Given a Microsoft Active Directory domain configured as a subdomain of the company's public DNS domain, say:
- public domain contoso.com
- Active Directory domain inside.contoso.com
There are five Domain Controllers (DCs) in four sites. All of them are also DNS servers configured with contoso.com and inside.contoso.com as separate AD integrated zones. Three of the DCs are running Server 2008R2, the other two, Server 2012.
Now irritatingly, a folder named "inside" keeps appearing in zone contoso.com which contains A records for some or all of the DCs. If I delete all of these records the folder disappears, only to reappear a few minutes later with a single DC's A record, and A records for the other DCs added gradually. It looks as if, when the DCs register themselves in DNS, the entries get added to zone contoso.com instead of inside.contoso.com where they belong.
Simple question: why?
Note 1: All the DCs are also correctly listed as A records in zone intern.contoso.com. I do not know if these entries have been added manually, though.
Note 2: None of the other host entries in zone inside.contoso.com are ever duplicated to the inside folder in zone contoso.com.
When something (up to and including a DC) tries to register a DNS record ending with .inside.contoso.com with your DNS servers, the request matches two zones and thus gets registered in both of them, because the server doesn't know they are related. What is missing here is a delegation for the inside.contoso.com zone in the contoso.com zone; this will tell the server that inside.contoso.com is indeed a subdomain of contoso.com, and thus a record in that zone should only be registered there. You need to create a delegation and list all DCs as delegates.
The problem:
The solution:
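The delegation described in this answer, as an added PowerShell example that is not part of the original answer. It assumes the DnsServer module (shipped with Server 2012, so run it on one of the 2012 DCs), that the script runs on a DC hosting both zones, and that the DC names and addresses are placeholders to be replaced with your own:

```powershell
# Added example, not from the original answer. Assumes the DnsServer PowerShell
# module (Server 2012 or later) on a DC that hosts both zones.
$parentZone = 'contoso.com'
$childLabel = 'inside'                 # delegation for inside.contoso.com
$childZone  = "$childLabel.$parentZone"

# Placeholder list: every DC that hosts the inside.contoso.com zone.
# Assumption: the n-th IP address is the glue for the n-th name server.
$nsNames = @("dc1.$childZone", "dc2.$childZone")
$nsIPs   = @('10.0.1.10', '10.0.2.10')

# 1. Show the stray DC records sitting in the parent zone's "inside" folder.
#    Records under the folder appear with HostName like "dc1.inside".
$stray = Get-DnsServerResourceRecord -ZoneName $parentZone -RRType A |
    Where-Object { $_.HostName -like "*.$childLabel" }
$stray | Select-Object HostName, RecordData

# 2. Create the delegation: NS records for "inside" in contoso.com plus glue A records.
Add-DnsServerZoneDelegation -Name $parentZone -ChildZoneName $childLabel `
    -NameServer $nsNames -IPAddress $nsIPs

# 3. Remove the stray records; with the delegation in place they should not come back.
foreach ($rr in $stray) {
    Remove-DnsServerResourceRecord -ZoneName $parentZone -RRType A `
        -Name $rr.HostName -Force
}

# 4. Verify: the parent zone now answers the child name with a referral to the DCs.
Get-DnsServerZoneDelegation -Name $parentZone
Resolve-DnsName -Name $childZone -Type NS -Server localhost
```

After the change, re-check the parent zone a few minutes later (the dynamic registration interval the question describes) to confirm the "inside" folder contains only the NS delegation and glue records, not A records for every DC.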
So I ran into this same issue a few months back when I was doing a virtual lab, and if memory serves me correctly the short reason why this is occurring is because your manually created zone for contoso.com is AD-Integrated into your inside.contoso.com domain, and replicates to the DCs in the inside.contoso.com zone, which is why you're seeing the folder (similar to the _msdcs subdomain folder that exists in other domains). Because they are hosts that contoso.com is aware of and are part of a subdomain, a folder with the name of the subdomain is created and host records for the DCs are also automatically created; but the other host records in internal.contoso.com it is unaware of, and it is also not authoritative for them anyway, so no records are created automatically like the DCs' are.
The problem with doing this (for which there is a solution), I came to find out, is that when you create a zone for an external-facing namespace you MUST maintain records for ALL devices in that zone, not just the ones you want to create records for to facilitate resolution to your internal hosts (remember this zone is authoritative).
This is one of the compromises of using subdomains for internal Domain Design (Active Directory) versus a split-brain domain design. However, it's still for the best, because you will have a valid subdomain for issuing third-party certificates to for inside.contoso.com and external DNS namespaces without issue.
The resolution mentioned earlier: So to resolve the issue of needing a zone to resolve external servers for internal clients (or whatever the reason may be) is to do something very similar to what you're doing now, just on a manual, one-by-one scale, called "Pinpoint DNS". What you do here is you create a zone for EACH server you wish to allow resolution for. This may sound tedious, but if you have MANY servers that you require internal resolution for, perhaps you may just want to make that zone non-AD-integrated and authoritative (I have no experience with this; maybe someone can chime in on what that would entail).
Pin-Point DNS Guide: Check the link below to help you create those manual, single zone entries to properly resolve external servers for internal clients while not being authoritative for the entire external domain: http://exchangenerd.com/2014/03/pin-point-dns-split-dns-alternative/
Active Directory Naming Guide (answers lots of commenters' questions): For excellent information on why to use subdomains for internal AD Domain design and other reasons, see the link to the guide below authored by Maxmahem (many comments are asking why you have things set up this way, and the guide below as well as Microsoft's own best practices for AD naming speak to these reasons too):
https://docs.google.com/document/d/16xl2j-2Ns_JuQvFLG61Gw5iabz62LnTUKpCYtYn4f08/edit#heading=h.vw1qd8ol95y1
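The "Pinpoint DNS" approach this answer describes, as an added PowerShell example that is not part of the answer or the linked guide. It creates one AD-integrated zone whose name is the single external host name to override, so internal clients get the chosen address for that name while the DCs never become authoritative for the rest of contoso.com. It assumes the DnsServer module (Server 2012 or later); the host name and address are placeholders:

```powershell
# Added example, not from the original answer. Assumes the DnsServer PowerShell
# module (Server 2012 or later) on a DC / DNS server in the inside.contoso.com domain.
$hostFqdn = 'www.contoso.com'     # placeholder: the one external name to override
$targetIp = '203.0.113.10'        # placeholder: address internal clients should receive

# The zone name IS the host name. Domain replication scope puts it on every DNS
# server in inside.contoso.com; dynamic updates are disabled so nothing else
# (DCs included) can register records into it.
Add-DnsServerPrimaryZone -Name $hostFqdn -ReplicationScope Domain -DynamicUpdate None

# The apex ("@") A record answers queries for www.contoso.com itself.
Add-DnsServerResourceRecordA -ZoneName $hostFqdn -Name '@' -IPv4Address $targetIp

# Check 1: the override resolves from this server.
Resolve-DnsName -Name $hostFqdn -Type A -Server localhost

# Check 2: contoso.com itself is NOT hosted here, so every other name in it
# is still resolved via forwarders / root hints instead of answered as NXDOMAIN.
Get-DnsServerZone | Where-Object { $_.ZoneName -like '*contoso.com' } |
    Select-Object ZoneName, ZoneType, IsDsIntegrated, DynamicUpdate
```

One caveat worth knowing before adopting this at scale: a pinpoint zone for www.contoso.com also makes these servers authoritative for any name underneath it (for example foo.www.contoso.com), which is usually harmless but is why a wildcard or a full zone for contoso.com is not the same thing. If the second check lists a contoso.com zone, that zone is the one causing the "inside" folder in the question and would have to be removed for the pinpoint approach to apply.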