[Samba] IP aliases of DCs to prevent DNS timeouts

[vincent at cojot.name]

Hi All,

In my environment, I have a total of 4 DCs (Samba 4.7.6) running in VMs. 
Their uptime schedule goes like this:
dc00 : usually 100% unless there's a failure.
dc01 : same as above
dc02 : a few days per week.
dc03 : a few days per month.

This has the consequence that a DNS A lookup on the AD domain shows 4 IPs, 
2 of which are usually not up.

Because I don't have shared storage in this setup and since all of the 
VM's hosting the DC's are orchestrated externally, I decided to come up 
with the following sequence:

- When any of dc01, dc02 or dc03 goes down, relocate its IP on dc00 so 
that the IP address answers DNS on behalf of the dc that's down.
- When the VM comes back up, remove the IP alias from dc00 and let the VM 
grab it.

On a normal given day, when dc02 and dc03 are both down, this is what it 
looks like on dc00:

# ip -4 -o a|cut -c-60
1: lo    inet 127.0.0.1/8 scope host lo\       valid_lft for
4: bond0    inet 10.0.131.248/22 brd 10.0.131.255 scope glob	# < dc00's main IP.
4: bond0    inet 10.0.131.250/22 scope global secondary bond	# < dc02's main IP. 
4: bond0    inet 10.0.131.251/22 scope global secondary bond	# < dc03's main IP.

While this appears to work fine and solves the DNS issue of hanging on DNS 
requests, I'm wondering if this might be causing problems in the future or 
induce issues that I wouldn't be having if I only had two DC's instead.
I think DRS replication would probably be impacted but since it 
negociates a p-to-p channel with its peer(s) I don't think it would cause 
corruption.

Also, one thing to note is that this forced me to move from the 
SAMBA_INTERNAL DNS backend to BIND9_DLZ so that bind would be able to 
answer DNS queries on IP aliases. (otherwise nslookup complained that I 
asked 10.0.131.251 but it was a different IP that answered).

Any guidance welcomed. :)

Vincent