BIND Secondaries of MS AD Integrated Zones

bsfinkel at
Wed Nov 18 22:46:45 UTC 2009

jim.sifferle at wrote:

>Most of our internal DNS zones are mastered in Microsoft DNS (2k3 R2)
>as AD Integrated zones.  Currently, those zones are slaved from a
>single MS DNS server to our BIND 9 servers that handle recursion.  Is
>there a reliable way to use multiple masters when slaving AD Integrated
>zones to BIND?
>In the O'Reilly book "DNS on Windows Server 2003" a section on p. 324
>called "BIND Secondaries for Active Directory-Integrated Zones" says
>serial numbers can vary on otherwise synchronized MS DNS Servers,
>potentially causing a server to respond with an incorrect lower serial
>Jim Sifferle
>Tektronix / Fluke Network Services

I have seen the replies to this mail, and I have something else to add.
See MS 282826.  Assume that you have a zone that is AD-integrated,
and you have the zone on two DCs, DC1 and DC2 - both are running the
MS DNS Service.  Assume that both copies of the zone are identical
and have serial number, say, 1.

Now two machines send DDNS updates for the same zone at the same time;
one sends to DC1 and one sends to DC2.  After each DC has processed
the update, the DCs now have serial number 2, but the zones have
different content.  Somehow (under the covers of AD), the two zones are
synchronized.  I do not know the algorithm, nor do I know how much time
elapses before the synchronization.  With the synchronized zone, what
is the proper serial number?  It can not be 2, as there could be
another DDNS packet for the same zone sent to DC1, and this results
(before the synchronization) in DC1 having serial number 2 and DC2
having serial number 1.  Article 282826 describes what the MS code does;
it depends upon what MS DNS Servers are treated as masters for BIND.

With my setup, I run only ONE MS DNS Server, even though I have four
DCs.  My Windows group wants two MS DNS Servers, and I will list only
one as the master for the zone on my BIND servers.
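To make the race described above concrete, here is a small added illustration (my own toy model for this thread, not BIND's or Microsoft's code). It models a BIND secondary that polls its listed masters in order and transfers only from the first master whose SOA serial is greater than its own under RFC 1982 serial arithmetic (the rule BIND applies before an AXFR/IXFR), plus a monitoring-style check that reports whether the masters agree. The zone contents, record strings and host names DC1/DC2 are constructed for the example.

```python
"""Toy model of a BIND secondary refreshing from two AD-integrated masters
whose serials were bumped independently by concurrent DDNS updates."""
from typing import Dict, FrozenSet, List, Optional, Tuple

# A zone copy is modelled as (SOA serial, set of record strings).  Constructed
# for this example; real zones obviously carry far more state than this.
Zone = Tuple[int, FrozenSet[str]]

SERIAL_MOD = 1 << 32
SERIAL_HALF = 1 << 31


def serial_gt(a: int, b: int) -> bool:
    """RFC 1982 serial-number comparison: True if serial a is newer than b.

    Serials are 32-bit and wrap, so a plain integer '>' is wrong near the
    wrap point; this is the same comparison a secondary uses."""
    a %= SERIAL_MOD
    b %= SERIAL_MOD
    return (a < b and b - a > SERIAL_HALF) or (a > b and a - b < SERIAL_HALF)


def refresh(local: Zone, masters: Dict[str, Zone],
            order: List[str]) -> Tuple[Zone, Optional[str]]:
    """Model one refresh cycle of a secondary.

    Masters are polled in the listed order (assumption: a master absent from
    `masters` is unreachable and skipped).  The secondary transfers from the
    first master whose serial is greater than its own; a master offering an
    equal or lower serial is ignored, however different its content is.
    Returns the resulting zone and the master used, or None if no transfer."""
    for name in order:
        if name not in masters:
            continue
        remote = masters[name]
        if serial_gt(remote[0], local[0]):
            return remote, name
    return local, None


def check_masters(masters: Dict[str, Zone]) -> Dict[str, object]:
    """Monitoring-style check: do the masters agree on serial and on content?

    In production this is the information 'dig +short SOA <zone> @<master>'
    would give you per master; here it is read from the toy zone copies."""
    serials = {n: z[0] for n, z in masters.items()}
    contents = {n: z[1] for n, z in masters.items()}
    return {
        "serials": serials,
        "serials_agree": len(set(serials.values())) <= 1,
        "content_agrees": len(set(contents.values())) <= 1,
    }


def race_scenario():
    """The situation from the post: both DCs start at serial 1 with identical
    content, then each accepts a different DDNS update and moves to serial 2."""
    base = frozenset({"www A 10.0.0.1"})
    dc1: Zone = (2, base | {"host-a A 10.0.0.10"})   # update sent to DC1
    dc2: Zone = (2, base | {"host-b A 10.0.0.11"})   # concurrent update to DC2
    masters = {"DC1": dc1, "DC2": dc2}

    secondary: Zone = (1, base)
    # First refresh: DC1 is listed first and offers serial 2 > 1, so we transfer.
    secondary, used_first = refresh(secondary, masters, ["DC1", "DC2"])
    # Next refresh happens to reach DC2 first.  DC2 also says serial 2, which is
    # not greater than ours, so host-b is never picked up until AD replication
    # reconciles the two copies and the serial moves again.
    secondary, used_second = refresh(secondary, masters, ["DC2", "DC1"])
    return secondary, used_first, used_second, check_masters(masters)


if __name__ == "__main__":
    zone, first, second, report = race_scenario()
    print("secondary serial:", zone[0], "records:", sorted(zone[1]))
    print("transfers from:", first, second)
    print("master check:", report)
```

The check function is the part worth carrying into a real setup: if the serials across your listed masters differ, or agree while the content does not, a secondary's "newer serial" test cannot be trusted to pull the change, which is the reason the post lists only one MS DNS server as master.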