On Wed, Dec 14, 2016 at 10:35 AM, Barry S. Finkel <bsfin...@att.net> wrote:

> On 12/14/2016 Veaceslav Revutchi <slavarevut...@gmail.com> wrote:
>
>> Since this thread is still fresh, what is the current best practice when slaving from AD? Do you pick one DC and list it as master or is it safe to list multiple? We are looking to do the same and just started the conversation with our AD team. The serial numbers among DCs authoritative for the same zone are quite spread out and it takes a few minutes for the DC with the lowest number to catch up. I'm not sure if I can assume that two DCs with the same serial number have the same zone contents. Haven't done a zone transfer comparison yet.
>>
>> Curious to know what your experience is when slaving from AD.
>>
>> Thank you,
>> Slava
>
> I have not included the previous text in this reply.
>
> When I was managing a BIND/AD DNS infrastructure, I chose ONLY ONE of the AD DNS Servers as a master. There is a problem with serial numbers (KB282826 - I have that number memorized). If a MS DNS Server is not a master for a slave, then the zone serial number does not matter, as the zone is internal only to the Windows infrastructure. If the DNS Server is a master for the zone, then the zone serial number does matter.
>
> Assume, for example, that you have two MS DNS Servers for a zone, one on each of two Domain Controllers - DCA, and DCB. Assume that for a given zone both DCs have the same zone contents and zone serial number, say 100. Now, a machine sends a dynamic update for the zone to DCA at the same time that another machine sends another update to that zone to DCB. Each DC DNS now has a copy of the zone with an increased serial number (101) BUT with different contents. Sometime, under the covers of AD, the MS code will synchronize the zone contents between DCA and DCB, but what serial number should be assigned to the combined zone? It can't be 101, as that has already been used. Can it be 102? What happens if another dynamic update is sent to DCA or DCB while the synchronization is occurring? This is the problem, and why I chose only one DC to be the master for all of the DC zones.
>
> Also note that with the MS "_" zones, there are dynamic updates that do not change the contents of a zone but do increase the zone serial number. Thus there are lots of unnecessary zone transfers from the AD DNS Server to the BIND slave server(s). (This was true when I was the DNS manager, and I never got permission to ask MS why the serial number was incremented when the zone had not changed. Things might have changed in the past five years.)
Barry,

Appreciate you sharing this. This is good info. Thank you!

_______________________________________________
bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users
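The "zone transfer comparison" Slava mentions, and the two anomalies Barry describes (two DCs at the same serial with different contents; a serial bumped with no content change), can be checked from the slave side before choosing a master. The script below is an added example written for this thread, not code from either poster or from ISC. It takes AXFR-style zone snapshots as text (the shape `dig @<dc> AXFR <zone>` prints; the three snapshots, the zone `example.corp.` and the DC names `dca`/`dcb`/`dcc` are constructed sample data), strips the SOA so the serial is compared separately from the record set, and reports serial spread, same-serial/different-content pairs and different-serial/identical-content pairs.

```python
"""Compare zone snapshots pulled from several AD DNS servers.

Constructed example: feed it the output of `dig @<dc> AXFR <zone>` for each
DC you are considering as a master. Runs offline on the inline samples.
"""
import hashlib

# Constructed AXFR-style snapshots. dca and dcb sit at serial 101 but
# disagree on host2 (Barry's concurrent-update case); dcc is at 103 with
# exactly dca's records (serial bumped, nothing changed).
SNAPSHOTS = {
    "dca.example.corp": """
example.corp. 3600 IN SOA dca.example.corp. hostmaster.example.corp. 101 900 600 86400 3600
example.corp. 600 IN NS dca.example.corp.
example.corp. 600 IN NS dcb.example.corp.
host1.example.corp. 1200 IN A 10.0.0.11
host2.example.corp. 1200 IN A 10.0.0.12
_ldap._tcp.example.corp. 600 IN SRV 0 100 389 dca.example.corp.
""",
    "dcb.example.corp": """
example.corp. 3600 IN SOA dcb.example.corp. hostmaster.example.corp. 101 900 600 86400 3600
example.corp. 600 IN NS dca.example.corp.
example.corp. 600 IN NS dcb.example.corp.
host1.example.corp. 1200 IN A 10.0.0.11
host2.example.corp. 1200 IN A 10.0.0.22
_ldap._tcp.example.corp. 600 IN SRV 0 100 389 dca.example.corp.
""",
    "dcc.example.corp": """
example.corp. 3600 IN SOA dcc.example.corp. hostmaster.example.corp. 103 900 600 86400 3600
example.corp. 600 IN NS dca.example.corp.
example.corp. 600 IN NS dcb.example.corp.
host1.example.corp. 1200 IN A 10.0.0.11
host2.example.corp. 1200 IN A 10.0.0.12
_ldap._tcp.example.corp. 600 IN SRV 0 100 389 dca.example.corp.
""",
}


def parse_zone(text):
    """Return (serial, frozenset of (owner, ttl, type, rdata)).

    The SOA is consumed for its serial and left out of the record set, so
    two servers whose only difference is the SOA line compare as equal.
    """
    serial = None
    records = set()
    for line in text.strip().splitlines():
        line = line.strip()
        if not line or line.startswith(";"):
            continue
        owner, ttl, _klass, rtype, rdata = line.split(None, 4)
        if rtype == "SOA":
            serial = int(rdata.split()[2])  # mname rname SERIAL refresh ...
            continue
        records.add((owner.lower(), int(ttl), rtype, rdata.lower()))
    if serial is None:
        raise ValueError("snapshot has no SOA record")
    return serial, frozenset(records)


def zone_fingerprint(records):
    """Order-independent digest of a record set (sorted canonical text)."""
    canon = "\n".join(" ".join(map(str, r)) for r in sorted(records))
    return hashlib.sha256(canon.encode()).hexdigest()[:16]


def compare_snapshots(snapshots):
    """Summarise each server and flag the two serial/content mismatches."""
    summary = {}
    for server, text in snapshots.items():
        serial, records = parse_zone(text)
        summary[server] = {"serial": serial,
                           "fingerprint": zone_fingerprint(records),
                           "records": records}
    servers = sorted(summary)
    findings = {"same_serial_diff_content": [],
                "diff_serial_same_content": [],
                "serial_spread": 0}
    for i, a in enumerate(servers):
        for b in servers[i + 1:]:
            sa, sb = summary[a], summary[b]
            same_serial = sa["serial"] == sb["serial"]
            same_content = sa["fingerprint"] == sb["fingerprint"]
            if same_serial and not same_content:
                diff = sorted(sa["records"] ^ sb["records"])
                findings["same_serial_diff_content"].append((a, b, sa["serial"], diff))
            elif not same_serial and same_content:
                findings["diff_serial_same_content"].append((a, b, sa["serial"], sb["serial"]))
    serials = [s["serial"] for s in summary.values()]
    findings["serial_spread"] = max(serials) - min(serials)
    return summary, findings


if __name__ == "__main__":
    summary, findings = compare_snapshots(SNAPSHOTS)
    for server in sorted(summary):
        print(f"{server:20} serial={summary[server]['serial']} "
              f"content={summary[server]['fingerprint']}")
    print("serial spread:", findings["serial_spread"])
    for a, b, serial, diff in findings["same_serial_diff_content"]:
        print(f"SAME SERIAL {serial}, DIFFERENT CONTENT: {a} vs {b}")
        for rec in diff:
            print("   ", *rec)
    for a, b, sa, sb in findings["diff_serial_same_content"]:
        print(f"DIFFERENT SERIAL ({sa} vs {sb}), IDENTICAL CONTENT: {a} vs {b}")
```

A non-empty `same_serial_diff_content` list means a BIND slave cannot trust the serial alone to decide whether it is current, which is the argument for listing one DC as master; entries in `diff_serial_same_content` are the no-op serial bumps Barry saw driving unnecessary transfers. The record comparison is exact on owner, TTL, type and rdata, so TTL-only differences between DCs also show up.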