DNS

When Double-Take Availability failover occurs, DNS is not automatically updated. If the end-users use DNS to resolve server names and the source IP address was not failed over to the target, additional DNS updates will be required because the host records for the source will remain intact after failover. You can automate this process by scripting the DNS updates in the failover and failback scripts. You have two options for scripting the DNS updates.

Windows DNSCMD command

DNS updates can be added to your failover and failback scripts by using the Windows DNSCMD command as long as dynamic updates are enabled on the DNS zone and the account running the Double-Take service is a member of the DNSAdmins security group. (See your Microsoft documentation to verify if dynamic updates are enabled.) Add the following commands to your failover and failback scripts to delete the host and reverse lookup entries and add new entries associating the source to the target.

dnscmd DNS_server’s_FQDN /RecordDelete DNS_zone source_server_name A source_server_IP_address /f
dnscmd DNS_server’s_FQDN /RecordDelete www.xxx.in-addr.arpa zzz.yyy PTR source_server’s_FQDN /f
dnscmd DNS_server’s_FQDN /RecordAdd DNS_zone source_server_name A target_server_IP_address
dnscmd DNS_server’s_FQDN /RecordAdd aaa.bbb.in-addr.arpa ddd.ccc PTR source_server’s_FQDN

Variable	Description
DNS_servers’s_FQDN	The fully qualified domain name of the DNS server
DNS_zone	The name of the DNS zone
source_server_name	The name of the source server
source_server_IP_address	The IP address on the source
www.xxx	The first two octets of the source’s IP address. For example, if the source’s IP address is 192.168.1.108, this variable would be 192.168.
zzz.yyy	The last two octets, in reverse order, of the source’s IP address. For example, if the source’s IP address is 192.168.1.108, this variable would be 108.1.
source_server’s_FQDN	The fully qualified domain name of the source server
target_server_IP_address	The IP address on the source
aaa.bbb	The first two octets of the target’s IP address. For example, if the target’s IP address is 116.123.2.47, this variable would be 116.123.
ddd.ccc	The last two octets, in reverse order, of the target’s IP address. For example, if the target’s IP address is 116.123.2.47, this variable would be 47.2.

For example, suppose you had the following environment.

Full qualified domain name of the source—Alpha.domain.com
Source IP address—192.168.1.108
Fully qualified domain name of the target—Beta.domain.com
Target IP address—116.123.2.47
Fully qualified domain name of the DNS server—DNSServer.domain.com
DNS zone—domain.com

You would add the following to your failover script to delete the host and reverse lookup entries and add new entries associating the source to the target.

dnscmd DNSServer.domain.com /RecordDelete domain.com alpha A 192.168.1.108 /f

dnscmd DNSServer.domain.com /RecordDelete 192.168.in-addr.arpa 108.1 PTR alpha.domain.com /f

dnscmd DNSServer.domain.com /RecordAdd domain.com alpha A 116.123.2.47

dnscmd DNSServer.domain.com /RecordAdd 116.123.in-addr.arpa 47.2 PTR alpha.domain.com

You would add the following to your failback script to delete the host and reverse lookup entries and add new entries associating the source with its original identity.

dnscmd DNSServer.domain.com /RecordDelete domain.com alpha A 116.123.2.47 /f

dnscmd DNSServer.domain.com /RecordDelete 116.123.in-addr.arpa 47.2 PTR alpha.domain.com /f

dnscmd DNSServer.domain.com /RecordAdd domain.com alpha A 192.168.1.108

dnscmd DNSServer.domain.com /RecordAdd 192.168.in-addr.arpa 108.1 PTR alpha.domain.com

See your Windows documentation or the Microsoft web site for more details on the DNSCMD command.

Double-Take Availability DFO command

DNS updates can be added to your failover and failback scripts by using the Double-Take Availability DFO utility as long as the utility has been registered and the proper privileges are configured.

Extract the DFO utility to the location where the Double-Take Availability program files are installed on the target.
From a command prompt, change to the Double-Take Availability program files directory and register the DFO utility by entering the command regsvr32 capicom.dll
Create a user account that has full control on the WMI DNS namespace on the source’s primary DNS server.

Select Start, Run, and enter the command mmc.
After the Microsoft Management Console starts, select File, Add/Remove Snap-in.
Click Add, select WMI Control, click Add again, confirm the local computer is selected, and then click Finish.
Close the snap-in dialog box and then click OK to return to the console.
Right-click WMI Control and select Properties.
On the Security tab, expand the tree under Root.
Select MicrosoftDNS and click Security.
Click Add and identify the user account that you want the DFO utility to use.
Grant the user account permissions for Execute Methods, Full Write, Partial Write, Provider Write, Enable Account, Remote Enable, and Read Security.
Click OK to close all open dialog boxes and then close the console.
Restart the Windows Management Instrumentation service for the changes to take effect. .

Add the same user account that has full control on the WMI DNS namespace to the domain’s DnsAdmins group where the source's primary DNS server is located.

Select Start, Programs, Administrative Tools (Common), and Active Directory Users and Computers.
Right-click the DnsAdmins group and select Properties.
Select the Members tab, click Add, and identify the user account that you granted full control on the WMI DNS namespace.
Click OK to close all open dialog boxes and then close Active Directory Users and Computers.

