Joining a DMZ server to the domain

Hi all,

Quick question. I have a Read-Only Domain Controller in my DMZ that has access to 2 writeable domain controllers through the firewall.

Yesterday I had to disjoin a server in the DMZ and rejoin it, but it would not let me join. Once I added a temp firewall rule to allow the server in question to reach the 2 writeable domain controllers, it went straight through.

Is this expected? I know the domain controller in the DMZ is a Read Only DC but I had it in my mind that it would "forward" the request to the 2 writeable DCs?

I could of course have put it on the inside LAN network for a few minutes and then back out in the DMZ.

3 Replies

Seems the firewall may be too restrictive.

What operations fail if the WAN is offline, but the RODC is online in the branch office?

If the RODC cannot connect to a writable domain controller running Windows Server 2008 in the hub, the following branch office operations fail:
- Password changes
- Attempts to join a computer to a domain
- Computer rename
- Authentication attempts for accounts whose credentials are not cached on the RODC
- Group Policy updates that an administrator might attempt by running the gpupdate /force command

RODC Frequently Asked Questions | Microsoft Docs
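
Added example (not posted by anyone in this thread): a PowerShell check run from the DMZ host that first asks the DC locator for a writable DC only (the default query would happily return the RODC, which cannot process a join) and then tests the TCP ports a domain join needs toward that DC, so the firewall rule can be scoped to exactly the ports that are missing. The domain name is a placeholder, and the port list is an assumption based on Microsoft's AD firewall port guidance; RPC dynamic ports are negotiated at run time and are not covered by this check.

```powershell
# Added example, not from the thread. Run on the DMZ server before a join.
# Assumptions: $Domain is a placeholder; port list follows Microsoft's
# AD firewall guidance (RPC dynamic ports 49152-65535 are not spot-checked).
param(
    [string]$Domain = 'corp.example.com'   # placeholder domain name
)

# TCP ports a domain join needs on a writable DC.
$JoinPorts = @{
    53   = 'DNS'
    88   = 'Kerberos'
    135  = 'RPC endpoint mapper'
    389  = 'LDAP'
    445  = 'SMB (Netlogon/SYSVOL)'
    464  = 'Kerberos password change'
    3268 = 'Global Catalog'
}

# Ask the locator for a writable DC only; an RODC satisfies the default query.
$locator = nltest /dsgetdc:$Domain /writable /force 2>&1
if ($LASTEXITCODE -ne 0) {
    Write-Warning "No writable DC could be located for $Domain; a join will fail.`n$locator"
    return
}
$match = $locator | Select-String '^\s*DC:\s*\\\\(\S+)'
if (-not $match) { Write-Warning "Unexpected nltest output:`n$locator"; return }
$dc = $match.Matches[0].Groups[1].Value
Write-Host "Writable DC located: $dc"

# Test each required port from this host to that DC.
$results = foreach ($port in ($JoinPorts.Keys | Sort-Object)) {
    $tnc = Test-NetConnection -ComputerName $dc -Port $port -WarningAction SilentlyContinue
    [pscustomobject]@{ Port = $port; Service = $JoinPorts[$port]; Reachable = $tnc.TcpTestSucceeded }
}
$results | Format-Table -AutoSize

# Summarise what the firewall still blocks so the rule can be scoped to it.
$blocked = $results | Where-Object { -not $_.Reachable }
if ($blocked) {
    $list = ($blocked | ForEach-Object { "$($_.Port)/$($_.Service)" }) -join ', '
    Write-Warning "Firewall blocks from this host to ${dc}: $list"
} else {
    Write-Host "All checked join ports are reachable on $dc."
}
```

If nltest cannot find a writable DC at all, the problem is name resolution or the locator ports (DNS/LDAP) rather than the join itself, which is the same symptom the thread describes.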
Hmm, will do a test next week I think where I open all ports for a 10 min period from the RODC in the DMZ to the 2 writeable DCs. Thank you for that link.