TECHPRO.MS

Overview of Windows Vista and Windows Server 2008 performance improvements

This is just an overview; I am including several links with more detail on Windows Vista and Windows Server 2008 networking. You can take this as far as you like; it is a very deep rabbit hole.

For simplicity I am going to compare Windows XP and Windows Vista. Please remember that Windows Server 2008 contains the updated networking stack that was introduced in Windows Vista so the comparison is still valid.

We have had a few support calls in Networking Support lately where people are comparing network performance between operating systems and they want to know two things:

1. Why is Windows Vista so much faster on the network when connecting to another Windows Vista or Windows Server 2008 system, especially for SMB?
2. How do I make Windows XP perform like Windows Vista?

Actually, the second question is usually asked more along the line of "why is my Windows XP computer broken and what can I do to "fix" it?" but I think you get the point.

Let me start by saying that there is nothing "wrong" with Windows XP.  It is not "broken" and does not need to be "fixed".

To answer question 2 first, you will never get Windows XP to perform exactly like Windows Vista from a networking perspective; the network stack is very different between the two. There are some changes that can be made to Windows XP that may affect performance. Notice that I said "changes". This is because in some of these changes there are potential tradeoffs to resources on the local system that could negatively impact overall system performance and could change the behavior of TCP in a way that may actually decrease performance on the network. In some instances making these changes on a large scale to several clients could even negatively impact the overall performance of your entire network. 

So why the difference?

I recently had a call from a customer who was seeing up to a 7 times performance improvement when transferring files between two systems running Windows Vista, compared to transferring the same files between two Windows XP systems. I found this fairly impressive since in the testing and studies I have read about the expected improvement was generally about 3.5 times. So I agreed to investigate to ensure that there was in fact not a problem with Windows XP. After reviewing much data and testing some changes on the Windows XP system we concluded that he was in fact seeing that much better performance across the wire for his Windows Vista systems.

To answer question one, what changed that could explain such a difference in performance? Well, a lot. Starting with Windows Vista we have a new network stack. The Cable Guy, aka Joe Davies (you may have noticed his name on the cover of some of the MS Press books), has written some good overviews of the new network stack, you can find them at the following links.

Next Generation TCP/IP Stack in Windows Vista and Windows Server 2008
http://technet.microsoft.com/en-us/library/bb878108.aspx
Performance Enhancements in the Next Generation TCP/IP Stack
http://technet.microsoft.com/en-us/library/bb878127.aspx

Some of the really cool stuff that has been added to the new network stack is:

• Receive Windows auto-tuning - Allows for tuning the maximum receive window size based on current network conditions.
• Compound TCP - This allows for more aggressive increase of the send window especially in high bandwidth and high delay networks.
• ECN Support - Allows routers that are experience congestion to mark packets so peers who receive these packets can lower their transmission rates.

I hope everyone reading this can appreciate how huge this is. More aggressive send and receive and more intelligent congestion avoidance! If you’re a network admin and you didn't already know about this and your still in your chair, check your pulse, you should be dancing about and people should be looking at you like you have lost your mind. This is part of the "magic" that will allow for more throughput while also avoiding congestion so fewer retransmitted packets. Yay!

But then you have to sit down and realize that these are changes to the very core of the networking stack and these changes which involve large amounts of code changes can never be made to Windows XP, the new stack is just too different.

But that's not all, act now and receive...

So besides the network stack there is another improvement. This is more at an application layer but very important for things like file copies.

Let me point out again that the better performance we saw was doing a file copy between Windows Vista or Windows Server 2008 connecting to another Windows Vista or Windows 2008 system. One reason this is significant is something called SMB2. SMB2 is only available starting with Windows Vista so even if you are on a Windows Vista client, if you connect to a Windows XP or Windows Server 2003 system you will not be able to take advantage of the improvements made in SMB2.

