Score:0

Can I use one FQDN for all DCs for server authentication and one FQDN for NTP synchronisation?


I'm struggling with regard to a proper practice for server setup for LDAP/AD authentication and NTP. I was wondering whether asking two separate questions would be better, but I think being a common problem here for two types of services is a good reason to ask.

So, I have three domain controllers:

  • dc1.test.internal (on 192.168.0.2/24)
  • dc2.test.internal (on 192.168.0.3/24)
  • dc3.test.internal (on 192.168.0.4/24)

I want to use all of them for authentication and NTP synchronisation. Let's say I want to set up AD-based authentication on iLO (integrated Lights Out). I have to specify these servers, and iLO lets me do it one by one. This case is simple. Same goes for chronyd: I can specify multiple hosts, no problem.

What if a service does not let you do so, for instance by letting you enter only one DC or NTP server? Can I make a set of DNS A entries named dcs.test.internal and point each of them to 192.168.0.2, 192.168.0.3 and 192.168.0.4? And set dcs.test.internal as a Directory Server in iLO settings? What about NTP? I've read something about Anycast NTP but I am not sure where to go with it.

Score:2

Anycast is not needed or recommended for use with NTP - see the NTP Best Current Practice RFC. (I actually think the RFC does not go far enough and should explicitly recommend against anycast NTP if an all-active design is feasible.)

It's a common misconception about NTP that it should only have one source at a time and be able to fail over to another if that source is unavailable. Failover architectures for NTP are both suboptimal and unnecessary. Instead, you should use a design where all NTP sources are active all the time. I've written a summary of this in my blog, and you get more detailed info in the NTP docs.

The setup you suggested for DNS where the same name (in your case dcs.test.internal, or as Greg Askew suggested, the domain itself: test.internal) returns all the IP addresses of every available NTP server is the preferred way to configure NTP clients. This is what the NTP pool uses. Modern versions of chrony and ntpd (and various other client implementations) will automatically use all of the NTP servers and thus achieve greater accuracy as well as resilience.
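As an added illustration of the all-active layout this answer recommends (this is not the answer's own configuration, and it assumes chrony 3.x or newer and the name dcs.test.internal from the question, published as three A records for 192.168.0.2, .3 and .4): the directive matters. With a round-robin name, chrony's `server` directive resolves the name once and keeps a single address, so you would still be in a single-source, failover-style setup; `pool` resolves the same name to every address it returns and treats each as a separate source.

```conf
# /etc/chrony.conf excerpt (added example, not from the original post)

# Weak: one name, but chrony takes only one of the addresses it resolves to.
# server dcs.test.internal iburst

# Preferred: use every A record behind the name as its own source.
# maxsources caps how many addresses from the pool are used (3 DCs here);
# iburst speeds up the initial sync; xleave improves timestamp precision on
# supporting servers (harmless otherwise).
pool dcs.test.internal iburst maxsources 3

# Do not trust the clock to a single server: require at least two agreeing
# sources before chrony will adjust the system time, so one wrong or
# misbehaving DC is outvoted rather than followed.
minsources 2

# Sanity limit: refuse any step larger than 1000 s after the first 3 updates,
# which contains the damage from a badly wrong source.
makestep 1000 3
```

Verify with `chronyc sources -v`: you should see three entries, one per DC, with the selected source marked `*` and the others `+` (combined) or `-` (rejected), instead of a single line. The same `pool` keyword exists in ntpd's ntp.conf with the same meaning.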

Score:1

You already have a name: the domain name. You can create your own CNAMEs if you want. But if a DC DNS record is present but the DC does not answer, or the record points to a DC that is having issues, it is the responsibility of the client to make those adjustments and select a domain controller that is operational.

suprovsky:
Technically yes, but the problem is that the client doesn't always offer such an option, hence I'm asking what to do in such situations.
@suprovsky: What to do is the client must handle selection of an operational domain controller themselves.
Score:0

There might be quite a few sysadmins who have faced this issue and who could have a better answer than me, but here is my thought.

You could create a failover architecture between your Windows servers based on the TCP/IP stack.

You would create a cluster of Windows servers with DC and NTP services enabled. And you would have a single FQDN pointing to a single IP address (let's say 192.168.0.10).

With the 3 servers online, dc1 would listen and answer when an inbound packet arrives with 192.168.0.10 as destination IP address.

If dc1 failed, dc2 would take over and start answering when a packet arrives in the broadcast domain with 192.168.0.10 as destination IP address.

Microsoft describes two methods:

https://learn.microsoft.com/en-us/windows-server/networking/technologies/network-load-balancing

https://learn.microsoft.com/en-us/windows-server/failover-clustering/failover-clustering-overview

Paul Gear:
Failover designs for NTP are not the best way to configure it; see the links in my answer for more details.
Clustering and load balancers may work with NTP. They do not work with and aren't supported with Active Directory domain controllers for authentication/LDAP. In an Active Directory environment, consuming applications are responsible for managing the availability of domain controllers. This is why products such as iLO and VMware provide for the selection of two domain controllers. If one is unavailable, they try the other.