AD Domain Controller Failover and RHEL
  • AD Domain Controller Failover and RHEL

    Hi All,

    We're bringing up a mixed-OS cloud whose users are managed by a Windows 2008 Active Directory Domain Controller. Everything appears to be working fine right now, I'm able to authenticate against both Windows and RHEL5 hosts using my AD credentials.

    What we're trying to do next is to enable failover for the DC. I'm a bit confused as to whether there is a best practice for this. I understand that it's possible to enable High-Availability by installing a 2nd DC and having it replicate with the 1st DC and updating the DNS (to be clear, we're running DNS on a separate RHEL machine running named).

    However, as I understand, the DNS is only applicable for Windows clients. My Windows hosts leverage DNS SRV records to find the appropriate DCs to authenticate against, however all of my RHEL hosts (which are the majority of the cloud) are manually configured to point to a specific DC (via a FQDN). If I have DC1.example.com and DC2.example.com, but all my RHEL hosts are configured to point to DC1, how should I handle a failover situation? Or is there a way to configure RHEL hosts to dynamically discover the DCs from the DNS SRV entries as well?

    Thanks for any pointers.

    Edit: I just realized this might be in the wrong forum. Sorry, could a mod move it for me?
    Last edited by paulpham; 24th August 2010, 00:50.

  • #2
    Re: AD Domain Controller Failover and RHEL

    Moved to AD forum

    Can you add multiple srv records to your penguins so they at least know of the existence of the second DC?
    Tom Jones
    MCT, MCSE (2000:Security & 2003), MCSA:Security & Messaging, MCDBA, MCDST, MCITP(EA, EMA, SA, EDA, ES, CS), MCTS, MCP, Sec+
    PhD, MSc, FIAP, MIITT
    IT Trainer / Consultant
    Ossian Ltd
    Scotland

    ** Remember to give credit where credit is due and leave reputation points where appropriate **

    Comment


    • #3
      Re: AD Domain Controller Failover and RHEL

      That might work, but I'm not sure where I would do that. Currently the DC is configured in /etc/ldap.conf and I've only listed the one dc1. Is it possible to list more than one DC in my ldap.conf? Or does anyone know how to force my RHEL5 boxes to discover the DCs?

      Edit: Checked the ldap.conf for some help, it seems you can list multiple hosts there, which is good. This solution should work fine practically, so consider this thread solved.

      However, I'm still curious if anyone has a more elegant solution to this problem? At the end of the day, it feels like a hack; I'm ending up having to 'hardcode' my Domain Controller IPs/Hostnames into a configuration file at server pxeboot. It would be nice if there were a way for RHEL hosts to autodiscover the domain controllers.

      One suggestion I heard today was to run Windows 2008 Enterprise in cluster mode, sharing the same hostname for all DCs. Has anyone tried this in practice?
      Last edited by paulpham; 25th August 2010, 02:40. Reason: new info

      Comment


      • #4
        Re: AD Domain Controller Failover and RHEL

        Sometimes it's helpful to just think out loud on a forum, I guess.

        Ossian was right; for those of you who are interested, basically all you need to do is set up your DNS records properly with the SRV records and priorities for your Domain Controllers (both LDAP and Kerberos).

        Then in your /etc/ldap.conf, /etc/openldap/ldap.conf, and /etc/krb5.conf you'll basically just want to omit any reference to a URI or hostname. DNS will take care of the rest. No more hardcoding!

        Thanks Ossian!

        Comment
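To make post #4 concrete, here is an added example (not code from the thread or from any of its posters) that models what a DNS-aware client does once the `_ldap._tcp` and `_kerberos._tcp` SRV records exist: order the published domain controllers per RFC 2782 (lowest priority value first, weight as tie-breaker), fall through to the next DC when the preferred one does not answer, and check that every DC is actually published for both services. The zone data is constructed to match the thread's dc1/dc2.example.com; the `unreachable` set stands in for a connection failure, since nothing here talks to a real DC.

```python
"""RFC 2782 SRV selection for AD domain controllers (added example, not from the thread)."""
import random
from collections import namedtuple

SrvRecord = namedtuple("SrvRecord", "priority weight port target")

# Constructed sample zone data: what "SRV records with priorities for your
# Domain Controllers (both LDAP and Kerberos)" looks like once published.
# Lower priority value = preferred; weight only breaks ties within one priority.
SAMPLE_ZONE = {
    "_ldap._tcp.example.com": [
        SrvRecord(0, 100, 389, "dc1.example.com"),
        SrvRecord(10, 100, 389, "dc2.example.com"),
    ],
    "_kerberos._tcp.example.com": [
        SrvRecord(0, 100, 88, "dc1.example.com"),
        SrvRecord(10, 100, 88, "dc2.example.com"),
    ],
}


def order_srv(records, rng=None):
    """Order SRV records per RFC 2782: ascending priority, then a weighted
    random draw within each priority group (seeded here for repeatability)."""
    rng = rng or random.Random(0)
    ordered = []
    for prio in sorted({r.priority for r in records}):
        group = [r for r in records if r.priority == prio]
        while group:
            total = sum(r.weight for r in group)
            pick = rng.randint(0, total) if total > 0 else 0
            running = 0
            for rec in group:
                running += rec.weight
                if running >= pick:
                    ordered.append(rec)
                    group.remove(rec)
                    break
    return ordered


def select_dc(zone, service, unreachable=(), rng=None):
    """Walk the ordered SRV candidates for a service and return the first target
    not in `unreachable` (a stand-in for a failed connection). None if none left."""
    for rec in order_srv(zone.get(service, []), rng):
        if rec.target not in unreachable:
            return rec
    return None


def missing_srv(zone, dcs, services=("_ldap._tcp.example.com", "_kerberos._tcp.example.com")):
    """Sanity check for the zone: list (service, dc) pairs with no SRV record,
    i.e. DCs that clients could never discover for that service."""
    return [
        (svc, dc)
        for svc in services
        for dc in dcs
        if dc not in {r.target for r in zone.get(svc, [])}
    ]


if __name__ == "__main__":
    dcs = ["dc1.example.com", "dc2.example.com"]
    print("missing:", missing_srv(SAMPLE_ZONE, dcs))
    print("normal  :", select_dc(SAMPLE_ZONE, "_ldap._tcp.example.com").target)
    print("dc1 down:", select_dc(SAMPLE_ZONE, "_ldap._tcp.example.com",
                                 unreachable={"dc1.example.com"}).target)
```

On the client side the Kerberos half of this is `dns_lookup_kdc = true` in the `[libdefaults]` section of `/etc/krb5.conf` (a standard MIT Kerberos setting); the LDAP half is what post #4 describes, leaving `host`/`uri` out of `/etc/ldap.conf` so the library falls back to the SRV lookup. Run `missing_srv` against your real zone export before cutting over: a DC that is in `_ldap._tcp` but not in `_kerberos._tcp` fails over for directory lookups and still breaks logins.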


        • #5
          Re: AD Domain Controller Failover and RHEL

          Given I know sod all about linux it was more a lucky guess than anything else, but I won't object to the praise
          Tom Jones
          MCT, MCSE (2000:Security & 2003), MCSA:Security & Messaging, MCDBA, MCDST, MCITP(EA, EMA, SA, EDA, ES, CS), MCTS, MCP, Sec+
          PhD, MSc, FIAP, MIITT
          IT Trainer / Consultant
          Ossian Ltd
          Scotland

          ** Remember to give credit where credit is due and leave reputation points where appropriate **

          Comment
