Slow Internet after Domain promotion

HallsIT
Recently, we promoted Server 2016 DCs (Domain Controllers) from Server 2012R2 machines.  All FSMO roles have been successfully migrated over to the 2016 server(s) and the primary 2016 DC has the schema.  I ran a dcdiag on the new DC and received no errors, but for some reason, when I change the IPs from the old DCs (both primary and secondary) to the new ones, access to Internet sites takes anywhere from 20 seconds to getting a "page cannot be displayed" error.  Everything else works in the domain: email, file share access, printing, etc.  The only issue is the delay to the Internet.  The only thing I haven't done is rename the new servers with the old servers' names.  I had to migrate the IPs because there are way too many back-end configs throughout the network that point to those IPs.

Any clue on what may be causing the delay in Internet access?  I'm thinking maybe a DNS issue.  I just don't know where since DNS shows all 4 servers in its zone(s).
Jeff Glover, Sr. Systems Administrator

Commented:
Look at Root hints and Forwarders. Although some say to use Forwarders for Internet, I never do. I always use Root Hints. Make sure it is populated. Also make sure your clients are pointing to your new DNS servers for DNS resolution.

Author

Commented:
@Jeff Glover

In terms of clients pointing to DNS, we use DHCP forwarders within our routers with DNS helpers pointing to the IP address which I moved to the new servers.  This is done for each DHCP scope, and when I do an ipconfig /all on any client, it shows that it's pointing to the IP address which was moved to the new servers, with the old servers' NICs disabled.

In terms of Root Hints, I will check that out now.

Author

Commented:
@Jeff Glover

I think the Forwarders are the issue.  I just checked, and within the Forwarders tab in DNS, the IPs are still pointing to the old servers.  I will edit the Forwarders' properties this evening and let you know the results tomorrow.  I'd rather do this tonight, when the fewest users are on the network.

Thanks.
DrDave242, Principal Support Engineer

Commented:
"I just checked and within the Forwarders tab in DNS, the IP's are still pointing to the old servers."

Does that mean that the DCs are forwarding to each other? If so, that's almost always a bad idea. If all of your DNS zones are AD-integrated (which they should be, unless you know of a reason why they can't), every DC in the domain holds a replica of every zone. This means that they all have the same DNS records, so if one DC can't answer a particular query, none of them can, and forwarding that query from one DC to another just wastes time.

Forwarders should point to DNS servers outside of your domain, like your ISP's DNS servers or well-known public servers. Or, as Jeff suggested, delete the forwarders and use root hints.
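An added PowerShell audit (example code, not from this thread or from any of the posters) that checks every DC in the domain the way Jeff and DrDave242 describe: lists each DC's forwarders, flags any forwarder that points at another DC in the same domain, reports whether root hints are populated, and times an external lookup against each DC. It assumes the DnsServer and ActiveDirectory RSAT modules are installed, that the account can query the DCs remotely, and uses example.com as a constructed test name.

```powershell
# Added example: audit DNS forwarders and root hints on every DC.
# Assumes the DnsServer and ActiveDirectory modules (RSAT) and remote access to the DCs.
Import-Module DnsServer
Import-Module ActiveDirectory

$dcs = Get-ADDomainController -Filter *
$dcAddresses = $dcs | ForEach-Object { $_.IPv4Address }

foreach ($dc in $dcs) {
    $name = $dc.HostName
    $fwd = Get-DnsServerForwarder -ComputerName $name
    $fwdList = @($fwd.IPAddress | ForEach-Object { $_.IPAddressToString })

    # A forwarder that points at another DC of this domain is the
    # "DCs forwarding to each other" case: every DC already holds the same
    # AD-integrated zones, so such a forwarder can only add delay or time out.
    $toOtherDc = @($fwdList | Where-Object { $dcAddresses -contains $_ })

    $roots = @(Get-DnsServerRootHint -ComputerName $name)

    [pscustomobject]@{
        DC                  = $name
        Forwarders          = ($fwdList -join ', ')
        ForwardersToOtherDC = ($toOtherDc -join ', ')   # should be empty
        UseRootHintFallback = $fwd.UseRootHint
        RootHintCount       = $roots.Count              # 0 means root hints are not populated
    }
}

# Measure what a client would see: time an external lookup against each DC.
# A healthy DC answers in well under a second; tens of seconds points at a
# forwarder that is unreachable or pointing at a stale address.
foreach ($dc in $dcs) {
    $t = Measure-Command {
        Resolve-DnsName -Name 'example.com' -Server $dc.IPv4Address -DnsOnly -ErrorAction SilentlyContinue
    }
    "{0}: external lookup took {1} ms" -f $dc.HostName, [int]$t.TotalMilliseconds
}

# Once a stale or DC-to-DC forwarder is confirmed, it can be removed with
# Remove-DnsServerForwarder -ComputerName <dc> -IPAddress <address>
# (a change to make in a maintenance window, as the author planned).
```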
Author

Commented:
Actually, I ended up looking at the old DC and there weren't any entries for the forwarders.  Once I removed the IPs there, things worked fine.
