Exchange Server Forums

LDAP Authentication HA ?

All Forums >> [Microsoft Exchange 2010] >> High Availability >> LDAP Authentication HA ? Page: [1]
LDAP Authentication HA ? - 29.Dec.2011 8:51:18 PM   
online_pc_support

 

Posts: 16
Joined: 2.Sep.2010
Status: offline
At the moment we are using a product called Mailcleaner to scan all emails for SPAM, viruses etc. Fantastic product.

We are just in the workings of making Exchange 2010 highly available. With a DAG, CAS array etc. However the last piece to the puzzle is that for people to login to their spam quarantines, and for the system to actually check that their email addresses are valid, it does an LDAP query to 1 x IP address.

Obviously we have multiple DCs in our environment, however I can only point this LDAP query to 1 x IP.

I am aware that I could use a Kemp load balancer, however this is a very expensive solution when all I want to do is make an LDAP query Highly Available.

Does anyone know of a good virtual appliance, or other solution that would allow this query to failover?

Look forward to your response

Thanks, Scott
Post #: 1
RE: LDAP Authentication HA ? - 30.Dec.2011 4:19:03 PM   
travis.sheldon

 

Posts: 359
Joined: 16.Sep.2010
Status: offline
I use the following solution for load balancing my exchange network (I load balance LDAP with it as well)

http://marksmith.netrends.com/Lists/Posts/Post.aspx?List=d0ef1a62-8e97-484a-9053-7acda05534cb&ID=111&Web=2dee96c1-5fed-439e-b530-37626608d03e

(in reply to online_pc_support)
Post #: 2
RE: LDAP Authentication HA ? - 3.Jan.2012 1:50:40 PM   
online_pc_support

 

Posts: 16
Joined: 2.Sep.2010
Status: offline
That is a brilliant solution :o)

Will try and put that together in a test lab and see how I get on.

On another note, I know this is a little bit off topic but I have been searching the Internet and cannot find an answer to another question on my mind.

When you create a DAG, I have named mine DAG01, you have to assign it a static IP on one network.

I have 2 x Networks.

Internal Network 192.168.0.0 /24
Replication Network 10.0.0.0 /24

I have 2 x Exchange Servers holding all roles

EX01 - 192.168.0.11 & 10.0.0.11
EX02 - 192.168.0.12 & 10.0.0.12

The static IP address I have assigned to the DAG on the Internal Network is 192.168.0.10

Now as we were just discussing, most deployments have a load balancer in front, so the load balancer (be it a Kemp Load Master or other solution) checks to see if OWA is working on both 192.168.0.11 and 192.168.0.12 and will balance the requests between the servers. Let's say for example that EX02 goes offline: the balancer's site check will detect this and only forward requests to EX01, full failover and HA.

Now this is brilliant in a full production environment with lots of clients + resources for a virtual or physical load balancing set. However if you are looking for just failover, is there anything wrong with pointing clients to your clustered DAG01 IP (which in my case is 192.168.0.10)?

Then if one of the servers goes offline the other server will accept the requests. I know this will not check the status of the connection, so let's say IIS crashes on EX01, some requests will fail. However, apart from this, and the fact that the servers will be randomly accepting connections (one server may have 95% of the load and the other taking 5%), are there any other disadvantages of doing this?

Look forward to your response

Thanks again for all of your advice

Scott

(in reply to travis.sheldon)
Post #: 3
RE: LDAP Authentication HA ? - 3.Jan.2012 2:58:35 PM   
travis.sheldon

 

Posts: 359
Joined: 16.Sep.2010
Status: offline
Pointing the clients to the DAG IP will not work the way you're expecting.

Remember with Exchange 2010 all requests go through CAS. Nothing but public folder access goes directly to the mailbox servers from the client's end.

With that in mind, the DAG IP also isn't "really" used. It's a placeholder for just internal DAG communication (AFAIK) for the cluster service.

You'd need to use a load balanced solution with affinity. Imagine if you authenticate to CAS1 and then the next request from your machine goes to CAS2 -- at the moment, CAS2 has no token or authorization for your request so the request would get discarded.

(in reply to online_pc_support)
Post #: 4
RE: LDAP Authentication HA ? - 7.Jan.2012 1:36:38 PM   
online_pc_support

 

Posts: 16
Joined: 2.Sep.2010
Status: offline
Brilliant.

I tested the load balancing solution that you suggested Travis, using CentOS with Piranha.

The only difference with my environment is that I am using ESX as the hypervisor rather than Hyper-V

Now I have the system fully set up, however when I navigate to the 'virtual IP' set in Piranha, it does not return a page.

I have tried over and over again to try and get this working, and I think this can only be down to one thing?

Number 1, in the guide it says to tick 'Enable Spoofing of MAC Address' in Hyper-V. I cannot find this option in ESX, so possibly requests are failing because it is spoofing the MAC address and ESX is denying this traffic?

Any ideas anyone ?

Thanks, Scott

(in reply to travis.sheldon)
Post #: 5
RE: LDAP Authentication HA ? - 9.Jan.2012 11:51:18 AM   
travis.sheldon

 

Posts: 359
Joined: 16.Sep.2010
Status: offline
Not too sure; haven't used ESX in a while.

Here is a sample /etc/sysconfig/ha/lvs.cf that you can use

serial_no = 1
primary = (Primary "real" IP of the load balancer)
service = lvs
backup = 0.0.0.0
heartbeat = 1
heartbeat_port = 539
keepalive = 6
deadtime = 18
network = direct
debug_level = NONE
virtual LDAP{
     active = 1
#address = Virtual.IP.address eth0:1
     address = 99.99.99.99 eth0:1
     vip_nmask = 255.255.255.0
     port = 389
     persistent = 14400
     pmask = 255.255.255.255
     use_regex = 0
     load_monitor = none
     scheduler = wlc
     protocol = tcp
     timeout = 30
     reentry = 15
     quiesce_server = 0
     server CAS1 {
         address = 192.168.20.100
         active = 1
         weight = 1
     }
     server DC2 {
         address = 192.168.20.101
         active = 1
         weight = 1
     }
}

(in reply to online_pc_support)
Post #: 6
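A quick way to confirm from outside the balancer that every real server in an lvs.cf like the one above actually answers on the service port is to parse the file and probe each backend. The script below is an added example, not part of the original post or of Piranha; the sample config and its addresses are constructed, and the probe is injectable so the logic can be exercised without a network.

```python
import re
import socket
# Constructed sample in the lvs.cf syntax from the post above (not a live config).
SAMPLE_LVS_CF = """\
virtual LDAP{
     active = 1
#address = Virtual.IP.address eth0:1
     address = 99.99.99.99 eth0:1
     port = 389
     server CAS1 {
         address = 192.168.20.100
         active = 1
     }
     server DC2 {
         address = 192.168.20.101
         active = 1
     }
}
"""

def parse_lvs_cf(text):
    """Parse virtual/server blocks into {vname: {key: value, "servers": {sname: {...}}}}."""
    virtuals, stack = {}, []                    # stack of currently open block dicts
    for line in (l.strip() for l in text.splitlines()):
        if not line or line.startswith("#"):    # skip blank lines and '#' comments
            continue
        if m := re.match(r"(virtual|server)\s+(\S+?)\s*\{$", line):
            block = {"servers": {}} if m.group(1) == "virtual" else {}
            owner = virtuals if m.group(1) == "virtual" else stack[-1]["servers"]
            owner[m.group(2)] = block
            stack.append(block)
        elif line == "}":
            stack.pop()
        elif stack:                             # 'key = value [iface]': keep first token
            key, _, value = line.partition("=")
            stack[-1][key.strip()] = (value.split() or [""])[0]
    return virtuals

def tcp_probe(host, port, timeout=2.0):        # default probe: plain TCP connect
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False

def check_pool(virtuals, probe=tcp_probe):
    """Map each active real server of every virtual service to whether it answers."""
    return {vn: {sn: probe(s["address"], int(v["port"]))
                 for sn, s in v["servers"].items() if s.get("active", "1") == "1"}
            for vn, v in virtuals.items()}
```

Run `check_pool(parse_lvs_cf(open("/etc/sysconfig/ha/lvs.cf").read()))` on the director to see which backends are reachable on the virtual service's port; a `False` entry is a real server that clients can still be scheduled to unless the balancer's own monitoring has marked it down.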
RE: LDAP Authentication HA ? - 25.Jan.2012 3:10:14 PM   
online_pc_support

 

Posts: 16
Joined: 2.Sep.2010
Status: offline
Thanks for all your help so far :)

I have the load balanced system working perfectly now, load balancing LDAP requests. I have even managed to install Keepalived on 2 x boxes to set up virtual machine HA. So if VLB01 goes down, VLB02 starts accepting requests on the virtual IP address and thus starts load balancing requests.

Wondering when you get your head around it.

My final question I think. All clients connect to this deployment via Outlook Anywhere, RPC over HTTPS.

Now I have read that to load balance an Exchange 2010 environment you need to set a registry key on all CAS servers to limit and make the CAS RPC ports static, so you can add these to the load balancer.

My question is: as this is not an internal environment where clients have direct IP access to Exchange, but instead connect via Outlook Anywhere, do I need to make this change on my CAS servers? Surely it is only HTTPS (port 443) that is being redirected by my load balancer...

I hope this makes sense.

Any feedback would be great

Thanks, Scott

(in reply to travis.sheldon)
Post #: 7
RE: LDAP Authentication HA ? - 25.Jan.2012 4:25:03 PM   
travis.sheldon

 

Posts: 359
Joined: 16.Sep.2010
Status: offline
Yes, you should still set the static ports because those are used for address book services and RPC client access.

(in reply to online_pc_support)
Post #: 8