Apr 16 2021 03:24 AM
Hi all,
Quick question. I have a Read-Only Domain Controller in my DMZ which has access to 2 writeable domain controllers through the firewall.
Yesterday I had to disjoin a server in the DMZ and rejoin, but it would not let me join. Once I added a temp firewall rule to allow the server in question to reach the 2 writeable domain controllers, it went straight through.
Is this expected? I know the domain controller in the DMZ is a Read Only DC but I had it in my mind that it would "forward" the request to the 2 writeable DCs?
I could of course have put it on the inside LAN network for a few minutes and then back out in the DMZ.
Apr 16 2021 05:16 AM
Seems the firewall may be too restrictive.
What operations fail if the WAN is offline, but the RODC is online in the branch office?
If the RODC cannot connect to a writable domain controller running Windows Server 2008 in the hub, the following branch office operations fail:
- Password changes
- Attempts to join a computer to a domain
- Computer rename
- Authentication attempts for accounts whose credentials are not cached on the RODC
- Group Policy updates that an administrator might attempt by running the gpupdate /force command
RODC Frequently Asked Questions | Microsoft Docs
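A quick way to confirm this from the DMZ server itself, as an added example (not from either poster or from Microsoft Docs): ask the DC locator for a writable DC and probe the TCP ports a domain join needs against the writable DCs. The domain name and DC hostnames are placeholders you would replace with your own.

```powershell
# Added example: check whether a DMZ host can reach a writable DC, or only the RODC.
# $Domain and $WritableDCs are placeholders for your environment.
param(
    [string]$Domain = 'corp.example',
    [string[]]$WritableDCs = @('dc01.corp.example', 'dc02.corp.example')
)

# TCP ports a domain join, password change or GPO refresh uses against a writable DC.
# Dynamic RPC ports (49152-65535 on Server 2008 and later) are also needed and are
# not covered by a single-port probe; a block there surfaces as RPC errors.
$Ports = [ordered]@{
    53   = 'DNS';  88  = 'Kerberos'; 135 = 'RPC endpoint mapper'; 389  = 'LDAP'
    445  = 'SMB';  464 = 'Kerberos password change'; 636 = 'LDAPS'; 3268 = 'Global Catalog'
}

function Get-WritableDcLocatorResult {
    # On a host that can only see the RODC, a request for a writable DC fails,
    # which is the symptom described in the question.
    param([string]$DomainName)
    $out = & nltest.exe "/dsgetdc:$DomainName" /writable /force 2>&1
    [pscustomobject]@{
        Succeeded = ($LASTEXITCODE -eq 0)
        Output    = ($out -join "`n")
    }
}

function Test-WritableDcPorts {
    # One row per host/port so the blocked ones can be listed for the firewall rule.
    param([string[]]$Hosts, [System.Collections.IDictionary]$PortMap)
    foreach ($h in $Hosts) {
        foreach ($p in $PortMap.Keys) {
            $r = Test-NetConnection -ComputerName $h -Port $p -WarningAction SilentlyContinue
            [pscustomobject]@{ Host = $h; Port = $p; Service = $PortMap[$p]; Open = $r.TcpTestSucceeded }
        }
    }
}

$locator = Get-WritableDcLocatorResult -DomainName $Domain
"Writable DC locator succeeded: $($locator.Succeeded)"
$locator.Output

$results = Test-WritableDcPorts -Hosts $WritableDCs -PortMap $Ports
$results | Format-Table -AutoSize
$blocked = $results | Where-Object { -not $_.Open }
if ($blocked) {
    "Blocked ports (allow these from the DMZ host to the writable DCs before joining):"
    $blocked | Format-Table -AutoSize
}
```

Run it from the DMZ server before and after adding the firewall rule; the locator result should flip to succeeded once the writable DCs are reachable.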
Apr 16 2021 08:36 AM
Apr 16 2021 08:39 AM
Sounds good, you're welcome.
Configure firewall for AD domain and trusts - Windows Server | Microsoft Docs
(please don't forget to mark helpful replies)