I had to write an email about this and so took the trouble to set up a test zone and create screenshots. Figured I might as well put it in a blog post too.
Exhibit A: An AD integrated zone called some.zone.com.
Doesn’t matter that it’s AD integrated or what NS records it holds. I just created an AD integrated zone to simulate our work environment.
Note that this zone doesn’t have zone transfers enabled.
Exhibit B: A regular Windows Server 2012 machine called WIN-SVR01. Not domain joined (just in case anyone points out that could make a difference). It has access to the master server and Name Servers and that’s it. Create a stub zone as usual, pointing it to the master servers (in the screenshot below I point to just one master server).
Exhibit C: And that’s it! As soon as I do the above, the zone loads and I am able to query records in it.
That’s it!
One source of confusion seems to be the Get-DnsServerZone cmdlet. Here’s the cmdlet output once the stub zone has loaded:
```
PS C:\Users\Administrator> Get-DnsServerZone -Name some.zone.com | fl *

MasterServers              : 10.50.0.20
LocalMasters               :
DistinguishedName          :
IsAutoCreated              : False
IsDsIntegrated             : False
IsPaused                   : False
IsReadOnly                 : False
IsReverseLookupZone        : False
IsShutdown                 : False
ZoneName                   : some.zone.com
ZoneType                   : Stub
DirectoryPartitionName     :
LastSuccessfulSoaCheck     : 8/4/2015 9:04:48 AM
LastSuccessfulZoneTransfer : 8/4/2015 9:04:48 AM
LastZoneTransferAttempt    : 8/4/2015 9:04:48 AM
LastZoneTransferResult     : 0
ReplicationScope           : None
ZoneFile                   : some.zone.com.dns
PSComputerName             :
CimClass                   : root/Microsoft/Windows/DNS:DnsServerStubZone
CimInstanceProperties      : {DistinguishedName, IsAutoCreated, IsDsIntegrated, IsPaused...}
CimSystemProperties        : Microsoft.Management.Infrastructure.CimSystemProperties
```
Note the attributes LastZoneTransferAttempt and LastZoneTransferResult – these give the impression a zone transfer is being carried out.
Now watch the same output after I recreated the stub zone but this time I blocked it from accessing the master servers (so the stub zone doesn’t load):
```
PS C:\Users\Administrator> Get-DnsServerZone some.zone.com | fl *

MasterServers              : 10.50.0.20
LocalMasters               :
DistinguishedName          :
IsAutoCreated              : False
IsDsIntegrated             : False
IsPaused                   : False
IsReadOnly                 : False
IsReverseLookupZone        : False
IsShutdown                 : False
ZoneName                   : some.zone.com
ZoneType                   : Stub
DirectoryPartitionName     :
LastSuccessfulSoaCheck     : 8/4/2015 9:09:42 AM
LastSuccessfulZoneTransfer : 8/4/2015 9:09:42 AM
LastZoneTransferAttempt    : 8/4/2015 9:09:42 AM
LastZoneTransferResult     : 1460
ReplicationScope           : None
ZoneFile                   : some.zone.com.dns
PSComputerName             :
CimClass                   : root/Microsoft/Windows/DNS:DnsServerStubZone
CimInstanceProperties      : {DistinguishedName, IsAutoCreated, IsDsIntegrated, IsPaused...}
CimSystemProperties        : Microsoft.Management.Infrastructure.CimSystemProperties
```
Even though the zone hasn’t loaded, LastSuccessfulZoneTransfer gives the impression it has succeeded. LastZoneTransferResult gives an error code though. Best to ignore these attributes for stub zones – as I showed above, stub zones don’t require a zone transfer.