I have two Active Directory domains in two different forests; each domain has two DCs (all of them Windows Server 2008 R2). The domains are also in different networks, with a firewall connecting them.
I need to create a two-way forest trust between the two domains and forest.
How do I configure the firewall to allow this?
I found this article, but it doesn't explain very clearly which traffic is required between DCs, and which traffic (if any) in needed instead between domain computers in one domain and DCs for the other one.
I'm allowed to permit all traffic between the DCs, but allowing computers in one network to access DCs in the other one would be a little more difficult.
Best Answer
The minimum list for a AD Trust is:
You can tighten that up a bit by configuring Kerberos for TCP only.
And if you're crazy you could use HOSTS files instead of DNS.
References: Pber's Blog and MS KB 179442
As for which computers need to be able to access the above: The computer verifying the authentication of the trusted user must be able to directly contact both it's own DC and the Trusted DC.
For example: Bob from Alpha (domain) is trying to log in to a workstation that's in Omega (domain). That workstation will check with it's own DCs to get the relevant trust information. Then the workstation will contact a DC from Alpha, verify the user, and login.
Another stickier example: Bob is using his workstation in the Alpha domain. Bob logs into a web service that runs on the Omega domain, but does not use Kerberos to authenticate. The web server in Omega is going to do the authentication, so it needs access like the workstation in the previous example.
The last one I don't actually remember the "answer" to - exactly like the previous, but using Kerberized authentication. I believe the Omega web server still needs access just the same, but it's been too long and I don't have a lab to test that in quickly. I should dig into this one of these days and write a blog article.