DNS zone transfer options are reset after you change zone replication scope in Windows Server 2008 R2

Applies to: Windows Server 2008 R2 Enterprise, Windows Server 2008 R2 Datacenter, Windows Server 2008 R2 Standard

Symptoms


Consider the following scenario:

  • A domain that is named contoso.com contains two domain controllers, DC1.contoso.com and DC2.contoso.com.
  • Both domain controllers are Domain Name System (DNS) servers that host the "Contoso.com" zone.
  • The zone replication scope is set to the following value:

    To all domain controllers in the domain (for Windows 2000 compatibility): contoso.com
  • The contoso.com zone on DC1 and DC2 is configured to Allow Zone transfers to secondary servers.
  • You set the zone replication scope to the following value:

    To all DNS servers running on domain controllers in this domain: contoso.com

  • This change is replicated to DC2, and then the contoso.com zone is reloaded by the DNS service on DC2.

In this scenario, the zone transfer settings on DC2 are removed. The following changes occur:

  • The Allow zone transfers check box is cleared.
  • The list of servers to which zone transfer was previously allowed is removed. The server values are also removed from the registry.


Note When this issue occurs, the zone transfers settings on DC1 are not affected.

Cause


This issue occurs because, when the replication scope is changed, the existing zone object is deleted from its current application directory partition and a new zone object is created in the partition that corresponds to the new scope. This change is replicated to all domain controllers.

When the polling thread on DC2 pulls the change from the new partition, the registry settings for contoso.com are reset. Zone transfer is disabled because the SecureSecondaries value is set to 3. Also, any servers that were configured in the zone transfer list are removed because the SecondaryServers value is deleted. From a DNS perspective, this process is the same as creating a new zone in a different partition.

Resolution


Before you change the replication scope, note the zone transfer settings. Reconfigure the zone transfer settings after the replication scope is changed.

You can also use the following scripts to back up and restore the settings.


Backup script

Save the following code as a file that is named BackupZoneTransferSettings.ps1.

# Begin Script
param([string]$ZoneName = "test2.com")

# Build the vars
$TargetRoot = "HKCU:\DNSZoneConfigMigration\"
$TargetKeyPath = $TargetRoot
$SourceRoot = "HKLM:\Software\Microsoft\Windows Nt\CurrentVersion\DNS Server\Zones\"
$SourceKeyPath = $SourceRoot + $ZoneName

# Copy the Item
# Check for the presence of the item
Get-Item HKCU:\DNSZoneConfigMigration -ErrorAction SilentlyContinue >$null
if($?)
{
  "DNSZoneConfigMigration key present already!"
}
else
{
  New-Item -Path HKCU:\DNSZoneConfigMigration -ErrorAction SilentlyContinue >$null
}
if($?)
{
  # Copies the whole zone key (including SecureSecondaries and SecondaryServers) under the backup key
  Copy-Item -Path $SourceKeyPath -Destination $TargetKeyPath -ErrorAction SilentlyContinue >$null
  if($?)
  {
   "Key backed up in registry (Current User Hive) successfully!"
  }
  else
  {
   "Key Backup Failed. Error Code is " + $Error[0].Exception.Message
  }
}
else
{
  "Unable to Create Backup Key. Error code is " + $Error[0].Exception.Message + ". Exiting"
}
# End Script


Restore script

Save the following code as a file that is named RestoreZoneTransferSettings.ps1.

# Begin Script
param([string]$ZoneName = "test2.com")

# Build the vars
$SourceRoot = "HKCU:\DNSZoneConfigMigration\"
$SourceKeyPath = $SourceRoot + $ZoneName
$DestinationRoot = "HKLM:\Software\Microsoft\Windows Nt\CurrentVersion\DNS Server\Zones\"
$DestinationKeyPath = $DestinationRoot + $ZoneName

# Copy the ItemProperty Values (only these two values are restored)
Copy-ItemProperty -Path $SourceKeyPath -Destination $DestinationKeyPath -Name "SecureSecondaries" -ErrorAction SilentlyContinue >$null
if($?)
{
    "SecureSecondaries Value Successfully Restored for " + $ZoneName
    Copy-ItemProperty -Path $SourceKeyPath -Destination $DestinationKeyPath -Name "SecondaryServers" -ErrorAction SilentlyContinue >$null
    if($?)
    {
        "SecondaryServers Value Successfully Restored for " + $ZoneName
        "Restore Successful! Deleting the backup"
        Remove-Item -Path $SourceKeyPath
        if(-Not $?)
        {
            "Unable to Delete Backup Key. Delete Manually. Error :" + $Error[0].Exception.Message
        }
    }
    else
    {
        "Failed to restore SecondaryServers value. " + $Error[0].Exception.Message
    }
}
else
{
    "Failed to restore SecureSecondaries value. " + $Error[0].Exception.Message
}
# End Script


The backup script backs up the zone transfer settings for a particular zone. (For convenience, the backup is stored in the registry under the HKEY_CURRENT_USER hive.)


Screen shot: the second command (highlighted) takes a backup of the zone transfer settings for the zone that is named "test3.com."

Screen shot: where the settings are backed up to in the registry.

Screen shot: running the script to restore the zone transfer settings (the restore script restores these two values only).

Screen shot: zone transfer settings in the registry before the restore operation.

Screen shot: zone transfer settings in the registry after the restore operation.

Note After you run the restore script, you must restart the DNS service to apply the changes.

More information


Zone transfer settings storage

The zone transfer settings are stored in the registry on the DNS server in the following path:

HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\DNS Server\Zones\<domain name>

When zone transfer is set to specific servers or IP addresses, the following values are populated:

  • SecureSecondaries is set to 0x2. This corresponds to the Only to the following servers option.
  • A multi-string value that is named SecondaryServers is created by using the IP addresses of the servers.
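The following script is an added example and is not part of the KB article or its scripts. It decodes the SecureSecondaries and SecondaryServers values from the registry path above and compares them with the backup key that the article's BackupZoneTransferSettings.ps1 writes, so that an administrator can confirm after the replication scope change whether DC2's settings were reset. It assumes that the backup script has already been run for the zone; the meanings of SecureSecondaries 0 and 1 are standard DNS Server values not described by the article, which covers only 2 and 3.

```powershell
# Added example, not part of the KB article: decode a zone's transfer settings from the
# registry path the article names and compare them with the backup key that
# BackupZoneTransferSettings.ps1 writes under HKCU:\DNSZoneConfigMigration. Meanings for
# SecureSecondaries 0 and 1 are standard DNS Server values; the article describes only 2 and 3.
param([string]$ZoneName = "contoso.com")

$SecureSecondariesText = @{
    0 = "To any server"
    1 = "Only to servers listed on the Name Servers tab"
    2 = "Only to the following servers (SecondaryServers list)"
    3 = "Zone transfers not allowed"
}

function Get-ZoneTransferSetting {
    param([string]$Zone, [string]$Root = "HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\DNS Server\Zones")
    $key = Get-ItemProperty -Path (Join-Path $Root $Zone) -ErrorAction Stop
    # A missing SecureSecondaries value is reported as -1 rather than guessed.
    $mode = -1; $modeName = "value not present"
    if ($key.PSObject.Properties.Name -contains "SecureSecondaries") {
        $mode = [int]$key.SecureSecondaries
        $modeName = $SecureSecondariesText[$mode]
    }
    [pscustomobject]@{
        Zone              = $Zone
        SecureSecondaries = $mode
        Mode              = $modeName
        SecondaryServers  = @($key.SecondaryServers | Where-Object { $_ })   # empty when the value is absent
    }
}

function Compare-ZoneTransferSetting {
    param([string]$Zone)
    $live   = Get-ZoneTransferSetting -Zone $Zone
    $backup = Get-ZoneTransferSetting -Zone $Zone -Root "HKCU:\DNSZoneConfigMigration"
    $drift = @()
    if ($live.SecureSecondaries -ne $backup.SecureSecondaries) {
        $drift += "SecureSecondaries: backup=$($backup.SecureSecondaries) ($($backup.Mode)), live=$($live.SecureSecondaries) ($($live.Mode))"
    }
    $bs = ($backup.SecondaryServers | Sort-Object) -join ","
    $ls = ($live.SecondaryServers | Sort-Object) -join ","
    if ($bs -ne $ls) { $drift += "SecondaryServers: backup=[$bs], live=[$ls]" }
    return ,$drift   # empty list means nothing was reset
}

$live = Get-ZoneTransferSetting -Zone $ZoneName
"Current setting for $($live.Zone): $($live.Mode) [$($live.SecondaryServers -join ',')]"
$drift = Compare-ZoneTransferSetting -Zone $ZoneName
if ($drift.Count -eq 0) { "Zone transfer settings for $ZoneName match the backup." }
else { "Zone transfer settings for $ZoneName differ from the backup:"; $drift | ForEach-Object { "  $_" } }
```

Run it on DC2 after the DS polling thread has reloaded the zone; a reported SecureSecondaries change to 3 with an emptied SecondaryServers list is the reset the article describes, and the restore script followed by a DNS service restart puts the values back.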


DS polling thread

The DNS service maintains a DS polling thread that periodically polls partitions and retrieves the list of all zones. For more information, see How Often Does the DNS Server Service Check AD for New or Modified Data?

By default, the DNS service polls Active Directory for changes every 180 seconds (3 minutes). You can control this process by using the DsPollingInterval registry key or the dnscmd /dspollinginterval switch.


For more information, see Dnscmd config.