AD Trust and Required Ports - Firewalls

  • Question

  • We are looking to create an external, non-transitive, two-way trust to another domain. The security requirements are tight, so there are hardware firewalls between these two companies. We have researched the ports needed, but are still unable to create the trust. It seems that without some major modifications, we need to allow all Domain Controllers from both sides to reach each other, because when it does a DNS lookup for the other domain, it could randomly choose any one of the DCs for the trust creation and maintenance. That means that the firewall ruleset needs to include all DCs from both sides. Does this seem correct?
    Thursday, July 20, 2017 8:03 PM

Answers

  • Hi,
    Before you create the external trust, you could follow these steps to configure the ports and DNS:
    Port requirement: If you have a firewall between the organizations, please make sure the Active Directory ports are open on both sides. You can see the details in: Active Directory and Active Directory Domain Services Port Requirements
    https://technet.microsoft.com/en-us/library/dd772723(v=ws.10).aspx
    Add the DNS record in the TCP/IP properties of the Domain Controllers in both forests
    Ping each domain from the other domain and vice versa
    Test AD DS ports: Telnet to ports 389, 636 and 53 from both sides of the domain to test whether you can access Active Directory and DNS
    AD health check in both domains
    Create a PTR record in both organizations
    Create Forward Lookup Zones in both organizations
    Create a Host (A) record in both organizations
    Add a Name Server (NS) record in both organizations
    Test the DNS records
    You could follow the article below step by step:
    https://araihan.wordpress.com/2009/08/05/how-to-create-an-external-trust-between-two-domains/
    Please Note: Since the web site is not hosted by Microsoft, the link may change without notice. Microsoft does not guarantee the accuracy of this information.
    Best regards, 
    Wendy

    Please remember to mark the replies as answers if they help.
    If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com

    Friday, July 21, 2017 2:40 AM
    Moderator
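    The port check the answer above describes, written out as an added example that is not part of the original thread: instead of telnetting to three ports by hand, it enumerates every partner DC that the DC locator could choose (the `_ldap._tcp.dc._msdcs` SRV record is what DsGetDcName consults) and probes each one on the TCP ports the linked port-requirements article lists for trust traffic. The domain name `partner.example` is a placeholder; run it from a DC or admin host that already resolves the partner domain.

```powershell
# Added example, not from the original post. 'partner.example' is a placeholder
# for the other company's domain; run from a DC or admin host that already
# resolves that domain (conditional forwarder or stub zone in place).
$PartnerDomain = 'partner.example'

# TCP ports the linked port-requirements article lists between DCs for a trust.
# Test-NetConnection speaks TCP only: UDP 53/88 and the RPC dynamic range
# (allocated via the endpoint mapper on 135) are not exercised here.
$TrustTcpPorts = @(53, 88, 135, 389, 445, 464, 636)

# 1. Every DC the DC locator could hand to the trust wizard is listed in the
#    _ldap._tcp.dc._msdcs SRV record, so enumerate that rather than guessing.
$srv = Resolve-DnsName -Name "_ldap._tcp.dc._msdcs.$PartnerDomain" -Type SRV -ErrorAction Stop
$dcs = $srv | Where-Object Type -eq 'SRV' | Select-Object -ExpandProperty NameTarget -Unique

# 2. Probe each port on each DC; -InformationLevel Quiet returns $true/$false.
$results = foreach ($dc in $dcs) {
    foreach ($port in $TrustTcpPorts) {
        $ok = Test-NetConnection -ComputerName $dc -Port $port -InformationLevel Quiet -WarningAction SilentlyContinue
        [pscustomobject]@{ DC = $dc; Port = $port; Reachable = $ok }
    }
}
$results | Format-Table -AutoSize

# 3. Any DC with a blocked port can still be chosen by the locator, which is
#    the failure mode the question describes.
$blocked = $results | Where-Object { -not $_.Reachable }
if ($blocked) {
    Write-Warning 'Blocked DC/port pairs found; open them or stop advertising these DCs to the partner:'
    $blocked | Group-Object DC | ForEach-Object {
        '{0}: TCP {1}' -f $_.Name, (($_.Group.Port | Sort-Object) -join ', ')
    }
}
```

    Test-NetConnection only exercises TCP, so UDP 53, UDP 88 and the RPC dynamic port range (handed out by the endpoint mapper on 135) still have to be confirmed in the firewall rule set itself. A DC that shows Reachable = False on any port is exactly the DC the questioner is worried about: nothing stops the locator from picking it, so either its ports are opened or it must not appear in the SRV answer the partner side receives.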

All replies

  • Hi,

    Before you start setting up the trust, you must have created DNS name resolution through a conditional or stub zone. Did you add all DNS servers there? You can restrict the number of DNS servers for which you want firewall ports opened. This way, name resolution will happen only through those DNS servers.

    Thursday, July 20, 2017 8:14 PM
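    One way to do what this reply describes, as an added example that is not from the original thread: create a conditional forwarder on your own DNS server that sends queries for the partner domain only to the partner DNS servers you have firewall rules for, then read back the SRV record the trust would use and compare it with the DCs the firewall permits. The names and addresses (`partner.example`, `192.0.2.10`, `192.0.2.11`, `dc1`/`dc2`) are placeholders; the DnsServer cmdlets need the DNS Server Tools (RSAT) and rights on the DNS server.

```powershell
# Added example, not from the original post. Assumes placeholder partner domain
# 'partner.example' whose DNS servers 192.0.2.10 and 192.0.2.11 are the only
# partner hosts allowed through the firewall on port 53.
$PartnerDomain = 'partner.example'
$PartnerDns    = @('192.0.2.10', '192.0.2.11')

# 1. Conditional forwarder: queries for partner.example go only to $PartnerDns,
#    never to the general forwarders or root hints. Stored in AD so every DNS
#    server in the forest uses the same partner list.
if (-not (Get-DnsServerZone -Name $PartnerDomain -ErrorAction SilentlyContinue)) {
    Add-DnsServerConditionalForwarderZone -Name $PartnerDomain -MasterServers $PartnerDns -ReplicationScope Forest
}

# 2. Confirm the forwarder answers, and see which partner DCs it advertises:
#    this list is what the trust wizard and the DC locator will choose from.
$srv = Resolve-DnsName -Name "_ldap._tcp.dc._msdcs.$PartnerDomain" -Type SRV -ErrorAction Stop
$advertisedDcs = $srv | Where-Object Type -eq 'SRV' | Select-Object NameTarget, Priority, Weight, Port
$advertisedDcs | Format-Table -AutoSize

# 3. Compare against the DCs the firewall actually permits. Any DC in the SRV
#    answer that is missing here can still be picked for trust traffic.
$AllowedDcs = @('dc1.partner.example', 'dc2.partner.example')   # placeholder: taken from the firewall rule set
$notAllowed = $advertisedDcs.NameTarget | Where-Object { $_ -notin $AllowedDcs }
if ($notAllowed) {
    Write-Warning ('Advertised by partner DNS but not permitted by firewall: ' + ($notAllowed -join ', '))
}
```

    The conditional forwarder limits which DNS servers your side talks to; it does not shrink the DC list the partner zone publishes. Step 3 is therefore the check that matters for the original question: if the SRV answer names DCs the firewall does not allow, the locator can still pick one of them, and either the rule set or what the partner advertises has to change.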
  • Hi,

    Was your issue resolved? If you resolved it using our solution, please "mark it as answer" to help other community members find the helpful reply quickly.

    If you resolved it using your own solution, please share your experience and solution here. It will be very beneficial for other community members who have similar questions. If not, please reply and tell us the current situation so that we can provide further help.

    Best Regards,

    Wendy

    Thursday, July 27, 2017 9:10 AM
    Moderator