Solved

Effects of Blocking connections to other remote servers via network (firewall) ACLs

Posted on 2006-07-11
4
208 Views
Last Modified: 2010-04-18
I'm going to set this question up.  There are a few assumptions.

Computer A - First domain controller at remote site.  It is a PDC emulator and all FSMO roles
Computer B - Domain controller at local site.
Computer C - Domain controller at a tertiary hub site.

Network path from A to B is A-B-C.  There are no direct connections.
Assume that firewall rules block connectivity from Domain Controller B to Domain Controller C
Assume that local computer log in to B normally.  Will they need any connectivity to Computer A?  What if passwords are changed?
If B fails, is there any chance that Computer A will tell the clients to log in to Computer C?
Should there be firewall rules blocking Computer B from Computer C?
What are the potential problems?

Awakenings

0
Comment
Question by:awakenings
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 3
4 Comments
 
LVL 23

Assisted Solution

by:TheCleaner
TheCleaner earned 500 total points
ID: 17083569
I'm almost not sure if I can follow you...but:

- all DCs will need to be able to communicate with whatever their replication partners are (set up in AD sites and services).  So if you set B to replicate with A then B needs to be able to see A and vice versa.
- the clients at site B won't necessarily need to get to DC-A, but if B is unavailable and C isn't part of that site, then they won't be able to login to the domain.

You shouldn't block connections between your DCs that are in the same site or that are replication partners.  In addition there isn't any reason to setup ACLs to block clients from getting to a particular DC either in my opinion.
0
 

Author Comment

by:awakenings
ID: 17083899
TheCleaner,

     Yes, the ACLs allow the GC to communicate between different domain controllers.  B and C replicate with A in this regard.  I am not sure that B and C do though.  Are you saying that B and C should?  If so why (from a Windows perspective) and what are the issues?

    The ACLs are blocked for audit reasons.  We have one domain, but we want to block the authentication so we don't have to do forensics all over the various domains.  We also would not have to log every server to see where our users are logging.

    How does windows "know" where to go for authentication?

Awakenings
0
 
LVL 23

Accepted Solution

by:
TheCleaner earned 500 total points
ID: 17085213
B and C don't need to replicate with each other, they can get their updates from A.  The only benefit to having them replicate amongst themselves is that changes at B have to go to A and then to C, but if it doesn't happen that often, I wouldn't worry about it.

Windows "knows" where to go for authentication based on the sites and services snap-in.  You set the site with the subnet up and then that subnet will contact those particular DCs in that site.  It's best practice to have at least 2 DCs per site so that if one goes down the other users will still be able to login, since most firewalls/connections between physical locations don't forward that kind of traffic.
0
 
LVL 23

Expert Comment

by:TheCleaner
ID: 17085632
Thanks for the quick points...happy to help out.
0

Featured Post

Online Training Solution

Drastically shorten your training time with WalkMe's advanced online training solution that Guides your trainees to action. Forget about retraining and skyrocket knowledge retention rates.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

On July 14th 2015, Windows Server 2003 will become End of Support, leaving hundreds of thousands of servers around the world that still run this 12 year old operating system vulnerable and potentially out of compliance in many organisations around t…
This article provides a convenient collection of links to Microsoft provided Security Patches for operating systems that have reached their End of Life support cycle. Included operating systems covered by this article are Windows XP,  Windows Server…
In this video, viewers will be given step by step instructions on adjusting mouse, pointer and cursor visibility in Microsoft Windows 10. The video seeks to educate those who are struggling with the new Windows 10 Graphical User Interface. Change Cu…
NetCrunch network monitor is a highly extensive platform for network monitoring and alert generation. In this video you'll see a live demo of NetCrunch with most notable features explained in a walk-through manner. You'll also get to know the philos…

724 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question