Deploying Site Server (MP,DP) in an Untrusted Forest - Ports Required

  • Question

  • Hi Team,

    We have a CAS (separate DB) and Primary (separate DB) in ForestA with 30k+ clients. There is another forest (ForestB) with 5000 clients and no SCCM 2012 Servers at the moment. There is no Trust between both the forests, neither any AD or DNS port communication between them. Both Forests have a single domain and 5 domain controllers each.

    We wish to place a remote Site Server (DP,MP) in Forest B. While management and configuration are very well documented in the blog series by Neil - - there is little port information available.

    We cannot open ports between forests (all servers to all servers), it has to be opened between 2 endpoints specifically.

    To be able to install a Site Server in Forest B, discover clients, and deploy clients using client push, here is what I have documented and the plan. Have I missed anything?

    Host file entries will be used both ways to contact the domain and domain controller. We will use a dedicated domain controller for any domain query both ways (as we will only open ports to that particular domain controller).

    All the ports below will be bi-directional:

    tcp 135 - RPC
    tcp/udp 389 - LDAP
    tcp 3268 - GC
    tcp/udp 88 - Kerberos
    tcp/udp 53 - DNS
    tcp 445 - SMB
    tcp 49152-65535 - RPC dynamic ports


    Remote Site Server ----> Primary Site Database Server - TCP Port 1433 (SQL)

    Regards, Vik Singh "If this thread answered your question, please click on "Mark as Answer""

    Thursday, October 30, 2014 10:19 AM


All replies

  • Thursday, October 30, 2014 10:24 AM
  • My question was more related towards using host files and AD ports between forests. Also, have I missed anything?

    Regards, Vik Singh "If this thread answered your question, please click on "Mark as Answer""

    Friday, October 31, 2014 6:36 AM
  • Why would you use hosts files? That's an ugly solution. It also has nothing to do with AD or ConfigMgr. That's basic name resolution.

    Also, I have no idea what an "AD port" is. If you mean the ports required for AD to function, that's best addressed in an AD forum, but I'm sure a simple web search will give you a document for that.

    Jason | @jasonsandys

    Friday, October 31, 2014 2:23 PM