Saturday, March 27, 2004

NLB
We have converged! Got NLB working with two new servers - SERVER6 and SERVER7. Used the W2K3 Enterprise Edition demo that comes with the MS Press books.

SERVER 6 - 10.0.0.11, Class A sub, DNS server: 10.0.0.1
SERVER 7 - 10.0.0.12, Class A sub, DNS server: 10.0.0.1

Installed IIS on both. Created a simple web page ("Hello World1" on SERVER6 and "Hello World2" on SERVER7... I'll explain the reasoning later).

Added host records on SERVER3 (I still like to think of SERVER3 as my "PDC": it's the role holder of all FSMO roles and has AD-integrated DNS zones) for SERVER6 and SERVER7. Also added a host RR named www with IP 10.0.0.100, and a PTR RR for the same.

Setting up the cluster: start on SERVER6 by adding a new cluster in NLB Manager on 10.0.0.100.
Then add SERVER7 as a host. ("Converged" is good. Red Xs are baaaad).

Then on SERVER 7: connect to existing cluster. Then add SERVER7 as a host.

Test it out by entering www.matrix.com in a browser - this is the cool bit! Either the "Hello World1" on SERVER6 *OR* the "Hello World2" on SERVER7 will display. That was the point of creating two slightly different web pages...you can tell visually if NLB is working or not.

OK, so that's NLB done. Might do some more messing around with it but next trick is to remove NLB and add a full cluster. Apparently I need a virtual SCSI disk for this.

IPsec
IPsec (is it pronounced "IP SEC" or "IP (note the pause) SEC"?) Anyway, it's working between my laptop and desktop with pre-shared keys (also limited it to just telnet!) but in matrix.com I still have issues.

Had a fun time with IPsec between DCs. Assigned the policy and tested by pinging. No luck. So I deleted the policy. Big mistake! The policy is then cached. This is where the IPsec Monitor snap-in, a report-only tool, comes in useful. After consulting the built-in help files it turns out that the trick is to unassign the policy THEN delete it. After loads of GPUPDATE, replication, multiple reboots and tearing out still-remaining hairs I copped the answer. As I'd erroneously assigned the policy as the Default Domain Policy (oops) - IPsec Monitor told me so - I assigned a new policy (all traffic to CLIENT2). The thing is: only ONE POLICY can be assigned at a time! So that's it: assigning a meaningless policy will get rid of a disastrous one!

This autoenrollment is a bit tricky. I thought the problem lay with adding SERVER4 (Enterprise CA) to a Cert Publishers Group but it's already in there! I'd like to set up users with certs automatically - I can do it via a browser but that means logging in as a user... Problem is probably a permissions thing. Will investigate further.

And Finally...
Also, haven't looked at adding the secondary DNS for SERVER5 for a while....
In other news my 70-293 exam is booked for April 7th, 12 noon. Yup, it's High Noon...
