CA Identity Manager: Can the Active Directory Connector point to an F5 load balancer

Document ID : KB000096520
Last Modified Date : 16/05/2018
Question:
Can an F5 load balancer be configured in front of the AD domain controllers so that the connector connects to the F5 instead of directly to an AD server?
Answer:
Pointing an Active Directory connector at an F5 load balancer instead of an AD server is not a supported configuration.

When the AD Connector operates against AD, an operation is not a single transaction. For example, ADD ACCOUNT is really composed of many steps (create the account, set the password, set userAccountControl, set group memberships, set custom attributes, create the mailbox, and so on). If these requests go through an F5 load balancer, they could be spread across different domain controllers, and AD replication delays between those domain controllers would mean a later step may not see the result of an earlier one. Furthermore, the request sent to the Exchange Server includes the AD host that was used to create the account, so the connector would be telling Exchange to use the F5 in that case, which again could lead to problems and latency/timing issues.

The better approach is to configure the endpoint.dns file on the Connector Server that manages the AD endpoint so that only a few domain controllers are listed, all of which are available and replicate well with each other.
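As an added example (not from this KB article or the CA product), the following PowerShell pre-checks the domain controllers you intend to list in endpoint.dns: each must be reachable on the port the connector uses and must be replicating cleanly with its partners. It assumes the RSAT ActiveDirectory module, an account allowed to read replication metadata, LDAPS on TCP 636, and placeholder DC names.

```powershell
# Added example (not part of the CA KB article): pre-check candidate domain controllers
# before listing them in the Connector Server's endpoint.dns file.
# Assumptions: RSAT ActiveDirectory module installed, rights to read replication
# metadata, connector uses LDAPS (TCP 636). The DC names are placeholders.
param(
    [string[]]$DomainControllers = @('dc01.example.corp', 'dc02.example.corp'),
    [int]$LdapPort = 636,
    [int]$MaxReplicationLagMinutes = 15
)

Import-Module ActiveDirectory -ErrorAction Stop

$results = foreach ($dc in $DomainControllers) {
    # 1. Is the DC reachable on the port the connector will bind to?
    $tcp = Test-NetConnection -ComputerName $dc -Port $LdapPort -WarningAction SilentlyContinue

    # 2. Has this DC replicated successfully with every partner recently?
    #    A failing or stale partner means a multi-step provisioning sequence
    #    could read back attributes that have not arrived on this DC yet.
    $partners = Get-ADReplicationPartnerMetadata -Target $dc -ErrorAction SilentlyContinue
    $stale = $partners | Where-Object {
        $_.ConsecutiveReplicationFailures -gt 0 -or
        $_.LastReplicationSuccess -lt (Get-Date).AddMinutes(-$MaxReplicationLagMinutes)
    }

    [pscustomobject]@{
        DomainController       = $dc
        LdapPortOpen           = [bool]$tcp.TcpTestSucceeded
        ReplicationPartners    = @($partners).Count
        StaleOrFailingPartners = @($stale).Count
        SuitableForEndpointDns = ([bool]$tcp.TcpTestSucceeded -and
                                  @($partners).Count -gt 0 -and
                                  @($stale).Count -eq 0)
    }
}

$results | Format-Table -AutoSize

# Only DCs that pass every check belong in endpoint.dns; investigate the rest first
# (for example with: repadmin /showrepl <dc>).
$results | Where-Object { -not $_.SuitableForEndpointDns } | ForEach-Object {
    Write-Warning "$($_.DomainController) failed the pre-check; do not list it yet."
}
```

Re-run the check after any DC maintenance, since a DC that was healthy when endpoint.dns was written can silently fall behind on replication later.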