Active Directory Multi Site. Choose nearest DCs into Linux/Not-Microsoft applications


Solution 1

You are correct: using the domain.local name will return a list of all addresses of all domain controllers in the domain, but if you try to ping domain.local (I mean the actual name of your domain), DNS must return the IP address of a local domain controller.

I don't know if your domain controllers are also acting as DNS servers, but if so, check DNS Server Settings -> Advanced tab -> the "Enable netmask ordering" checkbox must be checked.

Regarding CNAME, you can create several CNAMEs for one server, but not one CNAME for several servers, so you have to create two A records with the same name pointing to different IPs of the local domain controllers. But in this case you also need to make sure you have enabled round robin in the advanced DNS server settings, so queries will be balanced between servers by the DNS server.

Best regards, Sergey

Solution 2

Do the Unix servers have knowledge of the site they are in?

Has the AD controller correctly updated the SRV DNS records (it does by default)?

If the Unix server is aware that it is, for example, in SITE1.EXAMPLE.ORG, it can ask the AD controller which LDAP server is enabled on SITE1 with the following:

ldapsearch -v -H "ldap:///dc%3Dsite1%2Cdc%3Dexample%2Cdc%3Dorg" [...]

Basically it is an ldapsearch to whatever server has an LDAP SRV registration on SITE1.EXAMPLE.ORG:

host -t SRV _ldap._tcp.site1.example.org.


Author: Francesco

Updated on September 18, 2022

Comments

  • Francesco, over 1 year ago

    I'm having a problem using LDAP based on Active Directory in a multi-site environment.

    Basically I have several different environments (sites) and each of them has its own dedicated pair of domain controller servers. Each pair of domain controllers talks to the pairs in the other sites in order to keep all information synchronized.

    In each environment I also have several different Linux servers (web servers, application servers etc.) and, for authentication and authorization purposes, they have to contact the correct domain controllers, which are dedicated to their environment.

    My problem is that I can't find a way to specify in the configuration of those servers how to contact their "nearest" domain controller.

    Until now I used the DNS A record domain.local, which returns EVERY domain controller in the domain; the problem is that it also returns domain controllers not in the correct site and therefore unreachable.

    Another way I thought of is to create a CNAME record for each site which refers to the correct DCs.

    DC-Site1 CNAME to DC1 and DC2
    DC-Site2 CNAME to DC3 and DC4
    DC-Site3 CNAME to DC5 and DC6
    ....
    

    So using the record DC-SiteX.domain.local I'm able to contact the correct pair of domain controllers in the site.

    The problem with this solution is that I have to hard-code into the server configuration which site it belongs to. I don't like that because I may move the servers to a different site and I have to remember to update this configuration.

    Usually how do you handle this situation?

    Do you have an elegant solution for this problem?

  • Francesco, over 8 years ago
    Both "Enable netmask ordering" and "Enable round robin" are enabled on all DNS servers (all DCs have the DNS role). However, it happens that when using the "domain.local" A record, the applications sometimes try to use domain controllers in different sites.
  • Sergey Sypalo, over 8 years ago
    Have you added all client networks to the appropriate sites in AD Sites and Services? Or do you mean that clients from the same network that is defined in AD Sites and Services and assigned to the correct site sometimes pick up an "incorrect" domain controller?
  • Francesco, over 8 years ago
    Yes, I confirm that in Active Directory Sites and Services there are all mappings between all subnets and all sites.
  • Francesco, over 8 years ago
    An example of the problem is the following: an Apache web server belongs to site A, which has DC1 and DC2 as domain controllers. Site B uses DC3 and DC4. Sometimes I find that Apache is trying to contact DC3 or DC4. Of course the Apache IP belongs to a subnet which is mapped to site A (in AD Sites and Services).
  • Sergey Sypalo, over 8 years ago
    Take a look at this article: support.microsoft.com/en-us/kb/247811. Basically, check the DNS server: do you have LDAP SRV records for "remote" domain controllers like DC3 and DC4 in _msdcs.domain.local -> dc -> _sites -> SiteA -> _tcp? It also makes sense to check the whole DNS server structure for SRV records, to make sure you do not have a foreign SRV record in the local site location.
  • LeeM, over 4 years ago
    While this is old, I had to add a note about OpenLDAP's support of SRV records. It works fine. Active Directory does not "own" SRVs and it supports the basic LDAP standard. So the above answer is accurate. Other than the fact that sites are typically contained inside the _sites subzone in AD DNS: ldapsearch -v -H "ldap:///dc%3DSite1%2E%5Fsites%2Cdc%3Dexample%2Cdc%3Dcom"