External Forest Trust Configuration with a Firewall – Windows 2003 and NT4

An external forest trust relies on NetBIOS name resolution; DNS is not involved.

All trust communication flows between the Windows 2003 PDCe and the NT4 PDC. However you set up your LMHOSTS tables or your firewall, the trust will only work if these two machines can talk to one another.

WINS Configuration

Using the LMHost Creator web site, create the LMHOSTS files that provide name resolution for the trust (per KB180094).

I highly recommend using this site to generate the LMHosts file!!!

Windows 2003 (LMHOSTS on the PDCe; the name NT4_Server should be your NT4 PDC)
10.0.0.1        NT4_Server      #PRE #DOM:NT4_Domain
10.0.0.1        "NT4_DOMAIN     \0x1b" #PRE

NT4 (LMHOSTS on the PDC; the name 2003_Server should be your PDCe)
10.0.0.1        2003_Server     #PRE #DOM:2003_Domain
10.0.0.1        "2003_DOMAIN    \0x1b" #PRE

Note: The domain name in this entry is case sensitive. Make sure that you use uppercase characters for the domain name. If you use lowercase characters for the domain name, NetBT does not recognize the name.

Note: Make sure that you space these entries correctly. Replace 10.0.0.1 with the IP address of your primary domain controller (PDC). Replace PDCName with the NetBIOS name of your PDC, and replace domain with your Windows NT domain name. There must be a total of 20 characters within the quotations (the domain name plus the appropriate number of spaces to pad up to 15 characters, plus the backslash, plus the NetBIOS hex representation of the service type).

To help determine where the sixteenth character is, copy the following line to your Lmhosts file:

# IP Address "123456789012345*7890"

Line up the double quotation marks (") by adding or removing spaces from the comment line, and put the \ on the sixteenth column (the column marked with the asterisk). You must use spaces after the name and before the \, not a tab.
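As an added example (not part of the original post), the following Python script generates both LMHOSTS lines for one side of the trust and checks an existing quoted <1B> line against the rules above (20 characters inside the quotes, backslash in the sixteenth column, uppercase domain, spaces rather than a tab); the IP, server and domain names are the page's sample values.

```python
import re

NETBIOS_LEN = 15                        # a NetBIOS name is space-padded to 15 characters
SUFFIX = "\\0x1b"                       # 16th byte: the domain master browser service type
QUOTED_LEN = NETBIOS_LEN + len(SUFFIX)  # 20 characters must sit inside the quotes


def pdc_entry(ip: str, pdc_name: str, domain: str) -> str:
    """'#PRE #DOM' line that preloads the PDC name and ties it to its domain."""
    return f"{ip:<15} {pdc_name:<15} #PRE #DOM:{domain}"


def domain_1b_entry(ip: str, domain: str) -> str:
    """Quoted line for the domain <1B> name: upper-cased domain, space-padded
    to 15 characters, followed by \\0x1b, for exactly 20 characters."""
    domain = domain.upper()             # NetBT does not recognise a lowercase name here
    if not 1 <= len(domain) <= NETBIOS_LEN:
        raise ValueError("domain name must be 1 to 15 characters")
    quoted = f"{domain:<{NETBIOS_LEN}}{SUFFIX}"
    assert len(quoted) == QUOTED_LEN
    return f'{ip:<15} "{quoted}" #PRE'


_QUOTED_LINE = re.compile(r'^\s*(\S+)\s+"([^"]*)"\s+#PRE\s*$')


def check_1b_entry(line: str) -> list:
    """Return the problems found in a quoted <1B> LMHOSTS line ([] means OK)."""
    m = _QUOTED_LINE.match(line)
    if not m:
        return ['line is not of the form: IP "NAME<pad>\\0x1b" #PRE']
    quoted = m.group(2)
    problems = []
    if len(quoted) != QUOTED_LEN:
        problems.append(f"{len(quoted)} characters inside the quotes, must be {QUOTED_LEN}")
    if "\t" in quoted:
        problems.append("pad with spaces, not a tab")
    if len(quoted) > NETBIOS_LEN and quoted[NETBIOS_LEN] != "\\":
        problems.append("the backslash must be in the sixteenth column")
    if not quoted.endswith(SUFFIX):
        problems.append(f"the entry must end with {SUFFIX}")
    name = (quoted[:-len(SUFFIX)] if quoted.endswith(SUFFIX) else quoted).rstrip(" ")
    if name != name.upper():
        problems.append("the domain name must be uppercase")
    return problems


if __name__ == "__main__":
    # Constructed sample values matching the page's example
    print(pdc_entry("10.0.0.1", "NT4_Server", "NT4_Domain"))
    print(domain_1b_entry("10.0.0.1", "NT4_Domain"))
    print(check_1b_entry('10.0.0.1 "NT4_DOMAIN \\0x1b" #PRE'))  # too short, backslash misplaced
```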

Name Resolution Tests

Windows 2003
Nbtstat -R    Purges and reloads the remote cache name table
Nbtstat -c    Lists NBT's cache of remote [machine] names and their IP addresses

NT4
Nbtstat -R    Purges and reloads the remote cache name table
Nbtstat -C    Lists NBT's cache of remote [machine] names and their IP addresses

Note: The -c is case sensitive and must be lowercase on Windows 2003 (uppercase -C on NT4). After you type this command, you should receive a display that is similar to the following:

Node IpAddress: [10.0.0.5] Scope Id: []

NetBIOS Remote Cache Name Table

Name       Type   Host Address  Life [sec]
-----------------------------------------
PDCName    <03>   UNIQUE   10.0.0.1   -1
PDCName    <00>   UNIQUE   10.0.0.1   -1
PDCName    <20>   UNIQUE   10.0.0.1   -1
Domain     <1B>   UNIQUE   10.0.0.1   -1
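As an added example (not from the original post), this Python script parses an nbtstat -c dump like the one above and reports which of the names the trust needs are missing, point at the wrong address, or are dynamic entries rather than #PRE preloads; the sample dump is constructed with the page's example names and addresses.

```python
import re

# One row of the "NetBIOS Remote Cache Name Table": Name <xx> UNIQUE|GROUP ip life
_ROW = re.compile(
    r"^\s*(\S+)\s+<([0-9A-Fa-f]{2})>\s+(UNIQUE|GROUP)\s+(\d+\.\d+\.\d+\.\d+)\s+(-?\d+)\s*$")


def parse_cache(text: str) -> dict:
    """Map (NAME, suffix) -> (ip, life) for every row of an nbtstat -c dump."""
    rows = {}
    for line in text.splitlines():
        m = _ROW.match(line)
        if m:
            name, suffix, _kind, ip, life = m.groups()
            rows[(name.upper(), suffix.upper())] = (ip, int(life))
    return rows


def trust_cache_problems(text: str, pdc_name: str, domain: str, pdc_ip: str) -> list:
    """Check that the names the trust needs are preloaded and point at the PDC."""
    rows = parse_cache(text)
    wanted = [(pdc_name.upper(), s) for s in ("00", "03", "20")] + [(domain.upper(), "1B")]
    problems = []
    for name, suffix in wanted:
        label = f"{name}<{suffix}>"
        if (name, suffix) not in rows:
            problems.append(f"{label} not in cache: LMHOSTS entry missing or not reloaded (nbtstat -R)")
            continue
        ip, life = rows[(name, suffix)]
        if ip != pdc_ip:
            problems.append(f"{label} resolves to {ip}, expected the PDC at {pdc_ip}")
        if life != -1:                  # #PRE entries are permanent and show a life of -1
            problems.append(f"{label} is a dynamic entry (life {life}s), not a #PRE preload")
    return problems


# Constructed sample of an nbtstat -c dump, in the layout shown above.
SAMPLE_CACHE = """\
Node IpAddress: [10.0.0.5] Scope Id: []

                  NetBIOS Remote Cache Name Table

        Name              Type       Host Address    Life [sec]
    ------------------------------------------------------------
    NT4_SERVER     <03>  UNIQUE      10.0.0.1        -1
    NT4_SERVER     <00>  UNIQUE      10.0.0.1        -1
    NT4_SERVER     <20>  UNIQUE      10.0.0.1        -1
    NT4_DOMAIN     <1B>  UNIQUE      10.0.0.1        -1
"""

if __name__ == "__main__":
    print(trust_cache_problems(SAMPLE_CACHE, "NT4_Server", "NT4_Domain", "10.0.0.1") or "cache OK")
```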

Configuring Domain Controller Ports

The following port definitions should be set on ALL DCs within the DMZ that could be replicating with external DCs. They define which ports will be made available to the requesting DCs.

Restrict FRS traffic to a specific static port (KB319553)
Start Registry Editor (Regedt32.exe), then locate and click the following key:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NTFRS\Parameters
New = REG_DWORD
Name = RPC TCP/IP Port Assignment
Value = 10000 (Decimal)

Restrict Active Directory replication traffic to a specific port (KB224196)
Locate and click the following key:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NTDS\Parameters
New = REG_DWORD
Name = TCP/IP Port
Data = 10001 (Decimal)

RPC dynamic port allocation (KB154596): only allow ports 10002-10200 for RPC from other machines
Locate and click the following key:
HKEY_LOCAL_MACHINE\Software\Microsoft\Rpc\
Create a new key named Internet, then locate and click:
HKEY_LOCAL_MACHINE\Software\Microsoft\Rpc\Internet\
Add the values:
"Ports" (MULTI_SZ) = 10002-10200
"PortsInternetAvailable" (REG_SZ) = Y
"UseInternetPorts" (REG_SZ) = Y

To test connectivity and validate FRS communication (Windows 2003 to Windows 2003 only), run:

NTFRSUTL version server_name

If the two can communicate through the firewall via FRS, the response provides the current version number.

To validate connectivity between the NT4 PDC and the PDCe, use the tool PortQryUI:

Download PortQryUI and run the tool.
Select the destination DC or PDC.
Select Domains and Trusts.
Validate, from the output the tool provides, that the ports that should be open in fact are.

For additional information on this tool see PortQry features; PortQry is the back-end tool for PortQryUI.

Configure 2003 Firewall Ports (KB179442). These rules are between a DMZ'd DC and an internal DC, and cover AD replication as well as the trust:

135 TCP RPC endpoint mapper (machines connect here to find out which high port to use)
137 TCP/UDP NetBIOS Name
138 UDP NetBIOS Netlogon and Browsing
139 TCP NetBIOS Session
123 UDP NTP
389 TCP/UDP LDAP
636 TCP LDAP SSL
3268 TCP LDAP GC
3269 TCP LDAP GC SSL
42 TCP WINS Replication
53 TCP/UDP DNS
88 TCP/UDP Kerberos
445 TCP/UDP SMB over IP (Microsoft-DS)
10000 TCP RPC NTFRS (static port set above)
10001 TCP RPC NTDS (static port set above)
10002-10200 TCP RPC dynamic high ports (range set above)
ICMP

Configure NT4 Firewall Ports (if there is only an NT4 box outside the firewall, then the previous list is not needed):

135 TCP/UDP RPC endpoint mapper
137 TCP/UDP NetBIOS Name
138 UDP NetBIOS Netlogon and Browsing
139 TCP NetBIOS Session
42 TCP WINS Replication
123 UDP NTP
10000-10200 TCP RPC dynamic high ports

Made the following changes in the Default Domain Controllers Group Policy

Computer Configuration \ Windows Settings \ Security Settings \ Security Options:
Microsoft network client: Digitally sign communications (always) = DISABLED (default ENABLED)
Microsoft network client: Digitally sign communications (if server agrees) = ENABLED (default ENABLED)
Microsoft network server: Digitally sign communications (always) = DISABLED (default ENABLED)
Microsoft network server: Digitally sign communications (if client agrees) = ENABLED (default ENABLED)
Domain member: Digitally encrypt or sign secure channel data (always) = DISABLED (default ENABLED)
Domain member: Digitally encrypt secure channel data (when it is possible) = ENABLED (default ENABLED)
Domain member: Digitally sign secure channel data (when it is possible) = ENABLED (default ENABLED)
Network access: Restrict anonymous access to Named Pipes and shares = DISABLED (default ENABLED)
Network access: Do not allow anonymous enumeration of SAM accounts and shares = DISABLED (default ENABLED)
Network access: Do not allow anonymous enumeration of SAM accounts = DISABLED (default ENABLED)
Network access: Allow anonymous SID/Name translation = ENABLED (default DISABLED)
Domain member: Require strong (Windows 2000 or later) session key = DISABLED (default ENABLED)

Made the following changes in the registry of the 2003 PDCe:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\LSA\EveryoneIncludesAnonymous = 1 (default 0)
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\lanmanserver\parameters\restrictnullsessaccess = 0 (default 1)

Once all these steps have been completed, the trust can be established:

How to establish trusts with a Windows NT-based domain in Windows Server 2003

A complete set of troubleshooting options is available in KB889030.