Highly available ADAM
I thought I'd post on ADAM once more before moving on to something new. Once you get me started on something, it's tough for me to switch gears!
One of the most common questions I’m asked about ADAM is “how do we deploy highly-available LDAP/LDAPS?” In AD, people often rely upon DC discovery (connect to the naming context name, let your API set do the discovery) but ADAM isn’t fortunate enough to have such a rich discovery mechanism. There are many reasons for this that I won’t get in to here. (It is worth noting that you are welcome to implement your own, and if you do I’d like to hear from you!)
When it comes to solutions, people typically first ask about clustering their ADAM nodes. This is an unfortunate first question for several reasons. First, cluster hardware tends to be pricy. I like to evaluate more economical solutions to start, move on to pricy ones if required. Secondly, ADAM doesn’t cluster well. You certainly can run ADAM on cluster nodes, but it doesn’t give you the benefit you are probably looking for as the DIT can not be a shared resource among multiple nodes.
At this point people start to look gloom, thinking there is no answer here. This is the point where I mention that NLB can achieve what you are looking for! That is, connect to sharedname.domain.com and be routed to an available (and hopefully not too busy….that’s up to your NLB solution of course) node to service your request. This solution can utilize Microsoft NLB or a 3rd party product, it doesn’t make any difference. That is entirely up to you.
There are, of course, some tricks. LDAP will play with NLB no problem, but LDAPS is a bit more picky about it. If there weren’t any tricks this wouldn’t make a very good post really. Fundamentally there are two tricks to making LDAPS & NLB & ADAM all play well together:
1) Don’t pull a cert by the name of nodename.domain.com. Rather, pull a cert by the name of sharedname.domain.com. This way when clients pull the cert from the DSA it is ok with the name on the cert as it matches the name the client connected to.
2) Place the cert in the ADAM service MY store, not in the machine store. This way ADAM selects the correct cert to hand out to clients. Oh, and of course be sure this is the only cert in the service MY store.
Once you’ve got the hang of it, there are other more complicated things you can do, such as multiple different names on the cert. But this should get the ball rolling!