Dlint & Sleuth

Merton Campbell Crockett mcc at CATO.GD-AIS.COM
Thu Jul 28 07:04:26 UTC 2005


On Wed, 27 Jul 2005, aro wrote:

> Thanks for answer, but i have another question: why a zone transfer id
> failed, for what reason?
> The DNS has built on Windows system(Active Directory) and servers have
> the same power.

I will assume that you are running an integrated DNS and Active Directory 
environment.  This just doesn't work as well as Microsoft would have us 
believe.  I suspect that it might work quite well in a homogeneous Windows 
environment but in a heterogeneous environment it works like [expletive 
deleted].

My site is assigned ASN 106, i.e. we were the 106th site connected to the 
ARPAnet.  We have, traditionally, used BIND for DNS and due to some DoD 
requirements control the DNS through all of the corporate mergers.  There 
were no problems when we were running WindowsNT domains.

Recently we acquired a company that was running Windows2000 AD domains.  I 
assigned them a subdomain for migration purposes.  IT decided to switch to 
Active Directory.  Unfortunately, due to their "experience", they obtained 
the lead position in the migration to an Active Directory environment.

Their Active Directory domain was based on a "flat name space".  What they 
didn't realize is that they were at the limit for this construct in a 
heterogeneous environment.  They overstepped their charter with the name 
space that I assigned them and moved our existing WindowsNT domain into 
their Active Directory domain.

The problem:  DNS no longer works reliably.  Active Directory relies on 
replication of the LDAP database to construct the DNS database used in an 
integrated environment.  It appears that both BIND's IXFR and AXFR are 
faster propagating updates than LDAP replication used by Windows 2003.

Effectively Windows 2003 uses an equivalent of an FTP method to transfer 
zone information between name servers.  Each Windows domain controller is 
designated as a master for the zone.  In our environment there are over 70 
domain controllers.  This creates a problem:  both the authoritative and 
additional sections of a DNS response are independently "round robin"ed 
under both ISC BIND and Microsoft DNS.

Guess what!  Even when using TCP for your DNS queries you can only get 
approximately 18 entries in the authoritative and extended sections of the 
response from a BIND server.  With 70 domain controllers, you can end up 
with a response in which none of the name servers can be accessed.  With 
the Microsoft DNS Service you can get 42 name servers but you will need to 
make another DNS request to find its address.

While Microsoft promotes the integrated DNS/Active Directory approach, it's 
extremely careful in its online documentation to state that there is no 
requirement to use this approach.  They appear to have removed all of the 
references to Albitz' and Liu's "BIND and DNS, Edition 4" on how to set up 
DNS in a heterogeneous environment.

Go with the Book, Luke.

Take a page from Nancy Reagan's "Just say:  'No.'" campaign.  Don't run 
Microsoft DNS Services on the same system as Active Directory.



Merton Campbell Crockett



-- 
BEGIN:				vcard
VERSION:			3.0
FN:				Merton Campbell Crockett
ORG:				General Dynamics Advanced Information Systems;
				Intelligence and Exploitation Systems
N:				Crockett;Merton;Campbell
EMAIL;TYPE=internet:		mcc at CATO.GD-AIS.COM
TEL;TYPE=work,voice,msg,pref:	+1(805)497-5045
TEL;TYPE=work,fax:		+1(805)497-5050
TEL;TYPE=cell,voice,msg:	+1(805)377-6762
END:				vcard
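The point above about responses that list many domain controllers as name servers but ship an address for only some of them can be checked mechanically. The following is an added example, not code from the original post: a minimal DNS wire-format builder and parser in Python that flags NS targets for which the response carries no A record, so each would cost a further lookup. The zone name "corp.example" and the dc1..dc4 hosts are constructed sample data.

```python
import struct

def encode_name(name):
    # Wire-format name, uncompressed: length-prefixed labels ending in a zero byte.
    labels = name.rstrip(".").split(".")
    return b"".join(bytes([len(l)]) + l.encode() for l in labels) + b"\x00"

def rr(name, rtype, rdata, ttl=300):
    # One resource record: NAME, TYPE, CLASS IN, TTL, RDLENGTH, RDATA.
    return encode_name(name) + struct.pack("!HHIH", rtype, 1, ttl, len(rdata)) + rdata

def build_response(zone, ns_names, glue):
    # Constructed response: NS RRs in the authority section, A glue in additional.
    auth = b"".join(rr(zone, 2, encode_name(n)) for n in ns_names)
    add = b"".join(rr(n, 1, bytes(int(o) for o in ip.split("."))) for n, ip in glue.items())
    hdr = struct.pack("!HHHHHH", 0x1234, 0x8180, 0, 0, len(ns_names), len(glue))
    return hdr + auth + add

def decode_name(msg, off):
    # Decode the name at msg[off]; a compression pointer ends the name after being followed.
    labels = []
    while True:
        n = msg[off]; off += 1
        if n == 0: break
        if n & 0xC0 == 0xC0:
            sub, _ = decode_name(msg, ((n & 0x3F) << 8) | msg[off])
            labels.append(sub); off += 1; break
        labels.append(msg[off:off + n].decode()); off += n
    return ".".join(labels), off

def parse_records(msg):
    # Yield (owner, type, rdata offset, rdata length) for each RR after the question section.
    qd, an, ns, ar = struct.unpack("!HHHH", msg[4:12])
    off = 12
    for _ in range(qd):
        _, off = decode_name(msg, off); off += 4   # skip QTYPE and QCLASS
    for _ in range(an + ns + ar):
        owner, off = decode_name(msg, off)
        rtype, _, _, rdlen = struct.unpack("!HHIH", msg[off:off + 10]); off += 10
        yield owner, rtype, off, rdlen
        off += rdlen

def ns_without_glue(msg):
    # NS targets with no A record anywhere in the response; each needs another query.
    recs = list(parse_records(msg))
    targets = {decode_name(msg, o)[0] for _, t, o, _ in recs if t == 2}
    glued = {owner for owner, t, _, _ in recs if t == 1}
    return sorted(targets - glued)

def sample():
    # Constructed: four "domain controllers" advertised as NS, glue shipped for only two.
    ns = [f"dc{i}.corp.example" for i in range(1, 5)]
    return build_response("corp.example", ns, {ns[0]: "10.0.0.1", ns[1]: "10.0.0.2"})
```

Run against a captured response, a non-empty result from ns_without_glue is the set of name servers a resolver cannot reach without a second round trip.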


