BIND Secondaries of MS AD Integrated Zones

Mark Andrews marka at
Wed Nov 18 04:27:41 UTC 2009

In message <B07D01C0-86C2-45E6-AC8E-6FC3472D9B72 at>, Chris Buxton 
> On Nov 17, 2009, at 5:01 PM, <jim.sifferle at> <jim.sifferle at tektr wrote:
> > Hi all,
> > 
> > Most of our internal DNS zones are mastered in Microsoft DNS (2k3 R2) as AD Integrated zones.  Currently, those zones are slaved from a single MS DNS server to our BIND 9 servers that handle recursion.  Is there a reliable way to use multiple masters when slaving AD Integrated zones to BIND?
> > 
> > In the O'Reilly book "DNS on Windows Server 2003" a section on p. 324 called "BIND Secondaries for Active Directory-Integrated Zones" says serial numbers can vary on otherwise synchronized MS DNS Servers, potentially causing a server to respond with an incorrect lower serial number.
> Hello Jim,
> 
> The book is correct. Furthermore, if using multiple AD servers as masters, they can apply updates in different orders, so the IXFR mechanism breaks.
> 
> I believe the only way to make this work would be to use the statement "multi-master true;" inside your zone statement. My understanding is that named (the slave) will not compare versions between the two servers, essentially treating each DC's copy of the zone as separate and distinct. Thus, if it has to switch over to the second-listed master, it will request a full zone transfer rather than an IXFR.

multi-master true; still assumes correct zone serial number
maintenance.  It just prevents the warnings about the serial number
going backwards, which is a normal side effect of having multiple
masters vs a master with multiple addresses.
> Chris Buxton
> Professional Services
> Men & Mice
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742                 INTERNET: marka at
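As an added example for the point made in this thread (it is not code from the thread, from ISC or from Men & Mice): a small POSIX shell check that asks each AD domain controller you intend to list as a master for the zone's SOA serial and reports whether they agree, since multi-master only silences the "serial went backwards" warnings and still relies on the DCs maintaining consistent serials. The zone name and DC addresses are placeholders, and the live query assumes dig from the BIND utilities is installed.

```shell
#!/bin/sh
# Added example, not from the bind-users thread: verify that the AD domain
# controllers to be listed as masters for a slaved AD-integrated zone all
# report the same SOA serial. "multi-master yes;" in the zone statement only
# suppresses the serial-went-backwards warnings; it does not repair divergence.

# Placeholders (assumptions for this example); override via the environment.
ZONE="${ZONE:-ad.example.internal}"
MASTERS="${MASTERS:-192.0.2.10 192.0.2.11 192.0.2.12}"

# soa_serial ZONE SERVER: print the SOA serial that SERVER reports for ZONE.
# Queries the DC directly and non-recursively; needs dig (BIND utilities).
soa_serial() {
    dig +short +norecurse "@$2" "$1" SOA | awk 'NR == 1 { print $3 }'
}

# serials_consistent: read "server serial" lines on stdin. Exit 0 when every
# server reports the same numeric serial, 1 otherwise (outliers are printed,
# compared against the serial held by the majority of servers).
serials_consistent() {
    awk '
        NF < 2 || $2 !~ /^[0-9]+$/ { bad[$1] = "no serial"; next }
        { serial[$1] = $2; seen[$2]++ }
        END {
            if (NR == 0) exit 1
            best = ""
            for (s in seen) if (best == "" || seen[s] > seen[best]) best = s
            status = 0
            for (h in bad) { printf "%s: %s\n", h, bad[h]; status = 1 }
            for (h in serial) if (serial[h] != best) {
                printf "%s: serial %s (majority %s)\n", h, serial[h], best
                status = 1
            }
            exit status
        }'
}

# collect_serials: one "server serial" line per configured master.
collect_serials() {
    for m in $MASTERS; do
        printf '%s %s\n' "$m" "$(soa_serial "$ZONE" "$m")"
    done
}

# The live check runs only when requested, so the functions can be sourced.
if [ -n "${RUN_CHECK:-}" ]; then
    if collect_serials | serials_consistent; then
        echo "all masters agree on the SOA serial for $ZONE"
    else
        echo "SOA serial divergence detected for $ZONE" >&2
        exit 1
    fi
fi
```

Run it as `RUN_CHECK=1 ZONE=your.zone MASTERS="dc1 dc2" sh check-serials.sh` before adding the DCs to the masters list; a non-zero exit means at least one DC is out of step and a slave switching masters may see a lower serial.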
