[windows2000] Re: Child Domain Ports Required?

  • From: Berny Stapleton <berny@xxxxxxxxxxxxxxxxx>
  • To: windows2000@xxxxxxxxxxxxx
  • Date: Mon, 30 Jul 2012 13:50:17 +0100

Morning, it is the same as the cross forest trust.

Firewall requirements for client access to domain controllers are as


"A-Kerberos" protocol tcp src-port 1024-65535 dst-port 88-88
"A-Kerberos" + udp src-port 1024-65525 dst-port 464-464
"A-Kerberos" + tcp src-port 1024-65525 dst-port 464-464
"A-Kerberos" + udp src-port 1024-65535 dst-port 88-88

The first port range from 1024 - 5000 is to support Windows 2003
clients and 49150 - 65535 is to support Windows 2008 / Vista and above

You *could* run rpccfg on each host on either side of the firewall,
but that's not best practise.

Now, you only need ports open between your child domain controllers and
their closest domain controllers, not the rest of the environment. Just
create your trust on those domain controllers, not somewhere else in your

I don't know enough about your environment, are you replicating the two DNS
zones around completely? Or are you looking at setting up a partial zone
for the child domain to look at the trusted domain?


On Jul 25, 2012 4:54 PM, "Dogers" <dogers@xxxxxxxxx> wrote:

> Hello! Wakey wakey list :)
> We're looking at putting a child domain in our DMZ as we're getting more
> and more machines there and could really do with some GPs and properly
> handled accounts.
> As this is the DMZ we need to get the firewall fairies do do their thing,
> however we can't find a definitive list of ports required. I've found a
> list of ports required for a cross forest trust, but I don't think that's
> quite the same. Don't suppose anyone has a list handy, do they?
> Andrew

Other related posts: