Forest / Domain Trust across firewall

Similar Messages

• Domain trust parameters meaning

  Hi all,
  can you help me understand what's the meaning of these parameters returned after querying a DC for trust relationships?
  DOMAIN_NAME={domain.netbios.name=NETBIOS_NAME,
  domain.flags=0x00000022, domain.trust.attributes=0x00000008, domain.dns.name=DNS_NAME,
  domain.trust.type=2, objectGUID=0etc, objectSid=Setc}
  Specifically I'm interested in these parameters:
  domain.flags
  domain.trust.attributes
  domain.trust.type
  What do they represent and what are the possible values?
  Thanks in advance
  Have a nice day

  I believe the answer is: https://msdn.microsoft.com/en-us/library/cc237110.aspx
  so in my case 
  domain.flags -> I don't understand this
  domain.trust.attributes -> Domain is root of another forest
  domain.trust.type -> Trust is with a Windows Active Directory-based Domain
  Is this correct?

• Change domain trust for Forest trust

  Hi
  I have a forest A with 3 domains (1 (root),2,3) and i have a forest B with 2 domains (4 (root),5).
  Presently, i have a domain trust between domain 2 and 5.
  I need to change for a forest trust ? what is a best practice ?
  1- Remove domain trust and create a forest trust?
  2- Create a forest trust (waiting a few day) a remove a domain trust?
  3- Create a forest trust and remove immediately a domain trust?
  Do you have a link to explain that?
  Thanks

  Hi,
  Which kind of domain trust have you created? Which kind of forest trust do you want to create?
  A one-way forest trust allows all users in one forest to trust all domains in the other forest; a two-way forest trust forms a transitive trust relationship between
  every domain in both forests.
  Based on my understanding of forest trust, a forest trust is a transitive trust between a forest root domain and a second forest root domain. If you create a forest
  trust between two root domains in forest A and forest B, it provides a one-way or two-way, transitive trust relationship between every domain in each forest.
  In another word, all the domains in forest A and forest B would inherit the trust relationship from their root domains. Personally, you can just create a new forest trust and keep the existing domain trust.
  In addition, please make sure that the forest function level is Windows Server 2003 or higher before you create a forest trust.
  Best regards,
  Susie

• What difference between a domain trust and a forest trust?

  What difference between a domain trust and a forest trust?

  Greetings!
  The answer is right on the question! :)
  I think it is best to distinguish properly between forest and domain. This article is a good one:
  What Are Domains and Forests?
  But in a nutshell, a forest trust is mostly used between two organizations, Suppose company A has a unique forest and company B has another unique forest as well, when they are merged they can simply create a forest trust between each other, This trust can
  be one-way or two-way depending on your needs.
  Domain trusts are between a single instance (domain) of a forest to another instance (domain) of another forest. It is worth mentioning that trust can be transitive as well.
  What Are Domain and Forest Trusts?
  I hope you got the answer.
  Regards.
  Mahdi Tehrani   |  
    |  
  www.mahditehrani.ir
  Please click on Propose As Answer or
  to mark this post as
  and helpful for other people.
  This posting is provided AS-IS with no warranties, and confers no rights.
  How to query members of 'Local Administrators' group in all computers?

• Forest Level Trust to limited number of DC's

  I need to establish a 1-way forest level trust between 2 forests across firewalls. The source forest has a single domain with 13 domain controllers. Is it possible to limit the trust communication to only 2 domain controllers in the source
  domain or do I need to open up the required ports from the target domain controllers to all the DC's in the source forest?

