Solved

Effects of Blocking connections to other remote servers via network (firewall) ACLs

Posted on 2006-07-11
198 Views
Last Modified: 2010-04-18
I'm going to set this question up.  There are a few assumptions.

Computer A - First domain controller at remote site.  It is the PDC emulator and holds all FSMO roles.
Computer B - Domain controller at local site.
Computer C - Domain controller at a tertiary hub site.

Network path from A to B is A-B-C.  There are no direct connections.
Assume that firewall rules block connectivity from Domain Controller B to Domain Controller C
Assume that local computers log in to B normally.  Will they need any connectivity to Computer A?  What if passwords are changed?
If B fails, is there any chance that Computer A will tell the clients to log in to Computer C?
Should there be firewall rules blocking Computer B from Computer C?
What are the potential problems?

Awakenings

Question by:awakenings
4 Comments
LVL 23

Assisted Solution

by:TheCleaner
TheCleaner earned 500 total points
ID: 17083569
I'm almost not sure if I can follow you...but:

- all DCs will need to be able to communicate with whatever their replication partners are (set up in AD sites and services).  So if you set B to replicate with A then B needs to be able to see A and vice versa.
- the clients at site B won't necessarily need to get to DC-A, but if B is unavailable and C isn't part of that site, then they won't be able to log in to the domain.

You shouldn't block connections between your DCs that are in the same site or that are replication partners.  In addition, there isn't any reason to set up ACLs to block clients from getting to a particular DC either, in my opinion.

Author Comment

by:awakenings
ID: 17083899
TheCleaner,

     Yes, the ACLs allow the GC to communicate between different domain controllers.  B and C replicate with A in this regard.  I am not sure that B and C do though.  Are you saying that B and C should?  If so why (from a Windows perspective) and what are the issues?

    The ACLs are blocked for audit reasons.  We have one domain, but we want to block the authentication so we don't have to do forensics all over the various domains.  We also would not have to log every server to see where our users are logging in.

    How does Windows "know" where to go for authentication?

Awakenings
LVL 23

Accepted Solution

by:TheCleaner
TheCleaner earned 500 total points
ID: 17085213
B and C don't need to replicate with each other, they can get their updates from A.  The only benefit to having them replicate amongst themselves is that changes at B have to go to A and then to C, but if it doesn't happen that often, I wouldn't worry about it.

Windows "knows" where to go for authentication based on the Sites and Services snap-in.  You set the site up with its subnet, and then clients on that subnet will contact the DCs in that site.  It's best practice to have at least 2 DCs per site so that if one goes down the users will still be able to log in, since most firewalls/connections between physical locations don't forward that kind of traffic.
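As an added illustration of the accepted answer (not code from the thread or from Microsoft), the script below models the two rules TheCleaner describes: a client picks its site by the most specific Sites and Services subnet match, and a firewall ACL is only safe if it does not sit between configured replication partners. Site names, subnets and the replication links are assumptions constructed to mirror the A/B/C scenario in the question; it is a model of DC locator behaviour, not a query against a live domain.

```python
import ipaddress

# Constructed topology mirroring the thread: A (hub, holds all FSMO roles),
# B (local site), C (tertiary site). Site names and subnets are assumptions.
SITES = {
    "Hub":      {"dcs": ["A"], "subnets": ["10.0.0.0/16"]},
    "Local":    {"dcs": ["B"], "subnets": ["10.1.0.0/16"]},
    "Tertiary": {"dcs": ["C"], "subnets": ["10.2.0.0/16"]},
}
# Replication partners as set up in Sites and Services: B<->A and C<->A, no B<->C link.
REPLICATION_LINKS = [("B", "A"), ("C", "A")]
# Firewall ACL from the question: traffic between B and C is blocked (constructed).
BLOCKED_PAIRS = {frozenset(("B", "C"))}

def site_for_client(ip):
    """Model of DC locator site lookup: the site whose subnet covers the client
    address with the longest prefix wins. None if no subnet covers the address."""
    addr = ipaddress.ip_address(ip)
    best = None
    for site, cfg in SITES.items():
        for cidr in cfg["subnets"]:
            net = ipaddress.ip_network(cidr)
            if addr in net and (best is None or net.prefixlen > best[1]):
                best = (site, net.prefixlen)
    return best[0] if best else None

def candidate_dcs(ip, down=()):
    """DCs in the client's site that are still up. An empty list is the failure
    mode the answer warns about: the only site DC is down and WAN links are filtered."""
    site = site_for_client(ip)
    if site is None:
        return []
    return [dc for dc in SITES[site]["dcs"] if dc not in down]

def blocked_replication_links(links=REPLICATION_LINKS, blocked=BLOCKED_PAIRS):
    """Replication links that the ACL would break; this list must be empty."""
    return [link for link in links if frozenset(link) in blocked]

def single_dc_sites():
    """Sites that fall short of the 'at least 2 DCs per site' practice."""
    return [site for site, cfg in SITES.items() if len(cfg["dcs"]) < 2]

if __name__ == "__main__":
    print("client 10.1.5.7 ->", site_for_client("10.1.5.7"), candidate_dcs("10.1.5.7"))
    print("with B down:", candidate_dcs("10.1.5.7", down={"B"}))
    print("ACL breaks replication links:", blocked_replication_links())
    print("sites with a single DC:", single_dc_sites())
```

On a real domain the same checks are done with `nltest /dsgetdc:<domain>` on a client and the Sites and Services snap-in (or `repadmin /showrepl` on a DC) for the replication partners.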
LVL 23

Expert Comment

by:TheCleaner
ID: 17085632
Thanks for the quick points...happy to help out.