Zone Transfer problem - Need Help


W C Hull

I'm having a problem and need help badly. Here is the issue.

I'm running Windows 2000 Server and I have over 100 primary zones that are
Active Directory Integrated zones, and all of these zones are configured to
allow zone transfers to any server.

Of these 100 AD-integrated zones I have two zones that have stopped allowing
zone transfers to other secondary DNS servers in our environment.

I have tried removing the secondary zone on the secondary DNS and recreating
it, but when I finish, the secondary zone never completes that zone transfer.
I have also re-created the primary zone prior to creating the secondary zone,
and the secondary zone never completes the zone transfer. I have also
deleted the zone from Active Directory and have recreated it as a primary
non-AD-integrated zone, and still no luck in being able to create a secondary
zone that can complete a zone transfer. Note also that it doesn't matter
which secondary DNS server I try to create the secondary zone on; the zone
transfer always fails. This also fails on brand new secondary DNS servers
.... the zone transfer never completes between the primary and secondary
zones.

So far I can find no errors being reported as to what or why the zone
transfer is failing, and I'm stumped as to how to fix this problem. It's
almost like the 2 zones were set up not to allow zone transfers, or only
transfers to specific servers, and the configuration to allow zone
transfers to any server has failed to set properly. Note that I have tried
changing the setting to specify that zone transfers are allowed to my
secondary DNS server, but I still cannot get the zone transfer to complete.

Can anyone help me resolve this issue so I can get these two zones to
perform a zone transfer?
 

Kevin D. Goodknecht Sr. [MVP]

W C Hull said:
I'm having a problem and need help badly. Here is the issue.

I'm running Windows 2000 Server and I have over 100 primary zones
that are Active Directory Integrated zones, and all of these zones are
configured to allow zone transfers to any server.

Of these 100 AD-integrated zones I have two zones that have stopped
allowing zone transfers to other secondary DNS servers in our
environment.

I have tried removing the secondary zone on the secondary DNS and
recreating it, but when I finish, the secondary zone never completes
that zone transfer. I have also re-created the primary zone prior to
creating the secondary zone, and the secondary zone never completes
the zone transfer. I have also deleted the zone from Active
Directory and have recreated it as a primary non-AD-integrated zone,
and still no luck in being able to create a secondary zone that can
complete a zone transfer. Note also that it doesn't matter which
secondary DNS server I try to create the secondary zone on; the zone
transfer always fails. This also fails on brand new secondary DNS
servers ... the zone transfer never completes between the primary
and secondary zones.

So far I can find no errors being reported as to what or why the zone
transfer is failing, and I'm stumped as to how to fix this problem.
It's almost like the 2 zones were set up not to allow zone transfers, or
only transfers to specific servers, and the configuration to
allow zone transfers to any server has failed to set properly. Note
that I have tried changing the setting to specify that zone transfers
are allowed to my secondary DNS server, but I still cannot get the
zone transfer to complete.

Can anyone help me resolve this issue so I can get these two zones to
perform a zone transfer?

Tell us about the "secondary" DNS server: is it on a DC? Just to let you
know, if the primary is AD-integrated and the "secondary" DNS is also on a
DC in the same domain, zone transfers are not necessary; in fact you can't
use a secondary of the zone on another DC, you have to let Active Directory
replicate the zone.
Is it multi-homed?
Is it behind the same router?
 

W C Hull

Kevin,

Thanks for the reply.

In our environment all of the DNS servers are Domain Controllers. The
primary DNS servers that I was referring to are on our production root DCs.
Two of the secondary DNS servers are also on root DCs, but they are for a
separate TEST environment. Two other secondary DNS servers are what we
refer to as our Test "Corp" DCs, which are 1 level down from the Test Root
DC. Note that at the primary root level there are 3 DCs and that the zones
appear to be replicating correctly via Active Directory. Also note that the
Test DCs (2 roots and 2 corps) all have many secondary zones from the
Production DCs (3 root and 2 corp) on them, and all of them are performing
zone transfers correctly. It's only these 2 zones that are failing, and they
are set up just like the other zones from a zone transfer perspective.
The secondary DNS servers are all Active Directory Domain Controllers
however none are on the same domain as the primary. The primary DC is our
root DC and the secondary
 

W C Hull

Not sure that I understand this, but both zones had a CNAME record that had
no name (i.e. same as parent folder). With help from Ace Fekay I was able
to replicate this problem by starting out with a totally new zone that quit
doing zone transfers as soon as I put the blank CNAME record in the zone. I
could put a blank Host record in the zone and zone transfers would continue,
but not with a blank CNAME record.
 

Ace Fekay [MVP]

W C Hull said:
Not sure that I understand this, but both zones had a CNAME record
that had no name (i.e. same as parent folder). With help from Ace
Fekay I was able to replicate this problem by starting out with a
totally new zone that quit doing zone transfers as soon as I put the
blank CNAME record in the zone. I could put a blank Host record in
the zone and zone transfers would continue, but not with a blank CNAME
record.

Hence that was the offending record. CNAMEs can be problematic at times if
not configured correctly. A CNAME at the parent folder is not a valid
record.

Glad you figured it out!
Ace
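The rule behind Ace's answer is RFC 1034 section 3.6.2: a CNAME must be the only record at its owner name, and the zone apex ("same as parent folder" in the DNS MMC) always carries the SOA and NS records, so an apex CNAME can never be valid, whereas an apex A record coexists with SOA/NS without trouble, which matches what W C Hull observed. The MMC does not enforce this, so a practitioner who inherits a zone wants a way to find such records before they silently break AXFR. The linter below is an added example written for this page, not code from the thread or from Microsoft; it parses a zone in master-file format (a dump of the zone, exported with whatever tool the server offers) and reports every owner that has a CNAME alongside any other data, apex or not. The zone texts and names (`example.test`, the 192.0.2.x addresses) are constructed for the example. One practitioner caveat on the thread's setup: "allow zone transfers to any server" hands the entire zone to anyone who can reach TCP/53, so once the broken record is gone, restricting transfers to the listed secondaries is the usual hardening step.

```python
"""Lint a DNS zone (master-file format) for CNAME records that violate
RFC 1034 section 3.6.2 ("a CNAME must be the only record at its name").

Added example, not part of the original thread. The sample zones are
constructed; ZONE_BAD reproduces the thread's failure with a CNAME at
the apex ('@', shown as "same as parent folder" in the Windows DNS MMC)
plus a second, non-apex conflict for contrast.
"""
from collections import defaultdict

# Constructed sample zones. Supported syntax: one record per line,
# "owner [ttl] [IN] type rdata", '@' for the apex, '$ORIGIN', ';' comments,
# and an omitted owner (leading whitespace) meaning "same owner as the
# previous record". Multi-line parenthesised records are not handled.
ZONE_OK = """
$ORIGIN example.test.
@    3600 IN SOA   ns1.example.test. hostmaster.example.test. 2004010101 3600 600 86400 300
@         IN NS    ns1.example.test.
@         IN A     192.0.2.10      ; blank Host record at the apex: fine
ns1       IN A     192.0.2.1
www       IN CNAME web.example.test.
web       IN A     192.0.2.20
"""

ZONE_BAD = """
$ORIGIN example.test.
@    3600 IN SOA   ns1.example.test. hostmaster.example.test. 2004010102 3600 600 86400 300
@         IN NS    ns1.example.test.
@         IN A     192.0.2.10
@         IN CNAME web.example.test. ; blank CNAME: collides with SOA/NS/A
ns1       IN A     192.0.2.1
ftp       IN CNAME web.example.test.
          IN A     192.0.2.30       ; owner omitted => still 'ftp', CNAME + A
web       IN A     192.0.2.20
"""


def parse_zone(text, origin):
    """Return {owner_fqdn: {rrtype: [rdata, ...]}} for a master-file zone."""
    origin = origin.rstrip('.').lower() + '.'
    records = defaultdict(lambda: defaultdict(list))
    prev_owner = origin
    for raw in text.splitlines():
        line = raw.split(';', 1)[0].rstrip()
        if not line.strip():
            continue
        if line.lstrip().upper().startswith('$ORIGIN'):
            origin = line.split()[1].rstrip('.').lower() + '.'
            continue
        if line.lstrip().startswith('$'):       # $TTL and friends: ignore
            continue
        fields = line.split()
        if line[0].isspace():
            owner = prev_owner                   # owner omitted
        else:
            name = fields.pop(0)
            if name == '@':
                owner = origin
            elif name.endswith('.'):
                owner = name.lower()
            else:
                owner = name.lower() + '.' + origin
        # optional TTL and/or class, in either order
        while fields and (fields[0].isdigit() or fields[0].upper() == 'IN'):
            fields.pop(0)
        rrtype = fields.pop(0).upper()
        records[owner][rrtype].append(' '.join(fields))
        prev_owner = owner
    return records


def cname_violations(records):
    """List (owner, other_types) for each owner holding a CNAME next to
    other data. The apex always has SOA and NS, so an apex CNAME is
    always reported; 'CNAME (multiple)' flags more than one CNAME."""
    out = []
    for owner, by_type in sorted(records.items()):
        if 'CNAME' not in by_type:
            continue
        others = sorted(t for t in by_type if t != 'CNAME')
        if len(by_type['CNAME']) > 1:
            others.append('CNAME (multiple)')
        if others:
            out.append((owner, others))
    return out


def lint(text, origin):
    """Parse and check a zone; returns the violation list (empty = clean)."""
    return cname_violations(parse_zone(text, origin))


if __name__ == '__main__':
    for label, zone in (('ZONE_OK', ZONE_OK), ('ZONE_BAD', ZONE_BAD)):
        for owner, others in lint(zone, 'example.test') or []:
            print(f"{label}: CNAME at {owner} conflicts with {', '.join(others)}")
```

Run against a real export, the apex entry is the one to look for first: any owner equal to the zone name in the report is the "same as parent folder" CNAME from the thread.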
 

W C Hull

The only thing I find odd is that the DNS MMC allowed me to create the
record in the first place.
 

Ace Fekay [MVP]

W C Hull said:
The only thing I find odd is that the DNS MMC allowed me to create the
record in the first place.

I know, unfortunate to find out the hard way!

Ace
 