Re: Problems with zone transfers




<wedidwtc@xxxxxxxxx> wrote in message
news:1128105423.569778.147830@xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
> I must be doing something silly, but I can't figure out what it is that
> I've done wrong.
>
> Some background:
>
> Unless otherwise specified, it's all Win2k Server.
>
> I have an Active Directory running at ad.mydomain.net.
>
> I also have a primary DNS server for mydomain.net which is separate
> from my AD. Previously, I also had a secondary DNS server running, but
> recently my work has finally started buying licenses for Win2k3, so my
> first place to test it was on the secondary DNS server.
>
> The problem:
>
> I backed up, installed Win2k3, went to set up a nice new secondary DNS
> server for my primary DNS and noticed that I couldn't get it to work.
>
> The error I get in the management console (DNS -> servername -> Forward
> Lookup Zones -> mydomain.net) is Zone Not Loaded by DNS Server, like it
> says here:
> http://support.microsoft.com/default.aspx?scid=kb;en-us;816518&Product=winxp
>
> So I thought, "maybe it's because the Win2k3 server is now attached to
> my AD." (which the primary DNS server is not).

? huh?

Zone transfers FROM AD-Integrated DNS servers are quite possible.


> I did a full reinstall
> without connecting it to my domain, but ended up with the same problem.

That was flailing. If you ARE going to re-install a broken
operating system then it is almost always preferable to do
a "repair install" (original CD, install in same directory,
ENSURE that you are asked and agree to REPAIR.)

> This made me think I was having issues with Win2k3 connecting to Win2k,

What made you think that? Could you ping?

Could you run "nslookup SomeComputer.domain.com"?

Is there a firewall between computers OR ON the DNS server?

Is the DNS server ALLOWING Zone transfers (MMC DNS
console properties for the zone)?

If it IS ALLOWING zone transfers, is it restricting those transfers
to ONLY certain addresses OR to only zone DNS servers?

> so I tried another Win2k server, set up DNS, tried to get it to work
> and it failed too. Now remember, before I reinstalled my secondary DNS
> server, it was working just fine.
>
> Other things:
>
> Using nslookup and doing "ls mydomain.net" works just fine.

Then zone transfers will work to that same machine from that
same server.

LS counts as (is, in fact) a zone transfer.

Is the "ls" coming from the same client and being resolved at
the SAME server?

BTW, you should have mentioned the ls results BEFORE going
into all that irrelevant "re-install" stuff.

> On the
> primary DNS server, I get a "successfully completed transfer" message
> (Event ID 6001). I've also tried dig on an OSX laptop, which succeeds
> fine (in testing, I changed from allowing zone transfers only to the
> secondary DNS to "allow zone transfers...to any server").

Keep it simple and tell us if you can do a zone transfer AND/OR
an LS to the SAME machine?

That you can LS from the Primary proves the primary allows
zone transfers in GENERAL, and if you can do it to the same
secondary DNS server that is having trouble this pretty much
eliminates Firewalls and the Zone transfer restrictions and
places the blame/attention on the Secondary.

You might try the obvious and make sure the secondary "master"
is actually set to the SAME "IP Address" that the DNS Primary
is servicing.

> There's nothing in the event logs on the secondary DNS server to
> indicate a failure in transfer.
>
> What am I missing? Things should just magically work, right? ;) I'm

Right. With the caveats of "allow zone transfers" (generally or
specifically) and watching out for "intervening firewalls".

> trying to avoid redoing my primary DNS server because it does a few
> other things too and it would be bad to take out the primary DNS
> without having a secondary DNS seeing as how people need it.

There is ZERO reason to re-install the Primary based on this report.

> I've checked a lot of other things, not sure what else I should mention
> that might help.

Simple tests. Done methodically. Reported explicitly.


--
Herb Martin, MCSE, MVP
Accelerated MCSE
http://www.LearnQuick.Com
[phone number on web site]
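The checks Herb lists above (is the primary allowing zone transfers at all, and is it restricting them to the intended secondary only) can be verified without nslookup's "ls" or dig by speaking the AXFR request directly. The following Python script is an added example for this thread, not code from either poster; it frames an AXFR query over TCP, parses the answer, and reports whether the server transferred the zone, answered REFUSED (the expected result from an address that is not on the allowed list), or answered NOTAUTH. The server address, the zone name `mydomain.net`, and the two sample responses at the bottom are constructed for illustration; the real test is `probe_axfr(<primary-ip>, "mydomain.net")` run once from the secondary's address and once from an address that should be denied.

```python
import socket
import struct

SOA, A, AXFR, IN = 6, 1, 252, 1  # DNS type/class codes used below


def encode_name(name):
    """Encode a dotted name as DNS wire-format labels (no compression)."""
    labels = [l.encode("ascii") for l in name.rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l for l in labels) + b"\x00"


def build_axfr_query(zone, txid=0x1234):
    """Build a TCP-framed AXFR query: 2-byte length prefix + DNS message."""
    header = struct.pack("!HHHHHH", txid, 0x0000, 1, 0, 0, 0)  # plain query, RD=0
    question = encode_name(zone) + struct.pack("!HH", AXFR, IN)
    msg = header + question
    return struct.pack("!H", len(msg)) + msg


def _skip_name(buf, off):
    """Return the offset just past the name at `off` (handles compression pointers)."""
    while True:
        length = buf[off]
        if length & 0xC0 == 0xC0:  # a 2-byte pointer terminates the name
            return off + 2
        if length == 0:
            return off + 1
        off += 1 + length


def parse_dns_message(msg):
    """Return (rcode, [answer RR types]) for one DNS message without its length prefix."""
    _txid, flags, qd, an, _ns, _ar = struct.unpack_from("!HHHHHH", msg, 0)
    rcode = flags & 0x000F
    off = 12
    for _ in range(qd):
        off = _skip_name(msg, off) + 4  # skip QTYPE + QCLASS
    types = []
    for _ in range(an):
        off = _skip_name(msg, off)
        rtype, _rclass, _ttl, rdlen = struct.unpack_from("!HHIH", msg, off)
        off += 10 + rdlen
        types.append(rtype)
    return rcode, types


def classify(rcode, types):
    """Map the transfer outcome to allowed / refused / not-authoritative / unexpected."""
    if rcode == 5:
        return "refused"
    if rcode == 9:
        return "not-authoritative"
    if rcode == 0 and len(types) >= 2 and types[0] == SOA and types[-1] == SOA:
        return "allowed"  # a complete transfer starts and ends with the SOA record
    return "unexpected"


def _recv_exact(sock, n):
    data = b""
    while len(data) < n:
        chunk = sock.recv(n - len(data))
        if not chunk:
            raise ConnectionError("connection closed mid-message")
        data += chunk
    return data


def probe_axfr(server, zone, port=53, timeout=5.0):
    """Ask `server` for a full transfer of `zone` over TCP and classify the result."""
    with socket.create_connection((server, port), timeout=timeout) as sock:
        sock.sendall(build_axfr_query(zone))
        types = []
        while True:  # a transfer may be split across several DNS messages
            (length,) = struct.unpack("!H", _recv_exact(sock, 2))
            rcode, msg_types = parse_dns_message(_recv_exact(sock, length))
            if rcode != 0:
                return classify(rcode, [])
            types.extend(msg_types)
            if len(types) >= 2 and types[-1] == SOA:  # closing SOA: transfer complete
                return classify(0, types)


# Constructed sample responses (hypothetical; not captured from a real server).
def _rr(name, rtype, rdata, ttl=3600):
    return name + struct.pack("!HHIH", rtype, IN, ttl, len(rdata)) + rdata

_PTR = b"\xC0\x0C"  # compression pointer to the question name at offset 12
_QUESTION = encode_name("mydomain.net") + struct.pack("!HH", AXFR, IN)
_SOA_RDATA = (encode_name("ns1.mydomain.net") + encode_name("hostmaster.mydomain.net")
              + struct.pack("!IIIII", 2005092801, 3600, 600, 86400, 3600))

# A primary that allows the transfer: SOA, records, SOA, RCODE 0.
SAMPLE_ALLOWED = (struct.pack("!HHHHHH", 0x1234, 0x8400, 1, 3, 0, 0) + _QUESTION
                  + _rr(_PTR, SOA, _SOA_RDATA)
                  + _rr(_PTR, A, bytes([192, 0, 2, 10]))
                  + _rr(_PTR, SOA, _SOA_RDATA))
# A primary that restricts transfers: empty answer, RCODE 5 (REFUSED).
SAMPLE_REFUSED = struct.pack("!HHHHHH", 0x1234, 0x8405, 1, 0, 0, 0) + _QUESTION

if __name__ == "__main__":
    for label, sample in (("allowed", SAMPLE_ALLOWED), ("refused", SAMPLE_REFUSED)):
        print(label, "->", classify(*parse_dns_message(sample)))
```

Reading the result the way Herb's questions frame it: "allowed" from the secondary's own address but "refused" from any other host is the configuration you want; "allowed" from everywhere means the zone is set to transfer "to any server" (as the poster temporarily did while testing) and exposes the whole zone listing; "refused" from the secondary itself points at the zone's transfer restriction or the secondary's configured master address rather than at a firewall.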
