DNS Secondary zone transfer appears to fail but then writes new version of zone that it complained of failing.

    Question

  • Currently we have two separate domains with a two-way external trust in place. Each domain (DC) has a secondary copy of the other domain's AD-integrated DNS zone. We added two new domain controllers/DNS servers and confirmed that the remote DCs are set up to allow zone transfers to the new DCs. What is strange is that on one of the new DCs, I'm getting an error when I run the Best Practices Analyzer: it complains that "DNS: Zone 'zonename' transfers from the primary to the secondary DNS server must be successful". I look in the DNS event log on the new server and it basically confirms that the zone transfer request for the secondary zone was refused by the master DNS server on the remote side. Then 1 minute later I see in the event log an informational message stating "The DNS server wrote version 157480 of zone 'zonename.org' to file 'zonename.org.dns'…", and then every hour or so it writes a new version a few times, then fails again. It seems to be working for the most part but timing out every so often. Is there a timeout I can increase?


    William McConnell

    Thursday, March 23, 2017 4:11 PM

Answers

  • Hi WillieMac,

    Yeah, a secondary zone may be used to share each other's domain DNS entries.

    However, I would recommend using forwarders: in your DC, configure their DC as a forwarder, and in their DC, configure your DC as a forwarder. This may have the same function as a secondary zone and may avoid zone transfer issues.

    Best Regards,

    Anne


    Please remember to mark the replies as answers if they help.
    If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com.

    • Marked as answer by WillieMac99 Monday, April 3, 2017 5:26 PM
    Thursday, March 30, 2017 6:37 AM
    Moderator
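As an added example that is not from this thread or from Microsoft, a PowerShell check for the two configurations discussed here: the primary zone's "only to the following servers" transfer list (reporting and optionally trimming entries such as the old DCs that were later shut down), and the conditional-forwarder alternative Anne recommends. Zone names and IP addresses are placeholders; the DnsServer module cmdlets are the standard Windows ones.

```powershell
#Requires -Modules DnsServer
# Added example, not part of the original thread. Run on the DNS server that hosts the zone.

function Test-ZoneTransferAllowList {
    # Reports whether a primary zone only transfers to an approved list of
    # partner DCs, and which listed hosts are no longer approved.
    param(
        [Parameter(Mandatory)] [string]   $ZoneName,             # e.g. 'ourdomain.example' (placeholder)
        [Parameter(Mandatory)] [string[]] $ApprovedSecondaries,  # partner DC IPs (placeholders)
        [switch] $Apply                                          # actually rewrite the list
    )
    $zone = Get-DnsServerZone -Name $ZoneName
    if ($zone.SecureSecondaries -ne 'TransferToSecureServers') {
        # Anything other than an explicit server list lets more hosts pull the whole zone.
        Write-Warning "$ZoneName transfer setting is '$($zone.SecureSecondaries)'; expected 'TransferToSecureServers'."
    }
    $listed = @($zone.SecondaryServers | ForEach-Object { $_.IPAddressToString })
    $stale  = @($listed | Where-Object { $_ -notin $ApprovedSecondaries })
    $missing = @($ApprovedSecondaries | Where-Object { $_ -notin $listed })
    if ($stale)   { Write-Warning "Listed but not approved (decommissioned DCs?): $($stale -join ', ')" }
    if ($missing) { Write-Warning "Approved but not listed (new DCs will be refused): $($missing -join ', ')" }
    if ($Apply) {
        # Replace the list with exactly the approved hosts.
        Set-DnsServerPrimaryZone -Name $ZoneName -SecureSecondaries TransferToSecureServers `
                                 -SecondaryServers $ApprovedSecondaries
    }
    [pscustomobject]@{ Zone = $ZoneName; Stale = $stale; Missing = $missing }
}

function Convert-SecondaryToConditionalForwarder {
    # Replaces a secondary copy of the partner's zone with a conditional forwarder,
    # so no zone transfer (and no transfer allow-list on their side) is needed.
    param(
        [Parameter(Mandatory)] [string]   $ZoneName,    # e.g. 'partner.example' (placeholder)
        [Parameter(Mandatory)] [string[]] $PartnerDns   # partner DC IPs (placeholders)
    )
    $zone = Get-DnsServerZone -Name $ZoneName -ErrorAction SilentlyContinue
    if ($zone -and $zone.ZoneType -eq 'Secondary') {
        # A forwarder cannot share a name with an existing zone, so drop the secondary first.
        Remove-DnsServerZone -Name $ZoneName -Force
    }
    Add-DnsServerConditionalForwarderZone -Name $ZoneName -MasterServers $PartnerDns -ReplicationScope 'Forest'
}

# Usage (placeholder values):
# Test-ZoneTransferAllowList -ZoneName 'ourdomain.example' -ApprovedSecondaries '10.1.0.10','10.1.0.11'
# Convert-SecondaryToConditionalForwarder -ZoneName 'partner.example' -PartnerDns '10.1.0.10','10.1.0.11'
```

Run the audit without `-Apply` first; the forwarder conversion is the change Anne describes and removes the dependency on the partner's transfer list entirely.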

All replies

  • Hi WillieMac,

    We are working on this issue now, any update will be provided as soon as possible.

    Best Regards,

    Anne



    Friday, March 24, 2017 9:29 AM
    Moderator
  • Hi WillieMac,

    Since after setting up the two-way trust the domains can resolve each other, why do you still configure a secondary zone on the partner DC?

    Best Regards,

    Anne



    Tuesday, March 28, 2017 8:40 AM
    Moderator
  • Well, that's a good question, and maybe I'm confusing the terminology (secondary zone). This is my understanding. We have an external two-way trust in place, but not transitive. I believe this was created originally to share resources and DNS. I don't believe that users in the partner domain can log in to our network, and I don't believe that I can log in to their network. The partner domain is on the same physical network, separated by a firewall, and they use our Internet access, we push WSUS updates to them, etc. This DNS configuration has been set like this for years and we are just replacing our DCs. In DNS, under forward lookup zones, for our domain, we set up a zone transfer, selected "only to the following servers" and chose their 2 DCs on the partner domain. They in turn have the same setup in DNS, pushing their zone to our new DCs. I thought that this was needed to share each other's DNS.


    William McConnell

    Tuesday, March 28, 2017 1:37 PM
  • Once we shut down the old DCs/DNS servers and removed them from the zone, the errors went away.

    Thanks all.


    William McConnell

    Monday, April 3, 2017 5:27 PM