Forum Discussion

shahfar
Level 5
14 years ago

Windows server 2003 DNS update from UNIX VCS cluster

Hi Everyone,

I want to update a windows DNS record from a UNIX VCS cluster. Is this possible using the VCS DNS agent for Linux/Unix?

This technote maybe points to the right direction:

http://www.symantec.com/business/support/index?page=content&id=TECH159015


Thanks in advance.

WBR,

SW

  • The current UNIX DNS agent only supports updating a non-secure Windows 2k/2003 DNS server (i.e. BIND-compliant DNS servers), but most people use secure DNS.  You can update secure UNIX DNS servers, but Windows secure DNS uses its own standard rather than the conventional shared keyed TSIG authentication mechanism.

    However, this will be supported in the upcoming 6.0 release - see extract from https://www-secure.symantec.com/connect/blogs/sfha-60-whats-new-document

    Support for Windows DNS server

     

    The DNS agent now supports Windows DNS server in its configuration. A new
    attribute UseGSSAPI is added to DNS agent configuration for this functionality.
     
    Mike
  • Hi Mike,

    Thank you for your response. My customer is using non-secure DNS (Win2K3) in this case. How should I configure the agent attributes in this case?

  • Suppose your DNS name for your application is sql1.company.com and you have 1 DNS server on each site:

    1.1.1.200

    1.1.2.200

    and sql1 should resolve to

     

    1.1.1.5  at prod site

    1.1.2.5  at DR site

    Then add static A-records to your DNS server for Prod and DR IPs - example:

    1.1.1.5  sql1_prd.company.com

    1.1.2.5  sql1_dr.company.com

    Then configure your VCS resources like (assuming you are using GCO):

    Prod cluster:

     

    DNS sql1_dns (
      ResRecord  = { sql1 = sql1_prd }
      Domain = "company.com"
      StealthMasters = { "1.1.1.5", "1.1.2.5" }
      )
     

    DR cluster:

    DNS sql1_dns (
      ResRecord  = { sql1 = sql1_dr }
      Domain = "company.com"
      StealthMasters = { "1.1.1.5", "1.1.2.5" }
      )

    If you are using an RDC, rather than GCO, then you will need to localise the ResRecord attribute.

    What VCS will do is resolve:

    sql1 -> sql1_prd (so 1.1.1.5)

    or

    sql1 -> sql1_dr (so 1.1.2.5)

    So VCS does not update A records, it updates the CNAME records

    From VCS 5.1, you MAY be able to update A records, but I have always updated CNAME records.

    You also need to make sure that your UNIX cluster nodes have permission to update your Windows DNS server - i.e. they should be able to update the Windows DNS server using the nsupdate command from UNIX (I forget the syntax), which I believe requires you to add the cluster nodes somewhere in the Windows DNS configuration (i.e. only nodes you specify should be allowed to update DNS, and this is non-secure because hostnames could be spoofed).

    Mike
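The CNAME flip Mike describes (sql1 -> sql1_prd on the prod cluster, sql1 -> sql1_dr on the DR cluster) is easy to reproduce by hand with nsupdate, which is also the quickest way to confirm that the cluster nodes are allowed to update the Windows zone before handing the job to the agent. The script below is an added example written for this thread; it is not VCS/Veritas code and does not talk to the agent. It mirrors the ResRecord/Domain/StealthMasters attributes in a small Python class, renders the nsupdate batch that performs the same CNAME update, and checks that the static A records the CNAMEs point at already exist (the "add static A-records first" step). The hostnames are the ones from the thread; the DNS server addresses 1.1.1.200 and 1.1.2.200, the TTL of 60, the key name `vcs-key` and the zone A-record table are assumptions constructed for the example. The TSIG (`key`) and GSS-TSIG (`gsstsig`) lines are standard nsupdate commands; the GSS-TSIG variant is what the Windows "secure dynamic update" path needs and also requires running nsupdate with `-g` and a Kerberos ticket for the node.

```python
"""Render the nsupdate batch equivalent of a VCS DNS resource failover.

Added example for the thread above; not VCS/Veritas code.  Constructed
values: DNS server IPs 1.1.1.200 / 1.1.2.200, TTL 60, key name vcs-key.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional


@dataclass
class DnsResource:
    """Mirror of the VCS DNS resource attributes used in the thread."""
    domain: str                       # Domain = "company.com"
    res_record: Dict[str, str]        # ResRecord = { sql1 = sql1_prd }
    stealth_masters: List[str] = field(default_factory=list)  # servers to update
    ttl: int = 60                     # assumed TTL for the CNAME


def fqdn(name: str, domain: str) -> str:
    """Qualify a short name against the zone and add the trailing dot."""
    if name.endswith("."):
        return name
    if name.endswith("." + domain):
        return name + "."
    return f"{name}.{domain}."


def render_nsupdate(res: DnsResource, server: str,
                    tsig: Optional[str] = None, gss: bool = False) -> str:
    """Return the text fed to `nsupdate` on stdin for one DNS server.

    tsig: "hmac-sha256:keyname:base64secret" for BIND-style shared-key updates
          (the conventional TSIG mechanism mentioned in the thread).
    gss:  True for Windows secure dynamic update (GSS-TSIG); nsupdate then
          also needs the -g option and a valid Kerberos ticket.
    With neither, the server accepts the update purely on source address,
    which is the non-secure mode the thread warns can be spoofed.
    """
    if tsig and gss:
        raise ValueError("choose one of TSIG or GSS-TSIG, not both")
    lines = [f"server {server}", f"zone {res.domain}."]
    if tsig:
        alg, name, secret = tsig.split(":", 2)
        lines.append(f"key {alg}:{name} {secret}")
    if gss:
        lines.append("gsstsig")
    for alias, target in res.res_record.items():
        owner = fqdn(alias, res.domain)
        # Delete whatever CNAME the other site left behind, then add ours.
        lines.append(f"update delete {owner} CNAME")
        lines.append(f"update add {owner} {res.ttl} IN CNAME {fqdn(target, res.domain)}")
    lines.append("send")
    return "\n".join(lines) + "\n"


def missing_targets(res: DnsResource, zone_a_records: Dict[str, str]) -> List[str]:
    """Return CNAME targets with no static A record in the zone.

    zone_a_records maps FQDN (with trailing dot) -> IPv4; a non-empty result
    means the static A records from the thread have not been added yet.
    """
    return [t for t in res.res_record.values()
            if fqdn(t, res.domain) not in zone_a_records]


if __name__ == "__main__":
    # Constructed zone contents: the two static A records from the thread.
    zone = {"sql1_prd.company.com.": "1.1.1.5", "sql1_dr.company.com.": "1.1.2.5"}
    prod = DnsResource("company.com", {"sql1": "sql1_prd"}, ["1.1.1.200", "1.1.2.200"])
    dr = DnsResource("company.com", {"sql1": "sql1_dr"}, ["1.1.1.200", "1.1.2.200"])
    for res in (prod, dr):
        assert not missing_targets(res, zone), "add the static A records first"
        for master in res.stealth_masters:
            print(f"# --- update for {master} ---")
            print(render_nsupdate(res, master))
```

Save the output of `render_nsupdate` to a file and run `nsupdate -v file` from a cluster node; a REFUSED response means the node is not in the zone's allowed-updaters list (the non-secure setting Mike mentions), and NOTAUTH with a `key` line means the server does not share that TSIG key. Because address-based permission is what makes the non-secure mode spoofable, restrict it to the cluster node addresses only and move to the GSS-TSIG path once the agent supports it.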

  • Hi Mike,

    Thank you very much for your response. I will try this out in my environment and let you know the results. However, I would appreciate it if you could let me know where this is documented since I will have to pass this information on to the customer before we can proceed with this. Thanks.

     

    WBR,

    SW

  • Information on the attributes for the DNS agent is in the bundled agents guide - https://sort.symantec.com/public/documents/sfha/5.1sp1/linux/productguides/pdf/vcs_bundled_agents_51sp1_lin.pdf

    I seem to remember there being a technote about the UNIX DNS agent only working with non-secure Windows DNS servers, but I can't find it. The technote you referenced only mentions Windows 2008, which "sort of" suggests that it would work in Windows 2003; otherwise you would think the technote would be more generic, listing the Windows O/S versions the DNS agent doesn't work with.

    Mike

  • Hi Mike,

    Thank you very much for the solution. I have tried and tested the agent in the customer's environment. The agent is updating the PTR A records successfully (creating and deleting them as well, and yes, they are not using secure DNS).

    I am just surprised that this is not documented anywhere. Thanks.

    WBR,

    SW