[Samba] IP aliases of DCs to prevent DNS timeouts
Denis Cardon
dcardon at tranquil.it
Wed May 2 17:11:30 UTC 2018
Hi Vincent,
> In my environment, I have a total of 4 DCs (Samba 4.7.6) running in VMs.
> Their uptime schedule goes like this:
> dc00 : usually 100% unless there's a failure.
> dc01 : same as above
> dc02 : a few days per week.
> dc03 : a few days per month.
May I inquire why you have set up such a scenario? If all DCs are on the
same site, it is not necessary to have such a hassle. If DC02 and DC03
are on a different remote site with intermittent electricity/connectivity,
you can just set up "sites and services" in the corresponding console, and
workstations will only communicate with their site's DC.
One issue may arise if you use the A DNS field corresponding to your
domain name. There seems to be some kind of indetermination in certain
cases.
Cheers,
Denis
> This has the consequence that a DNS A lookup on the AD domain shows 4
> IPs, 2 of which are usually not up.
>
> Because I don't have shared storage in this setup and since all of the
> VM's hosting the DC's are orchestrated externally, I decided to come up
> with the following sequence:
>
> - When any of dc01, dc02 or dc03 goes down, relocate its IP on dc00 so
> that the IP address answers DNS on behalf of the dc that's down.
> - When the VM comes back up, remove the IP alias from dc00 and let the
> VM grab it.
>
> On a normal given day, when dc02 and dc03 are both down, this is what it
> looks like on dc00:
>
> # ip -4 -o a|cut -c-60
> 1: lo inet 127.0.0.1/8 scope host lo\ valid_lft for
> 4: bond0 inet 10.0.131.248/22 brd 10.0.131.255 scope glob # < dc00's main IP.
> 4: bond0 inet 10.0.131.250/22 scope global secondary bond # < dc02's main IP.
> 4: bond0 inet 10.0.131.251/22 scope global secondary bond # < dc03's main IP.
>
> While this appears to work fine and solves the DNS issue of hanging on
> DNS requests, I'm wondering if this might be causing problems in the
> future or induce issues that I wouldn't be having if I only had two DC's
> instead.
> I think DRS replication would probably be impacted but since it
> negotiates a p-to-p channel with its peer(s) I don't think it would
> cause corruption.
>
> Also, one thing to note is that this forced me to move from the
> SAMBA_INTERNAL DNS backend to BIND9_DLZ so that bind would be able to
> answer DNS queries on IP aliases. (otherwise nslookup complained that I
> asked 10.0.131.251 but it was a different IP that answered).
>
> Any guidance welcomed. :)
>
> Vincent
>
--
Denis Cardon
Tranquil IT Systems
Les Espaces Jules Verne, bâtiment A
12 avenue Jules Verne
44230 Saint Sébastien sur Loire
tel : +33 (0) 2.40.97.57.55
http://www.tranquil.it
Samba install wiki for Frenchies : https://dev.tranquil.it
WAPT, software deployment made easy : https://wapt.fr
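As an added example (not code from the thread or from Samba), the script below checks the two things the thread is really about: which of the addresses behind the domain's A records actually answer on the DNS and LDAP ports within a timeout, and which of those addresses the local host is currently holding as secondary aliases on behalf of a DC that is down. The `ip -4 -o addr` listing is a constructed sample modelled on the one Vincent posted; dc01's address and the "which hosts are up" set are constructed too, and the probe is injectable so the example runs offline.

```python
"""Audit an AD domain's A records against reality: probe each DC address and
report which ones are stale, and which ones this host is aliasing.

Added example for the mailing-list discussion; not code from the thread.
Assumptions: sample data below is constructed; the real TCP probe needs
network access and is only used from main()."""
import re
import socket
from typing import Callable, Dict, Iterable, List, Tuple

# Constructed sample of `ip -4 -o addr` on dc00, modelled on the thread's
# listing (the layout is what iproute2 prints; addresses as in the thread).
SAMPLE_IP_OUTPUT = """\
1: lo    inet 127.0.0.1/8 scope host lo\\       valid_lft forever preferred_lft forever
4: bond0    inet 10.0.131.248/22 brd 10.0.131.255 scope global bond0\\       valid_lft forever preferred_lft forever
4: bond0    inet 10.0.131.250/22 scope global secondary bond0\\       valid_lft forever preferred_lft forever
4: bond0    inet 10.0.131.251/22 scope global secondary bond0\\       valid_lft forever preferred_lft forever
"""

# Constructed view of the domain's A records: DC name -> IPv4 address.
# dc01's address is invented (the thread does not give it).
SAMPLE_DOMAIN_A = {
    "dc00": "10.0.131.248",
    "dc01": "10.0.131.249",
    "dc02": "10.0.131.250",
    "dc03": "10.0.131.251",
}

# Constructed "current state": dc02 and dc03 are powered off.
UP_ADDRESSES = {"10.0.131.248", "10.0.131.249"}

_ADDR_RE = re.compile(
    r"^\d+:\s+(\S+)\s+inet\s+(\d+\.\d+\.\d+\.\d+)/\d+.*?scope\s+(\S+)(.*)$"
)


def parse_ip_addr(output: str) -> List[Tuple[str, str, bool]]:
    """Return (interface, address, is_secondary) for every global-scope IPv4
    address in `ip -4 -o addr` output; loopback/host-scope lines are skipped."""
    found = []
    for line in output.splitlines():
        m = _ADDR_RE.match(line)
        if not m:
            continue
        iface, addr, scope, rest = m.groups()
        if scope != "global":
            continue
        found.append((iface, addr, "secondary" in rest.split()))
    return found


def tcp_probe(addr: str, port: int, timeout: float = 2.0) -> bool:
    """Real probe: does addr:port complete a TCP handshake within timeout?"""
    try:
        with socket.create_connection((addr, port), timeout=timeout):
            return True
    except OSError:
        return False


def fake_probe(addr: str, port: int) -> bool:
    """Offline stand-in for tcp_probe driven by the constructed UP_ADDRESSES."""
    return addr in UP_ADDRESSES


def stale_dcs(domain_a: Dict[str, str], probe: Callable[[str, int], bool],
              ports: Iterable[int] = (53, 389)) -> List[str]:
    """DC names whose A-record address fails the probe on any of the ports.
    These are the entries that make clients hang on DNS/LDAP until timeout."""
    ports = tuple(ports)
    return [name for name, addr in sorted(domain_a.items())
            if not all(probe(addr, p) for p in ports)]


def aliased_dcs(domain_a: Dict[str, str], ip_output: str) -> List[str]:
    """DC names whose address this host holds as a *secondary* alias, i.e. the
    DCs it is currently answering for (the workaround described in the thread)."""
    aliases = {addr for _, addr, secondary in parse_ip_addr(ip_output) if secondary}
    return [name for name, addr in sorted(domain_a.items()) if addr in aliases]


if __name__ == "__main__":
    # Offline run over the constructed data; swap fake_probe for tcp_probe
    # and SAMPLE_IP_OUTPUT for real `ip -4 -o addr` output on a live host.
    print("stale DC addresses :", stale_dcs(SAMPLE_DOMAIN_A, fake_probe))
    print("aliased on this host:", aliased_dcs(SAMPLE_DOMAIN_A, SAMPLE_IP_OUTPUT))
```

Run periodically on each DC, the two lists together tell you whether the failover aliases line up with what is actually down: a DC that is stale but not aliased anywhere is the case that produces the client timeouts the thread describes, and a DC that is aliased while its real VM is back up is the address clash the removal step exists to avoid. The probe deliberately uses TCP so a plain connect timeout is the signal; the UDP source-address mismatch that nslookup complained about is a separate symptom of answering from an alias and is the reason the thread switched to BIND9_DLZ.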