Server 2008 R2 blocked when accessing server 2019 or trying to join the domain

In short:

memberserver 2008 r2 can ping server 2019 std DC and do nslookups, but then trying to access \dc01 or joining the domain the whole memberserver is blocked, even ping

Long story:

I had a client with an SBS2011 domain. Let's say the virtual domaincontroller was called DC01 (the 'sbsserver', so it was server 2008 r2). There was a physical memberserver WEB01 which hosts an internal website.

DC01 was replaced by a server 2019 standard server "DC02" by adding it to the domain, replication, migrating to dfrs and cutting of the old DC as it didn't demote nicely. After cleaning up all old dns records, replication, ADUC, checking for metadata using ntdsutil the old server was officially 'exit'.

Because of a lot of external software, configuration, licensing, etc the client demanded that the new server was renamed to the old servername, including changing to the old ip-address. I said I head that was a bad idea, never reuse old dc names, but the client was convinced the benefits outweighed the possible problems. So we did.

New setup:

server 2019 std as DC (gc) with name "DC01" at the old ip address. A memberserver called MGT01, als server 2019 std and the physical server web01 with server 2008 r2. DNS fully checked and updates with correct name and ip. So far so good, everything was working except for some smb1 clients, we had to "temporarily" reinstall smb1 support.

Now the problem:

we use veeam to back-up both the virtual DC01 and the physical WEB01. The back-up gave errors and mentioned errors with authentication and domain stuff. Naturally I suspected dns problems. Some logs said the domain rd dc could not be found.

As the DNS on web01 was point at dc01 and other server could access dns and dc01 without problems I thought it might have something to do with security and kerberos as dc01 was replaced but the web01 hadn't rebooted since. I tried to reboot web01, tried to reset the computeraccount of web01, unjoined the domain and could join again?!

The strange part:

I reboot web01, I can ping dc01 from web01 and web01 from dc01. As soon as I try to join the domain or access \dc01, the ping stops from both sides. Same for mgt01. I can ping mgt01 from web01 and web01 from mgt01, but as soon as I try to access \mgt01 then ping is stopped. It seems WEB01 is completely blocked as I cannot access dns on DC01 anymore either. That explains why the domainjoin is failing.

All servers have MS firewall disabled (for testing), AV is installed but not a version with firewall.

I tried to delete all dns records for WEB01, clearing arp tables, rebooting... nothing helped... untill.... I gave web01 another ip.

Ping successfull, access to \dc01 with domainaccount credentials no problem, domain join no problem. Hurray! Except all clients have software point at the old ip of WEB01. I tried changing WEB01 backup to the old ip after joining the domain while using another ip, but the problems came back. So it seems the problem is tied to that specific IP. Not sure how windows is blocking an ip with firewall disabled. The WEB01 will be decomissioned soon but I want to know the source of the problem as the IP might get reused in a while and the the problems might be back...

I'm out of ideas.... anyone?

• edit -

I think the blockage is temporaily as I went from keyboard and came back ping was working again. I don't think I rebooted in between