I have been searching extensively on the forum but cannot find an answer for this, even though this seems to be one of the most commonly asked questions. Here we are:
We have a test box called testserver. We installed one RODC called rodc1. There are two existing DCs called RWDC1 and RWDC2. Right now there is no firewall and everything works fine. We then added an AD site in the domain to include rodc1 and also the subnet where testserver sits. Now, when we log in to testserver, it goes through rodc1, and we confirmed this with the nltest result. There is no password caching on RODC1.
The problem starts when we enable the firewall on testserver. The reason we are doing this is to simulate the situation where we put testserver and rodc1 on the perimeter network, where there is a firewall blocking testserver from rwdc1 and rwdc2. The related firewall ports will be open between rodc1 and rwdc1/2. The test we did is this:
1. we enabled the firewall on testserver (a Win2012 server) to allow ALL traffic (in and out) between testserver and rodc1
2. we enabled one rule to block ALL traffic and ports inbound to testserver from rwdc1/2
3. we enabled one rule to block ALL traffic and ports outbound from testserver to rwdc1/2
Basically we want to see that once a member server has ONLY access to rodc1, it still works fine without any access to the RWDCs.
When we have #1 and #2, authentication works fine. Once #3 is enabled, authentication fails and we cannot even RDP into testserver. We are surprised by the result, as we thought all traffic goes through rodc1, not directly to rwdc1/2. But the test result seems to show that some traffic still goes directly to an RWDC from the member server.
Are we understanding it wrongly, and do we still need a few ports to allow traffic from testserver (a member server on the perimeter) to the rwdc? Or is the test we are doing here a wrong representation of the real situation?
Thanks,
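A diagnostic that fits the test above, added here as an example rather than anything from the original post: run on the member server, it shows which DC the locator and the current logon session actually used, lists any open sockets to the writable DCs, turns on dropped-packet logging for the domain profile, and then summarises which RWDC destinations and ports the firewall has been dropping. That last list is what tells you whether the failure in step #3 is the member server itself trying to reach an RWDC, and on which ports. The domain name, host names and log path are placeholders for the poster's lab; `nltest`, the NetSecurity cmdlets and the pfirewall.log field layout are standard Windows.

```powershell
# Added example, not from the original post. Run in an elevated PowerShell
# on the member server (testserver) while the test firewall rules are active.
$Domain  = 'corp.example'                     # placeholder: your AD domain
$Rwdcs   = @('rwdc1', 'rwdc2')                # writable DCs the rules should cut off
$LogPath = [Environment]::ExpandEnvironmentVariables(
              '%SystemRoot%\System32\LogFiles\Firewall\pfirewall.log')

# 1. Which DC does the DC locator hand out for this site right now?
#    /FORCE bypasses the cached answer so you see the live result.
nltest /dsgetdc:$Domain /FORCE

# 2. Which DC serviced the logon for this session?
Write-Host "LOGONSERVER = $env:LOGONSERVER"

# 3. Resolve the RWDCs and list every open TCP connection to them.
#    Any row here is traffic that is not going via rodc1.
$rwdcIps = foreach ($dc in $Rwdcs) {
    (Resolve-DnsName -Name $dc -Type A -ErrorAction SilentlyContinue).IPAddress
}
$toRwdc = Get-NetTCPConnection -ErrorAction SilentlyContinue |
    Where-Object { $_.RemoteAddress -in $rwdcIps } |
    Select-Object LocalPort, RemoteAddress, RemotePort, State, OwningProcess
if ($toRwdc) {
    Write-Host "Open TCP connections directly to an RWDC:"
    $toRwdc | Format-Table -AutoSize
} else {
    Write-Host "No open TCP connections to $($Rwdcs -join ', ')."
}

# 4. Show which enabled outbound block rules are scoped to specific remote
#    addresses, to confirm test step #3 is the rule actually in force.
Get-NetFirewallRule -Direction Outbound -Action Block -Enabled True |
    ForEach-Object {
        $addr = ($_ | Get-NetFirewallAddressFilter).RemoteAddress
        [pscustomobject]@{ Rule = $_.DisplayName; RemoteAddress = ($addr -join ',') }
    } |
    Where-Object { $_.RemoteAddress -ne 'Any' } |
    Format-Table -AutoSize

# 5. Log dropped packets for the domain profile. Reproduce the failed logon
#    or RDP attempt after this, then re-run step 6.
Set-NetFirewallProfile -Profile Domain -LogBlocked True -LogFileName $LogPath

# 6. Summarise dropped packets whose destination is an RWDC, grouped by
#    protocol and destination port. pfirewall.log fields are space-separated:
#    date time action protocol src-ip dst-ip src-port dst-port ... path
if (Test-Path $LogPath) {
    Get-Content $LogPath |
        Where-Object { $_ -match '^\S+ \S+ DROP ' } |
        ForEach-Object {
            $f = $_ -split ' '
            [pscustomobject]@{
                Time    = $f[1]
                Proto   = $f[3]
                Dst     = $f[5]
                DstPort = $f[7]
                Path    = $f[-1]     # SEND = outbound from this server
            }
        } |
        Where-Object { $_.Dst -in $rwdcIps } |
        Group-Object Proto, DstPort, Path |
        Sort-Object Count -Descending |
        Select-Object Count, Name |
        Format-Table -AutoSize
} else {
    Write-Host "No firewall log at $LogPath yet; reproduce the failure and re-run."
}
```

Run steps 1 to 5 before reproducing the failed logon, then step 6 afterwards: the grouped DROP/SEND lines give the exact RWDC ports the member server tried to use on its own, which is the evidence needed to decide whether the perimeter design must allow some member-to-RWDC traffic or whether the lab rules differ from the intended real firewall.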