
Windows server 2003 DNS update from UNIX VCS cluster

shahfar
Level 5
Accredited Certified

Hi Everyone,

I want to update a Windows DNS record from a UNIX VCS cluster. Is this possible using the VCS DNS agent for Linux/Unix?

This technote may point in the right direction:

http://www.symantec.com/business/support/index?page=content&id=TECH159015

 

Thanks in advance.

WBR,

SW


mikebounds
Level 6
Partner Accredited

The current UNIX DNS agent only supports updating a non-secure Windows 2k/2003 DNS server (i.e. BIND-compliant DNS servers), but most people use secure DNS.  You can update secure UNIX DNS servers, but Windows secure DNS uses its own standard rather than the conventional shared keyed TSIG authentication mechanism.

However this will be supported in the upcoming 6.0 release - see extract from https://www-secure.symantec.com/connect/blogs/sfha-60-whats-new-document

Support for Windows DNS server

 

The DNS agent now supports Windows DNS server in its configuration. A new
attribute UseGSSAPI is added to DNS agent configuration for this functionality.
 
Mike

shahfar
Level 5
Accredited Certified

Hi Mike,

Thank you for your response. My customer is using non-secure DNS (Win2K3) in this case. How should I configure the agent attributes in this case?

mikebounds
Level 6
Partner Accredited

Suppose your DNS name for your application is sql1.company.com and you have 1 DNS server on each site:

1.1.1.200

1.1.2.200

and sql1 should resolve to

 

1.1.1.5  at prod site

1.1.2.5  at DR site

Then add static A-records to your DNS server for Prod and DR IPs - example:

1.1.1.5  sql1_prd.company.com

1.1.2.5  sql1_dr.company.com

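Then configure your VCS resources like this (assuming you are using GCO):

Prod cluster:

// StealthMasters lists the DNS servers that receive the update (1.1.1.200 and 1.1.2.200), not the application IPs
DNS sql1_dns (
  ResRecord = { sql1 = sql1_prd }
  Domain = "company.com"
  StealthMasters = { "1.1.1.200", "1.1.2.200" }
  )

DR cluster:

// Same DNS servers; only the CNAME target differs
DNS sql1_dns (
  ResRecord = { sql1 = sql1_dr }
  Domain = "company.com"
  StealthMasters = { "1.1.1.200", "1.1.2.200" }
  )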

If you are using an RDC, rather than GCO, then you will need to localise the ResRecord attribute.

What VCS will do is resolve:

sql1 -> sql1_prd (so 1.1.1.5)

or

sql1 -> sql1_dr (so 1.1.2.5)

So VCS does not update A records, it updates the CNAME records.

From VCS 5.1, you MAY be able to update A records, but I have always updated CNAME records.

You also need to make sure that your UNIX cluster nodes have permission to update your Windows DNS server - i.e. should be able to update the Windows DNS server using the nsupdate command from UNIX (I forget the syntax), which I believe requires you to add the cluster nodes somewhere in the Windows DNS configuration (i.e. only nodes you specify should be allowed to update DNS, and this is non-secure because hostnames could be spoofed).

Mike
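
The nsupdate check described in the post above, as an added example that is not part of the original thread: a POSIX shell function that builds the batch a cluster node would send to repoint the sql1 CNAME at the DR record. The function name cname_batch and the 300-second TTL are assumptions; the server, zone and record names are the post's sample values.

```shell
#!/bin/sh
# Added example: build the nsupdate batch that repoints the application
# alias (a CNAME) at the site-specific A record on failover.
# cname_batch is a hypothetical helper; the TTL of 300 is an assumed value.

# cname_batch SERVER ZONE NAME TARGET [TTL]
# Prints an nsupdate batch on stdout; nothing is sent to the network.
cname_batch() {
    server=$1 zone=$2 name=$3 target=$4 ttl=${5:-300}

    # Accept only hostname/IP characters, so an argument (for example one
    # containing a newline) cannot add extra nsupdate commands to the batch.
    for v in "$server" "$zone" "$name" "$target" "$ttl"; do
        case $v in
            ''|*[!A-Za-z0-9._-]*) echo "invalid argument: $v" >&2; return 1 ;;
        esac
    done
    case $ttl in *[!0-9]*) echo "TTL must be numeric" >&2; return 1 ;; esac

    printf 'server %s\n' "$server"
    printf 'zone %s\n' "$zone"
    # Drop whatever CNAME the alias currently has, then add the new target.
    printf 'update delete %s.%s. CNAME\n' "$name" "$zone"
    printf 'update add %s.%s. %s CNAME %s.%s.\n' \
        "$name" "$zone" "$ttl" "$target" "$zone"
    printf 'send\n'
}

# Failover to DR: sql1 -> sql1_dr, addressed to the DR-site DNS server.
# To apply it from a cluster node, pipe the batch into nsupdate:
#   cname_batch 1.1.2.200 company.com sql1 sql1_dr | nsupdate
# and confirm the result against the same server:
#   dig +short @1.1.2.200 sql1.company.com CNAME
cname_batch 1.1.2.200 company.com sql1 sql1_dr
```

On a zone that accepts non-secure dynamic updates the batch needs no key, which is the condition the post describes.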

shahfar
Level 5
Accredited Certified

Hi Mike,

Thank you very much for your response. I will try this out in my environment and let you know the results. However, I would appreciate it if you could let me know where this is documented since I will have to pass this information on to the customer before we can proceed with this. Thanks.

 

WBR,

SW

mikebounds
Level 6
Partner Accredited

Information on attributes for the DNS agent is in the bundled agents guide - https://sort.symantec.com/public/documents/sfha/5.1sp1/linux/productguides/pdf/vcs_bundled_agents_51...

I seem to remember there being a technote about UNIX DNS agent only working with non-secure Windows DNS servers, but I can't find it, but the technote you referenced only mentions Windows 2008 which "sort of" suggests that it would work in Windows 2003, otherwise you would think the technote would be more generic, listing the Windows O/S version the DNS agent doesn't work with.

Mike

shahfar
Level 5
Accredited Certified

Hi Mike,

Thank you very much for the solution. I have tried and tested the agent in the customer's environment. The agent is updating the PTR A records successfully (creating and deleting them as well and yes they are not using secure DNS).

I am just surprised that this is not documented anywhere. Thanks.

WBR,

SW