AD servers on load balancer

    Question

  • Windows 2008 R2

    This requirement arose from the inability of Oracle's OBI system to use more than one DC in its list.

    I have 3 DCs in my network/domain. Can I put all 3 DCs behind a load balancer so that OBI and similar AD-based systems will only have 1 IP address to deal with?


    Edit: I'd like to add that my DCs are also DNS and DHCP servers.
    • Edited by Reno Mardo Wednesday, February 24, 2016 6:10 AM
    Wednesday, February 24, 2016 6:08 AM

Answers

  • Hi, it needs either a FQDN or the IP address of any DC.

    Well, firstly, AD has its own type of load balancing built in, and there is no need to load balance an already load-balanced service. For now the problem is not about the load balancing, but it is related to the product. No matter whether it is Cisco, Oracle or other big bosses of Silicon Valley, this product is simply not AD aware. The best solution for you is to call the vendor and inform them about this big problem. In that case you may be required to upgrade or even migrate to another solution.

    Talking about problems, a lot of services run as System on domain controllers. As a matter of fact you will have DC1\System and DC2\System and so on. When clients generate requests for Kerberos, they first query the DNS server and ask for the Kerberos SRV record; once they are located, they will request their Kerberos ticket using the DNS name of that domain controller. When VIPs and other types of load balancers are involved, you are dealing with a virtual name which will be translated to different names. This will lead to KERB-APPERR-MODIFIED. There are many other problems which I am not aware of, but they might show themselves when you are not expecting them.

    For now I think you should point that application to a single domain controller.


    Mahdi Tehrani   |   www.mahditehrani.ir

    Thursday, February 25, 2016 4:43 AM
    Moderator
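    To make the answer above concrete, the following PowerShell walk-through (an added example, not part of the thread) traces what a Windows Kerberos client actually does when it contacts a domain controller, and shows why a load-balancer name in front of the DCs breaks the exchange: the client obtains the real DC host names from the `_kerberos`/`_ldap` SRV records, requests a ticket for that host's own SPN, and the target DC must hold the key for that SPN. A VIP name either has no SPN at all, or its SPN can be registered to only one DC account, so a ticket encrypted for DC1 presented to DC2 fails with the error the reply calls KERB-APPERR-MODIFIED (conventionally written KRB_AP_ERR_MODIFIED). The domain name `corp.example`, the DC names and the VIP name `adlb.corp.example` are placeholders; the commands themselves (`nslookup`, `nltest`, `setspn`, the ActiveDirectory module, `Get-WinEvent`) are the standard Windows tools and exist on Windows Server 2008 R2.

```powershell
# Added example (not from the thread): how a Kerberos client locates a DC and
# why a load-balancer VIP name in front of the DCs breaks ticket validation.
# Placeholders: domain "corp.example", VIP name "adlb.corp.example".
$Domain  = 'corp.example'
$VipName = 'adlb.corp.example'

# 1. The client never starts from an IP or a VIP: it asks DNS for the domain's
#    Kerberos and LDAP SRV records, and every answer names a real DC host.
nslookup -type=SRV "_kerberos._tcp.dc._msdcs.$Domain"
nslookup -type=SRV "_ldap._tcp.dc._msdcs.$Domain"

# 2. The DC locator result the Netlogon service hands to applications.
#    The "DC:" line is the host the client will request a ticket for.
nltest /dsgetdc:$Domain

# 3. Each DC holds keys only for the SPNs registered on its own computer
#    account. List the ldap/ SPNs per DC to see that they are host-specific.
Import-Module ActiveDirectory
Get-ADDomainController -Filter * | ForEach-Object {
    $dc   = $_
    $spns = (Get-ADComputer -Identity $dc.ComputerObjectDN -Properties servicePrincipalName).servicePrincipalName
    $spns | Where-Object { $_ -like 'ldap/*' } |
        ForEach-Object { '{0}: {1}' -f $dc.HostName, $_ }
}

# 4. The VIP name has no SPN unless someone registers it, and an SPN can be
#    registered to one account only. Either way, a ticket for ldap/<VIP> cannot
#    be validated by whichever DC the load balancer happens to pick.
setspn -Q "ldap/$VipName"

# 5. Detection: when this misconfiguration is in place, affected clients log
#    Security-Kerberos event ID 4 ("received a KRB_AP_ERR_MODIFIED error").
Get-WinEvent -FilterHashtable @{
    LogName      = 'System'
    ProviderName = 'Microsoft-Windows-Security-Kerberos'
    Id           = 4
} -MaxEvents 20 -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, Message
```

    Step 5 is the practical check: a burst of event ID 4 on the application host shortly after a service principal name starts being resolved through a shared name is the signature of exactly the failure described in the answer.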

All replies

  • Hi

     can I put all 3 DCs behind a load balancer so that OBI and similar AD-based systems will only have 1 IP address to deal with >>> I don't recommend putting DCs behind a load balancer. So just configure a certain DC as the preferred DNS server and, if needed, set another as the alternate.

    Even so, if you need it, you should configure the ports:

    https://support.microsoft.com/en-us/kb/832017#4


    Best regards, Burak Uğur

    Wednesday, February 24, 2016 6:48 AM
  • Hiya,

    If you just write in the domain name and not a specific DC, will the Oracle OBI system be able to handle that?

    Wednesday, February 24, 2016 6:49 AM
  • Hi, it needs either a FQDN or the IP address of any DC.
    Wednesday, February 24, 2016 7:09 AM
  • If you need to spread authentication and LDAP traffic to multiple DCs, then it should be enough to use the domain name to refer to the DC and enable round robin on the DNS server. If your goal is to ensure that Oracle can reliably access domain services when some of the domain controllers fail, then you have to look at other options depending on what your application uses the DC for. Accessing a DC through a load balancer is, in general, not a good idea. Kerberos won't work, but if your application uses the DC only for information retrieval using plain LDAP queries, then load balancing may be an option. A better solution (IMO) will be securing availability of the domain controller by running it on a highly available VM in a Hyper-V cluster.

    Gleb.

    Wednesday, February 24, 2016 7:24 AM
  • Hi,

    Active Directory services do not support binding multiple DCs to a single virtual IP; this kind of infrastructure will lead to Kerberos authentication failure when accessing one of the computers in the NLB.

    Please see similar thread about this:

    Load balancing Domain Controllers?

    https://social.technet.microsoft.com/Forums/windowsserver/en-US/d7ecf820-2e4b-4933-b602-7e857d3d8fd7/load-balancing-domain-controllers?forum=winserverDS

    And the recommendations against it in the following blog:

    Load balancing Domain Controllers?

    http://blog.joeware.net/2010/02/19/1980/


    Best Regards,

    Alvin Wang



    Thursday, February 25, 2016 2:25 AM
    Moderator
  • I'm not getting this DNS round robin. I have two DCs, so with DNS round robin I'll have

    DC1 in 192.168.1.1

    DC1 in 192.168.1.2

    DC2 in 192.168.1.1

    DC2 in 192.168.1.2

    right? Won't it create problems, as the FSMO holder is DC1 only?

    Monday, February 29, 2016 1:52 PM
  • Hi,

    Mahdi Tehrani is right. Round robin is enabled by default in the DNS server properties; this setting will ensure that authentication is load balanced among the existing DCs in the client's site. If you involve other types of load balancers, this will lead to some potential issues. You'd better call the vendor of the OBI system to get a better solution. Thanks for your understanding.

    Best Regards,

    Alvin Wang



    Wednesday, March 2, 2016 2:10 AM
    Moderator
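    The exchange about DNS round robin above is easy to misread, so here is an added PowerShell example (not from the thread) that shows what the setting actually does on a Windows DNS server. Round robin does not give each DC two addresses; it applies to one name that has several A records. In an AD-integrated zone the zone root (the domain name itself, `corp.example` below, a placeholder) carries one A record per DC, and the server rotates the order of those records in successive answers. The example inspects the records and the server setting with `dnscmd` (present on Windows Server 2008 R2) and then resolves the name a few times from the client side with the .NET resolver to show the rotation. It also checks the point the OP was worried about: FSMO roles are not involved in client logon or LDAP lookups, and the DC locator (`nltest`) rather than round robin is what domain-joined clients use to pick a DC.

```powershell
# Added example (not from the thread): what DNS round robin means for a domain
# whose DCs are also its DNS servers. Placeholders: zone "corp.example",
# DNS server "dc1.corp.example".
$Zone      = 'corp.example'
$DnsServer = 'dc1.corp.example'

# 1. The zone root ("@") holds one A record per DC. This is the only name that
#    resolves to several addresses; each DC's own host name keeps a single A record.
dnscmd $DnsServer /EnumRecords $Zone '@' /Type A

# 2. Round robin is a server-wide switch and is on by default (1).
dnscmd $DnsServer /Info /RoundRobin
# To (re)enable it explicitly:
# dnscmd $DnsServer /Config /RoundRobin 1

# 3. Client-side view: resolving the domain name several times returns the
#    same set of addresses in a rotated order. Applications that always take
#    the first address therefore spread across DCs over time.
1..3 | ForEach-Object {
    $addrs = [System.Net.Dns]::GetHostAddresses($Zone) |
        ForEach-Object { $_.IPAddressToString }
    'lookup {0}: {1}' -f $_, ($addrs -join ', ')
}

# 4. Caveat: round robin has no health check. A DC that is down keeps its A
#    record until it is removed, and callers that pick that address simply
#    fail until they retry. Domain-joined Windows clients do not rely on this
#    at all; they use the DC locator, which tests the DC before returning it.
nltest /dsgetdc:$Zone /force

# 5. FSMO roles have nothing to do with which DC serves logons or LDAP reads,
#    so DC1 holding them does not make the rotation a problem.
Import-Module ActiveDirectory
Get-ADDomain $Zone | Select-Object PDCEmulator, RIDMaster, InfrastructureMaster
Get-ADForest | Select-Object SchemaMaster, DomainNamingMaster
```

    For an application like the one in the question, which accepts exactly one name and never re-resolves it, round robin only helps at the moment the name is resolved; it is not a substitute for the application itself handling DC failover.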
  • I did check with Oracle, and this is what they suggested: a load balancer.

    Their OBI system is really weird, as you cannot give it a list of DCs to use, only one at a time, by name or IP address, and should it need changing, the whole OBI system needs to be restarted.

    Anyway, thanks all.

    Wednesday, March 2, 2016 5:45 AM
  • Hi,

    Thanks for your understanding.

    If there is anything else we can do for you, please feel free to post in the forum.

    Best Regards,

    Alvin Wang



    Thursday, March 3, 2016 2:51 AM
    Moderator