Solved

windows server 2003 forest trusting plan

Posted on 2010-08-30
478 Views
Last Modified: 2012-05-10
Hi Experts, I have read some steps on how to do Server 2003 forest trusting.

I have gathered these:

1. Checklist: creating a forest trust (http://technet.microsoft.com/en-us/library/cc756852(WS.10,printer).aspx)

2. Configure the firewall for the forest trust. We have IPsec using Juniper and Cisco ASA; what are the common forest trust ports to be opened, and are there any more to consider?

Many thanks
Question by:ragot
9 Comments
 
Accepted Solution by: goyal_251 (earned 500 total points)
ID: 33556967

Author Comment by: ragot
ID: 33556992

goyal: are those on the list the only ports required for IPsec to work on a forest trust?
Expert Comment by: goyal_251
ID: 33557212

You would need to open the ports for Global Catalog, LDAP, DNS, File Replication Service and Kerberos, services that you have already opened. However, can you see the links below as well, which state how to create the registry value:

http://technet.microsoft.com/en-us/library/cc756944(WS.10).aspx
http://support.microsoft.com/kb/555381
Author Comment by: ragot
ID: 33565094

1. http://technet.microsoft.com/en-us/library/cc756944(WS.10,printer).aspx

2. http://support.microsoft.com/kb/179442

Some ports are listed in number 2; may I know if all ports in number 2 are required to be open for forest trusting? Thanks
Expert Comment by: goyal_251
ID: 33566412

(LSA) RPC uses randomly allocated high TCP ports. You can restrict it by creating a registry value; also you would need to open the File Replication and Active Directory ports.

Restrict FRS traffic to a specific static port:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NTFRS\Parameters
    New   = REG_DWORD
    Name  = RPC TCP/IP Port Assignment
    Value = 10000 (Decimal)

Restrict Active Directory replication traffic to a specific port:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NTDS\Parameters
    New   = REG_DWORD
    Name  = TCP/IP Port
    Data  = 10001 (Decimal)

RPC dynamic port allocation (only allow ports 10002-10200 for RPC from other machines):
HKEY_LOCAL_MACHINE\Software\Microsoft\Rpc\
Create a new key = Internet

Locate and then click the following key in the registry:
HKEY_LOCAL_MACHINE\Software\Microsoft\Rpc\Internet\

Add the values:
    "Ports" (MULTI_SZ)                = 10002-10200
    "PortsInternetAvailable" (REG_SZ) = Y
    "UseInternetPorts" (REG_SZ)       = Y

Now open 10000-10200 in the firewall instead of 1024-65535.
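The registry changes in the comment above, scripted in PowerShell as an added example (this is not code from the thread or from Microsoft). It assumes an elevated PowerShell 2.0 session on the Server 2003 domain controller, uses the port numbers goyal_251 chose (FRS 10000, NTDS 10001, generic RPC 10002-10200), reads the values back so the change can be verified before the reboot, and prints the resulting firewall list. The table of well-known ports is an assumption drawn from KB179442 (linked above), not from the accepted answer; the function and parameter names are invented for the example.

```powershell
# Added example, not from the thread: pin the RPC ports a Windows Server 2003
# DC uses across a forest trust to static values, verify them, and list what
# the firewall between the two forests must allow. Run elevated on the DC.
param(
    [int]$FrsPort     = 10000,        # NTFRS  "RPC TCP/IP Port Assignment"
    [int]$NtdsPort    = 10001,        # NTDS   "TCP/IP Port" (AD replication)
    [string]$RpcRange = '10002-10200' # Rpc\Internet "Ports" (all other RPC servers)
)

function Set-StaticRpcPorts {
    param([int]$FrsPort, [int]$NtdsPort, [string]$RpcRange)

    $frs  = 'HKLM:\SYSTEM\CurrentControlSet\Services\NTFRS\Parameters'
    $ntds = 'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Parameters'
    $rpc  = 'HKLM:\Software\Microsoft\Rpc\Internet'

    # File Replication Service: fixed RPC port (REG_DWORD). -Force overwrites an existing value.
    New-ItemProperty -Path $frs -Name 'RPC TCP/IP Port Assignment' `
        -PropertyType DWord -Value $FrsPort -Force | Out-Null

    # Active Directory replication (NTDS): fixed RPC port (REG_DWORD).
    New-ItemProperty -Path $ntds -Name 'TCP/IP Port' `
        -PropertyType DWord -Value $NtdsPort -Force | Out-Null

    # Every other RPC server (LSA, Netlogon, SAM) draws from this range.
    # The Internet key does not exist by default, so create it first.
    if (-not (Test-Path $rpc)) { New-Item -Path $rpc | Out-Null }
    New-ItemProperty -Path $rpc -Name 'Ports' `
        -PropertyType MultiString -Value @($RpcRange) -Force | Out-Null
    New-ItemProperty -Path $rpc -Name 'PortsInternetAvailable' `
        -PropertyType String -Value 'Y' -Force | Out-Null
    New-ItemProperty -Path $rpc -Name 'UseInternetPorts' `
        -PropertyType String -Value 'Y' -Force | Out-Null
}

function Get-StaticRpcPorts {
    # Read back what is actually in the registry. The NTDS, NTFRS and RPC
    # settings only take effect after the DC is restarted, so check now.
    $frs  = Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Services\NTFRS\Parameters'
    $ntds = Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Parameters'
    $rpc  = Get-ItemProperty 'HKLM:\Software\Microsoft\Rpc\Internet'
    New-Object PSObject -Property @{
        FrsPort                = $frs.'RPC TCP/IP Port Assignment'
        NtdsPort               = $ntds.'TCP/IP Port'
        RpcPorts               = ($rpc.Ports -join ',')
        PortsInternetAvailable = $rpc.PortsInternetAvailable
        UseInternetPorts       = $rpc.UseInternetPorts
    }
}

function Get-TrustFirewallPorts {
    param([int]$FrsPort, [int]$NtdsPort, [string]$RpcRange)
    # Well-known ports a forest trust needs between the DCs of both forests
    # (assumption taken from KB179442), plus the static ports set above in
    # place of the whole dynamic RPC range. 10000 and 10001 sit outside the
    # Rpc\Internet range, so all three entries must be allowed.
    @(
        @{Proto='TCP/UDP'; Port='53';         Use='DNS (conditional forwarders / stub zones)'},
        @{Proto='TCP/UDP'; Port='88';         Use='Kerberos'},
        @{Proto='TCP';     Port='135';        Use='RPC endpoint mapper'},
        @{Proto='UDP';     Port='137';        Use='NetBIOS name service'},
        @{Proto='TCP';     Port='139';        Use='NetBIOS session'},
        @{Proto='TCP/UDP'; Port='389';        Use='LDAP'},
        @{Proto='TCP';     Port='445';        Use='SMB (trust setup, Netlogon)'},
        @{Proto='TCP';     Port='636';        Use='LDAP over SSL'},
        @{Proto='TCP';     Port='3268';       Use='Global Catalog'},
        @{Proto='TCP';     Port='3269';       Use='Global Catalog over SSL'},
        @{Proto='TCP';     Port="$FrsPort";   Use='FRS (static, NTFRS key)'},
        @{Proto='TCP';     Port="$NtdsPort";  Use='AD replication (static, NTDS key)'},
        @{Proto='TCP';     Port=$RpcRange;    Use='remaining RPC: LSA, Netlogon, SAM (Rpc\Internet key)'}
    ) | ForEach-Object { New-Object PSObject -Property $_ } | Select-Object Proto, Port, Use
}

Set-StaticRpcPorts -FrsPort $FrsPort -NtdsPort $NtdsPort -RpcRange $RpcRange
Get-StaticRpcPorts | Format-List
Get-TrustFirewallPorts -FrsPort $FrsPort -NtdsPort $NtdsPort -RpcRange $RpcRange | Format-Table -AutoSize
Write-Host 'Restart the domain controller for the NTDS, NTFRS and RPC port changes to take effect.'
```

Two caveats when applying this: the Rpc\Internet range is shared by every RPC server on the DC that does not pick its own port, so keep it comfortably larger than the number of concurrent RPC endpoints you expect rather than shrinking it further, and the firewall rules must be mirrored on the other forest's DCs, since a forest trust is set up and validated from both sides.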
 

Author Comment by: ragot
ID: 33572977

Do I have to set the configuration above on the server?
Expert Comment by: goyal_251
ID: 33573483

Yes, you need to make the changes in the server registry and open the ports in the firewall.

Author Comment by: ragot
ID: 33573557

Thanks goyal
Expert Comment by: goyal_251
ID: 33573576

Welcome.
