Difference between Read Only Primary Zone and Secondary Zone

Why would you choose to use a Primary Read Only DNS zone over just using a standard Secondary zone?

AD Integration?
More control over replication?

Find more posts tagged with

SAVE $250 on Your Microsoft Boot Camp — Use Code "EXAM26"

Exclusively for TechExams members for Infosec Boot Camps starting before April 30, 2026

View Microsoft Boot Camps

Comments

helios99

As far as I know in AD DS all Primary DNS Zones are writable and AD integrated, they are also called DDNS or Dynamic DNS. The only "READ-ONLY" Primary DNS Zones in AD DS are those found in RODC's.

Kindly correct me if I'm wrong.

Essendon

Yeah read-only DNS zones exist on RODC's only. So you cant choose them over secondary zones.

Not all primary zones are AD integrated, when you go into creating a new zone, it gives you a checkbox allowing you to choose if you want the zone to be AD integrated (in which case it is replicated to all DC's) or not AD integrated (in which case the zone is stored on that DNS server).

Jander1023

Vokse wrote: »

Why would you choose to use a Primary Read Only DNS zone over just using a standard Secondary zone?

AD Integration?
More control over replication?

You can delegate installation and administration of a RODC to non-Admin staff at the location of the RODC. This is an important factor as many small branch and/or office locations do not have IT staff and have slow WAN links that make remote administration difficult.

Installing DNS on a RODC implements a secondary DNS zone. If you just add a secondary DNS server to a branch or office, you only get name resolution. This doesn't help with user logons or other DC functions. Additionally, some applications installed on a branch or office server might require a DC on the same server. Since branch/office locations sometimes lack security, having a read-only DC is an important security factor.