DNS Newb Zone Transfer Question

Phil

I have recently inherited all network admin
responsibilities; this is my first time managing such
services...

Q: How do the Primary and Secondary DNS servers know to
do zone transfers with each other?

Q: Shouldn't each Zone have an NS record listed for each
DNS server that is authoritative? We only have one
listed in every zone that is defined.


I'm trying to troubleshoot the following warning we
receive every hour or so (it varies):

"The DNS server has encountered numerous run-time
events. These are usually caused by the reception of bad
or unexpected packets, or from problems with or excessive
replication traffic. The data is the number of
suppressed events encountered in the last 15 minute
interval."

thanks!
 
Deji Akomolafe

On the Properties of a zone, there is the "zone transfer" tab. This is where
you configure the server you wish to grant access to. I have seen people
leave this option as "to any server". This, IMO, is not a good thing to do
for many reasons. I generally advise people to use the "only to the
following server" option and then list the IP address of the secondary
server. The "only to servers listed on the Name Server tab" option is
buggy, again IMO. It seems to create a loop where the primary tries to
transfer from itself. I can't remember the exact event id for this symptom
right now.

Secondaries are not really "Authoritative" in any sense. If your zone were
AD-integrated, then all the NS will be authoritative.

As for the error, you did not post the relevant event. Look for the errors
logged BEFORE the one you posted. The one you posted is just a report of the
situation.

--
Sincerely,

Dèjì Akómöláfé, MCSE MCSA MCP+I
www.akomolafe.com
www.iyaburo.com
Do you now realize that Today is the Tomorrow you were worried about
Yesterday? -anon
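The zone transfer and notify settings described above can be audited and enforced from PowerShell instead of the zone Properties dialog. This is an added example, not code from the thread; it assumes the DnsServer module (Windows Server 2012 or later) and the addresses in $Secondaries are constructed samples.

```powershell
# Added example: audit every standard primary zone on this DNS server and,
# optionally, restrict transfers and notifies to the named secondaries only.
# Assumes the DnsServer module; the addresses below are constructed samples.
Import-Module DnsServer

$Secondaries = @('192.0.2.10', '192.0.2.11')   # your secondaries, never the primary itself
$Apply       = $false                           # $true to enforce, $false to report only

# AD-integrated zones replicate through AD, and secondary/stub zones have no
# transfer list of their own, so only standard primaries are checked.
$zones = Get-DnsServerZone |
    Where-Object { $_.ZoneType -eq 'Primary' -and -not $_.IsDsIntegrated -and -not $_.IsAutoCreated }

foreach ($zone in $zones) {
    $name = $zone.ZoneName
    switch ($zone.SecureSecondaries) {
        'TransferAnyServer'        { Write-Warning "${name}: zone transfers allowed to ANY server" }
        'TransferToZoneNameServer' { Write-Warning "${name}: transfers follow the Name Servers tab" }
        'TransferToSecureServers'  { Write-Output  "${name}: transfers limited to $($zone.SecondaryServers -join ', ')" }
        'NoTransfer'               { Write-Output  "${name}: zone transfers disabled" }
    }
    # Flag notify targets that are not one of the known secondaries (for example the primary itself)
    $unknown = $zone.NotifyServers | Where-Object { $_.ToString() -notin $Secondaries }
    if ($zone.Notify -eq 'NotifyServers' -and $unknown) {
        Write-Warning "${name}: notify list contains an address that is not a known secondary: $($unknown -join ', ')"
    }
    if ($Apply) {
        # Explicit IP list on both tabs; the primary's own address is deliberately absent.
        Set-DnsServerPrimaryZone -Name $name `
            -SecureSecondaries TransferToSecureServers -SecondaryServers $Secondaries `
            -Notify NotifyServers -NotifyServers $Secondaries
    }
}
```

Run it with $Apply left at $false first so you can see which zones are still open to "any server" before changing anything.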
 
Kevin D. Goodknecht [MVP]

Phil said:
I have recently inherited all network admin
responsibilities; this is my first time managing such
services...

Q: How do the Primary and Secondary DNS servers know to
do zone transfers with each other?

You can use Notify on the primary zone, or you can just let the secondary
use the refresh, retry and expire values to get its transfers.
Q: Shouldn't each Zone have an NS record listed for each
DNS server that is authoritative? We only have one
listed in every zone that is defined.
It should have at least the master NS records, if this is for an Active
Directory domain.
If the DNS zone is for public consumption it needs the NS records that are
listed on the public record for the domain.
I'm trying to troubleshoot the following warning we
receive every hour or so (it varies):

"The DNS server has encountered numerous run-time
events. These are usually caused by the reception of bad
or unexpected packets, or from problems with or excessive
replication traffic. The data is the number of
suppressed events encountered in the last 15 minute
interval."

Is this a secondary zone for an Active Directory domain with Dynamic updates
using the notify option?
If it is, these are expected events, because with all the dynamic updates
going on there are many incremental zone transfers going on. You can ignore
these events.
A domain Controller will update its records once an hour; with all the
records it has to update, it sends a lot of incremental zone transfers to
the secondary. You can turn off notify and remove the secondary NS records,
which may stop the events. But then you could be left with an out of sync
secondary zone.
 
Guest

Right, I realize there is a Zone Transfer tab and it does
say "to any server", and I will try modifying those
settings, but I still don't understand how the Secondary
knows about the Primary. I tried installing DNS in the
lab, adding a new zone and doing a Zone transfer, and I
realized that is how it knows to do the Zone Transfer:
when you initially configure the secondary zone. That
being said, what happens if the address of the Primary
server changes? How will the secondary know to transfer
from a new location?

Secondaries are authoritative in SOME sense, aren't they?
I couldn't think of a better word...

The error, unfortunately, that is the only warning I
get... nothing else, and every time I go to the server
properties and turn event logging on, it doesn't stick...
it keeps going back to 'no events'...

By the way, thanks Dèjì, much appreciated!
 
Guest

"You can use Notify on the primary zone" I realize you
can notify, etc., but how does it know WHO to notify?

"refresh, retry and expire values"? What do you mean?

"It should have at least the master NS records" Great,
thanks, so if I add the secondaries for the zones it won't
hurt? Replication, er, zone transfers do seem to happen
faster...

"Dynamic updates" YES

"notify option" What notify option? You mean under Zone
transfers? In that case, I am not using the notify
option but I will be trying that in a few minutes here...
Can I still ignore?

"A domain Controller will update its records once an
hour" DNS is not integrated in this case nor is it
running on a DC

"You can turn off notify and remove the secondary NS
records it may stop the events. But then you could be
left with an out of sync secondary zone." The notify
option was not being used AND the secondary NS records
were not listed, yet the secondary was still getting the
zone transfers nicely... however, when I did update,
adding the 2nd name server, it did transfer faster, almost
instantly.

Thanks for your help Kevin, much appreciated!
 
Kevin D. Goodknecht [MVP]

In (e-mail address removed) <[email protected]> posted a question; then Kevin replied below:
"You can use Notify on the primary zone" I realize you
can notify, etc., but how does it know WHO to notify?

The IP address of the Secondary DNS server.
"refresh, retry and expire values"? What do you mean?

These values are on the SOA tab.
"It should have at least the master NS records" Great,
thanks, so if I add the secondaries for the zones it won't
hurt? Replication, er, zone transfers do seem to happen
faster...

No, the Dynamic updates will still be sent to the master server. (Listed on
the SOA tab)
"Dynamic updates" YES

"notify option" What notify option? You mean under Zone
transfers? In that case, I am not using the notify
option but I will be trying that in a few minutes here...
Can I still ignore?

The Notify option is just that, an option. It allows you to extend the
Refresh, Retry and Expire values on the SOA tab and not have to worry about
an out of date secondary, because the primary will notify the secondary when
it needs to do a zone transfer.
"A domain Controller will update its records once an
hour" DNS is not integrated in this case nor is it
running on a DC

DNS does not need to be AD integrated for the DC to register its records;
the DC will still update the DNS servers it has listed in its NICs once an
hour. If it can't register, you will get 5774 events.

Just to add, if you run DNS on the DC you can integrate the Zone into Active
Directory. AD Integrated zones can be set to allow only secure updates. What
that means is that if a device is set to register its addresses in DNS, it
will need either specific or inherited rights in the Zone's ACL (Access
Control List); if the device does not have permissions, registration will be
denied.
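The SOA refresh, retry and expire timers and the out-of-sync secondary they guard against can be checked from any Windows client without touching the server. This is an added example, not from the thread; it assumes Resolve-DnsName (DnsClient module, Windows 8/Server 2012 or later), and the zone name and server addresses are constructed placeholders.

```powershell
# Added example: compare the SOA serial the primary and the secondary each serve
# for a zone, and print the SOA timers that decide how stale a secondary may get
# when Notify is not used. Zone name and addresses are constructed placeholders.
$Zone      = 'example.com'
$Primary   = '192.0.2.1'
$Secondary = '192.0.2.10'

function Get-ZoneSoa {
    param([string]$ZoneName, [string]$Server)
    # -DnsOnly skips LLMNR/NetBIOS so the answer really comes from the named server
    Resolve-DnsName -Name $ZoneName -Type SOA -Server $Server -DnsOnly -ErrorAction Stop |
        Where-Object { $_.Type -eq 'SOA' } | Select-Object -First 1
}

$p = Get-ZoneSoa -ZoneName $Zone -Server $Primary
$s = Get-ZoneSoa -ZoneName $Zone -Server $Secondary

# Without Notify the secondary polls every Refresh seconds, retries every Retry
# seconds after a failed poll, and stops answering for the zone after Expire
# seconds without a successful transfer.
'{0}: Refresh={1}s Retry={2}s Expire={3}s' -f $Zone, $p.TimeToZoneRefresh, $p.TimeToZoneFailureRetry, $p.TimeToExpiration

if ($s.SerialNumber -lt $p.SerialNumber) {
    Write-Warning ('{0}: secondary serial {1} lags primary serial {2}' -f $Zone, $s.SerialNumber, $p.SerialNumber)
} elseif ($s.SerialNumber -gt $p.SerialNumber) {
    Write-Warning ('{0}: secondary serial {1} is ahead of primary {2}; confirm which server is the real master' -f $Zone, $s.SerialNumber, $p.SerialNumber)
} else {
    '{0}: primary and secondary agree at serial {1}' -f $Zone, $p.SerialNumber
}
```

A lagging serial that persists for longer than Refresh plus Retry points at a transfer that is being refused or not reaching the secondary, which is where the suppressed run-time events belong.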
 
Deji Akomolafe

I realize you can notify, etc, but how does it know WHO to notify?
As Kevin pointed out, it knows whom to "notify" by you specifying an IP
address on the notify tab. Again, do not use the "Servers listed on the Name
Servers" option. If you have to use the Notify option, specify the IP
addresses on the Secondaries ONLY. Don't put in the IP address of the
Primary. Otherwise, you will create some sort of loop and DNS will complain
bitterly about it.

Of course if this zone is AD-intg, then you don't use Zone Transfer or
Notify at all.

When you create a secondary, you tell the secondary that 1.2.3.4 is the
Primary. The Secondary would know from then on that it needs to
intermittently ask the Primary for updates to the zone. The Primary will get
the request for update (zone transfer request), it will then look at its
"Zone Transfer" settings to see IF it should honor the request or ignore it.
This is the default.

The Notify option is where the Primary does not wait for the Secondary to
request updates. The Primary will just tell the Secondary "hey, I have some
changes. Come and get them"

HTH
--
Sincerely,

Dèjì Akómöláfé, MCSE MCSA MCP+I
www.akomolafe.com
www.iyaburo.com
Do you now realize that Today is the Tomorrow you were worried about
Yesterday? -anon
 
Ace Fekay [MVP]

"You can use Notify on the primary zone" I realize you
can notify, etc., but how does it know WHO to notify?

"refresh, retry and expire values"? What do you mean?

"It should have at least the master NS records" Great,
thanks, so if I add the secondaries for the zones it won't
hurt? Replication, er, zone transfers do seem to happen
faster...

"Dynamic updates" YES

"notify option" What notify option? You mean under Zone
transfers? In that case, I am not using the notify
option but I will be trying that in a few minutes here...
Can I still ignore?

"A domain Controller will update its records once an
hour" DNS is not integrated in this case nor is it
running on a DC

"You can turn off notify and remove the secondary NS
records it may stop the events. But then you could be
left with an out of sync secondary zone." The notify
option was not being used AND the secondary NS records
were not listed, yet the secondary was still getting the
zone transfers nicely... however, when I did update,
adding the 2nd name server, it did transfer faster, almost
instantly.

Thanks for your help Kevin, much appreciated!


In addition to the other responses, this may help you with an explanation
about zone transfers. Keep in mind, AD Integrated zones also "act" as a
Primary Zone in relation to zone transfers so Secondaries can also grab a
copy of the zone, if allowed, of course. Note: Secondaries are just that,
read-only "copies", that's why they are NOT SOA for the zone...

Understanding zones, secondary zones and zone transfer:
http://www.microsoft.com/windows2000/en/server/help/sag_DNS_und_ZoneTransfers.htm


--
Regards,
Ace

Please direct all replies to the newsgroup so all can benefit.
This posting is provided "AS-IS" with no warranties and confers no
rights.

Ace Fekay, MCSE 2000, MCSE+I, MCSA, MCT, MVP
Microsoft Windows MVP - Active Directory
 
Matt Hickman

Secondaries are authoritative in SOME sense, aren't they?
I couldn't think of a better word...

You bet they are. They hold complete information for that zone,
they have a responsibility for maintaining accurate information
about the zone.

And finally and definitively when you register
an Internet domain name, you are required to provide the addresses of
two authoritative DNS servers. Traditionally, at least one of those
DNS servers is a secondary DNS.
 
Ace Fekay [MVP]

Matt Hickman said:
You bet they are. They hold complete information for that zone,
they have a responsibility for maintaining accurate information
about the zone.

And finally and definitively when you register
an Internet domain name, you are required to provide the addresses of
two authoritative DNS servers. Traditionally, at least one of those
DNS servers is a secondary DNS.


True they are, that is in the 'sense' of the word, especially if you
register two nameservers that only hold Secondary zones and the Primary is
'hidden' from the Internet, so to the registrar, the actual SOAs are the
ones holding the Secondary zone.

But as for the actual zone on those nameservers, the SOA would be the one
holding the Primary Zone.

AD Integrated, just to add, act like Primary Zones to a Secondary Zone.

--
Regards,
Ace

Please direct all replies to the newsgroup so all can benefit.
This posting is provided "AS-IS" with no warranties and confers no
rights.

Ace Fekay, MCSE 2000, MCSE+I, MCSA, MCT, MVP
Microsoft Windows MVP - Active Directory
 
Phil

Great, thanks Ace.

So based on what you were saying, I could have a
secondary (that is not AD integrated) do a Zone transfer
from a 'Primary' that IS AD integrated?
 
Phil

So, I'm assuming once I go AD Integrated, I will then
have additional security tabs for the zone? Non-AD
integrated doesn't have an ACL, yes?
 
Ace Fekay [MVP]

Phil said:
So, I'm assuming once I go AD Integrated, I will then
have additional security tabs for the zone? Non-AD
integrated doesn't have an ACL, yes?

That is correct.

--
Regards,
Ace

Please direct all replies to the newsgroup so all can benefit.
This posting is provided "AS-IS" with no warranties and confers no
rights.

Ace Fekay, MCSE 2000, MCSE+I, MCSA, MCT, MVP
Microsoft Windows MVP - Active Directory
 
Ace Fekay [MVP]

Phil said:
Great, thanks Ace.

So based on what you were saying, I could have a
secondary (that is not AD integrated) do a Zone transfer
from a 'Primary' that IS AD integrated?

You got it!

--
Regards,
Ace

Please direct all replies to the newsgroup so all can benefit.
This posting is provided "AS-IS" with no warranties and confers no
rights.

Ace Fekay, MCSE 2000, MCSE+I, MCSA, MCT, MVP
Microsoft Windows MVP - Active Directory
 