Exclude Certain DNS Records From Propagating Across to RODC

Our main office is home to our AD and DNS Servers.  We are still using a .local for our AD (Unfortunately) so we have a .local as well as our .com as Forward Lookup Zones.  For the .com zone, we have our public facing servers resolving to their internal IP.

Now that we have a branch office with a RODC, this is causing an issue for us.  We have an MPLS that is routing most of the office traffic except for our DMZ subnet.  Because this is not routing (and I don't think we want to at this point) and the RODC is resolving an internal IP, the branch office users cannot reach the DMZ Servers.

Is there any way to have those particular records for the DMZ on the RODC be different or not replicate over at all from the primary domain controller to the RODC?  I would like those particular records to resolve over public DNS.
AllDaySentry asked:
Cliff Galiher commented:
If you have an AD-Integrated zone, no. AD-Integrated is exactly that and replicates with AD.

The only way to do what you want is to make your zone non-AD integrated so it doesn't replicate *and* manage the zones independently at each site (a primary/secondary setup would still transfer all records with Windows DNS.)  You'd effectively be setting up a variant of split-DNS.

-Cliff
AllDaySentry (author) commented:
I added the .com zone in manually to work with our hosted / server applications.  Each time I have a new public facing server, I manually add in the DNS entry.

Does this mean that zone is still AD-integrated or can it be disabled from replicating?
Cliff Galiher commented:
Manually created zones can still be either AD-integrated or file-based. AD-integrated zones, even manually created ones, replicate.
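The two answers above hinge on one property of each zone: whether it is stored in AD (and therefore replicates to every DC that runs DNS, including the RODC) or in a zone file. The following PowerShell is an added example, not code from the thread or from Experts Exchange; it uses the DnsServer module cmdlets (Get-DnsServerZone, Get-DnsServerResourceRecord, Export-DnsServerZone, ConvertTo-DnsServerPrimaryZone, Add-DnsServerPrimaryZone, Add-DnsServerResourceRecordA), and the server names, zone names and IP prefixes in it are placeholders. It first answers the author's question ("is that zone still AD-integrated?") and lists which records in the .com zone would hand out DMZ addresses, then shows the change Cliff describes: converting the zone to a file-backed primary so it stops replicating, and keeping an independently managed copy at the branch.

```powershell
# Added example (not from the thread). Requires the DnsServer module (DNS Server role or RSAT).
$PrimaryDc  = 'DC01.corp.local'          # placeholder: a writable DC that hosts DNS
$BranchDns  = 'BRANCH-DNS01.corp.local'  # placeholder: the DNS server at the branch site
$PublicZone = 'example.com'              # placeholder for the .com zone in the question
$DmzPrefix  = '10.50.1.'                 # placeholder: internal addresses of the DMZ subnet

# Step 1: how is each forward lookup zone stored, and where does it replicate?
# IsDsIntegrated = $true means the zone lives in AD and follows AD replication
# (ReplicationScope: Domain, Forest, Legacy or a custom partition). Every DC
# running DNS, the RODC included, will then hold a copy of the whole zone.
Get-DnsServerZone -ComputerName $PrimaryDc |
    Where-Object { -not $_.IsReverseLookupZone -and -not $_.IsAutoCreated } |
    Select-Object ZoneName, ZoneType, IsDsIntegrated, ReplicationScope, DynamicUpdate |
    Format-Table -AutoSize

# Step 2: which A records in the .com zone point into the DMZ? These are the names
# that branch users currently resolve to an address the MPLS does not route.
$DmzRecords = Get-DnsServerResourceRecord -ComputerName $PrimaryDc -ZoneName $PublicZone -RRType A |
    Where-Object { $_.RecordData.IPv4Address.IPAddressToString -like "$DmzPrefix*" }
$DmzRecords |
    Select-Object HostName, @{ n = 'IPv4'; e = { $_.RecordData.IPv4Address.IPAddressToString } }, TimeToLive |
    Format-Table -AutoSize

# Step 3 (Cliff's proposal): take the zone out of AD so it no longer replicates.
# Guarded so the script is safe to run for inspection only; flip the switch after
# checking the export, because the change affects how the zone is stored, not
# just this one server.
$ApplyChange = $false
if ($ApplyChange) {
    # Keep a copy of the zone data (written under %SystemRoot%\System32\dns on the target).
    Export-DnsServerZone -ComputerName $PrimaryDc -Name $PublicZone -FileName "$PublicZone.backup.dns"

    # Convert to a standard (file-backed) primary. From here on it is not part of
    # AD replication; each site keeps and edits its own copy, which is the
    # split-DNS variant described in the accepted answer.
    ConvertTo-DnsServerPrimaryZone -ComputerName $PrimaryDc -Name $PublicZone -ZoneFile "$PublicZone.dns" -Force
}

# Step 4: the independently managed copy at the branch. Here the DMZ names carry
# the public addresses the branch actually reaches, which is what the author asked for.
# Everything else in the zone must be maintained by hand at both sites, as Cliff notes.
if ($ApplyChange) {
    Add-DnsServerPrimaryZone -ComputerName $BranchDns -Name $PublicZone -ZoneFile "$PublicZone.dns"
    # Placeholder name and RFC 5737 documentation address; substitute the real public records.
    Add-DnsServerResourceRecordA -ComputerName $BranchDns -ZoneName $PublicZone -Name 'www' -IPv4Address '203.0.113.10'
}
```

Running only steps 1 and 2 is enough to confirm the diagnosis in the thread: a manually created zone with IsDsIntegrated set to $true replicates exactly like the .local zone does, and the DMZ records listed in step 2 are the ones the RODC will answer with internal addresses. Note that with a secondary zone at the branch instead of a separate primary, the full record set would still transfer (as Cliff points out), so step 4 deliberately creates a primary.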
AllDaySentry (author) commented:
That's what I figured.  They look to both be AD-integrated.  I was just hoping there would be an easier solution in DNS for this.
Cliff Galiher commented:
The underlying issue is that DNS as a protocol is older than the public internet. Split DNS, and NAT for that matter, both exist because of the shortcomings of IPv4. So the "correct" solution is to deploy IPv6 whenever and wherever possible. Long term the world is going that way anyway.