Load balancing Domain Controllers

I have never put domain controllers behind a load balancer, but I have heard that some environments put Domain Controllers behind a load balancer. I am not sure what the benefit of doing that is.


Zephyr ICT (Cloud Architect) commented:
The only possible benefit there might be is non-Windows applications/services in front of the F5 using AD authentication or something ...

Putting DCs behind load balancers doesn't seem like a good idea to me, and it's really not necessary either, because AD is built with some form of load balancing incorporated and DCs are redundant on their own.

Load balancers only make sense for IIS kinds of applications..
jskfan (Author) commented:
Based on what element will a user authenticate to DC1, DC2 or DC3 if all DCs are in the same Active Directory site?

I know when DCs are in different sites it is another story.
Zephyr ICT (Cloud Architect) commented:
Well, I don't know the semantics or details; I just know it's based on DC Locator and the AD-specific SRV records... Sort of like round-robin, I'm thinking.

So there's no need to put "another" load balancer in front of it.
jskfan (Author) commented:
But it's still not clear..

If we have 10 DCs in one Active Directory site, and User1 logs in to the domain, then based on what element will this user be authenticated by DC1, DC7 or DC9?
Zephyr ICT (Cloud Architect) commented:
The client will send out an LDAP ping during the location process; the DC that replies first to this ping will be the one used to log into the domain... That's basically the gist, nothing special about it.

It all comes down to which DC replies the fastest.

You can read more about how the process works here; it's not recent, but it will give you an idea of how it works.
jskfan (Author) commented:
OK... so there is no such load balancing..
Any available DC will respond..

Usually if you get authenticated by DC04, most of your future logins will be authenticated by DC04, until probably DC04 is rebooted... it remembers your credentials...
If that's the case, I believe implementing a load balancer will make sense; it will force each login to go to a separate DC.
Zephyr ICT (Cloud Architect) commented:
Well, you're entitled to your opinion of course, I'm not convinced :-)

If you want to read up on it, here's a nice blog post someone wrote regarding load balancers and domain controllers.

compdigit commented:
We have some of our DCs behind a Citrix NetScaler to host a VIP for LDAP servers for various third-party applications.
Zephyr ICT (Cloud Architect) commented:
@compdigit yes, third-party apps using LDAP authentication, for sure; we have plenty of those using an F5 load balancer, but for regular clients?

compdigit commented:
If by regular clients you mean workstations then NO!!! AD with multiple DCs can send login requests to any DC depending on site. This is the beauty of AD: it is "smart" out of the box...

Like I mentioned before, we only use load-balanced LDAP/LDAPS for third-party applications, that is it..
jskfan (Author) commented:
The scenario is all DCs are in one AD site..

Would the authentication be load balanced between all DCs even without a load balancer in place??
Zephyr ICT (Cloud Architect) commented:
If we are talking workstations/clients then yes, the DCs are "load balanced" on that site. If one DC should fail, a request would be broadcast by the client, and the first of the other DCs to respond is then the DC the client would use... This is of course high level; there's a little more to it.
jskfan (Author) commented:
I guess you are talking about fault tolerance.

Load balancing means the load is somewhat distributed evenly between DCs..

If 100 users log in at the same time, then if we have 4 DCs, each 50 users should be authenticated by 1 DC.
I guess it is not possible without a load balancer.
Zephyr ICT (Cloud Architect) commented:
Who's to say they will not be somewhat evenly dispersed over the DCs? It's not that the 100 clients, in your example, will all get the same DC when they send out a broadcast; I doubt it very much.

There's probably a way to test this :-)
jskfan (Author) commented:
Do you think a client that is in the same subnet as DC1 will go to another subnet where DC2 is located and get authenticated?
We are talking all DCs in one Active Directory site.

As of now, no load balancing is required for an AD site. If you have multiple DCs in the same site and put the DCs behind a load balancer, there is no guarantee that a client will get authenticated via a specific DC; because of the random behavior of DNS it will again throw your client to any DC.
You are just adding one additional layer/step before the DCs.

If you really want to control client authentication traffic across multiple DCs in the same site, you need to play with the DNS SRV record weight or priority.

By default all DCs are registered with priority 0 and weight 100.
In effect a client can pick up any DC out of those available within the same site.
You need to differentiate either the weight or the priority of the SRV records (0 - 65535).

Check the article below to set up the above.
The article is old but still applies to all the latest DC versions and works as expected.
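To make the weight/priority tuning concrete, here is an added example (not part of the thread): a simulation of how an RFC 2782 client picks among the SRV records a site publishes, run once with the Windows defaults and once with constructed weight and priority values. The DC names and the tuned values are made up for the illustration.

```python
import random
from collections import Counter
from typing import NamedTuple

class SrvRecord(NamedTuple):
    target: str
    priority: int   # lower number is preferred (0-65535)
    weight: int     # relative share within the same priority (0-65535)

# Constructed records, as _ldap._tcp.<Site>._sites.dc._msdcs.<domain> would
# return for four DCs registered with the Windows defaults (priority 0, weight 100).
DEFAULT_SITE = [SrvRecord(f"dc{i}.corp.example", 0, 100) for i in range(1, 5)]

# Same site after tuning (constructed): dc1 carries 3x the weight of dc2, and
# dc3/dc4 are demoted to priority 10, so they are only used when no priority-0
# record is available.
TUNED_SITE = [SrvRecord("dc1.corp.example", 0, 300),
              SrvRecord("dc2.corp.example", 0, 100),
              SrvRecord("dc3.corp.example", 10, 100),
              SrvRecord("dc4.corp.example", 10, 100)]

def select_srv(records, rng=random):
    """Pick one target the way an RFC 2782 client orders SRV answers:
    only the lowest-priority group is eligible, and within it each target
    is chosen with probability proportional to its weight. Simplification:
    zero-weight targets are skipped unless every weight in the group is zero."""
    lowest = min(r.priority for r in records)
    pool = [r for r in records if r.priority == lowest]
    total = sum(r.weight for r in pool)
    if total == 0:
        return rng.choice(pool).target
    pick = rng.randrange(total)          # uniform in [0, total)
    for r in pool:
        if pick < r.weight:
            return r.target
        pick -= r.weight
    raise AssertionError("unreachable: pick always falls inside a weight span")

def simulate_logons(records, clients=1000, seed=1):
    """Count which DC each of `clients` independent DNS lookups lands on."""
    rng = random.Random(seed)
    return Counter(select_srv(records, rng) for _ in range(clients))

if __name__ == "__main__":
    for name, site in (("default", DEFAULT_SITE), ("tuned", TUNED_SITE)):
        print(name, dict(simulate_logons(site)))
```

On a Windows DC these values are published by the Netlogon service from its LdapSrvPriority and LdapSrvWeight registry parameters rather than by editing DNS by hand, and the DC Locator still LDAP-pings the candidates in the resulting order and takes the first responder.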

jskfan (Author) commented:
Thank you guys.. I will come back to this topic later.