Load balancing / redundancy for Windows domain controllers FOR LDAP/LDAPS ONLY - dns

Where I work there are many apps that query Active Directory using LDAP/LDAPS and which can only be configured with a single name to query.
Obviously if that name is a domain controller there's a single point of failure. What's the best way of achieving redundancy? I think I need something like a load balancer that knows if a domain controller's up or down. The domain controllers must be in separate sites. A solution would also need to be handle LDAPS.
We're currently trying a DNS alias ldap. which is DNS round robin ie it resolves to multiple domain controllers, combined with a BMC Patrol script that polls the domain controllers and deletes their ldap. record if they're offline. But in testing we're having a peculiar (to me) result where an ldap query to ldap. succeeds and the domain controller sends the answer, but then sends a referral to a name LDAP://domaindnszones. and a couple of (unix) apps crack up at that point and try to do the second query authenticating as "root", which fails.
I'd be grateful for any thoughts... thanks in advance.

Doing this with a load balancer is not uncommon if you have apps that just want to do simple binds. You'll want to load balance port 636 for LDAP/S if you can make that a requirement for your apps. If you have multiple domains in your forest, port 3269 is the global catalog LDAP/S port.
As far as certificates go, you have two options:
Put an SSL cert on each DC with just the DC's hostname, and then put a cert on the load balancer for the VIP (e.g. ldap.contoso.com). Have the load balancer do re-encryption.
Put an SSL cert on each DC that has the DC's hostname in it, and a subject alternate name (SAN) of ldap.contoso.com. Simply pass the traffic through the load balancer.
For #2, it's important to note that AD will only bind to a certificate that has the DC's hostname either in the subject name field or the /first/ subject alternate name field.

Related

Different name servers for different subdomains

Let's say I have a website example.com which I bought via a common domain registry nomcheap.com.
I want all traffic to a specific subdomain app.example.com to go to name server ns1.appserver.com so I can serve a specific user app.
I also want all other traffic (www.example.com, hello.example.com, *.example.com, etc.) to go to a different name server from a different provider ns1.squaresites.com so I can serve a general website (think something like a commerce Wordpress site).
None of the name servers are provided by the original domain registry nomcheap.com.
Is this possible? If so, any suggestions on how?
To point a subdomain to a name servers you need to create an NS record for the subdomain:
app.example.com NS ns1.appserver.com
This will make all queries go to ns1.appserver.com
*.example.com NS ns1.squaresites.com
The second record should catch all subdomains that don't have their own records (of any kind).
Delegating name server DNS responses can be done was the answer by #Lanexbg describes.
Realize that chaining your DNS lookups this way adds more time to DNS resolution and adds another potential point of failure in the resolution process. If the parent's name servers are down, they won't able to deliver the NS records to tell the client's resolver to continue the lookup process through a delegated name server.
Consider if using DNS "A" or "CNAME" records at the parent's DNS server would be acceptable alternative.
For more detail on how DNS resolution is delegated see this answer on serverfault.com:
How exactly should I set up DNS to delegate authority for subdomains?

Point azure hosted root domain to aws classic load balancer

I'm need to point an Azure hosted root domain/naked domain (example.com) to an AWS Elastic Load Balancer. Classic ELB's don't have IP's while A records can only point to IP's. Azure doesn't support the non-standard ALIAS/ANAME records that allow a CNAME-like configuration for A records.
Azure DNS provides a way to point to Azure cloud hosted websites using a combination of pointing the A record to the website's IP and creating a TXT record containing the DNS name of the website.
AWS Route 53 provides the ALIAS record type for connecting root domains to Load Balancers.
Is there a way to do this without resorting to using an extra server instance with a static (elastic) IP address just to do 301 redirects to www.example.com?
EDIT:I should add that since asking this question I found out that AWS network load balancers support both static and elastic IPs but we are on OpsWorks Chef 11 stacks which only supports classic load balancers.
Azure doesn't support the non-standard ALIAS/ANAME records
Note that these are not non-standard records, because they aren't record types at all. They are configuration entries that allow the nameservers to generate and return a standard A or AAAA record (or other standard types, in Route 53) based on information obtained dynamically by the nameserver, rather than based on static configuration.
But, there isn't another good solution to this. That's why these options exist.
A workaround is to use a service like http://wwwizer.com.
But your easiest and most straightforward solution is to host the domain on Route 53. This doesn't require changing your registrar -- you only have to change the authoritative nameservers. If you have subdomains that need their DNS hosted elsewhere for operational reasons, you can always delegate them. But this is a limitation of the fundamental design of DNS.

