Re: question about domain trusts and firewall ports
- From: "Ace Fekay [MVP]" <PleaseAskMe@xxxxxxxxxxxxxx>
- Date: Tue, 29 Apr 2008 23:11:47 -0400
In news:a815812f-88c3-4e34-aaf9-573716758228@xxxxxxxxxxxxxxxxxxxxxxxxxxxx,
Adam Sandler <corn29@xxxxxxxxxx> typed:
Hello,
I'm going to establish a trust between two separate domains (W2K3
R2). I'd like to confirm what ports on the firewall need to be opened
to allow:
1. for the two servers to establish a trust between them
2. for file sharing across the two domains
I came across this post which illustrates a firewall configuration
which supports creating the trust:
http://groups.google.com/group/microsoft.public.windows.server.migration/browse_thread/thread/e99a28c5399b8484/54f920c9660ce408?lnk=st&q=windows+2003+domain+trust#54f920c9660ce408
The questions I have are the post says to open up 135/TCP, 139/TCP,
and 42/TCP on the server side and have 1024-65535/TCP open on the
client side. What is the difference between the client side and
server side? Especially when the ports on the server side are not
included in the range on the client side? Finally, is the list from
the post inclusive -- are there any other ports not previously
mentioned which need to be configured?
Thanks!
Actually you need about 29 ports open on the client and server side. That
post you referenced doesn't appear to be totally accurate. The following
Microsoft article indicates a complete list of what you need opened for full
AD communication to work between DC to DC, and DC to client. Ignore the part
that it says it's for Windows 2000. Windows 2000, 2003 and 2008 are the same
when it comes to AD communication.
Active Directory Replication over Firewalls
http://technet.microsoft.com/en-us/library/bb727063.aspx
Thinking about your intentions further, it is beneficial to create a wide
open VPN tunnel between you and the partner domain's internal subnets. This
will eliminate the multiple rules that you need to create, which effectively
turns your firewall into Swiss cheese anyway, if you ask me.
Oh, and if you try to do this through a NAT, it simply won't work. True
firewall sliced up, yes, but NAT, no. NAT cannot translate RPC, Kerberos or
LDAP communications.
--
Regards,
Ace
This posting is provided "AS-IS" with no warranties or guarantees and
confers no rights.
Ace Fekay, MCSE 2003 & 2000, MCSA 2003 & 2000, MCSE+I, MCT,
MVP Microsoft MVP - Directory Services
Microsoft Certified Trainer
For urgent issues, you may want to contact Microsoft PSS directly. Please
check http://support.microsoft.com for regional support phone numbers.
Infinite Diversities in Infinite Combinations
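A worked check of the port question, added here as an example; it is not part of Ace's reply or of the original thread. It models a default-deny firewall as a list of allow rules and audits that list against the well-known Active Directory port set (DNS, Kerberos, RPC endpoint mapper, NetBIOS session, LDAP/LDAPS, SMB, Kerberos password change, global catalog, and the 1024-65535/TCP RPC dynamic range that a Windows 2000/2003 DC hands out via the endpoint mapper on 135). The "client side" versus "server side" split in the referenced post is the source/destination asymmetry of one connection: the DC that initiates connects from an ephemeral source port (1024-65535 on 2003) to a fixed listening port on the other DC, so the initiating side allows that source range outbound and the receiving side allows the listening ports inbound. Trust creation and replication are initiated from both sides, so both DCs need both halves. The Rule class, the AD_FLOWS table and the two rule sets at the bottom are constructed for this example; the three-port rule set reproduces what the referenced post said to open.

```python
"""Audit a default-deny firewall rule set against the flows an AD trust needs.

Added example, not code from the thread. AD_FLOWS is the well-known AD port
set; the rule sets at the bottom are constructed for illustration.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    """One allow rule: protocol, inclusive destination range, inclusive source range."""
    proto: str                       # "tcp" or "udp"
    dst_ports: tuple                 # (low, high) the listening side must accept
    src_ports: tuple = (1, 65535)    # (low, high) the initiating side connects from


# Flows a DC in one domain must be able to open to a DC in the other.
# (name, proto, dst_low, dst_high)
AD_FLOWS = [
    ("DNS", "tcp", 53, 53), ("DNS", "udp", 53, 53),
    ("Kerberos", "tcp", 88, 88), ("Kerberos", "udp", 88, 88),
    ("RPC endpoint mapper", "tcp", 135, 135),
    ("NetBIOS session", "tcp", 139, 139),
    ("LDAP", "tcp", 389, 389), ("LDAP", "udp", 389, 389),
    ("SMB", "tcp", 445, 445),
    ("Kerberos kpasswd", "tcp", 464, 464), ("Kerberos kpasswd", "udp", 464, 464),
    ("LDAPS", "tcp", 636, 636),
    ("Global catalog", "tcp", 3268, 3268), ("Global catalog SSL", "tcp", 3269, 3269),
    # Windows 2000/2003 RPC dynamic range handed out by the endpoint mapper.
    ("RPC dynamic (2000/2003)", "tcp", 1024, 65535),
]

# Ephemeral source range a Windows 2000/2003 initiator uses.
EPHEMERAL_2003 = (1024, 65535)


def _merge(intervals):
    """Merge overlapping or adjacent inclusive (low, high) intervals."""
    merged = []
    for lo, hi in sorted(intervals):
        if merged and lo <= merged[-1][1] + 1:
            merged[-1] = (merged[-1][0], max(merged[-1][1], hi))
        else:
            merged.append((lo, hi))
    return merged


def _covered(intervals, lo, hi):
    """True if the union of intervals contains every port in [lo, hi]."""
    return any(a <= lo and hi <= b for a, b in _merge(intervals))


def audit(rules, flows=AD_FLOWS, ephemeral=EPHEMERAL_2003):
    """Return the flows the rule set blocks for an initiator using `ephemeral`.

    A rule only counts toward a flow if it matches the protocol and its
    source range contains the whole ephemeral range; the flow is allowed
    only if the matching rules' destination ranges cover the flow entirely.
    """
    blocked = []
    for name, proto, lo, hi in flows:
        usable = [r.dst_ports for r in rules
                  if r.proto == proto
                  and r.src_ports[0] <= ephemeral[0]
                  and ephemeral[1] <= r.src_ports[1]]
        if not _covered(usable, lo, hi):
            blocked.append((name, proto, lo, hi))
    return blocked


# Constructed: what the referenced post said to open on the server side.
POST_RULES = [Rule("tcp", (135, 135)), Rule("tcp", (139, 139)), Rule("tcp", (42, 42))]

# Constructed: one allow rule per AD flow, plus WINS replication (42/TCP).
FULL_RULES = POST_RULES + [Rule(p, (lo, hi)) for _, p, lo, hi in AD_FLOWS]


if __name__ == "__main__":
    for label, rules in (("referenced post", POST_RULES), ("full AD set", FULL_RULES)):
        missing = audit(rules)
        print(f"{label}: {len(missing)} flow(s) blocked")
        for name, proto, lo, hi in missing:
            span = f"{lo}" if lo == hi else f"{lo}-{hi}"
            print(f"  {name}: {span}/{proto}")
```

Run as a script it prints the blocked flows for each rule set; the three-port list from the referenced post leaves everything except the endpoint mapper and NetBIOS session closed, while the full set passes. Narrowing a rule's source range below the initiator's ephemeral range (for example to 1-1023) makes the audit report that flow as blocked, which is the mistake the original question's "client side" range guards against.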