RODC at remote site does not respond to nslookup

We have a RODC at a remote site. When users do a nslookup at the remote site , the local domain controller (RODC) does not respond, instead the NS server that shows up is the one at primary site. We have verified sites and subnets are set up correctly and no problems with DNS. Is there something peculiar about RODCs and why they would not respond to nslookup?

Thanks for your time.
Antonio02 Asked:

Michael Pfister Commented:
Are there any client connectivity problems, or is it just the strange output of nslookup that concerns you?
Has DNS replicated its zones to the RODC? Check your RODC with dcdiag /v.

There is a lot involved for an RODC to handle clients' DNS update requests. Maybe nslookup gets confused by this (http://blogs.chrisse.se/2009/01/25/how-read-only-domain-controllers-and-dns-works/)

Will Szymkowski (Senior Solution Architect) Commented:
"Is there something peculiar about RODCs and why they would not respond to nslookup?"
No, there is nothing wrong here. This is by design: when you run nslookup you will not see the RODC in the list. RODC is exactly what it states (read-only).

It cannot act as a true DNS or AD server because it does not allow you to write anything to it. It is basically getting a read only copy of AD and DNS from another Read/Write DC in the domain.

I have illustrated this below for you using screenshots from my lab, for your reference.

[screenshot: eess1.JPG]
As you can see in the screenshot above, I have run nslookup and it only shows my read/write DCs. I have also run netdom query dc and it only shows the read/write DCs as well. Even though it is called a "RODC" it does not operate exactly like a DC because it is read-only.

Will.
Steve Commented:
He's right. That's how it's meant to be.
What are your reasons for having a read-only DC? It's rare they are needed these days, so it may be worth reconsidering.

Antonio02 (Author) Commented:
Hi mpfister, apologies for the late response, but the issue we are having is that when users at this site point to the local DC (RODC), response time is very slow. When they point to the IP address of the DC, queries are pretty fast. dcdiag does not show any errors.
@totallytonto: This DC is located at AWS, and though I agree with you there is no reason for having an RODC, this place wants to take every security precaution.

Thanks for your replies.
Will Szymkowski (Senior Solution Architect) Commented:
I hope you are not disregarding the second post, as I have illustrated that what you see is correct, as you asked in your original question.

Will.
Steve Commented:
I know some security precautions are necessary, but how exactly does having a read-only DC help? It's obviously affecting functionality, so it may be best to reconsider.
Michael Pfister Commented:
Have you set a password replication policy for the users and machine accounts at the remote site?

Have a look here: http://www.experts-exchange.com/Software/Server_Software/Active_Directory/Q_28199012.html
and
http://www.experts-exchange.com/Software/Server_Software/Active_Directory/Q_26765941.html
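The checks suggested in this thread, collected into one script as an added example (not code from any of the posters): list which DCs are read-only, see which DNS servers the client actually uses, time the same query against the RODC and a writable DC, and show the RODC's Password Replication Policy. The domain and server names are placeholders you would replace with your own.

```powershell
# Added example, not from the thread. Requires the ActiveDirectory and DnsClient modules
# (RSAT). All names below are placeholders for the poster's environment.
Import-Module ActiveDirectory
Import-Module DnsClient

$Domain = 'corp.example.com'             # placeholder domain
$Rodc   = 'RODC01.corp.example.com'      # placeholder: the remote-site RODC
$RwDc   = 'DC01.corp.example.com'        # placeholder: a writable DC at the primary site

# 1. Which DCs exist and which are read-only. nslookup lists the zone's NS records,
#    and an RODC does not register itself there by default, so ask AD instead.
Get-ADDomainController -Filter * |
    Select-Object HostName, IPv4Address, Site, IsReadOnly, IsGlobalCatalog |
    Format-Table -AutoSize

# 2. The DNS servers this client is really configured to use (per interface).
Get-DnsClientServerAddress -AddressFamily IPv4 |
    Where-Object ServerAddresses |
    Select-Object InterfaceAlias, ServerAddresses

# 3. Time the same DC-locator SRV query against both servers. A large gap points
#    at the RODC's DNS (zone not replicated, recursion/forwarders), not at the client.
foreach ($server in @($Rodc, $RwDc)) {
    $elapsed = Measure-Command {
        Resolve-DnsName -Name "_ldap._tcp.dc._msdcs.$Domain" -Type SRV -Server $server
    }
    '{0,-34} {1,6} ms' -f $server, [int]$elapsed.TotalMilliseconds
}

# 4. Accounts whose secrets the RODC is allowed to cache. Users and computers at the
#    site that are not in this set are authenticated over the WAN by a writable DC,
#    which shows up as slow logons even when DNS itself is healthy.
Get-ADDomainControllerPasswordReplicationPolicy -Identity $Rodc -Allowed |
    Select-Object Name, ObjectClass
```

Run it from a domain-joined machine at the remote site so step 2 and the timings in step 3 reflect what those users see.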
Antonio02 (Author) Commented:
Apologies for the delayed response, but I had family emergencies. Thanks for your replies and suggestions.