Windows – Network connectivity requirements for Active Directory forest

Tags: active-directory, firewall, networking, windows

We have a multi-domain Active Directory forest with a few external trusts. Let's say we have a forest root domain named company.com and a few child domains in that forest: subsidiary1.com, subsidiary2.com and subsidiary3.com. We are creating firewall rules that will restrict communication to the domain controllers of company.com from the networks of the subsidiaries.

Is there any article from Microsoft that describes the required network connectivity (ports to open in firewalls) between workstations/member servers and the domain controllers of other domains in the same forest, as required for proper operation of the AD infrastructure itself?

Some information on this topic is here:

- How to configure a firewall for domains and trusts
- How Domain and Forest Trusts Work

However, these articles don't answer my question: is access to the domain controllers of the forest root domain from all workstations (and member servers) of all forest domains required?

I know that in practice most things (except, for example, domain authentication from macOS workstations) work fine if the DCs of the forest root domain (as well as of all other domains, except the domain where the user and computer reside) are not accessible from workstations, but I would like to see official information from Microsoft, or to hear the opinion of administrators who have long experience running such configurations.

Best Answer

No - clients only need access to the domain controllers for their own domains. The DCs need to be able to talk to each other, but that can be routed through bridgehead DCs, so there is no need for ports to be opened between all participants.

You should look at your global catalog server distribution to make sure clients have access to the data from other domains that they need in order to function.

There is a lot to know about AD in large environments. I would start here: http://technet.microsoft.com/en-us/library/dd578336(v=ws.10)

and consider a copy of this AD book:

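A way to verify the answer's claim on a concrete machine, as an added example that is not part of the original thread: run from an elevated PowerShell prompt on a domain-joined member in one of the subsidiary domains. It discovers the DCs and global catalog the machine actually depends on via the .NET ActiveDirectory classes, then probes the TCP ports from the Microsoft "configure a firewall for domains and trusts" list, and separately probes a forest-root DC so you can see which paths your new rules actually block. Assumptions: `Test-NetConnection` only tests TCP, so UDP-only traffic (NTP 123, and the UDP variants of DNS 53, Kerberos 88 and LDAP 389) is not covered; the variable and port-label names are chosen here, not taken from any Microsoft document.

```powershell
# Added example, not the original poster's or Microsoft's code.
# Discover the DCs a member machine depends on and probe the firewall ports it needs.

# TCP ports from Microsoft's "How to configure a firewall for domains and trusts"
# (UDP ports and NTP are not probed; Test-NetConnection is TCP only).
$Ports = [ordered]@{
    'DNS'            = 53
    'Kerberos'       = 88
    'RPC endpoint'   = 135
    'LDAP'           = 389
    'SMB'            = 445
    'Kerberos kpasswd' = 464
    'LDAPS'          = 636
    'GC LDAP'        = 3268
    'GC LDAPS'       = 3269
}

function Test-DcPorts {
    param(
        [Parameter(Mandatory)] [string] $DcName,
        [Parameter(Mandatory)] [string] $Role
    )
    foreach ($entry in $Ports.GetEnumerator()) {
        # -InformationLevel Quiet makes Test-NetConnection return a plain boolean.
        $open = Test-NetConnection -ComputerName $DcName -Port $entry.Value `
                                   -InformationLevel Quiet -WarningAction SilentlyContinue
        [pscustomobject]@{
            Role    = $Role
            DC      = $DcName
            Service = $entry.Key
            Port    = $entry.Value
            Open    = $open
        }
    }
}

# The domain this computer is joined to, and the forest it belongs to.
$computerDomain = [System.DirectoryServices.ActiveDirectory.Domain]::GetComputerDomain()
$forest         = $computerDomain.Forest

# 1. DCs of the machine's own domain: the answer says these are the ones clients must reach.
$ownDcs = $computerDomain.DomainControllers | Select-Object -ExpandProperty Name

# 2. The global catalog this client would locate: it must also be reachable, and the
#    answer's point about GC distribution is that it should live in the client's own site.
$gc = $forest.FindGlobalCatalog().Name

# 3. One DC of the forest root domain (company.com in the question): the answer says
#    clients do NOT need this, so after the new firewall rules it should show as closed.
$rootDc = ($forest.RootDomain.DomainControllers | Select-Object -First 1).Name

$results = @()
foreach ($dc in $ownDcs) { $results += Test-DcPorts -DcName $dc -Role 'Own domain DC' }
$results += Test-DcPorts -DcName $gc     -Role 'Located GC'
$results += Test-DcPorts -DcName $rootDc -Role 'Forest root DC'

$results | Format-Table Role, DC, Service, Port, Open -AutoSize

# Quick verdict: anything needed from the own-domain DCs or the GC that is closed is a problem;
# closed ports on the forest-root DC are expected once the subsidiary networks are restricted.
$results | Where-Object { $_.Role -ne 'Forest root DC' -and -not $_.Open } |
    ForEach-Object { Write-Warning "Required port closed: $($_.DC):$($_.Port) ($($_.Service))" }
```

If the located GC turns out to be a forest-root DC rather than one in the subsidiary's own site, that is exactly the global catalog distribution issue the answer warns about: either place a GC in the subsidiary domain's site or allow 3268/3269 to the GC the locator actually returns.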