How to Configure Windows Network Load Balancing for pure Terminal Server environments

A lot of people have recently asked how to configure load-balancing in pure Terminal Server environments. This is a topic that Ron and I covered in our Terminal Server book, so I've pulled out that section for this article.

Microsoft Windows Network Load Balancing (“NLB”) is the “free” out-of-the-box software load balancing solution available for Windows 2003-based Terminal Servers. NLB is available with all editions of Windows Server 2003, although your Terminal Servers must be running at least the Enterprise edition of Windows to use the Session Directory. (We'll cover the Session Directory in an upcoming article.)

Network Load Balancing works by assigning a single virtual IP address to those multiple servers that can respond. You then assign a DNS name to the virtual IP address. RDP clients connect to this DNS name, and the system responds by automatically connecting the user to the least-busy server.

Under the hood, Network Load Balancing enables all of the configured nodes on a single subnet to detect incoming network traffic for the cluster's virtual IP address. (When using Windows NLB, all servers must be on the same subnet.) On each Terminal Server in the cluster, the Network Load Balancing driver acts as a layer residing between the cluster driver and the TCP/IP stack. A portion of the incoming network traffic can be received by the host.

Windows Network Load Balancing works at the network level by distributing the network client request between hosts. Windows NLB is limited to a maximum number of 32 possible hosts in any one cluster.

Also, as its name implies, Windows Network Load Balancing is only able to determine which server is the least-busy based on network load. If one server has failed but is still responding to the network, the NLB system will continue to send users to it.

Advantage of Load Balancing with Windows NLB

  • It’s the “free” solution that’s built-in to Windows.

Disadvantages of Load Balancing with Windows NLB

  • Load calculations are only based on network load.
  • You can’t natively load-balance more than 32 servers.
  • All servers must be located on the same subnet.

What if you need to load balance more than 32 Terminal Servers?

One major limitation of Windows Network Load Balancing is that you can only use it to load balance 32 servers. If you need more than 32 servers in your cluster, you must implement one of the following options:

  • Move to a third-party hardware (F5, etc.) or software (Citrix, WTS Gateway Pro, etc.) load-balancing solution as described later in this chapter.
  • Combine multiple groups of NLB clusters with round robin DNS servers.

Let’s take a closer look at this second option. In this case, your DNS servers should be configured with entries for both of the clusters’ virtual IP addresses in a round robin entry so that clients connect to either one in a one to one ratio. Make sure that each cluster has the same number of servers, or adjust your round robin ratio accordingly.

At this point you may be thinking that a DNS round robin solution could suffice for simple load balancing. Before you go down that path, remember that there are reasons why it’s called DNS round robin and not DNS load balancing.

A server failure in an NLB cluster will be detected by the other servers (through the cluster’s heartbeat packets), and new RDP connections will then be distributed only among the remaining Terminal Servers. However, a DNS round robin scheme will continue to send connections to the server that has failed until a change is manually made to the DNS entry.

Configuring Windows Network Load Balancing

This article is not meant to be an exhaustive study of Windows Network Load Balancing. However, we’ll cover some of the Terminal Server-specific items that you probably won’t find in other papers covering NLB.

There are only a few requirements that all servers must meet to use Windows NLB:

  • Have at least one network interface configured for Load Balancing.
  • Use TCP/IP.
  • Be on the same subnet.
  • Share a common (virtual) IP address.

In an ideal world, each of your Terminal Servers within the cluster would have two network cards. The first would be used for the “front-end” RDP traffic between clients and server. The second would be used for “back-end” services and data access.

All versions of Windows Server 2003 come with Network Load Balancing installed. To use it, all you have to do is enable it on the network card that you intend to use for RDP connections (Control Panel | Network Connections | Right-click on your network card | Properties | Check the box next to the “Network Load Balancing” option).

Once you enable NLB, you must configure it (Network adapter properties | Highlight “Network Load Balancing” | Click the “Properties” button). There are several configuration options to understand when using NLB in a Terminal Server environment.

The Properties button leads you to a window with three tabs—Cluster Parameters, Host Parameters, and Port Rules.

Cluster Parameters
On the Cluster Parameters tab, you’ll first enter the virtual IP address, subnet mask, and DNS name that your cluster will use. These should be the same on all Terminal Servers in the cluster.

Then you’ll select a cluster operation mode. Windows NLB has the ability to work in two different modes: “unicast” and “multicast.”

Regardless of the mode you choose, NLB creates a new virtual MAC address assigned to the network card that has NLB enabled, and all hosts in the cluster share this virtual MAC. Then, all incoming packets are received by all servers in the cluster, and each server’s NLB drivers are responsible for filtering which packets are for that server and which are not.

When in unicast mode, NLB replaces the network card’s original MAC address. When in multicast mode, NLB adds the new virtual MAC to the network card, but also keeps the card’s original MAC address.

Both unicast and multicast modes have benefits and drawbacks. One benefit of unicast mode is that it works out of the box with all routers and switches (since each network card only has one MAC address). The disadvantage is that since all hosts in the cluster have the same MAC and IP address, they do not have the ability to communicate with each other via their NLB network card. A second network card is required for communication between the servers.

Multicast mode does not have the problem that unicast operation does since the servers can communicate with each other via the original addresses of their NLB network cards. However, the fact that each server’s NLB network card operating in multicast mode has two MAC addresses (the original one and the virtual one for the cluster) causes some problems on its own. Most routers reject the ARP replies sent by hosts in the cluster, since the router sees the response to the ARP request that contains a unicast IP address with a multicast MAC address. The router considers this to be invalid and rejects the update to the ARP table. In this case you’ll need to manually configure the ARP entries on the router. (Don’t worry if you’re lost at this point. Just be aware that if you’re using multicast mode, you’ll need to get one of your network infrastructure people involved.)

The bottom line is that you don’t want to use unicast in a Terminal Server environment unless you have two network cards. (That way, you can still connect to a specific Terminal Server if you need to via another adapter and another IP address.) If your servers have only a single network card, then you’ll want to use the multicast mode.
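
As an added example (not from the original article), the sketch below derives the virtual MAC that NLB builds from the cluster IP in each operation mode and shows why multicast mode needs a manually configured ARP entry on the router. The 02-BF, 03-BF and 01-00-5E-7F prefixes come from Microsoft's NLB documentation rather than from this article; the 10.20.30.x addresses and the ARP listing are constructed sample data.

```python
import ipaddress

def nlb_virtual_mac(cluster_ip, mode):
    """Derive the cluster MAC that NLB builds from virtual IP w.x.y.z."""
    w, x, y, z = ipaddress.IPv4Address(cluster_ip).packed
    layouts = {
        "unicast": [0x02, 0xBF, w, x, y, z],      # replaces the NIC's own MAC
        "multicast": [0x03, 0xBF, w, x, y, z],    # added next to the NIC's own MAC
        "igmp": [0x01, 0x00, 0x5E, 0x7F, y, z],   # IGMP multicast variant
    }
    return "-".join(f"{octet:02X}" for octet in layouts[mode])

def is_group_mac(mac):
    """True when the lowest bit of the first octet marks a multicast (group) MAC."""
    return bool(int(mac.split("-")[0], 16) & 1)

def static_arp_entry(cluster_ip, mode):
    """Return the (ip, mac) pair to pin on the router, or None in unicast mode.

    A router that refuses to learn a unicast IP paired with a multicast MAC
    needs this mapping entered by hand, as the article describes.
    """
    mac = nlb_virtual_mac(cluster_ip, mode)
    return (cluster_ip, mac) if is_group_mac(mac) else None

def classify_arp_table(text):
    """Label each entry of an 'arp -a' style listing as ordinary or NLB."""
    results = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 2:
            continue
        try:
            ip = str(ipaddress.IPv4Address(parts[0]))
        except ValueError:
            continue  # header lines such as "Interface:" or "Internet Address"
        mac = parts[1].upper()
        label = "ordinary"
        for mode in ("unicast", "multicast", "igmp"):
            if mac == nlb_virtual_mac(ip, mode):
                label = f"nlb-{mode}"
        results.append((ip, mac, label))
    return results

# Constructed sample listing (not captured from a real system).
SAMPLE_ARP = """\
Interface: 10.20.30.5 --- 0x2
  Internet Address      Physical Address      Type
  10.20.30.1            00-1a-2b-3c-4d-5e     dynamic
  10.20.30.40           03-bf-0a-14-1e-28     static
"""

if __name__ == "__main__":
    for mode in ("unicast", "multicast", "igmp"):
        print(mode, nlb_virtual_mac("10.20.30.40", mode))
    print(static_arp_entry("10.20.30.40", "multicast"))
    print(classify_arp_table(SAMPLE_ARP))
```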

Host Parameters
The “Host Priority” is a unique number assigned to each server in the cluster. This number (an integer) identifies the node in the cluster and determines the order in which traffic is delivered to the servers by default. The priority is organized by lowest to highest with the lowest number handling all traffic not otherwise handled by the set of load balancing rules.

Port Rules
The Port Rules tab allows you to configure how load-balancing works within the cluster. By default, a rule is created that equally balances all TCP/IP traffic across all servers. To use NLB for a Terminal Server cluster, you’ll need to change some settings.

First add a new rule (Port Rules tab | Add button) that will specify how RDP traffic is to be load-balanced. Configure the port range for 3389 to 3389 to ensure that this new rule only applies to RDP traffic. Select the “TCP” option in the protocols area and the “Multiple Host” as your filtering mode.

The “Affinity” determines if a specific client’s requests will continue to be routed to a specific server (such as the first server they were connected to) based on the client’s IP address. If you’re using the Session Directory then a specification here is not required or can be set to “none.” If you are not using the Session Directory, set this rule to “single affinity” so that a client will always be serviced by the same server and users can reconnect to their disconnected sessions.

Finally, the “Load weight” setting determines the amount of users/load this server should handle. The cluster algorithm will divide the server’s load weight setting by the total of all the servers’ settings to calculate a load index value for each server, allowing you to route more connections to larger servers.

A simple example is a two-server cluster, the first server having a quad processor configuration and the second having a dual processor configuration. Through load testing, you have determined that the quad can handle exactly twice the number of users as the dual. One server (the dual) can be configured with a load weight of 50 while the other server (the quad) can be configured with a load weight of 100. In this configuration, the second server would receive twice as much traffic as the first. The default load weight setting is “Equal” and assumes all servers in the cluster can handle an equal amount of load.

Baseline NLB Configuration

As we discussed earlier, NLB clustering is extremely complex. Nevertheless, you should be able to create a basic configuration for lab testing fairly simply. The following settings will work for almost every environment and allow you to easily configure RDP load balancing:

Cluster Parameters Tab

  • Cluster IP Address: Common IP shared between all servers
  • Subnet Mask: Common Subnet
  • DNS name of cluster: Shared DNS name (should refer to the Common cluster IP)
  • Operation mode: Unicast

Host Parameters Tab

  • Priority/Host ID: Start at 1 and work up as you add servers. Each must be unique
  • Dedicated IP: IP Address of NIC that will accept load balanced requests
  • Subnet Mask: Subnet mask of NIC configured for Load Balancing
  • Default State: Started

Port Rules Tab

  • Cluster IP Address: If only using one, leave the default at “All”
  • Port Range: 3389 to 3389 (or whatever port you're using for RDP)
  • Protocols: Default of “Both” will work; so will “TCP”
  • Filtering: Multiple Hosts, Affinity set to None. (If you’re not using Session Directory you can set this to “single.”)

Leave the remaining settings at their default values. (You can also use these settings for load balancing your web servers. Just change the port rule from 3389 to 80.)

Once your cluster is up and running:

  • Check that each server’s dedicated IP address is unique and that the cluster IP address is identical for each server in the cluster.
  • Verify that any load-balanced applications are installed and configured on all cluster servers. Remember that Windows NLB is not aware of higher-level applications and does not start or stop applications or services on each server.
  • Ensure that the dedicated IP address is always listed first (before the cluster IP address) in the Internet Protocol (TCP/IP) Properties dialog box to ensure that responses to connections originating from a host will return to the same host.
  • Make sure that both the dedicated IP address and the cluster IP address are static IP addresses. They cannot be DHCP addresses.
  • Do not enable Network Load Balancing on a computer that is part of a “real” Microsoft cluster services cluster. Microsoft does not support this configuration.
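
The checklist above, together with the cluster-size, subnet, unicast and affinity rules from earlier in the article, can be checked mechanically. This added example (not part of the original article or of any Microsoft tool) audits a hand-built host inventory and computes the traffic share implied by the load weights; the dictionary layout, host names and addresses are assumptions made for the illustration.

```python
import ipaddress
from collections import Counter

def audit_cluster(hosts, session_directory, rdp_port=3389):
    """Check an NLB host inventory against the article's rules; return findings."""
    findings = []
    if len(hosts) > 32:
        findings.append("cluster has more than 32 hosts")
    if len({h["cluster_ip"] for h in hosts}) != 1:
        findings.append("cluster IP is not identical on every host")
    for field in ("dedicated_ip", "priority"):
        counts = Counter(h[field] for h in hosts)
        dupes = sorted(v for v, n in counts.items() if n > 1)
        if dupes:
            findings.append(f"{field} not unique: {dupes}")
    subnets = {ipaddress.ip_interface(f"{h['dedicated_ip']}/{h['mask']}").network
               for h in hosts}
    if len(subnets) != 1:
        findings.append("hosts are not all on the same subnet")
    for h in hosts:
        name, rule = h["name"], h["rdp_rule"]
        if h["dhcp"]:
            findings.append(f"{name}: NLB addresses must be static, not DHCP")
        if h["ip_order"][0] != h["dedicated_ip"]:
            findings.append(f"{name}: dedicated IP must be listed before cluster IP")
        if h["mode"] == "unicast" and h["nics"] < 2:
            findings.append(f"{name}: unicast mode with a single NIC")
        if not (rule["start"] <= rdp_port <= rule["end"]
                and rule["protocol"] in ("TCP", "Both")
                and rule["filtering"] == "Multiple Hosts"):
            findings.append(f"{name}: no Multiple Hosts TCP rule covers port {rdp_port}")
        if not session_directory and rule["affinity"] != "Single":
            findings.append(f"{name}: without Session Directory, affinity should be Single")
    return findings

def traffic_share(hosts):
    """Each host's load weight divided by the total of all hosts' weights."""
    total = sum(h["load_weight"] for h in hosts)
    return {h["name"]: h["load_weight"] / total for h in hosts}

def sample_host(name, priority, dedicated_ip, **overrides):
    """Build one constructed inventory record that follows the baseline settings."""
    host = {"name": name, "priority": priority, "dedicated_ip": dedicated_ip,
            "mask": "255.255.255.0", "cluster_ip": "10.20.30.40", "dhcp": False,
            "nics": 2, "mode": "unicast", "load_weight": 50,
            "ip_order": [dedicated_ip, "10.20.30.40"],
            "rdp_rule": {"start": 3389, "end": 3389, "protocol": "TCP",
                         "filtering": "Multiple Hosts", "affinity": "None"}}
    host.update(overrides)
    return host

# Constructed inventories: ts1 is the dual-processor server (weight 50),
# ts2 the quad (weight 100), as in the article's load weight example.
GOOD = [sample_host("ts1", 1, "10.20.30.36"),
        sample_host("ts2", 2, "10.20.30.37", load_weight=100)]
# Same pair with a duplicated priority, a single-NIC unicast host and a
# cluster IP listed ahead of the dedicated IP.
BAD = [sample_host("ts1", 1, "10.20.30.36", nics=1),
       sample_host("ts2", 1, "10.20.30.37",
                   ip_order=["10.20.30.40", "10.20.30.37"])]

if __name__ == "__main__":
    for finding in audit_cluster(BAD, session_directory=True):
        print(finding)
    print(traffic_share(GOOD))
```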

Limitations of Windows Network Load Balancing

Even though it’s “free,” Network Load Balancing has some weaknesses. In addition to the disadvantages listed previously, some people want load-balancing tools to check the health of individual servers or create load indexes based on CPU utilization or the number of active sessions. For this functionality, you’ll need to turn to third-party tools. There are hardware- and software-based solutions for load balancing Windows 2003 Terminal Servers.

Join the conversation


This message was originally posted by ALEX on November 30, 2004
Originally (before Session Directory) there was a problem with NLB Session Affinity when connecting from Terminal Server to Terminal Server - Q243523. Session Directory fixed the situation for named users (reconnection to particular disconnected session), however did not address reconnection from particular client when connecting from another TS box. Note: Citrix load balancing will work for both win2k and win2k3 in the above scenario.
This message was originally posted by JSekel on November 30, 2004
Wouldn't multicast create much more broadcast traffic (that everything plugged into the switch would then see) than a unicast implementation?

I know of a scenario at my end where there are (heavily used) NLB web servers set for multicast that crush all the servers on the switch.

Does Unicast solve this? My basic understanding of it says yes, which then brings the question of, how much overhead does the resending of the traffic really put on the servers? With today's servers laughing at loads of 16 months ago, does it really matter?

BTW, informative as usual guys.
Multicast mode alone would flood the frames to every port on the cluster segment in a switched environment. However, if IGMP multicast mode is selected, and if the cluster is separated from the clients by an IGMP (or CGMP) aware router, only ports with connected members of the multicast group would get the frames.
Has anyone else experienced a serious imbalance when it comes to MS NLB and TS? I have about 20 users and it doesn't do a good job of balancing the connections between our two servers.

Right now I have about 15 stacked up on one and only 5 on the other.

I've read somewhere that it has to do with the algorithm used which doesn't work well with small numbers of users.

Any thoughts?
I want to configure a net with 4 application servers (in cluster), and 2 state servers, to ensure the availability of the application.
Is it possible in Windows Server 2003? How?
I hope I understood IGMP.

As far as I am informed all devices (network adapters in servers, switches (probably different vendors) and clients) have to be IGMP aware.

My second problem is that if a customer is using terminal services for all users almost ALL devices are within the IGMP group.
So this would mean that although IGMP is activated packets will move to almost all ports.

Am I right?

Greetings from Germany.

Christian Schroeder
If I have 2 x TS 2003 Ent servers, how can I keep the same profile for each user assuming that based on network load a user could be directed to any of the 2 servers?

I would recommend the use of a roaming TS profile.
Use a roaming profile so no matter which server they hit they get the same settings.
Will this work with the Citrix Web Interface as well?
I do ask because the topic was ...pure Terminal Server environments


It is a very nice article, but I am very new to implementing this.
I have 2 Terminal servers with 2 NICs.

Server 1; NIC1:, NIC2:
Server 2; NIC1:, NIC2:

I have session directory working on

I am using 192.168.101.x segment for our LAN.
10.0.0.x is just for clustering.

Can you please help me to set up network load balancing for my Terminal
I want to set up for cluster, (I mean user will connect
using this IP).

I tried to put cluster IP, but I am getting this error:

"Primary cluster IP address( not added to TCPIP properties"

Can anybody help me to setup this.

Your approach to NLB is wrong....
Follow this article and rearrange your NLB....
You are not the only one experiencing the problem, it is happening also to me.
The NLB is rightly configured, and I can see the same MAC for the NLB and the 2 servers' original IPs; I haven't configured the dedicated IP, because I have a second NIC, configured with a different IP.
When I try to connect to the NLB IP, I get connection to one of the servers; I checked it from 4 different clients.
But everything changes when you configure it without affinity. What I'm not sure is about the secondary effects of this.
Any ideas???
Thanks in advance.
Kepa. (
Yes - but we wouldn't recommend it as the best option obviously. We would recommend our NetScaler box or some other GSLB solution...the key is a HW LB solution.
Could you give an example configuration with two NICs with only one of them enabled for NLB?  I've been playing with it and cannot figure out whether the second (NLB) NIC can be configured with only the
"cluster IP" and not a second physical IP address.
Can you give an example where you configure the NLB for TS using two NIC's - one regular and the
second NIC only for NLB?  I cannot figure out how to use only the "cluster IP" address on the second
NIC.  I opened the Network Load Balancing Manager, created a New Cluster, and tried to add the
system I was on, but only the first NIC showed up - the one I'm already using that has an IP
address.  In my reading it sounded like you could have Unicast and the NLB NIC would only be
identified by the "cluster or virtual IP".  Have I missed something here?  Thanks

Could you give an example configuration with two NICs with only one of them enabled for NLB?  I've been playing with it and cannot figure out whether the second (NLB) NIC can be configured with only the
"cluster IP" and not a second physical IP address.
You cannot do what you're suggesting. Each NIC retains its original IP address, and the cluster IP address is then shared among all the servers/NICs in the NLB group.

If you configure your NLB Cluster for Unicast mode, then the NLB will overwrite the real MAC address of each adapter with a virtual MAC address associated with the virtual IP address. However, this is only really for old switches that cannot handle the newer multicast (preferred) way of doing things.

Somebody help me to configure Citrix Web Interface of two servers running MFPS 4.0 with NLB or give me a useful link. I have only one NIC on each server. And when I'm trying to make cluster, server don't see network at all. Exactly, I can log in to domain, but system can't find my roaming profile. I can ping my VIP, dedicated IP, and that is all I can! NTLM don't show any trouble! Please help!
I have a Windows 2003 Server with an Intel Pro/100+ Dual Port Server network adapter.  The user wants me to load balance both ports on this one card.  Is this possible?  If so, how do I go about doing it?
Hi ,
I have 2 servers, each server having 1 NIC.
I set my NLB to unicast.
When one of my servers stops or fails then NLB is still with that IP and taking time on other IP.
Thanks in Advance
- I have 2 W2K3 Servers configured at, each with one NIC only
- I have setup NLB with virtual IP
- I can add first host fine in the cluster, but cannot add the second host, it complains about "no interface available"
any suggestions?
I need to know if this could be the issue with encryption software on a DNS RR "cluster" for our W2K3STS?
We use a host name that has two different IP addresses in DNS instead of NLB through a clustered single IP.
When PGP is attempted by the thin client users the server reboots.
Doesn't encryption communicate by MAC address?
And, as a result, shouldn't NLB be used in order to virtualize the MAC?
(I need someone of your KB to justify my reasoning to change the methodology in order for PGP to function in this scenario)

Does anyone know how to get the real mac address if you have the nlb configured in unicast mode without changing it? It must be stored somewhere...



I have worked hard to provide all the windows NLB related info at one place.

I am sure it would be worth a visit.


I have a problem. My boss wants me to create a NLB cluster of web servers. The servers are on the same subnet but connected on different switches 'cause they are located on different sites.

I try to create my clusters but it doesn't work? Can someone help me?

This usually happens when you are cloning systems. Each network connection has its own unique ID that is assigned by Windows but is copied when the systems were cloned. Delete the adapter from hardware manager on the second system and add it back. This should fix the problem.

I'm a little unclear as to what the static IP address should be on the TCP/IP Protocol...

My Scenario:
2 Terminal Servers (ts1 and ts2) - each has 2 NIC's, NIC #2 is my NLB interface

ts1 has a static x.x.x.36 on NIC1
ts2 has a static x.x.x.37 on NIC1

.38 will be my virtual IP.

Do I set NIC #2 on both servers to .38 AND set .38 in the NLB configuration? This is what I've tried, and while I get distributed connections to each server, only one allows login - the other always says something to the effect of "The domain cannot be reached" - but if I disconnect the opposite server from the LAN, the one that was complaining works every time.

 Totally lost, any help is greatly appreciated.


You have to set up your primary IP address as real NIC address, so after you go into Properties (TCP/IP) you have to set up on NIC#2, let's say .36, and after that go to Advanced and add additional address there, in your case .38

 Hope That Helps


Is there any specific MAC range which will be used by NLB for its virtual MAC?
What would be the virtual MAC range used in NLB servers? Is it specific to some server types or Windows server version specific? Thanks for your help.
I have the BL460 c-Class server, two nos. I had Windows Server 2003 Enterprise Edition. I try to configure the NLB for blade1 & blade2 using nic2nd cards, but NLB error msg was host is unreachable but the first & 2nd blade also ping fine. I had using the Netgear gigabit switch for dedicatedly. How to resolve this issue..
any idea? Thanks!

I configured two Windows 2003 servers with NLB using Multicast. I can ping the VIP from its own subnet but can't from any other networks. I can also ping the physical address from different subnets just fine. Any ideas?

 Also, should I be using Multicast or Unicast? I'm setting this up for Web Interface 4.6.

You need to set up a static ARP entry for your virtual IP address and Multicast MAC address. This should be done on all routers that serve the network where the servers are connected.

I am hosting a web service on my Windows machine, and I would like to install another server application on the machine, and I would like to know if I can load balance between the web server and the other server application installed on the same machine.

Can I have a cluster of the above services on my machines?

Please let me know,


I am using NLB with IIS for web publishing. On web servers, I have some problems to access internet web site. I can open sites only with one server up.

How can I correct it?

 Thanks a lot

too many annoying ads
I want to connect three PCs with Server 2003 OS, but while connecting it shows time out error?
I have NLB set up with 3 servers, in unicast mode. The users are connecting remotely with thin clients that were used for Citrix but are now used for Terminal Services. They connect in via RDP to a cluster VIP called TSVR. Whenever they are minimizing an application, the screen seems to refresh down like they are connecting via dial-up. Any ideas of what could fix this? Please email responses back to

I have NLB set up with 'A' and 'B' servers having Windows 2003 Server. But before configuring NLB on these 2 servers, MSCS cluster was installed there with a domain name and cluster name CLUSTER1 and 'A' as the domain controller.

Now I configured the NLB with primary host 'A' and cluster name CLUSTER2.SAHU.COM and added 'B' as another host.

All are OK, NLB is created, but while I am connecting cluster with host name "A" from server 'A', it's giving an error "host unreachable or error in connection to B.SAHU.COM" (this the only error).


But I saved the host names from FILE MENU, and load the host name from that file, it's working well without any error/warning (why so please let me know)...


Yeah, even I have checked the "wlbs display and wlbs query" from command prompt and got the result from both the servers as below

WLBS Cluster Control Utility V2.4 (c) 1997-2003 Microsoft Corporation.
Host 1 has entered a converging state 4 time(s) since joining the cluster
  and the last convergence completed at approximately: 5/6/2008 2:06:10 PM
Host 1 converged as DEFAULT with the following host(s) as part of the cluster:
1, 2


 WLBS Cluster Control Utility V2.4 (c) 1997-2003 Microsoft Corporation.
Host 1 has entered a converging state 4 time(s) since joining the cluster
  and the last convergence completed at approximately: 5/6/2008 2:06:10 PM
Host 2 converged as DEFAULT with the following host(s) as part of the cluster:



Now one more thing is I'm using single network adapter with multicast mode. Now help me, guide me to avoid this error and write me some test case to test the work performance of NLB CLUSTER


Thank You



I configured session directory and NLB for Windows 2003. Session directory works fine, but after NLB configuration, I am not able to access the servers with cluster IP. Please suggest how I can resolve it.

Below are my settings:

Network Load Balancing configuration
-------------------------------------------
a) network connections->  Local Area Connection -> Network Load Balancing.

b) Click Properties -> cluster parameters

*  ip address -> cluster ip
* subnet mask
* full ethernet name -> cluster name. domain 

* cluster operation mode -> multicast

c) Second Tab -> Host parameters

* Priority -> start as 1 and increment with numbers as the servers get added.
* Dedicated IP -> provide the dedicated ip of the server
* subnet mask

d) In the third tab i.e. Port Rules fill the following information

* Add new port rule
* Cluster IP Address(virtual ip).
* Port range 3389 to 3389.
* Filtering host --> multiple host.
* Affinity -> none
Note: A window comes which says that the IP address should be entered in TCP/IP component too.
* Open network connections-> right click on Local Area Connection ->TCP/IP properties -> advanced -> add the cluster ip
* Two entries would be present at that point, one is the dedicated IP and second the cluster IP




Dear, I have configured the NLB between two servers but the problem is virtual IP of NLB is ping only both server not any server ip is mask is second server ip is mask is virtual ip is mask is but it's ip only server not any client. Help me..


One thing that I always suggest is not to use Multicast while using NLB in Windows. It doesn't work well. So when you use Unicast and still face issues you can come back here and let us know. We'll try and help.


I have two servers 192.168.1 and 192.168.2. I have one NIC in each server. I have entered as the cluster server on both servers. I have changed the Host parameter to point to each NIC's IP. I used as the Full internet name. I added as an A record in DNS. I cannot ping or Please mail any suggestions?