Everything you ever wanted to know about why that pesky firewall keeps causing you problems with your Forest Trusts, among other things.

So, I have had more than one customer with this issue. And it's not just trusts, but all sorts of service and access issues.

Sometimes folks need to keep servers behind firewalls: between their corporate network and the Internet, and also inside their own intranet, though this is rarer and MUCH more problematic.

 

Here is all the background information you could want on trusts and how they work:

 

How Domain and Forest Trusts Work

https://technet.microsoft.com/en-us/library/cc773178(v=WS.10).aspx

 

But be aware that the ports listed there are just the ports necessary for the trust itself to work. That list does not address any of the ports that will need to be opened on the firewalls in order to actually do anything over those trusts. So, adding the ephemeral port ranges for Windows 2003 and Windows 2008 will also be required. And in 2008 we changed the default 'ephemeral' or RPC port ranges in order to align with IANA standards.

 

The default dynamic port range for TCP/IP has changed in Windows Vista and in Windows Server 2008:

https://support.microsoft.com/kb/929851

 

Default RPC port range for Windows Server 2003:

1025-5000

 

Default RPC port range for Windows 2008 and beyond:

49152-65535
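
A quick way to check a firewall rule set against the two ranges above, as an added example that is not part of the original post or any Microsoft tooling. The function names and the sample rule set are assumptions constructed for illustration; it reports which dynamic RPC ports a given set of allowed TCP ranges still blocks for each server generation.

```python
# Added example: audit firewall allow rules against the RPC dynamic port
# ranges quoted in this post. The rule data below is constructed sample input.

# Default RPC dynamic (ephemeral) TCP ranges, as stated in the post.
RPC_DYNAMIC_RANGES = {
    "Windows Server 2003": (1025, 5000),
    "Windows Server 2008+": (49152, 65535),
}

def merge(ranges):
    """Merge overlapping or adjacent inclusive (low, high) port ranges."""
    merged = []
    for low, high in sorted(ranges):
        if merged and low <= merged[-1][1] + 1:
            merged[-1] = (merged[-1][0], max(merged[-1][1], high))
        else:
            merged.append((low, high))
    return merged

def uncovered(required, allowed):
    """Return the parts of `required` that no allowed range covers."""
    low, high = required
    gaps, cursor = [], low
    for a_low, a_high in merge(allowed):
        if a_high < cursor:
            continue              # rule ends before the part still unchecked
        if a_low > high:
            break                 # rule starts after the required range
        if a_low > cursor:
            gaps.append((cursor, a_low - 1))
        cursor = max(cursor, a_high + 1)
        if cursor > high:
            break
    if cursor <= high:
        gaps.append((cursor, high))
    return gaps

def audit(allowed_tcp, server_versions):
    """Map each server version to the dynamic ports the firewall blocks."""
    return {v: uncovered(RPC_DYNAMIC_RANGES[v], allowed_tcp)
            for v in server_versions}

# Constructed sample: rules written for 2003-era servers, then only
# partially extended when 2008 servers were placed behind the firewall.
SAMPLE_ALLOWED_TCP = [(1025, 5000), (49152, 60000)]

if __name__ == "__main__":
    for version, gaps in audit(SAMPLE_ALLOWED_TCP, RPC_DYNAMIC_RANGES).items():
        print(version, "blocked:", gaps or "none")
```

With the sample rules, the 2003 range is fully covered while 60001-65535 of the 2008 range is still blocked, which is the kind of gap that shows up as intermittent failures over a trust.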

 

The best resource for what ports are needed by Windows and the various services is here:

 

How to configure a firewall for domains and trusts

https://support.microsoft.com/default.aspx?scid=kb;en-us;Q179442

 

And here:

 

Service overview and network port requirements for the Windows Server system:

https://support.microsoft.com/kb/832017

 

Hope that helps you keep some sanity!

 

-Chris Rutledge