Headache Prevention: Install Hotfix 953317 to Prevent DNS Records from Disappearing from Secondary DNS Zones on Windows Server 2008 SP1

Craig here. We’ve had some nasty cases related to this bug, so it seemed prudent to do our best to increase the awareness of this issue. In a nutshell, the DNS Server service in Windows Server 2008 has a bug that can result in a large number of DNS records disappearing. When those records go missing, you will start seeing problems with anything that depends on name resolution, which in an Active Directory environment is pretty much everything. Note this hotfix only applies to standard secondary zones. Active Directory-integrated zones are not affected by this issue because they use AD replication, not zone transfers, to stay synchronized.

For this reason, we recommend that you take a look at the following KB article and consider applying the hotfix to your environment.

953317 A primary DNS zone file may not transfer to the secondary DNS servers in Windows Server 2008
https://support.microsoft.com/kb/953317

If you are hitting this issue, you may see the following event logged:

Event Type: Error
Event Source: DNS
Event Category: None
Event ID: 6527
Date: 8/21/2008
Time: 3:20:34 PM
User: N/A
Computer: Server01.contoso.com
Description: Zone contoso.com expired before it could obtain a successful zone transfer or update from a master server acting as its source for the zone. The zone has been shut down.

The problem is specific to Windows Server 2008 SP1 (meaning the original release of Windows Server 2008). The 953317 hotfix version of DNS.EXE is 6.0.6001.22218. The problem may occur both on secondary DNS servers that were upgraded from Windows Server 2003 and on new installs of Windows Server 2008. For this issue to reproduce, a master server must receive enough changes that it cannot service an IXFR request, and so responds to the IXFR with a full AXFR.

What you will see is that most of the records in the DNS zone will appear to have disappeared, expired, or been deleted. The zone itself continues to exist but virtually all records in the zone are deleted except for the Start of Authority (SOA) records. Often a handful of host “A” records will also remain present in the zone.

Because DNS servers affected by this condition continue to host a copy of the zone, they will continue to respond to queries from clients. The typical response returned by a DNS server whose zone contents have been deleted is that the queried record does not exist in the zone (this assumes that the DNS server role is otherwise functional). Windows clients will continue to direct queries to these responsive DNS servers instead of failing over to an alternate DNS server that hosts a complete copy of the zone.
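One way to check secondaries for the condition described above from an administrative workstation, as an added example that is not part of the original post: the server names are placeholders, and the checks assume the MicrosoftDNS WMI provider, the 'DNS Server' event log and the admin$ share on each server are reachable.

```powershell
# Added example (not from the original post): compare each secondary's copy of the
# zone against the master and look for the symptoms described in the post.
# Assumes: run as a domain admin from a workstation with WMI and admin$ access
# to the servers; $Master and $Secondaries are placeholder host names.
$Zone        = 'contoso.com'
$Master      = 'dns-master01'            # placeholder
$Secondaries = 'dns-sec01','dns-sec02'   # placeholders
$FixedBuild  = New-Object Version 6, 0, 6001, 22218   # DNS.EXE version shipped in KB 953317

function Get-ZoneState($Server) {
    # The MicrosoftDNS WMI provider is present on Windows Server 2003/2008 DNS servers.
    $rrs = Get-WmiObject -ComputerName $Server -Namespace 'root\MicrosoftDNS' `
        -Class MicrosoftDNS_ResourceRecord -Filter "ContainerName='$Zone'"
    $soa = Get-WmiObject -ComputerName $Server -Namespace 'root\MicrosoftDNS' `
        -Class MicrosoftDNS_SOAType -Filter "ContainerName='$Zone'"
    # Event 6527 (zone expired before a successful transfer) is written to the 'DNS Server' log.
    $expired = Get-WinEvent -ComputerName $Server -ErrorAction SilentlyContinue -FilterHashtable @{
        LogName = 'DNS Server'; Id = 6527; StartTime = (Get-Date).AddDays(-1) }
    # Read the installed DNS.EXE version over the admin$ share.
    $fv = (Get-Item "\\$Server\admin`$\system32\dns.exe").VersionInfo
    $dnsVer = New-Object Version $fv.FileMajorPart, $fv.FileMinorPart, $fv.FileBuildPart, $fv.FilePrivatePart
    New-Object PSObject -Property @{
        Server      = $Server
        Records     = @($rrs).Count
        Serial      = $soa.SerialNumber
        Expired6527 = @($expired).Count
        DnsExe      = $dnsVer
        Hotfixed    = ($dnsVer -ge $FixedBuild)   # at or above the 953317 build
    }
}

$ref = Get-ZoneState $Master
foreach ($s in $Secondaries) {
    $st   = Get-ZoneState $s
    $warn = @()
    # A healthy secondary carries (nearly) the master's record count at the same serial.
    if ($st.Records -lt ($ref.Records * 0.9)) { $warn += "only $($st.Records)/$($ref.Records) records" }
    if ($st.Serial -ne $ref.Serial)            { $warn += "serial $($st.Serial) != master $($ref.Serial)" }
    if ($st.Expired6527 -gt 0)                 { $warn += "$($st.Expired6527) x event 6527 in last 24h" }
    if (-not $st.Hotfixed)                     { $warn += "DNS.EXE $($st.DnsExe) lacks 953317" }
    if ($warn.Count) { Write-Warning ("{0}: {1}" -f $s, ($warn -join '; ')) }
    else             { Write-Output  ("{0}: OK ({1} records, serial {2})" -f $s, $st.Records, $st.Serial) }
}
```

The 90% record-count threshold is a constructed heuristic; a secondary hit by this bug typically retains only the SOA and a handful of A records, so it falls far below it.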

Keywords: Windows Server 2008 secondary master primary zone transfer zone axfr ixfr incremental zone transfer full zone transfer delete deleted disappear disappeared missing expired expire

- Craig Landis