Direct Access: How do you handle NLS in Multi-Site deployments?

    Question

  • Let's say you have offices in the US and in Europe. You create a DA Multi-Site deployment with DA servers in the US and Europe and you end up with 2 dial-in possibilities. Each Entry Point can be made redundant again (you create DA NLBs on each site).

    But how do you handle the Network Location Server? As far as I can see the NLS is configured globally for the whole Environment and not only for each Site. So you can configure just a single URL for the NLS.

    Let's say we place the NLS in the US. Then the connection between the US and Europe goes down, which does not allow the client systems in Europe to connect to the NLS. They will now try to connect to the corporate network via DA. But how do you prevent this?

    Just installing a 2nd NLS and using DNS round robin is not a solution in my point of view. With DNS round robin you still have no influence on which NLS the client systems are connecting to.

    So my question is: How do you handle this scenario? If there are differences between DA versions, I'm mainly interested in Server 2012 deployments.

    Friday, November 15, 2013 1:07 PM

All replies

  • Hi,

    so assuming your US clients use a DNS server in the US and your European clients use a DNS server in Europe, you can configure the same DNS name on both but with different IPs pointing to the US or the European NLS respectively.

    If you can't do that you have to configure multiple GPOs with different DNS names for NLS. 

    I like the first approach because then users who travel between locations always use the local NLS.

    How do you differentiate for the DA servers between the US and Europe?


    Regards,

    Lutz

    Friday, November 15, 2013 2:47 PM
  • Thanks for your response.

    There are multiple offices in the US and Europe in this scenario. Some have local DCs with their own DNS servers. But basically they all share the same DNS entries (all zones are replicated in the AD). I would need to create a new DNS zone only for the NLS servers which is not replicated in AD to achieve what you mean, right? Then you have to be careful when you deploy new domain controllers not to miss something. This was on my list as one of the 3 possible solutions we could think of. But I was curious how others do it, maybe in a more elegant and less error-prone way.

    About the DA Setup:

    The installation is a Multi-Site deployment with 2 Entry Points (US and Europe) and each Entry Point consists of a DA NLB cluster for redundancy. The DA config wizard then automatically creates 3 GPOs for you. One for Windows 8 systems, because they can and will auto-select their Entry Point (AFAIK based on latency). And 2 GPOs, one for each Entry Point (US and Europe), for Windows 7 systems, because you have to assign them a fixed Entry Point.

    I don't want to tinker with the GPOs, because whenever you make changes to your DA configuration they get rewritten by the Management Console, and I'm sure it will then overwrite your settings.

    I wonder why the NLS must be configured at the top level of the configuration and cannot be configured for each site. But then which NLS should the GPO for Windows 8+ include? Maybe that's the problem and they gave us only the option to configure a single NLS DNS name for the whole DA environment.

    It would be nice though to be able to configure multiple NLS DNS names, like we can do with the probes for the DA client to check corporate connectivity. This way we could place 2 or 3 NLS servers in different countries / continents and DA would just check all of them before it activates DA.

    Friday, November 15, 2013 3:11 PM
  • How about some reserved address space that is duplicated at each site but not routed between sites?

    This way you could have one or more NLS at each site with the same IP address and indeed replicated DNS records that resolve to identical IPs.

    For a specific function like this, this approach should work pretty seamlessly.

    Remember that an NLS only needs to host a non-content site that returns an HTTP 200 message to the client to determine on-network presence. To this end these NLS don't even need to be full-blown servers; Core instances running just IIS would suffice. (Although many admins brought up on Windows still struggle with the good old command line interface.)

    Hope this gives you some ideas.

    I don't believe there is any "MS best practice" for what you are trying to do here. Might be something to mention to their product group as a potential product enhancement.

    Regards,
    Rob

    Monday, November 25, 2013 4:14 PM
  • Thank you for your contribution Rob.

    The split address space as I understand it would still require that within a country's offices the addresses are routed, so we don't end up with one NLS in each office.

    In the end it's a solution similar to the DNS solution: you need to keep track of it, and not forget it when your network topology changes in some way (when you add new DCs with the DNS solution, and when you introduce new subnets somewhere in the reserved address space solution).

    I'm aware of the NLS functionality, but thanks for mentioning it again. It was not clear to me in the beginning when I started with DA either, so I think it can't be mentioned often enough :-)

    The best solution I can think of, which would prevent you from breaking functionality by accident and would mean you don't need to keep DA in mind all the time when you make changes to your network topology or your DNS servers, is if DA would allow the same as for the probes of the Network Connectivity Assistant. There you can add multiple URLs which are checked.

    If we had the same for the NLS, that would be the perfect solution in my point of view. But it would require changes to the DA server functionality and on the client side to implement this. If it were implemented, you could enter for example 3 NLS servers. As long as the connectivity to one of them works, DA is deactivated. If all fail, DA kicks in.

    Now I really want to propose this to the product group as you mentioned. But I have absolutely no idea how to get in touch with the DA people. I hoped they are also reading here, but maybe they are not :-)

    Monday, December 02, 2013 9:56 AM
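An added example, not from anyone in this thread: a PowerShell check an administrator can run from a domain-joined client at each site to confirm Lutz's split-DNS approach (the NLS name resolves to the local NLS via each site's DNS server), to confirm Rob's point that the NLS only has to answer HTTP 200 over HTTPS, and to model the multi-URL NLS behaviour proposed above (inside only if any one of several URLs answers). The NLS name, DNS server addresses and expected IPs are constructed placeholders.

```powershell
# Assumed placeholders: replace with the NLS FQDN from the DA wizard and each site's DNS server / NLS IP.
$NlsFqdn = 'nls.corp.example'
$Sites = @(
    @{ Name = 'US';     DnsServer = '10.1.0.10'; ExpectedNlsIp = '10.1.0.50' }   # constructed values
    @{ Name = 'Europe'; DnsServer = '10.2.0.10'; ExpectedNlsIp = '10.2.0.50' }   # constructed values
)

# Ask each site's DNS server directly (bypassing the local cache and hosts file) and
# compare the answer with the NLS that is supposed to be local to that site.
function Test-NlsSplitDns {
    param([string]$Fqdn, [hashtable[]]$SiteTable)
    foreach ($site in $SiteTable) {
        $answer = Resolve-DnsName -Name $Fqdn -Type A -Server $site.DnsServer -DnsOnly -ErrorAction SilentlyContinue
        $ips = @($answer | Where-Object { $_.Type -eq 'A' } | ForEach-Object { $_.IPAddress })
        [pscustomobject]@{
            Site     = $site.Name
            Resolved = ($ips -join ',')
            Expected = $site.ExpectedNlsIp
            LocalNls = ($ips -contains $site.ExpectedNlsIp)
        }
    }
}

# Mirror what the DA client does: an HTTPS GET that must succeed with status 200 and a trusted
# certificate. Any failure (name resolution, TCP, certificate, non-200) means "outside" and DA activates.
function Test-NlsResponse {
    param([string]$Url)
    try {
        $r = Invoke-WebRequest -Uri $Url -UseBasicParsing -TimeoutSec 5
        [pscustomobject]@{ Url = $Url; StatusCode = $r.StatusCode; Inside = ($r.StatusCode -eq 200); Error = $null }
    } catch {
        [pscustomobject]@{ Url = $Url; StatusCode = $null; Inside = $false; Error = $_.Exception.Message }
    }
}

# Models the behaviour proposed in the thread (not a DA feature): several NLS URLs, client is
# "inside" as long as at least one of them answers, "outside" only when all of them fail.
function Test-NlsAny {
    param([string[]]$Urls)
    $results = foreach ($u in $Urls) { Test-NlsResponse -Url $u }
    [pscustomobject]@{ Inside = ($results.Inside -contains $true); Probes = $results }
}

Test-NlsSplitDns -Fqdn $NlsFqdn -SiteTable $Sites | Format-Table -AutoSize
Test-NlsResponse -Url "https://$NlsFqdn/" | Format-List
(Test-NlsAny -Urls @("https://$NlsFqdn/", 'https://nls-eu.corp.example/')).Inside   # second URL is a placeholder
```

If the split-DNS check shows a site resolving to the other region's NLS, clients at that site will flip to DA as soon as the inter-site link drops, which is exactly the failure mode described in the question.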