how two dns bind master sync?

[Dave Warren]

On 2018-08-23 14:15, Grant Taylor via bind-users wrote:
> On 08/23/2018 01:20 PM, Barry S. Finkel wrote:
>> Somehow, under the covers, AD synchronizes the zones so that they have 
>> the same content.
> 
> It's my understanding that MS-DNS servers hosting AD Integrated zones 
> are actually functioning as application layer gateways between DNS and 
> data that's stored in LDAP.
> 
> So the case of synchronizing records with different FQDNs is actually 
> trivial in that different records are being updated in the back end LDAP 
> and the ALG is simply reading the data and replying to clients.
> 
> I don't know how to account for the serial number.  I think I've seen 
> something like an encoded form of the date / time be used.  ¯\_(ツ)_/¯

tl;dr: The Active Directory logic for the serial number is simple: Each 
update to the zone increments the serial as you expect locally. When DCs 
sync they use the highest serial number of either, +1.

Imagine you have 3 (or more) servers, updates happening everywhere. The 
is an unknown period of latency between updates, not all DCs receive 
updates at the same time, and not all DCs receive updates in the same 
order or use the same schedule.

Start off with serial 100.
Server1 updates, increments to serial 101.
Server1 updates, increments to serial 102.
Server1 updates, increments to serial 103.
Server2 updates, increments to serial 102.
Server1 updates, increments to serial 104.
Server3 updates, increments to serial 102.

At this point all three have different views of the zone, with serials 
104, 102, 102 respectively.

Server2 and Server3 now sync, highest serial is 102 so both are set to 
103. Server1 and Server2 now sync, highest serial is 104 but there are 
other changes, so both increment to 105. Eventually Server1 and Server3 
sync, highest serial is 105, but no other records have changed so both 
agree to 105 and now everything is in sync once again.

Neither Active Directory nor Microsoft DNS care what is in the SOA 
record in terms of the refresh, retry and expire intervals, DNS records 
will instead synchronize around Active Directory along with every other 
type of change.

If you set BIND slaves to master off of just server1 there are no 
problems at all as the serial increases in a predictable and normal way. 
If your BIND slaves off of multiple AD DCs then it will 1) Periodically 
see and complain about (log) older serial numbers, and 2) Perodically 
flip between the zone as reported by the different servers.

However, a lot of this happens if the DCs are sending notifies to BIND 
and BIND is then changing it's mind about which master to use. If you 
only have one DC send notifies then (I believe) BIND will tend to just 
pull updates from that one DC and everybody is happy. If that DC goes 
down then BIND will eventually hit the refresh interval and (if 
configured) try other masters.

Happy weekend all!