I've got an RWDC in my LAN, and an RODC set up in my DMZ. The DMZ has appropriate subnets and links and is replicating properly from the RWDC. When trying to join a computer in the DMZ to the domain via the RODC, I'm actually prompted with a username and password box, suggesting that the RODC is trying to authenticate. However, once proper credentials are supplied, I get an error saying the domain itself either doesn't exist or can't be contacted.
To confirm the nearest DC, its IP, and its assigned site, I've used:
nltest /DSGETDC:<domain>
And the result came back as it should, reading the proper RODC instead of the RWDC in the LAN. And within NSLOOKUP:
_ldap._tcp.<site name>._sites.dc._msdcs.<domain name>
This even returns the proper RODC and IP for the DMZ. So everything looks like it should be working fine, but once credentials are supplied to join the domain in the DMZ, I'm told that the domain doesn't exist or can't be contacted. When I try to ping domain.com, I get back the RWDC's IP, which obviously isn't reachable. I know the DMZ shouldn't be able to talk to the LAN (with the exception of the RODC, whose ports are all properly opened), but I feel like the error I'm getting is related to the computer thinking the domain exists solely in the LAN, based on how it returns my RWDC's IP when I ping the domain name...
Any thoughts?
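A diagnostic for the situation described above, added here and not part of the original question. It assumes the domain is domain.com and the DMZ site is named DMZ (both placeholders to replace) and runs on the DMZ machine being joined: it resolves the site-scoped SRV record, tests the ports a join needs against the DC that record returns, then resolves the bare domain name's A records (every DC registers its address there) and tests LDAP to each, so an unreachable LAN DC listed under the bare name shows up next to the reachable RODC.

```powershell
# Added diagnostic, not from the original post. Placeholders: change both
# values to match your AD before running on the machine being joined.
$Domain = 'domain.com'
$Site   = 'DMZ'
# Ports a domain join needs to reach on whichever DC the client selects
$Ports  = 88, 135, 389, 445, 464, 636, 3268

function Test-Port($Target, $Port) {
    (Test-NetConnection -ComputerName $Target -Port $Port -WarningAction SilentlyContinue).TcpTestSucceeded
}

Write-Host "== Site-scoped SRV record (what DSGETDC used) =="
Resolve-DnsName -Name "_ldap._tcp.$Site._sites.dc._msdcs.$Domain" -Type SRV |
    Where-Object { $_.Type -eq 'SRV' } | ForEach-Object {
        $dc = $_.NameTarget
        Write-Host "SRV -> $dc (priority $($_.Priority), port $($_.Port))"
        foreach ($p in $Ports) {
            $state = if (Test-Port $dc $p) { 'open' } else { 'BLOCKED' }
            Write-Host ("  {0,-6} {1}" -f $p, $state)
        }
    }

Write-Host "`n== Bare domain A records (what 'ping $Domain' returns) =="
# Every DC registers its IP under the bare domain name. A client that resolves
# the bare name instead of the site SRV record may land on a LAN DC the DMZ
# cannot reach; each UNREACHABLE entry below is such a candidate.
Resolve-DnsName -Name $Domain -Type A | Where-Object { $_.Type -eq 'A' } | ForEach-Object {
    $ip = $_.IPAddress
    $state = if (Test-Port $ip 389) { 'reachable' } else { 'UNREACHABLE' }
    Write-Host ("A -> {0,-16} LDAP/389 {1}" -f $ip, $state)
}

Write-Host "`n== Site-less SRV record (fallback when no site match) =="
Resolve-DnsName -Name "_ldap._tcp.dc._msdcs.$Domain" -Type SRV |
    Where-Object { $_.Type -eq 'SRV' } |
    ForEach-Object { Write-Host "SRV -> $($_.NameTarget)" }
```

If the RODC shows all ports open but the bare-name A records include an unreachable RWDC, the join client is likely selecting a DC outside the site-scoped record; compare the output against what the join error reports.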