Solved

Load balancing DC's?

Posted on 2009-05-05
735 Views
Last Modified: 2013-12-24
Hi Everyone

We have about 5 DC's in our main site. There are a plethora of applications that need a DC hardcoded into their code for either LDAP queries or authentication.

At the moment, they are all pointing to DC1.

Obviously, if DC1 goes down, then we are in trouble.

I would like to look into load balancing across all 5 DC's. I guess I could create a DNS CNAME (ldap.kam.uk) that points to all the DC's, but if one of the DC's is down, this won't help much. Does anyone have any ideas how I can implement some redundancy?
Question by:kam_uk
8 Comments
 
LVL 3

Expert Comment

by:ISWSIMBX
The CNAME option will work, I would just put a very low TTL on them so that if one goes down or you have to take it offline for maintenance, the client will kick over to the next DC.
 
LVL 27

Assisted Solution

by:Jason Watkins
Jason Watkins earned 50 total points
Hi,

If you are looking to load balance authentication by those DCs, you should be alright as is.  If your DCs are in different sites, then you may have to tweak your DNS settings to make sure all DCs are available to users.

/F
 
LVL 3

Author Comment

by:kam_uk
Hi

Sorry, when I said load balance authentication, I wasn't referring to users authenticating, more the applications authenticating where they had a hard coded DC. They are unable to use SRV records.

ISWSIMBX - good idea about the TTL. What would you recommend? Also, wouldn't this generate more DNS traffic though?

Thanks!
 
LVL 3

Assisted Solution

by:ISWSIMBX
ISWSIMBX earned 50 total points
I believe the default value is 300 so I would go with around 100-150.  And yes, it will probably generate a bit more DNS traffic than before, but if it is only 5 DC's, then the amount of traffic increase should be pretty small.
 
LVL 6

Assisted Solution

by:mvgeertruyen
mvgeertruyen earned 100 total points
I'm not sure if it is an option for you but with minor changes to the applications you could offload the fault tolerance to the AD (small change = modify the binding from LDAP<server> to GC<domain> for example).. If your apps only require ldap then the above dns suggestions would be good; but then again you would need to modify the settings of the apps. All depends on the apps of course.
Some info on ldap binding without specifying a server:
http://msdn.microsoft.com/en-us/library/ms677945(VS.85).aspx
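To make the serverless-binding suggestion above concrete, here is an added example in PowerShell (it is not code from the thread or from the linked Microsoft page). It puts the hard-coded `LDAP://DC1...` form next to the serverless `LDAP://` and `GC://` forms, and runs the same search against the serverless bind. The domain `kam.uk`, the host `DC1.kam.uk` and the account name `svc-app` are assumptions borrowed from the question's naming; the script is assumed to run on a domain-joined host under a domain account, which serverless binding requires.

```powershell
# Added example, not from the thread. Assumes the domain is kam.uk (from the
# question) and that the script runs on a domain member as a domain account.
Add-Type -AssemblyName System.DirectoryServices

# Kerberos/Negotiate bind with signing and sealing: no password in the script,
# and the LDAP traffic is integrity-protected and encrypted on the wire.
$auth = [System.DirectoryServices.AuthenticationTypes]'Secure,Sealing'

# 1. Hard-coded DC: the single point of failure the question describes.
$hardCoded  = New-Object System.DirectoryServices.DirectoryEntry('LDAP://DC1.kam.uk/DC=kam,DC=uk', $null, $null, $auth)

# 2. Serverless bind: no host in the path, so the DC locator chooses a DC from
#    the _ldap._tcp SRV records, prefers the caller's site, and tries another
#    DC if that one is unreachable. Adding or retiring DCs needs no app change.
$serverless = New-Object System.DirectoryServices.DirectoryEntry('LDAP://DC=kam,DC=uk', $null, $null, $auth)

# 3. Global catalog bind: forest-wide lookups of the partial attribute set.
$gc         = New-Object System.DirectoryServices.DirectoryEntry('GC://DC=kam,DC=uk', $null, $null, $auth)

# Which DC did the locator hand us? rootDSE answers without needing a DN,
# which is handy for confirming failover during a test (stop DC1 and re-run).
$rootDse = New-Object System.DirectoryServices.DirectoryEntry('LDAP://rootDSE', $null, $null, $auth)
'Serverless bind landed on {0}' -f $rootDse.Properties['dnsHostName'][0]

# The same query works against any of the three binds; only the path differs.
function Find-User {
    param([System.DirectoryServices.DirectoryEntry]$Root, [string]$SamAccountName)
    $searcher = New-Object System.DirectoryServices.DirectorySearcher($Root)
    # Escape filter metacharacters (RFC 4515) so caller input cannot rewrite the filter.
    $safe = $SamAccountName -replace '\\','\5c' -replace '\*','\2a' -replace '\(','\28' -replace '\)','\29' -replace "`0",'\00'
    $searcher.Filter = "(&(objectCategory=person)(sAMAccountName=$safe))"
    [void]$searcher.PropertiesToLoad.Add('distinguishedName')
    $searcher.FindOne()
}

# 'svc-app' is an assumed account name; substitute a real one.
Find-User -Root $serverless -SamAccountName 'svc-app'
```

Two caveats worth knowing before relying on this: serverless binding uses the DC locator, so it only works from a domain-joined machine (which is also why the questioner's applications that "are unable to use SRV records" cannot benefit without a code change), and `Secure` on its own gives you Kerberos authentication but not confidentiality, hence the `Sealing` flag above.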
 
LVL 70

Accepted Solution

by:Chris Dent
Chris Dent earned 300 total points

> DNS CNAME (ldap.kam.uk) that points to all the DC's

You won't be able to do that with a CNAME. Usage is illegal, you aren't allowed multiple CNAME records for the same resource. You could create multiple Host (A) Records for the same name though.

However, there is one very very important factor you must be aware of when implementing this.

DNS couldn't care less if the address it's handing out is up or down. It will happily hand out an address for a DC that is down. The responses to the query will rotate using Round Robin, but that's the extent of it. It's a very basic form of load balancing.

Either the application must support fault tolerance and be aware of the possible DCs. Or you must create a monitoring system that modifies the "ldap.yourdomain.com" record to a DC, or a number of DCs that are active. In that instance the low TTL would come into play.

Chris
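The second option in the accepted answer, a monitor that rewrites `ldap.kam.uk` to only the live DCs, is worth seeing end to end, so here is an added PowerShell example (not code from the thread). It does a real Kerberos LDAP bind to each DC rather than a TCP port probe, reads `isSynchronized` from rootDSE so a DC that is up but not yet replicated is left out, and then reconciles the A records. Assumptions: the `DnsServer` module (Windows Server 2012 or later, or RSAT), a zone named `kam.uk` hosted on the server the script runs on, the five DC names listed, a 120-second TTL, and an account allowed to edit that zone. Everything named here is illustrative.

```powershell
# Added example, not from the thread. Keeps the A records for ldap.kam.uk
# pointing only at DCs whose LDAP service actually answers. Assumed: DnsServer
# module, zone kam.uk on this server, the DC names below, and write rights to
# the zone. Intended to run from a scheduled task every minute or so.
Import-Module DnsServer
Add-Type -AssemblyName System.DirectoryServices.Protocols

$ZoneName   = 'kam.uk'
$RecordName = 'ldap'
$Ttl        = New-TimeSpan -Seconds 120    # low TTL so cached answers for a dead DC age out quickly
$Dcs        = 'dc1.kam.uk','dc2.kam.uk','dc3.kam.uk','dc4.kam.uk','dc5.kam.uk'

function Test-DcLdap {
    param([string]$Dc)
    # A TCP connect to 389 is not enough: the port can accept while NTDS is hung.
    # Do a real signed/sealed Kerberos bind with a short timeout, then check that
    # the DC reports itself as synchronized before trusting its answers.
    $conn = $null
    try {
        $id   = New-Object System.DirectoryServices.Protocols.LdapDirectoryIdentifier($Dc, 389)
        $conn = New-Object System.DirectoryServices.Protocols.LdapConnection($id)
        $conn.AuthType = [System.DirectoryServices.Protocols.AuthType]::Negotiate
        $conn.SessionOptions.Signing = $true
        $conn.SessionOptions.Sealing = $true
        $conn.Timeout  = New-TimeSpan -Seconds 5
        $conn.Bind()

        $req = New-Object System.DirectoryServices.Protocols.SearchRequest
        $req.DistinguishedName = $null                      # null DN = rootDSE
        $req.Filter = '(objectClass=*)'
        $req.Scope  = [System.DirectoryServices.Protocols.SearchScope]::Base
        [void]$req.Attributes.Add('isSynchronized')
        $resp = $conn.SendRequest($req)
        return ([string]$resp.Entries[0].Attributes['isSynchronized'][0] -eq 'TRUE')
    } catch {
        Write-Verbose "$Dc failed the LDAP health check: $_"
        return $false
    } finally {
        if ($conn) { $conn.Dispose() }
    }
}

# IPv4 addresses of every DC that passed: this is the record set we want published.
$healthy = @(foreach ($dc in $Dcs) {
    if (Test-DcLdap -Dc $dc) {
        [System.Net.Dns]::GetHostAddresses($dc) |
            Where-Object { $_.AddressFamily -eq 'InterNetwork' } |
            ForEach-Object { $_.IPAddressToString }
    }
})

if ($healthy.Count -eq 0) {
    # Never publish an empty set. A fault on the monitor's own network path would
    # otherwise take every application down; keep the last known-good records and alert.
    Write-Warning "No DC passed the LDAP health check; $RecordName.$ZoneName left unchanged"
    return
}

$current = @(Get-DnsServerResourceRecord -ZoneName $ZoneName -Name $RecordName -RRType A -ErrorAction SilentlyContinue |
             ForEach-Object { $_.RecordData.IPv4Address.IPAddressToString })

# Reconcile: drop addresses that failed, add addresses that are healthy but missing.
foreach ($ip in $current) {
    if ($healthy -notcontains $ip) {
        Write-Output "Removing $ip from $RecordName.$ZoneName (failed health check)"
        Remove-DnsServerResourceRecord -ZoneName $ZoneName -Name $RecordName -RRType A -RecordData $ip -Force
    }
}
foreach ($ip in $healthy) {
    if ($current -notcontains $ip) {
        Write-Output "Adding $ip to $RecordName.$ZoneName"
        Add-DnsServerResourceRecordA -ZoneName $ZoneName -Name $RecordName -IPv4Address $ip -TimeToLive $Ttl
    }
}
```

Three practical points. First, the TTL only bounds how long a resolver caches the answer; an application that keeps an open LDAP connection, or caches the resolved address itself, will not notice until it reconnects, so the worst case is the TTL plus the polling interval plus the application's own behaviour. Second, the account running this needs write access to the `ldap` record only; grant that on the record (or a dedicated zone) rather than running it as a DNS or Domain Admin, because whoever controls this record controls where every hard-coded application sends its authentication traffic. Third, the monitor checks reachability from where it runs, not from the clients, so run it near the DCs and keep the empty-set guard above.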
 
LVL 3

Author Comment

by:kam_uk
Thanks..

Just one final query...

Let's say I list a DC in the UK, Spain and Russia in this ldap.kam.uk record.

If an application in Russia attempts a connect to ldap.kam.uk, will it contact the Russia DC, or is the proximity of the DC completely irrelevant in this DNS example?
 
LVL 70

Expert Comment

by:Chris Dent

Generally irrelevant. However, NetMask Ordering will attempt to give you an answer within the same subnet as the client if it can. Otherwise it uses standard Round Robin rotation.

I believe NetMask ordering matches on 24-bit subnets by default.

Chris
