Simple question about zone and CNAME

Lawrence K. Chen, P.Eng. lkchen at ksu.edu
Wed Apr 24 20:00:19 UTC 2013



----- Original Message -----
> 
> In our case it would be impossible for the University's public web
> presence and the AD domain controllers to be the same machines.  It is
> conceivable that we could do some magic in load balancers to divide
> traffic appropriately, but I'd rather not do that if I don't have to.
> 
> Sam
> 
> --
> The University of Edinburgh is a charitable body, registered in
> Scotland, with registration number SC005336.

But, assuming that your web presence is on the load balancer...there wouldn't be any trick to putting AD controller(s) on the same IP...since AD controllers listen to ports other than 80/443.

At our university (www.)ksu.edu is 129.130.8.49 and (www.)k-state.edu is 129.130.8.50....on this IP, the load balancer has port 80 mapped to a pool of webservers handling http, and port 443 is mapped to a different pool of webservers handling https (they should be the same servers now, but there was a time when the web team was switching webserver apps and SSL continued to be handled by the old servers, since the private keys were internal to that application.)  The instability of our web presence was attributed to the high-activity content that was largely http..... until about 2.5 years ago, we were still using Netscape Enterprise Server v4.1!  And, there were things specific to that version that precluded moving to newer NES/iPlanet/SunOneWS....  finally switched to Apache when a mod was written to recreate those features....and bugs.

Our AD controllers are not behind our load balancer, but someday the Windows group might....now that they want to be considered an enterprise server tech group....and cause all sorts of confusion with the already existing enterprise server tech group (unix/linux)...and shed their old name of lantech, from when they were the NetWare group.

What we do have on this IP is ports 5222 and 5223 being sent to another pool.

OTOH, I am doing some magic on the load balancers...because different URI paths are going to different pools, because some important section was mocked up using technology that is not our standard webserver but then is announced to the world as a path under our main web site.

The web team has been talking about replacing our main web presence with Varnish caches, which would give them the ability to do this themselves...rather than needing me to maintain the TCL file that makes the magic.  But, it's been taking them a long time for some reason....(years).  I have a personal setup, which is a pair of nginx servers reverse proxying to various other servers, that's working pretty slick....

The use of separate IPs for ksu.edu & k-state.edu is a leftover from how things used to be done....but the site now uses a multi-name cert with those 4 names and others...  since it was cheaper to cram as many different names into a single cert....  (and we're doing SSL proxy on our load balancer -- so the load balancer can work its magic...)
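The routing pattern described in this post (one public IP, port 80 and port 443 mapped to different pools, ports 5222/5223 sent to a third pool, selected URI paths steered to yet another pool, TLS terminated at the proxy with one multi-name certificate) can be expressed as an nginx reverse-proxy configuration. The block below is an added example written for this page, not the poster's load balancer setup nor the TCL file mentioned; the pool names, the 10.0.x.y backend addresses, the certificate paths and the /mockup/ path are all assumptions chosen for illustration.

```nginx
# Added example: nginx.conf showing the port-, path- and TLS-splitting
# pattern from the post. Backend addresses, pool names, certificate paths
# and the /mockup/ path are invented placeholders.

events { worker_connections 1024; }

http {
    upstream http_pool {              # plain-http pool (port 80 traffic)
        server 10.0.1.11:80;
        server 10.0.1.12:80;
    }
    upstream https_pool {             # pool behind the TLS listener
        server 10.0.2.11:8080;
        server 10.0.2.12:8080;
    }
    upstream mockup_pool {            # section built on a different stack,
        server 10.0.3.11:8080;        # published as a path of the main site
    }

    server {
        listen 80;
        server_name ksu.edu www.ksu.edu k-state.edu www.k-state.edu;
        location / {
            proxy_pass http://http_pool;
            proxy_set_header Host $host;
            # pass the real client address so backend logs stay useful
            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
            proxy_set_header X-Forwarded-Proto $scheme;
        }
    }

    server {
        listen 443 ssl;
        server_name ksu.edu www.ksu.edu k-state.edu www.k-state.edu;
        # one multi-name (SAN) certificate covering every hostname above;
        # the private key lives only on the proxy, never on pool members
        ssl_certificate     /etc/nginx/certs/multiname.crt;  # placeholder
        ssl_certificate_key /etc/nginx/certs/multiname.key;  # placeholder
        ssl_protocols       TLSv1.2 TLSv1.3;

        # path-based split: the mocked-up section goes to its own pool
        location /mockup/ {
            proxy_pass http://mockup_pool;
            proxy_set_header Host $host;
            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
            proxy_set_header X-Forwarded-Proto https;
        }
        location / {
            proxy_pass http://https_pool;
            proxy_set_header Host $host;
            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
            proxy_set_header X-Forwarded-Proto https;
        }
    }
}

# non-HTTP ports on the same IP: the stream module forwards raw TCP
# (here the 5222/5223 ports from the post) to a separate pool
stream {
    upstream xmpp_pool  { server 10.0.4.11:5222; }
    upstream xmpps_pool { server 10.0.4.11:5223; }
    server { listen 5222; proxy_pass xmpp_pool; }
    server { listen 5223; proxy_pass xmpps_pool; }
}
```

The `location /mockup/` block is the nginx counterpart of the per-URI-path rules the post keeps in a load-balancer TCL file; the `stream` context needs an nginx build that includes the stream module. Because the proxy terminates TLS, the backends only ever see plain HTTP, so the `X-Forwarded-Proto` and `X-Forwarded-For` headers are what lets them generate correct redirects and log the real client address rather than the proxy's.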

