Zone transfer

G

Guest

Guest
Archived from groups: microsoft.public.win2000.dns (More info?)

I have 2 Windows 2000 servers that host AD and DNS. I have one
AD-integrated zone and 2 primary zones. When I attempt to set up zone
transfer for the 2 latter zones I get the error: "The DNS server encountered
an error while attempting to load the zone".

I've tried all the obvious solutions like checking nameserver setup for the
zones, zone transfer settings. Tried "Transfer from master" on the secondary
DNS server and checked DNS event logs. I get an error on the primary DNS
server; "Event ID: 3000, The DNS server is logging numerous run-time
events..." if that should matter. The primary DNS server is set up with
itself as DNS server and the secondary DNS server as secondary server. The
secondary DNS server is set up with the primary DNS server as Primary DNS
server and itself as the secondary.

I also tried the following commands on the secondary DNS server:
nslookup
[primary DNS listed as Default server]
ls -d <zone>
[lists all entries]

So, why doesn't it work?
 
Guest
Archived from groups: microsoft.public.win2000.dns (More info?)

"" wrote:
> I have 2 Windows 2000 servers that host AD and DNS. I have one
> AD-integrated zone and 2 primary zones. When I attempt to set up zone
> transfer for the 2 latter zones I get the error: "The DNS server encountered
> an error while attempting to load the zone".
>
> I've tried all the obvious solutions like checking nameserver setup for the
> zones, zone transfer settings. Tried "Transfer from master" on the secondary
> DNS server and checked DNS event logs. I get an error on the primary DNS
> server; "Event ID: 3000, The DNS server is logging numerous run-time
> events..." if that should matter. The primary DNS server is set up with
> itself as DNS server and the secondary DNS server as secondary server. The
> secondary DNS server is set up with the primary DNS server as Primary DNS
> server and itself as the secondary.
>
> I also tried the following commands on the secondary DNS server:
> nslookup
> [primary DNS listed as Default server]
> ls -d <zone>
> [lists all entries]
>
> So, why doesn't it work?

look at:
http://support.microsoft.com/default.aspx?scid=kb;en-us;816518&Product=winxp
http://www.microsoft.com/technet/prodtechnol/windowsserver2003/library/Operations/547be1bb-1a55-465b-a39c-e326d31e1cf7.mspx

does this help?

--
Posted using the http://www.windowsforumz.com interface, at author's request
Topic URL: http://www.windowsforumz.com/DNS-Zone-transfer-ftopict418401.html
 
Guest
Archived from groups: microsoft.public.win2000.dns (More info?)

In news:D9D7B491-6CC7-46A1-87A3-153AECDEB56F@microsoft.com,
Audun Wangen <Audun Wangen@discussions.microsoft.com> made this post, which
I then commented about below:
> I have 2 Windows 2000 servers that host AD and DNS. I have one
> AD-integrated zone and 2 primary zones. When I attempt to set up zone
> transfer for the 2 latter zones I get the error: "The DNS server
> encountered an error while attempting to load the zone".

A Primary zone is a writable copy. It will not receive transfers, but you
can allow transfers to a secondary zone. If you have an AD Integrated zone,
that acts as a Primary as well. Therefore you cannot transfer from an AD
Integrated zone to a Primary zone, but you can to a secondary zone. If you
have an AD Integrated zone, then why are you mixing AD Integrated zones with
Primary zones?


> I've tried all the obvious solutions like checking nameserver setup
> for the zones, zone transfer settings. Tried "Transfer from master"
> on the secondary DNS server and checked DNS event logs. I get an
> error on the primary DNS server; "Event ID: 3000, The DNS server is
> logging numerous run-time events..." if that should matter. The
> primary DNS server is set up with itself as DNS server and the
> secondary DNS server as secondary server. The secondary DNS server is
> set up with the primary DNS server as Primary DNS server and itself
> as the secondary.

This contradicts your previous paragraph. ??


> I also tried the following commands on the secondary DNS server:
> nslookup
> [primary DNS listed as Default server]
> ls -d <zone>
> [lists all entries]
>
> So, why doesn't it work?

Please elaborate a bit on your infrastructure, why you are mixing Primary
and AD Integrated zones, assuming the zone name is the same exact zone. If
this is the case, it may be the root of the whole issue because the system is
seeing dupes.

--
Regards,
Ace

Ace Fekay, MCSE 2003 & 2000, MCSA 2003 & 2000, MCSE+I, MCT, MVP
Microsoft Windows MVP - Windows Server - Directory Services
 
Guest
Archived from groups: microsoft.public.win2000.dns (More info?)

"Ace Fekay [MVP]" wrote:

> In news:D9D7B491-6CC7-46A1-87A3-153AECDEB56F@microsoft.com,
> Audun Wangen <Audun Wangen@discussions.microsoft.com> made this post, which
> I then commented about below:
> > I have 2 Windows 2000 servers that host AD and DNS. I have one
> > AD-integrated zone and 2 primary zones. When I attempt to set up zone
> > transfer for the 2 latter zones I get the error: "The DNS server
> > encountered an error while attempting to load the zone".
>
> A Primary zone is a writable copy. It will not receive transfers, but you
> can allow transfers to a secondary zone. If you have an AD Integrated zone,
> that acts as a Primary as well. Therefore you cannot transfer from an AD
> Integrated zone to a Primary zone, but you can to a secondary zone. If you
> have an AD Integrated zone, then why are you mixing AD Integrated zones with
> Primary zones?

Sorry, I see it got a little messy, so thank you very much for your patience.
I'll try to elaborate. I should have just ignored the AD integrated zones.
They work fine on both servers.

The core of the issue is: I have 2 DNS servers (let's just refer to them as
DNS1 and DNS2). DNS1 is set up with 2 Primary zones and I have set up DNS2 to
host these zones as Secondary zones. See below for an explanation of why we mix
AD integrated and Primary/Secondary zones. If you know of a better solution,
feel free to inform me.

> > I've tried all the obvious solutions like checking nameserver setup
> > for the zones, zone transfer settings. Tried "Transfer from master"
> > on the secondary DNS server and checked DNS event logs. I get an
> > error on the primary DNS server; "Event ID: 3000, The DNS server is
> > logging numerous run-time events..." if that should matter. The
> > primary DNS server is set up with itself as DNS server and the
> > secondary DNS server as secondary server. The secondary DNS server is
> > set up with the primary DNS server as Primary DNS server and itself
> > as the secondary.
>
> This contradicts your earlier previous paragraph. ??

I don't think so :). It just got messy. I referred to the network setup on
DNS1 and DNS2. DNS1 using DNS1 as primary DNS server, and DNS2 using DNS1 as
primary DNS server. It seemed to be the solution, on some forums, for some
issues concerning zone replication. Does that make more sense?

>
> > I also tried the following commands on the secondary DNS server:
> > nslookup
> > [primary DNS listed as Default server]
> > ls -d <zone>
> > [lists all entries]
> >
> > So, why doesn't it work?
>
> Please elaborate a bit on your infrastructure, why you are mixing Primary
> and AD INtegrated zones, assuming the zone name is the same exact zone. If
> this is the case, it maybe the root of the whole issue because the system is
> seeing dupes.

Well, I think I'll have to explain our infrastructure a bit for this to make
sense:
Firstly, DNS1 and DNS2 are strictly for internal use.

We have an outer DMZ using internal non-routable IP addresses for services
from the internet (NFuse, websites etc.). We use static NAT for the "outside"
to reach them. Before we set up a Primary zone these addresses were resolved
with the public IP address, and that didn't work. So it worked from the
internet but not internally on the LAN.

So we had to make a new zone on DNS1 to override the name to be resolved to
the internal IP address. The problem is I can't get these zones to replicate
to DNS2.

Is there a better way to solve this without going to extremes like using
HOSTS files etc.?
 
Guest
Archived from groups: microsoft.public.win2000.dns (More info?)

In news:976E1653-A933-4C93-B1CD-65A8345A1887@microsoft.com,
Audun Wangen <AudunWangen@discussions.microsoft.com> made this post, which I
then commented about below:
> "Ace Fekay [MVP]" wrote:
>
>> In news:D9D7B491-6CC7-46A1-87A3-153AECDEB56F@microsoft.com,
>> Audun Wangen <Audun Wangen@discussions.microsoft.com> made this
>> post, which I then commented about below:
>>> I have 2 Windows 2000 servers that host AD and DNS. I have one
>>> AD-integrated zone and 2 primary zones. When I attempt to set up
>>> zone transfer for the 2 latter zones I get the error: "The DNS
>>> server encountered an error while attempting to load the zone".
>>
>> A Primary zone is a writable copy. It will not receive transfers,
>> but you can allow transfers to a secondary zone. If you have an AD
>> Integrated zone, that acts as a Primary as well. Therefore you
>> cannot transfer from an AD Integrated zone to a Primary zone, but
>> you can to a secondary zone. If you have an AD Integrated zone, then
>> why are you mixing AD Integrated zones with Primary zones?
>
> Sorry, I see it got a little messy so thank you very much for your
> patience. I'll try to elaborate. I should have just ignored the AD
> integrated zones. They work fine on both servers.
>
> The core of the issue is: I have 2 DNS servers (let's just refer to
> them as DNS1 and DNS2). DNS1 is set up with 2 Primary zones and I
> have set up DNS2 to host these zones as Secondary zones. See below for
> an explanation of why we mix AD integrated and Primary/Secondary zones.
> If you know of a better solution, feel free to inform me.
>
>>> I've tried all the obvious solutions like checking nameserver setup
>>> for the zones, zone transfer settings. Tried "Transfer from master"
>>> on the secondary DNS server and checked DNS event logs. I get an
>>> error on the primary DNS server; "Event ID: 3000, The DNS server is
>>> logging numerous run-time events..." if that should matter. The
>>> primary DNS server is set up with itself as DNS server and the
>>> secondary DNS server as secondary server. The secondary DNS server
>>> is set up with the primary DNS server as Primary DNS server and
>>> itself as the secondary.
>>
>> This contradicts your earlier previous paragraph. ??
>
> I don't think so :). It just got messy. I referred to the network
> setup on DNS1 and DNS2. DNS1 using DNS1 as primary DNS server, and
> DNS2 using DNS1 as primary DNS server. It seemed to be the solution,
> on some forums, for some issues concerning zone replication. Does
> that make more sense?
>
>>
>>> I also tried the following commands on the secondary DNS server:
>>> nslookup
>>> [primary DNS listed as Default server]
>>> ls -d <zone>
>>> [lists all entries]
>>>
>>> So, why doesn't it work?
>>
>> Please elaborate a bit on your infrastructure, why you are mixing
>> Primary and AD Integrated zones, assuming the zone name is the same
>> exact zone. If this is the case, it may be the root of the whole
>> issue because the system is seeing dupes.
>
> Well, I think I'll have to explain our infrastructure a bit for this
> to make sense:
> Firstly, DNS1 and DNS2 are strictly for internal use.
>
> We have an outer DMZ using internal non-routable IP addresses for
> services from the internet (NFuse, websites etc.). We use static NAT
> for the "outside" to reach them. Before we set up a Primary zone
> these addresses were resolved with the public IP address, and that
> didn't work. So it worked from the internet but not internally on the
> LAN.
>
> So we had to make a new zone on DNS1 to override the name to be
> resolved to the internal IP address. The problem is I can't get
> these zones to replicate to DNS2.
>
> Is there a better way to solve this without going to extremes like
> using HOSTS files etc.?

Let's see. Simply, you're trying to replicate a zone from the internal DNS,
DNS1, to the DMZ DNS server. I believe that's what you appear to be
saying. This is in order for your VPN clients to access internal resources
using their private IPs.

If zone transfer from DNS1 is not working to the external DMZ DNS server,
then maybe you didn't create a port re-map rule through the NAT device to allow
UDP and TCP from the DMZ side (NAT's WAN IP) to go to DNS1's private IP on
the internal side.

I hope I understood...

Ace
 
Guest
Archived from groups: microsoft.public.win2000.dns (More info?)

"Ace Fekay [MVP]" wrote:

> In news:976E1653-A933-4C93-B1CD-65A8345A1887@microsoft.com,
> Audun Wangen <AudunWangen@discussions.microsoft.com> made this post, which I
> then commented about below:
> > "Ace Fekay [MVP]" wrote:
> >
> >> In news:D9D7B491-6CC7-46A1-87A3-153AECDEB56F@microsoft.com,
> >> Audun Wangen <Audun Wangen@discussions.microsoft.com> made this
> >> post, which I then commented about below:
> >>> I have 2 Windows 2000 servers that host AD and DNS. I have one
> >>> AD-integrated zone and 2 primary zones. When I attempt to set up
> >>> zone transfer for the 2 latter zones I get the error: "The DNS
> >>> server encountered an error while attempting to load the zone".
> >>
> >> A Primary zone is a writable copy. It will not receive transfers,
> >> but you can allow transfers to a secondary zone. If you have an AD
> >> Integrated zone, that acts as a Primary as well. Therefore you
> >> cannot transfer from an AD Integrated zone to a Primary zone, but
> >> you can to a secondary zone. If you have an AD Integrated zone, then
> >> why are you mixing AD Integrated zones with Primary zones?
> >
> > Sorry, I see it got a little messy so thank you very much for your
> > patience. I'll try to elaborate. I should have just ignored the AD
> > integrated zones. They work fine on both servers.
> >
> > The core of the issue is: I have 2 DNS servers (let's just refer to
> > them as DNS1 and DNS2). DNS1 is set up with 2 Primary zones and I
> > have set up DNS2 to host these zones as Secondary zones. See below for
> > an explanation of why we mix AD integrated and Primary/Secondary zones.
> > If you know of a better solution, feel free to inform me.
> >
> >>> I've tried all the obvious solutions like checking nameserver setup
> >>> for the zones, zone transfer settings. Tried "Transfer from master"
> >>> on the secondary DNS server and checked DNS event logs. I get an
> >>> error on the primary DNS server; "Event ID: 3000, The DNS server is
> >>> logging numerous run-time events..." if that should matter. The
> >>> primary DNS server is set up with itself as DNS server and the
> >>> secondary DNS server as secondary server. The secondary DNS server
> >>> is set up with the primary DNS server as Primary DNS server and
> >>> itself as the secondary.
> >>
> >> This contradicts your earlier previous paragraph. ??
> >
> > I don't think so :). It just got messy. I referred to the network
> > setup on DNS1 and DNS2. DNS1 using DNS1 as primary DNS server, and
> > DNS2 using DNS1 as primary DNS server. It seemed to be the solution,
> > on some forums, for some issues concerning zone replication. Does
> > that make more sense?
> >
> >>
> >>> I also tried the following commands on the secondary DNS server:
> >>> nslookup
> >>> [primary DNS listed as Default server]
> >>> ls -d <zone>
> >>> [lists all entries]
> >>>
> >>> So, why doesn't it work?
> >>
> >> Please elaborate a bit on your infrastructure, why you are mixing
> >> Primary and AD Integrated zones, assuming the zone name is the same
> >> exact zone. If this is the case, it may be the root of the whole
> >> issue because the system is seeing dupes.
> >
> > Well, I think I'll have to explain our infrastructure a bit for this
> > to make sense:
> > Firstly, DNS1 and DNS2 are strictly for internal use.
> >
> > We have an outer DMZ using internal non-routable IP addresses for
> > services from the internet (NFuse, websites etc.). We use static NAT
> > for the "outside" to reach them. Before we set up a Primary zone
> > these addresses were resolved with the public IP address, and that
> > didn't work. So it worked from the internet but not internally on the
> > LAN.
> >
> > So we had to make a new zone on DNS1 to override the name to be
> > resolved to the internal IP address. The problem is I can't get
> > these zones to replicate to DNS2.
> >
> > Is there a better way to solve this without going to extremes like
> > using HOSTS files etc.?
>
> Let's see. Simply, you're trying to replicate a zone from the internal DNS,
> DNS1, to the DMZ DNS server. I believe that's what you appear to be
> saying. This is in order for your VPN clients to access internal resources
> using their private IPs.
>
> If zone transfer from DNS1 is not working to the external DMZ DNS server,
> then maybe you didn't create a port re-map rule through the NAT device to allow
> UDP and TCP from the DMZ side (NAT's WAN IP) to go to DNS1's private IP on
> the internal side.
>
> I hope I understood...
>

Almost. Except that DNS2 is not in the DMZ. It's on the LAN as well, just
for redundancy. So there is no firewall between DNS1 and DNS2. Like you said,
the zones were created for the internal IPs to reach the servers in the DMZ
by name.

Thanks again for the fast reply. Any ideas how to make the zones replicate?
 
Guest
Archived from groups: microsoft.public.win2000.dns (More info?)

In news:AF8FE76D-4FFB-4293-9436-FCAA6C32A33D@microsoft.com,
Audun Wangen <AudunWangen@discussions.microsoft.com> made this post, which I
then commented about below:
>
> Almost. Except that DNS2 is not in the DMZ. It's on the LAN as well,
> just for redundancy. So there is no firewall between DNS1 and DNS2.
> Like you said, the zones were created for the internal IPs to reach
> the servers in the DMZ by name.
>
> Thanks again for the fast reply. Any ideas how to make the zones
> replicate?

I believe you said transfers are working between DNS2 and DNS1, but not to
the DNS server in the DMZ?

Let me also understand, the DMZ has public IPs, and the internal network has
private IPs, correct? If so, you still need to remap those ports, firewall
or not.

Ace
 
Guest
Archived from groups: microsoft.public.win2000.dns (More info?)

"Ace Fekay [MVP]" wrote:

> In news:AF8FE76D-4FFB-4293-9436-FCAA6C32A33D@microsoft.com,
> Audun Wangen <AudunWangen@discussions.microsoft.com> made this post, which I
> then commented about below:
> >
> > Almost. Except that DNS2 is not in the DMZ. It's on the LAN as well,
> > just for redundancy. So there is no firewall between DNS1 and DNS2.
> > Like you said, the zones were created for the internal IPs to reach
> > the servers in the DMZ by name.
> >
> > Thanks again for the fast reply. Any ideas how to make the zones
> > replicate?
>
> I believe you said transfers are working between DNS2 and DNS1, but not to
> the DNS server in the DMZ?
>
> Let me also understand, the DMZ has public IPs, and the internal network has
> private IPs, correct? If so, you still need to remap those ports, firewall
> or not.
>
> Ace
>

No, I have no DNS servers in the DMZ. DNS1 and DNS2 are on the internal LAN.

The DMZ servers are set up with private IPs (e.g. 172.21.18.1). We use
static address translation to a public IP (e.g. 62.70.34.1) on the
outside interface of the firewall. We do not use NAT between internal LAN and
DMZ. So on layer 3 everything works fine.

We want the name to resolve to 172.21.18.1 on the LAN and 62.70.34.1 on the
internet. It works fine if I edit the HOSTS file, but that is unacceptable for
so many machines.

I have set up primary zones on DNS1 and they work correctly, but I can't get
the zones to replicate to DNS2. The primary zones on DNS1 work correctly,
but not on DNS2.

Here's the output of some nslookup commands if that helps. www.dmzservers.com
is a server in our DMZ:

>server DNS1
Default Server: DNS1.domain.com
Address: 172.16.3.1

> www.dmzservers.com
Server: DNS1.domain.com
Address: 172.16.3.1

Name: www.dmzservers.com
Address: 172.21.18.1

> server DNS2
Default Server: DNS2.domain.com
Address: 172.16.3.2

> www.dmzservers.com
Server: DNS2.domain.com
Address: 172.16.3.2

*** DNS2.domain.com can't find www.dmzservers.no: Server failed
 
Guest
Archived from groups: microsoft.public.win2000.dns (More info?)

Audun Wangen <AudunWangen@discussions.microsoft.com> wrote:
> "Ace Fekay [MVP]" wrote:
>
>> In news:AF8FE76D-4FFB-4293-9436-FCAA6C32A33D@microsoft.com,
>> Audun Wangen <AudunWangen@discussions.microsoft.com> made this post,
>> which I then commented about below:
>>>
>>> Almost. Except that DNS2 is not in the DMZ. It's on the LAN as well,
>>> just for redundancy. So there is no firewall between DNS1 and DNS2.
>>> Like you said, the zones were created for the internal IPs to reach
>>> the servers in the DMZ by name.
>>>
>>> Thanks again for the fast reply. Any ideas how to make the zones
>>> replicate?
>>
>> I believe you said transfers are working between DNS2 and DNS1, but
>> not to the DNS server in the DMZ?
>>
>> Let me also understand, the DMZ has public IPs, and the internal
>> network has private IPs, correct? If so, you still need to remap
>> those ports, firewall or not.
>>
>> Ace
>>
>
> No, I have no DNS servers in the DMZ. DNS1 and DNS2 are on the
> internal LAN.
>
> The DMZ servers are set up with private IPs (e.g. 172.21.18.1). We use
> static address translation to a public IP (e.g. 62.70.34.1) on the
> outside interface of the firewall. We do not use NAT between internal
> LAN and DMZ. So on layer 3 everything works fine.
>
> We want the name to resolve to 172.21.18.1 on the LAN and 62.70.34.1
> on the internet. It works fine if I edit the HOSTS file, but that is
> unacceptable for so many machines.
>
> I have set up primary zones on DNS1 and they work correctly, but I
> can't get the zones to replicate to DNS2. The primary zones on DNS1
> work correctly, but not on DNS2.

If zone transfers do not work, answer these questions.

a. Are the two primary zones for a publicly accessible domain name?

b. If yes to a, do you have NS records for both the Primary and Secondary
zones?

c. If yes to a and b, do the NS records use names that resolve to public IP
addresses?

d. If yes to a, b and c, do you have "Allow zone transfers only to the DNS
servers listed on the Name Server tab"?

e. If yes to d, zone transfers won't work because the NS records resolve to
public IP addresses and the secondary server has a private IP.

f. If yes to d, on the zone transfer tab, change the setting to "Allow zone
transfers only to these IP addresses" with ALL the private IP addresses of the
secondary server.


Also, take note, you cannot use the same zone for both local clients and
public clients to resolve names for locally hosted services for public
domains.
Local clients must get the local address while public clients must get only
the public address. You need to split the zones to separate DNS servers, one for
public clients and one for local clients.
This is one feature MS DNS does not support, that BIND does.


--
Best regards,
Kevin D4 Dad Goodknecht Sr. [MVP]
Hope This Helps
 
Guest
Archived from groups: microsoft.public.win2000.dns (More info?)

In news:A426854B-D924-48FA-BCC3-E8570065920F@microsoft.com,
Audun Wangen <AudunWangen@discussions.microsoft.com> made this post, which I
then commented about below:
>
> No, I have no DNS servers in the DMZ. DNS1 and DNS2 are on the
> internal LAN.
>
> The DMZ servers are set up with private IPs (e.g. 172.21.18.1). We use
> static address translation to a public IP (e.g. 62.70.34.1) on the
> outside interface of the firewall. We do not use NAT between internal
> LAN and DMZ. So on layer 3 everything works fine.
>
> We want the name to resolve to 172.21.18.1 on the LAN and 62.70.34.1
> on the internet. It works fine if I edit the HOSTS file, but that is
> unacceptable for so many machines.
>
> I have set up primary zones on DNS1 and they work correctly, but I
> can't get the zones to replicate to DNS2. The primary zones on DNS1
> work correctly, but not on DNS2.
>
> Here's the output of some nslookup commands if that helps.
> www.dmzservers.com is a server in our DMZ:
>
>> server DNS1
> Default Server: DNS1.domain.com
> Address: 172.16.3.1
>
>> www.dmzservers.com
> Server: DNS1.domain.com
> Address: 172.16.3.1
>
> Name: www.dmzservers.com
> Address: 172.21.18.1
>
>> server DNS2
> Default Server: DNS2.domain.com
> Address: 172.16.3.2
>
>> www.dmzservers.com
> Server: DNS2.domain.com
> Address: 172.16.3.2
>
> *** DNS2.domain.com can't find www.dmzservers.no: Server failed

I see. It either looks like you are mixing private/public IPs, or
something with your zone transfer settings. I read back through the thread,
and I didn't see where you listed what the zone transfer setting was, just
that you 'checked' it.

BTW, attempting an nslookup ls -d <zone> is a zone transfer query/request.
This points to your zone transfer settings as well, if it is not giving you
a response.

If you are mixing private and public data, follow Kevin's advice, we need to
have separate servers for this function.

If you just use the internal DNS with the private settings for your 'same
name internal/external domain name', then you can get to the website with
the correct private IP.

For the public records, you need a completely separate DNS server, actually
two of them, based on the Registrar's requirements. That server will ONLY
host public IPs, such as 62.70.34.1. Your internal server will NOT use this
server. Hence, the confusion of configuring this to work.

Unless you are mixing internal DNS and your ISP's DNS server in your
machines' IP properties?

Ace
 
Guest
Archived from groups: microsoft.public.win2000.dns (More info?)

"Kevin D. Goodknecht Sr. [MVP]" wrote:
> If zone transfers do not work, answer these questions.
>
> a. Are the two primary zones for a publicly accessible domain name?
>

Yes, the zones are for domains that are publicly accessible.

> b. If yes to a, do you have NS records for both the Primary and Secondary
> zones?
>

I have NS records for the Primary zone, but because the Secondary zone
doesn't replicate I can't get the data for that zone. Isn't the Secondary
zone supposed to be a copy of the Primary zone? If so, the NS records should
also be replicated, am I right?

> c. If yes to a and b, do the NS records use names that resolve to public IP
> addresses?
>

No, both servers listed as NS records (DNS1 and DNS2) have, as I wrote,
private IPs. I have no DNS server in the DMZ. The DNS servers have 2
forwarders defined that are the DNS servers of our ISP.

> d. If yes to a, b and c, do you have "Allow zone transfers only to the DNS
> servers listed on the Name Server tab"?
>
Yes. I have tried other options as well ("To any server" and "Only to the
following"), with no results. I even tried specifying the server with its IP
address.

> e. If yes to d, zone transfers won't work because the NS records resolve to
> public IP addresses and the secondary server has a private IP.
>

I don't get it. Both DNS servers have private IPs and are used only for
internal name lookup. What we try to do is override the IPs so that the
servers in our DMZ are resolved to their private IPs and not to their public
IPs, and this works perfectly for DNS1 which hosts the Primary zones. How
come I can't transfer these zones to DNS2 when it's on the same LAN/subnet
with no firewall in between?

> f. If yes to d, on the zone transfer tab, change the setting "Allow zone
> transfers only to these IP addresses" with ALL the Private IP address on the
> secondary server.
>

I've tried that. No success.

>
> Also, take note, you cannot use the same zone for both local clients and
> public clients, to resolve names for locally hosted services for public
> domains.

If I get you right, we don't. DNS1 and DNS2 are on the LAN and not accessible
from the internet. They are strictly used for LAN lookups. The "zone
override" works on DNS1, so it resolves the names in the DMZ to private IPs.
The problem is replication to DNS2.

> Local clients must get the local address while public clients must get only
> public address. You need to split the zones to separate DNS servers, one for
> public clients and one for local clients.
> This is one feature MS DNS does not support, that BIND does.

Yes, I get that, and that is why I had to make 2 new zones; for the clients
on the LAN to resolve to the private IPs. Lookups (to the public IPs of the
DMZ servers) work on the internet because that is taken care of by our ISP
and their DNS setup. Internal lookups ALSO work on DNS1 because I have set up
the Primary zones. The problem came when I attempted to set up the Secondary
zones (replica of the primary zones) on DNS2.
 
Guest
Archived from groups: microsoft.public.win2000.dns (More info?)

"Ace Fekay [MVP]" wrote:
> I see. It's either looks like you are mixing private/public IPs, or
> something with your zone transfer settings. I read back through the thread,
> and I didn't see where you listed what the zone transfer setting was, just
> that you 'checked' it.

Ok, I'll give you the details (zone names and server names are changed, but
you get the idea):
Zone: domain.com
Type: Primary
Location: DNS1
Allow dynamic updates: No
SOA, Primary server: DNS1
Refresh interval: 15 mins
Retry interval: 10 mins
Expires after: 1 day
Name servers: DNS1 and DNS2
WINS: No
Zone Transfer:
Allow zone transfers: Yes
To any server

Also tried "Only the servers listed in the Name Servers tab" and tried to
specify the IP address of DNS2.

Notify:
Automatically notify: Yes
Servers listed on the Name Servers tab
-------------------------------------------------------------
I then attempted to set up a new zone on DNS2 as follows:
Standard secondary
Name of the zone: I selected the zone from DNS1 (domain.com)
Specify DNS servers from which to copy: I selected DNS1

I tried "Transfer from master" but it still says "Zone not loaded by DNS
server".

> btw-, attempting an nslookup ls -d <zone> is a zone transfer query/request.
> This points to your zone transfer settings as well, if it is not giving you
> a response.
>

On DNS2 I tried the following:
nslookup
>server DNS1
Default server: DNS1.ADdomain.com
Address: <IP of DNS1>

>ls -d domain.com
[DNS1.ADdomain.com]
domain.com SOA DNS1.ADdomain.com admin.ADdomain.com
domain.com NS DNS1.ADdomain.com
domain.com NS DNS2.ADdomain.com
domain.com CNAME www.domain.com
maps CNAME www.domain.com
www A <internal IP address of DMZ server>
domain.com SOA DNS1.ADdomain.com admin.ADdomain.com

After the SOA records there is a number (18 900 600 86400 3600).

> If you are mixing private and public data, follow Kevin's advice, we need to
> have separate servers for this function.
>
> If you just use the internal DNS with the private settings for your 'same
> name internal/external domain name', then you can get to the website with
> the correct private IP.
>
> For the public records, you need a completely separate DNS server, actually
> two of them, based on the Registrar's requirements. That server will ONLY
> host public IPs, such as 62.70.34.1. Your internal server will NOT use this
> server. Hence, the confusion of configuring this to work.
>
> Unless you are mixing internal DNS and your ISP's DNS server in your
> machines' IP properties?
>

No, I use DNS1 as primary DNS and DNS2 as secondary DNS, and I have set up
forwarders on DNS1 and DNS2 to our ISP's DNS servers (omg...dnsdnsdns:).

Thanks for your reply. Any new ideas how to make the replication work?
 

Audun Wangen <AudunWangen@discussions.microsoft.com> wrote:

> Yes, I get that, and that is why I had to make 2 new zones; for the
> clients on the LAN to resolve to the private IPs. Lookups (to the
> public IPs of the DMZ servers) work on the internet because that is
> taken care of by our ISP and their DNS setup. Internal lookups ALSO
> work on DNS1 because I have set up the Primary zones. The problem
> came when I attempted to set up the Secondary zones (replica of the
> primary zones) on DNS2.

Are the AD integrated zones getting replicated?


--
Best regards,
Kevin D4 Dad Goodknecht Sr. [MVP]
Hope This Helps
===================================
When responding to posts, please "Reply to Group"
via your newsreader so that others may learn and
benefit from your issue, to respond directly to
me remove the nospam. from my email address.
===================================
http://www.lonestaramerica.com/
===================================
Use Outlook Express?... Get OE_Quotefix:
It will strip signature out and more
http://home.in.tum.de/~jain/software/oe-quotefix/
===================================
Keep a back up of your OE settings and folders
with OEBackup:
http://www.oehelp.com/OEBackup/Default.aspx
===================================
 

"Kevin D. Goodknecht Sr. [MVP]" wrote:

> Audun Wangen <AudunWangen@discussions.microsoft.com> wrote:
>
> > Yes, I get that, and that is why I had to make 2 new zones; for the
> > clients on the LAN to resolve to the private IPs. Lookups (to the
> > public IPs of the DMZ servers) work on the internet because that is
> > taken care of by our ISP and their DNS setup. Internal lookups ALSO
> > work on DNS1 because I have set up the Primary zones. The problem
> > came when I attempted to set up the Secondary zones (replica of the
> > primary zones) on DNS2.
>
> Are the AD integrated zones getting replicated?
>

Yes.
 

Audun Wangen <AudunWangen@discussions.microsoft.com> wrote:
> "Kevin D. Goodknecht Sr. [MVP]" wrote:
>
>> Audun Wangen <AudunWangen@discussions.microsoft.com> wrote:
>>
>>> Yes, I get that, and that is why I had to make 2 new zones; for the
>>> clients on the LAN to resolve to the private IPs. Lookups (to the
>>> public IPs of the DMZ servers) work on the internet because that is
>>> taken care of by our ISP and their DNS setup. Internal lookups ALSO
>>> work on DNS1 because I have set up the Primary zones. The problem
>>> came when I attempted to set up the Secondary zones (replica of the
>>> primary zones) on DNS2.
>>
>> Are the AD integrated zones getting replicated?
>>
>
> Yes.

Why not use AD integration on these zones?
If you do, there is no need for secondary zones or zone transfers.


--
Best regards,
Kevin D4 Dad Goodknecht Sr. [MVP]
 

"Kevin D. Goodknecht Sr. [MVP]" wrote:

> Audun Wangen <AudunWangen@discussions.microsoft.com> wrote:
> > "Kevin D. Goodknecht Sr. [MVP]" wrote:
> >
> >> Audun Wangen <AudunWangen@discussions.microsoft.com> wrote:
> >>
> >>> Yes, I get that, and that is why I had to make 2 new zones; for the
> >>> clients on the LAN to resolve to the private IPs. Lookups (to the
> >>> public IPs of the DMZ servers) work on the internet because that is
> >>> taken care of by our ISP and their DNS setup. Internal lookups ALSO
> >>> work on DNS1 because I have set up the Primary zones. The problem
> >>> came when I attempted to set up the Secondary zones (replica of the
> >>> primary zones) on DNS2.
> >>
> >> Are the AD integrated zones getting replicated?
> >>
> >
> > Yes.
>
> Why not use AD integration on these zones?
> If you do, there is no need for secondary zones or zone transfers.

Yes, why not :). I did think of it but figured it would be nice to separate
our domain from the public ones. How does that work when I have to create a
new domain? Are there any issues I have to think about?
 

Audun Wangen <AudunWangen@discussions.microsoft.com> wrote:
> Yes, why not :). I did think of it but figured it would be nice to
> separate our domain from the public ones. How does that work when I
> have to create a new domain? Are there any issues I have to think
> about?

Please clarify this statement, "separate our domain from the public ones"
This leads me to believe you are trying to host your public zone on the DNS
server, which you said you are not.

As for the difference between AD integrated zones and standard
primary/secondary, what this means is that the zone is stored in Active
Directory instead of in a text file as in Standard Primary/secondary.



--
Best regards,
Kevin D4 Dad Goodknecht Sr. [MVP]
 

In news:88F8B67A-6421-4813-8C54-B53A1E51E5AA@microsoft.com,
Audun Wangen <AudunWangen@discussions.microsoft.com> made this post, which I
then commented about below:
> "Ace Fekay [MVP]" wrote:
>> I see. It either looks like you are mixing private/public IPs, or
>> something with your zone transfer settings. I read back through the
>> thread, and I didn't see where you listed what the zone transfer
>> setting was, just that you 'checked' it.
>
> Ok, I'll give you the details (zone names and servernames are
> changed, but you get the idea):
> Zone: domain.com
> Type: Primary
> Location: DNS1
> Allow dynamic updates: No
> SOA, Primary server: DNS1
> Refresh interval: 15 mins
> Retry interval: 10 mins
> Expires after: 1 days
> Name servers: DNS1 and DNS2
> WINS: No
> Zone Transfer:
> Allow zone transfers: Yes
> To any server
>
> Also tried "Only the servers listed in the Name Servers tab" and
> tried to specify the IP address of DNS2.
>
> Notify:
> Automatically notify: Yes
> Servers listed on the Name Servers tab
> -------------------------------------------------------------
> I then attempted to set up a new zone on DNS2 as follows:
> Standard secondary
> Name of the zone: I selected the zone from DNS1 (domain.com)
> Specify DNS servers from which to copy: I selected DNS1
>
> I tried "Transfer from master" but it still says "Zone not loaded by
> DNS server".
>
>> btw-, attempting an nslookup ls -d <zone> is a zone transfer
>> query/request. This points to your zone transfer settings as well,
>> if it is not giving you a response.
>>
>
> On DNS2 I tried the following:
> nslookup
>> server DNS1
> Default server: DNS1.ADdomain.com
> Address: <IP of DNS1>
>
>> ls -d domain.com
> [DNS1.ADdomain.com]
> domain.com SOA DNS1.ADdomain.com admin.ADdomain.com
> domain.com NS DNS1.ADdomain.com
> domain.com NS DNS2.ADdomain.com
> domain.com CNAME www.domain.com
> maps CNAME www.domain.com
> www A <internal IP address of DMZ server>
> domain.com SOA DNS1.ADdomain.com admin.ADdomain.com
>
> After the SOA records there is a number (18 900 600 86400 3600).
>
>> If you are mixing private and public data, follow Kevin's advice, we
>> need to have separate servers for this function.
>>
>> If you just use the internal DNS with the private settings for your
>> 'same name internal/external domain name', then you can get to the
>> website with the correct private IP.
>>
>> For the public records, you need a completely separate DNS server,
>> actually two of them, based on the Registrar's requirements. That
>> server will ONLY host public IPs, such as 62.70.34.1. Your internal
>> server will NOT use this server. Hence, the confusion of configuring
>> this to work.
>>
>> Unless you are mixing internal DNS and your ISP's DNS server in your
>> machines' IP properties?
>>
>
> No, I use DNS1 as primary DNS and DNS2 as secondary DNS, and I have
> set up forwarders on DNS1 and DNS2 to our ISP's DNS servers
> (omg...dnsdnsdns:).
>
> Thanks for your reply. Any new ideas how to make the replication work?

Honestly, if both DNS servers are on the same subnet (I didn't see any IP
addresses listed above), and zone transfers are allowed to "any", then it
should just work.

Maybe between Kevin and me, we're missing something rudimentary here in your
configuration. But as far as I see it, and trying to understand your
configuration (and terminology), you have two DNS servers on the same subnet
and you want to transfer a zone from one to the other, and all the
IPs under the nameserver tab are all their private IPs (not mixing them).
This should just *work*.

Kevin made a point about the nameservers listing and their IP addresses, but
if they are both private IPs, meaning these two:
> domain.com NS DNS1.ADdomain.com
> domain.com NS DNS2.ADdomain.com
and they are on the same subnet, then transfers should just work.

Maybe it's that blank domain CNAME record causing the whole problem. I
couldn't mimic your configuration on my server. I am assuming that:
> domain.com CNAME www.domain.com
means it really shows up in the DNS console under the zone as:
(same as parent) CNAME www.domain.com

unless you really did select to create a new Alias, typed in domain.com in
the host section, then typed in www.domain.com for the target name. But if
you did that, then the system will automatically create a "com" zone under
the current "domain.com" zone and then it will create a "domain" CNAME
record in that zone with a target of www.domain.com. When I tried to do it
the other way, it wouldn't let me, stating that it is an incompatible record
type. Maybe the zone transfer attempt recognizes it and is preventing the
transfer.

Ace
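Ace's hypothesis above is that a CNAME at the zone apex is what the transfer chokes on. As an added example (not code from this thread or from Microsoft's DNS), the Python below takes a listing of the kind `nslookup`'s `ls -d` prints and flags exactly that: an owner name that holds a CNAME next to any other record type, which RFC 1034 forbids and which the apex always does since it carries SOA and NS. It also decodes the five SOA numbers Audun quoted into the refresh/retry/expire values shown in the GUI. The server names and the 192.0.2.10 address are constructed placeholders, and the listing format is assumed to be one record per line with the SOA numbers folded onto the SOA line.

```python
from collections import defaultdict

# Constructed sample modelled on the `ls -d domain.com` listing in the thread.
# Names and the 192.0.2.10 address are placeholders; the five SOA timer values
# (18 900 600 86400 3600) are folded onto the SOA line, and the listing ends
# with the repeated SOA, as a zone transfer does.
SAMPLE_LISTING = """\
[DNS1.ADdomain.com]
domain.com SOA DNS1.ADdomain.com admin.ADdomain.com 18 900 600 86400 3600
domain.com NS DNS1.ADdomain.com
domain.com NS DNS2.ADdomain.com
domain.com CNAME www.domain.com
maps CNAME www.domain.com
www A 192.0.2.10
domain.com SOA DNS1.ADdomain.com admin.ADdomain.com 18 900 600 86400 3600
"""

SOA_FIELDS = ("serial", "refresh", "retry", "expire", "minimum_ttl")


def parse_listing(text, origin):
    """Return {owner: {rtype: [rdata, ...]}}, qualifying relative names to origin."""
    records = defaultdict(lambda: defaultdict(list))
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("["):   # skip blanks and the "[server]" banner
            continue
        owner, rtype, rdata = line.split(None, 2)
        if owner != origin and not owner.endswith("." + origin):
            owner = f"{owner}.{origin}"         # 'www' -> 'www.domain.com'
        records[owner][rtype].append(rdata)
    return records


def soa_timers(records, origin):
    """Decode the numeric SOA fields; refresh=900 is the GUI's '15 mins'."""
    fields = records[origin]["SOA"][0].split()
    return dict(zip(SOA_FIELDS, map(int, fields[-5:])))


def cname_conflicts(records):
    """Owner names holding a CNAME next to other types (RFC 1034 sec. 3.6.2 forbids this).

    The apex always carries SOA and NS, so a '(same as parent) CNAME' is always a hit.
    """
    return sorted(name for name, rrsets in records.items()
                  if "CNAME" in rrsets and len(rrsets) > 1)


if __name__ == "__main__":
    zone = parse_listing(SAMPLE_LISTING, "domain.com")
    print("SOA timers:", soa_timers(zone, "domain.com"))
    print("CNAME conflicts:", cname_conflicts(zone))  # ['domain.com']
```

Run against the real listing, a non-empty conflict list is the record to delete before retrying "Transfer from master"; the timers confirm the GUI settings (15 min, 10 min, 1 day) are what the SOA actually carries.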
 

"Kevin D. Goodknecht Sr. [MVP]" wrote:

> Audun Wangen <AudunWangen@discussions.microsoft.com> wrote:
> > Yes, why not :). I did think of it but figured it would be nice to
> > separate our domain from the public ones. How does that work when I
> > have to create a new domain? Are there any issues I have to think
> > about?
>
> Please clarify this statement, "separate our domain from the public ones"
> This leads me to believe you are trying to host your public zone on the DNS
> server, which you said you are not.
>

No, I meant on the DNS server. I figured it was smart to separate our AD
domain from the others by making Primary/Secondary zones.

> As for the difference between AD integrated zones and standard
> primary/secondary, what this means is that the zone is stored in Active
> Directory instead of in a text file as in Standard Primary/secondary.

If there are no other differences I am more than willing to use AD integrated
zones. I'll give it a try.
 

Audun Wangen <AudunWangen@discussions.microsoft.com> wrote:
> "Kevin D. Goodknecht Sr. [MVP]" wrote:
>
>> Audun Wangen <AudunWangen@discussions.microsoft.com> wrote:
>>> Yes, why not :). I did think of it but figured it would be nice to
>>> separate our domain from the public ones. How does that work when I
>>> have to create a new domain? Are there any issues I have to think
>>> about?
>>
>> Please clarify this statement, "separate our domain from the public
>> ones" This leads me to believe you are trying to host your public
>> zone on the DNS server, which you said you are not.
>>
>
> No, I meant on the DNS server. I figured it was smart to separate our
> AD domain from the others by making Primary/Secondary zones.
>
>> As for the difference between AD integrated zones and standard
>> primary/secondary, what this means is that the zone is stored in Active
>> Directory instead of in a text file as in Standard
>> Primary/secondary.
>
> If there are no other differences I am more than willing to use AD
> integrated zones. I'll give it a try.

There are security differences: AD zones are secure, standard
primary/secondary zones are only as secure as the text file they are stored in.

--
Best regards,
Kevin D4 Dad Goodknecht Sr. [MVP]