AD Trust Relationship behind Firewall

    Question

  • Dear All,

    We are trying to establish a trust relationship between 2 Domains with a firewall between them. In the Domain at one side there is only one Domain Controller (Domain A), while in the other Domain (Domain B) there are 30+ Domain Controllers. Since the 2 Domains are owned by different companies, the traffic to and from Domain A was only open for the IP address of one Domain Controller. After the initial successful communication (when trying to establish the trust using AD Domains and Trusts) on port 53 from the Domain Controller (10.9x.xx.xx) in Domain B to the Domain Controller in Domain A, the Domain Controller in Domain A tries to communicate with a random Domain Controller in Domain B, but this fails because ports are only open for the Domain Controller with IP 10.9x.xx.xx in Domain B.

    The relationship is a one-way in which Domain A trusts Domain B and we opened the following ports on the firewall:

    389, 135, 445, 636, 53, 88, 3268, 3269, 123, 464 and 137

    The Domain Functional level for Domain A is Server 2012 R2 while the functional level for Domain B is Server 2008.

    Thank you

    Kevin

    Tuesday, January 17, 2017 4:03 AM

Answers

  • You should have a port open for PDC-to-PDC communication. Also, how is DNS configured to resolve the other domain?

    Regards www.windowstricks.in

    Tuesday, January 17, 2017 5:05 AM
  • Hi Kevin,

    You should open ports between all domain B controllers and the domain A controller.

    All domain controllers in the trusting domain (domain B) should be able to contact the PDC in the trusted domain (the only controller in domain A).
    Also, you should open port 88 from the whole domain B subnet to the DC in Domain A:

    for example, if you want to grant access for users in domain B to some file resources in the trusting domain A, the user's workstation should be able to connect to a domain controller in the trusting domain, because during Kerberos authentication the user's workstation will send a request to the KDC to obtain the ticket.
    That's not all; please check this article, section 'Ports Required for Trusts': How Domain and Forest Trusts Work

    Tuesday, January 17, 2017 5:57 AM
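As an added example (not code from this thread or from Microsoft), the following PowerShell check resolves the other domain's DC SRV records, the same records the DC locator uses to pick "a random Domain Controller", and tests the trust-related TCP ports against every DC returned, so any DC the firewall blocks shows up immediately. The function name, parameter names and the domain name `domainb.example` are assumptions.

```powershell
# Added example: enumerate the remote domain's DCs via DNS and test the
# trust TCP ports against each one. The DC locator may pick any DC in the
# SRV answer, so every entry must be reachable, not just one.
function Test-TrustPorts {
    param(
        [Parameter(Mandatory)] [string] $RemoteDomain,
        # TCP ports from the thread's list; 137 (NetBIOS-NS) and 123 (NTP)
        # are UDP-only and cannot be probed with Test-NetConnection, so
        # they are left out here. 53, 88 and 464 also use UDP, which this
        # TCP-only check does not cover.
        [int[]] $Ports = @(53, 88, 135, 389, 445, 464, 636, 3268, 3269)
    )

    # SRV record the DC locator queries to find domain controllers of $RemoteDomain.
    # The Where-Object drops the A records returned in the additional section.
    $srv = Resolve-DnsName -Name "_ldap._tcp.dc._msdcs.$RemoteDomain" -Type SRV -ErrorAction Stop |
        Where-Object { $_.Type -eq 'SRV' }
    if (-not $srv) {
        throw "No DC SRV records found for $RemoteDomain; check the conditional forwarder."
    }

    foreach ($record in $srv) {
        foreach ($port in $Ports) {
            # -WarningAction suppresses the per-port "TCP connect failed" warning.
            $result = Test-NetConnection -ComputerName $record.NameTarget -Port $port -WarningAction SilentlyContinue
            [pscustomobject]@{
                DomainController = $record.NameTarget
                Port             = $port
                TcpOpen          = $result.TcpTestSucceeded
            }
        }
    }
}

# Example run from the Domain A DC toward Domain B (placeholder domain name):
# lists every DC/port pair the firewall does not let through.
Test-TrustPorts -RemoteDomain 'domainb.example' |
    Where-Object { -not $_.TcpOpen } |
    Format-Table -AutoSize
```

Run it in both directions (from the Domain A DC toward Domain B, and from a Domain B DC toward Domain A) to confirm the firewall rules match the answer above.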

All replies

  • Dear Ganesamoorthy,

    So the ports that I mentioned in my initial post should be open on the PDC?

    As for DNS resolution, we have established Conditional Forwarding.

    Kevin

    Tuesday, January 17, 2017 5:22 AM