I know that load balancing or fail over of LDAP on a Windows domain controller is generally not a good idea due to the Kerberos and SPN issues.
BUT, I have lots of non-windows applications that use LDAP for authentication and authorization. They are just pointed to a single domain controller right now, would be nice to have a VIP and a pool with all my DC's behind it.
So whats the deal here when I see this?:
https://devcentral.f5.com/questions/ad-dcs-behind-f5
Does the F5 do something special? Does it just fall back to NTLM? Or does it just use a simple LDAP bind to AD? (or SLDAP bind).
Whats the best way for non-windows clients to utilize LDAP? Should they just be designed out of the box to use the DNS locator SRV records? Should AD-LDS be deployed and load balance that?
Is there something I am missing?
Best Answer
Yes, applications who want to interact with Active Directory really should be designed to use proper DC location procedures (which are well documented); unfortunately, quite often they aren't.
You can usually work around this by pointing your LDAP application to the Active Directory domain name instead of a specific DC, because each DC automatically registers AN A record for the domain name pointing to its IP address, so this will work as a DNS round robin; however, this can and will cause two significant issues:
A slightly better solution is to create your own DNS record for LDAP applications as a CNAME record pointing to a specific DC, such as
ldap.example.com
pointing todc1.example.com
, and set a slow TTL on it (f.e. 60 seconds); you can then configure your application to useldap.example.com
for all its LDAP needs. If/when DC1 goes down, you can then remapldap.example.com
todc2.example.com
, and the slow TTL will ensure the application becomes aware of the change as soon as possible, thus minimizing downtime.In any case, it's really better to avoid load balancing solution, because LDAP is simply not designed to work with them and they could load to any sort of issues.