Windows Server Firewall Port Configuration Guide for Cross-Forest Domain Trusts in Active Directory


When establishing cross-forest trusts between Windows Server 2008 R2 domains, you'll need to open these critical ports in your firewall:

# Core Authentication Ports
TCP 88 (Kerberos authentication)
TCP/UDP 53 (DNS resolution)
TCP/UDP 389 (LDAP)
TCP 636 (LDAP SSL)

# Trust-Specific Ports
TCP/UDP 445 (SMB for netlogon)
TCP/UDP 464 (Kerberos password change)
TCP 3268 (Global Catalog)
TCP 3269 (Global Catalog SSL)

The DC-to-DC communication requires additional ports beyond the standard domain operations:

# RPC Endpoint Mapper
TCP/UDP 135 (RPC)

# Dynamic RPC Ports (requires range configuration)
TCP 49152-65535 (RPC dynamic ports)

# Netlogon Service
TCP/UDP 42 (WINS replication - if used)

Here's a PowerShell script to verify port accessibility between domain controllers:

function Test-TrustPorts {
    param(
        [string]$RemoteDC,
        [int[]]$Ports = @(53,88,135,389,445,636,3268,3269)
    )
    
    $results = @()
    foreach ($port in $Ports) {
        try {
            $tcp = New-Object System.Net.Sockets.TcpClient
            $async = $tcp.BeginConnect($RemoteDC, $port, $null, $null)
            $wait = $async.AsyncWaitHandle.WaitOne(1000, $false)
            
            if (-not $wait) {
                $tcp.Close()
                $results += [PSCustomObject]@{
                    Port = $port
                    Status = "Closed/Filtered"
                }
            } else {
                $null = $tcp.EndConnect($async)
                $tcp.Close()
                $results += [PSCustomObject]@{
                    Port = $port
                    Status = "Open"
                }
            }
        } catch {
            $results += [PSCustomObject]@{
                Port = $port
                Status = "Error: $_"
            }
        }
    }
    return $results
}

# Usage example:
Test-TrustPorts -RemoteDC "dc2.contoso.com" | Format-Table -AutoSize

When implementing firewall rules for cross-forest scenarios:

  • Ensure name resolution works bidirectionally (DNS forwarding or conditional forwarding)
  • Configure firewall rules for both initial trust creation and ongoing operations
  • Remember that computer account authentication requires access to the trusting domain's DCs

Use this Wireshark display filter to monitor trust-related traffic:

# Wireshark filter for trust operations
(kerberos or ldap or dcerpc or smb or tcp.port in {88,53,389,445,135,464,3268,3269}) and 
(ip.addr == 192.168.1.100 and ip.addr == 192.168.2.100)

For large environments with strict firewall policies, consider these optimizations:

# Group Policy for restricting RPC port range
Computer Configuration -> Policies -> Administrative Templates -> System -> Remote Procedure Call
"Restrict Remote Procedure Call (RPC) clients to use only the specified ports"

# Example netsh command for firewall configuration
netsh advfirewall firewall add rule name="AD Trust Ports" dir=in action=allow protocol=TCP localport=88,135,389,445,636,3268,3269 remoteip=10.0.0.0/24
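The `remoteip=10.0.0.0/24` scope in the netsh rule above can be tightened to exactly the partner forest's domain controllers. The following added script (not part of the original answer) discovers them through the `_ldap._tcp.dc._msdcs` SRV records, which at the same time proves the conditional forwarder works, and emits scoped netsh rules for both TCP and UDP; it assumes `Resolve-DnsName` (Server 2012 or later) and uses the placeholder forest name `fabrikam.example`.

```powershell
# Added example: scope the trust firewall rules to the partner forest's DCs only.
# Assumes Resolve-DnsName (DnsClient module, Server 2012+); the forest name is a placeholder.
param(
    [string]$PartnerForest = "fabrikam.example",   # placeholder partner forest
    [switch]$Apply                                 # without -Apply, only print the commands
)

# Step 1: resolving the partner's DC locator records proves the conditional forwarder works.
$srv = Resolve-DnsName -Name "_ldap._tcp.dc._msdcs.$PartnerForest" -Type SRV -ErrorAction Stop
$dcNames = $srv | Where-Object { $_.Type -eq 'SRV' } |
           Select-Object -ExpandProperty NameTarget -Unique
if (-not $dcNames) { throw "No DC SRV records for $PartnerForest; check conditional forwarding." }

# Step 2: collect the IPv4 addresses of those DCs; this becomes the remoteip scope of every rule.
$dcAddrs = foreach ($n in $dcNames) {
    Resolve-DnsName -Name $n -Type A -ErrorAction Stop |
        Where-Object { $_.Type -eq 'A' } | Select-Object -ExpandProperty IPAddress
}
$scope = ($dcAddrs | Sort-Object -Unique) -join ','

# Step 3: one rule per protocol, ports taken from the lists in the answer above.
$rules = @(
    @{ Proto = 'TCP'; Ports = '53,88,135,389,445,464,636,3268,3269,49152-65535' }
    @{ Proto = 'UDP'; Ports = '53,88,389,464' }
)
foreach ($r in $rules) {
    $name = "ADTrust-$PartnerForest-$($r.Proto)"
    $netshArgs = @('advfirewall', 'firewall', 'add', 'rule', "name=$name", 'dir=in',
                   'action=allow', "protocol=$($r.Proto)", "localport=$($r.Ports)",
                   "remoteip=$scope", 'profile=domain')
    if ($Apply) { & netsh @netshArgs } else { Write-Output ("netsh " + ($netshArgs -join ' ')) }
}
```

Run it once without `-Apply` to review the generated rules, then rerun with `-Apply` on each DC that must accept traffic from the partner forest.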


When establishing a forest trust between two Windows Server 2008 R2 domains, these core ports must be open between all domain controllers:

TCP 88 (Kerberos authentication)
TCP/UDP 53 (DNS resolution)
TCP/UDP 389 (LDAP)
TCP 636 (LDAP SSL)
TCP/UDP 445 (SMB for sysvol access)
TCP 3268 (Global Catalog)
TCP/UDP 88 (Kerberos)
TCP/UDP 123 (NTP time sync)
TCP/UDP 464 (Kerberos password change)
TCP 135 (RPC endpoint mapper)
TCP 593 (RPC over HTTP)
TCP 49152-65535 (RPC dynamic ports)

The firewall configuration must account for three distinct communication patterns:

  1. DC-to-DC authentication (all ports listed above)
  2. Client-to-own-DC authentication (standard AD ports)
  3. Cross-forest client-to-DC access (limited ports)

Use this script to test basic connectivity between domains:

# Test core ports between DCs
$trustedDC = "dc2.contoso.com"
$ports = @(53,88,389,445,636,3268)

foreach ($port in $ports) {
    try {
        $test = New-Object System.Net.Sockets.TcpClient
        $test.Connect($trustedDC, $port)
        Write-Host "Port $port open to $trustedDC" -ForegroundColor Green
    }
    catch {
        Write-Host "Port $port blocked to $trustedDC" -ForegroundColor Red
    }
    finally {
        if ($test) { $test.Close() }
    }
}

For Windows Firewall with Advanced Security, create these rules:

# Create inbound rule for RPC (backticks continue the command onto the next line)
New-NetFirewallRule -DisplayName "AD Trust RPC" `
    -Direction Inbound `
    -Protocol TCP `
    -LocalPort 135,"49152-65535" `
    -Action Allow

# Create rule for Kerberos
New-NetFirewallRule -DisplayName "AD Trust Kerberos" `
    -Direction Inbound `
    -Protocol TCP `
    -LocalPort 88,464 `
    -Action Allow

  • Enable SID filtering to prevent elevation of privilege attacks
  • Configure DNS conditional forwarders between forests
  • Ensure time synchronization within 5 minutes across forests
  • Verify name resolution works in both directions

When trust validation fails, check these event logs:

Get-WinEvent -LogName "Directory Service" -MaxEvents 50 | 
    Where-Object {$_.Id -in (1645,1663,1664)} | 
    Format-List Message,TimeCreated
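The checklist above (SID filtering, conditional forwarders, time within 5 minutes, name resolution) and the trust validation step can be run as one report from a DC in the trusting forest. This is an added example, not the answer's own script; it assumes the ActiveDirectory module (`Get-ADTrust`, Server 2012 or later), `Resolve-DnsName`, `w32tm` and `nltest`, and the placeholder forest name `fabrikam.example`.

```powershell
# Added example: trust posture and prerequisite checks for one partner forest.
# Assumes the ActiveDirectory module, w32tm and nltest; the forest name is a placeholder.
param([string]$PartnerForest = "fabrikam.example")   # placeholder partner forest

$report = [ordered]@{}

# 1. SID filtering: SIDFilteringForestAware applies to forest trusts,
#    SIDFilteringQuarantined is the "quarantine" flag used for external trusts.
$trust = Get-ADTrust -Filter "Name -eq '$PartnerForest'" -ErrorAction Stop
$report.Direction               = $trust.Direction
$report.SidFilteringForestAware = $trust.SIDFilteringForestAware
$report.SidFilteringQuarantined = $trust.SIDFilteringQuarantined
$report.SelectiveAuthentication = $trust.SelectiveAuthentication

# 2. Name resolution: the partner's DC locator record must resolve via the conditional forwarder.
$srv = Resolve-DnsName -Name "_ldap._tcp.dc._msdcs.$PartnerForest" -Type SRV `
           -ErrorAction SilentlyContinue | Where-Object { $_.Type -eq 'SRV' }
$report.PartnerDcViaDns = if ($srv) { $srv[0].NameTarget } else { 'UNRESOLVED' }

# 3. Time skew: Kerberos tolerates 5 minutes by default. w32tm /stripchart /dataonly prints
#    lines like "15:22:35, +00.0010258s"; the offset in seconds is taken from the first one.
if ($srv) {
    $target = $srv[0].NameTarget
    $line = (w32tm /stripchart "/computer:$target" /samples:1 /dataonly 2>&1) |
            Select-String -Pattern ',\s*([+-]\d+\.\d+)s' | Select-Object -First 1
    $offset = if ($line) { [double]$line.Matches[0].Groups[1].Value } else { $null }
    $report.ClockOffsetSeconds      = $offset
    $report.ClockWithinKerberosSkew = ($null -ne $offset) -and ([math]::Abs($offset) -lt 300)
}

# 4. Secure channel to the trusted domain; nltest returns a non-zero exit code on failure.
$report.SecureChannelOutput = (nltest /sc_verify:$PartnerForest 2>&1) -join ' '
$report.SecureChannelOk     = ($LASTEXITCODE -eq 0)

[pscustomobject]$report | Format-List
```

A `$false` in `SidFilteringForestAware` or `SecureChannelOk`, or an `UNRESOLVED` DNS entry, points at the bullet above that still needs attention before looking at the Directory Service event log.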