How to achieve high availability for Active Directory LDAPS (Secure LDAP)

Dileep Jose 1 Reputation point
2020-08-12T15:03:42.897+00:00

We have around 50 applications currently configured with LDAP and we have around 20 Domain Controllers. As per the security best practice we have to migrate all these applications from LDAP to LDPAS.
Currently, all applications are connected using Domain's "NETBIOS" name so there no need to worry about high availability.

What is the best design approach to achieve high availability for LDAPS?

Prefer not to configure individual DC servers as LDAPS servers in the application.
Note: all the servers (DC and application servers) are enrolled in on-prem PKI.

Active Directory
Active Directory
A set of directory-based technologies included in Windows Server.
6,644 questions
0 comments No comments
{count} votes

5 answers

Sort by: Most helpful
  1. Bastien Perez - Clidsys 6 Reputation points MVP
    2020-08-12T22:34:38.767+00:00

    Hello,
    You can add the NetBIOS name in the SAN.

    0 comments No comments

  2. Thameur-BOURBITA 33,006 Reputation points
    2020-08-12T22:42:53.39+00:00

    Hi,

    To ensure the high availability of LDAPS service you can choose one of the following solution:

    • DNS round robin option , by creating many DNS records with same name but different domain controller IP, in this case you have to add the name of this DNS record in the SAN list in the certificate installed on each Domain controller
    • Use the domain name domain.local , when you use the domain name , many domain controllers can be contacted by the client. In this case you have to add the domain name in the SAN list in the certificate installed on each Domain controller
    • Install LDAP VIP (not free solution), the client will contact the VIP and behind the VIP there are many domain controllers. In this case you have to add the name of this DNS record of the VIP in the SAN list in the certificate installed on each Domain controller
    0 comments No comments

  3. Vicky Wang 2,731 Reputation points
    2020-08-17T06:59:55.367+00:00

    Hi,

    It depends on the application, but generally speaking the application owner is responsible for ensuring it uses an available and healthy domain controller.

    reference:https://support.microsoft.com/en-us/help/931351/how-to-add-a-subject-alternative-name-to-a-secure-ldap-certificate

    Hope this information can help you

    Best wishes

    Vicky

    0 comments No comments

  4. Vicky Wang 2,731 Reputation points
    2020-08-19T08:19:24.66+00:00

    Hi,
     
    Just checking in to see if the information provided was helpful. Please let us know if you would like further assistance.
     
    Best Regards,
    Vicky

    0 comments No comments

  5. Vicky Wang 2,731 Reputation points
    2020-08-26T08:23:25.39+00:00

    Hi,
     
    Just want to confirm the current situations.
     
    Please feel free to let us know if you need further assistance.
     
    Best Regards,
    Vicky 

    0 comments No comments

Your answer

Answers can be marked as Accepted Answers by the question author, which helps users to know the answer solved the author's problem.