Active Directory authentication load balancing and failover

active-directory load-balancing ldap authentication
29,169

Solution 1

Active Directory already has load balancing techniques built into it. Your Windows client knows how to locate the redundant domain controllers in its own site, and how to use another one if the first one is unavailable. There's no need to perform additional load balancing, like "clustered" DCs, etc. as long as you have redundant DCs.

In a way, you can think of an Active Directory Site as a "load balancer," because clients in that site will randomly pick one of the DCs in the same site. If all the DCs in a site fail or if the site has no DCs, then the clients will pick another site (either next-closest site or at random.)

You can load balance Active Directory-provided DNS service for domain-joined clients by putting a VIP on a hardware load balancer, and having that VIP load balance between several of the domain controllers. Then on your clients, put that VIP as the preferred DNS server in the TCP/IP configuration.

I'm doing that right now for a global infrastructure and it's working great.

But that only applies to DNS service.

Don't try to load balance your domain controllers for authentication. It's asking for trouble. You would at the least have to do a lot of complex custom SPN work and you'd be throwing yourself way out of Microsoft support boundaries. From this blog, which you should read, I will quote him:

Go back to the vendors and tell them you don’t consider them to be AD Integrated and you will find a different solution.

Now as for applications that ask you to type in the IP address of a domain controller? Well, I'll just reiterate my comment:

Whoever wrote an application that forces you to hardcode the IP address of a domain controller into it doesn't know what he or she is doing.

Solution 2

there has never been a good reason to hardcode an IP or use an IP to resolve AD queries. There are no best practices for bad practices.

Solution 3

Several of the other answers to this question seem to assume there is no other world than Microsoft aware applications. Unfortunately this isn't the case, as evidence by the original question:

What are best practices for those applications that force you to hardcode a DC's IP?

While Microsoft does not support or recommend using a NLB solution in front of Active Directory there does indeed appear to be some options for authenticating non-Microsoft AD aware applications.

Share:
29,169
Derrick
Author by

Derrick

Updated on September 18, 2022

Comments

  • Derrick
    Derrick over 1 year

    For applications that authenticate against an Active Directory DC, obviously it would be best to just point them to the main domain DNS record rather than a specific DC for failover, load balancing, etc.

    What are best practices for those applications that force you to hardcode a DC's IP? We could hard code a load balancer's IP address instead so if one DC went down that application would still be able to authenticate. Are there any better alternatives?

    • Michael Hampton
      Michael Hampton almost 11 years
      Find the application's developer and have them fix it.
    • Derrick
      Derrick almost 11 years
      It's mostly for some legacy apps and old NAS boxes that we're not quite ready to replace yet.
  • mfinni
    mfinni almost 11 years
    "There are no best practices for bad practices." Quote of the day, sir.
  • Dscoduc
    Dscoduc over 6 years
    The original question was "What are best practices for those applications that force you to hardcode a DC's IP?". To suppose there are no legitimate apps out there that don't support dynamic discovery is a bad assumption. Plenty of non-Windows applications exist that would like to auth against Active Directory. So what is the best way to make these applications work where dynamic DC discovery isn't an option?
  • Ryan Ries
    Ryan Ries about 6 years
    @Dscoduc Get better applications.
  • Dscoduc
    Dscoduc almost 5 years
    To follow up on this qyestion and my posted answer - my company has implemented a robust F5 LDAP Local Traffic Manager solution that successfully fronts Active Directory for non-Windows systems incapable of leveraging the DCLocator service. We have six LTM's handling traffic all over the world without any issues.

Recents

Why Is PNG file with Drop Shadow in Flutter Web App Grainy?
How to troubleshoot crashes detected by Google Play Store for Flutter app
Cupertino DateTime picker interfering with scroll behaviour
Why does awk -F work for most letters, but not for the letter "t"?
Flutter change focus color and icon color but not works
How to print and connect to printer using flutter desktop via usb?
Critical issues have been reported with the following SDK versions: com.google.android.gms:play-services-safetynet:17.0.0
Flutter Dart - get localized country name from country code
navigatorState is null when using pushNamed Navigation onGenerateRoutes of GetMaterialPage
Android Sdk manager not found- Flutter doctor error
Flutter Laravel Push Notification without using any third party like(firebase,onesignal..etc)
How to change the color of ElevatedButton when entering text in TextField

Related

SVN + SASL + ActiveDirectory: How to
Java ldap authentication issue
ldapsearch - Strong(er) authentication required - Transport encryption required
Can a single user have multiple credential sets using MS Active Directory
How to work around a "logon workstations" restriction to the Domain Controller stopping authentication via LDAP
Central Authentication For Windows, Linux, Network Devices
Disable LDAP authentication on Ubuntu
Authenticating Apache HTTPd against multiple LDAP servers with expired accounts
How can I set up Redmine => Active Directory authentication?
Which field to use when authenticating against Active Directory?