Still celebrating National IT Professionals Day with 3 months of free Premium Membership. Use Code ITDAY17

x
?
Solved

windows server 2003 forest trusting plan

Posted on 2010-08-30
9
Medium Priority
?
479 Views
Last Modified: 2012-05-10
Hi Experts, I have read some steps on how to do server 2003 forest trusting.

I have gathered these:

1. checklist : creating a forest trust (http://technet.microsoft.com/en-us/library/cc756852(WS.10,printer).aspx

2. configure firewall for forest trust. - we have ipsec using juniper and cisco asa, what are the common forest trust ports to be opened? and are there any more to consider?

many thanks
0
Comment
Question by:ragot
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 5
  • 4
9 Comments
 
LVL 4

Accepted Solution

by:
goyal_251 earned 2000 total points
ID: 33556967
0
 

Author Comment

by:ragot
ID: 33556992
goyal : those on the list are the only ports required for ipsec to work on forest trust?
0
 
LVL 4

Expert Comment

by:goyal_251
ID: 33557212

you would need to open the port for Global Catalog, LDAP,DNS,File Replication Service and Kerberos services that u have already open.however can u see below link as well,state to create registry vlaue

http://technet.microsoft.com/en-us/library/cc756944(WS.10).aspx
http://support.microsoft.com/kb/555381
     
0
Free Backup Tool for VMware and Hyper-V

Restore full virtual machine or individual guest files from 19 common file systems directly from the backup file. Schedule VM backups with PowerShell scripts. Set desired time, lean back and let the script to notify you via email upon completion.  

 

Author Comment

by:ragot
ID: 33565094
1. http://technet.microsoft.com/en-us/library/cc756944(WS.10,printer).aspx


2. http://support.microsoft.com/kb/179442

Some ports are present on number 2, may i know if all ports in number 2 are required to be open for forest
trusting? thanks
0
 
LVL 4

Expert Comment

by:goyal_251
ID: 33566412

(LSA) RPC randomly allocated high TCP ports.you can restrict it by creating registry value also you would need to open file replication open and Active directly port

Restrict FRS Traffic to a Specific Static Port -
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NTFRS\Parameters

New     =          Reg_DWORD

Name   =          RPC TCP/IP Port Assignment

Value   =          10000              (Decimal)


Restricting Active Directory replication traffic to a specific port
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NTDS\Parameters

New     =          REG_DWORD

Name   =          TCP/IP Port

Data     =          10001              (Decimal)

 
RPC dynamic port allocation  (Only allow ports 10002 - 10200 for RPC from other machines)

HKEY_LOCAL_MACHINE\Software\Microsoft\Rpc\

Create a New Key = Internet

Locate and then click the following key in the registry:

HKEY_LOCAL_MACHINE\Software\Microsoft\Rpc\Internet\

Add the values

"Ports" (MULTI_SZ)                            =          10002-10200

"PortsInternetAvailable" (REG_SZ)       =          Y

"UseInternetPorts" (REG_SZ)               =          Y

now open 10000-10200 in firewall instead of 1024-65535.....
0
 

Author Comment

by:ragot
ID: 33572977
do i have to set the configuration above on the server?
0
 
LVL 4

Expert Comment

by:goyal_251
ID: 33573483
yes you need to make the changes in server registry and open the ports in firewall
0
 

Author Comment

by:ragot
ID: 33573557
thanks goyal
0
 
LVL 4

Expert Comment

by:goyal_251
ID: 33573576
welcome..
0

Featured Post

Does Powershell have you tied up in knots?

Managing Active Directory does not always have to be complicated.  If you are spending more time trying instead of doing, then it's time to look at something else. For nearly 20 years, AD admins around the world have used one tool for day-to-day AD management: Hyena. Discover why

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

A hard and fast method for reducing Active Directory Administrators members.
Here's a look at newsworthy articles and community happenings during the last month.
This video shows how to use Hyena, from SystemTools Software, to update 100 user accounts from an external text file. View in 1080p for best video quality.
Michael from AdRem Software explains how to view the most utilized and worst performing nodes in your network, by accessing the Top Charts view in NetCrunch network monitor (https://www.adremsoft.com/). Top Charts is a view in which you can set seveā€¦

722 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question