I'm going to set this question up. There are a few assumptions.
Computer A - First domain controller at remote site. It is a PDC emulator and all FSMO roles
Computer B - Domain controller at local site.
Computer C - Domain controller at a tertiary hub site.
Network path from A to B is A-B-C. There are no direct connections.
Assume that firewall rules block connectivity from Domain Controller B to Domain Controller C
Assume that local computer log in to B normally. Will they need any connectivity to Computer A? What if passwords are changed?
If B fails, is there any chance that Computer A will tell the clients to log in to Computer C?
Should there be firewall rules blocking Computer B from Computer C?
What are the potential problems?