DNS Secondary Zone - Timeout occurred during validation

  • Question

  • Hi,

    We are setting up new external, non AD-integrated DNS servers. The setup is like this:

    1 Master server - VM on-premises

    1 Secondary server - VM in Azure (on ExpressRoute)

    They are both Windows Server 2016.

    Firewalls configured to allow both ping and TCP/UDP 53.

    Each server can telnet to port 53 and ping each other.

    Here is the problem:

    - I set up a primary zone on the master server (on-premises)

    - Zone transfer is set to be allowed for servers listed in the Name Servers tab

    - On the secondary server (Azure), I set up a slave zone, pointing to the master server for zone transfer.

    - I get the error: A timeout occurred during validation

    - No error in the DNS logs in Event Viewer

    - Zone status: Zone not loaded by DNS server - The server encountered a problem while attempting to load the zone. The transfer from the master server failed.

    However, it is working the other way around:

    - Creating a primary zone on Azure server

    - Add the on-premises server to the name server list

    - I get the same validation error as above

    - Create a secondary zone on the on-premises server, pointing to the Azure server as master.

    - Validation OK.

    Zone transfer seems OK, although it updates according to the Refresh interval set on the SOA record, and not almost instantly as it normally should.

    Our WAN guys set up packet sniffing, but could not see any zone transfer traffic from the master server to Azure. I guess no zone transfer traffic is generated when the zone hasn't been validated.

    What exactly happens, and what kind of traffic is generated during validation of the master server?


    Thomas


    Thursday, March 22, 2018 1:40 PM
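The following PowerShell is an added troubleshooting example written by the editor; it is not code from the thread or from Microsoft. It separates the three distinct flows involved: the wizard's validation step, which is an SOA query from the secondary to the master (UDP 53 first); the transfer itself (AXFR/IXFR over TCP 53, secondary to master); and DNS NOTIFY, which travels in the opposite direction (master to secondary, UDP 53) and is what makes updates near-immediate instead of waiting for the SOA refresh interval. A successful telnet to port 53 only proves TCP, so the script tests the UDP and TCP paths separately. The zone name, both IP addresses and the `-ApplyFix` switch are hypothetical placeholders; the DnsServer cmdlets used are the standard RSAT module shipped with the Windows Server 2016 DNS role.

```powershell
<#
  Editor's added example, not from the original thread.
  ZoneName, MasterIp and SecondaryIp are assumed placeholder values.
  Run on a host with the DnsServer RSAT module and admin rights on both servers.
#>
param(
    [string]$ZoneName    = 'example.com',   # hypothetical zone
    [string]$MasterIp    = '10.0.0.10',     # hypothetical on-premises master
    [string]$SecondaryIp = '10.1.0.10',     # hypothetical Azure secondary
    [switch]$ApplyFix                       # hypothetical: rewrite master policy (step 6)
)

# 1. TCP 53 reachability. This is all that "telnet to port 53" proves.
$tcp = Test-NetConnection -ComputerName $MasterIp -Port 53 -WarningAction SilentlyContinue
"TCP 53 to master: {0}" -f $tcp.TcpTestSucceeded

# 2. SOA query for the zone, first over UDP (the path the wizard's validation
#    uses), then forced over TCP. UDP timeout + TCP success points at a
#    firewall/NSG that passes TCP 53 but drops UDP 53 in one direction.
foreach ($mode in 'UDP', 'TCP') {
    $q = @{ Name = $ZoneName; Type = 'SOA'; Server = $MasterIp; DnsOnly = $true; ErrorAction = 'Stop' }
    if ($mode -eq 'TCP') { $q['TcpOnly'] = $true }
    try {
        $soa = Resolve-DnsName @q | Where-Object Type -eq 'SOA'
        "SOA over {0}: serial {1}, refresh {2}s, primary {3}" -f $mode,
            $soa.SerialNumber, $soa.TimeToZoneRefresh, $soa.PrimaryServer
    } catch {
        "SOA over {0}: FAILED ({1})" -f $mode, $_.Exception.Message
    }
}

# 3. Master-side transfer policy. Transfers are only honoured for the
#    secondaries the policy names; NOTIFY is a separate setting and goes
#    master -> secondary, so it needs its own firewall rule in that direction.
$z = Get-DnsServerZone -ComputerName $MasterIp -Name $ZoneName
"Master policy: SecureSecondaries={0} SecondaryServers={1} Notify={2} NotifyServers={3}" -f
    $z.SecureSecondaries, ($z.SecondaryServers -join ','), $z.Notify, ($z.NotifyServers -join ',')

# 4. When SecureSecondaries is TransferToZoneNameServer, the secondary must be
#    reachable through an NS record at the zone apex. NS targets are hostnames,
#    so resolve each one and compare addresses rather than names.
$nsNames = (Get-DnsServerResourceRecord -ComputerName $MasterIp -ZoneName $ZoneName -RRType NS -Name '@').RecordData.NameServer
$nsIps = foreach ($n in $nsNames) {
    (Resolve-DnsName -Name $n -Type A -Server $MasterIp -ErrorAction SilentlyContinue).IPAddress
}
"NS targets resolve to: {0}" -f ($nsIps -join ',')
"Secondary {0} covered by an NS record: {1}" -f $SecondaryIp, ($nsIps -contains $SecondaryIp)

# 5. Force a full transfer on the secondary and read its transfer timestamps.
#    IsShutdown=True with an old LastSuccessfulZoneTransfer is the PowerShell
#    view of "Zone not loaded by DNS server" in the console.
Start-DnsServerZoneTransfer -ComputerName $SecondaryIp -Name $ZoneName -FullTransfer
Start-Sleep -Seconds 5
Get-DnsServerZone -ComputerName $SecondaryIp -Name $ZoneName |
    Select-Object ZoneName, IsShutdown, MasterServers,
                  LastZoneTransferAttempt, LastSuccessfulZoneTransfer, LastSuccessfulSoaCheck

# 6. Least-privilege fix on the master: transfer only to the named secondary
#    and notify it explicitly, instead of "any server" or relying on the NS tab.
if ($ApplyFix) {
    Set-DnsServerPrimaryZone -ComputerName $MasterIp -Name $ZoneName `
        -SecureSecondaries TransferToSecureServers -SecondaryServers $SecondaryIp `
        -Notify NotifyServers -NotifyServers $SecondaryIp
    "Master policy updated: transfer and notify restricted to $SecondaryIp"
}
```

Reading the output: if step 2 fails over UDP but succeeds over TCP, the validation timeout is a UDP filtering problem between the two networks and no zone transfer will be attempted until the SOA check succeeds, which is consistent with the WAN team seeing no transfer traffic. If both SOA queries succeed but step 5 stays shut down, look at step 3 and 4: the master is refusing the AXFR because the secondary is not in its allowed list. Updates that only arrive at the refresh interval, with transfers otherwise healthy, mean NOTIFY is either disabled on the master or blocked in the master-to-secondary direction.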

All replies

  • Hi,

    Thanks for your question.

    Based on my experience, please try the following suggestions to see if it works.

    1. Check the Name Servers tab on both DNS servers. Please make sure "on-premises" and "Azure" were both added in the tab.
    2. Please select Allow zone transfers to any server for testing at your convenience, and then let me know the result.
    3. Check the SOA record on both servers and make sure they are consistent, e.g. the Refresh interval, as in the following exhibit.
    4. Have you configured DNSSEC on the DNS servers?
    5. Did you set up NIC teaming or multiple NICs of the secondary DNS "Azure" in the same subnet?

    Here is a link related to this issue; please refer to the "Checkpoint Firewall and AD, DNS and RPC Communications and Replication traffic" section. It may be helpful.

    https://blogs.msmvps.com/acefekay/2011/11/01/active-directory-firewall-ports-let-s-try-to-make-this-simple/

    I hope the above information is helpful. I look forward to hearing your good news.

    Highly appreciate your effort and time. If you have any questions and concerns, please feel free to let me know.

    Best regards,  

    Michael


    Please remember to mark the replies as answers if they help.
    If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com

    Friday, March 23, 2018 6:59 AM
  • Hi,

    How are things going? Was your issue resolved?

    Please let us know if you would like further assistance.

    Wish you a nice day!

    Best regards,

    Michael



    Monday, March 26, 2018 9:34 AM
  • Hi Michael,

    Sorry for late update

    We have not set up DNSSEC, and the zone transfer settings are correct. No NIC teaming nor multiple NICs either. We eventually ended up moving the on-premises server to another network and it's working there. Strange, as we couldn't identify what the problem was where it was placed previously.


    Thomas

    Wednesday, March 28, 2018 8:11 AM
  • Hi,

    I am glad to hear that you resolved the issue by yourself. I really appreciate your ability to troubleshoot, analyze the issue and find the correct solutions. 

    If there is anything else we can do for you, please feel free to post in the forum.

    Wish you a nice day!

    Best regards,

    Michael




    Wednesday, March 28, 2018 8:19 AM