vincent at cojot.name
2018-Apr-27 16:07 UTC
[Samba] IP aliases of DCs to prevent DNS timeouts
Hi All,

In my environment, I have a total of 4 DCs (Samba 4.7.6) running in VMs. Their uptime schedule goes like this:

dc00 : usually 100% unless there's a failure.
dc01 : same as above
dc02 : a few days per week.
dc03 : a few days per month.

This has the consequence that a DNS A lookup on the AD domain shows 4 IPs, 2 of which are usually not up.

Because I don't have shared storage in this setup and since all of the VMs hosting the DCs are orchestrated externally, I decided to come up with the following sequence:

- When any of dc01, dc02 or dc03 goes down, relocate its IP on dc00 so that the IP address answers DNS on behalf of the DC that's down.
- When the VM comes back up, remove the IP alias from dc00 and let the VM grab it.

On a normal given day, when dc02 and dc03 are both down, this is what it looks like on dc00:

# ip -4 -o a|cut -c-60
1: lo inet 127.0.0.1/8 scope host lo\ valid_lft for
4: bond0 inet 10.0.131.248/22 brd 10.0.131.255 scope glob # < dc00's main IP.
4: bond0 inet 10.0.131.250/22 scope global secondary bond # < dc02's main IP.
4: bond0 inet 10.0.131.251/22 scope global secondary bond # < dc03's main IP.

While this appears to work fine and solves the DNS issue of hanging on DNS requests, I'm wondering if this might be causing problems in the future or induce issues that I wouldn't be having if I only had two DCs instead.

I think DRS replication would probably be impacted but since it negotiates a p-to-p channel with its peer(s) I don't think it would cause corruption.

Also, one thing to note is that this forced me to move from the SAMBA_INTERNAL DNS backend to BIND9_DLZ so that bind would be able to answer DNS queries on IP aliases (otherwise nslookup complained that I asked 10.0.131.251 but it was a different IP that answered).

Any guidance welcomed. :)

Vincent
Hi Vincent,

> In my environment, I have a total of 4 DCs (Samba 4.7.6) running in VMs.
> Their uptime schedule goes like this:
> dc00 : usually 100% unless there's a failure.
> dc01 : same as above
> dc02 : a few days per week.
> dc03 : a few days per month.

May I inquire why you have set up such a scenario? If all DCs are on the same site, it is not necessary to have such a hassle. If DC02 and DC03 are on a different remote site with intermittent electricity/connectivity, you can just set up "sites and services" in the corresponding console, and workstations will only communicate with their site's DC.

One issue may arise if you use the A DNS field corresponding to your domain name. There seems to be some kind of indetermination in certain cases.

Cheers,

Denis

> This has the consequence that a DNS A lookup on the AD domain shows 4
> IPs, 2 of which are usually not up.
>
> Because I don't have shared storage in this setup and since all of the
> VMs hosting the DCs are orchestrated externally, I decided to come up
> with the following sequence:
>
> - When any of dc01, dc02 or dc03 goes down, relocate its IP on dc00 so
> that the IP address answers DNS on behalf of the DC that's down.
> - When the VM comes back up, remove the IP alias from dc00 and let the
> VM grab it.
>
> On a normal given day, when dc02 and dc03 are both down, this is what it
> looks like on dc00:
>
> # ip -4 -o a|cut -c-60
> 1: lo inet 127.0.0.1/8 scope host lo\ valid_lft for
> 4: bond0 inet 10.0.131.248/22 brd 10.0.131.255 scope glob # < dc00's main IP.
> 4: bond0 inet 10.0.131.250/22 scope global secondary bond # < dc02's main IP.
> 4: bond0 inet 10.0.131.251/22 scope global secondary bond # < dc03's main IP.
>
> While this appears to work fine and solves the DNS issue of hanging on
> DNS requests, I'm wondering if this might be causing problems in the
> future or induce issues that I wouldn't be having if I only had two DCs
> instead.
>
> I think DRS replication would probably be impacted but since it
> negotiates a p-to-p channel with its peer(s) I don't think it would
> cause corruption.
>
> Also, one thing to note is that this forced me to move from the
> SAMBA_INTERNAL DNS backend to BIND9_DLZ so that bind would be able to
> answer DNS queries on IP aliases (otherwise nslookup complained that I
> asked 10.0.131.251 but it was a different IP that answered).
>
> Any guidance welcomed. :)
>
> Vincent
>

--
Denis Cardon
Tranquil IT Systems
Les Espaces Jules Verne, bâtiment A
12 avenue Jules Verne
44230 Saint Sébastien sur Loire
tel : +33 (0) 2.40.97.57.55
http://www.tranquil.it

Samba install wiki for Frenchies : https://dev.tranquil.it
WAPT, software deployment made easy : https://wapt.fr
vincent at cojot.name
2018-May-02 18:45 UTC
[Samba] IP aliases of DCs to prevent DNS timeouts
On Wed, 2 May 2018, Denis Cardon via samba wrote:

> May I inquire why you have set up such a scenario? If all DCs are on the same
> site, it is not necessary to have such a hassle. If DC02 and DC03 are on a
> different remote site with intermittent electricity/connectivity, you can
> just set up "sites and services" in the corresponding console, and workstations
> will only communicate with their site's DC.

Yes, all DCs are on the same site but some of them aren't always on: I have 4 non-symmetrical infrastructure hosts, each running redundant services and samba 4.7.6 in a VM. It is quite rare that all 4 hypervisors are up at the same time (to save on noise and electricity) and I was hoping to provide VIP redundancy to the DNS A records so that any client querying the 'wrong' DC wouldn't hit a timeout.

For normal (non-AD) DNS services, each host also runs named and I have two VIPs servicing DNS queries for clients. The VIPs get relocated to whatever hypervisor is up (so that clients do not hit timeouts) and I was hoping to do something similar for AD DCs.

I have actually given up on this as I've discovered that AD would auto-discover the VIPs local to a host and modify the AD DNS entries for that host: a few days ago I found dc00 with 3 IPs in DNS manager: its own and those of dc02 and dc03.

> One issue may arise if you use the A DNS field corresponding to your domain
> name. There seems to be some kind of indetermination in certain cases.

The DNS round-robin lookup, you mean? I admit that I am still very new at this samba AD/DC DNS stuff.

PS: Any idea when tranquil.it will be updating the samba 4.7.x to 4.7.7?

Thanks,

Vincent
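As an added example (not code from either poster or from Samba), the two checks an operator would want to run in the setup described in this thread: which other DCs' addresses a host is currently holding as aliases (parsed from the `ip -4 -o a` listing Vincent showed in his first post), and which A records for a host point at another DC's address (the auto-registered aliases Vincent found in DNS manager in his follow-up). The DC-to-IP mapping and the sample listing are constructed for the example.

```python
import re

# Constructed sample of `ip -4 -o a` output, mirroring the dc00 listing in the thread
# (dc00 holds dc02's and dc03's addresses as secondary aliases on bond0).
SAMPLE_IP_OUTPUT = """\
1: lo    inet 127.0.0.1/8 scope host lo\\       valid_lft forever preferred_lft forever
4: bond0    inet 10.0.131.248/22 brd 10.0.131.255 scope global bond0\\       valid_lft forever preferred_lft forever
4: bond0    inet 10.0.131.250/22 scope global secondary bond0\\       valid_lft forever preferred_lft forever
4: bond0    inet 10.0.131.251/22 scope global secondary bond0\\       valid_lft forever preferred_lft forever
"""

# Assumed (hypothetical) inventory of each DC's own address; dc01's address is invented.
DC_IPS = {
    "dc00": "10.0.131.248",
    "dc01": "10.0.131.249",
    "dc02": "10.0.131.250",
    "dc03": "10.0.131.251",
}

# One-line-per-address format of `ip -4 -o a`: "<idx>: <iface> inet <ip>/<prefix> <flags...>"
ADDR_RE = re.compile(r"^\d+:\s+(\S+)\s+inet\s+(\d+\.\d+\.\d+\.\d+)/\d+(.*)$")


def parse_ip_output(text):
    """Return a list of (iface, ip, is_secondary) tuples from `ip -4 -o a` output."""
    found = []
    for line in text.splitlines():
        m = ADDR_RE.match(line)
        if not m:
            continue
        iface, ip, rest = m.groups()
        found.append((iface, ip, " secondary " in rest))
    return found


def aliases_held_for(local_host, text, dc_ips=DC_IPS):
    """Map each other DC whose address local_host currently carries -> (ip, is_secondary)."""
    ip_to_dc = {ip: dc for dc, ip in dc_ips.items()}
    held = {}
    for _iface, ip, secondary in parse_ip_output(text):
        owner = ip_to_dc.get(ip)
        if owner and owner != local_host:
            held[owner] = (ip, secondary)
    return held


def stale_dns_records(local_host, a_records, dc_ips=DC_IPS):
    """A records (host, ip) registered for local_host that actually belong to another DC."""
    ip_to_dc = {ip: dc for dc, ip in dc_ips.items()}
    return [ip for host, ip in a_records
            if host == local_host and ip_to_dc.get(ip) not in (None, local_host)]
```

Run the first check on each DC from a cron job and the second against the output of `samba-tool dns query` to catch an alias that has leaked into the host's own A records before clients start resolving to the wrong box.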