LDAP Authentication HA ?
LDAP Authentication HA ? - 29.Dec.2011 8:51:18 PM
online_pc_support
Posts: 16
Joined: 2.Sep.2010
Status: offline
At the moment we are using a product called Mailcleaner to scan all emails for SPAM, viruses etc. Fantastic product. We are just in the workings of making Exchange 2010 highly available, with a DAG, CAS array etc. However, the last piece of the puzzle is that for people to log in to their spam quarantines, and for the system to actually check that their email addresses are valid, it does an LDAP query to 1 x IP address. Obviously we have multiple DCs in our environment, however I can only point this LDAP query to 1 x IP. I am aware that I could use a Kemp load balancer, however this is a very expensive solution when all I want to do is make an LDAP query highly available. Does anyone know of a good virtual appliance, or other solution, that would allow this query to fail over?

Look forward to your response.

Thanks,
Scott
RE: LDAP Authentication HA ? - 3.Jan.2012 1:50:40 PM
online_pc_support
Posts: 16
Joined: 2.Sep.2010
Status: offline
That is a brilliant solution :o) Will try and put that together in a test lab and see how I get on.

On another note, I know this is a little bit off topic, but I have been searching the Internet and cannot find an answer to another question on my mind. When you create a DAG (I have named mine DAG01), you have to assign it a static IP on one network. I have 2 x networks:

Internal Network 192.168.0.0/24
Replication Network 10.0.0.0/24

I have 2 x Exchange Servers holding all roles:

EX01 - 192.168.0.11 & 10.0.0.11
EX02 - 192.168.0.12 & 10.0.0.12

The static IP address I have assigned to the DAG on the Internal Network is 192.168.0.10.

Now, as we were just discussing, most deployments have a load balancer in front, so the load balancer (be it a Kemp Load Master or other solution) checks to see if OWA is working on both 192.168.0.11 and 192.168.0.12 and will balance the requests between the servers. Let's say for example that EX02 goes offline; the balancer's site check will detect this and only forward requests to EX01: full failover and HA. Now this is brilliant in a full production environment with lots of clients + resources for a virtual or physical load balancing set. However, if you are looking for just failover, is there anything wrong with pointing clients to your clustered DAG01 IP (which in my case is 192.168.0.10)? Then if one of the servers goes offline the other server will accept the requests. I know this will not check the status of the connection, so let's say IIS crashes on EX01, some requests will fail. However, apart from this, and the fact that the servers will be randomly accepting connections (one server may have 95% of the load and the other taking 5%), are there any other disadvantages of doing this?

Look forward to your response.

Thanks again for all of your advice,
Scott
RE: LDAP Authentication HA ? - 3.Jan.2012 2:58:35 PM
travis.sheldon
Posts: 359
Joined: 16.Sep.2010
Status: offline
Pointing the clients to the DAG IP will not work the way you're expecting. Remember, with Exchange 2010 all requests go through CAS; nothing but public folder access goes directly to the mailbox servers from the client's end. With that in mind, the DAG IP also isn't "really" used; it's a placeholder just for internal DAG communication (AFAIK) for the cluster service. You'd need to use a load balanced solution with affinity. Imagine if you authenticate to CAS1 and then the next request from your machine goes to CAS2: at the moment, CAS2 has no token or authorization for your request, so the request would get discarded.
RE: LDAP Authentication HA ? - 7.Jan.2012 1:36:38 PM
online_pc_support
Posts: 16
Joined: 2.Sep.2010
Status: offline
Brilliant. I tested the load balancing solution that you suggested, Travis, using CentOS with Piranha. The only difference with my environment is that I am using ESX as the hypervisor rather than Hyper-V.

Now I have got the system fully set up, however when I navigate to the 'virtual IP' set in Piranha, it does not return a page. I have tried over and over again to get this working, and I think this can only be down to 1 thing? Number 1, in Hyper-V the guide says to tick 'Enable Spoofing of MAC Address'. I cannot find this option in ESX, so possibly requests are failing because it is spoofing the MAC address and ESX is denying this traffic?

Any ideas anyone?

Thanks,
Scott
RE: LDAP Authentication HA ? - 9.Jan.2012 11:51:18 AM
travis.sheldon
Posts: 359
Joined: 16.Sep.2010
Status: offline
Not too sure... haven't used ESX in a while. Here is a sample /etc/sysconfig/ha/lvs.cf that you can use:
serial_no = 1
primary = (Primary "real" IP of the load balancer)
service = lvs
# 0.0.0.0 = no backup director; the heartbeat settings below only matter once one is added
backup = 0.0.0.0
heartbeat = 1
heartbeat_port = 539
keepalive = 6
deadtime = 18
# direct routing: each real server must also carry the VIP on a non-ARPing interface
network = direct
debug_level = NONE
virtual LDAP {
    active = 1
    # VIP followed by the interface alias it is bound to on the director
    #address = Virtual.IP.address eth0:1
    address = 99.99.99.99 eth0:1
    vip_nmask = 255.255.255.0
    port = 389
    # client affinity: the same source keeps hitting the same real server for 4 hours
    persistent = 14400
    pmask = 255.255.255.255
    use_regex = 0
    load_monitor = none
    # weighted least-connection
    scheduler = wlc
    protocol = tcp
    timeout = 30
    reentry = 15
    quiesce_server = 0
    server CAS1 {
        address = 192.168.20.100
        active = 1
        weight = 1
    }
    server DC2 {
        address = 192.168.20.101
        active = 1
        weight = 1
    }
}
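As an added example (not part of Travis's post and not Piranha's own code), a small LDAP-level health check in Python: it sends an anonymous LDAPv3 bind to each real server and counts a DC as up only when it returns a well-formed BindResponse with resultCode success, which is the layer-7 check the sample config above (load_monitor = none) does not perform. The function names and the BACKENDS list are assumptions; the two addresses are the real servers from the sample lvs.cf, reused as constructed input, and the check assumes the DC accepts an anonymous simple bind (Active Directory's default).

```python
import socket

# Constructed input: the two real servers from the sample lvs.cf above.
BACKENDS = [("192.168.20.100", 389), ("192.168.20.101", 389)]

def _tlv(tag: int, value: bytes) -> bytes:
    """BER tag-length-value; short-form length is enough for a bind request."""
    return bytes([tag, len(value)]) + value

def build_anon_bind(msg_id: int = 1) -> bytes:
    """LDAPMessage{messageID, BindRequest{version 3, name "", simple ""}}; msg_id < 128 assumed."""
    bind = _tlv(0x02, b"\x03") + _tlv(0x04, b"") + _tlv(0x80, b"")
    return _tlv(0x30, _tlv(0x02, bytes([msg_id])) + _tlv(0x60, bind))

def _read_tlv(buf: bytes, pos: int):
    """Return (tag, value, next_pos) for the TLV at buf[pos]; handles long-form lengths."""
    tag, first, pos = buf[pos], buf[pos + 1], pos + 2
    if first & 0x80:
        nbytes = first & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + nbytes], "big"), pos + nbytes
    else:
        length = first
    return tag, buf[pos:pos + length], pos + length

def parse_bind_result(resp: bytes) -> int:
    """resultCode of a BindResponse, or -1 if the bytes are not one (0 = success, 49 = bad creds)."""
    tag, msg, _ = _read_tlv(resp, 0)
    if tag != 0x30:                          # not an LDAPMessage SEQUENCE
        return -1
    _, _, pos = _read_tlv(msg, 0)            # skip messageID
    tag, body, _ = _read_tlv(msg, pos)       # protocolOp
    if tag != 0x61:                          # [APPLICATION 1] BindResponse
        return -1
    tag, code, _ = _read_tlv(body, 0)        # ENUMERATED resultCode
    return int.from_bytes(code, "big") if tag == 0x0A else -1

def ldap_alive(host: str, port: int = 389, timeout: float = 3.0) -> bool:
    """Up only if the DC completes TCP *and* answers the anonymous bind with success (0)."""
    try:
        with socket.create_connection((host, port), timeout=timeout) as s:
            s.sendall(build_anon_bind())
            return parse_bind_result(s.recv(4096)) == 0
    except (OSError, IndexError):            # refused, timed out, or truncated/garbage reply
        return False

if __name__ == "__main__":
    for host, port in BACKENDS:
        print(host, "UP" if ldap_alive(host, port) else "DOWN")
```

Run from the director (or from cron to alert), it catches the case a plain TCP connect check misses: a DC that still accepts connections on 389 but no longer answers LDAP.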
RE: LDAP Authentication HA ? - 25.Jan.2012 3:10:14 PM
online_pc_support
Posts: 16
Joined: 2.Sep.2010
Status: offline
Thanks for all your help so far :) I have the load balanced system working perfectly now, load balancing LDAP requests. I have even managed to install Keepalived on 2 x boxes to set up virtual machine HA. So if VLB01 goes down... VLB02 starts accepting requests on the virtual IP address and thus starts load balancing requests. Wondering when you get your head around it.

My final question, I think. All clients connect to this deployment via Outlook Anywhere, RPC over HTTPS. Now I have read that to load balance an Exchange 2010 environment you need to set a registry key on all CAS servers to limit and make the CAS RPC ports static... so you can add these to the load balancer. My question is, as this is not an internal environment where clients have direct IP access to Exchange, but instead connect via Outlook Anywhere, do I need to make this change on my CAS servers? As surely it is only HTTPS - port 443 that is being redirected by my load balancer... I hope this makes sense.

Any feedback would be great.

Thanks,
Scott
RE: LDAP Authentication HA ? - 25.Jan.2012 4:25:03 PM
travis.sheldon
Posts: 359
Joined: 16.Sep.2010
Status: offline
Yes, you should still set the static ports, because those are used for address book services and RPC client access.