Windows 2008 Server DNS and RODC prevent zone transfer

Is there a way for DNS running on an RODC to NOT get a particular zone? For instance, in the example below I want to prevent RODC03 from getting

DC01 Running DNS (Active Directory-Integrated Primary)
    Forward Lookup Zones

DC02 Running DNS (Active Directory-Integrated Primary)
    Forward Lookup Zones

RODC03 Running DNS (Active Directory-Integrated Primary Read-Only)
    Forward Lookup Zones <- Do not want this zone
Cliff Galiher commented:
Actually, as long as the zone is a primary zone and marked as AD Integrated, the RODC will get it regardless of your zone transfer settings. This is the nature of AD Integrated zones.

The only way to accomplish what you want is to pick a DC to be the primary zone host, change that zone on that DC to *not* be AD Integrated, and then configure any other machine that you *want* to have the zone to host secondary zones using that name and point them to your chosen DC as the primary.

Since the zone is no longer AD Integrated, it will not replicate to your RODC. But it is added work to maintain the primary/secondary relationships on your other servers. I'd suggest that in all but the most edge cases, this is a pretty good sign that you are trying to solve whatever problem you are having the wrong way. It is very strange that you'd trust a server enough to be an RODC and get all sorts of security identities about AD, but not trust it to get a zone replicated.

Usually this means you are either trying to do split-DNS, which is another issue and shouldn't be solved as I described above (but would need to know more details before I could make a suggestion) or there is less trust than is being implied, which means an RODC is probably not the right choice, but a subdomain or forest trust and stub zones should be considered instead.

Now, as I said, this is an edge case. There may be a legitimate reason you are trying to do what you are trying to do. So I pass no judgment. Just pointing out the possibility that other options may be available to you because of the exceedingly rare decision to do what you are doing.

Hope that helps,

Mike Kline commented:
In the properties of the zone, you can "allow zone transfers" only to servers listed on the Name Servers tab. Don't include the RODC there.
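The procedure described in the two answers above (convert the zone on one DC to a standard primary, add secondaries on the DCs that should keep it, and restrict transfers to that list), as an added example using dnscmd rather than the GUI. This is not from the original thread; the zone name, server names and addresses are placeholders.

```powershell
# Added example, not part of the original thread. Assumes the zone is "corp.example.com",
# DC01 (192.0.2.11) becomes the file-backed primary, DC02 (192.0.2.12) hosts a secondary,
# and RODC03 is simply left off the transfer list. All names and addresses are placeholders.
# dnscmd.exe ships with the DNS Server role on Windows Server 2008 (and with RSAT).

$zone        = 'corp.example.com'
$primary     = 'DC01'
$primaryIp   = '192.0.2.11'
$secondary   = 'DC02'
$secondaryIp = '192.0.2.12'

# 1. On DC01: convert the AD-integrated primary zone to a standard (file-backed) primary.
#    The zone leaves the directory partition, so AD replication of it, including to the RODC, stops.
dnscmd $primary /ZoneResetType $zone /Primary /file "$zone.dns"

# 2. On DC02: host the same zone as a secondary that pulls from DC01.
dnscmd $secondary /ZoneAdd $zone /Secondary $primaryIp

# 3. On DC01: allow zone transfers (and notifies) only to the listed secondaries.
#    RODC03 is not in the list, so it cannot pull the zone.
#    This is the dnscmd equivalent of the GUI "Allow zone transfers: only to the following servers".
dnscmd $primary /ZoneResetSecondaries $zone /SecureList $secondaryIp /NotifyList $secondaryIp

# 4. Verify: DC01 should now report the zone as a file-backed Primary with DC02 as the only
#    secondary, and RODC03 should no longer list the zone at all once replication has caught up.
dnscmd $primary /ZoneInfo $zone
dnscmd 'RODC03' /EnumZones
```

Step 1 is the one that actually removes the zone from the RODC; steps 2 and 3 are what you then have to maintain by hand, which is the added work the first answer warns about.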


Nick Rhode (IT Director) commented:

Sandeshdubey (Senior Server Engineer) commented:
As others suggested, if it is an AD-integrated zone, the same will be replicated to the RODC and cannot be excluded. Why do you want this zone to be excluded? Any specific reason for the same?

The DNS on the RODC is read-only and should be replicated from a "writable"/ADI DNS zone.
More info

You can make the zone primary but there are downsides which are already explained by

jeffman5150 (Author) commented:
Thank you. Changing it from AD Integrated to Primary and managing the Secondary Zones via the Zone Transfers tab is what I needed. Problem solved.
As for your other comments it would not be productive for me to justify my configuration. The reasons are valid, but thank you for the input and taking the time to respond.