Failed transfer of zone from DNS server. The DNS server aborted or failed to complete transfer of the zone.

J Moat 56 Reputation points
2023-11-08T18:19:26.93+00:00

Hello,

So a little while back, we ended up moving FSMO Roles to new Domain Controllers, and this also included changing the DNS master to our FSMO role holder. Name servers are set up correctly, and zone transfers are allowed only to those servers. We have one Forward Lookup Zone, our most important one, that hasn't been AD integrated yet. It is working correctly; however, I am looking in the DNS logs on most of our servers and I am seeing these errors occasionally throughout the day:

Event ID: 6522

A more recent version, version 130602599 of zone domain.com was found at the DNS server at X.X.X.X. Zone transfer is in progress.

Event ID: 6534
Failed transfer of zone domain.com from DNS server at X.X.X.X. The DNS server at X.X.X.X aborted or failed to complete transfer of the zone. Check the DNS server at X.X.X.X and ensure it is properly functioning and authoritative for zone octanner.com.

or some older domain controllers:

Event ID: 6525

A zone transfer request for the secondary zone domain.com was refused by the master DNS server at X.X.X.X. Check the zone at the master server X.X.X.X to verify that zone transfer is enabled to this server. To do so, use the DNS console, and select master server X.X.X.X as the applicable server, then in secondary zone domain.com Properties, view the settings on the Zone Transfers tab. Based on the settings you choose, make any configuration adjustments there (or possibly in the Name Servers tab) so that a zone transfer can be made to this server.

I've ensured that the new FSMO Role domain controller has the highest serial number (SOA record).

I've checked replication with repadmin /showrepl and repadmin /replsummary and it shows successful. I can force replication to all domain controllers as well with repadmin /syncall /AeD.

If I test DNS, dcdiag /e /v /test:DNS all tests pass.

If I create a DNS record on the master DNS server, I can see that it ends up replicating to all domain controllers around the default 15 minute mark.

I've tried Reloading the zone.

I've also done the following steps:

ipconfig /flushdns
ipconfig /registerdns
net stop dns
net start dns

At first when setting up a new domain controller, I couldn't get it to Transfer from Master Server in the DNS snap-in (so I knew something was wrong), but after forcing a repadmin /syncall /AeD once, it seemed to get everything going, and then no problems after that.

But these events happen randomly throughout the day, and I'm not sure why.


1 answer

  1. Luis Arias 6,061 Reputation points
    2023-11-09T09:08:15.2666667+00:00

    Great information, thanks. Testing is a good point to start (for example moving to another site and removing GC before decommissioning); besides, you can validate the procedure that you did to move the 5 FSMO roles and DNS:

    Due to event IDs 6522/6525, it looks like DNS is still in progress on migration. I have some old self notes about that:

    Could it be that the zone transfer request for the zone was refused by the master DNS server? Try to check the zone at the master server to verify that zone transfer is enabled to this server. To do so, use the DNS console, and select the master server as the applicable server, then in secondary zone x.x.x.in-addr.arpa Properties, view the settings on the Zone Transfers tab. Based on the settings you choose, make any configuration adjustments there (or possibly in the Name Servers tab) so that a zone transfer can be made to this server.

    1 person found this answer helpful.
    0 comments
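The manual checks both the question (comparing the SOA serial on the FSMO role holder against the secondaries, then hunting through the DNS Server logs for 6522/6525/6534) and the answer (verifying the Zone Transfers tab on the master) describe can be run from one PowerShell script. The following is an added example and is not code from the thread or from Microsoft; the zone name 'domain.com' and the server names 'DC-MASTER', 'DC-SEC1' and 'DC-SEC2' are placeholders. It uses the built-in Resolve-DnsName and Get-WinEvent cmdlets plus Get-DnsServerZone from the DnsServer RSAT module, and needs DNS-admin rights on the master and event-log read rights on the secondaries.

```powershell
# Added example (not from the thread): check why a non-AD-integrated secondary zone
# keeps logging 6522 (newer serial seen), 6525 (transfer refused) or 6534 (transfer aborted).
# Placeholders: zone 'domain.com', master 'DC-MASTER', secondaries 'DC-SEC1','DC-SEC2'.
param(
    [string]$ZoneName      = 'domain.com',
    [string]$Master        = 'DC-MASTER',
    [string[]]$Secondaries = @('DC-SEC1', 'DC-SEC2')
)

# 1. SOA serial as each server actually answers it. A secondary whose serial is
#    lower than the master's is the one that logs 6522 and starts a transfer; if the
#    master then refuses or drops it, 6525 or 6534 follows on that same server.
$serials = foreach ($srv in @($Master) + $Secondaries) {
    try {
        $soa = Resolve-DnsName -Name $ZoneName -Type SOA -Server $srv -ErrorAction Stop |
               Where-Object { $_.Type -eq 'SOA' } | Select-Object -First 1
        [pscustomobject]@{ Server = $srv; Serial = $soa.SerialNumber; PrimaryServer = $soa.PrimaryServer; Error = $null }
    } catch {
        [pscustomobject]@{ Server = $srv; Serial = $null; PrimaryServer = $null; Error = $_.Exception.Message }
    }
}
$serials | Format-Table -AutoSize

$masterSerial = ($serials | Where-Object Server -eq $Master).Serial
$serials | Where-Object { $null -ne $_.Serial -and $_.Serial -lt $masterSerial } |
    ForEach-Object { Write-Warning "$($_.Server) is behind the master (serial $($_.Serial) < $masterSerial)" }

# 2. Zone-transfer policy on the master. This is what the 'Zone Transfers' tab writes:
#    NoTransfer, TransferAnyServer, TransferToZoneNameServer or TransferToSecureServers.
#    With TransferToSecureServers every secondary's address must be listed in
#    SecondaryServers, otherwise the master refuses the request (event 6525 on the secondary).
$zone = Get-DnsServerZone -Name $ZoneName -ComputerName $Master
"Master zone-transfer setting for ${ZoneName}: $($zone.SecureSecondaries)"
if ($zone.SecureSecondaries -eq 'NoTransfer') {
    Write-Warning "Zone transfers are disabled on $Master; every secondary will log 6525"
}
if ($zone.SecureSecondaries -eq 'TransferToSecureServers') {
    $allowed = @($zone.SecondaryServers | ForEach-Object { $_.IPAddressToString })
    foreach ($sec in $Secondaries) {
        $ips = @((Resolve-DnsName -Name $sec -Type A -ErrorAction SilentlyContinue).IPAddress)
        $missing = $ips | Where-Object { $_ -notin $allowed }
        if ($missing) {
            Write-Warning "$sec ($($missing -join ', ')) is not in the master's allowed secondaries list"
        }
    }
}

# 3. Transfer-related events from the last 24 hours on each secondary, first line of
#    the message only, so the warnings above can be lined up with the timestamps.
foreach ($sec in $Secondaries) {
    Get-WinEvent -ComputerName $sec -ErrorAction SilentlyContinue -FilterHashtable @{
        LogName   = 'DNS Server'
        Id        = 6522, 6525, 6534
        StartTime = (Get-Date).AddDays(-1)
    } |
    Select-Object MachineName, TimeCreated, Id, @{ n = 'Message'; e = { $_.Message.Split("`n")[0] } } |
    Format-Table -AutoSize
}
```

Run it from an elevated PowerShell session on a machine with the DnsServer module installed, passing the real zone and server names as parameters. A secondary that shows a lower serial than the master together with a 6525 usually means its address is missing from the master's allowed list (or transfers are off); a 6534 with matching policy points at the transfer itself being interrupted, which is worth correlating with firewall or TCP/53 connectivity between that pair of servers.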