Secondary DNS server not authoritative for domain

    Question

  • We changed our company name last year, so instead of completely rebuilding my AD with the new name I added a second domain. The original domain is still our AD domain and now we have the second domain, which allows us to log in with user@newdomain.com instead of user@olddomain.com.

    I've been using FreeBSD BIND as my secondary DNS for Windows 2003 and 2008 for years. Recently I was checking one of my Windows 2008 R2 DNS servers and noticed that my FreeBSD DNS server had a red X under Forward Lookup Zones -> Name Servers tab. The error is "The server with this IP address is not authoritative for the required zone." This error came up under the original domain. If I check the same settings under the new domain it looks fine.

    I verified that I wasn't able to get updates from the FreeBSD machine by running dig olddomain.com axfr, which returned "transfer failed". If I run the same dig command for the new domain it works.

    Both the old and new domain types in Windows 2008 R2 DNS are set to Active Directory-Integrated.

    Thursday, March 29, 2012 18:03

Answers

  • Ace,

    I got it working!

    Not sure which step did it, but here's what I did:

    1.) Deleted/corrected some CNAME records for my secondary Windows 2003 DNS.

    2.) Before, I was opening the DNS MMC for Win2003 from the Win2008R2 console. This time I made all changes to Win2003 DNS from that server's MMC and did the same from Win2008R2. Not sure if opening Win2003 DNS from Win2008R2 corrupted anything in the past, but I won't do that again.

    Now when I go into Win2008R2 DNS and resolve the BIND nameserver I get a nice green check mark. Also, when I go into BIND and run dig for either advocacyinc.org or disabilityrightstx.org it pulls all of the records.

    Thanks for all the suggestions.

    • Marked as answer by Carltonw1 Saturday, March 31, 2012 19:34
    Saturday, March 31, 2012 19:34

All replies


  • Check this link if it helps
    http://www.pl.freebsd.org/doc/handbook/network-dns.html

    If the above is not helpful, I would recommend contacting the Berkeley Internet Name Domain (BIND) vendor to check the same, as this is the Windows DS forum.


    Best Regards,

    Sandesh Dubey.

    MCSE|MCSA:Messaging|MCTS|MCITP:Enterprise Administrator | My Blog

    Disclaimer: This posting is provided "AS IS" with no warranties or guarantees, and confers no rights.

    Thursday, March 29, 2012 19:49
  • Check the Primary Master to make sure the nameserver names and IPs are correct. If necessary, you can delete and recreate the Secondary on your BIND.

    Note: Windows DNS is essentially BIND v4 based with enhancements (AD integrated zones, secure updates using Kerberos to authenticate the registration requests, and more), and acts like a BIND server if used as a Master, as long as zone transfers are enabled, and TCP & UDP 53 are both opened between the two.

    In many cases, there is no harm in deleting the secondary and re-creating it in scenarios such as this. After all, it's just a read-only copy anyway that's being pulled from another server (whether Windows DNS or BIND).

    .


    Ace Fekay
    MVP, MCT, MCITP Enterprise Administrator, MCTS Windows 2008 & Exchange 2007 & Exchange 2010, Exchange 2010 Enterprise Administrator, MCSE & MCSA 2003/2000, MCSA Messaging 2003
    Microsoft Certified Trainer
    Microsoft MVP - Directory Services
    Complete List of Technical Blogs: http://www.delawarecountycomputerconsulting.com/technicalblogs.php

    This posting is provided AS-IS with no warranties or guarantees and confers no rights.



    Thursday, March 29, 2012 20:24
  • Ace,

    I've re-entered the FQDN for the BIND server and IP several times without luck.

    If I recreate the non-working domain on the FreeBSD BIND, will that affect whether Windows DNS allows it to be an authoritative server? I'm just wondering how recreating the zone on the BIND server will have any effect when adding the BIND nameserver to Windows DNS Name Servers.

    thanks,

    Carlton.

    Thursday, March 29, 2012 21:42
  • If it's a secondary on the BIND side coming from Windows, it depends on how you set up the zone to allow zone transfers. Did you allow zone transfers to any server, or to servers only in the nameserver tab, or to specific IP addresses?

    Also, did you check the nameservers tab of the zone?

    In addition, zone transfers require both UDP and TCP 53.

    .

    One more thing, you said this is a new zone that you are zone transferring, the one for your new domain? Are the nameservers registered in the zone?

    .

    Finally, how exactly did you add a new "domain?" Is it a child AD domain under your current forest root domain, or just a new UPN suffix that you added to the list? If a child domain, how did you design DNS between the parent forest root and the child domain? Did you use a delegation with a return forwarder (general or conditional), or is the zone replicated forest wide? Here's what I mean:

    DNS Design Options in a Multi-Domain Forest - How to create a Parent-Child DNS Delegation, and How to Configure DNS to create a new Tree in the Forest
    http://msmvps.com/blogs/acefekay/archive/2010/10/01/dns-parent-child-dns-delegation-how-to-create-a-dns-delegation.aspx

    .


    Ace Fekay
    MVP, MCT, MCITP Enterprise Administrator, MCTS Windows 2008 & Exchange 2007 & Exchange 2010, Exchange 2010 Enterprise Administrator, MCSE & MCSA 2003/2000, MCSA Messaging 2003
    Microsoft Certified Trainer
    Microsoft MVP - Directory Services
    Complete List of Technical Blogs: http://www.delawarecountycomputerconsulting.com/technicalblogs.php

    This posting is provided AS-IS with no warranties or guarantees and confers no rights.


    Thursday, March 29, 2012 21:56
  • Ace,

    Our original AD domain is advocacyinc.org; we changed our name last year and then I added the UPN name disabilityrightstx.org (no child domains). I then added this new domain to Windows DNS and to BIND. I'm able to run dig disabilityrightstx.org axfr from the FreeBSD DNS server and it works. If I run dig advocacyinc.org axfr it fails.

    I've set up zone transfer only from the nameserver tab (verified that this is set up the same for advocacyinc.org and disabilityrightstx.org).

    Port 53 shouldn't be an issue since one of the zones will transfer.

    When you say "Are the nameservers registered in the zone?", I'm guessing that you mean in the nameserver tab?

    Friday, March 30, 2012 0:07
  • I'm still having some minor problems understanding how you "changed out" your AD name last year. It may possibly be due to terminology. I think the terms "domains" and "zones" are being mixed up. AD has a domain. Its domain name is based on a DNS domain name, which is the zone name that a DNS server hosts. The reason I mentioned this is you stated that you added the domain to Windows DNS and to BIND. I assume you meant the zone name itself.

    • Did you perform a migration from a single domain forest into a new single domain forest, such as using ADMT?
    • Did you perform a domain rename?

    .

    So to better understand the current infrastructure, what is your actual AD DNS domain name? Such as, what exactly is the name that shows up when you are looking at ADUC (AD Users & Computers)? Is it disabilityrightstx.org, or is it still advocacyinc.org and you added disabilityrightstx.org as a UPN suffix?

    If you are choosing to use zone transfers based on what is in the nameserver tab of the zone, then the Secondary's FQDN and IP address better be in the nameservers tab, or the Master won't allow the transfer.

    .

    And if you are testing this with DIG AXFR, AXFR is asynchronous transfer and keep in mind, when you run that command, it is literally asking for a zone transfer.

    Also, the way DIG does it, it can use either TCP or UDP. And if you are running this from the BIND server that is supposed to be the Secondary, and it's not giving you the expected results, then I would think one of the ports, TCP 53 or UDP 53, hasn't been allowed, or simply put, the secondary server you are running DIG from is not in the nameservers tab, and it is disallowing the DIG ASYNC request.

    It may also be that the current SOA is not accessible when you are running the DIG tool. Yes, "current" SOA. That's because the SOA changes all day long with AD integrated zones. Since AD Integrated zones are actually Primary zones, one of the features (among other things) is that any DC/DNS is writable. This is due to AD integrated zones' multi-master Primary zone features. And whichever DC/DNS at that moment in time gets a dynamic update request and changes the zone, then it becomes the SOA.

    .

    DIG and AXFR characteristics: (http://cr.yp.to/djbdns/axfr-notes.html)

    • Before sending the AXFR request, the AXFR client usually sends a preliminary SOA request to decide whether it wants to see the AXFR results. This SOA request may be sent through UDP or through TCP.
    • TCP port 53 is simultaneously used by normal (non-AXFR) DNS clients requesting data that did not fit through UDP. A non-AXFR DNS client tries all queries through UDP first; however, if a UDP DNS server sets the "TC" bit in its response, the DNS client tries the query again through TCP.

    .

    Back to your master/secondary transfers, and I'll try to summarize this:

    1. I assume you're saying that both TCP and UDP 53 are open.
    2. I assume that the FQDN and IP address of the BIND FreeBSD box is in the current zone properties on the Windows DNS server.
    3. I assume that both zones, advocacyinc.org & disabilityrightstx.org, are being hosted on the Windows DNS server.
    4. I assume that since you've selected that zone transfers are only allowed to servers in the Nameserver tab of the zone, all intended DNS servers that are meant to be secondaries are in the nameserver tab.

    If the above is correct, then you should be able to get zone transfers working.

    .

    If not, as a test if you allow it to transfer to ANY, does it work?

    Also, try to use a different Windows DNS server, and see if that works.

    .

    advocacyinc.org

    Ace Fekay
    MVP, MCT, MCITP Enterprise Administrator, MCTS Windows 2008 & Exchange 2007 & Exchange 2010, Exchange 2010 Enterprise Administrator, MCSE & MCSA 2003/2000, MCSA Messaging 2003
    Microsoft Certified Trainer
    Microsoft MVP - Directory Services
    Complete List of Technical Blogs: http://www.delawarecountycomputerconsulting.com/technicalblogs.php

    This posting is provided AS-IS with no warranties or guarantees and confers no rights.


    Friday, March 30, 2012 1:02
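The four-point checklist in the reply above (TCP and UDP 53 open, secondary listed in the Name Servers tab, both zones hosted on the master, transfers restricted to listed servers) can be checked from the BIND box by parsing what `dig` prints. The script below is an added example for this thread, not code from the thread, from BIND or from Windows DNS. It assumes the outputs of `dig <zone> axfr @master`, `dig soa <zone> @master` and `dig +tcp soa <zone> @master` as input; the embedded sample outputs are constructed, and the hostnames dc1/ns2/bsd and the 192.0.2.x addresses are made-up placeholders. It also checks one thing the thread only discovers later: that an NS record must not point at a CNAME (RFC 2181 section 10.3).

```python
"""Zone-transfer readiness check for a BIND secondary pulling from a Windows DNS
master. Added example for this thread; it only parses what dig(1) prints."""
import re
import subprocess

# One resource record as dig prints it: OWNER TTL IN TYPE RDATA
RR_RE = re.compile(r'^(\S+)\s+(\d+)\s+IN\s+(\S+)\s+(.+)$')

# Constructed sample of 'dig advocacyinc.org axfr @192.0.2.10' from an allowed
# secondary; dc1/ns2/bsd and the 192.0.2.x addresses are made-up placeholders.
SAMPLE_AXFR_OK = """\
; <<>> DiG 9.8.1-P1 <<>> advocacyinc.org axfr @192.0.2.10
advocacyinc.org.\t3600\tIN\tSOA\tdc1.advocacyinc.org. hostmaster.advocacyinc.org. 2012033001 900 600 86400 3600
advocacyinc.org.\t3600\tIN\tNS\tdc1.advocacyinc.org.
advocacyinc.org.\t3600\tIN\tNS\tns2.advocacyinc.org.
dc1.advocacyinc.org.\t3600\tIN\tA\t192.0.2.10
ns2.advocacyinc.org.\t3600\tIN\tCNAME\tbsd.advocacyinc.org.
bsd.advocacyinc.org.\t3600\tIN\tA\t192.0.2.53
advocacyinc.org.\t3600\tIN\tSOA\tdc1.advocacyinc.org. hostmaster.advocacyinc.org. 2012033001 900 600 86400 3600
;; Query time: 4 msec
"""
# Constructed sample of the same command when the master refuses the request.
SAMPLE_AXFR_REFUSED = """\
; <<>> DiG 9.8.1-P1 <<>> advocacyinc.org axfr @192.0.2.10
; Transfer failed.
"""


def parse_records(dig_output):
    """Return (owner, ttl, type, rdata) tuples from dig output; comment lines
    (';'), 'Transfer failed.' and blank lines are skipped."""
    records = []
    for line in dig_output.splitlines():
        m = RR_RE.match(line.strip())
        if m:
            owner, ttl, rtype, rdata = m.groups()
            records.append((owner.lower(), int(ttl), rtype.upper(), rdata.strip().lower()))
    return records


def axfr_status(dig_output):
    """Classify 'dig <zone> axfr @master': 'refused' (master printed 'Transfer
    failed.', i.e. the requester is not an allowed secondary), 'unreachable'
    (no TCP/53 path), 'ok' (SOA first and last = complete zone) or 'partial'."""
    if 'Transfer failed' in dig_output:
        return 'refused'
    if 'connection timed out' in dig_output or 'no servers could be reached' in dig_output:
        return 'unreachable'
    recs = parse_records(dig_output)
    if len(recs) >= 2 and recs[0][2] == 'SOA' and recs[-1][2] == 'SOA':
        return 'ok'
    return 'partial'


def soa_reachability(soa_over_udp, soa_over_tcp):
    """'dig soa <zone> @master' (UDP) and 'dig +tcp soa <zone> @master' must both
    answer: the preliminary SOA check may use UDP/53, the AXFR itself is TCP/53."""
    return {'udp53': any(r[2] == 'SOA' for r in parse_records(soa_over_udp)),
            'tcp53': any(r[2] == 'SOA' for r in parse_records(soa_over_tcp))}


def transfer_findings(zone, zone_records, secondary_fqdn, secondary_ip):
    """Apply the thread's checklist to a parsed zone listing; returns a list of
    problems (empty means the listing gives no reason for a refused transfer)."""
    zone = zone.lower().rstrip('.') + '.'
    fqdn = secondary_fqdn.lower().rstrip('.') + '.'
    ns_targets = {r[3] for r in zone_records if r[0] == zone and r[2] == 'NS'}
    cname_owners = {r[0] for r in zone_records if r[2] == 'CNAME'}
    a_by_owner = {}
    for owner, _ttl, rtype, rdata in zone_records:
        if rtype == 'A':
            a_by_owner.setdefault(owner, set()).add(rdata)
    findings = []
    # 1. With transfers limited to "servers listed on the Name Servers tab", the
    #    secondary must be in the zone's NS set.
    if fqdn not in ns_targets:
        findings.append(f'{fqdn} is not an NS for {zone}; master will refuse AXFR')
    # 2. The master matches the requester by source IP, so the NS name must own
    #    an A record for the address the BIND box transfers from.
    elif secondary_ip not in a_by_owner.get(fqdn, set()):
        findings.append(f'{fqdn} has no A record for {secondary_ip} in the zone')
    # 3. NS targets must be hostnames, not aliases (RFC 2181 section 10.3); stray
    #    CNAMEs on name-server names are what the poster ended up cleaning out.
    for target in sorted(ns_targets & cname_owners):
        findings.append(f'NS target {target} is a CNAME; point NS at a name with an A record')
    return findings


def dig(*args):
    """Run dig(1) for a live check, e.g. dig('advocacyinc.org', 'axfr', '@192.0.2.10')."""
    return subprocess.run(['dig', *args], capture_output=True, text=True, check=False).stdout


if __name__ == '__main__':
    print('allowed secondary:', axfr_status(SAMPLE_AXFR_OK))
    print('refused secondary:', axfr_status(SAMPLE_AXFR_REFUSED))
    for problem in transfer_findings('advocacyinc.org', parse_records(SAMPLE_AXFR_OK),
                                     'ns2.advocacyinc.org', '192.0.2.53'):
        print('  -', problem)
```

For a live check, replace the sample strings with `dig(zone, 'axfr', '@<master-ip>')` run on the FreeBSD box, and pass `dig('soa', zone, '@<master-ip>')` and `dig('+tcp', 'soa', zone, '@<master-ip>')` to `soa_reachability`; a `udp53` of True with `tcp53` of False is the firewall case the reply describes, while `refused` with the secondary missing from `transfer_findings` is the Name Servers tab case. The constructed sample deliberately has the BIND box reachable only through a CNAME, which is the kind of record the original poster later deleted.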
  • Ace,

    You're right, that's not very clear. Last year we added the UPN name disabilityrightstx.org, but the original AD domain was not affected, so the AD domain remains advocacyinc.org. At that time we also added the zone disabilityrightstx.org to our Windows DNS servers. I also added this zone to the named.conf file in FreeBSD. I've verified that my FreeBSD server is in the Nameserver tab on the two Windows DNS servers that FreeBSD is pulling from.

    For the four questions you have: yes to all of them.

    I allowed all as you suggested from my primary DNS and still could not get dig advocacyinc.org axfr to work (the FreeBSD server in the Nameserver tab still shows the error).

    When I opened the Nameserver tab (advocacyinc.org and disabilityrightstx.org) on another Windows DNS server, the FreeBSD server IP address shows "Validation not supported."

    From the Nameserver tab in my primary Windows DNS, the FreeBSD IP address is okay (shows a green check mark) for disabilityrightstx.org.

    Friday, March 30, 2012 16:24
  • Interesting you're getting the following:

    When I opened the Nameserver tab (advocacyinc.org and disabilityrightstx.org) on another Windows DNS server, the FreeBSD server IP address shows "Validation not supported."

    I assume this is from the 2008 R2 DNS server? I would suggest that in a mixed environment, you manage DNS with the lowest operating system version, due to the difference in DNS features between 2008 R2 and older versions. I've seen issues when trying to administer it with the newer version, inadvertently invoking features that don't exist in the older version.

    So if you tried this from a 2008 or 2003 DNS, does it work?

    .

    Also, just to eliminate the possibility of a dupe zone, take a quick peek at ADSI Edit:

    Using ADSI Edit to Resolve Conflicting or Duplicate AD Integrated DNS zones
    http://msmvps.com/blogs/acefekay/archive/2009/09/02/using-adsi-edit-to-resolve-conflicting-or-duplicate-ad-integrated-dns-zones.aspx


    Ace Fekay
    MVP, MCT, MCITP Enterprise Administrator, MCTS Windows 2008 & Exchange 2007 & Exchange 2010, Exchange 2010 Enterprise Administrator, MCSE & MCSA 2003/2000, MCSA Messaging 2003
    Microsoft Certified Trainer
    Microsoft MVP - Directory Services
    Complete List of Technical Blogs: http://www.delawarecountycomputerconsulting.com/technicalblogs.php

    This posting is provided AS-IS with no warranties or guarantees and confers no rights.


    Friday, March 30, 2012 16:41
  • Glad to hear it's working.

    If you ask me, it was probably a combination of things, including CNAMEs (I've always tried to avoid CNAMEs), and trying to manage Windows 2003 DNS from the newer Windows 2008 R2 DNS console. As I pointed out, it's something we do not recommend. This is because Windows 2008 R2 has newer features that Windows 2003 does not support.

    Rule of thumb -> In a mixed DNS version environment, always manage all DNS servers from the oldest installed operating system's DNS console. This also includes the machine with the oldest Service Pack level.

    But glad to hear it's working, and you're welcome for the suggestions!

    Ace


    Ace Fekay
    MVP, MCT, MCITP Enterprise Administrator, MCTS Windows 2008 & Exchange 2007 & Exchange 2010, Exchange 2010 Enterprise Administrator, MCSE & MCSA 2003/2000, MCSA Messaging 2003
    Microsoft Certified Trainer
    Microsoft MVP - Directory Services
    Complete List of Technical Blogs: http://www.delawarecountycomputerconsulting.com/technicalblogs.php

    This posting is provided AS-IS with no warranties or guarantees and confers no rights.


    Sunday, April 1, 2012 1:19