Why have multiple pools?

  • Question

  • I'm running an OCS 2007 R2 Enterprise deployment. We currently have one pool with one server in it. When we brought out a consultant he was emphatic that we needed a director server. So we brought it up but didn't have time to integrate it into the environment. He left and now that I have time to research the stuff I think he's wrong. I've been able to get my environment up and running fine currently without a director.

    My understanding is that a director routes between multiple pools, so if a user logs in and is on pool A, he'll go to pool A and not pool B. To scale a pool in case of performance issues, a hardware load balancer is required (which is what we were concerned about).

    So if my above understanding is correct, why have multiple pools? Is there somewhere that cleanly explains this?

    Thanks in advance,

    Wednesday, September 2, 2009 9:44 PM

Answers

  • Hi Sudain,

    The OCS client finds the first server or pool to authenticate to via the SRV records created in DNS. Once the client finds the first server it looks up the "home server" which is either the pool or (if you're running standard edition), the name of the server you're "homed on". The OCS client then connects directly to that box.

    A director is used in larger deployments where you want to offload the process of authentication and home server lookup. The director can be either an Enterprise pool or Standard edition server. You wouldn't "home" any users on a director and you'd typically point your SRV record to the director so that clients will contact it first.

    Now, the reason for having multiple pools might be for logistical reasons (pool in USA and one in Taiwan), security settings (i.e. Tanjay phone lock), etc. You could have users on pools in different geographic regions but you typically only have one SRV record that the OCS client will use to authenticate.

    I've worked in an environment where we had 3 pools (two R1 and one R2 pool) because the client was in the middle of a migration and they had different HA requirements for a subset of users. Given that OCS Enterprise can support quite a few users in a pool (more than 150K), you can get away with one pool in most cases.

    I hope this helps.

    Thanks,

    Jason


    Jason C. Shave | Microsoft UC V-TSP | MCITP:EA, MCTS:OCS Configuring/Voice, MCSE, CCA:MPS/NetScaler 8.0 | http://jasonshave.blogspot.com
    • Marked as answer by Sudain Thursday, September 3, 2009 2:22 PM
    Thursday, September 3, 2009 2:34 AM
  • The other reason for a director is security, when you have connections and users authenticating from the outside via the edge. This authentication process does not actually take place on the edge (the edge has no knowledge of who is who) so the authentication process is proxied back to either the director or the pool.

    Obviously authenticating directly at the pool is not the best security model, so having the authentication happen at the director takes some load off and lessens the potential risk some from a security perspective.
    Mitch Roberson |MCITP:Enterprise Server Admin, Messaging |MCTS:OCS with Voice Achievement |MCT
    • Marked as answer by Sudain Thursday, September 3, 2009 2:22 PM
    Thursday, September 3, 2009 2:15 PM

All replies

  • Awesome, thank you!  I've been curious about this for a while and this explains it cleanly.
    Thursday, September 3, 2009 2:25 PM
  • Does the pool "silo" users? Meaning, if I have a user on Pool A, can they see users on Pool B? We are trying to prevent users from being able to send Communicator messages to certain users in the Address List. We would prefer if they were unable to even look them up. Would pools do this?
    Monday, October 5, 2009 10:57 PM