2

I'm stuck in solving the following problem.

We have 2 domain and DNS controllers. Everything works like it should, except for something very weird.

On the DNS servers we have 2 extra Primary AD integrated zones to make sure everybody uses Google safe search.

If we use the 1st DNS server, www.google.com redirects perfectly to forcesafesearch.google.com, like it should. However, when using the second DNS server, it doesn't resolve. Yet, the zone is transferred from server 1 to server 2.... they have both the exact same settings....

What have I tried:

-Flush cache on clients and servers. Clean up old records, update the server data for the master DNS servers. Rebooted the servers, restarted the DNS service... etc... I'm really starting to get out of options.

What it should do:

    C:\WINDOWS\system32>nslookup
    Default Server:  dom1.none.local
    Address:  192.168.2.77

    > www.google.com
    Server:  dom1.none.local
    Address:  192.168.2.77

    Name:    forcesafesearch.google.com
    Address:  216.239.38.120
    Aliases:  www.google.com

and what server 2 does:

    C:\WINDOWS\system32>nslookup
    Default Server:  dom2.none.local
    Address:  192.168.2.79

    > www.google.com

When you lookup forcesafesearch.google.com on server 2, it resolves just fine to the correct ip address...

I'm puzzled by this, because everything else works just fine.

The zone name is: www.google.com. then a DNAME record linking to forcesafesearch.google.com.

It's all textbook.. yet for some unknown reason, it doesn't work :(

Setup: both the servers are running 2012R2 latest version, fully up to date.

//more info:

    C:\WINDOWS\system32>nslookup
    Default Server:  dom2.none.local
    Address:  192.168.2.79

    > www.google.com
    Server:  dom2.none.local
    Address:  192.168.2.79

    Name:    www.google.com

    > google.com
    Server:  dom2.none.local
    Address:  192.168.2.79

    Non-authoritative answer:
    Name:    google.com
    Addresses:  2a00:1450:400c:c04::64
              64.15.124.119
              64.15.124.123
              64.15.124.120
              64.15.124.121
              64.15.124.117
              64.15.124.116
              64.15.124.118
              64.15.124.122

    > forcesafesearch.google.com
    Server:  dom2.none.local
    Address:  192.168.2.79

    Non-authoritative answer:
    Name:    forcesafesearch.google.com
    Address:  216.239.38.120

    >

and from the log:

    18/03/2016 14:39:46 0B38 PACKET  0000008C13C3C1A0 UDP Rcv ::1             0012   Q [0001   D   NOERROR] A      (3)www(6)google(2)com(11)none(5)local(0)
    UDP question info at 0000008C13C3C1A0
      Socket = 524
      Remote addr ::1, port 55912
      Time Query=3300, Queued=0, Expire=0
      Buf length = 0x0fa0 (4000)
      Msg length = 0x0031 (49)
      Message:
        XID       0x0012
        Flags     0x0100
          QR        0 (QUESTION)
          OPCODE    0 (QUERY)
          AA        0
          TC        0
          RD        1
          RA        0
          Z         0
          CD        0
          AD        0
          RCODE     0 (NOERROR)
        QCOUNT    1
        ACOUNT    0
        NSCOUNT   0
        ARCOUNT   0
        QUESTION SECTION:
        Offset = 0x000c, RR count = 0
        Name      "(3)www(6)google(2)com(11)none(5)local(0)"
          QTYPE   A (1)
          QCLASS  1
        ANSWER SECTION:
          empty
        AUTHORITY SECTION:
          empty
        ADDITIONAL SECTION:
          empty