A good quick overview of SMB2 is actually on the Performance Team blog.
http://blogs.technet.com/askperf/archive/2008/05/30/two-minute-drill-overview-of-smb-2-0.aspx

Some of the changes made in SMB2 include;

• Sending multiple SMB commands in the same packet which reduces the number of packets sent between a client and server
• Larger buffer sizes
• Increased scalability in terms of the number of shares, users, and simultaneously open files
• Support for Durable Handles - These are handles that can survive a network disconnect.

So this also translates to a much improved user experience for anything using SMB 2, such as file copies.

In summary

As I mentioned this was just an overview but I wanted to make sure everyone understands why they may be seeing some difference in the performance of legacy systems and Windows Vista and Windows server 2008 and also help explain why these changes won't be back ported to the legacy systems.

References:

For a comparison of Windows XP and Windows Vista networking performance, see the results of the the analysis done by The Tolly Group.  This can be downloaded from the following link.
http://www.microsoft.com/downloads/details.aspx?FamilyID=04cad8b9-9f9f-453a-893a-458d22dbb3c5&DisplayLang=en
Mark Russinovich's blog "Inside Vista SP1 File Copy Improvements."
http://blogs.technet.com/markrussinovich/archive/2008/02/04/2826167.aspx
Next Generation TCP/IP Stack in Windows Vista and Windows Server 2008
http://technet.microsoft.com/en-us/library/bb878108.aspx
Performance Enhancements in the Next Generation TCP/IP Stack
http://technet.microsoft.com/en-us/library/bb878127.aspx
SMB2 Two Minute Drill on the Performance Team blog.
http://blogs.technet.com/askperf/archive/2008/05/30/two-minute-drill-overview-of-smb-2-0.aspx

- Clark Satter

948745  MS08-034: Vulnerability in WINS could allow elevation of privilege

951376  MS08-030: Vulnerability in Bluetooth stack could allow remote code execution

953979  Device Manager may not show any devices and Network Connections may not show any network connections after you install Windows XP Service Pack 3 (SP3)

- Mike Platts

Our friends over at the Network Monitor Blog have information on how to get the beta for Netmon 3.2.  There are some really cool new features in this release.  Find more information here:

http://blogs.technet.com/netmon/archive/2008/06/12/network-monitor-3-2-beta-has-released.aspx

- Mike Platts

951851  The WebClient service stop responding when you try to map a network drive to a WebDAV shared folder from a Windows Server 2003-based computer

950092  Third-party vendors may be unable to achieve IPv6 Ready Logo Phase-2 certification in Windows Server 2003

- Mike Platts

949429  The virtual IP address of a Windows Server 2008 NLB cluster is bound to the NetBIOS host name of a particular server or of multiple servers

947028  How to restrict SSTP connections to a specific IP address in Windows Server 2008

950826  You cannot establish an IPsec connection between a Linux operating system and a Windows Vista operating system when you initiate the connection from the Linux operating system

950319  On a multiprocessor computer that is running Windows Vista or Windows Server 2008, a network connectivity failure occurs randomly when you run certain utilities

953791  Device Manager and Network Connections may be blank after you install Windows XP Service Pack 3

- Mike Platts

949821  Two options in the “Customize Advanced Key Exchange Settings” dialog box are truncated on a computer that is running the Russian version of Windows Vista Service Pack 1 (SP1) or the Russian version of Windows Server 2008

949825  The Notify window in the DNS Manager is clipped in the Italian version of Windows Server 2008

949796  If you are running the Czech version of Windows Server 2008, you cannot locate the "Add" and "Remove" buttons on the "Server Farm" tab in the TS Gateway Manager component

942835  When client computers try to access resources on a Windows Server 2003-based file server, the Server service on the file server may stop responding

- Mike Platts

The Purpose

Hello,

Our names are David Pracht and Steve Martin.  As Networking Support Professionals at Microsoft we support IPSec but historically it has not been a high call generator.  We designed this lab to explore an increasingly popular scenario – IPSec Domain Isolation. While it can be the most difficult scenario to deploy it is also very tempting to have the ability to protect all the traffic in your network without requiring specific application support.  The reality is somewhere in between and we wanted to see if we could identify where people might encounter issues and document in a series of posts any problems we uncover while attempting to setup this scenario.

