On 2018-08-23 14:15, Grant Taylor via bind-users wrote:
On 08/23/2018 01:20 PM, Barry S. Finkel wrote:
Somehow, under the covers, AD synchronizes the zones so that they have
the same content.
It's my understanding that MS-DNS servers hosting AD Integrated zones
are actually functioning as application layer gateways between DNS and
data that's stored in LDAP.
So the case of synchronizing records with different FQDNs is actually
trivial in that different records are being updated in the back end LDAP
and the ALG is simply reading the data and replying to clients.
I don't know how to account for the serial number. I think I've seen
something like an encoded form of the date / time be used. ¯\_(ツ)_/¯
tl;dr: The Active Directory logic for the serial number is simple: Each
update to the zone increments the serial as you expect locally. When DCs
sync they use the highest serial number of either, +1.
Imagine you have 3 (or more) servers, updates happening everywhere. The
is an unknown period of latency between updates, not all DCs receive
updates at the same time, and not all DCs receive updates in the same
order or use the same schedule.
Start off with serial 100.
Server1 updates, increments to serial 101.
Server1 updates, increments to serial 102.
Server1 updates, increments to serial 103.
Server2 updates, increments to serial 102.
Server1 updates, increments to serial 104.
Server3 updates, increments to serial 102.
At this point all three have different views of the zone, with serials
104, 102, 102 respectively.
Server2 and Server3 now sync, highest serial is 102 so both are set to
103. Server1 and Server2 now sync, highest serial is 104 but there are
other changes, so both increment to 105. Eventually Server1 and Server3
sync, highest serial is 105, but no other records have changed so both
agree to 105 and now everything is in sync once again.
Neither Active Directory nor Microsoft DNS care what is in the SOA
record in terms of the refresh, retry and expire intervals, DNS records
will instead synchronize around Active Directory along with every other
type of change.
If you set BIND slaves to master off of just server1 there are no
problems at all as the serial increases in a predictable and normal way.
If your BIND slaves off of multiple AD DCs then it will 1) Periodically
see and complain about (log) older serial numbers, and 2) Perodically
flip between the zone as reported by the different servers.
However, a lot of this happens if the DCs are sending notifies to BIND
and BIND is then changing it's mind about which master to use. If you
only have one DC send notifies then (I believe) BIND will tend to just
pull updates from that one DC and everybody is happy. If that DC goes
down then BIND will eventually hit the refresh interval and (if
configured) try other masters.
Happy weekend all!
_______________________________________________
Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe
from this list
bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users
