We currently have 2 Win 2003 DCs and have added 2 Win 2008 DCs to the domain. We would like to decommission the 2003 DCs and move to a native 2008 domain. However, yesterday we noticed errors in our DNS Server log that had an ID of 5504 (The DNS server encountered an invalid domain name in the packet from <external IP>. The packet will be rejected). We also noticed that general web browsing was really slow.
After some debugging we traced the problem to the DNS forwarders on our 2008 DCs. Apparently, when we promoted the 2008 DCs, the IP addresses of the 2003 DCs were added as forwarders (they were the only IPs in the forwarder lists on the two 2008 DCs). Looking at the 2003 DCs, there were no IP addresses in the forwarders list. We removed these IPs from the 2008 forwarder list; this is when we started getting hammered with the 5504 error. When we put these IP addresses back in the forwarders list on the 2008 DCs, the errors stopped and the web browsing speeds went back to a more normal level.
What is the tie between the forwarders on the 2003 DCs and the 2008 DCs? Both of the 2008 DCs have the "use root hints" check box checked.
While we were debugging we tried turning off the Windows Firewall on the 2008 DCs. As soon as we did that we started experiencing issues with our Exchange server and couldn't ping or RDP to servers. As soon as we started the Windows Firewall service everything went back to normal. Why would stopping the firewall (by stopping the service) cause these issues?
Tags: Microsoft Legacy OS, Windows Networking, Server Hardware
The forwarders are used to reduce the load on the DNS server. Try adding forwarders that reference your ISP's DNS servers. The delay may be due to the Windows 2008 DNS service having to collect the data itself.
Double check that the root servers tab on the DNS server is populated.
Is the win2k8 DNS service configured to also cache data in addition to presenting the authoritative AD domain?
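The checks suggested in the replies above (what each DC forwards to, whether root hints are populated, and whether recursion is on) can be pulled from every DC in one pass. The script below is an added example, not code from the original thread or from any of the posters. It uses the MicrosoftDNS WMI provider and netsh, both of which exist on Windows Server 2003 and 2008, so it runs under PowerShell 2.0 without the DnsServer module (which only ships with 2012 and later). The DC names in `$dcs` are hypothetical placeholders; the account running it is assumed to be a Domain Admin with WMI access to each DC.

```powershell
# Added example (not from the original thread): audit the DNS forwarding chain
# and root hints on every DC, then show the supported way to take the Windows
# Firewall out of the picture for a test instead of stopping its service.
# Assumption: $dcs holds hypothetical DC names; replace with your own.
$dcs = @('DC2003-A', 'DC2003-B', 'DC2008-A', 'DC2008-B')

function Get-DcDnsConfig {
    param([string]$Computer)
    $ns  = 'root\MicrosoftDNS'
    $srv = Get-WmiObject -Namespace $ns -Class MicrosoftDNS_Server -ComputerName $Computer
    # Root hints are stored as NS records in the pseudo-zone "..RootHints".
    # An empty set means the server cannot walk the tree from the root on its own.
    $hints = @(Get-WmiObject -Namespace $ns -Class MicrosoftDNS_NSType `
                 -ComputerName $Computer -Filter "ContainerName='..RootHints'")
    New-Object PSObject -Property @{
        Computer      = $Computer
        IPs           = @([System.Net.Dns]::GetHostAddresses($Computer) |
                          Where-Object { $_.AddressFamily -eq 'InterNetwork' } |
                          ForEach-Object { $_.IPAddressToString })
        Forwarders    = @($srv.Forwarders | Where-Object { $_ })
        # IsSlave is the "Do not use recursion for this domain" box (forward-only).
        # With an empty forwarder list that leaves the server unable to resolve
        # anything outside its own zones.
        ForwardOnly   = [bool]$srv.IsSlave
        NoRecursion   = [bool]$srv.NoRecursion
        RootHintCount = $hints.Count
    }
}

$config = $dcs | ForEach-Object { Get-DcDnsConfig $_ }
$config | Format-Table Computer, Forwarders, ForwardOnly, NoRecursion, RootHintCount -AutoSize

# Walk the forwarder chain. A 2008 DC forwarding to a 2003 DC that itself has no
# forwarders means every external lookup goes 2008 -> 2003 -> root servers.
# Removing the 2008 forwarders makes the 2008 DCs query the root servers
# directly, which only works if their own root hints are populated.
foreach ($dc in $config) {
    foreach ($fwd in $dc.Forwarders) {
        $target = $config | Where-Object { $_.IPs -contains $fwd }
        if ($target) {
            $note = if ($target.Forwarders.Count -eq 0) {
                "which has no forwarders and resolves via its $($target.RootHintCount) root hints"
            } else {
                "which forwards on to $($target.Forwarders -join ', ')"
            }
            Write-Host "$($dc.Computer) forwards to $fwd ($($target.Computer)), $note"
        } else {
            Write-Host "$($dc.Computer) forwards to $fwd (not a DC in the list; ISP or external resolver)"
        }
    }
    if ($dc.Forwarders.Count -eq 0 -and $dc.RootHintCount -eq 0) {
        Write-Warning "$($dc.Computer): no forwarders and no root hints; external names cannot resolve"
    }
    if ($dc.Forwarders.Count -eq 0 -and $dc.ForwardOnly) {
        Write-Warning "$($dc.Computer): forward-only with no forwarders; recursion is effectively off"
    }
}

# Firewall: on Server 2008, stopping the Windows Firewall service (MpsSvc) is
# not the supported way to turn the firewall off and can leave the host
# blocking traffic. For a test, turn the profiles off, retest, and turn them
# back on. Run these locally on the DC under test:
#   netsh advfirewall show allprofiles state
#   netsh advfirewall set allprofiles state off
#   ... repeat the DNS test ...
#   netsh advfirewall set allprofiles state on
```

Run it once with the 2003 IPs still listed as forwarders on the 2008 DCs and once after removing them; the chain output makes it obvious whether the 2008 DCs are expected to resolve via the 2003 DCs or via their own root hints, and the warnings flag the combination (no forwarders, no root hints, or forward-only) that leaves a server unable to resolve external names at all.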