Zone transfer info via NSLOOKUP

Spacer_08 Member Posts: 39
Hey again!

A) dnscmd /zoneresetsecondaries xyz.com /nonsecure (when you wish to retrieve zone info)
B) dnscmd /zoneresetsecondaries xyz.com /securens (when you're finished retrieving zone info)

Now, I understand that to display zone info for any given domain, you must use the above commands. Please could someone answer me the following:

1) What is meant by the term 'Secondaries?'
2) When using command A, does this allow everyone outside the company network to retrieve important zone info?
3) Is there any other way (either by GUI or other means) to view zone info?

I just don't understand why, even when the allow zone transfers box for listed name servers is ticked, and the host entry for the computer I'm running the lookup from is listed in the Name Servers tab... why must I carry out this further task?

Thanks in advance!

Comments

  • Mishra Member Posts: 2,468
    nslookup>

    ls -d your.zone.information.com

    1) Zone transfers are meant to update DNS servers hosting secondary zones.
    2) You have to make sure you have disabled the ability to do zone transfers to anyone and only add the workstations that need to use that information.
    My blog http://www.calegp.com

    You may learn something!
  • undomiel Member Posts: 2,818
    This will help explain a bit more what is going on: http://technet2.microsoft.com/windowsserver/en/library/5c497b2e-3387-4ecf-adf5-562045620a961033.mspx?mfr=true

    Also there should be a need to run that because if the computer you're on is listed in the allow zone transfers then it should be a-ok for running the nslookup zone transfer.
    Jumping on the IT blogging band wagon -- http://www.jefferyland.com/
  • Spacer_08 Member Posts: 39
    Mishra - Thanks for that, I forgot that requesting zone transfer info through nslookup is basically simulating a secondary zone server environment. :)

    Undomiel - Thanks for your reply and the link! I initially thought this too, I didn't understand why the query was refused... so if anyone else has any ideas on that please let me know!

    So, if you wanted to reset zone secondaries to 'non secure' manually (through DNS management) how would you do it? Which property/field within the DNS management console is being modified exactly? I thought it was the enable zone transfer check box to start with.

    Thanks again!
  • undomiel Member Posts: 2,818
    It is the same as setting on the Zone Transfers tab to "To any server" or "Only servers listed on the Name Servers tab" for /nonsecure and /securens. /securelist would be like setting on the list instead of the Name Servers tab. You could try adding your computer to the list on the Zone Transfers tab and set it to that and see if it works. Don't forget when you use nslookup that you make sure you set your server to the server that you're wanting to do the zone transfer from.
    Jumping on the IT blogging band wagon -- http://www.jefferyland.com/
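
Added example (not from any poster in this thread): a PowerShell audit that lists each primary zone's transfer setting beside the dnscmd flag and Zone Transfers tab option discussed above, and flags zones left at "To any server". It assumes the DnsServer module (Windows Server 2012 or later) and an elevated session; the function name Get-ZoneTransferAudit and the address 192.0.2.10 are illustrative.

```powershell
# Added example: audit zone-transfer settings on a Windows DNS server.
# Assumption: DnsServer module is installed and the session is elevated.
Import-Module DnsServer

# SecureSecondaries value -> dnscmd /zoneresetsecondaries flag and GUI wording.
$settingMap = @{
    'NoTransfer'               = '/noxfr      (Allow zone transfers unticked)'
    'TransferAnyServer'        = '/nonsecure  (To any server)'
    'TransferToZoneNameServer' = '/securens   (Only to servers listed on the Name Servers tab)'
    'TransferToSecureServers'  = '/securelist (Only to the following servers)'
}

# Hypothetical helper: one row per primary zone with its transfer policy.
function Get-ZoneTransferAudit {
    param([string]$ComputerName = 'localhost')

    Get-DnsServerZone -ComputerName $ComputerName |
        Where-Object { $_.ZoneType -eq 'Primary' -and -not $_.IsAutoCreated } |
        ForEach-Object {
            $setting = [string]$_.SecureSecondaries
            [pscustomobject]@{
                Zone        = $_.ZoneName
                Setting     = $setting
                Equivalent  = $settingMap[$setting]
                Secondaries = ($_.SecondaryServers -join ', ')
                OpenToAll   = ($setting -eq 'TransferAnyServer')
            }
        }
}

$audit = Get-ZoneTransferAudit
$audit | Format-Table -AutoSize

# Zones still at "To any server", e.g. command A was run and command B was not.
$open = $audit | Where-Object OpenToAll
if ($open) {
    Write-Warning ("Zones answering transfers from any host: " + ($open.Zone -join ', '))
    # To restrict one, list only the hosts that need transfers (placeholder address):
    # Set-DnsServerPrimaryZone -Name $open[0].Zone `
    #     -SecureSecondaries TransferToSecureServers -SecondaryServers 192.0.2.10
}
```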