stealth server

Barry Finkel b19141 at achilles.ctd.anl.gov
Fri Jul 6 14:16:31 UTC 2001


Barry Margolin <barmar at genuity.net> wrote in reply:

> Windows 2000 is now my least favorite piece of Microsoft
>crapware, as the DNS server that it comes with seems to have a bug that
>causes serial numbers to drop back occasionally, and we have to notify our
>customers that zone transfers have stopped (I suspect that when it
>increments the serial# due to a dynamic DNS change, it doesn't update it in
>the Registry like it does when you make some other change to the zone, and
>when the server is rebooted it reverts to the last serial# that was stored
>there).

I have an open trouble ticket with MS on this serial number issue.
We were getting serial numbers that reverted to their values of three
months previous!  The MS engineers have been working for about 6-7
weeks trying to architect a fix.  I agree with Barry Margolin that
MS does not save the serial number in the AD or registry (depending 
upon the DNS configuration).  MS uses internal serial numbers and 
timestamps for each object in the AD, so if you are running a 
multi-master AD-integrated DNS with no slaves, then there is no need
for an SOA serial number.  See Q282826 for details on how the MS code
updates serial numbers in a multi-master configuration.

MS has told us that when the zone serial number decreases, there is
no data loss in the zone; it is just the serial number that has
decreased.  All of the zone information is retrieved intact from the
AD.  I have not verified this, as I do not want to corrupt live DNS
data (and our W2k testbed is not active enough for me to duplicate some
of the problems I have seen with the MS code).  If you stop the DNS
process on the W2k DC before a shutdown/reboot, then the serial number 
remains intact.  If you do a clean shutdown/reboot, then the serial
number is not stored, and the decrease occurs.  I believe that on a
clean shutdown/reboot there must be contention for the AD, and the
DNS process cannot store the SOA serial number before the shutdown
process terminates the DNS process.  I have no idea why the MS code
does not store the SOA serial number in the AD every time it is
updated.

As the subject line of the original posting was "stealth server", I
have another W2k-related comment.  A W2k server cannot be a stealth
server, as the MS code will add an NS record for the W2k DNS server
if one does not exist.  If you delete the NS record, the MS code will
sense the fact and re-add the NS record.

One other related topic that I posted a number of months ago and to 
which I did not receive a definitive answer --  In a W2k multi-master
AD-integrated environment, each DNS server has its own copy of the
zone (stored in the AD).  But the SOA record in each copy is
different; each DNS server has its own name in the SOA as the master.
Does this violate any DNS RFC?  My feeling is that it probably does,
as two zones with the same content except the SOA record are NOT the
same zone, and it is illegal to have a zone on two masters that
differs.


----------------------------------------------------------------------
Barry S. Finkel
Electronics and Computing Technologies Division
Argonne National Laboratory          Phone:    +1 (630) 252-7277
9700 South Cass Avenue               Facsimile:+1 (630) 252-9689
Building 221, Room B236              Internet: BSFinkel at anl.gov
Argonne, IL   60439-4844             IBMMAIL:  I1004994
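The failure mode described in this thread (a primary whose SOA serial falls back to an older value, so BIND secondaries holding the higher serial never transfer again) is easy to miss because the zone data on the primary is still intact. The script below is an added example, not code from the post or from Microsoft or ISC: it parses SOA RDATA in the text form `dig +short SOA <zone> @<server>` prints, compares serials with RFC 1982 serial arithmetic (so a 32-bit wraparound is not misreported as a regression), flags each secondary that will refuse to transfer, and computes the smallest serial the primary must be bumped to so that every secondary pulls a fresh copy. The host names and SOA records are constructed sample data, and raising the serial above the secondaries' is the standard remedy for a regressed primary, not something the post itself states.

```python
"""Detect SOA serial regression between a zone's primary and its secondaries.

Added example. The SOA records below are constructed to look like the
output of `dig +short SOA example.net @<server>`; they are not real data.
"""
import re
from dataclasses import dataclass

SERIAL_MOD = 1 << 32          # serials are unsigned 32-bit (RFC 1035)
SERIAL_HALF = 1 << 31         # RFC 1982 comparison window


@dataclass(frozen=True)
class SOA:
    mname: str
    rname: str
    serial: int
    refresh: int
    retry: int
    expire: int
    minimum: int


_SOA_RE = re.compile(
    r"^\s*(\S+)\s+(\S+)\s+(\d+)\s+(\d+)\s+(\d+)\s+(\d+)\s+(\d+)\s*$"
)


def parse_soa(rdata: str) -> SOA:
    """Parse 'MNAME RNAME SERIAL REFRESH RETRY EXPIRE MINIMUM' as dig prints it."""
    m = _SOA_RE.match(rdata)
    if not m:
        raise ValueError(f"not an SOA RDATA line: {rdata!r}")
    mname, rname = m.group(1), m.group(2)
    nums = [int(x) for x in m.groups()[2:]]
    if not 0 <= nums[0] < SERIAL_MOD:
        raise ValueError(f"serial {nums[0]} out of 32-bit range")
    return SOA(mname, rname, *nums)


def serial_gt(a: int, b: int) -> bool:
    """True if serial a is newer than serial b under RFC 1982 arithmetic.

    a is newer when it is numerically larger by less than 2**31, or
    numerically smaller by more than 2**31 (i.e. it wrapped past 2**32).
    Equal serials are never newer.
    """
    a %= SERIAL_MOD
    b %= SERIAL_MOD
    return (a > b and a - b < SERIAL_HALF) or (a < b and b - a > SERIAL_HALF)


def check_secondaries(primary: SOA, secondaries: dict[str, SOA]) -> dict[str, str]:
    """Report, per secondary, whether its next refresh will trigger a transfer.

    A secondary only transfers when the primary's serial is newer than the one
    it already holds, so a primary that fell back to an older serial silently
    stops every secondary that already saw the higher value.
    """
    report = {}
    for host, soa in secondaries.items():
        if serial_gt(primary.serial, soa.serial):
            report[host] = "ok"          # will pull the zone at next refresh
        elif primary.serial == soa.serial:
            report[host] = "in sync"
        else:
            report[host] = "stale"       # secondary is ahead; no transfer
    return report


def serial_needed(primary: SOA, secondaries: dict[str, SOA]) -> int:
    """Smallest serial newer (RFC 1982) than the primary's and every secondary's.

    Assumes all serials lie within 2**31 of each other, which is true for
    date-based serials; outside that window RFC 1982 gives no total order.
    """
    newest = primary.serial
    for soa in secondaries.values():
        if serial_gt(soa.serial, newest):
            newest = soa.serial
    return (newest + 1) % SERIAL_MOD


def run_example() -> tuple[dict[str, str], int]:
    """Constructed scenario: the W2k primary reverted to a three-month-old serial."""
    primary = parse_soa(
        "w2k-dc1.example.net. hostmaster.example.net. 2001040501 900 600 86400 3600"
    )
    secondaries = {
        # ns1 transferred in July and now holds a serial newer than the primary's
        "ns1.example.net": parse_soa(
            "w2k-dc1.example.net. hostmaster.example.net. 2001070501 900 600 86400 3600"
        ),
        # ns2 has been offline since April and still sees the primary as newer
        "ns2.example.net": parse_soa(
            "w2k-dc1.example.net. hostmaster.example.net. 2001040401 900 600 86400 3600"
        ),
    }
    return check_secondaries(primary, secondaries), serial_needed(primary, secondaries)


if __name__ == "__main__":
    report, needed = run_example()
    for host, state in report.items():
        print(f"{host}: {state}")
    print(f"bump primary serial to at least {needed}")
```

Running it against live servers only needs the RDATA strings replaced by the output of `dig +short SOA <zone> @<server>` for the primary and each secondary; the "stale" verdict is the condition this thread describes, and the reported serial is the value the primary must be set to (or beyond) before the secondaries will transfer again.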



More information about the bind-users mailing list