Windows 2008 Server DNS and RODC prevent zone transfer

Is there a way for DNS running on an RODC to NOT get a particular zone? For instance, in the example below I want to prevent RODC03 from getting


DC01 Running DNS (Active Directory-Integrated Primary)
Forward Lookup Zones

DC02 Running DNS (Active Directory-Integrated Primary)
Forward Lookup Zones

RODC03 Running DNS (Active Directory-Integrated Primary Read-Only)
Forward Lookup Zones <- Do not want this Zone
Mike Kline commented:
In the properties of the zone, you can "allow zone transfers"  - only to servers listed on the name servers tab.  Don't include the RODC from there.


Nick Rhode (IT Director) commented:
Cliff Galiher commented:
Actually, as long as the zone is a primary zone and marked as AD Integrated, the RODC will get it regardless of your zone transfer settings. This is the nature of AD Integrated zones.

The only way to accomplish what you want is to pick a DC to be the primary zone host, change that zone on that DC to *not* be AD Integrated, and then configure any other machine that you *want* to have the zone to host secondary zones using that name and point them to your chosen DC as the primary.

Since the zone is no longer AD Integrated, it will not replicate to your RODC. But it is added work to maintain the primary/secondary relationships on your other servers. I'd suggest that in all but the most edge cases, this is a pretty good sign that you are trying to solve whatever problem you are having the wrong way. It is very strange that you'd trust a server enough to be an RODC and get all sorts of security identities about AD, but not trust it to get a zone replicated.  

Usually this means you are either trying to do split-DNS, which is another issue and shouldn't be solved as I described above (but would need to know more details before I could make a suggestion) or there is less trust than is being implied, which means an RODC is probably not the right choice, but a subdomain or forest trust and stub zones should be considered instead.

Now, as I said, this is an edge case. There may be a legitimate reason you are trying to do what you are trying to do. So I pass no judgment. Just pointing out the possibility that other options may be available to you because of the exceedingly rare decision to do what you are doing.

Hope that helps,
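The two approaches above (restricting zone transfers, and converting the zone to a standard primary with secondaries) as one script is an added example, not code from this thread or from any of its participants. It uses dnscmd.exe, which ships with the DNS Server role on Windows Server 2008, and assumes the names DC01 (the chosen primary host), DC02 (a secondary), RODC03, a zone called "example.corp" and the addresses 10.0.0.1 / 10.0.0.2; all of these are placeholders.

```powershell
# Added example, not from the original thread. Assumed names: zone "example.corp",
# DC01 = chosen standard-primary host (10.0.0.1), DC02 = secondary (10.0.0.2),
# RODC03 = the RODC that must not receive the zone.
$Zone        = 'example.corp'   # assumed zone name
$Primary     = 'DC01'
$PrimaryIP   = '10.0.0.1'       # assumed address of DC01
$Secondary   = 'DC02'
$SecondaryIP = '10.0.0.2'       # assumed address of DC02
$Rodc        = 'RODC03'

# 1. On DC01, convert the zone from AD-integrated (DsPrimary) to a file-backed
#    standard primary. Once the zone is no longer stored in AD it stops
#    replicating to every DC, the RODC included.
dnscmd $Primary /ZoneResetType $Zone /Primary /file "$Zone.dns"

# 2. A standard primary zone cannot use secure dynamic updates (those need AD
#    ACLs). Set updates to 0 (none) explicitly so the zone does not end up
#    accepting unauthenticated updates (1 = nonsecure, 2 = secure).
dnscmd $Primary /Config $Zone /AllowUpdate 0

# 3. Restrict zone transfers on DC01 to an explicit IP list (the secondary only).
#    /SecureNs would instead allow transfers to the servers on the Name Servers
#    tab, which is the setting Mike Kline's comment refers to.
dnscmd $Primary /ZoneResetSecondaries $Zone /SecureList $SecondaryIP

# 4. Wait until the old AD-integrated copy has disappeared from DC02 (check
#    with /EnumZones; ZoneAdd fails while a zone of that name still exists),
#    then create the secondary zone on DC02 pulling from DC01.
dnscmd $Secondary /EnumZones
dnscmd $Secondary /ZoneAdd $Zone /Secondary $PrimaryIP /file "$Zone.dns"

# 5. Verify: DC01 should now report the zone as a non-DS-integrated primary, and
#    RODC03 should no longer list it at all.
dnscmd $Primary /ZoneInfo $Zone
dnscmd $Rodc /EnumZones
```

Run it from an account that is a DNS administrator on all three servers. The /AllowUpdate step is the part most easily forgotten when moving off AD-integrated storage: the "Secure only" setting silently stops being available, so decide deliberately whether the zone needs dynamic updates at all before it goes back into service.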


Sandeshdubey (Senior Server Engineer) commented:
As others suggested, if it is an AD-integrated zone, the same will be replicated to the RODC and cannot be excluded. Why do you want this zone to be excluded? Is there any specific reason for the same?

The DNS on the RODC is read-only and should be replicated from a "writable"/ADI DNS zone.
More info

You can make the zone primary but there are downsides, which is already explained by
jeffman5150 (Author) commented:
Thank You. Changing it from AD Integrated to Primary and managing the Secondary Zones via the Zone Transfers Tab is what I needed. Problem Solved.
As for your other comments it would not be productive for me to justify my configuration. The reasons are valid, but thank you for the input and taking the time to respond.