Zone transfer

Guest

I have 2 Windows 2000 servers that host AD and DNS. I have one
AD-integrated zone and 2 primary zones. When I attempt to set up zone
transfer for the 2 latter zones I get the error: "The DNS server encountered
an error while attempting to load the zone".

I've tried all the obvious solutions like checking nameserver setup for the
zones, zone transfer settings. Tried "Transfer from master" on the secondary
DNS server and checked DNS event logs. I get an error on the primary DNS
server; "Event ID: 3000, The DNS server is logging numerous run-time
events..." if that should matter. The primary DNS server is set up with
itself as DNS server and the secondary DNS server as secondary server. The
secondary DNS server is set up with the primary DNS server as Primary DNS
server and itself as the secondary.

I also tried the following commands on the secondary DNS server:
nslookup
[primary DNS listed as Default server]
ls -d <zone>
[lists all entries]

So, why doesn't it work?
 
Jorge_de_Almeida_Pinto

I have 2 Windows 2000 servers that host AD and DNS. I have one
AD-integrated zone and 2 primary zones. When I attempt to set up zone
transfer for the 2 latter zones I get the error: "The DNS server encountered
an error while attempting to load the zone".

I've tried all the obvious solutions like checking nameserver setup for the
zones, zone transfer settings. Tried "Transfer from master" on the secondary
DNS server and checked DNS event logs. I get an error on the primary DNS
server; "Event ID: 3000, The DNS server is logging numerous run-time
events..." if that should matter. The primary DNS server is set up with
itself as DNS server and the secondary DNS server as secondary server. The
secondary DNS server is set up with the primary DNS server as Primary DNS
server and itself as the secondary.

I also tried the following commands on the secondary DNS server:
nslookup
[primary DNS listed as Default server]
ls -d <zone>
[lists all entries]

So, why doesn't it work?

look at:
http://support.microsoft.com/default.aspx?scid=kb;en-us;816518&Product=winxp
http://www.microsoft.com/technet/pr...ons/547be1bb-1a55-465b-a39c-e326d31e1cf7.mspx

does this help?
 
Ace Fekay [MVP]

In
Audun Wangen said:
I have 2 Windows 2000 servers that host AD and DNS. I have one
AD-integrated zone and 2 primary zones. When I attempt to set up zone
transfer for the 2 latter zones I get the error: "The DNS server
encountered an error while attempting to load the zone".

A Primary zone is a writable copy. It will not receive transfers, but you
can allow transfers to a secondary zone. If you have an AD Integrated zone,
that acts as a Primary as well. Therefore you cannot transfer from an AD
Integrated zone to a Primary zone, but you can to a secondary zone. If you
have an AD Integrated zone, then why are you mixing AD Integrated zones with
Primary zones?

I've tried all the obvious solutions like checking nameserver setup
for the zones, zone transfer settings. Tried "Transfer from master"
on the secondary DNS server and checked DNS event logs. I get an
error on the primary DNS server; "Event ID: 3000, The DNS server is
logging numerous run-time events..." if that should matter. The
primary DNS server is set up with itself as DNS server and the
secondary DNS server as secondary server. The secondary DNS server is
set up with the primary DNS server as Primary DNS server and itself
as the secondary.

This contradicts your previous paragraph. ??

I also tried the following commands on the secondary DNS server:
nslookup
[primary DNS listed as Default server]
ls -d <zone>
[lists all entries]

So, why doesn't it work?

Please elaborate a bit on your infrastructure, why you are mixing Primary
and AD Integrated zones, assuming the zone name is the same exact zone. If
this is the case, it may be the root of the whole issue because the system is
seeing dupes.

--
Regards,
Ace

If this post is viewed at a non-Microsoft community website, and you were to
respond to it through that community's website, I may not see your reply.
Therefore, please direct all replies ONLY to the Microsoft public newsgroup
this thread originated in so all can benefit.

This posting is provided "AS-IS" with no warranties or guarantees and
confers no rights.

Ace Fekay, MCSE 2003 & 2000, MCSA 2003 & 2000, MCSE+I, MCT, MVP
Microsoft Windows MVP - Windows Server - Directory Services
Infinite Diversities in Infinite Combinations.
=================================
 
Guest

Ace Fekay said:
In

A Primary zone is a writable copy. It will not receive transfers, but you
can allow transfers to a secondary zone. If you have an AD Integrated zone,
that acts as a Primary as well. Therefore you cannot transfer from an AD
Integrated zone to a Primary zone, but you can to a secondary zone. If you
have an AD Integrated zone, then why are you mixing AD Integrated zones with
Primary zones?

Sorry, I see it got a little messy so thank you very much for your patience.
I'll try to elaborate. I should have just ignored the AD integrated zones.
They work fine on both servers.

The core of the issue is; I have 2 DNS servers (let's just refer to them as
DNS1 and DNS2). DNS1 is set up with 2 Primary zones and I have set up DNS2 to
host these zones as Secondary zones. See below for explanation of why we mix
AD integrated and Primary/Secondary zones. If you know of a better solution,
feel free to inform me.
This contradicts your previous paragraph. ??

I don't think so :). It just got messy. I referred to the network setup on
DNS1 and DNS2. DNS1 using DNS1 as primary DNS server, and DNS2 using DNS1 as
primary DNS server. It seemed to be the solution, on some forums, for some
issues concerning zone replication. Does that make more sense?
I also tried the following commands on the secondary DNS server:
nslookup
[primary DNS listed as Default server]
ls -d <zone>
[lists all entries]

So, why doesn't it work?

Please elaborate a bit on your infrastructure, why you are mixing Primary
and AD Integrated zones, assuming the zone name is the same exact zone. If
this is the case, it may be the root of the whole issue because the system is
seeing dupes.

Well, I think I'll have to explain our infrastructure a bit for this to make
sense:
Firstly DNS1 and DNS2 are strictly for internal use.

We have an outer DMZ using internal non-routable IP addresses for services
from the internet (NFuse, websites etc.). We use static NAT for the "outside"
to reach them. Before we set up a Primary zone these addresses were resolved
with the public IP address, and that didn't work. So it worked from the
internet but not internally on the LAN.

So we had to make a new zone on DNS1 to override the name to be resolved to
the internal IP address. The problem is I can't get these zones to replicate
to DNS2.

Is there a better way to solve this without going to extremes like using
HOSTS files etc.?
 
Ace Fekay [MVP]

In
Audun Wangen said:
Ace Fekay said:
In

A Primary zone is a writable copy. It will not receive transfers,
but you can allow transfers to a secondary zone. If you have an AD
Integrated zone, that acts as a Primary as well. Therefore you
cannot transfer from an AD Integrated zone to a Primary zone, but
you can to a secondary zone. If you have an AD Integrated zone, then
why are you mixing AD Integrated zones with Primary zones?

Sorry, I see it got a little messy so thank you very much for your
patience. I'll try to elaborate. I should have just ignored the AD
integrated zones. They work fine on both servers.

The core of the issue is; I have 2 DNS servers (let's just refer to
them as DNS1 and DNS2). DNS1 is set up with 2 Primary zones and I
have set up DNS2 to host these zones as Secondary zones. See below for
explanation of why we mix AD integrated and Primary/Secondary zones.
If you know of a better solution, feel free to inform me.
This contradicts your previous paragraph. ??

I don't think so :). It just got messy. I referred to the network
setup on DNS1 and DNS2. DNS1 using DNS1 as primary DNS server, and
DNS2 using DNS1 as primary DNS server. It seemed to be the solution,
on some forums, for some issues concerning zone replication. Does
that make more sense?
I also tried the following commands on the secondary DNS server:
nslookup
[primary DNS listed as Default server]
ls -d <zone>
[lists all entries]

So, why doesn't it work?

Please elaborate a bit on your infrastructure, why you are mixing
Primary and AD Integrated zones, assuming the zone name is the same
exact zone. If this is the case, it may be the root of the whole
issue because the system is seeing dupes.

Well, I think I'll have to explain our infrastructure a bit for this
to make sense:
Firstly DNS1 and DNS2 are strictly for internal use.

We have an outer DMZ using internal non-routable IP addresses for
services from the internet (NFuse, websites etc.). We use static NAT
for the "outside" to reach them. Before we set up a Primary zone
these addresses were resolved with the public IP address, and that
didn't work. So it worked from the internet but not internally on the
LAN.

So we had to make a new zone on DNS1 to override the name to be
resolved to the internal IP address. The problem is I can't get
these zones to replicate to DNS2.

Is there a better way to solve this without going to extremes like
using HOSTS files etc.?

Let's see. Simply, you're trying to replicate a zone from the internal DNS,
DNS1, to the DMZ DNS server. I believe that's what you appear to be
saying. This is in order for your VPN clients to access internal resources
using their private IPs.

If zone transfer from DNS1 is not working to the external DMZ DNS server,
then maybe you didn't create a port re-map rule thru the NAT device to allow
UDP and TCP from the DMZ side (NAT's WAN IP) to go to DNS1's private IP on
the internal side.

I hope I understood...

Ace
 
Guest

Ace Fekay said:
In
Audun Wangen said:
Ace Fekay said:
In Audun Wangen <Audun (e-mail address removed)> made this
post, which I then commented about below:
I have 2 Windows 2000 servers that host AD and DNS. I have one
AD-integrated zone and 2 primary zones. When I attempt to set up
zone transfer for the 2 latter zones I get the error: "The DNS
server encountered an error while attempting to load the zone".

A Primary zone is a writable copy. It will not receive transfers,
but you can allow transfers to a secondary zone. If you have an AD
Integrated zone, that acts as a Primary as well. Therefore you
cannot transfer from an AD Integrated zone to a Primary zone, but
you can to a secondary zone. If you have an AD Integrated zone, then
why are you mixing AD Integrated zones with Primary zones?

Sorry, I see it got a little messy so thank you very much for your
patience. I'll try to elaborate. I should have just ignored the AD
integrated zones. They work fine on both servers.

The core of the issue is; I have 2 DNS servers (let's just refer to
them as DNS1 and DNS2). DNS1 is set up with 2 Primary zones and I
have set up DNS2 to host these zones as Secondary zones. See below for
explanation of why we mix AD integrated and Primary/Secondary zones.
If you know of a better solution, feel free to inform me.
I've tried all the obvious solutions like checking nameserver setup
for the zones, zone transfer settings. Tried "Transfer from master"
on the secondary DNS server and checked DNS event logs. I get an
error on the primary DNS server; "Event ID: 3000, The DNS server is
logging numerous run-time events..." if that should matter. The
primary DNS server is set up with itself as DNS server and the
secondary DNS server as secondary server. The secondary DNS server
is set up with the primary DNS server as Primary DNS server and
itself as the secondary.

This contradicts your previous paragraph. ??

I don't think so :). It just got messy. I referred to the network
setup on DNS1 and DNS2. DNS1 using DNS1 as primary DNS server, and
DNS2 using DNS1 as primary DNS server. It seemed to be the solution,
on some forums, for some issues concerning zone replication. Does
that make more sense?
I also tried the following commands on the secondary DNS server:
nslookup
[primary DNS listed as Default server]
ls -d <zone>
[lists all entries]

So, why doesn't it work?

Please elaborate a bit on your infrastructure, why you are mixing
Primary and AD Integrated zones, assuming the zone name is the same
exact zone. If this is the case, it may be the root of the whole
issue because the system is seeing dupes.

Well, I think I'll have to explain our infrastructure a bit for this
to make sense:
Firstly DNS1 and DNS2 are strictly for internal use.

We have an outer DMZ using internal non-routable IP addresses for
services from the internet (NFuse, websites etc.). We use static NAT
for the "outside" to reach them. Before we set up a Primary zone
these addresses were resolved with the public IP address, and that
didn't work. So it worked from the internet but not internally on the
LAN.

So we had to make a new zone on DNS1 to override the name to be
resolved to the internal IP address. The problem is I can't get
these zones to replicate to DNS2.

Is there a better way to solve this without going to extremes like
using HOSTS files etc.?

Let's see. Simply, you're trying to replicate a zone from the internal DNS,
DNS1, to the DMZ DNS server. I believe that's what you appear to be
saying. This is in order for your VPN clients to access internal resources
using their private IPs.

If zone transfer from DNS1 is not working to the external DMZ DNS server,
then maybe you didn't create a port re-map rule thru the NAT device to allow
UDP and TCP from the DMZ side (NAT's WAN IP) to go to DNS1's private IP on
the internal side.

I hope I understood...

Almost. Except that DNS2 is not in the DMZ. It's on the LAN as well, just
for redundancy. So there is no firewall between DNS1 and DNS2. Like you said
the zones were created for the internal IP's to reach the servers in the DMZ
by name.

Thanks again for the fast reply. Any ideas how to make the zones replicate?
 
Ace Fekay [MVP]

In
Audun Wangen said:
Almost. Except that DNS2 is not in the DMZ. It's on the LAN as well,
just for redundancy. So there is no firewall between DNS1 and DNS2.
Like you said the zones were created for the internal IP's to reach
the servers in the DMZ by name.

Thanks again for the fast reply. Any ideas how to make the zones
replicate?

I believe you said transfers are working between DNS2 and DNS1, but not to
the DNS server in the DMZ?

Let me also understand, the DMZ has public IPs, and the internal network has
private IPs, correct? If so, you still need to remap those ports, firewall
or not.

Ace
 
Guest

Ace Fekay said:
In

I believe you said transfers are working between DNS2 and DNS1, but not to
the DNS server in the DMZ?

Let me also understand, the DMZ has public IPs, and the internal network has
private IPs, correct? If so, you still need to remap those ports, firewall
or not.

Ace

No, I have no DNS servers in the DMZ. DNS1 and DNS2 are on the internal LAN.

The DMZ servers are set up with private IPs (e.g. 172.21.18.1). We use
static address translation to a public IP (e.g. 62.70.34.1) on the
outside interface of the firewall. We do not use NAT between internal LAN and
DMZ. So on layer 3 everything works fine.

We want the name to resolve to 172.21.18.1 on the LAN and 62.70.34.1 on the
internet. It works fine if I edit the HOSTS file, but that is unacceptable for
so many machines.

I have set up primary zones on DNS1 and they work correctly, but I can't get
the zones to replicate to DNS2. The primary zones on DNS1 work correctly,
but not on DNS2.

Here's the output of some nslookup commands if that helps. www.dmzservers.com
is a server in our DMZ:
server DNS1
Default Server: DNS1.domain.com
Address: 172.16.3.1
Server: DNS1.domain.com
Address: 172.16.3.1

Name: www.dmzservers.com
Address: 172.21.18.1
server DNS2
Default Server: DNS2.domain.com
Address: 172.16.3.2
Server: DNS2.domain.com
Address: 172.16.3.2

*** DNS2.domain.com can't find www.dmzservers.no: Server failed
 
Kevin D. Goodknecht Sr. [MVP]

Audun Wangen said:
No, I have no DNS servers in the DMZ. DNS1 and DNS2 are on the
internal LAN.

The DMZ servers are set up with private IPs (e.g. 172.21.18.1). We use
static address translation to a public IP (e.g. 62.70.34.1) on the
outside interface of the firewall. We do not use NAT between internal
LAN and DMZ. So on layer 3 everything works fine.

We want the name to resolve to 172.21.18.1 on the LAN and 62.70.34.1
on the internet. It works fine if I edit the HOSTS file, but that is
unacceptable for so many machines.

I have set up primary zones on DNS1 and they work correctly, but I
can't get the zones to replicate to DNS2. The primary zones on DNS1
work correctly, but not on DNS2.

If zone transfers do not work, answer these questions.

a. Are the two primary zones for a publicly accessible domain name?

b. If yes to a, do you have NS records for both the Primary and Secondary
zones?

c. If yes to a and b, do the NS records use names that resolve to public IP
addresses?

d. If yes to a, b and c, do you have "Allow zone transfers only to the DNS
servers listed on the Name Server tab"?

e. If yes to d, zone transfers won't work because the NS records resolve to
public IP addresses and the secondary server has a private IP.

f. If yes to d, on the zone transfer tab, change the setting "Allow zone
transfers only to these IP addresses" with ALL the private IP addresses on the
secondary server.


Also, take note, you cannot use the same zone for both local clients and
public clients, to resolve names for locally hosted services for public
domains.
Local clients must get the local address while public clients must get only
public address. You need to split the zones to separate DNS servers, one for
public clients and one for local clients.
This is one feature MS DNS does not support, that BIND does.
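Editor's note, not part of the thread: the checklist above can be walked mechanically. The script below is an added example, not code from any poster, written for the DnsServer PowerShell module (Windows Server 2012 or later; the thread's Windows 2000 servers predate it, where dnscmd.exe /ZoneResetSecondaries is the equivalent). It audits a primary zone the way points a to e describe (zone type, transfer policy, which addresses the NS names actually resolve to, and whether any are public while the secondary is private), applies point f by restricting transfers and notifies to the secondary's own addresses, and then creates the secondary zone and forces a full transfer. Server names, addresses and the zone name are the thread's placeholders (DNS1 172.16.3.1, DNS2 172.16.3.2, domain.com), not a real deployment. The security point is the one the thread circles around: "To any server" gives the whole zone to anyone who can reach TCP/53, which is exactly what nslookup ls -d does.

```powershell
# Added example: audit and harden zone-transfer settings on a Windows DNS server.
# Requires the DnsServer module (Windows Server 2012+). Hostnames, IPs and the zone
# name below are the thread's placeholders, assumed for illustration only.
#Requires -Modules DnsServer

function Test-PrivateIPv4 {
    # RFC 1918 ranges: 10/8, 172.16/12, 192.168/16
    param([Parameter(Mandatory)][System.Net.IPAddress]$Address)
    $b = $Address.GetAddressBytes()
    return (($b[0] -eq 10) -or
            ($b[0] -eq 172 -and $b[1] -ge 16 -and $b[1] -le 31) -or
            ($b[0] -eq 192 -and $b[1] -eq 168))
}

function Get-ZoneTransferAudit {
    # Points a-e: zone type, transfer policy, NS names, and the addresses they
    # resolve to as seen from the master. Flags the case where the policy is
    # "only to servers on the Name Servers tab" but an NS name resolves publicly.
    param(
        [Parameter(Mandatory)][string]$ZoneName,
        [Parameter(Mandatory)][string]$MasterServer
    )
    $zone = Get-DnsServerZone -ComputerName $MasterServer -Name $ZoneName
    $ns   = Get-DnsServerResourceRecord -ComputerName $MasterServer -ZoneName $ZoneName -RRType NS |
            Where-Object HostName -eq '@'
    $findings = foreach ($rr in $ns) {
        $nsName = $rr.RecordData.NameServer.TrimEnd('.')
        $addrs  = Resolve-DnsName -Name $nsName -Type A -Server $MasterServer -ErrorAction SilentlyContinue |
                  Where-Object Type -eq 'A' | Select-Object -ExpandProperty IPAddress
        foreach ($a in $addrs) {
            [pscustomobject]@{
                NameServer = $nsName
                Address    = $a
                Private    = Test-PrivateIPv4 ([System.Net.IPAddress]$a)
            }
        }
    }
    $publicNs = @($findings | Where-Object { -not $_.Private })
    [pscustomobject]@{
        Zone              = $zone.ZoneName
        ZoneType          = $zone.ZoneType
        IsDsIntegrated    = $zone.IsDsIntegrated
        # NoTransfer | TransferAnyServer | TransferToZoneNameServer | TransferToSecureServers
        SecureSecondaries = $zone.SecureSecondaries
        SecondaryServers  = $zone.SecondaryServers
        NameServers       = $findings
        # Point e: NS-based policy cannot reach a private secondary through public NS addresses
        NsPolicyAtRisk    = ($zone.SecureSecondaries -eq 'TransferToZoneNameServer') -and ($publicNs.Count -gt 0)
        # Anyone who can reach TCP/53 can AXFR the zone (nslookup ls -d, dig axfr, ...)
        AnyServerAllowed  = ($zone.SecureSecondaries -eq 'TransferAnyServer')
    }
}

function Set-RestrictedZoneTransfer {
    # Point f: allow transfers, and send NOTIFY, only to the secondary's own addresses.
    param(
        [Parameter(Mandatory)][string]$ZoneName,
        [Parameter(Mandatory)][string]$MasterServer,
        [Parameter(Mandatory)][string[]]$SecondaryServers
    )
    Set-DnsServerPrimaryZone -ComputerName $MasterServer -Name $ZoneName `
        -SecureSecondaries TransferToSecureServers -SecondaryServers $SecondaryServers `
        -Notify NotifyServers -NotifyServers $SecondaryServers
}

function Initialize-SecondaryZone {
    # Create the standard secondary on the other server (if missing) and pull a full AXFR.
    param(
        [Parameter(Mandatory)][string]$ZoneName,
        [Parameter(Mandatory)][string]$MasterServer,
        [Parameter(Mandatory)][string]$SecondaryServer
    )
    if (-not (Get-DnsServerZone -ComputerName $SecondaryServer -Name $ZoneName -ErrorAction SilentlyContinue)) {
        Add-DnsServerSecondaryZone -ComputerName $SecondaryServer -Name $ZoneName `
            -ZoneFile "$ZoneName.dns" -MasterServers $MasterServer
    }
    Start-DnsServerZoneTransfer -ComputerName $SecondaryServer -Name $ZoneName -FullTransfer
    Get-DnsServerZone -ComputerName $SecondaryServer -Name $ZoneName |
        Select-Object ZoneName, ZoneType, MasterServers, IsShutdown
}

# Usage with the thread's placeholders: DNS1 (172.16.3.1) is the master, DNS2 (172.16.3.2) the secondary.
Get-ZoneTransferAudit -ZoneName 'domain.com' -MasterServer '172.16.3.1' | Format-List
Set-RestrictedZoneTransfer -ZoneName 'domain.com' -MasterServer '172.16.3.1' -SecondaryServers '172.16.3.2'
Initialize-SecondaryZone -ZoneName 'domain.com' -MasterServer '172.16.3.1' -SecondaryServer '172.16.3.2'
```

Run the audit before changing anything: if it reports AnyServerAllowed as True the zone is readable by any host on the LAN, and if NsPolicyAtRisk is True you have the exact situation point e describes. IsShutdown on the secondary after the transfer is the scripted equivalent of the console's "Zone not loaded by DNS server" message.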
 
Ace Fekay [MVP]

In
Audun Wangen said:
No, I have no DNS servers in the DMZ. DNS1 and DNS2 are on the
internal LAN.

The DMZ servers are set up with private IPs (e.g. 172.21.18.1). We use
static address translation to a public IP (e.g. 62.70.34.1) on the
outside interface of the firewall. We do not use NAT between internal
LAN and DMZ. So on layer 3 everything works fine.

We want the name to resolve to 172.21.18.1 on the LAN and 62.70.34.1
on the internet. It works fine if I edit the HOSTS file, but that is
unacceptable for so many machines.

I have set up primary zones on DNS1 and they work correctly, but I
can't get the zones to replicate to DNS2. The primary zones on DNS1
work correctly, but not on DNS2.

Here's the output of some nslookup commands if that helps.
www.dmzservers.com is a server in our DMZ:

Default Server: DNS1.domain.com
Address: 172.16.3.1

Server: DNS1.domain.com
Address: 172.16.3.1

Name: www.dmzservers.com
Address: 172.21.18.1

Default Server: DNS2.domain.com
Address: 172.16.3.2

Server: DNS2.domain.com
Address: 172.16.3.2

*** DNS2.domain.com can't find www.dmzservers.no: Server failed

I see. It either looks like you are mixing private/public IPs, or
something with your zone transfer settings. I read back through the thread,
and I didn't see where you listed what the zone transfer setting was, just
that you 'checked' it.

btw-, attempting an nslookup ls -d <zone> is a zone transfer query/request.
This points to your zone transfer settings as well, if it is not giving you
a response.

If you are mixing private and public data, follow Kevin's advice, we need to
have separate servers for this function.

If you just use the internal DNS with the private settings for your 'same
name internal/external domain name', then you can get to the website with
the correct private IP.

For the public records, you need a completely separate DNS server, actually
two of them, based on the Registrar's requirements. That server will ONLY
host public IPs, such as 62.70.34.1. Your internal server will NOT use this
server. Hence, the confusion of configuring this to work.

Unless you are mixing internal DNS and your ISP's DNS server in your
machines' IP properties?

Ace
 
Guest

Kevin D. Goodknecht Sr. said:
If zone transfers do not work, answer these questions.

a. Are the two primary zones for a publicly accessible domain name?

Yes, the zones are for domains that are publicly accessible.
b. If yes to a, do you have NS records for both the Primary and Secondary
zones?

I have NS records for the Primary zone, but because the Secondary zone
doesn't replicate I can't get the data for that zone. Isn't the Secondary
zone supposed to be a copy of the Primary zone? If so, the NS records should
also be replicated, am I right?
c. If yes to a and b, do the NS records use names that resolve to public IP
addresses?

No, both servers listed as NS records (DNS1 and DNS2) have, as I wrote,
private IPs. I have no DNS server in the DMZ. The DNS servers have 2
forwarders defined that are the DNS servers of our ISP.
d. If yes to a, b and c, do you have "Allow zone transfers only to the DNS
servers listed on the Name Server tab"?
Yes. I have tried other options as well ("To any server" and "Only to the
following"), with no results. I even tried specifying the server with its IP
address.
e. If yes to d, zone transfers won't work because the NS records resolve to
public IP addresses and the secondary server has a private IP.

I don't get it. Both DNS servers have private IPs and are used only for
internal name lookup. What we try to do is override the IPs so that the
servers in our DMZ are resolved to their private IPs and not to their public
IPs and this works perfectly for DNS1 which hosts the Primary zones. How
come I can't transfer these zones to DNS2 when it's on the same LAN/subnet
with no firewall between?
f. If yes to d, on the zone transfer tab, change the setting "Allow zone
transfers only to these IP addresses" with ALL the Private IP address on the
secondary server.

I've tried that. No success.
Also, take note, you cannot use the same zone for both local clients and
public clients, to resolve names for locally hosted services for public
domains.

If I get you right we don't. DNS1 and DNS2 are on the LAN and not accessible
from the internet. They are strictly used for LAN lookups. The "zone
override" works on DNS1, so it resolves the names in the DMZ to private IPs.
The problem is replication to DNS2.
Local clients must get the local address while public clients must get only
public address. You need to split the zones to separate DNS servers, one for
public clients and one for local clients.
This is one feature MS DNS does not support, that BIND does.

Yes, I get that, and that is why I had to make 2 new zones; for the clients
on the LAN to resolve to the private IPs. Lookups (to the public IPs of the
DMZ servers) work on the internet because that is taken care of by our ISP
and their DNS setup. Internal lookups ALSO work on DNS1 because I have set up
the Primary zones. The problem came when I attempted to set up the Secondary
zones (replica of the primary zones) on DNS2.
 
Guest

Ace Fekay said:
I see. It's either looks like you are mixing private/public IPs, or
something with your zone transfer settings. I read back through the thread,
and I didn't see where you listed what the zone transfer setting was, just
that you 'checked' it.

Ok, I'll give you the details (zone names and servernames are changed, but
you get the idea):
Zone: domain.com
Type: Primary
Location: DNS1
Allow dynamic updates: No
SOA, Primary server: DNS1
Refresh interval: 15 mins
Retry interval: 10 mins
Expires after: 1 days
Name servers: DNS1 and DNS2
WINS: No
Zone Transfer:
Allow zone transfers: Yes
To any server

Also tried "Only the servers listed in the Name Servers tab" and tried to
specify the IP address of DNS2.

Notify:
Automatically notify: Yes
Servers listed on the Name Servers tab
-------------------------------------------------------------
I then attempted to set up a new zone on DNS2 as follows:
Standard secondary
Name of the zone: I selected the zone from DNS1 (domain.com)
Specify DNS servers from which to copy: I selected DNS1

I tried "Transfer from master" but it still says "Zone not loaded by DNS
server".
btw-, attempting an nslookup ls -d <zone> is a zone transfer query/request.
This points to your zone transfer settings as well, if it is not giving you
a response.

On DNS2 I tried the following:
nslookup
server DNS1
Default server: DNS1.ADdomain.com
Address: said:
ls -d domain.com
[DNS1.ADdomain.com]
domain.com SOA DNS1.ADdomain.com admin.ADdomain.com
domain.com NS DNS1.ADdomain.com
domain.com NS DNS2.ADdomain.com
domain.com CNAME www.domain.com
maps CNAME www.domain.com
www A <internal IP address of DMZ server>
domain.com SOA DNS1.ADdomain.com admin.ADdomain.com

After the SOA records there is a number (18 900 600 86400 3600).
If you are mixing private and public data, follow Kevin's advice, we need to
have separate servers for this function.

If you just use the internal DNS with the private settings for your 'same
name internal/external domain name', then you can get to the website with
the correct private IP.

For the public records, you need a completely separate DNS server, actually
two of them, based on the Registrar's requirements. That server will ONLY
host public IPs, such as 62.70.34.1. Your internal server will NOT use this
server. Hence, the confusion of configuring this to work.

Unless you are mixing internal DNS and your ISP's DNS server in your
machines' IP properties?

No, I use DNS1 as primary DNS and DNS2 as secondary DNS, and I have set up
forwarders on DNS1 and DNS2 to our ISP's DNS servers (omg...dnsdnsdns:).

Thanks for your reply. Any new ideas how to make the replication work?
 
Kevin D. Goodknecht Sr. [MVP]

Audun Wangen said:
Yes, I get that, and that is why I had to make 2 new zones; for the
clients on the LAN to resolve to the private IPs. Lookups (to the
public IPs of the DMZ servers) work on the internet because that is
taken care of by our ISP and their DNS setup. Internal lookups ALSO
work on DNS1 because I have set up the Primary zones. The problem
came when I attempted to set up the Secondary zones (replica of the
primary zones) on DNS2.

Are the AD integrated zones getting replicated?
 
Guest

Kevin D. Goodknecht Sr. said:
Why not use AD integration on these zones?
If you do, there is no need for secondary zones or zone transfers.

Yes, why not :). I did think of it but figured it would be nice to separate
our domain from the public ones. How does that work when I have to create a
new domain? Are there any issues I have to think about?
 
Kevin D. Goodknecht Sr. [MVP]

Audun Wangen said:
separate our domain from the public ones. How does that work when I
have to create a new domain? Are there any issues I have to think
about?

Please clarify this statement, "separate our domain from the public ones"
This leads me to believe you are trying to host your public zone on the DNS
server, which you said you are not.

As for the difference between AD integrated zones and standard
primary/secondary, what this means is the zone is stored in Active
Directory instead of in a text file as in Standard Primary/secondary.
 
Ace Fekay [MVP]

In
Audun Wangen said:
Ace Fekay said:
I see. It's either looks like you are mixing private/public IPs, or
something with your zone transfer settings. I read back through the
thread, and I didn't see where you listed what the zone transfer
setting was, just that you 'checked' it.

Ok, I'll give you the details (zone names and servernames are
changed, but you get the idea):
Zone: domain.com
Type: Primary
Location: DNS1
Allow dynamic updates: No
SOA, Primary server: DNS1
Refresh interval: 15 mins
Retry interval: 10 mins
Expires after: 1 days
Name servers: DNS1 and DNS2
WINS: No
Zone Transfer:
Allow zone transfers: Yes
To any server

Also tried "Only the servers listed in the Name Servers tab" and
tried to specify the IP address of DNS2.

Notify:
Automatically notify: Yes
Servers listed on the Name Servers tab
-------------------------------------------------------------
I then attempted to set up a new zone on DNS2 as follows:
Standard secondary
Name of the zone: I selected the zone from DNS1 (domain.com)
Specify DNS servers from which to copy: I selected DNS1

I tried "Transfer from master" but it still says "Zone not loaded by
DNS server".
btw-, attempting an nslookup ls -d <zone> is a zone transfer
query/request. This points to your zone transfer settings as well,
if it is not giving you a response.

On DNS2 I tried the following:
nslookup
server DNS1
Default server: DNS1.ADdomain.com
Address: said:
ls -d domain.com
[DNS1.ADdomain.com]
domain.com SOA DNS1.ADdomain.com admin.ADdomain.com
domain.com NS DNS1.ADdomain.com
domain.com NS DNS2.ADdomain.com
domain.com CNAME www.domain.com
maps CNAME www.domain.com
www A <internal IP address of DMZ server>
domain.com SOA DNS1.ADdomain.com admin.ADdomain.com

After the SOA records there is a number (18 900 600 86400 3600).
If you are mixing private and public data, follow Kevin's advice, we
need to have separate servers for this function.

If you just use the internal DNS with the private settings for your
'same name internal/external domain name', then you can get to the
website with the correct private IP.

For the public records, you need a completely separate DNS server,
actually two of them, based on the Registrar's requirements. That
server will ONLY host public IPs, such as 62.70.34.1. Your internal
server will NOT use this server. Hence, the confusion of configuring
this to work.

Unless you are mixing internal DNS and your ISP's DNS server in your
machines' IP properties?

No, I use DNS1 as primary DNS and DNS2 as secondary DNS, and I have
set up forwarders on DNS1 and DNS2 to our ISP's DNS servers
(omg...dnsdnsdns:).

Thanks for your reply. Any new ideas how to make the replication work?

Honestly, if both DNS servers are on the same subnet (I didn't see any IP
addresses listed above), and zone transfers are allowed to "any", then it
should just work.

Maybe between Kevin and I, we're missing something rudimentary here in your
configuration. But as far as I see it, and trying to understand your
configuration (and terminology), you have two DNS servers on the same subnet
and you want to transfer a zone from one to the other, and all the
IPs under the nameserver tab are all their private IPs (not mixing them).
This should just *work*.

Kevin made a point about the nameservers listing and their IP addresses, but
if they are both private IPs, meaning these two:
domain.com NS DNS1.ADdomain.com
domain.com NS DNS2.ADdomain.com
and they are on the same subnet, then transfers should just work.

Maybe it's that blank domain CNAME record causing the whole problem. I
couldn't mimic your configuration on my server. I am assuming that:
means it really shows up in the DNS console under the zone as:
(same as parent) CNAME www.domain.com

unless you really did select to create a new Alias, typed in domain.com in
the host section, then typed in www.domain.com for the target name. But if
you did that, then the system will automatically create a "com" zone under
the current "domain.com" zone and then it will create a "domain" CNAME
record in that zone with a target of www.domain.com. When I tried to do it
the other way, it wouldn't let me stating that it is an incompatible record
type. Maybe the zone transfer attempt recognizes it and is preventing the
transfer.

Ace
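Editor's note, not part of the thread: the apex record Ace suspects above is easy to check for and, if present, worth removing whether or not it is what stalls this particular transfer. RFC 1034 section 3.6.2 says a name that owns a CNAME must own no other data, and the zone apex always owns at least the SOA and NS records, so a CNAME at "(same as parent)" is a malformed zone by definition. The script below is an added example, not a poster's code, again for the DnsServer module (Windows Server 2012 or later, not the Windows 2000 consoles in the thread); the server and zone names are the thread's placeholders. It reports what record types sit at the apex, flags a CNAME coexisting with them, and offers the usual repair: replace the apex CNAME with A records copied from the CNAME's target, which is what an "apex points to the same host as www" intent actually needs.

```powershell
# Added example: detect and repair a CNAME at the zone apex (coexisting with SOA/NS).
# Requires the DnsServer module (Windows Server 2012+). 'DNS1' and 'domain.com' are the
# thread's placeholders, assumed here for illustration only.
#Requires -Modules DnsServer

function Get-ApexCnameConflict {
    param(
        [Parameter(Mandatory)][string]$ZoneName,
        [string]$ComputerName = 'localhost'
    )
    # '@' selects the records owned by the zone name itself ("(same as parent)" in the console)
    $apex  = Get-DnsServerResourceRecord -ComputerName $ComputerName -ZoneName $ZoneName -Name '@'
    $types = @($apex | Select-Object -ExpandProperty RecordType -Unique)
    $cname = $apex | Where-Object RecordType -eq 'CNAME' | Select-Object -First 1
    $target = $null
    if ($cname) { $target = $cname.RecordData.HostNameAlias.TrimEnd('.') }
    [pscustomobject]@{
        Zone        = $ZoneName
        ApexTypes   = $types
        CnameTarget = $target
        # RFC 1034 3.6.2: a CNAME owner may hold no other RRs, and the apex always holds SOA + NS
        Conflict    = [bool]$cname -and ($types.Count -gt 1)
    }
}

function Repair-ApexCname {
    # Swap the apex CNAME for A records carrying the target's current addresses.
    param(
        [Parameter(Mandatory)][string]$ZoneName,
        [string]$ComputerName = 'localhost'
    )
    $check = Get-ApexCnameConflict -ZoneName $ZoneName -ComputerName $ComputerName
    if (-not $check.Conflict) { return $check }

    # Resolve the alias target through the same server so we copy the internal (DMZ) address
    $addrs = Resolve-DnsName -Name $check.CnameTarget -Type A -Server $ComputerName |
             Where-Object Type -eq 'A' | Select-Object -ExpandProperty IPAddress
    if (-not $addrs) { throw "Target $($check.CnameTarget) has no A records; not removing the CNAME." }

    Get-DnsServerResourceRecord -ComputerName $ComputerName -ZoneName $ZoneName -Name '@' -RRType CNAME |
        Remove-DnsServerResourceRecord -ComputerName $ComputerName -ZoneName $ZoneName -Force
    foreach ($ip in $addrs) {
        Add-DnsServerResourceRecordA -ComputerName $ComputerName -ZoneName $ZoneName -Name '@' -IPv4Address $ip
    }
    Get-ApexCnameConflict -ZoneName $ZoneName -ComputerName $ComputerName
}

# Usage with the thread's placeholders; run the check first, repair only if Conflict is True.
Get-ApexCnameConflict -ZoneName 'domain.com' -ComputerName 'DNS1' | Format-List
# Repair-ApexCname -ZoneName 'domain.com' -ComputerName 'DNS1'
```

The repair is deliberately conservative: it refuses to delete the CNAME if the target does not resolve, so the apex is never left without an address. Re-run the zone transfer on the secondary afterwards and compare ls -d output from both servers; if they differ, the problem is elsewhere and the thread's transfer-policy checklist is the next stop.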
 
Guest

Kevin D. Goodknecht Sr. said:
Please clarify this statement, "separate our domain from the public ones"
This leads me to believe you are trying to host your public zone on the DNS
server, which you said you are not.

No, I meant on the DNS server. I figured it was smart to separate our AD
domain from the others by making Primary/Secondary zones.
As for the difference between AD integrated zones and standard
primary/secondary , what this means in the zone is stored in Active
Directory instead of in a text file as in Standard Primary/secondary.

If there are no other differences I am more than willing to use AD integrated
zones. I'll give it a try.
 
Kevin D. Goodknecht Sr. [MVP]

Audun Wangen said:
No, I meant on the DNS server. I figured it was smart to separate our
AD domain from the others by making Primary/Secondary zones.


If there are no other differences I am more than willing to use AD
integrated zones. I'll give it a try.

There are security differences, AD zones are secure, standard
primary/secondary zones are only as secure as the text file it is stored in.
 
