UNIX BIND Server & W2000 DNS Server

Barry Finkel b19141 at achilles.ctd.anl.gov
Mon Mar 12 15:22:53 UTC 2001

Christian Krackowizer <ckrackowiz at std.schuler-ag.com> wrote:

>>Back to the problem at hand -- If you have three DCs, each one running
>>DNS, and there are two DDNS updates that arrive simultaneously to two
>>different DC/DNS servers, each DNS will save the update and increment
>>the zone serial number.
>Hmm, I don't think a client will send DDNS updates to all his servers, only 
>to the first who's responding.

I am not talking about only one client.  I am postulating the case where
two different clients in the same domain send DDNS updates at the same
time; each client sends its update to a different DC/DNS.  Here is
my personal take on what is happening with AD and DNS "under the 

I believe that MS does not fully understand DNS; MS does not treat the
SOA record with its embedded serial number as an integral part of the

Assume you have an AD-integrated zone and three DCs.  If updates to the
zone arrive simultaneously at each of the three DCs, the internal MS
AD synchronization code will place a timestamp on each DDNS update.
Eventually (I am not sure of the timeframe), each of the updates will
be propagated to the other two DNS servers.  At the end of the process
each of the three DNS servers will have all three DDNS updates reflected
in its zone.  But in the process MS will have "trashed" the serial
number.  If the three copies of the zone had serial number 5 (for
example) before the three DDNS updates arrived, during the DDNS process
each of the DNS servers will increment the serial by 1.  We now have
one zone on three DNS servers - each server has the same serial number
but different contents.  What happens next depends upon how you have
configured the BIND slave.

If you have treated ONE of the MS DNS servers as the master, then that
master will probably notify the BIND slave and transfer serial number
6, with one of the three DDNS updates.  When the other two DDNS updates
are synchronized with the master, I have no idea what the eventual
serial number will be.  It might remain at 6, as the other two AD DNS
servers had serial number 6 for that zone.  Or it might increase to 8,
as there are now two new DDNS updates to that zone.  If the serial
remains at 6, then the two new DDNS updates will not be transferred to
the BIND slave.  If the serial number increases to 8, then the new
information will be transferred.

If you have configured the BIND slave to treat each of the three MS DNS
servers as a master, then (I believe) BIND will always transfer from
the first master in the named.conf file.  If that server is unavailable,
then BIND will try the second, and if necessary the third.  Exactly
what updates from the three DDNS updates above get transferred to the
slave is anyone's guess.  In this multi-master environment the second
master could have a lower serial number than the first master, and if
the first master is unavailable, BIND will attempt to transfer from
the second master and see a lower serial number.  MS has acknowledged
that the serial numbers can decrease if one is running a multi-master
configuration.  I have not seen a Technet article, but I assume that
this behavior is not considered serious by MS, and it can not be
fixed without extensive modification to the AD replication code.

Barry S. Finkel
Electronics and Computing Technologies Division
Argonne National Laboratory          Phone:    +1 (630) 252-7277
9700 South Cass Avenue               Facsimile:+1 (630) 252-9689
Building 221, Room B236              Internet: BSFinkel at anl.gov
Argonne, IL   60439-4844             IBMMAIL:  I1004994
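The failure mode Barry describes (three primaries that all bump the same serial for different updates, then a secondary that sees "no change" because the serial never moves past what it already holds) is easy to model. The following is an added example, not code from the post or from BIND or Microsoft: a small Python model of RFC 1982 serial comparison, a secondary's refresh decision, and a monitoring-style audit that flags two conditions a defender would want alarms on: primaries whose serial is behind the secondary's (a regression that would silently stop transfers after a failover), and primaries that share a serial but disagree on content. The record names, addresses, and the "serial remains at 6 after replication" outcome are constructed assumptions for the simulation; the post itself says the real outcome is unknown.

```python
"""Model of SOA serial handling between several multi-master primaries and a
BIND-style secondary.  Constructed example: names, addresses and the
replication sequence are assumptions, not the behaviour of any real product."""
from dataclasses import dataclass, field

MOD = 1 << 32          # the SOA serial is a 32-bit unsigned integer
HALF = 1 << 31


def serial_gt(a: int, b: int) -> bool:
    """RFC 1982 serial-number arithmetic: True if serial a is newer than b.
    Handles wraparound, so 0 is newer than 0xFFFFFFFF."""
    a, b = a % MOD, b % MOD
    return (a < b and b - a > HALF) or (a > b and a - b < HALF)


@dataclass
class Zone:
    serial: int
    records: dict = field(default_factory=dict)   # owner name -> A record

    def ddns_update(self, name: str, addr: str) -> None:
        """A dynamic update applied locally: change content, bump serial by 1."""
        self.records[name] = addr
        self.serial = (self.serial + 1) % MOD


def refresh(secondary: Zone, primary: Zone) -> bool:
    """Secondary refresh check: transfer only if the primary's serial is newer.
    Returns True if a transfer happened."""
    if serial_gt(primary.serial, secondary.serial):
        secondary.serial = primary.serial
        secondary.records = dict(primary.records)
        return True
    return False


def audit_primaries(secondary: Zone, primaries: dict) -> list:
    """Defender-side checks a monitoring job would run against every primary:
    flag serial regression relative to the secondary, and primaries that
    share a serial but disagree on zone content."""
    findings = []
    for name, z in primaries.items():
        if serial_gt(secondary.serial, z.serial):
            findings.append(f"{name}: serial {z.serial} is behind the secondary's "
                            f"{secondary.serial}; a failover to it would never transfer")
    by_serial = {}
    for name, z in primaries.items():
        by_serial.setdefault(z.serial, []).append(name)
    for serial, names in by_serial.items():
        contents = {tuple(sorted(primaries[n].records.items())) for n in names}
        if len(names) > 1 and len(contents) > 1:
            findings.append(f"serial {serial} on {names} but zone contents differ")
    return findings


def simulate(initial_serial: int = 5) -> dict:
    """The scenario from the post: three primaries at serial 5 each accept one
    simultaneous DDNS update; replication later merges the content without
    bumping the serial (the 'remains at 6' case, assumed here)."""
    base = {"www": "10.0.0.1"}                                   # constructed data
    dcs = {f"dc{i}": Zone(initial_serial, dict(base)) for i in (1, 2, 3)}
    secondary = Zone(initial_serial, dict(base))
    dcs["dc1"].ddns_update("host-a", "10.0.0.11")
    dcs["dc2"].ddns_update("host-b", "10.0.0.12")
    dcs["dc3"].ddns_update("host-c", "10.0.0.13")
    divergence = audit_primaries(secondary, dcs)   # all at serial 6, contents differ
    refresh(secondary, dcs["dc1"])                 # secondary now at 6 with host-a only
    # Replication merges the three updates on every primary; serial stays at 6.
    merged = {}
    for z in dcs.values():
        merged.update(z.records)
    for z in dcs.values():
        z.records = dict(merged)
    transferred_again = refresh(secondary, dcs["dc1"])   # False: serial still 6
    missing = set(merged) - set(secondary.records)
    return {"divergence_findings": divergence,
            "secondary_serial": secondary.serial,
            "transferred_after_merge": transferred_again,
            "missing_on_secondary": missing}


if __name__ == "__main__":
    for key, value in simulate().items():
        print(f"{key}: {value}")
```

Running it shows the secondary stuck at serial 6 and still missing `host-b` and `host-c` after the primaries have merged, which is exactly the data loss a serial-only refresh check cannot see; the `audit_primaries` output is the kind of finding worth exporting from a periodic SOA poll of every primary rather than trusting the refresh cycle alone.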
