Trust Relationship in Windows Server Active Directory
Andrew Posted on 5:28 pm

Active Directory Trusts vs the Unknown

While working on a project to get two different versions of Active Directory to talk nicely to each other, some good challenges arose. The most interesting has been the investigation around ports, Network Security Groups, Azure Firewall, and other corporate firewalls running across WAN links.

There are a lot of really good Microsoft Docs resources, and of course many others, that tell us which ports the various versions of Windows Server Active Directory need, often detailed by well-labelled services and usage.

Of particular interest in this case was having an unknown destination domain and forest structure talk across WAN links, through multiple hops, to a Windows Server 2016 Active Directory domain and forest. Due to many communication challenges, information was simply missing. There are lots of little nuances, but I’ll be leaving some details out on purpose; so here goes — Part 1 of my challenge is today’s shared experience.

In my case, we had opened the following ports on the assumption that we would be working with a 2012 or higher domain, since we were not able to discover the actual version.

TCP:
53, 88, 135, 137, 139, 445, 49152-65535 (High Ports)

UDP:
53, 88, 123, 135, 137, 138, 389, 49152-65536 (High Ports)

We encountered the challenge that is somewhat typical in large enterprises: reliance on legacy applications and legacy domains. We landed ourselves a 2003 domain and forest structure. Awesome! Challenge accepted.
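Before clicking through Active Directory Domains and Trusts, a pre-flight check like the one below saves a lot of guessing about which side of the WAN is dropping traffic. This is an added example, not part of the original post: it resolves the remote domain's DC locator SRV record (a trust cannot be created at all if DNS conditional forwarding is missing) and then tests the TCP ports listed above against a DC in that domain. `legacy.example` and the parameter names are placeholders; the port list is a parameter so it can be extended with whatever Microsoft's port reference requires for a given scenario (for instance LDAP 389/tcp, which the TCP list above does not include).

```powershell
<#
Added example (not from the original post): trust pre-flight check, run on
the host that will create the trust.  Replace legacy.example with the DNS
name of the remote forest root.  Assumes Resolve-DnsName and
Test-NetConnection (Windows 8 / Server 2012 and later).
#>
param(
    [Parameter(Mandatory = $true)]
    [string]$RemoteDomain,                               # e.g. legacy.example (placeholder)
    [string]$RemoteDc,                                   # optional; discovered via SRV when omitted
    [int[]]$TcpPorts = @(53, 88, 135, 137, 139, 445)     # the post's fixed TCP list
)

# 1. DNS: can this host locate the remote domain's DCs?  The usual cause of a
#    failure here is a missing conditional forwarder or stub zone.
$srvName = "_ldap._tcp.dc._msdcs.$RemoteDomain"
try {
    $srv = Resolve-DnsName -Name $srvName -Type SRV -ErrorAction Stop |
           Where-Object { $_.Type -eq 'SRV' }
} catch {
    Write-Warning "SRV lookup for $srvName failed: $($_.Exception.Message)"
    $srv = @()
}
if (-not $RemoteDc -and $srv) {
    $RemoteDc = ($srv | Sort-Object Priority, Weight | Select-Object -First 1).NameTarget
}
if (-not $RemoteDc) {
    throw "No DC found for $RemoteDomain; fix DNS before testing ports."
}

# 2. Fixed TCP ports.  Test-NetConnection only exercises TCP; the UDP ports in
#    the post (53, 88, 123, 135, 137, 138, 389) have no handshake to test this way.
$portResults = foreach ($p in $TcpPorts) {
    $t = Test-NetConnection -ComputerName $RemoteDc -Port $p -WarningAction SilentlyContinue
    [pscustomobject]@{
        RemoteDc  = $RemoteDc
        Port      = $p
        Protocol  = 'TCP'
        Reachable = $t.TcpTestSucceeded
    }
}
$portResults | Format-Table -AutoSize

# 3. Dynamic RPC range caveat: no fixed list can cover it, because the port is
#    handed out by the endpoint mapper (135) per call.  Microsoft's default
#    range is 49152-65535 on Windows Server 2008 and later but 1025-5000 on
#    Windows Server 2003, so a firewall rule written for a 2012+ domain does
#    not necessarily match what a 2003 DC hands back.
$blocked = $portResults | Where-Object { -not $_.Reachable }
if ($blocked) {
    Write-Warning ("Blocked TCP ports to {0}: {1}" -f $RemoteDc, ($blocked.Port -join ', '))
} else {
    Write-Host "All fixed TCP ports reachable; remaining suspects are UDP and the dynamic RPC range."
}
```

Run it as `.\Test-TrustPrereqs.ps1 -RemoteDomain legacy.example` from the DC that will initiate the trust, since that is the path the firewalls actually see; running it from an admin workstation tests a different route. A green result here does not prove the trust will succeed, but a red one tells you which layer (DNS, a fixed port, or nothing obvious so far) to chase first.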

When attempting to create the trust, an error was encountered:

[Screenshot of the trust-creation error; image not captured in this page]

Such a detailed error! Excellent. Now what, I asked myself, as I tried to reassure the client that this type of thing is just a hill and we can climb it in short order… I think.

Next article, I’ll talk further about this new challenge!