We started troubleshooting by checking the Name Resolution Policy table and we noticed that the NRPT was not getting applied on the DA client as shown below.
The next step was checking the DA resolution using the netsh dns show state command and it turned to be disabled.
Name Resolution Policy Table Options
--------------------------------------------------------------------
Query Failure Behavior : Always fall back to LLMNR and NetBIOS
if the name does not exist in DNS or
if the DNS servers are unreachable
when on a private network
Query Resolution Behavior : Resolve only IPv6 addresses for names
Network Location Behavior : Never use Direct Access settings
Machine Location : Outside corporate network
Direct Access Settings : Configured and Disabled
DNSSEC Settings : Not Configured
The DA client already has the correct group policies, certificates but its disabled.
The next step was checking the below registry key:
"HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\DNSClient EnableDAForAllNetworks"
The value of the key was set to 2 which means that DA is disabled !
Upon deleting the registry key, the DA started working normally without any problem.
For more information about the EnableDAForAllNetworks and its different values please check the below URL.
On both cases that i have seen so far the reason was playing with the DCA settings (Use local DNS) which triggered the flipping of this registry key from Automatic to disabled.
Hopefully this could help someone with the same problem.
