Windows DNS answers NXDOMAIN for local zone from VPN

active-directory domain-name-system vpn

Note: Wrong assumptions

It turned out that the VPN is configured to redirect all name lookups to a different server. So the problem is not the Windows DNS but the VPN Gateway.

Original Question

I have a remote network 10.12.0.0/16 with a Windows Domain Controller (SBS 2011) and a VPN Gateway. A Windows PC (not a domain member) uses an L2TP VPN to connect to the SBS. It gets a virtual IP in 10.14.0.0/24. The VPN gateway is the SBS's default gateway and routes between the two networks. The SBS and the client can ping each other.

The Domain Controller owns the Active Directory Domain company.local. If I nslookup it on the SBS, it is correctly resolved to the IP of the SBS. A query from the VPN Gateway works as well. But an nslookup company.local 10.12.0.5 (the latter is the SBS IP) from the client responds that the domain is not found. Via tcpdump on the VPN gateway I can see that the SBS really returns NXDOMAIN 0/0/0.

As you might already guess the goal is to join the domain with the VPN connected computer.

Why does the DNS Server not return the correct A Record? My only idea is that the query comes from an unknown private network.

Update 01

Full query from the client computer:

C:\Users\abc>nslookup -debug company.local 10.12.0.5
------------
Got answer:
    HEADER:
        opcode = QUERY, id = 1, rcode = NOERROR
        header flags:  response, auth. answer, want recursion, recursion avail.
        questions = 1,  answers = 1,  authority records = 0,  additional = 0

    QUESTIONS:
        5.0.12.10.in-addr.arpa, type = PTR, class = IN
    ANSWERS:
    ->  5.0.12.10.in-addr.arpa
        name = xyz.cloud.internal
        ttl = 0 (0 secs)

------------
Server:  xyz.cloud.internal
Address:  10.12.0.5

------------
Got answer:
    HEADER:
        opcode = QUERY, id = 2, rcode = NXDOMAIN
        header flags:  response, want recursion, recursion avail.
        questions = 1,  answers = 0,  authority records = 0,  additional = 0

    QUESTIONS:
        company.local, type = A, class = IN

------------
------------
Got answer:
    HEADER:
        opcode = QUERY, id = 3, rcode = NXDOMAIN
        header flags:  response, want recursion, recursion avail.
        questions = 1,  answers = 0,  authority records = 0,  additional = 0

    QUESTIONS:
        company.local, type = AAAA, class = IN

------------
------------
Got answer:
    HEADER:
        opcode = QUERY, id = 4, rcode = NXDOMAIN
        header flags:  response, want recursion, recursion avail.
        questions = 1,  answers = 0,  authority records = 0,  additional = 0

    QUESTIONS:
        company.local, type = A, class = IN

------------
------------
Got answer:
    HEADER:
        opcode = QUERY, id = 5, rcode = NXDOMAIN
        header flags:  response, want recursion, recursion avail.
        questions = 1,  answers = 0,  authority records = 0,  additional = 0

    QUESTIONS:
        company.local, type = AAAA, class = IN

------------
*** xyz.cloud.internal can't find company.local: Non-existent domain

Update 02

C:\Users\abc>nslookup -debug _ldap._tcp.dc._msdcs.company.local.
------------
Got answer:
    HEADER:
        opcode = QUERY, id = 1, rcode = NOERROR
        header flags:  response, auth. answer, want recursion, recursion avail.
        questions = 1,  answers = 1,  authority records = 0,  additional = 0

    QUESTIONS:
        5.0.12.10.in-addr.arpa, type = PTR, class = IN
    ANSWERS:
    ->  5.0.12.10.in-addr.arpa
        name = xyz.cloud.internal
        ttl = 0 (0 secs)

------------
Server:  xyz.cloud.internal
Address:  10.12.0.5

------------
Got answer:
    HEADER:
        opcode = QUERY, id = 2, rcode = NXDOMAIN
        header flags:  response, want recursion, recursion avail.
        questions = 1,  answers = 0,  authority records = 0,  additional = 0

    QUESTIONS:
        _ldap._tcp.dc._msdcs.company.local, type = A, class = IN

------------
------------
Got answer:
    HEADER:
        opcode = QUERY, id = 3, rcode = NXDOMAIN
        header flags:  response, want recursion, recursion avail.
        questions = 1,  answers = 0,  authority records = 1,  additional = 0

    QUESTIONS:
        _ldap._tcp.dc._msdcs.company.local, type = AAAA, class = IN
    AUTHORITY RECORDS:
    ->  (root)
        ttl = 10789 (2 hours 59 mins 49 secs)
        primary name server = a.root-servers.net
        responsible mail addr = nstld.verisign-grs.com
        serial  = 2013011600
        refresh = 1800 (30 mins)
        retry   = 900 (15 mins)
        expire  = 604800 (7 days)
        default TTL = 86400 (1 day)

------------
*** xyz.cloud.internal can't find _ldap._tcp.dc._msdcs.company.local.: Non-existent domain

Best Answer

The problem (as troubleshot in the comments) ends up being that the VPN gateway was intercepting the DNS queries.
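Added example, not part of the question or the answer above: the Update 02 output already contains the tell-tale signs of interception. The NXDOMAIN responses lack the "auth. answer" flag, and the AUTHORITY section carries the SOA of the root zone (a.root-servers.net), which is what a recursive resolver returns when it asks the public root about a private name. A server that is actually authoritative for company.local would set the AA bit and return the SOA of company.local itself. The script below parses raw DNS responses and applies exactly that check. The wire messages it builds are constructed to mirror the page's output (the name dc.company.local. for the SOA MNAME is a placeholder, not a host from the page); a real check would feed it the bytes of a response captured with tcpdump or received over a UDP socket.

```python
"""Judge whether an NXDOMAIN for a private AD zone came from the zone's own
server or from a recursive resolver sitting in the path (VPN interception).

Added example; the DNS messages are constructed, not captured from the page.
"""
import struct


def encode_name(name: str) -> bytes:
    """Wire-encode a dotted name; "." (the root) encodes as a single zero byte."""
    out = b""
    for label in name.rstrip(".").split("."):
        if label:
            out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def build_nxdomain(qname: str, aa: bool, soa_owner: str, mname: str) -> bytes:
    """Constructed NXDOMAIN (RCODE 3) response with one SOA in AUTHORITY.

    aa sets the Authoritative Answer bit; soa_owner is the zone apex the
    responder claims to speak for ("." mimics the root SOA seen in Update 02).
    """
    flags = 0x8000 | 0x0100 | 0x0080 | 0x0003       # QR, RD, RA, RCODE=NXDOMAIN
    if aa:
        flags |= 0x0400                              # AA bit
    header = struct.pack("!HHHHHH", 2, flags, 1, 0, 1, 0)   # qd=1 an=0 ns=1 ar=0
    question = encode_name(qname) + struct.pack("!HH", 1, 1)  # type A, class IN
    rdata = encode_name(mname) + encode_name("hostmaster." + soa_owner)
    rdata += struct.pack("!IIIII", 2013011600, 1800, 900, 604800, 86400)
    authority = encode_name(soa_owner) + struct.pack("!HHIH", 6, 1, 10800, len(rdata)) + rdata
    return header + question + authority


def read_name(msg: bytes, off: int):
    """Decode a (possibly compressed) name; return (name, offset after it)."""
    labels, end, jumped = [], None, False
    while True:
        length = msg[off]
        if length & 0xC0 == 0xC0:                    # compression pointer
            ptr = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF
            if not jumped:
                end = off + 2                        # resume after the pointer
            jumped = True
            off = ptr
            continue
        off += 1
        if length == 0:
            break
        labels.append(msg[off:off + length].decode("ascii"))
        off += length
    return ".".join(labels) + ".", (end if end is not None else off)


def analyze(msg: bytes) -> dict:
    """Parse header, question and AUTHORITY; say who really answered."""
    _, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    off, qname = 12, "."
    for _ in range(qd):
        qname, off = read_name(msg, off)
        off += 4                                     # QTYPE + QCLASS
    soa_owners = []
    for section, count in enumerate((an, ns, ar)):  # answer, authority, additional
        for _ in range(count):
            owner, off = read_name(msg, off)
            rtype, _cls, _ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
            off += 10 + rdlen
            if section == 1 and rtype == 6:          # SOA in AUTHORITY
                soa_owners.append(owner)
    aa, rcode = bool(flags & 0x0400), flags & 0x000F
    zone = soa_owners[0] if soa_owners else None
    if rcode != 3:
        verdict = "not NXDOMAIN"
    elif zone == ".":
        verdict = "NXDOMAIN via a resolver that asked the public root; query was intercepted"
    elif aa and zone and qname.endswith(zone):
        verdict = "authoritative NXDOMAIN from the zone's own server"
    else:
        verdict = "non-authoritative NXDOMAIN; a resolver in the path answered, not the zone server"
    return {"qname": qname, "aa": aa, "rcode": rcode, "soa_owner": zone, "verdict": verdict}


if __name__ == "__main__":
    # Constructed: what the SBS would say about a genuinely missing host.
    direct = build_nxdomain("nosuchhost.company.local.", True, "company.local.", "dc.company.local.")
    # Constructed: what the page's Update 02 shows (no AA, root SOA in AUTHORITY).
    intercepted = build_nxdomain("company.local.", False, ".", "a.root-servers.net.")
    for m in (direct, intercepted):
        print(analyze(m))
```

The same test works on live traffic: send the query to 10.12.0.5 from the VPN client and from the SBS itself, and compare the AA bit and the AUTHORITY SOA owner; if the two differ, something between the client and the server rewrote or redirected the query.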