I see quite a few 6525 errors in my DNS logs: "A zone transfer request for
the secondary zone _msdcs.xxx.xx was refused by the master DNS server(s)".
The 6525 errors always refer to the secondary _msdsc zone. The _msdcs zone
is an Active Directory Integrated Zone in the root domain and is configured
as a secondary zone on Domain Controllers in the child Domain. The 6525
event is always followed by a succession of 6522 events in the child domains
DNS logs confirming that the _msdcs zone has sub sequentially transferred
successfully.

Reviewing the DNS logs on the root master DNS server, the date & time stamp
of the refused transfers always correlates to a successful transfer to
another Domain Controller in the child domain - event ID 6001: "The DNS
server successfully completed transfer of version xxxx of zone _msdcs to the
DNS server"

I have always assumed that the reason the master refuses the transfer to
another domain controller is because it is handling a request from another
Domain Controller, but I’d like to be able to qualify that – does anyone know
whether or not this is the case?

Thanks for your .

Joe

Hi

do you have allow zone transfer enabled?

check here if it s:
http://www.microsoft.com/technet/sup...odName=Windows
Operating System&ProdVer=5.0&EvtID=6525&EvtSrc=DNS&LCID=1033


--
I hope that the information above s you

Good Luck
Jorge Silva
MCSA
Systems Administrator

"Joe" <Joe@discussions.microsoft.com> wrote in message
news:AD7125A9-3D20-406D-AA28-2C27AFA55548@microsoft.com...
>I see quite a few 6525 errors in my DNS logs: "A zone transfer request for
> the secondary zone _msdcs.xxx.xx was refused by the master DNS server(s)".
> The 6525 errors always refer to the secondary _msdsc zone. The _msdcs
> zone
> is an Active Directory Integrated Zone in the root domain and is
> configured
> as a secondary zone on Domain Controllers in the child Domain. The 6525
> event is always followed by a succession of 6522 events in the child
> domains
> DNS logs confirming that the _msdcs zone has sub sequentially transferred
> successfully.
>
> Reviewing the DNS logs on the root master DNS server, the date & time
> stamp
> of the refused transfers always correlates to a successful transfer to
> another Domain Controller in the child domain - event ID 6001: "The DNS
> server successfully completed transfer of version xxxx of zone _msdcs to
> the
> DNS server"
>
> I have always assumed that the reason the master refuses the transfer to
> another domain controller is because it is handling a request from another
> Domain Controller, but I'd like to be able to qualify that - does anyone
> know
> whether or not this is the case?
>
> Thanks for your .
>
> Joe
>

Joe wrote:
> I see quite a few 6525 errors in my DNS logs: "A zone transfer
> request for the secondary zone _msdcs.xxx.xx was refused by the
> master DNS server(s)". The 6525 errors always refer to the secondary
> _msdsc zone. The _msdcs zone is an Active Directory Integrated Zone
> in the root domain and is configured as a secondary zone on Domain
> Controllers in the child Domain. The 6525 event is always followed
> by a succession of 6522 events in the child domains DNS logs
> confirming that the _msdcs zone has sub sequentially transferred
> successfully.
>
> Reviewing the DNS logs on the root master DNS server, the date & time
> stamp of the refused transfers always correlates to a successful
> transfer to another Domain Controller in the child domain - event ID
> 6001: "The DNS server successfully completed transfer of version xxxx
> of zone _msdcs to the DNS server"
>
> I have always assumed that the reason the master refuses the transfer
> to another domain controller is because it is handling a request from
> another Domain Controller, but I'd like to be able to qualify that -
> does anyone know whether or not this is the case?

Are these all Win2k3 Domain Controllers?
If it is this is strange because by default the _msdcs.forestRoot AD
integrated zones replicate to all DNS servers on Win2k3 DCs in the forest.
Secondary zones are not needed.

--
Best regards,
Kevin D. Goodknecht Sr. [MVP]
Hope This s
===================================
When responding to posts, please "Reply to Group"
via your newsreader so that others may learn and
benefit from your issue, to respond directly to
me remove the nospam. from my email address.
===================================
http://www.lonestaramerica.com/
http://support.wftx.us/
https://secure.lsaol.com/
===================================
Use Outlook Express?... Get OE_Quotefix:
It will strip signature out and more
http://home.in.tum.de/~jain/software/oe-quotefix/
===================================
Keep a back up of your OE settings and folders
with OEBackup:
http://www.oe.com/OEBackup/Default.aspx
===================================

Jorge

There are 2 Domain Controllers in the root and under the Zone Transfer tab
on one of the servers: "Allow zone transfers� is checked and the option to
"To any server" selected. The second Domain Controller did not have this
option checked, however the transfer refused referenced the DNS Server that
had the "Allow zone transfers� checked. Now that both have it checked both I
will monitor this to see what happens.

Kevin

The Domain was originally a W2K Domain and as such the _msdcs folder was
created as an AD integrated zone in the root and then replicated to the
Domain Controllers in the child domain as a secondary zone. We have since
upgraded all are Domain Controllers to Windows 2003. Can we revert from the
current configuration to the W2K3 default?

Thank you both for you comments.

