Communications Interrupted
  • Partner Down
How it Works, Basically
• Two DHCP servers share a scope
• They share IP addresses in their scope
• If one DHCP server goes offline, the other goes to "Communications Interrupted" mode and hands out very short-lived leases from its partner's pool of addresses
• If it becomes clear that the partner's not coming back, the remaining partner may move to "Partner Down" mode, when it takes the whole scope's range of addresses and hands them out with longer, normal lease times
Divvying up IPs: Two Modes
• Hot Standby Mode
  • One server – perhaps a local one – is "primary" in this failover relationship, the other secondary
  • Secondary does essentially nothing unless the primary dies
  • Divided 95%/5%
• Load Sharing Mode
  • Two basically equal partners share a subnet
  • A DHCPReq is assigned to one or the other server based on ranges of MAC hashes
More Details
• You define two time periods
  • Auto state switching interval: how long one partner can be offline before the other one seizes the whole scope in PD mode (by default, forever)
  • Maximum Client Lead Time (MCLT): lease times to use while one partner's temporarily filling in for the other partner (by default, an hour) in CI mode
• You set a flag, "AutoStateTransition," to control whether the partner gives up eventually
Restated…
• Say DHCP1 goes down
• DHCP2 moves to CI mode, handing out leases from DHCP1's addrs with MCLT leases
• If AutoStateTransition's false or the admin never forces PD, things stay that way forever
• Otherwise, DHCP2 waits for the Auto State Switching Interval (ASSI) to run out, and then goes to PD mode
• DHCP2 then takes control of the whole pool (which it kind of had already) but now gives out leases with the old longer duration
Secure Partner Communication
• Optional part of node-node "heartbeat" communications
• Uses SHA2 hash
• It's a hash of a short "message" that you supply at setup
• "I'm alive" timestamps are encrypted using the shared secret; if you don't use it, the "heartbeat" info is in cleartext and thus could be faked
• Comms listen on TCP port 647
Steps
• Set up two DHCP servers in a domain
• Authorize them
• Choose a name for the cluster, as each two-node team needs a name
• Set up a scope on one of them
• Right-click the scope, choose "Failover Options"
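The wizard the last step launches has a PowerShell equivalent, and doing it that way makes it easy to insist on the shared secret from the "Secure Partner Communication" slide rather than leaving the port 647 heartbeat in cleartext. The script below is an added example, not code from the talk; the server names, scope, relationship name and timer values are constructed for the example (the name scope1clus and bigfirm.com are borrowed from the later slides), and the function refuses to build the relationship without a secret.

```powershell
# Added example (not from the slides): build the two-node DHCP failover
# relationship from PowerShell with authentication of the partner heartbeat
# turned on. Server names, scope and timers below are constructed values.

function New-SecuredDhcpFailover {
    param(
        [string]$Primary = 'dhcp1.bigfirm.com',
        [string]$Partner = 'dhcp2.bigfirm.com',
        [string]$Name    = 'scope1clus',      # every two-node relationship needs a name
        [string]$ScopeId = '10.1.1.0',        # scope already created on $Primary
        # HotStandby: $Primary is active and keeps 95%, partner holds a 5% reserve
        # LoadBalance: both serve, split by MAC hash (50/50 here)
        [ValidateSet('HotStandby', 'LoadBalance')]
        [string]$Mode = 'HotStandby',
        [string]$SharedSecret
    )

    if (-not $SharedSecret) {
        throw 'Refusing to create a failover relationship without a shared secret (heartbeat would be cleartext)'
    }

    $common = @{
        ComputerName        = $Primary
        Name                = $Name
        PartnerServer       = $Partner
        ScopeId             = $ScopeId
        SharedSecret        = $SharedSecret               # SHA-2 based heartbeat authentication
        MaxClientLeadTime   = (New-TimeSpan -Minutes 20)  # MCLT: short leases while in CI mode
        AutoStateTransition = $true                       # allow CI -> PD without an admin
        StateSwitchInterval = (New-TimeSpan -Hours 2)     # ASSI: how long CI lasts before PD
    }

    if ($Mode -eq 'HotStandby') {
        Add-DhcpServerv4Failover @common -ServerRole Active -ReservePercent 5
    } else {
        Add-DhcpServerv4Failover @common -LoadBalancePercent 50
    }

    # Show what was created, including the mode and timers
    Get-DhcpServerv4Failover -ComputerName $Primary -Name $Name
}

# Read the secret at the console so it is not embedded in the script
$secret = Read-Host -Prompt 'Failover shared secret'
New-SecuredDhcpFailover -SharedSecret $secret
```

The secret is only as good as its handling: both servers hold it, so treat it like any other service credential rather than pasting it into a runbook, and the Get- call at the end is the quickest way to confirm the relationship came up in the mode you intended.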
Managing the Cluster
• At this point, the GUI kind of leaves us hanging – there's very little feedback about cluster state and there's no way to reconfigure a cluster short of deleting it and rebuilding it
• We can, however, use PowerShell
• get-dhcpserverv4failover lets us view status
• set-dhcpserverv4failover lets you
  • Failover to "Partner Down"
  • Change Maximum Client Lead Time and Auto-State Switching Interval (ASSI)
  • Enable/disable automatic failover after ASSI
Useful Commands
• set-dhcpserverv4failover clustername -autostatetransition boolean enables/disables automatic failover (transition from CI to PD)
• -maxclientleadtime hh:mm:ss changes MCLT
• -PartnerDown forces a failover
• -StateSwitchInterval hh:mm:ss changes the automatic state switch interval
• set-dhcpserverv4failover scope1clus -autostatetransition $true -StateSwitchInterval 02:00:00 -maxclientleadtime 00:20:00
Example Forced Failover
• set-dhcpserverv4failover scope1clus -partnerdown -computername Dhcp1.bigfirm.com
• Dunno why this stuff's not in the GUI, but DHCP failover's pretty nice anyway
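Because the GUI gives so little feedback, the Get-/Set- pair above is where the day-to-day operation of a failover relationship actually happens. The script below is an added example, not code from the talk, that wraps the slides' three operations (view status, retune the timers, force Partner Down) in small functions and adds the one guard a practitioner wants: forcing Partner Down only from Communications Interrupted, since in that state the survivor is already covering the partner's pool with MCLT-length leases. The server and relationship name match the slides' example values; the state string matched against is an assumption about the cmdlet's output.

```powershell
# Added example (not from the slides): operate an existing DHCP failover
# relationship from PowerShell. dhcp1.bigfirm.com and scope1clus are the
# slides' example values.

function Get-FailoverHealth {
    param(
        [string]$Server = 'dhcp1.bigfirm.com',
        [string]$Name   = 'scope1clus'
    )
    # State is the "all OK" / CommunicationInterrupted / PartnerDown view the
    # GUI hides; EnableAuth shows whether a shared secret is in use
    Get-DhcpServerv4Failover -ComputerName $Server -Name $Name |
        Select-Object Name, PartnerServer, Mode, State, EnableAuth,
                      AutoStateTransition, MaxClientLeadTime, StateSwitchInterval
}

function Set-FailoverTimers {
    param(
        [string]$Server   = 'dhcp1.bigfirm.com',
        [string]$Name     = 'scope1clus',
        [timespan]$Mclt   = '00:20:00',   # leases handed out on the partner's behalf in CI mode
        [timespan]$Assi   = '02:00:00'    # how long CI lasts before automatic PD
    )
    # Same three settings as the slide's one-liner, with automatic CI -> PD enabled
    Set-DhcpServerv4Failover -ComputerName $Server -Name $Name `
        -AutoStateTransition $true -StateSwitchInterval $Assi -MaxClientLeadTime $Mclt
}

function Invoke-PartnerDown {
    param(
        [string]$Server = 'dhcp1.bigfirm.com',
        [string]$Name   = 'scope1clus'
    )
    # Only force PD when the relationship is already in Communications
    # Interrupted; from "all OK" there is nothing to fail over from.
    # (Matching on 'Interrupted' rather than the exact enum text is an assumption.)
    $state = (Get-DhcpServerv4Failover -ComputerName $Server -Name $Name).State
    if ($state -notmatch 'Interrupted') {
        throw "Failover '$Name' is in state '$state'; Partner Down is only forced from Communications Interrupted"
    }
    Set-DhcpServerv4Failover -ComputerName $Server -Name $Name -PartnerDown
}

Get-FailoverHealth | Format-List
```

Run Get-FailoverHealth from a scheduled task and alert on anything other than the normal state: a relationship that has sat in Communications Interrupted for longer than the ASSI with AutoStateTransition off is exactly the "things stay that way forever" situation the slides describe.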
Thank You
• I hope this was useful
• Find me at help@minasi.com
• Newsletters at www.minasi.com
• Info on two-day Server 2012 classes in Chicago next week, Dallas, San Francisco, DC, Atlanta and Stamford, CT there also
• Tweeting on mminasi
• Please don't forget an eval!
Track resources
• Learn more about Windows Server 2012 R2 Preview, download the datasheet and evaluation bits on http://aka.ms/WS2012R2
• Learn more about System Center 2012 R2 Preview, download the datasheet and evaluation bits on http://aka.ms/SC2012R2
Resources
• msdn: Resources for Developers, http://microsoft.com/msdn
• Learning: Microsoft Certification & Training Resources, www.microsoft.com/learning
• TechNet: Resources for IT Professionals, http://microsoft.com/technet
• Sessions on Demand: http://channel9.msdn.com/Events/TechEd
Evaluate this session
• Scan this QR code to evaluate this session and be automatically entered in a drawing to win a prize
© 2013 Microsoft Corporation. All rights reserved. Microsoft, Windows and other product names are or may be registered trademarks and/or trademarks in the U.S. and/or other countries. The information herein is for informational purposes only and represents the current view of Microsoft Corporation as of the date of this presentation. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information provided after the date of this presentation. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.