
We are currently using CAS for multiple directory authentication: AD for internal users, AD LDS for external users. I've read that NLB is a possible solution, but I'm wondering if this is possible with SRV records, and how you would correctly configure that. With our AD directory, I can bind with olddomain.local and hit any of the DCs in the domain. We don't want to hardcode server names into CAS, so the end goal is to bind with LDSdomain.gov.

nslookup -type=srv _ldap._tcp.LDSdomain.gov

returns

_ldap._tcp.LDSdomain.gov SRV service location:
      priority       = 0
      weight         = 100
      port           = 1025
      svr hostname   = server01
_ldap._tcp.LDSdomain.gov SRV service location:
      priority       = 0
      weight         = 200
      port           = 1025
      svr hostname   = server02
cluckinchicken
  • I was able to get the SRV records working. So in my LDSDomain.gov zone, I had created 2 A records, explicitly stating the host names. My problem was that I should have left it blank so it defaults to (same as parent folder). Once you have that, I can connect by LDSDomain.gov. I am playing with shortening the TTLs. Thanks everyone for comments and suggestions! – cluckinchicken Apr 13 '12 at 13:07
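An added example, not code from the question or the answers: how a client is expected to consume the SRV records above under RFC 2782. It parses the nslookup output quoted in the question into records and produces a priority-then-weight ordered failover list, keeping the non-default port 1025 from the record, which is the behaviour a connection library needs in order to bind to LDSdomain.gov without hard-coded server names. The function names and the seeded RNG are my own choices.

```python
import random
import re
from collections import namedtuple
SrvRecord = namedtuple("SrvRecord", "priority weight port target")

# Constructed sample input: the nslookup output quoted in the question.
NSLOOKUP_OUTPUT = """\
_ldap._tcp.LDSdomain.gov SRV service location:
      priority       = 0
      weight         = 100
      port           = 1025
      svr hostname   = server01
_ldap._tcp.LDSdomain.gov SRV service location:
      priority       = 0
      weight         = 200
      port           = 1025
      svr hostname   = server02
"""
_FIELD = re.compile(r"^\s*(priority|weight|port|svr hostname)\s*=\s*(\S+)", re.M)

def parse_nslookup_srv(text):
    """Parse Windows 'nslookup -type=srv' output into SrvRecord tuples."""
    records = []
    for block in text.split("SRV service location:")[1:]:
        f = dict(_FIELD.findall(block))
        records.append(SrvRecord(int(f["priority"]), int(f["weight"]),
                                 int(f["port"]), f["svr hostname"]))
    return records

def order_srv_targets(records, rng=random):
    """RFC 2782 ordering: lowest priority first; within one priority, weighted
    random draws without replacement. Result = the servers to try in order."""
    ordered = []
    for prio in sorted({r.priority for r in records}):
        pool = sorted((r for r in records if r.priority == prio),
                      key=lambda r: r.weight != 0)  # weight-0 entries go first
        while pool:
            pick = rng.randint(0, sum(r.weight for r in pool))
            running = 0
            for r in pool:
                running += r.weight
                if running >= pick:
                    ordered.append(r)
                    pool.remove(r)
                    break
    return ordered

def failover_list(nslookup_text, seed=None):
    """Parse then order, as 'host:port' (keep the SRV port: 1025 here, not 389)."""
    recs = order_srv_targets(parse_nslookup_srv(nslookup_text), random.Random(seed))
    return [f"{r.target}:{r.port}" for r in recs]
```

Each SRV target (server01, server02) still needs its own A record so the chosen host name resolves; the weights only bias which instance is tried first.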

2 Answers

NLB is your best option here. With DNS or an SCP, clients can choose a random server to connect to. NLB can be configured to fail over when required. While you can configure multiple AD LDS instances to be a single configuration set, sometimes (more often than I'd like) applications will use the "random server" to make multiple updates to attributes in a form. E.g. I add user jsmith; if someone else is adding user jsmith, no conflict will be reported because I'm on a different instance. When replication occurs, one of these gets renamed as cnf:GUID and now has to be sorted out. This is the same as regular AD, however there is generally some admin noticing that user jsmith can't log in. I've seen crappy apps using LDS with DNS that have lots of cnf objects sticking around due to lack of maintenance. NLB solves that problem by allowing fail-over instead of round robin. It's typically pretty tough to overload LDS.

Jim B

I believe a Service Connection Point is what you want. See also: Active Directory Lightweight Directory Services (AD LDS) best practice for clustering

mfinni
  • I looked at the Service Connection Point link before posting here. My SCP objects were automatically created, but still not working. Any other ideas on getting SCP to work? – cluckinchicken Mar 26 '12 at 21:29
  • I haven't done it myself; I like Jim's answer below. FYI, an important part of asking good questions is to briefly explain anything you've already researched or tried. Because you didn't say anything about SCP, I didn't know if you knew about it. – mfinni Mar 27 '12 at 13:37
  • Yeah, my bad. I'll make sure to do that in the future. – cluckinchicken Mar 27 '12 at 18:11