Messaging Gateway

  • 1.  SBG 9.0: Multiple Directory Data Sources

    Posted Mar 18, 2010 05:22 PM
    I've upgraded our test environment from 8.0.3 to 9.0 and am playing with the new features. One of the features I'm most excited about is being able to add multiple directory data sources. Great, so if one of our Active Directory Domain Controllers is down, it can just use another one -- no more DC as a single point of failure, right? However, the admin guide seems to indicate this isn't necessarily the case. Page 483 says that if an LDAP server is down, it will use the cache. And that installing your own load balancer can provide failover. However, it also says that without a load balancer, "the directory data service rotates connections among multiple IP addresses assigned to an LDAP server hostname." Does this mean no failover unless your single LDAP data source is assigned multiple IP addresses in DNS and defined by hostname, in which case it will rotate among resolved IP addresses? Or does it mean it will rotate among multiple data sources as needed -- i.e. failover -- just not optimally balanced withthout a load balancer (which is fine)? Can you please clarify the multiple directory data sources functionality, please? Thanks!


  • 2.  RE: SBG 9.0: Multiple Directory Data Sources

    Broadcom Employee
    Posted Mar 19, 2010 02:12 AM
    The ability to query multiple data sources is mainly for our customers who have multiple email domains and multiple Windows domains. It is not meant as a failover solution. You would not create multiple entries for the same domain but instead each entry is for the domain the host you are specifying contains the information for. As documented, if you need load balancing or failover functionality you should set that up on a device designed for that.


  • 3.  RE: SBG 9.0: Multiple Directory Data Sources

    Posted Mar 19, 2010 08:18 AM

    Thanks for the clarification. Are there plans to allow adding a second domain controller for the same domain? It seems to me this would be an obvious desire of any admin, since Windows directory services are inherently designed to be redundant. Why would I want to implement a stand-alone load balancer when Active Directory is designed from within to allow queries to multiple DC & GCs? Everything else in our domain is fault-tolerant if a domain controller goes down, why not SBG?

    As for the statement I quoted earlier that reads: "the directory data service rotates connections among multiple IP addresses assigned to an LDAP server hostname," does that mean if I set up a hostname and assign it the multiple IPs of our domain controllers, SBG would then be able to rotate to a different IP if the first attempted does not respond? If not, can you please clarify to what it's referring?

    Thanks again, doni


  • 4.  RE: SBG 9.0: Multiple Directory Data Sources
    Best Answer

    Broadcom Employee
    Posted Mar 19, 2010 11:17 AM
    Well, if we do a DNS lookup for the hostname you provide us and there are multiple entries returned, we know to try each before we fail. If there is just one, and it doesn't answer, we will look at our cache. If there is nothing cached, we give a transport error in the 400 range and the sending server will know to try again later.


  • 5.  RE: SBG 9.0: Multiple Directory Data Sources

    Posted Mar 19, 2010 11:58 AM
    Hi,

    We do support multiple, redundant sources for Invalid Recipient Handling (IRH).
    However, the new caching feature should actually negate the need for redundant sources.

    The Directory Data Source architecture will always make use of cached data before attempting any lookups to LDAP.
    Also, cache data is NEVER deleted except when cache size limits are reached.  Instead of deleting, we use a TTL concept.

    Example -
    If you have two IRH sources, DC1 and DC2 (both contain the same directory data), with DC1 first in the query order:

    * DC1 will always return valid recipient data, DC2 will never be queried as the answer is received from DC1.
    * Both DC1 and DC2 will be checked when an invalid recipient is the subject of the lookup.
    * If DC1 is down, pre-cached valid recipients will be served from the cache.  DC2 will not be checked.
    * If DC1 is down, 'new' valid recipient lookups will be served from DC2 and cached.
    * If DC1 is down, cached invalid recipients within the TTL will be handled as normal from the cache.
    * If either DC1 or DC2 is down, 'new' invalid recipients or invalid recipients with expired TTL will get a 421 "try later" SMTP response.

    I hope that clarifies.

    //ian
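
The lookup order described in the two replies above (cache first, then each source in query order, trying every IP a source hostname resolves to, and a 421 when no authoritative answer can be reached) can be modelled in a few lines. The following is an added illustration written for this page, not Symantec's DDS code; the hostnames, IP addresses, recipient list, the one-hour TTL and the single-dict cache are all assumptions, and the cache size limit mentioned in the reply is not modelled.

```python
"""Model of the Directory Data Service lookup order described in the thread.
Constructed illustration, not the product's own code.  DNS and LDAP are
replaced by injected callables so the example runs offline."""
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional, Set

TTL_SECONDS = 3600  # assumed TTL for cached *invalid* recipients


@dataclass
class CacheEntry:
    valid: bool
    expires: Optional[float]  # None = never expires (valid recipients stay cached)


@dataclass
class DirectoryDataService:
    sources: List[str]                              # hostnames in query order
    resolve: Callable[[str], List[str]]             # hostname -> IPs (stands in for DNS)
    ldap: Callable[[str], Optional[Set[str]]]       # ip -> recipients, or None if the server is down
    cache: Dict[str, CacheEntry] = field(default_factory=dict)

    def _query_source(self, host: str, recipient: str) -> Optional[bool]:
        """Try every IP behind one hostname (the 'rotation' from the admin guide).
        Returns True/False from the first server that answers, None if none did."""
        for ip in self.resolve(host):
            directory = self.ldap(ip)
            if directory is not None:
                return recipient in directory
        return None

    def lookup(self, recipient: str, now: float) -> int:
        """Return the SMTP code for a recipient: 250 accept, 550 reject, 421 try later."""
        entry = self.cache.get(recipient)
        if entry is not None and (entry.expires is None or entry.expires > now):
            return 250 if entry.valid else 550      # cache is consulted before any LDAP query
        unreachable = False
        for host in self.sources:
            answer = self._query_source(host, recipient)
            if answer is None:
                unreachable = True                  # keep going: another source may still answer
            elif answer:
                self.cache[recipient] = CacheEntry(valid=True, expires=None)
                return 250                          # first positive answer wins; later sources not asked
        if unreachable:
            return 421                              # cannot prove the recipient invalid with a source down
        self.cache[recipient] = CacheEntry(valid=False, expires=now + TTL_SECONDS)
        return 550                                  # every source answered and none knows the recipient


# Constructed sample environment (assumed names and addresses).
DNS = {"dc1.example.com": ["10.0.0.11"],
       "dc2.example.com": ["10.0.0.21", "10.0.0.22"]}
DIRECTORY = {"alice@example.com", "bob@example.com"}


def build(up: Set[str]) -> DirectoryDataService:
    """Build a DDS whose servers at the given IPs answer; all others are 'down'."""
    return DirectoryDataService(
        sources=["dc1.example.com", "dc2.example.com"],
        resolve=lambda host: DNS[host],
        ldap=lambda ip: DIRECTORY if ip in up else None)


def walkthrough() -> Dict[str, int]:
    """Replay the bullet list from the thread and collect the SMTP code for each case."""
    results = {}
    dds = build(up={"10.0.0.11", "10.0.0.21", "10.0.0.22"})
    results["valid_all_up"] = dds.lookup("alice@example.com", now=0)        # DC1 answers, cached
    results["invalid_all_up"] = dds.lookup("mallory@example.com", now=0)    # DC1 and DC2 both checked
    # DC1 goes down; the first IP behind dc2.example.com is also down, the second still answers.
    dds.ldap = lambda ip: DIRECTORY if ip == "10.0.0.22" else None
    results["cached_valid_dc1_down"] = dds.lookup("alice@example.com", now=10)
    results["new_valid_dc1_down"] = dds.lookup("bob@example.com", now=10)   # served by DC2, cached
    results["cached_invalid_in_ttl"] = dds.lookup("mallory@example.com", now=10)
    results["cached_invalid_expired"] = dds.lookup("mallory@example.com", now=TTL_SECONDS + 1)
    results["new_invalid_dc1_down"] = dds.lookup("eve@example.com", now=10)
    return results


if __name__ == "__main__":
    for case, code in walkthrough().items():
        print(f"{case:26s} -> {code}")
```

In a real resolver `resolve` would be something like `socket.getaddrinfo`, which is exactly where a round-robin A record with several DC addresses gives the per-source rotation the admin guide describes. The model also makes the asymmetry in the replies visible: a valid recipient only needs one source to answer, but an invalid one can only be rejected with 550 when every source has been asked, so a single unreachable source turns new or expired invalid lookups into 421.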



  • 6.  RE: SBG 9.0: Multiple Directory Data Sources

    Posted Mar 19, 2010 12:01 PM
    I should add that, in our design considerations, we do recommend that availability management (load balancing or failover) be handled at the network layer rather than at the application layer.  However the DDS functionality, specifically the caching, should help to mitigate availability risks.

    //ian


  • 7.  RE: SBG 9.0: Multiple Directory Data Sources

    Posted Mar 19, 2010 12:53 PM

    Thanks guys, helpful info. I think I just got turned around a bit by the phrasing in the admin guide regarding an NLB requirement, but it sounds like all I'll need is to set up a hostname for round robin DNS, something I could even have done with SBG 8. In our environment we don't care which DC is queried first, as long as one of them is, so round robin should do the trick without limiting me to IRH redundancy alone.

    Thanks again! doni


  • 8.  RE: SBG 9.0: Multiple Directory Data Sources

    Posted Mar 22, 2010 03:53 PM

    Either a DNS/round robin or a load balancer will solve the problem. If your DCs are all "near" the scanners, you probably already have a DNS record. In my case there is a DNS record AD.example.com that aligns with the AD name: DC=AD,DC=example,DC=com. The DNS record contains each of my AD controllers.

    Warning: I'm a consumer of active directory services and know just enough to get me in trouble (grin).


  • 9.  RE: SBG 9.0: Multiple Directory Data Sources

    Posted Mar 22, 2010 05:08 PM
    Actually, there isn't usually the need for a single round robin DNS entry for domain controllers unless you have a specific application for one, i.e. an app that isn't AD integrated AND doesn't support lookups against multiple servers. Since SBG is our only application that fits that description, we didn't have any other need for such a record. So no, I didn't have such an entry despite ours being a small "near" environment, but it took 30 seconds to create one. And it works fine in tests -- problem solved. :)