Affected versions: Windows Server 2022


Table of contents
  1. Symptom & Impact
  2. Environment & Reproduction
  3. Root Cause Analysis
  4. Quick Triage
  5. Step-by-Step Diagnosis
  6. Solution – Primary Fix
  7. Solution – Alternative Approaches
  8. Verification & Acceptance Criteria
  9. Rollback Plan
  10. Prevention & Hardening
  11. Related Errors & Cross-Refs
  12. References & Further Reading

Symptom & Impact

Secondary DNS servers serve stale records, causing intermittent routing and service discovery failures.

Environment & Reproduction

Occurs where primary-secondary DNS replication relies on AXFR/IXFR.

Get-DnsServerZone -Name corp.local
Get-DnsServerZoneTransferPolicy
Resolve-DnsName app.corp.local -Server secondary01

Root Cause Analysis

Transfer ACLs, notification targets, or firewall controls commonly block incremental updates.

Quick Triage

Check transfer permissions and notification scope.

# Which secondaries may pull the zone (NoTransfer / TransferAnyServer / TransferToZoneNameServer / TransferToSecureServers)
Get-DnsServerPrimaryZone -Name corp.local | Select-Object ZoneName,SecureSecondaries
# Zone apex SOA, including the serial the secondaries must catch up to ("@" must be quoted)
Get-DnsServerResourceRecord -ZoneName corp.local -Name "@" -RRType SOA
# Log name contains a space, so it must be quoted
Get-WinEvent -LogName "DNS Server" -MaxEvents 20

Step-by-Step Diagnosis

Validate NS/SOA correctness and connectivity from secondaries.

Get-DnsServerResourceRecord -ZoneName corp.local -RRType NS
Test-NetConnection primary01 -Port 53
Resolve-DnsName corp.local -Type SOA -Server primary01

Solution – Primary Fix

Allow approved secondaries and force notify/transfer.


# Restrict transfers to an explicit allowlist, then define that allowlist
Set-DnsServerPrimaryZone -Name corp.local -SecureSecondaries TransferToSecureServers
Set-DnsServerPrimaryZone -Name corp.local -SecondaryServers 10.0.0.21,10.0.0.22
# The transfer is pulled by the secondary, so target the secondary, not the primary
# (add -FullTransfer to force an AXFR instead of an IXFR)
Invoke-DnsServerZoneTransfer -Name corp.local -ComputerName secondary01

Solution – Alternative Approaches

Use AD-integrated zones where possible to avoid standalone transfer fragility.

Set-DnsServerPrimaryZone -Name corp.local -ReplicationScope Domain
Restart-Service DNS

Verification & Acceptance Criteria

SOA serial and key records match between primary and secondaries.

Resolve-DnsName corp.local -Type SOA -Server primary01
Resolve-DnsName corp.local -Type SOA -Server secondary01
Resolve-DnsName app.corp.local -Server secondary01

Rollback Plan

Restore previous zone transfer ACLs and server lists if sync behavior worsens.

Set-DnsServerPrimaryZone -Name corp.local -SecureSecondaries NoTransfer
Restart-Service DNS

Prevention & Hardening

Document secondary IP allowlists and monitor serial drift alerts.

Get-DnsServerPrimaryZone -Name corp.local | Export-Clixml zone-transfer-baseline.xml
Get-WinEvent -LogName "DNS Server" -MaxEvents 50
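The serial-drift check described in the Verification and Prevention sections, as an added example that is not part of the original article: it queries the SOA serial from the primary and each secondary, compares a set of key A records, and emits one row per secondary so a scheduled task can alert on any mismatch. Server names, the zone and the record names are assumptions for illustration.

```powershell
# Added example, not from the original article. Compares SOA serials and key
# records between the primary and each secondary; any row with SerialMatch
# = False or a non-empty RecordMismatch is a drift alert. Names are assumed.
function Test-DnsZoneSerialDrift {
    param(
        [string]$Zone = 'corp.local',
        [string]$Primary = 'primary01',
        [string[]]$Secondaries = @('secondary01', 'secondary02'),
        [string[]]$KeyRecords = @('app.corp.local', 'mail.corp.local')
    )
    # Resolve-DnsName may return additional records; keep only the SOA itself
    $primarySoa = Resolve-DnsName -Name $Zone -Type SOA -Server $Primary -ErrorAction Stop |
        Where-Object { $_.Type -eq 'SOA' }

    foreach ($srv in $Secondaries) {
        $row = [ordered]@{ Secondary = $srv; PrimarySerial = $primarySoa.SerialNumber }
        try {
            $soa = Resolve-DnsName -Name $Zone -Type SOA -Server $srv -ErrorAction Stop |
                Where-Object { $_.Type -eq 'SOA' }
            $row.SecondarySerial = $soa.SerialNumber
            $row.SerialMatch     = ($soa.SerialNumber -eq $primarySoa.SerialNumber)

            # Matching serials with differing answers still mean a stale or
            # partially applied transfer, so compare the key records too.
            # Sort addresses so round-robin ordering does not cause false alerts.
            $mismatch = foreach ($rec in $KeyRecords) {
                $p = (Resolve-DnsName $rec -Type A -Server $Primary -ErrorAction SilentlyContinue).IPAddress
                $s = (Resolve-DnsName $rec -Type A -Server $srv -ErrorAction SilentlyContinue).IPAddress
                if ((($p | Sort-Object) -join ',') -ne (($s | Sort-Object) -join ',')) { $rec }
            }
            $row.RecordMismatch = ($mismatch -join ';')
        } catch {
            # A secondary that cannot answer at all is reported, not skipped
            $row.SecondarySerial = $null
            $row.SerialMatch     = $false
            $row.RecordMismatch  = "query failed: $($_.Exception.Message)"
        }
        [pscustomobject]$row
    }
}

# Run from a scheduled task and alert on any SerialMatch = False row
Test-DnsZoneSerialDrift | Format-Table -AutoSize
```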

Related Errors & Cross-Refs

Can coincide with stale NS records, packet filtering, and wrong interface binding on the DNS service.


References & Further Reading

Microsoft Learn: DNS zone transfer security and AD-integrated zone operations.
