DNS

If you are using a Microsoft DNS server, when Double-Take Availability failover occurs, DNS is not automatically updated. If the end-users use DNS to resolve server names and the source IP address was not failed over to the target, additional DNS updates will be required because the host records for the source will remain intact after failover. You can automate this process by scripting the DNS updates in the failover and failback scripts. You have two options for scripting the DNS updates.

Windows DNSCMD command

DNS updates can be added to your failover and failback scripts by using the Windows DNSCMD command as long as dynamic updates are enabled on the DNS zone and the account running the Double-Take service is a member of the DNSAdmins security group. (See your Microsoft documentation to verify if dynamic updates are enabled.) Add the following commands to your failover and failback scripts to delete the host and reverse lookup entries and add new entries associating the source to the target.

dnscmd DNS_server’s_FQDN /RecordDelete DNS_zone source_server_name A source_server_IP_address /f
dnscmd DNS_server’s_FQDN /RecordDelete www.xxx.in-addr.arpa zzz.yyy PTR source_server’s_FQDN /f
dnscmd DNS_server’s_FQDN /RecordAdd DNS_zone source_server_name A target_server_IP_address
dnscmd DNS_server’s_FQDN /RecordAdd aaa.bbb.in-addr.arpa ddd.ccc PTR source_server’s_FQDN

Use the following variable substitutions.

DNS_server’s_FQDN— The fully qualified domain name of the DNS server
DNS_zone —The name of the DNS zone
source_server_name —The name of the source server
source_server_IP_address—The IP address on the source
www.xxx—The first two octets of the source’s IP address. For example, if the source’s IP address is 192.168.1.108, this variable would be 192.168.
zzz.yyy—The last two octets, in reverse order, of the source’s IP address. For example, if the source’s IP address is 192.168.1.108, this variable would be 108.1.
source_server’s_FQDN—The fully qualified domain name of the source server
target_server_IP_address—The IP address on the target
aaa.bbb—The first two octets of the target’s IP address. For example, if the target’s IP address is 116.123.2.47, this variable would be 116.123.
ddd.ccc— The last two octets, in reverse order, of the target’s IP address. For example, if the target’s IP address is 116.123.2.47, this variable would be 47.2.

For example, suppose you had the following environment.

Full qualified domain name of the source—Alpha.domain.com
Source IP address—192.168.1.108
Fully qualified domain name of the target—Beta.domain.com
Target IP address—116.123.2.47
Fully qualified domain name of the DNS server—DNSServer.domain.com
DNS zone—domain.com

You would add the following to your failover script to delete the host and reverse lookup entries and add new entries associating the source to the target.

dnscmd DNSServer.domain.com /RecordDelete domain.com alpha A 192.168.1.108 /f

dnscmd DNSServer.domain.com /RecordDelete 192.168.in-addr.arpa 108.1 PTR alpha.domain.com /f

dnscmd DNSServer.domain.com /RecordAdd domain.com alpha A 116.123.2.47

dnscmd DNSServer.domain.com /RecordAdd 116.123.in-addr.arpa 47.2 PTR alpha.domain.com

You would add the following to your failback script to delete the host and reverse lookup entries and add new entries associating the source with its original identity.

dnscmd DNSServer.domain.com /RecordDelete domain.com alpha A 116.123.2.47 /f

dnscmd DNSServer.domain.com /RecordDelete 116.123.in-addr.arpa 47.2 PTR alpha.domain.com /f

dnscmd DNSServer.domain.com /RecordAdd domain.com alpha A 192.168.1.108

dnscmd DNSServer.domain.com /RecordAdd 192.168.in-addr.arpa 108.1 PTR alpha.domain.com

See your Windows documentation or the Microsoft web site for more details on the DNSCMD command.

Double-Take Availability DFO utility

DNS updates can be added to your failover and failback scripts by using the Double-Take Availability DFO utility as long as the utility has been registered and the proper privileges are configured.

Extract the DFO utility to the location where the Double-Take Availability program files are installed on the target.
From a command prompt, change to the Double-Take Availability program files directory and register the DFO utility by entering the command regsvr32 capicom.dll
Create a user account that has full control on the WMI DNS namespace on the source’s primary DNS server.

