Changing SOA & DNS server for an Active Directory DDNS zone

Barry Finkel b19141 at achilles.ctd.anl.gov
Tue Oct 11 14:24:47 UTC 2005


Andy Blanchard <andyb at giganews.com> wrote:

>Does anyone have any ideas on the smoothest method of migrating the
>SOA and owner of the writable data for a dynamic Windows AD domain
>between two BIND v9.x servers?  I don't seem to be having much luck
>with finding a definitive answer to this one, and the best I have so
>far is as follows:
>
>Stop the DNS server on the current master (to flush pending updates)
>Stop the DNS server on the intended master (ditto)
>Copy the zone file from the current master to the replacement
>
>Then, on the new master:
>
>   Change the SOA record and increment the serial number by hand
>   Change "named.conf" to reflect the new status
>   Restart BIND
>
>And on the old master, and the other slaves:
>
>   Change "named.conf" to slave the zone from the new master server
>   Restart BIND / reload the BIND configuration
>
>That *seems* to cover everything from the point of view of BIND, but
>is there anything else I should be doing, and are there any changes
>that need to be made to the Windows' domain controllers?

Things to consider (besides what Kevin Darcy posted):

1) With the AD zones mastered on a W2k/W2k+3 Server, you have secure
   DDNS; with the master on a BIND server, you no longer have secure
   DDNS.

2) When the DCs decide to re-register their SRV records via DDNS, the
   MS DNS code realizes that the request is essentially a null request,
   so it responds OK to the initial non-secure DDNS, and there are no
   changes to the zone (and its serial number).  With BIND, I assume
   that the DDNS will result in a change to the zone, replacing records
   with identical records.  This will result in a serial number change
   and zone transfers to the slaves.  I do not know how often a DC will
   re-register its DNS records.  I have no experience with DDNS and
   BIND, so the BIND behavior might not be exactly what I have written.

3) If you decide to not use DDNS and use the netlogon.dns file instead,
   then you will have to know manually when that file has changed.

If you already have the AD zones slaved on the new BIND master, then
you will not need to copy the zones from the current W2k master.  Is
there a reason why you are moving the AD zones from MS to BIND?  I have
my AD zones (74 total) on a W2k+3 Server and slaved on BIND.
----------------------------------------------------------------------
Barry S. Finkel
Computing and Information Systems Division
Argonne National Laboratory          Phone:    +1 (630) 252-7277
9700 South Cass Avenue               Facsimile:+1 (630) 252-4601
Building 222, Room D209              Internet: BSFinkel at anl.gov
Argonne, IL   60439-4828             IBMMAIL:  I1004994
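As an added illustration of the "change named.conf" steps in the procedure quoted above (example configuration, not from either poster), these are the zone stanzas for the AD zone on the new master and on the old master and other slaves after the move. The zone name, server addresses, file paths and the "ad-dcs" ACL are assumed placeholders; the `allow-update` list limits the non-secure DDNS that point 1 describes to the domain controllers' addresses, which is an IP-based control only, not a replacement for secure (GSS-TSIG) updates.

```conf
// ---- New BIND master (assumed address 192.0.2.10) ----
// Define the DCs once on every server; the addresses below are assumed.
acl "ad-dcs" { 192.0.2.21; 192.0.2.22; };

zone "ad.example.com" IN {
    type master;
    file "dynamic/ad.example.com.db";       // zone file copied from the old master;
                                            // its SOA MNAME must name this server,
                                            // because the DCs send updates to MNAME
    allow-update   { "ad-dcs"; };           // non-secure DDNS, so restrict by source
    allow-transfer { 192.0.2.11; 192.0.2.12; };  // old master and the other slave
    also-notify    { 192.0.2.11; 192.0.2.12; };  // push NOTIFY after each DDNS change
};

// ---- Old master and every other slave ----
// Same zone, now slaved from the new master.  Drop any allow-update clause
// here; a slave only passes updates on if allow-update-forwarding permits it.
acl "ad-dcs" { 192.0.2.21; 192.0.2.22; };

zone "ad.example.com" IN {
    type slave;
    file "slaves/ad.example.com.db";
    masters { 192.0.2.10; };                // the new master
    allow-update-forwarding { "ad-dcs"; };  // forward stray DC updates to the master
};
```

After reloading, confirm with `dig @<server> ad.example.com SOA +short` that every server reports the new MNAME and the incremented serial before letting the DCs re-register.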