
We have two AD forests with a trust in place. fwDomain has been firewalled from accessing resources in corpDomain.

corpDomain has one DC within the firewall boundary, and it has the ability to communicate with the other corpDomain DCs.

The goal is to restrict fwDomain trust/AD traffic to the single corpDomain DC within the same firewall boundary. The fwDomain DCs should not attempt to communicate with other corpDomain DCs outside of the firewall.

[Trust diagram]

This is not a firewall question. This is a DNS or ADSS issue: restricting the LDAP/Kerberos/etc. traffic to the DCs within the same firewall boundary.

A conditional forwarder won't work as fwDomain DCs are getting resolution for corpDomain DCs they can't communicate with.

In the fwDomain, I have tried creating a stripped-down primary corpDomain DNS zone with service records only pointing to the single corpDomain DC, but this did not work either.

Thanks in advance.

rmarles

1 Answer

I don't believe this is feasible. If you want a domain controller record to be inaccessible, it should not be published globally. This, and the procedures and recommendations for it, have been documented for almost 20 years.

This is particularly true for the same as parent record.

Furthermore, there is usually not a good business reason for this. I've heard many arguments numerous times, and it's usually that someone doesn't want to see messy stuff in a log. Tough.

AD is not designed that way. It's designed to be accessible in the form of multiple servers. Traffic can be influenced, but not eliminated. DNS records can be published, or not.

You can, however, prevent the DC in the impaired domain from communicating with specific domain controller record names. This is not uncommon and essentially involves sinkholing domain controller names in the hosts file on the offending impaired domain controller(s).

Greg Askew

Comment: I get that by design domain controllers should be able to communicate with each other globally. This is a unique situation where the fwDomain has been isolated from the corporate domain as an InfoSec requirement. Trying to limit exposure to corpDomain from this environment. If I understand your suggestion, you are saying create a hosts entry for all corpDomain DCs with the IP of the corpDomain DC in the firewall boundary? – rmarles Jul 24 '22 at 16:37
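The hosts-file sinkhole the answer describes, as an added example that is not code from the question, the answer or Microsoft. Everything named in it is a hypothetical placeholder: corp.example stands for corpDomain, dc01.corp.example with address 10.10.1.10 for the single corpDomain DC inside the firewall boundary, and 0.0.0.0 is the assumed sinkhole address (the follow-up comment's alternative, pointing every blocked name at the in-boundary DC's IP, is the same script with a different -SinkholeAddress). It runs elevated on each fwDomain DC and only ever rewrites a marked block in the hosts file, so it can be re-run when corpDomain adds or retires DCs.

```powershell
<#
  Added example (not from the original post). All names are hypothetical placeholders:
  corp.example = corpDomain, dc01.corp.example / 10.10.1.10 = the one corpDomain DC
  inside the firewall boundary. Run elevated on each fwDomain DC; supports -WhatIf.
#>
[CmdletBinding(SupportsShouldProcess)]
param(
    [string]$CorpDomain      = 'corp.example',
    [string]$AllowedDc       = 'dc01.corp.example',
    [string]$AllowedDcIp     = '10.10.1.10',
    # 0.0.0.0 makes a connect attempt fail immediately instead of hanging on a
    # firewall drop; use $AllowedDcIp here instead to redirect rather than sinkhole.
    [string]$SinkholeAddress = '0.0.0.0',
    [string]$HostsPath       = "$env:SystemRoot\System32\drivers\etc\hosts"
)

$beginMarker = '# BEGIN corpDomain-sinkhole (managed block, do not edit by hand)'
$endMarker   = '# END corpDomain-sinkhole'

# 1. Enumerate the corpDomain DCs exactly as this fwDomain DC resolves them today.
#    DC locator picks a target from these SRV records and then resolves the target's
#    A/AAAA record; that second lookup is the only step a hosts file can override.
$srv = Resolve-DnsName -Name "_ldap._tcp.dc._msdcs.$CorpDomain" -Type SRV -ErrorAction Stop |
       Where-Object { $_.Type -eq 'SRV' }
$dcNames = $srv |
    ForEach-Object { $_.NameTarget.TrimEnd('.').ToLowerInvariant() } |
    Sort-Object -Unique
$blocked = @($dcNames | Where-Object { $_ -ne $AllowedDc.ToLowerInvariant() })

if ($blocked.Count -eq 0) {
    Write-Warning "No corpDomain DC other than $AllowedDc was found; nothing to sinkhole."
    return
}

# 2. Build the managed block. The 'same as parent' A record (the bare domain name)
#    normally answers with every DC's address, so pin it to the in-boundary DC too.
$block  = @($beginMarker)
$block += "$AllowedDcIp`t$CorpDomain"
$block += $blocked | ForEach-Object { "$SinkholeAddress`t$_" }
$block += $endMarker

# 3. Drop any earlier managed block and keep every other line of the hosts file as-is.
$existing = if (Test-Path $HostsPath) { Get-Content -Path $HostsPath } else { @() }
$inBlock  = $false
$kept = foreach ($line in $existing) {
    if ($line -eq $beginMarker) { $inBlock = $true;  continue }
    if ($line -eq $endMarker)   { $inBlock = $false; continue }
    if (-not $inBlock) { $line }
}

if ($PSCmdlet.ShouldProcess($HostsPath, "sinkhole $($blocked.Count) corpDomain DC name(s)")) {
    Set-Content -Path $HostsPath -Value (@($kept) + $block) -Encoding ASCII
    Clear-DnsClientCache   # hosts entries are served through the resolver cache

    # 4. Verify through the same resolver path Netlogon uses, not by reading the file back.
    foreach ($name in ($blocked + $CorpDomain)) {
        $ips = [System.Net.Dns]::GetHostAddresses($name) | ForEach-Object IPAddressToString
        '{0,-40} -> {1}' -f $name, ($ips -join ', ')
    }
}
```

Two caveats a practitioner will hit. First, the hosts file cannot touch SRV records, so the fwDomain DC still learns every corpDomain DC from `_ldap._tcp.dc._msdcs`; what changes is that its LDAP ping to each sinkholed name fails at once instead of timing out at the firewall, and locator settles on the one name that still resolves to a live address. Second, the change is per machine and is overwritten by nobody but you: repeat it on every fwDomain DC (and any fwDomain member that talks to corpDomain directly), and re-run it after corpDomain promotes or demotes a DC, since a new DC name is not in the managed block until the script sees its SRV record.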