Power shell to create a secondary DNS zone and allow zone transfer on primary RRS feed

  • Question

  • Hi,

    I am looking for power shell commands to do the following: 

    1) Allow zone transfer on master to a list of servers

    I used the below command: 

     Set-DnsServerPrimaryZone -Name ""-SecureSecondaries TransferToSecureServers -SecondarySe
    rvers <IP address>

    This is working but in my production environment the zone in question is AD integrated.Do we need to use the above command for AD integrated zones as well? Also, when I execute this command with IP address of secondary server1 , that server gets added to the 'only to the following servers' section in zone transfer.But, when I execute it again with IP address of secondary server2, the secondary server1 IP is removed for the list and only secondary server2 IP is present.Is there a way to add new secondary servers without removing the ones that have already been added?

    2) Next I tried to create a secondary zone on the secondary server which will receive the zone from the primary using the Add-DnsServerSecondaryZone command but I am getting the below error: 

    PS C:\Users\Administrator> Add-DnsServerSecondaryZone -Name "" -ZoneFile "" -MasterServers <Master server IP>
    Add-DnsServerSecondaryZone : Failed to create zone on server.
    At line:1 char:1
    + Add-DnsServerSecondaryZone -Name "" -ZoneFile "" -M ...
    + ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
        + CategoryInfo          : NotSpecified: ( [Add-DnsServerSecondaryZone],
        + FullyQualifiedErrorId : WIN32 1722,Add-DnsServerSecondaryZone

    Any idea why I am seeing this error?



    • Moved by jrv Friday, September 14, 2018 11:46 AM Better forum
    Friday, September 14, 2018 11:16 AM

All replies

  • Win32 1722 - RPC service unavailable


    Friday, September 14, 2018 11:43 AM
  • Hi,

    I checked RPC and RPC endpoint mapper in services and its running.Also , the firewall is off and registry entries look good.Anything else I can try to rectify this?

    Friday, September 14, 2018 12:05 PM
  • If the DNS server is remote then you will not be able to do this due to second hop restrictions.


    Friday, September 14, 2018 12:11 PM
  • Hi JV,

    Thank you for your response.

    Any idea on point 1) in my original message?

    Should we use  Set-DnsServerPrimaryZone command to allow zone transfers for AD integrated zones as well?

    And why does this command remove one secondary server when I try to add another secondary server ( to which zone transfer can be allowed)?



    Friday, September 14, 2018 2:15 PM
  • AD manages its own zones.  To create a second or third AD DNS service just install DNS on a DC and configure as an AD integrated DNS server.


    Friday, September 14, 2018 7:35 PM
  • By default, AD integrated zones are configured to not allow zone transfers. Allowing zone transfers is an option provided to support non-DC DNS servers, BIND or any other name brand DNS server that you want to allow zone transfers to a secondary on those servers,

    Do you have any non-DC DNS? 

    • Edited by Ghasem Shams Saturday, September 15, 2018 1:45 PM
    Saturday, September 15, 2018 1:44 PM
  • Hi,

    Yes, we have a non DC DNS server which we plan on configuring as secondary DNS getting the zone from the primary -an AD integrated DNS server.I came across the below powershell command to allow zone transfer on a primary zone , but I am not sure if the same should be used for an AD integrated zone: 

    Set-DnsServerPrimaryZone -Name ""-SecureSecondaries TransferToSecureServers -SecondarySe
    rvers <IP address>

    Also, this command overwrites the existing secondary servers (to which zone transfers are allowed) with the new ones specified in the command.Is there a way to prevent that?

    Monday, September 17, 2018 9:19 AM
  • If you are using a third-party DNS server, you must also perform manual configuration. For information about issues related to configuring DNS when you are using a third-party DNS server, see "Configuring Non-Windows 2000 DNS Servers to Support Active Directory" later in this chapter.


    Monday, September 17, 2018 11:51 AM
  • The secondary DNS server in our setup is MS only, just that it is not a domain controller.The aim is to allow a zone transfer to it from a domain controller DNS server.
    Monday, September 17, 2018 1:27 PM
  • So I have already allowed zone transfer from a MS DC DNS server to a MS non DC DNS server with IP address 'a' using GUI.

    Now when I allow zone transfer from the same source to another MS non DC DNS server say 'b' using the below powershell command, server 'a' is removed and replaced by 'b' in GUI (in the 'allow to the below servers' section)

    Set-DnsServerPrimaryZone -Name ""-SecureSecondaries TransferToSecureServers -SecondarySe
    rvers b

    Anyway to stop this from happening ? I want to allow zone transfer to both a and b.

    Wednesday, September 19, 2018 6:48 PM