Posted to user@manifoldcf.apache.org by Adrian Conlon <Ad...@arup.com> on 2015/10/12 13:39:34 UTC

Active directory servers and failure cases

Hi List,

We've got a problem with Active Directory failure resiliency, and I wonder if anyone has any good ideas.

We've got a number of active directory servers available that are (as I understand it) mirrors of each other.  Every now and then these servers go wrong (or certainly stop responding).

At the moment, I've configured an Authority Group, with a single Authority Connection, that uses a single Domain Controller.

What I'd like to be able to do is to associate multiple domain controllers with a single authority connection, such that the connection spreads the load across all of the available domain controllers and tries the next available controller if one stops responding.

Does that sound possible?  Indeed, is it a good idea?  Or have I missed something in the currently available ManifoldCF configuration that would allow this already?

Thanks,

Adrian
____________________________________________________________
Electronic mail messages entering and leaving Arup  business
systems are scanned for acceptability of content and viruses

RE: Active directory servers and failure cases

Posted by Adrian Conlon <Ad...@arup.com>.
No problem Karl, I’m starting to suspect that this might be a configuration issue within the AD setup I’m having to use.

If I can find out who they are, I’ll ask the AD experts within my company for their opinion, then see where that leads.

If I find out anything useful, I’ll report it back into the list in case it’s of use.

Thanks for your help so far: that trick with the domain as a host was a good one to try.

Adrian

Re: Active directory servers and failure cases

Posted by Karl Wright <da...@gmail.com>.
"Does the error message make any sense?"

Hmm, no, it doesn't.  But if I drop the error message into Google, I do get
this:

https://social.technet.microsoft.com/Forums/windows/en-US/ebff2363-5685-44a6-a22b-5fa6785d86c9/ldapsearch-example-with-sasl-bind

I don't know if that's helpful or not...  But if you can figure out what
exactly we're doing wrong with the LDAP connection, I can maybe make the
needed changes to get it working with your system?

I wish I could be of more help, but I'm definitely not an AD expert.

Karl

RE: Active directory servers and failure cases

Posted by Adrian Conlon <Ad...@arup.com>.
Hi Karl,

That’s interesting.

I just tried what you suggested and it seems that things are *almost*, but not quite set up to work in that way in the company I work for.

So, the domain is “global.arup.com” and when I ping “global.arup.com”, the IP address I get back is the same as one of the AD servers I spoke about in the initial email. That would imply that some kind of load balancing is taking place around the AD servers.

However, when I try to use “global.arup.com” as an AD server, I get the following connection status:

Threw exception: 'Authentication problem authenticating admin user 'stgserver': [LDAP: error code 49 - 80090303: LdapErr: DSID-0C0904BD, comment: The digest-uri does not match any LDAP SPN's registered for this server., data 0, v1db1&#0;]'

If I use the name of the server pointed to by “global.arup.com” (in this instance, “globalad5”), then the connection status becomes “connection working”.

Does the error message make any sense?

Adrian

Re: Active directory servers and failure cases

Posted by Karl Wright <da...@gmail.com>.
Hi Adrian,

In some installations I've seen evidence that AD itself can be configured
to do "load balancing" of the kind you describe.  In such installations, if
you access the domain controller through DNS, e.g. "thedomain.com", you
reach one of a number of different machines, automatically.

The exact place I've seen this is in the context of a large network that
was being crawled using JCIFS, which had multiple domain-based DFS roots.
Resolving each such root required a back-and-forth with a domain
controller, of which we eventually realized there were more than one.  (And
at least one of them was out of synch, which caused us no end of trouble.)

MCF doesn't try to recreate that kind of load balancing, since it would
appear to be a duplication of effort, but it's possible that our current AD
authority doesn't play well in such an environment.  If that's the case, we
should fix it, rather than create our own idea of a load balancer.

Thanks,
Karl
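An added, self-contained illustration (not ManifoldCF's own code and not written by anyone on this thread) of the two points raised above: the DNS-based spread across domain controllers that Karl describes, combined with the try-the-next-controller failover Adrian asked for in the opening mail, where the bind is always handed a concrete DC hostname rather than the domain alias, the mismatch that the "digest-uri does not match any LDAP SPN's" text in Adrian's reply describes. The SRV records, the example.com hostnames and the fake bind function are constructed stand-ins; a real deployment would take the records from a DNS lookup of _ldap._tcp.dc._msdcs.<domain> and bind with JNDI/LDAP.

```python
import random
from typing import Callable, Dict, Iterable, List, Tuple

# One DNS SRV answer for _ldap._tcp.dc._msdcs.<domain>: (priority, weight, port, target).
SrvRecord = Tuple[int, int, int, str]

# Constructed sample: two DCs at priority 0 sharing load, one lower-preference fallback.
SAMPLE_SRV: List[SrvRecord] = [
    (0, 100, 389, "dc1.example.com"),
    (0, 50, 389, "dc2.example.com"),
    (10, 100, 389, "dc3.example.com"),
]

def order_dc_hosts(records: Iterable[SrvRecord], seed: int = 0) -> List[str]:
    """Order DC hostnames as RFC 2782 prescribes: lowest priority first, and within a
    priority a weighted random draw so repeated connections spread across the DCs."""
    rng = random.Random(seed)  # seeded only so the sample run is reproducible
    by_priority: Dict[int, List[Tuple[int, str]]] = {}
    for prio, weight, _port, target in records:
        by_priority.setdefault(prio, []).append((weight, target))
    ordered: List[str] = []
    for prio in sorted(by_priority):
        pool = list(by_priority[prio])
        while pool:
            weights = [w for w, _ in pool] if any(w for w, _ in pool) else None
            chosen = rng.choices(pool, weights=weights, k=1)[0]
            pool.remove(chosen)
            ordered.append(chosen[1])
    return ordered

class NoControllerAvailable(Exception):
    """Raised when every DC in the candidate list refused or timed out."""

def bind_with_failover(hosts: Iterable[str], bind: Callable[[str], object]) -> Tuple[str, object]:
    """Try each DC in turn and return (host, connection) for the first that answers. bind()
    always gets the DC's own hostname, never the domain alias, so ldap/<host> is an SPN it holds."""
    failures: Dict[str, Exception] = {}
    for host in hosts:
        try:
            return host, bind(host)
        except OSError as exc:  # covers ConnectionError and TimeoutError
            failures[host] = exc
    raise NoControllerAvailable(failures)

def demo(down: Iterable[str] = ("dc1.example.com",)) -> str:
    """Simulated run: the DCs named in `down` time out, the rest accept the bind."""
    unavailable = set(down)
    def fake_bind(host: str) -> str:
        if host in unavailable:
            raise TimeoutError(f"{host}: no response")
        return f"ldap://{host}:389 bound as DC host {host}"
    host, _conn = bind_with_failover(order_dc_hosts(SAMPLE_SRV), fake_bind)
    return host
```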