Domain Isolation vs. Server Isolation

IPSec provides technological support to implement a number of scenarios that improve enterprise network security:

■ Secure Server to Server: IPSec can be used to encrypt traffic between two servers.  An example of this is Outlook Web Access and Exchange.  All communications between the OWA server and the Exchange server could be authenticated and encrypted.

■ Server Isolation: IPSec can be used to isolate a server from unauthenticated (and possibly rogue) clients.  A good example of this is a line of business application server.  The application server would only grant access to machines that belong to the domain.  All other clients would not be able to even establish a TCP connection; guaranteeing the application server is isolated from the unknown clients.

■ Domain isolation: IPSec can be used to isolate domain members from non-domain members.  All domain members would be able to connect to each other securely.  Non-domain members would not be able to connect to any domain machine, as they are not successfully authenticated.  However, domain members may be able to connect to non-domain servers.

Why Domain Isolation is becoming more popular

Despite the historical difficulties in deploying an administering IPSec it has some compelling features and is becoming easier to implement.

Here are some of the benefits provided by IPSec:

■ Defense-in-depth against vulnerabilities in upper-layer protocols and applications.

IPSec protects upper layer protocols, services, and applications.  With IPSec enabled, initial communication packets to access an application or service running on a server, for example, will not be passed to the application or service until trust has been established through IPSec authentication and the configured protection on packets for the application or service have been applied.  Therefore, attempts to attack applications or services on servers must first penetrate IPSec protection.

■ Requiring peer authentication prevents communication with untrusted or unknown computers.

IPSec security requires peers to authenticate their computer-level credentials prior to sending any IP-based data.  By requiring peer authentication using credentials based on a common trust model, such as membership in an Active Directory domain, untrusted or unknown computers cannot communicate with domain members.  This helps protect domain member computers from the spread of some types of viruses and worms being propagated by untrusted or unknown computers.

■ IP-based network traffic is cryptographically protected.

IPSec provides a set of cryptographic protections for IP-based traffic based on your choice of AH, ESP without encryption, or ESP with encryption.  Your IP-based network traffic is either tamper proofed (using AH or ESP with no encryption), or tamper proofed and encrypted (with ESP and encryption).  Requiring cryptographic protection of IP traffic helps prevent many types of network attacks.

■ Applications do not need to be changed to support IPSec.

IPSec is integrated at the Internet layer of the TCP/IP protocol suite, providing security for all IP-based protocols in the TCP/IP suite. With IPSec, there is no need to configure separate security for each application that uses TCP/IP.  Instead, applications that use TCP/IP pass the data to IP in the Internet layer, where IPSec can secure it.  By eliminating the need to modify applications, IPSec can save application development time and costs.

In short if you need security IPSec is the way to protect you network.

Why Domain Isolation is difficult to implement

In the past with Windows Server 2003 and Windows XP, all these scenarios rely on machine-level authentication, which is what the IKE protocol that is supported by these operating systems supports.

Note: In addition to IKE Windows Vista and Windows Server 2008 support a new keying protocol called AuthIP.

IPSec policy configuration in many scenarios, such as server isolation and domain isolation, consists of a set of rules to protect most of the traffic on the network and another set of rules for protected traffic exceptions.

Exceptions are needed for unprotected communication with network infrastructure servers such as DHCP, DNS, and Domain Controllers.  For example: When a computer is starting, it must be able to obtain an IP address, use DNS to find a domain controller, and then log in to its domain before it can begin to use Kerberos authentication to authenticate itself as an IPSec peer.

In some cases, there are dozens or even hundreds of exceptions, which makes it difficult to deploy IPSec protection on a private network and to maintain it over time.  There is an optional feature called “Fallback to Clear” but the 3 second delay it introduced was often too long for networking scenarios like obtaining an IP address to complete.

