DNS zone transfer options are reset after you change zone replication scope in Windows Server 2008 R2

This article provides help to solve an issue where DNS zone transfer options are reset after you change the zone replication scope.

Original product version:  Windows Server 2012 R2
Original KB number:  4050194

Symptoms

Consider the following scenario:

  • A domain that is named contoso.com contains two domain controllers, DC1.contoso.com and DC2.contoso.com.

  • Both domain controllers are Domain Name System (DNS) servers that host the Contoso.com zone.

  • The zone replication scope is set to the following value:

    To all domain controllers in the domain (for Windows 2000 compatibility): contoso.com

  • The contoso.com zone on DC1 and DC2 is configured to Allow zone transfers to secondary servers.

  • You set the zone replication scope to the following value:

    To all DNS servers running on domain controllers in this domain: contoso.com

    Screenshot of setting the zone replication scope

  • This change is replicated to DC2, and then the contoso.com zone is reloaded by the DNS service on DC2.

In this scenario, the zone transfer settings on DC2 are removed. The following changes occur:

  • The Allow zone transfers check box is cleared.

  • The list of servers to which zone transfer was previously allowed is removed. The server values are also removed from the registry.

    Screenshot of the zone transfer settings after the change

    Note

    When this issue occurs, the zone transfers settings on DC1 are not affected.

Cause

This issue occurs because, when the replication scope is changed, the existing zone object is deleted from the old partition and a new zone object is created in the partition that corresponds to the new scope. This change is replicated to all domain controllers.

When the polling thread on DC2 pulls the change from the new partition, the registry settings for the zone are reset. Zone transfer is disabled because the value of SecureSecondaries is set to 3. Also, any configured servers in the zone transfer list are removed because the SecondaryServers value is removed. From a DNS perspective, this process is the same as creating a new zone in a different partition.

Resolution

Before you change the replication scope, note the zone transfer settings. Reconfigure the zone transfer settings after the replication scope is changed. You can also use the following scripts to back up and restore the settings.

Note

These scripts are provided on an as-is basis. We recommend that you thoroughly test these scripts before you use them in a production environment.

Backup script

Save the following code as a file that is named BackupZoneTransferSettings.ps1.

# Begin Script
param([string]$ZoneName = "test2.com")

# Build the paths: the source is the zone's key under the DNS Server settings,
# the target is a backup key in the current user's hive.
$TargetRoot    = "HKCU:\DNSZoneConfigMigration\"
$TargetKeyPath = $TargetRoot
$SourceRoot    = "HKLM:\Software\Microsoft\Windows NT\CurrentVersion\DNS Server\Zones\"
$SourceKeyPath = $SourceRoot + $ZoneName

# Create the backup key if it is not present yet
Get-Item -Path HKCU:\DNSZoneConfigMigration -ErrorAction SilentlyContinue > $null
if ($?)
{
    "DNSZoneConfigMigration key present already!"
}
else
{
    New-Item -Path HKCU:\DNSZoneConfigMigration -ErrorAction SilentlyContinue > $null
}

# Copy the whole zone key (including SecureSecondaries and SecondaryServers) under the backup key
if ($?)
{
    Copy-Item -Path $SourceKeyPath -Destination $TargetKeyPath -ErrorAction SilentlyContinue > $null
    if ($?)
    {
        "Key backed up in registry (Current User Hive) successfully!"
    }
    else
    {
        "Key Backup Failed. Error Code is " + $Error[0].Exception.Message
    }
}
else
{
    "Unable to Create Backup Key. Error code is " + $Error[0].Exception.Message + ". Exiting"
}
# End Script

Restore script

Save the following code as a file that is named RestoreZoneTransferSettings.ps1.

# Begin Script
param([string]$ZoneName = "test2.com")

# Build the paths: the source is the backup key in the current user's hive,
# the destination is the zone's key under the DNS Server settings.
$SourceRoot         = "HKCU:\DNSZoneConfigMigration\"
$SourceKeyPath      = $SourceRoot + $ZoneName
$DestinationRoot    = "HKLM:\Software\Microsoft\Windows NT\CurrentVersion\DNS Server\Zones\"
$DestinationKeyPath = $DestinationRoot + $ZoneName

# Copy the two zone transfer values back (the DNS service must be restarted afterward)
Copy-ItemProperty -Path $SourceKeyPath -Destination $DestinationKeyPath -Name "SecureSecondaries" -ErrorAction SilentlyContinue > $null
if ($?)
{
    "SecureSecondaries Value Successfully Restored for " + $ZoneName
    Copy-ItemProperty -Path $SourceKeyPath -Destination $DestinationKeyPath -Name "SecondaryServers" -ErrorAction SilentlyContinue > $null
    if ($?)
    {
        "SecondaryServers Value Successfully Restored for " + $ZoneName
        "Restore Successful! Deleting the backup"
        Remove-Item -Path $SourceKeyPath
        if (-Not $?)
        {
            "Unable to Delete Backup Key. Delete Manually. Error: " + $Error[0].Exception.Message
        }
    }
    else
    {
        "Failed to restore SecondaryServers value. " + $Error[0].Exception.Message
    }
}
else
{
    "Failed to restore SecureSecondaries value. " + $Error[0].Exception.Message
}
# End Script

The backup script backs up the zone transfer settings for a particular zone. (For convenience, the backup is stored in the registry under the HKEY_CURRENT_USER hive.)

Note

You can run the Set-ExecutionPolicy PowerShell cmdlet to allow unsigned scripts.

The second command (highlighted) in the following screenshot takes a backup of the zone transfer settings for the zone that is named "test3.com."

Screenshot of command to take a backup of the zone transfer settings

Screenshot of where the settings are backed up to in the registry

Screenshot of running the script to restore the zone transfer settings (the restore script restores these two values only)

Screenshot of the zone transfer settings in the registry before the restore operation

Screenshot of the zone transfer settings in the registry after the restore operation

Note

After you run the restore script, you must restart the DNS service to apply the changes.
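The following script is an added example and is not part of this article or its backup and restore scripts. It uses the DnsServer PowerShell module (Windows Server 2012 or later) to capture the zone transfer settings through the DNS server before the scope change and to reapply them afterward, so the registry is not edited directly and the DNS service does not have to be restarted. The zone name and snapshot file path are placeholders.

```powershell
# Added example, not from the KB article. Requires the DnsServer module (Windows Server 2012 or
# later). Zone name and snapshot path are placeholders; run as an administrator on the DNS server.
param(
    [string]$ZoneName = 'contoso.com',
    [ValidateSet('Backup', 'Restore')][string]$Action = 'Backup',
    [string]$SnapshotPath = "$env:TEMP\ZoneTransfer-$ZoneName.json"
)

# The transfer settings live in the registry, not in Active Directory, so they are lost when
# the zone object is re-created in the new partition. Capture them through the server instead.
function Save-ZoneTransferSnapshot {
    $zone = Get-DnsServerZone -Name $ZoneName
    [pscustomobject]@{
        ZoneName          = $zone.ZoneName
        SecureSecondaries = [string]$zone.SecureSecondaries   # e.g. TransferToSecureServers
        SecondaryServers  = @($zone.SecondaryServers | ForEach-Object { "$_" })
        Notify            = [string]$zone.Notify
        NotifyServers     = @($zone.NotifyServers | ForEach-Object { "$_" })
    } | ConvertTo-Json | Set-Content -Path $SnapshotPath
    "Saved zone transfer settings for $ZoneName to $SnapshotPath"
}

function Restore-ZoneTransferSnapshot {
    $snap = Get-Content -Path $SnapshotPath -Raw | ConvertFrom-Json
    $params = @{ Name = $snap.ZoneName; SecureSecondaries = $snap.SecureSecondaries; Notify = $snap.Notify }
    if ($snap.SecondaryServers) { $params.SecondaryServers = [ipaddress[]]@($snap.SecondaryServers) }
    if ($snap.NotifyServers)    { $params.NotifyServers    = [ipaddress[]]@($snap.NotifyServers) }
    # Writes through the DNS server, so the change takes effect without restarting the service.
    Set-DnsServerPrimaryZone @params

    # Verify that the live zone now matches the snapshot before declaring success.
    $zone = Get-DnsServerZone -Name $snap.ZoneName
    $live = (@($zone.SecondaryServers | ForEach-Object { "$_" }) | Sort-Object) -join ','
    $want = (@($snap.SecondaryServers) | Sort-Object) -join ','
    if ([string]$zone.SecureSecondaries -ne $snap.SecureSecondaries -or $live -ne $want) {
        throw "Zone transfer settings for $($snap.ZoneName) still differ from the snapshot."
    }
    "Zone transfer settings for $($snap.ZoneName) restored and verified."
}

switch ($Action) {
    'Backup'  { Save-ZoneTransferSnapshot }
    'Restore' { Restore-ZoneTransferSnapshot }
}
```

Run the script with -Action Backup on each DNS server before you change the replication scope, and with -Action Restore on the servers whose settings were reset after the change has replicated.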

More information

Zone transfer settings storage

The zone transfer settings are stored in the registry on the DNS server in the following path:

HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\DNS Server\Zones\<domain name>

When zone transfer is set to specific servers or IP addresses, the following values are populated:

  • SecureSecondaries is set to 0x2. This corresponds to the Only to the following servers option.
  • A multi-string value that is named SecondaryServers is created by using the IP addresses of the servers.
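The following script is an added example and is not part of this article. It reads the registry values described above for every zone under the Zones key, decodes SecureSecondaries, and flags zones that show the signature of the reset (SecureSecondaries set to 3 with SecondaryServers missing); it can also compare a zone against a backup made with BackupZoneTransferSettings.ps1. Values 0 and 1 of SecureSecondaries are not discussed in the article; the meanings given in the script are the DNS server's other two transfer modes.

```powershell
# Added example, not from the KB article. Audits the per-zone transfer settings in the registry
# and flags zones that show the reset described above. Run as an administrator on the DNS server.
$ZonesRoot = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\DNS Server\Zones'

# Meaning of the SecureSecondaries DWORD. The article covers 2 and 3; 0 and 1 are the DNS
# server's other two settings and are included for completeness.
$SecureSecondariesNames = @{
    0 = 'To any server'
    1 = 'Only to servers listed on the Name Servers tab'
    2 = 'Only to the following servers'    # uses the SecondaryServers multi-string value
    3 = 'Zone transfers disabled'
}

function Get-ZoneTransferAudit {
    foreach ($key in Get-ChildItem -Path $ZonesRoot) {
        $p        = Get-ItemProperty -Path $key.PSPath
        $mode     = $p.SecureSecondaries
        $servers  = @($p.SecondaryServers | Where-Object { $_ })   # empty when the value is missing
        $modeName = if ($null -eq $mode) { 'Not set' } else { $SecureSecondariesNames[[int]$mode] }
        [pscustomobject]@{
            Zone              = $key.PSChildName
            SecureSecondaries = $mode
            Mode              = $modeName
            SecondaryServers  = $servers -join ','
            # Signature of the reset: transfers disabled (3) and the server list removed.
            LooksReset        = ($mode -eq 3 -and $servers.Count -eq 0)
        }
    }
}

# Compare a zone's live settings with a backup made by BackupZoneTransferSettings.ps1, which
# copies the zone key to HKCU:\DNSZoneConfigMigration\<zone>.
function Compare-ZoneTransferBackup {
    param([Parameter(Mandatory)][string]$ZoneName)
    $backupKey = "HKCU:\DNSZoneConfigMigration\$ZoneName"
    if (-not (Test-Path -Path $backupKey)) { return "No backup found for $ZoneName." }
    $b = Get-ItemProperty -Path $backupKey
    $l = Get-ItemProperty -Path "$ZonesRoot\$ZoneName"
    $same = ($b.SecureSecondaries -eq $l.SecureSecondaries) -and
            ((@($b.SecondaryServers) -join ',') -eq (@($l.SecondaryServers) -join ','))
    if ($same) { "Live settings for $ZoneName match the backup." }
    else { "Live settings for $ZoneName differ from the backup (SecureSecondaries $($l.SecureSecondaries) vs. $($b.SecureSecondaries)); reconfigure or run the restore script." }
}

Get-ZoneTransferAudit | Format-Table -AutoSize
```

Running the audit on each DNS server after a scope change shows which zones need their transfer settings reconfigured; Compare-ZoneTransferBackup -ZoneName contoso.com confirms whether a restored zone matches its backup.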

Screenshot of the zone transfer setting in the DNS console

Screenshot of the zone transfer values in the registry

Note

The zone transfer settings are not stored in Active Directory. Therefore, the settings don't replicate as part of Active Directory replication.

DS polling thread

The DNS service maintains a DS polling thread that periodically polls partitions and retrieves the list of all zones. For more information, see How Often Does the DNS Server Service Check AD for New or Modified Data?
By default, the DNS service polls Active Directory for changes every 180 seconds (3 minutes). You can control this process by using the DsPollingInterval registry key or the dnscmd /dspollinginterval switch.

Note

The switch accepts values from 0 to 3,600 seconds. However, values from 1 to 29 are not allowed. The minimum acceptable value is 30 seconds.

For more information, see Dnscmd config.