Do Domain Controllers send keepalives?

Posted on 2011-10-19
Medium Priority
Last Modified: 2012-06-27
Just as the title says, do domain controllers send keepalives? What would happen if I deny all traffic going from one domain controller to another (assuming there are only 2 domain controllers in the domain)?
Question by:Marius Gunnerud
LVL 57

Accepted Solution

Mike Kline earned 500 total points
ID: 36994201
DCs need to replicate within the tombstone lifetime period (60 to 180 days by default; see http://blogs.dirteam.com/blogs/jorge/archive/2006/07/23/1233.aspx).

If you deny traffic for longer than that the DC becomes worthless.

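The check implied by the accepted answer (has any replication partner gone longer than the tombstone lifetime without a successful replication?) can be scripted. This is an added example, not code from the thread or its posters; it assumes the ActiveDirectory PowerShell module (RSAT) and rights to query each DC:

```powershell
# Added example: flag replication partners whose last successful inbound
# replication is older than the forest's tombstone lifetime.
Import-Module ActiveDirectory

$rootDse  = Get-ADRootDSE
$dsPath   = "CN=Directory Service,CN=Windows NT,CN=Services,$($rootDse.configurationNamingContext)"
$dsObject = Get-ADObject -Identity $dsPath -Properties tombstoneLifetime

# When the attribute is unset the forest uses the legacy default of 60 days;
# forests created on Windows Server 2003 SP1 or later carry an explicit 180.
$tombstoneDays = if ($dsObject.tombstoneLifetime) { $dsObject.tombstoneLifetime } else { 60 }
$now = Get-Date

foreach ($dc in Get-ADDomainController -Filter *) {
    try {
        # Inbound partner metadata as seen by this DC
        $partners = Get-ADReplicationPartnerMetadata -Target $dc.HostName -Scope Server -ErrorAction Stop
    } catch {
        Write-Warning "Cannot query $($dc.HostName): $($_.Exception.Message)"
        continue
    }
    foreach ($p in $partners) {
        $age = ($now - $p.LastReplicationSuccess).TotalDays
        # Beyond the tombstone lifetime the DC can no longer be trusted to
        # replicate cleanly (lingering objects); warn at half that window.
        $state = if ($age -ge $tombstoneDays)       { 'BEYOND TOMBSTONE LIFETIME' }
                 elseif ($age -ge $tombstoneDays/2) { 'WARNING' }
                 else                               { 'ok' }
        [pscustomobject]@{
            DC               = $dc.HostName
            Partner          = $p.Partner
            Partition        = $p.Partition
            DaysSinceSuccess = [math]::Round($age, 1)
            Failures         = $p.ConsecutiveReplicationFailures
            State            = $state
        }
    }
}
```

Run it from a management host as a domain admin; any row in the BEYOND state describes exactly the "worthless DC" outcome the answer warns about.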

LVL 37

Assisted Solution

by:Neil Russell
Neil Russell earned 500 total points
ID: 36994547
Firstly... why would you want to?

A DC needs to replicate with EVERY other DC in the domain so that all of the Active Directory database info is up to date on all servers. A DC that is not connected to any other DC is a lump of dead metal very quickly.

LVL 17

Author Comment

by:Marius Gunnerud
ID: 36995167
The thing is I need to design a test environment that is partially connected to the production environment. It doesn't need to be an exact copy of the production environment. The DC in the test environment should not be allowed to replicate to the DCs in the production environment. But other resources such as the CA, IAM, etc. should be accessible. The idea is that if user objects are created on the Test DC this should not be replicated to the production DC. Also emails should be able to be sent between Test and Production and also out of the Test environment.

I was thinking of placing the test environment in a sort of DMZ, denying all AD replication traffic and permitting select traffic from resources. This is something I know how to do as I am actually a networking guy (not sure why I was put on this project hehe). Other options are to create child domains and I have even been toying with the idea of creating a completely separate domain, but after research I keep hitting a wall that ends up not being able to meet the criteria.

I know it is best to keep the test environment separate but unfortunately this is not an option.

Any ideas would be very helpful.

LVL 37

Expert Comment

by:Neil Russell
ID: 36995392
Good luck!! Messing with AD in that manner and forcing two DCs out of sync is asking for trouble! Will the DC be deleted once your testing is completed?

May we ask what your test is for that involves crippling AD?

You would be far better doing a P2V of all machines involved and running in a pure closed test environment. If it's a higher being that says you can't, then get them to sign off the plan for what you are going to do BEFORE it all goes pear shaped :P
LVL 17

Author Comment

by:Marius Gunnerud
ID: 36995446
LOL, yes it is higher up in my client's company that wants this done. I did suggest P2V but they say that a closed environment isn't an option. So... what to do.
Anyway, thanks for the info, at least I am learning a lot about AD doing this project LOL.
LVL 37

Expert Comment

by:Neil Russell
ID: 36995969
You can learn a hell of a lot from trying to fix it afterwards too, trust me :P

Good luck anyway
