We have a multi-domain Active Directory forest with a few external trusts. Let's say we have a forest root domain named company.com and a few child domains in that forest - subsidiary1.com, subsidiary2.com and subsidiary3.com. We are creating firewall rules that will restrict communication to the domain controllers of company.com from the networks of the subsidiaries.
Is there any article from Microsoft that describes the required network connectivity (open ports in firewalls) between workstations/member servers and domain controllers of other domains of the same forest, required for proper operation of the AD infrastructure itself?
Some information on this topic is here:
How to configure a firewall for domains and trusts
How Domain and Forest Trusts Work
However, these articles don't answer my question - is access to domain controllers of the forest root domain from all workstations (and member servers) of all forest domains required?
I know that in practice most things (except, for example, domain authentication from macOS workstations) work fine if the DCs of the forest root domain (as well as those of all other domains except the one where the user and computer reside) are not accessible from workstations, but I would like to look at any official information from Microsoft or to hear the opinion of administrators who have long experience running such configurations.
No - clients only need access to the domain controllers for their own domains. The DCs need to be able to talk to each other, but that can be routed through bridgehead DCs, so there is no need for ports to be opened between all participants.
You should look at your global catalog server distribution to make sure clients have access to the data from other domains they need to function.
There is a lot to know about AD in large environments. I would start here: http://technet.microsoft.com/en-us/library/dd578336(v=ws.10)
and consider a copy of this AD book:
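The check this answer implies, as an added example and not part of the original answer: run from a member of a child domain, it discovers the DCs of the machine's own domain and the forest's global catalog servers via their DNS SRV records and probes the ports a member needs, so you can confirm that firewall rules blocking the forest root have not cut off anything the client actually requires. The port list is an assumption (a common DC set), not Microsoft's authoritative list; adjust it for your environment.

```powershell
# Added example (not from the original post). Assumes the machine is domain-joined
# and can resolve the _msdcs SRV records; the port set below is an assumption.
$domain = [System.DirectoryServices.ActiveDirectory.Domain]::GetComputerDomain()
$forest = $domain.Forest

# Ports a member commonly needs to its own domain's DCs: DNS, Kerberos, RPC mapper,
# LDAP, SMB. Global catalog queries use 3268 and may be served from any domain.
$dcPorts = 53, 88, 135, 389, 445
$gcPorts = 3268

function Test-Ports {
    param([string]$Server, [int[]]$Ports)
    foreach ($p in $Ports) {
        $r = Test-NetConnection -ComputerName $Server -Port $p -WarningAction SilentlyContinue
        [pscustomobject]@{ Server = $Server; Port = $p; Open = $r.TcpTestSucceeded }
    }
}

function Get-SrvTargets([string]$Name) {
    Resolve-DnsName -Name $Name -Type SRV -ErrorAction Stop |
        Where-Object Type -eq 'SRV' |
        Select-Object -ExpandProperty NameTarget -Unique
}

# 1. The client's own domain controllers must be reachable on the core ports.
$ownDcs = Get-SrvTargets "_ldap._tcp.dc._msdcs.$($domain.Name)"
$ownResults = $ownDcs | ForEach-Object { Test-Ports -Server $_ -Ports $dcPorts }
$ownResults | Format-Table -AutoSize
$blocked = $ownResults | Where-Object { -not $_.Open }
if ($blocked) { Write-Warning "Own-domain DC ports blocked: $($blocked.Count) - logons and policy will break." }

# 2. At least one global catalog must answer on 3268; it does NOT have to be in the
#    forest root, so place a GC in each child domain rather than opening the root.
$gcs = Get-SrvTargets "_gc._tcp.$($forest.Name)"
$gcResults = $gcs | ForEach-Object { Test-Ports -Server $_ -Ports $gcPorts }
$gcResults | Format-Table -AutoSize
if (-not ($gcResults | Where-Object Open)) {
    Write-Warning "No reachable global catalog on 3268 - universal group membership and UPN logons will fail."
}
```

Run it before and after applying the firewall rules; the second run should show own-domain DCs and at least one GC still open while forest root DCs are absent from both lists.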
Some US government agencies have a parent forest root domain that is accessible only over an IPsec connection from the designated bridgehead domain controllers. There is no IP connectivity between child domains, or even from the child domain to the forest root domain. This is perfectly acceptable.
There are 2 scenarios I know of in which clients in a child domain need access to DCs in a parent domain: