HP StorageWorks Storage Mirroring DNS Failover Utility (DFO) release notes

Page created by Warren Stewart
 

Part number: T2558-96089
First edition: February, 2008
Legal and notice information
© Copyright 2005, 2008 Hewlett-Packard Development Company, L.P.
The information contained herein is subject to change without notice. The only warranties for HP products and services are set forth in the
express warranty statements accompanying such products and services. Nothing herein should be construed as constituting an additional
warranty. HP shall not be liable for technical or editorial errors or omissions contained herein.
Version:   5.0

Description
        The DNS Failover utility (DFO.exe) is a command-line utility designed to list and/or modify DNS resource
        records associated with specific host names and/or host IP Addresses. This utility is installed as part of
        the Storage Mirroring Application Manager setup.
        This release also includes the following modification:
        • Added new command for /addomain.

Installation Notes
        After installing the DNS Failover utility, refer to the following documents for information on using the DNS
        Failover utility with the Storage Mirroring Application Manager. To view the .PDF manuals, you must
        have Adobe Acrobat Reader. If you do not have Acrobat, you can download it free from Adobe at:
        www.adobe.com/prodindex/acrobat/readstep.html.
        Application_Manager_Users_Guide.pdf—The User’s Guide is located in the directory where you installed
        Storage Mirroring and also in the \docs directory on the CD. This manual contains a product overview
        and step-by-step instructions for each Storage Mirroring Application Manager feature.

Fixes
        If you are uncertain about the issues or workarounds addressed in the release notes, contact
        Hewlett-Packard Technical Support.
        • To use password encryption/decryption functionality, you must first register CAPICOM.DLL. To
          register CAPICOM.DLL, open a command prompt and switch to the directory where DFO.exe was
          installed. Type the following at the command prompt:
              RegSvr32 CAPICOM.DLL

           NOTE:
           If the DFO was installed as part of the Storage Mirroring Application Manager, this step should
           not be necessary.

        • /dnssrvname [dnsservername] — The DNS Server name may be a Fully-Qualified Domain Name
          or an IP address.
        • If there are any DNS resource record types listed which the administrator does NOT want to
          modify upon failover/failback, then custom command line or script entries should be made
          using specific /recordtype settings.
          The DNS server specified at the command line must have access to the source-related resource
          records. If the DNS server specified does not have access to the resource records associated
          with the source Exchange server, DFO will not be able to modify the source-related resource
          records upon failover/failback.
        • DFO.exe generates a log file that tracks all changes made when modifying or all records returned
          when searching. DFO.exe also writes a single Windows Event Log entry every time it is run. The
          event entry will either be an informational, warning, or error-related message, and the "Source" of
          the Event Log entry will always be "VBRuntime" (this is by design, as per Microsoft’s requirements).
        • The encryption file generated by the /setpassword command is machine specific. The
          credentials file will not work if copied to another machine.
        • By default, the DFO.exe will impersonate the account used to call it, unless valid credentials are
          supplied in the command line. When the DFO is called within failover or failback scripts initiated
          by Storage Mirroring, the calling account will be the LocalSystem account of the local machine by
          default. Unless the LocalSystem account (e.g., TARGET$) has the correct permissions to update
          resource records on the DNS server, you will have to provide credentials in the command line,
          except in cases where the host OS is Windows 2003 Service Pack 1. Check the Hewlett-Packard
        Support website for the latest information.
      • When NAT or certain VPNs exist between the DNS server and the target, the Application
        Manager will be unable to configure protection due to limitations of WMI. Please contact
        Hewlett-Packard Technical Support to obtain instructions for configuring protection manually.

Best Practices
      The following guidelines present best practices for using the DNS Failover utility.
      1. DFO.exe will list all resource records for a given host name and/or IP address, but will only
         modify the following resource record types:
         • A (host) type
         • CNAME (alias) type
         • MX (mail exchange) type
         • PTR (reverse lookup) type
      2. It is recommended that the administrator initially run DFO.exe to list all DNS resource records
         associated with specific host names and/or host IP address(es) to determine if there are any
         unsupported resource record types returned for the search criteria. If any unsupported resource
         record types are identified and those resource records are required for proper failover, alternative
         actions must be taken to guarantee those records are changed upon failover.
      3. Once the resource records have been listed and verified, it is then all right to configure DFO.exe
         to failover/failback those resource records.

DNS Failover Utility (DFO) Usage
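      dfo [/dnssrvname <dnsservername>] [/srcname <sourceFQDN>]
           [/srcip <sourceip>] [/tarip <targetip>]
           [/tarname <targetFQDN>] [/recordtype <recordtype>]
           [/username <username>] [/password <password>]
           [/dnszone <dnszonename>] [/dnsdomain <dnsdomainname>]
           [/logfile <logfilename>] [/failback [fbswitch]]
           [/setpassword <username> <password> [machine] [file]] [/getpassword]
           [/lock] [/unlock] [/trustee [trusteename]] [/verbose]
           [/flushdns] [/machine <machine_FQDN>] [/ttl <Seconds>]
           [/addomain <ADFQDN>] [/test] [/debug] [/?] [/help]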

      where
       dnsservername:    The name of the source domain/zone’s primary DNS server
                         (optional; local machine name used if missing)
       sourceFQDN:       The source machine’s Fully Qualified Domain Name (required for
                         modify)
       sourceip:         The source machine’s IP address (required for modify)
       targetip:         The target machine’s IP address (required for modify)
       targetFQDN:       The target machine’s Fully Qualified Domain Name (required for
                         modify)
       recordtype:       The type of DNS resource records to modify or list. Values can be:
                         ALL (default)
                         MSEXCHANGE
                         A
                         CNAME
                         MX
                         PTR
                         STD
                         STANDARD (optional)
                         NOTE: STD and STANDARD are used to specify non-Exchange resource records.

username:      The user account’s domain name (optional; account running
               program is used if missing)
password:      The user account’s password (optional)
machine:       The machine that the DFO utility will run on when it runs with
               /getpassword. In effect, this parameter locks the credentials
               for use by a particular machine.
file:          New location for the credentials file. By default, the
               credentials file is stored as dfo_credentials.dat in the
               current working directory
dnszonename:   The name of the DNS zone or DNS container, used to refine
               queries (optional)
dnsdomainname: The name of the DNS domain, used to refine queries (optional)
logfilename:   The name of the log file (optional)
fbswitch:      (optional)
               fbswitch =
               The DFO will only failback records in the dfo_failback_config.dat file.
               fbswitch = forcemodify. The DFO will failback all records that match
               the search criteria, even if they are not in the config file.
               Also used if dfo_failback_config.dat file is missing
trusteename:   The domain account for the source server
               machine (domain\machine$). DFO attempts to deny write
               permissions to the DNS A record on failover for the
               account identified as the trustee. “Deny write
               permissions” is then removed from the DNS A record
               on failback. This keeps the source server from
               reclaiming its DNS A record if it comes back online
               prior to failback. You can enter multiple
               /trustee switches
               (for example, /trustee administrator /trustee user)
               (optional)
Seconds:       The update interval for the TTL (in seconds)
Options
/failback      Denotes a failback procedure, performed after a
               failed source is recovered or restored
               (required for modify on failback)
/lock          Allows Active Directory locking for the A type record of the
               source specified without modifying the record
/unlock        Allows Active Directory unlocking for the A type record of the
               source specified without modifying the record
/verbose       Logging and display level set to maximum detail (optional)
/FLUSHDNS      (/machine [machine_FQDN]) Run the ipconfig /flushdns command to flush the DNS
               cache on the specified machine (remote or local (.))

/addomain       (optional) The name of the Active Directory domain where the
               source A type record’s object is stored. This is used if the
               Active Directory Domain location of the DNS record object is different
               than the DNS domain name location for that object. The DFO utility will
               attempt to locate the Active Directory record object for
               locking (see the “trusteename” for more information),
               but if the DFO utility is unable to determine the location of the
               Active Directory object, it will use the
               ADFQDN location if specified.
/TTL           Update the TTL value of all modified records.
/test          Test mode.   Modifications are NOT actually made, just listed
               (optional)

/debug            Forces DFO to write the DNS resource record as-is to the
                        dfolog.log file prior to any DFO modify or list activity.
      /?                Display the DFO syntax
      /help             Display the DFO syntax
      Password Encryption
      !!! NOTE: To use encryption/decryption functionality, you must first register the CAPICom.dll.
      See the Notes section at the beginning of this readme file!!!
      /setpassword      !!! Warning: This function must be run separately from a modify or list
                        activity. /setpassword is designed to allow the user to store a username/password
                        pairing in an encrypted file for later use. (optional, but REQUIRED IF
                        /getpassword will be used)
      /getpassword      Once a username/password pair has been encrypted and stored using /setpassword,
                        this command can be used at the command line to retrieve the password associated
                        with a specific username. It is designed to avoid storing passwords in clear text.
                        See the examples below for correct usage. (optional)
      Password Encryption Examples
      > dfo /setpassword mydomain.com\admin mypassword
      This stores the username (mydomain.com\admin) and password (mypassword) in the default
      credentials file (dfo_credentials.dat)

      > dfo /dnssrvname mydnsserver.mydomain.com /srcname mysource.mydomain.com
      /srcip 206.31.4.10 /tarname mytarget.mydomain.com /tarip 210.11.12.13 /username mydomain.com\admin
      /getpassword /verbose
      This modifies all resource records on the specified DNS server that
      match the source criteria, using the username and /getpassword to retrieve the correct
      password for connecting to the DNS server
      General Examples
      > dfo /dnssrvname mydns.mydomain.com /srcname mysource.mydomain.com /srcip 206.31.4.10 /verbose
      This lists all resource records on the specified DNS server that match the source criteria

      > dfo /dnssrvname mydns.mydomain.com /srcname mysource.mydomain.com /srcip 206.31.4.10 /tarname
      mytarget.mydomain.com /tarip 210.11.12.13 /verbose
      This modifies all resource records on the specified DNS
      server that match the source criteria, using the credentials of the account running the program to
      connect to the DNS server

      > dfo /dnssrvname mydns.mydomain.com /srcname mysource.mydomain.com /srcip
      210.11.12.13 /tarname mytarget.mydomain.com /tarip 206.31.4.10 /failback /verbose
      This modifies (fails back) all resource records on the specified DNS server
      that were changed on failover

      > dfo /dnssrvname mydnsserver.mydomain.com /srcname mysource.mydomain.com /srcip 206.31.4.10
      /tarname mytarget.mydomain.com /tarip 210.11.12.13 /username mydomain.com\admin /password pword /v
      This modifies all resource records on the specified DNS server that match the source criteria,
      using the username and password to connect to the DNS server
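
      The usage rules above can be checked mechanically before a failover or failback script is put into service. The following is an added example, not part of the HP release notes or of DFO itself: a small Python linter for dfo command lines. The finding codes, the function names and the pairing of /getpassword with /username are assumptions made for this example; the sample lines are constructed from the examples above.

```python
import shlex

# Values accepted by /recordtype and the switches required for a modify,
# both taken from the usage text above.
RECORD_TYPES = {"ALL", "MSEXCHANGE", "A", "CNAME", "MX", "PTR", "STD", "STANDARD"}
MODIFY_ARGS = ("/srcname", "/srcip", "/tarname", "/tarip")

def parse(cmdline):
    """Split one dfo command line into {switch: [values]} (switches lowercased)."""
    args, current = {}, None
    # posix=False keeps the backslash in domain\user intact
    for tok in shlex.split(cmdline, posix=False)[1:]:  # [1:] skips "dfo"
        if tok.startswith("/"):
            current = tok.lower()
            args.setdefault(current, [])
        elif current is not None:
            args[current].append(tok)
    return args

def lint(cmdline):
    """Return finding codes (names chosen for this example) for one dfo invocation."""
    a, findings = parse(cmdline), []
    if a.get("/password"):
        # Password is readable in the script; /getpassword reads the encrypted file instead
        findings.append("cleartext-password")
    if "/getpassword" in a and not a.get("/username"):
        # Assumption drawn from the page's example: /getpassword is paired with /username
        findings.append("getpassword-without-username")
    if "/setpassword" in a and any(k in a for k in MODIFY_ARGS):
        # /setpassword must be run separately from a modify or list activity
        findings.append("setpassword-combined")
    if ("/tarname" in a or "/tarip" in a) and not all(a.get(k) for k in MODIFY_ARGS):
        # A target was given, so this is a modify: all four values are required
        findings.append("incomplete-modify")
    for value in a.get("/recordtype", []):
        if value.upper() not in RECORD_TYPES:  # case-insensitive match is an assumption
            findings.append("bad-recordtype")
    return findings

# Constructed sample lines, as they might appear in a failover script
BASE = (r"dfo /dnssrvname mydns.mydomain.com /srcname mysource.mydomain.com /srcip 206.31.4.10 "
        r"/tarname mytarget.mydomain.com /tarip 210.11.12.13 /username mydomain.com\admin ")
SAMPLE = [BASE + "/password pword /verbose", BASE + "/getpassword /verbose"]

if __name__ == "__main__":
    for line in SAMPLE:
        print(lint(line) or ["ok"], "<-", line)
```

      Run it over every dfo line in the failover and failback scripts; an empty result means none of these rules was violated, not that the account has the DNS permissions it needs.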

Documentation Notes
     For a list of current Application Notes containing configuration procedures, visit the support web site at
     http://www.hp.com/support.

Contact Information
     Sales— If you need maintenance renewal, an upgrade activation code, or other sales assistance, contact
     your authorized local HP sales representative.

     Technical Support—Contact the technical support center identified on your service agreement. This is
     generally the reseller or distributor who you purchased your product from. If you do not have access to
     this agreement, contact HP Technical Support and we can direct you to the correct service provider.

     To contact HP Technical Support, you will need your serial number and activation code. Online support is
     available at http://www.hp.com/support . Please call (800) 633-3600.
