Read only Domain Controller support for IWA direct
Updated On:13-05-2017 09:59
ProxySG Software - SGOS
When choosing the closest DC to use via dns srv and ldap ping command it was found that the iwa direct realm was not using the domain controller closest to the proxy.
This was because the closest dc was a read only domain controller.
The process that the SG follows for locating a domain controller is the same as the process that a Windows box would follow.
We retrieve a list of DCs from DNS, then do an “LDAP Ping” to determine which one to use. The SG will use the first DC that responds. However, we will not use read only domain controller even though it responds quickest to the ldap ping request.
If you have configured AD “sites”, then the SG will look for a writable DC in its own site first. If no writable DCs in the SG’s site are online, then the SG will try to find a DC from another site that is part of the same domain. The bottom line is that the SG will select a DC the same way that a Windows box will – each will choose the first DC to respond to an LDAP ping, and each will give preference to DCs that are in the local site.
i.e. in /lsa/stats
if domain controller returns this then we will not use it:
(0x287C) GLOBAL_CATALOG KDC READ_ONLY
We will use domain controller with this flag set:
(0x317C) GLOBAL_CATALOG KDC WRITEABLE
Now of course this will lead to latency if the proxy is not using the closest dc and using a dc in a different part of the world.
You can on 18.104.22.168 and above create a preferred and alternate dc to override this behavior i.e. by doing that we won’t use the ldap ping approach if the preferred and alternate dc are available and we will support readable domain controller.