RE: [ActiveDir] Load balancing LDAP request among my DCs -> Correction :)

joe Wed, 15 Jun 2005 05:39:11 -0700

Title: Message

Exchange finds and uses DCs in a different way than most applications. It doesn't use the standard windows mechanism, it finds the first DC that way and then uses its own internal mechanisms (see DSACCESS docs) to find the rest. Generally it will only use DCs in its own site. I believe, but it has been a while since I read this, it will avoid the PDC by default. In larger environments I strongly recommend that Exchange servers, especially pools of Exchange servers go into their own dedicated sites with GCs that you want dedicated to Exchange. That way Exchange doesn't impact your "normal" DC/GCs and anything else doesn't impact your Exchange DC/GCs.

This obviously also brings up the idea of properly setting up subnets and sites in your directory. If that is done properly, any 2K/Xp clients in remote subnets will use the remote DCs and this doesn't require round robin (though it helps in the case of multiple DCs in a single site). If you find clients are not following the topology correctly it almost certainly goes back to a DNS problem and if it isn't a DNS problem, the local DC is probably having issues.

As for other applications, it completely depends on how they were written on what they will use. If they are Microsoft based applications and by that I mean on MS and at some level using the MS LDAP Libraries (this is to specifically exclude LDAP Applications that use say the iPlanet LDAP SDK or some other non-MS LDAP DLLs such as NET::LDAP from perl) and they use serverless binding, they will follow the proper processes for locating domain controller resources. If they are not MS based apps, then somewhere, they specify the DCs they are targeting and you need to understand what they are specifying.

Overall, the PDC is generally going to be one of your more busy machines. It does things no other DCs do especially with legacy clients. Large companies will often take the PDC and put it off into its own logical site to cut down the number of normal requests going to it and allow only legacy clients and clients that specifically need the PDC to connect to it.

Overall, all of this can be a large difficult problem, you have to break it up and slowly attack it but identifying what is going on and determining if it is correct behavior or not. If something isn't correct, you need to ascertain why it is happening. If it is correct, you need to account for it.

joe

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of TIROA YANN
Sent: Wednesday, June 15, 2005 7:41 AM
To: [email protected]
Subject: RE: [ActiveDir] Load balancing LDAP request among my DCs -> Correction :)

Thanks Joe.

I confirm You that we do not have DNS server, but BIND 9 DNS. I will chek to activate the RR with the DNS admin.

I will follow your advice about network traffics. We have many services that need ldap/auth access to our DCs such as 10 Exchange 2003 servers (with ~ 30000 users), asp script, php script, and our whole computers connecting to our AD 2003 domain, and perhaps many other :(

But the DC wich receives more LDAP traffics is my PDC Emulator which is also GC.

I follow the excellent link forwarded by Neil . I put LdapSrvWeight and LdapSrvPriority values for my PDC emulator lower than the 3 others.. I will check if that works fine.

Regards,

Yann

De : [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] De la part de joe
Envoy� : mercredi 15 juin 2005 03:10
� : [email protected]
Objet : RE: [ActiveDir] Load balancing LDAP request among my DCs -> Corre ction :)

Any load balancing in AD isn't done based on how busy the DCs are. There is a roundrobin that can happen from DNS but if you use a non-MS DNS, roundrobining may not be on, I have seen this more than once in various locations.

Also note that a DC is given out for a client asking for a DC, it isn't given out per operation, so you could get a situation where a couple of clients happen to get the same DC and they are really busy clients.

You can also get the case of some clients hard coded to a specific DC.

When I say clients above, I don't mean workstations, I mean any service hitting a domain controller requesting something/anything.

If you have a specific DC that is getting the crap pounded out of it, get a network trace of the machine and look to see who is hitting it and try to ascertain why. Could be all clients at a certain site who point at a screwed up DNS server or it could be any number of things.

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Ruston, Neil
Sent: Tuesday, June 14, 2005 3:40 AM
To: '[email protected]'
Subject: RE: [ActiveDir] Load balancing LDAP request among my DCs -> Corre ction :)

I understand you concerns and requirements but you include too many subjective words / phrases for my liking :)

i.e.

