Solved

windows server 2003 forest trusting plan

Posted on 2010-08-30
9
476 Views
Last Modified: 2012-05-10
Hi Experts, I have read some steps on how to do server 2003 forest trusting.

I have gathered these:

1. checklist : creating a forest trust (http://technet.microsoft.com/en-us/library/cc756852(WS.10,printer).aspx

2. configure firewall for forest trust. - we have ipsec using juniper and cisco asa, what are the common forest trust ports to be opened? and are there any more to consider?

many thanks
0
Comment
Question by:ragot
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 5
  • 4
9 Comments
 
LVL 4

Accepted Solution

by:
goyal_251 earned 500 total points
ID: 33556967
0
 

Author Comment

by:ragot
ID: 33556992
goyal : those on the list are the only ports required for ipsec to work on forest trust?
0
 
LVL 4

Expert Comment

by:goyal_251
ID: 33557212

you would need to open the port for Global Catalog, LDAP,DNS,File Replication Service and Kerberos services that u have already open.however can u see below link as well,state to create registry vlaue

http://technet.microsoft.com/en-us/library/cc756944(WS.10).aspx
http://support.microsoft.com/kb/555381
     
0
Industry Leaders: We Want Your Opinion!

We value your feedback.

Take our survey and automatically be enter to win anyone of the following:
Yeti Cooler, Amazon eGift Card, and Movie eGift Card!

 

Author Comment

by:ragot
ID: 33565094
1. http://technet.microsoft.com/en-us/library/cc756944(WS.10,printer).aspx


2. http://support.microsoft.com/kb/179442

Some ports are present on number 2, may i know if all ports in number 2 are required to be open for forest
trusting? thanks
0
 
LVL 4

Expert Comment

by:goyal_251
ID: 33566412

(LSA) RPC randomly allocated high TCP ports.you can restrict it by creating registry value also you would need to open file replication open and Active directly port

Restrict FRS Traffic to a Specific Static Port -
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NTFRS\Parameters

New     =          Reg_DWORD

Name   =          RPC TCP/IP Port Assignment

Value   =          10000              (Decimal)


Restricting Active Directory replication traffic to a specific port
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NTDS\Parameters

New     =          REG_DWORD

Name   =          TCP/IP Port

Data     =          10001              (Decimal)

 
RPC dynamic port allocation  (Only allow ports 10002 - 10200 for RPC from other machines)

HKEY_LOCAL_MACHINE\Software\Microsoft\Rpc\

Create a New Key = Internet

Locate and then click the following key in the registry:

HKEY_LOCAL_MACHINE\Software\Microsoft\Rpc\Internet\

Add the values

"Ports" (MULTI_SZ)                            =          10002-10200

"PortsInternetAvailable" (REG_SZ)       =          Y

"UseInternetPorts" (REG_SZ)               =          Y

now open 10000-10200 in firewall instead of 1024-65535.....
0
 

Author Comment

by:ragot
ID: 33572977
do i have to set the configuration above on the server?
0
 
LVL 4

Expert Comment

by:goyal_251
ID: 33573483
yes you need to make the changes in server registry and open the ports in firewall
0
 

Author Comment

by:ragot
ID: 33573557
thanks goyal
0
 
LVL 4

Expert Comment

by:goyal_251
ID: 33573576
welcome..
0

Featured Post

Does Powershell have you tied up in knots?

Managing Active Directory does not always have to be complicated.  If you are spending more time trying instead of doing, then it's time to look at something else. For nearly 20 years, AD admins around the world have used one tool for day-to-day AD management: Hyena. Discover why

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

This article shows how to deploy dynamic backgrounds to computers depending on the aspect ratio of display
A company’s centralized system that manages user data, security, and distributed resources is often a focus of criminal attention. Active Directory (AD) is no exception. In truth, it’s even more likely to be targeted due to the number of companies …
Microsoft Active Directory, the widely used IT infrastructure, is known for its high risk of credential theft. The best way to test your Active Directory’s vulnerabilities to pass-the-ticket, pass-the-hash, privilege escalation, and malware attacks …
This video shows how to use Hyena, from SystemTools Software, to bulk import 100 user accounts from an external text file. View in 1080p for best video quality.

752 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question