DNS at Remote Site with RODC

Jonathan Hatfield 31 Reputation points
2020-12-22T22:25:18.42+00:00

Hi Everyone,

I'm setting up a new remote office, and need some guidance on how I should configure DNS on this system. I'm setting up an RODC on premises, and will be configuring the firewall to set all the local clients to the RODC for DNS. This site is currently part of our MPLS network, but that will soon be replaced with SD-WAN and IPsec tunnels. At our data center we have our main DCs as well as our DNS filtering system (Cisco Umbrella). What is the best method to make sure that clients point to their local RODC for authentication and group policy, but also ensure they get their DNS relayed to the Umbrella system for filtering? How should I program the DNS on the local RODC?

Thank you

Tags: Active Directory, Windows DHCP

Accepted answer
  1. Candy Luo 12,746 Reputation points Microsoft Vendor
    2020-12-30T02:00:19.587+00:00

    Hi @Anonymous,

    DNS setting on the RODC: the recommended setting for an RODC that is also a DNS server is to point to itself as the primary DNS server.

    For your reference:

    RODC Post-Installation Configuration

    Best Regards,

    Candy


2 additional answers

Sort by: Most helpful
  1. Thameur-BOURBITA 35,336 Reputation points
    2020-12-22T23:24:12.27+00:00

    Hi,

    "What is the best method to make sure that clients point to their local RODC for authentication and group policy, but also ensure they get their DNS relayed to the Umbrella system for filtering?"

    In the IP settings of each machine in the remote site you can set many DNS resolvers, but you can set only the IP of the RODC as DNS resolver if you want to avoid any communication between the local clients and other DCs.

    On the RODC you can set the IP of the main-site DC, then its own IP as the second DNS resolver.

    If you want the local clients to contact only the RODC for group policy and GPOs, you have to create an AD site for this remote office, move only the RODC to this site and assign all client subnets to this site through the wizard (Active Directory Sites and Services).

    Please don't forget to mark this reply as the answer if it helps you fix your issue.
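The steps the two answers describe (RODC DNS client order, AD site and subnet for the branch, moving the RODC into that site) expressed as PowerShell, as an added example that is not part of the original thread. The two answers differ on the RODC's own resolver order; this example follows the accepted answer and puts the RODC first, with a writable hub DC second. All hostnames, addresses and the site name are placeholders, and the forwarder step toward the Umbrella resolver is an assumption about how the "relay to Umbrella" requirement in the question would be met, not something either answer states. Run on the RODC (or a host with the DnsServer and ActiveDirectory RSAT modules) as a Domain Admin.

```powershell
# Added example, not from the original thread. All values below are placeholders.
Import-Module DnsServer, ActiveDirectory, DnsClient

$Domain            = 'corp.example.com'   # assumption: AD DNS domain name
$Rodc              = 'BR1-RODC01'         # assumption: the branch RODC's hostname
$RodcIp            = '10.20.0.10'         # assumption: RODC address
$HubDcIp           = '10.10.0.10'         # assumption: writable DC in the data center
$SiteName          = 'Branch-Office-1'    # assumption: new AD site for the branch
$ClientSubnet      = '10.20.0.0/24'       # assumption: branch client subnet
$FilterResolverIps = @('10.10.0.53')      # assumption: Umbrella resolver at the data center

# 1. RODC DNS client: itself first (accepted answer), writable hub DC second.
#    Pick the first connected adapter; adjust the filter if the box has several.
$nic = Get-NetAdapter | Where-Object Status -eq 'Up' | Select-Object -First 1
Set-DnsClientServerAddress -InterfaceIndex $nic.ifIndex -ServerAddresses @($RodcIp, $HubDcIp)

# 2. Anything the RODC's DNS service is not authoritative for goes to the filtering
#    resolver, so client lookups leave the branch only through Umbrella (assumption:
#    this is how the filtering requirement is met). Root hints are disabled so a
#    forwarder outage fails closed rather than bypassing the filter.
Set-DnsServerForwarder -IPAddress $FilterResolverIps -UseRootHint $false -Timeout 3

# 3. Branch AD site, subnet, and site link, then move only the RODC into it.
#    Without the site-link membership the KCC cannot build replication connections
#    to the new site, so the site is added to the default link here.
if (-not (Get-ADReplicationSite -Filter "Name -eq '$SiteName'")) {
    New-ADReplicationSite -Name $SiteName
}
if (-not (Get-ADReplicationSubnet -Filter "Name -eq '$ClientSubnet'")) {
    New-ADReplicationSubnet -Name $ClientSubnet -Site $SiteName
}
Set-ADReplicationSiteLink -Identity 'DEFAULTIPSITELINK' -SitesIncluded @{Add = $SiteName}
Move-ADDirectoryServer -Identity $Rodc -Site $SiteName

# 4. Verification. The site-specific SRV record should list only the RODC, and a
#    branch client (pointed at $RodcIp by DHCP) should report the new site.
Register-DnsClient
Resolve-DnsName -Name "_ldap._tcp.$SiteName._sites.dc._msdcs.$Domain" -Type SRV -Server $RodcIp |
    Where-Object QueryType -eq 'SRV' | Select-Object NameTarget, Port
Get-DnsServerForwarder | Select-Object IPAddress, UseRootHint
# On a branch client, after a reboot or 'klist purge':
#   nltest /dsgetsite
```

Two caveats worth knowing before relying on this layout. The RODC holds a read-only copy of the AD-integrated zones, so a client's dynamic DNS registration is referred by the RODC to a writable DC and the record is then pulled back to the RODC; if the WAN to the data center is down, new registrations wait, but existing records and the forwarder path still work. And because the subnet-to-site mapping is what steers clients to the RODC, any branch subnet left unmapped will have its clients pick a DC from the default site instead, so every client range at the branch needs a subnet object.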


  2. Candy Luo 12,746 Reputation points Microsoft Vendor
    2020-12-23T02:17:41.237+00:00

    Hi,

    Here is an article talking about some important considerations when placing an RODC at a site; please check if it helps:

    Attacking Read-Only Domain Controllers (RODCs) to Own Active Directory

    Please Note: Since the web site is not hosted by Microsoft, the link may change without notice. Microsoft does not guarantee the accuracy of this information.

    Plan DNS Servers for Branch Office Environments

    Best Regards,

    Candy
