
DNS failover (DFO) utility

The DNS Failover utility (dfo.exe) can be used in the failover and failback scripts to delete and add host and reverse lookup entries so that the source host name will resolve to the target IP address.

For example, the following command could be executed from a command line or included in a batch file:
"c:\Program Files\Double-Take Software\Double-Take\dfo.exe" /dnssrvname dnsserver_name /srcname source_name /srcip source_ip /tarname target_name /tarip target_ip /verbose

The DFO readme (Readme_DFO.htm) file documents DFO syntax, known issues, and workarounds. The readme file can be found in the folder where the Application Manager is installed.

DNS Failover Utility Command Syntax

Command

dfo

Description

Used in script files to fail over the DNS server name

Syntax

dfo [/dnssrvname [dnsservername] /srcname [sourceFQDN] /srcip [sourceip] /tarip [targetip] /tarname [targetFQDN] /recordtype [recordtype] /username [username] /password [password] /dnszone [dnszonename] /dnsdomain [dnsdomainname] /logfile [logfilename] /failback [fbswitch] /setpassword [username] [password] /getpassword /lock /unlock /trustee [trusteename] /sourceDN [sourceDN] /verbose /flushdns /machine [machineFQDN] /TTL [seconds] /test /debug /? | /help ]

Options

  • dnsservername—The name of the source domain/zone's primary DNS server (optional; local machine name will be used if missing)
  • sourceFQDN—The source machine's Fully Qualified Domain Name (required for modify)
  • sourceip—The source machine's IP address (required for modify)
  • targetip—The target machine's IP address (required for modify)
  • targetFQDN—The target machine's Fully Qualified Domain Name (required for modify on failback)
  • recordtype—The type of DNS resource records to modify or list (optional). Values can be: ALL (default; includes all record types except CNAME), MSEXCHANGE, A, CNAME, MX, PTR, STD, or STANDARD. STD and STANDARD are used to specify a non-Exchange record (minus the MX records).
  • username—The user account's domain name (optional; the account running the program is used if missing)
  • password—The user account's password (optional)
  • dnszonename—The name of the DNS zone or DNS container, used to refine queries (optional)
  • dnsdomainname—The name of the DNS domain, used to refine queries (optional)
  • logfilename—The name of the log file (optional)
  • /failback—Denotes a failback procedure, performed after a failed source is recovered or restored (required for modify on failback)
  • fbswitch (optional)—By default, the DFO will only fail back records in the dfo_failback_config.dat file. fbswitch allows you to enter search criteria to identify the records to change back, even if they are not in the configuration file. fbswitch is also used if the dfo_failback_config.dat file is missing.
  • /lock—Allows Active Directory locking for the A type record of the source specified without modifying the record
  • /unlock—Allows Active Directory unlocking for the A type record of the source specified without modifying the record
  • trusteename—The domain account for the source server machine (domain\machine$). DFO will add a deny "Write All Properties" permission to the DNS A record on failover and remove the permission on failback for the account identified as a trustee. This prevents the source server from reclaiming its DNS A record if it comes back online prior to failback.
  • sourceDN—The distinguished name of the source machine's computer account (CN=<machine>,DC=domain,DC=local). DFO will add a deny "Read All Properties" permission to the computer account on failover and remove the permission on failback for the trustees specified with the /trustee parameter. This prevents a source virtual server from being brought online in Windows 2008 prior to failback.
  • /verbose—Logging and display level set to maximum detail (optional)
  • /FLUSHDNS /machine [machine_FQDN]—Runs the ipconfig /flushdns command to flush the DNS cache on the specified machine (remote or local)
  • /TTL—Update the TTL value of all modified records
  • /test—Test mode. Modifications are not actually made, just listed (optional)
  • /debug—Forces DFO to write the DNS resource record as-is to the dfolog.log file prior to any DFO modify or list activity
  • /?—Displays the syntax of the DNS Failover utility
  • /help—Displays the syntax of the DNS Failover utility

Password Encryption

  • /setpassword—Allows the user to store a username/password pairing in an encrypted file for later use. (Optional, but required if /getpassword will be used)

NOTE: This function must be run separately from a modify or list activity.

  • /getpassword—Once a username/password pair has been encrypted and stored using /setpassword, this command can be used at the command line to retrieve the password associated with a specific username. It is designed to avoid storing passwords in clear text. (optional)

General Examples

dfo /dnssrvname mydns.mydomain.com /srcname mysource.mydomain.com /srcip 206.31.4.10 /verbose

Lists all resource records on the specified DNS server that match the source criteria

dfo /dnssrvname mydns.mydomain.com /srcname mysource.mydomain.com /srcip 206.31.4.10 /tarip 210.11.12.13 /verbose

Modifies all resource records on the specified DNS server that match the source criteria, using the credentials of the account running the program to connect to the DNS server

dfo /dnssrvname mydns.mydomain.com /srcname hasource.hadomain.com /srcip 210.11.12.13 /tarname mysource.mydomain.com /tarip 206.31.4.10 /failback /verbose

Modifies (fails back) all resource records on the specified DNS server that were changed on failover

dfo /dnssrvname mydnsserver.mydomain.com /srcname mysource.mydomain.com /srcip 206.31.4.10 /tarip 210.11.12.13 /username mydomain.com\admin /password pword /verbose

Modifies all resource records on the specified DNS server that match the source criteria, using the username and password to connect to the DNS server

Password Encryption Examples

dfo /setpassword mydomain.com\admin mypassword

Stores the username (mydomain.com\admin) and password (mypassword) in the default credentials file (dfo_credentials.dat)

dfo /dnssrvname mydnsserver.mydomain.com /srcname mysource.mydomain.com /srcip 206.31.4.10 /tarip 210.11.12.13 /username mydomain.com\admin /getpassword /verbose

Modifies all resource records on the specified DNS server that match the source criteria, using the username and /getpassword to retrieve the correct password for connecting to the DNS server
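
A failover-script wrapper built from the options documented above, as an added example that is not part of the original documentation or the vendor's code. It runs dfo in /test mode unless -Commit is given, relies on credentials stored with /setpassword instead of a clear-text /password, and applies /trustee only on the real run. The trustee account name is a constructed placeholder; the other values are this page's sample values.

```powershell
# Added example: failover wrapper around dfo.exe (not vendor code).
# Only flags documented on this page are used. Host names and IPs are the
# page's sample values; the trustee account is a constructed placeholder.
param(
    [switch]$Commit   # without -Commit, dfo is only run in /test mode
)

$Dfo = 'C:\Program Files\Double-Take Software\Double-Take\dfo.exe'

# Prerequisite, run once and separately from any modify or list activity:
#   dfo /setpassword mydomain.com\admin <password>
# so that no password appears in this script or on its command line.
$BaseArgs = @(
    '/dnssrvname', 'mydns.mydomain.com',
    '/srcname',    'mysource.mydomain.com',
    '/srcip',      '206.31.4.10',
    '/tarip',      '210.11.12.13',
    '/username',   'mydomain.com\admin',
    '/getpassword',
    '/verbose'
)

# Guard: stop if a clear-text /password argument is ever added to the list.
# (-contains is case-insensitive, so /PASSWORD is caught as well.)
if ($BaseArgs -contains '/password') {
    throw 'Clear-text /password is not allowed; use /setpassword and /getpassword.'
}

if ($Commit) {
    # Real run: also deny the source machine account write access to its
    # A record so it cannot reclaim the record before failback.
    & $Dfo @BaseArgs '/trustee' 'MYDOMAIN\MYSOURCE$'
} else {
    # Dry run: dfo lists the records it would modify without changing them.
    & $Dfo @BaseArgs '/test'
}

# Pass dfo's exit code through unchanged to the calling failover script.
exit $LASTEXITCODE
```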