Two masters for one zone

Barry Finkel b19141 at achilles.ctd.anl.gov
Thu Aug 28 18:31:35 UTC 2003


I wrote:

BF> Look at MS KB article 282826 (a revision of Q282826), 
BF> where there is this text:
BF> 
BF>       Note The multiple-master replication behavior of an Active
BF>       Directory-integrated Domain Name System (DNS) zone can
BF>       cause inconsistencies with serial numbers of the zone
BF>       across multiple DNS servers. It is not possible to
BF>       retrieve information (pull or source) from multiple Active
BF>       Directory-integrated primary DNS servers to a secondary
BF>       DNS server for the same Active Directory-integrated zone.

Jonathan de Boyne Pollard <J.deBoynePollard at tesco.net> replied:

>This isn't (as you imply it to be) a problem.  This is merely a
>specific case of the (quite sensible) warning that one should not mix
>and match different DNS database replication mechanisms across a set of
>peer content DNS servers (unless one is _very_ careful and knows
>_exactly_ what one is doing).  The contents of the "SOA" resource
>record should be treated as private to each particular replication
>mechanism, and one must not expect different DNS database replication
>mechanisms to use all of the fields in the same way, or in a way that
>is compatible with one another, or even to use them at all.  This
>warning isn't even Microsoft-specific, as it applies to _all_ content
>DNS server software.
>
>If one is using Active Directory database replication, one must use it
>between _all_ of the content DNS servers involved (unless one is very
>careful and knows exactly what one is doing).  The serial number in the
>"SOA" resource record is updated by Active Directory database
>replication, but that's just a sop for the benefit of things (mostly
>human beings running diagnostic tools, ironically) that expect serial
>numbers to change.  Active Directory database replication doesn't use
>the serial number field of "SOA" resource records any more than it uses
>the "primary master name", "refresh", or "retry" fields.  (The serial
>number could be a fixed constant, and Active Directory database
>replication would still work.)  Active Directory makes it appear as if
>there is a single, sequenced, counter.  But in fact that simply doesn't
>match the "multi-master" paradigm at all.  There is no perfect mapping
>from the "multi-master" paradigm to a single, sequenced, counter, and
>the serial number is at best a simulacrum.  Therefore constructing
>anything based upon the notion of there _being_ a single, sequenced,
>counter, such as anything but a trivial single-master "zone transfer"
>database replication setup, will fail.  But this is not a problem,
>because doing so is expecting two different DNS database replication
>mechanisms to use the fields of "SOA" resource records in ways that are
>compatible with each other, and violating the rule that one must _not_
>expect this.

I agree that there is probably no problem if the entire DNS setup
consists of AD-integrated zones.  The problem exists if there are
multiple AD-integrated masters and one or more BIND slaves.  If you
tell BIND that there is only one master, there may be no problems.  If
you tell BIND that there are multiple masters, then there may be serial
number problems.  That is why I run DNS on ONLY ONE of our four W2k
Domain Controllers.
----------------------------------------------------------------------
Barry S. Finkel
Computing and Instrumentation Solutions Division
Argonne National Laboratory          Phone:    +1 (630) 252-7277
9700 South Cass Avenue               Facsimile:+1 (630) 252-4601
Building 222, Room D209              Internet: BSFinkel at anl.gov
Argonne, IL   60439-4828             IBMMAIL:  I1004994
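The serial-number hazard described above can be checked before listing several AD-integrated servers in a BIND `masters` clause. The following is an added example, not code from the original post, from BIND or from Microsoft: it parses the SOA answer each candidate master returns (constructed sample lines in the format `dig +noall +answer` prints, with hypothetical hosts dc1/dc2.example.test), compares the serials with RFC 1982 serial-number arithmetic exactly as a slave would, and reports which masters a slave would refuse to pull from.

```python
"""Check whether candidate masters agree on a zone's SOA serial."""
import re

SERIAL_MOD = 2 ** 32        # SOA serials are 32-bit (RFC 1982)
HALF_RANGE = 2 ** 31

# Constructed sample input: one SOA answer line per configured master.
# Serials deliberately differ, as they can on AD-integrated multi-masters.
SAMPLE_SOA_ANSWERS = {
    "dc1.example.test": "example.test. 3600 IN SOA dc1.example.test. "
                        "hostmaster.example.test. 2003082805 900 600 86400 3600",
    "dc2.example.test": "example.test. 3600 IN SOA dc2.example.test. "
                        "hostmaster.example.test. 2003082803 900 600 86400 3600",
}

# owner TTL class SOA mname rname serial refresh retry expire minimum
SOA_RE = re.compile(r"\sIN\s+SOA\s+\S+\s+\S+\s+(\d+)\s+")


def parse_serial(answer_line):
    """Extract the serial field from a dig-style SOA answer line."""
    match = SOA_RE.search(answer_line)
    if not match:
        raise ValueError("not an SOA answer line: %r" % answer_line)
    return int(match.group(1)) % SERIAL_MOD


def serial_gt(a, b):
    """RFC 1982: a is newer than b iff (a - b) mod 2^32 lies in (0, 2^31).
    A difference of exactly 2^31 is undefined, so neither side is newer."""
    return 0 < (a - b) % SERIAL_MOD < HALF_RANGE


def check_masters(answers):
    """Compare the serials all masters advertise for the same zone."""
    serials = {host: parse_serial(line) for host, line in answers.items()}
    newest = None
    for serial in serials.values():
        if newest is None or serial_gt(serial, newest):
            newest = serial
    behind = sorted(host for host, s in serials.items() if s != newest)
    return {"serials": serials, "newest": newest,
            "behind": behind, "consistent": not behind}


def masters_slave_would_pull_from(slave_serial, answers):
    """Masters whose serial a slave holding slave_serial treats as newer.
    Any master listed in 'behind' above is silently ignored by the slave,
    so changes made on that master never reach it."""
    return sorted(host for host, line in answers.items()
                  if serial_gt(parse_serial(line), slave_serial))
```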