DNS Primary and Secondary Zone Versions are different.

dirkdigs used Ask the Experts™
I was using an online utility to check a DNS zone and it alerted me that the primary zone was version 16 and the secondary was version 12. Does anyone know what I need to do to make the DNS zones equal? Also, how important is this?

The disparity in version between the primary and secondary zone could be a reflection of the number of changes committed in a period of time. The dynamic notification policy and refresh policy for the zone itself will help determine how often the updates should occur between the primary and secondary servers hosting the zone.

This can be an issue if there is a disparity between the zone file held on the primary and secondary server. You can validate this by checking for changes you know to exist between the two versions but the other item to check on would be the refresh timer for the zone itself.
the version number for your primary and secondary zones will always be different. it's normal for the primary zone to have a higher usn # versus your secondary because of the functional difference of those zones.

basically, a primary zone hosts dns records and updates them for the name space it was configured for. a secondary zone is a read-only copy of the primary zone and will poll the primary dns server for updates every so often.

so basically, no worries my friend, nothing to worry about unless you're having issues with clients not being able to resolve something.


yes i am having troubles ...

explain in as much detail as possible the issue you are having with clients not being able to resolve something (good examples to provide would be clients trying to resolve something local in your network and then something external to your network).
also, to manually initiate a zone transfer from the master dns server holding the primary zone, remote into the dns server hosting the secondary zone. launch dnsmgmt.msc and right click the secondary zone in question, at the top of the pop-up menu click transfer from master.


will that resolve the issue of having different zone versions ?


they are both primary zones

one on each dns server

is this wrong ?
as i stated before, the usn # being different on your primary/secondary zone will not cause any issues. what i suspect is that your secondary dns server is having issues initiating zone transfers from the primary dns server - although i don't have enough information from you to make an educated guess.

is the primary and secondary dns servers located in geographically different locations? how are your clients obtaining their tcp/ip information, from a dhcp server or are they statically configured?

bottom line, more background information about your dns architecture along with how your clients are receiving their ip addressing information is needed.
not at all, but just to double-check, are they both primary zones or are they both 'active directory-integrated primary zones'?


for the domain in question i just verified the contents of the forward lookup zone on each dns server

dns1 and dns2
they did not have the same records. specifically one was missing an A record for webmail.domain.com

should the two DNS servers not be replicating? Or is having to add the A record manually to each server the usual way? Thanks.


Hi john, Both Primary zones.

Each DNS server is in a geographically different zone. I only set the DNS servers at the registrar level for the domains we are hosting ....

on a site to site basis they normally just use the DNS from the ISP.


dns1 and dns2 are both on their own workgroup, not on any domain.
if both of the dns servers are standalone, then that tells me that they each hold different primary zones.... unless you configured each primary zone on dns1 and dns2 to host the same namespace (i.e. dns1 hosts the primary zone for mydomain.local and dns2 hosts a primary zone for the exact same thing)? and since you mentioned that they are standalone, then these servers are not domain controllers and you have that role configured on other servers in your network.

also, how are dynamic updates being handled for each primary zone on dns1 and dns2? are the zones configured to allow nonsecure updates from clients (you can check this on the general tab by right-clicking the primary zone and selecting properties)?

should all dns zone records be identical on dns1 and dns2 (is that your end goal)? if so, then you'll need to plan and determine which server to remove the primary zone from and configure as a secondary of the other primary dns server. check this microsoft article supporting this : http://technet.microsoft.com/en-us/library/cc776365%28WS.10%29.aspx.

i think the following may be your solution:

- on dns2, delete the primary zone
- on dns1, edit the properties of the primary zone and navigate to the "zone transfers" tab, select "only the following servers" and input the ip address of dns2
- on dns2, create a new secondary zone and call it the same thing as the primary zone on dns1. when prompted for the master server, input the ip address of dns1.
- wait a few minutes and the secondary zone on dns2 should begin to populate with all the records from the primary zone hosted on dns1.
- on dns1, configure its tcp/ip properties to use itself as its primary dns server, and then dns2 as its secondary dns server.
- on dns2, configure its tcp/ip properties to use itself as its primary dns server, and then dns1 as its secondary dns server.

if you have reverse lookup zones on dns1, you'll want to do the same thing. the steps are exactly the same.

and make sure that the primary zone on dns1 is configured to allow nonsecure and secure dynamic updates as well. since the dns server isn't a domain controller, and since the dns server isn't joined to any domain, you'll need this to allow your workstations/servers to update their own records when they change unless all your clients are manually configured and you plan on doing this manually...
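A way to check what this thread is really about, as an added example (not code from the thread, from Microsoft's DNS tooling, or from any of the posters): parse simple BIND-style dumps of the same zone taken from the two servers, read the SOA serial (the "version" the online tool reported) and refresh timer, and diff the record sets. The zone text is constructed sample data; with two independent primaries the serials are unrelated, so the record diff, not the serial gap, is what shows the servers have drifted.

```python
# Added example: diff the same zone as dumped from two DNS servers (dns1 vs dns2).
# Assumes a simple "name IN TYPE rdata" dump, one record per line, no TTL column.

# Constructed sample dumps (not from the thread): dns1 is at serial 16, dns2 at 12.
DNS1_ZONE = """\
$ORIGIN domain.com.
@        IN SOA ns1.domain.com. hostmaster.domain.com. 16 3600 600 86400 3600
@        IN NS  ns1.domain.com.
@        IN NS  ns2.domain.com.
www      IN A   192.0.2.10
webmail  IN A   192.0.2.20
@        IN MX  10 mail.domain.com.
"""
DNS2_ZONE = """\
$ORIGIN domain.com.
@        IN SOA ns1.domain.com. hostmaster.domain.com. 12 3600 600 86400 3600
@        IN NS  ns1.domain.com.
@        IN NS  ns2.domain.com.
www      IN A   192.0.2.10
@        IN MX  10 mail.domain.com.
"""

def parse_zone(text):
    """Return (soa_serial, refresh_seconds, records); the SOA itself is kept out of records."""
    serial = refresh = None
    records = set()
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].strip()      # strip comments
        if not line or line.startswith("$"):     # skip blanks and $ORIGIN/$TTL directives
            continue
        name, _cls, rtype, *rdata = line.split()
        if rtype == "SOA":                       # rdata: mname rname serial refresh retry expire minimum
            serial, refresh = int(rdata[2]), int(rdata[3])
            continue
        records.add((name, rtype, " ".join(rdata)))
    return serial, refresh, records

def compare_zones(primary_text, secondary_text):
    """Serial lag is expected between a primary and its secondary; record drift is not."""
    p_serial, p_refresh, p_recs = parse_zone(primary_text)
    s_serial, _, s_recs = parse_zone(secondary_text)
    missing, extra = sorted(p_recs - s_recs), sorted(s_recs - p_recs)
    return {
        "serial_lag": p_serial - s_serial,       # 0 or a small positive number is normal
        "refresh_seconds": p_refresh,            # how often a true secondary polls the master
        "missing_on_secondary": missing,
        "extra_on_secondary": extra,
        "in_sync": not missing and not extra,
    }
```

Run `compare_zones(DNS1_ZONE, DNS2_ZONE)` against dumps from each server; a missing webmail A record shows up under `missing_on_secondary` even when the serial gap alone looks harmless.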


i think it might be set up as two standalone primaries because the way you suggested is somewhat insecure?

i have about 40 client domains (zones) on each dns server. the end goal (you are correct) is to have all records identical. if i was deleting the primary zone and creating a secondary on dns2 would i have to re-create the 40 domains (zones) all over ? or are you just saying i would need to delete the "forward lookup zones" folder and its contents would get re-created.

what do you think?


I think you should first try and know what is the actual architecture of DNS in your domain.

See, for example I have a domain called domain.local. Then I would have the same zone (domain.local) in DNS as well to make my domain work.
Now if I have two DNS servers in my domain called DNS1 and DNS2, both of them should show this zone on them.
Now, if these zones are NOT Active Directory Integrated, then only one DNS server can host the primary copy of the zone. And that you can manage as well.
If the zone is ADI (Active Directory Integrated) then both the DCs would have a writable copy of the zone, which means both zones are Primary (not as per terminology but as per the functionality).

Now if you say that you have two Primary zones, then either these zones are ADI zones OR you have created two different zones, for example domain.local AND domain.com (so these are two different zones and can have different records).

You can check if a zone is ADI or not by just checking the properties of the zone. On the general tab, you will see "Active Directory Integrated" written in case it is ADI. Else it will be Primary, Secondary or Stub Zone.

Now about your question: You said that you are hosting 40 domains? A bit high in number, but I really doubt if the zones can be loaded automatically. You will have to transfer each zone separately.




thanks arun. what you described does not apply to my scenario. these are TWO PUBLIC dns servers hosting 40+ client domains.

they are set up as TWO STANDALONE servers (workgroup); they are both primary zones. my question is asking if this is set up because of security and that's why it's not following the primary/secondary format.

Can you tell me if "Zone Transfer" is enabled on the primary DNS server hosting primary zones? Sometimes, if it gets disabled you get this kind of issues.

Please check zone transfer and enable it. Also, as this is workgroup scenario, please let me know the value under the replication scope of the zone. You can find all this under properties of the zone.

is there any possible way that you could take a screen shot of your dnsmgmt.msc console showing your forward lookup zones expanded? i've worked in some extremely large environments and have never seen that many forward lookup zones established.


i think there is a mistake in my terminology.

each dns server has only ONE forward lookup zone. (containing about 40 domains)

get it ?
so it would look something like this perhaps:

- forward lookup zones
  - rootdomain.local
    - sub1.rootdomain.local
    - sub2.rootdomain.local
    - etc, etc, etc ?

if there is just one and only one rootdomain forward lookup zone with everything else within it, deleting it and creating it as a secondary of the other primary dns server will get you the result you're looking for (having both dns servers hold the same dns records). just make sure to do this during off hours or something as you don't want to adversely affect your clients that use that server for name resolution.


no it looks like this

-forward lookup zones

Who uses your internal dns servers for name resolution? Is it used just by your client workstations/servers? I presume you work for some type of web hosting company since you have so many forward lookup zones... Who designed your dns infrastructure and what was the initial need for so many forward lookup zones? You'll have to dig into the background of why it was set up that way and figure out if it's worth making one of your dns servers secondary to the other - which means you'd have to manually create and configure each of the secondary zones to point to the primary dns server. I'm guessing there is a rhyme and reason for why it is the way it currently is.


yes i do work for a hosting company. you're bang on! i'm thinking it is for security purposes of some sort, i will have to ask. thanks for your help.

ideally i would like to see a secondary dns server hosting secondary dns zones. then going forward we won't have to add the same records 2 times. it will just pull from the master.

