While working in security zones like a DMZ, you might come across the need to configure a Windows Network Load Balancing (WNLB) cluster across two servers. Servers in a DMZ are usually in Workgroup mode unless you have a separate Active Directory domain for centrally managing the DMZ servers.
The NLB Clusters can be accessed by navigating to the Windows Network Load Balancing Manager (Start -> Administrative Tools -> Network Load Balancing Manager) of any Server participating in the NLB Cluster.
If the NLB Cluster is accessed using the local “Administrator” account then we have the following two scenarios:
- Local “Administrator” account on both Servers has the same Password: In this case the NLB Manager can access both Servers participating in the NLB Cluster without any issues.
- Local “Administrator” account on both Servers has different Passwords: In this case the NLB Manager can access only the local Server; to access the second Server you will be prompted for credentials. You can alternatively save these Credentials by navigating to NLB Manager -> Options -> Credentials.
If the NLB Cluster is accessed using any other user that is a member of the local “Administrators” group, then only the local server will be accessible, and you will get an “Access Denied” message while accessing the second host in the NLB Cluster.
The second host can be accessed by saving the Administrator account credentials by navigating to NLB Manager -> Options -> Credentials.
When the local “Administrator” account is used, everything works as expected. This is because the Security Identifier (SID) of the local “Administrator” account is identical on all Servers. When you manually create an account on each Server and add it to the local “Administrators” Group, then even though you might use the same username, its Security Identifier (SID) differs from Server to Server. A SID that is a member of the “Administrators” Group on one Server is non-existent on the other Server, hence the message “Access Denied”.
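The following script is an added example and is not part of the original post. It checks, before you save anything under NLB Manager -> Options -> Credentials, whether a given account can actually reach the NLB WMI provider on the other host over DCOM, which is the transport NLB Manager itself uses. It assumes PowerShell 3.0 or later (New-CimSession, Get-Credential -UserName) and the host name NLB-HOST2 is a placeholder.

```powershell
# Added example: verify that an account can query the NLB provider on a remote
# workgroup host the same way NLB Manager does (WMI over DCOM/RPC).
# Assumes PowerShell 3.0+; host names in the usage section are placeholders.

function Test-NlbHostAccess {
    param(
        [Parameter(Mandatory)] [string] $ComputerName,
        # Omit to use the account you are logged on with, i.e. the case where
        # the local "Administrator" password is the same on both servers.
        [System.Management.Automation.PSCredential] $Credential
    )

    $user = if ($Credential) { $Credential.UserName } else { "$env:USERDOMAIN\$env:USERNAME" }

    # NLB Manager talks WMI over DCOM, not WinRM, so force the DCOM protocol;
    # a WinRM test could succeed while NLB Manager still fails, or vice versa.
    $opt = New-CimSessionOption -Protocol Dcom
    $sessionArgs = @{ ComputerName = $ComputerName; SessionOption = $opt; ErrorAction = 'Stop' }
    if ($Credential) { $sessionArgs.Credential = $Credential }

    $session = $null
    try {
        $session = New-CimSession @sessionArgs
        # root\MicrosoftNLB is the namespace registered by the NLB provider;
        # MicrosoftNLB_Node holds one record per host in the cluster.
        $nodes = @(Get-CimInstance -CimSession $session -Namespace 'root\MicrosoftNLB' `
                                   -ClassName MicrosoftNLB_Node -ErrorAction Stop)
        [pscustomobject]@{
            ComputerName = $ComputerName
            User         = $user
            Accessible   = $true
            Detail       = "$($nodes.Count) node record(s) returned"
        }
    }
    catch {
        [pscustomobject]@{
            ComputerName = $ComputerName
            User         = $user
            Accessible   = $false
            # "Access is denied" here is the same condition NLB Manager reports
            # when the remote host cannot match the account you are using.
            Detail       = $_.Exception.Message
        }
    }
    finally {
        if ($session) { Remove-CimSession $session }
    }
}

# Scenario 1: logged on as the local Administrator, same password on both hosts.
Test-NlbHostAccess -ComputerName 'NLB-HOST2'

# Scenario 2: explicit credentials, as you would type them into NLB Manager.
# On a workgroup host, qualify the user name with the remote computer name.
$cred = Get-Credential -UserName 'NLB-HOST2\Administrator' -Message 'Remote NLB host credentials'
Test-NlbHostAccess -ComputerName 'NLB-HOST2' -Credential $cred
```

Run it from the server you intend to manage the cluster from. A result with `Accessible = $true` for the remote host means the same account will work in NLB Manager; an "Access is denied" result reproduces the failure described above for a manually created administrator account, and tells you to save the local Administrator credentials instead.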
There are ways to clone a user SID and make it identical on both Servers, but these methods are not recommended by Microsoft. So the best option is to use the local “Administrator” account while in Workgroup mode.