Xetroximyn asked:

nslookup returns one thing... then I ping same hostname and get different IP

any idea how this can happen?

C:\Documents and Settings\Administrator.xyz>nslookup xyzipa1.domain.com
Server:  xyzipa1.domain.com
Address:  192.168.1.18

Name:    xyzipa1.domain.com
Address:  192.168.1.18


C:\Documents and Settings\Administrator.xyz>ping xyzipa1.domain.com

Pinging xyzipa1.domain.com [72.167.232.226] with 32 bytes of data:

Reply from 72.167.232.226: bytes=32 time=83ms TTL=53
Reply from 72.167.232.226: bytes=32 time=80ms TTL=53
Reply from 72.167.232.226: bytes=32 time=81ms TTL=53

Ping statistics for 72.167.232.226:
    Packets: Sent = 3, Received = 3, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
    Minimum = 80ms, Maximum = 83ms, Average = 81ms
Control-C


SOLUTION
Dave Baldwin

This solution is only available to members.

Xetroximyn (ASKER)

Yes - this server is on my LAN. It's also my DNS server. And the A record for itself (as you can see by the nslookup) is set to the private IP address. Why would my PC then ping some random public IP when I ping the same hostname? I mean... shouldn't ping be doing the same DNS lookup that nslookup is doing and get the same private IP and ping that?

I have no idea what that public IP is...
I'm going to assume that the DNS server on your LAN is actually hosting the domain.com zone? From what you've written I would say you have a client misconfiguration, zone misconfiguration or the DNS server's primary DNS is not looking to itself first. Check all of your client/server DNS settings and make sure they're correct. From there you can do 1 of 2 things easily.

1. Packet capture.
2. Turn on DNS debugging and read through the debug logs to see what has occurred.

I would go with a packet capture because it is simple and fast. The logs are fine too though. Assuming you're going to do a packet capture... I would first run a packet capture on the client (Wireshark is best though you can use netmon or whatever else you prefer). Set a filter of: dns.qry.name == "xyzipa1.domain.com". Clear your DNS server cache and client cache (for the client: ipconfig /flushdns).

When you ping xyzipa1.domain.com, you should see activity as follows.

1. A DNS request (if you use WINS you may also see a WINS request go out) from your client to its DNS server.
2. You should see a reply from the DNS server with an IP address in response to the request.

Did this happen? Or has it come back with the public IP? Did the client send a DNS request to your DNS server only or has it sent additional requests off to another DNS server? If it has come back with a public IP response from your DNS server, install Wireshark on the DNS server or, if it is Linux, perform a tcpdump.

You want to clear the DNS server's cache and also the client cache again before you start. Before you ping from the client, start the packet capture. When you ping from the client, on the DNS server you should see the following.

1. Incoming DNS request from the client.
2. Response from your server back.

Does this happen? Did your DNS server send a DNS query off externally to resolve the address rather than responding itself?

ASKER CERTIFIED SOLUTION
This solution is only available to members.

@learnctx I will try to get to trying the things you suggest as soon as I have time. Still, in the meantime, am I justified in thinking that it is strange that nslookup returns a local address and when I try to ping, apparently the DNS resolution returns a public address? I mean.... let's just think about what *should* happen for a minute... when I do an nslookup or when I do a ping, am I wrong that the EXACT SAME thing should happen in the background between my PC and DNS server to get the IP for that name?? The only difference between the 2 commands should be that ping should ping it once it has the IP.

Or is there a fundamental difference in the DNS lookups done by ping and nslookup?
It isn't the same and it should not be. As giltjr correctly stated, nslookup just checks DNS, while everything else goes to the network name resolution layer of Windows. That layer of the network stack also prefers IPv6 over IPv4, and uses only one address if DNS would give out alternative addresses.
So as soon as DNS is not working 100% ok, there is a difference. If WINS is faster, it will answer, for example. If there is something in the local name cache (see results of ipconfig /displaydns, nbtstat -c and nbtstat -r), it takes precedence. And so on.

Having said that, it is strange that using the fully qualified domain name does not lead to the same result. What happens if you use only the hostname?
The public IP probably results from your public DNS server resolving any unknown name using the master domain's name to its public IP. An nslookup of thisshouldnotresolve.domain.com will return the same public IP, if I'm correct.
To further reinforce what has been said, from https://en.wikipedia.org/wiki/Nslookup:
"nslookup does not use the operating system's local Domain Name System resolver library to perform its queries"

Can you post the output from the following command:

type "C:\Windows\system32\drivers\etc\hosts"
Hi There,

Check the host file entry.
The nslookup command queries the internal DNS servers defined and responds with the A record corresponding to it.
The ping command would check the host file and later the DNS servers.
There is a high probability that you have defined a host file entry on your machine for the stated website.
Check the behavior with another domain workstation and verify the status.
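
The hosts-file check suggested in the posts above, as an added example (not code from any poster in this thread): it parses hosts-file text and reports addresses pinned for a name that differ from what nslookup returned. The sample hosts content is constructed, since the asker's real file never appears in the thread; `parse_hosts` and `hosts_overrides` are hypothetical helper names.

```python
import ipaddress

# Constructed sample: the asker's real hosts file never appears in the thread.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-2009 Microsoft Corp.
127.0.0.1        localhost
72.167.232.226   xyzipa1.domain.com xyzipa1   # constructed override entry
999.1.1.1        broken.domain.com            # invalid address, ignored
"""


def parse_hosts(text):
    """Map each lowercased name in hosts-file text to the addresses listed for it."""
    table = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments and blank lines
        if not line:
            continue
        address, *names = line.split()
        try:
            address = str(ipaddress.ip_address(address))
        except ValueError:
            continue                          # not a usable IPv4/IPv6 address
        for name in names:
            table.setdefault(name.lower().rstrip("."), []).append(address)
    return table


def hosts_overrides(hostname, dns_answers, hosts_text):
    """Return hosts-file addresses for hostname that DNS did not return."""
    listed = parse_hosts(hosts_text).get(hostname.lower().rstrip("."), [])
    wanted = {str(ipaddress.ip_address(a)) for a in dns_answers}
    return [a for a in listed if a not in wanted]


if __name__ == "__main__":
    # 192.168.1.18 is the A record nslookup printed in the question.
    for name in ("xyzipa1.domain.com", "XYZIPA1"):
        print(name, hosts_overrides(name, ["192.168.1.18"], SAMPLE_HOSTS))
```

To run it against a real machine, pass the text of C:\Windows\system32\drivers\etc\hosts in place of `SAMPLE_HOSTS`; any address it returns is an entry nslookup will not show.
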
Honestly, for me, this was about trying to get IPA to work - and I gave up on that.  DNS issues went away - If you would like to flag the comments you find the most helpful please feel free :-).  (honestly - you and all the answerers probably know best what the most helpful answers are than me, since I never wound up digging deep here).... :-)
I don't know what IPA is, but I would suggest you still look at your hosts file.  

If it altered your hosts file during install, you have no idea what else is in there.
If the moderators can tell the authors what the correct answer is, then what's the point of having the author close the question and assign points?   Why not just do it for them?  Then we wouldn't have to worry about questions left open, either.
Hi Moderators,

No offence, but just trying to understand how come you all are influencing authors to review/change their accepted solutions.
I was being facetious. I don't think that the moderators should be twisting arms to push what they feel is a better answer. I don't know how many times I posted the most accurate or only accurate answer to a question, another answer was chosen, and I kept my mouth shut because I felt that it was up to the author to make that determination.
"Why not just do it for them? Then we wouldn't have to worry about questions left open, either."
I think Jan has a point.... I pay to use EE... I sort of understand you want answers chosen, etc that helps the community as a whole and all... but the being forced to resolve questions before I can ask more seems a bit overboard to me...  feels like I have to pay AND do work for the site....  Perhaps you should have a "pick for me" button for a person who does not care.

In any case - select answers you think are helpful if you want, but please don't delete the question... if I ever resume my task I want this thread to look back at and review in more detail.
I charge more for an hour of my labor than you pay in a month for using this site.  Maybe you could do some things to help yourself when you are getting some high-priced help here.