Zone Transfer Problems

Archived from groups: microsoft.public.win2000.dns (More info?)

Scenario:
I have three local dns servers all containing secondary zones for a certain
domain.. The primary zone is held on a server connected through a VPN.
Problem:
The three local dns servers often lose the zone or are unable to transfer
from master, even though connectivity is available between servers. This
happens randomly. One server can be transferring correctly, another will not
transfer at all!!

I am completely out of ideas so any help will be very very much
appreciated!!!!

Cheers,
Alex

"alexbax" <alexbax@discussions.microsoft.com> wrote in message
news:70DA8D85-9D38-4EEC-9607-C655EE4005A5@microsoft.com...
> Scenario:
> I have three local dns servers all containing secondary zones for a
certain
> domain.. The primary zone is held on a server connected through a VPN.
> Problem:
> The three local dns servers often lose the zone or are unable to transfer
> from master, even though connectivity is available between servers. This
> happens randomly. One server can be transferring correctly, another will
not
> transfer at all!!

Ok, so you can sit on each of the secondaries
and do a LIST in ntdsutil (shell) and it works
fine? [this will prove connectivity and that
the DNS traffic is not being filtered by a
firewall or restricted by the master.]

> I am completely out of ideas so any help will be very very much
> appreciated!!!!

"lose the zone" makes no sense -- DNS servers
don't lose zones (in general.)

Now, it's different if one transfers and the others
don't (one is filtered on the net, or restricted at the
master.)

BTW, a more common WAN architecture for
DNS replication would be for one of them to pull
across the WAN and the other two to pull (by
default) from a local server.

Secondaries can pull from other secondaries and
can place the Primary across the WAN as an
alternate master (so that it is even fault tolerant.)

"Herb Martin" wrote:

> "alexbax" <alexbax@discussions.microsoft.com> wrote in message
> news:70DA8D85-9D38-4EEC-9607-C655EE4005A5@microsoft.com...
> > Scenario:
> > I have three local dns servers all containing secondary zones for a
> certain
> > domain.. The primary zone is held on a server connected through a VPN.
> > Problem:
> > The three local dns servers often lose the zone or are unable to transfer
> > from master, even though connectivity is available between servers. This
> > happens randomly. One server can be transferring correctly, another will
> not
> > transfer at all!!
>
> Ok, so you can site on each of the secondaries
> and do a LIST in ntdsutil (shell) and it works
> fine? [this will prove connectivity and that
> the DNS traffic is not being filtered by a
> firewall or restricted by the master.]
>
> > I am completely out of ideas so any help will be very very much
> > appreciated!!!!
>
> "lose the zone" makes no sense -- DNS servers
> don't lose zones (in general.)
>
> Now, it's different if one transfers and the others
> don't (one is filtered on the net, or restrict at the
> master.)
>
> BTW, a more common WAN architecture for
> DNS replication would be for one of them to pull
> across the WAN and the other two to pull (by
> default) from a local server.
>
> Secondaries can pull from other secondaries and
> can place the (Primary across the WAN as an
> alternate master so that it is even fault tolerant.)
>
>
>
Thanks for your response!

I have successfully run the list command in ntdsutil on all servers,
including the one that is currently not replicating....

(When I said "lose the zone" I meant that the zone is automatically deleted
as it times out because no transfers are being made.)

All servers at some point have and will replicate the zone correctly,
sometimes they will all be working at the same time!

At the moment, whenever the zone on one of the servers fails to transfer from
the primary, I change it so it transfers from one of the other secondary
servers temporarily.
This is not a permanent fix, as at some point this server's zone will fail to
replicate too....

Alex

In news:533D9694-A555-47E2-9F58-FC270C3924F6@microsoft.com,
alexbax <alexbax@discussions.microsoft.com> commented
Then Kevin replied below:
> Thanks for your response!
>
> I have successfully run the list command in ntdsutil on
> all servers including the one that is currently not
> replicating....
>
> (When i said "lose the zone" i meant that the zone is
> automatically deleted as it times out because no
> transfers are being made.)
>
> All servers at some point have and will replicate the
> zone correctly, sometimes they will all be working at the
> same time!
>
> At the moment whenever the zone on one of the server
> fails to transfer from the primary, i do change it so it
> transfers from one of the other secondary servers
> temporally.
> This is not a permanent fix as at some point this
> server's zone will fail to replicate too....

Are the secondary servers multihomed? That is, do they have more than one IP
address?

Many times, if it is possible for the secondary to connect to the primary
from an IP address that is not in the allow zone transfer list, zone
transfers will fail. Does changing the allow zone transfer list to all IP
addresses allow the zone transfers to happen every time?


--
Best regards,
Kevin D4 Dad Goodknecht Sr. [MVP]
Hope This Helps
===================================
When responding to posts, please "Reply to Group"
via your newsreader so that others may learn and
benefit from your issue, to respond directly to
me remove the nospam. from my email address.
===================================
http://www.lonestaramerica.com/
===================================
Use Outlook Express?... Get OE_Quotefix:
It will strip signature out and more
http://home.in.tum.de/~jain/software/oe-quotefix/
===================================
Keep a back up of your OE settings and folders
with OEBackup:
http://www.oehelp.com/OEBackup/Default.aspx
===================================

>
> Are the secondary servers multihomed? That is, do they have more than one IP
> address?
>
> Many times, if it is possible for the secondary to connect to the primary
> from an IP addres that is not in the allow zone transfer list, zone
> transfers will fail. Does change the allow zone transfer list to all IP
> address allow the zone transfers to happen every time?
>
>
All secondary servers only have the one IP.
I am also not in control of the primary server, but am reassured that it is
set up correctly with the secondary servers' IPs.

In news:0D7707A0-0408-4091-A956-B8DF9811FCF5@microsoft.com,
alexbax <alexbax@discussions.microsoft.com> commented
Then Kevin replied below:
>> Are the secondary servers multihomed? That is, do they
>> have more than one IP address?
>>
>> Many times, if it is possible for the secondary to
>> connect to the primary from an IP addres that is not in
>> the allow zone transfer list, zone transfers will fail.
>> Does change the allow zone transfer list to all IP
>> address allow the zone transfers to happen every time?
>>
>>
> All secondary servers only have the one IP.
> I am also not in control of the primery server, but am
> reassured that it is set up correctly with the
> seccondarty server IP's.

Rarely are failing zone transfers the fault of the secondary server; it is
the primary DNS that is responsible for allowing zone transfers. For whatever
reason the primary is not allowing the zone transfer.

If you can, run this from the secondary server machine.
nslookup
server <theprimaryserverIP>
ls <zonenameyouaretransferring>

This is a zone transfer command and should list all records at all nodes in
the zone.


--
Best regards,
Kevin D4 Dad Goodknecht Sr. [MVP]

>
> Rarely are failing zone transfers the fault of the Secondary server, it is
> the primary DNS responsible for allowing zone transfers. For whatever reason
> the primary is not allowing the zone transfer.
>
> If you can, run this from the secondary server machine.
> nslookup
> server <theprimaryserverIP>
> ls <zonenameyouaretransferring>
>
> This is a zone transfer command and should list all records at all nodes in
> the zone.

I get "query refused" on the server that is currently not replicating
properly.
It lists the records fine on the servers that are replicating properly!

In news:CD9EC499-20C9-4BD5-BA80-804A09D7E8A6@microsoft.com,
alexbax <alexbax@discussions.microsoft.com> commented
Then Kevin replied below:
>> Rarely are failing zone transfers the fault of the
>> Secondary server, it is the primary DNS responsible for
>> allowing zone transfers. For whatever reason the primary
>> is not allowing the zone transfer.
>>
>> If you can, run this from the secondary server machine.
>> nslookup
>> server <theprimaryserverIP>
>> ls <zonenameyouaretransferring>
>>
>> This is a zone transfer command and should list all
>> records at all nodes in the zone.
>
> I get "query refused" on the server that is currently not
> replicating properly.

"query refused" means zone transfers are not being allowed to the IP you are
connecting from.

> It lists the records fine on the servers that are
> replicating properly!

Then whoever has control of the primary needs to verify the "allow zone
transfers to" address list. Or set this one to get its data from one of the
secondary servers, where you can allow zone transfers to this one.

--
Best regards,
Kevin D4 Dad Goodknecht Sr. [MVP]

>
> > It lists the records fine on the servers that are
> > replicating properly!
>
> Then whomever has control of the primary needs to verify the "allow zone
> transfers to" address list. Or set this one to get its data from one of the
> secondary servers where you can allow zone transfers to this one.
>


I have been told that all my secondary servers are in the "allow zone
transfers to" tab, which I trust is correct! And I can't really set the other
secondary to transfer off the only one working, because sooner or later this
will stop working too!

The thing that confuses me the most is that the zones will sometimes
transfer ok, then randomly stop working.... so it shows that the proper
connectivity is possible, but not all the time!

In news:018DC649-2049-4345-9E0C-1BA77B7A77E3@microsoft.com,
alexbax <alexbax@discussions.microsoft.com> commented
Then Kevin replied below:
>>> It lists the records fine on the servers that are
>>> replicating properly!
>>
>> Then whomever has control of the primary needs to verify
>> the "allow zone transfers to" address list. Or set this
>> one to get its data from one of the secondary servers
>> where you can allow zone transfers to this one.
>>
>
>
> I have been told that all my secondary servers are in the
> "allow zone transfers to" tab, which i trust is correct!
> and i cant really set the other secondary to transfer off
> the only one working, because sooner or later this will
> stop working too!
>
> The thing that confuses me the most is that the zones
> will sometimes transfer ok, then randomly stop
> working.... so it show that the proper connectivity is
> possible but not all the time!

Then, without a doubt, you have a routing problem. How are these two networks
connected together?
Somewhere you have an IP address that is not listed on the primary, and when
the secondary connects, the primary sees the wrong IP address and zone
transfers are disallowed.
You will have to find out what IP this is and either stop the secondary from
using the IP or add it to the zone transfer list.

--
Best regards,
Kevin D4 Dad Goodknecht Sr. [MVP]
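The `nslookup` / `ls` check suggested earlier and the point just made about the source address the primary actually sees can be scripted. What follows is an added example, not code from anyone in this thread: a small Python probe that sends the same AXFR (zone transfer) request over TCP 53 that `ls` does, reports the local address the socket bound to (the address the master will check against its allow-transfer list), and decodes the first reply, distinguishing REFUSED from a transfer that actually starts. The two sample replies (a REFUSED and the first message of a successful AXFR for the hypothetical zone example.test) are constructed inline so the decoding runs offline; the master address 192.0.2.53 in the usage comment is a placeholder.

```python
"""Added example: check whether a DNS master will hand a zone to this host.

The master decides purely on the source IP it sees, so a live probe also
reports the local address the socket bound to.  Sample replies are
constructed here so the decoder can be exercised without a network.
"""
import random
import socket
import struct

QTYPE_SOA = 6
QTYPE_AXFR = 252
QCLASS_IN = 1
RCODE_NAMES = {0: "NOERROR", 1: "FORMERR", 2: "SERVFAIL", 3: "NXDOMAIN",
               4: "NOTIMP", 5: "REFUSED", 9: "NOTAUTH"}


def encode_name(name):
    """Wire-encode a domain name as length-prefixed labels."""
    out = b"".join(bytes([len(l)]) + l.encode("ascii")
                   for l in name.rstrip(".").split(".") if l)
    return out + b"\x00"


def skip_name(msg, off):
    """Return the offset just past a (possibly compressed) name at `off`."""
    while True:
        length = msg[off]
        if length == 0:
            return off + 1
        if length & 0xC0 == 0xC0:            # compression pointer: 2 bytes
            return off + 2
        off += 1 + length


def build_axfr_query(zone, txid=None):
    """DNS message: 12-byte header + one question of type AXFR (no RD bit)."""
    txid = random.randrange(0x10000) if txid is None else txid
    header = struct.pack("!HHHHHH", txid, 0, 1, 0, 0, 0)
    return header + encode_name(zone) + struct.pack("!HH", QTYPE_AXFR, QCLASS_IN)


def parse_reply(msg):
    """Decode the header and, if present, the first answer's type and SOA serial."""
    txid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    rcode = flags & 0xF
    info = {"id": txid, "qr": bool(flags & 0x8000), "aa": bool(flags & 0x0400),
            "rcode": rcode, "rcode_name": RCODE_NAMES.get(rcode, str(rcode)),
            "ancount": an, "first_type": None, "serial": None}
    off = 12
    for _ in range(qd):                        # skip the echoed question(s)
        off = skip_name(msg, off) + 4
    if an:
        off = skip_name(msg, off)
        rtype, _, _, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        info["first_type"] = rtype
        if rtype == QTYPE_SOA:                 # SOA rdata: MNAME RNAME serial ...
            p = skip_name(msg, skip_name(msg, off))
            info["serial"] = struct.unpack("!I", msg[p:p + 4])[0]
    return info


def classify(info):
    """Turn a decoded reply into the diagnosis a DNS admin wants."""
    if info["rcode"] == 5:
        return "REFUSED: master does not allow transfers to the source IP it saw"
    if info["rcode"] == 0 and info["first_type"] == QTYPE_SOA:
        return "OK: transfer started, zone serial %d" % info["serial"]
    if info["rcode"] == 0:
        return "NOERROR but no leading SOA: not an AXFR stream (check TCP 53 path)"
    return "failed with RCODE %s" % info["rcode_name"]


def recv_exact(sock, n):
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise ConnectionError("master closed the connection mid-reply")
        buf += chunk
    return buf


def axfr_probe(master_ip, zone, timeout=10.0):
    """Live probe (needs network): returns (local_ip_used, diagnosis)."""
    with socket.create_connection((master_ip, 53), timeout=timeout) as s:
        local_ip = s.getsockname()[0]          # what the master's ACL is matched against
        q = build_axfr_query(zone)
        s.sendall(struct.pack("!H", len(q)) + q)   # TCP DNS: 2-byte length prefix
        (length,) = struct.unpack("!H", recv_exact(s, 2))
        return local_ip, classify(parse_reply(recv_exact(s, length)))


def sample_refused(zone, txid=0x1234):
    """Constructed reply: QR=1, RCODE=5 (REFUSED), question echoed, no answers."""
    return (struct.pack("!HHHHHH", txid, 0x8005, 1, 0, 0, 0)
            + encode_name(zone) + struct.pack("!HH", QTYPE_AXFR, QCLASS_IN))


def sample_axfr_start(zone, serial, txid=0x1234):
    """Constructed first AXFR message: QR=1, AA=1, one SOA answer for the zone."""
    soa_rdata = (encode_name("ns1." + zone) + encode_name("hostmaster." + zone)
                 + struct.pack("!IIIII", serial, 3600, 600, 86400, 3600))
    answer = (b"\xC0\x0C"                      # name: pointer to the question name
              + struct.pack("!HHIH", QTYPE_SOA, QCLASS_IN, 3600, len(soa_rdata))
              + soa_rdata)
    return (struct.pack("!HHHHHH", txid, 0x8400, 1, 1, 0, 0)
            + encode_name(zone) + struct.pack("!HH", QTYPE_AXFR, QCLASS_IN)
            + answer)


if __name__ == "__main__":
    for label, msg in (("refused", sample_refused("example.test")),
                       ("transfer", sample_axfr_start("example.test", 2005010101))):
        print(label, "->", classify(parse_reply(msg)))
    # Live use against a real master (placeholder address):
    # print(axfr_probe("192.0.2.53", "example.test"))
```

Run it from each secondary in turn. A REFUSED with a local address that differs from the one the primary's administrator was given (a second VPN endpoint, an ISA NAT address, or a different route being chosen some of the time) is exactly the intermittent symptom described in this thread.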

"Kevin D. Goodknecht Sr. [MVP]" wrote:

> In news:018DC649-2049-4345-9E0C-1BA77B7A77E3@microsoft.com,
> alexbax <alexbax@discussions.microsoft.com> commented
> Then Kevin replied below:
> >>> It lists the records fine on the servers that are
> >>> replicating properly!
> >>
> >> Then whomever has control of the primary needs to verify
> >> the "allow zone transfers to" address list. Or set this
> >> one to get its data from one of the secondary servers
> >> where you can allow zone transfers to this one.
> >>
> >
> >
> > I have been told that all my secondary servers are in the
> > "allow zone transfers to" tab, which i trust is correct!
> > and i cant really set the other secondary to transfer off
> > the only one working, because sooner or later this will
> > stop working too!
> >
> > The thing that confuses me the most is that the zones
> > will sometimes transfer ok, then randomly stop
> > working.... so it show that the proper connectivity is
> > possible but not all the time!
>
> Then, without a doubt you have a routing problem. How are these two networks
> connected together?
> Somewhere you have an IP address that is not listed on the primary, and when
> the secondary connects the primary sees the wrong IP address then zone
> transfers are disallowed.
> You will have to find out what IP this is and either stop the secondary from
> using the IP or add it to the zone transfer list.
>

The networks are connected through a VPN using two ISA servers....
I agree with what you are saying but why is the problem intermittent?

In news:42F62EED-94CE-4EAF-B7FA-7554F6D3A789@microsoft.com,
alexbax <alexbax@discussions.microsoft.com> commented
Then Kevin replied below:
> The networks are connected through a VPN using two ISA
> servers....
> I agree with what you are saying but why is the problem
> intermittent?

ISA?
Make sure ISA has a rule to allow TCP 53 as well as UDP 53.

--
Best regards,
Kevin D4 Dad Goodknecht Sr. [MVP]

"Kevin D. Goodknecht Sr. [MVP]" wrote:

> In news:42F62EED-94CE-4EAF-B7FA-7554F6D3A789@microsoft.com,
> alexbax <alexbax@discussions.microsoft.com> commented
> Then Kevin replied below:
> > The networks are connected through a VPN using two ISA
> > servers....
> > I agree with what you are saying but why is the problem
> > intermittent?
>
> ISA?
> Make sure ISA has a rule to allow TCP 53 as well as UDP 53.
>

Yep, both ports are open!