  Hi,
  Based on my understanding of forest trust, if you create a one-way, forest trust between forest A (the trusted forest) and forest B (the trusting forest), members of forest A can access resources located in forest B, but members of forest B cannot access resources
  located in forest A using the same trust. There is no limitation for the number of DCs.
  In addition,for the ports used by trusts, you can refer to the link below:
  How Domain and Forest Trusts Work
  Best regards,
  Susie

• Domain Trust and DNS

  Hello,
  We have a 2-way domain trust between a Windows 2003 domain and a 2008 domain.  Nearly all works, we can share folder permissions etc but what we can't do on their domain is add a PC on their network that is part of our domain.
  The error is:
  it can't find the SRV record for _ldap._tcp.dc._msdcs.ukdomain.local.
  if they go to their DNS and look at the seconday forward lookup some for ukdomain.local it doesn't show a zone called _msdcs under ukdomain.local instead outside my zone we have a separete zone called _msdcs.gb.vo.local like this:
  DC1
  ----->Forward Lookup Zones
  -------->_Msdcs.ukdomain.local
  -------->ukdomain.local
  I though it should look like this:
  DC1
  ----->Forward Lookup Zones
  ------->ukdomain.local
  --------->_Msdcs
  Thanks

  If you are on their network can you ping their domain?
  If not then you have a DNS, routing, or firewall issue.
  Are ports being blocked?  For DNS, add a conditional forwarder to point to DNS for the other Domain and do the same on the other side, this will work better in 2008 as it's replicated to the forest.
  Testing
  Domain Controller Connectivity Using PORTQRY
  Protocol and Port
  AD and AD DS Usage
  Type of traffic
  TCP and UDP 389
  Directory, Replication, User and Computer Authentication, Group Policy, Trusts
  LDAP
  TCP 636
  Directory, Replication, User and Computer Authentication, Group Policy, Trusts
  LDAP SSL
  TCP 3268
  Directory, Replication, User and Computer Authentication, Group Policy, Trusts
  LDAP GC
  TCP 3269
  Directory, Replication, User and Computer Authentication, Group Policy, Trusts
  LDAP GC SSL
  TCP and UDP 88
  User and Computer Authentication, Forest Level Trusts
  Kerberos
  TCP and UDP 53
  User and Computer Authentication, Name Resolution, Trusts
  DNS
  TCP and UDP 445
  Replication, User and Computer Authentication, Group Policy, Trusts
  SMB,CIFS,SMB2, DFSN, LSARPC, NbtSS, NetLogonR, SamR, SrvSvc
  TCP 25
  Replication
  SMTP
  TCP 135
  Replication
  RPC, EPM
  TCP Dynamic
  Replication, User and Computer Authentication, Group Policy, Trusts
  RPC, DCOM, EPM, DRSUAPI, NetLogonR, SamR, FRS
  TCP 5722
  File Replication
  RPC, DFSR (SYSVOL)
  UDP 123
  Windows Time, Trusts
  Windows Time
  TCP and UDP 464
  Replication, User and Computer Authentication, Trusts
  Kerberos change/set password
  UDP Dynamic
  Group Policy
  DCOM, RPC, EPM
  UDP 138
  DFS, Group Policy
  DFSN, NetLogon, NetBIOS Datagram Service
  TCP 9389
  AD DS Web Services
  SOAP
  UDP 67 and UDP 2535
  DHCP
  Note
  DHCP is not a core AD DS service but it is often present in many AD DS deployments.
  DHCP, MADCAP
  UDP 137
  User and Computer Authentication,
  NetLogon, NetBIOS Name Resolution
  TCP 139
  User and Computer Authentication, Replication
  DFSN, NetBIOS Session Service, NetLogon
  If it answered your question, remember to “Mark as Answer”.
  If you found this post helpful, please “Vote as Helpful”.
  Postings are provided “AS IS” with no warranties, and confers no rights.
  Active Directory: Ultimate Reading Collection
  Active Directory Visio Stencils 2013 - Directory Services Visio Stencils
  Kelly Bush
  It appears that you've copied and posted the chart, with some editing,
  from my blog, link posted below. No problem, as long as it helps the poster. :-)
  Active Directory Firewall Ports – Let’s Try To Make This Simple
  http://blogs.msmvps.com/acefekay/2011/11/01/active-directory-firewall-ports-let-s-try-to-make-this-simple/
  Also, I would like to add, that for firewall checks, to make sure the ephemeral ports are opened. These are the important random response ports. The ports are dependent on the operating system version.
  Here's the matrix:
  Ephemeral Ports:
  And most of all, the Ephemeral ports, or also known as the “service response ports,” that are required for communications. These ports are dynamically created for session responses for each client
  that establishes a session, (no matter what the ‘client’ may be), and not only to Windows, but to Linux and Unix as well. See below in the references section to find out more on what ‘ephemeral’ means.are used only for that session. Once the session has dissolved,
  the ports are put back into the pool for reuse. This applies not only to Windows, but to Linux and Unix as well. See below in the references section to find out more on what ‘ephemeral’ means.
  TCP & UDP 1025-5000
  Window 2003/XP and older
  Ephemeral Dynamic Service Response Ports
  TCP & UDP 49152-65535
  Windows 2008/Vista and newer
  Ephemeral Dynamic Service Response Ports
  TCP Dynamic Ephemeral
  Replication, User and Computer Authentication, Group Policy, Trusts
  RPC, DCOM, EPM, DRSUAPI, NetLogonR, SamR, FRS
  UDP Dynamic Ephermeral
  Group Policy
  DCOM, RPC, EPM
  If the scenario is a Mixed-Mode NT4 & Active Directory scenario with NT4 BDCs, then the following must be opened:
  TCP & UDP 1024 – 65535
  NT4 BDC to Windows 2000 or newer Domain controller PDC-E communications
  RPC, LSA RPC, LDAP, LDAP SSL, LDAP GC, LDAP GC SSL, DNS, Kerberos, SMB
  Ace Fekay
  MVP, MCT, MCSE 2012, MCITP EA & MCTS Windows 2008/R2, Exchange 2013, 2010 EA & 2007, MCSE & MCSA 2003/2000, MCSA Messaging 2003
  Microsoft Certified Trainer
  Microsoft MVP - Directory Services
  Complete List of Technical Blogs: http://www.delawarecountycomputerconsulting.com/technicalblogs.php
  This posting is provided AS-IS with no warranties or guarantees and confers no rights.

