DNS Issues!!!

Posted on 2004-08-23
Last Modified: 2010-04-11

I have two questions. The first one is, our SOA server died and had to be
rebuilt. We did that, and in the meantime the secondary picked up duties of
SOA automatically. When I went in to look at it, it said it was the
SOA....Great!!! So I rebuilt the other server and brought it online as a
secondary DNS. I went in through the console to change it to SOA; it seemed
to work until I refreshed it and it kept the old settings. I did this a few
times to make sure it would not work, and it never did work. The SOA would
never change. What did change, though, was that now both servers thought they
were SOA for the domain/zone. Problem!!

So, I decided to blow away the DNS server that I did not want as SOA and
recreate it as a secondary DNS. I did that; however, I could not delete the
whole server from the console, so I killed the service and blew away the
zone. Created a new zone, made it a secondary, and thought I was done.
Well, the now only SOA eventually got an error message saying that the
zone was deleted, and it deleted the zone as well. Not good.

So I made the secondary a primary, since it still had all the records, and
made the other server a secondary, which I did not want to do.

Now we can't seem to create a reverse lookup zone on the SOA, and it is
looking to the other DNS server and says that it is the SOA for the reverse
lookup zone. Weird!!

Any help or explanations would be wow....great!!
Question by: shrek2
LVL 15

Expert Comment

ID: 11872026
Hi shrek2,

You seem to be getting confused between an "SOA" (which is a type of DNS record) and a primary nameserver.

Time to bombard you with questions:

Go to and put in your domain name.  Let us know what it fails on.
At the very least, that'll make sure that your parent DNSs (registrar) are configured to point to your own DNS properly.

I assume that you're using Windows DNS here?  What version of Windows is it?

Is your DNS set up in AD mode or as a standalone server?
Do you control both the primary and secondary DNS servers?

.. and another thought, is this an Internal DNS problem (your PCs can't resolve) or an External DNS problem (other people can't resolve your IPs)?

I hope that this helps - let me know if you need any further help.

Expert Comment

ID: 11872874
Common confusions:

Primary DNS: The server with the actual host and record DB (may or may not be the 1st authoritative server).
Secondary DNS (also known as slave): Contains a copy of the primary DNS entries; gets them from the primary.
Caching DNS: Does the lookups and resolutions, and caches the results for faster lookups, but does not contain any records of its own.

Authoritative server: This is the server that is in your domain record. This can be primary or secondary, as the job is to resolve addresses, so it can be primary or secondary; it does not care.

Your primary should be where it is easy to edit. It does not even have to be in the authoritative list, so long as the authoritative server can get updated copies of the domain records from it when it updates (called a zone transfer).
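The three roles described in the comment above, set up on Windows DNS with the DnsServer PowerShell module (Windows Server 2012 and later). This is an added example, not code from the thread; the zone name corp.example, the server names ns1/ns2/res1 and their addresses are assumed. The security-relevant setting is the zone-transfer restriction on the primary: a standalone primary that allows transfers to any server lets anyone pull the whole zone.

```powershell
# Added example (not from the thread). Assumed names: zone corp.example,
# primary ns1 = 10.0.0.10, secondary ns2 = 10.0.0.11, caching-only res1.

# --- On ns1: the primary holds the editable copy of the zone ---------------
Add-DnsServerPrimaryZone -Name 'corp.example' -ZoneFile 'corp.example.dns'

# Allow zone transfers (AXFR/IXFR) only to the listed secondary and notify
# it of changes. Leaving transfers open to any server exposes every record
# in the zone to whoever asks.
Set-DnsServerPrimaryZone -Name 'corp.example' `
    -SecureSecondaries TransferToSecureServers `
    -SecondaryServers 10.0.0.11 `
    -Notify NotifyServers -NotifyServers 10.0.0.11

# --- On ns2: the secondary keeps a read-only copy pulled from ns1 ----------
# It answers authoritatively for the zone but cannot be edited locally;
# every change must come from the master via zone transfer.
Add-DnsServerSecondaryZone -Name 'corp.example' `
    -ZoneFile 'corp.example.dns' -MasterServers 10.0.0.10

# --- On res1: a caching-only server hosts no zone at all -------------------
# It only forwards queries and caches the answers; nothing authoritative.
Add-DnsServerForwarder -IPAddress 10.0.0.10, 10.0.0.11

# --- Check on ns1 that the transfer policy actually took ------------------
# Expected: ZoneType Primary, SecureSecondaries TransferToSecureServers,
# SecondaryServers containing only 10.0.0.11.
Get-DnsServerZone -Name 'corp.example' |
    Select-Object ZoneName, ZoneType, IsDsIntegrated, SecureSecondaries, SecondaryServers
```

The final Get-DnsServerZone call is the part worth keeping as a routine check: if SecureSecondaries ever reads TransferAnyServer on a primary, the zone is open to enumeration.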


Author Comment

ID: 11872905
This is an internal LAN; we have external DNS servers that handle our resolution outside our walls. This is a W2k3 AD domain and yes, I control both servers. As far as the SOA, I am referring to the SOA records, yes; however, I am also speaking of the facility that MS has given to us in its DNS console, where you can change the start of authority for the domain. When I do that, the SOA records change appropriately, but when I refresh the zone, it returns back to the previous SOA, both the record and in the DNS MMC.

As far as resolving, there is not a problem; the DNS forward lookup zone is functioning properly, but the SOA for the domain is on a server I do not want it to be on.

Now the reverse lookup zone is not up, because we can't seem to create it, because it won't let us delete the previous one we have there, which is not working properly because it is not populating. The settings are right, but I think it is messed up from us changing SOA roles.

Hope that clarifies. . . oh, and one more thing: what the heck is msdcs_domain?? It seems to get created automatically and has its own serial number for the SOA and everything??

LVL 15

Expert Comment

ID: 11873010
Sorry, this sounds like a DNS/AD screwup - I'm not very good at those.  I assumed that the problem was with external DNS resolution.

Sorry I couldn't help further.
LVL 25

Accepted Solution

mikeleebrla earned 500 total points
ID: 11873192
Is the SOA being on the other server causing you any trouble?

If this is a W2k3 AD domain, it really was designed to be run as an AD integrated DNS zone, not a primary or secondary zone. If you set it up as an AD integrated zone you will save yourself A LOT of headaches later on.

Author Comment

ID: 11874149
I am running AD integrated secure transfers. Everything seems to be OK; after a while the reverse lookup zones deleted themselves, and I was able to create reverse zones and they are populating now.

If I want to change the SOA for the domain, what is the procedure for that?
LVL 25

Expert Comment

ID: 11874233
Is your SOA "primary server" record currently pointed to the local machine or another one?
LVL 25

Expert Comment

ID: 11874298
From a command prompt run

nslookup -querytype=all

This will tell you what the actual primary name server is for the zone. Don't believe what is set in the "primary server" on the SOA tab in the DNS GUI; they will give you two different answers, but go with whatever the nslookup -querytype=all command tells you.
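The check the comment above recommends, done from PowerShell against each name server in turn rather than trusting the GUI's SOA tab: ask every server for the zone's SOA and compare the primary server (MNAME) and serial each one hands out. This is an added example, not code from the thread; the zone name corp.example and the two server addresses are assumed. The nslookup lines in the comments are the interactive equivalent.

```powershell
# Added example (not from the thread). Assumed: zone corp.example served by
# 10.0.0.10 and 10.0.0.11.
$zone    = 'corp.example'
$servers = '10.0.0.10', '10.0.0.11'

# Same question asked interactively, one server at a time:
#   nslookup -querytype=soa corp.example 10.0.0.10
#   nslookup -querytype=soa corp.example 10.0.0.11

$answers = foreach ($srv in $servers) {
    # -DnsOnly skips the local cache and hosts file, so this is what that
    # particular server actually serves right now, not a stale copy.
    $soa = Resolve-DnsName -Name $zone -Type SOA -Server $srv -DnsOnly |
           Where-Object { $_.Type -eq 'SOA' }
    [pscustomobject]@{
        Server  = $srv
        Primary = $soa.PrimaryServer      # MNAME: who this server says is primary
        Serial  = $soa.SerialNumber
        Refresh = $soa.TimeToZoneRefresh
    }
}
$answers | Format-Table -AutoSize

# Two servers naming different primaries is exactly the "both think they
# are SOA" situation in the question. For a plain primary/secondary pair it
# means the secondary is not transferring from the primary; for an
# AD-integrated zone every DC hosting the zone is itself a primary and
# typically reports its own name, which is why a change made on one server
# appears to revert.
$primaries = @($answers.Primary | Sort-Object -Unique)
$serials   = @($answers.Serial  | Sort-Object -Unique)
if ($primaries.Count -gt 1) {
    Write-Warning "Servers disagree on the SOA primary: $($primaries -join ', ')"
}
if ($serials.Count -gt 1) {
    Write-Warning "Serial numbers differ ($($serials -join ', ')): a secondary is stale or zone transfer is failing"
}
```

Run it from any domain member; it needs no rights on the DNS servers, only the ability to query them, which makes it suitable for a scheduled consistency check.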


Author Comment

ID: 11874470
Well, that gave me the answer I was looking for; the primary name server was what it was supposed to be. Now, if I want to change that, to make the other server the SOA, is it better to do this by command line or use the DNS GUI??

If so, what is the command, and for the GUI do I just change the SOA entry?

LVL 25

Expert Comment

ID: 11874520
As with anything else, it's always better to do anything from the command line, but with Windows, good luck finding what the actual command is.

Author Comment

ID: 11912587
So, changing the SOA for our domain, what would be the procedure for that??

Expert Comment

ID: 12166354
1. Open DNS management.
2. Go to Properties on the forward lookup zone (domain name) you want to change.
3. Click on the Start of Authority (SOA) tab.
4. Browse for the new Primary Server.
5. Click OK.

I'll look for an MS CLI command for you as well.
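Steps 1 to 5 above done from the command line. This is an added example, not the commenter's or Microsoft's code: it uses the DnsServer PowerShell module, which exists on Windows Server 2012 and later (the command-line tool of the 2003 era was dnscmd.exe, whose syntax is not shown here). The zone name corp.example and the new primary ns2.corp.example are assumed; run it on a server that hosts the zone with rights to edit it.

```powershell
# Added example (not from the thread). Assumed: zone corp.example, new
# primary ns2.corp.example, run on a DNS server hosting the zone.
$zone       = 'corp.example'
$newPrimary = 'ns2.corp.example.'   # trailing dot: fully qualified, as the SOA stores it

# There is exactly one SOA per zone, at the apex. Set-DnsServerResourceRecord
# takes the old and the new record object, so clone the current one and edit
# the copy rather than building a record from scratch.
$old = Get-DnsServerResourceRecord -ZoneName $zone -RRType Soa
$new = $old.Clone()
$new.RecordData.PrimaryServer = $newPrimary
# Raise the serial so secondaries pick the change up on their next refresh.
$new.RecordData.SerialNumber  = $old.RecordData.SerialNumber + 1

# Show the intended change before applying it.
'{0}: primary {1} -> {2}, serial {3} -> {4}' -f $zone,
    $old.RecordData.PrimaryServer, $new.RecordData.PrimaryServer,
    $old.RecordData.SerialNumber,  $new.RecordData.SerialNumber

Set-DnsServerResourceRecord -ZoneName $zone -OldInputObject $old -NewInputObject $new

# Confirm what the server now actually hands out, not what the GUI shows
# (the earlier comment in this thread warns the two can disagree).
Resolve-DnsName -Name $zone -Type SOA -Server localhost -DnsOnly |
    Where-Object { $_.Type -eq 'SOA' } |
    Select-Object PrimaryServer, SerialNumber
```

For an AD-integrated zone, which is what the asker ended up with, expect the served primary server to revert: each domain controller hosting the zone is a primary in its own right and typically reports itself, so the edit is only meaningful for a standalone primary with file-based secondaries.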


Expert Comment

ID: 12573831
We need a better way to close abandoned issues. Especially when the original question was not concise, and a lot of replies came in around the issues.

My $.02

