AD LDS load balancing and HA

  • 131 Views
  • Last Post 01 August 2016
BrianB posted this 01 August 2016

We are currently using another LDAP solution besides AD for various reasons. I want to move that LDAP solution to AD LDS. We currently front our LDAP servers with F-5’s for load balancing and GTM for failover. I also would not want to use a proxy for AD LDS for AD authentication because this LDAP would be a “For-life” instance and I would not want to have accounts in our prod forest that are only partially affiliated with the institution.

  For those that are using AD LDS, what are you using for load balancing and HA? I know that AD LDS has the concept of Sites and SRV records, but in most cases, clients that use our LDAP solution have no understanding of the concept of SRV and sites and would just need to point to an LDAP server/VIP. Is there anything that could break if we decided to use F-5 VIP to front our AD LDS? Are you using a different solution for LB and HA?   Thank you,   Brian Britt    

bdesmond posted this 01 August 2016

I’ve put this behind an F5 or similar many times. You can potentially do re-encryption, or you need to have a separate cert on each AD LDS server with the subject name as the hostname

of the server and then the first SAN as ldap.contoso.com or whatever the VIP is.



 



Thanks,

Brian Desmond

 

(w) 312.625.1438 | (c) 312.731.3132



 

show

Close