
I'm having a problem using LDAP based on Active Directory in a multi-site environment.

Basically I have several different environments (sites) and each of them has its own dedicated pair of domain controller servers. Each pair of domain controllers talks to the pairs in the other sites in order to keep all information synchronized.

In each environment I also have several different Linux servers (web servers, application servers, etc.) and, for authentication and authorization purposes, they have to contact the domain controllers dedicated to their environment.

My problem is that I can't find a way to specify in the configuration of those servers how to contact their "nearest" domain controller.

Until now I used the DNS A record domain.local, which returns EVERY domain controller in the domain; the problem is that it also returns domain controllers that are not in the correct site and so are unreachable.

The other way I thought of is to create a CNAME record for each site which refers to the correct DCs.

DC-Site1 CNAME to DC1 and DC2
DC-Site2 CNAME to DC3 and DC4
DC-Site3 CNAME to DC5 and DC6
....

So using the record DC-SiteX.domain.local I'm able to contact the correct pair of domain controllers in the site.

The problem with this solution is that I have to hard-code into the server configuration which site it belongs to. I don't like that because I may move servers to a different site and then have to remember to update this configuration.

Usually how do you handle this situation?

Do you have an elegant solution for this problem?

Francesco

5 Answers


You are correct, using the domain.local name will return a list of all addresses of all domain controllers in the domain, but if you try to ping domain.local (I mean the actual name of your domain), DNS must return the IP address of a local domain controller.

I don't know if your domain controllers are also acting as DNS servers, but if so, check DNS Server Settings -> Advanced tab -> the "Enable netmask ordering" checkbox must be checked.

Regarding CNAME, you can create several CNAMEs for one server, but not one CNAME for several servers, so you have to create two A records with the same name pointing to the different IPs of the local domain controllers. But in this case you also need to make sure you have enabled round robin in the advanced DNS Server settings, so queries will be balanced between servers by the DNS server.

Best regards, Sergey

  • Both "Enable netmask ordering" and "Enable round robin" are enabled on all DNS servers (all DCs have the DNS role). However, it happens that when using the "domain.local" A record, sometimes the applications try to use domain controllers in different sites. – Francesco Nov 05 '15 at 11:20
  • Have you added all client networks to the appropriate sites in AD Sites and Services? Or do you mean that clients from the same network that is defined in AD Sites and Services and assigned to the correct site sometimes pick up the "incorrect" domain controller? – Sergey Sypalo Nov 05 '15 at 14:48
  • Yes, I confirm that in Active Directory Sites and Services there are all the mappings between all subnets and all sites – Francesco Nov 05 '15 at 17:53
  • An example of the problem is the following: an Apache web server belongs to site A, which has DC1 and DC2 as domain controllers. Site B uses DC3 and DC4. Sometimes I find that Apache is trying to contact DC3 or DC4, and of course the Apache IP belongs to a subnet which is mapped to site A (in AD Sites and Services) – Francesco Nov 05 '15 at 18:01
  • Take a look at this article - https://support.microsoft.com/en-us/kb/247811 Basically check the DNS server: do you have LDAP _srv records for "remote" domain controllers like DC3 and DC4 in _msdcs.domain.local -> dc -> _sites -> SiteA -> _tcp? It also makes sense to check the whole DNS server structure for SRV records to make sure you do not have foreign SRV records in the local site location – Sergey Sypalo Nov 06 '15 at 00:07

Do the Unix servers have knowledge of the site they are in?

Has the AD controller correctly updated the SRV DNS records (it does by default)?

If the Unix server is aware that it is, for example, in SITE1.EXAMPLE.ORG, it can ask the AD controller which LDAP server is enabled on SITE1 with the following:

ldapsearch -v -H "ldap:///dc%3Dsite1%2Cdc%3Dexample%2Cdc%3Dorg" [...]

basically it is an ldapsearch to whatever server has an LDAP SRV registration on SITE1.EXAMPLE.ORG:

host -t SRV _ldap._tcp.site1.example.org.
473183469
  • @Daniel: It IS the responsibility of the client to: use DNS to determine which site it is in, determine the domain controllers for that site (or domain if no domain controllers/not in a site), and perform DNS/LDAP tests on the domain controllers to determine which domain controller is most suitable. The domain controller location process has always worked this way. Any application or computer/operating system that needs to integrate with Active Directory MUST also do this if there is any expectation that it will perform correctly and reliably. – Greg Askew Nov 05 '15 at 18:18
  • While this is old, I had to add a note about OpenLDAP's support of SRV records. It works fine. Active Directory does not "own" SRVs and it supports the basic LDAP standard. So the above answer is accurate. Other than the fact that sites are typically contained inside the _sites subzone in AD DNS: `ldapsearch -v -H "ldap:///dc%3DSite1%2E%5Fsites%2Cdc%3Dexample%2Cdc%3Dcom"` – LeeM Feb 13 '20 at 02:00

This is a somewhat old post, but I wanted to offer the following information to anyone who comes across this. It is possible to control which A records and SRV records your domain controllers dynamically register, and in which sites, and to configure the SRV record weight and priority. See the following Microsoft article: https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-adts/76bc11f0-8bc2-4d6c-a643-328f479aae1b


This is the responsibility of the application. Any application that needs to integrate with Active Directory must conform to how it works. This includes prioritizing the domain controllers to use by site/location preference, selecting an appropriate domain controller that is functional, and failing over to another domain controller if an error occurs.

In other words, the application needs to function just as a Windows client functions.

Greg Askew
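The locator behaviour this answer describes (prefer the site's own domain controllers, pick a working one, fail over if none answer), as an added example in Python that is not code from the original thread. It assumes the SRV names Active Directory registers under _msdcs.<domain>, site-scoped under _sites; the DNS resolver and the reachability probe are injected as callables, and the records below are constructed to model the question (SiteA = DC1/DC2, SiteB = DC3/DC4), so it runs offline. In a real client the resolver would be an SRV lookup and the probe an LDAP connect/bind with a timeout.

```python
"""Site-aware domain controller locator (DNS part only).

Added example, not code from the original thread. Assumes the SRV names
that Active Directory registers under _msdcs.<domain>; resolver and probe
are injected so the logic runs offline against constructed records.
"""
import random
from typing import Callable, Dict, List, Optional, Tuple

SrvRecord = Tuple[int, int, int, str]          # priority, weight, port, target
Resolver = Callable[[str], List[SrvRecord]]    # SRV name -> records
Probe = Callable[[str, int], bool]             # host, port -> reachable?


def srv_candidates(domain: str, site: Optional[str]) -> List[str]:
    """SRV names to try, most specific first: the site-scoped record lists
    only the DCs covering that site; the domain-wide record is the fallback
    when the site is unknown or none of its DCs answer."""
    names = []
    if site:
        names.append(f"_ldap._tcp.{site}._sites.dc._msdcs.{domain}")
    names.append(f"_ldap._tcp.dc._msdcs.{domain}")
    return names


def order_srv(records: List[SrvRecord],
              rng: Optional[random.Random] = None) -> List[SrvRecord]:
    """RFC 2782 ordering: lowest priority first; within one priority, draw
    targets at random proportionally to weight so equal DCs share load
    (zero-weight targets are taken last)."""
    rng = rng or random.Random()
    ordered: List[SrvRecord] = []
    by_priority: Dict[int, List[SrvRecord]] = {}
    for rec in records:
        by_priority.setdefault(rec[0], []).append(rec)
    for prio in sorted(by_priority):
        pool = list(by_priority[prio])
        while pool:
            total = sum(r[1] for r in pool)
            pick = pool[0]
            if total > 0:
                draw, acc = rng.randrange(total), 0
                for r in pool:
                    acc += r[1]
                    if draw < acc:
                        pick = r
                        break
            ordered.append(pick)
            pool.remove(pick)
    return ordered


def locate_dc(domain: str, site: Optional[str], resolve: Resolver,
              probe: Probe, rng: Optional[random.Random] = None):
    """Return (host, port) of the first reachable DC, preferring the site's
    own DCs and failing over to any DC in the domain; None if none answer."""
    for name in srv_candidates(domain, site):
        for _prio, _weight, port, target in order_srv(resolve(name), rng):
            if probe(target, port):
                return target, port
    return None


# Constructed records modelling the question: SiteA has DC1/DC2, SiteB has
# DC3/DC4, and the domain-wide record lists all four.
SAMPLE_SRV: Dict[str, List[SrvRecord]] = {
    "_ldap._tcp.SiteA._sites.dc._msdcs.domain.local": [
        (0, 100, 389, "dc1.domain.local"), (0, 100, 389, "dc2.domain.local")],
    "_ldap._tcp.SiteB._sites.dc._msdcs.domain.local": [
        (0, 100, 389, "dc3.domain.local"), (0, 100, 389, "dc4.domain.local")],
    "_ldap._tcp.dc._msdcs.domain.local": [
        (0, 100, 389, "dc1.domain.local"), (0, 100, 389, "dc2.domain.local"),
        (0, 100, 389, "dc3.domain.local"), (0, 100, 389, "dc4.domain.local")],
}


def sample_resolver(name: str) -> List[SrvRecord]:
    """Stand-in for a DNS SRV lookup against the constructed zone."""
    return list(SAMPLE_SRV.get(name, []))


def reachable_only(up: set) -> Probe:
    """Stand-in for an LDAP connect/bind probe: hosts in `up` answer."""
    return lambda host, port: host in up


if __name__ == "__main__":
    all_up = reachable_only({"dc1.domain.local", "dc2.domain.local",
                             "dc3.domain.local", "dc4.domain.local"})
    # A SiteA server lands on DC1 or DC2, never on DC3/DC4.
    print(locate_dc("domain.local", "SiteA", sample_resolver, all_up))
    # Both SiteA DCs down: fail over to the domain-wide record instead of
    # reporting no DC at all.
    print(locate_dc("domain.local", "SiteA", sample_resolver,
                    reachable_only({"dc3.domain.local"})))
```

The site name itself is the piece the question wanted to avoid hard-coding; a Windows client learns it from the domain controller (the site covering the client's subnet, as mapped in AD Sites and Services) and caches it, and an application on Linux has to obtain it the same way or accept a configured value. Note that the fallback to the domain-wide record is deliberate: a client that only ever queries its site record stops authenticating entirely when both local DCs are down, which is usually worse than a slow cross-site bind.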

This gives me the correct SRV records for a specific site's domain controllers. There was a firewall involved so relying on the "client's IP" was ineffective.

Windows command line tool

nslookup -type=SRV _ldap._tcp.$sitename$._sites.dc._msdcs.$domain.name$
englebart