So my hjo.se zone has refreshed the RRSIGs on primary, and it is now inconsistent on the secondary. Please have a look at the zone quickly as I will need to force a refresh tomorrow (before it is noticed...).
PS C:\> Get-DnsServerSigningKey -ZoneName hjo.se | fl *
KeyId : 54fc417e-9601-405f-9a45-0e2af05c2a6c
IsRolloverEnabled : True
ActiveKey : Microsoft Software Key Storage Provider;10 f2 4a 5f 6d 4f 9c b7 4a b4
CryptoAlgorithm : RsaSha256
CurrentRolloverStatus : NotRolling
CurrentState : Active
DnsKeySignatureValidityPeriod : 30.00:00:00
DSSignatureValidityPeriod : 7.00:00:00
InitialRolloverOffset : 00:00:00
KeyLength : 4096
KeyStorageProvider : Microsoft Software Key Storage Provider
KeyType : KeySigningKey
LastRolloverTime :
NextKey :
NextRolloverAction : Normal
NextRolloverTime : 2018-06-08 09:53:44
RolloverPeriod : 1820.00:00:00
RolloverType : DoubleSignature
StandbyKey : Microsoft Software Key Storage Provider;1d 4d a8 b4 d8 d2 ef 96 42 1f
StoreKeysInAD : False
ZoneName : hjo.se
ZoneSignatureValidityPeriod : 10.00:00:00
PSComputerName :
CimClass : root/Microsoft/Windows/DNS:DnsServerSigningKey
CimInstanceProperties : {ActiveKey, CryptoAlgorithm, CurrentRolloverStatus, CurrentState...}
CimSystemProperties : Microsoft.Management.Infrastructure.CimSystemProperties
KeyId : 8ac74cf6-bb21-4f07-ae40-981d7ccb8c6f
IsRolloverEnabled : True
ActiveKey : Microsoft Software Key Storage Provider;3f 48 6e 90 c8 55 b1 b4 4d ef
CryptoAlgorithm : RsaSha256
CurrentRolloverStatus : NotRolling
CurrentState : Active
DnsKeySignatureValidityPeriod : 30.00:00:00
DSSignatureValidityPeriod : 30.00:00:00
InitialRolloverOffset : 00:00:00
KeyLength : 2048
KeyStorageProvider : Microsoft Software Key Storage Provider
KeyType : ZoneSigningKey
LastRolloverTime :
NextKey : Microsoft Software Key Storage Provider;40 22 38 01 33 10 b0 97 45 83
NextRolloverAction : Normal
NextRolloverTime : 2014-06-19 09:53:44
RolloverPeriod : 370.00:00:00
RolloverType : PrePublish
StandbyKey :
StoreKeysInAD : False
ZoneName : hjo.se
ZoneSignatureValidityPeriod : 30.00:00:00
PSComputerName :
CimClass : root/Microsoft/Windows/DNS:DnsServerSigningKey
CimInstanceProperties : {ActiveKey, CryptoAlgorithm, CurrentRolloverStatus, CurrentState...}
CimSystemProperties : Microsoft.Management.Infrastructure.CimSystemProperties
I do not have any 7670 events, but it's not doing any rollovers, just signature refresh. I'm also missing all the 6001s, but that may be caused by some notify setting on the secondary?
I do have two 3150 events showing that the DNS server has written the same version twice:
Log Name: DNS Server
Source: Microsoft-Windows-DNS-Server-Service
Date: 2013-11-06 04:06:05
Event ID: 3150
Level: Information
Computer: DNS04.jkp.invid.se
Description:
The DNS server wrote version 2013061435 of zone hjo.se to file hjo.se.dns.
<EventData Name="DNS_EVENT_ZONE_WRITE_COMPLETED">
<Data Name="param1">2013061435</Data>
<Data Name="param2">hjo.se</Data>
<Data Name="param3">hjo.se.dns</Data>
</EventData>
Log Name: DNS Server
Source: Microsoft-Windows-DNS-Server-Service
Date: 2013-11-11 19:37:17
Event ID: 3150
Level: Information
Computer: DNS04.jkp.invid.se
Description:
The DNS server wrote version 2013061435 of zone hjo.se to file hjo.se.dns.
<EventData Name="DNS_EVENT_ZONE_WRITE_COMPLETED">
<Data Name="param1">2013061435</Data>
<Data Name="param2">hjo.se</Data>
<Data Name="param3">hjo.se.dns</Data>
</EventData>
Also, you are correct that I made a change to the zone in August. The scheduled task I use to script a SOA serial increase had stopped working over the summer, and I activated it again in August.
Incremental zone transfers sound interesting. Are there any settings that can be made regarding this? Such as disabling it? :)
Thanks Greg for helping us with this, it's much appreciated!
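
A check for the symptom described in the post above, a zone file written more than once under the same SOA serial, as an added example that is not part of the original post or of Microsoft's tooling. The function name `Find-RepeatedZoneSerial` and the input object shape are assumptions; the sample rows are the two 3150 events quoted in the post.

```powershell
# Added example: flag zone-file writes (event 3150) that reuse a SOA serial.
# Find-RepeatedZoneSerial and the Time/Serial/Zone object shape are hypothetical.
function Find-RepeatedZoneSerial {
    param(
        [Parameter(Mandatory)] [object[]] $ZoneWrite   # objects with Time, Serial, Zone
    )
    $ZoneWrite |
        Group-Object -Property Zone, Serial |
        Where-Object { $_.Count -gt 1 } |
        ForEach-Object {
            # Order the writes of one (zone, serial) pair by time
            $sorted = $_.Group | Sort-Object Time
            [pscustomobject]@{
                Zone       = $sorted[0].Zone
                Serial     = $sorted[0].Serial
                Writes     = $_.Count
                FirstWrite = $sorted[0].Time
                LastWrite  = $sorted[-1].Time
            }
        }
}

# Sample input: the two 3150 events quoted in the post.
$sample = @(
    [pscustomobject]@{ Time = [datetime]'2013-11-06 04:06:05'; Serial = [uint32]2013061435; Zone = 'hjo.se' }
    [pscustomobject]@{ Time = [datetime]'2013-11-11 19:37:17'; Serial = [uint32]2013061435; Zone = 'hjo.se' }
)
Find-RepeatedZoneSerial -ZoneWrite $sample

# On a live server the same objects can be built from the log. param1 is the
# serial and param2 the zone, as in the EventData shown in the post:
# Get-WinEvent -FilterHashtable @{ LogName = 'DNS Server'; Id = 3150 } |
#     ForEach-Object { [pscustomobject]@{ Time = $_.TimeCreated
#         Serial = [uint32]$_.Properties[0].Value; Zone = $_.Properties[1].Value } }
```

A secondary decides whether to transfer by comparing SOA serials, so a row returned here marks a window in which the primary's zone content changed without the secondary being given a reason to pull it.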