Solved

Exclude Certain DNS Records From Propogating Across to RODC

Posted on 2014-10-28
5
412 Views
Last Modified: 2014-10-29
Our main office is home to our AD and DNS Servers.  We are still using a .local for our AD (Unfortunately) so we have a .local as well as our .com as Forward Lookup Zones.  For the .com zone, we have our public facing servers resolving to their internal IP.

Now that we have a branch office with a RODC, this is causing an issue for us.  We have an MPLS that is routing most of the office traffic except for our DMZ subnet.  Because this is not routing (and I dont think we want to at this point) and the RODC is resolving an internal IP, the branch office users cannot reach the DMZ Servers.

Is there any way to have those particular records for the DMZ on the RODC be different or not replicate over at all from the primary domain controller to the RODC?  I would like those particular records to resolve over public DNS.
0
Comment
Question by:AllDaySentry
  • 3
  • 2
5 Comments
 
LVL 57

Accepted Solution

by:
Cliff Galiher earned 500 total points
ID: 40409487
If you have an AD-Integrated zone, no. AD-Integrated is exactly that and replicates with AD.

The only way to do what you want is to make your zone non-AD integrated so it doesn't replicate *and* manage the zones independently at each site (a primary/secondary setup would still transfer all records with Windows DNS.)  You'd effectively be setting up a variant of split-DNS.

-Cliff
0
 

Author Comment

by:AllDaySentry
ID: 40409611
I added the .com zone in manually to work with our hosted / server applications.  Each time I have a new public facing server, I manually add in the DNS entry.

Does this mean that zone is still AD-integrated or can it be disabled from replicating?
0
 
LVL 57

Expert Comment

by:Cliff Galiher
ID: 40409765
Manually created zones can still be either AD-integrated or file-based. AD-integrated zones, even manually created ones, replicate.
0
 

Author Comment

by:AllDaySentry
ID: 40409782
Thats what I figured.  They look to both be AD-integrated.  I was just hoping there would be an easier solution in DNS for this.
0
 
LVL 57

Expert Comment

by:Cliff Galiher
ID: 40409787
The underlying issue is that DNS as a protocol is older than the public internet. Split DNS, and NAT for that matter, both exist because of the shortcomings of IPv4. So the "correct" solution is to deploy IPv6 whenever and wherever possible. Long term the world is going that way anyways.
0

Featured Post

Best Practices: Disaster Recovery Testing

Besides backup, any IT division should have a disaster recovery plan. You will find a few tips below relating to the development of such a plan and to what issues one should pay special attention in the course of backup planning.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Suggested Solutions

Title # Comments Views Activity
Claiming a Domain Name 7 40
MS Endpoint Protection 2 25
Bandwidth issues? 5 30
Setting up static routes to  sonicwll 4 40
If you're not part of the solution, you're part of the problem.   Tips on how to secure IoT devices, even the dumbest ones, so they can't be used as part of a DDoS botnet.  Use PRTG Network Monitor as one of the building blocks, to detect unusual…
I had an issue with InstallShield not being able to use Computer Browser service on Windows Server 2012. Here is the solution I found.
This tutorial will walk an individual through locating and launching the BEUtility application to properly change the service account username and\or password in situation where it may be necessary or where the password has been inadvertently change…
Internet Business Fax to Email Made Easy - With  eFax Corporate (http://www.enterprise.efax.com), you'll receive a dedicated online fax number, which is used the same way as a typical analog fax number. You'll receive secure faxes in your email, f…

777 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question