August 29, 2005

Ports for Windows Trusts


I’ve been working on a one-way trust so that my DMZ domain trusts my internal domain’s users. This is running in mixed mode with Windows 2003 servers. A one-way trust shouldn’t require inbound ports (for security reasons), but that’s the Redmond way, I suppose. So I had to either force users to have separate login accounts in the DMZ and internal domains, or set up the trust and allow the traffic. In the end, the latter won out (though from a security standpoint, the former is the much better choice).

The problem I had was that I couldn’t find anywhere that Microsoft documented which ports need to be open between DMZ servers and the internal domain controllers. I ended up opening one port at a time, based on what I saw in packet captures of the traffic. If you ever need to do this, you’ll be happy to find the information posted in this blog entry.

Ports needed to authenticate users on a one-way external trust between Active Directory domains:
tcp 53
tcp 88
udp 88
tcp 135
tcp 139
tcp 389
udp 389
tcp 445
tcp 1025

There may be more ports that are required, but these are all the ones that showed up in the packet captures. When I allowed these ports, it worked. I say there may be more, because with Microsoft, you never know…
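As an added example (not part of the original post), here is a small Python script that takes the port list above and probes each TCP port on a domain controller from the DMZ side, so you can see which rules are actually passing traffic before pointing users at the trust. It also labels each port with its well-known service, and flags tcp 1025 as a dynamic RPC endpoint: Windows 2003 allocates those from the 1025-5000 range, so the one that showed up in the capture is one allocation, not a fixed port. The hostname and the embedded port list are constructed for this example; UDP ports are reported as unverified, since a plain connect cannot tell whether Kerberos or LDAP over UDP is being dropped.

```python
import socket

# Port list from the post above, embedded as a constant for this example.
PORT_LIST = """tcp 53
tcp 88
udp 88
tcp 135
tcp 139
tcp 389
udp 389
tcp 445
tcp 1025"""

# Standard service assignments for each port (general knowledge, not from the post).
SERVICE = {53: "DNS", 88: "Kerberos", 135: "RPC endpoint mapper",
           139: "NetBIOS session", 389: "LDAP", 445: "SMB"}

# Windows 2003 hands out dynamic RPC endpoints from this range, so a captured
# 1025 is one allocation that the endpoint mapper (135) may replace next time.
DYNAMIC_RPC = range(1025, 5001)


def parse_port_list(text):
    """Turn 'proto port' lines into a list of (proto, port) tuples."""
    return [(p.lower(), int(n)) for p, n in (line.split() for line in text.splitlines())]


def describe(proto, port):
    """Name the service behind a port, or flag it as a dynamic RPC endpoint."""
    if port in SERVICE:
        return SERVICE[port]
    if proto == "tcp" and port in DYNAMIC_RPC:
        return "dynamic RPC endpoint (may change; allocated via 135)"
    return "unknown"


def probe_tcp(host, port, timeout=2.0):
    """True if a TCP connect to host:port completes within timeout, else False."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def check_trust_ports(dc_host, text=PORT_LIST):
    """Probe every TCP port in the list; UDP entries get state None (not probed)."""
    return [(proto, port, describe(proto, port),
             probe_tcp(dc_host, port) if proto == "tcp" else None)
            for proto, port in parse_port_list(text)]


if __name__ == "__main__":
    for proto, port, svc, state in check_trust_ports("dc1.internal.example"):  # placeholder host
        shown = {True: "open", False: "blocked/closed", None: "udp, not probed"}[state]
        print(f"{proto}/{port:<5} {svc:<50} {shown}")
```

Run it from a DMZ host against your internal DC; a "blocked/closed" line on a TCP port is a firewall rule still missing or a service not listening.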

Trackback uri

http://www.moreron.com/2005/08/29/ports-for-windows-trusts/trackback/