PC Review


LDAP on multiple Windows 2003 Domain Controllers

Degen Ende

      27th Mar 2006
This one may be a stupid question, but that's why we have newsgroups,
right?

We're replacing our 2 Active Directory Global Catalog Servers, and
there's an issue or two that needs to be addressed. Now, being that I'm
a former Novell guy, some of my terms or even my train of thought may
be misguided, but I'll do my best for it to make sense.

We believe we know the proper steps for replacing DC1 and DC2 with DCA
and DCB. Basically, turn them all on, then set DCA to the Primary
Catalog Server and take down DC1 in a couple days/hours/whenever things
are done replicating. Then, just take down DC2 and we're good to go,
because DCB should already be a secondary/failover/etc.

My problem is that various home-built applications are authenticating
to DC1 specifically, and they do not allow for failover. In other
words, it's DC1 for authentication or no authentication at all. This is
a problem, I believe, with the applications that have been constructed
in-house, but management feels that adjusting such programs is
insurmountable and therefore it's become my headache.

What has been suggested is we run Network Load Balancing between DCA
and DCB and create a virtual server, DC1, so our applications will
still point to the same name and authentication will occur.

My question is can I do this? Does this make sense? I know for AD
authentication I don't have to do anything. DCB should take over
anytime I put a fork in DCA's power supply. Will NLB work for LDAP
authentication, or do my programs just suck?

To add to the mix, does anyone know if a Cisco Load Balancing (CLB)
device will help me at all? Or, will the CLB work for LDAP but screw
with my AD authen?

Any assistance/suggestions/advice would be outstanding.

Joe Richards [MVP]
      7th Apr 2006
My first statement to your management would be to fix the crap apps. Is this the
first time they thought about this being a problem? What would have happened if
DC1 puked normally? Is it fine for the apps to just stop? What if someone sets
up a DoS attack on it? Hardcoding to a specific machine is moronic; doing it in
such a way that it can't even be configured as to which machine is the hardcoded
one is an offense worthy of being slapped and then fired.

In the meanwhile, set up a CNAME for the old DC and have it point at whatever
you want. I wouldn't go through a bunch of hoops to try and make this fault
tolerant since they obviously don't care about it being fault tolerant.

Trying to do load balancing etc. can also cause issues with auth for the app,
depending on how it auths. If using Kerberos it will get a wee bit confused,
because the server responding will not have the name of the server being
requested. You don't cluster or load balance DCs; the idea behind the core
design is that automatic DC location is simple enough that it isn't necessary.

joe


--
Joe Richards Microsoft MVP Windows Server Directory Services
Author of O'Reilly Active Directory Third Edition
www.joeware.net

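Joe's two points (point the old name at the new DC with a CNAME, and expect Kerberos to object when the responding server is not the name that was asked for) can be combined into one small procedure. The script below is an added example and is not code from either poster; it assumes a domain called corp.example.com whose DNS zone is hosted on the DC named DCA, that the old DC1 has already been demoted (so no other computer account still owns the DC1 service principal names and its dynamically registered A record is gone), and that the in-house apps talk plain LDAP to the name dc1.corp.example.com. dnscmd and setspn were the Windows 2003-era tools for this; they run unchanged from PowerShell, which is only used here for the verification step. On Windows 2003, setspn has no -S switch (only -A, which does not check for duplicates), and klist ships in the resource kit rather than in the box.

```powershell
# Added example (not from the thread): give the retired DC's name (DC1) to its
# replacement (DCA) with a DNS CNAME plus matching Kerberos SPNs, then verify
# which DC actually answers a bind through the alias.
# Assumed names: domain corp.example.com, old DC "dc1" (already demoted), new DC "dca".
$Zone   = 'corp.example.com'
$Alias  = 'dc1'          # the name the in-house apps are hard-coded to
$Target = 'dca'          # the DC that should answer for it from now on
$AliasFqdn  = "$Alias.$Zone"
$TargetFqdn = "$Target.$Zone"

# 1. DNS: a CNAME cannot coexist with other records of the same name, so make sure
#    the old host record is gone, then create the alias pointing at the new DC.
dnscmd $TargetFqdn /RecordDelete $Zone $Alias A /f
dnscmd $TargetFqdn /RecordAdd    $Zone $Alias CNAME $TargetFqdn

# 2. Kerberos: a client binding to ldap://dc1.corp.example.com asks the KDC for a
#    ticket to ldap/dc1.corp.example.com. The KDC only issues it if exactly one
#    account holds that SPN, so register the alias SPNs on DCA's computer account.
#    setspn -S refuses to create a duplicate (Server 2008 and later); with the
#    2003 setspn use -A and check "setspn -L <otheraccount>" by hand first.
foreach ($spn in @("ldap/$AliasFqdn", "ldap/$Alias", "HOST/$AliasFqdn", "HOST/$Alias")) {
    setspn -S $spn $Target
}
setspn -L $Target          # list the SPNs DCA now holds, alias ones included

# 3. Verify: bind to RootDSE through the alias with Negotiate (Kerberos first,
#    NTLM only as fallback) and read dnsHostName to see which DC answered.
Add-Type -AssemblyName System.DirectoryServices
$rootDse = New-Object System.DirectoryServices.DirectoryEntry(
    "LDAP://$AliasFqdn/RootDSE", $null, $null,
    [System.DirectoryServices.AuthenticationTypes]::Secure)
"Alias $AliasFqdn was answered by: " + $rootDse.Properties['dnsHostName'].Value

# 4. Confirm the bind really used Kerberos rather than silently falling back to
#    NTLM: the ticket cache should now hold a service ticket for the alias SPN.
klist | Select-String "ldap/$AliasFqdn"
```

If step 4 shows no ticket for the alias, the bind fell back to NTLM; the usual causes are a duplicate SPN (run setspn -X on 2008+ to find it) or a stale A record for the old name still cached on the client. Note that this only covers apps that look up a single name; it deliberately does not try to make the alias fault tolerant, which matches Joe's advice.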