Add the appropriate DFO command to your failover script using the following syntax.

DNS Failover Utility Command Syntax
Command	dfo
Description	Used in script files to failover the DNS server name
Syntax	dfo [/dnssrvname [dnsservername] /srcname [sourceFQDN] /srcip [sourceip] /tarip [targetip] /tarname [targetFQDN] /recordtype [recordtype] /username [username] /password [password] /dnszone [dnszonename] /dnsdomain [dnsdomainname] /logfile [logfilename] /failback [fbswitch] /setpassword [username] [password] /getpassword /lock /unlock /trustee [trusteename] /sourceDN [sourceDN] /verbose /flushdns /machine [machineFQDN] /TTL [seconds] /test /debug /? \| /help ]
Options	dnsservername—The name of the source domain/zone's primary DNS server (optional; local machine name will be used if missing) sourceFQDN—The source machine's Fully Qualified Domain Name (required for modify) sourceip—The source machine's IP address (required for modify) targetip—The target machine's IP address (required for modify) targetFQDN—The target machine's Fully Qualified Domain Name (required for modify on failback) recordtype—The type of DNS resource records to modify or list (optional). Values can be: ALL (default; includes all record types except CNAME), MSEXCHANGE, A, CNAME, MX, PTR, STD, or STANDARD. STD and STANDARD are used to specify a non-Exchange record (minus the MX records). username—The user account's domain name (optional; the account running the program is used if missing) password—The user account's password (optional) dnszonename—The name of the DNS zone or DNS container, used to refine queries (optional) dnsdomainname—The name of the DNS domain, used to refine queries (optional) logfilename—The name of the log file (optional) /failback—Denotes a failback procedure, performed after a failed source is recovered or restored (required for modify on failback) fbswitch (optional)—By default, the DFO will only failback records in the dfo_failback_config.dat file. fbswitch allows you to enter a search criteria to identify the records to change back, even if they are not in the configuration file. fbswitch is also used if the dfo_failback_config.dat file is missing /lock—Allows Active Directory locking for the A type record of the source specified without modifying the record /unlock—Allows Active Directory unlocking for the A type record of the source specified without modifying the record trusteename—The domain account for the source server machine (domain\machine$). DFO will add a deny "Write All Properties" permission to the DNS A record on failover and remove the permission on failback for the account identified as a trustee. This prevents the source sever from reclaiming its DNS A record if it comes back online prior to failback. sourceDN—The distinguished name of the source machine's computer account (CN=<machine>,DC=domain,DC=local). DFO will add a deny "Read All Properties" permission to the computer account on failover and remove the permission on failback for the trustees specified with the /trustee parameter. This prevents a source virtual server from being brought online in Windows 2008 prior to failback. /verbose—Logging and display level set to maximum detail (optional) /FLUSHDNS /machine [machine_FQDN])—Run the ipconfig /flushdns command to flush the DNS cache on the specified machine (remote or local) /TTL—Update the TTL value of all modified records /test—Test mode. Modifications are not actually made, just listed (optional) /debug—Forces DFO to write the DNS resource record as-is to the dfolog.log file prior to any DFO modify or list activity /?—Displays the syntax of the DNS Failover utility /help—Displays the syntax of the DNS Failover utility
Password Encryption	/setpassword—Allows the user to store a username/password pairing in an encrypted file for later use. (Optional, but required if /getpassword will be used) NOTE: This function must be run separate from a modify or list activity. /getpassword—Once a username/password pair has been encrypted and stored using /setpassword, this command can be used at the command line to retrieve the password associated with a specific username. It is designed to avoid storing passwords in clear text. (optional)
General Examples	`dfo /dnssrvname mydns.mydomain.com /srcname mysource.mydomain.com /srcip 206.31.4.10 /verbose` Lists all resource records on the specified DNS server that match the source criteria `dfo /dnssrvname mydns.mydomain.com /srcname mysource.mydomain.com /srcip 206.31.4.10 /tarip 210.11.12.13 /verbose` Modifies all resource records on the specified DNS server that match the source criteria, using the credentials of the account running the program to connect to the DNS server `dfo /dnssrvname mydns.mydomain.com /srcname hasource.hadomain.com /srcip 210.11.12.13 /tarname mysource.mydomain.com /tarip 206.31.4.10 /failback /verbose` Modifies (fails back) all resource records on the specified DNS server that were changed on failover `dfo /dnssrvname mydnsserver.mydomain.com /srcname mysource.mydomain.com /srcip 206.31.4.10 /tarip 210.11.12.13 /username mydomain.com\admin /password pword /verbose` Modifies all resource records on the specified DNS server that match the source criteria, using the username and password to connect to the DNS server
Password Encryption Examples	`dfo /setpassword mydomain.com\admin mypassword` Stores the username (mydomain.com\admin) and password (mypassword) in the default credentials file (dfo_credentials.dat) `dfo /dnssrvname mydnsserver.mydomain.com /srcname mysource.mydomain.com /srcip 206.31.4.10 /tarip 210.11.12.13 /username mydomain.com\admin /getpassword /verbose` Modifies all resource records on the specified DNS server that match the source criteria, using the username and /getpassword to retrieve the correct password for connecting to the DNS server