This is a discussion on Re: Upgrade to 2000 DNS or stay with Unix Bind (Coexistence) ? within the Bind Users forums, part of the DNS and Related Forums category.
Jonathan de Boyne Pollard <J.deBoynePollard@tesco.net> wrote, in part:
>Of course, Microsoft's DNS server does have features that ISC's BIND does not
>and that may be desirable benefits to some; such as multi-master database
>replication, for example.

There may be serial number problems if you use a W2k multi-master and BIND slaves. See Q282826 for details on how the MS code updates serial numbers in a multi-master configuration. I posted this on Mon, 12 Mar 2001 09:22:53 -0600 (CST):

I believe that MS does not fully understand DNS; MS does not treat the SOA record with its embedded serial number as an integral part of the zone.

Assume you have an AD-integrated zone and three DCs. If updates to the zone arrive simultaneously at each of the three DCs, the internal MS AD synchronization code will place a timestamp on each DDNS update. Eventually (I am not sure of the timeframe), each of the updates will be propagated to the other two DNS servers. At the end of the process each of the three DNS servers will have all three DDNS updates reflected in its zone. But in the process MS will have "trashed" the serial number.

If the three copies of the zone had serial number 5 (for example) before the three DDNS updates arrived, during the DDNS process each of the DNS servers will increment the serial by 1. We now have one zone on three DNS servers - each server has the same serial number but different contents. What happens next depends upon how you have configured the BIND slave.

If you have treated ONE of the MS DNS servers as the master, then that master will probably notify the BIND slave and transfer serial number 6, with one of the three DDNS updates. When the other two DDNS updates are synchronized with the master, I have no idea what the eventual serial number will be. It might remain at 6, as the other two AD DNS servers had serial number 6 for that zone. Or it might increase to 8, as there are now two new DDNS updates to that zone. If the serial remains at 6, then the two new DDNS updates will not be transferred to the BIND slave. If the serial number increases to 8, then the new information will be transferred.

If you have configured the BIND slave to treat each of the three MS DNS servers as a master, then (I believe) BIND will always transfer from the first master in the named.conf file. If that server is unavailable, then BIND will try the second, and if necessary the third. Exactly what updates from the three DDNS updates above get transferred to the slave is anyone's guess. In this multi-master environment the second master could have a lower serial number than the first master, and if the first master is unavailable, BIND will attempt to transfer from the second master and see a lower serial number.

MS has acknowledged that the serial numbers can decrease if one is running a multi-master configuration. I have not seen a Technet article, but I assume that this behavior is not considered serious by MS, and it cannot be fixed without extensive modification to the AD replication code.

----------------------------------------------------------------------
Barry S. Finkel
Computing and Instrumentation Solutions Division
Argonne National Laboratory          Phone: +1 (630) 252-7277
9700 South Cass Avenue               Facsimile:+1 (630) 252-4601
Building 222, Room D209              Internet: BSFinkel@anl.gov
Argonne, IL 60439-4828               IBMMAIL: I1004994
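
The single-master case described in the post above, as an added simulation that is not part of the original post or of any vendor's code. The `Master` and `Slave` classes, server names and records are constructed for illustration; the slave applies the standard SOA refresh check with RFC 1982 serial comparison, and because the post says the serial after AD replication is unknown, both outcomes (6 and 8) are run.

```python
# Added illustration: simulates the scenario described in the post.
# Zone contents and server names are constructed; the slave logic is the
# standard SOA refresh check using RFC 1982 serial arithmetic.

def serial_gt(a, b):
    """True if 32-bit serial a is newer than b under RFC 1982."""
    return a != b and ((a - b) & 0xFFFFFFFF) < 0x80000000

class Master:
    def __init__(self, name, serial, records):
        self.name, self.serial, self.records = name, serial, set(records)

    def ddns_update(self, record):
        # Per the post: each DC applies its own update and bumps the serial by 1.
        self.records.add(record)
        self.serial += 1

class Slave:
    def __init__(self, serial, records):
        self.serial, self.records = serial, set(records)

    def refresh(self, master):
        # A slave transfers only when the master's SOA serial is newer.
        if serial_gt(master.serial, self.serial):
            self.serial, self.records = master.serial, set(master.records)
            return True
        return False

def run(serial_after_replication):
    base = {"www A"}
    dcs = [Master(n, 5, base) for n in ("dc1", "dc2", "dc3")]
    slave = Slave(5, base)
    for dc, rec in zip(dcs, ("host1 A", "host2 A", "host3 A")):
        dc.ddns_update(rec)                      # simultaneous updates
    same_serial = len({dc.serial for dc in dcs}) == 1
    differ = len({frozenset(dc.records) for dc in dcs}) > 1
    slave.refresh(dcs[0])                        # NOTIFY from dc1 at serial 6
    merged = set().union(*(dc.records for dc in dcs))
    for dc in dcs:                               # AD replication converges
        dc.records = set(merged)
        dc.serial = serial_after_replication     # outcome unknown per the post
    transferred = slave.refresh(dcs[0])
    return same_serial, differ, transferred, slave.records == merged

if __name__ == "__main__":
    for final in (6, 8):
        print(final, run(final))
```

Each result tuple is (masters share a serial, masters differ in content, second transfer happened, slave matches the converged zone). Comparing the SOA serial alone cannot reveal the stale slave in the first outcome, so a monitoring check would also need to compare zone contents.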