NetAdSubs

asked on
one-way AD replication via firewalls

I have a hypothetical situation I'm trying to find the answer to.  I was hoping someone here might know the answer.  It's a bit complicated, so I'll try to be detailed.  Take the following scenario:

Say you have a single Active Directory domain, with domain controllers in two different environments (one DC per environment), separated by a firewall. The firewall ports are opened in both directions so that the domain controllers in both environments can successfully replicate with each other. Now, say that you close the firewall holes in *one* direction, but not the other, such that DC1 (in one environment) can initiate a replication connection with DC2 (in the other environment), but DC2 cannot initiate a replication connection with DC1.

In this circumstance, what would happen with replication? My question arises from the fact that the AD replication model only does pull requests for replication, never push requests. Since DC1 can still connect with DC2, I'm assuming any changes made on DC2 will get pulled over by DC1. However, will any changes made on DC1 ever make it back to DC2? DC2 can't initiate its own replication connection with DC1, so you'd think that DC1 changes would never make it back to DC2. However, would DC2 be able to "piggyback" onto an existing DC1 replication connection and do its pull requests using that already-initiated connection? Or do pull requests *require* that they be initiated with a new connection?
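The question turns on which DC can open a connection toward the other, so the first thing to verify on each side is exactly that. The following PowerShell is an added example, not part of the original post or any answer on it: run on one DC, it probes the well-known AD ports toward the peer through the firewall and then reads that DC's own inbound replication status with repadmin. The host name `DC2.corp.example` is a placeholder; Test-NetConnection assumes Windows Server 2012 or later.

```powershell
# Added example (not from the original thread). Run on DC1, then again on DC2 with
# $peer pointed the other way, to see which direction the firewall actually allows.
$peer = 'DC2.corp.example'   # placeholder name for the DC on the far side of the firewall

# Well-known ports a DC needs toward a replication partner. AD replication itself is
# RPC over a dynamic high port negotiated via the endpoint mapper (135), so an "open"
# on 135 alone does not prove replication can complete.
$ports = @{
    53   = 'DNS'
    88   = 'Kerberos'
    135  = 'RPC endpoint mapper'
    389  = 'LDAP'
    445  = 'SMB (SYSVOL/DFSR)'
    636  = 'LDAPS'
    3268 = 'Global Catalog'
}

foreach ($p in ($ports.Keys | Sort-Object)) {
    $r = Test-NetConnection -ComputerName $peer -Port $p -WarningAction SilentlyContinue
    $state = if ($r.TcpTestSucceeded) { 'open' } else { 'BLOCKED' }
    '{0,5}  {1,-22} {2}' -f $p, $ports[$p], $state
}

# Inbound replication as seen by this DC. Because replication is pull-only, the
# "Last attempt" lines under INBOUND NEIGHBORS tell you whether THIS DC can pull
# from the partner; a 1722 (RPC server is unavailable) here means the pull path
# toward that partner is blocked.
repadmin /showrepl $env:COMPUTERNAME

# Forest-wide view: which DCs are failing to pull, and how far behind they are.
repadmin /replsummary
```

Comparing the two `repadmin /showrepl` outputs side by side is the quickest way to see an asymmetric firewall: one DC shows successful inbound attempts from its partner while the other shows only failures. If the dynamic RPC port is the problem rather than the well-known ports, note that the port AD replication listens on can be pinned via the NTDS "TCP/IP Port" registry value so the firewall rule can be made explicit.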
ASKER CERTIFIED SOLUTION
craigothy

This solution is only available to members.
Chris Dent

Craigothy is right.

You might look into 2008 and Read Only Domain Controllers. The firewall requirements for that are discussed here:

http://technet.microsoft.com/en-us/library/dd772723%28WS.10%29.aspx

As you'll see, it still doesn't mean you can shut it out entirely.

Chris
NetAdSubs (ASKER)

Thanks for the comments. I was indeed tossing around the idea of a read-only DC, but this particular domain is still (if you can believe it) running in mixed mode, so unfortunately no 2008 read-only DCs for us on this particular domain.

We're basically having to meet a certain security requirement being imposed on our company by an outside party, which is where my strange question came from. (So it's not really a hypothetical situation, but a real one!) In our particular situation, I'm recommending two independent domains rather than this weird firewall-blocking nonsense. It's just cleaner, and it's the right way to do it.

Thanks again!