So, we have an internal network and a DMZ network in play here. I'm attempting to setup a one way trust so resources on the DMZ network can be managed from the internal network. Internal network has RWDCs in its domain, and the DMZ has its own
RWDCs in its own domain and a RODC from the internal network's domain. The internal network's RODC is in its own site in AD and is confirmed to be communicating with the RWDCs in the internal network. The RODC is not an authoritative DNS server,
but can host a secondary zone or stub zone. The functional level of the internal domain is 08r2 and the DMZ domain is 2012r2, if that matters.
The task is to setup the one way trust, and its proving a bit difficult. So far I've attempted both Conditional Forwarders or stub zones on the RODC and the DMZ RWDC, no dice. There are no observed DNS replication problems within the domains themselves and using ping and nslookup, I've confirmed that DNS resolution is working between the RODC and the DMZ RWDC. When I try to create the trust from the DMZ RWDCs, it fails saying the specified domain cannot be contacted. Based on what I've read online in other posts and my inability to get around it, it seems that a trust requires a RWDC at each end to function. If this is not the case, I would love to hear how it can be setup with a RWDC at one and and a RODC at the other.
Now, if its correct that the trust requires two RWDCs to setup, what if it was setup with two RWDCs and then one of the RWDCs was removed and replaced with a RODC? I guess what I'm asking is does it just require a RWDC at each end to be setup, or does it also require a RWDC at each end for the trust to function properly on an ongoing basis?