Supporting SSL for multiple catch-all sites in IIS

Scenario
We have a multi-tenant SaaS application deployed on a VM hosted with a service provider. We have multiple domains pointing to this VM (let us call them abc.com and xyz.com). Each of our tenant gets a unique sub-domain URL from one of these domains.
In our IIS installation no domains are explicitly defined - as a result, when a request hits the IIS, as no domains are defined, all requests are automatically routed to the default site.
With this arrangement, we are able to serve a any number of sub-domains for each of the primary domains pointing to the VM without having to explicitly create these sub-domains. For example, t1.abc.com, t2.abc.com, t3.xyz.com, t4.xyz.com are all served by our application without having to create these sub-domains in IIS instance.
In our application, when we get the request, by checking the requested URL, we can easily identify the tenant from which the request is coming. All further data access is automatically restricted to the data created by the particular tenant.
Issue
We need to provide secure communication to all our application users through SSL. We can purchase wildcard SSL for each of the domains (viz abc.com, xyz.com). Now the issue is, how do we deploy multiple SSLs on a single website/application defined in IIS?
This will require us to have two separate sites defined in IIS for abc.com and xyz.com. Unfortunately, these will not be "catch-all" sites for the corresponding sub-domains. By default, IIS allows only one "catch-all" site.
From what I understand from some of the posts, we can have multiple "catch-all" site (for separate domains) in IIS, provided each of them is bound to a separate IP address. Though I could not find any document providing the steps for the same. Can someone point me to the document / steps for doing this?
It is not necessary to have 2 separate boxes for abc.com and xyz.com domains. You can request your CA to combine all DNS records into single SSL certificate with all required Subject Alternative Names SAN.
We also ran into this problem before and SAN certificate worked really well with our multi-tenant configuration. I would also recommend to use load balancer like Nginx for SSL offload to serve your client faster and even more secure. In this case you can just point new client to the Load Balancer.

Configure DNS for Windows Service Bus Namespace DNSEntry

Windows Service Bus 1.0 supports DNS-registered namespaces using New-SbNamespace -AddressingScheme DNSRegistered.
New-SbNamespace command
My Scenario:
All machines on same domain (cromwell.local)
2 Compute Nodes
1 SQL Node on separate server
2 namespaces (NamespaceA & NamespaceB for example)
Should the DNS entry (I'm leaning CName - not a DNS guru) each point to a compute node? That doesn't seem to give with the whole gateway/redirect situation.
It doesn't matter what kind of entry, as long as you have a host name that maps to an IP (or set of IPs, if you're using a clustered install). The host name can be a simple name (e.g. my-server) or a fully qualified domain name (e.g my-server.mydomain.com). What's important is that the name can be resolved by both parties, and that you pass the same host name to the server when creating the namespace.
One important thing to consider is that the hostname you use must match the CN name ofthe server's ssl certificate, to avoid auth issues (due to CN name matching). If you're using a default install on a domained-joined machine, you should use a hostname with the same domain name (since in default installs on a domain the server uses a *.yourdomain cert). For all the other scenarios (workgroup machines, hostname that doesn't match the domain) you'll need to provide your own cert. This decision will impact the namespaces you'll be able to have on the server (since all of them will need to match the certificate CN somehow), so weight well your options.
Based on the scenario you describe, I recommend you do the following:
Your DNS name should point to the IP of both compute nodes (I'm assuming these are the machines running service bus server. Besides the DNS redirection, this will also give you DNS-based load balancing
You can only have one namespace per DNS name, so when creating Namespace A you need to pass the CNAME you created on the first step. If you need to have more namespaces, you'll need to create more CNAMEs (which could be a problem with your certificate, depending the hostname / domain names you're picking)
PS. Service Bus Server doesn't really support a 2-node configuration. You should either go to one node for simplicity, or three, if you want a highly-available server.

automatic sub-domain registration

I'm new at DNS world, did some readings in the Internet and wanted to know if I came to the right conclusions. I want to build a system where users are able to create new sub-domains of existing registered domains automatically:
My system provides services to different companies, these services are hosted in my system or some cloud provider. Lets call my system "services" and some company "company1". I want to offer "company1" my services and have its users access these services through "company1" new sub-domain, when "company1" has an already registered domain company1.com. I want "company1" admin user be able to control and choose the sub-domain via my system when he registers his company in my system, and have the whole thing automatic. If i understand correctly:
if the admin would want to use a sub-domain like services.company1.com this will be a problem since I would need to update the authoritative name-servers of company1.com which I don't know who they are, and even if I have a way to know them (and from reading a bit I see that I do have a way), I don't know if every such name server will allow such updates from some external source, connectivity issues etc
if the admin would like to use a sub-domain like company1.services.com then I can achieve this by having my own dns server which I will register the services.com domain for and actually manage all these company sub-domains in my own dns server. This means though that all companies will have to have a sub-domain under my domain services.com
Please correct me if I have a wrong view on how DNS works.
thanks!
services.company1.com
To provide this kind of domain name to your customer, you will need their collaboration. A lot of companies provides this kind of feature by asking you to point an alias (CNAME Record) to a specific server.
Examples of concrete usage
blog.company1.com. 3600 IN CNAME domains.tumblr.com.
shop.company1.com. 3600 IN CNAME myapp.herokuapp.com.
git.company1.com. 3600 IN CNAME bitbucket.org.
Here's some links to the documentation of companies offering this feature:
BitBucket
Heroku
Tumblr
Sample client zone file
So in your case your customer DNS zone will contain something like that:
services.company1.com. 3600 IN CNAME domains.services.com.
where domains.services.com. will be the server that handles the subdomain authentication
company1.services.com
To provide to your customers company1.services.com, you don't have to manage your own DNS server, you just have to be able to add a wildcard record to point all the subdomains to your application. It will be the role of your application to filter your service per subdomains.
Sample service zone file
For example (where 0.0.0.0 is your service IP address):
*.services.com. 3600 IN A 0.0.0.0

Resources