Microsoft Windows 2008 R2 Domain Controller with DNS Server Fails to Resolve Some External Domains

Active Directory DNS Microsoft Windows

Upon the setup of the new Windows 2008 R2 DNS servers there is a problem that the DNS lookups for external domain fail; internal domain name resolution is unaffected.

Restarting the DNS server (or the whole server) resolve the problem, as does clearing the cache.

When the problem is happening, an nslookup command issued for an affected name will return the error “server failed”. A network trace will show that the DNS server does not send any traffic for such a request to the Internet. No events related to a problem are reported in the DNS Event Log.

There are two DNS related hotfixes we need to install/do on the servers to ensure the DNS works correctly for external domain name resolution. Once the two hotfixes are installed the server needs to be rebooted.

I’ve applied these hotfixes and the problems with DNS resolution for some domains that intermittently fail have gone away.

Hotfix Update 1 to be Applied

You need to apply the hotfix defined here:, once installed, reboot the server. (This should work, but it doesn’t) So for now this hasn’t been installed, upon attempting to install the update, it says the system doesn’t support it.

Hotfix Update 2 to be Applied

This isn’t an application of a patch more a change of a setting change; the problem is defined well in the excerpt from a website shown below:


The cause of this problem is that in EU countries (and certain other TLDs outside the USA), nameserver records are typically cached for more than 1 day. SBS2008 has a cap on the maximum time that it will allow nameserver records to be cached, which defaults to 1 day. This default works fine in the USA but When the .uk and .eu records become stale, they are not deleted from the cache but are no longer returned as valid records. Therefore, they effectively prevent DNS lookups in those TLDs from succeeding until the records expire and are deleted from teh cache, or the DNS Server service is restarted.

The fix is to increase the maximum Time To Live (TTL) setting in the DNS server so that it recognises records older than 1 day. Experience has shown that setting the value to 4 days is usually enough, but the maximum setting is 30 days.


  1. This problem can be temporarily resolved by restarting DNS Server service or by clearing the DNS cache on DNS server. – YUK don’t like this!
  2. Permanent resolutions include – increasing the maximum DNS cache TTL value. – Reconfiguring the DNS server to use DNS forwarders instead of relying on Root Hints. – This is a possible option, but why should we not use root hints just because of a Microsoft oddity, so I’ve gone with the solution as below. However if all else fails I may need to use this and reconfigure forwarders on all our DNS servers to look at the ISPs DNS resolvers.


To resolve the issue and continue using root hints, change the MaxCacheTTL registry value to 2 days or greater.

  1. Start Registry Editor (regedit.exe).
  2. Locate the following registry key:
  3. HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\DNS\Parameters
  4. On the Edit menu, click New, click DWORD (32-bit) Value, and then add the following value:
    Value: MaxCacheTTL
    Data Type: DWORD
    Data value: 0x2A300 (172800 seconds in decimal, or 2 days)
  5. Click OK.
  6. Quit Registry Editor.
  7. Restart the DNS Server service.