We have multiple DMAs that authenticate users via LDAP and connect to Domain Controllers (DCs) to retrieve user groups. The Domain Controllers experience high CPU usage because all DMAs query them simultaneously.
It was previously suggested that staggering the scheduled user group retrieval times across different DMAs could prevent overwhelming the DCs.
An alternative suggestion proposes having only one DMA per DMS perform the scheduled task and then sync the user data (security.xml) with the other DMAs.
The question is whether DataMiner automatically syncs user data and whether this approach is acceptable or recommended.
Hi,
To answer your question at the end: yes, DataMiner syncs user data, but this is not a viable approach. On login, the DMA in question still needs a connection to a domain controller to verify if the credentials of a given login attempt are correct. So all the DMAs that don't have an LDAP connection won't authenticate users anymore. If this were possible, the one DMA with an LDAP connection would also be a single point of failure, meaning that if that DMA or its host went down, no connection would exist to the domain anymore.
The best way forward would indeed be to stagger the scheduled syncs to balance the load on the DCs.