Solved

Load balancing DC's?

Posted on 2009-05-05
8
738 Views
Last Modified: 2013-12-24
Hi Everyone

We have about 5 DC's in our main site. There are a plethora of applications that need a DC hardcoded into their code to for either LDAP queries, or authentication.

At the moment, they are all pointing to DC1.

Obviously, if DC1 goes down, then we are in trouble.

I woud like to look into load balancing across all 5 DC's. I guess I could create a DNS CNAME (ldap.kam.uk) that points to all the DC's, but if one of the DC's is down, this won't help much. Does anyone have any ideas how I can implement some redundancy?
0
Comment
Question by:kam_uk
  • 2
  • 2
  • 2
  • +2
8 Comments
 
LVL 3

Expert Comment

by:ISWSIMBX
ID: 24307153
The CNAME option will work, I would just put a very low TTL on them so that if one goes down or you have to take it offline for maintenance, the client will kick over to the next DC.
0
 
LVL 27

Assisted Solution

by:Jason Watkins
Jason Watkins earned 50 total points
ID: 24307368
Hi,

If you are looking to load balance authentication by those DCs, you should be alright as is.  If you DCs are in different sites, then you may have to tweak your DNS settings to make sure all DCs are available to users.

/F
0
 
LVL 3

Author Comment

by:kam_uk
ID: 24307400
Hi

Sorry, when I said load balance authentication, I wasn't referring to users authenticating, more the applications authenticating where they had a hard coded DC. They are unable to use SRV records.

ISWSIMBX - good idea about the TTL. What would you recommend? Also, wouldn't this generate more DNS traffic though?

Thanks!
0
Does Powershell have you tied up in knots?

Managing Active Directory does not always have to be complicated.  If you are spending more time trying instead of doing, then it's time to look at something else. For nearly 20 years, AD admins around the world have used one tool for day-to-day AD management: Hyena. Discover why

 
LVL 3

Assisted Solution

by:ISWSIMBX
ISWSIMBX earned 50 total points
ID: 24307792
I believe the default value is 300 so I would go with around 100-150.  And yes, it will probably generate a bit more DNS traffic than before, but if it is only 5 DC's, then the amount of traffic increase should be pretty small.
0
 
LVL 6

Assisted Solution

by:mvgeertruyen
mvgeertruyen earned 100 total points
ID: 24307944
I'm not sure if it is an option for you but with minor changes to the applications you could offload the fault tolerance to the AD (small change = modify the binding from LDAP<server> to GC<domain> for example).. If your apps only require ldap then the above dns suggestions would be good; but then again you would need to modify the settings off the apps. All depends on the apps off course.
Some info on ldap binding without specifying a server:
http://msdn.microsoft.com/en-us/library/ms677945(VS.85).aspx
0
 
LVL 70

Accepted Solution

by:
Chris Dent earned 300 total points
ID: 24309016

> DNS CNAME (ldap.kam.uk) that points to all the DC's

You won't be able to do that with a CNAME. Usage is illegal, you aren't allowed multiple CNAME records for the same resource. You could create multiple Host (A) Records for the same name though.

However, this is one very very important factor you must be aware of when implementing this.

DNS couldn't care less if the address it's handing out is up or down. It will happily hand out an address for a DC that is down. The responses to the query will rotate using Round Robin, but that's the extent of it. It's a very basic form of load balancing.

Either the application must support fault tolerance and be aware of the possible DCs. Or you must create a monitoring system that modifies the "ldap.yourdomain.com" record to a DC, or a number of DCs that are active. In that instance the low TTL would come into play.

Chris
0
 
LVL 3

Author Comment

by:kam_uk
ID: 24335802
Thanks..

Just one final query...

Let's say I list a DC in the UK, Spain and Russia in this ldap.kam.uk record.

If an application in Russia attempts a connect to ldap.kam.uk, will it contact the Russia DC, or is the proximity of the DC completely irrelevant in this DNS example?
0
 
LVL 70

Expert Comment

by:Chris Dent
ID: 24335832

Generally irrelevant. However, NetMask Ordering will attempt to give you an answer within the same subnet as the client if it can. Otherwise it uses standard Round Robin rotation.

I believe NetMask ordering matches on 24-bit subnets by default.

Chris
0

Featured Post

Efficient way to get backups off site to Azure

This user guide provides instructions on how to deploy and configure both a StoneFly Scale Out NAS Enterprise Cloud Drive virtual machine and Veeam Cloud Connect in the Microsoft Azure Cloud.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Resolve DNS query failed errors for Exchange
ADCs have gained traction within the last decade, largely due to increased demand for legacy load balancing appliances to handle more advanced application delivery requirements and improve application performance.
This tutorial will walk an individual through the process of transferring the five major, necessary Active Directory Roles, commonly referred to as the FSMO roles from a Windows Server 2008 domain controller to a Windows Server 2012 domain controlle…
This Micro Tutorial hows how you can integrate  Mac OSX to a Windows Active Directory Domain. Apple has made it easy to allow users to bind their macs to a windows domain with relative ease. The following video show how to bind OSX Mavericks to …

785 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question