Authoritative Screening

In your GTM pool config, are your members the actual AD servers or virtual servers on an LTM that load balances across your AD servers?

When you say the zone exists on the GTM, does that mean you created the zone within ZoneRunner? Or created a DNSSEC zone for it? Or both?

yes there is a pool to LB the dns queries that aren't matched by a WIP.

yes in zonerunner the zone exists. not using dnssec.

You may not need the pool at all. If the zone that you define within ZoneRunner is a forward zone, and you specify the two AD server IP addresses as the forwarders, then any non-wide IP queries for that zone should be forwarded to the AD servers.

when the WIP is created it creates the zone as master. I would have to delete and re-create the zone as a forwarder. However per the deployment guide for screening the creation of a pool to LB non WIP queries is created and assigned to the listener. So I have to think this is best practice....

the stats indicate queries are getting to sent to the servers.

I'd recommend running a tcpdump on your GTM to help isolate what the problem may be. If the setup is working properly, you'll see GTM sending DNS queries to your pool members. Could be that responses aren't coming back for whatever reason.

a couple zones didn't exists.... the other zones are working just fine.

thanks for the response cory.

this is unfamiliar territory for me. so the zones that are missing are sub zones.

example zone returning SRV records - abc123.local zone not returning SRV records - test.abc123.local

all SOA and NS records are identical in both zones...

i am getting an unspecified error when i run against GTM nslookup ->set type=all ->_ldap._tcp.dc._msdcs.test.abc123.local

returns SRV records nslookup ->set type=all ->_ldap._tcp.dc._msdcs.abc123.local

however this query against DNS server returns srv records, nslookup ->set type=all ->_ldap._tcp.dc._msdcs.test.abc123.local

set debug and discovered read failed: result too large. looks like this can gone on for awhile better buckle in...

When querying for the SRV record you mention from an outside client, does the GTM return a response to the query? What do you see when using tcpdump?