• AD DS New Forest Domain Naming Problem

  Hey everyone,
  I'm having a bit of a conundrum about the new forest domain name and what possible implications it can have if I chose the wrong name convention...
  Current Setup
  The current issue is that the company I work for was bought out by another company and atm, where using a 2-way forest trust.
  The company also has another site in Africa which is using a different forest domain but doesn't have any forest trust to either of the other 2 domains.
  The current forest domains are:-
  1. Company1.local (my old company)
  2. Company2.com.au (main company)
  3. internal.company2direct.com.ke (Africa site)
  To make it worse, all three sites have their own Exchange environment and there's all types of file share/application authentication issues between sites.
  Therefore, the company has decided that they want to get rid of all the exchange environments/file shares and so forth and move everything to
  Office365, including SharePoint and Lync
  New Solution
  They have also decided that they want a new forest with a single domain and that the locations and security will be delegated by using different OU structures/GPO's as it's all going to administered by 2 people at the main company site. This is non-negotiable
  as they don't want sub/child domains or different forests, just a single entity.
  They're using a third party to do the Office365 design and implementation. However I have been assigned to setup the new initial ADDS server for the new forest.
  After some reading I've found that we really shouldn't be using '.local' or '.internal' for the forest root domain. I suggested that we use 'internal.thecompanynamethatisreallylong.com.au' and a NetBIOS of 'CNF' (which is actually that long,
  and I feel that if we have to use a FQDN for anything then it will cause an issue)
  They want me use the following for the forest root domain ' au.cnf' with a NetBIOS of 'CNF'
  Is that really such a good idea or is there any situation whereby using 'au.cnf' as the
  prefix.suffix could cause any issues?
  I would of like to use 'internal.cnf.com.au' however the domain name 'cnf.com.au' is already registered by another company..
  Once the new forest is created, I'll create a 2way trust between the companies and start using ADMT to migrate accounts across
  Thanks in advance for you help

  Hello,
  for AD limits, especially amount of usable characters, please see
  http://technet.microsoft.com/en-us/library/cc756101.aspx
  Personally I would NOT use the "CNF" as NetBIOS domain name. "CNF" in AD stands for "Conflicting object" and this will be shown in dcdiag or repadmin outputs when conflicts are listed as doubled names for example.
  For the internal naming I would always use short domain names. Top level domain names to avoid for WAAD and Office365 I would also check with the experts in http://social.msdn.microsoft.com/forums/azure/en-US/home?forum=WindowsAzureAD
  and http://community.office365.com/en-us/f/default.aspx
  You could use public TLDs but keep in mind that you have to configure split DNS that way.
  Best regards
  Meinolf Weber
  MVP, MCP, MCTS
  Microsoft MVP - Directory Services
  My Blog: http://blogs.msmvps.com/MWeber
  Disclaimer: This posting is provided AS IS with no warranties or guarantees and confers no rights.
  Twitter:  

• Domain Trust Relationships in Windows Small Business Server 2011

  I have seen that SBS 2011 (and older SBS versions, apparently) do not 'support' Domain Trust relationships.
  Before coming across this information, I have already successfully created a trust relationship between a newly created SBS 2011 domain and an existing 2008 Domain, and everything seems to be working fine - users from one domain are recognized on the other,
  etc.
  So I was wondering - is the 'not supported' more of a 'you're on your own if it breaks', is this a violation of the license, or is it some sort of freak occurrence and I am extremely lucky to have gotten this to work.  This is actually my first time
  setting up a trust relationship and the entire process took about 10 minutes, so it seemed extremely easy for something that I now find out is unsupported.
  If it is a license violation, I'll remove the trust relationship immediately.  This is not a permanent configuration, just testing our software on the SBS2011 platform and domain trusts were the most expedient way of adding the SBS Domain users to the
  list of authorized users on our primary domain's SQL Server.
  Thanks in advance.

  From here, it says that the trust relationship is not supported for SBS: http://technet.microsoft.com/en-us/library/cc672124%28v=ws.10%29.aspx
  This means that this have not been tested by Microsoft and if you will have issues, you will not get supported from Microsoft.
  I don't think that this is a violation of the license but it will be better to check with a Microsoft licensing expert in your country.
  More if you ask them here: http://social.technet.microsoft.com/Forums/en-US/category/sbsserver
  This
  posting is provided "AS IS" with no warranties or guarantees , and confers no rights.   
  Microsoft
  Student Partner 2010 / 2011
  Microsoft
  Certified Professional
  Microsoft
  Certified Systems Administrator: Security
  Microsoft
  Certified Systems Engineer: Security
  Microsoft
  Certified Technology Specialist: Windows Server 2008 Active Directory, Configuration
  Microsoft
  Certified Technology Specialist: Windows Server 2008 Network Infrastructure, Configuration
  Microsoft
  Certified Technology Specialist: Windows Server 2008 Applications Infrastructure, Configuration
  Microsoft
  Certified Technology Specialist: Windows 7, Configuring
  Microsoft
  Certified Technology Specialist: Designing and Providing Volume Licensing Solutions to Large Organizations
  Microsoft
  Certified IT Professional: Enterprise Administrator
  Microsoft Certified IT Professional: Server Administrator
  Microsoft Certified Trainer

• Master data services 2012 domain trust issues

  hi,
  we have a Master Data Services 2012 installation within one domain and the users exist within another domain.  This has a selective trust both ways.
  the behaviour that we are seeing in MDS 2012 when adding users to the master data services from the other domain we are getting no exact match found for the users that exists when adding users in;  these users are from the domain that MDS does not reside
  in but there is a trust in place.
  we have given authentication permissions to all users requiring access to the server that MDS resides on.
  the question is what steps are necessary to allow MDS to operate in two domain environment.   We have other applications that function in this manner but MDS is causing issues.
  any help would be appreciated..
  thanks

