Windows cluster network configuration best practices

Before you start working with a server cluster, review the following information:

Tip: This article describes the server cluster requirements and best practices for the network infrastructure of a Microsoft Windows 2000 or Windows Server 2003 server cluster. The requirements must be met for the cluster to run properly. The best practices are recommendations drawn from deployment feedback and problems seen in the field.

Cluster Network requirements
This section describes the network infrastructure requirements for server clusters. A server cluster solution must meet these requirements to run properly.
General requirements
This section describes the requirements that apply to the deployment of all server clusters.
All cluster hardware configurations must be selected from the cluster Hardware Compatibility List (HCL). The network interface controllers (NICs) and any other components used in a certified cluster configuration must carry the Windows logo and be listed in the Microsoft hardware compatibility list.
Note: A cluster configuration built from components that are listed on the general HCL but not on the cluster HCL is not a qualified configuration.
Two or more independent networks must connect the nodes of the cluster to avoid a single point of failure (SPOF). At least two local area networks (LANs) are required; cluster configurations with a single network are not supported.
Each cluster network must fail independently of all other cluster networks. That is, two cluster networks must not share a component whose failure would bring both networks down at the same time. For example, using a multi-port NIC to connect a node to two cluster networks usually does not meet this requirement, because the ports are not independent. Likewise, two networks that share one switch have a single point of failure. The simplest way to ensure that your cluster meets this requirement is to build each cluster network from physically separate components.
All adapters that connect nodes to the same cluster network must use the same communication settings, such as speed, duplex mode, flow control, and media type. If the adapters are connected to a switch, the port configuration of the switch must match the configuration of these adapters.
Each cluster network must be configured as a single IP subnet, and its subnet number must differ from that of every other cluster network. For example, a cluster can use two networks configured with the subnet addresses 10.1.x.x and 10.2.x.x and the mask 255.255.0.0. Node addresses can be assigned dynamically by DHCP, but we recommend manually configured static addresses (see "Cluster Network Best Practices"). Automatic Private IP Addressing (APIPA) cannot be used for cluster networks; APIPA also cannot be used on computers that are connected to multiple networks.
At least two cluster networks must be configured to support internal communication between cluster nodes, to avoid a single point of failure. That is, the Cluster service role of these networks must be set to "Internal cluster communications only" or "All communications". Typically, one network is dedicated to internal cluster communication (see "Cluster Network Best Practices").
NIC teaming is not currently supported on all cluster networks. At least one cluster network that supports internal communication between cluster nodes must not be teamed; typically, this is the network dedicated to that traffic. NIC teaming is acceptable on the other cluster networks. However, if a communication problem occurs on a teamed network, Microsoft Product Support Services may require that teaming be disabled. If this resolves the problem, you must seek further help from the vendor of the teaming solution.
The cluster nodes must be members of a domain. The domain configuration must meet the following requirements to avoid a single point of failure during authentication:
The domain must have at least two domain controllers. If DNS is used for name resolution, at least two DNS servers must be configured, and the DNS servers should support dynamic updates. Each domain controller and cluster node must have one primary DNS server and at least one secondary DNS server. If the domain controllers are also DNS servers, each domain controller should point to itself for primary DNS resolution and to the other DNS servers for secondary resolution. At least two domain controllers must be configured as Global Catalog servers.
Geographically dispersed clusters
This section describes the additional requirements for geographically dispersed clusters:
The nodes of a cluster can be located on different physical networks. However, the private and public network connections between cluster nodes must appear as a single, non-routed LAN, using a technology such as virtual LAN (VLAN).
The round-trip communication latency between any two cluster nodes must not exceed 500 milliseconds.
Each VLAN must fail independently of all other cluster networks.
Because of the complexity of geographically dispersed clusters, any problem requires help from the hardware manufacturer or vendor. Such clusters usually require third-party software and drivers to work properly, and Microsoft Product Support Services may not know how these components interact with Windows clustering.
Cluster Network Best Practices
This section describes the network best practices for deploying server clusters.
Hardware planning suggestions
Use identical NICs in all cluster nodes; that is, each adapter should have the same manufacturer, model, and firmware version.
Reserve one network for internal communication between cluster nodes; this is the private network. Use the other networks to communicate with clients; these are the public networks. Do not use NIC teaming on the private network.
Network interface controller configuration suggestions
Manually set the speed and duplex mode of each cluster NIC; do not rely on auto-detection. Some adapters drop packets while the network settings are being auto-negotiated. All adapters on a network must be configured with the same speed and duplex mode. If the adapters are connected to a switch, make sure that the port configuration of the switch matches the configuration of these adapters.
For the private network, use static IP addresses on all nodes. Choose addresses from the following private ranges:

10.0.0.0-10.255.255.255 (Class A network)
172.16.0.0-172.31.255.255 (Class B network)
192.168.0.0-192.168.255.255 (Class C network)

For public networks, use static IP addresses on all nodes. Dynamic configuration with DHCP is not recommended, because cluster operation is interrupted if a DHCP lease cannot be renewed.
Do not configure a DNS server, WINS server, or default gateway on a private NIC.
Configure the WINS or DNS servers on the public NICs. If Network Name resources are deployed on a public network, the DNS server should support dynamic updates; otherwise, you will be prompted to update the name-to-IP-address mapping during failover.
If the cluster nodes use a public NIC to communicate with clients or services on remote subnets, a default gateway must be configured on those NICs. Note that on a node with multiple public networks, configuring a default gateway on more than one network can cause routing problems.
On each cluster node, set the network connection sequence:
Public Network-highest priority
Private Network
Remote network connection-lowest priority
Change the default name of each network connection to clearly indicate its purpose. For example, rename the private network connection from "Local Area Connection (X)" to "Private Cluster Network".
The private LAN should be isolated: only cluster nodes should be connected to the private subnet. If multiple clusters exist, use the same subnet for the private network of all clusters. However, other network infrastructure (such as domain controllers, WINS servers, and DHCP servers) must not be placed on the private subnet.
To create an isolated network segment, use a switch that can create VLAN segments, or use a hub. For a two-node server cluster, a crossover cable can also be used.
Disable the TCP/IP media sense feature so that the TCP/IP configuration, and the corresponding cluster network configuration, is not dropped if a cable is disconnected or link is lost. Add the following registry value on each node:

Key: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters
Value: DisableDHCPMediaSense
Data type: REG_DWORD
Data: 1
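As an added check that is not part of the original article, the Python script below validates a per-node adapter description against the rules above: at least two networks on distinct subnets, one network dedicated to internal communication, static non-APIPA addresses, matching speed and duplex on every adapter of a network, private addresses inside the RFC 1918 ranges, and no default gateway or DNS server on the private NIC. The node names, addresses and the `nic`/`check_cluster_networks` helpers are constructed for this example; in practice the data would be transcribed from ipconfig /all on each node.

```python
import ipaddress

# Constructed sample config (not from the article): one dict per node, one NIC per cluster network.
PRIVATE_RANGES = [ipaddress.ip_network(r) for r in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
APIPA = ipaddress.ip_network("169.254.0.0/16")  # Automatic Private IP Addressing, not allowed

def nic(role, ip, mask, gateway=None, dns=(), dhcp=False, speed="100", duplex="full"):
    """Describe one adapter; role is 'private' (heartbeat) or 'public' (client-facing)."""
    return dict(role=role, ip=ip, mask=mask, gateway=gateway, dns=list(dns),
                dhcp=dhcp, speed=speed, duplex=duplex)

def check_cluster_networks(nodes):
    """Return a list of findings; an empty list means the config meets the article's rules."""
    findings = []
    networks = {}  # network name -> [(node, adapter), ...]
    for node, nics in nodes.items():
        for net, adapter in nics.items():
            networks.setdefault(net, []).append((node, adapter))
    if len(networks) < 2:
        findings.append("fewer than two cluster networks; a single network is not supported")
    if not any({a["role"] for _, a in m} == {"private"} for m in networks.values()):
        findings.append("no network is dedicated to internal cluster communication")
    subnets = {}  # IP subnet -> set of network names using it (must be unique per network)
    for net, members in networks.items():
        reference = members[0][1]  # every adapter on a network must match this one
        for node, a in members:
            iface = ipaddress.ip_interface(f"{a['ip']}/{a['mask']}")
            subnets.setdefault(iface.network, set()).add(net)
            if iface.ip in APIPA:
                findings.append(f"{node}/{net}: APIPA address {iface.ip} is not allowed")
            if a["dhcp"]:
                findings.append(f"{node}/{net}: DHCP-assigned address; use a static address")
            if (a["speed"], a["duplex"]) != (reference["speed"], reference["duplex"]):
                findings.append(f"{node}/{net}: speed/duplex differs from other adapters on this network")
            if a["role"] == "private":
                if a["gateway"] or a["dns"]:
                    findings.append(f"{node}/{net}: private NIC must have no default gateway or DNS server")
                if not any(iface.ip in r for r in PRIVATE_RANGES):
                    findings.append(f"{node}/{net}: private address {iface.ip} is outside the RFC 1918 ranges")
    for subnet, names in subnets.items():
        if len(names) > 1:
            findings.append(f"subnet {subnet} is shared by networks {sorted(names)}")
    return findings

# Constructed two-node sample with two deliberate mistakes on NODE2's private NIC.
SAMPLE_NODES = {
    "NODE1": {"Public": nic("public", "192.0.2.11", "255.255.255.0", gateway="192.0.2.1", dns=["192.0.2.5"]),
              "Private": nic("private", "10.1.1.1", "255.255.0.0")},
    "NODE2": {"Public": nic("public", "192.0.2.12", "255.255.255.0", gateway="192.0.2.1", dns=["192.0.2.5"]),
              "Private": nic("private", "10.1.1.2", "255.255.0.0", gateway="10.1.0.1", duplex="half")},
}

if __name__ == "__main__":
    for finding in check_cluster_networks(SAMPLE_NODES):
        print(finding)
```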

Cluster service configuration suggestions
Set the private network role to "Internal cluster communications only". Make sure that the role of each public network is set to "All communications" (this is the default).
Give the private network the highest priority for internal cluster communication.
Implementation of best practices
This section describes how to implement the best practices.
Configure the network interface controllers before configuring the Cluster service
Configure the speed of each NIC as follows:

Open "Control Panel". Open "Network Connections". Right-click the connection and select "Properties".
Click "Configure" and select the "Advanced" tab.
Use the drop-down list to set the required network speed.
Make sure that the other settings (such as "Duplex Mode") are the same on all adapters.

Configure the "Internet Protocol" settings for the private NIC as follows:

Return to "Network Connections". Open the "Properties" of the corresponding connection object.
Make sure that the "Internet Protocol (TCP/IP)" check box is selected.
Highlight "Internet Protocol" and select "Properties".
Click the "Use the following IP address" radio button, and then enter the static address.
Make sure that no default gateway is configured for the private network.
Make sure that the "Use the following DNS server addresses" box is empty. Click "Advanced". On the DNS tab, confirm that no values are defined. Make sure that the "Register this connection's addresses in DNS" and "Use this connection's DNS suffix in DNS registration" check boxes are cleared. Note: If the cluster node is also a DNS server, the IP address 127.0.0.1 appears in the list and remains there.
Configure the network connection order as follows:
Return to "Network Connections". Select "Advanced", and then "Advanced Settings". In the Connections box, arrange the network connections in the following order:
Public Network
Private Network
Remote Access Connections
Follow these steps to change the default name of a network connection:
Return to "Network Connections". Right-click the network connection object. Select "Rename". Edit the name.
The name of the connection object that represents a given network (such as the private network) must be the same on all nodes. If the names differ, the Cluster service selects one name and changes the others to match it.
Configure the cluster network properties after configuring the Cluster service
Windows 2000
When you install the cluster software, a "Configure Cluster Networks" dialog box appears for each network (in any order). For the public network, make sure that the name and IP address match the public network interface, select the "Enable this network for cluster use" check box, and select "All communications (mixed network)". For the private network, make sure that the name and IP address match the private network interface, select the "Enable this network for cluster use" check box, and select the "Internal cluster communications only" option.
The default configuration during installation sets the public network adapter to "All communications" and the private (heartbeat) network adapter to "Internal cluster communications only". Microsoft recommends that you keep this default configuration. For the cluster to install and operate properly, at least one network must be configured as "Internal cluster communications only" or "All communications".
Windows Server 2003
The Windows Server 2003 cluster configuration wizard does not allow you to change network settings during configuration. By default, "All communications" is enabled for all networks, which ensures that the cluster works. To follow the best practices, use the following steps to configure one network as the private network and make it the preferred network for internal cluster communication:

Set the private network role to "Internal cluster communications only" as follows:

In "Cluster Manager", double-click the cluster name. A "Cluster Configuration" folder appears.
Double-click the "Cluster Configuration" folder, and then double-click the "Networks" folder to view all available cluster networks.
Select the network to be used for private cluster communication, and then select "Properties".
The properties of this network list the available roles (for example, "Client access only"). For the private network, make sure that the "Enable this network for cluster use" check box is selected and that the "Internal cluster communications only" role is selected.

Configure the private network as the preferred network for internal cluster communication as follows:

In "Cluster Manager", select the cluster and then select "Properties".
On the "Network Priority" tab, make sure that the private network is at the top of the list.
If it is not, use the "Move Up" button to raise its priority.

IPSec
Although Internet Protocol Security (IPsec) can be used with applications that fail over in a server cluster, IPsec was not designed for failover scenarios. We therefore recommend that you do not use IPsec for applications in a server cluster.
The main problem is that, on failover, the Internet Key Exchange (IKE) security associations (SAs) are not transferred from one server to another, because they are stored in a local database on each node.
In an IPsec-protected connection, an IKE SA is created during the Phase 1 negotiation, and two IPsec SAs are created in Phase 2. Timeout values are associated with both the IKE SA and the IPsec SAs. If perfect forward secrecy (PFS) is not used, the IKE SA key material is used to create the IPsec SAs. In that case, the client must wait for the default timeout or lifetime of the inbound IPsec SA to expire, and then for the timeout or lifetime of the IKE SA.
The default idle timeout of a security association is 5 minutes. On failover, the client must therefore wait at least 5 minutes after all resources come online before it can re-establish the connection with IPsec.
Although IPsec was not designed for cluster environments, you can still use it if the importance of secure connections outweighs the risk of client downtime caused by failover.
NetBIOS
In Windows Server 2003, the Cluster service does not require NetBIOS. However, disabling NetBIOS affects some services. Be aware of the following:
By default, NetBIOS is enabled on the cluster "IP Address" resource when the cluster is configured. After the cluster is created, disable NetBIOS by clearing the check box on the Parameters tab of the "Cluster IP Address" resource properties.
When you create additional "IP Address" resources, clear the "NetBIOS" check box.
When NetBIOS is disabled, you cannot use the "Browse" function of "Cluster Manager" when opening a connection to a cluster, because "Cluster Manager" uses NetBIOS to enumerate all clusters in the domain.
File and print services do not work, because no virtual names are added as redirector endpoints.
If the cluster name is specified, "Cluster Manager" cannot connect: it calls GetNodeClusterState, which uses the Remote Registry API, which in turn uses a named pipe based on the virtual name.
