2008 R2 Domain Controllers unable to communicate to root DNS servers

I upgraded a domain with two local domain controllers from 2003 to 2008 R2.
I installed two new dcs, then moved the fsmo roles over and flipped ip addresses.
That way i did not have to deal with issues of dns resolution for workstations (modify dhcp scope for DNS) or member servers.
When I did that, the new dcs had the old dcs ip address, and the old dcs had some other previously unused ip addresses.
At that point, the new dcs were being queried for names of external websites. The dcs were unable to resolve anything external.
For a quick fix, I configured one of the dcs to enable forwarding (rather than root hints servers) and all requests were forwarded to the ISP’s DNS servers.
That worked, but why could 2003 perform root hints communication, but 2008 could not I thought?
The answer turned out to be this technet article. It affects 2003 R2, 2008, and 2008R2

http://support.microsoft.com/kb/832223

Basically type this from an elevated cmd prompt
 dnscmd /config /enableednsprobes 0

No need to restart services or reboot anything.

Two issues: difference in implementation of dns server between windows version and some cisco firewall setting.
The cisco engineer enabled large packet size or something like that, but that still did not fix the issue.
So i ran the commands described in the above article, and all is good. I was able to turn off forwarders and use root hints as necessary.

Some strange setting on the cisco firewall that did not like the way 2008 operated dns.

“Some firewalls contain features to check certain parameters of the DNS packet. These firewall features may make sure that the DNS response is smaller than 512 bytes.”
Click on the image below to see it larger.
Note: You have to run the cmd prompt elevated (Runas Administrator)

Advertisements

About Mike

owner of blog
This entry was posted in Active Directory, Windows Server. Bookmark the permalink.

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Google+ photo

You are commenting using your Google+ account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

w

Connecting to %s