Unable to resolve internal web page
AD Topology - Hub-Spoke.

DC1=10.1.1.100 (w2k); DC01=10.2.1.1 (w2k3); DC02=10.2.1.2 (w2k3)
DC02 has all FSMO roles.

We have web sites in a DMZ - 10.1.3.x
Computers in the Hub subnets can access these websites - 10.1.1.x, 10.2.1.x; nslookup resolves to the correct 10.1.3.x address.
Computers at the spoke (sites) cannot access the websites 10.1.4.x, 10.1.5.x, 10.1.6.x, etc.
At the sites, the computers resolve to the public address - 207.152.... - "Non-authoritative address" in nslookup.

Changes made on DC02...
1. Old name servers existed as "unknown" - these were old domain controllers that were removed from AD last year. I removed 3.
2. SOA Primary server was DC1 (w2k server), wanted to change this to the PDC server of DC02 (w2k3 server).
3. With the discovery of this internal web site issue, I changed SOA back to DC1 (w2k server).

Made these changes on 2-22-2010, web site issues just started today. Not sure if the SOA caused the problem.

Thanks for any help.
February 19th, 2010 8:46pm

Hello Narf2,

The SOA record does not have anything to do with resolving the host names stored in the zone, but of course, your SOA record needs to be set up correctly so the NS servers know how to manage the zone. The SOA record has information about the zone such as the version number, how often secondary NS servers should be pulling zone transfers, and how long a zone is valid on a secondary if a zone transfer fails.

I think the message you are receiving on the computers at the sites, 207.152.... - "Non-authoritative address", is an indication that these computers are using DNS servers that do not have the authoritative zone for your domain.

1) Either these computers are configured to use a DNS server on the internet, or
2) these computers are using an internal DNS server that does not have the internal zone loaded. If these internal DNS servers are configured to use the "root hints" file rather than forward to your HUB location, these DNS servers will go out to the internet to resolve the hostname.

My recommendation... Take a look at the TCP/IP settings for these remote computers and see which DNS servers they are configured to use. If these DNS servers are internal, then check that DNS server and make sure it has the DOMAIN hosted. Your DNS servers need to be AUTHORITATIVE for the internal domains. I would also recommend that you configure these "spoke" DNS servers to forward to the HUB site so that you can control all of your DNS traffic in your network.

Visit my blog: anITKB.com, an IT Knowledge Base.
February 21st, 2010 10:55pm
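The check recommended in the reply above, as an added example that is not part of either post: it sends an A query straight to one DNS server, reads the AA (authoritative answer) bit from the reply header, and reports whether the returned address lies in the internal 10.1.3.x range. The /24 mask and all function names are assumptions made for this example.

```python
import ipaddress
import socket
import struct

DMZ_NET = ipaddress.ip_network("10.1.3.0/24")  # 10.1.3.x from the post; /24 is assumed

def build_query(name, qid=0x1234):
    """DNS query for the A record of `name`, recursion desired."""
    labels = b"".join(bytes([len(l)]) + l.encode("ascii") for l in name.strip(".").split("."))
    return struct.pack(">6H", qid, 0x0100, 1, 0, 0, 0) + labels + b"\x00" + struct.pack(">2H", 1, 1)

def skip_name(msg, off):  # offset just past a name, which may end in a compression pointer
    while msg[off] and msg[off] & 0xC0 != 0xC0:
        off += 1 + msg[off]
    return off + (2 if msg[off] else 1)

def parse_response(msg):
    """Return (authoritative_flag, [A-record addresses]) from a raw DNS response."""
    _qid, flags, qd, an, _ns, _ar = struct.unpack(">6H", msg[:12])
    off = 12
    for _ in range(qd):
        off = skip_name(msg, off) + 4              # skip QTYPE and QCLASS
    addrs = []
    for _ in range(an):
        off = skip_name(msg, off)
        rtype, _cls, _ttl, rdlen = struct.unpack_from(">HHIH", msg, off)
        if rtype == 1 and rdlen == 4:              # A record
            addrs.append(ipaddress.ip_address(msg[off + 10:off + 14]))
        off += 10 + rdlen
    return bool(flags & 0x0400), addrs             # 0x0400 is the AA bit

def classify(msg):
    """Label what a DNS server handed back for an internal host name."""
    aa, addrs = parse_response(msg)
    if addrs and all(a in DMZ_NET for a in addrs):
        return "internal, authoritative" if aa else "internal, via forwarder or cache"
    return "external address: server is not using the internal zone" if addrs else "no answer"

def ask(server, name, timeout=3.0):  # query one DNS server over UDP and classify its reply
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(build_query(name), (server, 53))
        return classify(s.recv(512))

def sample_response(name, addr, aa):
    """Constructed reply for offline use: one A record, owner name as a pointer."""
    head = struct.pack(">6H", 0x1234, 0x8580 if aa else 0x8180, 1, 1, 0, 0)
    rr = b"\xc0\x0c" + struct.pack(">HHIH", 1, 1, 300, 4) + ipaddress.ip_address(addr).packed
    return head + build_query(name)[12:] + rr
```

Call `ask()` once for each DNS server listed in a spoke computer's TCP/IP settings, passing the internal web site's host name.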

This topic is archived. No further replies will be accepted.
