Hi,
What ports do I need to open on the internal network in order to create a trust between an internal forest and a DMZ forest?
So it depends: is there a firewall between internal and external? Yes, otherwise there wouldn't be a question.
An IPsec tunnel would limit it down to a few ports and would be more secure, which is the way I have implemented it in the past with the DMZ. This allows internal clients to administer resources in the external DMZ. You can use a shared secret or certificate to secure the tunnel.
http://technet.microsoft.com/en-us/library/cc779912(v=WS.10).aspx
Otherwise you turn your firewall into Swiss cheese to allow the trust.
http://support.microsoft.com/kb/179442/en-us#method4