DNS

If you are using a Microsoft DNS server, when Double-Take failover occurs, DNS may or may not be automatically updated depending on your job type and job options. If the end-users use DNS to resolve server names and the source IP address was not failed over to the target, additional DNS updates will be required because the host records for the source will remain intact after failover. You can automate this process by scripting the DNS updates in the failover and failback scripts. You have two options for scripting the DNS updates.

Windows DNSCMD command

DNS updates can be added to your failover and failback scripts by using the Windows DNSCMD command as long as dynamic updates are enabled on the DNS zone and the account running the Double-Take service is a member of the DNSAdmins security group. (See your Microsoft documentation to verify if dynamic updates are enabled.) You may want to disable the DNS registration feature of each IP address that is being changed in DNS to prevent the source from changing the record back when it comes online after a failover.

Add the following commands to your failover and failback scripts to delete the host and reverse lookup entries and add new entries associating the source to the target.

dnscmd DNS_server’s_FQDN /RecordDelete DNS_zone source_server_name A source_server_IP_address /f
dnscmd DNS_server’s_FQDN /RecordDelete www.xxx.in-addr.arpa zzz.yyy PTR source_server’s_FQDN /f
dnscmd DNS_server’s_FQDN /RecordAdd DNS_zone source_server_name A target_server_IP_address
dnscmd DNS_server’s_FQDN /RecordAdd aaa.bbb.in-addr.arpa ddd.ccc PTR source_server’s_FQDN

Use the following variable substitutions.

DNS_server’s_FQDN—The fully qualified domain name of the DNS server
DNS_zone—The name of the DNS zone
source_server_name—The name of the source server
source_server_IP_address—The IP address on the source
www.xxx—The first two octets of the source’s IP address. For example, if the source’s IP address is 192.168.1.108, this variable would be 192.168.
zzz.yyy—The last two octets, in reverse order, of the source’s IP address. For example, if the source’s IP address is 192.168.1.108, this variable would be 108.1.
source_server’s_FQDN—The fully qualified domain name of the source server
target_server_IP_address—The IP address on the target
aaa.bbb—The first two octets of the target’s IP address. For example, if the target’s IP address is 116.123.2.47, this variable would be 116.123.
ddd.ccc—The last two octets, in reverse order, of the target’s IP address. For example, if the target’s IP address is 116.123.2.47, this variable would be 47.2.

For example, suppose you had the following environment.

Full qualified domain name of the source—Alpha.domain.com
Source IP address—192.168.1.108
Fully qualified domain name of the target—Beta.domain.com
Target IP address—116.123.2.47
Fully qualified domain name of the DNS server—DNSServer.domain.com
DNS zone—domain.com

You would add the following to your failover script to delete the host and reverse lookup entries and add new entries associating the source to the target.

dnscmd DNSServer.domain.com /RecordDelete domain.com alpha A 192.168.1.108 /f

dnscmd DNSServer.domain.com /RecordDelete 192.168.in-addr.arpa 108.1 PTR alpha.domain.com /f

dnscmd DNSServer.domain.com /RecordAdd domain.com alpha A 116.123.2.47

dnscmd DNSServer.domain.com /RecordAdd 116.123.in-addr.arpa 47.2 PTR alpha.domain.com

You would add the following to your failback script to delete the host and reverse lookup entries and add new entries associating the source with its original identity.

dnscmd DNSServer.domain.com /RecordDelete domain.com alpha A 116.123.2.47 /f

dnscmd DNSServer.domain.com /RecordDelete 116.123.in-addr.arpa 47.2 PTR alpha.domain.com /f

dnscmd DNSServer.domain.com /RecordAdd domain.com alpha A 192.168.1.108

dnscmd DNSServer.domain.com /RecordAdd 192.168.in-addr.arpa 108.1 PTR alpha.domain.com

See your Windows documentation or the Microsoft web site for more details on the DNSCMD command.

Double-Take DFO utility

DNS updates can be added to your failover and failback scripts by using the Double-Take DFO utility as long as the utility has been registered and the proper privileges are configured.

