Monday 23 June 2014

DNS Server setup for SCAN IP using Oracle 11gR2


In this blog, We will discuss how to setup DNS server on Linux for Oracle 11g R2 RAC setup.

With Oracle 11gR2 where we need to provide SCAN IP we need to configure either DNS or GNS. Giving SCAN  ips on host file does not work.

Instead of any other domain, I will be using LOCALDOMAIN.

Following is our environment to demonstrate DNS server setup.

Linux rac1.localdomain 2.6.39-300.26.1.el5uek #1 SMP Thu Jan 3 18:33:10 PST 2013 i686 i686 i386 GNU/Linux
Install following packages on
bind-9.3.6-20.P1.el5_8.5.i386.rpm
bind97-utils-9.7.0-17.P2.el5.i386.rpm
bind-utils-9.3.6-20.P1.el5_8.5.i386.rpm
bind97-chroot-9.7.0-17.P2.el5.i386.rpm

These RPM’s install and create files related to bind/DNS server that we use.
Go to /etc directory and run following command.
[root@rac1 etc]# ls -tlr named*

lrwxrwxrwx 1 root named 41 Jun 22 10:56 named.rfc1912.zones -> /var/named/chroot/etc/named.rfc1912.zones

lrwxrwxrwx 1 root named 51 Jun 22 10:56 named.caching-nameserver.conf -> /var/named/chroot/etc/named.caching-nameserver.conf

and now copy “Named.Caching-nameserver.conf” file into as /etc/named.conf

[root@rac1 etc]# cp /var/named/chroot/etc/named.caching-nameserver.conf named.conf

ls -ltr named*
lrwxrwxrwx 1 root named   41 Jun 22 10:56 named.rfc1912.zones -> /var/named/chroot/etc/named.rfc1912.zones
lrwxrwxrwx 1 root named   51 Jun 22 10:56 named.caching-nameserver.conf -> /var/named/chroot/etc/named.caching-nameserver.conf
-rw-r----- 1 root root  1230 Jun 22 11:09 named.conf

Now! Edit the named.conf file. The final named.conf file should look like following.

options {
        listen-on port 53 { 127.0.0.1; ***.***.**.***; }; ßIP of your DNS server
        listen-on-v6 port 53 { ::1; };
        directory       "/var/named";
        dump-file       "/var/named/data/cache_dump.db";
        statistics-file "/var/named/data/named_stats.txt";
        memstatistics-file "/var/named/data/named_mem_stats.txt";

        // Those options should be used carefully because they disable port
        // randomization
        // query-source    port 53;
        // query-source-v6 port 53;

        allow-query     { localhost; };
        allow-query-cache { localhost; };
};
logging {
        channel default_debug {
                file "data/named.run";
                severity dynamic;
        };
};
view localhost_resolver {
        match-clients      { localhost; };
        match-destinations { localhost; };
        recursion yes;
        include "/etc/named.rfc1912.zones";
};

/*NOTE  I have added following two sections in named.conf file. One for localdomain  and one for reverse lookup . You can provide something like 0.168.192 or any other that matched your network*/

zone "localdomain" IN {
type master;
file "localdomain.zone";
allow-update { none; };
};

zone "***.***.***.in-addr.arpa." IN {
type master;
file "0.168.192.in-addr.arpa.";
allow-update { name; };
};

Now! Edit /var/named/localdomain.zone or if you are creating it for your own domain zone than better is to copy and rename localdomain.zone file. Eg zbc.com and make appropriate changes.
Final file should look like following:







[root@rac1 etc]# cat /var/named/localdomain.zone
$TTL    86400
@               IN SOA  localdomain root (
                                        42              ; serial (d. adams)
                                        3H              ; refresh
                                        15M             ; retry
                                        1W              ; expiry
                                        1D )            ; minimum
                IN NS           localdomain
localdomain     IN A            127.0.0.1
rac1-vip IN A **.**.**.221
rac2-vip IN A **.**.**.222
rac-scan IN A **.**.**.11
rac-scan IN A **.**.**.12
rac-scan IN A **.**.**.13

Now create a file for reverse lookup. Change the name of your file as per your requirement. In our case we will be creating 0.**.**.in-addr.arpa.

The content of file should look like following:

$ORIGIN 0.168.192.in-addr.arpa.
$TTL 1H
@ IN SOA localdomain. root.localdomain. ( 2
3H
1H
1W
1H )
0.168.192.in-addr.arpa. IN NS localdomain.
221 IN PTR rac1-vip.localdomain.
222 IN PTR rac2-vip.localdomain.
11 IN PTR rac-scan.localdomain.
12 IN PTR rac-scan.localdomain.
13 IN PTR rac-scan.localdomain.

Now! Stop and restart named service as follows

[root@rac1 etc]# service named stop
Stopping named:                                            [  OK  ]
[root@rac1 etc]# service named start
Starting named:                                              [  OK  ]
[root@rac1 etc]# chkconfig named on



Now!  Modify /etc/resolv.conf file and final file should look like following:
[root@rac1 etc]# cat /etc/resolv.conf

# generated by /sbin/dhclient-script
nameserver 127.0.0.1
search localdomain

Further! Change /etc/nsswitch.conf and following in file.
hosts: dns files nis

restart NSCD service using following command.

/sbin/service nscd restart

Now run following command to check if DNS working or not.  As you can see its working.

[root@rac1 etc]# nslookup rac-scan.localdomain
Server:         127.0.0.1
Address:        127.0.0.1#53

Name:   rac-scan.localdomain
Address: 192.168.0.13
Name:   rac-scan.localdomain
Address: 192.168.0.11
Name:   rac-scan.localdomain
Address: 192.168.0.12

[root@rac1 etc]# nslookup rac1-vip.localdomain
Server:         127.0.0.1
Address:        127.0.0.1#53

Name:   rac1-vip.localdomain
Address: 192.168.0.221

[root@rac1 etc]# nslookup rac2-vip.localdomain
Server:         127.0.0.1
Address:        127.0.0.1#53

Name:   rac2-vip.localdomain
Address: 192.168.0.222

Wednesday 11 June 2014

Password file explanation

OS : Linux
DB:- Oracle 11gR2


Remote_Login_PasswordFile parameter explanation;

1:- Remote_Login_password=Exclusive means you can change,add,delete
    users from Passwordfile. Secondly you can use alter command to change
    Password of sys using "ALER USER" command. Eventually this command update
    underlying password file. Only one database will be able to use this file.

   eg. Grant SYSDBA to ETL_USER; <--- Successfull.
        Revoke SYSDBA from ETL_USER; <--- Succesfull
       ALter user sys identified by tiger; <--- Successful

    Thirdly by this setting you can connect to database with sys priv. from
     any server using TNSname alias.
    eg.
    sqlplus ETL_USER/tiger@orcl as sysdba <--- Successful
    
     You can get list of all ther users with SYSDBA priv. from v$pwfile_users;


2:- Remote_Login_Password=Shared means more than one database can use this    

passwordfile. You cannot change this file. You cannot alter,delete,add     users with

sysdba priv. if this file is in use.you can connect to database     with sys

priv. from any server using TNSname alias.
        eg.
      sqlplus ETL_USER/tiger@orcl as sysdba <--- Successful

    SQL> Grant sysdba to scott;
        Grant sysdba to scott
        *
        ERROR at line 1:
        ORA-01999: password file cannot be updated in SHARED mode


        SQL> Alter user SYS identified by tiger;
        Alter user SYS identified by tiger
        *
        ERROR at line 1:
        ORA-28046: Password change for SYS disallowed
    You can get list of all ther users with SYSDBA priv. from v$pwfile_users;

3:-     Remote_Login_Password=None means Database is not using password file;You    

    cannot     grant/revoke sysdba priv. to users. You cannot connect as sysdba    

from any other server than database server itself.
   
    There will no row in v$pwfile_users view.

    sqlplus ETL_USER/tiger@orcl as sysdba <--- fail dwith massage.