windows server 2003 forest trusting plan

Hi Experts, I have read some steps on how to do server 2003 forest trusting.

I have gathered these:

1. checklist : creating a forest trust (http://technet.microsoft.com/en-us/library/cc756852(WS.10,printer).aspx

2. configure firewall for forest trust. - we have ipsec using juniper and cisco asa, what are the common forest trust ports to be opened? and are there any more to consider?

many thanks
ragotAsked:
Who is Participating?
 
goyal_251Connect With a Mentor Commented:
0
 
ragotAuthor Commented:
goyal : those on the list are the only ports required for ipsec to work on forest trust?
0
 
goyal_251Commented:

you would need to open the port for Global Catalog, LDAP,DNS,File Replication Service and Kerberos services that u have already open.however can u see below link as well,state to create registry vlaue

http://technet.microsoft.com/en-us/library/cc756944(WS.10).aspx
http://support.microsoft.com/kb/555381
     
0
Never miss a deadline with monday.com

The revolutionary project management tool is here!   Plan visually with a single glance and make sure your projects get done.

 
ragotAuthor Commented:
1. http://technet.microsoft.com/en-us/library/cc756944(WS.10,printer).aspx


2. http://support.microsoft.com/kb/179442

Some ports are present on number 2, may i know if all ports in number 2 are required to be open for forest
trusting? thanks
0
 
goyal_251Commented:

(LSA) RPC randomly allocated high TCP ports.you can restrict it by creating registry value also you would need to open file replication open and Active directly port

Restrict FRS Traffic to a Specific Static Port -
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NTFRS\Parameters

New     =          Reg_DWORD

Name   =          RPC TCP/IP Port Assignment

Value   =          10000              (Decimal)


Restricting Active Directory replication traffic to a specific port
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NTDS\Parameters

New     =          REG_DWORD

Name   =          TCP/IP Port

Data     =          10001              (Decimal)

 
RPC dynamic port allocation  (Only allow ports 10002 - 10200 for RPC from other machines)

HKEY_LOCAL_MACHINE\Software\Microsoft\Rpc\

Create a New Key = Internet

Locate and then click the following key in the registry:

HKEY_LOCAL_MACHINE\Software\Microsoft\Rpc\Internet\

Add the values

"Ports" (MULTI_SZ)                            =          10002-10200

"PortsInternetAvailable" (REG_SZ)       =          Y

"UseInternetPorts" (REG_SZ)               =          Y

now open 10000-10200 in firewall instead of 1024-65535.....
0
 
ragotAuthor Commented:
do i have to set the configuration above on the server?
0
 
goyal_251Commented:
yes you need to make the changes in server registry and open the ports in firewall
0
 
ragotAuthor Commented:
thanks goyal
0
 
goyal_251Commented:
welcome..
0
All Courses

From novice to tech pro — start learning today.