Load balancers and Active Directory
https://msdnshared.blob.core.windows.net/media/2016/08/0841.NinjaAwardTinySilver.pngSilver Award Winner
Introduction
Recently we faced a question in Directory Services forum which was indicating that what are the drawbacks and benefits of using a load balancer for Active Directory authentication. According to the information provided in that thread, it seems there are quite many applications around the world which are not AD aware and they strictly need to an IP address or name of a domain controller rather than querying DNS to find an available domain controller. Considering this concern, many administrators are worried about failures in this process and think about some failover or high availability features.
In this article we are going to talk about this process and whether this is a good approach or not.
Image 1: Active Directory and Load Balancers
Why even Load Balancers?
When someone indicates that “I need to consider using load balancers for my Active Directory”, we mostly ask why he needs this feature. Then we move on and ask my client the same question. In most cases all the customers have problems with their application. Actually their application is built in a way which has the lowest knowledge of Active Directory.
Based on Active Directory, clients contact their DNS servers in order to get a list of domain controllers. Although there are some other process involved in selecting a domain controller including Weight and Priority of DNS record and even Site location of the client, we simply imagine that client will contact one of the available domain controllers. As you know if one of the domain controllers are not available, clients will contact another domain controller in order to complete their authentication or other sort of LDAP requests.
Many applications are not designed in a way to understand all these DC locator process, Weight and Priority, Site location and even Round Robin. They simply must connect to a predefined domain controller by using IP or name. When there are such scenarios involved, administrators tend to use load balancers in order to create a Virtual IP and put all their domain controllers behind that load balancer in order to provide redundancy for their application.
A closer look at AD with Load Balancers
Firstly we want to mention a key point here! A third-party AD application which cannot work properly with features of Active Directory, is not a third-party AD application anymore! To be more precise, just because this so called AD-Integrated application is not capable of understanding DC locator and querying DNS, it does not mean that you have to add more complexity to your Active Directory structure and add a layer of unneeded modifications like introducing Load Balancers. Walk through the hallway of the company and inform them about their application’s inability. It is better to forget about that solution rather than implement dozens of other things in order to make that application AD aware. In addition, Active Directory have built-in Load Balancing features by its MultiMaster topology and DNS, which we mentioned them previously. Based on this, who on this lovely earth, would Load Balance an already Load Balanced structure?
Besides from this view, there are also some technical reasons supporting the idea of not to use any sort of Load Balancers for authentication. As you know SPNs plays a key role in Active Directory authentication and the key point about SPNs is that they are configured with the server name. For example, HTTP/Webserver indicates that HTTP is running and can be accessed on Webserver computer. When you run Active Directory authentication behind a load balancer you are putting yourself at a risk of having an SPN translated into a wrong name. Consider this as an example:
You have configured your domain controller behind a Load Balancer which its virtual name is “AD”. Now the thing to keep in mind is that “AD” is a virtual name which will be routed to DC1, DC2 and DC3 by client’s request. Very important note here is that clients do not know anything about the name of the domain controllers like DC1 and etc because they are only aware of “AD”, a virtual name of the load balancer or IP. Now when clients form an SPN, it will be sent to Kerberos by the virtual name and since Kerberos does not know anything about that virtual name and as a result requesting the ticket will be failed. This problem may result in KERB_APP_ERR_MODIFIED situation.
Image 2: Requesting a ticket
Image 3: Validating SPN
But what if you are not trying to load balance your Active Directory authentication and simply you want to have redundancy for your DNS service. In that case we think you can do this, but, but, if you are only going for DNS server. However, still you adding a layer of complexity to your DNS infrastructure and your DNS troubleshooting will be a bit confusing unless you have huge documentation skills.
Enough of bad parts! What solutions do I have?
Well the fairest solution is to walk to the vendor and ask them to change their design. You need to inform them that their product is not knowledgeable enough to understand AD and this will decrease the utilization of their product when there are AD involved.
Some of my friends also believe that you can keep load balancers and instead create more complicated SPNs to support the use of Load Balancers. AFAIK in order to utilize this method, you have to create an SPN for your virtual IP and then spread that SPN across your domain controllers. But honestly speaking I am not feeling very well about it.
Conclusion
In this article we talked about Load Balancers and whether they are effective to use or not in an Active Directory infrastructure. Although implementing a Load Balancer and configuring Domain Controllers behind a VIP may work in short time, but they will repeatedly generate Kerberos errors and difficulties and clients will fail because of their inability to follow appropriate SPN. Note that by client I mean an AD-unaware application which is trying to work with LDAP.
Nobody in world will consider implementing a Load Balancer for a services which has one the best built-in load balancers of the universe. If an application is strictly insisting to point to a domain controller, you do not have many choices. Either you have to let this happen and forget about load balancing or you have to walk to the vendor and ask them to modify their application.
Last but not least: network load balancing any AD service (LDAP, LDAPS, DNS, etc.) is not formally supported by Microsoft for the reasons discussed above: the load balancing for the AD services is supposed to be done by the client. If you absolutely need a load balanced LDAP solution and have it supported, consider LDS.