Is my Windows 2003 DNS server sending notifications? Can I force it to?

Posted on 2009-05-11
Last Modified: 2012-05-06
I've been trying to move my zones from a BIND server to a Windows DNS server with embarrassing results. For a couple of zones, Windows rejected some of the old, illegal entries and broke.

Anyway, today's FIRST issue is this: my server doesn't seem to be sending out notifications. I transferred the primary role for the zone from one (BIND) box to a windows box. I accidentally left the port blocked so the initial transfer to the (main campus) DNS server couldn't happen. I fixed that right away, but it hasn't initiated a transfer since then (at least 8 hours).
I've changed records and reloaded the zone, hoping to initiate a notify and thus a transfer, but no dice.
I'm allowing transfers to everyone (I know, I'll lock it back down when this gets fixed);
The other server is listed as a DNS server for the zone;
I have tried setting my server to notify other DNS servers; then put in the specific IP address;
Neither helped.

Should I be able to see notifications in the Windows Event Log? It shows transfers but I don't see notifications.
Is there anything I can do (other than changing entries in the zone) to force it to send notifications?

Question by:briandunkle
LVL 70

Expert Comment

by:Chris Dent

I don't think notifications are logged. You could increment the serial in the SOA. Does the Unix system have any data for the zone? Would be worth checking what it thinks the SOA and NS are.

Chris
LVL 7

Author Comment

by:briandunkle
Sorry; there are really three servers in this situation - the old, BIND server; the current, Windows server; and the main campus server, which is also BIND.

The communication I need is between the new Windows server and the main campus server.

And yes, things worked fine on the previous server on my end.

Anyway: SOA is the Windows server (DNS2), NS are my server and the main campus one - same setup as my old BIND box (DNS).

I just incremented the serial, worth a try but no dice yet.
I can't imagine the main campus server gave up when it couldn't get through for a while.

My Windows box is getting out there as the primary server for that zone - lookups work from the outside world and, after a slight delay, the local caching nameservers. It's just the primary main campus one that doesn't work.

Outside DNS makes its way to the main campus server and gets SERVFAIL twice then goes to mine.

(the point to all this is that the main campus server is supposed to answer most outside traffic and just generally act as a secondary)
LVL 7

Author Comment

by:briandunkle
Oh, and thanks for the comment!
It bites that it doesn't log notifications.
Windows DNS service seems to fall short of BIND in many ways.
Maybe a 3rd-party Windows-based DNS server? :(
LVL 15

Expert Comment

by:markpalinux

MS Technote:
Using NSlookup.exe
http://support.microsoft.com/kb/200525
Look for the section "Using Nslookup.exe to Transfer Entire Zone".

I would suggest running nslookup -d domain.com from the main campus DNS server.

Run on the BIND server at main campus:
nslookup
server ms-dns-server-ip
ls -d domain.com

(Use your MS DNS server's address for ms-dns-server-ip, and replace domain.com with the real domain.)

Also, on the zone in your MS DNS, be sure that you have the correct IP for notify and to allow transfer.
Also, firewalls in between need to allow port 53 TCP and UDP.

UDP is for standard DNS, TCP for zone transfers.

You could try Wireshark looking at port 53: increment the zone, then look at the traffic to your campus DNS IP to see if the notifications are going.

Also, there is a BIND you can download for Windows (I only ever used it for testing).

Mark
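For anyone following the Wireshark suggestion above, this is what a NOTIFY and its reply look like on the wire. It is an added example written for this thread, not code posted by anyone in it; the zone name example.edu and the message ID 0x1234 are made-up values. It builds an RFC 1996 NOTIFY (opcode 4, AA set, one SOA question, no answer section) and the REFUSED reply a secondary returns when it will not accept the notify from that source, then decodes both the way a sniffer would.

```python
"""Build and decode DNS NOTIFY messages (RFC 1996) as seen on port 53.

Added example for this thread, not code from the original post. The zone name
example.edu and the message ID 0x1234 are made-up values for illustration.
"""
import struct

OPCODE_NOTIFY = 4          # RFC 1996, section 3.3
QTYPE_SOA = 6
QCLASS_IN = 1
RCODES = {0: "NOERROR", 1: "FORMERR", 2: "SERVFAIL", 3: "NXDOMAIN",
          4: "NOTIMP", 5: "REFUSED", 9: "NOTAUTH"}


def encode_name(name):
    """Wire-format name: length-prefixed labels terminated by a zero byte."""
    out = b""
    for label in name.rstrip(".").split("."):
        raw = label.encode("ascii")
        if not 0 < len(raw) < 64:
            raise ValueError("bad label length in %r" % name)
        out += bytes([len(raw)]) + raw
    return out + b"\x00"


def decode_name(msg, offset):
    """Decode an uncompressed name starting at offset; return (name, next offset)."""
    labels = []
    while True:
        length = msg[offset]
        offset += 1
        if length == 0:
            break
        if length & 0xC0:
            # Compression pointer; a NOTIFY question section never needs one.
            raise ValueError("compressed name not handled here")
        labels.append(msg[offset:offset + length].decode("ascii"))
        offset += length
    return ".".join(labels) + ".", offset


def build_notify(zone, msg_id):
    """NOTIFY request: QR=0, opcode 4, AA=1, one SOA question, no RRs."""
    flags = (OPCODE_NOTIFY << 11) | 0x0400          # 0x0400 is the AA bit
    header = struct.pack("!HHHHHH", msg_id, flags, 1, 0, 0, 0)
    return header + encode_name(zone) + struct.pack("!HH", QTYPE_SOA, QCLASS_IN)


def build_notify_response(request, rcode):
    """The secondary's reply: same ID, QR=1, opcode copied, question echoed, RCODE set."""
    msg_id, flags, qdcount = struct.unpack("!HHH", request[:6])
    flags = (flags & 0x7800) | 0x8000 | (rcode & 0xF)   # keep opcode, set QR and RCODE
    return struct.pack("!HHHHHH", msg_id, flags, qdcount, 0, 0, 0) + request[12:]


def parse(msg):
    """Header fields plus the first question of a NOTIFY or its response."""
    msg_id, flags, qdcount = struct.unpack("!HHH", msg[:6])
    info = {
        "id": msg_id,
        "is_response": bool(flags & 0x8000),
        "opcode": (flags >> 11) & 0xF,
        "aa": bool(flags & 0x0400),
        "rcode": RCODES.get(flags & 0xF, str(flags & 0xF)),
        "qdcount": qdcount,
    }
    if qdcount:
        qname, off = decode_name(msg, 12)
        qtype, qclass = struct.unpack("!HH", msg[off:off + 4])
        info.update(qname=qname, qtype=qtype, qclass=qclass)
    return info


if __name__ == "__main__":
    request = build_notify("example.edu", 0x1234)
    refused = build_notify_response(request, 5)     # RCODE 5 = REFUSED, as in this thread
    print(request.hex(), parse(request))
    print(refused.hex(), parse(refused))
```

NOTIFY is a single UDP datagram to port 53 and the reply comes back the same way, so the UDP/53 firewall rule matters for notifies as much as for ordinary queries; the AXFR that a notify is meant to trigger is what needs TCP/53.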
LVL 70

Accepted Solution

by:
Chris Dent earned 500 total points

You could enable Debug Logging; it's packet logging. To capture specifics, though, you're far better off using a packet sniffer, Wireshark (http://www.wireshark.org) for example.

Given a choice I would always use BIND for hosting public DNS services. I'll quite happily use MS DNS for AD Domains. It misses out on a lot of functionality when compared with BIND for public hosting.

> SOA is the Windows server (DNS2)

That's in the Secondary Zone at the moment? Might have to look at the zone file to see those.

Chris
LVL 7

Author Comment

by:briandunkle
@markpalinux - I don't have access to the main campus server; I've entered a ticket to ask what's going on with the notifies/transfers, but I'm trying to look into it from my end;

@chris-dent - Yeah, I'm realizing how much Windows DNS sucks. I'm trying to move to a Windows box because all the people except one who might back me up if I'm not here are windows-only (they could do a linux box, but it'd be a pain). I need to move it one way or another, the current box for the rest of my DNS is old and in another building (different vlan). I'd just re-number it, but it's a really old redhat and the machine makes me nervous.

I'll try the debug and see if it gives me anything, thanks.

DNS2 is actually the primary now. "DNS" is the old server, which still serves the other 140+ zones, but may be used as a secondary once everything's moved.

Thanks to both of you for replying!
LVL 7

Author Comment

by:briandunkle
Thanks for the tip on debug logging - it gives a better log than I expected, including every notify and response.
LVL 7

Author Closing Comment

by:briandunkle
What I needed to know to get going on it.
LVL 7

Author Comment

by:briandunkle
To clarify for anyone reading this later, the debug logging is a more sophisticated log than I expected - it shows only the DNS-related packets, and annotates them with a handy key at the top.
Stuff like what it is (notify, query), whether it's a response or an origination, and the result. I got this:
20090514 12:15:43 E7C PACKET  01E9A970 UDP Rcv xxx.xxx.xxx.xxx   0000 R N [05a0       REFUSED] SOA   (8)xxx(7)xxx(3)edu(0)
Saying xxx.xxx.xxx.xxx sent a response to my notify, refusing it.
Now to figure out why. :)

Thanks again.
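A parser for PACKET lines in the layout shown in the log line quoted above, added here as an example and not code from the thread. The sample lines are constructed to match that layout, with placeholder addresses 192.0.2.53 and 198.51.100.7 and the zone zone.example.edu; the column meanings are taken from the per-field key the poster mentions at the top of the log, and the only other assumption is this: the quoted line's flag word 05a0, read as a plain DNS header flag word, has QR clear, opcode 0 and RCODE 0, yet the text columns say R, N and REFUSED; with its two bytes swapped (a005) it has QR set, opcode 4 and RCODE 5, which matches. The parser therefore reads the flag word byte-swapped and marks any line where that reading disagrees with the text columns, so a wrong assumption shows up rather than passing silently.

```python
"""Parse PACKET lines from the Windows DNS server debug log and find refused notifies.

Added example for this thread, not the poster's code. SAMPLE_LOG is constructed to
match the layout of the line quoted in the thread; addresses and the zone name are
placeholders. The byte-swapped reading of the flag word is an inference from that
line (see flags_from_log), not a documented fact.
"""
import re

RCODE_NAMES = {0: "NOERROR", 1: "FORMERR", 2: "SERVFAIL", 3: "NXDOMAIN",
               4: "NOTIMP", 5: "REFUSED", 9: "NOTAUTH", 10: "NOTZONE"}
OPCODE_LETTER = {0: "Q", 4: "N", 5: "U"}    # letters the log's opcode column uses

# Constructed sample: the REFUSED notify reply from the thread with placeholders
# filled in, the notify that provoked it, and an ordinary query/response pair.
SAMPLE_LOG = """\
20090514 12:15:42 E7C PACKET  01E9A970 UDP Snd 192.0.2.53      0000   N [0024   A   NOERROR] SOA   (4)zone(7)example(3)edu(0)
20090514 12:15:43 E7C PACKET  01E9A970 UDP Rcv 192.0.2.53      0000 R N [05a0       REFUSED] SOA   (4)zone(7)example(3)edu(0)
20090514 12:15:50 E7C PACKET  01E9B2D0 UDP Rcv 198.51.100.7    1c2f   Q [0001   D   NOERROR] A     (3)www(4)zone(7)example(3)edu(0)
20090514 12:15:50 E7C PACKET  01E9B2D0 UDP Snd 198.51.100.7    1c2f R Q [8081   DR  NOERROR] A     (3)www(4)zone(7)example(3)edu(0)
"""

# date time thread context pktid proto dir remote xid [R] opcode [flags chars rcode] qtype qname
LINE_RE = re.compile(
    r"^(?P<date>\d{8})\s+(?P<time>\d\d:\d\d:\d\d)\s+(?P<thread>[0-9A-Fa-f]+)\s+"
    r"(?P<context>\S+)\s+(?P<pktid>[0-9A-Fa-f]+)\s+(?P<proto>UDP|TCP)\s+"
    r"(?P<direction>Snd|Rcv)\s+(?P<remote>\S+)\s+(?P<xid>[0-9A-Fa-f]{4})\s+"
    r"(?P<qr>R?)\s*(?P<opcode>[QNU?])\s+\[(?P<bracket>[^\]]*)\]\s+"
    r"(?P<qtype>\S+)\s+(?P<qname>\S+)\s*$"
)
NAME_RE = re.compile(r"\((\d+)\)([^()]*)")


def decode_logged_name(text):
    """Turn the log's (len)label...(0) rendering into a dotted, absolute name."""
    labels = []
    for length, label in NAME_RE.findall(text):
        if int(length) == 0:
            break
        if len(label) != int(length):
            raise ValueError("label length does not match in %r" % text)
        labels.append(label)
    return ".".join(labels) + "."


def flags_from_log(hex_word):
    """Recover the DNS header flag word from the log's hex column.

    The quoted line shows 05a0 beside the columns R, N and REFUSED. Read as a
    plain flag word, 0x05a0 has QR clear, opcode 0 and RCODE 0; with its two
    bytes swapped, 0xa005 has QR set, opcode 4 (NOTIFY) and RCODE 5 (REFUSED),
    which matches the columns. So this assumes the log prints the word byte-swapped.
    """
    logged = int(hex_word, 16)
    return ((logged & 0xFF) << 8) | (logged >> 8)


def parse_line(line):
    """One PACKET line -> dict, or None for header/key lines that do not match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    parts = rec.pop("bracket").split()           # e.g. ["8081", "DR", "NOERROR"]
    rec["flags_logged"], rec["rcode_text"] = parts[0], parts[-1]
    rec["flag_chars"] = "".join(parts[1:-1])
    flags = flags_from_log(parts[0])
    rec["flags"] = flags
    rec["is_response"] = bool(flags & 0x8000)
    rec["opcode_num"] = (flags >> 11) & 0xF
    rec["rcode_num"] = flags & 0xF
    rec["rcode"] = RCODE_NAMES.get(rec["rcode_num"], str(rec["rcode_num"]))
    # Cross-check the decoded word against the text columns; False here means the
    # byte-swap assumption (or the regex) is wrong for this line.
    rec["consistent"] = (
        rec["is_response"] == (rec["qr"] == "R")
        and OPCODE_LETTER.get(rec["opcode_num"], "?") == rec["opcode"]
        and rec["rcode"] == rec["rcode_text"]
    )
    rec["zone"] = decode_logged_name(rec["qname"])
    return rec


def refused_notifies(log_text):
    """(remote, zone, time) for every NOTIFY reply that came back REFUSED."""
    hits = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec and rec["is_response"] and rec["opcode"] == "N" and rec["rcode"] == "REFUSED":
            hits.append((rec["remote"], rec["zone"], rec["time"]))
    return hits


if __name__ == "__main__":
    for hit in refused_notifies(SAMPLE_LOG):
        print("%s refused NOTIFY for %s at %s" % hit)
```

Run against a real debug log, the Snd N lines tell you the server is in fact emitting notifies and to which address, and a matching Rcv R N line with REFUSED is the secondary declining them, which is a policy problem on that end rather than a connectivity one; no Rcv line at all after a Snd points back at the path in between.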