Establish one-way external outgoing trust using RODC in trusted domain jh

We have a domain that we'll call 'resource' that needs to be accessed by users in a third party domain that we'll call 'source.'

Due to security issues, we cannot route to all of the domain controllers in source from resource. What we've done is set up a DMZ in source and placed a RODC in it. We've created a DNS zone on the DNS servers in resource pointing to the RODC (so all the necessary _ldap and _kerberos SRV records and the necessary A records).

When we try and create the external outgoing trust, we receive a message saying: 'The name you specified is not a valid Windows domain. Is the specified name a Kerberos V5 realm?'.

I've been told that the source RODC has full access to the writeable DCs in its domain. I'm also told that we should be able to set up the trust using the RODC, although I am sceptical.

tlcsupport (Author) Commented:
We ended up setting up the trust with a writeable DC, then replaced it with a RODC later and fudged DNS at the trusting end to only see the RODC at the trusted end.

Neil Russell (Technical Development Lead) Commented:
On your Source domain you need to have a DNS forwarder set up pointing to any valid DNS server on Resource, the RODC? Have you done this?

tlcsupport (Author) Commented:
Yes, the source domain has a conditional forward to the resource domain and we have confirmed that queries resolve correctly.
Hello tlcsupport,

I am curious if you have been able to set up this trust using the RODC? I am considering a similar trust setup and cannot find any documentation certifying a RODC can be used this way.

Thank you very much for the feedback.

tlcsupport (Author) Commented:
Appears to not be possible. Although it's possible to set up the trust with a writeable DC at the trusted end and then replace it with a RODC later.
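
One way to verify the DNS arrangement described in the thread (the trusting end resolving only the RODC for the trusted domain), as an added example that is not part of the original posts. The domain name, RODC host name and DNS server address are placeholders, and the function name `Test-LocatorTarget` is made up for this sketch.

```powershell
# Added example: names and addresses below are placeholders, not values from the thread.
$TrustedDomain = 'source.example'         # assumed DNS name of the trusted domain
$ExpectedRodc  = 'rodc01.source.example'  # assumed FQDN of the RODC in the DMZ
$DnsServer     = '192.0.2.53'             # assumed DNS server in the trusting domain

# DC locator SRV names a member of the trusting domain queries for the trusted domain.
$LocatorNames = @(
    "_ldap._tcp.$TrustedDomain",
    "_ldap._tcp.dc._msdcs.$TrustedDomain",
    "_kerberos._tcp.$TrustedDomain",
    "_kerberos._tcp.dc._msdcs.$TrustedDomain"
)

function Test-LocatorTarget {
    param(
        [string[]]$Name,
        [string]$Expected,
        [string]$Server
    )
    foreach ($n in $Name) {
        try {
            # -DnsOnly avoids LLMNR/NetBIOS fallback, so only the DNS zone is tested.
            $srv = @(Resolve-DnsName -Name $n -Type SRV -Server $Server -DnsOnly -ErrorAction Stop |
                Where-Object { $_.Type -eq 'SRV' })
        } catch {
            $srv = @()
        }
        if ($srv.Count -eq 0) {
            [pscustomobject]@{ Record = $n; Target = $null; Status = 'NoSrvAnswer' }
            continue
        }
        foreach ($r in $srv) {
            $target = $r.NameTarget.TrimEnd('.')
            $status = if ($target -ieq $Expected) { 'OK' } else { 'UnexpectedDC' }
            [pscustomobject]@{ Record = $n; Target = $target; Status = $status }
        }
    }
}

$results = Test-LocatorTarget -Name $LocatorNames -Expected $ExpectedRodc -Server $DnsServer
$results | Format-Table -AutoSize

# Non-zero exit if any locator record is missing or points at a DC other than the RODC.
if ($results | Where-Object { $_.Status -ne 'OK' }) { exit 1 }
```

Run it from a host in the trusting domain after the DNS zone is changed; an `UnexpectedDC` row means clients there can still be referred to a domain controller they cannot route to.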
Question has a verified solution.
