Domain Controller Changes – Server 2008 R2 DNS Broken

So, this weekend was a busy weekend for Active Directory work at LifeChurch.tv – prep work for Exchange 2010 migration.  Hooray!

We have a multi-site (physical and Active Directory sites) network – with 18 domain controllers.  Until a few weeks ago, all of these were Server 2003 / Server 2003 R2 boxes. As alluded to in my last post, I've added some Server 2008 R2 boxes – both physical and virtual – into the mix.

This weekend I activated those boxes – late last night actually – migrating all FSMO / DNS / GC "primary" focuses at our Central campus away from Server 2003 to Server 2008 R2.

I guess something broke.  This morning I awoke to some texts re: DNS.  I also got several phone calls and emails before I could make my way to the office.  Yup, sho' nuff' – external/recursive DNS was brok3d.

As a workaround, we reversed our DNS changes and then started some research.

One thing we did was disable – completely – the windows firewall on the affected boxes.  That didn't resolve the DNS recursive query issue though.

The root cause turned out to be related to how Server 2008 R2 handles recursive DNS – something called EDNS of which I know absolutely zero.

After a brief twitter conversation with @kendrickcoleman and @GreggRobertson5 it appears I am not alone with Server 2008 R2 DNS woes.  Some quick google-fu led to this blog post.

And it worked.

Short version: Server 2008 R2 implemented (activated) a change in how recursive DNS is handled on Windows DNS server.

Short fix: dnscmd /config /EnableEDNSProbes 0 -> on the affected Server 2008 R2 DNS box

More technical details far above my pay grade are on the blog post linked above.
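For anyone hitting the same thing, here is an added example (not from the original post, nor Microsoft's) that wraps the fix above in a check-then-fix sequence you can run in an elevated PowerShell prompt on the affected Server 2008 R2 DNS server: read the current EnableEDNSProbes value from the registry location that dnscmd /Config writes to, prove that recursion is actually broken before changing anything, apply the same dnscmd command, and re-test. The query name, the DNS service restart and the string matching on nslookup output are assumptions made for the example.

```powershell
# Added example (not from the original post). Run in an elevated PowerShell
# prompt on the affected Server 2008 R2 DNS server. dnscmd.exe and the
# EnableEDNSProbes registry value come with the DNS Server role; the query name,
# the service restart and the success/failure string matching are assumptions.
$DnsParams = 'HKLM:\SYSTEM\CurrentControlSet\Services\DNS\Parameters'

function Get-EdnsProbeState {
    # Reads the value that dnscmd /Config /EnableEDNSProbes writes. No value
    # present means the default, which on Windows DNS is probes enabled (1).
    $props = Get-ItemProperty -Path $DnsParams -ErrorAction SilentlyContinue
    if ($null -eq $props.EnableEDNSProbes) { return 1 }
    return [int]$props.EnableEDNSProbes
}

function Test-Recursion {
    param(
        [string]$Name   = 'www.microsoft.com',  # assumed external name
        [string]$Server = '127.0.0.1'           # the DNS server under test
    )
    # Ask the local server for a name it is not authoritative for, so the
    # answer has to come via recursion. nslookup prints "timed out" or
    # "can't find" when the recursive lookup fails.
    $text = (& nslookup.exe -type=A $Name $Server 2>&1) -join "`n"
    return -not ($text -match "timed out|can't find")
}

function Disable-EdnsProbes {
    # The post's one-liner, run against the local server. Restarting the
    # DNS Server service afterwards is an assumption here, to be sure the
    # running server picks up the new setting.
    & dnscmd.exe /Config /EnableEDNSProbes 0 | Out-Null
    Restart-Service -Name DNS
}

# Worked sequence: check, fix only if recursion is actually broken, re-check.
"EnableEDNSProbes = $(Get-EdnsProbeState)"
if (Test-Recursion) {
    "Recursive lookups work; no change made."
} else {
    "Recursive lookups fail; disabling EDNS probes."
    Disable-EdnsProbes
    "EnableEDNSProbes = $(Get-EdnsProbeState)"
    "Recursive lookups work now: $(Test-Recursion)"
}
```

Two caveats worth knowing before you run it. First, this only turns off the EDNS0 probes; it does not fix whatever firewall or device in the path is dropping EDNS-style UDP DNS packets (typically anything larger than 512 bytes or carrying an OPT record), so if you can find and fix that device instead, do that. Second, DNSSEC signals itself through that same EDNS0 OPT record (the DO bit), so a server with EDNS disabled cannot do DNSSEC properly, which is consistent with the update below saying this change was later negated by the DNSSEC work.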

The GOOD news is that this was the last remaining task on my "project list" before I could start the Exchange 2010 Migration project… so… buckle up!

UPDATE UPDATE UPDATE
This work has been negated with the DNSSEC Stuff from May 2010.  You can read about that and what LifeChurch.tv did to prepare on this blog post.