

Load Balancing DC's

Posted on 2009-05-12
Medium Priority
Last Modified: 2012-05-06
Hi AD guys,

A little while ago, I raised a question about applications needing a domain controller to point to for LDAP purposes.

The solution seemed to be to create a DNS entry named and have the applications point to there.

However, I just thought of something...

If I ping (my domain name) then I am returned the address of a DC.

Instead of creating a DNS entry named and pointing it to my DCs, do I have this already in the form of ""?

Was just wondering.
Question by:kam_uk

Accepted Solution

Chris Dent earned 1000 total points
ID: 24369848

Yep you do already have it.

The only reason to use a specific name is if you want to reduce the number of DCs that respond. You should see that resolves to the IP addresses for all of your DCs (across all sites).


Author Comment

ID: 24369886
Thanks Chris... and just to confirm, it is strictly round robin only - the closest DC is not taken into account.

For instance, if I am in the UK and have 5 DCs in the UK, Germany, the US, Japan and Australia (all in the same domain for the sake of argument), if I used the name, it would randomly come back with *any* of those DCs?

Expert Comment

by:Chris Dent
ID: 24369920

Yep, correct :)

It rotates the order unless NetMask Ordering gets a chance to come into play.

That would happen if a DC had this IP:

And the system performing the query had this one:

It's very limited, if it's not in the same range you don't get a matched response, just standard Round Robin.


Author Comment

ID: 24372652
Thanks Chris.

Out of interest, how does it "rotate the order"? Is that per connecting client, or per connection? Let's say I have 10 clients.

Client1 attempts a connection to and gets the DC at
Client2 attempts a connection to - would it get or another one?

or is it

Client1 attempts a connection and gets
Client1 attempts -another- connection and gets another DC
Client2 attempts a connection and gets

Hope that makes sense.

Expert Comment

by:Chris Dent
ID: 24372752

It's a global rotation, memorising order per client would be a lot of work :)

No matter the order, if NetMask Ordering can play it will promote any "close" entries to the top of the list.

You can see it in action using a made up record and NsLookup.

Imagine you had a client on the IP, and that you had this record set configured in DNS:

host IN A
host IN A
host IN A
host IN A
host IN A

While you're in the same classful subnet as some of those records (NetMask Ordering defaults to 24-bit subnets, but can be changed to other classful subnets, 8-bit and 16-bit), you will find that this response order is used when repeatedly queried:,,,,,,,,,,,,

Go a bit slow (a second or two between each query), because it won't rotate the order exceptionally quickly. That is more likely down to NsLookup behaviour than anything else.

If there was only one record in the same subnet as the client it would always respond with that address. e.g.,,,,,,,,,

If you were to query that set of records from a different machine, one that isn't on any matching range you'd get this behaviour:,,,,,,,,,
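The behaviour Chris describes above (a single global rotation of the record set, with NetMask Ordering promoting any records in the client's subnet to the top of the answer, and the subnet width configurable as 8, 16 or 24 bits) can be reproduced offline with a small simulator. This is an added example written for this page, not code from the thread or from Microsoft DNS; the record set and client addresses are constructed, and the assumption that promoted records keep their relative rotated order is a modelling choice, not documented Windows behaviour.

```python
"""Simulate Windows DNS round robin plus NetMask Ordering.

Constructed example for illustration; not the thread's own records.
Model: the server holds one global rotation for the record set (not a
per-client one). For each query it takes the current order, advances the
rotation, and then moves any records that share the client's subnet
(default 24-bit) to the front of the response.
"""
import ipaddress
from collections import deque


class DnsRecordSet:
    """A multi-value A record held by a simulated Windows DNS server."""

    def __init__(self, addresses, netmask_bits=24, round_robin=True):
        # Rotation state is global to the record set, as in the thread.
        self._rotation = deque(ipaddress.ip_address(a) for a in addresses)
        self.netmask_bits = netmask_bits  # 24, 16 or 8 in the real server
        self.round_robin = round_robin

    def _same_subnet(self, client, record):
        # Classful-style comparison: same leading netmask_bits of the address.
        net = ipaddress.ip_network(
            f"{client}/{self.netmask_bits}", strict=False)
        return record in net

    def resolve(self, client_ip):
        """Return the answer order the client would receive for one query."""
        client = ipaddress.ip_address(client_ip)
        order = list(self._rotation)
        if self.round_robin:
            # Advance the global rotation for the next query (any client).
            self._rotation.rotate(-1)
        # NetMask Ordering: "close" records are promoted to the top, the rest
        # follow in their rotated order (assumed; see lead-in).
        close = [a for a in order if self._same_subnet(client, a)]
        far = [a for a in order if not self._same_subnet(client, a)]
        return [str(a) for a in close + far]


def first_answers(record_set, client_ip, queries):
    """The first address returned for each of several repeated queries."""
    return [record_set.resolve(client_ip)[0] for _ in range(queries)]


# Constructed record set: two records in 10.1.1.0/24, one each elsewhere.
RECORDS = ["10.1.1.10", "10.1.2.10", "10.1.1.20", "10.2.1.10", "10.3.1.10"]

if __name__ == "__main__":
    # Client sharing a /24 with two records: only those two ever come first.
    print(first_answers(DnsRecordSet(RECORDS), "10.1.1.50", 6))
    # Client sharing a /24 with exactly one record: always that record.
    print(first_answers(DnsRecordSet(RECORDS), "10.2.1.77", 5))
    # Client on an unrelated range: plain round robin across all records.
    print(first_answers(DnsRecordSet(RECORDS), "192.168.5.5", 5))
    # Widen NetMask Ordering to 16 bits: three records now count as close.
    print(DnsRecordSet(RECORDS, netmask_bits=16).resolve("10.1.9.9"))
```

Running the script shows the three behaviours from the thread: a client inside a matching /24 only ever sees its local records at the top of the list, a client with a single matching record always gets that one first, and a client on an unrelated range cycles through every record in turn.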

