We have a multi-domain Active Directory forest with a few external trusts. Let's say we have a forest root domain named company.com and a few child domains in that forest: subsidiary1.com, subsidiary2.com and subsidiary3.com. We are creating firewall rules that will restrict communication to the domain controllers of company.com from the networks of the subsidiaries.
Is there any article from Microsoft that describes the required network connectivity (ports opened in firewalls) between workstations/member servers and the domain controllers of other domains in the same forest, as required for proper operation of the AD infrastructure itself?
Some information on this topic is here:
How to configure a firewall for domains and trusts
How Domain and Forest Trusts Work
However, these articles don't answer my question: is access to the domain controllers of the forest root domain from all workstations (and member servers) of all forest domains required?
I know that in practice most things (except, for example, domain authentication from macOS workstations) work fine if the DCs of the forest root domain (as well as those of all other domains except the one where the user and computer reside) are not accessible from workstations, but I would like to see any official information from Microsoft or to hear the opinion of administrators who have long experience running such configurations.
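Before the new rules go live, it helps to measure what a member machine in a subsidiary network can actually reach on the forest root DCs, so that anything the rule set blocks is a deliberate decision rather than a surprise. The script below is an added example, not code from the original post or from Microsoft. It assumes the hypothetical forest root name company.com from the question, that it is run from a domain-joined Windows machine (Windows 8 / Server 2012 or later, for Resolve-DnsName and Test-NetConnection), and it probes the well-known TCP ports that Microsoft's "How to configure a firewall for domains and trusts" article lists for member-to-DC traffic. UDP (Kerberos, LDAP ping, DNS, NTP) and the RPC dynamic port range are not covered, because Test-NetConnection only performs a TCP handshake.

```powershell
# Added example (not from the original post): probe the standard AD TCP
# ports from a member machine toward the forest root domain's DCs.
# $ForestRoot is the hypothetical forest root name used in the question.
$ForestRoot = 'company.com'

# Locate the forest root DCs through the _ldap._tcp.dc._msdcs SRV record,
# the same lookup a domain member performs during DC discovery.
$srv = Resolve-DnsName -Name "_ldap._tcp.dc._msdcs.$ForestRoot" -Type SRV -ErrorAction Stop
$dcs = $srv | Where-Object { $_.Type -eq 'SRV' } |
       Select-Object -ExpandProperty NameTarget -Unique

# TCP ports from the Microsoft firewall article. UDP 53/88/123/389 and the
# RPC dynamic range (49152-65535) are not probed; Test-NetConnection is TCP-only.
$ports = [ordered]@{
    53   = 'DNS'
    88   = 'Kerberos'
    135  = 'RPC endpoint mapper'
    389  = 'LDAP'
    445  = 'SMB'
    464  = 'Kerberos password change'
    636  = 'LDAP over SSL'
    3268 = 'Global Catalog'
    3269 = 'Global Catalog over SSL'
}

$results = foreach ($dc in $dcs) {
    foreach ($p in $ports.Keys) {
        $t = Test-NetConnection -ComputerName $dc -Port $p -WarningAction SilentlyContinue
        [pscustomobject]@{
            DC      = $dc
            Port    = $p
            Service = $ports[$p]
            Open    = $t.TcpTestSucceeded
        }
    }
}

$results | Sort-Object DC, Port | Format-Table -AutoSize

# Summarise what the current rule set blocks, so it can be compared with
# the access the AD infrastructure actually needs from this network.
$blocked = $results | Where-Object { -not $_.Open }
if ($blocked) {
    Write-Warning ("{0} port(s) blocked toward forest root DCs; review the table above." -f $blocked.Count)
} else {
    Write-Host "All probed TCP ports reachable on $($dcs.Count) forest root DC(s)."
}
```

Run it once from a subsidiary workstation before and once after the firewall change; a port that flips from open to blocked is a candidate for the "is this really required from here" question the post raises. A successful TCP handshake only proves the path is open, not that AD needs it from that client, so the output is a checklist for the rule review, not an answer by itself.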