Zone transfer refused by the primary server

  • Question

  • Hi,

    I have an issue transferring zones from a primary server to my secondary recursive DNS servers. We have 2 secondary recursive DNS servers (ns7, ns8) separate from 2 secondary authoritative DNS servers (ns9, ns10) and 2 AD-integrated DNS servers (dc1, dc2). The zone transfer on the primary (dc1) is set to "only to servers listed on name server tab" (ns7, ns8, ns9, ns10) and notify is set to "automatically notify servers on the name server tab". On the name server tab, ns9 and ns10 are listed.

    The zone transfer request from the secondary servers (ns7 and ns8) is refused by the primary server (dc1). The firewall is not blocking the zone transfer on TCP port 53. My question is, can the setting on the notify tab be the problem?

    Best regards,


    • Edited by Panymony Wednesday, November 16, 2016 3:05 PM
    Wednesday, November 16, 2016 3:04 PM

All replies

  • Hi Panymony,

    >>The firewall is not blocking the zone transfer on port tcp 53.

    Please disable firewall and try again.

    You could enable Debug Logging and check if primary DNS server has received request.

    Have you checked whether there are any events about this issue?

    >>On the name server tab, ns9 and ns10 are listed.

    Please add ns7 and ns8 in name server list, and then try again.

    Best Regards

    John


    Please remember to mark the replies as answers if they help.
    If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com.

    Thursday, November 17, 2016 3:03 AM
  • Hi John,

    I'm very thankful for your answer and help. Unfortunately I have no access to DC1 or the firewall, and each time I have to bring a logical reason to the responsible person for changing any setting. The network guy is sure that the firewall is not blocking the zone transfer. I can telnet into the server on 53. On the secondary server, the log shows that it sends the query but receives a refused reply from DC1.

    UDP Snd DC1_IP   7d35   Q [0000       NOERROR]      SOA    Zone_name
    UDP Rcv  DC1_IP   7d35 R Q [8084 A  R  NOERROR]    SOA    Zone_name
    UDP Snd DC1_IP   91d7   Q [0000       NOERROR]     IXFR   Zone_name
    UDP Rcv DC1_IP   91d7 R Q [0580       REFUSED]      IXFR   Zone_name
    TCP Snd DC1_IP   0000   Q [0000       NOERROR]       AXFR   Zone_name
    TCP Rcv  DC1_IP   0000 R Q [0580       REFUSED]        AXFR   Zone_name

    I am actually migrating from two Linux DNS servers to two new Windows DNS servers, so the settings on the firewall and DC1 should be the same for all new and old servers. The zone transfer is working correctly from DC1 to the old Linux systems (ns1, ns2). Regarding your 2nd answer, ns1 and ns2 also do not exist in the name server list. Could you please tell me why ns7 and ns8 should be in the list for zone transfer?

    Best Regards,


    • Edited by Panymony Thursday, November 17, 2016 2:09 PM
    Thursday, November 17, 2016 2:08 PM
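
The pattern in the pasted debug log (SOA answered with NOERROR, then IXFR and AXFR answered with REFUSED) is itself the diagnostic: the primary is reachable and replying, so the refusal is its own authorization decision rather than a dropped packet. The following is an added example, not code from the thread or from Microsoft: it parses Windows DNS debug-log records in the layout seen above (the leading date/time/thread/packet columns of a full log are tolerated), and reports that distinction per zone. The record layout is assumed from the pasted lines, and the sample log is constructed after them.

```python
"""Triage Windows DNS Server debug-log records for refused zone transfers.
Added example, not from the thread. Assumed record layout (leading
date/time/thread/packet columns of a full log are tolerated):
<UDP|TCP> <Snd|Rcv> <peer> <xid> [R] <Q|N|U|?> [<flags> <chars> <rcode>] <qtype> <name>
"""
import re
from collections import defaultdict

RECORD = re.compile(
    r"(?P<proto>UDP|TCP)\s+(?P<dir>Snd|Rcv)\s+(?P<peer>\S+)\s+(?P<xid>[0-9a-fA-F]{4})"
    r"\s+(?P<resp>R)?\s*(?P<op>[QNU?])\s+\[(?P<flags>[0-9a-fA-F]{4})"
    r"\s*(?P<fchars>[A-Z ]*?)\s*(?P<rcode>[A-Z]+)\]\s+(?P<qtype>\S+)\s+(?P<name>\S+)"
)
ZONE_TRANSFER_TYPES = {"AXFR", "IXFR"}
# Constructed sample modelled on the lines pasted in the thread.
SAMPLE_LOG = """\
UDP Snd DC1_IP   7d35   Q [0000       NOERROR]      SOA    Zone_name
UDP Rcv  DC1_IP   7d35 R Q [8084 A  R  NOERROR]    SOA    Zone_name
UDP Snd DC1_IP   91d7   Q [0000       NOERROR]     IXFR   Zone_name
UDP Rcv DC1_IP   91d7 R Q [0580       REFUSED]      IXFR   Zone_name
TCP Snd DC1_IP   0000   Q [0000       NOERROR]       AXFR   Zone_name
TCP Rcv  DC1_IP   0000 R Q [0580       REFUSED]        AXFR   Zone_name
""".splitlines()


def parse_record(line):
    """Return the record's fields as a dict, or None for non-record lines."""
    m = RECORD.search(line)
    return m.groupdict() if m else None


def diagnose(lines):
    """Per zone: did the primary answer SOA, and which transfers did it refuse?
    NOERROR on SOA plus REFUSED on IXFR/AXFR from the same peer shows the primary
    is reachable and the refusal is its own authorization decision, not a firewall."""
    zones = defaultdict(lambda: {"peer": None, "soa_answered": False, "refused": []})
    for line in lines:
        rec = parse_record(line)
        # Only received responses tell us how the primary reacted.
        if not rec or rec["dir"] != "Rcv" or rec["resp"] != "R":
            continue
        z = zones[rec["name"].lower()]
        z["peer"] = rec["peer"]
        if rec["qtype"] == "SOA" and rec["rcode"] == "NOERROR":
            z["soa_answered"] = True
        elif rec["qtype"] in ZONE_TRANSFER_TYPES and rec["rcode"] == "REFUSED":
            z["refused"].append(f"{rec['proto']}/{rec['qtype']}")
    for z in zones.values():
        z["verdict"] = ("authorization refused by primary" if z["refused"] and z["soa_answered"]
                        else "transfer refused" if z["refused"] else "no refusal seen")
    return dict(zones)
```

Run `diagnose(SAMPLE_LOG)` on the constructed sample, or feed it the record lines of a real debug log, to get the per-zone verdict.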
  • Hi Panymony,

    Did the DC authorize Ns7 and ns8 to transfer zone?

    Best Regards

    John



    Friday, November 18, 2016 2:40 AM
  • Hi John,

    Sorry, I am confused. How are you giving a server authorization for zone transfer on the primary?

    I thought that by choosing "Only to the Following Servers" we give the name and IP address of every authorized secondary DNS server individually, and that we enable zone transfer at the master server by adding the secondary to the zone transfer list, which contains ns1, ns2, ns7, ns8, ns9, ns10 in the zone transfer tab. Where else on the primary should I add the secondary server to give it authorization to get the zone from the primary?

    I thought, since ns7 and ns8 are only recursive DNS servers for our internal network, we don't have to add them on the name server tab. I think ns1 and ns2 also have no NS record anywhere anymore. Could you please give me more explanation? I probably have a wrong understanding of a secondary recursive non-authoritative DNS server.

    Best regards,




    • Edited by Panymony Friday, November 18, 2016 10:05 AM
    Friday, November 18, 2016 9:53 AM
  • Hi Panymony,

    >>I think ns1 and ns2 have also no NS record anywhere anymore.

    Data of ns1 and ns2 were stored with AD.

    >>Where else on primary should I add the secondary server to give it authorization to get zone from primary?

    Please reference the article below to deploy it:

    Specify Other DNS Servers as Authoritative for a Zone

    https://technet.microsoft.com/en-us/library/cc770984%28v=ws.11%29.aspx?f=255&MSPPError=-2147217396

    >>On the name server tab, ns9 and ns10 are listed.

    I have tested it in my lab.

    I created a secondary DNS server, chose "only to servers on name server tab", and then added another DNS server in the name server tab; it works, and the NS record exists.

    Best Regards

    John



    Monday, November 21, 2016 5:04 AM