I upgraded a domain with two local domain controllers from Windows Server 2003 to 2008 R2.
I installed two new DCs, moved the FSMO roles over, and then swapped the IP addresses.
That way I did not have to deal with DNS resolution issues for workstations (modifying the DHCP scope's DNS option) or member servers.
After the swap, the new DCs had the old DCs' IP addresses, and the old DCs had previously unused addresses.
At that point the new DCs were being queried for the names of external websites, and they were unable to resolve anything external.
As a quick fix, I configured one of the DCs to use forwarders (rather than the root hints servers), and all requests were forwarded to the ISP's DNS servers.
That worked, but it left me wondering why 2003 could resolve through the root hints when 2008 could not.
The answer turned out to be this TechNet article. It affects 2003 R2, 2008, and 2008 R2.
Basically, run this from an elevated command prompt: dnscmd /config /enableednsprobes 0
No need to restart services or reboot anything.
There were two issues: a difference in the DNS server implementation between Windows versions, and a Cisco firewall setting.
The Cisco engineer enabled a larger packet size (or something like that), but that still did not fix the issue.
So I ran the command described in the article above, and all is good. I was able to turn off the forwarders and go back to root hints.
Some setting on the Cisco firewall did not like the way 2008 handled DNS: with EDNS probes enabled, the 2008 server expects DNS responses larger than the traditional 512-byte limit, and the firewall's DNS inspection did not let those through. The article puts it this way:
“Some firewalls contain features to check certain parameters of the DNS packet. These firewall features may make sure that the DNS response is smaller than 512 bytes.”
Note: You have to run the command prompt elevated (Run as Administrator).
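As an added example (not from the original post or the TechNet article), here is a PowerShell script that audits every DC in the current domain for the EDNS-probe setting and for root-hint resolution of an external name, and with -Fix applies the same dnscmd change described above. It assumes dnscmd.exe and nslookup.exe are on the path, that you have DNS admin rights, and that dnscmd /Info prints the setting as "Dword: <value>"; the test name www.example.com is a constructed placeholder.

```powershell
# Added example: audit DCs for EnableEDnsProbes and external resolution, optionally apply the fix.
# Run from an elevated PowerShell prompt on a domain member (works on PowerShell 2.0 / 2008 R2).
param([switch]$Fix)

$TestName = "www.example.com"   # constructed test name; any external name that resolves will do

function Get-EdnsProbeSetting($dc) {
    # dnscmd /Info prints the DWORD value of the setting; the regex assumes that output format.
    $out = & dnscmd.exe $dc /Info /EnableEDnsProbes 2>&1 | Out-String
    if ($out -match 'Dword:\s*(\d+)') { return [int]$matches[1] }
    return $null   # setting not readable (RPC blocked, DNS role not installed, ...)
}

function Test-ExternalResolution($dc, $name) {
    # nslookup exit codes are unreliable, so inspect its text for the usual failure strings.
    $out = & nslookup.exe -timeout=5 $name $dc 2>&1 | Out-String
    return -not ($out -match "can't find|timed out|No response from server")
}

$domain = [System.DirectoryServices.ActiveDirectory.Domain]::GetCurrentDomain()
foreach ($dcObj in $domain.DomainControllers) {
    $dc       = $dcObj.Name
    $probes   = Get-EdnsProbeSetting $dc
    $resolves = Test-ExternalResolution $dc $TestName
    "{0,-30} EnableEDnsProbes={1,-5} ResolvesExternal={2}" -f $dc, $probes, $resolves

    # The symptom from the post: probes on (1) and external names failing through root hints.
    if ($Fix -and $probes -eq 1 -and -not $resolves) {
        & dnscmd.exe $dc /Config /EnableEDnsProbes 0 | Out-Null   # takes effect without a restart
        $after = Test-ExternalResolution $dc $TestName
        "  -> EDNS probes disabled on $dc; external resolution now: $after"
    }
}
```

Run it without -Fix first to see which DCs still have probes enabled; a DC that shows EnableEDnsProbes=0 but still fails to resolve points at a different problem (forwarders, outbound port 53, or the firewall rule itself).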