
External Forest Trust Configuration with a Firewall - Windows 2003 and NT4

An external forest trust to an NT4 domain relies on NetBIOS name resolution; DNS is not involved.

All trust communication flows between the Windows 2003 PDC emulator (PDCe) and the NT4 PDC. However your LMHOSTS file or firewall is set up, the trust will only work if these two machines can talk to one another.

WINS Configuration

Use the LMHost Creator web site to generate the LMHOSTS files the trust needs for name resolution (per KB180094).

I highly recommend using this site to generate the LMHOSTS file!!!

Windows 2003 (the name NT4_Server should be your NT4 PDC):

10.0.0.1     NT4_Server     #PRE #DOM:NT4_Domain
10.0.0.1     "NT4_DOMAIN     \0x1b" #PRE

NT4 (the name 2003_Server should be your PDCe):

10.0.0.1     2003_Server    #PRE #DOM:2003_Domain
10.0.0.1     "2003_DOMAIN    \0x1b" #PRE

Note: The domain name in the quoted entry is case sensitive. Make sure that you use uppercase characters for the domain name; if you use lowercase characters, NetBT does not recognize the name.

Note: Make sure that you space these entries correctly. Replace 10.0.0.1 with the IP address of the primary domain controller (PDC), replace the server name with the NetBIOS name of your PDC, and replace the domain with your Windows NT domain name. There must be a total of 20 characters within the quotation marks: the domain name plus the number of spaces needed to pad it to 15 characters, plus the backslash, plus the four-character NetBIOS hex representation of the service type (0x1b).

To help determine where the sixteenth character is, copy the following line into your LMHOSTS file:
# IP Address "123456789012345*7890"

Line up the double quotation marks (") by adding or removing spaces from the comment line, and put the \ in the sixteenth column (the column marked with the asterisk). You must use spaces after the name and before the \, not a tab.
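As an added example (not part of the original post or of the LMHost Creator site), the following PowerShell builds the two LMHOSTS lines described above and checks an existing quoted entry against the 20-character rule. The function names and the scratch-file usage are mine.

```powershell
function New-LmhostsTrustEntry {
    param(
        [Parameter(Mandatory=$true)][string]$IPAddress,   # IP of the remote PDC (or PDCe)
        [Parameter(Mandatory=$true)][string]$ServerName,  # NetBIOS name of that DC
        [Parameter(Mandatory=$true)][string]$DomainName   # NetBIOS domain name
    )
    if ($ServerName.Length -gt 15 -or $DomainName.Length -gt 15) {
        throw 'NetBIOS names are at most 15 characters'
    }
    # NetBT matches the domain name case-sensitively, so the 0x1B entry is forced to upper case.
    $dom = $DomainName.ToUpper()
    # Line 1: the remote PDC, preloaded (#PRE) and marked as a DC of its domain (#DOM:).
    $dcLine  = '{0}  {1}  #PRE #DOM:{2}' -f $IPAddress, $ServerName, $dom
    # Line 2: the domain <1B> record. Inside the quotes there must be exactly 20
    # characters: the domain name space-padded to 15, then \0x1b.
    $pdcLine = '{0}  "{1}\0x1b"  #PRE' -f $IPAddress, $dom.PadRight(15)
    return @($dcLine, $pdcLine)
}

function Test-LmhostsQuotedEntry {
    # Applies the rules from the post to an existing 0x1B line: 20 characters in quotes,
    # the backslash in column 16, spaces (not tabs) for padding, upper-case name.
    param([Parameter(Mandatory=$true)][string]$Line)
    $m = [regex]::Match($Line, '"([^"]*)"')
    if (-not $m.Success)             { return 'no quoted name found' }
    $q = $m.Groups[1].Value
    if ($q.Length -ne 20)            { return "quoted part is $($q.Length) characters, expected 20" }
    if ($q.Substring(15, 1) -ne '\') { return 'backslash must be the 16th character inside the quotes' }
    if ($q.Contains("`t"))           { return 'pad with spaces, not tabs' }
    $name = $q.Substring(0, 15).TrimEnd()
    if ($name -cne $name.ToUpper())  { return 'domain name must be upper case' }
    return 'ok'
}

# Usage with the sample values from the post. Review the output in a scratch file
# before copying it into %SystemRoot%\system32\drivers\etc\lmhosts.
$entries = New-LmhostsTrustEntry -IPAddress '10.0.0.1' -ServerName 'NT4_Server' -DomainName 'NT4_Domain'
$entries | Set-Content -Path "$env:TEMP\lmhosts.candidate"
Test-LmhostsQuotedEntry -Line $entries[1]
Test-LmhostsQuotedEntry -Line '10.0.0.1 "NT4_DOMAIN \0x1b" #PRE'   # under-padded entry, reports the length
```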

Name Resolution Tests

Windows 2003

nbtstat -R    -    Purges and reloads the remote cache name table
nbtstat -c    -    Lists NBT's cache of remote [machine] names and their IP addresses

NT4

nbtstat -R    -    Purges and reloads the remote cache name table
nbtstat -C    -    Lists NBT's cache of remote [machine] names and their IP addresses

Note: The -c switch is case sensitive: it must be lowercase on Windows 2003 and uppercase (-C) on NT4. After you run it, you should see a display similar to the following:

Node IpAddress: [10.0.0.5] Scope Id: []

    NetBIOS Remote Cache Name Table

        Name               Type         Host Address    Life [sec]
    ------------------------------------------------------------
        PDCName        <03>  UNIQUE     10.0.0.1        -1
        PDCName        <00>  UNIQUE     10.0.0.1        -1
        PDCName        <20>  UNIQUE     10.0.0.1        -1
        Domain         <1B>  UNIQUE     10.0.0.1        -1

Configuring Domain Controller Ports

The following port definitions should be set on ALL DCs within the DMZ that could replicate with external DCs. They pin down which ports are made available to the requesting DCs, so the firewall can be opened for exactly those ports.

Start Registry Editor (Regedt32.exe).

Restrict FRS traffic to a specific static port - KB319553
Locate and then click the following key in the registry:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NTFRS\Parameters
New    = REG_DWORD
Name   = RPC TCP/IP Port Assignment
Value  = 10000 (Decimal)

Restrict Active Directory replication traffic to a specific port - KB224196
Locate and then click the following key in the registry:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NTDS\Parameters
New    = REG_DWORD
Name   = TCP/IP Port
Value  = 10001 (Decimal)

Restrict RPC dynamic port allocation - KB154596 (only ports 10002-10200 are allowed for RPC from other machines)
Locate and then click the following key in the registry:
HKEY_LOCAL_MACHINE\Software\Microsoft\Rpc\
Create a new key named Internet.

Locate and then click the following key in the registry:
HKEY_LOCAL_MACHINE\Software\Microsoft\Rpc\Internet\
Add the values:
"Ports" (REG_MULTI_SZ)              = 10002-10200
"PortsInternetAvailable" (REG_SZ)   = Y
"UseInternetPorts" (REG_SZ)         = Y
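The three registry changes above as one script, added here as an example rather than taken from the post: it applies the KB319553, KB224196 and KB154596 values from the table it defines and reads them back so the stored values can be compared against the firewall rules. Run it elevated on the DC; the services pick the ports up after a restart.

```powershell
# Added example: static-port settings for NTFRS, NTDS and the RPC dynamic range.
$settings = @(
    @{ Path='HKLM:\SYSTEM\CurrentControlSet\Services\NTFRS\Parameters'
       Name='RPC TCP/IP Port Assignment'; Type='DWord';       Value=10000 },
    @{ Path='HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Parameters'
       Name='TCP/IP Port';                Type='DWord';       Value=10001 },
    @{ Path='HKLM:\SOFTWARE\Microsoft\Rpc\Internet'
       Name='Ports';                      Type='MultiString'; Value=@('10002-10200') },
    @{ Path='HKLM:\SOFTWARE\Microsoft\Rpc\Internet'
       Name='PortsInternetAvailable';     Type='String';      Value='Y' },
    @{ Path='HKLM:\SOFTWARE\Microsoft\Rpc\Internet'
       Name='UseInternetPorts';           Type='String';      Value='Y' }
)

foreach ($s in $settings) {
    # Rpc\Internet does not exist by default; New-Item creates it.
    if (-not (Test-Path $s.Path)) { New-Item -Path $s.Path -Force | Out-Null }
    # -Force overwrites an existing value of the same name, keeping the requested type.
    New-ItemProperty -Path $s.Path -Name $s.Name -PropertyType $s.Type -Value $s.Value -Force | Out-Null
}

# Read back what is actually stored; the firewall rules below must match these values.
foreach ($s in $settings) {
    $stored = (Get-ItemProperty -Path $s.Path -Name $s.Name).($s.Name)
    '{0,-28} = {1}' -f $s.Name, ($stored -join ',')
}
```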

To test connectivity and validate FRS communication (this applies to Windows 2003 to Windows 2003 communication only), run:

 NTFRSUTL version server_name

If the two DCs can communicate through the firewall via FRS, the response shows the current FRS version number.

To validate connectivity between the NT4 PDC and the PDCe, use the PortQryUI tool:

1. Download PortQryUI and run the tool.
2. Select the destination DC or PDC.
3. Select "Domains and Trusts".
4. Validate from the tool's output that the ports that should be open in fact are.

For additional information on this tool see PortQry features; PortQry is the backend tool for PortQryUI.

Configure 2003 Firewall Ports - KB179442 (this is between a DMZ'd DC and an internal DC; these settings cover AD replication as well)

Port          Protocol    Service
135           TCP         RPC Connector Helper (machines connect to find out what high port to use)
137           TCP/UDP     NetBIOS Name
138           UDP         NetBIOS Netlogon and Browsing
139           TCP         NetBIOS Session
123           UDP         NTP
389           TCP/UDP     LDAP
636           TCP         LDAP SSL
3268          TCP         LDAP GC
3269          TCP         LDAP GC SSL
42            TCP         WINS Replication
53            TCP/UDP     DNS
88            TCP/UDP     Kerberos
445           TCP/UDP     SMB over IP (Microsoft-DS)
10000         TCP         RPC NTFRS
10001         TCP         RPC NTDS
10002-10200   TCP         RPC - Dynamic High Open Ports
              ICMP
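To check the TCP rows of the table from a DC on one side of the firewall, here is an added PowerShell example (not from the post; PortQryUI remains the tool for the UDP rows). The target name dc01.example.test is a hypothetical placeholder. The distinction the script draws is the useful one for firewall work: a timeout means the SYN was dropped, while a refusal means the firewall passed the packet and simply nothing was listening, which is the expected answer for unused ports of the 10002-10200 range.

```powershell
function Test-DcTcpPort {
    param([string]$ComputerName, [int]$Port, [int]$TimeoutMs = 2000)
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        $ar = $client.BeginConnect($ComputerName, $Port, $null, $null)
        # No answer within the timeout: the firewall most likely dropped the SYN.
        if (-not $ar.AsyncWaitHandle.WaitOne($TimeoutMs, $false)) { return 'filtered (timeout)' }
        $client.EndConnect($ar)      # throws a SocketException on an RST (refused)
        return 'open'
    } catch {
        # The packet got through the firewall; no service is listening on that port.
        return 'reachable, closed'
    } finally { $client.Close() }
}

$Target = 'dc01.example.test'   # hypothetical DC on the other side of the firewall
# TCP rows of the 2003 port table above, plus the first port of the dynamic range.
$tcpRows = @(
    @{Port=135;   Service='RPC Connector Helper'}, @{Port=137;   Service='NetBIOS Name'},
    @{Port=139;   Service='NetBIOS Session'},      @{Port=389;   Service='LDAP'},
    @{Port=636;   Service='LDAP SSL'},             @{Port=3268;  Service='LDAP GC'},
    @{Port=3269;  Service='LDAP GC SSL'},          @{Port=42;    Service='WINS Replication'},
    @{Port=53;    Service='DNS'},                  @{Port=88;    Service='Kerberos'},
    @{Port=445;   Service='SMB over IP'},          @{Port=10000; Service='RPC NTFRS (static)'},
    @{Port=10001; Service='RPC NTDS (static)'},    @{Port=10002; Service='RPC dynamic range (first port)'}
)
foreach ($r in $tcpRows) {
    '{0,-6} {1,-32} {2}' -f $r.Port, $r.Service, (Test-DcTcpPort -ComputerName $Target -Port $r.Port)
}
```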

 

 

Configure NT4 Firewall Ports (if there is only an NT4 box outside the firewall, the previous list is not needed)

Port          Protocol    Service
135           TCP/UDP     RPC Connector Helper
137           TCP/UDP     NetBIOS Name
138           UDP         NetBIOS Netlogon and Browsing
139           TCP         NetBIOS Session
42            TCP         WINS Replication
123           UDP         NTP
10000-10200   TCP         RPC - Dynamic High Open Ports

Changes made in the Default Domain Controller Group Policy

Computer Configuration \ Windows Settings \ Security Settings \ Security Options

Microsoft network client: Digitally sign communications (always)                 DISABLED (Default ENABLED)
Microsoft network client: Digitally sign communications (if server agrees)       ENABLED  (Default ENABLED)
Microsoft network server: Digitally sign communications (always)                 DISABLED (Default ENABLED)
Microsoft network server: Digitally sign communications (if client agrees)       ENABLED  (Default ENABLED)
Domain member: Digitally encrypt or sign secure channel data (always)            DISABLED (Default ENABLED)
Domain member: Digitally encrypt secure channel data (when it is possible)       ENABLED  (Default ENABLED)
Domain member: Digitally sign secure channel data (when it is possible)          ENABLED  (Default ENABLED)
Network access: Restrict anonymous access to Named Pipes and shares              DISABLED (Default ENABLED)
Network access: Do not allow anonymous enumeration of SAM accounts and shares    DISABLED (Default ENABLED)
Network access: Do not allow anonymous enumeration of SAM accounts               DISABLED (Default ENABLED)
Network access: Allow anonymous SID/Name translation                             ENABLED  (Default DISABLED)
Domain member: Require strong (Windows 2000 or later) session key                DISABLED (Default ENABLED)

Changes made in the registry of the 2003 PDCe

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\LSA\EveryoneIncludesAnonymous = 1 (default 0)
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\lanmanserver\parameters\restrictnullsessaccess = 0 (default 1)
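As an added audit script (not from the post), the following PowerShell reads the registry values behind the group policy settings and the two registry edits listed above and reports which ones are currently in the relaxed state, so the NT4-compatibility changes can be inventoried on each DC and reverted once the NT4 domain is retired. The policy-to-value mapping is the standard one for these security options; "Allow anonymous SID/Name translation" lives in LSA policy rather than a plain registry value and is left out. "Hardened" here means the value that enforces the protection, not the Windows default.

```powershell
$lanWks = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanWorkstation\Parameters'
$lanSrv = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'
$netlog = 'HKLM:\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters'
$lsa    = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'

# Policy name (abbreviated) -> registry value -> the value that enforces the protection.
$checks = @(
    @{ Setting='Client: sign communications (always)';           Path=$lanWks; Name='RequireSecuritySignature'; Hardened=1 },
    @{ Setting='Client: sign communications (if server agrees)'; Path=$lanWks; Name='EnableSecuritySignature';  Hardened=1 },
    @{ Setting='Server: sign communications (always)';           Path=$lanSrv; Name='RequireSecuritySignature'; Hardened=1 },
    @{ Setting='Server: sign communications (if client agrees)'; Path=$lanSrv; Name='EnableSecuritySignature';  Hardened=1 },
    @{ Setting='Encrypt or sign secure channel data (always)';   Path=$netlog; Name='RequireSignOrSeal';        Hardened=1 },
    @{ Setting='Encrypt secure channel data (when possible)';    Path=$netlog; Name='SealSecureChannel';        Hardened=1 },
    @{ Setting='Sign secure channel data (when possible)';       Path=$netlog; Name='SignSecureChannel';        Hardened=1 },
    @{ Setting='Require strong session key';                     Path=$netlog; Name='RequireStrongKey';         Hardened=1 },
    @{ Setting='Restrict anonymous access to pipes and shares';  Path=$lanSrv; Name='RestrictNullSessAccess';   Hardened=1 },
    @{ Setting='No anonymous enumeration of SAM and shares';     Path=$lsa;    Name='RestrictAnonymous';        Hardened=1 },
    @{ Setting='No anonymous enumeration of SAM accounts';       Path=$lsa;    Name='RestrictAnonymousSAM';     Hardened=1 },
    @{ Setting='Everyone includes Anonymous';                    Path=$lsa;    Name='EveryoneIncludesAnonymous';Hardened=0 }
)

foreach ($c in $checks) {
    # A missing value means the policy has never been written to this machine.
    $item = Get-ItemProperty -Path $c.Path -Name $c.Name -ErrorAction SilentlyContinue
    if ($null -eq $item) {
        $current = '-'; $state = 'not set'
    } else {
        $current = $item.($c.Name)
        $state = if ($current -eq $c.Hardened) { 'hardened' } else { 'RELAXED' }
    }
    '{0,-50} {1,-26} {2,-4} {3}' -f $c.Setting, $c.Name, $current, $state
}
```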

Once all these steps have been completed, the trust can be established; see:

          How to establish trusts with a Windows NT-based domain in Windows Server 2003

A complete set of troubleshooting options is available in KB889030.

Published Tuesday, May 01, 2012 8:48 AM by Paul Bergson