How the DFO utility works

The DFO utility performs DNS resource record modifications by connecting to the DNS namespace (root\microsoftdns) on the DNS server using WMI. The WMI connection can be made using passed credentials or impersonation if the account running the DFO utility has permissions to perform all DNS-related activities. Passed credentials can be encrypted using Microsoft’s CAPICOM dynamic link library with DFO specifying the triple DES encryption algorithm with the maximum key length available (168). By providing reliable encryption, the DFO utility allows you to avoid storing secure passwords in script files.

If the source experiences a failure or an extended outage, clients will need to be redirected automatically to the target server. In these cases, the DFO utility can help make the network redirection portion of failover transparent to end users.

The DFO utility is able to modify five DNS resource record types: A, AAAA, CNAME, MX, and PTR. Here is how it works for the host record or A type.

The DFO utility builds and executes a focused WMI query to retrieve a collection of matching source DNS resource records from the DNS server. For example: SELECT * FROM MicrosoftDNS_AType WHERE IPAddress=“192.168.1.108”
The DFO utility iterates through the returned collection and modifies any matching resource records.
1. The DFO utility spawns an instance of the WMI DNS resource record object to call the modify method.
2. The DFO utility sets the parameters such that the target IP address is the input parameter.
3. The DFO utility executes the modify method on the WMI DNS record object.
The DFO utility locks the DNS resource record in Active Directory so that the source computer account is unable to modify the record outside of the DFO utility. This is done to prevent modification of the resource record to point back to the source machine until the failback process is initiated by the user through the DFO utility.
1. The DFO utility denies permission to modify the Active Directory object representing the DNS entry.
2. The DFO utility gets the DNS resource record object in Active Directory.
3. The DFO utility reads the security descriptor and gets the DACL.
4. The DFO utility adds the ACE ”ACCESS_DENIED” type for the passed-in trustee name (for example, source computer account, cluster administrator account, and so on) to deny access to the “Write All Properties” permission.
The DFO utility logs the results of the actions performed/attempted.

Other record types require different queries and input parameters. Additionally, CNAME, MX, and PTR record types do not execute the Active Directory object locking routines that A and AAAA type records require for failover.

AAAA type—Except for the query difference, this record type is identical to the A type record.

SELECT * FROM MicrosoftDNS_AAAAType WHERE IPAddress=“21DA:D3:0:2F3B:2AA:FF:FE28:9C5A”
CNAME type—This type does not have Active Directory object locking to prevent updates during failover.

SELECT * from MicrosoftDNS_CNAMEType WHERE PrimaryName="sql1.doubletake.com”
MX type—This type does not have Active Directory object locking to prevent updates during failover.

SELECT * from MicrosoftDNS_MXType WHERE MailExchange="mail1.doubletake.com”
PTR type—Instead of modifying the source record, the PTR type deletes the source PTR record and create a new PTR record by using previous source PTR text record information, substituting the target FQDN for the source FQDN, and calling the CreateInstanceFromPropertyData() method on the DNS server. This type does not have Active Directory object locking to prevent updates during failover.

SELECT * from MicrosoftDNS_PTRType WHERE PTRDomainName="sql1.doubletake.com”

During failback, the same mechanisms that were used during failover are used, except that the original source-related records are modified to point to the original source. (During failover, the source records were modified to point to the target IP address or name, depending on the record type.) Also, during failover the A and AAAA type DNS resource records are modified in DNS and then locked in Active Directory; during failback, those record types are unlocked in Active Directory and then modified in DNS.

Using the DFO utility

From a command prompt, change to the Double-Take program files directory and register the DFO utility by entering the command regsvr32 capicom.dll
Create a user account that has full control on the WMI DNS namespace on the source’s primary DNS server.

If you are using Windows 2003 SP1, use the following steps.

Select Start, Run, and enter the command mmc.
After the Microsoft Management Console starts, select File, Add/Remove Snap-in.
Click Add, select WMI Control, click Add again, confirm the local computer is selected, and then click Finish.
Close the snap-in dialog box and then click OK to return to the console.

If you are using Windows 2003 SP2 or later, select Start, Run, and enter the command wmimgmt.msc.
Right-click WMI Control and select Properties.
On the Security tab, expand the tree under Root.
Select MicrosoftDNS and click Security.
Click Add and identify the user account that you want the DFO utility to use.
If you are using Windows 2003 SP1, grant the user account permissions for Execute Methods, Full Write, Partial Write, Provider Write, Enable Account, Remote Enable, and Read Security.
If you are using Windows 2003 SP2 or later, use the following steps.

