Joining a DMZ server to the domain


Hi all,

Quick question. I have a Read-Only Domain Controller in my DMZ which has access to two writeable domain controllers through the firewall.

Yesterday I had to disjoin a server in the DMZ and rejoin it, but it would not let me join. Once I added a temporary firewall rule to allow the server in question to reach the two writeable domain controllers, it went straight through.

Is this expected? I know the domain controller in the DMZ is a Read-Only DC, but I had it in my mind that it would "forward" the request to the two writeable DCs.

I could of course have put it on the inside LAN network for a few minutes and then back out in the DMZ.

3 Replies

Seems the firewall may be too restrictive.

What operations fail if the WAN is offline, but the RODC is online in the branch office?
If the RODC cannot connect to a writable domain controller running Windows Server 2008 in the hub, the following branch office operations fail:
- Password changes
- Attempts to join a computer to a domain
- Computer rename
- Authentication attempts for accounts whose credentials are not cached on the RODC
- Group Policy updates that an administrator might attempt by running the gpupdate /force command

RODC Frequently Asked Questions | Microsoft Docs


Hmm, will do a test next week I think, where I open all ports for a 10-minute period from the RODC in the DMZ to the two writeable DCs. Thank you for that link.
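The FAQ item quoted in the reply above says a computer join needs a writable DC, which matches what happened once the DMZ server could reach the two writeable DCs. Rather than opening every port for a window, a narrower way to confirm it is to run the check below on the DMZ member server: ask the DC locator for a writable DC, then probe only the ports a join uses against each writable DC and against the RODC. This PowerShell is an added example, not code from the thread or from Microsoft; the domain name, host names and the port list are assumptions for illustration.

```powershell
# Added example (not from the thread or the Microsoft FAQ). Run on the DMZ
# member server that failed to join. Names below are assumed for illustration.
$Domain      = 'corp.example.com'
$WritableDCs = @('dc01.corp.example.com', 'dc02.corp.example.com')
$Rodc        = 'rodc01.corp.example.com'

# Ports a domain join needs against a writable DC (assumed minimal set).
# The RPC dynamic range (49152-65535 by default) must also be allowed to the
# writable DCs; a single TCP probe cannot check that, so it is not listed here.
$Ports = @{
    53  = 'DNS'
    88  = 'Kerberos'
    135 = 'RPC endpoint mapper'
    389 = 'LDAP'
    445 = 'SMB (Netlogon / SAM)'
}

# 1. Which DC does the locator return when a writable DC is required?
#    With the DMZ rule missing this is expected to fail or time out.
Write-Host "Writable DC the locator returns for ${Domain}:"
nltest "/dsgetdc:$Domain" /writable /force

# 2. TCP probes from this host to each writable DC and to the RODC.
$results = foreach ($dc in ($WritableDCs + $Rodc)) {
    foreach ($port in $Ports.Keys) {
        $t = Test-NetConnection -ComputerName $dc -Port $port -WarningAction SilentlyContinue
        [pscustomobject]@{
            Target  = $dc
            Port    = $port
            Service = $Ports[$port]
            Open    = $t.TcpTestSucceeded
        }
    }
}
$results | Sort-Object Target, Port | Format-Table -AutoSize

# 3. A port is a problem if it is closed on every writable DC; the RODC
#    being open on it does not help a join.
$unreachable = foreach ($port in $Ports.Keys) {
    $openOnSome = $results | Where-Object {
        $_.Target -in $WritableDCs -and $_.Port -eq $port -and $_.Open
    }
    if (-not $openOnSome) {
        [pscustomobject]@{ Port = $port; Service = $Ports[$port] }
    }
}
if ($unreachable) {
    Write-Warning 'Blocked to every writable DC; the join will fail until a rule allows these:'
    $unreachable | Sort-Object Port | Format-Table -AutoSize
} else {
    Write-Host 'All probed ports reach at least one writable DC.'
}
```

Each failed Test-NetConnection waits for its connect timeout, so the probe loop is slow when the firewall drops rather than rejects; that is fine for a one-off check. The output tells you which specific ports the permanent rule from the DMZ server to the writable DCs must allow, instead of a temporary allow-all.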