Windows Server 2008 – Strange DNS resolution between clients and server

Tags: domain-name-system, windows

We have a new Windows 2008 R2 installation running as a domain controller with DNS. We also have external public IPs which NAT to internal resources on our network. An external DNS has been configured with these external public IPs to resolve the internal resources on our company domain name.

These same DNS records have also been configured on the internal Windows 2008 DNS to map to the internal private IPs (where the A record is for a resource not part of the AD, e.g. a custom company website URL, etc.).

Our problem is that even though internal clients and other member servers have the Windows 2008 DNS server set as their primary DNS (and the router set as the secondary DNS), the DNS query intermittently resolves to the external public IP (which won't work, as the Cisco router blocks it). Even when you do an nslookup on the resource, it shows the Windows DNS server as the primary DNS and returns the correct internal IP. But when you then ping the resource or try to access it via a browser (as it is a website), it resolves to the external public IP.

Why on earth would it do this?

Best Answer

This behavior is expected given your configuration. You shouldn't have the router's IP set as the secondary DNS for PCs and member servers, or they'll sometimes go there, which you don't want. They should only have domain controllers as their DNS so all of their DNS traffic routes through the domain controller. You can then either configure your domain controller to forward to an upstream DNS server for domains it can't resolve (usually this would be your ISP), or just leave it alone and it will use the root hints servers to resolve external queries.

Typically you would want two DNS servers on the PCs and member servers, and you would get that by having a second domain controller so that DNS (and Active Directory) continue to function if the primary goes down.
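The following PowerShell is an added example illustrating the answer above; it is not code from the question, the answer, or Microsoft. It first asks every resolver the client is configured with for the same name, so you can see which server is handing out the public NAT address, and then applies the fix the answer describes: domain controllers only on the members, and forwarders (or root hints) on the DC. All addresses and names are assumptions: the internal name is www.example.com, the DC/DNS server is 10.0.0.10, the router is 10.0.0.1, and the ISP resolvers are 203.0.113.53 and 203.0.113.54. The DnsClient and DnsServer cmdlets shipped with Windows 8 / Server 2012; on a 2008 R2 box itself the equivalents are netsh interface ipv4 set dnsservers and dnscmd /ResetForwarders.

```powershell
# Added example, not from the original post. Assumed values:
$Name          = 'www.example.com'                       # split-horizon name
$DcDns         = '10.0.0.10'                             # domain controller running DNS
$IspForwarders = @('203.0.113.53', '203.0.113.54')       # assumed ISP resolvers

# 1. Diagnosis on a member: query each configured resolver directly (-DnsOnly
#    bypasses the local cache and hosts file) and print what each one returns.
#    Split-horizon DNS only works if every resolver a client may fall back to
#    returns the internal view; a router or ISP resolver never will.
$servers = Get-DnsClientServerAddress -AddressFamily IPv4 |
    Where-Object { $_.ServerAddresses } |
    Select-Object -ExpandProperty ServerAddresses -Unique

foreach ($s in $servers) {
    try {
        $ans = Resolve-DnsName -Name $Name -Type A -Server $s -DnsOnly -ErrorAction Stop |
            Where-Object { $_.Type -eq 'A' }
        '{0,-16} -> {1}' -f $s, ($ans.IPAddress -join ', ')
    } catch {
        '{0,-16} -> lookup failed: {1}' -f $s, $_.Exception.Message
    }
}
# On the setup in the question this shows 10.0.0.10 answering with the private
# address and 10.0.0.1 (the router) answering with the public NAT address.

# 2. Fix on each PC / member server: list only domain controllers as resolvers.
#    Add a second DC's address to $DcDns when one exists; never the router or ISP.
Get-NetAdapter -Physical | Where-Object Status -eq 'Up' | ForEach-Object {
    Set-DnsClientServerAddress -InterfaceIndex $_.ifIndex -ServerAddresses $DcDns
}
Clear-DnsClientCache   # discard any public answer already cached locally

# 3. Fix on the DC (run there; needs the DnsServer module): forward names the DC
#    is not authoritative for to the ISP, falling back to root hints if the
#    forwarders do not answer. Skipping this step is also valid: with no
#    forwarders configured the DC resolves external names via root hints alone.
Set-DnsServerForwarder -IPAddress $IspForwarders -UseRootHint $true
Get-DnsServerForwarder

# 4. Re-check from the member: with the router gone from the list, step 1
#    should now print a single line, the DC returning the internal address.
```

Run steps 1, 2 and 4 on a member and step 3 on the domain controller. The diagnosis loop is worth keeping as a standing check: if any resolver a client lists returns a different answer for an internal name than the DC does, that client will intermittently reach the wrong address exactly as described in the question.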
