[Samba] IP aliases of DCs to prevent DNS timeouts

Denis Cardon dcardon at tranquil.it
Wed May 2 17:11:30 UTC 2018


Hi Vincent,

> In my environment, I have a total of 4 DCs (Samba 4.7.6) running in VMs.
> Their uptime schedule goes like this:
> dc00 : usually 100% unless there's a failure.
> dc01 : same as above
> dc02 : a few days per week.
> dc03 : a few days per month.

may I inquire why you have set up such a scenario? If all DCs are on the 
same site, it is not necessary to have such a hassle. If DC02 and DC03 
are on a different remote site with intermittent electricity/connectivity, 
you can just set up "sites and services" in the corresponding console, and 
workstations will only communicate with their site's DC.

One issue may arise if you use the A DNS field corresponding to your 
domain name. There seems to be some kind of indetermination in certain 
cases.

Cheers,

Denis

> This has the consequence that a DNS A lookup on the AD domain shows 4
> IPs, 2 of which are usually not up.
>
> Because I don't have shared storage in this setup and since all of the
> VM's hosting the DC's are orchestrated externally, I decided to come up
> with the following sequence:
>
> - When any of dc01, dc02 or dc03 goes down, relocate its IP on dc00 so
> that the IP address answers DNS on behalf of the dc that's down.
> - When the VM comes back up, remove the IP alias from dc00 and let the
> VM grab it.
>
> On a normal given day, when dc02 and dc03 are both down, this is what it
> looks like on dc00:
>
> # ip -4 -o a|cut -c-60
> 1: lo    inet 127.0.0.1/8 scope host lo\       valid_lft for
> 4: bond0    inet 10.0.131.248/22 brd 10.0.131.255 scope glob    # < dc00's main IP.
> 4: bond0    inet 10.0.131.250/22 scope global secondary bond    # < dc02's main IP.
> 4: bond0    inet 10.0.131.251/22 scope global secondary bond    # < dc03's main IP.
>
> While this appears to work fine and solves the DNS issue of hanging on
> DNS requests, I'm wondering if this might be causing problems in the
> future or induce issues that I wouldn't be having if I only had two DC's
> instead.
> I think DRS replication would probably be impacted but since it
> negotiates a p-to-p channel with its peer(s) I don't think it would
> cause corruption.
>
> Also, one thing to note is that this forced me to move from the
> SAMBA_INTERNAL DNS backend to BIND9_DLZ so that bind would be able to
> answer DNS queries on IP aliases. (otherwise nslookup complained that I
> asked 10.0.131.251 but it was a different IP that answered).
>
> Any guidance welcomed. :)
>
> Vincent
>

-- 
Denis Cardon
Tranquil IT Systems
Les Espaces Jules Verne, bâtiment A
12 avenue Jules Verne
44230 Saint Sébastien sur Loire
tel : +33 (0) 2.40.97.57.55
http://www.tranquil.it

Samba install wiki for Frenchies : https://dev.tranquil.it
WAPT, software deployment made easy : https://wapt.fr
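The thread's core problem is that the domain's A record lists every DC, including ones that are down, so clients that pick a dead IP hang until the resolver times out, and Vincent's nslookup also saw replies coming back from a different IP than the one queried. The following is an added example, not code from either poster or from Samba: a small health check that resolves the domain's A record, sends one DNS query directly to each listed IP, and reports whether it answered and whether the reply came from the address that was asked. The domain name `ad.example.internal` is a placeholder.

```python
"""Probe every DNS server listed in an AD domain's A record (constructed example)."""
import socket
import struct

def build_query(name: str, qtype: int = 1, txid: int = 0x1234) -> bytes:
    """Build a minimal single-question DNS query (RD=1); qtype 1 = A."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    labels = name.strip(".").split(".")
    qname = b"".join(bytes([len(l)]) + l.encode() for l in labels) + b"\x00"
    return header + qname + struct.pack("!HH", qtype, 1)

def check_response(query: bytes, response: bytes) -> str:
    """Classify a raw reply: 'ok', 'short', 'id-mismatch', 'not-a-response', 'rcode-N'."""
    if len(response) < 12:
        return "short"
    rid, flags = struct.unpack("!HH", response[:4])
    if rid != struct.unpack("!H", query[:2])[0]:
        return "id-mismatch"
    if not flags & 0x8000:          # QR bit must be set on a response
        return "not-a-response"
    rcode = flags & 0x000F
    return "ok" if rcode == 0 else f"rcode-{rcode}"

def probe_dc(ip: str, domain: str, timeout: float = 1.0) -> dict:
    """Send one A query for `domain` straight to `ip` and record what happened."""
    q = build_query(domain)
    result = {"ip": ip, "answered": False, "from_same_ip": None, "status": "timeout"}
    s = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    s.settimeout(timeout)
    try:
        s.sendto(q, (ip, 53))
        data, (src, _) = s.recvfrom(512)
        # from_same_ip=False is the symptom nslookup reported for an alias IP
        result.update(answered=True, from_same_ip=(src == ip),
                      status=check_response(q, data))
    except socket.timeout:
        pass                          # listed in the A record, but nobody answers
    except OSError as e:
        result["status"] = f"error: {e.strerror or e}"
    finally:
        s.close()
    return result

def probe_domain(domain: str, timeout: float = 1.0) -> list:
    """Resolve the domain's A records via the system resolver, then probe each IP."""
    infos = socket.getaddrinfo(domain, 53, socket.AF_INET, socket.SOCK_DGRAM)
    return [probe_dc(ip, domain, timeout) for ip in sorted({ai[4][0] for ai in infos})]

if __name__ == "__main__":
    for r in probe_domain("ad.example.internal"):   # placeholder domain name
        print(r)
```

Any entry that shows `answered: False` is an IP that clients may still be handed by the A record and will wait on; `from_same_ip: False` points at the alias-answering behaviour that forced the move to BIND9_DLZ.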
