RhoSysAdmin asked:

How to create RODC on a perimeter network

I'm having difficulty finding current documentation for creating a Read Only Domain Controller running W2K19 on a perimeter "DMZ".  Does anyone have a go-to doc they can point me to?

This will NOT be a server-core RODC.  

arnold:

You seem to be interested in doing something and you've determined that RODC is the solution, but you are running into issues.

Are you looking at ADFS and need to place it in the DMZ?
First of all, who puts an RODC in a DMZ? What is your purpose?
RhoSysAdmin (asker):

We need to provide DNS to servers in this network.  Our DNS is all AD integrated now.  We provide LDAPS to our hosted voice provider to query for our AD user accounts.  We currently have W2K12 server-core RODCs that have provided these services for the past few years.  But it's now time to replace them with something more current.

arnold:

You can extend DNS services without making a system a DC/RODC. Change the zone to allow member servers access to the zone in AD.

You could set up an LDAPS proxy in the DMZ that will relay requests to
You can further limit access by using the credentials of a read-only service account.

Check what options your hosted provider has. See if ADFS is an option to transition to. Is the RODC exposed, or do you have a VPN connection to secure the traffic from the vendor to the RODC in the DMZ?
RhoSysAdmin (asker):

We provided a read-only service account for LDAPS.

Firewall rules (on the router) restrict outside access to the RODCs to just the voice provider, and only for LDAPS.

DNS is for other servers on the "DMZ" network.

Isn't the advantage of the RODC that it just forwards AD & DNS requests on to a writable DC?  Or is it just AD (and it functions as a standard DNS server)?  We went the RODC route because no user auth is required in the DMZ, and no credentials are stored on the RODC.  It was a relatively easy way to provide LDAPS.

Given that we just need DNS and LDAPS, I realize an RODC is still probably more than we need.  I've not worked with LDAP much in the past.  So it's a bit of a leap for me.

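The post above describes the reason for the RODC (DNS plus LDAPS for a read-only service account, with no credentials stored in the DMZ). As an added example, not code from anyone in this thread, the following PowerShell stages an RODC account from the internal network, promotes the Windows Server 2019 box in the DMZ against that pre-created account, and then verifies what the RODC is actually allowed to cache. Every name in it is an assumption: AD domain corp.example.com (NetBIOS CORP), RODC hostname DMZ-RODC01, AD site "Perimeter", delegated admin group CORP\DMZ-RODC-Admins and writable DC DC01.

```powershell
# Added example by the editor, not code from anyone in this thread.
# Assumed names: AD domain corp.example.com (NetBIOS CORP), RODC hostname DMZ-RODC01,
# AD site "Perimeter", delegated admin group CORP\DMZ-RODC-Admins, writable DC DC01.
# Requires the ActiveDirectory and ADDSDeployment modules (present on a DC with the AD DS role).

# ---- Part 1: on an internal writable DC, as a Domain Admin ----
# Stage (pre-create) the RODC account. The staged account fixes the DC type, the site and the
# Password Replication Policy before the DMZ server ever touches the domain, and lets a
# delegated group (not Domain Admins) finish the promotion from the DMZ.
Import-Module ActiveDirectory
Import-Module ADDSDeployment

$Domain   = 'corp.example.com'
$RodcName = 'DMZ-RODC01'
$Site     = 'Perimeter'          # create the site and its subnet in AD Sites and Services first

Add-ADDSReadOnlyDomainControllerAccount `
    -DomainControllerAccountName $RodcName `
    -DomainName $Domain `
    -SiteName $Site `
    -InstallDns:$true `
    -DelegatedAdministratorAccountName 'CORP\DMZ-RODC-Admins'
# No -AllowPasswordReplicationAccountName is given, so the Allowed list stays at the default
# "Allowed RODC Password Replication Group", which is empty unless someone has populated it.

# ---- Part 2: on the Windows Server 2019 box in the DMZ, as a member of CORP\DMZ-RODC-Admins ----
# The server must be in a workgroup (not domain-joined) and named DMZ-RODC01 to match the staged
# account. The DMZ firewall must let this host reach DC01, both for replication and for forwarding
# LDAP binds it cannot verify locally (it caches no secrets): at minimum DNS 53, Kerberos 88,
# RPC endpoint mapper 135 plus the dynamic RPC range, LDAP 389 and SMB 445.
Install-WindowsFeature -Name AD-Domain-Services -IncludeManagementTools
Install-ADDSDomainController `
    -DomainName 'corp.example.com' `
    -UseExistingAccount `
    -ReplicationSourceDC 'DC01.corp.example.com' `
    -InstallDns:$true `
    -Credential (Get-Credential -Message 'Member of CORP\DMZ-RODC-Admins') `
    -SafeModeAdministratorPassword (Read-Host -AsSecureString 'DSRM password') `
    -Force

# ---- Part 3: back on the internal side, confirm what the RODC is and what it may cache ----
Get-ADDomainController -Identity $RodcName |
    Select-Object Name, IsReadOnly, Site, IPv4Address, IsGlobalCatalog

# Effective Password Replication Policy: an account in the Denied list is never cached,
# even if it is also in the Allowed list.
Get-ADDomainControllerPasswordReplicationPolicy -Identity $RodcName -Allowed | Select-Object Name
Get-ADDomainControllerPasswordReplicationPolicy -Identity $RodcName -Denied  | Select-Object Name

# If nothing is meant to be cached on the DMZ box, the default Allowed group should be empty.
Get-ADGroupMember -Identity 'Allowed RODC Password Replication Group'

# What has actually been cached so far. Apart from the RODC's own accounts (its computer
# account and its krbtgt_<id> account) this should be empty.
Get-ADDomainControllerPasswordReplicationPolicyUsage -Identity $RodcName -RevealedAccounts |
    Select-Object SamAccountName, ObjectClass
```

The last two commands are the check behind the "no credentials are stored on the RODC" statement: the RODC still holds a read-only copy of the directory, and only the Password Replication Policy decides whose secrets it caches. Because the read-only service account used for LDAPS is not cached, every bind against the RODC is forwarded to a writable DC, which is why the RODC-to-DC10 firewall path above matters as much as the vendor-to-RODC rule on port 636.
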
ASKER CERTIFIED SOLUTION
kevinhsieh:

RhoSysAdmin (asker):

kevinhsieh - Now we're back to my original question. I can't find directions for creating a W2K19 RODC in a perimeter network. I only have old directions for creating a W2K12 server-core RODC in a perimeter network - which is apples to my oranges.

Creating the RODC on our internal network and then moving it to the DMZ would require a change of IP, which I assume would be problematic.
SOLUTION

I see, then I'll just create a DNS stub zone instead and allow port 53. Try not to have too much info on the DMZ, to prevent attacks.
RhoSysAdmin (asker):

kevinhsieh - About that "Check to be sure that DNS gets updated properly" comment...

After moving my new RODC from the internal network to the perimeter, I see the new RODC has registered its new IP in AD DNS but SRV records have not updated yet, and ADSS has not moved the server from the inside site to the perimeter site (yet).  

I made sure all DNS SRV records associated with the old RODC were deleted (after demoting the old RODC of course).  

I've tried a "repadmin /syncall" a couple of times.  I've waited for the top of the hour to see if the DNS records register.  

What else can I do to speed the DNS and ADSS updates along?
Do I need to do anything manually for DNS?
Do I need to move the RODC from its old site to the new one in ADSS?

arnold:

Not sure I understand what you refer to as a site.

If you look at nslookup -q=SRV _ldap._tcp.dc._msdcs.youraddomain.com

Do you get a list of DCs including the RODC?

Sites deal with a location-related breakdown, if you arrange your network as:

Top ad domain
SiteA
SiteB
SiteC

And placing systems in the sites where they are so they would first try to access the local DC before reaching out to another...

Not sure placing a DC in the DMZ is similarly handled.

What is the purpose of placing the RODC in a DMZ in your setup?
Do you have external systems accessing it over the Internet, or have ADFS set up on it that authorized external resources query?
RhoSysAdmin (asker):

Everything resolved itself on the DNS side once I moved the RODC in ADSS based on what I read here - Moving a Domain Controller to a Different Site.

There were some old SRV records in the old site I had to manually delete.  

But it looks like it's all good now.
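
The two posts above (the stuck SRV records after the move, and the fix of moving the server object to the new site and deleting the leftovers by hand) amount to one procedure. As an added example, not code from anyone in this thread, this PowerShell carries it out from the internal side: it moves the DC object in AD Sites and Services, pushes replication, shows arnold's SRV lookup for both the generic and the site-specific locator names, and finds and removes stale site-specific records still pointing at the RODC under the old site. Assumed names: domain corp.example.com, RODC DMZ-RODC01, old site "HQ", new site "Perimeter", DC01 hosting the AD-integrated zones, and _msdcs.corp.example.com as its own zone (the default layout; older domains may hold _msdcs inside the domain zone instead).

```powershell
# Added example by the editor, not code from anyone in this thread.
# Assumed names: AD domain corp.example.com, RODC DMZ-RODC01, old site "HQ", new site "Perimeter",
# writable DC DC01 hosting the AD-integrated DNS zones, _msdcs.corp.example.com as a separate zone.
# Run on an internal writable DC (or a workstation with RSAT AD and DNS tools) as a Domain Admin.
Import-Module ActiveDirectory
Import-Module DnsServer

$Domain   = 'corp.example.com'
$RodcName = 'DMZ-RODC01'
$OldSite  = 'HQ'
$NewSite  = 'Perimeter'
$DnsHost  = 'DC01.corp.example.com'

# 1. Move the server object to the perimeter site (the AD Sites and Services step).
#    The RODC's new IP must fall inside a subnet assigned to that site, or the DC locator
#    will still treat it as belonging to the old one.
Move-ADDirectoryServer -Identity $RodcName -Site $NewSite

# 2. Push the change to every DC now instead of waiting for the replication schedule.
repadmin /syncall /AdeP

# 3. On the RODC itself (from the DMZ side), make Netlogon re-register its locator records
#    immediately rather than at its next periodic refresh:
#        nltest /dsregdns

# 4. The generic locator record (what an LDAP client that does not know about sites uses)
#    and the site-specific one for the new site.
$generic = Resolve-DnsName -Type SRV -Name "_ldap._tcp.dc._msdcs.$Domain" -Server $DnsHost
$generic | Select-Object NameTarget, Port, Priority, Weight

$newSiteRecs = Resolve-DnsName -Type SRV -Name "_ldap._tcp.$NewSite._sites.dc._msdcs.$Domain" `
    -Server $DnsHost -ErrorAction SilentlyContinue
if ($newSiteRecs.NameTarget -notcontains "$RodcName.$Domain") {
    Write-Warning "$RodcName is not yet registered for site $NewSite; re-run nltest /dsregdns on it"
}

# 5. Find site-specific SRV records that still name the RODC under the old site. Netlogon only
#    removes records it knows it owns, so after a site move these can be left behind, as in the
#    thread. Both zones are checked: _msdcs holds the dc/gc records, the domain zone the rest.
foreach ($zone in @("_msdcs.$Domain", $Domain)) {
    $stale = Get-DnsServerResourceRecord -ComputerName $DnsHost -ZoneName $zone -RRType Srv |
        Where-Object {
            $_.HostName -like "*.$OldSite._sites*" -and
            $_.RecordData.DomainName -like "$RodcName.$Domain*"   # target has a trailing dot
        }
    $stale | Select-Object @{n='Zone'; e={$zone}}, HostName, @{n='Target'; e={$_.RecordData.DomainName}}
    $stale | ForEach-Object {
        Remove-DnsServerResourceRecord -ComputerName $DnsHost -ZoneName $zone -InputObject $_ -Force
    }
}
```

Step 5 deliberately keys on the old site name and the RODC's FQDN only, so records for other DCs in the old site are untouched. The generic _msdcs lookup in step 4 is also the one to hand to the hosted voice provider when checking which DC names their LDAPS client will be given; only the RODC should be reachable from their side, so any writable DC appearing in that list must be blocked by the perimeter firewall rather than relied on to be invisible.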