Hello everyone, I have a question about how to set up two hosts for Active Directory. Is it possible to create an application that connects to both Active Directory hosts? I want it to automatically connect to host 2 if host 1 fails. Is something like this possible?
For now I have set up the 2 Active Directory hosts and tried to connect to them from one application like this, but I'm not sure whether it is correct.
Yes, it’s definitely possible to configure an application to connect to multiple Active Directory (AD) hosts and implement failover logic so if Host 1 goes down, the app can automatically switch to Host 2. This is commonly done in enterprise environments to ensure high availability.
From the configuration you shared, it looks like you are on the right track! You have defined two forests (testad.com and testad2.com) and two domain entries with separate servers (192.168.0.120 and 192.168.0.127). That’s a good start.
A few things to consider:
Failover Logic: The application itself (or the middleware you’re using) needs to support retry/failover mechanisms. Just listing two hosts doesn’t guarantee automatic switching unless the app is designed to handle connection failures gracefully.
Global Catalog: I noticed the Global Catalog Server fields are empty. If you’re planning to query AD for user/group info, setting these might help improve performance and reliability.
TLS: Security-wise, consider enabling TLS if this is going into production.
Thanks for the update! Based on the error message, it looks like the application is still trying to connect to Host 1 (192.168.0.120) even though you’ve disabled it. The error shows a connection attempt to ldap://192.168.0.120:389, which is being refused.
A few things you might want to check:
Domain Configuration: Make sure Host 2 (192.168.0.127) is correctly set in the domain/server list and that Host 1 is either removed or deprioritized.
Failover Logic: Some applications don’t automatically switch to the second host unless the first one is explicitly unreachable and the failover mechanism is properly configured.
IQService Settings: Double-check that the IQService host and port are pointing to Host 2 when testing the connection.
DNS Mapping: If you’re using domain names instead of IPs, ensure the DNS resolves correctly to Host 2.
Since you mentioned creating a new application and successfully testing Host 2, that confirms Host 2 is reachable. So the issue likely lies in how the original application is prioritizing or defaulting to Host 1.
You might want to check with the application team to confirm how host selection and failover are handled internally.
It’s a default AD setup. I just installed it on two hosts for testing and POC purposes, but I’m not sure how to configure failover when one becomes unreachable in AD or SailPoint IIQ.
(Optional) Enter the Servers information for the domain controller servers that you want to configure using the following format: IP Address or FQDN. To configure multiple servers, enter a server and then press the Enter key. If you have configured two or more servers and the connection to the first server fails, the source attempts to bind to the next domain controller server in the list.
If I am understanding your scenario correctly, you have one Active Directory forest and multiple domain controllers.
Therefore, I believe you should have just one entry in the Forest Configuration section and then for each domain, you should specify the IP addresses or FQDNs of the domain controllers that manage that domain.
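As an added illustration (not SailPoint's connector code and not posted by anyone in this thread), here is a small Python sketch of the ordered-list failover the documentation quote describes: try each domain controller in turn and move to the next one only when the transport fails. The names `DomainController`, `connect_with_failover`, `AuthError` and the injectable `connect` callable are assumptions for illustration; the two IPs are the ones from the thread, and the simulated connectors stand in for real LDAP binds.

```python
import logging
import socket
from dataclasses import dataclass
from typing import Callable, Sequence, Tuple

log = logging.getLogger("ad-failover")


class AuthError(Exception):
    """Bind refused for credential reasons: must NOT trigger failover."""


@dataclass(frozen=True)
class DomainController:
    host: str          # IP address or FQDN, as in the Servers list
    port: int = 389    # use 636 with TLS in production


def tcp_connect(dc: DomainController, timeout: float = 3.0) -> socket.socket:
    """Real connector: raises OSError (refused/timeout) if the DC is down."""
    return socket.create_connection((dc.host, dc.port), timeout=timeout)


def connect_with_failover(dcs: Sequence[DomainController],
                          connect: Callable = tcp_connect) -> Tuple[DomainController, object]:
    """Bind to the first reachable DC in list order.

    Only transport errors (OSError) advance to the next entry. An AuthError is
    re-raised at once: the same bad credentials would fail on every DC and
    retrying them everywhere just risks locking the service account.
    """
    failures = []
    for dc in dcs:
        try:
            conn = connect(dc)
            log.info("bound to %s:%d", dc.host, dc.port)
            return dc, conn
        except AuthError:
            raise
        except OSError as exc:
            log.warning("%s:%d unreachable: %s", dc.host, dc.port, exc)
            failures.append((dc, exc))
    raise ConnectionError(f"no domain controller reachable: {failures}")


# Constructed simulations standing in for real binds (no network needed).
def simulate_host1_down(dc: DomainController) -> str:
    if dc.host == "192.168.0.120":
        raise ConnectionRefusedError("connection refused")
    return f"conn-{dc.host}"


def simulate_bad_credentials(dc: DomainController) -> str:
    raise AuthError("invalidCredentials")


DCS = [DomainController("192.168.0.120"), DomainController("192.168.0.127")]
```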