When Active Directory® integrated DNS is running on a Windows® 2003 system, the Microsoft® DNSCMD.EXE utility fails to update DNS records when the utility is run by the local System account. When scripts are run by DoubleTake® at failover or failback, the DNS records are not updated.
• Double-Take 4.x
This occurs due to additional security requirements in Windows 2003. The account running the DNSCMD utility must be in the Domain Admins group to have the necessary permissions. To confirm the issue, redirect the command output of DNSCMD to a log file by using a command similar to the following:
DNSCMD dns—server.domain.com /RecordDelete domain.com server—name A
10.11.2.7 /f > c:\temp\dnscmdlog.txt
A message similar to the following will be written to the log file:
Command failed: ERROR ACCESS DENIED 5 (00000005)
Perform one of the following to run DNSCMD as part of a failover or failback script:
• If the target server is a Windows 2003 system, add the target server computer account to the Domain Admins group and restart the Double-Take service on the target.
• Change the Double-Take service account on the target to a domain user account that in the Domain Admins group and restart the Double-Take service (NOTE: the acccount used for the Double-Take service must be given the act as part of operating system right and must be a member of the local Administrators group). Additionally, remove any user account credentials configured on the failover monitor. If the Double-Take service account and the failover monitor account are both in the Domain Admins group, service principal names may not fail over properly.
Note for users of Exchange Failover Utility:
Exchange Failover Utility 2.1 allows the Double-Take service to be run with a domain user account, whereas previous versions required the Double-Take service to be run with the local System account. Accordingly, Exchange Failover Utility 2.1 must be used in order to use DNSCMD in conjunction with Exchange Failover Utility, an Active Directory-intgrated DNS zone on a Windows 2003 server, and a Windows 2000 target. See the application note for details about the security settings required for the account used to run Double-Take.
Run the script with the DNSCMD commands while logged in with an account in the Domain