
one-way AD replication via firewalls

Posted on 2010-03-31
Last Modified: 2012-08-14
I have a hypothetical situation I'm trying to find the answer to.  I was hoping someone here might know the answer.  It's a bit complicated, so I'll try to be detailed.  Take the following scenario:

Say you have a single Active Directory domain, with domain controllers in two different environments (one DC per environment), separated by a firewall.  The firewall ports are opened in both directions so that the domain controllers in both environments can successfully replicate with each other.  Now, say that you close the firewall holes in *one* direction, but not the other, such that DC1 (in one environment) can initiate a replication connection with DC2 (in the other environment), but DC2 cannot initiate a replication connection with DC1.

In this circumstance, what would happen with replication?  My question arises due to the fact that the AD replication model only does pull requests for replication, never push requests.  Since DC1 can still connect with DC2, I'm assuming any changes made on DC2 will get pulled over by DC1.  However, will any changes made on DC1 ever make it back to DC2?  DC2 can't initiate its own replication connection with DC1, so you'd think that DC1 changes would never make it back to DC2.  However, would DC2 be able to "piggy back" onto an existing DC1 replication connection and do its pull requests using that already-initiated connection?  Or do pull requests *require* that they be initiated with a new connection?
Question by:NetAdSubs
3 Comments

Accepted Solution

by:craigothy earned 2000 total points
ID: 29252575
You would need to allow two-way replication.  It won't piggy back like you mentioned.  In that environment, one-way replication would work for a while until you reached a tombstone lifetime and then both servers would stop replicating, period.
http://technet.microsoft.com/en-us/library/cc757610%28WS.10%29.aspx
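The failure mode described in the answer above can be caught before the tombstone lifetime runs out by watching inbound replication links. The following is an added example, not part of the original post: it parses text laid out like the output of `repadmin /showrepl * /csv` and reports links whose last success is older than a fraction of the tombstone lifetime. The sample rows are constructed, the column names are an assumption modelled on that CSV layout, and `tombstone_days` is supplied by the caller because the page gives no value.

```python
import csv
import io
from datetime import datetime, timedelta

# Constructed sample: DC1 still pulls from DC2, but DC2's inbound link
# from DC1 has been failing since the firewall change.
SAMPLE_CSV = """\
showrepl_COLUMNS,Destination DSA Site,Destination DSA,Naming Context,Source DSA Site,Source DSA,Transport Type,Number of Failures,Last Failure Time,Last Success Time,Last Failure Status
showrepl_INFO,SiteA,DC1,"DC=example,DC=test",SiteB,DC2,RPC,0,0,2010-03-31 08:00:12,0
showrepl_INFO,SiteB,DC2,"DC=example,DC=test",SiteA,DC1,RPC,412,2010-03-31 08:01:40,2010-02-10 07:45:03,1722
"""
TIME_FMT = "%Y-%m-%d %H:%M:%S"


def stale_inbound_links(csv_text, now, tombstone_days, warn_fraction=0.5):
    """Return inbound links with no success for warn_fraction * tombstone_days."""
    limit = timedelta(days=tombstone_days * warn_fraction)
    ages = {}
    for row in csv.DictReader(io.StringIO(csv_text)):
        raw = row["Last Success Time"]
        # Assumption: "0" means the link never succeeded; treat it as infinitely old.
        last_ok = datetime.min if raw == "0" else datetime.strptime(raw, TIME_FMT)
        key = (row["Destination DSA"], row["Source DSA"], row["Naming Context"])
        ages[key] = (now - last_ok, row["Last Failure Status"])

    findings = []
    for (dest, src, nc), (age, status) in ages.items():
        if age <= limit:
            continue
        reverse = ages.get((src, dest, nc))
        findings.append({
            "destination": dest,
            "source": src,
            "naming_context": nc,
            "days_since_success": age.days,
            "days_until_tombstone": tombstone_days - age.days,
            "last_status": status,
            # Opposite direction still healthy: replication is one-way only.
            "one_way": reverse is not None and reverse[0] <= limit,
        })
    return findings


if __name__ == "__main__":
    for f in stale_inbound_links(SAMPLE_CSV, datetime(2010, 3, 31, 12), 60):
        print(f)
```

A link reported with `one_way` set is the asymmetric case from the question: the destination DC cannot pull from its partner while the partner still pulls from it.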

Expert Comment

by:Chris Dent
ID: 29258772

Craigothy is right.

You might look into 2008 and Read Only Domain Controllers. The firewall requirements for that are discussed here:

http://technet.microsoft.com/en-us/library/dd772723%28WS.10%29.aspx

As you'll see it still doesn't mean you can shut it out entirely.

Chris

Author Comment

by:NetAdSubs
ID: 29277656
Thanks for the comments.  I was indeed tossing around the idea of a read-only DC, but this particular domain is still (if you can believe it) running in mixed-mode, so unfortunately no 2008 read-only DCs for us on this particular domain.

We're basically having to meet a certain security requirement being imposed on our company by an outside party, which is where my strange question came from.  (So it's not really a hypothetical situation, but a real one!)  In our particular situation, I'm recommending two independent domains rather than this weird firewall blocking nonsense.  It's just cleaner, and it's the right way to do it.

Thanks again!