Load balancing DC's?

Posted on 2009-05-05
Medium Priority
Last Modified: 2013-12-24
Hi Everyone

We have about 5 DC's in our main site. There are a plethora of applications that need a DC hardcoded into their code to for either LDAP queries, or authentication.

At the moment, they are all pointing to DC1.

Obviously, if DC1 goes down, then we are in trouble.

I woud like to look into load balancing across all 5 DC's. I guess I could create a DNS CNAME (ldap.kam.uk) that points to all the DC's, but if one of the DC's is down, this won't help much. Does anyone have any ideas how I can implement some redundancy?
Question by:kam_uk
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 2
  • 2
  • 2
  • +2

Expert Comment

ID: 24307153
The CNAME option will work, I would just put a very low TTL on them so that if one goes down or you have to take it offline for maintenance, the client will kick over to the next DC.
LVL 27

Assisted Solution

by:Jason Watkins
Jason Watkins earned 200 total points
ID: 24307368

If you are looking to load balance authentication by those DCs, you should be alright as is.  If you DCs are in different sites, then you may have to tweak your DNS settings to make sure all DCs are available to users.


Author Comment

ID: 24307400

Sorry, when I said load balance authentication, I wasn't referring to users authenticating, more the applications authenticating where they had a hard coded DC. They are unable to use SRV records.

ISWSIMBX - good idea about the TTL. What would you recommend? Also, wouldn't this generate more DNS traffic though?

Get real performance insights from real users

Key features:
- Total Pages Views and Load times
- Top Pages Viewed and Load Times
- Real Time Site Page Build Performance
- Users’ Browser and Platform Performance
- Geographic User Breakdown
- And more


Assisted Solution

ISWSIMBX earned 200 total points
ID: 24307792
I believe the default value is 300 so I would go with around 100-150.  And yes, it will probably generate a bit more DNS traffic than before, but if it is only 5 DC's, then the amount of traffic increase should be pretty small.

Assisted Solution

mvgeertruyen earned 400 total points
ID: 24307944
I'm not sure if it is an option for you but with minor changes to the applications you could offload the fault tolerance to the AD (small change = modify the binding from LDAP<server> to GC<domain> for example).. If your apps only require ldap then the above dns suggestions would be good; but then again you would need to modify the settings off the apps. All depends on the apps off course.
Some info on ldap binding without specifying a server:
LVL 71

Accepted Solution

Chris Dent earned 1200 total points
ID: 24309016

> DNS CNAME (ldap.kam.uk) that points to all the DC's

You won't be able to do that with a CNAME. Usage is illegal, you aren't allowed multiple CNAME records for the same resource. You could create multiple Host (A) Records for the same name though.

However, this is one very very important factor you must be aware of when implementing this.

DNS couldn't care less if the address it's handing out is up or down. It will happily hand out an address for a DC that is down. The responses to the query will rotate using Round Robin, but that's the extent of it. It's a very basic form of load balancing.

Either the application must support fault tolerance and be aware of the possible DCs. Or you must create a monitoring system that modifies the "ldap.yourdomain.com" record to a DC, or a number of DCs that are active. In that instance the low TTL would come into play.


Author Comment

ID: 24335802

Just one final query...

Let's say I list a DC in the UK, Spain and Russia in this ldap.kam.uk record.

If an application in Russia attempts a connect to ldap.kam.uk, will it contact the Russia DC, or is the proximity of the DC completely irrelevant in this DNS example?
LVL 71

Expert Comment

by:Chris Dent
ID: 24335832

Generally irrelevant. However, NetMask Ordering will attempt to give you an answer within the same subnet as the client if it can. Otherwise it uses standard Round Robin rotation.

I believe NetMask ordering matches on 24-bit subnets by default.


Featured Post

Is Your AD Toolbox Looking More Like a Toybox?

Managing Active Directory can get complicated.  Often, the native tools for managing AD are just not up to the task.  The largest Active Directory installations in the world have relied on one tool to manage their day-to-day administration tasks: Hyena. Start your trial today.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

In this article, we’ll look at how to deploy ProxySQL.
Active Directory can easily get cluttered with unused service, user and computer accounts. In this article, I will show you the way I like to implement ADCleanup..
Microsoft Active Directory, the widely used IT infrastructure, is known for its high risk of credential theft. The best way to test your Active Directory’s vulnerabilities to pass-the-ticket, pass-the-hash, privilege escalation, and malware attacks …
This is a high-level webinar that covers the history of enterprise open source database use. It addresses both the advantages companies see in using open source database technologies, as well as the fears and reservations they might have. In this…
Suggested Courses

800 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question