Description of the zone transfer throttling mechanism

Important This article contains information about how to modify the registry. Make sure to back up the registry before you modify it. Make sure that you know how to restore the registry if a problem occurs. For more information about how to back up, restore, and modify the registry, click the following article number to view the article in the Microsoft Knowledge Base:
256986 Description of the Microsoft Windows registry

Summary

This article describes the zone transfer throttling mechanism that is used by the dynamic update zone of a primary Domain Name System (DNS) Server that is running Microsoft Windows Server 2003 or Microsoft Windows 2000 Server.

More Information

The dynamic update zone of a primary DNS server uses a zone transfer throttling mechanism to limit the number of zone transfer requests that the primary DNS server must fulfill. The zone transfer throttling mechanism is only used for zones where dynamic updates are enabled. To make sure that a zone transfer is successful, you must write lock the zone. When a zone is write locked, dynamic updates are not written to that zone. If you do not write lock the dynamic update zone of the primary DNS server, it may not be able to fulfill continuous zone transfer requests from the secondary DNS servers.

After a successful zone transfer, the primary DNS server releases the write lock. This enables dynamic updates of the dynamic update zone of the DNS server to succeed. However, the primary DNS server maintains a zone transfer lock to prevent additional zone transfers. The primary DNS server maintains the zone transfer lock for a period of time that is equal to 10 times the amount of time that is spent transferring the zone, up to a maximum of 10 minutes. Zone transfer locking is used for each dynamic update zone of the primary DNS server.

For example, if a zone transfer requires 2 seconds, the primary DNS server refuses all zone transfer requests from the secondary DNS servers for the transferred zone for the next 20 seconds. If a zone transfer requires 2 minutes, the primary DNS server refuses all zone transfer requests from the secondary DNS servers for the transferred zone for the next 10 minutes.

When the primary DNS server refuses a zone transfer request from the secondary DNS servers, the secondary DNS servers may consider this behavior to be an unsuccessful zone transfer request. As a result, error messages may be logged on the secondary DNS servers. For example, a Microsoft Windows NT 4.0-based secondary DNS server may log Event ID 6525. This indicates that a zone transfer request from the secondary DNS server was refused by the primary DNS server.

A primary DNS server that uses the Notify feature and that has many secondary DNS servers may experience these types of errors more frequently. This is because the Notify feature can trigger all of the secondary DNS servers to request a zone transfer from the primary DNS server at approximately the same time.

How to configure the zone transfer lock time in Windows Server 2003

Warning Serious problems might occur if you modify the registry incorrectly by using Registry Editor or by using another method. These problems might require that you reinstall your operating system. Microsoft cannot guarantee that these problems can be solved. Modify the registry at your own risk.

To control the period of time that the zone transfer lock is maintained by using Registry Editor, follow these steps:
  1. Click Start, click Run, type regedit, and then click OK.
  2. Locate and then click the following subkey:
    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\DNS\Parameters
  3. In the right pane, right-click the XfrThrottleMultiplier entry, and then click Modify.
  4. In the Value data box, type Multiplier, and then click OK.
  5. Exit Registry Editor.
To use the Dnscmd.exe command-line tool to control the period of time that the zone transfer lock is maintained, follow these steps:
  1. Click Start, click Run, type cmd, and then click OK.
  2. At the command prompt, type dnscmd /Config /XfrThrottleMultiplier Multiplier, and then press ENTER.
Multiplier is a placeholder for a numeric multiplier. The XfrThrottleMultiplier value is used to calculate the length of time that the zone transfer lock is maintained. The lock time is equal to the XfrThrottleMultiplier value multiplied by the time that was required for the last zone transfer.

For example, if you set the XfrThrottleMultiplier to a value of 10, and it took 5 seconds to transfer the zone to a secondary DNS server, all the zone transfers for that zone will be refused for the next 50 seconds.

Notes
  • The default multiplier value is 10.
  • The maximum lock time is 10 minutes.
  • To disable zone transfer throttling, set the server registry key XfrThrottleMultiplier to DWORD zero.
Caution If you set the XfrThrottleMultiplier value to zero, you may open the DNS server to possible denial of service attacks from a malicious zone transfer client.
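The lock rule described above (multiplier times the last transfer time, capped at 10 minutes, disabled at 0) and the Notify burst scenario, modelled as an added example; this is not code from the article or from the Windows DNS service, and it assumes for simplicity that a request arriving while a transfer of the same zone is still in progress is refused as well.

```python
"""Model of the Windows DNS zone transfer throttle described in this article."""
from dataclasses import dataclass

MAX_LOCK_SECONDS = 10 * 60   # the article's cap: 10 minutes
DEFAULT_MULTIPLIER = 10      # default XfrThrottleMultiplier value


def lock_seconds(transfer_seconds: float, multiplier: int = DEFAULT_MULTIPLIER) -> float:
    """Seconds the transfer lock is held after a transfer that took transfer_seconds:
    multiplier x transfer time, capped at 10 minutes. Multiplier 0 disables the lock."""
    if multiplier <= 0:
        return 0.0
    return min(multiplier * transfer_seconds, MAX_LOCK_SECONDS)


@dataclass
class ZoneThrottle:
    """Throttle state for one dynamic update zone on the primary server."""
    multiplier: int = DEFAULT_MULTIPLIER
    locked_until: float = 0.0   # absolute time (seconds) at which the lock expires
    refused: int = 0            # refused requests (what secondaries log as failures)

    def request(self, now: float, transfer_seconds: float) -> bool:
        """Handle a zone transfer request arriving at time `now`.
        Returns True if the primary serves it, False if it is refused."""
        if self.multiplier <= 0:          # throttling disabled: every request is served
            return True
        if now < self.locked_until:       # lock still held (assumption: includes in-progress transfer)
            self.refused += 1
            return False
        finished = now + transfer_seconds  # the lock starts when the transfer completes
        self.locked_until = finished + lock_seconds(transfer_seconds, self.multiplier)
        return True


def notify_burst(secondaries: int, transfer_seconds: float,
                 multiplier: int = DEFAULT_MULTIPLIER) -> tuple:
    """Simulate a Notify: all secondaries request the zone 1 ms apart.
    Returns (served, refused) for the burst."""
    zone = ZoneThrottle(multiplier)
    served = sum(zone.request(i * 0.001, transfer_seconds) for i in range(secondaries))
    return served, zone.refused
```

With the default multiplier only the first secondary in a burst is served; with the multiplier set to 0 every request is served, which is the exposure the caution above refers to.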
Properties

Article number: 291016 – Last revised: 07.01.2008 – Revision: 1