Morning, it is the same as the cross forest trust. Firewall requirements for client access to domain controllers are as follows:

"TCP-1024-5000" "TCP-49150-65535" "UDP-1024-5000" "UDP-49150-65535" "A-Kerberos" "UDP-LDAP-389" "DNS" "LDAP" "PING" "SMB" "MS-AD" "NBT"

"A-Kerberos" protocol tcp src-port 1024-65535 dst-port 88-88
"A-Kerberos" + udp src-port 1024-65525 dst-port 464-464
"A-Kerberos" + tcp src-port 1024-65525 dst-port 464-464
"A-Kerberos" + udp src-port 1024-65535 dst-port 88-88

The first port range from 1024 - 5000 is to support Windows 2003 clients and 49150 - 65535 is to support Windows 2008 / Vista and above clients. You *could* run rpccfg on each host on either side of the firewall, but that's not best practise.

Now, you only need ports open between your child domain controllers and their closest domain controllers, not the rest of the environment. Just create your trust on those domain controllers, not somewhere else in your environment.

I don't know enough about your environment, are you replicating the two DNS zones around completely? Or are you looking at setting up a partial zone for the child domain to look at the trusted domain?

Berny

On Jul 25, 2012 4:54 PM, "Dogers" <dogers@xxxxxxxxx> wrote:
> Hello! Wakey wakey list :)
>
> We're looking at putting a child domain in our DMZ as we're getting more
> and more machines there and could really do with some GPs and properly
> handled accounts.
>
> As this is the DMZ we need to get the firewall fairies to do their thing,
> however we can't find a definitive list of ports required. I've found a
> list of ports required for a cross forest trust, but I don't think that's
> quite the same. Don't suppose anyone has a list handy, do they?
>
> Andrew
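A small checker for rule lists in the shape Berny quotes, added here as an example and not part of either message. It parses the four "A-Kerberos" definitions exactly as written in the reply (including the 1024-65525 source range on the port 464 rules) and then answers two questions a firewall reviewer would ask before signing off: does a given client connection (protocol, ephemeral source port, destination port) hit any rule, and does the permitted source range actually cover the whole client ephemeral range named in the message (49150-65535 for Vista / 2008 and above). The rule text, the regex, and the function names are all constructed for this example.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Rule lines in the shape quoted in the reply above (constructed copy for this example):
KERBEROS_RULES = '''
"A-Kerberos" protocol tcp src-port 1024-65535 dst-port 88-88
"A-Kerberos" + udp src-port 1024-65525 dst-port 464-464
"A-Kerberos" + tcp src-port 1024-65525 dst-port 464-464
"A-Kerberos" + udp src-port 1024-65535 dst-port 88-88
'''

# Accepts both the first form ('protocol tcp ...') and the continuation form ('+ udp ...').
RULE_RE = re.compile(
    r'"(?P<name>[^"]+)"\s+(?:\+\s+)?(?:protocol\s+)?(?P<proto>tcp|udp)\s+'
    r'src-port\s+(?P<s1>\d+)-(?P<s2>\d+)\s+dst-port\s+(?P<d1>\d+)-(?P<d2>\d+)',
    re.IGNORECASE,
)


@dataclass(frozen=True)
class Rule:
    name: str
    proto: str
    src: Tuple[int, int]   # inclusive source-port range
    dst: Tuple[int, int]   # inclusive destination-port range

    def matches(self, proto: str, sport: int, dport: int) -> bool:
        return (self.proto == proto.lower()
                and self.src[0] <= sport <= self.src[1]
                and self.dst[0] <= dport <= self.dst[1])


def parse_rules(text: str) -> List[Rule]:
    """Turn the quoted rule lines into Rule objects; lines that do not parse are skipped."""
    rules = []
    for line in text.splitlines():
        m = RULE_RE.search(line)
        if not m:
            continue
        rules.append(Rule(m["name"], m["proto"].lower(),
                          (int(m["s1"]), int(m["s2"])),
                          (int(m["d1"]), int(m["d2"]))))
    return rules


def first_match(rules: List[Rule], proto: str, sport: int, dport: int) -> Optional[Rule]:
    """Return the first rule that permits this connection tuple, or None if nothing does."""
    for r in rules:
        if r.matches(proto, sport, dport):
            return r
    return None


def uncovered_source_ports(rules: List[Rule], proto: str, dport: int,
                           lo: int, hi: int) -> List[Tuple[int, int]]:
    """Sub-ranges of the client ephemeral range [lo, hi] from which no rule permits proto->dport."""
    spans = sorted(r.src for r in rules
                   if r.proto == proto.lower() and r.dst[0] <= dport <= r.dst[1])
    gaps = []
    cursor = lo
    for s1, s2 in spans:
        if s2 < cursor:
            continue                      # span lies entirely below what is still uncovered
        if s1 > cursor:
            gaps.append((cursor, min(s1 - 1, hi)))
        cursor = max(cursor, s2 + 1)
        if cursor > hi:
            break
    if cursor <= hi:
        gaps.append((cursor, hi))
    return gaps


if __name__ == "__main__":
    rules = parse_rules(KERBEROS_RULES)
    print(f"parsed {len(rules)} rules")
    # A Vista+ client talking Kerberos from an ephemeral port: expect a hit.
    print("tcp 60000 -> 88:", first_match(rules, "tcp", 60000, 88))
    # Source port below 1024 is outside every rule: expect None.
    print("tcp 500 -> 88:  ", first_match(rules, "tcp", 500, 88))
    # Coverage of the 49150-65535 client range for each destination in the rule set.
    for proto, dport in (("tcp", 88), ("udp", 88), ("tcp", 464), ("udp", 464)):
        print(f"{proto}/{dport} gaps in 49150-65535:",
              uncovered_source_ports(rules, proto, dport, 49150, 65535))
```

The coverage check is the part worth keeping around: feed it the rule text and the ephemeral range each client generation uses, and any non-empty gap list is a range of client source ports the firewall will silently drop, which shows up on the client side as intermittent authentication failures rather than a clear error.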