AllDaySentry
Exclude Certain DNS Records From Propagating Across to RODC
Our main office is home to our AD and DNS Servers. We are still using a .local for our AD (Unfortunately) so we have a .local as well as our .com as Forward Lookup Zones. For the .com zone, we have our public facing servers resolving to their internal IP.
Now that we have a branch office with a RODC, this is causing an issue for us. We have an MPLS that is routing most of the office traffic except for our DMZ subnet. Because this is not routing (and I don't think we want to at this point) and the RODC is resolving an internal IP, the branch office users cannot reach the DMZ servers.
Is there any way to have those particular records for the DMZ on the RODC be different or not replicate over at all from the primary domain controller to the RODC? I would like those particular records to resolve over public DNS.
Manually created zones can still be either AD-integrated or file-based. AD-integrated zones, even manually created ones, replicate.
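A way to confirm on your own servers what the answer above says, as an added example that is not part of the original thread: it reads each zone's storage type and replication scope from the hub DC and the RODC, then compares the answer branch clients get from the RODC for a DMZ host against the public answer. All names are assumptions (zones contoso.com and contoso.local, hub DC DC01, RODC RODC01, DMZ host www.contoso.com, public resolver 1.1.1.1); replace them with your own. Requires the DnsServer RSAT module and rights to query both DNS servers.

```powershell
# Added example, not from the original thread. Every name below is an assumption.
$Zones   = 'contoso.com', 'contoso.local'
$HubDc   = 'DC01'
$Rodc    = 'RODC01'
$DmzHost = 'www.contoso.com'

# 1. On the writable DC: is the zone AD-integrated, and how widely does it replicate?
#    IsDsIntegrated = True means the zone lives in AD, not in a zone file.
#    ReplicationScope 'Forest' or 'Domain' means every DC running DNS in that scope,
#    RODCs included, receives a copy; 'Legacy' stores it in the domain partition,
#    which also reaches every DC in the domain.
foreach ($z in $Zones) {
    Get-DnsServerZone -Name $z -ComputerName $HubDc |
        Select-Object ZoneName, ZoneType, IsDsIntegrated, ReplicationScope, DirectoryPartitionName
}

# 2. On the RODC: an AD-integrated zone there is a read-only replica (IsReadOnly = True),
#    so per-record overrides cannot be made on the RODC itself; edits happen on a
#    writable DC and replicate to every copy, including this one.
foreach ($z in $Zones) {
    Get-DnsServerZone -Name $z -ComputerName $Rodc |
        Select-Object ZoneName, IsDsIntegrated, IsReadOnly, ReplicationScope
}

# 3. Show the mismatch the thread describes: the RODC hands branch clients the DMZ
#    host's internal address while the branch has no route to the DMZ subnet, whereas
#    a public resolver returns the routable public address.
$internal = Resolve-DnsName -Name $DmzHost -Server $Rodc   -Type A -ErrorAction SilentlyContinue
$public   = Resolve-DnsName -Name $DmzHost -Server 1.1.1.1 -Type A -ErrorAction SilentlyContinue

[pscustomobject]@{
    Host         = $DmzHost
    RodcAnswer   = (($internal | Where-Object QueryType -eq 'A').IPAddress) -join ', '
    PublicAnswer = (($public   | Where-Object QueryType -eq 'A').IPAddress) -join ', '
}
```

If step 1 shows IsDsIntegrated = True for the .com zone, the records will keep replicating to the RODC regardless of how the zone was originally created, which is the point made in the answer above; step 3 makes the resulting split-horizon problem visible from the branch side before any change is attempted.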
ASKER
That's what I figured. They look to both be AD-integrated. I was just hoping there would be an easier solution in DNS for this.
The underlying issue is that DNS as a protocol is older than the public internet. Split DNS, and NAT for that matter, both exist because of the shortcomings of IPv4. So the "correct" solution is to deploy IPv6 whenever and wherever possible. Long term the world is going that way anyway.
ASKER
Does this mean that zone is still AD-integrated or can it be disabled from replicating?