I am building a new forest with one root domain and 5 child domains, all 2008 R2. Because of the security requirements, every domain will be on a different network, separated by a firewall. I need to come up with the ports that will need to be opened between domain controllers in different domains.
This article outlines communication ports between DCs.
The thing that concerns me is the dynamic port range of 49152 to 65535. I know that the security group is really not going to want to open that large a port range. I know that you can restrict that range to a smaller number. I have done that previously for our smaller test domain. However, I am not sure if I want that for our main production forest.
1. Do all the ports listed in the article also apply to communication between domain controllers of different domains in the same forest? Particularly that dynamic port range.
2. Do I need to open any firewall ports between the different child domains, or will it be enough to open ports between the root domain and each child domain?
3. Would it be a good idea to set up IPsec transport mode between domain controllers of different domains? That way I will only have to open ports for one protocol, as opposed to all those many ports, including the large port range. Are there any drawbacks to this method?
4. Are there really any drawbacks to limiting the dynamic port range to, let's say, 20 ports, 50 ports, or 100 ports?
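As an added example (not part of the question above, and not vendor code), the script below shows the restriction the question refers to on a 2008 R2 domain controller: it pins the AD replication, Netlogon, FRS and (if present) DFSR RPC endpoints to fixed ports through the documented registry values and dfsrdiag, shrinks the remaining ephemeral range with netsh, and prints the resulting DC-to-DC allow list so it can be handed to the firewall team. The specific port numbers (38901-38904) and the range size of 100 are assumptions chosen for illustration; choose values that are free on your DCs. It is written against the PowerShell 2.0 and netsh syntax of 2008 R2 and must be run elevated on every DC; the registry and dynamicport changes take effect after a reboot.

```powershell
# Added example, not part of the original question. Pins the AD RPC services on a
# 2008 R2 domain controller to fixed ports, shrinks the ephemeral range, and prints
# the DC-to-DC allow list for the firewall team. All port numbers below are
# assumptions chosen for illustration; pick values that are free on your DCs.
# Run elevated on each DC; the changes take effect after a reboot.

$NtdsPort     = 38901   # AD replication / directory RPC (NTDS "TCP/IP Port")
$NetlogonPort = 38902   # Netlogon RPC (Netlogon "DCTcpipPort")
$FrsPort      = 38903   # FRS RPC, SYSVOL on 2008 R2 unless migrated to DFSR
$DfsrPort     = 38904   # DFSR RPC, only if SYSVOL or other replication uses DFSR
$DynStart     = 49152   # first port of the remaining ephemeral range
$DynCount     = 100     # size of that range (the question asks about 20/50/100)

function Set-StaticRpcPorts {
    $entries = @(
        @{ Path = 'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Parameters';     Name = 'TCP/IP Port';                Value = $NtdsPort },
        @{ Path = 'HKLM:\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters'; Name = 'DCTcpipPort';                Value = $NetlogonPort },
        @{ Path = 'HKLM:\SYSTEM\CurrentControlSet\Services\NTFRS\Parameters';    Name = 'RPC TCP/IP Port Assignment'; Value = $FrsPort }
    )
    foreach ($e in $entries) {
        # -Force overwrites an existing value instead of failing on it.
        New-ItemProperty -Path $e.Path -Name $e.Name -PropertyType DWord -Value $e.Value -Force | Out-Null
    }
    # DFSR keeps its static port in its own configuration, set through dfsrdiag.
    if (Get-Service -Name DFSR -ErrorAction SilentlyContinue) {
        & dfsrdiag.exe StaticRPC /port:$DfsrPort /Member:$env:COMPUTERNAME
    }
}

function Set-EphemeralRange {
    # Applies to every outbound connection the DC makes, not only to RPC servers.
    & netsh.exe int ipv4 set dynamicport tcp start=$DynStart num=$DynCount
    & netsh.exe int ipv4 set dynamicport udp start=$DynStart num=$DynCount
}

function Get-DcAllowList {
    # Ports DCs in different domains of one forest need between each other,
    # plus the static RPC ports and the reduced ephemeral range set above.
    $dynEnd = $DynStart + $DynCount - 1
    @(
        @{ Proto = 'TCP'; Port = '53';                Use = 'DNS' },
        @{ Proto = 'UDP'; Port = '53';                Use = 'DNS' },
        @{ Proto = 'TCP'; Port = '88';                Use = 'Kerberos' },
        @{ Proto = 'UDP'; Port = '88';                Use = 'Kerberos' },
        @{ Proto = 'UDP'; Port = '123';               Use = 'NTP (W32Time)' },
        @{ Proto = 'TCP'; Port = '135';               Use = 'RPC endpoint mapper' },
        @{ Proto = 'TCP'; Port = '389';               Use = 'LDAP' },
        @{ Proto = 'UDP'; Port = '389';               Use = 'LDAP ping (CLDAP)' },
        @{ Proto = 'TCP'; Port = '445';               Use = 'SMB (SYSVOL, Netlogon)' },
        @{ Proto = 'TCP'; Port = '464';               Use = 'Kerberos password change' },
        @{ Proto = 'TCP'; Port = '636';               Use = 'LDAPS' },
        @{ Proto = 'TCP'; Port = '3268';              Use = 'Global catalog' },
        @{ Proto = 'TCP'; Port = '3269';              Use = 'Global catalog SSL' },
        @{ Proto = 'TCP'; Port = "$NtdsPort";         Use = 'AD replication RPC (static)' },
        @{ Proto = 'TCP'; Port = "$NetlogonPort";     Use = 'Netlogon RPC (static)' },
        @{ Proto = 'TCP'; Port = "$FrsPort";          Use = 'FRS RPC (static)' },
        @{ Proto = 'TCP'; Port = "$DfsrPort";         Use = 'DFSR RPC (static, only if DFSR is used)' },
        @{ Proto = 'TCP'; Port = "$DynStart-$dynEnd"; Use = 'remaining RPC dynamic range' }
    )
}

function Test-RpcPorts {
    # Run after the reboot: confirm the range took effect and that the
    # static ports are actually listening (lsass.exe owns NTDS and Netlogon).
    & netsh.exe int ipv4 show dynamicport tcp
    & netstat.exe -ano | findstr.exe /C:":$NtdsPort " /C:":$NetlogonPort "
}

Set-StaticRpcPorts
Set-EphemeralRange
Get-DcAllowList | ForEach-Object { '{0,-4} {1,-12} {2}' -f $_.Proto, $_.Port, $_.Use }
```

The dynamic range is shared by every outbound TCP and UDP connection the DC itself opens (its own DNS, LDAP and Kerberos client traffic, replication sessions to partners, and any agents on the box), not just by the RPC servers, so the smaller you make it, the sooner port exhaustion shows up as intermittent replication or logon failures under load; keep Test-RpcPorts and a check on port exhaustion (a growing number of TIME_WAIT entries in netstat) in the post-change validation.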