joe wrote in reply to a posting:

>On the w2k2003 master DNS server, add the IP addresses of the slaves in
>the transfer and notify.
>On the BIND server also have the IP address of the w2k2003 server as the master
>for the zone transfer to the BIND server. Now make a zone change on the
>w2k2003 server and it should notify the BIND server right away. I left
>all IPs (as the default) and ran into some problems myself with no
>zone transfers happening for periods of time. So now I specifically tell
>the Windows DNS servers what IPs are the slaves no matter if they are
>other Windows DNS servers or not (just a little bit better DNS security

In MS W2k DNS there are four options for controlling zone transfers.
These options are per zone; there is no global zone transfer option.

1) No zone transfers.
2) Allow zone transfers to anyone.
3) Allow zone transfers to the name servers in the NS table.
4) Allow zone transfers to specific IP addresses.

I use 3) instead of 4) because I have six BIND slaves with a total of
ten IP addresses. And I did not want to enter each of the 10 IP
addresses for each of the 92 zones on my W2k+3 DNS Server. As I have
mentioned in previous postings, for a zone transfer to be allowed, the

IP-address IN PTR nodename

must be in the W2k DNS cache for the zone transfer to be allowed. If
the PTR record is not in the cache, the MS code will NOT do a DNS query
to locate the information, as that information may come from a
hijacked DNS server. When I have this situation, I run the following:

nslookup IP-address w2k-dns-server

This will ask the W2k DNS Server for the PTR record, and if it does
not have it in its cache, it will retrieve the record from DNS,
just as the DNS protocol states.
Barry S. Finkel
Computing and Information Systems Division
Argonne National Laboratory
9700 South Cass Avenue
Building 222, Room D209
Argonne, IL 60439-4828
Phone: +1 (630) 252-7277
Facsimile: +1 (630) 252-4601
Internet:
IBMMAIL: I1004994
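The check described above, scripted from the BIND slave side, as an added example that is not part of this thread: it asks the W2k server for the PTR of each slave address (so the record lands in the W2k cache), then tries an AXFR of each zone and reports the result. W2K_DNS, SLAVE_IPS and ZONES are placeholder values to be overridden; the success/failure strings are the ones dig prints for AXFR.

```shell
#!/bin/sh
# Added example, not from the original posting. Run on a BIND slave that
# has dig and nslookup. All addresses and zone names below are placeholders.
W2K_DNS="${W2K_DNS:-192.0.2.10}"                    # Windows master (placeholder)
SLAVE_IPS="${SLAVE_IPS:-192.0.2.20 192.0.2.21}"     # this slave's addresses (placeholder)
ZONES="${ZONES:-example.com 2.0.192.in-addr.arpa}"  # zones to verify (placeholder)

# Ask the W2k server itself for the reverse record of one slave address.
# If the PTR is not yet cached, the server resolves and caches it, which is
# what "nslookup IP-address w2k-dns-server" in the posting relies on.
prime_ptr() {
    nslookup "$1" "$W2K_DNS" >/dev/null 2>&1
}

# Classify dig's AXFR output: dig prints ";; XFR size: N records" when the
# transfer completed and "; Transfer failed." when the master refused it.
axfr_status() {
    case "$1" in
        *"Transfer failed"*|*"connection refused"*|*"timed out"*) echo refused ;;
        *"XFR size:"*) echo ok ;;
        *) echo unknown ;;
    esac
}

# Prime the PTR cache for every slave address, then attempt the transfer.
check_zone() {
    zone="$1"
    for ip in $SLAVE_IPS; do prime_ptr "$ip"; done
    out=$(dig @"$W2K_DNS" "$zone" AXFR +time=5 +tries=1 2>&1)
    printf '%s %s\n' "$zone" "$(axfr_status "$out")"
}

# Only touch the network when invoked with --run, e.g. sh check_axfr.sh --run
if [ "${1:-}" = "--run" ]; then
    for z in $ZONES; do check_zone "$z"; done
fi
```

A zone reported as "refused" after priming usually means the slave address is not in the zone's NS table (option 3) or not in its IP list (option 4).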