Grant the user account permissions for Execute Methods, Enable Account, Remote Enable, and Read Security.
Click Advanced and in the Permissions list, select the user account and click Edit. Select This namespace and subnamespaces.

Click OK to close all open dialog boxes and then close the console.
Restart the Windows Management Instrumentation service for the changes to take effect. .

If you are using Windows 2003 SP2 or later, complete the following additional steps.

Select Start, Run, and enter the command dcomcnfg.
Expand Component Services, expand Computers, then right-click My Computer and select Properties.
On the COM Security tab, under Access Permissions, click Edit Limits.
Click Add, identify the user account, and click OK.
In the Permissions for User list, allow permissions for Local Access and Remote Access and click OK.
Under Launch and Activation Permissions, click Edit Limits.
Click Add, identify the user account, and click OK.
In the Permissions for User list, allow permissions for Local Launch, Remote Launch, Local Activation, and Remove Activation.
Click OK.
Click OK again.
Expand My Computer, expand DCOM Config, then right-click Windows Management and Instrumentation and select Properties.
On the Security tab, under Access Permissions, click Edit.
Click Add, identify the user account, and click OK.
In the Permissions for User list, allow permissions for Local Access and Remote Access and click OK.
Click OK to close all open dialog boxes.
Restart the DNS/Domain Controller.

Add the same user account that has full control on the WMI DNS namespace to the domain’s DnsAdmins group where the source's primary DNS server is located.

Select Start, Programs, Administrative Tools (Common), and Active Directory Users and Computers.
Right-click the DnsAdmins group and select Properties.
Select the Members tab, click Add, and identify the user account that you granted full control on the WMI DNS namespace.
Click OK to close all open dialog boxes and then close Active Directory Users and Computers.

Add a user to the Server Operator group.

Select Start, Programs, Administrative Tools (Common), and Active Directory Users and Computers.
Select Builtin, then right-click the Server Operators group and select Properties.
Select the Members tab, click Add, and identify the user account that you granted full control on the WMI DNS namespace.
Click OK to close all open dialog boxes and then close Active Directory Users and Computers.

Grant the user full control over the source and target DNS records.
1. Select Start, Programs, Administrative Tools (Common), and DNS.
2. Locate both the source and target records in the forward and reverse lookup zones.
3. For each record, right-click and select Properties.
4. On the Security tab, click Add and identify the user account that you granted full control on the WMI DNS namespace, and click OK.
5. In the Permissions for User list, allow permissions for Full control and click OK.
6. Click OK to close all open dialog boxes and repeat for each record.
7. Close DNS Manager.
Add the appropriate DFO command to your failover script using the following syntax.

Command

DFO

Description

Used in scripts to failover DNS server name

Syntax

DFO [/DNSSRVNAME <dns_server_name>] [/SRCNAME <source_fqd_name>] [/SRCIP <source_ip>] [/TARIP <target_ip>] [/TARNAME <target_fqd_name>] [/RECORDTYPE <rec_type>] [/USERNAME <user_name>] [/PASSWORD <password>] [/DNSZONE <zone_name>] [/DNSDOMAIN <domain_name>] [/LOGFILE <file_name>] [/FAILBACK [fb_switch]] [/SETPASSWORD <user_name> <password>[machine][file]] [/GETPASSWORD] [/LOCK] [/UNLOCK] [/TRUSTEE [<trustee_name>]] [/VERBOSE] [/FLUSHDNS] [ /MACHINE <machine_fqd_name>] [/TTL <seconds>] [/ADDOMAIN <active_directory_domain_name>] [/SOURCEDN <source_domain_name>] [/TEST] [/DEBUG] [/HELP]

