LDAP Authentication HA ? (Full Version)



online_pc_support -> LDAP Authentication HA ? (29.Dec.2011 8:51:18 PM)

At the moment we are using a product called Mailcleaner to scan all emails for SPAM, viruses etc. Fantastic product.

We are just in the workings of making Exchange 2010 highly available. With a DAG, CAS array etc. However the last piece to the puzzle is that for people to login to their spam quarantines, and for the system to actually check that their email addresses are valid, it does an LDAP query to 1 x IP address.

Obviously we have multiple DCs in our environment, however I can only point this LDAP query to 1 x IP.

I am aware that I could use a Kemp load balancer, however this is a very expensive solution when all I want to do is make an LDAP query Highly Available.

Does anyone know of a good virtual appliance, or other solution that would allow this query to failover?

Look forward to your response

Thanks, Scott

travis.sheldon -> RE: LDAP Authentication HA ? (30.Dec.2011 4:19:03 PM)

I use the following solution for load balancing my exchange network (I load balance LDAP with it as well)


online_pc_support -> RE: LDAP Authentication HA ? (3.Jan.2012 1:50:40 PM)

That is a brilliant solution :o)

Will try and put that together in a test lab and see how I get on.

On another note, I know this is a little bit off topic but I have been searching the Internet and cannot find an answer to another question on my mind.

When you create a DAG, I have named mine DAG01, you have to assign it a static IP on one network.

I have 2 x Networks.

Internal Network /24
Replication Network /24

I have 2 x Exchange Servers holding all roles

EX01 - &
EX02 - &

The static IP address I have assigned to the DAG on the Internal Network is

Now as we were just discussing, most deployments have a load balancer in front so the load balancer (be it a Kemp Load Master or other solution) checks to see if OWA is working on both and and will balance the requests between the servers. Let's say for example that EX02 goes offline, the balancer site check will detect this and only forward requests to EX01, full failover and HA.

Now this is brilliant in a full production environment with lots of clients + resources for a virtual or physical load balancing set. However if you are looking for just failover, is there anything wrong with pointing clients to your clustered DAG01 IP (which in my case is

Then if one of the servers goes offline the other server will accept the requests. I know this will not check the status of the connection, so let's say IIS crashes on EX01, some requests will fail. However apart from this, and the fact that the servers will be randomly accepting connections, one server may have 95% of the load and the other taking 5%, are there any other disadvantages of doing this?

Look forward to your response

Thanks again for all of your advice


travis.sheldon -> RE: LDAP Authentication HA ? (3.Jan.2012 2:58:35 PM)

Pointing the clients to the DAG IP will not work the way you're expecting.

Remember with Exchange 2010 all requests go through CAS; nothing but public folder access goes directly to the mailbox servers from the client's end.

With that in mind, the DAG IP also isn't "really" used; it's a placeholder just for internal DAG communication (AFAIK) for the cluster service.

You'd need to use a load balanced solution with affinity. Imagine if you authenticate to CAS1 and then the next request from your machine goes to CAS2 -- at the moment, CAS2 has no token or authorization for your request so the request would get discarded.

online_pc_support -> RE: LDAP Authentication HA ? (7.Jan.2012 1:36:38 PM)


I tested the load balancing solution that you suggested Travis, using CentOS with Piranha.

The only difference with my environment is that I am using ESX as the hypervisor rather than Hyper-V.

Now I got the system fully setup, however when I navigate to the 'virtual IP' set in piranha, it does not return a page.

I have tried over and over again to try and get this working, and I think this can only be down to 1 thing?

Number 1: in Hyper-V, the guide says to tick 'Enable Spoofing of MAC Address'. I cannot find this option in ESX, so possibly requests are failing because it is spoofing the MAC address and ESX is denying this traffic?

Any ideas, anyone?

Thanks, Scott

travis.sheldon -> RE: LDAP Authentication HA ? (9.Jan.2012 11:51:18 AM)

Not too sure; haven't used ESX in a while.

Here is a sample /etc/sysconfig/ha/lvs.cf that you can use:

serial_no = 1
primary = (Primary "real" IP of the load balancer)
service = lvs
backup =
heartbeat = 1
heartbeat_port = 539
keepalive = 6
deadtime = 18
# direct routing: real servers must also hold the VIP themselves
network = direct
debug_level = NONE
virtual LDAP {
     active = 1
#address = Virtual.IP.address eth0:1
     address = eth0:1
     vip_nmask =
     port = 389
     # keep a client on the same real server for 14400 s (4 h)
     persistent = 14400
     pmask =
     use_regex = 0
     load_monitor = none
     scheduler = wlc
     protocol = tcp
     timeout = 30
     reentry = 15
     quiesce_server = 0
     server CAS1 {
         address =
         active = 1
         weight = 1
     }
     server DC2 {
         address =
         active = 1
         weight = 1
     }
}

online_pc_support -> RE: LDAP Authentication HA ? (25.Jan.2012 3:10:14 PM)

Thanks for all your help so far :)

I have the load balanced system working perfectly now. Load balancing LDAP requests. I have even managed to install Keepalived on 2 x boxes to setup virtual machine HA. So if VLB01 goes down ... VLB02 starts accepting requests on the virtual IP address and thus starts load balancing requests.

Wondering when you get your head around it.

My final question I think. All clients connect to this deployment via Outlook Anywhere, RPC over HTTPS.

Now I have read that to load balance an Exchange 2010 environment you need to set a registry key on all CAS servers to limit and make the CAS RPC ports static .... so you can add these to the load balancer.

My question is, as this is not an internal environment where clients have direct IP access to Exchange, but instead connect via Outlook Anywhere: do I need to make this change on my CAS servers? Surely it is only HTTPS (port 443) that is being redirected by my load balancer ....

I hope this makes sense.

Any feedback would be great

Thanks, Scott
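As an added example that is not part of the thread (neither Scott's nor Travis's configuration): a keepalived.conf that covers both halves of the setup described above, floating the LDAP virtual IP between the two balancer boxes (VLB01/VLB02) with VRRP and serving LDAP on 389 with a TCP health check so a dead directory server is taken out of rotation, which the lvs.cf with load_monitor = none does not do. All addresses, the interface name and the VRRP password are assumed placeholders.

```conf
# keepalived.conf on VLB01 (assumed hostnames and addresses; VLB02 is the
# same file with "state BACKUP" and a lower priority such as 90)
global_defs {
    router_id VLB01
}

# VRRP: floats the LDAP virtual IP between the two balancer boxes
vrrp_instance VI_LDAP {
    state MASTER
    interface eth0                  # assumed interface name
    virtual_router_id 51
    priority 100
    advert_int 1
    authentication {
        auth_type PASS
        auth_pass CHANGE_ME         # placeholder, must match on both nodes
    }
    virtual_ipaddress {
        192.0.2.10/24 dev eth0      # assumed VIP (documentation address range)
    }
}

# IPVS: the LDAP service behind the VIP, the equivalent of "virtual LDAP" in lvs.cf
virtual_server 192.0.2.10 389 {
    delay_loop 6                    # seconds between health checks
    lb_algo wlc                     # weighted least-connection, as in lvs.cf
    lb_kind DR                      # direct routing (network = direct in lvs.cf);
                                    # each DC must also hold the VIP on a loopback
                                    # adapter and not answer ARP for it
    persistence_timeout 14400       # 4 h client affinity, as in lvs.cf
    protocol TCP

    real_server 192.0.2.21 389 {    # assumed DC1
        weight 1
        TCP_CHECK {
            connect_timeout 3       # DC removed from the pool if 389 stops answering
            connect_port 389
        }
    }
    real_server 192.0.2.22 389 {    # assumed DC2
        weight 1
        TCP_CHECK {
            connect_timeout 3
            connect_port 389
        }
    }
}
```

A TCP connect check only proves that port 389 is open; a MISC_CHECK script that performs an actual LDAP bind would also catch a DC whose directory service is hung but still listening.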

travis.sheldon -> RE: LDAP Authentication HA ? (25.Jan.2012 4:25:03 PM)

Yes, you should still set the static ports because those are used for address book services and RPC client access.
