Solved

Load balancing DC's?

Posted on 2009-05-05
8
740 Views
Last Modified: 2013-12-24
Hi Everyone

We have about 5 DC's in our main site. There are a plethora of applications that need a DC hardcoded into their code to for either LDAP queries, or authentication.

At the moment, they are all pointing to DC1.

Obviously, if DC1 goes down, then we are in trouble.

I woud like to look into load balancing across all 5 DC's. I guess I could create a DNS CNAME (ldap.kam.uk) that points to all the DC's, but if one of the DC's is down, this won't help much. Does anyone have any ideas how I can implement some redundancy?
0
Comment
Question by:kam_uk
  • 2
  • 2
  • 2
  • +2
8 Comments
 
LVL 3

Expert Comment

by:ISWSIMBX
ID: 24307153
The CNAME option will work, I would just put a very low TTL on them so that if one goes down or you have to take it offline for maintenance, the client will kick over to the next DC.
0
 
LVL 27

Assisted Solution

by:Jason Watkins
Jason Watkins earned 50 total points
ID: 24307368
Hi,

If you are looking to load balance authentication by those DCs, you should be alright as is.  If you DCs are in different sites, then you may have to tweak your DNS settings to make sure all DCs are available to users.

/F
0
 
LVL 3

Author Comment

by:kam_uk
ID: 24307400
Hi

Sorry, when I said load balance authentication, I wasn't referring to users authenticating, more the applications authenticating where they had a hard coded DC. They are unable to use SRV records.

ISWSIMBX - good idea about the TTL. What would you recommend? Also, wouldn't this generate more DNS traffic though?

Thanks!
0
NEW Veeam Agent for Microsoft Windows

Backup and recover physical and cloud-based servers and workstations, as well as endpoint devices that belong to remote users. Avoid downtime and data loss quickly and easily for Windows-based physical or public cloud-based workloads!

 
LVL 3

Assisted Solution

by:ISWSIMBX
ISWSIMBX earned 50 total points
ID: 24307792
I believe the default value is 300 so I would go with around 100-150.  And yes, it will probably generate a bit more DNS traffic than before, but if it is only 5 DC's, then the amount of traffic increase should be pretty small.
0
 
LVL 6

Assisted Solution

by:mvgeertruyen
mvgeertruyen earned 100 total points
ID: 24307944
I'm not sure if it is an option for you but with minor changes to the applications you could offload the fault tolerance to the AD (small change = modify the binding from LDAP<server> to GC<domain> for example).. If your apps only require ldap then the above dns suggestions would be good; but then again you would need to modify the settings off the apps. All depends on the apps off course.
Some info on ldap binding without specifying a server:
http://msdn.microsoft.com/en-us/library/ms677945(VS.85).aspx
0
 
LVL 71

Accepted Solution

by:
Chris Dent earned 300 total points
ID: 24309016

> DNS CNAME (ldap.kam.uk) that points to all the DC's

You won't be able to do that with a CNAME. Usage is illegal, you aren't allowed multiple CNAME records for the same resource. You could create multiple Host (A) Records for the same name though.

However, this is one very very important factor you must be aware of when implementing this.

DNS couldn't care less if the address it's handing out is up or down. It will happily hand out an address for a DC that is down. The responses to the query will rotate using Round Robin, but that's the extent of it. It's a very basic form of load balancing.

Either the application must support fault tolerance and be aware of the possible DCs. Or you must create a monitoring system that modifies the "ldap.yourdomain.com" record to a DC, or a number of DCs that are active. In that instance the low TTL would come into play.

Chris
0
 
LVL 3

Author Comment

by:kam_uk
ID: 24335802
Thanks..

Just one final query...

Let's say I list a DC in the UK, Spain and Russia in this ldap.kam.uk record.

If an application in Russia attempts a connect to ldap.kam.uk, will it contact the Russia DC, or is the proximity of the DC completely irrelevant in this DNS example?
0
 
LVL 71

Expert Comment

by:Chris Dent
ID: 24335832

Generally irrelevant. However, NetMask Ordering will attempt to give you an answer within the same subnet as the client if it can. Otherwise it uses standard Round Robin rotation.

I believe NetMask ordering matches on 24-bit subnets by default.

Chris
0

Featured Post

Free learning courses: Active Directory Deep Dive

Get a firm grasp on your IT environment when you learn Active Directory best practices with Veeam! Watch all, or choose any amount, of this three-part webinar series to improve your skills. From the basics to virtualization and backup, we got you covered.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Suggested Solutions

As technology users and professionals, we’re always learning. Our universal interest in advancing our knowledge of the trade is unmatched by most industries. It’s a curiosity that makes sense, given the climate of change. Within that, there lies a…
Always backup Domain, SYSVOL etc.using processes according to Microsoft Best Practices. This is meant as a disaster recovery process for small environments that did not implement backup processes and did not run a secondary domain controller that ne…
This video shows how to use Hyena, from SystemTools Software, to bulk import 100 user accounts from an external text file. View in 1080p for best video quality.
Attackers love to prey on accounts that have privileges. Reducing privileged accounts and protecting privileged accounts therefore is paramount. Users, groups, and service accounts need to be protected to help protect the entire Active Directory …

733 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question