windows server 2003 + secondary zone failures

[Martin Zachs]

I have a primary and secondary DNS servers setup - ns1.mydomain.com,
ns2.mydomain.com. They are both internet facing with public IP addresses.
Both IP addresses can be pinged from the Internet.

I've setup a domain on the primary server with the name server as
ns1.mydomain.com & ns2.mydomain.com. Zone transfers are set to "only to
servers listed in the name servers tab" and notify set to "servers listed on
the name servers tab".

Both primary and secondary servers have their "DNS Server" set to their own
IP address.

When I setup the doman/zone on the secondary server (giving it the primary's
IP address to obtain a copy of the details), it immediately fails saying
"zone not loaded by DNS server". The DNS event log says "....was refused by
the master DNS server <<primary's IP address>>. Check the zone at the
master server.... to verify that zone transfer is enabled to this server".

The zone transfer is enabled. If I allow zone transfers to "any server" on
the primary server, the secondary servers gets the DNS details.

Any ideas why its not working when the zone transfers are set to "only
servers listed in name servers"? And are there any security implications of
making zone transfers to "any server"??

The above used to work perfectly until another Domain controller was added
to the network just before the primary DC failed and was disconnected.

Any ideas greatfully received...

 

[Kevin D. Goodknecht [MVP]]

In

I have a primary and secondary DNS servers setup - ns1.mydomain.com,
ns2.mydomain.com. They are both internet facing with public IP
addresses. Both IP addresses can be pinged from the Internet.

I've setup a domain on the primary server with the name server as
ns1.mydomain.com & ns2.mydomain.com. Zone transfers are set to "only
to servers listed in the name servers tab" and notify set to "servers
listed on the name servers tab".

Both primary and secondary servers have their "DNS Server" set to
their own IP address.

When I setup the doman/zone on the secondary server (giving it the
primary's IP address to obtain a copy of the details), it immediately
fails saying "zone not loaded by DNS server". The DNS event log says
"....was refused by the master DNS server <<primary's IP address>>.
Check the zone at the master server.... to verify that zone transfer
is enabled to this server".

The zone transfer is enabled. If I allow zone transfers to "any
server" on the primary server, the secondary servers gets the DNS
details.

Any ideas why its not working when the zone transfers are set to "only
servers listed in name servers"?

Probably because from the primary's view the secondary's IP address is not
the same as the NS record's IP address. Is the secondary getting its record
from behind NAT, or possibly the secondary multi-homed?

 

[Martin Zachs]

In

Probably because from the primary's view the secondary's IP address is not
the same as the NS record's IP address. Is the secondary getting its record
from behind NAT, or possibly the secondary multi-homed?

Both machines are multi-homed... The secondary is on the same subnet as the
primary and both machines each have two NICs each with two 81.1.1.X format
static IP addresses.. For example. primary = 81.1.1.1 and 81.1.1.2 (one ip
per NIC) and secondary = 81.1.1.20 and 81.1.1.21 (one ip per NIC).

As it looks like this could be the problem, any idea on the solution?

 

[Kevin D. Goodknecht [MVP]]

In

Both machines are multi-homed... The secondary is on the same subnet
as the primary and both machines each have two NICs each with two
81.1.1.X format static IP addresses.. For example. primary =
81.1.1.1 and 81.1.1.2 (one ip per NIC) and secondary = 81.1.1.20 and
81.1.1.21 (one ip per NIC).

As it looks like this could be the problem, any idea on the solution?

On the zone transfers tab select "allow zone transfers only to these
servers" then put in all IPs on all secondary servers. This is common
behavior on multi-homed DNS servers