
Ghost DNS SRV record entry causing GPO processing issues.

I'm baffled!

I'm trying to narrow down the list of DCs that can resolve the FQDN of our domain. We have a hub-spoke topology within a non-routed environment (the only routes the spoke sites have are back to 2 central hub sites). Because of this design we want only the hub sites' DCs to resolve the domain name, i.e. ping test.local resolves to one of the hub DCs.

We have stopped the spoke site DCs from publishing the SRV resource records via a DC Locator GPO setting, which is working, as the FLZ for the domain only lists the hub site DCs in the global SRV containers with the relevant SRV records.

I then try to resolve the domain name on a non-DC spoke site's member server (which points to 2 hub site DCs for DNS). It resolves to another remote site DC which is uncontactable due to our non-routed design, and therefore GPO processing fails as it can't resolve the \\domain.name section when querying sysvol.

I've checked the member server's host files, nothing. I've cleared the DNS cache 20 times, restarted the DNS client and netlogon services, and still the server picks up the remote spoke site DC as the domain.name resolver. There is no SRV record for this spoke site DC in the global DNS containers within the domain FLZ. The spoke site DC that the domain.name is being resolved to has SRV records published, but only within the AD site container in which it resides.

The member server which has the GPO processing issue because of this is in its own AD site, which has its subnet attached to the correct site and only has site links to both hub sites. Its DNS points to 2 hub site DCs. Also, auto site link bridging is disabled.

Where the heck is this machine getting the remote spoke site record from when resolving to domain.name?

I've cleared the central site DNS server's cache (to where the member server points for DNS) and disabled round robin, but still this member server picks up the spoke site DC from an entry/SRV record somewhere, but I can't find it!

Any help appreciated

Mark