Note: In Windows Server 2003 and XP this was addressed by the Simplified IPSec Policy Configuration update.

914841 How to simplify the creation and maintenance of Internet Protocol (IPsec) security filters in Windows Server 2003 and Windows XP

http://support.microsoft.com/default.aspx?scid=kb;EN-US;914841

Summary

That sums up why we are taking on this adventure and hopefully we will be able to provide some insight for other people planning to implement IPSec Domain Isolation.

Next post – We will define our scenario and see what issues come up that we will need to address.

David Pracht – Support Escalation Engineer

Steve Martin – Support Engineer

950876  Group Policy settings are not applied on member computers that are running Windows Server 2008 or Windows Vista SP1 when certain SMB signing policies are enabled

951058  The "Automatically restore this connection when computer starts" option may not work on a Windows Server 2008-based computer when CHAP authentication is used

950749  MS08-028: Vulnerability in the Microsoft Jet Database Engine could allow remote code execution

950574  A Windows Server 2003-based DHCP server does not respond correctly to DHCP INFORM requests if the requests are forwarded from the IP Helper API or from relay agents

946775  IP packets that are transferred over aggregated links may be dropped by the Multilink feature on a Windows XP-based computer

951624  A 30-second delay occurs during the initialization of some network-based applications when Windows XP Service Pack 2 starts

- Mike Platts

Prior to SP3, the 802.1x service for XP is the Wireless Zero Configuration Service.  This service handles the 802.1x needs for both wired and wireless connections.  This has been problematic since not everyone uses wired 802.1x.  Also, because the wired 802.1x engine listens passively for EAP Identity traffic, we are not fully compliant with the IEEE spec, which state the client should initiate authentication by sending an EAPOL-Start frame.

With SP3, we have separated the wireless service from the wired service and created a new Dot3Svc (Wired AutoConfig).  This service is set as a manual start as opposed to being automatic.  The default behavior of the Dot3Svc is now compliant with the IEEE specification.

In most environments, this is not a problem since most folks are not using 802.1x on their wired networks.  However, if the network has 802.1x deployed, having the service set to manual creates the unfortunate side effect of preventing the client from connecting back to the network after the required reboot has occurred. 

One of the suggested workarounds was to set the service type to Automatic in a GPO and push this out to all the clients prior to deploying SP3, but unfortunately you cannot do this.  Because Dot3Svc is a new service and does not exist on systems prior to SP3, XP cannot consume the necessary settings from a GPO and apply them after the service has been installed.

So to address this issue, you need to take the following steps:

Step 1: Pre-deployment

1.  Create a file called dot3svc_start.reg and put it in \\<domainname>\sysvol\<domainname>\scripts\

a. Add the following to the file

Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Dot3svc]

“Start”=dword:00000002

2. Create a file called dot3svc.bat and put it in \\<domainname>\sysvol\<domainname>\scripts\

a. Add the following to the file

regedit /s \\<domainname>\sysvol\<domainname>\scripts\dot3svc_start.reg

3. Using a GPO, add dot3svc.bat to the Shutdown scripts object.

4. In the same GPO, set the dot3svc to Automatic

Step 2: Deployment

1. Confirm the clients process the shutdown script.  All that needs to be done is to confirm the Dot3svc registry key exists after a reboot.

2. Deploy SP3 using normal procedures. 

Step 3: Post Deployment

1. After you have confirmed SP3 installs correctly and the dot3svc service starts, remove the scripts/GPO.

For more information on the Dot3Svc, see http://support.microsoft.com/kb/949984

Ask a DNS administrator and he’ll tell you there is no such thing as being “too careful” with DNS data! One of the dreaded things is to check the box for Auto Scavenging. A slight mis-configuration can lead to useful DNS entries getting deleted.

