What's New in Windows Server 2012 Networking? (Part 5)

by [Published on 10 Oct. 2013 / Last Updated on 10 Oct. 2013]

In this article we’ll take a deeper dive into Network Policy and Access Services and NIC Teaming in Windows Server 2012.

If you would like to read the other parts in this article series please go to:

Introduction

We’re back again with another installment in this series of articles about the new and improved networking features in Windows Server 2012. In the first four installments, we talked about new and improved features in 801.1x authenticated wired and wireless, BranchCache, Data Center Bridging (DCB), DNS and DHCP, Hyper-V network virtualization, IP Address Management (IPAM), the low-latency workloads technologies (with a special focus on DCB).

Here’s our list again, showing the ones we’ve already addressed in past articles, those we’ll look at in this article, and those still to come in future articles:

Past articles:

  • 802.1x Authenticated Wired and Wireless Access
  • BranchCache
  • Data Center Bridging (DCB)
  • Domain Name System (DNS)
  • DHCP
  • Hyper-V network virtualization
  • IP Address Management (IPAM)
  • Low Latency Workloads technologies

This article:

  • Network Load Balancing
  • Network Policy and Access Services

Future articles:

  • NIC Teaming
  • Windows QoS
  • DirectAccess and Unified RRAS
  • Windows Firewall with Advanced Security

This time, we’ll take a deeper dive into Network Policy and Access Services and NIC Teaming in Windows Server 2012.

Network Policy and Access Services

Network Policy and Access Services (NPAS) has been around since Windows Server 2008. It encompasses the Network Policy Server (NPS), the Health Registration Authority (HRA) and the Host Credential Authorization Protocol (HCAP). NPAS is a server role that you use to configure and implement Network Access Protection (NAP) as well as RADIUS servers and proxies and 802.1X wireless access points and Ethernet switches.

Over on Windowsecurity.com, I wrote in detail about how NPAS works in Windows Server 2012 and how to install and configure it. You can find that article here.

I won’t go into detail here about those processes. What’s new in Windows Server 2012 is the support for Windows PowerShell to automate installation and some aspects of deployment and configuration, which

Another change in Windows Server 2012 is the removal of the Routing and Remote Access Service (RRAS) from NPAS. But don’t worry – RRAS isn’t gone; it’s just been relocated as a role service in the Remote Access server role (which really makes more sense).

Note that while NAP is supported in the Windows Server 2012 R2 Preview, it has been deprecated. Microsoft recommends that you replace NAP monitoring functionality with System Center Configuration Manager (SCCM) and/or manage out to Direct Access clients to ensure the health of remote systems even when they aren’t accessing resources on the corporate network. You can also use Web Application Proxy to provide remote users with access to specific internal applications and services.

Relevant cmdlets when working with the Network Policy Server in Windows Server 2012 include the following:

Export-NpsConfiguration
Get-NpsRadiusClient
Get-NpsRemediationServer
Get-NpsRemediationServerGroup
Get-NpsSharedSecretTemplate
Import-NpsConfiguration
New-NpsRadiusClient
New-NpsRemediationServer
New-NpsRemediationServerGroup
Remove-NpsRadiusClient
Remove-NpsRemediationServer
Remove-NpsRemediationServerGroup
Set-NpsRadiusClient

For more information about each one of these cmdlets and examples of the full command syntax, see Toby Meyer’s article titled New 2012 PowerShell Cmdlets: Role Focus on NPS (Radius) Server.

NIC Teaming

It was pretty exciting when we found out NIC teaming was coming to Windows Server. It’s the feature that supports grouping multiple network adapters into a “team” for failover purposes and also as a way to aggregate bandwidth – a real advantage with today’s bandwidth-hungry applications. The fault tolerance aspect is even more important. If you have two or more NICs teamed, and one of them fails, the other(s) will pick up the load and you won’t have an outage that could result in lost productivity and cost the company money. You can go a step further and plug different NICs on the team into different switches; then even the failure of a switch won’t disrupt communications. You can configure a NIC to be a standby adapter so it will take over if another NIC fails.

Of course, you could do NIC teaming in previous versions of Windows Server, but you had to do it through the NIC vendor’s management software (if the NIC supported it). It’s easier to work with now that it’s built into the operating system, and it will work with pretty much any NIC that’s supported by Windows Server 2012.

