On Jul 8, 2008, at 12:32 PM, Kyle McDonald wrote:
> Chris Buxton wrote:
>> 1) Disable recursion. Set up separate recursion servers that know
>> where to find the parent zone(s) (using one or more stub zones).
>> Do not use forwarding. And the servers for the parent zone
>> absolutely should not be doing recursion. (If they are, ask the
>> admins to turn it off, and set up replacement resolving name
>> servers elsewhere.)

> Since the 2 AD/WinDNS servers are the only DNS servers in the
> company (at least they're the ones DHCP configures for resolution on
> all the Windows clients.) I'm betting they are doing recursion. But
> that's not the only thing wrong there I think. (It may be OK but
> seems weird to me that the SOA record on each is different -
> claiming that each is master, and they seem to have slightly
> different info at times.)

Typical behavior for Active Directory. Each server is a master; there
are no slaves. Instead, data is replicated via a back-end database.
The two copies of the zone are different in predictable ways.

Chris Buxton
Professional Services
Men & Mice