Affected versions: Windows Server 2019


Table of contents
  1. Symptom & Impact
  2. Environment & Reproduction
  3. Root Cause Analysis
  4. Quick Triage
  5. Step-by-Step Diagnosis
  6. Solution — Primary Fix
  7. Solution — Alternative Approaches
  8. Verification & Acceptance Criteria
  9. Rollback Plan
  10. Prevention & Hardening
  11. Related Errors & Cross-Refs
  12. References & Further Reading

Symptom & Impact

Secondary DNS servers stop receiving zone updates from the primary, so clients that query a secondary resolve stale records; changes made on the primary never appear on the secondary, and its SOA serial falls behind.

Environment & Reproduction

File-backed primary zone on Windows Server 2019 (dns01, 10.0.0.10) with restrictive transfer settings; a file-backed secondary on dns02 (10.0.0.20) pulls the zone from it. Inspect the transfer policy and the secondary list on the primary:

Get-DnsServerZone -Name contoso.local | Select ZoneName,ZoneType,SecureSecondaries,SecondaryServers,Notify,NotifyServers

Root Cause Analysis

Zone transfers on the primary are set to NoTransfer, or SecureSecondaries is TransferToSecureServers but the secondary's IP address is missing from the zone's SecondaryServers list (with TransferToZoneNameServer, the secondary is missing an NS record). In every case the primary answers the secondary's AXFR/IXFR request with REFUSED, the secondary keeps serving its last good copy until the SOA expire interval elapses, and the refusal is logged in the DNS Server event log on the secondary.

Quick Triage

Check SOA serial mismatch between primary and secondary servers.

Resolve-DnsName contoso.local -Server 10.0.0.10 -Type SOA
Resolve-DnsName contoso.local -Server 10.0.0.20 -Type SOA

Step-by-Step Diagnosis

Validate the transfer settings on the primary and the network path from the secondary to the primary. Zone transfers (AXFR/IXFR) run over TCP 53, so an ACL that permits only UDP 53 leaves ordinary lookups working while transfers fail; run the connection test from the secondary, which is the side that initiates the transfer.

Test-NetConnection 10.0.0.10 -Port 53
Get-WinEvent -FilterHashtable @{LogName='DNS Server'; Level=2,3} -MaxEvents 80
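The triage and diagnosis steps above, combined into one script. This is an added example, not code from the original page: it runs on the secondary (the side that must reach the primary on TCP 53 and be authorised by it), compares the SOA serial each server returns, checks TCP 53 reachability, reads the primary's transfer policy remotely, and pulls recent DNS Server errors that mention the zone. The zone name, the addresses 10.0.0.10/10.0.0.20 and the helper Get-SoaSerial are hypothetical lab values; Get-DnsServerZone -ComputerName needs WinRM/CIM access to the primary.

```powershell
# Added example (not from the original page). Run on the SECONDARY (dns02).
# Hypothetical values: zone contoso.local, primary 10.0.0.10, secondary 10.0.0.20.
param(
    [string]$Zone      = 'contoso.local',
    [string]$Primary   = '10.0.0.10',
    [string]$Secondary = '10.0.0.20'
)

# 1. SOA serial as each server answers it; a lagging secondary serial is the symptom.
function Get-SoaSerial([string]$Name, [string]$Server) {
    $rec = Resolve-DnsName -Name $Name -Type SOA -Server $Server -DnsOnly -ErrorAction SilentlyContinue |
           Where-Object { $_.Type -eq 'SOA' } | Select-Object -First 1
    if ($rec) { $rec.SerialNumber } else { $null }
}
$serialPrimary   = Get-SoaSerial $Zone $Primary
$serialSecondary = Get-SoaSerial $Zone $Secondary

# 2. AXFR/IXFR use TCP 53. An ACL that only allows UDP 53 breaks transfers
#    while normal lookups keep working, so test TCP explicitly.
$tcp53 = Test-NetConnection -ComputerName $Primary -Port 53 -InformationLevel Quiet -WarningAction SilentlyContinue

# 3. Transfer policy on the primary, and whether THIS secondary is covered by it.
$cfg     = Get-DnsServerZone -Name $Zone -ComputerName $Primary
$listed  = @($cfg.SecondaryServers | ForEach-Object { $_.IPAddressToString })
$nsHosts = @(Resolve-DnsName -Name $Zone -Type NS -Server $Primary -DnsOnly -ErrorAction SilentlyContinue |
             Where-Object { $_.Type -eq 'NS' } | ForEach-Object { $_.NameHost })
$allowed = switch ($cfg.SecureSecondaries) {
    'NoTransfer'               { $false }
    'TransferAnyServer'        { $true }    # transfers work, but anyone can dump the zone
    'TransferToZoneNameServer' {            # requester must be the address of an NS record
        $nsIps = $nsHosts | ForEach-Object {
            (Resolve-DnsName -Name $_ -Type A -Server $Primary -DnsOnly -ErrorAction SilentlyContinue).IPAddress
        }
        $nsIps -contains $Secondary
    }
    'TransferToSecureServers'  { $listed -contains $Secondary }
}

# 4. Recent error/warning events on this secondary that mention the zone.
$events = Get-WinEvent -FilterHashtable @{ LogName = 'DNS Server'; Level = 2, 3 } -MaxEvents 200 -ErrorAction SilentlyContinue |
          Where-Object { $_.Message -like "*$Zone*" } |
          Select-Object -First 5 -Property TimeCreated, Id, Message

# Order matters: a blocked path masks a policy problem, and a policy problem masks staleness.
$verdict = if (-not $tcp53)                             { 'Network: TCP 53 to the primary is blocked' }
           elseif (-not $allowed)                       { "Policy: SecureSecondaries=$($cfg.SecureSecondaries) does not permit $Secondary" }
           elseif ($serialPrimary -ne $serialSecondary) { 'Permitted but stale: trigger a transfer and check Notify settings' }
           else                                         { 'Healthy: serials match and transfer is permitted' }

[pscustomobject]@{
    Zone              = $Zone
    PrimarySerial     = $serialPrimary
    SecondarySerial   = $serialSecondary
    Tcp53Reachable    = $tcp53
    TransferSetting   = $cfg.SecureSecondaries
    ListedSecondaries = ($listed -join ', ')
    SecondaryAllowed  = $allowed
    Verdict           = $verdict
}
$events | Format-Table -AutoSize
```

The verdict is ordered deliberately: a closed TCP path produces the same stale-serial symptom as a policy refusal, so the script rules out the network first, then authorisation, and only then reports staleness as something a manual transfer should clear.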

Solution — Primary Fix

Allow transfers only to the explicitly listed secondaries, have the primary send NOTIFY to the same hosts so they pull changes promptly instead of waiting for the SOA refresh interval, then trigger a zone transfer on the secondary.


Set-DnsServerPrimaryZone -Name contoso.local -SecureSecondaries TransferToSecureServers -SecondaryServers 10.0.0.20 -Notify NotifyServers -NotifyServers 10.0.0.20
Invoke-DnsServerZoneTransfer -Name contoso.local -ComputerName dns02.contoso.local -FullTransfer

Solution — Alternative Approaches

If both servers are domain controllers running the DNS role, store the zone in Active Directory and let AD replication carry it instead of a secondary zone transfer. Set the replication scope on the primary, remove the file-backed secondary zone from dns02 so it loads the AD-integrated copy, and force replication. Zone transfer settings still matter afterwards for any non-DC secondaries, so keep SecureSecondaries restrictive.

Set-DnsServerPrimaryZone -Name contoso.local -ReplicationScope Forest
Remove-DnsServerZone -Name contoso.local -ComputerName dns02.contoso.local -Force
repadmin /syncall /AdeP

Verification & Acceptance Criteria

The SOA serial returned by the secondary matches the primary's, a record changed on the primary appears on the secondary after the next transfer or NOTIFY, and no new transfer refusal events are written to the DNS Server log on the secondary.

Resolve-DnsName contoso.local -Server dns02.contoso.local -Type SOA

Rollback Plan

If the change exposes the zone more widely than intended (for example, the wrong address ended up in the secondary list), disable transfers again. NoTransfer re-blocks the secondary as well, so it will go stale again; use this only until the correct secondary list is known.

Set-DnsServerPrimaryZone -Name contoso.local -SecureSecondaries NoTransfer

Prevention & Hardening

Restrict transfers to an explicit secondary list (TransferToSecureServers plus SecondaryServers); never use TransferAnyServer, and avoid TransferToZoneNameServer, since NS records are public and any host able to place itself behind one can pull the zone. Audit transfer requests by enabling the DNS debug log for TCP packets, which is the transport AXFR/IXFR use; the log file then records who requested the zone and whether the primary answered it.

Set-DnsServerDiagnostics -EnableLoggingToFile $true -LogFilePath 'C:\DNSLogs\dns.log' -Queries $true -Answers $true -ReceivePackets $true -SendPackets $true -TcpPackets $true
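A periodic audit of the setting above across every primary zone on a server, as an added example that is not code from the original page. It grades each zone's SecureSecondaries value, flags listed secondaries that are not in the trusted set, and shows (or with -Remediate applies) the lock-down to TransferToSecureServers with matching NOTIFY targets. The server name dns01.contoso.local and the trusted secondary 10.0.0.20 are hypothetical lab values.

```powershell
# Added example (not from the original page). Hypothetical values: server
# dns01.contoso.local, trusted secondary 10.0.0.20. Dry-run unless -Remediate.
param(
    [string]   $Server             = 'dns01.contoso.local',
    [string[]] $TrustedSecondaries = @('10.0.0.20'),
    [switch]   $Remediate
)

# Auto-created zones (e.g. 0.in-addr.arpa) are not transferable and only add noise.
$zones = Get-DnsServerZone -ComputerName $Server |
         Where-Object { $_.ZoneType -eq 'Primary' -and -not $_.IsAutoCreated }

foreach ($z in $zones) {
    $listed  = @($z.SecondaryServers | ForEach-Object { $_.IPAddressToString })
    $unknown = @($listed | Where-Object { $_ -notin $TrustedSecondaries })

    $finding = switch ($z.SecureSecondaries) {
        'TransferAnyServer'        { 'HIGH: any client can AXFR the whole zone' }
        'TransferToZoneNameServer' { 'MEDIUM: any address behind an NS record may transfer; NS records are public' }
        'TransferToSecureServers'  {
            if ($unknown) { "MEDIUM: unlisted secondaries $($unknown -join ', ')" } else { 'OK' }
        }
        'NoTransfer'               {
            if ($z.IsDsIntegrated) { 'OK: AD replication only' } else { 'INFO: no transfers; any file-backed secondary will go stale' }
        }
    }

    [pscustomobject]@{
        Zone         = $z.ZoneName
        ADIntegrated = $z.IsDsIntegrated
        Setting      = $z.SecureSecondaries
        Secondaries  = ($listed -join ', ')
        Finding      = $finding
    }

    # Lock down zones that allow transfers more widely than the trusted list.
    # NoTransfer zones are left alone: that is a deliberate choice, not a leak.
    $tooOpen = $z.SecureSecondaries -in 'TransferAnyServer', 'TransferToZoneNameServer'
    if ($tooOpen -or ($z.SecureSecondaries -eq 'TransferToSecureServers' -and $unknown)) {
        Set-DnsServerPrimaryZone -ComputerName $Server -Name $z.ZoneName `
            -SecureSecondaries TransferToSecureServers -SecondaryServers $TrustedSecondaries `
            -Notify NotifyServers -NotifyServers $TrustedSecondaries `
            -WhatIf:(-not $Remediate)
    }
}
```

Run it without -Remediate first: the -WhatIf output lists exactly which zones would be changed, which is the review step that prevents accidentally cutting off a legitimate secondary that was never added to the trusted list.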

Related Errors & Cross-Refs

Two other faults produce the same stale-secondary symptom: stale NS or glue records for the secondary (under TransferToZoneNameServer the primary refuses a requester whose address no longer matches an NS record), and firewall ACLs that allow UDP 53 but not TCP 53, which leaves lookups working while AXFR/IXFR fails.


References & Further Reading

Microsoft Learn: DNS zone transfer security and AD-integrated DNS design.
