Windows 2008 R2 DNS: allow zone transfers
Each authoritative server signs its own copy of the zone when it receives the key. For optimal performance, and to prevent increasing the size of the Active Directory database file, the signed copy of the zone remains in memory for Active Directory-integrated zones.
In general, cryptographic operations are computationally expensive. For large zones, the DNS server can take several minutes to sign the zone depending on the key length and size of the zone. To prevent performance degradation from occurring when all DNS servers start to sign the zone at the same time, signing is staggered. When a replica domain controller sees the DNSSEC keys and configuration, it waits for a random period between 5 minutes and 30 minutes before it begins signing the zone.
Because the zone hosted on a read-only domain controller (RODC) is read-only, the DNS server on the RODC cannot make any updates to the zones that it hosts. Instead, it creates a secondary copy of the zone and configures the closest writeable domain controller for the domain as the primary server. The RODC then attempts to perform a zone transfer. Zone transfers must be enabled on the primary DNS server for this transfer to succeed.
If zone transfers are not enabled, the RODC logs an error event and takes no further action. In this scenario, you must manually enable zone transfers on the primary server that the RODC selected.
If the zone is not yet signed, the only choice available is Sign the Zone. For information about signing and unsigning a zone, see DNS Zones. When you use default settings to sign a zone, the local server is selected as Key Master.
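The following is an added example, not text or code from the original page, showing how to check the zone transfer setting on the writeable primary and enable transfers only to the RODC's address rather than to any server. It assumes a placeholder zone name (contoso.com) and RODC address (10.0.0.5), and uses the DnsServer PowerShell module (Windows Server 2012 and later); the equivalent dnscmd commands for Windows Server 2008 R2 are shown in comments.

```powershell
# Added example; placeholder values, replace with your own.
$ZoneName    = 'contoso.com'   # assumed zone name
$RodcAddress = '10.0.0.5'      # assumed IP address of the RODC

# Inspect the current transfer policy on the writeable primary.
# SecureSecondaries is one of: NoTransfer, TransferAnyServer,
# TransferToZoneNameServer, TransferToSecureServers.
$zone = Get-DnsServerZone -Name $ZoneName
$zone | Select-Object ZoneName, SecureSecondaries, SecondaryServers

if ($zone.SecureSecondaries -eq 'NoTransfer') {
    # Allow the transfer the RODC needs, but only to the RODC itself.
    # TransferAnyServer would let any host that asks pull the whole
    # zone (AXFR), which exposes every record to enumeration.
    Set-DnsServerPrimaryZone -Name $ZoneName `
        -SecureSecondaries TransferToSecureServers `
        -SecondaryServers $RodcAddress
}

# Equivalent on Windows Server 2008 R2 (no DnsServer module):
#   dnscmd /ZoneInfo contoso.com
#   dnscmd /ZoneResetSecondaries contoso.com /SecureList 10.0.0.5
```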
The Key Master must be a primary, authoritative server for the zone and must be capable of online zone signing. In a Microsoft multi-master DNS deployment, however, the Key Master role can be transferred to a different authoritative name server after the zone is signed.
This transfer can be performed gracefully if the current Key Master is online, or it can be performed as part of a disaster recovery scenario if the current Key Master is offline. You cannot transfer the Key Master role if a zone is file-backed, because these zones have only one primary, authoritative DNS server.
If a zone is Active Directory-integrated, the Key Master is a domain controller and benefits from the enhanced security considerations that apply to domain controllers. If the zone is file-backed, the Key Master might not also be a domain controller. In this scenario, it is recommended to take additional security precautions to protect the Key Master from attack and to protect private key material from compromise. For security reasons, a Key Master that is not a domain controller should have only the DNS Server role installed, in order to limit its attack surface.
The Key Master generates all keys for the zone and is responsible for distributing private keys and zone signing information. It also performs all zone signing key (ZSK) and key signing key (KSK) rollovers and polls child zones to keep signed delegations up to date.
An unsigned zone can also be assigned a Key Master. All zones that have been signed have a Key Master setting, whether they are currently signed or not. A zone that has never been signed typically does not have a Key Master, but can be configured with one in preparation for zone signing by using Windows PowerShell. Another qualifying DNS server must be available on the network.
When you click the drop-down list, a pop-up alert asks if you want the local server to build a list of available, qualifying DNS servers that can be the Key Master. Click OK, choose a server from the list, and then click OK.
The signed-in user must have Domain Admins group rights, or equivalent, on a DNS server in order for it to be displayed in the list. The settings don't replicate as part of Active Directory replication. The DNS service maintains a DS polling thread that periodically polls partitions and retrieves the list of all zones.
The switch accepts values from 0 to 3, seconds. However, values from 1 to 29 are not allowed. The minimum acceptable value is 30 seconds. For more information, see Dnscmd config.
Note: When this issue occurs, the zone transfers settings on DC1 are not affected.
Note: These scripts are provided on an as-is basis.
Note: After you run the restore script, you must restart the DNS service to apply the changes.
In my other question you can see problems with BPA. It reports some problems, so I'm wondering what's the best way to approach this.