Recently we faced a question in the Directory Services forum asking what the drawbacks and benefits are of using a load balancer for Active Directory authentication. According to the information in that thread, there are many applications around the world that are not AD-aware and strictly require the IP address or name of a single domain controller, rather than querying DNS to find an available one. Because that one domain controller becomes a single point of failure, many administrators worry about it and look for some failover or high-availability feature.
In this article we are going to talk about this process and whether it is a good approach or not.
Image 1: Active Directory and Load Balancers
In Active Directory, clients contact their DNS servers in order to get a list of domain controllers (the _ldap._tcp SRV records under _msdcs). Although other factors are involved in selecting a domain controller, including the Weight and Priority of the SRV record and the site location of the client, we simply assume that the client will contact one of the available domain controllers. As you know, if one of the domain controllers is not available, the client contacts another domain controller in order to complete its authentication or other LDAP requests.
Many applications are not designed to understand any of this: the DC locator process, Weight and Priority, site location, or even DNS round robin. They simply must connect to a predefined domain controller by IP or name. In such scenarios administrators tend to use a load balancer to create a virtual IP (VIP) and put all their domain controllers behind it, in order to provide redundancy for the application.
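As an added example (not code from the original article), the following PowerShell function emulates the DNS side of the DC locator: it reads the site-specific and then the domain-wide _ldap._tcp SRV records, orders them by Priority and Weight, and skips any domain controller that does not answer on its LDAP port. This is what an AD-aware client gets for free and what an application pinned to one DC name loses. The domain name contoso.com and the function name are assumptions; the code relies only on the built-in Resolve-DnsName and Test-NetConnection cmdlets and the .NET ActiveDirectorySite class, so it needs no RSAT module.

```powershell
# Added example: emulate the DC locator's DNS step so you can see what an
# AD-aware client does that a pinned application does not.
# Assumes a domain-joined Windows 8 / Server 2012 or later machine.
function Find-ReachableDomainController {
    param(
        [Parameter(Mandatory)] [string] $DomainName,   # e.g. contoso.com (assumed)
        [string] $SiteName                             # optional; defaults to this computer's site
    )

    # 1. Prefer the site-specific SRV record, exactly as the locator does.
    if (-not $SiteName) {
        try {
            $SiteName = [System.DirectoryServices.ActiveDirectory.ActiveDirectorySite]::GetComputerSite().Name
        } catch { $SiteName = $null }   # not domain-joined or site lookup failed
    }
    $names = @()
    if ($SiteName) { $names += "_ldap._tcp.$SiteName._sites.dc._msdcs.$DomainName" }
    $names += "_ldap._tcp.dc._msdcs.$DomainName"

    foreach ($srvName in $names) {
        $records = Resolve-DnsName -Name $srvName -Type SRV -ErrorAction SilentlyContinue |
                   Where-Object { $_.Type -eq 'SRV' }
        if (-not $records) { continue }

        # 2. Lowest Priority first; within one priority, higher Weight is preferred.
        #    (RFC 2782 uses a weighted random pick; a fixed sort is enough to show the order.)
        $ordered = $records | Sort-Object -Property Priority, @{ Expression = 'Weight'; Descending = $true }

        # 3. Fall through to the next candidate when a DC does not answer on its LDAP port.
        foreach ($rec in $ordered) {
            $probe = Test-NetConnection -ComputerName $rec.NameTarget -Port $rec.Port -WarningAction SilentlyContinue
            if ($probe.TcpTestSucceeded) {
                return [pscustomobject]@{
                    DomainController = $rec.NameTarget
                    Priority         = $rec.Priority
                    Weight           = $rec.Weight
                    ViaRecord        = $srvName
                }
            }
            Write-Verbose "$($rec.NameTarget) unreachable on port $($rec.Port); trying next record"
        }
    }
    throw "No reachable domain controller found for $DomainName"
}

# Usage (assumed domain; replace with your own):
# Find-ReachableDomainController -DomainName contoso.com -Verbose
# Compare the result with the built-in locator:  nltest /dsgetdc:contoso.com
```

Stop a domain controller's NTDS service (or block port 389 to it) and run the function again: it silently moves to the next SRV record, which is exactly the failover an application that hard-codes DC1 never gets.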
Apart from this view, there are also technical reasons not to use any sort of load balancer for authentication. As you know, SPNs play a key role in Active Directory (Kerberos) authentication, and the key point about SPNs is that they are tied to the server name. For example, HTTP/Webserver indicates that an HTTP service is running on, and can be accessed at, the computer named Webserver. For a domain controller the relevant SPN is ldap/<DC FQDN>, registered on that domain controller's own computer account, and the KDC encrypts a service ticket for that SPN with that account's key. When you run Active Directory authentication behind a load balancer you are putting yourself at risk of having an SPN translated into the wrong name. Consider this example:
You have configured your domain controllers behind a load balancer whose virtual name is “AD”. “AD” is a virtual name that the load balancer routes to DC1, DC2 or DC3 for each client request. The very important point here is that clients know nothing about the names DC1, DC2 and DC3; they are only aware of “AD”, the virtual name (or IP) of the load balancer. So when a client forms an SPN it builds it from the virtual name, ldap/AD, and asks the KDC for a ticket to that principal. If no domain controller account has ldap/AD registered, the KDC cannot find such a service principal and the ticket request fails (KDC_ERR_S_PRINCIPAL_UNKNOWN). If an administrator has registered ldap/AD on one domain controller, say DC1, the client does get a ticket, but it is encrypted with DC1's key, and every connection the load balancer sends to DC2 or DC3 fails because those servers cannot decrypt it. That is the KRB_AP_ERR_MODIFIED error (logged on the client as Security-Kerberos event 4).
Image 2: Requesting a ticket
Image 3: Validating SPN
Some of my friends also believe that you can keep the load balancers and instead create more complicated SPNs to support them. AFAIK, in order to use this method you have to create an SPN for your virtual IP and then spread that SPN across your domain controllers. But, honestly speaking, I am not comfortable with it.
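To make the SPN problem above, and the “register the VIP's SPN on the domain controllers” idea, checkable before anything is deployed, here is an added PowerShell example (not the article's own code and not a Microsoft tool). It looks up which accounts hold ldap/<virtual name>, confirms each real domain controller still holds its own ldap/<FQDN> SPN, and reports which Kerberos failure to expect from the number of holders found. It requires the ActiveDirectory RSAT module; the names AD.contoso.com, DC1, DC2 and DC3 are assumptions.

```powershell
# Added example: predict what Kerberos will do with a virtual name in front of DCs.
# Requires the ActiveDirectory module (RSAT). All host names below are assumed.
function Test-VipSpn {
    param(
        [Parameter(Mandatory)] [string]   $VirtualName,       # e.g. AD.contoso.com
        [Parameter(Mandatory)] [string[]] $DomainControllers  # FQDNs behind the VIP
    )
    Import-Module ActiveDirectory -ErrorAction Stop

    $spn = "ldap/$VirtualName"

    # Which accounts carry ldap/<vip>? The KDC searches servicePrincipalName for this exact value.
    $holders = @(Get-ADObject -LDAPFilter "(servicePrincipalName=$spn)" -Properties servicePrincipalName |
                 Select-Object -ExpandProperty Name)

    # Each DC normally carries ldap/<its own FQDN> on its own computer account;
    # that is the SPN an AD-aware client would request.
    $dcSpns = foreach ($dc in $DomainControllers) {
        $acct = Get-ADComputer -Filter "DNSHostName -eq '$dc'" -Properties servicePrincipalName
        [pscustomobject]@{
            DC            = $dc
            AccountFound  = [bool]$acct
            HasOwnLdapSpn = [bool]($acct -and ($acct.servicePrincipalName -contains "ldap/$dc"))
        }
    }

    # Map the number of SPN holders to the failure the client will see.
    $verdict = switch ($holders.Count) {
        0       { "No account holds $spn: ticket requests for the virtual name fail with KDC_ERR_S_PRINCIPAL_UNKNOWN." }
        1       { "$spn is held by '$($holders[0])' only: tickets are encrypted with that account's key, so every request the VIP routes to another DC fails with KRB_AP_ERR_MODIFIED." }
        default { "$spn is registered on $($holders.Count) accounts ($($holders -join ', ')): duplicate SPN, the KDC cannot tell which key to use (KDC event 11, 'KDC Duplicate Names')." }
    }

    [pscustomobject]@{
        Spn         = $spn
        Holders     = $holders
        DcSpnStatus = $dcSpns
        Verdict     = $verdict
    }
}

# Usage (assumed names):
# Test-VipSpn -VirtualName 'AD.contoso.com' `
#             -DomainControllers 'DC1.contoso.com','DC2.contoso.com','DC3.contoso.com'
#
# To see the failure live from an AD-unaware client's point of view:
#   klist purge
#   klist get ldap/AD.contoso.com     # request a service ticket for the virtual name
# then check the System log for Security-Kerberos event 4 (KRB_AP_ERR_MODIFIED)
# once the load balancer sends the connection to a DC other than the SPN holder.
```

The three verdicts are the whole argument in one place: with no holder the KDC refuses, with one holder only that DC can decrypt the ticket, and with several holders you have created a duplicate SPN. None of the three gives you a working load-balanced Kerberos service.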
In this article we talked about load balancers and whether they are effective to use in an Active Directory infrastructure. Although placing domain controllers behind a VIP may work for a short time, it will repeatedly generate Kerberos errors and difficulties, and clients will fail because they cannot present the appropriate SPN. Note that by client I mean an AD-unaware application that is trying to work with LDAP.
Nobody would consider implementing a load balancer for a service that already has one of the best built-in load balancers around. If an application strictly insists on pointing to a single domain controller, you do not have many choices: either accept this and forget about load balancing, or go to the vendor and ask them to modify their application.
Last but not least: network load balancing any AD service (LDAP, LDAPS, DNS, etc.) is not formally supported by Microsoft for the reasons discussed above; load balancing for AD services is supposed to be done by the client, through the DC locator. If you absolutely need a load-balanced LDAP solution and need it to be supported, consider AD LDS (Active Directory Lightweight Directory Services).