In this post, a BlueCat customer discusses why organizations can’t afford to overlook DNS, DHCP and IPAM when planning for a disaster, and why a resilient architecture matters.
Almost all enterprise-class companies have a disaster recovery plan, and multiple teams and parts of the business have invested many hours working together to come up with the perfect plan. But no company ever wants to put a disaster recovery plan into action, and many companies dislike even the thought of testing that plan. There are two major areas of a disaster recovery plan that are often overlooked – DNS and DHCP core services – and one that is almost never considered – IP Address Management (IPAM) and tracking.
With most out-of-the-box DNS, DHCP and IPAM solutions, options are very limited. Any company moving up from a medium-sized business to a full enterprise either leverages Microsoft or some flavor of BIND for DNS and DHCP. And they typically use an Excel spreadsheet to track the IP addresses. Now fast-forward to a time when disaster recovery planning begins and you and your engineers must plan for the worst-case scenario. In my company’s case, we have sites around the US (including Hawaii), a primary data center, a disaster recovery site, and a third site for the IT staff. This presents a near nightmare for IT.
Initially, our configuration was a Microsoft solution for both DNS and DHCP, and it wasn’t pretty. We leveraged DNS on every domain controller (4 in our main data center, 2 in our backup site, and 4 in various geographically diverse facilities throughout the country. Our DHCP solution was even worse, with simply two servers, and each of 100 plus scopes spread between the two servers. As for IP address management, it was a good ol’ Excel spreadsheet to the rescue (oh yeah, and we backed it up to someone’s cloud storage for good measure).
In planning the conversion to a company-wide disaster recovery plan, we came to the realization that our current setup was not nearly good enough, nor would it allow for a quick failover should we ever be forced to perform one. We evaluated several vendors, but there was one thing BlueCat did particularly well – everything. Through the use of primary and secondary DNS servers adhering to BIND standards, we were able to reduce our service footprint to a single DNS server at each data center, one in our IT staff office, and 2 at our largest facilities which are geographically strategic. With the IPAM management console allowing for primary and failover as well, we are able to house one in our main data center, and one in our DR site. This solution also worked for our external DNS: we have one DNS server at each location for external DNS as well.
With BlueCat, DHCP proved to be an even easier solution than we thought. While the system still splits the DHCP scopes in half, we no longer have to manage them all separately on different servers. We now log in to one interface (BlueCat Address Manager™) and can manage them as single scopes. This allows for us to leverage the same server for DHCP as we do for internal DNS, with one at each site. The added benefit here is we can actually see which clients are leveraging DHCP by way of the Address Manager interface, which ties all of our DNS and DHCP together into one very simple to use management interface.
BlueCat Address Manager gives us the ability to centrally manage our network without Excel spreadsheets, or Access databases. This solution gives us not only an automated way to view our DNS records, or see which clients are using DHCP, but also a highly resilient solution that is in line with our company’s disaster recovery initiatives and fully redundant across multiple data centers.
Not only does BlueCat give our company the protection we require on paper, but the solution works. Not many companies are in a position to put their business connectivity at risk by shutting off their primary DNS and DHCP services, but we have fully tested the implemented solution, and much to management’s surprise, the solution works exactly as architected. We do not lose any service as a result, and failover could not be easier. Everything is monitored within the BlueCat systems and provides the failover with no human interaction, which in the case of disaster recovery is a very good thing.
Everything you need to know about shadow IT
When users implement their own solutions behind the IT team’s back, that’s shadow IT. Learn about the risks and how to manage and reduce it with BlueCat.
How an agency IT chief innovated amid bureaucracy
Government IT innovation isn’t easy, but Chad Sheridan did it at the USDA by removing silos, earning top-level buy-in, and moving to a product mindset.
Lexmark CIO & CTO on recognizing the right use cases for AI
Lexmark CIO & CTO Vishal Gupta wades through the murk surrounding AI, explaining what tech organizations should know when deciding whether to adopt it.
NSA and CISA: Protective DNS key to network defense
U.S. cyber agencies now point to protective DNS as a defense strategy, confirming what BlueCat already knew: DNS is critical to detecting network threats.