If you are using Windows 2003 SP1, use the following steps.

Select Start, Run, and enter the command mmc.
After the Microsoft Management Console starts, select File, Add/Remove Snap-in.
Click Add, select WMI Control, click Add again, confirm the local computer is selected, and then click Finish.
Close the snap-in dialog box and then click OK to return to the console.

If you are using Windows 2003 SP2 or later, select Start, Run, and enter the command wmimgmt.msc.
Right-click WMI Control and select Properties.
On the Security tab, expand the tree under Root.
Select MicrosoftDNS and click Security.
Click Add and identify the user account that you want the DFO utility to use.
If you are using Windows 2003 SP1, grant the user account permissions for Execute Methods, Full Write, Partial Write, Provider Write, Enable Account, Remote Enable, and Read Security.
If you are using Windows 2003 SP2 or later, use the following steps.

Grant the user account permissions for Execute Methods, Enable Account, Remote Enable, and Read Security.
Click Advanced and in the Permissions list, select the user account and click Edit. Select This namespace and subnamespaces.

Click OK to close all open dialog boxes and then close the console.
Restart the Windows Management Instrumentation service for the changes to take effect. .

If you are using Windows 2003 SP2 or later, complete the following additional steps.

Select Start, Run, and enter the command dcomcnfg.
Expand Component Services, expand Computers, then right-click My Computer and select Properties.
On the COM Security tab, under Access Permissions, click Edit Limits.
Click Add, identify the user account, and click OK.
In the Permissions for User list, allow permissions for Local Access and Remote Access and click OK.
Under Launch and Activation Permissions, click Edit Limits.
Click Add, identify the user account, and click OK.
In the Permissions for User list, allow permissions for Local Launch, Remote Launch, Local Activaiton, and Remove Activation.
Click OK.
Click OK again.
Expand My Computer, expand DCOM Config, then right-click Windows Management and Instrumentation and select Properties.
On the Security tab, under Access Permissions, click Edit.
Click Add, identify the user account, and click OK.
In the Permissions for User list, allow permissions for Local Access and Remote Access and click OK.
Click OK to close all open dialog boxes.
Restart the DNS/Domain Controller.

Add the same user account that has full control on the WMI DNS namespace to the domain’s DnsAdmins group where the source's primary DNS server is located.

Select Start, Programs, Administrative Tools (Common), and Active Directory Users and Computers.
Right-click the DnsAdmins group and select Properties.
Select the Members tab, click Add, and identify the user account that you granted full control on the WMI DNS namespace.
Click OK to close all open dialog boxes and then close Active Directory Users and Computers.

Add a user to the Server Operator group.

Select Start, Programs, Administrative Tools (Common), and Active Directory Users and Computers.
Select Builtin, then right-click the Server Operators group and select Properties.
Select the Members tab, click Add, and identify the user account that you granted full control on the WMI DNS namespace.
Click OK to close all open dialog boxes and then close Active Directory Users and Computers.

Add the appropriate DFO command to your failover script using the following syntax.

Command

DFO

Description

Used in scripts to failover DNS server name

Syntax

DFO [/DNSSRVNAME <dns_server_name>] /SRCNAME <source_fqd_name> /SRCIP <source_ip> /TARIP <target_ip> /TARNAME <target_fqd_name> [/RECORDTYPE <rec_type>] [/USERNAME <user_name> /PASSWORD <password>] [/DNSZONE <zone_name>] [/DNSDOMAIN <domain_name>] [/LOGFILE <file_name>] /FAILBACK [fb_switch] [/SETPASSWORD <user_name> <password>[machine][file]] [/GETPASSWORD] [/LOCK] [/UNLOCK] /TRUSTEE <trustee_name> [/VERBOSE] [/FLUSHDNS /MACHINE <machine_fqd_name>] [/TTL <seconds>] [/ADDOMAIN <active_directory_domain_name> [/SOURCEDN <source_domain_name> [/TEST] [/DEBUG] [/HELP]

