#1
Hi

Our group is creating a private WAN connected over VPN tunnels using Netscreen hardware and software. We are using DNS and W2K as the backbone for our network and resource sharing internally and across the WAN. The network consists of two LANs and a number of remote users who connect to one of the hubs. Currently each LAN has a primary DNS server set up to provide name service within each. In addition we created secondary zones on each LAN to pull the information from the primary on the opposing LAN, therefore allowing users on each side to access resources by name on either LAN.

Lan1 Primary A – Secondary A

Lan2 Primary B – Secondary B

This was functioning reasonably well for a period; however, in order to access high speed connections we changed ISPs and had to reestablish the tunnels. Once this was complete, we found that the secondary on Lan1 re-established the zone connections without problem. The secondary on Lan2 did not. We noticed the following event log errors:

1202 - SceCli – an indication that the trust relationship had been broken

6534 – DNS – no explanations found (NetID, MS support). It seems to be associated with zone information not being received.

The trust failed because the DNS could not identify the trusted network on the other side of the tunnel. After not finding any errors in the configuration of the Lan2 secondary or the Lan1 primary, we recreated the secondary on Lan2. This did not initially work; however, after a few hours the transfer occurred. The information transferred was old, however (secondary index 1666, primary 1749). Over the period of the wait – the Lan1 server indicated successful transfer in the event log, however the Lan2 side showed the 6534 errors.

My questions:

1) The research seemed to suggest that there may be illegal characters in the primary zone of Lan1. What are these illegal characters, and how can we remove them?

2) That the secondary on Lan1 is receiving and updating without problem is mystifying – it suggests that the connectivity across the tunnel is there. What are we missing?

3) Is it likely that the continuing lack of updates will eventually result in the Lan2 secondary expiring? How can we address that (at least short term in the absence of a solution)?

Any thoughts, suggestions, solutions, fixes or workarounds would be appreciated.

Thanks
#2
Well I glanced through your post. Can't find a domain to test. Oh well. One thing that you should know is that you need to raise the value of the SOA serial every time you change the zone information. Otherwise the secondary will never know that it needs to redownload the zone.
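The SOA serial comparison the reply describes, together with the expiry question from the first post, as an added example that is not part of the thread: it compares the two serials quoted in the post (1749 on the primary, 1666 on the secondary) using RFC 1982 serial arithmetic and reports how long the secondary keeps its copy of the zone without a successful refresh. The host names and timer values in the sample SOA records are constructed.

```python
from dataclasses import dataclass

HALF = 1 << 31          # half of the 32-bit SOA serial space (RFC 1982)
MOD = 1 << 32

# Constructed SOA RDATA in the field order dig/nslookup print:
# mname rname serial refresh retry expire minimum
PRIMARY_SOA = "ns1.lan1.example. hostmaster.lan1.example. 1749 900 600 86400 3600"
SECONDARY_SOA = "ns1.lan1.example. hostmaster.lan1.example. 1666 900 600 86400 3600"

@dataclass
class SOA:
    mname: str
    rname: str
    serial: int
    refresh: int
    retry: int
    expire: int
    minimum: int

def parse_soa(rdata: str) -> SOA:
    """Parse the seven whitespace-separated SOA RDATA fields."""
    f = rdata.split()
    if len(f) != 7:
        raise ValueError(f"expected 7 SOA fields, got {len(f)}")
    return SOA(f[0], f[1], *(int(x) for x in f[2:]))

def serial_newer(a: int, b: int) -> bool:
    """True if serial a is newer than b, allowing for 32-bit wraparound."""
    return a != b and (a - b) % MOD < HALF

def secondary_status(primary: SOA, secondary: SOA, secs_since_refresh: int):
    """Return (state, seconds until the secondary's copy expires).

    secs_since_refresh is the time since the secondary last reached the
    primary successfully; the expire timer comes from the secondary's copy.
    """
    remaining = max(0, secondary.expire - secs_since_refresh)
    if remaining == 0:
        return ("expired", 0)            # secondary stops answering for the zone
    if serial_newer(primary.serial, secondary.serial):
        return ("stale", remaining)      # a transfer is due but has not landed
    if primary.serial == secondary.serial:
        return ("in-sync", remaining)
    return ("primary-behind", remaining) # secondary will never ask for a transfer

if __name__ == "__main__":
    p, s = parse_soa(PRIMARY_SOA), parse_soa(SECONDARY_SOA)
    print(secondary_status(p, s, secs_since_refresh=3600))
```
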
Viewing: Dev Shed Forums > System Administration > DNS > Secondary Zone not receiving current information in transfers