How to achieve high availability for Active Directory LDAPS (Secure LDAP)

Dileep Jose 1 Reputation point
2020-08-12T15:03:42.897+00:00

We have around 50 applications currently configured with LDAP and we have around 20 Domain Controllers. As per the security best practice we have to migrate all these applications from LDAP to LDAPS.
Currently, all applications are connected using the Domain's "NETBIOS" name, so there is no need to worry about high availability.

What is the best design approach to achieve high availability for LDAPS?

Prefer not to configure individual DC servers as LDAPS servers in the application.
Note: all the servers (DC and application servers) are enrolled in on-prem PKI.


5 answers

  1. Bastien Perez - Clidsys 6 Reputation points MVP
    2020-08-12T22:34:38.767+00:00

    Hello,
    You can add the NetBIOS name in the SAN.


  2. Thameur-BOURBITA 32,621 Reputation points
    2020-08-12T22:42:53.39+00:00

    Hi,

    To ensure the high availability of the LDAPS service you can choose one of the following solutions:

    • DNS round robin option, by creating many DNS records with the same name but different domain controller IPs; in this case you have to add the name of this DNS record to the SAN list of the certificate installed on each Domain controller
    • Use the domain name domain.local; when you use the domain name, many domain controllers can be contacted by the client. In this case you have to add the domain name to the SAN list of the certificate installed on each Domain controller
    • Install an LDAP VIP (not a free solution); the client will contact the VIP and behind the VIP there are many domain controllers. In this case you have to add the DNS name of the VIP to the SAN list of the certificate installed on each Domain controller
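Whichever of the three options is chosen, the failure mode is the same: the client validates the name it connected to (the round-robin alias, the domain name, or the VIP name) against the SAN list of whichever DC it happens to reach, so a single DC whose certificate lacks that name breaks the service intermittently. The following script is an added example, not code from the thread or from Microsoft: it resolves a shared alias to every DC address, retrieves each DC's certificate over TLS on port 636 (the standard LDAPS port) using only the Python standard library, and reports which DCs do not cover the required names. The hostnames (`ldaps.corp.example`, `corp.example`, `CORP`, `ldap-vip.corp.example`) and the sample SAN list are constructed for illustration; the matching rules follow RFC 6125 (a wildcard only as the whole leftmost label, covering exactly one label).

```python
"""Audit LDAPS domain controllers behind a shared DNS name for SAN coverage.

Added example for the thread above; not part of the original answers.
All hostnames and the SAMPLE_PEER_CERT below are constructed values.
"""
import socket
import ssl

LDAPS_PORT = 636  # standard LDAPS port

# Constructed sample in the shape returned by SSLSocket.getpeercert():
# one DC whose certificate covers the round-robin alias, the domain name
# and the NetBIOS name, but not a (hypothetical) VIP name.
SAMPLE_PEER_CERT = {
    "subject": ((("commonName", "dc01.corp.example"),),),
    "subjectAltName": (
        ("DNS", "dc01.corp.example"),
        ("DNS", "corp.example"),
        ("DNS", "ldaps.corp.example"),
        ("DNS", "CORP"),
    ),
}


def san_dns_names(peer_cert):
    """Return the DNS entries of a getpeercert() dict, in certificate order."""
    return [value for kind, value in peer_cert.get("subjectAltName", ()) if kind == "DNS"]


def name_matches(san_entry, hostname):
    """RFC 6125-style comparison: case-insensitive, trailing dot ignored,
    '*' allowed only as the entire leftmost label and matching one label."""
    san_entry = san_entry.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if "*" not in san_entry:
        return san_entry == hostname
    san_labels = san_entry.split(".")
    host_labels = hostname.split(".")
    # Reject '*' embedded in a label, a bare '*.tld', or a label-count mismatch.
    if san_labels[0] != "*" or len(san_labels) < 3 or len(san_labels) != len(host_labels):
        return False
    return san_labels[1:] == host_labels[1:]


def uncovered_names(required_names, dns_sans):
    """Return the client-facing names that no SAN entry in dns_sans covers."""
    return [n for n in required_names if not any(name_matches(s, n) for s in dns_sans)]


def fetch_peer_cert(address, sni_name, port=LDAPS_PORT, timeout=5.0):
    """Connect to one DC by IP and return its leaf certificate as a dict.

    Chain validation against the system trust store stays on (CERT_REQUIRED);
    only Python's own hostname check is disabled, because we compare the SAN
    list ourselves in order to report exactly which name is missing."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    with socket.create_connection((address, port), timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=sni_name) as tls:
            return tls.getpeercert()


def audit_shared_name(alias, required_names, port=LDAPS_PORT):
    """Resolve alias to every address behind it and audit each DC.

    Returns {ip: [missing names]}; an empty list means that DC is fine and a
    list containing an error string means the TLS session itself failed."""
    addresses = sorted({info[4][0] for info in socket.getaddrinfo(alias, port, type=socket.SOCK_STREAM)})
    report = {}
    for ip in addresses:
        try:
            cert = fetch_peer_cert(ip, alias, port)
            report[ip] = uncovered_names(required_names, san_dns_names(cert))
        except (OSError, ssl.SSLError) as exc:  # unreachable DC or untrusted chain
            report[ip] = [f"TLS failure: {exc}"]
    return report


if __name__ == "__main__":
    # Offline demonstration on the constructed certificate; in production call
    # audit_shared_name("ldaps.corp.example", REQUIRED) against the live alias.
    REQUIRED = ["ldaps.corp.example", "corp.example", "CORP", "ldap-vip.corp.example"]
    print("missing from sample DC cert:", uncovered_names(REQUIRED, san_dns_names(SAMPLE_PEER_CERT)))
```

Run it from a host that trusts the on-prem PKI root; any DC that reports a missing name (or a TLS failure) is one that will intermittently break clients using that shared name and needs its certificate reissued with the name in its SAN list before the application is switched over.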

  3. Vicky Wang 2,646 Reputation points
    2020-08-17T06:59:55.367+00:00

    Hi,

    It depends on the application, but generally speaking the application owner is responsible for ensuring it uses an available and healthy domain controller.

    reference: https://support.microsoft.com/en-us/help/931351/how-to-add-a-subject-alternative-name-to-a-secure-ldap-certificate

    Hope this information can help you.

    Best wishes

    Vicky


  4. Vicky Wang 2,646 Reputation points
    2020-08-19T08:19:24.66+00:00

    Hi,
     
    Just checking in to see if the information provided was helpful. Please let us know if you would like further assistance.
     
    Best Regards,
    Vicky


  5. Vicky Wang 2,646 Reputation points
    2020-08-26T08:23:25.39+00:00

    Hi,
     
    Just want to confirm the current situations.
     
    Please feel free to let us know if you need further assistance.
     
    Best Regards,
    Vicky 