Joe



"Kevin D. Goodknecht Sr. [MVP]" wrote:

> Joe wrote:
> > I see quite a few 6525 errors in my DNS logs: "A zone transfer
> > request for the secondary zone _msdcs.xxx.xx was refused by the
> > master DNS server(s)". The 6525 errors always refer to the secondary
> > _msdsc zone. The _msdcs zone is an Active Directory Integrated Zone
> > in the root domain and is configured as a secondary zone on Domain
> > Controllers in the child Domain. The 6525 event is always followed
> > by a succession of 6522 events in the child domains DNS logs
> > confirming that the _msdcs zone has sub sequentially transferred
> > successfully.
> >
> > Reviewing the DNS logs on the root master DNS server, the date & time
> > stamp of the refused transfers always correlates to a successful
> > transfer to another Domain Controller in the child domain - event ID
> > 6001: "The DNS server successfully completed transfer of version xxxx
> > of zone _msdcs to the DNS server"
> >
> > I have always assumed that the reason the master refuses the transfer
> > to another domain controller is because it is handling a request from
> > another Domain Controller, but I'd like to be able to qualify that -
> > does anyone know whether or not this is the case?
>
> Are these all Win2k3 Domain Controllers?
> If it is this is strange because by default the _msdcs.forestRoot AD
> integrated zones replicate to all DNS servers on Win2k3 DCs in the forest.
> Secondary zones are not needed.
>
> --
> Best regards,
> Kevin D. Goodknecht Sr. [MVP]
> Hope This s
> ===================================
> When responding to posts, please "Reply to Group"
> via your newsreader so that others may learn and
> benefit from your issue, to respond directly to
> me remove the nospam. from my email address.
> ===================================
> http://www.lonestaramerica.com/
> http://support.wftx.us/
> https://secure.lsaol.com/
> ===================================
> Use Outlook Express?... Get OE_Quotefix:
> It will strip signature out and more
> http://home.in.tum.de/~jain/software/oe-quotefix/
> ===================================
> Keep a back up of your OE settings and folders
> with OEBackup:
> http://www.oe.com/OEBackup/Default.aspx
> ===================================
>
>
>

yes, in my opinion you should host the DNS service on Windows 2003, however
there's a couple o differences between Windows 2000 and 2003, check these
links to see how to do it.

How to reconfigure an _msdcs subdomain to a forest-wide DNS application
directory partition when you upgrade from Windows 2000 to Windows Server
2003
http://support.microsoft.com/?id=817470

--
I hope that the information above s you

Good Luck
Jorge Silva
MCSA
Systems Administrator

"Joe" <Joe@discussions.microsoft.com> wrote in message
news:AA7C5B7B-ECBB-46C0-AA3F-83785C80163C@microsoft.com...
> Jorge
>
> There are 2 Domain Controllers in the root and under the Zone Transfer tab
> on one of the servers: "Allow zone transfers" is checked and the option to
> "To any server" selected. The second Domain Controller did not have this
> option checked, however the transfer refused referenced the DNS Server
> that
> had the "Allow zone transfers" checked. Now that both have it checked
> both I
> will monitor this to see what happens.
>
> Kevin
>
> The Domain was originally a W2K Domain and as such the _msdcs folder was
> created as an AD integrated zone in the root and then replicated to the
> Domain Controllers in the child domain as a secondary zone. We have since
> upgraded all are Domain Controllers to Windows 2003. Can we revert from
> the
> current configuration to the W2K3 default?
>
> Thank you both for you comments.
>
> Joe
>
>
>
> "Kevin D. Goodknecht Sr. [MVP]" wrote:
>
>> Joe wrote:
>> > I see quite a few 6525 errors in my DNS logs: "A zone transfer
>> > request for the secondary zone _msdcs.xxx.xx was refused by the
>> > master DNS server(s)". The 6525 errors always refer to the secondary
>> > _msdsc zone. The _msdcs zone is an Active Directory Integrated Zone
>> > in the root domain and is configured as a secondary zone on Domain
>> > Controllers in the child Domain. The 6525 event is always followed
>> > by a succession of 6522 events in the child domains DNS logs
>> > confirming that the _msdcs zone has sub sequentially transferred
>> > successfully.
>> >
>> > Reviewing the DNS logs on the root master DNS server, the date & time
>> > stamp of the refused transfers always correlates to a successful
>> > transfer to another Domain Controller in the child domain - event ID
>> > 6001: "The DNS server successfully completed transfer of version xxxx
>> > of zone _msdcs to the DNS server"
>> >
>> > I have always assumed that the reason the master refuses the transfer
>> > to another domain controller is because it is handling a request from
>> > another Domain Controller, but I'd like to be able to qualify that -
>> > does anyone know whether or not this is the case?
>>
>> Are these all Win2k3 Domain Controllers?
>> If it is this is strange because by default the _msdcs.forestRoot AD
>> integrated zones replicate to all DNS servers on Win2k3 DCs in the
>> forest.
>> Secondary zones are not needed.
>>
>> --
>> Best regards,
>> Kevin D. Goodknecht Sr. [MVP]
>> Hope This s
>> ===================================
>> When responding to posts, please "Reply to Group"
>> via your newsreader so that others may learn and
>> benefit from your issue, to respond directly to
>> me remove the nospam. from my email address.
>> ===================================
>> http://www.lonestaramerica.com/
>> http://support.wftx.us/
>> https://secure.lsaol.com/
>> ===================================
>> Use Outlook Express?... Get OE_Quotefix:
>> It will strip signature out and more
>> http://home.in.tum.de/~jain/software/oe-quotefix/
>> ===================================
>> Keep a back up of your OE settings and folders
>> with OEBackup:
>> http://www.oe.com/OEBackup/Default.aspx
>> ===================================
>>
>>
>>