  I don't have the exact multi domains environment to try it on. But I tried on mutil forest domains. It seems working fine.
  When add the user, the format is like [DomainName\]UserName
  When add the user for another domain, the domain name is required.
  There is a trust between our two domains (which works because I can log into SQL Server effortlessly with SSMS). However, when I try to add a user from the other domain, I get the error
  "No exact match was found for domain\user"
  It seems that MDS really doesn't like trusts.
  MCSE SQL Server 2012 - Please mark posts as answered where appropriate.

• People Picker search order with multiple forest domains

  I had customer with multiple forest domain environment. Now the problem is that all users from one domain synced to the resource domain(Domain A) where sharepoint is installed.
  The peoplepicker is now finding at first the user in Domain A where sharepoint is installed. My Solution is now to specify the order of searching in People Picker that first all users in Domain B will return and if there is noting will return Domain A.
  All SharePoint Server(s) had Network Access to the other Domains. And there are two-way-trust konfigured.
  Any Solution for that?
  Thanks for your feedback!
  P.

  Regardless of search order, you would get both results returned. Have you tried using the UserAccountDirectoryPath property on the Site Collection to specify DC=domainB,DC=com?
  Trevor Seward
  Follow or contact me at...
  This post is my own opinion and does not necessarily reflect the opinion or view of Microsoft, its employees, or other MVPs.
  Nice to now that i can set it up per site collection. But it do not work in my case, it indeed returned users from Domain B but Domain A, C, D and F(Examples) are excluded from People Picker.

• Kerberos Authentication Setup for MSCRM in cross forest oneway trust environment.

  Dear All,
  Kindly help related to implement Kerberos authentication on CRM application with multiple Forest environment. My environment details are as below:
  Number of forests: 2
  1. First is with name of domain1.local
  2. Second is with name of domain2.local
  Trust Level: One Way trust from domain1 and domain2.
  CRM Farm Details:
  1.  1 CRM(APP + WEB)Server (CRMAPP-01.domain1.local)
  2.  1 SQL Server (CRMSQL-01.domain1.local)
  3. 1 CRM SSRS Server (CRMSSRS-01.domain.local)
  4. CRM site url: http://mscrminternal.domain.local/MSORG1
  *I have successfuly configured Kerberos authentication and everything is working fine once try to access for Users of domain1.
  But once I tried to access for users of domain2. I am getting following error.
  HTTP Error 401 - Unathorized: Access denied.
  *If i switch to NTLM, I can access CRM site for domain2 and domain1 users without any issue.
  I read MS article, Kerberos delegation can be established if one way FOrest trust is present.
  Please help me to understand if Kerberos is possible to setup cross forest oneway trust.
  Regards
  Gyan
  GYAN SHUKLA

  Hi Gyan,
  I assume that you have solved this issue by synchronizing time between Domain Controllers, right?
  Then your last reply should be marked as answer.
  If this issue still persists, pelase feel free to let us know.
  Best Regards,
  Amy 

• AD domain trust

  We have setup a One-Way domain trust between Domain A and Domain B. Users in Domain A can logo on to servers in Domain B. (B trust A). Relevant ports are open in the firewallbetween the domain controllers in A+B. It Works but are very slow. So I need to verify that my conclution is correct. What I think is going on, is that when a users from A is logging on to a server (let us call it B1)in B, thenB1 tries to contact a domain controller in A, using Kerberos. Since this is not allowed in the firewall, the server tries NTML as a fall back option, but here it is the B domain controllers that contact the A domain controllers and the user is authenticated. Because of the "Kerberos then NTML" problem, the logon is very slow. Now is my only option to open so that B1 can connect to domain controllers in Domain A? or is there another way to...
  This topic first appeared in the Spiceworks Community

