Zone Transfer Problems.....

[Guest]

Scenario:
I have three local dns servers all containing secondary zones for a certain
domain.. The primary zone is held on a server connected through a VPN.
Problem:
The three local dns servers often lose the zone or are unable to transfer
from master, even though connectivity is available between servers. This
happens randomly. One server can be transferring correctly, another will not
transfer at all!!

I am completely out of ideas so any help will be very very much
appreciated!!!!

Cheers,
Alex

 

[Herb Martin]

Scenario:
I have three local dns servers all containing secondary zones for a certain
domain.. The primary zone is held on a server connected through a VPN.
Problem:
The three local dns servers often lose the zone or are unable to transfer
from master, even though connectivity is available between servers. This
happens randomly. One server can be transferring correctly, another will not
transfer at all!!

Ok, so you can site on each of the secondaries
and do a LIST in ntdsutil (shell) and it works
fine? [this will prove connectivity and that
the DNS traffic is not being filtered by a
firewall or restricted by the master.]

I am completely out of ideas so any help will be very very much
appreciated!!!!

"lose the zone" makes no sense -- DNS servers
don't lose zones (in general.)

Now, it's different if one transfers and the others
don't (one is filtered on the net, or restrict at the
master.)

BTW, a more common WAN architecture for
DNS replication would be for one of them to pull
across the WAN and the other two to pull (by
default) from a local server.

Secondaries can pull from other secondaries and
can place the (Primary across the WAN as an
alternate master so that it is even fault tolerant.)

 

[Guest]

Scenario:
I have three local dns servers all containing secondary zones for a certain
domain.. The primary zone is held on a server connected through a VPN.
Problem:
The three local dns servers often lose the zone or are unable to transfer
from master, even though connectivity is available between servers. This
happens randomly. One server can be transferring correctly, another will not
transfer at all!!

Ok, so you can site on each of the secondaries
and do a LIST in ntdsutil (shell) and it works
fine? [this will prove connectivity and that
the DNS traffic is not being filtered by a
firewall or restricted by the master.]

I am completely out of ideas so any help will be very very much
appreciated!!!!

"lose the zone" makes no sense -- DNS servers
don't lose zones (in general.)

Now, it's different if one transfers and the others
don't (one is filtered on the net, or restrict at the
master.)

BTW, a more common WAN architecture for
DNS replication would be for one of them to pull
across the WAN and the other two to pull (by
default) from a local server.

Secondaries can pull from other secondaries and
can place the (Primary across the WAN as an
alternate master so that it is even fault tolerant.)

Thanks for your response!

I have successfully run the list command in ntdsutil on all servers
including the one that is currently not replicating....

(When i said "lose the zone" i meant that the zone is automatically deleted
as it times out because no transfers are being made.)

All servers at some point have and will replicate the zone correctly,
sometimes they will all be working at the same time!

At the moment whenever the zone on one of the server fails to transfer from
the primary, i do change it so it transfers from one of the other secondary
servers temporally.
This is not a permanent fix as at some point this server's zone will fail to
replicate too....

Alex

 

[Kevin D. Goodknecht Sr. [MVP]]

In

Thanks for your response!

I have successfully run the list command in ntdsutil on
all servers including the one that is currently not
replicating....

(When i said "lose the zone" i meant that the zone is
automatically deleted as it times out because no
transfers are being made.)

All servers at some point have and will replicate the
zone correctly, sometimes they will all be working at the
same time!

At the moment whenever the zone on one of the server
fails to transfer from the primary, i do change it so it
transfers from one of the other secondary servers
temporally.
This is not a permanent fix as at some point this
server's zone will fail to replicate too....

Are the secondary servers multihomed? That is, do they have more than one IP
address?

Many times, if it is possible for the secondary to connect to the primary
from an IP addres that is not in the allow zone transfer list, zone
transfers will fail. Does change the allow zone transfer list to all IP
address allow the zone transfers to happen every time?

