We are currently using CAS for multiple directory authentication. AD for internal users, AD LDS for external users. I've read that NLB is a possible solution, but wondering if this is possible with SRV records, and how about you would correctly configure that. With our AD directory, I can bind with olddomain.local, and hit any of the DCs in the domain. We don't want to hardcode servernames into CAS, so the end goal is to bind with LDSdomain.gov.
nslookup -type=srv _ldap._tcp.LDSdomain.gov
returns
_ldap._tcp.LDSdomain.gov SRV service location:
priority = 0
weight = 100
port = 1025
svr hostname = server01
_ldap._tcp.LDSdomain.gov SRV service location:
priority = 0
weight = 200
port = 1025
svr hostname = server02
NLB is your best option here. With DNS or an SCP clients can choose a random server to connect to. LBS can be configured to fail-over when required. While you can configure multiple AD LDS instances to be a single configuration set, sometimes (more often than I'd like) applications will use the "random server" to make multiple updates to attributes in a form. Eg I add user jsmith , If someone else is adding user jsmith no conflict will be reported because I'm on a different instance. When replication occurs one of these gets renamed as cnf:GUID and now has to be sorted out. This is the same as regular AD however there is generally some admin noticing that user jsmith can't log in. I've seen crappy apps using LDS with DNS that have lots of cnf object sticking around due to lack of maintenance. NLB solves that problem by allowing fail-over instead of round robin. It's typically pretty tough to overload LDS.
I believe a Service Connection Point is what you want. See also : Active Directory Lightweight Directory Services (AD LDS) best practice for clustering