Some of the common questions that may come to an Administrator’s mind when thinking about scavenging is – How many static records do I have? Do I really have aged records lingering? Well, the answers to these questions are easy to find. Just open each record in the DNS console and look at the time stamp. This is easy if you have 20 records. That’s far from practical in the real world, though.

What one really needs is data in an organized form, say in Excel. Unfortunately the format of “dnscmd enumrecords” is not exactly ready to be imported as data. Let’s look at a sample output of “dnscmd /enumrecords contoso.com @ /Type A /additional”:

Returned records: @ [Aging:3570365] 600 A 192.168.0.3 [Aging:3570365] 600 A 192.168.0.1 [Aging:3570365] 600 A 192.168.0.4 [Aging:3570365] 600 A 192.168.0.2 2K-A [Aging:3558828] 1200 A 192.168.0.14 clusdfs [Aging:3570365] 1200 A 192.168.0.31 cluster [Aging:3570365] 1200 A 192.168.0.30 contoso-dca [Aging:3570521] 3600 A 192.168.0.1 CONTOSO-DCB [Aging:3570521] 3600 A 192.168.0.2 CONTOSO-DCC [Aging:3570413] 1200 A 192.168.0.3 CONTOSO-DCD [Aging:3570394] 1200 A 192.168.0.4 R2-A [Aging:3570365] 1200 A 192.168.0.11 R2-B [Aging:3570365] 1200 A 192.168.0.12 R2-C [Aging:3570496] 1200 A 192.168.0.13 R2-E [Aging:3570365] 1200 A 192.168.0.199 R2-F [Aging:3570365] 1200 A 192.168.0.19 R2-G [Aging:3570365] 1200 A 192.168.0.20 rat-r2 [Aging:3562303] 1200 A 192.168.0.254 test 3600 A 10.1.1.10 VISTA-A [Aging:3558828] 1200 A 192.168.0.17 VISTA-B [Aging:3570365] 1200 A 192.168.0.51 XP-A [Aging:3562227] 1200 A 192.168.0.15 XP-B [Aging:3562227] 1200 A 192.168.0.16 Command completed successfully.

We do get the name of the record, time stamp, TTL, type & IP address. This data cannot be directly imported into Excel, however; it needs to be formatted with delimiters so that Excel can import it. We have chosen to use a “,” (comma) in this case.

Some points to keep in mind are:

1. Observe the first few lines of the data in the example above. Each “Same as parent folder” is on a separate line with the Record name missing in subsequent lines.
2. For static records, the text “[Aging:xxxxxxxx]” is missing.
3. We have tried to accommodate more types of records like SRV, NS, SOA, MX, and CNAME, though typically one would be interested in the A records.

We will achieve the desired result in two steps using two VBScripts. The scripts perform the following functions:

1. Put in the delimiter “,” to separate the data on each line. In our example, the script is named “changetocsv.vbs”.
2. Perform a calculation to convert the “Aging” number to a readable date format and then open the file in Excel, provided Excel is installed on the machine being used. We will name this script “openexcel.vbs”.

Note that both scripts manipulate contents of the file. Each script should be run only once on a file. Here is a summary of how the overall process will work:

• Create a directory/folder to hold the exported DNS data and script files.
• Copy the contents of both scripts given below and place them in the folder created.
• Export the data from DNS using the dnscmd.exe utility included with Windows Server.
• At a Command Prompt in the folder created, run each script against the exported data to format it for and import it into Excel.

Detailed steps:

1.  Create a folder, such as C:\dnsdata, in which to store each of the scripts below.  Eg: changetocsv.vbs and openexcel.vbs.

2.  At a Command Prompt, run the following command:

dnscmd /enumrecords contoso.com @ /Type A /additional > c:\dnsdata\dns.csv

Note: For more information on dnscmd.exe, run ‘dnscmd /?’ at a Command Prompt.

3.  Save the below script as “changetocsv.vbs” in the directory created. This script will read the raw output taken from dnscmd command, format it by inserting comma delimiters, and then save it as the same filename specified at the command prompt when it is run.

