
Windows 2008 R2 DNS Issue - Recursion and Delegation


Post by guest » Thu Aug 02, 2012 10:07 am

Have a strange one here. I have been looking through the forums to see if there is a fix.

Setup:
Windows 2003 domain, and I have started to roll out Windows 2008 R2 domain controllers. The single forest/domain has been successfully prepped and the servers are working fine. One is now the PDCe.

Problem:
All new 2008 DCs are unable to resolve external (www.microsoft.com) addresses, and in DNS, under the Advanced tab, recursive testing fails. It passes on the existing 2003 DCs AND when I have the 2003 DCs in the DNS fields for the NICs on the 2008 DCs. I haven't set Disable recursion - it's default settings.

Configuration:
1. Windows firewall and Trend firewall are disabled.
2. There are no forwarders (there were some on the 2008 DC's but I have deleted them and rebooted the DC's)
3. I can telnet to the root hint servers on port 53 from the new DC's
4. Running dcdiag /s:servername /c /v gives a good amount of info including this:

Warning: Delegation of DNS server servernameA.domain.local. is broken on IP:AAA.AAA.BBB.16
Error: DNS server: servernameA.domain.local.

IP:AAA.AAA.BBB.16 [Broken delegation]

Warning: Delegation of DNS server servernameB.domain.local. is broken on IP:AAA.AAA.AAA.11
Error: DNS server: servernameB.domain.local.

IP:AAA.AAA.AAA.11 [Broken delegation]

Warning: Delegation of DNS server servernameC.domain.local. is broken on IP:AAA.AAA.AAA.12
Error: DNS server: servernameC.domain.local.

IP:AAA.AAA.AAA.12 [Broken delegation]

Warning: Delegation of DNS server servernameD.domain.local. is broken on IP:AAA.AAA.BBB.11
Error: DNS server: servernameD.domain.local.

IP:AAA.AAA.BBB.11 [Broken delegation]


and

DNS server: AAA.AAA.AAA.12 servernameA.domain.local.)

1 test failure on this DNS server

DNS delegation for the domain domainname.local.domainname.local. is broken on IP AAA.AAA.AAA1.12

[Error details: 9003 (Type: Win32 - Description: DNS name does not exist.)]

DNS server: AAA.AAA.AAA.14 (servernameB.domain.local.)

1 test failure on this DNS server

DNS delegation for the domain domainname.local.domainname.local. is broken on IP AAA.AAA.AAA.14

[Error details: 1460 (Type: Win32 - Description: This operation returned because the timeout period expired.)]

DNS server: AAA.AAA.AAA.20 (servernameC.domain.local.)

1 test failure on this DNS server

DNS delegation for the domain domainname.local.domainname.local. is broken on IP AAA.AAA.AAA.20

[Error details: 9003 (Type: Win32 - Description: DNS name does not exist.)]

However, all the DCs listed above (which is ALL the DCs in our domain) are in DNS with SRV, LDAP, Kerberos, etc. DNS entries. They passed on dcdiag.

5. Running dcdiag /dnsresolveextname fails with:

Starting test: SystemLog

* The System Event log test
A warning event occurred. EventID: 0x000003F6

Time Generated: 11/06/2009 12:56:29

Event String:

Name resolution for the name www.microsoft.com timed out after none of the configured DNS servers responded.

Found no errors in "System" Event log in the last 60 minutes.

6. Internal resolving of clients is fine.

I guess I really need to get recursion working on the 2008 R2 DCs?

Re: Windows 2008 R2 DNS Issue - Recursion and Delegation

Post by guest » Thu Aug 02, 2012 10:07 am

I've had the same issue; it's really annoying to find that something that's "always" worked previously suddenly doesn't. The details of the problem, together with the solution you are looking for, are described here: http://weblogs.asp.net/owscott/archive/ ... ssues.aspx

If you don't care for all the background, simply enter "dnscmd /config /EnableEDNSProbes 0" at the cmd prompt and you're good - make sure you're running your command line "as Administrator", or you'll get an error message.

Re: Windows 2008 R2 DNS Issue - Recursion and Delegation

Post by guest » Thu Aug 02, 2012 10:08 am

I came to this site trying to find a solution to the same problem... I wasn't satisfied with the EDNS disable so I dug further...

I found out the problem is that my Cisco firewall is blocking the packet because it's too big. Typing "fixup protocol dns maximum-length 4096" in config mode fixed the problem for real.

Hope it will help someone else.

Re: Windows 2008 R2 DNS Issue - Recursion and Delegation

Post by guest » Thu Aug 02, 2012 10:08 am

Confirmed that EDNS and packet size is the issue. Received SERVFAIL responses from remote DNS servers when running packet captures.

Disabling EDNS solved the issue.

Below is part of RFC 2671.

5.3. Responders who do not understand these protocol extensions are expected to send a response with RCODE NOTIMPL, FORMERR, or SERVFAIL. Therefore use of extensions should be "probed" such that a responder who isn't known to support them be allowed a retry with no extensions if it responds with such an RCODE. If a responder's capability level is cached by a requestor, a new probe should be sent periodically to test for changes to responder capability.

As far as the firewall being an issue, this is not typical behavior of a firewall and may not fit the bill for everyone's environment.
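The EDNS0 behaviour discussed in this thread, as an added Python example that is not part of any post: it builds the same A query with and without the OPT record and classifies a reply along the lines of the RFC 2671 section 5.3 text quoted above. `fake_reply`, `diagnose` and `path_limit` are hypothetical names, the default of 512 is the classic pre-EDNS UDP message limit, and the sample replies are constructed, not captured traffic.

```python
import struct

# RCODEs that RFC 2671 section 5.3 expects from a responder without EDNS0 support.
NO_EDNS_RCODES = {1: "FORMERR", 2: "SERVFAIL", 4: "NOTIMPL"}
TYPE_A, TYPE_OPT, CLASS_IN = 1, 41, 1

def encode_name(name):
    """Encode a host name as length-prefixed DNS labels plus the root label."""
    labels = [p for p in name.rstrip(".").split(".") if p]
    return b"".join(bytes([len(p)]) + p.encode("ascii") for p in labels) + b"\x00"

def build_query(name, qid=0x1234, edns_size=None):
    """Build an A query; if edns_size is set, append an OPT pseudo-RR
    advertising that UDP payload size (this is what an EDNS probe sends)."""
    header = struct.pack("!HHHHHH", qid, 0x0100, 1, 0, 0, 1 if edns_size else 0)
    question = encode_name(name) + struct.pack("!HH", TYPE_A, CLASS_IN)
    opt = b""
    if edns_size:
        # NAME=root, TYPE=OPT, CLASS=payload size, TTL=0 (ext. RCODE/version/flags), RDLEN=0
        opt = b"\x00" + struct.pack("!HHIH", TYPE_OPT, edns_size, 0, 0)
    return header + question + opt

def fake_reply(rcode, size, tc=False):
    """Constructed sample reply: ID + flags (QR, RD, RA set), zero-padded to `size` bytes."""
    flags = 0x8180 | (0x0200 if tc else 0) | rcode
    return struct.pack("!HH", 0x1234, flags) + bytes(size - 4)

def diagnose(reply, used_edns, path_limit=512):
    """Classify what the querying server sees. path_limit models a middlebox
    maximum DNS message length (assumption); larger replies never arrive."""
    if reply is not None and len(reply) > path_limit:
        reply = None  # dropped in transit, so the resolver only sees a timeout
    if reply is None:
        return "timeout: check path size limit" if used_edns else "timeout"
    flags = struct.unpack("!H", reply[2:4])[0]
    rcode, truncated = flags & 0x000F, bool(flags & 0x0200)
    if used_edns and rcode in NO_EDNS_RCODES:
        return NO_EDNS_RCODES[rcode] + ": retry without EDNS"
    if truncated:
        return "truncated: retry over TCP"
    return "ok" if rcode == 0 else "rcode %d" % rcode

if __name__ == "__main__":
    print(len(build_query("www.microsoft.com")),
          len(build_query("www.microsoft.com", edns_size=4096)))
    for limit in (512, 4096):
        print(limit, diagnose(fake_reply(0, 1400), True, path_limit=limit))
    print(diagnose(fake_reply(2, 40), True))
```
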

