The Windows 2008 R2 systems are unable to ping and resolve the IP addresses of the ActiveUpdate servers and download updates for the installed Trend Micro products.
This issue happens because of the Windows Server 2008 R2 DNS Server that is looking up Internet names.
In Server 2008 R2, Microsoft enabled the EDNS support by default. In the operating systems prior to Server 2008 R2, the DNS packets carried by UDP were restricted to 512 bytes. Enabling EDNS allows for larger UDP packets if the DNS servers support it. In practice, older firewalls assume a maximum DNS message length of 512 bytes and may block longer DNS packets.
For additional information, refer to this microsoft article: Some DNS name queries are unsuccessful after you deploy a Windows Server 2003 or Windows Server 2008 R2-based DNS server
To resolve this issue, you need to disable the EDNS support on the Windows 2008 R2 DNS Server.
To disable ENDS, you can use any of the following:
Using command prompt
Execute the following command:
dnscmd /config /EnableEDNSProbes 0
Using the registry
- Open the Registry Editor.
Always back up the whole registry before making any modifications. Incorrect changes to the registry can cause serious system problems
- Go to HKLM\SYSTEM\CurrentControlSet\services\DNS\Parameters
- Create a DWORD key "EnableEDNSProbes" and set its value to "0".
- Close the Registry Editor.
- Restart the DNS Server service for the changes to take effect.
If the above steps did not resolve the issue, then do the following:
- Download and run the CDT utility on the target host machine.
- Collect the CDT logs and send them to Trend Micro Technical Support.
