Dlint & Sleuth
Merton Campbell Crockett
mcc at CATO.GD-AIS.COM
Thu Jul 28 07:04:26 UTC 2005
On Wed, 27 Jul 2005, aro wrote:
> Thanks for the answer, but I have another question: why did a zone transfer
> fail, for what reason?
> The DNS has been built on a Windows system (Active Directory) and the servers
> have the same power.
I will assume that you are running an integrated DNS and Active Directory
environment. This just doesn't work as well as Microsoft would have us
believe. I suspect that it might work quite well in a homogeneous Windows
environment, but in a heterogeneous environment it works like [expletive
deleted].
My site is assigned ASN 106, i.e. we were the 106th site connected to the
ARPAnet. We have traditionally used BIND for DNS and, due to some DoD
requirements, have controlled the DNS through all of the corporate mergers.
There were no problems when we were running WindowsNT domains.
Recently we acquired a company that was running Windows2000 AD domains. I
assigned them a subdomain for migration purposes. IT decided to switch to
Active Directory. Unfortunately, due to their "experience", they obtained
the lead position in the migration to an Active Directory environment.
Their Active Directory domain was based on a "flat name space". What they
didn't realize is that they were at the limit for this construct in a
heterogeneous environment. They overstepped their charter with the name
space that I assigned them and moved our existing WindowsNT domain into
their Active Directory domain.
The problem: DNS no longer works reliably. Active Directory relies on
replication of the LDAP database to construct the DNS database used in an
integrated environment. It appears that both BIND's IXFR and AXFR are
faster at propagating updates than the LDAP replication used by Windows 2003.
Effectively, Windows 2003 uses an equivalent of an FTP method to transfer
zone information between name servers. Each Windows domain controller is
designated as a master for the zone. In our environment there are over 70
domain controllers. This creates a problem: both the authoritative and
additional sections of a DNS response are independently round-robined
under both ISC BIND and Microsoft DNS.
Guess what! Even when using TCP for your DNS queries, you can only get
approximately 18 entries in the authoritative and extended sections of the
response from a BIND server. With 70 domain controllers, you can end up
with a response in which none of the name servers can be accessed. With
the Microsoft DNS Service you can get 42 name servers, but you will need to
make another DNS request to find their addresses.
While Microsoft promotes the integrated DNS/Active Directory approach, it's
extremely careful in its online documentation to state that there is no
requirement to use this approach. They appear to have removed all of the
references to Albitz' and Liu's "BIND and DNS, Edition 4" on how to set up
DNS in a heterogeneous environment.
Go with the Book, Luke.
Take a page from Nancy Reagan's "Just say: 'No.'" campaign. Don't run
Microsoft DNS Services on the same system as Active Directory.
Merton Campbell Crockett
--
BEGIN: vcard
VERSION: 3.0
FN: Merton Campbell Crockett
ORG: General Dynamics Advanced Information Systems;
Intelligence and Exploitation Systems
N: Crockett;Merton;Campbell
EMAIL;TYPE=internet: mcc at CATO.GD-AIS.COM
TEL;TYPE=work,voice,msg,pref: +1(805)497-5045
TEL;TYPE=work,fax: +1(805)497-5050
TEL;TYPE=cell,voice,msg: +1(805)377-6762
END: vcard
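Added example, not part of the post above and not the poster's environment: the message says that with 70 domain controllers, each listed as an NS for the zone, a single response cannot carry every name server plus its glue, and round-robin ordering decides which subset a client sees. The figures the poster quotes (18 and 42) are his observations of BIND and Microsoft DNS over TCP; the script below measures only the classic 512-byte UDP budget of RFC 1035 without EDNS0, by building a referral in wire format with label compression and counting how many NS + A pairs fit. The zone name ad.example.com and the dcNN host names and 10.0.0.x addresses are constructed sample data. On a real BIND server a reply that exceeds the UDP budget is sent with the TC bit set so the client retries over TCP; that retry is not modelled here.

```python
"""Measure how many NS records plus glue fit into a 512-byte DNS/UDP reply.

Added example. The zone and domain-controller names are constructed sample
data, not taken from the mailing-list post. The packet builder follows the
RFC 1035 wire format with label compression (section 4.1.4), which is what
determines the size budget of a response.
"""
import struct

UDP_LIMIT = 512                 # RFC 1035 section 2.3.4: UDP payload limit without EDNS0
TYPE_A, TYPE_NS, CLASS_IN = 1, 2, 1


def write_name(buf, name, table):
    """Append `name` in wire format, emitting a 2-byte compression pointer
    for any suffix already present in the packet (tracked in `table`)."""
    labels = [l for l in name.rstrip(".").split(".") if l]
    while labels:
        suffix = ".".join(labels)
        if suffix in table:
            buf += struct.pack("!H", 0xC000 | table[suffix])
            return
        if len(buf) < 0x3FFF:   # pointers have 14 bits of offset
            table[suffix] = len(buf)
        buf += bytes([len(labels[0])]) + labels[0].encode("ascii")
        labels = labels[1:]
    buf += b"\x00"              # root label terminates the name


def write_rr(buf, table, owner, rtype, ttl, rdata_name=None, rdata_raw=b""):
    """Append one resource record. NS RDATA is a compressible name, so it is
    written straight into the packet and RDLENGTH is patched afterwards."""
    write_name(buf, owner, table)
    buf += struct.pack("!HHIH", rtype, CLASS_IN, ttl, 0)   # RDLENGTH placeholder
    start = len(buf)
    if rdata_name is not None:
        write_name(buf, rdata_name, table)
    else:
        buf += rdata_raw
    struct.pack_into("!H", buf, start - 2, len(buf) - start)


def build_referral(zone, servers, limit=None):
    """Referral-style response: empty answer section, one NS per server in the
    authority section and one A glue record per server in the additional
    section. `servers` maps FQDN -> IPv4 string; `limit` caps the count."""
    names = list(servers)[:limit]
    buf, table = bytearray(), {}
    # Header: ID, flags (QR|AA), QDCOUNT, ANCOUNT, NSCOUNT, ARCOUNT
    buf += struct.pack("!HHHHHH", 0x1234, 0x8400, 1, 0, len(names), len(names))
    write_name(buf, zone, table)
    buf += struct.pack("!HH", TYPE_NS, CLASS_IN)
    for ns in names:
        write_rr(buf, table, zone, TYPE_NS, 3600, rdata_name=ns)
    for ns in names:
        octets = bytes(int(o) for o in servers[ns].split("."))
        write_rr(buf, table, ns, TYPE_A, 3600, rdata_raw=octets)
    return bytes(buf)


def max_servers_in_udp(zone, servers, udp_limit=UDP_LIMIT):
    """Largest number of NS + glue pairs whose referral fits in `udp_limit`."""
    best = 0
    for n in range(1, len(servers) + 1):
        if len(build_referral(zone, servers, n)) > udp_limit:
            break
        best = n
    return best


def visible_window(servers, rotation, count):
    """Simulate round-robin: the list is rotated by `rotation` positions and a
    size-limited reply carries only the first `count` servers of that order."""
    k = rotation % len(servers)
    return (servers[k:] + servers[:k])[:count]


# Constructed sample: 70 domain controllers in a hypothetical AD-integrated zone
ZONE = "ad.example.com."
DCS = {f"dc{i:02d}.{ZONE}": f"10.0.0.{i}" for i in range(1, 71)}

if __name__ == "__main__":
    n = max_servers_in_udp(ZONE, DCS)
    print(f"{len(DCS)} servers in zone; {n} NS+glue pairs fit in {UDP_LIMIT} bytes")
    print("subset a client sees after 20 rotations:", visible_window(list(DCS), 20, n))
```

With these names each NS record costs 19 bytes and each glue A record 16 bytes after compression, on top of a 32-byte header and question, so only 13 of the 70 servers fit in a plain UDP reply; which 13 depends on the round-robin position at the moment of the query, which is exactly the effect the post describes, only with a tighter budget than the TCP figures it quotes.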