Forum Discussion
Joining a DMZ server to the domain
Hi all,
Quick question. I have a Read-Only Domain Controller in my DMZ which has access to 2 writeable domain controllers through the firewall.
Yesterday I had to disjoin a server in the DMZ and rejoin, but it would not let me join. Once I added a temp firewall rule to allow the server in question to reach the 2 writeable domain controllers it went straight through.
Is this expected? I know the domain controller in the DMZ is a Read Only DC but I had it in my mind that it would "forward" the request to the 2 writeable DCs?
I could of course have put it on the inside LAN network for a few minutes and then back out in the DMZ.
3 Replies
- RippieUK (Brass Contributor): Hmm, will do a test next week I think where I open all ports for a 10 min period from the RODC in DMZ to the 2 writeable DCs. Thank you for that link.
Sounds good, you're welcome.
Configure firewall for AD domain and trusts - Windows Server | Microsoft Docs
(please don't forget to mark helpful replies)
Seems the firewall may be too restrictive.
What operations fail if the WAN is offline, but the RODC is online in the branch office?
- If the RODC cannot connect to a writable domain controller running Windows Server 2008 in the hub, the following branch office operations fail:
- Password changes
- Attempts to join a computer to a domain
- Computer rename
- Authentication attempts for accounts whose credentials are not cached on the RODC
- Group Policy updates that an administrator might attempt by running the gpupdate /force command
RODC Frequently Asked Questions | Microsoft Docs
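A quick way to see which firewall rules are actually missing before opening "all ports": run this from the DMZ member server against the writable DCs. This is an added example, not code from the thread; the DC host names are placeholders and the port list is the one from the Microsoft firewall doc linked above.

```powershell
# Added example: from the DMZ member server, check TCP reachability to the writable DCs
# on the ports a domain join / secure-channel setup needs. Host names are placeholders.
$WritableDCs = @('WDC01.corp.example', 'WDC02.corp.example')   # replace with your writable DCs

# TCP ports from "Configure firewall for AD domain and trusts". The RPC dynamic range
# (49152-65535 on Server 2008 and later) is also required but is not probed here.
$Ports = [ordered]@{
    'RPC endpoint mapper' = 135
    'Kerberos'            = 88
    'DNS'                 = 53
    'LDAP'                = 389
    'LDAP over SSL'       = 636
    'Global Catalog'      = 3268
    'SMB'                 = 445
}

# Which writable DC the locator would actually pick for this domain (useful if the join
# keeps going through a DC you did not expect). Assumes the local machine's domain.
nltest /dsgetdc:$env:USERDNSDOMAIN /writable

$results = foreach ($dc in $WritableDCs) {
    foreach ($entry in $Ports.GetEnumerator()) {
        # Test-NetConnection only tests TCP; Kerberos/DNS also use UDP, which is not covered here.
        $tnc = Test-NetConnection -ComputerName $dc -Port $entry.Value -WarningAction SilentlyContinue
        [pscustomobject]@{
            DC      = $dc
            Service = $entry.Key
            Port    = $entry.Value
            Open    = $tnc.TcpTestSucceeded
        }
    }
}

$results | Format-Table -AutoSize

# Anything reported closed is a rule the DMZ->writable-DC path is missing; the RODC alone
# cannot complete the join for you, per the FAQ quoted above.
$blocked = $results | Where-Object { -not $_.Open }
if ($blocked) {
    Write-Warning ('Blocked: ' + (($blocked | ForEach-Object { "$($_.DC):$($_.Port)" }) -join ', '))
}

# After the join, confirm the secure channel to a writable DC is healthy.
Test-ComputerSecureChannel -Verbose
```

Once the join works, the rule set can be narrowed back down to the ports that showed as required rather than leaving everything open between the DMZ and the inside LAN.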