Windows 2000 Trust Relationship Pass-Through Authentication and Required Network Ports

[Jerry G. Young II]

All,

I have a situation similar to the following:

Network 1 - Resource Domain Servers
Network 2 - Resource Domain Controller
Network 3 - Account Domain Controller

There is a firewall between Network 1, Network 2, and Network 3.

The necessary ports between Network 1 and Network 2 will be open to allow
authentication to occur between between the Resource Domain Servers and the
Resource Domain Controller. The necessary ports between Network 2 and
Network 3 will be open to allow a trust relationship to be established
between the Resource Domain Controller and the Account Domain Controller
(Resource Trusts Account).

Now, my network group is telling me that this is all that is needed to allow
accounts from the Account Domain in Network 3 to log onto Resource Domain
Servers in Network 1 because of pass-through authentication. Essentially,
the Resouce Domain Controller in Network 2 becomes an authentication proxy.

I don't think this is how it would work, though. After reading various
articles and postings, while not coming right out and saying it, everything
seems to indicate that the same ports that are opened between Network 2 and
Network 3 to allow the establishment of the trust relationship will need to
be opened between Network 1 and Network 3 to allow authentication of Account
Domain accounts on the Resource Domain Servers.

Does anyone know which of these assumptions are correct? The network group
would like to keep the "authentication proxy" design but I'm not sure this
is possible.

Any help is appreciated.

Cordially yours,
Jerry G. Young II

 

[JK [MSFT]]

The ports should be similar but not quite the same. Please see the following
article for Windows 2003. The ports should be very similar for Windows 2000.
The main difference in Windows 2000 is that you cannot run netlogon on a
fixed port.
http://www.microsoft.com/technet/tr...dowsserver2003/maintain/security/fedffin2.asp

 

[Jerry G. Young II]

I've done some testing and have found out that PTA can be used as an
"authentication proxy".

However, there are some caveats.

Since the downstream forest member servers cannot access the upstream forest
domain controllers, you need to use Domain Local Groups in the downstream
forest to assign downstream forest access rights to upstream forest accounts
(confused, yet?).

While this will allow you to manage Windows 2000 member servers (dump the
Domain Local Groups into server Local Groups) in the downstream forest,
Windows NT 4.0 member servers do not understand what a Domain Local Group is
and will not display these. So, if you have NT 4.0 member servers in the
downstream forest, you will not be able to manage them with upstream forest
accounts.

I even installed the Active Directory Client for Windows NT 4.0 but was
still unable to place a Domain Local Group in a Local Group on an NT 4.0
server.

Now, if any one happens to know how to work around this (aside from
maintaining separate accounts for NT 4.0 server administration in the
downstream forest), I'd greatly appreciate it if you shared. *8^)

Cordially yours,
Jerry G. Young II