Options
- DNSSRVNAME dns_server_name—The name of the source domain/zone's primary DNS server. If not specified, the local machine will be used.
- SRCNAME source_fqd_name—The source machine's fully qualified domain name
- SRCIP source_ip—The source machine's IP address
- TARIP target_ip—The target machine's IP address
- TARNAME target_fqd_name—The target machine's fully qualified domain name (required only for failback)
- RECORDTYPE rec_type—The type of DNS resource records to modify or list. Values record types are ALL, MSEXCHANGE, A, CNAME, MX, PTR, STD, or STANDARD. STD and STANDARD are used to specify a non-Exchange record (minus the MX records). By default, all record types are included.
- USERNAME user_name—The domain name of the user account. If not specified, the account running the utility will be used.
- PASSWORD password—The password associated with the user account
- DNSZONE zone_name—The name of the DNS zone or DNS container, used to refine queries
- DNSDOMAIN domain_name—The name of the DNS domain, used to refine queries
- LOGFILE file_name—The name of the log file
- FAILBACK fb_switch—Denotes a failback procedure, performed after a failed source is recovered or restored (required for failback). By default, the DFO will only failback records in the dfo_failback_config.dat file. The fb_switch is optional and allows you to enter search criteria to identify the records to change back, even if they are not in the configuration file. The fb_switch is also used if the dfo_failback_config.dat file is missing.
- SETPASSWORD user_name password machine file—Stores user credentials on the specified machine or in the specified file for later use. The file will be encrypted. This option must be run separately from a modify or list activity.
- GETPASSWORD—Retrieves previously stored user credentials. This option can only be used if the credentials were previously stored with the setpassword option.
- LOCK—Allows Active Directory locking for the A record type of the source specified without modifying the record
- UNLOCK—Allows Active Directory unlocking for the A record type of the source specified without modifying the record
- TRUSTEE trustee_name—The domain account for the source machine (domain\machine$). DFO attempts to deny write permissions to the DNS A record on failover for the account identified as the trustee. “Deny write permissions” is then removed from the DNS A record on failback. This keeps the source server from reclaiming its DNS A record if it comes back online prior to failback.
- VERBOSE—Logging and display level set to maximum detail
- FLUSHDNS—Runs the ipconfig /flushdns command to flush the DNS cache.
- MACHINE machine_fqd_name—Specifies the machine where ipconfig /flushdns is run. Use the fully-qualified domain name of the machine.
- TTL seconds—Specifies the number of seconds for the time to live value of all modified records
- ADDOMAIN active_directory_domain_name—The name of the Active Directory domain
- SOURCEDN source_domain_name—The name of the source's domain
- TEST—Runs in test mode so that modifications are not made, only listed
- DEBUG—Forces DFO to write the DNS resource record as-is to the dfolog.log file prior to any DFO modify or list activity.
- HELP—Displays the syntax of the DNS Failover utility
Examples
- dfo /dnssrvname gamma.domain.com /srcname alpha.domain.com /srcip 206.31.4.10 /verbose (Lists all resource records on the specified DNS server that match the source criteria)
- dfo /dnssrvname gamma.domain.com /srcname alpha.domain.com /srcip 206.31.4.10 /tarip 210.11.12.13 /verbose (Modifies all resource records on the specified DNS server that match the source criteria, using the credentials of the account running the utility to connect to the DNS server)
- dfo /dnssrvname gamma.domain.com /srcname alpha.domain.com /srcip 206.31.4.10 /tarip 210.11.12.13 /username domain.com\admin /password /verbose (Modifies all resource records on the specified DNS server that match the source criteria, using the username and password to connect to the DNS server)
- dfo /dnssrvname gamma.domain.com /srcname alpha.domain.com /srcip 210.11.12.13 /tarname beta.domain.com /tarip 206.31.4.10 /failback /verbose (Fails back all resource records on the specified DNS server that were changed on failover)
- dfo /setpassword domain.com\admin password (Stores the user name and password in an encrypted file)
- dfo /dnssrvname gamma.domain.com /srcname alpha.domain.com /srcip 206.31.4.10 /tarip 210.11.12.13 /username domain.com\admin /getpassword /verbose (Modifies all resource records on the specified DNS server that match the source criteria, using the specified username and retrieving the password from the encrypted file)
Notes

All options are marked as optional, enclosed in brackets [ ], however, you will have to supply options to execute DFO functionality. The options to supply will depend on the functionality you are trying to complete. For example, you must supply the username and password to cache credentials, but you do not need those options to query or modify a DNS record.