Firewall settings for Windows certificate autoenrollment in a multi-domain environment
Hi, we have an AD forest with two domains A and B, Windows 2008 domain controllers at 2003 functional level, and W7 clients. Between domain A and B there is a firewall, which only allows some communication between the domain controllers. The Windows 2008 enterprise CA is a member of domain A. Our question is: which communication has to be allowed from clients in domain B to domain A to enable certificate autoenrollment? Port 135 and 4000 (static PKI port) from domain B clients to the PKI server is already allowed. It seems as if clients in domain B need LDAP access to the domain controllers in A (to check group memberships?). Does anybody have a list of the needed communication paths? Best regards, Carsten
May 2nd, 2011 4:54pm

Hi Carsten, thanks for posting here. Not sure if you have read the article below, but it seems to be the answer to your question: How to configure a firewall for domains and trusts http://support.microsoft.com/kb/179442 Thanks. Tiger Li Please remember to click Mark as Answer on the post that helps you, and to click Unmark as Answer if a marked post does not actually answer your question. This can be beneficial to other community members reading the thread.
May 17th, 2011 8:14am

Hi, thanks for the reply, we know this article already. Our question is regarding certificate autoenrollment in a multi-domain environment. Do you have any articles about the specific network requirements for that subject? Best regards, Carsten
May 18th, 2011 4:41am

No difference really for multiple domains. The user's computer must have access to all DCs in all domains used in referrals to get a Session Ticket. So you will need DNS, Kerberos and LDAP (basic and SSL) opened up to these DCs. Brian
May 18th, 2011 1:29pm
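A quick way to verify the paths Brian lists from a domain B client, as an added example that is not part of the thread: it probes the DC ports for DNS, Kerberos, LDAP and LDAPS over TCP, plus the RPC endpoint mapper and the static port 4000 on the CA from the original question, and then exercises the CA's DCOM interface with certutil -ping. The host names, the CA name and the port list are assumptions to be replaced with the real environment; Test-NetConnection needs Windows 8 / Server 2012 or later and only checks TCP, so UDP 53/88 are not covered.

```powershell
# Added example, not from the thread. Targets and ports are assumptions:
# replace the host names with the real domain A DC and CA.
$targets = @{
    'dc1.domainA.example' = @(53, 88, 389, 636)   # domain A DC: DNS, Kerberos, LDAP, LDAPS (TCP only)
    'ca1.domainA.example' = @(135, 4000)          # enterprise CA: RPC endpoint mapper + static DCOM port
}

# Probe every host/port pair and collect one row per pair.
$results = foreach ($server in $targets.Keys) {
    foreach ($port in $targets[$server]) {
        $open = Test-NetConnection -ComputerName $server -Port $port `
                    -InformationLevel Quiet -WarningAction SilentlyContinue
        [pscustomobject]@{ Host = $server; Port = $port; Open = $open }
    }
}
$results | Format-Table -AutoSize

# Report anything the firewall still blocks; this is the list to hand to the firewall team.
$blocked = $results | Where-Object { -not $_.Open }
if ($blocked) {
    $list = ($blocked | ForEach-Object { "$($_.Host):$($_.Port)" }) -join ', '
    Write-Warning "Blocked from this client: $list"
}

# Finally talk to the CA itself over DCOM (port 135 plus the static port).
# "Example CA" is a placeholder for the real CA common name.
certutil -config 'ca1.domainA.example\Example CA' -ping
```

If the port probes succeed but certutil -ping fails, the DCOM path is the first thing to look at, since 135 alone is not enough without the static (or dynamic) high port the CA answers on.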

Our firewall log indicates that the Windows 2008 enterprise CA in domain A needs dynamic RPC high ports to the DCs in domain B during certificate autoenrollment for clients in domain B; to configure the firewall our customer needs the meaning of this RPC communication. Can you explain this RPC communication? Best regards, Carsten
May 23rd, 2011 10:11am
