One way trust - Firewall (port 389) issue
Hello,
Long time reader, first post :)
Environment:
Windows Server 2008, which serves as DC and DNS server - this server is placed in the perimeter network (DMZ).
Windows Server 2003, which serves as DC and DNS server - this server is placed in the internal network (LAN).
So I have successfully created a one-way trust between the domain controllers: DMZ trusts LAN. I want my internal users to access resources in the perimeter. I can add internal users to domain local groups in the DMZ domain, no problem.
Example of the problem: I add the group (containing my internal user) to local Administrators on a member server of the DMZ domain. This should allow me to remotely log on to that DMZ server with the internal user. Instead I get an error (failed to log in...).
I check the firewall logs and the DMZ member server tries to contact my internal DC on port 389 - and gets denied. I guess this is wrong? Should it not go through my external DC and gain access that way?
Firewall configuration:
Source "DMZ DC" Destination "LAN DC"
open for:
tcp/udp 389
tcp/udp 88
tcp 1025
tcp 135
tcp 3268
tcp 445
Thanks for any help, I've been stuck here for a while now :(
/Splint
Re: One way trust - Firewall (port 389) issue
Well, here I want you to just follow this link and then see whether it helps you in this case or not. Actually, the thing here is that a one-way, outgoing, external trust will allow resources in your domain (the domain that you are logged on to at the time that you run the New Trust Wizard) to be accessed by users in a different Active Directory domain (outside your forest) or in a Windows NT 4.0 domain.
Re: One way trust - Firewall (port 389) issue
Do you use the default Windows Firewall? If yes, then you will need to configure it to open a port for inbound traffic. So try to open Windows Firewall on your PC and then configure the inbound traffic rule. To do that, right-click Inbound Rules and then select New Rule. After that choose Port. Go to Specific Ports and enter your port number (389), and then click Next to end the wizard. Simply restart your computer and now check if the port is accessible or not.
Re: One way trust - Firewall (port 389) issue
Did you try to verify on your DC itself whether it is listening on the port (netstat)? It could be worth a try. The issue is certainly related to the traffic being blocked, as it seems. Try to use the netstat command from the command prompt in order to easily see whether the port is open and listening for requests from the network or not; check the example below:
c:\> netstat -ano | find ":389"
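The two checks this thread circles around, the port list from the original post and the netstat test from the last reply, as one added Python example that is not from the thread or from any of the posters. It probes the listed ports over TCP from whichever host you run it on (the original post's rule is sourced from the DMZ DC, while the logged denial came from the DMZ member server, so run it from the host that actually appears in the firewall log), and it parses `netstat -ano` output to confirm LDAP is bound on the DC. The sample netstat output, the 10.0.0.x addresses and the port descriptions are constructed for the example; the "tcp/udp" entries are probed over TCP only, since a plain connect test cannot verify UDP.

```python
"""Added example: TCP reachability check for the trust port list in the post,
plus a parser for Windows `netstat -ano` output. Constructed sample data only."""
import re
import socket
import sys

# Ports the original post opened between "DMZ DC" and "LAN DC" (descriptions are
# the example's own labels, not from the post).
TRUST_PORTS = {
    389: "LDAP",
    88: "Kerberos",
    1025: "RPC (as listed in the post)",
    135: "RPC endpoint mapper",
    3268: "Global Catalog LDAP",
    445: "SMB",
}


def tcp_reachable(host, port, timeout=2.0):
    """True if a TCP handshake to host:port completes within `timeout` seconds."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:  # refused, filtered/timed out, unreachable
        return False


def check_ports(host, ports=TRUST_PORTS, timeout=2.0):
    """Probe every port and return {port: reachable}."""
    return {port: tcp_reachable(host, port, timeout) for port in ports}


def blocked_ports(results):
    """Ports from a check_ports() result that did not answer (blocked or closed)."""
    return sorted(p for p, ok in results.items() if not ok)


# One `netstat -ano` row on Windows; UDP rows carry no State column.
NETSTAT_ROW = re.compile(
    r"^\s*(?P<proto>TCP|UDP)\s+(?P<local>\S+)\s+(?P<remote>\S+)\s+"
    r"(?:(?P<state>\S+)\s+)?(?P<pid>\d+)\s*$"
)


def parse_netstat(text):
    """Return the data rows of `netstat -ano` output as dicts (header lines skipped)."""
    return [m.groupdict() for m in map(NETSTAT_ROW.match, text.splitlines()) if m]


def listening_on(text, port):
    """True if some TCP socket is LISTENING on `port`, or a UDP socket is bound to it."""
    for row in parse_netstat(text):
        if row["local"].rsplit(":", 1)[-1] != str(port):
            continue
        if row["proto"] == "UDP" or row["state"] == "LISTENING":
            return True
    return False


# Constructed sample output, shaped like `netstat -ano` on a DC (addresses invented).
SAMPLE_NETSTAT = """\
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:88             0.0.0.0:0              LISTENING       512
  TCP    0.0.0.0:389            0.0.0.0:0              LISTENING       512
  TCP    10.0.0.5:389           10.0.0.20:49321        ESTABLISHED     512
  UDP    0.0.0.0:389            *:*                                    512
"""


def self_check():
    """Offline check of the probe: a throwaway local listener is reachable while
    open and unreachable once closed. Returns (True, False) when the probe works."""
    srv = socket.socket()
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)
    port = srv.getsockname()[1]
    while_open = tcp_reachable("127.0.0.1", port)
    srv.close()
    after_close = tcp_reachable("127.0.0.1", port)
    return while_open, after_close


if __name__ == "__main__":
    target = sys.argv[1] if len(sys.argv) > 1 else "127.0.0.1"
    results = check_ports(target)
    for port, ok in sorted(results.items()):
        print(f"{port:>5}  {TRUST_PORTS[port]:<28} {'open' if ok else 'BLOCKED/closed'}")
    print("blocked:", blocked_ports(results))
    print("sample netstat shows LDAP 389 listening:", listening_on(SAMPLE_NETSTAT, 389))
```

Usage: `python trustports.py <LAN DC address>` from the DMZ member server; any port reported as BLOCKED/closed that the firewall log also shows as denied is the rule to widen, and the netstat parser tells you whether the DC side is even bound on 389 before you touch the firewall.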