Const ForReading = 1 Const ForWriting = 2 strFileName = Wscript.Arguments(0) Set objFSO = CreateObject("Scripting.FileSystemObject") Set objFile = objFSO.OpenTextFile(strFileName, ForReading) strText = objFile.ReadAll objFile.Close strNewText = Replace(strText, " [Aging:", ",") strNewText1 = Replace(strNewText, "] ", ",") Set objFile = objFSO.OpenTextFile(strFileName, ForWriting) objFile.WriteLine strNewText1 objFile.Close 'please modify Rtype array as per the record requirements Rtype = Array("A", "SRV", "NS", "SOA","MX","CNAME") For i = 0 To UBound(Rtype) rrtype = " "+Rtype(i) +" " Set objFile = objFSO.OpenTextFile(strFileName, ForReading) strText = objFile.ReadAll objFile.Close strNewText = Replace(strText, rrtype, ","+Rtype(i)+",") Set objFile = objFSO.OpenTextFile(strFileName, ForWriting) objFile.WriteLine strNewText objFile.Close Next Set objFile = objFSO.OpenTextFile(strFileName, ForReading) strText = objFile.ReadAll objFile.Close strNewText = Replace(strText, " ", ",,") Set objFile = objFSO.OpenTextFile(strFileName, ForWriting) objFile.WriteLine strNewText objFile.Close

4.  The script takes one argument. At the command prompt while in the directory created earlier, run the following command:

C:\dnsdata> changetocsv.vbs dns.csv

This command modifies the content of dns.csv and overwrites the same file.

5.  (optional) View the modified dns.csv. If you open the new version of dns.csv, you will see that it has been changed, similar to our example below:

Returned,,records: @,3570365,600,A,192.168.0.3 ,3570365,600,A,192.168.0.1 ,3570365,600,A,192.168.0.4 ,3570365,600,A,192.168.0.2 2K-A,3558828,1200,A,192.168.0.14 clusdfs,3570365,1200,A,192.168.0.31 cluster,3570365,1200,A,192.168.0.30 contoso-dca,3570521,3600,A,192.168.0.1 CONTOSO-DCB,3570521,3600,A,192.168.0.2 CONTOSO-DCC,3570413,1200,A,192.168.0.3 CONTOSO-DCD,3570394,1200,A,192.168.0.4 R2-A,3570365,1200,A,192.168.0.11 R2-B,3570365,1200,A,192.168.0.12 R2-C,3570496,1200,A,192.168.0.13 R2-E,3570365,1200,A,192.168.0.199 R2-F,3570365,1200,A,192.168.0.19 R2-G,3570365,1200,A,192.168.0.20 rat-r2,3562303,1200,A,192.168.0.254 test,,3600,A,10.1.1.10 VISTA-A,3558828,1200,A,192.168.0.17 VISTA-B,3570365,1200,A,192.168.0.51 XP-A,3562227,1200,A,192.168.0.15 XP-B,3562227,1200,A,192.168.0.16 Command,,completed,,successfully.

Thanks to the new formatting, the file could now be easily opened in Excel as a csv file. However, the “aging” number (second column) needs to be converted to a readable date. The Aging number in the DNS data gives hours since 1/1/1600 00:00, while Excel is configured with 1/1/1900 00:00 as starting point. So we need to remove a constant from the aging number to normalize it and then specify the format. In the following script, we remove constant 2620914.50 and divide the result by 24 since Excel understands “days” rather than “hours”.

6.  Save the script file below to “openexcel.vbs”. This script will modify the comma delimited file, dns.csv in our example, to convert the number mentioned for Aging to a date format and opens the file in Excel automatically.

