
I think I am getting lost in network failover land. I am trying to set up a Windows Domain Controller and DNS, while providing resilience and failover. I have two Domain Controllers and DNS servers, AD1 and AD2. Both are talking to each other, exchanging forest and DNS zone information. I was reading this Automatic failover for domain controller explaining how Domain Controller failover works with SRV records. However, my issue is with my Linux clients. Currently we have all Linux clients targeting AD1's IP address for authentication purposes. I want instead to target a global name of "AD", which is a DNS entry to round robin/netmask order between AD1 and AD2.

I think I might be on the wrong track to solving this DC/DNS failover in my infrastructure, because when I do a failover test by shutting down AD2, clients on the same network segment as AD2 cannot authenticate. It times out.

Do I have to explicitly put each AD server's IP in the ldap.conf file on each Linux client? I was hoping to only have to put the global name of "AD" and have DNS take care of the rest.

Thank you all!

Jim

1 Answer

If your domain name is corp.mydomain.com you should be able to point the Linux boxes at the same domain name, as opposed to dc01.corp.mydomain.com; your root domain name will by default resolve to any of the DCs currently set up.

If you run an nslookup for corp.mydomain.com you should get the IPs of all of your DCs.

Brent Pabst
  • So pointing users at a CNAME AD.corp.mydomain.com --> corp.mydomain.com won't work? – Jim Nov 29 '12 at 18:12
  • How do I keep users on one network to authenticate against the AD server on the same network? – Jim Nov 29 '12 at 18:22
  • Adding a CNAME as you mentioned should work, albeit it is not required. However, if you are saying that even with that CNAME clients cannot connect, that is possible. Remember DNS hands back IPs and that list does not get updated when a server goes offline. I'm not sure about the Linux side as much, but it's possible that they are not trying the other IPs returned in the initial DNS query. – Brent Pabst Nov 29 '12 at 18:32
  • OK, I removed the CNAME from the Linux client and am using corp.mydomain.com. Still times out. – Jim Nov 29 '12 at 18:34
  • Like I said, this could be a Linux config issue where it does not try the other IP addresses returned from the original DNS lookup. You would need to open another question on that topic. But you could easily test this by running a `nslookup corp.mydomain.com` query to see what DNS results you get back on your Linux box. – Brent Pabst Nov 29 '12 at 18:52
  • Is the SRV record supposed to remove failed Domain Controllers from being resolvable?? – Jim Nov 29 '12 at 21:03
  • Generally no, the SRV records are set only periodically, not to mention most DNS clients cache all results. – Brent Pabst Nov 29 '12 at 23:51
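The point made in these comments (DNS returns every DC, including ones that are down, and the client has to try the next address itself) can be checked from a Linux client with the following bash script. It is an added example, not part of the original thread; the domain and the 10.0.x.x addresses are constructed placeholders, and it assumes `dig` and `timeout` are installed.

```bash
#!/usr/bin/env bash
# Resolve every DC for an AD domain, then probe each on the LDAP port to see
# which ones actually answer. DNS alone never drops a dead DC from the list.
set -u

LDAP_PORT=389
PROBE_TIMEOUT=3   # seconds per address; keep short so a dead DC fails fast

# All A records for the domain name itself (one per DC, round-robin order).
resolve_dcs() {
    dig +short A "$1" | grep -E '^[0-9]+(\.[0-9]+){3}$'
}

# Targets of the DC locator SRV record, e.g. ad1.corp.mydomain.com.
# dig +short SRV prints "priority weight port target." per line.
resolve_srv_dcs() {
    dig +short SRV "_ldap._tcp.dc._msdcs.$1" | awk '{sub(/\.$/, "", $4); print $4}'
}

# Return 0 if a TCP connect to host:389 succeeds within PROBE_TIMEOUT.
# Uses bash's /dev/tcp so no extra tools are needed; tests override this.
probe_ldap() {
    timeout "$PROBE_TIMEOUT" bash -c "exec 3<>/dev/tcp/$1/$LDAP_PORT" 2>/dev/null
}

# Read candidate hosts/IPs from stdin, print the first one that answers on the
# LDAP port, exit 1 if none do. This is the "try the next address" step that a
# client must perform itself when the first DC in the DNS answer is down.
first_reachable() {
    local host
    while read -r host; do
        [ -n "$host" ] || continue
        if probe_ldap "$host"; then
            echo "$host"
            return 0
        fi
    done
    return 1
}

# Usage: ./dcprobe.sh corp.mydomain.com   (prints the first live DC address)
if [ $# -gt 0 ]; then
    echo "A records for $1:";   resolve_dcs "$1"
    echo "SRV targets for $1:"; resolve_srv_dcs "$1"
    echo -n "First DC answering on port $LDAP_PORT: "
    { resolve_dcs "$1"; resolve_srv_dcs "$1"; } | first_reachable || echo "none"
fi
```

If a DC that is powered off still appears in the A and SRV output while the probe skips it, that confirms DNS is not doing the failover and the client configuration has to list or try every DC.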