LDAP on multiple Windows 2003 Domain Controllers

Discussion in 'Microsoft Windows 2000 Advanced Server' started by Degen Ende, Mar 27, 2006.

  1. Degen Ende

    Degen Ende Guest

    This one may be a stupid question, but that's why we have newsgroups,
    right?

    We're replacing our 2 Active Directory Global Catalog Servers, and
    there's an issue or two that needs to be addressed. Now, being that I'm
    a former Novell guy, some of my terms or even my train of thought may
    be misguided, but I'll do my best for it to make sense.

    We believe we know the proper steps for replacing DC1 and DC2 with DCA
    and DCB. Basically, turn them all on, then set DCA to the Primary
    Catalog Server and take down DC1 in a couple days/hours/whenever things
    are done replicating. Then, just take down DC2 and we're good to go,
    because DCB should already be a secondary/failover/etc.

    My problem is that various home-built applications are authenticating
    to DC1 specifically, and they do not allow for failover. In other
    words, it's DC1 for authentication or no authentication at all. This is
    a problem, I believe, with the applications that have been constructed
    in-house, but management feels that adjusting such programs is
    insurmountable and therefore it's become my headache.

    What has been suggested is we run Network Load Balancing between DCA
    and DCB and create a virtual server, DC1, so our applications will
    still point to the same name and authentication will occur.

    My question is can I do this? Does this make sense? I know for AD
    authentication I don't have to do anything. DCB should take over
    anytime I put a fork in DCA's power supply. Will NLB work for LDAP
    authentication, or do my programs just suck?

    To add to the mix, does anyone know if a Cisco Load Balancing (CLB)
    device will help me at all? Or, will the CLB work for LDAP but screw
    with my AD authen?

    Any assistance/suggestions/advice would be outstanding.
     
    Degen Ende, Mar 27, 2006
    #1

  2. My first statement to your management would be to fix the crap apps. Is this the
    first time they thought about this being a problem? What would have happened if
    DC1 puked normally? Is it fine for the apps to just stop? What if someone sets
    up a DOS attack on it? Hardcoding to a specific machine is moronic, doing it in
    such a way that it can't even be configured to which machine is the hardcoded
    one is an offense worthy of being slapped and then fired.

    In the meanwhile, set up a CNAME for the old DC and have it point at whatever
    you want. I wouldn't go through a bunch of hoops to try and make this fault
    tolerant since they obviously don't care about it being fault tolerant.

    Trying to do load balancing etc can also cause issues with auth etc with the app
    depending on how it auths. If using kerberos it will get a wee bit confused
    because the servers responding will not be the name of the server being
    requested. You don't cluster or load balance DCs; the idea behind the core
    design is that it is simple to do automatic location, so it isn't necessary.

    joe


    --
    Joe Richards Microsoft MVP Windows Server Directory Services
    Author of O'Reilly Active Directory Third Edition
    www.joeware.net


    ---O'Reilly Active Directory Third Edition now available---

    http://www.joeware.net/win/ad3e.htm



     
    Joe Richards [MVP], Apr 7, 2006
    #2
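Joe's point that DCs are meant to be located automatically rather than hard-coded is the part of this thread worth showing in code. The following Python is an added example, not code from either poster or from any Microsoft tool: it orders the SRV records a client would get from `_ldap._tcp.dc._msdcs.<domain>` the way RFC 2782 prescribes (by priority, then a weighted random draw) and walks the candidates until one answers, so losing DC1 is a retry rather than an outage. The domain name `corp.example`, the SRV record set, and `fake_probe` are all constructed for the demo; a real client would issue the SRV query with a DNS library such as dnspython and replace `fake_probe` with an LDAP bind attempt.

```python
"""Locate a domain controller via DNS SRV records instead of a hard-coded host.

Added example for the thread above; nothing here is the posters' code.
Constructed assumptions: the domain corp.example, SRV_RECORDS, and fake_probe.
"""
import random
from dataclasses import dataclass


@dataclass(frozen=True)
class SrvRecord:
    priority: int
    weight: int
    port: int
    target: str


# Constructed answer set for _ldap._tcp.dc._msdcs.corp.example, modelling the
# migration in the thread: the old DCs keep priority 0, the new ones priority 10.
SRV_RECORDS = [
    SrvRecord(0, 100, 389, "dc1.corp.example."),
    SrvRecord(0, 100, 389, "dc2.corp.example."),
    SrvRecord(10, 100, 389, "dca.corp.example."),
    SrvRecord(10, 100, 389, "dcb.corp.example."),
]


def order_srv(records, seed=None):
    """Return records in RFC 2782 order: ascending priority, and within a
    priority a weighted random draw (weight-0 records are placed first in the
    pool so they are chosen only when nothing heavier competes)."""
    rng = random.Random(seed)
    ordered = []
    for prio in sorted({r.priority for r in records}):
        pool = [r for r in records if r.priority == prio]
        pool.sort(key=lambda r: r.weight != 0)  # weight 0 goes to the front
        while pool:
            total = sum(r.weight for r in pool)
            pick = rng.randint(0, total) if total > 0 else 0
            running = 0
            for rec in pool:
                running += rec.weight
                if running >= pick:
                    ordered.append(rec)
                    pool.remove(rec)
                    break
    return ordered


def find_dc(records, probe, seed=None):
    """Try candidates in SRV order until probe(host, port) succeeds and return
    (host, port). Fails loudly with LookupError when no DC answers, rather than
    pinning the application to one machine the way the thread's apps do."""
    tried = []
    for rec in order_srv(records, seed):
        host = rec.target.rstrip(".")  # SRV targets are fully qualified
        tried.append(host)
        if probe(host, rec.port):
            return host, rec.port
    raise LookupError("no domain controller reachable; tried: " + ", ".join(tried))


# Constructed availability table standing in for a real LDAP bind: DC1 has
# already been switched off, DC2 is still up, DCA and DCB are live.
UP = {"dc2.corp.example", "dca.corp.example", "dcb.corp.example"}


def fake_probe(host, port):
    """Stand-in for an LDAP bind to host:port; true when the DC is 'up'."""
    return host in UP


if __name__ == "__main__":
    host, port = find_dc(SRV_RECORDS, fake_probe)
    print(f"authenticating against {host}:{port}")
```

Because `find_dc` hands back the DC's own SRV target name, the LDAP bind is made against the name the DC's Kerberos service principal is registered under, which sidesteps the name-mismatch problem Joe describes for a load-balanced or aliased "DC1".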
