Enterprise DNS Architecture - AD and BIND
Barry S. Finkel
bsfinkel at att.net
Wed Dec 14 15:35:50 UTC 2016
On 12/14/2016 Veaceslav Revutchi <slavarevutchi at gmail.com> wrote:
> Since this thread is still fresh, what is the current best practice
> when slaving from AD? Do you pick one DC and list it as master or is
> it safe to list multiple? We are looking to do the same and just
> started the conversation with our AD team. The serial numbers among
> DCs authoritative for the same zone are quite spread out and it takes
> a few minutes for the DC with the lowest number to catch up. I'm not
> sure if I can assume that two DCs with the same serial number have the
> same zone contents. Haven't done a zone transfer comparison yet.
> Curious to know what your experience is when slaving from AD.
> Thank you,
I have not included the previous text in this reply.
When I was managing a BIND/AD DNS infrastructure, I chose
ONLY ONE of the AD DNS Servers as a master. There is a problem
with serial numbers (KB282826 - I have that number memorized).
If a MS DNS Server is not a master for a slave, then the zone
serial number does not matter, as the zone is internal only to
the Windows infrastructure. If the DNS Server is a master for
the zone, then the zone serial number does matter.
Assume, for example, that you have two MS DNS Servers for a zone,
one on each of two Domain Controllers - DCA, and DCB. Assume
that for a given zone both DCs have the same zone contents and
zone serial number, say 100. Now, a machine sends a dynamic update for
the zone to DCA at the same time that another machine sends another
update to that zone to DCB. Each DC DNS now has a copy of the zone
with an increased serial number (101) BUT with different contents.
Sometime, under the covers of AD, the MS code will synchronize the
zone contents between DCA and DCB, but what serial number should be
assigned to the combined zone? It can't be 101, as that has already
been used. Can it be 102? What happens if another dynamic update
is sent to DCA or DCB while the synchronization is occurring?
This is the problem, and why I chose only one DC to be the master
for all of the DC zones.
Also note that with the MS "_" zones, there are dynamic updates that
do not change the contents of a zone but do increase the zone serial
number. Thus there are lots of unnecessary zone transfers from the
AD DNS Server to the BIND slave server(s). (This was true when I was
the DNS manager, and I never got permission to ask MS why the serial
number was incremented when the zone had not changed. Things might
have changed in the past five years.)
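As an added example (not part of Barry's message or the list archive), a Python check for the question Veaceslav raises: whether DCs that report the same SOA serial actually serve the same records, and so whether a serial seen by a BIND slave can be trusted. The DC names and zone dumps below are constructed; in practice the input would be the output of `dig @<dc> <zone> axfr` from each AD DNS server.

```python
import hashlib
from collections import defaultdict

# Constructed AXFR-style dumps for three hypothetical DCs: dca and dcb both
# report serial 101 after taking different dynamic updates; dcc is behind at 100.
ZONE_DUMPS = {
    "dca": """\
example.local.       3600 IN SOA dca.example.local. hostmaster.example.local. 101 900 600 86400 3600
host1.example.local. 1200 IN A   10.0.0.11
host2.example.local. 1200 IN A   10.0.0.12
""",
    "dcb": """\
example.local.       3600 IN SOA dcb.example.local. hostmaster.example.local. 101 900 600 86400 3600
host1.example.local. 1200 IN A   10.0.0.11
host3.example.local. 1200 IN A   10.0.0.13
""",
    "dcc": """\
example.local.       3600 IN SOA dcc.example.local. hostmaster.example.local. 100 900 600 86400 3600
host1.example.local. 1200 IN A   10.0.0.11
""",
}

def parse_zone(text):
    """Return (serial, frozenset of (owner, type, rdata)) from a zone dump."""
    serial, records = None, set()
    for line in text.splitlines():
        if not line.strip() or line.startswith(";"):
            continue
        owner, _ttl, _cls, rtype, rdata = line.split(None, 4)
        rdata = " ".join(rdata.split())
        if rtype.upper() == "SOA":       # SOA contributes only its serial; MNAME differs per DC
            serial = int(rdata.split()[2])
            continue
        records.add((owner.lower(), rtype.upper(), rdata))  # TTL deliberately ignored
    return serial, frozenset(records)

def content_digest(records):
    """Order-independent fingerprint of the non-SOA records."""
    canon = "\n".join(" ".join(r) for r in sorted(records))
    return hashlib.sha256(canon.encode()).hexdigest()

def find_divergent_serials(dumps):
    """Serials claimed by two or more DCs whose content digests disagree."""
    by_serial = defaultdict(dict)
    for dc, text in dumps.items():
        serial, records = parse_zone(text)
        by_serial[serial][dc] = content_digest(records)
    return {s: d for s, d in by_serial.items()
            if len(d) > 1 and len(set(d.values())) > 1}
```

Any serial returned by `find_divergent_serials` is one where two DCs would hand a slave the same SOA serial but different zone data, which is exactly why a single master DC is the safer choice.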