Const ForReading = 1 Const ForWriting = 2 strfile= wscript.Arguments(0) Set objFSO = CreateObject("Scripting.FileSystemObject") Set objFile = objFSO.OpenTextFile(strfile, ForReading) Do Until objFile.AtEndOfStream strLine = objFile.ReadLine If not strLine = "" Then arrItems = Split(strLine, ",") intDatevalue = 0 If not(arrItems(1))="" Then intDateValue = (arrItems(1) - 2620914.50)/24 End if intItems = Ubound(arrItems) ReDim Preserve arrItems(intItems + 1) If intDateValue > 0 Then arrItems(intItems + 1) = intDateValue Else arrItems(intItems + 1) = "" End If strNewLine = Join (arrItems, ",") strNewText = strNewText & strNewLine & vbCrLf End If Loop objFile.Close Set objFile = objFSO.OpenTextFile(strfile, ForWriting) objFile.Write strNewText objFile.Close Set objExcel = CreateObject("Excel.Application") objExcel.Visible = True Set objWorkbook = objExcel.Workbooks.Open(strfile) Set objRange = objExcel.Cells(1, 6) Set objRange = objRange.EntireColumn objRange.NumberFormat = "m/d/yyyy hh:mm:ss AM/PM"

7.  The script takes one argument. At the command prompt, run the following command:

C:\dnsdata> openexcel.vbs c:\dnsdata\dns.csv

The script modifies the content of dns.csv and overwrites the same file with modified content. The above script opens the resultant file in Excel, provided Excel is available J.

IMPORTANT: Please give full path name of the file otherwise the Excel will give an error while attempting to open the file dns.csv.

The columns are Name, Aging, TTL, Type, IP address & Time Stamp. Blanks in Time Stamp indicate a static record. Below is the result after running both scripts on our example data:

8.  Once the file is open, save the resultant as dns.xls and use that for all future reference.

Thanks “Scripting Guy” for your archives (http://www.microsoft.com/technet/scriptcenter/resources/qanda/all.mspx ) without which the VB scripts would not have been possible.

Contributed by Rajeev Narshana & Kapil Thacker

951088  Error message when you use SMB-to-NFS gateway software that exposes mounted NFS shared folders as SMB shared folders on a Windows Server 2008-based computer: "Stop 0x0000007E"

951016  Description of User Account Control and remote restrictions in Windows Vista

951830  When you disable and then re-enable the LAN-side network adapter on a Windows XP SP3-based computer that is configured as a Connection Sharing host, a client computer on the network cannot access the Internet

946480  List of fixes that are included in Windows XP Service Pack 3

Windows Server 2008 is here, along with a new version of Network Load Balancing (NLB).  Just as in previous versions, NLB continues to provide an excellent option for scaling many kinds of applications and promoting higher availability.  And while the deployment and configuration of NLB is fairly straightforward, it’s important to ensure the network environment is ready for NLB. 

Unicast

If you choose to deploy NLB using unicast, all of the NLB adapters will share a Cluster MAC address, in addition to the Virtual IP (VIP) address.  The idea behind the shared MAC is that when a host communicates with the MAC address for the NLB Cluster, all of the NLB nodes will respond, making it impossible for the switch to associate the MAC address to a particular port.  This in turn will cause the switch to simply flood the frames destined to the Cluster MAC out all of its ports, ensuring that all of the NLB nodes receive the frames.  Problems may arise when using multi-layer switches or virtual network environments if the switch does associate the Cluster MAC or the Virtual IP to a specific port.  In this case, only one NLB node will receive traffic destined to the Virtual IP address of the Cluster, preventing the remaining NLB nodes from sharing the load.  One way to get around this issue is to employ a hub.  By connecting all the NLB nodes into a hub, and then connecting the hub to a port on the switch, all of the NLB nodes will receive the traffic destined to the Cluster.  Another solution is to configure port mirroring on the switch to ensure traffic sent to one of the NLB ports is replicated to all of them.

As mentioned earlier, unicast NLB relies on switch “flooding” behavior to function properly.  If you want to limit the flooded traffic on your network, you  can create a separate VLAN encompassing only the ports the NLB nodes are connected to.