 

[Guest]

Are the secondary servers multihomed? That is, do they have more than one IP
address?

Many times, if it is possible for the secondary to connect to the primary
from an IP addres that is not in the allow zone transfer list, zone
transfers will fail. Does change the allow zone transfer list to all IP
address allow the zone transfers to happen every time?

All secondary servers only have the one IP.
I am also not in control of the primery server, but am reassured that it is
set up correctly with the seccondarty server IP's.

 

[Kevin D. Goodknecht Sr. [MVP]]

In

All secondary servers only have the one IP.
I am also not in control of the primery server, but am
reassured that it is set up correctly with the
seccondarty server IP's.

Rarely are failing zone transfers the fault of the Secondary server, it is
the primary DNS responsible for allowing zone transfers. For whatever reason
the primary is not allowing the zone transfer.

If you can, run this from the secondary server machine.
nslookup
server <theprimaryserverIP>
ls <zonenameyouaretransferring>

This is a zone transfer command and should list all records at all nodes in
the zone.

 

[Guest]

Rarely are failing zone transfers the fault of the Secondary server, it is
the primary DNS responsible for allowing zone transfers. For whatever reason
the primary is not allowing the zone transfer.

If you can, run this from the secondary server machine.
nslookup
server <theprimaryserverIP>
ls <zonenameyouaretransferring>

This is a zone transfer command and should list all records at all nodes in
the zone.

I get "query refused" on the server that is currently not replicating
properly.
It lists the records fine on the servers that are replicating properly!

 

[Kevin D. Goodknecht Sr. [MVP]]

In

I get "query refused" on the server that is currently not
replicating properly.

"query refused" means zone transfers are not being allow to the IP you are
connecting from.

It lists the records fine on the servers that are
replicating properly!

Then whomever has control of the primary needs to verify the "allow zone
transfers to" address list. Or set this one to get its data from one of the
secondary servers where you can allow zone transfers to this one.

 

[Guest]

Then whomever has control of the primary needs to verify the "allow zone
transfers to" address list. Or set this one to get its data from one of the
secondary servers where you can allow zone transfers to this one.

I have been told that all my secondary servers are in the "allow zone
transfers to" tab, which i trust is correct! and i cant really set the other
secondary to transfer off the only one working, because sooner or later this
will stop working too!

The thing that confuses me the most is that the zones will sometimes
transfer ok, then randomly stop working.... so it show that the proper
connectivity is possible but not all the time!

 

[Kevin D. Goodknecht Sr. [MVP]]

In

I have been told that all my secondary servers are in the
"allow zone transfers to" tab, which i trust is correct!
and i cant really set the other secondary to transfer off
the only one working, because sooner or later this will
stop working too!

The thing that confuses me the most is that the zones
will sometimes transfer ok, then randomly stop
working.... so it show that the proper connectivity is
possible but not all the time!

Then, without a doubt you have a routing problem. How are these two networks
connected together?
Somewhere you have an IP address that is not listed on the primary, and when
the secondary connects the primary sees the wrong IP address then zone
transfers are disallowed.
You will have to find out what IP this is and either stop the secondary from
using the IP or add it to the zone transfer list.

 

[Guest]

In

Then, without a doubt you have a routing problem. How are these two networks
connected together?
Somewhere you have an IP address that is not listed on the primary, and when
the secondary connects the primary sees the wrong IP address then zone
transfers are disallowed.
You will have to find out what IP this is and either stop the secondary from
using the IP or add it to the zone transfer list.

The networks are connected through a VPN using two ISA servers....
I agree with what you are saying but why is the problem intermittent?

 

[Kevin D. Goodknecht Sr. [MVP]]

In

The networks are connected through a VPN using two ISA
servers....
I agree with what you are saying but why is the problem
intermittent?

ISA?
Make sure ISA has a rule to allow TCP 53 as well as UDP 53.

 

[Guest]

In

ISA?
Make sure ISA has a rule to allow TCP 53 as well as UDP 53.

Yep, both ports are open!