I spent several hours today trying to set up load balancing for my test lab. It was a total pain because we have no documentation on how to do this and the information out there on the web is all over the place on this topic. It actually boils down to a few simple things you need to know. Hopefully this blog post saves people a LOT of time and headache!
For purposes of this blog post this is what I did:
1) I am using Windows Network Load Balancing (NLB)
2) I am running NLB on my SharePoint web farm servers
3) I am running the Web Content Server on the same server as my SharePoint web servers.
4) My SharePoint web servers/Web Content Servers are running in Hyper-V VMs.
5) I configure each VM to have two network adapters. The first one was configured as the “Management” network adapter and was configured to use DHCP to get an IP Address. The other one was configured to have a static IP address by the process to set up NLB.
You could do the following differently:
1) Deploy the SharePoint web servers and Web Content Servers separately and load balance them separately.
2) Deploy the servers on physical hosts instead of in VMs.
3) Set up a NLB server that is not running on the SharePoint web servers or the Web Content Servers but load balances the traffic for them.
4) Use a single network adapter per computer. You don’t need separate network adapters for “Management” and “NLB”.
5) You could use a hardware load balancer instead of Windows NLB.
These are the important things you need to know (i.e. the “gotchas”):
1) If you are trying to load balance Hyper-V VMs you need to enable MAC Address Spoofing (always wondered what that option was for!):
In the VM guest Settings for a network adapter you will see this checkbox:
You can also configure this setting on a guest VM in the VMM console:
2) After setting up NLB, you need to add SPNs to Active Directory for the server names (for each node in the cluster) and the virtual NLB server name for the app pool accounts of the SharePoint and Web Content Server web sites. You use SetSPN.exe in a command window to do this as follows:
SetSPN.exe -A HTTP/servername domain\username
SetSPN.exe -A HTTP/fullyqualifiedservername domain\username
where servername is the name of the server you want to create a SPN for and domain\username is the account that your Web Content Server web site app pool or SharePoint web site app pool is configured as.
Thus, for my environment where I was using the same account (contoso\svcsmdataaccess) for both the SharePoint and the Web Content Server sites, I entered the following commands:
SetSPN.exe -A HTTP/sp1 contoso\svcsmdataaccess
SetSPN.exe -A HTTP/sp1.contoso.com contoso\svcsmdataaccess
SetSPN.exe -A HTTP/sp2 contoso\svcsmdataaccess
SetSPN.exe -A HTTP/sp2.contoso.com contoso\svcsmdataaccess
SetSPN.exe -A HTTP/sp contoso\svcsmdataaccess
SetSPN.exe -A HTTP/sp.contoso.com contoso\svcsmdataaccess
If you used different accounts for the two app pools you will need to do the above six commands for both app pool accounts.
You only need to create the SPNs in AD once. You don’t need to run this on each server or anything like that.
3) You need to configure the SharePoint and Web Content Server web sites on all of the servers to have useAppPoolCredentials = True.
You do this by going into the IIS Manager and selecting the web site on the left hand nav.
Double click on Configuration Editor.
In the Section drop down control at the top navigate to system.webServer/security/authentication/windowsAuthentication:
Change useAppPoolCredentials to True:
Other than that the process is pretty straightforward and well documented on TechNet.
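Gotchas 2 and 3 can be scripted and then checked. The following is an added example, not the author's script: it registers the same six SPNs with setspn -S (which refuses an SPN that another account already holds), sets useAppPoolCredentials, and requests a Kerberos ticket for each name. The IIS site names are assumptions; the host names, domain and account are the ones used in this post.

```powershell
# Added example, not the author's script. Values marked "assumed" are not from the post.
$Domain  = 'contoso.com'
$Account = 'contoso\svcsmdataaccess'        # app pool account from the post
$Hosts   = 'sp1', 'sp2', 'sp'               # both nodes plus the virtual NLB name

function Register-PortalSpn {
    # Run once, from any domain-joined machine, with rights to edit the account.
    foreach ($h in $Hosts) {
        foreach ($spn in "HTTP/${h}", "HTTP/${h}.${Domain}") {
            # -S adds the SPN only after checking that no other account holds it;
            # a duplicate SPN makes Kerberos authentication fail for that name.
            & setspn.exe -S $spn $Account
            if ($LASTEXITCODE -ne 0) { Write-Warning "Could not register $spn" }
        }
    }
    & setspn.exe -L $Account                # list the SPNs the account now holds
    & setspn.exe -X                         # report duplicate SPNs in the domain
}

function Enable-AppPoolCredentials {
    # Run elevated on every web server. The default site names are assumed.
    param([string[]]$SiteName = @('SharePoint - 80', 'Web Content Server'))
    Import-Module WebAdministration
    $filter = 'system.webServer/security/authentication/windowsAuthentication'
    foreach ($site in $SiteName) {
        Set-WebConfigurationProperty -PSPath 'MACHINE/WEBROOT/APPHOST' -Location $site `
            -Filter $filter -Name 'useAppPoolCredentials' -Value $true
        # Read the value back so a locked or misnamed section is noticed right away.
        $now = (Get-WebConfigurationProperty -PSPath 'MACHINE/WEBROOT/APPHOST' `
            -Location $site -Filter $filter -Name 'useAppPoolCredentials').Value
        '{0}: useAppPoolCredentials = {1}' -f $site, $now
    }
}

function Test-PortalKerberos {
    # Ask the KDC for a service ticket per name; an error here points at a
    # missing or duplicate SPN rather than at IIS or SharePoint.
    foreach ($h in $Hosts) { & klist.exe get "HTTP/${h}.${Domain}" }
}
```

Call Register-PortalSpn once, Enable-AppPoolCredentials on each web server (followed by iisreset), and Test-PortalKerberos from a client logged on to the domain.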
Here are the steps that I went through:
0) Installed SharePoint as a Web Farm. Installed the SharePoint site for the Self-Service Portal on one web server in the farm. SharePoint automatically takes care of deploying it to the other web servers in the farm. Installed the Web Content Server role on both servers.
1) Shut down the VMs and added two additional network adapters to the VMs connected to the same External network that the existing (DHCP) network adapter was.
2) Configured the new network adapters to allow MAC spoofing as described above.
3) Started the VMs.
4) Renamed the network adapters in both VMs in Windows to ‘Management’ and ‘NLB’ for clarity on which network adapter was doing what.
5) Installed the Network Load Balancer feature on both of the VMs. (Server Manager/Features –> Add Features)
6) On the first node of the load balancer, opened the Network Load Balancing Manager from Start –> Administrative Tools.
7) Right click on the top level node in the navigation tree on the left and choose ‘New Cluster’.
8) Enter the host name of the first node (sp1.contoso.com) and click Connect.
9) Choose the NLB adapter and click Next.
10) Go through the rest of the wizard specifying the static IP address for the host network adapter (192.168.2.121) and the IP address for the cluster (192.168.2.120) and the DNS name (sp.contoso.com) for the cluster.
11) Log into the second node of the cluster. Launch the Network Load Balancing Manager.
12) Right click on the top level tree node and choose ‘Connect to Existing’. Enter the name of the first node of the cluster (sp1.contoso.com) and click Connect. Choose the cluster name (sp.contoso.com) and click Finish.
13) Right click on the cluster and choose ‘Add Host to Cluster’. Enter the name of the second node of the cluster (sp2.contoso.com) and click Connect. Choose the NLB adapter and click next.
14) As before, enter the static IP address for this node of the cluster (192.168.1.122).
15) In the end your cluster should look something like this:
16) Create DNS entries for the new IP addresses:
Note: This also shows the IP addresses from the DHCP network adapters (.109 and .112).
SP1.contoso.com – 192.168.2.120
SP1.contoso.com – 192.168.2.121
SP2.contoso.com – 192.168.2.122
17) Now configure the SPNs as described above.
18) Configure the useAppPoolCredentials = True on each of the web sites (SharePoint and Web Content Server) on each of the servers as described above.
19) Run iisreset on an elevated command prompt on all the web servers.
20) One last trick – you might as well configure the SharePoint site to get the Web Content Server content from the load balanced URL just in case the Web Content Server running on the SharePoint server is not available but a Web Content Server somewhere else in the NLB cluster is. To do that go to the SharePoint site on each server and double click ‘Application Settings’.
Change the SMPortal_WebContentServer_URL setting from something like http://SP1:85/ContentHost/ClientBin to be http://SP:85/ContentHost/ClientBin where SP1:85 would be your web server name and port and SP would be the name of your virtual cluster.
Hope that helps. Let us know if it is helpful in the comments below.
BTW – You can follow the same procedure above (steps 1-15) to create a NLB cluster in front of your SM management servers!
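For repeatable builds, steps 5 through 13 can be done with the NetworkLoadBalancingClusters PowerShell module instead of the wizard. This is an added example, not the author's procedure: the host names, adapter name and IP addresses are the ones used above, the subnet mask is an assumption, and the NLB adapter on sp2 is assumed to already have its static address.

```powershell
# Added example: scripted equivalent of steps 5-13. Run elevated on sp1.
Import-Module ServerManager
Add-WindowsFeature NLB | Out-Null           # step 5; install the feature on sp2 as well
Import-Module NetworkLoadBalancingClusters

# Steps 6-10: create the cluster on the adapter that was renamed to 'NLB' in step 4.
$newCluster = @{
    HostName              = 'sp1.contoso.com'
    InterfaceName         = 'NLB'
    ClusterName           = 'sp.contoso.com'
    ClusterPrimaryIP      = '192.168.2.120'  # cluster address from step 10
    SubnetMask            = '255.255.255.0'  # assumed
    DedicatedIP           = '192.168.2.121'  # static address of sp1 from step 10
    DedicatedIPSubnetMask = '255.255.255.0'  # assumed
}
$cluster = New-NlbCluster @newCluster

# Steps 11-13: join the second node over its own 'NLB' adapter.
$cluster | Add-NlbClusterNode -NewNodeName 'sp2.contoso.com' -NewNodeInterface 'NLB'

# Step 15: list the nodes and their state; both should show as converged.
Get-NlbClusterNode -HostName 'sp1.contoso.com'
```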
Thank you, Travis. I guess this is one of the most important portal related blog posts!
Travis... This is some "dirty" stuff! (Dirty meaning awesome). Question for you... Are larger customers with thousands of end users noticing poor web performance with the SSP without the NLBs?
I haven't heard any complaints about performance for the portal. SharePoint itself isn't the fastest web site in the world but it seems to work pretty well for what we need it for. The Silverlight web parts take a little bit of time on the initial download but after that they are pretty quick.
Using NLB is really for two reasons:
1) Performance - spread the load onto multiple servers (probably not a good reason for any organization less than about 20,000 people I would guess).
2) High availability - this allows you to take one server out of the NLB cluster temporarily for maintenance, reboot, etc. while still offering the service seamlessly to customers. This is more broadly applicable to customers ranging from smaller customers to really big ones.
This is awesome Travis. Thank you.
For a non-default port, does the port have to be included in the SPN? E.g., if your portal had been set up on 8080, then you would have had "SetSPN.exe -A HTTP/sp1:8080 contoso\svcsmdataaccess". Right?
Am I correct to set SPN for all used names for all servers (NLB as well) including BIOS name, FQDN, and web-site name?
Thanks in advance,
Is it applicable (and mandatory or useful) for Reporting and Analysis Services as well?