Men & Mice DNS Server Controller on Windows 2003 and Dynamic Zones
Problem
When you try to open an Active Directory integrated zone, or any other dynamic zone, from a Windows 2003 Server host, Men & Mice Suite gives an error message that indicates that a zone transfer could not be obtained from the address 127.0.0.1.
Windows 2003 Server will not permit zone transfers over the localhost address, 127.0.0.1. (Microsoft has acknowledged this as a bug.) But Men & Mice DNS Server Controller needs to get a zone transfer of a dynamic zone in order to send it to the Management Console, and by default, it requests the transfer using the localhost address.
But why not use the Global Catalog?
Customers have asked why we use a zone transfer instead of getting data out of the Global Catalog, the way Microsoft's own DNS interface apparently does. After all, the DNS service itself gets all Active Directory DNS data out of the Global Catalog, right?
Well, not exactly. The DNS service obtains data via dynamic update, secured (hopefully) by Microsoft's Kerberized version of the dynamic update protocol. (Their security mechanism in this case is called GSS-TSIG, and is entirely incompatible with the more standard, but more cumbersome, TSIG.) Data is then passed between DCs using RPC.
But aside from the fact that errors can occur between what's in the GC and what's actually in the DNS service, there's the issue of non-AD-integrated dynamic zones. In either case, the only reliable way to get the most current version of the zone is via a zone transfer.
Solution
Men & Mice DNS Server Controller can be configured to use an alternate IP interface for the zone transfer request. To do this, the server's administrator must edit a preferences file. On Windows Server 2003, it's usually located at:
C:\Windows\System32\dns\qdns\preferences.cfg
The following line must be added:
Make sure you replace the IP address "1.2.3.4" with the IP address of the server, i.e. the IP address of the Domain Controller you are configuring. Once the file has been edited and saved, restart Men & Mice DNS Server Controller.
Lastly, the server must be configured to permit zone transfers to its own address. Select one or more affected zones in the Management Console's list of DNS Zones, then select the Options menu item from either the Zone menu or the contextual (right-click) menu. Set the options to enable transfers "Only to the following servers:" and enter the IP address of the server itself in the edit field. The result should look something like:
[Screenshot: change_axfr_w2k3.jpg]
You should now be able to open dynamic zones from your server in the Management Console.
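To confirm the result independently of the Management Console, the check below (an added example, not Men & Mice code) sends an AXFR request over TCP to the loopback address and to the server's own address and reports how each one answers. Run it on the DNS server itself; the zone name example.com, the address 1.2.3.4 and all function names are placeholders chosen for this example.

```python
import socket
import struct

REFUSED = 5  # DNS RCODE sent when the server's policy denies the request

def build_axfr_query(zone, msg_id=0x4D4D):
    """Encode an AXFR question (QTYPE 252, class IN) with the 2-byte TCP length prefix."""
    header = struct.pack("!HHHHHH", msg_id, 0, 1, 0, 0, 0)
    labels = zone.rstrip(".").split(".")
    qname = b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"
    msg = header + qname + struct.pack("!HH", 252, 1)
    return struct.pack("!H", len(msg)) + msg

def classify_response(message):
    """Interpret the header of the first DNS message in the reply (length prefix removed)."""
    if len(message) < 12:
        return "malformed"
    _id, flags, _qd, ancount, _ns, _ar = struct.unpack("!HHHHHH", message[:12])
    rcode = flags & 0x000F
    if rcode == 0 and ancount > 0:
        return "transfer permitted"
    if rcode == REFUSED:
        return "refused"
    return f"not transferred (rcode {rcode}, {ancount} answers)"

def _recv_exact(sock, n):
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise ConnectionError("server closed the connection")
        buf += chunk
    return buf

def check_axfr(server_ip, zone, timeout=5.0):
    """Request a zone transfer from server_ip and describe the outcome."""
    try:
        with socket.create_connection((server_ip, 53), timeout=timeout) as s:
            s.sendall(build_axfr_query(zone))
            (length,) = struct.unpack("!H", _recv_exact(s, 2))
            return classify_response(_recv_exact(s, length))
    except OSError as exc:  # timeouts and dropped connections land here
        return f"no answer ({exc})"

if __name__ == "__main__":
    # Placeholders: use the server's real address and one of your dynamic zones.
    for addr in ("127.0.0.1", "1.2.3.4"):
        print(addr, "->", check_axfr(addr, "example.com"))
```

With the transfer list set as described, the server's own address should report "transfer permitted"; running the same check from a host that is not on the list should not.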

