Archive for January, 2017

NIC Teaming, also known as load balancing and failover (LBFO), allows multiple network adapters on a computer to be placed into a team for the following purposes:

  • Bandwidth aggregation
  • Traffic failover to prevent connectivity loss in the event of a network component failure

In this example we’ll create a virtual switch, attach it to a VM and enable NIC teaming on the new virtual adapter:

In Hyper-V Manager click Virtual Switch Manager


Create Virtual switch


Choose the switch type:

External: gives virtual machines access to a physical network so they can communicate with servers and clients on an external network; it also carries traffic between Hyper-V VMs on the same Hyper-V server.

Internal: allows communication between virtual machines on the same Hyper-V server, and between the virtual machines and the management (host) operating system.

Private: only allows communication between virtual machines on the same Hyper-V server.

and click Create Virtual Switch


Choose the physical adapter to bind the switch to, click Apply, then OK


Now that the physical network adapter is bound to the Hyper-V switch, let’s add a virtual adapter on that switch to the VM

Right-click the VM-Settings


Add Hardware-Network Adapter-Add


Specify the Virtual Switch-Apply-OK


Select the adapter-Advanced Features-tick Enable this network adapter to be part of a team in the guest operating system



PowerShell alternative. Creating the new switch:

New-VMSwitch -Name External -NetAdapterName 'Ethernet'

Adding a new network adapter to the VM:

Get-VM -Name dc | Add-VMNetworkAdapter -SwitchName 'External'

Enabling NIC teaming for the VM’s adapter:

Set-VMNetworkAdapter -VMName dc -AllowTeaming On
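A single adapter on a single switch gives the guest nothing to fail over to. The following added example (not from the original post) carries the procedure above through to a working guest team: two external switches on two physical NICs, two virtual adapters with teaming allowed, and the LBFO team created inside the guest. The physical NIC names 'Ethernet' and 'Ethernet 2', the switch names, the VM name dc and the team name are assumptions for the lab.

```powershell
# Added example, not from the original post.
# Part 1 runs on the Hyper-V host. Assumed: physical NICs 'Ethernet' and
# 'Ethernet 2', VM named 'dc'.
Import-Module Hyper-V

$switches = @{ 'External-A' = 'Ethernet'; 'External-B' = 'Ethernet 2' }
foreach ($name in $switches.Keys) {
    if (-not (Get-VMSwitch -Name $name -ErrorAction SilentlyContinue)) {
        # -AllowManagementOS $false keeps host management traffic off the VM switches
        New-VMSwitch -Name $name -NetAdapterName $switches[$name] -AllowManagementOS $false | Out-Null
    }
    # One virtual adapter per switch, named after the switch so the guest can tell them apart
    Add-VMNetworkAdapter -VMName 'dc' -SwitchName $name -Name "Team-$name"
}

# AllowTeaming must be On for every adapter that will join the in-guest team;
# without it the guest can create the team but traffic stops on failover.
Get-VMNetworkAdapter -VMName 'dc' | Where-Object Name -like 'Team-*' |
    Set-VMNetworkAdapter -AllowTeaming On

# Check the result on the host before touching the guest
Get-VMNetworkAdapter -VMName 'dc' |
    Select-Object Name, SwitchName, AllowTeaming, MacAddress

# Part 2 runs inside the guest (Windows Server 2012 R2 / 2016): build the team
# from the two adapters. Guest teams use switch-independent mode with address
# hashing; the switches never see a LACP or static team.
$members = Get-NetAdapter | Where-Object Status -eq 'Up' | Sort-Object Name
New-NetLbfoTeam -Name 'GuestTeam' -TeamMembers $members.Name `
    -TeamingMode SwitchIndependent -LoadBalancingAlgorithm TransportPorts -Confirm:$false
Get-NetLbfoTeam | Select-Object Name, Status, TeamingMode, LoadBalancingAlgorithm
Get-NetLbfoTeamMember | Select-Object Name, Team, AdministrativeMode, OperationalStatus
```

To test failover, disconnect one of the two virtual adapters on the host (Disconnect-VMNetworkAdapter -VMName dc -Name 'Team-External-A') while pinging the guest; Get-NetLbfoTeamMember inside the guest should show that member as Failed and the ping should continue over the other one.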

In this post we’ll create a VPN server that uses IPsec tunnel mode with Internet Key Exchange version 2 (IKEv2). With the IKEv2 Mobility and Multihoming protocol (MOBIKE), this tunneling protocol has inherent advantages in scenarios where the client moves from one IP network to another (for example, from WLAN to WWAN). It permits a user with an active IKEv2 VPN tunnel to disconnect a laptop from a wired connection, walk down the hall to a conference room, connect to a wireless network, and have the IKEv2 VPN tunnel automatically reconnected with no noticeable interruption. In this lab the server authenticates to the client with a certificate, and the user authenticates inside IKEv2 with EAP-MSCHAP v2.



Installing certificates on the VPN server and VPN client

Creating certificate templates

On the Certification Authority (CA), in the CA console, right-click Certificate Templates-Manage




Right-click the IPSec template-Duplicate Template



On the Request Handling tab tick Allow private key to be exported. This is needed only because the certificate is exported later in this walkthrough; on a production template leave it unticked so the server key cannot be copied off the machine.



Click the Extensions tab-Application Policies-Edit




Remove IP security IKE intermediate




Then click Add and choose Server Authentication (IKEv2 clients require this EKU on the server certificate)




Click Key Usage-Edit



Ensure that Digital signature is selected. If it is, click Cancel. If it is not, select it, and then click OK.


In the Security tab click Add-Object Types-tick Computers, then add Domain Computers



Make sure Read, Enroll and Autoenroll are selected



In the General tab give the template a name



Now, back in the CA console, right-click Certificate Templates-New-Certificate Template to Issue




Choose the new template




Enrolling the certificate on the VPN server

On the VPN server: Start-Run-mmc-File-Add/Remove Snap-in



Click Certificates-Add-Computer account-Local computer




Right-click Personal-All Tasks-Request New Certificate




Tick the new certificate template and click Properties



Click the Subject tab-Subject name-Type: Common name (from the drop-down menu)-enter the FQDN of the VPN server-Add

Alternative name-Type: DNS-enter the FQDN of the VPN server-Add. Clients connect by this name, and IKEv2 fails the connection if the name does not match the certificate.



The new certificate should now be listed under Personal-Certificates




The client must trust this certificate, so it is exported here and then imported on the client machine


Exporting the certificate

Right-click the certificate-All Tasks-Export




Yes, export the private key. Note that the client only needs the public certificate to trust the server; exporting the private key is not required for this and means a copy of the server’s key leaves the server.




Set a password and specify the file the certificate should be saved to.

Copy the file to the client computer


Importing the file on the client machine

Import the certificate into the Trusted Root Certification Authorities store of the client’s local computer. (When the server certificate is issued by an enterprise CA, the correct object to place in that store is the CA’s root certificate rather than the server certificate itself; domain-joined clients normally receive it automatically through Group Policy.)

Start-Run-mmc-add the Certificates snap-in for the local computer

Right-click Trusted Root Certification Authorities-All Tasks-Import




Browse to the copied file and enter the password


Installing roles

On the VPN server install the Network Policy and Access Services and Remote Access roles



Open the Routing and Remote Access console-right-click the server icon-Configure and Enable Routing and Remote Access




Remote access (dial-up or VPN)




Check VPN




Select the Internet-facing interface




Define the VPN address pool






We are not forwarding to a separate RADIUS server: choose No, use Routing and Remote Access to authenticate connection requests. RRAS then uses the local NPS network policies, which we configure next.




Right-click Remote Access Logging and Policies-Launch NPS



Click Network Policies



Right-click Connections to Microsoft Routing and Remote Access server-Properties


Check Grant access


Click Constraints-Authentication Methods and check that Microsoft: Secured password (EAP-MSCHAP v2) is listed under EAP Types



If it is not, add it




Enabling user VPN access

In Active Directory Users and Computers right-click the user-Dial-in tab-Allow access




Client settings

In the hosts file add an entry for the VPN server (the name must match the common name / DNS alternative name of the server certificate, otherwise IKEv2 certificate validation fails)


Creating the VPN client connection





Use my Internet connection (VPN)




I’ll set up an internet connection later



In Internet address type the VPN server name (the same name as in the hosts file and the certificate)



Specify username/password



In the Security tab, for Type of VPN select IKEv2, set Data encryption to Require encryption, and under Authentication choose Microsoft: Secured password (EAP-MSCHAP v2)



We can see that IKEv2 is used and that the client got an address from our VPN pool
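The wizard leaves the IKEv2 cryptographic proposals at the Windows defaults, which still offer 3DES, SHA-1 and DH group 2. The following added example (not from the original post) does three things a practitioner would want alongside the GUI steps above: it checks on the VPN server that the enrolled certificate really carries the Server Authentication EKU and the FQDN clients will use, it pins the server to a single AES-256/SHA-256/DH-2048 policy, and it creates the client connection from PowerShell with EAP-MSCHAP v2 and the matching IPsec policy. The FQDN vpn.lab.local, the connection name and the user name are assumptions; the EAP configuration XML is the standard EAP-MSCHAP v2 (EAP type 26) block, the same method the connection wizard selects.

```powershell
# Added example, not from the original post.
# Assumed: VPN server FQDN vpn.lab.local, connection name 'Lab IKEv2'.

# --- Part 1: run on the VPN server --------------------------------------
Import-Module RemoteAccess
$fqdn = 'vpn.lab.local'

# The certificate must have the Server Authentication EKU and carry the name
# clients connect to; IKEv2 clients abort on a name mismatch.
$cert = Get-ChildItem Cert:\LocalMachine\My |
    Where-Object { $_.EnhancedKeyUsageList.FriendlyName -contains 'Server Authentication' -and
                   $_.DnsNameList.Unicode -contains $fqdn }
if (-not $cert) { throw "No Server Authentication certificate for $fqdn in LocalMachine\My" }
$cert | Select-Object Subject, Issuer, NotAfter, Thumbprint

# Replace the default IKEv2 proposal set with one AES-256 / SHA-256 / DH group 14
# policy. The client below is configured with the identical policy.
Set-VpnServerIPsecConfiguration -CustomPolicy `
    -EncryptionMethod AES256 -IntegrityCheckMethod SHA256 -DHGroup Group14 `
    -CipherTransformConstants AES256 -AuthenticationTransformConstants SHA256128 `
    -PfsGroup PFS2048
Restart-Service RemoteAccess
Get-VpnServerIPsecConfiguration

# --- Part 2: run on the Windows client ----------------------------------
$fqdn = 'vpn.lab.local'

# EAP-MSCHAP v2 (EAP type 26) inner authentication, as selected by the wizard
[xml]$eap = @"
<EapHostConfig xmlns="http://www.microsoft.com/provisioning/EapHostConfig">
  <EapMethod>
    <Type xmlns="http://www.microsoft.com/provisioning/EapCommon">26</Type>
    <VendorId xmlns="http://www.microsoft.com/provisioning/EapCommon">0</VendorId>
    <VendorType xmlns="http://www.microsoft.com/provisioning/EapCommon">0</VendorType>
    <AuthorId xmlns="http://www.microsoft.com/provisioning/EapCommon">0</AuthorId>
  </EapMethod>
  <Config xmlns="http://www.microsoft.com/provisioning/EapHostConfig">
    <Eap xmlns="http://www.microsoft.com/provisioning/BaseEapConnectionPropertiesV1">
      <Type>26</Type>
      <EapType xmlns="http://www.microsoft.com/provisioning/MsChapV2ConnectionPropertiesV1">
        <UseWinLogonCredentials>false</UseWinLogonCredentials>
      </EapType>
    </Eap>
  </Config>
</EapHostConfig>
"@

# Same settings as the Security tab: IKEv2, encryption required, EAP-MSCHAP v2
Add-VpnConnection -Name 'Lab IKEv2' -ServerAddress $fqdn -TunnelType Ikev2 `
    -EncryptionLevel Required -AuthenticationMethod Eap -EapConfigXmlStream $eap `
    -RememberCredential -PassThru

# Pin the client to the same proposal the server now requires
Set-VpnConnectionIPsecConfiguration -ConnectionName 'Lab IKEv2' `
    -EncryptionMethod AES256 -IntegrityCheckMethod SHA256 -DHGroup Group14 `
    -CipherTransformConstants AES256 -AuthenticationTransformConstants SHA256128 `
    -PfsGroup PFS2048 -Force

# Connect ('*' makes rasdial prompt for the password) and show the result
rasdial 'Lab IKEv2' 'lab\user1' '*'
Get-VpnConnection -Name 'Lab IKEv2' |
    Select-Object Name, ConnectionStatus, TunnelType, AuthenticationMethod, EncryptionLevel
```

If the connection fails after the policy change on only one side, the two proposal sets no longer overlap; RRAS logs the IKE negotiation failure in the System log and the client reports error 13868 or a policy-match error, which is the expected behaviour rather than a fallback to the weaker defaults.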







Nano Server is a remotely administered server operating system optimized for private clouds and datacenters; it has no local logon capability. In a previous post we created a basic Nano Server image without going deep into configuration; in this one we’ll configure a DNS server on Nano Server.

Import the Nano Server cmdlets

From the Windows Server 2016 installation disk browse to NanoServer\NanoServerImageGenerator, then:

Set-ExecutionPolicy RemoteSigned
Import-Module .\NanoServerImageGenerator.psm1

Create the Nano Server image (with the DNS package). The IP parameters take the values for your lab; in anything beyond a lab, prompt for the administrator password rather than embedding it in the command line:

New-NanoServerImage -MediaPath d:\ -BasePath C:\nano\ -TargetPath C:\nano\nano_dns.vhdx `
    -Package Microsoft-NanoServer-DNS-Package -InterfaceNameOrIndex Ethernet `
    -Ipv4Address -Ipv4SubnetMask -Ipv4Gateway -Ipv4Dns `
    -DeploymentType Guest -EnableRemoteManagementPort -Edition Datacenter -MaxSize 10GB `
    -ComputerName nano_dns -AdministratorPassword (ConvertTo-SecureString "Password01" -AsPlainText -Force)

All available packages are on the Windows Server 2016 installation DVD in the NanoServer\Packages folder


Create the Hyper-V VM and start it

New-VM -Name 'nano-dns' -MemoryStartupBytes 1gb -VHDPath 'C:\nano\nano_dns.vhdx' -Generation 2 -switchname 'new virtual switch'

start-vm nano-dns

Connect to Nano Server and enable the DNS role. TrustedHosts should contain only the Nano Server’s address, never the wildcard *, because WinRM will then send credentials to any host with that name:

set-item wsman:\localhost\client\trustedhosts ""
Enter-PSSession -ComputerName -Credential administrator
Enable-WindowsOptionalFeature -Online -FeatureName dns-server-full-role
Import-Module DnsServer

Creating a forward lookup zone and an A record

Add-DnsServerPrimaryZone -ZoneName -ZoneFile
Add-DnsServerResourceRecordA -Name www -ZoneName -IPv4Address

From a client computer (whose preferred DNS server is set to the Nano Server), test DNS resolution:
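The commands above are run one at a time with values typed in; the following added example (not from the original post) performs the same remote configuration as a single idempotent script and adds two settings a file-backed zone on a standalone DNS server should have: dynamic updates disabled and zone transfers refused. It then queries the Nano Server directly from the client and checks the answer instead of relying on the adapter’s DNS setting. The address 192.0.2.10 for the Nano Server, the zone lab.local and the record www = 192.0.2.20 are assumptions.

```powershell
# Added example, not from the original post. Run on the management client.
# Assumed: Nano Server at 192.0.2.10, zone lab.local, www -> 192.0.2.20.
$nano = '192.0.2.10'
$cred = Get-Credential -UserName 'administrator' -Message 'Nano Server administrator'

# Trust only this host for WinRM; -Concatenate keeps entries already present.
Set-Item WSMan:\localhost\Client\TrustedHosts -Value $nano -Concatenate -Force

Invoke-Command -ComputerName $nano -Credential $cred -ScriptBlock {
    param($zone, $hostName, $ip)

    Enable-WindowsOptionalFeature -Online -FeatureName dns-server-full-role | Out-Null
    Import-Module DnsServer

    if (-not (Get-DnsServerZone -Name $zone -ErrorAction SilentlyContinue)) {
        # File-backed primary zone with dynamic updates off: nothing on the
        # network can register or overwrite records in it.
        Add-DnsServerPrimaryZone -Name $zone -ZoneFile "$zone.dns" -DynamicUpdate None
    }
    # Refuse AXFR/IXFR; add secondaries explicitly if they are ever needed.
    Set-DnsServerPrimaryZone -Name $zone -SecureSecondaries NoTransfer

    $existing = Get-DnsServerResourceRecord -ZoneName $zone -Name $hostName -RRType A `
                    -ErrorAction SilentlyContinue
    if (-not $existing) {
        Add-DnsServerResourceRecordA -Name $hostName -ZoneName $zone -IPv4Address $ip
    }

    Get-DnsServerZone -Name $zone | Select-Object ZoneName, ZoneType, DynamicUpdate, SecureSecondaries
} -ArgumentList 'lab.local', 'www', '192.0.2.20'

# Query the Nano Server directly and verify the expected answer
$answer = Resolve-DnsName -Name 'www.lab.local' -Type A -Server $nano -DnsOnly
if ($answer.IP4Address -ne '192.0.2.20') {
    throw "Unexpected answer from $nano : $($answer.IP4Address)"
}
$answer | Select-Object Name, Type, TTL, IP4Address
```

Because Nano Server has no local console, everything here happens over WinRM; if Invoke-Command fails with an access error, check that the VM actually received the address you put in $nano (Get-VMNetworkAdapter -VMName nano-dns shows the IP addresses the guest reports).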



This lab consists of:

Remote Desktop Gateway server – enables authorized remote users to connect to resources on an internal corporate or private network from any Internet-connected device that can run the Remote Desktop Connection (RDC) client.

Remote Desktop Web Access server – enables users to access RemoteApp and Desktop Connection through a web browser.

Remote Desktop Connection Broker server – allows users to reconnect to their existing sessions in a load-balanced RD Session Host server farm, distributes the session load evenly among the RD Session Host servers in the farm, and provides users access to virtual desktops hosted on RD Virtualization Host servers and to RemoteApp programs hosted on RD Session Host servers through RemoteApp and Desktop Connection.

Remote Desktop Session Host server – hosts Windows-based programs or the full Windows desktop for Remote Desktop Services clients. Users can connect to an RD Session Host server to run programs, save files, and use network resources on that server.

License server – provides Remote Desktop Services client access licenses (RDS CALs) for the users or computers that connect to the RD Session Host server.

Installing the Remote Desktop roles

Add all servers to a server group in Server Manager


Add Roles and Features-Remote Desktop Services installation


Standard deployment


Session-based desktop deployment


In the RD Connection Broker window choose the RD Connection Broker server and click the arrow to add it to the right


Do the same for the RD Web Access server


and repeat the procedure for the RD Session Host



PowerShell alternative:

Import-Module RemoteDesktop
New-SessionDeployment -ConnectionBroker -SessionHost -WebAccessServer

Adding the licensing server

After installation, in Server Manager click Remote Desktop Services-Overview


Click RD Licensing and select the licensing server


Or use PowerShell:

Add-RDServer -Server -Role RDS-LICENSING -ConnectionBroker

Adding the RD Gateway server

Click RD Gateway and select the gateway server



With PowerShell:

Add-RDServer -Server '' -Role RDS-GATEWAY -ConnectionBroker -GatewayExternalFqdn

-GatewayExternalFqdn is the name external clients use to reach the gateway; it must match the subject of the gateway’s SSL certificate (a self-signed certificate with this name is created when the RD Gateway server is added).

Configure the RD deployment

In the Overview window click Tasks-Edit Deployment Properties



Select the licensing mode (per user or per device)



Creating certificates

I used self-signed SSL certificates; for every server I clicked Create New Certificate. Self-signed certificates are fine for a lab, but clients will not trust them until the certificate is imported into their Trusted Root store; in production, use certificates issued by a CA the clients already trust, with the external FQDN as the subject.


Specify the certificate name (do the same for all remaining servers)


Transferring the RD Connection Broker database to SQL Server

By default the RD Connection Broker database is stored in the Windows Internal Database (WID). For Connection Broker high availability it must be moved to a dedicated SQL Server, which we’ll do now.

Create an AD security group and add the RD Connection Broker computer account to it, then on the RD Connection Broker server install the SQL Server 2012 SP1 Native Client (ENU\x64\sqlncli.msi).


On the SQL Server expand Security-Logins-New Login


Select Windows authentication-Object Types-Group-Locations-your domain, and enter the AD security group that contains the RD Connection Broker. This gives the Connection Broker’s computer account login rights to the SQL Server; it also needs rights on the database (the dbcreator server role, or db_owner on the empty database created next).


Create a new empty database

In SQL Server Management Studio click New Query and run the following:

use master
create database RDP

A database named RDP is created


Right-click RD Connection Broker-Configure High Availability


Dedicated database server


In DNS name specify the DNS round-robin name for the Connection Broker cluster (in a lab with a single broker, the broker’s own DNS name)

Connection string: DRIVER=SQL Server Native Client 11.0;SERVER=sql\remote_services;Trusted_Connection=Yes;APP=Remote Desktop Services Connection Broker;DATABASE=RDP

SERVER=sql\remote_services: sql is the SQL Server host name, remote_services the instance name chosen during SQL Server installation

Folder to store the database (this is the default data location for SQL Server 2014):

C:\Program Files\Microsoft SQL Server\MSSQL12.REMOTE_SERVICES\MSSQL\DATA


After the wizard finishes, the deployment overview shows the Connection Broker as highly available:


Creating RD Gateway policies

If this task is performed remotely (not directly on the RD Gateway server) we need to install the RSAT tools:

Install-WindowsFeature  RSAT-RDS-Tools -IncludeManagementTools -IncludeAllSubFeature

In Server Manager click Remote Desktop Services-Servers-right-click the RD Gateway server-RD Gateway Manager


Click Resource Authorization Policies and disable the existing default policies (the default policy lets users reach any domain computer; we replace it with one limited to the RDS servers)


Click Manage Local Computer Groups


Create Group


In Network Resources specify the RD Connection Broker server and the RD Session Host server


Remote clients will be allowed to reach only these servers when connecting from outside the network

Right-click Resource Authorization Policies-Create New Policy-Custom


In User Groups specify the AD group whose members will connect through the RD Gateway


In the Network Resource tab select the resource group we just created


Creating the Remote Desktop session collection

To make the session desktop available to remote users we first need to create a session collection and publish it.

In Server Manager click Remote Desktop Services-Collections-Tasks-Create Session Collection


Specify a name and the RD Session Host server


Specify the AD group whose members will have remote access


We can also specify a user profile disk. User profile disks centrally store user and application data on a single virtual disk that is dedicated to one user’s profile. When the user logs on, the profile disk is attached to the session and detached when the user logs off, so no files are copied at logon or logoff.


PowerShell alternative:

New-RDSessionCollection -CollectionName 'test' -SessionHost -ConnectionBroker

Set-RDSessionCollectionConfiguration -CollectionName test -UserGroup 'test\domain users' -EncryptionLevel High -ConnectionBroker -AutomaticReconnectionEnabled $true
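New-RDSessionCollection gives a working collection, but its defaults leave Network Level Authentication, the security layer, session limits and device redirection at their permissive values. The following added example (not from the original post) tightens the collection created above and forces clients through the gateway; it uses the RemoteDesktop module only. The names rdcb.lab.local for the Connection Broker and remote.lab.example for the gateway’s external name are assumptions, the collection name test is the one used above.

```powershell
# Added example, not from the original post.
# Assumed: Connection Broker rdcb.lab.local, collection 'test' from above,
# gateway external name remote.lab.example.
Import-Module RemoteDesktop
$broker = 'rdcb.lab.local'

# Which server holds which role in this deployment
Get-RDServer -ConnectionBroker $broker | Sort-Object Server | Format-Table Server, Roles -AutoSize

# Session collection hardening:
#  - SecurityLayer SSL + NLA: the user authenticates before a session (and its
#    logon screen) is created, so anonymous clients never reach the host.
#  - EncryptionLevel High as on the page.
#  - Idle/disconnected limits so abandoned sessions do not live forever.
#  - Redirection limited to clipboard and smart card; no drive mapping into
#    the session from untrusted client machines.
Set-RDSessionCollectionConfiguration -CollectionName 'test' -ConnectionBroker $broker `
    -SecurityLayer SSL -EncryptionLevel High -AuthenticateUsingNLA $true `
    -IdleSessionLimitMin 30 -DisconnectedSessionLimitMin 60 `
    -ClientDeviceRedirectionOptions 'Clipboard,SmartCard'

# Every client, including ones that look local, goes through the RD Gateway
Set-RDDeploymentGatewayConfiguration -ConnectionBroker $broker -GatewayMode Custom `
    -GatewayExternalFqdn 'remote.lab.example' -LogonMethod Password `
    -UseCachedCredentials $true -BypassLocal $false -Force

# Review what is now in effect
Get-RDSessionCollectionConfiguration -CollectionName 'test' -ConnectionBroker $broker -Security
Get-RDSessionCollectionConfiguration -CollectionName 'test' -ConnectionBroker $broker -Connection
Get-RDSessionCollectionConfiguration -CollectionName 'test' -ConnectionBroker $broker -Client
Get-RDDeploymentGatewayConfiguration -ConnectionBroker $broker
```

These settings are the PowerShell equivalent of the collection’s Security, Session and Client Settings tabs; the gateway settings correspond to the RD Gateway page under Edit Deployment Properties.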


We can edit the collection by clicking on it-Tasks-Edit Properties




Now, from a client computer, browse to the RD Web Access server (https://<server>/RDWeb) and sign in






Through the RD Gateway and the Connection Broker, the remote client has connected to the RD Session Host



The Network Load Balancing (NLB) feature distributes traffic across several servers by using the TCP/IP networking protocol. By combining two or more computers that are running applications into a single virtual cluster, NLB provides reliability and performance for web servers and other mission-critical servers.

The servers in an NLB cluster are called hosts, and each host runs a separate copy of the server applications. NLB distributes incoming client requests across the hosts in the cluster.

In this example we’ll create an NLB cluster from 2 nodes (nlb1 and nlb2) hosting an IIS site

Installing the NLB and IIS roles

Invoke-Command nlb1,nlb2 { Install-WindowsFeature NLB -IncludeAllSubFeature -IncludeManagementTools }
Invoke-Command nlb1,nlb2 { Install-WindowsFeature Web-Server -IncludeManagementTools }

Creating the NLB cluster

On any cluster node run the following PowerShell command:

New-NlbCluster -InterfaceName ethernet -ClusterName 'iis_cluster' -ClusterPrimaryIP -SubnetMask -OperationMode Unicast

An NLB cluster named iis_cluster with the given cluster IP is created in unicast mode

There are the following operation modes:

Unicast – each NLB cluster node replaces its real (burned-in) MAC address with one generated by the NLB software, and every node in the cluster uses the same virtual MAC. Because the switch sees one MAC on several ports, cluster traffic is flooded to all of them, and the nodes cannot reach each other over that adapter unless they have a second NIC.

Multicast – NLB adds a layer 2 multicast MAC address to the NIC of each node, so each node keeps its real MAC and also answers to the NLB-generated one. Routers often need a static ARP entry for the cluster IP, since the ARP reply maps a unicast IP to a multicast MAC.

IGMP multicast – like multicast, but the hosts send IGMP joins so that switches with IGMP snooping forward cluster traffic only to the ports serving the cluster hosts, not to all switch ports.

Adding the second NLB node:

Add-NlbClusterNode -NewNodeName nlb1 -NewNodeInterface 'Ethernet' -InterfaceName 'Ethernet'

Setting the NLB cluster port rule and filtering mode

A port rule defines which traffic (cluster IP, protocol, port range) the cluster handles and how. Filtering modes:

Multiple hosts – distribute traffic for the port range between the cluster nodes. This is the only mode in which load weight and affinity apply.

Single host – direct all traffic for the port range to a single host, the one with the highest priority.

Disabled – block all traffic for the port range.

Affinity (None, Single, Network) is a separate setting on Multiple hosts rules and is covered below.

Get-NlbClusterPortRule | Set-NlbClusterPortRule -NewIP -NewProtocol TCP -NewStartPort 80 -NewEndPort 80 -NewMode Multiple


Setting the load weight

The load weight applies only in the Multiple hosts filtering mode, where it specifies the relative amount of load-balanced network traffic that the node should handle for the associated port rule. Allowed values range from 0 to 100. To prevent a host from handling any network traffic for the rule, set the load weight to 0.

Get-NlbClusterNode -NodeName nlb1 | Get-NlbClusterPortRule | Set-NlbClusterPortRuleNodeWeight -LoadWeight 50

Setting the NLB node priority

Each cluster host is assigned a unique host priority in the range 1 to 32, where lower numbers denote higher priorities. The host with the highest priority (lowest numeric value) is called the default host. It handles all client traffic for the cluster IP addresses that is not covered by a port rule, which ensures that server applications not configured for load balancing receive client traffic on a single host only. If the default host fails, the host with the next highest priority takes over as default host.

This command sets priority 32 for node nlb1:

Set-NlbClusterNode -HostName nlb1 -HostPriority 32 -InterfaceName ethernet


Affinity can be set only when the Multiple hosts filtering mode is applied.

None lets multiple connections from the same client IP address be handled by different cluster hosts. Single sends all connections from one client IP address to the same cluster host. Network directs multiple requests from the same TCP/IP Class C address range to the same cluster host; enabling Network affinity instead of Single affinity ensures that clients that use multiple proxy servers to access the cluster have their TCP connections directed to the same cluster host.

Get-NlbClusterPortRule | Set-NlbClusterPortRule  -NewAffinity single
Get-NlbClusterNode -NodeName nlb1 | fl * 
Invoke-Command nlb2 {get-nlbclusternode -NodeName nlb2 | fl * }


Because nlb2 has the highest priority (1) it is the default host; in our test the client’s requests were served by this node

Testing NLB by giving each node a distinguishable page:

on nlb1:

del C:\inetpub\wwwroot\iisstart.htm
echo "This page is hosted on nlb1 node :-)" > C:\inetpub\wwwroot\index.html

On nlb2:

del C:\inetpub\wwwroot\iisstart.htm
echo "This page is hosted on nlb2 node :-)" > C:\inetpub\wwwroot\index.html




Stop the nlb2 node from nlb1 and refresh the page; it should now be served by nlb1


Invoke-Command nlb2 {Stop-NlbClusterNode -HostName nlb2}
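The steps above are spread over several commands with the addresses left out. The following added example (not from the original post) builds the same two-node cluster end to end, replaces the catch-all default port rule with one that load-balances only TCP/80, sets unequal weights, and then measures from a client which node answers, before and after draining nlb2. The addresses 192.0.2.11, 192.0.2.12 and the cluster IP 192.0.2.100/24 and the adapter name 'Ethernet' are assumptions for the lab; the test function counts the page bodies created above.

```powershell
# Added example, not from the original post. Run on nlb1; the test function at
# the end is run from a third machine. Assumed: nlb1 192.0.2.11, nlb2 192.0.2.12,
# cluster IP 192.0.2.100/24, adapter 'Ethernet' on both nodes.
Import-Module NetworkLoadBalancingClusters

$vip  = '192.0.2.100'
$mask = '255.255.255.0'

# Create the cluster on this node and join nlb2
$cluster = New-NlbCluster -InterfaceName 'Ethernet' -ClusterName 'iis_cluster' `
    -ClusterPrimaryIP $vip -SubnetMask $mask -OperationMode Unicast
Add-NlbClusterNode -InputObject $cluster -NewNodeName 'nlb2' -NewNodeInterface 'Ethernet' | Out-Null

# The default rule balances every port. Replace it with a rule for TCP/80 only;
# anything else sent to the VIP then goes to the default host rather than being
# spread across nodes that may not expect it.
Get-NlbClusterPortRule | Remove-NlbClusterPortRule -Force
Add-NlbClusterPortRule -InterfaceName 'Ethernet' -IP $vip -Protocol TCP `
    -StartPort 80 -EndPort 80 -Mode Multiple -Affinity None | Out-Null

# nlb1 takes roughly twice the traffic of nlb2
Get-NlbClusterNode -NodeName nlb1 | Get-NlbClusterPortRule |
    Set-NlbClusterPortRuleNodeWeight -LoadWeight 100 | Out-Null
Get-NlbClusterNode -NodeName nlb2 | Get-NlbClusterPortRule |
    Set-NlbClusterPortRuleNodeWeight -LoadWeight 50 | Out-Null

Get-NlbClusterNode     | Format-Table Name, State, HostPriority -AutoSize
Get-NlbClusterPortRule | Format-Table IP, Protocol, StartPort, EndPort, Mode, Affinity -AutoSize

# From a client: send N requests to the VIP and count which node's page comes back.
# With Affinity None each new TCP connection (new source port) may land on a
# different node; with Single affinity the same client always hits one node.
function Test-NlbDistribution {
    param([string]$Url, [int]$Requests = 20)
    $hits = @{}
    for ($i = 0; $i -lt $Requests; $i++) {
        $body = (Invoke-WebRequest -Uri $Url -UseBasicParsing -DisableKeepAlive).Content.Trim()
        $hits[$body] = 1 + [int]$hits[$body]
    }
    $hits
}
Test-NlbDistribution -Url "http://$vip/"

# Failover: drain nlb2 (existing connections finish, no new ones), re-test,
# then return it to the cluster.
Stop-NlbClusterNode -HostName nlb2 -Drain -Timeout 30
Test-NlbDistribution -Url "http://$vip/"
Start-NlbClusterNode -HostName nlb2
```

After the drain every response should carry the nlb1 page; if the distribution before the drain shows only one node, check that the weights are on the TCP/80 rule and that the client is not sitting behind a proxy that reuses one connection.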



With role-based access control we get detailed control over which tasks users can perform in IPAM

Built-in IPAM roles and the default access scope:


Type          Name                                  Description
Role          DNS record administrator              Manages DNS resource records
Role          IP address record administrator       Manages IP addresses but not IP address spaces, ranges, blocks, or subnets
Role          IPAM administrator                    Manages all settings and objects in IPAM
Role          IPAM ASM administrator                Completely manages IP addresses (address space management)
Role          IPAM DHCP administrator               Completely manages DHCP servers
Role          IPAM DHCP reservations administrator  Manages DHCP reservations
Role          IPAM DHCP scope administrator         Manages DHCP scopes
Role          IPAM MSM administrator                Completely manages DHCP and DNS servers (multi-server management)
Access scope  Global                                By default, all objects in IPAM are included in the Global access scope. All additional scopes that are configured are subsets of the Global access scope.


Adding a custom role

Sometimes the built-in roles won’t meet our requirements; in that case we can create a custom role.

Click Access Control-right-click Roles-Add User Role



Enter a role name and define which operations the role permits; in this example the user can create a zone, invoke a zone transfer and configure a preferred DNS server.




Creating an access policy

Now map the user to the IPAM role:

Right-click Access Policies-Add Access Policy




Click Add, select the domain and add the user (in my example this user is a standard domain user with no specific privileges)



In Access Settings click New and choose the role



Click Add settings




Optionally, we can specify an access scope.

An access scope determines the objects that a user has access to. You can use access scopes to define administrative domains in IPAM. For example, you might create access scopes based on geographical location. By default, IPAM includes an access scope of Global. All other access scopes are subsets of the Global access scope. Users or groups that are assigned to the Global access scope have access to all objects in IPAM that are permitted by their assigned role.

In this example I didn’t create any access scope.


Log in to the IPAM server as that user; according to the role settings, the user can create a DNS zone but can’t delete it





In a previous post we installed IPAM; in this one we’ll perform some basic tasks

Adding a DNS record

In the IPAM console click DNS Zones-right-click the zone-Add DNS Record


Click New and choose the record type


Type the value, optionally tick Create associated PTR record, then click Add Resource Record




Viewing zone details

In the left pane click Tree View-Forward Lookup Zones


Select the zone in the left pane and in Current view choose Resource Records


Managing IP addresses

To find the first available address, IPAM looks at the DHCP range; in my case I have one configured DHCP range and one DHCP client, so IPAM offers the next address after it.

Click IP Address Range-right-click the DHCP range-Find and Allocate Available IP Address





Or with PowerShell, recording an address in the inventory:

Add-IpamAddress -IpAddress -PassThru
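Add-IpamAddress only records what you tell it; the "find and allocate" step the GUI performs is Find-IpamFreeAddress. The following added example (not from the original post) does the whole sequence from the IpamServer module: locate the range, ask IPAM for a free address, ping it first so an unrecorded host cannot collide with the allocation, and record the assignment. The range 192.0.2.100-192.0.2.200 and the device name web01 are assumptions, and the property names read from the Find-IpamFreeAddress result (IpAddress, PingStatus) are taken from the cmdlet’s default output and should be checked against your server.

```powershell
# Added example, not from the original post. Run on the IPAM server or a
# machine with the IPAM client tools. Assumed: range 192.0.2.100-192.0.2.200
# is already in the IPAM inventory; a host named web01 needs an address.
Import-Module IpamServer

$range = Get-IpamRange -StartIPAddress 192.0.2.100 -EndIPAddress 192.0.2.200
if (-not $range) { throw 'Range 192.0.2.100-192.0.2.200 is not in the IPAM inventory' }

# Ask IPAM for one free address and have it ping the candidate; an address that
# answers is in use by something nobody recorded, and must not be handed out.
$free = Find-IpamFreeAddress -InputObject $range -NumAddress 1 -TestReachability
if (-not $free) { throw 'No free address left in the range' }
$free | Format-List *                       # shows IpAddress, PingStatus, ... (property names assumed)
if ($free.PingStatus -ne 'NoReply') {
    throw "Candidate $($free.IpAddress) answered a ping ($($free.PingStatus)); not allocating"
}

# Record the allocation as a static host assignment so the next query skips it
$addr = Add-IpamAddress -IpAddress $free.IpAddress -DeviceType Host -AssignmentType Static `
    -DeviceName 'web01' -Description 'Allocated with the IpamServer module' -PassThru
$addr | Select-Object IpAddress, DeviceName, DeviceType, AssignmentType, IpAddressState

# Confirm it is now part of the inventory
Get-IpamAddress -AddressFamily IPv4 -ManagedByService IPAM |
    Where-Object DeviceName -eq 'web01' |
    Select-Object IpAddress, DeviceName, Description
```

A second run of the same script returns the next address rather than the one just recorded, which is the behaviour the GUI shows when you repeat Find and Allocate Available IP Address.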

Creating a DNS zone

In the left pane click DNS and DHCP Servers-right-click the DNS server-Create DNS Zone


Enter the zone type (forward or reverse) and the zone name






Purging IPAM utilization data

This removes historical utilization records from the IPAM database; it does not delete the database itself.

Browse to one of the following locations: IP Address Blocks, IP Address Inventory, or IP Address Range Groups. Click TASKS, and then click Purge Utilization Data.

The Purge Utilization Data dialog box opens. In Purge all utilization data on or before, click Select a date and choose the date; all records on and before that date will be deleted. Click OK, and IPAM deletes the records you specified.