Affected versions: Windows Server 2022


Table of contents
  1. Symptom & Impact
  2. Environment & Reproduction
  3. Root Cause Analysis
  4. Quick Triage
  5. Step-by-Step Diagnosis
  6. Solution: Primary Fix
  7. Solution: Alternative Approaches
  8. Verification & Acceptance Criteria
  9. Rollback Plan
  10. Prevention & Hardening
  11. Related Errors & Cross-Refs
  12. References & Further Reading

Symptom & Impact

Secondary DNS servers stop updating zones, causing stale records and resolution drift.

Environment & Reproduction

Windows Server 2022 build 20348 primary DNS with restricted zone transfer ACLs.

Get-DnsServerSecondaryZone
Get-DnsServerZone -Name contoso.local | Select ZoneName,ZoneType
Resolve-DnsName dc01.contoso.local -Type SOA

Root Cause Analysis

Zone transfer is disabled or secondary server IP is missing from allowed transfer list.

Quick Triage

Check SOA serial mismatch and transfer eligibility.

Get-DnsServerZoneTransferPolicy
Get-DnsServerResourceRecord -ZoneName contoso.local -RRType SOA

Step-by-Step Diagnosis

Validate transfer settings and network ACL path between primary and secondary.

Get-DnsServerZone -Name contoso.local | Select ZoneName,IsDsIntegrated,SecureSecondaries
# Replace the placeholder with the secondary server's name or IP (the value is not given in this article)
Test-NetConnection -ComputerName '<secondary-server>' -Port 53
Get-WinEvent -LogName 'DNS Server' -MaxEvents 60

Solution: Primary Fix

Allow transfers to named secondaries and trigger refresh.


# On the primary: allow transfers only to the listed secondaries (replace the placeholder with the secondary's IP)
Set-DnsServerPrimaryZone -Name contoso.local -SecureSecondaries TransferToSecureServers -SecondaryServers '<secondary-ip>'
# On the secondary: point the zone at the primary
Set-DnsServerSecondaryZone -Name contoso.local -MasterServers 10.0.0.10
# Trigger an immediate transfer on the secondary (replace the placeholder with the secondary's name or IP)
Invoke-DnsServerZoneTransfer -Name contoso.local -ComputerName '<secondary-server>'

Solution: Alternative Approaches

For AD-integrated zones, use replication scope instead of classic secondary transfers.

Set-DnsServerPrimaryZone -Name contoso.local -ReplicationScope Forest
repadmin /syncall /AdeP

Verification & Acceptance Criteria

SOA serial on secondary should match primary after transfer.

# Query the primary (10.0.0.10) and the secondary (placeholder) and compare the SOA serial numbers
Resolve-DnsName contoso.local -Server 10.0.0.10 -Type SOA
Resolve-DnsName contoso.local -Server '<secondary-server>' -Type SOA
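The diagnosis and verification steps above boil down to two questions per secondary: is its SOA serial in sync with the primary, and is it actually on the primary's allowed transfer list? The following script, added here as an example and not part of the original article, answers both for every zone in a list; the primary 10.0.0.10 comes from the article, while the secondary IPs and the zone list are assumptions you should replace.

```powershell
# Added example: compare SOA serials primary vs. secondary and check the transfer ACL.
# 10.0.0.10 is the primary named in the article; the secondary IPs are assumed values.
$Primary     = '10.0.0.10'
$Secondaries = @('10.0.0.20', '10.0.0.21')   # assumed; replace with your secondaries
$Zones       = @('contoso.local')

function Get-SoaSerial($Zone, $Server) {
    # -DnsOnly bypasses the local cache and hosts file so we see the server's own answer
    $soa = Resolve-DnsName $Zone -Server $Server -Type SOA -DnsOnly -ErrorAction Stop |
           Where-Object { $_.Type -eq 'SOA' }
    return $soa.SerialNumber
}

foreach ($zone in $Zones) {
    # Transfer ACL as configured on the primary (SecureSecondaries mode + SecondaryServers list)
    $z = Get-DnsServerPrimaryZone -Name $zone -ComputerName $Primary
    $primarySerial = Get-SoaSerial $zone $Primary

    foreach ($sec in $Secondaries) {
        $allowed = switch ($z.SecureSecondaries) {
            'NoTransfer'               { $false }
            'TransferAnyServer'        { $true }
            'TransferToZoneNameServer' { $null }   # depends on the zone's NS records; check manually
            'TransferToSecureServers'  { $z.SecondaryServers.IPAddressToString -contains $sec }
        }
        try   { $secSerial = Get-SoaSerial $zone $sec }
        catch { $secSerial = $null }                # secondary unreachable or zone not loaded

        [pscustomobject]@{
            Zone              = $zone
            Secondary         = $sec
            PrimarySerial     = $primarySerial
            SecondarySerial   = $secSerial
            SerialInSync      = ($null -ne $secSerial -and $secSerial -eq $primarySerial)
            TransferAllowed   = $allowed
            SecureSecondaries = $z.SecureSecondaries
        }
    }
}
```

A row with SerialInSync false and TransferAllowed false points straight at the root cause described above; SerialInSync false with TransferAllowed true means the ACL is fine and the network path or the secondary's master setting needs attention instead.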

Rollback Plan

Reinstate previous secure secondary setting if transfer exposure risk rises.

Set-DnsServerPrimaryZone -Name contoso.local -SecureSecondaries NoTransfer

Prevention & Hardening

Limit transfers to known secondaries and audit transfer attempts.

# Enable debug logging for TCP traffic (zone transfers run over TCP), including queries/transfers and notifies
Set-DnsServerDiagnostics -EnableLoggingToFile $true -TcpPackets $true -ReceivePackets $true -SendPackets $true -Queries $true -Notifications $true
Get-WinEvent -LogName 'DNS Server' -MaxEvents 30

Related Errors & Cross-Refs

Related to firewall port 53 filtering and stale glue records.


References & Further Reading

Microsoft Learn guidance on DNS zone transfer security and AD-integrated design.
