(no subject) [W2k Master and BIND Slave AXFR Problem]

joe joe at telepacific.net
Thu May 5 19:13:50 UTC 2005


On the W2k/2003 master DNS server, add the IP addresses of the slaves in
the transfer and notify settings.

On the BIND server, also have the IP address of the W2k/2003 server as the master
for the zone transfer to the BIND server. Now make a zone change on the
W2k/2003 server and it should notify the BIND server right away. I left
all IPs (as the default) and ran into some problems myself with no
zone transfers happening for periods of time. So now I specifically tell
the Windows DNS servers what IPs are the slaves, no matter if they are
other Windows DNS servers or not (just a little bit better DNS security
too).

Hope this helps
Joe
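The BIND slave side of the steps above, as an added example that is not Joe's own configuration: a named.conf fragment for a BIND 9.3-era slave that pins the master's address for transfers and NOTIFY and logs transfer activity so a refused or timed-out AXFR is visible on the slave as well as in the Windows dns.log. 192.0.2.10 (the Windows Server 2003 master), example.com and the file paths are placeholders.

```conf
// Added example (not from the thread). Placeholder addresses and paths.
acl w2k3-master { 192.0.2.10; };    // placeholder: the Windows Server 2003 DNS master

options {
    directory "/var/named";
    // A slave has no business serving the zone onward unless it is itself
    // a master for other slaves; keep the default tight.
    allow-transfer { none; };
};

// Log inbound transfers and NOTIFY handling to their own file so that a
// "refused" or "timed out" AXFR/IXFR shows up on the slave side.
logging {
    channel xfer_log {
        file "/var/log/named-xfer.log" versions 3 size 5m;
        severity info;
        print-time yes;
        print-category yes;
    };
    category xfer-in { xfer_log; };
    category notify  { xfer_log; };
};

zone "example.com" IN {
    type slave;
    file "slaves/example.com.db";
    // The master's address must also appear in the zone's Zone Transfers
    // and Notify lists on the Windows side, as Joe describes above.
    masters { 192.0.2.10; };
    // Accept NOTIFY only from the configured master; anything else is
    // logged and ignored rather than triggering a transfer.
    allow-notify { w2k3-master; };
};
```

After a `rndc reload`, a change of the SOA serial on the Windows master should produce a notify and an xfer-in entry in named-xfer.log within seconds; if only the notify appears, the transfer itself is being refused or dropped.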


Barry Finkel wrote:

>"Mike Carly" <starmunger at hotmail.co.uk> wrote:
>
>>I'm having problems with Bind 9.3.1 acting as a slave with a Windows Server 
>>2003 master
>>
>>I've spent the last few days trawling through google and archives without 
>>much luck (for some bizarre reason most sites assume i'm upgrading to 
>>Microsoft not integrating with!), so am posting here now in the hope that 
>>someone can offer a pointer.
>>
>>The problem is that when I request that bind makes a new zone transfer 
>>(AXFR), it doesn't always happen. The same problem occurs when using dig. If 
>>I leave bind running then sometimes within 40 minutes or so it will 
>>successfully make a transfer, but not always.
>>
>>Looking at the Windows Server 2003 system log, the bind box does actually 
>>try and make the request and windows does reply. Looking at syslog on the 
>>bind box it makes the request, but times out receiving an answer.
>>
>>Using nslookup on the Windows box works, as does from other windows machines 
>>on the network. I haven't set the Windows Server machine to restrict access 
>>to certain IPs, and its config is pretty standard (it was a fresh install a 
>>couple of days ago)
>>
>>I'm 99% sure this isn't a firewalling issue. I did read somewhere that it 
>>might be due to Windows Server not being able to resolve the IP of the bind 
>>box, so I added an entry to its DNS and ran nslookup on the machine 
>>manually to make sure it had it in its DNS cache, which didn't help.
>>
>>I've taken some packet dumps with ethereal whilst attempting an AXFR that I 
>>can post if it helps.
>
>Do you have full logging enabled on the W2k+3 Server?  If so, what is
>in the dns.log file?  Is the zone transfer refused?  It appears from
>what you wrote that BIND receives no answer from the MS DNS Server.
>The dns.log file will tell you if the request is making it to the
>MS DNS executable.
>
>As for Windows not being able to resolve the IP address of the BIND 
>server -- The dns.log file will show that the AXFR or IXFR was
>refused.  This is the ONLY place you will see it on the Windows box,
>as MS does not write an eventlog record for a refused zone transfer.
>I have formally requested an eventlog record with a notification as to
>why the zone transfer was refused (there are a number of reasons why).
>But a refused AXFR/IXFR will result in a message from BIND, assuming
>that it receives the response packet back from the Windows box.
>
>As for David Botham's  reply that KB 282826 may be the cause - I am not
>sure.  As I do not run multi-master (I did for about a month in our W2k
>testbed when we initially were testing MS DNS-BIND integration), I do
>not remember what happens.  If you are running multi-master, and the
>BIND server sends a query to the Windows box and receives a response
>packet that has a lower serial number than what BIND has for the zone,
>then BIND will not request a zone transfer.  It probably will produce
>an error message.  So, if BIND is attempting the zone transfer, then
>its logic has told it that the serial number on the master Windows DNS
>Server is larger than the slave's serial number, and a zone transfer is
>required.
>----------------------------------------------------------------------
>Barry S. Finkel
>Computing and Information Systems Division
>Argonne National Laboratory          Phone:    +1 (630) 252-7277
>9700 South Cass Avenue               Facsimile:+1 (630) 252-4601
>Building 222, Room D209              Internet: BSFinkel at anl.gov
>Argonne, IL   60439-4828             IBMMAIL:  I1004994