In this post, a BlueCat customer discusses why organizations can’t afford to overlook DNS, DHCP and IPAM when planning for a disaster, and why a resilient architecture matters.
Almost all enterprise-class companies have a disaster recovery plan, and multiple teams and parts of the business have invested many hours working together to come up with the perfect plan. But no company ever wants to put a disaster recovery plan into action, and many companies dislike even the thought of testing that plan. There are two major areas of a disaster recovery plan that are often overlooked – DNS and DHCP core services – and one that is almost never considered – IP Address Management (IPAM) and tracking.
With most out-of-the-box DNS, DHCP and IPAM solutions, options are very limited. Any company moving up from a medium-sized business to a full enterprise either leverages Microsoft or some flavor of BIND for DNS and DHCP. And they typically use an Excel spreadsheet to track the IP addresses. Now fast-forward to a time when disaster recovery planning begins and you and your engineers must plan for the worst-case scenario. In my company’s case, we have sites around the US (including Hawaii), a primary data center, a disaster recovery site, and a third site for the IT staff. This presents a near nightmare for IT.
Initially, our configuration was a Microsoft solution for both DNS and DHCP, and it wasn’t pretty. We leveraged DNS on every domain controller (4 in our main data center, 2 in our backup site, and 4 in various geographically diverse facilities throughout the country. Our DHCP solution was even worse, with simply two servers, and each of 100 plus scopes spread between the two servers. As for IP address management, it was a good ol’ Excel spreadsheet to the rescue (oh yeah, and we backed it up to someone’s cloud storage for good measure).
In planning the conversion to a company-wide disaster recovery plan, we came to the realization that our current setup was not nearly good enough, nor would it allow for a quick failover should we ever be forced to perform one. We evaluated several vendors, but there was one thing BlueCat did particularly well – everything. Through the use of primary and secondary DNS servers adhering to BIND standards, we were able to reduce our service footprint to a single DNS server at each data center, one in our IT staff office, and 2 at our largest facilities which are geographically strategic. With the IPAM management console allowing for primary and failover as well, we are able to house one in our main data center, and one in our DR site. This solution also worked for our external DNS: we have one DNS server at each location for external DNS as well.
With BlueCat, DHCP proved to be an even easier solution than we thought. While the system still splits the DHCP scopes in half, we no longer have to manage them all separately on different servers. We now log in to one interface (BlueCat Address Manager™) and can manage them as single scopes. This allows for us to leverage the same server for DHCP as we do for internal DNS, with one at each site. The added benefit here is we can actually see which clients are leveraging DHCP by way of the Address Manager interface, which ties all of our DNS and DHCP together into one very simple to use management interface.
BlueCat Address Manager gives us the ability to centrally manage our network without Excel spreadsheets, or Access databases. This solution gives us not only an automated way to view our DNS records, or see which clients are using DHCP, but also a highly resilient solution that is in line with our company’s disaster recovery initiatives and fully redundant across multiple data centers.
Not only does BlueCat give our company the protection we require on paper, but the solution works. Not many companies are in a position to put their business connectivity at risk by shutting off their primary DNS and DHCP services, but we have fully tested the implemented solution, and much to management’s surprise, the solution works exactly as architected. We do not lose any service as a result, and failover could not be easier. Everything is monitored within the BlueCat systems and provides the failover with no human interaction, which in the case of disaster recovery is a very good thing.
Critical conversations on critical infrastructure
Find out how your peers are managing their networks through profound change. Watch this series of live interactive discussions with IT pros & join the debate in Slack.
Yes, IT should see what developers do in the cloud
Errors and outages occur when admins lack visibility into DNS and IP allocation in the cloud. With Bluecat, central DDI visibility is within reach.
Why McMaster University didn’t want another CIO
McMaster’s CTO, Gayleen Gray, highlights the importance of her unique role in a world where expectations of the CIO and CTO are colliding.
Customer situation brief on SUNBURST/Solorigate
Learn more about the attack via the SolarWinds Orion platform and how BlueCat products use DNS to help protect customers against compromises like it.
IT pros debate: Who should own DNS in the cloud?
Six networking pros dig into who should own DNS in the cloud during the third Critical Conversation on Critical Infrastructure hosted in Network VIP.