Active Directory-integrated DNS zone serial number behavior

When a DNS server receives an update directly (either from the administrator, or through dynamic updates) its serial number always increases.

When a DNS server receives an update through Active Directory replication:

• If the serial number that is specified in the Start of Authority (SOA) record of the replicated copy of the zone (referred to later as replicated serial number) is higher than the serial number that is specified in the SOA record of the local copy of the zone (referred to later local serial number), the local serial number is set to the replicated serial number.
• If the replicated serial number is the same or lower than the local serial number, and the local DNS server is configured to not allow zone transfer of the zone, the local serial number is not changed.
• If the local DNS server is configured for zone transfer of this zone, then the local serial number is incremented if the local zone (with the local serial number) was transferred to other DNS server(s) because its most recent update previous to the current update replicated through the AD replication. Otherwise (i.e. if the most recent copy of the zone with the current local serial number was not replicated from the local DNS server to any DNS server), the local serial number is not changed.

In a scenario where a third-party DNS server is configured as secondary for an Active Directory-integrated zone, the first (preferred) master server becomes unavailable, and the secondary server attempts a zone transfer from another primary server for the zone, then the secondary DNS server (by using IXFR) may not notice that the zone was updated if the serial number of the zone is lower on the latter primary server. In this scenario, the secondary successfully performs zone transfer after the primary's serial number becomes greater than the serial number in the SOA record in the zone on the secondary server.

Note The multiple-master replication behavior of an Active Directory-integrated Domain Name System (DNS) zone can cause inconsistencies with serial numbers of the zone across multiple DNS servers. It is not possible to retrieve information (pull or source) from multiple Active Directory-integrated primary DNS servers to a secondary DNS server for the same Active Directory-integrated zone. This was possible and frequently done with conventional single-master DNS. However, because serial numbers are maintained separately on each Active Directory-integrated DNS server, the mechanism for determining whether the secondary DNS server has the most-recent copy may will fail.