"heavy load"

"plenty of queries"

"deserve efficiently"

Best of luck with the SRV weight changes.

neil

-----Original Message-----
From: TIROA YANN [mailto:[EMAIL PROTECTED] On Behalf Of TIROA YANN
Sent: 13 June 2005 18:20
To: [email protected]
Subject: RE : [ActiveDir] Load balancing LDAP request among my DCs -> Corre ction :)

"busy" in term of all queries (LDAP, auth...) point to only one DC, that causes heavy load.These loads cause affected system resources  (memory, CPU, ..).

All my DCs have the same system resources (1Go RAM, biprocessor,etc..).

When monitoring DCs queries, always the same DC suffers of these queries ;(

Maybe, I have this simple picture of load balancing in my mind...

1 DC receives plenty of queries(LDAP or auth) that it can not deserve efficiently. I imagine that it can forward a certain amount (a ratio ?) of those queries to another DC less "busy".. But maybe is a "to simple" reflexion :)

Anyway, if DCs can not load-balanced LDAP queries, i will then chek your link and altering SRV record weights/priorities in DNS.

Regards,

Yann

De: [EMAIL PROTECTED] de la part de Ruston, Neil
Date: lun. 13/06/2005 17:52
�: '[email protected]'
Objet : RE: [ActiveDir] Load balancing LDAP request among my DCs -> Corre ction :)

Well, yes and no. DNS does load balance via round robin, as Jorge alluded to. DCs do not load balance based upon your requirements, where a request is forwarded to another DC if the receiver is "busy".

After all, what is the definition of busy??

neil

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of TIROA YANN
Sent: 13 June 2005 16:05
To: [email protected]
Subject: RE: [ActiveDir] Load balancing LDAP request among my DCs -> Correction :)

Ok, thanks for the reply. Your tip might tell me that AD2003 seems to be *UNABLE* (and not enable -> sorry for my english :)) , natively, to load balance such queries, strange ...... :(

I will chek your link for more informations.

Cheers,

Yann

-----Message d'origine-----
De : [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] De la part de Ruston, Neil Envoy� : lundi 13 juin 2005 16:20 � : '[email protected]' Objet : RE: [ActiveDir] Load balancing LDAP request among my DCs

Have you considered altering SRV record weights/priorities in DNS?

Check out this article http://www.microsoft.com/technet/prodtechnol/windowsserver2003/library/Operations/df86810b-9fc5-49b8-a704-d01c042cf460.mspx - it may relate to the PDC but applies to DCs in general too.

neil

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of TIROA YANN
Sent: 13 June 2005 15:04
To: [email protected]
Subject: [ActiveDir] Load balancing LDAP request among my DCs

Hello,
I have a site with 4 DCs 2003.
It seems that one of my DC can not deal with a large number of LDAP queries, GC Response and NTLM/Kerberos Auth .... I misunderstand something but is my DC 2003 is able to check that it cannot deserve these queries and forward automatically these queries to another DC that is less busy ? In order wold, can AD 2003 natively load-balance queries to another less busy DC ? Regards, Yann

==============================================================================
Please access the attached hyperlink for an important electronic communications disclaimer:

http://www.csfb.com/legal_terms/disclaimer_external_email.shtml

==============================================================================

List info   : http://www.activedir.org/List.aspx
List FAQ    : http://www.activedir.org/ListFAQ.aspx
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
List info   : http://www.activedir.org/List.aspx
List FAQ    : http://www.activedir.org/ListFAQ.aspx
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/

==============================================================================
Please access the attached hyperlink for an important electronic communications disclaimer:

http://www.csfb.com/legal_terms/disclaimer_external_email.shtml

==============================================================================

List info   : http://www.activedir.org/List.aspx
List FAQ    : http://www.activedir.org/ListFAQ.aspx
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/

==============================================================================
Please access the attached hyperlink for an important electronic communications disclaimer:

http://www.csfb.com/legal_terms/disclaimer_external_email.shtml

==============================================================================

RE: [ActiveDir] Load balancing LDAP request among my DCs -> Correction :)

Reply via email to