one-way AD replication via firewalls
Posted on 2010-03-31
I have a hypothetical situation I'm trying to find the answer to. I was hoping someone here might know the answer. It's a bit complicated, so I'll try to be detailed. Take the following scenario:
Say you have a single Active Directory domain, with domain controllers in two different environments (one DC per environment), separated by a firewall. The firewall ports are opened in both directions so that the domain controllers in both environments can successfully replicate with each other. Now, say that you close the firewall holes in *one* direction, but not the other, such that DC1 (in one environment) can initiate a replication connection with DC2 (in the other environment), but DC2 cannot initiate a replication connection with DC1.
In this circumstance, what would happen with replication? My question arises due to the fact that the AD replication model only does pull requests for replication, never push requests. Since DC1 can still connect with DC2, I'm assuming any changes made on DC2 will get pulled over by DC1. However, will any changes made on DC1 ever make it back to DC2? DC2 can't initiate its own replication connection with DC1, so you'd think that DC1 changes would never make it back to DC2. However, would DC2 be able to "piggyback" onto an existing DC1 replication connection and do its pull requests using that already-initiated connection? Or do pull requests *require* that they be initiated with a new connection?
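An added check, not part of the original post, for anyone who wants to observe the answer rather than reason it out: each destination DC opens its own RPC connection to its source (endpoint mapper on TCP 135, then a dynamic port for the DRS interface), so a directional firewall shows up as one DC being able to bind and pull while the other cannot. The script below is meant to be run on each DC in turn, naming the other one as the partner. It assumes placeholder names DC1 and DC2, that repadmin.exe is present (it ships with the AD DS role), and, for the last step only, that the ActiveDirectory PowerShell module is installed; it reads replication state and changes nothing.

```powershell
# Added example for the question above; not from the original post.
# Run on EACH DC, e.g.  .\Test-OneWayRepl.ps1 -Partner DC2   on DC1
#                       .\Test-OneWayRepl.ps1 -Partner DC1   on DC2
param([string]$Partner = 'DC2')   # placeholder hostname (assumption)

$me = $env:COMPUTERNAME

# Plain TCP connect test via .NET so it works on PowerShell 2.0 era DCs too.
function Test-TcpPort {
    param([string]$Computer, [int]$Port, [int]$TimeoutMs = 2000)
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        $async = $client.BeginConnect($Computer, $Port, $null, $null)
        if (-not $async.AsyncWaitHandle.WaitOne($TimeoutMs, $false)) { return $false }
        $client.EndConnect($async)      # throws if the connection was refused
        return $true
    } catch { return $false }
    finally { $client.Close() }
}

# 1. Fixed ports a destination DC must reach on its source to pull changes:
#    Kerberos (88), RPC endpoint mapper (135), LDAP (389), SMB for SYSVOL (445).
Write-Host "`n--- $me -> $Partner : fixed ports ---"
foreach ($port in 88, 135, 389, 445) {
    $state = if (Test-TcpPort -Computer $Partner -Port $port) { 'open' } else { 'BLOCKED' }
    '{0} -> {1}:{2,-4} {3}' -f $me, $Partner, $port, $state
}

# 2. The dynamic RPC port. repadmin /bind does the endpoint-mapper lookup and the
#    RPC bind to the partner's DRS interface that a pull would do, so on the DC
#    that cannot initiate through the firewall this is the step that fails.
Write-Host "`n--- $me -> $Partner : DRS RPC bind ---"
repadmin /bind $Partner

# 3. What this DC is actually pulling: its inbound neighbours, with the last
#    attempt/success time and the error (if any) per naming context.
Write-Host "`n--- inbound replication as seen on $me ---"
repadmin /showrepl $me

# 4. Same data as objects, where the ActiveDirectory module exists (assumption:
#    Windows Server 2012+ / RSAT). Compare LastReplicationAttempt with
#    LastReplicationSuccess on each DC after making a change on the other one.
if (Get-Module -ListAvailable -Name ActiveDirectory) {
    Import-Module ActiveDirectory
    Get-ADReplicationPartnerMetadata -Target $me |
        Select-Object Server, Partner, LastReplicationAttempt,
                      LastReplicationSuccess, LastReplicationResult |
        Format-Table -AutoSize
}
```

To make the direction visible, create a throwaway test object (or change a user's description) on DC1, wait past the replication interval or run `repadmin /syncall` on DC2, then rerun step 3 on DC2: the inbound neighbour entry for DC1 is where a blocked direction shows up as a failed attempt, while the same command on DC1 keeps showing successful pulls from DC2.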