We have what I have seen referred to as a "Split Brain" DNS configuration. Brief details as follows:
SERVER52.D1.COM W2K8 R2 PDC (DNS server to 192.168.0.0/16). IP: 192.168.5.2/16
SERVER53.D1.COM W2K8 R2 DC (DNS server to 192.168.0.0/16). IP: 192.168.5.3/16
SERVER55.D1.COM W2K8 R2 Public-facing DNS Server. IP: 192.168.5.5/16 (MIP: 202.xxx.yyy.125/26)
OSNS1 Off-site secondary DNS Server
OSNS2 Off-site secondary DNS Server
OSNS3 Off-site secondary DNS Server
Web Server. IP: 192.168.1.197/16 (MIP: 202.xxx.yyy.70/26)
MAIL01.D2.COM Mail Server. IP: 192.168.0.189/16 (MIP: 202.xxx.yyy.76/26)
WEBMAIL.D2.COM Web mail portal. IP: 192.168.0.191/16 (MIP: 202.xxx.yyy.100/26)
All on-site DNS servers are running MS DNS included with W2K8 R2.
SERVER55 is a domain member. Its TCP/IP DNS server settings point to SERVER52 and SERVER53.
SERVER55's DNS Server is configured with four Primary (non-AD integrated) forward lookup zones (D1, D2, D3, D4.com). Each zone contains NS records for SERVER55 and the three off-site secondary servers. Zone transfers are allowed 'to all name servers listed on the name server tab'. Notifications are sent to the same list.
If I increment the serial number for a zone on SERVER55, the change is replicated successfully to the three off-site servers. This tells me notifications and zone transfers are working properly.
All of the A records defined in the zones on SERVER55 use 202.xxx.yyy.zzz/26 IPs. All of the A records defined in the machine domains on the two DCs use 192.168.0.0/16 IPs.
SERVER55's public IP is MIPed by the firewall to 192.168.5.5/16. A policy permits DNS traffic from Untrust to Trust. Queries are received, processed and returned.
I hope I have provided the correct level of detail above. Drum roll please....
I use DNS Stuff's professional toolkit (which does not use cached data) for troubleshooting. If I perform an A lookup on www.D2.COM (or mail01 or webmail..) against any of our off-site DNS servers, I receive 100% correct results (202.xxx.yyy.zzz IPs). If I use the MMC DNS snap-in and the 'Run NSLOOKUP' option against SERVER55 for www.D2.COM (or mail01 or webmail...), the IPs returned are 202.xxx.yyy.zzz IPs.
If, however, I run the queries against SERVER55, 100% of the time I receive the 192.168.0.0/16 address that is defined in the zone of the corresponding domain name on SERVER52 and SERVER53.
DNS Stuff Query to OSNS2 www.D2.COM
DNS Stuff Query to OSNS3 mail01.D2.COM Results: 202.xxx.yyy.76
DNS Stuff Query to OSNS1 webmail.D2.COM Results: 202.xxx.yyy.100
NSLOOKUP Query On SERVER55 www.D2.COM
NSLOOKUP Query On SERVER55 mail01.D2.COM Results: 202.xxx.yyy.76
NSLOOKUP Query On SERVER55 webmail.D2.COM Results: 202.xxx.yyy.100
(Above results are as expected)
DNS Stuff Query to SERVER55 www.D2.COM
DNS Stuff Query to SERVER55 mail01.D2.COM Results: 192.168.0.189
DNS Stuff Query to SERVER55 webmail.D2.COM Results: 192.168.0.191
(Not what we're looking for!)
The only thing that I can think of is that the results obtained by SERVER55's DNS Client (when querying SERVER52 and SERVER53) are being used in the responses sent by SERVER55 rather than using the data contained in SERVER55's DNS Zones. It has always been my (perhaps wrong!) understanding that the local primary zone files are all-powerful and take precedence over the results returned by the client service on the machine.
Fortunately the public-facing DNS server zone data is quite static. To overcome the issue of private IP addresses being returned when the query is routed to SERVER55, I have stopped the DNS Server service on that machine. Timeouts are being experienced, but at least the public is being given IPs they can access.
Is it true a W2K8 R2 machine will use DNS Client results in a DNS Server response, even if the name appears in a local DNS primary zone? Can this priority be changed? If so, references to knowledgebase articles or similar would be much appreciated.
Thank you for reading! I'm happy to provide as much further detail as I can.
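A small stdlib-only audit script, added here as an example and not part of the post or of Microsoft DNS: it sends an A query straight to a named server over UDP (so neither the local resolver cache nor the client's DNS Client settings are involved), parses the answer section, and flags any public-facing server that hands out RFC 1918 space. The OBSERVED sample is constructed from the post's results, with 203.0.113.x standing in for the elided 202.xxx.yyy.x addresses; server and zone names are otherwise as in the post.

```python
import ipaddress
import socket
import struct

RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
# Constructed sample mirroring the post; 203.0.113.x stands in for the elided 202.xxx.yyy.x
OBSERVED = {
    "OSNS2": {"mail01.d2.com": ["203.0.113.76"], "webmail.d2.com": ["203.0.113.100"]},
    "SERVER55": {"mail01.d2.com": ["192.168.0.189"], "webmail.d2.com": ["192.168.0.191"]},
}

def build_a_query(name, txid=0x1234):
    """Minimal DNS A/IN query with RD set, in wire format (stdlib only)."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    qname = b"".join(bytes([len(l)]) + l.encode() for l in name.rstrip(".").split("."))
    return header + qname + b"\x00" + struct.pack("!HH", 1, 1)  # QTYPE=A, QCLASS=IN
def _skip_name(msg, off):
    """Advance past a (possibly compressed) domain name; return the new offset."""
    while True:
        n = msg[off]
        if n & 0xC0 == 0xC0:  # 2-byte compression pointer ends the name
            return off + 2
        if n == 0:
            return off + 1
        off += 1 + n
def parse_a_answers(msg):
    """Return the IPv4 strings found in the answer section of a DNS response."""
    qdcount, ancount = struct.unpack("!HH", msg[4:8])
    off = 12
    for _ in range(qdcount):
        off = _skip_name(msg, off) + 4  # skip QTYPE and QCLASS
    ips = []
    for _ in range(ancount):
        off = _skip_name(msg, off)
        rtype, _cls, _ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        if rtype == 1 and rdlen == 4:
            ips.append(socket.inet_ntoa(msg[off:off + 4]))
        off += rdlen
    return ips
def query_a(server, name, timeout=3.0):
    """Ask one specific server directly over UDP, bypassing the local resolver cache."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(build_a_query(name), (server, 53))
        data, _ = s.recvfrom(4096)
    return parse_a_answers(data)
def private_leaks(answers_by_server):
    """(server, name, ip) triples where a public-facing server answered with RFC 1918 space."""
    return sorted((srv, name, ip) for srv, names in answers_by_server.items()
                  for name, ips in names.items()
                  for ip in ips if any(ipaddress.ip_address(ip) in n for n in RFC1918))
```

Run `private_leaks({srv: {n: query_a(ip, n) for n in names} for srv, ip in servers.items()})` against SERVER55 and the three off-site secondaries; an empty list means no private address escaped to the public zone.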