
So my question is - is there any concern to add a CNAME for one domain controller to provide to copiers and other internal sites/applications?

I read that Active Directory doesn't truly "need" a load balancer so if that's true then providing a "VIP" via CNAME to one specific IP would accomplish my goals.

Example: CNAME Ldap.example.com 10.1.1.2
Existing: domain controller: A dc1.example.com 10.1.1.2

Or is there a better way to accomplish what I'm after?

Thank you!

Grim
  • Curious to know the use case; seems it could also be accomplished with setup of AD Sites to ensure a VIP would be able to hit the "nearest" DC at any time. – Semicolon Jan 31 '23 at 19:44
  • Kerberos authentication is going to require an SPN registration for that alias. – twconnell Feb 04 '23 at 00:37
  • Sorry all! I'm not sure why I didn't get email notifications. I'm just thinking I could give copiers one specific DNS name instead of the local AD/DNS server, as one example. This is more of a "nice to have", but I figured some type of "VIP" type setup would be ideal in case the "local DC" is down. The other scenario I can more readily think of as well is internally we use GCDS (Google's Directory Sync Service, and you have to specify an IP or hostname in the config file to query AD with). I'll have to look at adding a SPN registration for the alias, but theoretically that will work? – Grim Feb 08 '23 at 12:32

1 Answer


This depends on the application. If your application(s) only need to query for the occasional infrequently changed attribute or authenticate users, that may work.

Active Directory technically does not support using a load balancer. This is due to how the primary mechanism for interacting with AD using LDAP (DirectoryEntry) contains a reference to the specific domain controller it is using. This is particularly important for creating objects and updating attributes.

Greg Askew
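An added check, not from the question or the answer, that ties together twconnell's point about the SPN and the answer's point that an LDAP bind lands on one specific DC: it resolves the alias, verifies that `ldap/<alias>` is registered on the target DC's computer account (optionally adding it with `setspn -S`), then binds through the alias and reads RootDSE to show which DC actually answered. It assumes the RSAT ActiveDirectory module is installed and uses `ldap.example.com` / `example.com` as placeholder names.

```powershell
# Added example (not from the original post): verify a DNS alias that points
# at a single domain controller is usable by Kerberos LDAP clients.
# Assumes RSAT ActiveDirectory module; $Alias/$Domain are placeholders.
param(
    [string]$Alias  = 'ldap.example.com',   # the CNAME handed to copiers, GCDS, etc.
    [string]$Domain = 'example.com',
    [switch]$Register                       # actually add the SPN if it is missing
)
Import-Module ActiveDirectory

# 1. Resolve the alias and find the host (A record) it points at.
$records = Resolve-DnsName -Name $Alias -Type CNAME -ErrorAction Stop
$cname   = $records | Where-Object { $_.Type -eq 'CNAME' } | Select-Object -First 1
if (-not $cname) { throw "$Alias is not a CNAME; expected an alias to one DC" }
$target  = $cname.NameHost                  # e.g. dc1.example.com
Write-Host "$Alias -> $target"

# 2. A client that does not canonicalize the alias asks the KDC for a ticket
#    to ldap/<alias>, so that SPN must exist on the target DC's computer account.
$dcName = ($target -split '\.')[0]
$dc     = Get-ADComputer -Identity $dcName -Properties servicePrincipalName
$wanted = "ldap/$Alias"
$hasSpn = $dc.servicePrincipalName | Where-Object { $_ -ieq $wanted }
if ($hasSpn) {
    Write-Host "OK: $wanted is registered on $($dc.Name)"
} elseif ($Register) {
    # -S checks the forest for a duplicate SPN before adding it.
    setspn -S $wanted $dc.SamAccountName    # SamAccountName is e.g. DC1$
} else {
    Write-Warning "$wanted is missing on $($dc.Name); re-run with -Register to add it"
}

# 3. Bind through the alias and ask RootDSE which DC answered. This is the
#    answer's point: the bind is to one specific DC, not a floating VIP, so if
#    that DC is down the alias is down with it.
$rootDse = [ADSI]"LDAP://$Alias/RootDSE"
Write-Host "Bound to: $($rootDse.dnsHostName)"
```

Run it without `-Register` first to see the current state; `setspn -S` will refuse to add the SPN if the same name is already registered on another account.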