Firewall requirements for client access to domain controllers are as follows:

"TCP-1024-5000"
"TCP-49150-65535"
"UDP-1024-5000"
"UDP-49150-65535"
"A-Kerberos"
"UDP-LDAP-389"
"DNS"
"LDAP"
"PING"
"SMB"
"MS-AD"
"NBT"

"A-Kerberos" protocol tcp src-port 1024-65535 dst-port 88-88
"A-Kerberos" + udp src-port 1024-65525 dst-port 464-464
"A-Kerberos" + tcp src-port 1024-65525 dst-port 464-464
"A-Kerberos" + udp src-port 1024-65535 dst-port 88-88

The first port range from 1024 - 5000 is to support Windows 2003 clients and 49150 - 65535 is to support Windows 2008 / Vista and above clients.

You *could* run rpccfg on each host on either side of the firewall, but that's not best practice.

On Wed, Mar 7, 2012 at 8:12 PM, Steve <kwajalein@xxxxxxxxx> wrote:
> conditional forwarding has now been enabled on the client domain, resolution
> of fqdn now happens. FW guy now tells me that they are limiting traffic to
> ports needed for kerberos, though I'm guessing that IPSec filters haven't
> been updated for the DCs in the site where the resource servers were moved
> to. there is a site in sites & services for the site that's causing
> consternation. oh, and even though I
> I've got a couple of microsoft guys engaged, hopefully they can figure it out.
>
> Sent from my iPad
>
> On Mar 6, 2012, at 3:14 PM, Berny Stapleton <berny@xxxxxxxxxxxxxxxxx> wrote:
>
>> Answers inline
>>
>> On Tue, Mar 6, 2012 at 11:34 AM, Steve Snyder <kwajalein@xxxxxxxxx> wrote:
>>> On Tue, Mar 6, 2012 at 10:53 AM, Berny Stapleton <berny@xxxxxxxxxxxxxxxxx>
>>> wrote:
>>>>
>>>> DNS is replicated completely?
>>>
>>> That I won't know, though I'm trying to get some hostnames for the other
>>> domain to see if I can resolve them.
>>> Got a hostname - can't resolve it.
>>>>
>>>> NetBIOS over TCP/IP is turned on?
>>>
>>> On my PC, yes. On the DCs? Don't know.
>>>>
>>>> What does sites and services look like?
>>>
>>> Oodles of sites, can't really tell that there's one setup for the other
>>> domain. What should I be looking for here?
>>
>> Whatever subnet that machine that doesn't work is sitting in, should
>> be in a subnet defined in sites and services, that should specify
>> which DC it should be looking at. Can you run dcdiag and try to see if
>> there is any problems there.
>>
>>>> Can you run wireshark on one of the machines that's not working and
>>>> see whether it's trying to connect out to a DC that's perhaps not in
>>>> the policy?
>>>
>>> that would definitely be out of the question. I can run a port query from
>>> PCs and member servers.
>>
>> Give that IP address to the firewall admins on both sides and ask for
>> drops. Also ask the networking guys if they have routed *all* the IP
>> address space in use between the two orgs. Firewall might be open on
>> both sides, but without the routes there, you're going to lose out.
>>
>>>> On the machine that you are running ADUC on, can you login there to
>>>> the other domain?
>>>
>>> I'll see if they can create an account for me to test with.
>>>
>>> They're currently allowing perhaps 7 DCs on each domain to contact one
>>> another. The FW guys say that there's no port restrictions, they're just
>>> allowing IPs to connect to one another.
>>>
>>> One enterprise group controls our DCs and FWs, another enterprise controls
>>> the other DCs; FWs on the other domain are controlled locally. Everyone says
>>> that their part is configured correctly (of course). Seems like there should
>>> be a way to set up a bridgehead or two on each domain, and then just allow
>>> the bridgeheads to talk through the firewalls. One enterprise AD guy
>>> believes that we need to configure the firewalls with ACLs for all of the
>>> DCs (hundreds) on both domains (so hundreds X2); I'm hoping there's a more
>>> succinct way.
>>
>> In my experience, he's right. It shouldn't work that way, but you see
>> strange oddities sometimes (Timeouts) without it.
>>
>> I just did a POC for a trust relationship setup the other day.
>>
>> Also, just to state the obvious. Make sure that you are trying to add
>> members of another domain to a domain local group. Otherwise it won't
>> work.
>>
>>> thanks.
>>>>
>>>> On Tue, Mar 6, 2012 at 9:14 AM, Steve Snyder <kwajalein@xxxxxxxxx> wrote:
>>>>> Alright, one for the AD Gods/Goddesses
>>>>>
>>>>> Got a trust between two different AD forests. From my PC I can browse the
>>>>> other domains and select/add objects. From ADUC, I can't even see the other
>>>>> domains (see the attached pic).
>>>>>
>>>>> Ideas?
>>>>>
>>>>> What's driving this issue is from a server in another site (still in my
>>>>> domain) one can't see the other domains at all in order to add users (as I
>>>>> can from my PC). So between these two matters I'm guessing that our trust
>>>>> isn't quite right, but I don't have access to DCs nor the firewalls so I'm
>>>>> troubleshooting symptomatically. If anyone wants to pipe in with a Cliff
>>>>> Notes version of setting up trusts between AD domains through firewalls for
>>>>> domains with a *lot* of DCs I'd gladly read it and drink a german bier in
>>>>> their honor.

************************************************
For Archives, RSS, to Unsubscribe, Subscribe or
set Digest or Vacation mode use the below link:
//www.freelists.org/list/thin
************************************************
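The rule list at the top of this message, turned into the kind of port query Steve says he can run from a member server (an added example, not code from the thread): a TCP connect probe of the listed destination ports on a DC, and a check of which permitted client source-port range a given ephemeral port falls in, so a host whose dynamic RPC range has been changed shows up before it is blamed on the trust. The DC name is a placeholder, and port 135 (RPC endpoint mapper) is added here because the dynamic ranges in the rules exist to serve it; UDP services (Kerberos, DNS, kpasswd) cannot be verified with a connect and are left to the firewall admins' drop logs.

```python
"""Added example: probe the DC ports from the rule list above (not from the thread)."""
import socket

# Destination TCP ports from the quoted rules: Kerberos 88, kpasswd 464,
# LDAP 389, DNS 53, SMB 445. Port 135 is an addition for the RPC endpoint
# mapper, which the 1024-5000 / 49150-65535 dynamic ranges exist to serve.
REQUIRED_TCP = {88: "Kerberos", 464: "Kerberos kpasswd", 389: "LDAP",
                53: "DNS", 445: "SMB", 135: "RPC endpoint mapper (added)"}

# Permitted client (source) port ranges, as stated in the rule list.
EPHEMERAL_RANGES = {"Windows 2003": (1024, 5000),
                    "Windows 2008 / Vista and above": (49150, 65535)}


def ephemeral_range_for(src_port):
    """Name the permitted range a client source port falls in, or None.

    A host whose dynamic RPC range was moved (e.g. with rpccfg) into
    5001-49149 would be dropped by the rules above and look like a trust fault.
    """
    for name, (lo, hi) in EPHEMERAL_RANGES.items():
        if lo <= src_port <= hi:
            return name
    return None


def tcp_port_open(host, port, timeout=2.0):
    """True if a TCP connect to host:port completes within timeout.

    A refused connection and a silent firewall drop both return False; the
    timeout distinguishes them in practice (drop = waits, refuse = instant).
    """
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def check_dc(host, ports=REQUIRED_TCP, timeout=2.0):
    """Probe each required TCP port on a DC; returns {port: (service, reachable)}."""
    return {p: (svc, tcp_port_open(host, p, timeout)) for p, svc in ports.items()}


if __name__ == "__main__":
    DC = "dc01.example.invalid"  # placeholder: put a DC from the other forest here
    for port, (svc, ok) in sorted(check_dc(DC).items()):
        print(f"{port:>5}  {svc:<28} {'open' if ok else 'BLOCKED or unreachable'}")
```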