UNIX BIND Server & W2000 DNS Server

Barry Finkel b19141 at achilles.ctd.anl.gov
Fri Mar 9 21:34:26 UTC 2001

Christian Krackowizer <ckrackowiz at std.schuler-ag.com> wrote:

>Well, we started with one server (DC). This server is master. Changed the 
>zone from standalone to AD integrated.
>Installed second machine, which results in a running, but empty DNS-server. 
>We promoted this server also to DC. After having replicated AD, the next 
>reboot shows a full flying DNS-server with same zones (serial quirks) but 
>having its name as master. We tried to change the SOA record back to 
>server1 - without luck.
>Afais, we have two masters, which makes 'sense' as both can accept dynamic 
>updates. If one DC fails, the other can still accept.

I have the impression that MS tried to "shoehorn" DNS into AD.  When I
called MS about the serial number decrease (that I posted here 
yesterday) the person to whom I spoke said that it is documented that
if you have multiple masters in the AD cloud (i.e., one DNS running on
each DC), then serial numbers will not match; if you have defined all
of the DCs as masters to BIND, then BIND will complain about serial
number decreases.  (The serial number decreases I reported yesterday
were due to a hotfix and reboot of the DC/DNS.  It was the reboot that
caused the serial numbers in zones on our ONE DC DNS to decrease.
MS said that others have reported this, but MS has been unable to
reproduce it.  We reproduced it today in our production network
when we rebooted the DNS again as a test.  In that test we lost all of
the zone transfer IP addresses we had entered for the eight "_" MS
zones on that DNS box.  See Technet article Q272089.)

Back to the problem at hand -- If you have three DCs, each one running
DNS, and there are two DDNS updates that arrive simultaneously to two
different DC/DNS servers, each DNS will save the update and increment
the zone serial number.  You then have two zones with the same serial
number (assuming that the serial numbers were in sync before the DDNS
updates arrived) but with different contents.  I have heard that MS
uses timestamps within the AD to keep things in sync.  But I am not
sure what the DNS and AD code does with the serial number.  I think
that this leads to the serial number problems that MS acknowledges.
I cannot live with serial number decreases, so I have defined only
ONE DNS server in the AD cloud.

Barry S. Finkel
Electronics and Computing Technologies Division
Argonne National Laboratory          Phone:    +1 (630) 252-7277
9700 South Cass Avenue               Facsimile:+1 (630) 252-9689
Building 221, Room B236              Internet: BSFinkel at anl.gov
Argonne, IL   60439-4844             IBMMAIL:  I1004994
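An added example, not part of the original post: an offline audit over SOA serial observations gathered from several AD-integrated DNS servers. It flags the two conditions discussed above, a serial that goes backwards on one server (what BIND logs as a serial decrease) and masters that disagree on a zone's serial. Comparison uses RFC 1982 serial-number arithmetic, which is how BIND decides whether a serial has "decreased"; the server names, zone and serial values below are constructed sample data.

```python
# Added example (not from the original post). Audits SOA serials observed on
# several AD-integrated DNS masters for decreases and inter-master mismatches.

SERIAL_BITS = 32
HALF = 1 << (SERIAL_BITS - 1)
MOD = 1 << SERIAL_BITS


def serial_gt(a: int, b: int) -> bool:
    """True if serial a is 'greater than' b under RFC 1982 (mod 2^32).

    This is the comparison BIND applies before accepting a new SOA serial,
    so wrap-around past 0xFFFFFFFF is handled correctly.
    """
    return a != b and ((a - b) % MOD) < HALF


def audit_serials(observations):
    """observations: (time, server, zone, serial) tuples in time order.

    Returns a list of (kind, zone, detail) findings:
      "decrease" - a server reported a serial lower than its own previous one
      "mismatch" - the latest serials from different masters disagree
    """
    findings = []
    last = {}      # (server, zone) -> last serial seen on that server
    current = {}   # zone -> {server: latest serial}
    for t, server, zone, serial in observations:
        prev = last.get((server, zone))
        if prev is not None and serial_gt(prev, serial):
            findings.append(("decrease", zone,
                             f"{server} went {prev} -> {serial} at {t}"))
        last[(server, zone)] = serial
        current.setdefault(zone, {})[server] = serial
    for zone, per_server in current.items():
        if len(set(per_server.values())) > 1:
            detail = ", ".join(f"{s}={n}" for s, n in sorted(per_server.items()))
            findings.append(("mismatch", zone, detail))
    return findings


# Constructed sample: one zone on two DC/DNS masters, before and after dc1 reboots.
SAMPLE = [
    (1, "dc1", "example.test", 101),
    (1, "dc2", "example.test", 101),
    (2, "dc1", "example.test", 102),   # dynamic update accepted on dc1
    (2, "dc2", "example.test", 102),   # replicated to dc2, serials in sync
    (3, "dc1", "example.test", 57),    # dc1 rebooted; its serial went backwards
]

if __name__ == "__main__":
    for kind, zone, detail in audit_serials(SAMPLE):
        print(f"{kind:8s} {zone}: {detail}")
```

In practice the observation tuples would be filled from periodic `dig +short SOA <zone> @<server>` queries against each DC.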
