NLB on DC's for DNS load balancing

 
 
BSweeney
      07-10-2007, 08:50 PM
I am working in an environment that has a mix of current Windows servers, IBM
Mainframes, and HP Mainframes. The mainframe can only use a single DNS
address, so I have a single point of failure. If that DC goes down, then the
mainframes will be unable to perform a number of their functions. What I
want to do is install Network Load Balancing on two of my domain controllers,
then tell the Mainframes to use the resulting virtual IP address as their DNS
server. I have three questions:

1. Will this work at all?
2. If it does work, are there any serious security concerns associated with
this design?
3. If it will work securely, are there any special considerations I should
take into account during implementation, such as port settings?
 
DevilsPGD
      07-10-2007, 10:19 PM
In message <66F50DCD-2B94-4EDD-98E0-(E-Mail Removed)> BSweeney
<(E-Mail Removed)> wrote:

>I am working in an environment that has a mix of current Windows servers, IBM
>Mainframes, and HP Mainframes. The mainframe can only use a single DNS
>address, so I have a single point of failure. If that DC goes down, then the
>mainframes will be unable to perform a number of their functions. What I
>want to do is install Network Load Balancing on two of my domain controllers,
>then tell the Mainframes to use the resulting virtual IP address as their DNS
>server. I have three questions:
>
>1. Will this work at all?
>2. If it does work, are there any serious security concerns associated with
>this design?
>3. If it will work securely, are there any special considerations I should
>take into account during implementation, such as port settings?


I can't say I've ever tried it, I don't have that much guts on my DCs.

One question I do have, is there a need to have the mainframes talk
directly to your AD servers? If not, I'd feel more comfortable looking
at a couple lower end servers to act as DNS servers which forward to
your existing DNS infrastructure.

--
If quitters never win, and winners never quit,
what fool came up with, "Quit while you're ahead"?
 
BSweeney
      07-11-2007, 12:08 PM
I haven't eliminated that idea, which also crossed my mind. For licensing
reasons, I am trying not to deploy any additional servers, and I don't really
have any other servers that are viable candidates. I may try it in a virtual
environment today with that format, however.

"DevilsPGD" wrote:

> In message <66F50DCD-2B94-4EDD-98E0-(E-Mail Removed)> BSweeney
> <(E-Mail Removed)> wrote:
>
> >I am working in an environment that has a mix of current Windows servers, IBM
> >Mainframes, and HP Mainframes. The mainframe can only use a single DNS
> >address, so I have a single point of failure. If that DC goes down, then the
> >mainframes will be unable to perform a number of their functions. What I
> >want to do is install Network Load Balancing on two of my domain controllers,
> >then tell the Mainframes to use the resulting virtual IP address as their DNS
> >server. I have three questions:
> >
> >1. Will this work at all?
> >2. If it does work, are there any serious security concerns associated with
> >this design?
> >3. If it will work securely, are there any special considerations I should
> >take into account during implementation, such as port settings?

>
> I can't say I've ever tried it, I don't have that much guts on my DCs.
>
> One question I do have, is there a need to have the mainframes talk
> directly to your AD servers? If not, I'd feel more comfortable looking
> at a couple lower end servers to act as DNS servers which forward to
> your existing DNS infrastructure.
>
> --
> If quitters never win, and winners never quit,
> what fool came up with, "Quit while you're ahead"?
>

 
DevilsPGD
      07-12-2007, 02:23 AM
In message <95F8DD3D-9C2C-4BD5-BE7C-(E-Mail Removed)> BSweeney
<(E-Mail Removed)> wrote:

>I haven't eliminated that idea, which also crossed my mind. For licensing
>reasons, I am trying not to deploy any additional servers, and I don't really
>have any other servers that are viable candidates. I may try it in a virtual
>environment today with that format, however.


Licensing wouldn't have to be an issue, a couple BSD or Linux boxes
would do the trick (I know, I know, possibly naughty words here)

Finding the hardware might be more of an issue, plus the skillset to
manage the boxes, so it may well be more trouble than it's worth.

Another thought, if you had licenses but not hardware, these machines
would be reasonable candidates for virtualization if you can handle the
relatively minor performance impact.

--
If quitters never win, and winners never quit,
what fool came up with, "Quit while you're ahead"?
 
BSweeney
      07-12-2007, 11:48 AM
Actually, we run about 70 of our servers off VMWare, including all but one of
our local DC's. Whichever boxes run this solution will almost certainly be
virtual. I'll be performing a test run today in a virtual environment. I'll
let you know how it goes.

"DevilsPGD" wrote:

> In message <95F8DD3D-9C2C-4BD5-BE7C-(E-Mail Removed)> BSweeney
> <(E-Mail Removed)> wrote:
>
> >I haven't eliminated that idea, which also crossed my mind. For licensing
> >reasons, I am trying not to deploy any additional servers, and I don't really
> >have any other servers that are viable candidates. I may try it in a virtual
> >environment today with that format, however.

>
> Licensing wouldn't have to be an issue, a couple BSD or Linux boxes
> would do the trick (I know, I know, possibly naughty words here)
>
> Finding the hardware might be more of an issue, plus the skillset to
> manage the boxes, so it may well be more trouble than it's worth.
>
> Another thought, if you had licenses but not hardware, these machines
> would be reasonable candidates for virtualization if you can handle the
> relatively minor performance impact.
>
> --
> If quitters never win, and winners never quit,
> what fool came up with, "Quit while you're ahead"?
>

 
BSweeney
      07-12-2007, 06:24 PM
Ok, I built up two DC's, each with DNS, and created a domain on a private
VMWare network with IP addresses of 192.168.109.128 and 192.168.109.129
respectively. I then added each of the DC's as a node in an NLB cluster with
a cluster IP address of 192.168.109.130 and manually created the host records
for the cluster in DNS. I added a virtual XP machine to the domain, and
statically assigned an IP address of 192.168.109.131 and configured
192.168.109.130 as the only DNS server. I created a number of false host
records in DNS then began my tests. Here are the results:

1. Attempted to ping "Test1" with both nodes of the cluster active. Ping
successfully resolved 192.168.109.132.

2. Disabled the nic on DC1 and attempted to ping "Test2" with only one node
of the cluster active. Ping successfully resolved 192.168.109.133.

3. Enabled the nic on DC1, and disabled the nic on DC2, then attempted to
ping "Test3" with only one node of the cluster active. Ping successfully
resolved 192.168.109.134.

4. Disabled nics on both DC's, then attempted to resolve "Test4". This
failed of course, but had to be done for good measure.

So, I proved that I can load balance DNS, but I'm not sure about how it will
impact active directory. Both DC's resolve to their unique IP's, so AD
should not be affected, but it is hard to say what would and would not happen
in a live environment with numerous transactions and regular AD replication
taking place. I suspect those problems would be resolved by implementing the
registry key defined in KB article 898867. Either way, I'm probably going to
try this in my live environment.

If anyone thinks that would be a bad idea for any particular reason then now
would be a great time to make your voice heard.

"BSweeney" wrote:

> Actually, we run about 70 of our servers off VMWare, including all but one of
> our local DC's. Whichever boxes run this solution will almost certainly be
> virtual. I'll be performing a test run today in a virtual environment. I'll
> let you know how it goes.
>
> "DevilsPGD" wrote:
>
> > In message <95F8DD3D-9C2C-4BD5-BE7C-(E-Mail Removed)> BSweeney
> > <(E-Mail Removed)> wrote:
> >
> > >I haven't eliminated that idea, which also crossed my mind. For licensing
> > >reasons, I am trying not to deploy any additional servers, and I don't really
> > >have any other servers that are viable candidates. I may try it in a virtual
> > >environment today with that format, however.

> >
> > Licensing wouldn't have to be an issue, a couple BSD or Linux boxes
> > would do the trick (I know, I know, possibly naughty words here)
> >
> > Finding the hardware might be more of an issue, plus the skillset to
> > manage the boxes, so it may well be more trouble than it's worth.
> >
> > Another thought, if you had licenses but not hardware, these machines
> > would be reasonable candidates for virtualization if you can handle the
> > relatively minor performance impact.
> >
> > --
> > If quitters never win, and winners never quit,
> > what fool came up with, "Quit while you're ahead"?
> >

 
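The failover test described above (resolve a name through the cluster address, then repeat with each node's NIC disabled) is worth scripting so it can be rerun after the live rollout, and so that each node's own address is probed alongside the VIP; a node that stops answering while the VIP still responds is exactly the silent failure the lab run exercised. The following is an added example in Python, not code from the thread or from any tool it mentions. It hand-builds an A query over UDP/53 instead of using a resolver library, reuses the thread's lab addresses (VIP 192.168.109.130, nodes .128 and .129), and the hostname `test1.lab.example` and the canned response used for the offline check are constructed.

```python
"""Probe a DNS cluster VIP and each node's own address with a hand-built A query.

Added example (not from the thread). Assumes UDP/53 is reachable from the
probing host; the hostname and the canned response below are constructed.
"""
from __future__ import annotations

import random
import socket
import struct

DNS_PORT = 53


def build_a_query(name: str, txid: int) -> bytes:
    """Encode a recursive A/IN query for `name` with transaction id `txid`."""
    # flags 0x0100 = standard query with RD set; one question, no other records
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    labels = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"
    return header + qname + struct.pack("!HH", 1, 1)  # QTYPE=A, QCLASS=IN


def _skip_name(data: bytes, offset: int) -> int:
    """Return the offset just past a domain name, handling compression pointers."""
    while True:
        length = data[offset]
        if length == 0:
            return offset + 1
        if length & 0xC0 == 0xC0:  # two-byte pointer ends the name
            return offset + 2
        offset += 1 + length


def parse_a_answers(response: bytes, txid: int) -> list[str]:
    """Return IPv4 addresses from the answer section; raise on id mismatch or RCODE != 0."""
    rid, flags, qdcount, ancount, _ns, _ar = struct.unpack("!HHHHHH", response[:12])
    if rid != txid:
        raise ValueError("transaction id mismatch (stray or spoofed reply)")
    if not flags & 0x8000:
        raise ValueError("not a response (QR bit clear)")
    rcode = flags & 0x000F
    if rcode != 0:
        raise ValueError(f"server returned RCODE {rcode}")
    offset = 12
    for _ in range(qdcount):  # skip echoed question(s): name + QTYPE + QCLASS
        offset = _skip_name(response, offset) + 4
    addrs: list[str] = []
    for _ in range(ancount):
        offset = _skip_name(response, offset)
        rtype, rclass, _ttl, rdlength = struct.unpack("!HHIH", response[offset:offset + 10])
        offset += 10
        rdata = response[offset:offset + rdlength]
        offset += rdlength
        if rtype == 1 and rclass == 1 and rdlength == 4:
            addrs.append(socket.inet_ntoa(rdata))
    return addrs


def resolve_a(server: str, name: str, timeout: float = 2.0) -> list[str]:
    """Query one server over UDP/53; an empty list means no usable answer in time."""
    txid = random.randrange(0, 0x10000)
    query = build_a_query(name, txid)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        try:
            sock.sendto(query, (server, DNS_PORT))
            data, _peer = sock.recvfrom(512)
        except socket.timeout:
            return []
    try:
        return parse_a_answers(data, txid)
    except ValueError:
        return []


def probe_cluster(vip: str, nodes: list[str], name: str) -> dict[str, list[str]]:
    """Probe the VIP and every node address. A node answering [] while the VIP
    still answers is the single-node failure a VIP-only check would hide."""
    return {addr: resolve_a(addr, name) for addr in [vip, *nodes]}


def sample_response(txid: int, rcode: int = 0) -> bytes:
    """Constructed reply: test1.lab.example -> 192.168.109.132 (as in lab test 1),
    or an empty answer section carrying the given RCODE (e.g. 3 = NXDOMAIN)."""
    ancount = 0 if rcode else 1
    header = struct.pack("!HHHHHH", txid, 0x8180 | rcode, 1, ancount, 0, 0)
    question = b"\x05test1\x03lab\x07example\x00" + struct.pack("!HH", 1, 1)
    if rcode:
        return header + question
    # name as a pointer to offset 12 (the question name), A/IN, TTL 3600, 4-byte RDATA
    answer = b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 3600, 4) + socket.inet_aton("192.168.109.132")
    return header + question + answer


if __name__ == "__main__":
    # Lab addresses from the thread: cluster VIP .130, nodes .128 and .129
    results = probe_cluster("192.168.109.130",
                            ["192.168.109.128", "192.168.109.129"],
                            "test1.lab.example")
    for addr, answer in results.items():
        print(f"{addr}: {answer or 'NO ANSWER'}")
```

Run it from the mainframe's network segment rather than from a DC, so the probe crosses the same path the mainframe's single configured resolver address does; the transaction id check matters because a stray reply from the other node, or anything else on the segment, must not be counted as a success.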
DevilsPGD
      07-17-2007, 04:56 AM
In message <0766EDBF-0AAE-4E91-AB86-(E-Mail Removed)> BSweeney
<(E-Mail Removed)> wrote:

>If anyone thinks that would be a bad idea for any particular reason then now
>would be a great time to make your voice heard.


How did it go?

--
If quitters never win, and winners never quit,
what fool came up with, "Quit while you're ahead"?
 
BSweeney
      07-17-2007, 12:52 PM
It hasn't yet. The mainframe team wants me to wait until a scheduled outage
that they have next week before I can set it up, since the information flow
to the DC's in question will probably be interrupted during the setup. I'll
post again as soon as I get it going.

"DevilsPGD" wrote:

> In message <0766EDBF-0AAE-4E91-AB86-(E-Mail Removed)> BSweeney
> <(E-Mail Removed)> wrote:
>
> >If anyone thinks that would be a bad idea for any particular reason then now
> >would be a great time to make your voice heard.

>
> How did it go?
>
> --
> If quitters never win, and winners never quit,
> what fool came up with, "Quit while you're ahead"?
>

 
Ryan Hanisco
      07-25-2007, 03:02 AM
Hi BSweeney,

Running NLB on a DC will absolutely kill you. The only time you ever want
to do this is for running NLB clustered web servers or with applications that
are specifically designed for this. Do Not Do This!!!!

If you are looking for DNS redundancy, create a secondary zone and allow the
DNS on the Mainframe to update that as the primary. You should also have a
separate, internal DNS zone that is AD integrated for the servers and
workstations in your domain. From there your workstations can look to the
higher-level DNS on the Mainframe/ secondary for those resources.

--
Ryan Hanisco
MCSE, MCTS: SQL 2005, Project+
Chicago, IL

Remember: Marking helpful answers helps everyone find the info they need
quickly.


"BSweeney" wrote:

> It hasn't yet. The mainframe team wants me to wait until a scheduled outage
> that they have next week before I can set it up, since the information flow
> to the DC's in question will probably be interrupted during the setup. I'll
> post again as soon as I get it going.
>
> "DevilsPGD" wrote:
>
> > In message <0766EDBF-0AAE-4E91-AB86-(E-Mail Removed)> BSweeney
> > <(E-Mail Removed)> wrote:
> >
> > >If anyone thinks that would be a bad idea for any particular reason then now
> > >would be a great time to make your voice heard.

> >
> > How did it go?
> >
> > --
> > If quitters never win, and winners never quit,
> > what fool came up with, "Quit while you're ahead"?
> >

 
BSweeney
      07-25-2007, 12:40 PM
Ryan,

Thank you for the feedback. Our DNS environment is fine. My problem is that
the Mainframes do not support primary and secondary IP addresses when
specifying DNS servers. If the physical server that the mainframe is pointed
to goes down, then the mainframe has no access to DNS. What you recommended
does not resolve that key issue. I have two questions:

1. What would you recommend to resolve this problem?

2. While I am not arguing with you, can you tell me WHY running NLB on the
DC/DNS server is bad? It appeared to work well in my lab environment, though
I realize that my lab is a far cry from my live environment.

"Ryan Hanisco" wrote:

> Hi BSweeney,
>
> Running NLB on a DC will absolutely kill you. The only time you ever want
> to do this is for running NLB clustered web servers or with applications that
> are specifically designed for this. Do Not Do This!!!!
>
> If you are looking for DNS redundancy, create a secondary zone and allow the
> DNS on the Mainframe to update that as the primary. You should also have a
> separate, internal DNS zone that is AD integrated for the servers and
> workstations in your domain. From there your workstations can look to the
> higher-level DNS on the Mainframe/ secondary for those resources.
>
> --
> Ryan Hanisco
> MCSE, MCTS: SQL 2005, Project+
> Chicago, IL
>
> Remember: Marking helpful answers helps everyone find the info they need
> quickly.
>
>
> "BSweeney" wrote:
>
> > It hasn't yet. The mainframe team wants me to wait until a scheduled outage
> > that they have next week before I can set it up, since the information flow
> > to the DC's in question will probably be interrupted during the setup. I'll
> > post again as soon as I get it going.
> >
> > "DevilsPGD" wrote:
> >
> > > In message <0766EDBF-0AAE-4E91-AB86-(E-Mail Removed)> BSweeney
> > > <(E-Mail Removed)> wrote:
> > >
> > > >If anyone thinks that would be a bad idea for any particular reason then now
> > > >would be a great time to make your voice heard.
> > >
> > > How did it go?
> > >
> > > --
> > > If quitters never win, and winners never quit,
> > > what fool came up with, "Quit while you're ahead"?
> > >

 