Effects of Blocking connections to other remote servers via network (firewall) ACLs

Posted on 2006-07-11
Last Modified: 2010-04-18
I'm going to set this question up.  There are a few assumptions.

Computer A - First domain controller at remote site.  It is a PDC emulator and all FSMO roles
Computer B - Domain controller at local site.
Computer C - Domain controller at a tertiary hub site.

Network path from A to B is A-B-C.  There are no direct connections.
Assume that firewall rules block connectivity from Domain Controller B to Domain Controller C
Assume that local computers log in to B normally.  Will they need any connectivity to Computer A?  What if passwords are changed?
If B fails, is there any chance that Computer A will tell the clients to log in to Computer C?
Should there be firewall rules blocking Computer B from Computer C?
What are the potential problems?

Awakenings

Question by:awakenings
LVL 23

Assisted Solution

by:TheCleaner
TheCleaner earned 2000 total points
ID: 17083569
I'm almost not sure if I can follow you...but:

- all DCs will need to be able to communicate with whatever their replication partners are (set up in AD sites and services).  So if you set B to replicate with A then B needs to be able to see A and vice versa.
- the clients at site B won't necessarily need to get to DC-A, but if B is unavailable and C isn't part of that site, then they won't be able to login to the domain.

You shouldn't block connections between your DCs that are in the same site or that are replication partners.  In addition, there isn't any reason to set up ACLs to block clients from getting to a particular DC either, in my opinion.
0
 

Author Comment

by:awakenings
ID: 17083899
TheCleaner,

Yes, the ACLs allow the GC to communicate between different domain controllers.  B and C replicate with A in this regard.  I am not sure that B and C do though.  Are you saying that B and C should?  If so, why (from a Windows perspective) and what are the issues?

The ACLs are blocked for audit reasons.  We have one domain, but we want to block the authentication so we don't have to do forensics all over the various domains.  We also would not have to log every server to see where our users are logging in.

How does Windows "know" where to go for authentication?

Awakenings
0
 
LVL 23

Accepted Solution

by:TheCleaner
TheCleaner earned 2000 total points
ID: 17085213
B and C don't need to replicate with each other, they can get their updates from A.  The only benefit to having them replicate amongst themselves is that changes at B have to go to A and then to C, but if it doesn't happen that often, I wouldn't worry about it.

Windows "knows" where to go for authentication based on the Sites and Services snap-in.  You set up the site with its subnet, and then clients on that subnet will contact the DCs in that site.  It's best practice to have at least 2 DCs per site so that if one goes down, users will still be able to log in, since most firewalls/connections between physical locations don't forward that kind of traffic.
0
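The two answers above rest on the same two facts: a client picks a DC by matching its IP address against the subnet objects in Sites and Services, and a DC must be able to reach whatever replication partners the KCC or an admin has given it. The script below is an added example, not code from the thread or from either participant. It assumes the RSAT ActiveDirectory module on a domain-joined admin workstation; the client address `10.20.0.15` and the function names are constructed for illustration. It maps a client IP to its site with the same longest-prefix rule the DC Locator uses, checks the ports a logon needs against every DC in that site, and lists each DC's replication partners from the configuration partition, which is the list a firewall ACL must not break.

```powershell
# Added example (not from the thread): site lookup, DC port check, replication partner list.
# Assumes the RSAT ActiveDirectory module; the client IP below is a constructed sample.
Import-Module ActiveDirectory

function ConvertTo-UInt32Address {
    param([string]$IPv4)
    $bytes = [System.Net.IPAddress]::Parse($IPv4).GetAddressBytes()
    [Array]::Reverse($bytes)            # network byte order -> little-endian for BitConverter
    [BitConverter]::ToUInt32($bytes, 0)
}

function Test-IPv4InSubnet {
    param([string]$IPv4, [string]$Cidr)
    $network, $prefix = $Cidr -split '/'
    $prefix = [int]$prefix
    # Build the mask in 64-bit space so a /0 prefix does not hit an undefined 32-bit shift
    $mask = [uint32](([uint64]0xFFFFFFFF -shl (32 - $prefix)) -band [uint64]0xFFFFFFFF)
    ((ConvertTo-UInt32Address $IPv4) -band $mask) -eq ((ConvertTo-UInt32Address $network) -band $mask)
}

function Get-ClientSite {
    param([string]$ClientIP)
    # Longest-prefix match over CN=Subnets, which is how the DC Locator chooses a site
    $match = Get-ADReplicationSubnet -Filter * -Properties Site |
        Where-Object { $_.Name -match '^\d{1,3}(\.\d{1,3}){3}/\d{1,2}$' -and
                       (Test-IPv4InSubnet -IPv4 $ClientIP -Cidr $_.Name) } |
        Sort-Object { [int](($_.Name -split '/')[1]) } -Descending |
        Select-Object -First 1
    if (-not $match) { return $null }   # no subnet object: client gets no site preference
    (Get-ADReplicationSite -Identity $match.Site).Name
}

function Test-SiteDCs {
    # Kerberos, RPC endpoint mapper, LDAP, SMB and the global catalog port
    param([string]$SiteName, [int[]]$Ports = @(88, 135, 389, 445, 3268))
    foreach ($dc in Get-ADDomainController -Filter "Site -eq '$SiteName'") {
        foreach ($port in $Ports) {
            $ok = Test-NetConnection -ComputerName $dc.HostName -Port $port `
                                     -InformationLevel Quiet -WarningAction SilentlyContinue
            [pscustomobject]@{ DC = $dc.HostName; Site = $SiteName; Port = $port; Reachable = $ok }
        }
    }
}

function Get-ReplicationPartners {
    # Connection objects live in the configuration partition, so one DC can report all of them.
    # The DNs look like "CN=NTDS Settings,CN=<server>,CN=Servers,CN=<site>,..."; index 1 is the server.
    Get-ADReplicationConnection -Filter * | ForEach-Object {
        [pscustomobject]@{
            Destination = ($_.ReplicateToDirectoryServer   -split ',')[1] -replace '^CN='
            Source      = ($_.ReplicateFromDirectoryServer -split ',')[1] -replace '^CN='
            Transport   = $_.InterSiteTransportProtocol
        }
    }
}

$clientIP = '10.20.0.15'                # constructed sample client address
$site = Get-ClientSite -ClientIP $clientIP
if ($site) {
    "Client $clientIP maps to site '$site'"
    Test-SiteDCs -SiteName $site | Format-Table -AutoSize
} else {
    "Client $clientIP matches no subnet object; the DC Locator will not prefer a site"
}
Get-ReplicationPartners | Sort-Object Destination | Format-Table -AutoSize
# Cross-check against the locator itself from a client in that subnet: nltest /dsgetdc:<domain> /force
```

Read the output the way the thread's questions are framed: if the client's subnet maps to a site whose only DC is unreachable on these ports, the logon stalls rather than silently moving to a DC behind the firewall; and every Source/Destination pair in the partner list is a path the ACLs must leave open, whichever physical link it crosses.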
 
LVL 23

Expert Comment

by:TheCleaner
ID: 17085632
Thanks for the quick points...happy to help out.
0
