Solved

Effects of Blocking connections to other remote servers via network (firewall) ACLs

Posted on 2006-07-11
4
203 Views
Last Modified: 2010-04-18
I'm going to set this question up.  There are a few assumptions.

Computer A - First domain controller at remote site.  It is a PDC emulator and all FSMO roles
Computer B - Domain controller at local site.
Computer C - Domain controller at a tertiary hub site.

Network path from A to B is A-B-C.  There are no direct connections.
Assume that firewall rules block connectivity from Domain Controller B to Domain Controller C
Assume that local computer log in to B normally.  Will they need any connectivity to Computer A?  What if passwords are changed?
If B fails, is there any chance that Computer A will tell the clients to log in to Computer C?
Should there be firewall rules blocking Computer B from Computer C?
What are the potential problems?

Awakenings

0
Comment
Question by:awakenings
  • 3
4 Comments
 
LVL 23

Assisted Solution

by:TheCleaner
TheCleaner earned 500 total points
ID: 17083569
I'm almost not sure if I can follow you...but:

- all DCs will need to be able to communicate with whatever their replication partners are (set up in AD sites and services).  So if you set B to replicate with A then B needs to be able to see A and vice versa.
- the clients at site B won't necessarily need to get to DC-A, but if B is unavailable and C isn't part of that site, then they won't be able to login to the domain.

You shouldn't block connections between your DCs that are in the same site or that are replication partners.  In addition there isn't any reason to setup ACLs to block clients from getting to a particular DC either in my opinion.
0
 

Author Comment

by:awakenings
ID: 17083899
TheCleaner,

     Yes, the ACLs allow the GC to communicate between different domain controllers.  B and C replicate with A in this regard.  I am not sure that B and C do though.  Are you saying that B and C should?  If so why (from a Windows perspective) and what are the issues?

    The ACLs are blocked for audit reasons.  We have one domain, but we want to block the authentication so we don't have to do forensics all over the various domains.  We also would not have to log every server to see where our users are logging.

    How does windows "know" where to go for authentication?

Awakenings
0
 
LVL 23

Accepted Solution

by:
TheCleaner earned 500 total points
ID: 17085213
B and C don't need to replicate with each other, they can get their updates from A.  The only benefit to having them replicate amongst themselves is that changes at B have to go to A and then to C, but if it doesn't happen that often, I wouldn't worry about it.

Windows "knows" where to go for authentication based on the sites and services snap-in.  You set the site with the subnet up and then that subnet will contact those particular DCs in that site.  It's best practice to have at least 2 DCs per site so that if one goes down the other users will still be able to login, since most firewalls/connections between physical locations don't forward that kind of traffic.
0
 
LVL 23

Expert Comment

by:TheCleaner
ID: 17085632
Thanks for the quick points...happy to help out.
0

Featured Post

Complete VMware vSphere® ESX(i) & Hyper-V Backup

Capture your entire system, including the host, with patented disk imaging integrated with VMware VADP / Microsoft VSS and RCT. RTOs is as low as 15 seconds with Acronis Active Restore™. You can enjoy unlimited P2V/V2V migrations from any source (even from a different hypervisor)

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

I guess it is not common knowledge to most Wintel engineers/administrators: If you have an SNMP-based monitoring system in your environment (and it's common to have SNMP or Syslog) it's reasonably easy to enable monitoring of the Windows Event logs,…
Restoring deleted objects in Active Directory has been a standard feature in Active Directory for many years, yet some admins may not know what is available.
Although Jacob Bernoulli (1654-1705) has been credited as the creator of "Binomial Distribution Table", Gottfried Leibniz (1646-1716) did his dissertation on the subject in 1666; Leibniz you may recall is the co-inventor of "Calculus" and beat Isaac…
The Email Laundry PDF encryption service allows companies to send confidential encrypted  emails to anybody. The PDF document can also contain attachments that are embedded in the encrypted PDF. The password is randomly generated by The Email Laundr…

809 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question