I am trying to design an environment that has one forest with an empty root, a user domain and multiple domains for different groups, with firewalls between the domains. I want to have a central user database but segmentation at the IP level for each group of folks. For the first group the forest would look like this:
I will be adding other groups' domains after this first one is working.
Assume there is a firewall between each domain and they are segmented with a subnet for each group's domain.
Here is the initial firewall design:
I am trying to allow a user on the application server to enumerate the user and group objects in the users domain. Here is the problem. My users can log in with no problem if I don't allow any connectivity between the app server and the user DCs, but then they cannot enumerate users and groups. On the other hand, if I allow TCP 389 (LDAP) and TCP 88 (Kerberos), I can enumerate the users and groups, but interactive logins are really slow and the app server is looking for TCP 135 (the RPC endpoint mapper, EPmapper) to be open during profile load. As a test I opened 135, and then the EPmapper handed back a random high port for Netlogon, which of course the app server then tries to hit.
So what do you think is the best course of action? I cannot open all the random high ports; that is silly. I can make the Netlogon port static on all my DCs and then open only that port. Any other ideas?
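The static-port option the poster mentions is the documented way to keep RPC traffic to a domain controller off the dynamic range (Microsoft KB 224196 covers it). The script below is an added example, not code from the original post: it pins the Netlogon RPC port and the NTDS (Active Directory) RPC port in the registry on each user-domain DC and then confirms the listener, so the inter-domain firewall only has to pass TCP 135 plus the two fixed ports. The DC names and the port numbers are assumptions; pick free ports outside the Windows dynamic range and use the same values on every DC.

```powershell
# Added example, not from the original post. Pin the RPC ports that the endpoint
# mapper (TCP 135) hands out for Netlogon and for the NTDS RPC interface on each
# user-domain DC, per Microsoft KB 224196. Names and port numbers are assumptions.

$UserDomainDCs = @('DC1.users.example.internal', 'DC2.users.example.internal')  # assumed DC names
$NetlogonPort  = 38901   # assumed; any free port outside the dynamic range, identical on every DC
$NtdsPort      = 38902   # assumed

Invoke-Command -ComputerName $UserDomainDCs -ArgumentList $NetlogonPort, $NtdsPort -ScriptBlock {
    param($NetlogonPort, $NtdsPort)

    # Netlogon listens on DCTcpipPort (REG_DWORD) once the service restarts.
    $netlogonKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters'
    New-ItemProperty -Path $netlogonKey -Name 'DCTcpipPort' -PropertyType DWord `
        -Value $NetlogonPort -Force | Out-Null

    # The NTDS RPC interface uses "TCP/IP Port" (REG_DWORD); this one needs a reboot to take effect.
    $ntdsKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Parameters'
    New-ItemProperty -Path $ntdsKey -Name 'TCP/IP Port' -PropertyType DWord `
        -Value $NtdsPort -Force | Out-Null

    # Netlogon picks up the new port on restart (-Force also restarts dependent services).
    Restart-Service -Name Netlogon -Force
    Start-Sleep -Seconds 5

    # Report what is now configured and whether Netlogon is actually bound to the pinned port.
    [pscustomobject]@{
        Computer        = $env:COMPUTERNAME
        NetlogonPort    = (Get-ItemProperty -Path $netlogonKey).DCTcpipPort
        NtdsPort        = (Get-ItemProperty -Path $ntdsKey).'TCP/IP Port'
        NetlogonBound   = [bool](Get-NetTCPConnection -State Listen -LocalPort $NetlogonPort -ErrorAction SilentlyContinue)
        RebootForNtds   = $true
    }
}

# From the application server, after the firewall rules are in: 135 must answer (the EPmapper
# lookup) and the pinned Netlogon port must answer (the call the EPmapper redirects to).
foreach ($dc in $UserDomainDCs) {
    foreach ($port in 135, $NetlogonPort) {
        $r = Test-NetConnection -ComputerName $dc -Port $port -WarningAction SilentlyContinue
        '{0}:{1} reachable={2}' -f $dc, $port, $r.TcpTestSucceeded
    }
}
```

With this in place the firewall rule set from the group subnet to the user DCs becomes TCP 88, TCP 389, TCP 135, the pinned Netlogon port and (for anything that walks the NTDS RPC interface) the pinned NTDS port, rather than the whole 49152-65535 range. The `Test-NetConnection` loop at the end is the same check the poster did by hand when the EPmapper handed back a random high port: if 135 succeeds and the pinned port fails, the DC-side change is fine and the network firewall is what still blocks the call.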