I have set up a new domain on our network consisting of 2 domain controllers, dc1 and dc2.
I can see the A records for the 2 controllers, but I need to do load balancing so that I can refer to the 2 DCs with a single entry.
I have created two A records with the same name, dc.domain.com, for the different IPs. Is this the standard procedure?
Best Answer
Active Directory already has a form of DNS load balancing. You are just looking in the wrong place.
An A record just says which controller has which IP address. Where clients go for each domain service (LDAP, Kerberos, Global Catalog LDAP, et cetera) is configured with SRV records. And if you didn't do anything fancy, you will already have SRV records in your domain pointing to each domain controller for each service. Here is the typical structure of the Active Directory domain DNS zone:

If you create sites, you'll get additional records for them. That is supposed to make some computers preferably ask their local domain controller rather than a remote one. Here dc2 belongs to site alter-site, and so any computer that is in that site will ask it first. If you leave everything default, both controllers will be in the default site Default-First-Site-Name.

You can alter the load distribution between controllers by altering those SRV records. See the "100"s? These are weights. If you set 67 for one DC and 33 for another, the first one will get 2/3 of the requests and the other will get 1/3. The "0"s in front of each SRV record are priorities; if you have higher-priority servers accessible, the lower-priority ones will not be queried at all. Please look up the SRV record description for details; there are plenty of explanations on the Internet, including on this site.

There are a few records which are "not symmetric". For example, the SOA record has a particular DNS server name in it. But those are rarely used in this case, and this doesn't constitute any bottleneck.

Also an important note about SYSVOL. When clients log in, after checking passwords (which involves the Kerberos service), they ask the domain for group policies, and they do this using the domain name, not a particular DC name, like this: \\example.com\SYSVOL (and not, for example, \\dc1.example.com\SYSVOL). You can see the domain apex has several A records, one for each domain controller (4th and 5th lines of the example). The client will use a randomly selected A record to connect, so each DC will have roughly the same share.
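To make the priority and weight semantics from the answer concrete, here is an added example that is not part of the original question or answer. It implements the RFC 2782 selection rule an SRV-aware client applies to the _ldap._tcp records: only reachable records with the lowest priority value are candidates, and within that priority the pick is random in proportion to weight. The zone fragment, the host names dc1/dc2/dc3 and the domain example.com are constructed for illustration and are assumptions, not taken from the page; the site-awareness the Windows DC locator layers on top is not modelled.

```python
"""Model how an SRV-aware client chooses a domain controller (added example).

This is not code from the original answer. It implements the RFC 2782
selection rule behind the priority and weight columns discussed above:
only the reachable records with the lowest priority value are candidates,
and within that priority the pick is random in proportion to weight.
The zone text, the host names dc1/dc2/dc3 and the domain example.com are
constructed for illustration and are assumptions, not taken from the page.
"""
import random
from collections import Counter
from dataclasses import dataclass
from typing import Dict, Iterable, List, Optional, Set


@dataclass(frozen=True)
class SrvRecord:
    priority: int  # lower value = consulted first
    weight: int    # relative share within one priority
    port: int
    target: str


# Constructed sample zone fragment: two DCs split 2/3 : 1/3 at priority 0,
# and a third DC at priority 10 that is only used when both of them are down.
ZONE = """\
; _ldap._tcp records for a constructed AD domain (sample data, not real)
_ldap._tcp.example.com. 600 IN SRV 0 67 389 dc1.example.com.
_ldap._tcp.example.com. 600 IN SRV 0 33 389 dc2.example.com.
_ldap._tcp.example.com. 600 IN SRV 10 100 389 dc3.example.com.
"""


def parse_srv(zone_text: str) -> List[SrvRecord]:
    """Parse zone-file style lines: owner TTL IN SRV priority weight port target."""
    records = []
    for line in zone_text.splitlines():
        fields = line.split()
        # skip blank lines, ';' comments and anything that is not an SRV record
        if (not fields or fields[0].startswith(";")
                or len(fields) < 8 or fields[3].upper() != "SRV"):
            continue
        priority, weight, port = (int(f) for f in fields[4:7])
        records.append(SrvRecord(priority, weight, port, fields[7].rstrip(".")))
    return records


def select_target(records: Iterable[SrvRecord], reachable: Set[str],
                  rng: random.Random) -> Optional[str]:
    """Return the host a client should contact, or None if none is reachable.

    Records whose target is not reachable are dropped (the client has already
    failed to connect to them). Of the rest, only the lowest priority value is
    considered; weight then decides the random split. With this simplified
    draw a weight-0 record is never chosen while a weighted record of the same
    priority is reachable (RFC 2782 gives it only a very small chance).
    """
    candidates = [r for r in records if r.target in reachable]
    if not candidates:
        return None
    best = min(r.priority for r in candidates)
    tier = [r for r in candidates if r.priority == best]
    total = sum(r.weight for r in tier)
    if total == 0:
        return rng.choice(tier).target  # all weights zero: uniform choice
    pick = rng.randrange(total)  # 0 .. total-1, one 'ticket' per weight unit
    running = 0
    for rec in tier:
        running += rec.weight
        if pick < running:
            return rec.target
    return tier[-1].target  # not reached: pick is always below the final running sum


def simulate(records: Iterable[SrvRecord], reachable: Set[str],
             draws: int = 10000, seed: int = 2782) -> Dict[str, float]:
    """Share of `draws` client connections that each reachable DC receives."""
    rng = random.Random(seed)  # fixed seed so the simulation is repeatable
    recs = list(records)
    counts = Counter(select_target(recs, reachable, rng) for _ in range(draws))
    return {host: n / draws for host, n in counts.items() if host is not None}


if __name__ == "__main__":
    recs = parse_srv(ZONE)
    all_dcs = {r.target for r in recs}
    print("all DCs up:      ", simulate(recs, all_dcs))          # ~0.67 / ~0.33, dc3 unused
    print("dc1 and dc2 down:", simulate(recs, {"dc3.example.com"}))  # dc3 takes everything
```

Run it and the priority-10 record never appears while either priority-0 DC is reachable, and the 67/33 weights come out as roughly a 2/3 : 1/3 split, which is the effect the answer describes. On a Windows DC you would not edit these records by hand, because Netlogon re-registers them; the values it publishes are controlled by the LdapSrvPriority and LdapSrvWeight registry values under HKLM\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters (or the matching Group Policy settings), and you can inspect the result with `Resolve-DnsName -Type SRV _ldap._tcp.dc._msdcs.example.com`.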