Need to loadbalance DNS for Linux LDAP with more than one MS server
We have numerous Linux servers that require MS Active Directory LDAP/DNS, but can configure only a single DC for LDAP (i don't know Linux, so please don't recommend Linux-based solutions). We use MS AD for DNS/LDAP, we will not be introducing anything else. We require a solution usin MS AD.
There must be a way to loadbalance LDAP/DNS for Linux servers (MS does not recommend putting a loadbalancer in front of servers requiring DNS/AD support i'm told). Besides pointing some Linux servers to one DC while others to another DC (just makes more SPoF's), how can we remove a single point of failure by allowing our Linux servers to have more than one MS DC available since they can only configure one LDAP server?
There must be a way to loadbalance LDAP/DNS for Linux servers (MS does not recommend putting a loadbalancer in front of servers requiring DNS/AD support i'm told). Besides pointing some Linux servers to one DC while others to another DC (just makes more SPoF's), how can we remove a single point of failure by allowing our Linux servers to have more than one MS DC available since they can only configure one LDAP server?
Often you can just configure the LDAP setting to point to your AD domain name. There is 1 A record with the domain name for each DC. So if you have 3 DCs, there will be 3 A records matching your domain name, and each one will point at a different DC's IP.
Keep in mind though that if one of the DCs isn't reachable, when the query returns that DC you may get an auth failure, unless your application can use all the results returned. This is simple DNS load balancing, not meant for high availability where it is monitoring which endpoints aren't reachable and excluding those from being used.
Keep in mind though that if one of the DCs isn't reachable, when the query returns that DC you may get an auth failure, unless your application can use all the results returned. This is simple DNS load balancing, not meant for high availability where it is monitoring which endpoints aren't reachable and excluding those from being used.
WE have a Citrix Netscaler to properly Load Balance LDAP queries for linux and some 3rd party apps. DNS Round Robin is not really that suitable.
You can put a load balancer in front of LDAP/LDAPS, and that really is the most robust solution if you have a good load balancer. DNS round robin or static hosts file entries do not handle failover well or at all.
ASKER CERTIFIED SOLUTION
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
@Aardvark, if yo change the CNAME to A then at least also change the NAME to an IP address.
(A cannot return a name).
ldap CNAME will work IF there is no ldap A record.
if there are A records, the IP addresses also need updates when a host changes address or migrates, with CNAME this saves one small headache.
And if you don't want a loadbalancer as hardware, try creating one with haproxy. No rocket science. (tcp mode can be used for LDAP as well).
(A cannot return a name).
ldap CNAME will work IF there is no ldap A record.
if there are A records, the IP addresses also need updates when a host changes address or migrates, with CNAME this saves one small headache.
And if you don't want a loadbalancer as hardware, try creating one with haproxy. No rocket science. (tcp mode can be used for LDAP as well).
@Aardvark, if yo change the CNAME to A then at least also change the NAME to an IP address.Just a typo.
(A cannot return a name).
ldap CNAME will work IF there is no ldap A record.Correct, just pointing out you cannot round robin a CNAME as the name needs to be unique.
Which Linux are you using? You could configure an openldap as a proxy that configured to query one of many DCs.
There are various ways to get the AD integration fir Linux where multiple DCs can be listed.
Samba 4 if available do you.
Look for AD integration and the Linux flavor you use.
There are various ways to get the AD integration fir Linux where multiple DCs can be listed.
Samba 4 if available do you.
Look for AD integration and the Linux flavor you use.
ASKER
Thanks everyone, i'll read all the comments tomorrow.
ldap.mydomain.local CNAME dc1.mydomain.local
ldap.mydomain.local CNAME dc2.mydomain.local
ldap.mydomain.local CNAME dc3.mydomain.local
where dc1, dc2, dc3 is one of the DC nodes.
This will only loadbalance if queries to dns are done frequently.
there is a chance that this will happen.
Now loadbalancing is quite something differently from failover...
failover is removing SPOF's .... by providing alternatve paths to the data
loadbalancing is spreading the load over many concurrent servers. so Q1 will go to DC1, next query will go to DC2 etc. etc. (roundrobin scheduling).
the latter can happen if a client system reconnects everytime it does a query... THat may happen if PAM + LDAP is used.
When there is an intermediate service like with AD (sssd, samba etc.) then there will mostly be ONE connect when the service starts and a reconnect on query timeout.So failover is easy, loadbalancing IS NOT.
For that AD needs to support it in a better way.