<div>
You seem to be interested in doing something and you've determined that RODC is the solution, but you are running into issues.<br />
<br />
Are you looking at ADFS and need to place it in the DMZ?
</div>


<div>
First of all, who puts a RODC in a DMZ? What is your purpose?&nbsp;
</div>


<div>
We need to provide DNS to servers in this network. &nbsp;Our DNS is all AD integrated now. &nbsp;We provide LDAPS to our hosted voice provider to query for our AD user accounts. &nbsp;We currently have W2K12 server-core RODCs that have provided these services for the past few years. &nbsp;But it's now time to replace them with something more current.<br><br>
</div>


<div>
You can extend DNS services without making a system a DC/RODC<br />
Zone change it to allow member servers access to the Zone in AD.<br />
<br />
you could setup an LDAPS proxy in the DMZ that will relay requests to YOu can further limit by using credentials of a read-only serviceaccount.<br />
<br />
Check what options your Hosted Provider have. See if ADFS is an option to transition to.is the RODC exposed ot you have a VPN connection to secure the RODC in the DMZ traffic from the vendor?
</div>


<div>
We provided a read-only service account for LDAPS. &nbsp;<br><br>Firewall rules (on the router) restrict outside access to the RODCs to just the voice provider, and only for LDAPS.<br><br>DNS is for other servers on the "DMZ" network.<br><br>Isn't the advantage of the RODC that it just forwards AD &amp; DNS requests on to a writable DC? &nbsp;Or is it just AD (and it functions as a standard DNS server)? &nbsp;We went the RODC route b/c no user auth is required in the DMZ, and no credentials are stored on the RODC. &nbsp;It was a relatively easy way to provide LDAPS.<br><br>Given that we just need DNS and LDAPS, I realize an RODC is still probably more than we need. &nbsp;I've not worked with LDAP much in the past. &nbsp;So it's a bit of a leap for me. <br><br>
</div>


RhoSysAdmin

<div>
kevinhseih - Now we're back to my original question. I can't find directions for creating a W2K19 RODC in a perimeter network. I only have old directions for creating a W2K12 server-core RODC in a perimeter network - which is apples to my oranges.<br><br>Creating the RODC on our internal network and then moving it to the DMZ would require a change of IP, which I assume would be problematic.
</div>


<div>
I see, then I’ll just create a dns stub zone&nbsp;instead and allow port 53. Try not to have too much info on the dmz to prevent attacks.
</div>


<div>
<strong>kevinhsieh</strong> - About that "Check to be sure that DNS gets updated properly" comment...<br><br>After moving my new RODC from the internal network to the perimeter, I see the new RODC has registered its new IP in AD DNS but SRV records have not updated yet, and ADSS has not moved the server from the inside site to the perimeter site (yet). &nbsp;<br><br>I made sure all DNS SRV records associated with the old RODC were deleted (after demoting the old RODC of course). &nbsp;<br><br>I've tried a "repadmin /syncall" a couple of times. &nbsp;I've waited for the top of the hour to see if the DNS records register. &nbsp;<br><br>What else can I do to speed the DNS and ADSS updates along?<br>Do I need to do anything manually for DNS?<br>Do I need to move the RODC from its old site to the new one in ADSS?<br><br>
</div>


<div>
Not sure I understand what you refer to as site<br />
<br />
If you look at nslookup -q=SRV _ldap._tcp.dc._msdcs.ypura<wbr />ddomain.co<wbr />m<br />
<br />
Do you get a list of DCs including the RODC?<br />
<br />
Sites deal with location related breakdown if you arrange your network<br />
<br />
Top ad domain<br />
SiteA<br />
SiteB<br />
SiteC<br />
<br />
And placing systems in the sites where they are so they would first try to access the local DC before reaching out to another...<br />
<br />
Not sure placing a DC in the dMz is similarly handled.<br />
<br />
What is the purpose of placing the RODC in a DMZ in your setup?<br />
Do you have external systems accessing it over the Internet, or have adfs setup on it that authorized external resources query?
</div>


<div>
Everything resolved itself on the DNS side once I moved the RODC in ADSS based on what I read here - <a href="https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2003/cc739015(v=ws.10)?redirectedfrom=MSDN" rel="ugc">Moving a Domain Controller to a Different Site</a>. &nbsp;<br><br>There were some old SRV records in the old site I had to manually delete. &nbsp;<br><br>But it looks like it's all good now.
</div>


<div>
<div class="content wysiwyg-content fr-view">
I'm having difficulty finding current documentation for creating a Read Only Domain Controller running W2K19 on a perimeter "DMZ". &nbsp;Does anyone have a go-to doc they can point me to? <br><br>This will NOT be a server-core RODC. &nbsp;<br><br>
</div>
</div>



I'm having difficulty finding current documentation for creating a Read Only Domain Controller running W2K19 on a perimeter "DMZ".  Does anyone have a go-to doc they can point me to?
This will NOT be a server-core RODC.  

How to create RODC on a perimeter network

Windows Server 2019

Networking is the process of connecting computing devices, peripherals and terminals together through a system that uses wiring, cabling or radio waves that enable their users to communicate, share information and interact over distances. Often associated are issues regarding operating systems, hardware and equipment, cloud and virtual networking, protocols, architecture, storage and management.

Networking

Active Directory (AD) is a Microsoft brand for identity-related capabilities. In the on-premises world, Windows Server AD provides a set of identity capabilities and services, and is hugely popular (88% of Fortune 1000 and 95% of enterprises use AD). This topic includes all things Active Directory including DNS, Group Policy, DFS, troubleshooting, ADFS, and all other topics under the Microsoft AD and identity umbrella.