Effects of Blocking connections to other remote servers via network (firewall) ACLs

I'm going to set this question up.  There are a few assumptions.

Computer A - First domain controller at the remote site. It is the PDC emulator and holds all FSMO roles.
Computer B - Domain controller at the local site.
Computer C - Domain controller at a tertiary hub site.

The network path from A to B is A-B-C. There are no direct connections.
Assume that firewall rules block connectivity from Domain Controller B to Domain Controller C.
Assume that local computers log in to B normally. Will they need any connectivity to Computer A? What if passwords are changed?
If B fails, is there any chance that Computer A will tell the clients to log in to Computer C?
Should there be firewall rules blocking Computer B from Computer C?
What are the potential problems?

Awakenings

TheCleaner Commented:
B and C don't need to replicate with each other, they can get their updates from A.  The only benefit to having them replicate amongst themselves is that changes at B have to go to A and then to C, but if it doesn't happen that often, I wouldn't worry about it.

Windows "knows" where to go for authentication based on the Sites and Services snap-in. You set the site up with its subnet, and then clients on that subnet will contact the DCs in that particular site. It's best practice to have at least 2 DCs per site so that if one goes down the users will still be able to log in, since most firewalls/connections between physical locations don't forward that kind of traffic.

TheCleaner Commented:
I'm almost not sure if I can follow you...but:

- all DCs will need to be able to communicate with whatever their replication partners are (set up in AD Sites and Services). So if you set B to replicate with A, then B needs to be able to see A and vice versa.
- the clients at site B won't necessarily need to get to DC-A, but if B is unavailable and C isn't part of that site, then they won't be able to log in to the domain.

You shouldn't block connections between your DCs that are in the same site or that are replication partners. In addition, there isn't any reason to set up ACLs to block clients from getting to a particular DC either, in my opinion.
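As an added example (not code from the thread), a PowerShell check that puts the two points above into practice: run on a DC such as "B" with the ActiveDirectory RSAT module, it reads the replication partners that Sites and Services has configured for that DC, tests whether the ports replication depends on are reachable from it, and lists the subnets whose clients will be directed to its site. The port list and the DN layout of the connection objects are assumptions noted in the comments.

```powershell
# Added example, not code from the thread. Run it on a DC (e.g. "B") with the
# ActiveDirectory RSAT module. It reads the replication partners Sites and
# Services has configured for this DC and checks that the ports replication needs
# are reachable, so an ACL between DCs can be validated against the real topology.
Import-Module ActiveDirectory

# Assumed core port set: RPC endpoint mapper, LDAP, SMB, Kerberos. The dynamic RPC
# range that replication also uses is not probed here.
$Ports = 135, 389, 445, 88
$LocalDc = $env:COMPUTERNAME

# "CN=NTDS Settings,CN=<dc>,CN=Servers,CN=<site>,CN=Sites,..." -> dc name and site
function ConvertFrom-NtdsDn {
    param([string]$Dn)
    $parts = $Dn -split ','
    [pscustomobject]@{
        Name = $parts[1] -replace '^CN='
        Site = $parts[3] -replace '^CN='
    }
}

# Inbound connection objects = the partners this DC must be able to reach
$inbound = Get-ADReplicationConnection -Filter * | ForEach-Object {
    $from = ConvertFrom-NtdsDn $_.ReplicateFromDirectoryServer
    $to   = ConvertFrom-NtdsDn $_.ReplicateToDirectoryServer
    if ($to.Name -eq $LocalDc) { [pscustomobject]@{ Partner = $from; Local = $to } }
}

foreach ($link in $inbound) {
    $fqdn = (Get-ADDomainController -Identity $link.Partner.Name).HostName
    $closed = foreach ($port in $Ports) {
        $t = Test-NetConnection -ComputerName $fqdn -Port $port -WarningAction SilentlyContinue
        if (-not $t.TcpTestSucceeded) { $port }
    }
    $scope = if ($link.Partner.Site -eq $link.Local.Site) { 'intra-site' } else { 'inter-site' }
    if ($closed) {
        Write-Warning "$LocalDc <- $fqdn ($scope): blocked on TCP $($closed -join ', ')"
    } else {
        Write-Output "$LocalDc <- $fqdn ($scope): all replication ports reachable"
    }
}

# Subnets mapped to this DC's site: clients on these subnets will look here to log in
$mySite = (Get-ADDomainController -Identity $LocalDc).Site
Get-ADReplicationSubnet -Filter * | Where-Object { $_.Site -like "CN=$mySite,*" } |
    Select-Object Name, Location
```

Any partner reported as blocked is a link an ACL like the one in the question would break; a site with no subnets listed will not receive client logons by site affinity at all.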
awakenings (Author) Commented:
TheCleaner,

Yes, the ACLs allow the GC to communicate between different domain controllers. B and C replicate with A in this regard. I am not sure that B and C do though. Are you saying that B and C should? If so, why (from a Windows perspective) and what are the issues?

The ACLs are blocked for audit reasons. We have one domain, but we want to block the authentication so we don't have to do forensics all over the various domains. We also would not have to log every server to see where our users are logging in.

How does Windows "know" where to go for authentication?

Awakenings
TheCleaner Commented:
Thanks for the quick points...happy to help out.