Multicast

You can also opt to deploy NLB using multicast.  With multicast, each NLB node effectively has two MAC addresses: a physical MAC and a multicast MAC.  Switches typically do not associate ports with a multicast MAC address, so the traffic will be flooded out all ports.  The flooding of the multicast traffic may cause unintended network performance issues.  To resolve these issues, you can configure the switch with static mappings of the multicast MAC and the ports that the NLB nodes are connected to.

NLB Manager

One other point to keep in mind when deploying Windows Server 2008 Network Load Balancing is that the NLB Manager from Windows Server 2003 cannot be used to manage Windows Server 2008 NLB nodes.  You can manage the Windows Server 2008 nodes with the NLB Manager on a Windows Server 2008 server or with Windows Vista if you have the Remote Server Administration Tools (RSAT) installed.

For more information on deploying NLB, including upgrading from Windows Server 2003 NLB, check out the following article:

http://technet2.microsoft.com/windowsserver2008/en/library/d7c4efd2-3cf0-4b3d-9207-4746cab1f9aa1033.mspx?mfr=true

- Baruch Frost

Here are the latest Networking-related Knowledge Base articles:

951764  How to enable the port scalability feature for RPC proxies and for applications in Windows Server 2008

950499  You may be unable to use the "netsh interface" context in some Server Core installations of Windows Server 2008

951598  On a computer that is running an Itanium-based version of Windows Server 2008, the Ftp.exe utility crashes when you run the "mput" command

947557  The WINS automatic scavenging process may not start as expected at the expiration of the configured interval on a Window Server 2008-based computer

951745  After you install a non-English-language Input Method Editor on a Windows Vista-based computer, you cannot enter any numeric character in the WEP box when you try to join a secure wireless network

951025  The Server service and the Workstation service do not start in Windows 2000, and you receive a "The specified file could not be found" error message

951656  UPnP devices may not be displayed in the "My Network Places" folder after you restart a Windows XP-based computer

- Mike Platts

The latest Service Pack for Windows XP, SP3, is now available for download.  Of note in this release, Windows XP with Service Pack 3 will have the ability to be a NAP (Network Access Protection) client.  Also, Wi-Fi Protected Access 2 (WPA2) support is now included (previously available as a separate download for Windows XP SP2).

Windows XP SP3 Released to Web (RTW), now available on Windows Update and Microsoft Download Center

Service Pack 3 Resources for IT Professionals (Microsoft TechNet)

How to obtain the latest Windows XP service pack (Microsoft KnowledgeBase)

List of fixes that are included in Windows XP Service Pack 3 (Microsoft KnowledgeBase)

Thanks to Boyd Benson for his assistance with this post.

-Mike Platts

Here are the latest Networking-related KB articles:

948927  Error message when you use SmartCard-only authentication to log on to a Windows Vista-based client computer in a wireless network environment: "Cannot connect to <SSID>: Please contact network administrator"

950923  The SNMP Event Log Extension Agent does not initialize correctly on a computer that is running Windows Vista with Service Pack 1 or Windows Server 2008

949127  You cannot establish a wireless connection by using EAP authentication on a Windows XP-based client computer if the Service Set Identifier (SSID) includes a comma

- Mike Platts

As you may know, Service Pack 2 for Windows Server 2003 included the Scalable Networking Pack (or SNP) which allowed for increased performance in many situations by allowing some TCP functionality to be handled by the network driver and network adapter instead of the Windows TCP/IP stack itself.  This functionality was enabled by default in Service Pack 2.

There have been some problems seen in some environments where Windows Server 2003 SP2 has been deployed on systems that support the SNP features.  Issues like this have been discussed in several previously published Knowledge Base articles.

There is now a new update available that will turn off the Scalable Networking Pack features on Windows Server 2003 Service Pack 2 systems.  The article lists a number of symptoms that have been seen when Windows Server 2003 SNP is enabled and links to download the update for x86, x64, and Itanium-based systems:

An update to turn off default SNP features is available for Windows Server 2003-based and Small Business Server 2003-based computers