Options
- DNSSRVNAME dns_server_name—The name of the source domain/zone's primary DNS server. If not specified, the local machine will be used.
- SRCNAME source_fqd_name—The source machine's fully qualified domain name
- SRCIP source_ip—The source machine's IP address
- TARIP target_ip—The target machine's IP address
- TARNAME target_fqd_name—The target machine's fully qualified domain name (required only for failback)
- RECORDTYPE rec_type—The type of DNS resource records to modify or list. Values record types are ALL, MSEXCHANGE, A, CNAME, MX, PTR, STD, or STANDARD. STD and STANDARD are used to specify a non-Exchange record (minus the MX records). By default, all record types are included.
- USERNAME user_name—The domain name of the user account. If not specified, the account running the utility will be used.
- PASSWORD password—The password associated with the user account
- DNSZONE zone_name—The name of the DNS zone or DNS container, used to refine queries
- DNSDOMAIN domain_name—The name of the DNS domain, used to refine queries
- LOGFILE file_name—The name of the log file
- FAILBACK fb_switch—Denotes a failback procedure, performed after a failed source is recovered or restored (required for failback). By default, the DFO will only failback records in the dfo_failback_config.dat file. This option allows you to enter search criteria to identify the records to change back, even if they are not in the configuration file. This option is also used if the dfo_failback_config.dat file is missing.
- SETPASSWORD user_name password machine file—Stores user credentials on the specified machine in the specified file for later use. The file will be encrypted. This option must be run separately from a modify or list activity.
- GETPASSWORD—Retrieves previously stored user credentials. This option can only be used if the credentials were previously stored with the setpassword option.
- LOCK—Allows Active Directory locking for the A record type of the source specified without modifying the record
- UNLOCK—Allows Active Directory unlocking for the A record type of the source specified without modifying the record
- TRUSTEE trustee_name—The domain account for the source machine (domain\machine$). DFO attempts to deny write permissions to the DNS A record on failover for the account identified as the trustee. “Deny write permissions” is then removed from the DNS A record on failback. This keeps the source server from reclaiming its DNS A record if it comes back online prior to failback.
- VERBOSE—Logging and display level set to maximum detail
- FLUSHDNS MACHINE machine_fqd_name—Runs the ipconfig /flushdns command to flush the DNS cache on the specified machine. Use the fully-qualified domain name of the machine.
- TTL seconds—Specifies the number of seconds for the time to live value of all modified records
- ADDOMAIN active_directory_domain_name—The name of the Active Directory domain
- SOURCEDN source_domain_name—The name of the source's domain
- TEST—Runs in test mode so that modifications are not made, only listed
- DEBUG—Forces DFO to write the DNS resource record as-is to the dfolog.log file prior to any DFO modify or list activity.
- HELP—Displays the syntax of the DNS Failover utility
Examples
- dfo /dnssrvname gamma.domain.com /srcname alpha.domain.com /srcip 206.31.4.10 /verbose (Lists all resource records on the specified DNS server that match the source criteria)
- dfo /dnssrvname gamma.domain.com /srcname alpha.domain.com /srcip 206.31.4.10 /tarip 210.11.12.13 /verbose (Modifies all resource records on the specified DNS server that match the source criteria, using the credentials of the account running the utility to connect to the DNS server)
- dfo /dnssrvname gamma.domain.com /srcname alpha.domain.com /srcip 206.31.4.10 /tarip 210.11.12.13 /username domain.com\admin /password /verbose (Modifies all resource records on the specified DNS server that match the source criteria, using the username and password to connect to the DNS server)
- dfo /dnssrvname gamma.domain.com /srcname alpha.domain.com /srcip 210.11.12.13 /tarname beta.domain.com /tarip 206.31.4.10 /failback /verbose (Fails back all resource records on the specified DNS server that were changed on failover)
- dfo /setpassword domain.com\admin password (Stores the user name and password in an encrypted file)
- dfo /dnssrvname gamma.domain.com /srcname alpha.domain.com /srcip 206.31.4.10 /tarip 210.11.12.13 /username domain.com\admin /getpassword /verbose (Modifies all resource records on the specified DNS server that match the source criteria, using the specified username and retrieving the password from the encrypted file)