Re: Unique setup - DCs cannot initiate connection to domain resources


From: Al Mulnick (amulnick_No_SPAM_at_ncDOTrr.com)
Date: 04/25/04


Date: Sun, 25 Apr 2004 19:35:17 -0400

Why? What's the advantage of that scenario?

Majority of the conversation should be either DC to DC else initiated by the
client. Best way to figure out what's different from that scenario beyond a
shadow of a doubt, is to set up a mock version of what you're about to
attempt and slap a sniffer on the wire to see it for yourself.

I would have my doubts about the conversation of GPOs and where that would
come from exactly. Would there be any situations where that would occur as
a startup from the DC? I'd also say that anyone that wanted to manage a
non-dc host from a dc console would be out of luck in your scenario.

I'm having a hard time understanding why it would make sense to isolate the
DCs from the clients like that in the first place, but the previous is a
few random thoughts just the same.

Al

"David" <anonymous@discussions.microsoft.com> wrote in message
news:402201c42afc$1139c3a0$a301280a@phx.gbl...
> Thanks for the reply. However, the difference is that the
> DCs will be reachable through the firewall by all
> clients. Network communication initiation will be
> permitted one way through the firewall for all required
> ports, as per the required port list mentioned. The key
> is that the DCs will not be able to initiate new
> connections through the firewall to any of the resources.
>
> Basically, do DCs need to initiate connections to non-DCs
> for day-to-day operation of the AD and/or AD related
> services?
>
> thanks in advance
> >-----Original Message-----
> >The list of things that would not work properly in this
> >scenario is too long to go through. Have a read of this
> >kb to see what ports you need to open in the firewall
> >for AD to function.
> >http://support.microsoft.com/?id=289241
> >
> >"David" <dgmonaco@datactrl.net> wrote in message
> >news:3cb901c42a35$6af91ac0$a301280a@phx.gbl...
> >> We have 1200 isolated domain resources that would be
> >> able to initiate connections to AD DCs but not the
> >> reverse due to a firewall.
> >>
> >> Does anyone know the repercussions of AD domain
> >> controllers not being able to initiate connections to
> >> other domain based resources; ie; desktops, servers,
> >> Exchange, etc?
> >>
> >> thanks!
> >
> >
> >

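Al's advice above is to build a mock of the setup and watch the wire. The script below is an added example, not code from the thread or from any poster: it takes flow records from such a capture (here a few constructed sample lines, with made-up addresses) plus the list of DC addresses, and reports every connection that a DC initiated towards a non-DC host. Those are exactly the flows the one-way firewall in David's scenario would drop, so the report is a concrete list of what to expect to break. The record layout, the `Flow` type and the service labels are assumptions of this example, not anything from the thread or the referenced KB article.

```python
"""Classify connection-initiation direction from flow records (added example).

Given the DC addresses and flow records captured on the firewall segment,
list every flow whose initiator is a DC and whose responder is not.
"""
from collections import Counter
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Common AD-related ports, used only to label the report. This is an
# assumption of the example, not the full port list from the KB article.
PORT_NAMES = {53: "dns", 88: "kerberos", 135: "rpc-epm", 389: "ldap",
              445: "smb", 464: "kpasswd", 636: "ldaps", 3268: "gc",
              3269: "gc-ssl"}


@dataclass(frozen=True)
class Flow:
    src: str      # initiator address (the side that sent the SYN)
    sport: int
    dst: str      # responder address
    dport: int
    proto: str


def parse_flow(line):
    """Parse one record: 'initiator sport responder dport proto'.

    Anything after '#' is a comment. Assumed layout for this example.
    """
    src, sport, dst, dport, proto = line.split("#", 1)[0].split()
    return Flow(src, int(sport), dst, int(dport), proto.lower())


def is_dc(addr, dc_nets):
    ip = ip_address(addr)
    return any(ip in net for net in dc_nets)


def dc_initiated_flows(lines, dc_addrs):
    """Return flows a DC initiated towards a host that is not a DC.

    dc_addrs may hold single addresses or CIDR ranges.
    """
    dc_nets = [ip_network(a, strict=False) for a in dc_addrs]
    hits = []
    for line in lines:
        body = line.split("#", 1)[0].strip()
        if not body:
            continue
        flow = parse_flow(body)
        if is_dc(flow.src, dc_nets) and not is_dc(flow.dst, dc_nets):
            hits.append(flow)
    return hits


def summarize(flows):
    """Count DC-initiated flows per (destination port, service label)."""
    counts = Counter((f.dport, PORT_NAMES.get(f.dport, "other")) for f in flows)
    return dict(counts)


# Constructed sample capture: 10.1.0.0/24 holds the DCs, 10.2.0.0/16 the
# isolated resources. The addresses and flows are invented for the example.
SAMPLE_FLOWS = """
10.1.0.10 49152 10.1.0.11 389 tcp   # DC -> DC: allowed either way
10.2.5.20 51000 10.1.0.10 88 tcp    # client -> DC: allowed through firewall
10.2.5.20 51001 10.1.0.10 445 tcp   # client -> DC: allowed through firewall
10.1.0.10 49200 10.2.5.20 445 tcp   # DC -> client: dropped by one-way rule
10.1.0.11 49201 10.2.7.30 135 tcp   # DC -> server: dropped by one-way rule
"""

DC_ADDRESSES = ["10.1.0.10", "10.1.0.11"]


if __name__ == "__main__":
    blocked = dc_initiated_flows(SAMPLE_FLOWS.splitlines(), DC_ADDRESSES)
    for f in blocked:
        print(f"DC-initiated: {f.src}:{f.sport} -> {f.dst}:{f.dport}/{f.proto}")
    print("per port:", summarize(blocked))
```

Feed it the flows from a capture on the mock segment (one line per TCP connection, initiator first) and the output is the set of DC-originated conversations that the proposed firewall would silently block; an empty report for a full reboot-plus-logon cycle is the evidence Al is asking for.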

