W2K DNS Master and BIND Secondaries

Barry Finkel b19141 at achilles.ctd.anl.gov
Tue Aug 15 15:39:27 UTC 2000


"Sim Alam" <salam at postoffice.tased.edu.au> wrote:

>The Bind servers are all grabbing the zones from a single W2K AD enabled DNS
>server, however changes to the DNS can be originated from other W2K servers
>and replicated throughout the AD. Sounds OK so far huh? Well the SOA serial
>numbers in AD-enabled zones are getting out of whack between the W2K DNS
>servers. One server will have one SOA serial number and another will have a
>different serial number. It looks like when the AD replicates it doesn't
>resolve the serial numbers to a common value but then occasionally does, and
>when it does it is not necessarily to a higher value. Is anyone else
>experiencing this?

I do not understand this.  Assume that there are three Domain 
Controllers, AD1, AD2, and AD3.  For the BIND slave, it must list
one of these three as the zone's master; let us assume that AD1 is
listed as the master.  The BIND slave will always retrieve the zone
from AD1.  The serial number of the zone on AD1 should never decrease,
although (according to your supposition) the serial number of the zone
on AD2 or AD3 might be higher than the serial number on AD1.

Are you listing all three masters in the BIND named.conf?

     type slave;
     masters { AD1; AD2; AD3; };

If so, then I can see that the problem you report can occur.  But if
you only list one master, then I cannot see how the problem can occur.
Maybe I am missing something here.

There is a bug that we have found; we have to do more testing.  In a
zone that is not AD-integrated (i.e., there is only one copy inside the
AD), a hard reboot of the computer without a clean shutdown of the
DNS process may result in a zone with an earlier serial number.  I
assume that dynamic updates are not written to disk quickly enough,
and when the DNS process restarts after the reboot, it has an old copy
of the zone on disk.  It expects to find other members of the AD from
which it can synchronize the zone, but there are no other copies in the
AD.  MS was able to reproduce this bug, but I did not see mention of
it in the list of fixes in Service Pack 1 for W2k.

>Our other problem is that the W2K servers are having problems with zone
>transfers from the Bind servers. They attempt to do an AXFR and seem to be
>unable to transfer the zone. We are constantly seeing transfer attempts from
>the W2K servers in the Bind logs. The event logs on the W2K servers
>occasionally contain an error message (event ID 6524) saying that they could
>not transfer the zone. After quite some time (hours) the W2K servers manage
>to transfer the zones successfully. Anyone seen this?

I have not seen this in our W2k testbed.  I see no problems with our
BIND 8.2.2-P5 slave retrieving zones from our W2k (non-AD-integrated)
master.
----------------------------------------------------------------------
Barry S. Finkel
Electronics and Computing Technologies Division
Argonne National Laboratory          Phone:    +1 (630) 252-7277
9700 South Cass Avenue               Facsimile:+1 (630) 252-9689
Building 221, Room B236              Internet: BSFinkel at anl.gov
Argonne, IL   60439-4844             IBMMAIL:  I1004994
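The reasoning in the reply above (a slave listing one master always follows that master's serial; a slave listing all three DCs can end up holding a serial that none of the masters will exceed for a while) is easy to check with a script. The following is an added example, not code from the original post or from BIND or Microsoft: it parses the `dig +short SOA <zone> @<server>` answer from each DC, finds which DCs disagree, and runs a simplified model of a slave's refresh cycle (ask the listed masters in order, transfer from the first whose serial is greater under RFC 1982 serial arithmetic). The server names `AD1`..`AD3`, the zone data and the dig output are constructed for illustration; the function names are mine.

```python
# Added example (not from the original post): check SOA serials across several
# AD-integrated DNS servers and simulate a BIND slave's master selection.
# Server names, zone contents and dig output below are constructed.

HALF_RANGE = 1 << 31  # RFC 1982 serial arithmetic with SERIAL_BITS = 32

# Constructed stand-in for what `dig +short SOA <zone> @<server>` prints on
# each domain controller; in real use, run that command per DC and paste it in.
SAMPLE_DIG_OUTPUT = {
    "AD1": "ad1.example.test. hostmaster.example.test. 2000081503 900 600 86400 3600",
    "AD2": "ad2.example.test. hostmaster.example.test. 2000081507 900 600 86400 3600",
    "AD3": "ad3.example.test. hostmaster.example.test. 2000081501 900 600 86400 3600",
}


def parse_serial(short_soa_line):
    """Return the serial from one `dig +short SOA` line.

    Short form is: MNAME RNAME SERIAL REFRESH RETRY EXPIRE MINIMUM.
    """
    fields = short_soa_line.split()
    if len(fields) != 7:
        raise ValueError("not a dig +short SOA line: %r" % short_soa_line)
    return int(fields[2]) & 0xFFFFFFFF


def serial_gt(a, b):
    """True if serial a is greater than b under RFC 1982 serial arithmetic.

    This is the comparison a slave uses to decide whether a master is newer;
    it wraps at 2^32, so 1 is greater than 4294967295.
    """
    a &= 0xFFFFFFFF
    b &= 0xFFFFFFFF
    return (a < b and b - a > HALF_RANGE) or (a > b and a - b < HALF_RANGE)


def serials_by_master(dig_output):
    """Map master name -> serial, given the dig output collected per master."""
    return {master: parse_serial(line) for master, line in dig_output.items()}


def find_disagreement(serials):
    """Return (master_with_highest_serial, sorted list of masters behind it).

    An empty laggard list means every master reports the same serial.
    """
    best = None
    for master, serial in serials.items():
        if best is None or serial_gt(serial, serials[best]):
            best = master
    laggards = sorted(m for m, s in serials.items() if serial_gt(serials[best], s))
    return best, laggards


def slave_refresh(current_serial, masters, serials, reachable=None):
    """Simplified model of one slave refresh cycle (assumption, not BIND's code).

    Masters are asked in the order listed in named.conf; the slave transfers
    from the first answering master whose serial is greater (RFC 1982) than
    the one it holds. Returns (master_used, serial_after, transferred).
    """
    reachable = set(serials) if reachable is None else set(reachable)
    for master in masters:
        if master not in reachable:
            continue  # no answer, try the next listed master
        if serial_gt(serials[master], current_serial):
            return master, serials[master], True
    return None, current_serial, False  # nobody offered a newer serial


if __name__ == "__main__":
    serials = serials_by_master(SAMPLE_DIG_OUTPUT)
    best, laggards = find_disagreement(serials)
    print("serials per master:", serials)
    print("highest serial on %s; behind it: %s" % (best, laggards or "none"))

    # Single master: the slave tracks AD1 and picks up its next change.
    print("one master  :", slave_refresh(2000081503, ["AD1"], {"AD1": 2000081505}))

    # Three masters: the slave once transferred from AD2 (serial ...507).
    # AD1 now has fresh updates at ...505, but nobody is above ...507, so the
    # slave keeps the stale AD2 copy until some DC's serial passes ...507.
    stale_case = {"AD1": 2000081505, "AD2": 2000081507, "AD3": 2000081501}
    print("three masters:", slave_refresh(2000081507, ["AD1", "AD2", "AD3"], stale_case))
```

The `slave_refresh` model is deliberately simple (it does not model retry timers or BIND's per-master bookkeeping), but it is enough to show the failure mode: once the slave has pulled a zone from whichever DC happened to carry the largest serial, updates made on a DC whose serial is numerically behind are invisible to the slave until that DC's serial overtakes it. Listing a single DC as the master, as the reply recommends, removes that race at the cost of depending on that one DC being reachable.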