    18/03/2016 14:39:46 0B38 PACKET  0000008C13C3C1A0 UDP Snd ::1             0012 R Q [8385 A DR NXDOMAIN] A      (3)www(6)google(2)com(11)none(5)local(0)
    UDP response info at 0000008C13C3C1A0
      Socket = 524
      Remote addr ::1, port 55912
      Time Query=3300, Queued=0, Expire=0
      Buf length = 0x0fa0 (4000)
      Msg length = 0x0076 (118)
      Message:
        XID       0x0012
        Flags     0x8583
          QR        1 (RESPONSE)
          OPCODE    0 (QUERY)
          AA        1
          TC        0
          RD        1
          RA        1
          Z         0
          CD        0
          AD        0
          RCODE     3 (NXDOMAIN)
        QCOUNT    1
        ACOUNT    0
        NSCOUNT   1
        ARCOUNT   0
        QUESTION SECTION:
        Offset = 0x000c, RR count = 0
        Name      "(3)www(6)google(2)com(11)none(5)local(0)"
          QTYPE   A (1)
          QCLASS  1
        ANSWER SECTION:
          empty
        AUTHORITY SECTION:
        Offset = 0x0031, RR count = 0
        Name      "(11)none(5)local(0)"
          TYPE   SOA  (6)
          CLASS  1
          TTL    3600
          DLEN   40
          DATA
            PrimaryServer: (4)dom2[C031](11)none(5)local(0)
            Administrator: (10)hostmaster[C031](11)none(5)local(0)
            SerialNo     = 161741
            Refresh      = 900
            Retry        = 600
            Expire       = 86400
            MinimumTTL   = 3600
        ADDITIONAL SECTION:
          empty

    18/03/2016 14:39:46 0B38 PACKET  0000008C13D4E1F0 UDP Rcv ::1             0013   Q [0001   D   NOERROR] AAAA   (3)www(6)google(2)com(11)none(5)local(0)
    UDP question info at 0000008C13D4E1F0
      Socket = 524
      Remote addr ::1, port 55913
      Time Query=3300, Queued=0, Expire=0
      Buf length = 0x0fa0 (4000)
      Msg length = 0x0031 (49)
      Message:
        XID       0x0013
        Flags     0x0100
          QR        0 (QUESTION)
          OPCODE    0 (QUERY)
          AA        0
          TC        0
          RD        1
          RA        0
          Z         0
          CD        0
          AD        0
          RCODE     0 (NOERROR)
        QCOUNT    1
        ACOUNT    0
        NSCOUNT   0
        ARCOUNT   0
        QUESTION SECTION:
        Offset = 0x000c, RR count = 0
        Name      "(3)www(6)google(2)com(11)none(5)local(0)"
          QTYPE   AAAA (28)
          QCLASS  1
        ANSWER SECTION:
          empty
        AUTHORITY SECTION:
          empty
        ADDITIONAL SECTION:
          empty
Edd
The_cobra666
  • Where's the rest of the nslookup output from the second server? – joeqwerty Mar 18 '16 at 15:21
  • The result of the nslookup www.google.com is missing. You can enable debugging on the DNS server 2. It will log every request / response in a text file. More info [here](https://technet.microsoft.com/en-us/library/dn800669.aspx) about how to do this. – JFL Mar 18 '16 at 15:24
  • Hi, that's it. There's nothing more. I have added more info in the original post. As is to be seen: www.google.com doesn't resolve, at all. google.com and forcesafesearch.google.com resolve without problem. Makes no sense. – The_cobra666 Mar 18 '16 at 15:25
  • The behavior is caused by a couple of different Windows Updates. See [this Google Groups thread](https://productforums.google.com/forum/#!msg/websearch/F_IOOSWaswI/YNJ5QnLlBQAJ). I do not have a resolution for it besides removing the relevant KBs. – jscott Oct 20 '16 at 19:54

1 Answer

0
  • KB3133954
  • KB3161591
  • KB3179574
  • KB3185279
  • KB3185331
  • KB3192404

These KBs all cause this behaviour. With Microsoft's non-security, security and preview rollups that are promised each month, be prepared to decline everything but security-only updates (so far, as of October 2016) if you want any DNAME functionality.

EDIT: Should note that KB3192392 October 2016 security-only update has no effect on this.