Channel: Network Infrastructure Servers forum

How can root zone transfers be prevented?


There are two Internet-facing Windows DNS servers: one is Windows 2003; the other is Windows 2008 R2.

  • Nothing is returned when a zone transfer of root (.) is requested from the Windows 2003 server. This is the desired response.
  • Everything is returned when a zone transfer of root (.) is requested from the Windows 2008 server. This is NOT the desired response.

What is needed to make the DNS service under Windows 2008 respond like the DNS server under Windows 2003?

Thanks in advance for your help.

Here are the dig commands that I'm using and responses that I'm receiving (I've munged the address info, but you get the idea):

$ dig @ns.anon2003server.com .

; <<>> DiG 9.7.6-P1 <<>> @ns.anon2003server.com .
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 28713
;; flags: qr rd; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0
;; WARNING: recursion requested but not available

;; QUESTION SECTION:
;.    IN A

;; Query time: 26 msec
;; SERVER: <clipped>#53(<clipped>)
;; WHEN: Thu Aug  1 20:53:41 2013
;; MSG SIZE  rcvd: 17

$ dig @ns.anon2008server.com .

; <<>> DiG 9.7.6-P1 <<>> @ns.anon2008server.com .
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 48592
;; flags: qr rd; QUERY: 1, ANSWER: 0, AUTHORITY: 13, ADDITIONAL: 13
;; WARNING: recursion requested but not available

;; QUESTION SECTION:
;.    IN A

;; AUTHORITY SECTION:
.   3600 IN NS g.root-servers.net.
.   3600 IN NS h.root-servers.net.
.   3600 IN NS i.root-servers.net.
.   3600 IN NS j.root-servers.net.
.   3600 IN NS k.root-servers.net.
.   3600 IN NS l.root-servers.net.
.   3600 IN NS m.root-servers.net.
.   3600 IN NS a.root-servers.net.
.   3600 IN NS b.root-servers.net.
.   3600 IN NS c.root-servers.net.
.   3600 IN NS d.root-servers.net.
.   3600 IN NS e.root-servers.net.
.   3600 IN NS f.root-servers.net.

;; ADDITIONAL SECTION:
g.root-servers.net. 3600 IN A 192.112.36.4
h.root-servers.net. 3600 IN A 128.63.2.53
i.root-servers.net. 3600 IN A 192.36.148.17
j.root-servers.net. 3600 IN A 192.58.128.30
k.root-servers.net. 3600 IN A 193.0.14.129
l.root-servers.net. 3600 IN A 198.32.64.12
m.root-servers.net. 3600 IN A 202.12.27.33
a.root-servers.net. 3600 IN A 198.41.0.4
b.root-servers.net. 3600 IN A 128.9.0.107
c.root-servers.net. 3600 IN A 192.33.4.12
d.root-servers.net. 3600 IN A 128.8.10.90
e.root-servers.net. 3600 IN A 192.203.230.10
f.root-servers.net. 3600 IN A 192.5.5.241

;; Query time: 55 msec
;; SERVER: <clipped>#53(<clipped>)
;; WHEN: Thu Aug  1 20:53:51 2013
;; MSG SIZE  rcvd: 448
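
Added example, not part of the original post: a Python check that classifies a dig reply from its header and authority section, run over abbreviated copies of the two replies above as constructed input. The function name classify and the verdict strings are assumptions made for illustration; a NOERROR reply with an empty answer section and NS records owned by "." in the authority section is a referral to the root servers, and the query type reported is the one dig echoes in the question section.

```python
import re

# Constructed sample input: abbreviated copies of the two dig replies shown
# in the post above (header lines, question line, first authority records).
REPLY_2003 = """\
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 28713
;; flags: qr rd; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0
;.    IN A
"""
REPLY_2008 = """\
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 48592
;; flags: qr rd; QUERY: 1, ANSWER: 0, AUTHORITY: 13, ADDITIONAL: 13
;.    IN A
;; AUTHORITY SECTION:
.   3600 IN NS g.root-servers.net.
.   3600 IN NS h.root-servers.net.
"""

STATUS = re.compile(r"status: (\w+)")
COUNTS = re.compile(r"ANSWER: (\d+), AUTHORITY: (\d+), ADDITIONAL: (\d+)")
ROOT_NS = re.compile(r"^\.\s+\d+\s+IN\s+NS\s+\S+", re.M)   # NS record owned by "."
QTYPE = re.compile(r"^;\S+\s+IN\s+(\w+)", re.M)            # echoed question line


def classify(dig_text):
    """Return (query type, verdict) for one block of dig output."""
    status = STATUS.search(dig_text)
    counts = COUNTS.search(dig_text)
    qtype = QTYPE.search(dig_text)
    if not (status and counts and qtype):
        return (None, "unparseable")
    answer, authority, _ = map(int, counts.groups())
    if status.group(1) != "NOERROR":
        verdict = "no-data:" + status.group(1)
    elif answer == 0 and authority > 0 and ROOT_NS.search(dig_text):
        # Empty answer plus NS records for "." is a referral to the root servers.
        verdict = "root-referral"
    elif answer > 0:
        verdict = "answer"
    else:
        verdict = "empty"
    return (qtype.group(1), verdict)


if __name__ == "__main__":
    for name, text in (("2003", REPLY_2003), ("2008", REPLY_2008)):
        print(name, classify(text))
```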

