I have set up two internal DNS servers for our small network, which also has a persistent connection to the web. The primary internal DNS is WIN2k/SP2 with three zones; two Type: primary, one Type: AD. All three are set for dynamic updates, and for internal use only. The internal secondary DNS is WinNT4/SP6a and points to the internal primary.
The network environment is mixed with win98/nt4/w2k.
DNS appears to be working except for zone transfers, which occur every two minutes (+/- a few seconds).
Every "TWO MINUTES" Event ID 6001 will be written to Event Viewer\Dns Server
Event Type: Information
Event Source: DNS
Event Category: None
Event ID: 6001
Date: 7/2/2002
Time: 1:19:21 PM
User: N/A
Computer: P0035
Description:
The DNS server successfully completed transfer of zone
222.168.192.in-addr.arpa to DNS server at 192.168.222.41.
After receiving (20) events of ID:6001, Event ID 9999 will get
written...just like clockwork.
Event Type: Warning
Event Source: DNS
Event Category: None
Event ID: 9999
Date: 7/2/2002
Time: 1:19:21 PM
User: N/A
Computer: P0035
Description:
The DNS server has encountered numerous run-time events. These are usually
caused by the reception of bad or unexpected packets, or from problems with
or excessive replication traffic. The data is the number of suppressed
events encountered in the last 15 minute interval.
Data:
0000: 14 00 00 00 ....
I have turned on logging but can't seem to find any errors, nor does anything ring a bell after spending two days reading MS-KB.
These are the only events being written to Event Viewer. I have also tried turning off Dynamic updates and restarted DNS...No Change.
Need some assistance
You are going to get a zone transfer every time there is a record update, which could happen a lot with active directory and multiple domain controllers. This will happen when a host registers itself with DNS.
If this zone is an Internet zone, then you should only allow zone transfers to "trusted" DNS servers. Otherwise a hacker could spoof a client on your network by knowing your entire network layout.
This problem sounds very "virus-like" to me. Take a look at This CERN Incident Report for a possibility and to give you some thoughts on things to check.
In general, you will do better I think if you can put DNS on Win2K machines. Granted, you may not have much legit zone change activity but with 2K, you can get incremental rather than full as NT4 requires. And I'm not really convinced the two systems play well together as DNS servers.
in-addr.arpa zone-updates don't sound like they are much needed on your system.
Why not put in static entries in your DNS table for each of the IP addresses in your DHCP scope? ISPs use this for their reverse DNS all the time. It really doesn't matter for clients.
Also you could block DNS updates unless they come from the DHCP server. (DHCP proxy will update the record). That way you know it's just your clients that are updating the zone. Each time a client reboots, or lease expires, they will renew their IP with the DHCP server. When that happens, they will try and update their DNS record also.
24jedi - something else that finally caught my attention. From a look at DNS Events 2000 thru 9999 which was posted for NT4 SP4 but may well still be valid (can't see a DNS machine right now) -
Quote:
..... Zone Transfer Master
6000 (Informational) DNS_EVENT_ZONEXFR_START
DNS Server initiating transfer of zone %1 to DNS server at %2.
6001 (Informational) DNS_EVENT_ZONEXFR_SUCCESSFUL
DNS Server transfer of zone %1 to DNS server at %2, successfully completed. ......
I would think you should see an event ID 6000 along with the 6001 you mention if the zone transfers were started by any of the usual means.
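The check suggested in the last reply, written out as an added example that is not part of the thread: it reads DNS Server events exported as text, pairs each 6001 completion with a preceding 6000 start for the same zone and peer, and reports the spacing between completions. It assumes the record layout shown in the first post and US month/day/year dates; the sample records, zone name and address are constructed.

```python
import re
from datetime import datetime

# Constructed sample records in the text layout of the event dumps in the thread.
REC = "Event Type: Information\nEvent ID: {}\nDate: 7/2/2002\nTime: {}\nDescription:\n{}\n"
START = "DNS Server initiating transfer of zone 2.0.192.in-addr.arpa to DNS server at 192.0.2.41."
DONE = "The DNS server successfully completed transfer of zone\n2.0.192.in-addr.arpa to DNS server at 192.0.2.41."
SAMPLE = "".join(REC.format(*e) for e in [
    (6000, "1:15:20 PM", START), (6001, "1:15:21 PM", DONE),
    (6001, "1:17:21 PM", DONE), (6001, "1:19:21 PM", DONE)])

FIELD = re.compile(r"^(Event ID|Date|Time):\s*(.+?)\s*$", re.M)
# \s+ lets the match span the line wrap inside the Description text.
XFER = re.compile(r"zone\s+(\S+)\s+to DNS server at\s+(\d+(?:\.\d+){3})")

def parse_events(text):
    """Yield (when, event_id, zone, peer) for each 6000/6001 record."""
    for block in re.split(r"(?m)^(?=Event Type:)", text):
        fields = dict(FIELD.findall(block))
        m = XFER.search(block)
        if not m or fields.get("Event ID") not in ("6000", "6001"):
            continue
        stamp = fields["Date"] + " " + fields["Time"]
        when = datetime.strptime(stamp, "%m/%d/%Y %I:%M:%S %p")
        yield when, int(fields["Event ID"]), m.group(1), m.group(2)

def analyze(events):
    """Per (zone, peer): completions, completions with no 6000 start, gaps in seconds."""
    report, pending, last_done = {}, set(), {}
    for when, eid, zone, peer in sorted(events):
        key = (zone, peer)
        r = report.setdefault(key, {"completed": 0, "unpaired": 0, "gaps": []})
        if eid == 6000:
            pending.add(key)          # a start was logged; expect a 6001 next
            continue
        r["completed"] += 1
        if key in pending:
            pending.discard(key)
        else:
            r["unpaired"] += 1        # 6001 with no preceding 6000
        if key in last_done:
            r["gaps"].append((when - last_done[key]).total_seconds())
        last_done[key] = when
    return report

if __name__ == "__main__":
    for (zone, peer), r in analyze(parse_events(SAMPLE)).items():
        print(zone, peer, r)
```

A run of near-identical gaps (120 seconds in the sample) points to a timer or retry loop rather than per-record updates, and a high unpaired count is the situation the last reply describes.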