  Sorry I don't follow your question? Can you expand on what you are after. When you say AD assessment for Domain Trust do you mean you need to validate and document an existing trust, or propose a solution for a new one? And what are you interested in with
  sites.
  Thanks
  Regards,
  Denis Cooper
  MCITP EA - MCT
  Help keep the forums tidy, if this has helped please mark it as an answer
  Blog: http://www.windows-support.co.uk 
  Twitter:   LinkedIn:

• Domain trust for external exchange domain

  Ok so I have inherited two domains, one domain runs activedirectory services that all of the workstations are joined to (domainA), thesecond domain hosts exchange (domainB).After signing in on a computer in domainA we have to authenticateoutlook with domainB to get email.The end result, I would like is to be able to authenticatewith domainA for email but have it load the profile as if it was domainB. I cancreate a one way trust from domainB to domainA but Im not sure how to foolexchange into believing DomainA\user1 is DomainB\user1. I've messed around withAuthenticate as permissions on domainB but that doesnt seemto work correctly. I don’t want to messwith full access permissions on exchange as that would cause issues.I havent had any problems getting the trust functioning correctly, just the windows/exchange user side of things.Does...
  This topic first appeared in the Spiceworks Community

  Hi,
  Which kind of domain trust have you created? Which kind of forest trust do you want to create?
  A one-way forest trust allows all users in one forest to trust all domains in the other forest; a two-way forest trust forms a transitive trust relationship between
  every domain in both forests.
  Based on my understanding of forest trust, a forest trust is a transitive trust between a forest root domain and a second forest root domain. If you create a forest
  trust between two root domains in forest A and forest B, it provides a one-way or two-way, transitive trust relationship between every domain in each forest.
  In another word, all the domains in forest A and forest B would inherit the trust relationship from their root domains. Personally, you can just create a new forest trust and keep the existing domain trust.
  In addition, please make sure that the forest function level is Windows Server 2003 or higher before you create a forest trust.
  Best regards,
  Susie

• Can the SidHistory attribute be moved from one User account to a different User account in the same Forest/Domain?

  Hello,
  Can the SidHistory attribute be moved from one User account to a different User account in the same Forest/Domain manually with  Active Directory Users and Computers or with something like Powershell?  it would seem to me this is a safe operation.
  Thanks for your help! SdeDot

  Hi,
  In addition, please also take a look at the below thread:
  copy SIDHistory from one account to another in the same domain
  http://social.technet.microsoft.com/Forums/en-US/2ca8727c-b3fd-4ef8-9747-99295f0cd61c/copy-sidhistory-from-one-account-to-another-in-the-same-domain?forum=winserverDS
  Hope this helps
  Best regards
  Michael
  If you have any feedback on our support, please click
  here.
  Please remember to click “Mark as Answer” on the post that helps you, and to click “Unmark as Answer” if a marked post does not actually answer your question. This can be beneficial to other community members reading the thread.

• Setting up two way AD domain trust ?

  Hi,
  I'd like to know what are the steps that I need to take when setting up Active Directory domain trust between two  or more different AD domain? and also the steps to undo the domain trust in case I need to prevent some issues.
  Because I currently have about 15+ site offices that runs their own Active Directory domain to be joined with my current parent company AD domain.
  Thanks
  /* Server Support Specialist */

  Have you thought about using Azure Active Directory with users synchronization to consolidate all your office to one place?
  Answering directly: There are different types of trusts. Think about setting 1-way trust (users from first domain can get access to the resources in second domain but not the other way round) or 2-way trust (users in both domains get access to resources
  such as applications or sysytems in both domains). Please read https://technet.microsoft.com/en-us/library/cc730798.aspx
  Setting up the trust is rather easy task (https://technet.microsoft.com/en-us/library/cc771580.aspx) and can be undone easily as well (https://technet.microsoft.com/en-us/library/cc771137.aspx)
  Hope that helps!
  Did my post help you or make you laugh? Don't forget to click the Helpful vote :) If I answered your question please mark my post as an Answer.