'Allow zone transfers' is disabled after every restart of the DNS service

Discussion in 'DNS Server' started by David Lightman Robles, Apr 25, 2005.

  1. We have a DNS server running on a Windows 2003 Std.Ed. which is doing some
    weird things.

    Configuration is as follows:
    - There is an AD-integrated forward lookup zone 'mydomain.com', replicated to every
    DNS server in the AD forest.
    - Name servers for this zone are:
    * itself (let's call it DNSMAIN, W2003 Server SP1 applied)
    * the BDC for the domain (DNSBACKUP, W2000 Server SP4) and
    * another DNS server (DNSTRUST, W2003 Server), which is not in the forest
    but belonging to a trusted domain (using Active Directory domains and
    trusts). This domain belongs to a branch office that connects to us using a
    VPN. Since this server is not part of the mydomain.com forest, we have
    'Allow zone transfers to servers listed on the Name Servers tab' and activated
    automatic notifications in DNSMAIN.
    - The DNS Server in DNSTRUST for the zone 'mydomain.com' is configured as a
    secondary zone using DNSMAIN's IP as the source for it.

    Everything seems to work fine, zone updates are transferred to DNSTRUST and
    clients from the branch office can resolve dns names of mydomain.com.

    Functional level of the domain is 'Native Windows 2000' because we still
    have a Windows 2000 Server (DNSBACKUP) around.

    The problem shows up when DNS service in DNSMAIN is restarted or DNSMAIN
    server itself is rebooted. When DNS Service starts again, the 'Allow zone
    transfers' tick is disabled! You can manually re-enable it but whenever the
    service is stopped and started (due to a restart of the service or the
    server) it is disabled again! Because of this issue, if we do not notice,
    the zone in DNSTRUST expires after 1 day and clients in the branch office
    cannot communicate with the main office.

    There is a SQL Server in the branch office that replicates to another SQL
    Server in the main office that stops replicating because it cannot resolve
    the name of the SQL server in mydomain.com. Besides, clients from
    mydomain.com cannot access resources located on the branch site because the
    main office servers cannot be accessed from there in order to verify users'
    credentials. This is really annoying. I thought W2003 SP1 would solve this
    problem but we have just installed it and the problem still appears.

    Do we need to configure DNS and zone transfers in another way? Why is 'Allow
    zone transfers' disabled every time the DNS service restarts? Is this a bug or
    a feature? Has anyone experienced a similar problem? Any ideas would be
    appreciated.

    Thanks in advance. Regards.
    David Lightman Robles, Apr 25, 2005
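The setup in the post (transfers only to the listed name servers, notifications on, a restart that silently clears the setting) can be pinned down and re-tested from a script. This is an added example, not something posted in the thread: it assumes the DnsServer PowerShell module of Windows Server 2012 and later (on Windows 2003 the same settings are made with the dnscmd commands shown in the comments), and it reuses the thread's placeholder names DNSMAIN and mydomain.com.

```powershell
# Added example (not from the thread): set the zone-transfer policy on DNSMAIN
# the way the poster did, then stop/start the DNS service and re-read the
# policy, which is the step that failed for him. Assumes the DnsServer module
# (Windows Server 2012+); the Windows 2003 equivalents are the dnscmd commands
# in the comments. Zone/host names are the thread's placeholders.

$Zone = 'mydomain.com'

function Set-RestrictedTransfers {
    param([string]$ZoneName)
    # Same as ticking 'Allow zone transfers: Only to servers listed on the Name
    # Servers tab' plus 'Automatically notify: servers on the Name Servers tab'.
    # 2003: dnscmd /ZoneResetSecondaries $ZoneName /SecureNs /Notify
    Set-DnsServerPrimaryZone -Name $ZoneName `
        -SecureSecondaries TransferToZoneNameServer `
        -Notify Notify
}

function Get-TransferPolicy {
    param([string]$ZoneName)
    # 2003: dnscmd /ZoneInfo $ZoneName
    $z  = Get-DnsServerZone -Name $ZoneName
    $ns = Get-DnsServerResourceRecord -ZoneName $ZoneName -RRType NS |
          Where-Object { $_.HostName -eq '@' } |
          ForEach-Object { $_.RecordData.NameServer }
    [pscustomobject]@{
        Zone              = $z.ZoneName
        IsDsIntegrated    = $z.IsDsIntegrated
        SecureSecondaries = $z.SecureSecondaries   # 'NoTransfer' is the tick-cleared state
        Notify            = $z.Notify
        NameServers       = @($ns)                 # the hosts allowed to pull the zone
    }
}

function Test-TransferPolicyPersists {
    param([string]$ZoneName)
    Set-RestrictedTransfers -ZoneName $ZoneName
    $before = Get-TransferPolicy -ZoneName $ZoneName

    # The trigger described in the thread: stop and start the DNS service.
    Restart-Service -Name DNS
    Start-Sleep -Seconds 10

    $after = Get-TransferPolicy -ZoneName $ZoneName
    $ok = ($after.SecureSecondaries -eq $before.SecureSecondaries) -and
          ($after.Notify -eq $before.Notify)
    if (-not $ok) {
        $msg = 'Zone transfer policy on {0} changed across restart: {1}/{2} -> {3}/{4}' -f `
               $ZoneName, $before.SecureSecondaries, $before.Notify,
               $after.SecureSecondaries, $after.Notify
        Write-Warning $msg
    }
    return $ok
}

Test-TransferPolicyPersists -ZoneName $Zone
```

A result of $false reproduces the symptom in the post; with the policy at TransferToZoneNameServer the server decides by source IP, so DNSTRUST's address as seen across the VPN must be the one its NS record's A record points at, or the transfer is refused even with the tick set.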

  2. Herb Martin (Guest):

    NT4 DCs have to be at a certain SP level and although
    I believe that SP4 is sufficient for that, this is a VERY
    POOR service pack.

    Practically every NT machine should have SP6+ all

    SP4 is very unstable in some situations and today it is
    very insecure.
    Ok, but is the other DNS server actually listed in the
    zone (it is possible to list it or not list it)?

    If not, you must specify the IP explicitly. It must
    also be routable -- which some people will mess
    up over a VPN.
    It is better if you put your problem at the top, then
    this sort of info later.
    That is some sort of odd bug or damage to the DNS
    server -- most people do not experience such problems
    so it is likely something specific to your conditions.

    You might try (this is a silly idea) setting it, and restarting
    the DNS server just to make sure the configuration gets

    I would also consider a REPAIR install, and checking all
    updates on the machine (Windows Update)

    It is not a feature and it is not a COMMON bug. It is something
    very unusual.
    Herb Martin, Apr 25, 2005

  3. I have not talked about any NT4 server at all. We have one Windows 2003 Server
    SP1 (DNSMAIN), a Windows 2000 Server SP4 (DNSBACKUP) and another Windows
    2003 Server (DNSTRUST).
    Yes the IP addresses of all 3 servers I have talked about are listed as NS
    records in 'mydomain.com' zone.
    Sometimes it is hard to understand the problem without a little explanation
    about how things are set up. Besides, the subject of the thread gives a
    'hint' about what the problem is.
    Of course I have already tried that. Besides, the DNS server experiencing
    this problem is a fresh install. Nothing but dcpromo, WINS, DNS, IIS and SP1
    for Windows 2003 are installed.
    SP1 and all updates are applied.
    I supposed that. :)

    Any other ideas? Thanks for your comments, Herb.
    David Lightman Robles, Apr 25, 2005
  4. Herb Martin (Guest):

    You said that you had a BDC, there are no BDCs in Win2000+.

    They are just DCs.

    Sorry, I didn't notice you were using the term incorrectly.
    (You had the OS in parenthesis and it is a common error
    so I should have noticed.)
    You can test it by going into the "Nslookup shell" and
    doing a list command from the respective secondaries.

    NSLookup (shell) list is a zone transfer.

    It will not be possible from workstations that are not
    authorized but will be possible from authorized servers,
    and it lets you determine changes more directly.
    Right, but problem clearly stated first, then explanation.

    Otherwise one has no idea which are the important details.

    Many times people won't even read such if the text is too dense
    and the problem is not easily findable.

    Then try the REPAIR install.

    Now that you have confirmation you may concentrate more
    on finding your local error or problem.

    It doesn't sound like anything you "did" (directly) but rather
    a messed up registry entry or DLL problem from the oddity.

    This is the reason for doing the repair install.

    You might also try just deleting and recreating the (secondary)

    These are trivial to recreate since the changes pull from the
    Primary -- maybe if the zone is removed and recreated it will
    set the transfer item correctly.
    Herb Martin, Apr 26, 2005
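The 'ls -d' command in the nslookup shell is a full AXFR, so it is the direct way to check who can pull the zone. The script below is an added example, not part of Herb's reply: it drives nslookup.exe non-interactively through stdin and classifies the answer. It assumes the Windows nslookup.exe, that the refusal text it prints is "*** Can't list domain ...", and the thread's placeholder names; run it on DNSTRUST (should succeed) and on an ordinary workstation (should be refused).

```powershell
# Added example (not from the thread): ask DNSMAIN for a zone transfer the way
# the nslookup shell's 'ls -d' does, and report whether it was allowed.
# Assumptions: Windows nslookup.exe reads interactive commands from stdin, the
# refusal message is "*** Can't list domain <zone>: Query refused", and the
# Windows listing format is "<name> <TYPE> <data>" one record per line.

function Test-ZoneTransfer {
    param(
        [string]$Server,   # DNS server to ask, e.g. 'DNSMAIN' or its IP
        [string]$Zone      # zone to list, e.g. 'mydomain.com'
    )
    # One interactive nslookup command per line.
    $commands = @("server $Server", "ls -d $Zone", "exit")
    $output   = ($commands | & nslookup.exe 2>&1) | Out-String

    if ($output -match "Can't list domain") {
        return [pscustomobject]@{
            Server = $Server; Zone = $Zone; Transferred = $false; Records = 0; Detail = 'refused'
        }
    }
    # Count record lines returned by the transfer (SOA, NS, A, SRV, ...).
    $records = @(($output -split "`r?`n") |
        Where-Object { $_ -match '^\s*\S+\s+(A|AAAA|NS|SOA|CNAME|MX|SRV|PTR|TXT)\s+\S' })
    [pscustomobject]@{
        Server      = $Server
        Zone        = $Zone
        Transferred = ($records.Count -gt 0)
        Records     = $records.Count
        Detail      = if ($records.Count -gt 0) { 'allowed' } else { 'no records returned' }
    }
}

# From DNSTRUST: Transferred should be $true with the full record count.
# From a workstation: Detail should be 'refused'. Anything else means the
# source address is not one the server recognises as a listed name server.
Test-ZoneTransfer -Server 'DNSMAIN' -Zone 'mydomain.com'
```

Run it from both kinds of host: an allowed transfer from an unlisted workstation means the policy has fallen back to "any server", and a refusal from DNSTRUST is the condition that lets the secondary expire after a day.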
  5. More information on this issue:

    When I open Active Directory Users and Computers.
    - Under the View menu, select Advanced.
    - Then browse to:


    When I look below this folder I have the following containers:
    ..InProgress-4227585F5A61BCDD-mydomain.com (full of dnsNode objects)
    ..InProgress-4227586F5A61FC09-mydomain.com (full of dnsNode objects)
    1.0.10.in-addr.arpa (full of dnsNode objects)
    mydomain.com (EMPTY!!!)
    RootDNSServers (root dns servers, dnsNode

    I suppose this is not correct, because I have checked other domains in other
    servers that we also manage and there are not any 'inprogress' containers on
    them. I have also checked it using ADSIedit (instead of Active Directory
    Users and Computers) and the same 'inprogress' folders appear under
    Domain [maindns.mydomain.com] / DC=mydomain,DC=com / CN=System /

    Any new ideas taking into consideration this new info? Should I delete those
    'inprogress' folders?

    David Lightman Robles, Apr 26, 2005
  6. Herb Martin (Guest):

    No, I would not. (I would never recommend you use
    ADSIEdit before you do some simple things with
    DCDiag, NetDiag, etc.)

    You probably have one of the classic misconfigurations
    where AD is not replicating and DNS is integrated into
    AD etc.

    Do this: Pick your 'main' DNS Server (AD-integrated DNS)
    and point the client NIC IP settings of EVERY OTHER DC
    at this one server ONLY.

    Then go through the steps necessary to re-register them in
    DNS (on that one 'main' DNS server.)

    Once they all can find each other in a common DNS, they
    should replicate (check replication etc.) -- when that completes
    they will all "know" how to find each other.

    Then you may reconfigure them to use themselves first and
    the others as alternates. (For efficiency.)

    Here's the general DNS guidelines that will help with the
    DCDiag and the re-registration.

    DNS for AD
    1) Dynamic for the zone supporting AD
    2) All internal DNS clients NIC\IP properties must specify SOLELY
    that internal, dynamic DNS server (set.)
    3) DCs and even DNS servers are DNS clients too -- see #2
    4) If you have more than one Domain, every DNS server must
    be able to resolve ALL domains (either directly or indirectly)

    netdiag /fix

    ....or maybe:

    dcdiag /fix

    (Win2003 can do this from Support tools):
    nltest /dsregdns /server:DC-ServerNameGoesHere

    Ensure that DNS zones/domains are fully replicated to all DNS
    servers for that (internal) zone/domain.

    Also useful may be running DCDiag on each DC, sending the
    output to a text file, and searching for FAIL, ERROR, WARN.

    Single Label domain zone names are a problem Google:
    [ "SINGLE LABEL" domain names DNS 2000 | 2003 microsoft: ]
    Herb Martin, Apr 27, 2005
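The checks Herb lists (every DC pointing only at the main DNS server, re-registering the DCs, dcdiag output to a file, searching it for FAIL/ERROR/WARN) fit into one script. This is an added example, not code from the thread: it assumes dcdiag.exe, nltest.exe and repadmin.exe are available (Support Tools on 2003, in-box later), PowerShell remoting to each DC for the DNS client check, Domain Admin rights, and the thread's placeholder host names.

```powershell
# Added example (not from the thread): Herb's DNS-for-AD checklist as a script.
# Per DC: (1) confirm the NIC's DNS client list names only the chosen internal
# DNS server, (2) re-register the DC's records with nltest, (3) run dcdiag to a
# file and count FAIL/ERROR/WARN hits. Assumes dcdiag/nltest/repadmin on the
# path, PowerShell remoting, and the thread's placeholder names.

$MainDns = 'DNSMAIN'                 # the one AD-integrated DNS server to use
$DCs     = @('DNSMAIN', 'DNSBACKUP') # every DC in the domain
$OutDir  = 'C:\dcdiag'

function Test-DcDnsClient {
    param([string]$DC, [string]$ExpectedDnsHost)
    # Guideline 2/3: a DC is a DNS client too. While rebuilding, it must point
    # ONLY at the main server (not at itself, not at 127.0.0.1).
    $expected = @([System.Net.Dns]::GetHostAddresses($ExpectedDnsHost) |
        Where-Object { $_.AddressFamily -eq 'InterNetwork' } |
        ForEach-Object { $_.IPAddressToString })
    $actual = @(Invoke-Command -ComputerName $DC -ScriptBlock {
        # 2003 equivalent: netsh interface ip show dns
        Get-DnsClientServerAddress -AddressFamily IPv4 |
            ForEach-Object { $_.ServerAddresses }
    } | Sort-Object -Unique)
    [pscustomobject]@{
        DC       = $DC
        Expected = $expected
        Actual   = $actual
        Ok       = ($actual.Count -eq 1 -and $actual[0] -in $expected)
    }
}

function Register-DcDns {
    param([string]$DC)
    # Forces re-registration of the DC's A and SRV records in DNS.
    & nltest.exe /dsregdns /server:$DC | Out-String
}

function Get-DcDiagSummary {
    param([string]$DC, [string]$Dir)
    $file = Join-Path $Dir "$DC.txt"
    # /s: target DC, /v verbose, /f: send the report to a file.
    & dcdiag.exe /s:$DC /v /f:$file | Out-Null
    $lines = Get-Content -Path $file
    [pscustomobject]@{
        DC    = $DC
        File  = $file
        Fail  = @($lines | Select-String -SimpleMatch 'FAIL').Count
        Error = @($lines | Select-String -SimpleMatch 'ERROR').Count
        Warn  = @($lines | Select-String -SimpleMatch 'WARN').Count
    }
}

New-Item -ItemType Directory -Path $OutDir -Force | Out-Null
$results = foreach ($dc in $DCs) {
    $client = Test-DcDnsClient -DC $dc -ExpectedDnsHost $MainDns
    if (-not $client.Ok) {
        Write-Warning ("{0}: DNS client list is [{1}], expected only [{2}]" -f `
            $dc, ($client.Actual -join ','), ($client.Expected -join ','))
    }
    Register-DcDns -DC $dc | Out-Null
    Get-DcDiagSummary -DC $dc -Dir $OutDir
}
$results | Format-Table -AutoSize

# Once every DC resolves the others through the one DNS server, replication
# should catch up; this shows the per-partner state and any failures.
& repadmin.exe /replsummary
```

Only after the dcdiag reports are clean and repadmin shows no failures should the DCs be switched back to "themselves first, the others as alternates", as the reply suggests.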
  7. It simply resolved by disabling the zone from being published in AD,
    restarting the DNS Service, and then enabling it again to be published in
    AD. We then received a message telling that there was a zone called
    mydomain.com in AD and prompting to overwrite it with current data from dns
    or using it. We just selected the overwrite option and the container (from
    AD Users and Computers) mydomain.com\System\MicrosoftDNS\mydomain.com was
    populated again. After that, the 'allow zone transfers' tick was not
    disabled between DNS service restarts.

    I cannot tell exactly the texts that appeared in the text boxes because I
    cannot reproduce the problem, but I think I've explained the main idea clearly.

    BTW, those 'inprogress' containers are still there. I think I'll leave them
    as they are.

    Thanks Herb for your comments. Regards.

    David Lightman Robles, Apr 28, 2005
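The fix the poster describes (stop publishing the zone in AD, restart the service, publish it again and choose to overwrite the copy in AD) maps onto dnscmd, which exists on Windows 2003 and later. The script below is an added example rather than what the poster ran; it assumes the zone container sits under CN=MicrosoftDNS,CN=System in the domain partition as in the thread (newer servers normally keep it under DC=DomainDnsZones), that it runs on DNSMAIN as a Domain Admin, and the thread's placeholder zone and domain names.

```powershell
# Added example (not from the thread): the poster's fix scripted with dnscmd,
# plus a check that the zone container in AD, which was EMPTY before, holds
# dnsNode objects again afterwards. Assumptions: zone stored under
# CN=MicrosoftDNS,CN=System,<domain DN> as in the thread; run on DNSMAIN as a
# Domain Admin; 'mydomain.com' / DC=mydomain,DC=com are placeholders.

$Zone     = 'mydomain.com'
$DomainDN = 'DC=mydomain,DC=com'

function Get-ZoneNodeCount {
    param([string]$ZoneName, [string]$DomainDN)
    # dnsNode objects are the records. Returns -1 if the container is missing.
    $dn = "DC=$ZoneName,CN=MicrosoftDNS,CN=System,$DomainDN"
    try {
        $root     = [ADSI]"LDAP://$dn"
        $searcher = New-Object System.DirectoryServices.DirectorySearcher($root, '(objectClass=dnsNode)')
        $searcher.PageSize = 1000
        return $searcher.FindAll().Count
    } catch {
        return -1
    }
}

function Get-ZoneStorageAndTransferInfo {
    param([string]$ZoneName)
    # dnscmd /ZoneInfo prints 'name = value' lines; keep storage type and the
    # secure-secondaries setting, which is what the GUI tick represents.
    (& dnscmd.exe /ZoneInfo $ZoneName) | Where-Object { $_ -match 'zone type|DS integrated|secure' }
}

function Repair-DsIntegratedZone {
    param([string]$ZoneName, [string]$DomainDN)
    $before = Get-ZoneNodeCount -ZoneName $ZoneName -DomainDN $DomainDN

    # 0. Keep a copy of the live zone before changing its storage.
    & dnscmd.exe /ZoneExport $ZoneName "$ZoneName.bak.dns" | Out-Null

    # 1. Stop publishing in AD: convert to a file-backed standard primary.
    & dnscmd.exe /ZoneResetType $ZoneName /Primary /file "$ZoneName.dns" | Out-Null

    # 2. Restart the DNS service.
    Restart-Service -Name DNS
    Start-Sleep -Seconds 15

    # 3. Publish in AD again; /OverWrite_Ds replaces the stale AD copy with the
    #    in-memory zone (the 'overwrite' choice in the GUI prompt).
    & dnscmd.exe /ZoneResetType $ZoneName /DsPrimary /OverWrite_Ds | Out-Null
    Start-Sleep -Seconds 15
    $after = Get-ZoneNodeCount -ZoneName $ZoneName -DomainDN $DomainDN

    # 4. Restart once more: the transfer setting should now survive.
    Restart-Service -Name DNS
    Start-Sleep -Seconds 15

    [pscustomobject]@{
        Zone        = $ZoneName
        NodesBefore = $before          # 0 reproduces the EMPTY container from the post
        NodesAfter  = $after           # should equal the number of records in the zone
        Settings    = Get-ZoneStorageAndTransferInfo -ZoneName $ZoneName
    }
}

Repair-DsIntegratedZone -ZoneName $Zone -DomainDN $DomainDN
```

Between steps 1 and 3 the zone is a plain file-backed primary on DNSMAIN only, so the other AD-integrated DNS servers stop receiving it through replication; do this in a maintenance window and confirm afterwards, as in the thread, that the container under System\MicrosoftDNS is populated on the other DCs as well.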
