I have a question:
We have a huge Active Directory forest (company.local.com) on premise. And also 2 additional Domain Controllers in Azure as part of this (DC-AZ1.company.local.com and DC-AZ2.company.local.com) Both of these 2 DC have the DNS role installed (Active Directory integration). The FSMO role holder DC-A is located on-premise. Also more than 10 other DCs in other on-premise locations
As a part of security restrictions, the DC are NOT allowed to go to the internet, that means for resolving Azure services (e.g. SQL managed databases) these DNS servers could not resolve this. Using a conditional forwarder for these DCs are not allowed too.
To relove this, we have installed 2x &#34;standalone&#34; DNS servers with a Stub Zone. These 2 DNS1 and DNS2 load their Zone information from DC-AZ1.company.local.com and DC-AZ2.company.local.com. Name resolution (nslookup) for servers in the company.local.com domain is not a problem. Also these 2 servers are allowed to go Internet. So they can finde the Azure services (e.g. the SQL managed database) as well.
We have pointed the DNS settings for our VMs in Azure to these 2 DNS servers.
What is now the exact way, when a new server wants to join the domain. Where is he sending the request, where the DNS record is created?
What I think is: (1. Domain join request to DNS1, 2.) Answer with correct Nameserver 3.) Domain join sent to correct Nameserver 4.) After approved, DNS entry ceated 5.) DNS entriy repicated using Active Directory to all other DNS servers)
We have in 50% that during the domain join (which takes a long time), we will get an error &#34;that the network name company.local.com isnt available anymore. Sometimes a second try works, sometimes not. (in case of &#34;not working&#34;, we are changing the DNS settings from Stub Zone DNS server to AD DNS server (in Azure), then the domain join process will work. After joining, we change back to the Stub Zone DNS server)
Is this a &#34;runtime&#34; problem? Or what can be the reason for this?
Would be very helpful, to clear this DNS miracle a bit