BIND Secondaries of MS AD Integrated Zones
marka at isc.org
Wed Nov 18 04:27:41 UTC 2009
In message <B07D01C0-86C2-45E6-AC8E-6FC3472D9B72 at menandmice.com>, Chris Buxton
> On Nov 17, 2009, at 5:01 PM, <jim.sifferle at tektronix.com>
> <jim.sifferle at tektronix.com> wrote:
> > Hi all,
> > Most of our internal DNS zones are mastered in Microsoft DNS (2k3 R2) as
> > AD Integrated zones. Currently, those zones are slaved from a single MS
> > DNS server to our BIND 9 servers that handle recursion. Is there a
> > reliable way to use multiple masters when slaving AD Integrated zones to
> > BIND?
> > In the O'Reilly book "DNS on Windows Server 2003" a section on p. 324
> > called "BIND Secondaries for Active Directory-Integrated Zones" says
> > serial numbers can vary on otherwise synchronized MS DNS Servers,
> > potentially causing a server to respond with an incorrect lower serial
> > number.
> Hello Jim,
> The book is correct. Furthermore, if using multiple AD servers as masters,
> they can apply updates in different orders, so the IXFR mechanism breaks.
> I believe the only way to make this work would be to use the statement
> "multi-master true;" inside your zone statement. My understanding is that
> named (the slave) will not compare versions between the two servers,
> essentially treating each DC's copy of the zone as separate and distinct.
> Thus, if it has to switch over to the second-listed master, it will
> request a full zone transfer rather than an IXFR.
multi-master true; still assumes correct zone serial number
maintenance. It just prevents the warnings about serial number
going backwards which is a normal side effect of having multiple
masters vs a master with multiple addresses.
> Chris Buxton
> Professional Services
> Men & Mice
> bind-users mailing list
> bind-users at lists.isc.org
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742 INTERNET: marka at isc.org
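Added example, not part of this thread and not code from ISC or Men & Mice: a small Python model of the serial comparison a BIND secondary makes at refresh time (RFC 1982 serial-number arithmetic), of what happens when several AD domain controllers answer with diverging SOA serials, and of what `multi-master` changes (only the "serial went backwards" logging, as Mark says; the serials still have to be maintained correctly). The DC addresses and serial values are constructed for illustration; the rendered zone statement uses the real BIND 9 `masters` and `multi-master` options (BIND accepts `yes` or `true` for the boolean).

```python
"""Model of a BIND 9 secondary refreshing an AD-integrated zone from several
domain controllers. Added example; masters and serials below are constructed.
"""

SERIAL_BITS = 32
MOD = 1 << SERIAL_BITS
HALF = 1 << (SERIAL_BITS - 1)


def serial_gt(a: int, b: int) -> bool:
    """RFC 1982 'a > b' for 32-bit DNS serials, wrap-aware.

    Returns False when a == b and when the two differ by exactly 2**31,
    the case RFC 1982 leaves undefined.
    """
    a %= MOD
    b %= MOD
    return (a < b and b - a > HALF) or (a > b and a - b < HALF)


def refresh_decision(slave_serial: int, master_serial: int, multi_master: bool):
    """What named does after SOA-querying one master at refresh time.

    Returns (transfer, log_backwards): transfer is True when the master's
    serial is newer by RFC 1982 and a zone transfer is requested;
    log_backwards is True when the master's serial is older and
    'multi-master' is not set, i.e. named would log that the serial number
    received from the master is less than ours. With multi-master yes; the
    message is suppressed but the master is still skipped.
    """
    if serial_gt(master_serial, slave_serial):
        return True, False
    went_backwards = serial_gt(slave_serial, master_serial)
    return False, went_backwards and not multi_master


def pick_master(slave_serial: int, master_serials: dict, multi_master: bool):
    """Walk the masters in configured order until one has a newer serial.

    Returns (chosen_master_or_None, masters_that_drew_a_backwards_warning).
    A DC whose replicated copy still carries a lower serial is passed over;
    only a DC that is ahead of the secondary triggers a transfer.
    """
    warnings = []
    for name, serial in master_serials.items():
        transfer, warn = refresh_decision(slave_serial, serial, multi_master)
        if warn:
            warnings.append(name)
        if transfer:
            return name, warnings
    return None, warnings


def zone_stanza(zone: str, masters: list, multi_master: bool) -> str:
    """Render the named.conf zone statement for the secondary (BIND 9 syntax).

    'masters' lists every DC; 'multi-master yes;' is set only when the
    addresses are different machines rather than one master with several
    addresses. The file path is an assumption for the example.
    """
    master_list = " ".join(f"{m};" for m in masters)
    lines = [
        f'zone "{zone}" {{',
        "    type slave;",
        f'    file "slave/{zone}.db";',
        f"    masters {{ {master_list} }};",
    ]
    if multi_master:
        lines.append("    multi-master yes;  // masters are separate DCs")
    lines.append("};")
    return "\n".join(lines)


# Constructed scenario (assumption): three DCs whose AD-replicated copies of
# the zone carry different SOA serials, and a secondary currently holding
# serial 2009111701. The second DC is behind the secondary.
DC_SERIALS = {
    "10.0.0.11": 2009111700,
    "10.0.0.12": 2009111703,
    "10.0.0.13": 2009111702,
}
SLAVE_SERIAL = 2009111701

if __name__ == "__main__":
    for mm in (False, True):
        chosen, warned = pick_master(SLAVE_SERIAL, DC_SERIALS, mm)
        print(f"multi-master={mm}: transfer from {chosen}, warnings for {warned}")
    print(zone_stanza("ad.example.test", list(DC_SERIALS), True))
```

The model shows the behaviour the thread discusses: without `multi-master` the DC that is behind produces a "serial went backwards" log line at every refresh; with it the line disappears but that DC is still skipped, so the secondary does not advance until a DC whose serial is actually newer is reached.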