Note: Wrong assumptions
It turned out that the VPN is configured to redirect all name lookups to a different server. So the problem is not the Windows DNS but the VPN Gateway.
Original Question
I have a remote network 10.12.0.0/16 with a Windows Domain Controller (SBS 2011) and a VPN Gateway. A Windows PC (not a domain member) uses an L2TP VPN to connect to the SBS. It gets a virtual IP in 10.14.0.0/24. The VPN gateway is the SBS's default gateway and routes between the two networks. SBS and client can ping each other.
The Domain Controller owns the Active Directory Domain company.local. If I nslookup it on the SBS it is correctly resolved to the IP of the SBS. A query from the VPN Gateway works as well. But an nslookup company.local 10.12.0.5 (the latter is the SBS IP) from the client will respond that the domain is not found. Via tcpdump on the VPN gateway I can see that the SBS really returns NXDOMAIN 0/0/0.
As you might already guess, the goal is to join the domain with the VPN-connected computer.
Why does the DNS Server not return the correct A Record? My only idea is that the query comes from an unknown private network.
Update 01
Full query from the client computer:
C:\Users\abc>nslookup -debug company.local 10.12.0.5
------------
Got answer:
HEADER:
opcode = QUERY, id = 1, rcode = NOERROR
header flags: response, auth. answer, want recursion, recursion avail.
questions = 1, answers = 1, authority records = 0, additional = 0
QUESTIONS:
5.0.12.10.in-addr.arpa, type = PTR, class = IN
ANSWERS:
-> 5.0.12.10.in-addr.arpa
name = xyz.cloud.internal
ttl = 0 (0 secs)
------------
Server: xyz.cloud.internal
Address: 10.12.0.5
------------
Got answer:
HEADER:
opcode = QUERY, id = 2, rcode = NXDOMAIN
header flags: response, want recursion, recursion avail.
questions = 1, answers = 0, authority records = 0, additional = 0
QUESTIONS:
company.local, type = A, class = IN
------------
------------
Got answer:
HEADER:
opcode = QUERY, id = 3, rcode = NXDOMAIN
header flags: response, want recursion, recursion avail.
questions = 1, answers = 0, authority records = 0, additional = 0
QUESTIONS:
company.local, type = AAAA, class = IN
------------
------------
Got answer:
HEADER:
opcode = QUERY, id = 4, rcode = NXDOMAIN
header flags: response, want recursion, recursion avail.
questions = 1, answers = 0, authority records = 0, additional = 0
QUESTIONS:
company.local, type = A, class = IN
------------
------------
Got answer:
HEADER:
opcode = QUERY, id = 5, rcode = NXDOMAIN
header flags: response, want recursion, recursion avail.
questions = 1, answers = 0, authority records = 0, additional = 0
QUESTIONS:
company.local, type = AAAA, class = IN
------------
*** xyz.cloud.internal can't find company.local: Non-existent domain
Update 02
C:\Users\abc>nslookup -debug _ldap._tcp.dc._msdcs.company.local.
------------
Got answer:
HEADER:
opcode = QUERY, id = 1, rcode = NOERROR
header flags: response, auth. answer, want recursion, recursion avail.
questions = 1, answers = 1, authority records = 0, additional = 0
QUESTIONS:
5.0.12.10.in-addr.arpa, type = PTR, class = IN
ANSWERS:
-> 5.0.12.10.in-addr.arpa
name = xyz.cloud.internal
ttl = 0 (0 secs)
------------
Server: xyz.cloud.internal
Address: 10.12.0.5
------------
Got answer:
HEADER:
opcode = QUERY, id = 2, rcode = NXDOMAIN
header flags: response, want recursion, recursion avail.
questions = 1, answers = 0, authority records = 0, additional = 0
QUESTIONS:
_ldap._tcp.dc._msdcs.company.local, type = A, class = IN
------------
------------
Got answer:
HEADER:
opcode = QUERY, id = 3, rcode = NXDOMAIN
header flags: response, want recursion, recursion avail.
questions = 1, answers = 0, authority records = 1, additional = 0
QUESTIONS:
_ldap._tcp.dc._msdcs.company.local, type = AAAA, class = IN
AUTHORITY RECORDS:
-> (root)
ttl = 10789 (2 hours 59 mins 49 secs)
primary name server = a.root-servers.net
responsible mail addr = nstld.verisign-grs.com
serial = 2013011600
refresh = 1800 (30 mins)
retry = 900 (15 mins)
expire = 604800 (7 days)
default TTL = 86400 (1 day)
------------
*** xyz.cloud.internal can't find _ldap._tcp.dc._msdcs.company.local.: Non-existent domain
Best Answer
The problem (as troubleshot in the comments) ends up being that the VPN gateway was intercepting the DNS queries.
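The debug output in the question already carries the evidence for this answer: the NXDOMAIN replies for company.local lack the "auth. answer" flag, and the AAAA reply carries a root SOA, neither of which the DC hosting that zone would send. As an added illustration (not code from the question or the answer), the script below parses nslookup -debug text and flags such replies; the sample is condensed from the question's output, and the function names are my own.

```python
import re

# Constructed sample, condensed from the nslookup -debug output in the question:
# two non-authoritative NXDOMAINs for company.local, the second with a root SOA.
SAMPLE = """\
------------
Got answer:
opcode = QUERY, id = 2, rcode = NXDOMAIN
header flags: response, want recursion, recursion avail.
QUESTIONS:
company.local, type = A, class = IN
------------
Got answer:
opcode = QUERY, id = 3, rcode = NXDOMAIN
header flags: response, want recursion, recursion avail.
QUESTIONS:
_ldap._tcp.dc._msdcs.company.local, type = AAAA, class = IN
AUTHORITY RECORDS:
-> (root)
primary name server = a.root-servers.net
------------
"""

def parse_nslookup_debug(text):
    """Turn each 'Got answer:' block into a dict: name, qtype, rcode, aa, root_soa."""
    answers = []
    for block in re.split(r"^-{6,}\s*$", text, flags=re.M):
        rcode = re.search(r"rcode = (\w+)", block)
        q = re.search(r"^(\S+), type = (\w+), class = IN", block, re.M)
        flags = re.search(r"header flags: (.*)", block)
        if not (rcode and q and flags):
            continue  # preamble or trailing text, not an answer block
        answers.append({"name": q.group(1).rstrip("."), "qtype": q.group(2),
                        "rcode": rcode.group(1), "aa": "auth. answer" in flags.group(1),
                        "root_soa": "-> (root)" in block})
    return answers

def interception_indicators(answers, zone):
    """Flag replies for names under `zone` that its authoritative DC could not have sent."""
    findings = []
    for a in answers:
        if a["name"] != zone and not a["name"].endswith("." + zone):
            continue
        if a["rcode"] == "NXDOMAIN" and not a["aa"]:
            findings.append(f"{a['name']}/{a['qtype']}: NXDOMAIN without AA flag, not from the zone's server")
        if a["root_soa"]:
            findings.append(f"{a['name']}/{a['qtype']}: root SOA in authority section, answered via public recursion")
    return findings
```

Run it against the real output of `nslookup -debug company.local 10.12.0.5` captured on the client; an empty result for the internal zone means the reply really came from the server you addressed.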