Best way to publish LDAP server info

When applications etc. need LDAP server info we usually publish the IP of the global catalog server.
This is a problem when we retire DCs running LDAP.
What would be the best way to do this in the future that would make changing DCs and global catalog servers easier?
Should we create DNS records, or can SRV records be used?
dougdog asked:
Spankin (IAM Specialist) commented:
I understand it's for hardcoding LDAP info in some applications or connecting from outside of your internal network, correct? The preferred way is to always use the DC locator service, based on AD subnet definitions if possible.

For the first scenario you can create an A record, i.e. ldap.example.com, and point it to all your domain controllers' IPs. When you retire one of the domain controllers you simply delete its IP from the DNS record, while the A record keeps working with the other IPs.

dougdog (Author) commented:
When I create an A record it can only point to 1 IP address.
Spankin (IAM Specialist) commented:
You probably need to add multiple A records with the same name, each for a different IP (not a DNS expert, sorry :))
footech commented:
Typical best practice nowadays is to have all of your DCs as GCs.  So whether it's using port 389 or 3268 (or the SSL variants), then it wouldn't make a difference which DC you used.  As Spankin noted, it's best if the application uses the DC locator process, but if that's not possible, then with the above condition met you could just point the app at your domain name.  There are already multiple records for the domain (you'll see them as "same as parent") which point at the IPs of each of the DCs.
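As an added example that is not part of the thread, the following PowerShell shows from a domain-joined Windows host what footech describes: the "same as parent" A records that already list every DC, and the SRV records the DC locator uses to find LDAP and global catalog servers (which also answers the SRV question in the original post). The domain name corp.example.com is a placeholder; substitute your own.

```powershell
# Added example, not from the thread. Placeholder: the AD DNS domain corp.example.com.
# Run on a domain-joined Windows host; Resolve-DnsName and nltest ship with Windows.
$Domain = 'corp.example.com'

# 1. The "same as parent" A records: one record per DC, all carrying the domain name itself.
#    Pointing an application at the bare domain name resolves to this list.
Resolve-DnsName -Name $Domain -Type A |
    Select-Object Name, IPAddress, TTL

# 2. The SRV records behind the DC locator. Every writable DC registers under
#    _ldap._tcp.dc._msdcs; only DCs that are also global catalogs register under
#    _gc._tcp (in the forest root domain). Retiring a DC removes its entries on demotion.
$srvNames = @(
    "_ldap._tcp.dc._msdcs.$Domain"   # any writable DC, LDAP on port 389
    "_gc._tcp.$Domain"               # global catalog servers, LDAP on port 3268
)
foreach ($name in $srvNames) {
    Resolve-DnsName -Name $name -Type SRV |
        Where-Object { $_.Type -eq 'SRV' } |      # drop the additional-section A records
        Select-Object @{ n = 'Query'; e = { $name } }, NameTarget, Port, Priority, Weight
}

# 3. What the locator actually chooses for this host's site, for comparison.
nltest /dsgetdc:$Domain /gc
```

An application that does not use the locator and simply resolves the domain name gets every DC, not only those in its own site, so check that all of them are reachable from where the application runs.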
dougdog (Author) commented:
It's for the likes of printers, SonicWalls, server applications etc. where you have to enter an LDAP server.
dougdog (Author) commented:
Example: a SonicWall will ask what the LDAP address is.
If I enter the IP of a DC that's great,
but after a few years when that DC gets removed I need to go round all devices etc. and remember to change the IP to the new DC.
Spankin (IAM Specialist) commented:
If it accepts names and it's in your internal network, then, like footech mentioned, the domain name would be ideal to use in your case. The domain name is an A record that holds all domain controllers in your domain; when they are demoted, they automatically vanish from the domain name DNS entry.
dougdog (Author) commented:
So what entry do I put in?
Do you mean create multiple A records like
ldap1.company.com pointed at the 1st DC
ldap2.company.com etc. pointed at the 2nd DC?
Spankin (IAM Specialist) commented:
If that's in your internal network, you don't have to create new entries. Your domain name holds all domain controller hostnames. Use nslookup, type your domain name there and you will see what that looks like - you should see the IPs of all your domain controllers that have their DNS records published.

If for some reason you want to exclude some of the domain controllers from being used by the application, then you can create an additional A record and point multiple IP addresses at it in this way:
ldap.company.com - DC_1_IP
ldap.company.com - DC_2_IP
Reference here: https://support.microsoft.com/en-us/kb/168321
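As an added example, not from the thread, here is the alias approach Spankin describes done with the DnsServer PowerShell module (on a DNS server or a host with RSAT), followed by the retirement step the question is about. The zone corp.example.com, the alias name ldap, the DNS server dns01 and the DC addresses are placeholders.

```powershell
# Added example, not from the thread. Placeholders: zone corp.example.com, alias "ldap",
# DNS server dns01, and the three DC addresses below.
$Zone  = 'corp.example.com'
$Alias = 'ldap'                        # applications are configured with ldap.corp.example.com
$Dns   = 'dns01'                       # AD-integrated DNS server to manage
$DcIPs = @('10.0.0.11', '10.0.0.12', '10.0.0.13')

# 1. Publish one A record per DC under the same name. Round-robin DNS (KB168321)
#    rotates the order clients receive, so any DC can later be retired by removing
#    just its record. A short TTL limits how long removed addresses linger in caches.
foreach ($ip in $DcIPs) {
    Add-DnsServerResourceRecordA -ComputerName $Dns -ZoneName $Zone -Name $Alias `
        -IPv4Address $ip -TimeToLive (New-TimeSpan -Minutes 5)
}

# 2. Retiring a DC: remove only its record, and do it before demoting the DC. The
#    "same as parent" records disappear on demotion by themselves; this alias does not,
#    so a forgotten entry would keep sending a share of client traffic to a dead host.
$retiring = '10.0.0.13'
Remove-DnsServerResourceRecord -ComputerName $Dns -ZoneName $Zone -RRType A `
    -Name $Alias -RecordData $retiring -Force

# 3. Verify what clients now resolve, and that every remaining address answers on
#    the LDAP port (389) and the global catalog port (3268).
$answers = Resolve-DnsName -Name "$Alias.$Zone" -Type A -Server $Dns
$answers | Select-Object Name, IPAddress, TTL
foreach ($a in $answers) {
    foreach ($port in 389, 3268) {
        $ok = (Test-NetConnection -ComputerName $a.IPAddress -Port $port `
                  -WarningAction SilentlyContinue).TcpTestSucceeded
        '{0}:{1} reachable = {2}' -f $a.IPAddress, $port, $ok
    }
}
```

Two points to keep in mind with the alias: clients that validate the LDAPS certificate will expect the alias name in each DC certificate's subject alternative names, and a round-robin name is not site-aware, so the listed DCs should all be reachable from wherever the printers and appliances sit.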
dougdog (Author) commented:
So what would I enter for the LDAP server name in an application?
You mean just use the domain name and it will then look up an LDAP server?
footech commented:
Yes.
You can see this works with a utility like ldp.exe. When it asks for a server, just use the domain name.