Active Directory vs the Unknown – Part 2
Last time we left off having a Cannot Continue error while establishing a domain trust across a WAN link and with some unknown variables involved; but we had to give it a shot in this case. The good news is that we have the power of community and Microsoft to help us discover based on our detailed ‘Cannot Continue’ error.
Read up on the first article here if you missed it.
Now, our next move was to try and force a more informative disclosure of what we were dealing with. We did discover that one of our unknown variables was having a 2016 Windows Server Active Directory Domain and Forest structure talk to….get ready to sit down for this….AD version 2003.
Yup. That’s right. We had to think about SMBv1 in 2020 as an actively used protocol. Oh boy was I in for a few surprises.
Not only did we have a serious issue with the SMBv1 protocol being possibly needed, but we had to go back to the older set of ports that would be needed. One of the advantages with newer Windows Server versions is that we gain some serious improvements in security and efficiency with each version (I realize reading this statement back that it is a bit contentious to say that newer is better, but I’m leaving it in because in the case of Active Directory improvements it is true based on more than my own opinion, and it is my honest opinion.)
So, by comparison, the range of ports we determined from Microsoft Docs articles needed for Domain Controllers running Windows Server 2016 to authenticate users from the existing Domain Controllers running Windows Server 2003 in that other domain would be:
Server Port | Service | Requirement Source |
123/UDP | W32Time | 2003 and 2008+ |
135/TCP | RPC Endpoint Mapper | 2003 and 2008+ |
464/TCP/UDP | Kerberos password change | 2003 and 2008+ |
1024-65535/TCP | RPC for LSA, SAM, Netlogon (*) | 2003 and 2008+ |
49152-65535/TCP | RPC for LSA, SAM, Netlogon (*), FRS RPC (*) | 2008+ |
389/TCP/UDP | LDAP | 2003 and 2008+ |
636/TCP | LDAP SSL | 2003 and 2008+ |
3268/TCP | LDAP GC | 2003 and 2008+ |
3269/TCP | LDAP GC SSL | 2003 and 2008+ |
53/TCP/UDP | DNS | 2003 and 2008+ |
1024 -65535/TCP | FRS RPC (*) | 2003 and 2008+ |
88/TCP/UDP | Kerberos | 2003 and 2008+ |
445/TCP | SMB (**) | 2003 and 2008+ |
49152-65535/TCP | DFSR RPC (*) | 2003 and 2008+ |
Please note that there are some key differences here and we are not talking about client or user authentications. Strictly talking about domain controllers of one version talking to other domain controllers of a lesser version.
Now the key difference from the first article that covered only the 2016 (2008+) requirements is the large range of 1024 to 65535 TCP ports. Oh boy, we were going to need to talk with security in depth on this one.
After we had all the roadblocks removed and security on board, we decided on not implementing SMBv1 and then opening the required ports to match the needed operating systems in place, and we were able to validate communications between the domain controllers.