Windows DNS Zone transfers and aging?

We're running Windows 2008 AD Integrated DNS and a few Secondary Zones. After reviewing the current DNS setup, Aging is not set and Zone transfers are configured to "Only to servers listed on the Name Servers tab". From what I've read, Zone Transfers are designed for Secondary Zones and are not required for AD Integrated DNS because it's stored in the AD database, which is handled by AD replication.

1) Is it wrong to have all AD Integrated DNS and Secondary configured for Zone transfers?
2) Should I list the secondary zones only in the Zone Transfers?

As for Zone Aging/Scavenging I found this unchecked. Isn't it recommended to have this enabled to clear out stale records?

David Johnson, CD, MVP (Owner) commented:
As for Zone Aging/Scavenging I found this unchecked. Isn't it recommended to have this enabled to clear out stale records? Best practices suggests that scavenging be enabled with defaults (7 days) for all zones.
If you have Secondary zones, I would make sure you know why you are using them.  Zone transfers occur from Standard Primary zones to a Secondary.  If you have AD-integrated Primary zones, then normal AD replication takes care of making sure the DNS zone data is available on other domain controllers with DNS installed vs. having the data transferred via zone transfer.  I would say in most cases it's preferable to have AD-integrated zones vs. Standard Primary and Secondary zones because the AD replication is more efficient than a zone transfer.  I couldn't give any further recommendation without knowing more about what your DNS and/or DC layout is like, the zones you have, and where you want them to be.
apimentel26 (Author) commented:
The secondary zones were the old IPs of decommissioned Win2K DC servers. The previous admin didn't want to update every device and kept it. Everything else is AD Integrated except for those few secondaries that I've found are used for every device.

I don't understand what you're trying to describe.  Not to be too blunt, but what you've said doesn't make any sense.

Are you saying the secondary zones contained records for servers which no longer exist?  Where is the secondary zone pulling its data from (has to be a primary zone somewhere)?  How does a secondary zone on a server have anything to do with how a device is configured?  Maybe you should post some screenshots to help clear up any confusion.
apimentel26 (Author) commented:
The old Win2K AD servers were decommissioned. The previous admins forgot that every device is using the IP addresses of these servers as DNS. They stood up new servers using the same IP of those decommissioned servers and made it secondary DNS zones.
Everything makes sense until "...and made it secondary DNS zones."
apimentel26 (Author) commented:
The previous admins decided to stand up two servers using the same IP of those decommissioned AD servers and made it secondary DNS zones. Which in turn meant they didn't have to update or modify any DNS settings on the end users' machines. Please don't ask me why...

I'm adding some docs that would help answer my original questions.
David Johnson, CD, MVP (Owner) commented:
It is probably time to do some housecleaning and get rid of the zones.
Again "made it secondary DNS zones".  What is it?  You don't make servers into zones.  Maybe I'm being dense but I don't understand what you're saying.

If you're referring to the NIC settings on machines where you set which DNS servers you want to use as preferred and alternate, that has nothing to do with zones.

Looking at the simple diagram, here's a guess:  "DNS Secondary 1" and "DNS Secondary 2" only have the DNS role installed (and not AD Directory Services).  They are configured with secondary zones to pull information from the DNS on the domain controllers (via zone transfer).  All the client machines are configured to use only the IPs of "DNS Secondary 1" and "DNS Secondary 2" in their NIC settings.

Is this guess anywhere close to correct?
apimentel26 (Author) commented:
Yes, that is correct. DNS Secondary 1 and 2 servers are running DNS Secondary zones of the
apimentel26 (Author) commented:

That's what I'm planning to do, but I'm trying to gather as many details as I can before making these changes.
If I've understood correctly, then you have two options if you want to get rid of those servers.
1 - Change all devices and clients so that they only point to the domain controllers with DNS, after which you can remove the "secondary" DNS servers.
2 - Re-IP a couple of the domain controllers so they have the IP of the "secondary" DNS servers.  For example, if domain controller 1 has an IP of, and DNS Secondary 1 has an IP of, then first change the IP of DNS Secondary 1 to something else, then change the IP of domain controller 1 to  Once you've verified that clients are successfully using the domain controllers for DNS, you can remove the secondary DNS servers.
apimentel26 (Author) commented:

Thanks for trying to figure out what I'm trying to explain. I'm obviously not doing a good job. I'll try again: in the DNS properties of a DNS Zone which is running Active Directory Integrated, there is an option for Zone Transfer. In this section I can allow Zone transfers by enabling it, and there are more options. What I found selected is "Only to servers listed on the Name Servers tab". The Name Servers tab lists all our DNS servers.

Based off what I read and trying to confirm that this section applies to DNS servers that are running Primary and Secondary Zones. Since AD DNS is part of the AD Replication process (stored in AD partition) would I still need AD DNS in the Name Servers section? Or should I change the option in the Zone Transfer section to "Only to the following servers"? If I did that would I only list the servers running Secondary Zones? Is it wrong to have AD DNS listed there? Or am I completely misunderstanding this?

You can refer back to the drawings I made.
You are right that this applies only to Standard Primary and Secondary zones.  The setting has no impact on replication of AD-integrated zones (which can be Primary or Stub).  So, the only IPs you need to allow zone transfers to are those that host Secondary zones (which pull from the Primary zone).

When you have it set to "Only to servers listed on the Name Servers tab", in simple configurations you only have to make sure that each server that hosts a copy of the zone has an NS record, without worrying about updating the IPs on the Zone Transfers tab.
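The audit and the two changes discussed in this thread (restricting zone transfers to the servers that actually host secondaries, and turning on aging with the 7-day defaults) can be scripted. The following is an added example, not code from the thread or from Microsoft; it uses the DnsServer PowerShell module, which ships with Windows Server 2012 and later (and RSAT), so on the Server 2008 hosts described here it would have to run from a newer management machine or be replaced by the dnscmd equivalents. The zone name and secondary IPs at the bottom are placeholders.

```powershell
# Added example (not from the thread): audit and remediate zone-transfer and
# aging settings with the DnsServer module. Assumes Server 2012+ or RSAT.
Import-Module DnsServer

function Get-DnsZoneTransferAudit {
    # Returns one row per primary/secondary zone with its transfer policy,
    # the explicit secondary list and whether aging is enabled.
    param([string]$ComputerName = $env:COMPUTERNAME)

    Get-DnsServerZone -ComputerName $ComputerName |
        Where-Object { -not $_.IsAutoCreated -and $_.ZoneType -in 'Primary','Secondary' } |
        ForEach-Object {
            $zone = $_
            $agingEnabled = 'n/a'
            if ($zone.ZoneType -eq 'Primary') {
                $aging = Get-DnsServerZoneAging -Name $zone.ZoneName -ComputerName $ComputerName
                $agingEnabled = $aging.AgingEnabled
            }

            # Flag the settings a reviewer would want to look at. AD-integrated
            # zones replicate through AD, so the transfer list on them only matters
            # for true secondaries pulling from this server.
            $finding = switch ($zone.SecureSecondaries) {
                'TransferAnyServer'        { 'transfers allowed to any host: restrict' }
                'TransferToZoneNameServer' { 'transfers allowed to every NS record: verify NS list' }
                default                    { 'ok' }
            }

            [pscustomobject]@{
                Zone             = $zone.ZoneName
                Type             = $zone.ZoneType
                ADIntegrated     = $zone.IsDsIntegrated
                TransferPolicy   = $zone.SecureSecondaries
                SecondaryServers = ($zone.SecondaryServers -join ',')
                AgingEnabled     = $agingEnabled
                Finding          = $finding
            }
        }
}

function Set-DnsZoneTransferRestriction {
    # Equivalent of the GUI's "Only to the following servers": allow transfers
    # only to the listed secondary IPs.
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)][string]$ZoneName,
        [Parameter(Mandatory)][string[]]$SecondaryServerIPs,
        [string]$ComputerName = $env:COMPUTERNAME
    )
    if ($PSCmdlet.ShouldProcess($ZoneName, "restrict zone transfers to $($SecondaryServerIPs -join ',')")) {
        Set-DnsServerPrimaryZone -Name $ZoneName -ComputerName $ComputerName `
            -SecureSecondaries TransferToSecureServers -SecondaryServers $SecondaryServerIPs
    }
}

function Enable-DnsZoneAgingDefaults {
    # Per-zone aging with the default 7-day no-refresh and refresh intervals.
    # Scavenging must also be switched on at the server level, on at least one
    # DNS server, for stale records to actually be removed.
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)][string]$ZoneName,
        [string]$ComputerName = $env:COMPUTERNAME
    )
    if ($PSCmdlet.ShouldProcess($ZoneName, 'enable aging (7d/7d)')) {
        Set-DnsServerZoneAging -Name $ZoneName -ComputerName $ComputerName -Aging $true `
            -NoRefreshInterval 7.00:00:00 -RefreshInterval 7.00:00:00
        Set-DnsServerScavenging -ComputerName $ComputerName -ScavengingState $true `
            -ScavengingInterval 7.00:00:00
    }
}

# Usage (placeholder zone and IPs; -WhatIf shows the change without applying it):
Get-DnsZoneTransferAudit | Format-Table -AutoSize
Set-DnsZoneTransferRestriction -ZoneName 'corp.example' -SecondaryServerIPs '10.0.0.21','10.0.0.22' -WhatIf
Enable-DnsZoneAgingDefaults -ZoneName 'corp.example' -WhatIf
```

On a Server 2008 DNS host without the module, the same information and changes are available through dnscmd.exe: `dnscmd /ZoneInfo <zone>` shows the current transfer and aging settings, `dnscmd /ZoneResetSecondaries <zone> /SecureList <ip> ...` restricts transfers to listed IPs, and `dnscmd /Config <zone> /Aging 1` enables aging on a zone. Run the audit first and confirm that each IP in the secondary list really hosts a secondary copy of that zone before restricting transfers.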

apimentel26 (Author) commented:
Awesome! Thank you!