Web lists-archives.com

Re: [Samba] IP aliases of DCs to prevent DNS timeouts




Hi Vincent,

In my environment, I have a total of 4 DCs (Samba 4.7.6) running in VMs.
Their uptime schedule goes like this:
dc00 : usually 100% unless there's a failure.
dc01 : same as above
dc02 : a few days per week.
dc03 : a few days per month.

may I inquire why you have set up such a scenario? If all DCs are on the same site, it is not necessary to go through such a hassle. If DC02 and DC03 are on a different remote site with intermittent electricity/connectivity, you can just set up "sites and services" in the corresponding console, and workstations will only communicate with their site's DC.

One issue may arise if you use the DNS A record corresponding to your domain name. There seems to be some kind of indeterminacy in certain cases.

Cheers,

Denis

This has the consequence that a DNS A lookup on the AD domain shows 4
IPs, 2 of which are usually not up.

Because I don't have shared storage in this setup and since all of the
VMs hosting the DCs are orchestrated externally, I decided to come up
with the following sequence:

- When any of dc01, dc02 or dc03 goes down, relocate its IP on dc00 so
that the IP address answers DNS on behalf of the dc that's down.
- When the VM comes back up, remove the IP alias from dc00 and let the
VM grab it.

On a normal given day, when dc02 and dc03 are both down, this is what it
looks like on dc00:

# ip -4 -o a|cut -c-60
1: lo    inet 127.0.0.1/8 scope host lo\       valid_lft for
4: bond0    inet 10.0.131.248/22 brd 10.0.131.255 scope glob    # < dc00's main IP.
4: bond0    inet 10.0.131.250/22 scope global secondary bond    # < dc02's main IP.
4: bond0    inet 10.0.131.251/22 scope global secondary bond    # < dc03's main IP.

While this appears to work fine and solves the DNS issue of hanging on
DNS requests, I'm wondering if this might be causing problems in the
future or induce issues that I wouldn't be having if I only had two DCs
instead.
I think DRS replication would probably be impacted but since it
negotiates a point-to-point channel with its peer(s) I don't think it would
cause corruption.

Also, one thing to note is that this forced me to move from the
SAMBA_INTERNAL DNS backend to BIND9_DLZ so that BIND would be able to
answer DNS queries on IP aliases. (otherwise nslookup complained that I
asked 10.0.131.251 but it was a different IP that answered).

Any guidance welcomed. :)

Vincent


--
Denis Cardon
Tranquil IT Systems
Les Espaces Jules Verne, bâtiment A
12 avenue Jules Verne
44230 Saint Sébastien sur Loire
tel : +33 (0) 2.40.97.57.55
http://www.tranquil.it

Samba install wiki for Frenchies : https://dev.tranquil.it
WAPT, software deployment made easy : https://wapt.fr

--
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/options/samba
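Added example (not code from Vincent, Denis or the Samba project): the alias-relocation sequence Vincent describes, written as a small reconciler. It parses `ip -4 -o addr` output in the one-line-per-address format shown in the post, works out which DC addresses dc00 currently holds as secondary aliases, and derives the `ip addr add`/`ip addr del` commands needed to match the set of DCs the orchestrator reports as down. The sample output, the dc01 address (10.0.131.249), the interface name and the prefix length are assumptions for illustration; the set of "down" DCs must come from the orchestrator, since adding an alias for a DC that is actually alive creates a duplicate address on the segment.

```python
"""Reconcile DC IP aliases held on a 'primary' DC (dc00 in the post).

Added example, not code from the original thread. Names, sample output
and the dc01 address are assumptions; the down/up state of the other DCs
is an input, because only the VM orchestrator knows it reliably.
"""
from __future__ import annotations

import re
import subprocess
from dataclasses import dataclass

# Constructed sample, modelled on the `ip -4 -o a` output in the post
# (full lines; the post truncated them with `cut -c-60`).
SAMPLE_IP_OUTPUT = """\
1: lo    inet 127.0.0.1/8 scope host lo\\       valid_lft forever preferred_lft forever
4: bond0    inet 10.0.131.248/22 brd 10.0.131.255 scope global bond0\\       valid_lft forever preferred_lft forever
4: bond0    inet 10.0.131.250/22 scope global secondary bond0\\       valid_lft forever preferred_lft forever
4: bond0    inet 10.0.131.251/22 scope global secondary bond0\\       valid_lft forever preferred_lft forever
"""

# dc00, dc02 and dc03 addresses as shown in the post; dc01 is an assumption.
DC_IPS = {
    "dc00": "10.0.131.248",
    "dc01": "10.0.131.249",
    "dc02": "10.0.131.250",
    "dc03": "10.0.131.251",
}
LOCAL_DC = "dc00"   # the DC that takes over the aliases
IFACE = "bond0"     # assumed interface name
PREFIX = 22         # assumed prefix length, matching the /22 in the post

_LINE = re.compile(
    r"^\d+:\s+(?P<dev>\S+)\s+inet\s+(?P<ip>[\d.]+)/(?P<plen>\d+)(?P<rest>.*)$"
)


@dataclass(frozen=True)
class Addr:
    dev: str
    ip: str
    prefixlen: int
    secondary: bool


def parse_ip_addr(output: str) -> list[Addr]:
    """Parse `ip -4 -o addr` output: one address per line, '\\' as separator."""
    addrs = []
    for line in output.splitlines():
        m = _LINE.match(line.strip())
        if not m:
            continue
        flags = m.group("rest").split()
        addrs.append(Addr(m.group("dev"), m.group("ip"), int(m.group("plen")),
                          "secondary" in flags))
    return addrs


def aliased_dcs(addrs: list[Addr], dc_ips=DC_IPS, iface=IFACE) -> set[str]:
    """DCs whose address this host currently carries as a secondary alias."""
    present = {a.ip for a in addrs if a.dev == iface and a.secondary}
    return {dc for dc, ip in dc_ips.items() if ip in present}


def plan(addrs: list[Addr], down_dcs, dc_ips=DC_IPS, local=LOCAL_DC, iface=IFACE):
    """Return (to_add, to_remove) as sorted DC-name lists.

    Rules: never alias the local DC's own address; add an alias only for a
    DC that is down and not yet aliased; remove the alias of any DC that is
    back up, so the returning VM can claim its address without a conflict.
    """
    down = set(down_dcs) - {local}
    have = aliased_dcs(addrs, dc_ips, iface)
    return sorted(down - have), sorted(have - down)


def commands(to_add, to_remove, dc_ips=DC_IPS, iface=IFACE, prefix=PREFIX) -> list[str]:
    """Turn a plan into iproute2 commands. Releases come first."""
    cmds = [f"ip addr del {dc_ips[dc]}/{prefix} dev {iface}" for dc in to_remove]
    cmds += [f"ip addr add {dc_ips[dc]}/{prefix} dev {iface}" for dc in to_add]
    return cmds


def current_addrs() -> list[Addr]:
    """Read live addresses on Linux; fall back to the sample when offline."""
    try:
        out = subprocess.run(["ip", "-4", "-o", "addr"], capture_output=True,
                             text=True, check=True).stdout
    except (OSError, subprocess.CalledProcessError):
        out = SAMPLE_IP_OUTPUT
    return parse_ip_addr(out)


if __name__ == "__main__":
    # Orchestrator says dc01 and dc02 are down; dc03 came back: drop .251, add .249.
    to_add, to_remove = plan(parse_ip_addr(SAMPLE_IP_OUTPUT), {"dc01", "dc02"})
    for cmd in commands(to_add, to_remove):
        print(cmd)   # run with subprocess.run(cmd.split(), check=True) as root
```

Running the plan against the sample output with dc01 and dc02 down yields one `ip addr del` for dc03's address followed by one `ip addr add` for dc01's. Removing before adding matters in the "VM comes back" step: the alias has to be gone from dc00 before the returning DC brings the address up, or both hosts answer ARP for it. The BIND9_DLZ point in the post still applies: nothing here makes the DNS server bind to the new alias, it only moves the address.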