one-way AD replication via firewalls

I have a hypothetical situation I'm trying to find the answer to.  I was hoping someone here might know the answer.  It's a bit complicated, so I'll try to be detailed.  Take the following scenario:

Say you have a single Active Directory domain, with domain controllers in two different environments (one DC per environment), separated by a firewall.  The firewall ports are opened both directions so that the domain controllers in both environments can successfully replicate with each other.  Now, say that you close the firewall holes in *one* direction, but not the other, such that DC1 (in one environment) can initiate a replication connection with DC2 (in the other environment), but DC2 cannot initiate a replication connection with DC1.

In this circumstance, what would happen with replication?  My question arises due to the fact that the AD replication model only does pull requests for replication, never push requests.  Since DC1 can still connect with DC2, I'm assuming any changes made on DC2 will get pulled over by DC1.  However, will any changes made on DC1 ever make it back to DC2?  DC2 can't initiate its own replication connection with DC1, so you'd think that DC1 changes would never make it back to DC2.  However, would DC2 be able to "piggy back" onto an existing DC1 replication connection and do its pull requests using that already-initiated connection?  Or do pull requests *require* that they be initiated with a new connection?
You would need to allow two-way replication.  It won't piggy back like you mentioned.  In that environment, one-way replication would work for a while until you reached a tombstone lifetime and then both servers would stop replicating, period.
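The failure mode described in this answer (one DC can pull, the other cannot, and replication silently ages toward the tombstone lifetime) is something a defender wants to catch long before the cutoff. The following PowerShell script is an added example, not code from this thread or from Microsoft. It reads the forest's tombstoneLifetime from the Directory Service object, then checks every DC's inbound replication partners and flags any partner whose last successful replication is older than half the tombstone lifetime (the 50% warning threshold is an assumption). It assumes the RSAT ActiveDirectory module and permission to read replication metadata on each DC.

```powershell
# Added example (not from the thread): flag inbound replication partners whose
# last successful replication is approaching the forest tombstone lifetime.
# Assumes the ActiveDirectory module (RSAT) and rights to query each DC.
Import-Module ActiveDirectory

# Tombstone lifetime lives on the Directory Service object in the config NC.
$configNC = (Get-ADRootDSE).configurationNamingContext
$dsObject = Get-ADObject -Identity "CN=Directory Service,CN=Windows NT,CN=Services,$configNC" `
                         -Properties tombstoneLifetime
# If the attribute is unset, AD uses the legacy default of 60 days.
$tombstoneDays = if ($dsObject.tombstoneLifetime) { $dsObject.tombstoneLifetime } else { 60 }
# Assumption: warn once half the tombstone lifetime has elapsed without a sync.
$warnDays = [math]::Floor($tombstoneDays / 2)

foreach ($dc in (Get-ADDomainController -Filter *)) {
    try {
        # Inbound metadata: who this DC pulls from, and when it last succeeded.
        $meta = Get-ADReplicationPartnerMetadata -Target $dc.HostName -Scope Server `
                    -PartnerType Inbound -ErrorAction Stop
    } catch {
        # A DC we cannot even query is itself a finding worth surfacing.
        Write-Warning "$($dc.HostName): cannot read replication metadata ($($_.Exception.Message))"
        continue
    }

    foreach ($m in $meta) {
        $age = (Get-Date) - $m.LastReplicationSuccess
        # Partner is the DN of the source DC's NTDS Settings object; pull out the server name.
        $source = if ($m.Partner -match 'CN=NTDS Settings,CN=([^,]+)') { $Matches[1] } else { $m.Partner }
        $status = if ($age.TotalDays -ge $tombstoneDays) { 'BEYOND TOMBSTONE LIFETIME' }
                  elseif ($age.TotalDays -ge $warnDays)  { 'WARNING' }
                  else                                   { 'OK' }

        [pscustomobject]@{
            Destination   = $dc.HostName
            Source        = $source
            Partition     = $m.Partition
            DaysSinceSync = [math]::Round($age.TotalDays, 1)
            Failures      = $m.ConsecutiveReplicationFailures
            LastResult    = $m.LastReplicationResult
            Status        = $status
        }
    }
}
```

In the one-way firewall scenario from the question, DC1's rows would stay OK while DC2's rows for source DC1 would show a climbing Failures count and an ageing DaysSinceSync; piping the output to `Where-Object Status -ne 'OK'` in a scheduled task gives an early warning well before the tombstone cutoff makes the two DCs refuse to replicate at all.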

Chris Dent, PowerShell Developer, commented:

Craigothy is right.

You might look into 2008 and Read Only Domain Controllers. The firewall requirements for that are discussed here:

As you'll see it still doesn't mean you can shut it out entirely.

NetAdSubs (Author) commented:
Thanks for the comments.  I was indeed tossing around the idea of a read-only DC, but this particular domain is still (if you can believe it) running in mixed-mode, so unfortunately no 2008 read-only DCs for us on this particular domain.

We're basically having to meet a certain security requirement being imposed on our company by an outside party, which is where my strange question came from.  (So it's not really a hypothetical situation, but a real one!)  In our particular situation, I'm recommending two independent domains rather than this weird firewall blocking nonsense.  It's just cleaner, and it's the right way to do it.

Thanks again!