With Windows Server 2012, you can have as many as 32 network adapters in a team. The NICs on a team don’t have to all be made by the same vendor, but Microsoft recommends they all be rated for the same transfer speed. Of course, keeping them from the same vendor means you may be able to use the same driver, which takes away one layer of complexity.

Windows Server 2012 supports both static (also known as “generic”) and dynamic teaming when operating in switch dependent mode. In this mode, the network adapters that are members of the team generally all have to be connected to the same switch. You’ll have to do more configuration of the switch and the host.

With switch independent mode, you can use any switch, including those that are not classed as intelligent switches. Windows Server 2012 will do all the management of traffic distribution. So what’s the catch? Well, inbound traffic doesn’t get distributed across all the NICs; it comes to just one NIC. Depending on your scenario, this can work fine – or not.

With the dynamic mode, links between the computer and switch are identified and teams can be created automatically. LACP (Link Aggregation Control Protocol) has to be enabled on the switch port.

There are a couple of different ways that outgoing traffic can be distributed across the links, by using either the Hyper-V switch port to identify machines or by using a hashing algorithm to keep packets that are part of the same TCP stream all on the same NIC, based on source and destination MAC addresses, IP addresses and TCP ports. When TCP ports are used together with IP addresses, it’s called a 4-tuple hash. This only works with TCP and UDP traffic and doesn’t work with IPsec-protected traffic. In those cases, the 2-tuple hash (IP addresses and MAC addresses) is used for IP traffic; if the traffic isn’t IP, MAC addresses alone are used.

One very useful feature of Windows Server 2012’s NIC teaming implementation is that it works inside a virtual machine. This is almost a necessity, given the widespread use of virtualization on today’s business networks. This means that a VM can have virtual NICs connected to multiple Hyper-V switches.

There are some caveats in regard to NIC teaming, though, as it doesn’t play nicely with all Windows Server 2012 networking features. Specifically, there are incompatibilities with SR-IOV (Single Root I/O Virtualization), RDMA (Remote Direct Memory Access) and TPC Chimney.

To configure NIC teaming, you can use either Server Manager, lbfoadmin, or PowerShell. Those who are more comfortable with the graphic interface will find NIC teaming settings under Local Server | Properties | Remote Desktop | NIC Teaming Administration. It may be faster and more efficient to simply type lbfoadmin in the Run box to open the NIC Teaming management interface.

If you’re a PowerShell aficionado, you can use the following cmdlets:

NetLbfoTeam

NetLbfoTeamMember

NetLbfoTeamNic

Configuring NIC teaming on your Windows Server 2012 server is fairly simple with Server Manager, just select your server from the list, click Teams | Tasks | New Team and type a name for the new team in the dialog box that appears. Then select the NICs that you want to put in the team. Be sure to uncheck the Default check box if you’re using VLANs. Then type in the VLAN ID. You can click the Advanced button to choose a mode such as switch independent, static teaming or LACP (the default is switch independent so you don’t need to do the advanced configuration if that’s what you want to use). If you need to make changes later, just select Modify team from the Tasks list.

The new virtual NIC appears in your Network Connections list in Control Panel. If you look at the properties of the virtual NIC, you’ll see the usual bindings such as IPv4, IPv6, File and Printer Sharing, QoS Packet Scheduler and so forth. But if you look now at the properties of the physical NICs that are part of the team, you’ll notice that they only have one binding: the Microsoft Network Adapter Multiplexor Protocol.

For a set of screenshots that show the step-by-step process of configuring NIC teaming, check out Brien Posey’s article here on WindowsNetworking.com, titled NIC Teaming in Windows Server 2012.

Summary

Two more features down, and now we only have three more to go. Next time around, we’ll be looking at Windows Quality of Service (QoS), DirectAccess and Unified RRAS and Windows Firewall with Advanced Security as implemented in Windows Server 2012. Of course, unlike the completely new features we’ve seen, all three of these have been around for a while in previous versions of the operating system, but Microsoft has made some changes that should enhance the experience of Windows Server administrators. So be sure to join us again for Part 6 when we start wrapping up this series.

See you then – Deb.

If you would like to read the other parts in this article series please go to:

Advertisement

Featured Links