Monitoring Zonefiletransfer

Markus Weber bumpemacvettn at googlemail.com
Tue Feb 25 09:10:07 UTC 2014 

Hey guys,

sorry for the delay, i urgently had to take some days off last week.
Anyways, thanks for all your help, i appreciate this a lot.

I will now try to use only one DC as a master.
a last question, Do you also run monitoring software on bind? and if so,  
what or how do you monitor?



Am 19.02.2014, 20:33 Uhr, schrieb Barry S. Finkel <bsfinkel at att.net>:

>> On 2014-02-19 16:06, Barry S. Finkel wrote:
>>
>>> >See MS KB article 282826, where MS documents the handling of zone
>>> >serial numbers in an AD environment.
>
> And Dave Warren replied:
>
>> My experience is that it tends to work pretty well if BIND only points
>> to one particular MS DNS server at a time, with a failover script that
>> detects when that DNS server goes down and flips to another master (if
>> you're worried about such things)
>>
>> That being said, even without that script and with multiple MS DNS
>> masters configured in BIND at once, any issues generally work themselves
>> out within 15 minutes or so, once the Active Directory serial number
>> update propagates through the MS DNS infrastructure. As described in the
>> article, the servers self-increment properly when a slave is detected,
>> and occasionally sync up the serial numbers between MS DNS servers
>> (again, only moving update).
>>
>> The only inconsistencies are in those recently added/modified records,
>> so if you just plan for 15 minute update times for non-MS secondaries to
>> sync up and ignore the periodic "serial is lower than expected"
>> warnings, multi-mastering works fine in practice.
>>
>> -- Dave Warren
>
>
> That MS KB article states that if a Domain Controller DNS Server is
> not used as a master for a slave server, then the zone serial number
> is irrelevant.  But if the Server is used as a master, then the serial
> number is relevant.  Assume one zone that is "mastered" on two DCs, and
> the two serial numbers match (and the serial is N).  A dynamic update
> for the zone is sent to DC1, and the serial number there is increased to
> N+1.  At the same time a different dynamic update for the zone is sent
> to DC2, and DC2 then has serial number N+1.  The two copies of the zone
> are different, but they both have the same serial number.  When Active
> Directory synchronizes the zone, what serial number can it use for the
> synched zone?  It can't use N+1, because that serial has been used, and
> the zone might have already been transferred to the slave server.
> It can't be N+2, because, in the meantime, another dynamic update may
> have come to DC1 or DC2, so serial N+2 might have already been used.
>
> Another thing that I hinted in an earlier reply - With AD zones, the
> serial number can increase unnecessarily.   In the past, when a
> dynamic DNS update was sent to a DC, and that update was already in DNS
> (e.g., a re-lease of a DHCP address), the Windows DNS Server code
> treated the update as a no-op, except for updating an internal timestamp
> in the zone.  But sometime later, MS changed the code, so that the
> dynamic DNS update is no longer treated as a no-op.  This causes
>
> 1) the DNS update to be initially refused because it does not have
>     TSIG authorization, and the client (or DHCP Server) has to re-send
>     the update.
>
> 2) the zone serial number is updated, even when there is no update to
>     the zone; this causes unnecessary zone transfers.
>
> --Barry Finkel
> _______________________________________________
> Please visit https://lists.isc.org/mailman/listinfo/bind-users to  
> unsubscribe from this list
>
> bind-users mailing list
> bind-users at lists.isc.org
> https://lists.isc.org/mailman/listinfo/bind-users

More information about the bind-users mailing list