
I have two Active Directory domains in two different forests; each domain has two DCs (all of them Windows Server 2008 R2). The domains are also in different networks, with a firewall connecting them.

I need to create a two-way forest trust between the two domains and forest.

How do I configure the firewall to allow this?

I found this article, but it doesn't explain very clearly which traffic is required between DCs, and which traffic (if any) is needed instead between domain computers in one domain and DCs for the other one.

I'm allowed to permit all traffic between the DCs, but allowing computers in one network to access DCs in the other one would be a little more difficult.

Massimo

1 Answer


The minimum list for an AD Trust is:

53   TCP/UDP  DNS
88   TCP/UDP  Kerberos
389  TCP/UDP  LDAP
445  TCP      SMB
636  TCP      LDAP (SSL)

You can tighten that up a bit by configuring Kerberos for TCP only.
And if you're crazy you could use HOSTS files instead of DNS.

References: Pber's Blog and MS KB 179442


As for which computers need to be able to access the above: The computer verifying the authentication of the trusted user must be able to directly contact both its own DC and the Trusted DC.

For example: Bob from Alpha (domain) is trying to log in to a workstation that's in Omega (domain). That workstation will check with its own DCs to get the relevant trust information. Then the workstation will contact a DC from Alpha, verify the user, and login.

Another stickier example: Bob is using his workstation in the Alpha domain. Bob logs into a web service that runs on the Omega domain, but does not use Kerberos to authenticate. The web server in Omega is going to do the authentication, so it needs access like the workstation in the previous example.

The last one I don't actually remember the "answer" to - exactly like the previous, but using Kerberized authentication. I believe the Omega web server still needs access just the same, but it's been too long and I don't have a lab to test that in quickly. I should dig into this one of these days and write a blog article.

Chris S
  • Ok, but between DCs or between member computers and remote DCs? – Massimo Oct 08 '12 at 13:23
  • Sorry, Monday morning haze has me writing "poor" Answers again. – Chris S Oct 08 '12 at 14:25
    Between both networks as a whole. Here's a good article on Trusts and Trust communication/authentication: http://technet.microsoft.com/en-us/library/cc773178(v=ws.10).aspx – joeqwerty Oct 08 '12 at 14:51
  • Good. Can you please confirm that NetBIOS (137-138-139) and RPC (135 + dynamic) are *not needed* for the trust to work? – Massimo Oct 10 '12 at 11:44
  • Also, if DNS forwarding is enabled between the two domains, only the DCs will need to talk DNS (53) between themselves; clients in domain A will not have any need to directly query DNS servers for domain B, right? – Massimo Oct 10 '12 at 11:45
  • I pulled out my old trusty WireShark, and I can confirm that NetBIOS is not used at all; however, RPC **is** used... – Massimo Oct 10 '12 at 13:10
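An added example (not code from the answer or the commenters): a PowerShell script that probes the answer's minimum port list, plus TCP 135 which the asker saw in Wireshark, from a machine in one forest to a DC in the other, so a firewall rule set can be checked before the trust is created. The DC name and the SRV record name are placeholders, and `Resolve-DnsName` needs Windows 8 / Server 2012 or later.

```powershell
# Added example: not the answer's own code. Checks the minimum trust port list
# from the answer (plus TCP 135, which the asker saw in Wireshark) from this
# host to a DC in the other forest. Names below are placeholders.
param(
    [string]$TrustedDc  = "dc1.omega.example",                      # placeholder
    [string]$TrustedSrv = "_kerberos._tcp.dc._msdcs.omega.example"  # placeholder
)

# TCP is checked with a real connect; UDP ports cannot be probed reliably with
# a bare socket, so UDP is verified only for DNS by sending an actual SRV query.
$tcpPorts = @(
    @{ Port = 53;  Service = "DNS" },
    @{ Port = 88;  Service = "Kerberos" },
    @{ Port = 135; Service = "RPC endpoint mapper (seen in comments)" },
    @{ Port = 389; Service = "LDAP" },
    @{ Port = 445; Service = "SMB" },
    @{ Port = 636; Service = "LDAP (SSL)" }
)

function Test-TcpPort {
    param([string]$ComputerName, [int]$Port, [int]$TimeoutMs = 3000)
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        $async = $client.BeginConnect($ComputerName, $Port, $null, $null)
        # A firewall that silently drops packets shows up as a timeout here.
        if (-not $async.AsyncWaitHandle.WaitOne($TimeoutMs, $false)) { return $false }
        $client.EndConnect($async)
        return $true
    } catch {
        return $false            # RST (port closed) or name resolution failure
    } finally {
        $client.Close()
    }
}

foreach ($p in $tcpPorts) {
    $state = if (Test-TcpPort -ComputerName $TrustedDc -Port $p.Port) { "open" } else { "BLOCKED" }
    "{0,-40} TCP/{1,-4} {2}" -f $p.Service, $p.Port, $state
}

# UDP/53: ask the trusted DC directly for its Kerberos SRV record. An answer
# proves both DNS reachability and that the DC publishes its trust-relevant
# records. Resolve-DnsName needs Windows 8 / Server 2012 or later.
try {
    $rec = Resolve-DnsName -Name $TrustedSrv -Type SRV -Server $TrustedDc -DnsOnly -ErrorAction Stop
    "{0,-40} UDP/53   open (SRV -> {1})" -f "DNS", ($rec | Select-Object -First 1).NameTarget
} catch {
    "{0,-40} UDP/53   BLOCKED or no record ({1})" -f "DNS", $_.Exception.Message
}
```

Run it once from a DC (which the asker can fully open) and once from an ordinary member workstation to see which of the two paths the firewall actually permits.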