I'm stuck in solving the following problem.
We have 2 domain and DNS controllers. Everything works like it should, except for something very weird.
On the DNS servers we have 2 extra Primary AD integrated zones to make sure everybody uses Google safe search.
If we use the 1st DNS server, www.google.com redirects perfectly to forcesafesearch.google.com, like it should. However, when using the second DNS server, it doesn't resolve. Yet, the zone is transfered from server 1 to server 2.... they have both the exact same settings....
What have I tried:
-Flush cache on clients and servers. Clean up old records, update the server data for the master DNS servers. Rebooted the servers, restarted the DNS service... etc... I'm really starting to get out of options.
What it should do:
C:\WINDOWS\system32>nslookup
Default Server: dom1.none.local
Address: 192.168.2.77
> www.google.com
Server: dom1.none.local
Address: 192.168.2.77
Name: forcesafesearch.google.com
Address: 216.239.38.120
Aliases: www.google.com
and what server 2 does:
C:\WINDOWS\system32>nslookup
Default Server: dom2.none.local
Address: 192.168.2.79
> www.google.com
When you lookup forcesafesearch.google.com on server 2, it resolves just fine to the correct ip address...
I'm puzzled by this, because everything else works just fine.
The zone name is: www.google.com. then a DNAME record linking to forcesafesearch.google.com.
It's all text book.. yet for some unknown reason, it doesn't work :(
Setup: both the servers are running 2012R2 latest version fully up2date.
//more info:
C:\WINDOWS\system32>nslookup
Default Server: dom2.none.local
Address: 192.168.2.79
> www.google.com
Server: dom2.none.local
Address: 192.168.2.79
Name: www.google.com
> google.com
Server: dom2.none.local
Address: 192.168.2.79
Non-authoritative answer:
Name: google.com
Addresses: 2a00:1450:400c:c04::64
64.15.124.119
64.15.124.123
64.15.124.120
64.15.124.121
64.15.124.117
64.15.124.116
64.15.124.118
64.15.124.122
> forcesafesearch.google.com
Server: dom2.none.local
Address: 192.168.2.79
Non-authoritative answer:
Name: forcesafesearch.google.com
Address: 216.239.38.120
>
and from the log:
18/03/2016 14:39:46 0B38 PACKET 0000008C13C3C1A0 UDP Rcv ::1 0012 Q [0001 D NOERROR] A (3)www(6)google(2)com(11)none(5)local(0)
UDP question info at 0000008C13C3C1A0
Socket = 524
Remote addr ::1, port 55912
Time Query=3300, Queued=0, Expire=0
Buf length = 0x0fa0 (4000)
Msg length = 0x0031 (49)
Message:
XID 0x0012
Flags 0x0100
QR 0 (QUESTION)
OPCODE 0 (QUERY)
AA 0
TC 0
RD 1
RA 0
Z 0
CD 0
AD 0
RCODE 0 (NOERROR)
QCOUNT 1
ACOUNT 0
NSCOUNT 0
ARCOUNT 0
QUESTION SECTION:
Offset = 0x000c, RR count = 0
Name "(3)www(6)google(2)com(11)none(5)local(0)"
QTYPE A (1)
QCLASS 1
ANSWER SECTION:
empty
AUTHORITY SECTION:
empty
ADDITIONAL SECTION:
empty
18/03/2016 14:39:46 0B38 PACKET 0000008C13C3C1A0 UDP Snd ::1 0012 R Q [8385 A DR NXDOMAIN] A (3)www(6)google(2)com(11)none(5)local(0)
UDP response info at 0000008C13C3C1A0
Socket = 524
Remote addr ::1, port 55912
Time Query=3300, Queued=0, Expire=0
Buf length = 0x0fa0 (4000)
Msg length = 0x0076 (118)
Message:
XID 0x0012
Flags 0x8583
QR 1 (RESPONSE)
OPCODE 0 (QUERY)
AA 1
TC 0
RD 1
RA 1
Z 0
CD 0
AD 0
RCODE 3 (NXDOMAIN)
QCOUNT 1
ACOUNT 0
NSCOUNT 1
ARCOUNT 0
QUESTION SECTION:
Offset = 0x000c, RR count = 0
Name "(3)www(6)google(2)com(11)none(5)local(0)"
QTYPE A (1)
QCLASS 1
ANSWER SECTION:
empty
AUTHORITY SECTION:
Offset = 0x0031, RR count = 0
Name "(11)none(5)local(0)"
TYPE SOA (6)
CLASS 1
TTL 3600
DLEN 40
DATA
PrimaryServer: (4)dom2[C031](11)none(5)local(0)
Administrator: (10)hostmaster[C031](11)none(5)local(0)
SerialNo = 161741
Refresh = 900
Retry = 600
Expire = 86400
MinimumTTL = 3600
ADDITIONAL SECTION:
empty
18/03/2016 14:39:46 0B38 PACKET 0000008C13D4E1F0 UDP Rcv ::1 0013 Q [0001 D NOERROR] AAAA (3)www(6)google(2)com(11)none(5)local(0)
UDP question info at 0000008C13D4E1F0
Socket = 524
Remote addr ::1, port 55913
Time Query=3300, Queued=0, Expire=0
Buf length = 0x0fa0 (4000)
Msg length = 0x0031 (49)
Message:
XID 0x0013
Flags 0x0100
QR 0 (QUESTION)
OPCODE 0 (QUERY)
AA 0
TC 0
RD 1
RA 0
Z 0
CD 0
AD 0
RCODE 0 (NOERROR)
QCOUNT 1
ACOUNT 0
NSCOUNT 0
ARCOUNT 0
QUESTION SECTION:
Offset = 0x000c, RR count = 0
Name "(3)www(6)google(2)com(11)none(5)local(0)"
QTYPE AAAA (28)
QCLASS 1
ANSWER SECTION:
empty
AUTHORITY SECTION:
empty
ADDITIONAL SECTION:
empty
These KB's all cause this behaviour. With Microsoft's non-security, security and preview rollups that are promised each month be prepared to decline everything but security only updates (so far as of October 2016) if you want any DNAME functionality.
EDIT: Should note that KB3192392 October 2016 security only update has no affect on this.