Details

When Active Directory® integrated DNS is running on a Windows® 2003 system, the Microsoft® DNSCMD.EXE utility fails to update DNS records when the utility is run by the local System account. When scripts are run by Double-Take® at failover or failback, the DNS records are not updated.
Affected Versions:
• Double-Take 4.x
Diagnosis

This occurs due to additional security requirements in Windows 2003. The account running the DNSCMD utility must be in the Domain Admins group to have the necessary permissions. To confirm the issue, redirect the command output of DNSCMD to a log file by using a command similar to the following:
DNSCMD dns-server.domain.com /RecordDelete domain.com server-name A 10.11.2.7 /f > c:\temp\dnscmdlog.txt
A message similar to the following will be written to the log file:

Command failed: ERROR ACCESS DENIED 5 (00000005)
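The check described above, written as a wrapper that a failover or failback script could call. This is an added example, not a script from the article or from Double-Take: it records the account the script actually runs under (the local System account shows as NT AUTHORITY\SYSTEM), runs the same DNSCMD command the article uses, writes the output to the log file, and flags the access-denied result. It assumes PowerShell and dnscmd.exe are available on the host; the server, zone and host names are placeholders taken from the article's example.

```powershell
# Added example (not part of the original article): run DNSCMD from a
# failover script, log the security context, and detect the ACCESS_DENIED
# failure the Diagnosis section describes.
# Assumptions: dnscmd.exe is on PATH; $DnsServer, $Zone and $HostName are placeholders.
param(
    [string]$DnsServer = 'dns-server.domain.com',   # placeholder from the article
    [string]$Zone      = 'domain.com',              # placeholder from the article
    [string]$HostName  = 'server-name',             # placeholder from the article
    [string]$IPAddress = '10.11.2.7',               # address used in the article's example
    [string]$LogPath   = 'c:\temp\dnscmdlog.txt'    # log file used in the article's example
)

function Write-Log {
    param([string]$Message)
    $stamp = Get-Date -Format 'yyyy-MM-dd HH:mm:ss'
    Add-Content -Path $LogPath -Value "$stamp $Message"
}

# Record who we are: under the local System account this is NT AUTHORITY\SYSTEM,
# which is exactly the context in which the article says DNSCMD fails.
$identity = [System.Security.Principal.WindowsIdentity]::GetCurrent()
Write-Log "Running as: $($identity.Name)"

# Same command the article uses for diagnosis; stdout and stderr are both captured
# so the failure text ends up in the log rather than being lost at failover time.
$output = & dnscmd.exe $DnsServer /RecordDelete $Zone $HostName A $IPAddress /f 2>&1
$exitCode = $LASTEXITCODE
$output | ForEach-Object { Write-Log "dnscmd: $_" }
Write-Log "dnscmd exit code: $exitCode"

# The access-denied signature means the account lacks the Domain Admins
# membership the Diagnosis section requires; surface that clearly.
if (($output | ForEach-Object { "$_" }) -join "`n" -match 'ACCESS[ _]DENIED') {
    Write-Log "Record update refused: account '$($identity.Name)' does not have the required permissions (see Solution)."
    exit 1
}
Write-Log 'Record update completed.'
exit 0
```

Run it once interactively and once from the Double-Take script and compare the "Running as:" lines; the difference in account is what explains a command that works at the console but fails at failover.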
Solution

Perform one of the following to run DNSCMD as part of a failover or failback script:
• If the target server is a Windows 2003 system, add the target server computer account to the Domain Admins group and restart the Double-Take service on the target.
• Change the Double-Take service account on the target to a domain user account that is in the Domain Admins group and restart the Double-Take service (NOTE: the account used for the Double-Take service must be given the "Act as part of the operating system" right and must be a member of the local Administrators group). Additionally, remove any user account credentials configured on the failover monitor. If the Double-Take service account and the failover monitor account are both in the Domain Admins group, service principal names may not fail over properly.
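A check for the target server that shows which of the two configurations above is in effect. This is an added example, not from the article or from Double-Take: it queries the Double-Take service's logon account through WMI and prints which requirements from the Solution apply to it. It assumes the installed service has "Double-Take" in its display name; adjust the filter if the service is named differently.

```powershell
# Added example (not part of the original article): report the logon account of
# the Double-Take service so the Solution's requirements can be verified on the target.
# Assumption: the service's display name contains 'Double-Take'.
$services = Get-WmiObject -Class Win32_Service |
    Where-Object { $_.DisplayName -like '*Double-Take*' }

if (-not $services) {
    Write-Warning "No service with 'Double-Take' in its display name was found; adjust the filter."
    return
}

foreach ($svc in $services) {
    $account = $svc.StartName
    Write-Output ("{0} ({1}) runs as '{2}', state {3}" -f $svc.DisplayName, $svc.Name, $account, $svc.State)

    if ($account -eq 'LocalSystem') {
        # First option in the Solution: the service runs as local System, so DNS
        # updates are made in the context of the computer account, which must be
        # a member of Domain Admins on a Windows 2003 target.
        Write-Output "  -> Local System: the computer account $($env:COMPUTERNAME)`$ must be in Domain Admins for DNSCMD to update records."
    }
    elseif ($account -like '*\*' -and $account -notlike 'NT AUTHORITY\*') {
        # Second option in the Solution: a domain user account, which must be in
        # Domain Admins and local Administrators and hold the
        # 'Act as part of the operating system' right; the failover monitor
        # should then carry no separate user credentials.
        Write-Output "  -> Domain account: confirm Domain Admins, local Administrators and 'Act as part of the operating system'; remove credentials from the failover monitor."
    }
    else {
        Write-Output "  -> Built-in account '$account': not one of the configurations the Solution describes."
    }
}
```

Run it on the target after changing the service account and restarting the service; the logon account reported here is the one DNSCMD will use when the failover script runs.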
Note for users of Exchange Failover Utility:

Exchange Failover Utility 2.1 allows the Double-Take service to be run with a domain user account, whereas previous versions required the Double-Take service to be run with the local System account. Accordingly, Exchange Failover Utility 2.1 must be used in order to use DNSCMD in conjunction with Exchange Failover Utility, an Active Directory-integrated DNS zone on a Windows 2003 server, and a Windows 2000 target. See the application note for details about the security settings required for the account used to run Double-Take.
Workaround

Run the script with the DNSCMD commands while logged in with an account in the Domain