I got it. Thanks very much! Another question: can a stand alone computer
be registered to a DC DNS server, a stand alone DNS server and a secondary
DNS server?
"be registered to DC DNS server"?
The question is unclear.
1) Any machine can appear in any DNS server that is
authoritative (holds the zone file) for that zone.
2) Only a Primary or a DC-AD Integrated DNS server
can accept the registrations (Secondaries do zone
transfers from another of the DNS servers of that zone.)
3) Anything registered with the Master will get copied
to the other DNS servers of that zone (if replication works
at all.)
4) There is no requirement for either the (standard) Primary
or any Secondary to be a Windows machine or to be in the
domain.
[The Primary for a zone supporting Windows AD SHOULD
generally be a Windows 2000+ DNS server but that is not
required -- Dynamic DNS is required for the Primary and
SRV record support is required for all Secondaries.]
5) Only domain (or trusted domain) machines can register
if "secure updates only" are enabled -- i.e., the machine must
be authenticated to register itself.
This last, #5, is really the only true security (based on ACL/ACE
security principals) that exists in Windows DNS (and pretty much
in the other DNS servers.)
--
Herb Martin
The connection exists. I can let the secondary DNS server, as a DNS client,
query DNS records on the master DNS server.
That doesn't prove anything for ZONE TRANSFERS.
(Almost) all client requests are UDP while Zone transfers use TCP,
which is a completely different firewall/filter setting.
Second, zone transfers must be enabled in general or to specific
request addresses even though a simple (resource record) request
is not so filtered by the DNS server itself.
I.e., you can make resolution requests from a machine not
authorized to do zone transfers (in almost all cases unless an
additional firewall is involved.)
Is there a permission problem?
No, not permissions in the sense of ACL/ACE's or authentication
in Windows.
Yes, perhaps, if you mean the "allow zone transfers" which can
be totally disabled, totally enabled (all addresses), or selectively
enabled for certain IP addresses (DNS zone properties.)
The master DNS server is a domain controller and the secondary DNS server
is a stand alone server.
It is irrelevant that the Master is a DC -- the key is the settings
for "allow zone transfers" on the Master.
And of course the firewall settings.
The only relevance of the DNS server being a stand alone server
(or member server, or BIND Unix server, really: NOT an AD-integrated
DNS server) is that the replication will not be done through AD and
will require both the settings for "allow zone transfers" on the Master
and intervening firewalls to allow them to talk on TCP port 53 (relative
to the Master).
Suppose the domain is abc.com so I should set the
secondary zone as abc.com, right?
Yes, as it would not be a secondary FOR THAT ZONE unless you did
that.
A "secondary DNS server" is really a "Secondary DNS server FOR a
PARTICULAR zone/domain."
The same server can be secondary for many zones, and even primary
for some zones and secondary for others, but you should always THINK
about and DESIGN DNS by thinking of only one zone/DNS server at a
time.*
*Only real exception: When delegating a child zone you are working
IN the Parent zone, creating the delegation records for the child zone
DNS servers -- but again you really only think of one zone at a time and
each will have its own set of DNS servers, Primary OR AD-Integrated
(Primary) set with optional Secondaries for THAT SPECIFIC zone.
--
Herb Martin
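As an added illustration of the distinction Herb draws above (TCP port 53 reachability versus the Master's "allow zone transfers" list), here is a small Python diagnostic that is not part of this thread and not anything Herb or Charms posted. It frames a DNS message the way a secondary does over TCP (2-byte length prefix, unlike UDP), parses the SOA answer (serial, refresh, retry, expire, the timers behind a zone showing "expired"), and maps the outcome of a transfer attempt to the likely cause: a connection failure points at the firewall/filter, a REFUSED or NOTAUTH answer points at the Master's transfer ACL. The master address 192.0.2.10 is a placeholder, the zone abc.com comes from the thread, and the two constructed_* responses are made up for offline checking.

```python
"""Diagnostic for a secondary that cannot refresh its zone (added example).
A secondary asks the master for the SOA, then pulls the zone with AXFR over
TCP 53; when refreshes fail for longer than the SOA 'expire' value the zone
is marked expired."""
import socket
import struct

MASTER = "192.0.2.10"   # placeholder address, not a real master
ZONE = "abc.com"        # zone used in the thread
QTYPE_SOA, QTYPE_AXFR = 6, 252
RCODE_NAMES = {0: "NOERROR", 1: "FORMERR", 2: "SERVFAIL", 3: "NXDOMAIN",
               4: "NOTIMP", 5: "REFUSED", 9: "NOTAUTH"}

def encode_name(name):
    """Wire-format a dotted name as length-prefixed labels plus a root byte."""
    labels = name.strip(".").split(".")
    return b"".join(bytes([len(lab)]) + lab.encode("ascii") for lab in labels) + b"\x00"

def build_query(name, qtype, qid=0x1234):
    """12-byte header (RD set for ordinary queries, clear for AXFR) + one question."""
    flags = 0x0000 if qtype == QTYPE_AXFR else 0x0100
    return struct.pack("!HHHHHH", qid, flags, 1, 0, 0, 0) + encode_name(name) + struct.pack("!HH", qtype, 1)

def frame_tcp(msg):
    """Over TCP each DNS message carries a 2-byte big-endian length prefix; UDP
    sends the bare message, so a firewall rule for one says nothing about the other."""
    return struct.pack("!H", len(msg)) + msg

def decode_name(msg, offset):
    """Decode a name that may use compression pointers; return (name, next offset)."""
    labels, end = [], None
    while True:
        length = msg[offset]
        if length & 0xC0 == 0xC0:                 # pointer to an earlier name
            if end is None:
                end = offset + 2
            offset = struct.unpack("!H", msg[offset:offset + 2])[0] & 0x3FFF
            continue
        offset += 1
        if length == 0:
            break
        labels.append(msg[offset:offset + length].decode("ascii"))
        offset += length
    return ".".join(labels), (offset if end is None else end)

def parse_response(msg):
    """Return the rcode name and the answer records, with SOA fields decoded."""
    qid, flags, qd, an, _ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    offset, answers = 12, []
    for _ in range(qd):
        _, offset = decode_name(msg, offset)
        offset += 4                               # skip qtype + qclass
    for _ in range(an):
        name, offset = decode_name(msg, offset)
        rtype, _rclass, _ttl, rdlength = struct.unpack("!HHIH", msg[offset:offset + 10])
        offset += 10
        if rtype == QTYPE_SOA:
            mname, p = decode_name(msg, offset)   # rdata may point back into the message
            rname, p = decode_name(msg, p)
            serial, refresh, retry, expire, _minimum = struct.unpack("!IIIII", msg[p:p + 20])
            answers.append({"name": name, "type": "SOA", "mname": mname, "rname": rname,
                            "serial": serial, "refresh": refresh, "retry": retry, "expire": expire})
        else:
            answers.append({"name": name, "type": rtype, "rdata": msg[offset:offset + rdlength]})
        offset += rdlength
    return {"id": qid, "rcode": RCODE_NAMES.get(flags & 0xF, str(flags & 0xF)), "answers": answers}

def diagnose(response, connect_error=None):
    """Separate a firewall/connectivity failure from the master's transfer ACL."""
    if connect_error is not None:
        return "TCP 53 to the master is blocked or unreachable (firewall/filter), not a DNS setting"
    if response["rcode"] in ("REFUSED", "NOTAUTH"):
        return "master reached on TCP 53 but this address is not in its 'allow zone transfers' list"
    if response["rcode"] == "NOERROR" and response["answers"] and response["answers"][0]["type"] == "SOA":
        return "zone transfer permitted; master serial %d" % response["answers"][0]["serial"]
    return "unexpected response: %s" % response["rcode"]

def recv_exact(sock, n):
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise OSError("connection closed mid-message")
        buf += chunk
    return buf

def check_master(master=MASTER, zone=ZONE, timeout=5.0):
    """Live check from the secondary: AXFR over TCP, read the first reply message."""
    try:
        with socket.create_connection((master, 53), timeout=timeout) as s:
            s.sendall(frame_tcp(build_query(zone, QTYPE_AXFR)))
            length = struct.unpack("!H", recv_exact(s, 2))[0]
            return diagnose(parse_response(recv_exact(s, length)))
    except OSError as err:
        return diagnose(None, err)

def constructed_soa_response():
    """Constructed reply for abc.com; 0xC00C is a compression pointer to offset 12."""
    ptr = b"\xc0\x0c"
    rdata = b"\x03ns1" + ptr + b"\x0ahostmaster" + ptr + struct.pack("!IIIII", 2004010101, 900, 600, 86400, 3600)
    return (struct.pack("!HHHHHH", 0x1234, 0x8400, 1, 1, 0, 0) + encode_name(ZONE) + struct.pack("!HH", QTYPE_SOA, 1)
            + ptr + struct.pack("!HHIH", QTYPE_SOA, 1, 3600, len(rdata)) + rdata)

def constructed_refused_response():
    """Constructed reply with RCODE 5 (REFUSED), what a transfer ACL hands back."""
    return struct.pack("!HHHHHH", 0x1234, 0x8405, 1, 0, 0, 0) + encode_name(ZONE) + struct.pack("!HH", QTYPE_AXFR, 1)

if __name__ == "__main__":
    print(diagnose(parse_response(constructed_soa_response())))
    print(diagnose(parse_response(constructed_refused_response())))
```

Run `check_master()` on the secondary itself: a connection timeout means the firewall path on TCP 53 needs fixing first; REFUSED means the Master answered but its "allow zone transfers" setting does not include this secondary's address; a NOERROR reply carrying the SOA means transfers are permitted and the serial shown is what the secondary should be able to pull.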
Thanks,
Charms
In Charms Zhou <[email protected]> commented. Then Kevin replied below:
Yes, I allowed zone transfers to all IP addresses on the
secondary DNS. The status of the zone is expired.
Then you should verify connectivity exists between the two