"Does the error message make any sense?"

Hmm, no, it doesn't. But if I drop the error message into Google, I do get this:

https://social.technet.microsoft.com/Forums/windows/en-US/ebff2363-5685-44a6-a22b-5fa6785d86c9/ldapsearch-example-with-sasl-bind

I don't know if that's helpful or not... But if you can figure out what exactly we're doing wrong with the LDAP connection, I can maybe make the needed changes to get it working with your system?

I wish I could be of more help, but I'm definitely not an AD expert.

Karl

On Mon, Oct 12, 2015 at 8:09 AM, Adrian Conlon <[email protected]> wrote:

> Hi Karl,
>
> That’s interesting.
>
> I just tried what you suggested and it seems that things are **almost**,
> but not quite set up to work in that way in the company I work for.
>
> So, the domain is “global.arup.com” and when I ping “global.arup.com”,
> the IP address I get back is the same as one of the AD servers I spoke
> about in the initial email. That would imply that some kind of load
> balancing is taking place around the AD servers.
>
> However, when I try to use “global.arup.com” as an AD server, I get the
> following connection status:
>
> *Threw exception: 'Authentication problem authenticating admin user
> 'stgserver': [LDAP: error code 49 - 80090303: LdapErr: DSID-0C0904BD,
> comment: The digest-uri does not match any LDAP SPN's registered for this
> server., data 0, v1db1]'*
>
> If I use the name of the server pointed to by “global.arup.com” (in this
> instance, “globalad5”), then the connection status becomes “connection
> working”.
>
> Does the error message make any sense?
>
> Adrian
>
> *From:* Karl Wright [mailto:[email protected]]
> *Sent:* 12 October 2015 12:48
> *To:* [email protected]
> *Subject:* Re: Active directory servers and failure cases
>
> Hi Adrian,
>
> In some installations I've seen evidence that AD itself can be configured
> to do "load balancing" of the kind you describe. In such installations, if
> you access the domain controller through DNS, e.g. "thedomain.com", you
> reach one of a number of different machines, automatically.
>
> The exact place I've seen this is in the context of a large network that
> was being crawled using JCIFS, which had multiple domain-based DFS roots.
> Resolving each such root required a back-and-forth with a domain
> controller, of which we eventually realized there were more than one. (And
> at least one of them was out of synch, which caused us no end of trouble.)
>
> MCF doesn't try to recreate that kind of load balancing, since it would
> appear to be a duplication of effort, but it's possible that our current AD
> authority doesn't play well in such an environment. If that's the case, we
> should fix it, rather than create our own idea of a load balancer.
>
> Thanks,
>
> Karl
>
> On Mon, Oct 12, 2015 at 7:39 AM, Adrian Conlon <[email protected]>
> wrote:
>
> Hi List,
>
> We’ve got a problem with Active Directory failure resiliency, and I wonder
> if anyone has any good ideas.
>
> We’ve got a number of active directory servers available that are (as I
> understand it) mirrors of each other. Every now and then these servers go
> wrong (or certainly stop responding).
>
> At the moment, I’ve configured an Authority Group, with a single Authority
> Connection, that uses a single Domain Controller.
>
> What I’d like to be able to do is associate multiple domain controllers
> with a single authority connection, such that the connection spreads the
> load across all of the available domain controllers and tries the next
> available controller if one stops responding.
>
> Does that sound possible? Indeed, is it a good idea? Or have I missed
> something in the currently available ManifoldCF configuration that would
> allow this already?
>
> Thanks,
>
> Adrian
