Load balancing LDAP from a Domain Controller via F5

Yes, applications who want to interact with Active Directory really should be designed to use proper DC location procedures (which are well documented); unfortunately, quite often they aren't.

You can usually work around this by pointing your LDAP application to the Active Directory domain name instead of a specific DC, because each DC automatically registers AN A record for the domain name pointing to its IP address, so this will work as a DNS round robin; however, this can and will cause two significant issues:

• If a DC is down, it will still be included in the DNS answer; this could cause LDAP failures if the application isn't smart enough to try another one.
• This will not take into any account the Active Directory site topology; if you have a geographically distributed environment, you could end up with an application in London authenticating against a DC in Australia over a slow and/or unreliable WAN link.

A slightly better solution is to create your own DNS record for LDAP applications as a CNAME record pointing to a specific DC, such as ldap.example.com pointing to dc1.example.com, and set a slow TTL on it (f.e. 60 seconds); you can then configure your application to use ldap.example.com for all its LDAP needs. If/when DC1 goes down, you can then remap ldap.example.com to dc2.example.com, and the slow TTL will ensure the application becomes aware of the change as soon as possible, thus minimizing downtime.

In any case, it's really better to avoid load balancing solution, because LDAP is simply not designed to work with them and they could load to any sort of issues.