BIND Secondaries of MS AD Integrated Zones
cbuxton at menandmice.com
Wed Nov 18 04:08:21 UTC 2009
On Nov 17, 2009, at 5:01 PM, <jim.sifferle at tektronix.com> <jim.sifferle at tektronix.com> wrote:
> Hi all,
> Most of our internal DNS zones are mastered in Microsoft DNS (2k3 R2) as AD Integrated zones. Currently, those zones are slaved from a single MS DNS server to our BIND 9 servers that handle recursion. Is there a reliable way to use multiple masters when slaving AD Integrated zones to BIND?
> In the O'Reilly book "DNS on Windows Server 2003" a section on p. 324 called "BIND Secondaries for Active Directory-Integrated Zones" says serial numbers can vary on otherwise synchronized MS DNS Servers, potentially causing a server to respond with an incorrect lower serial number.
The book is correct. Furthermore, if using multiple AD servers as masters, they can apply updates in different orders, so the IXFR mechanism breaks.
I believe the only way to make this work would be to use the statement "multi-master true;" inside your zone statement. My understanding is that named (the slave) will not compare versions between the two servers, essentially treating each DC's copy of the zone as separate and distinct. Thus, if it has to switch over to the second-listed master, it will request a full zone transfer rather than an IXFR.
Men & Mice
More information about the bind-users