I am trying to design an environment that has one forest with an empty root, a user domain and multiple domains for different groups that have firewalls between the domains. I want to have a central user database but segmentation at the IP level for each group of folks. For the first group the forest would look like this

(forest diagram for the first group; image not reproduced)

I will be adding other groups' domains after this first one is working.

Assume there is a firewall between each domain and they are segmented with a subnet for each group's domain.

Here is the initial firewall design

(initial firewall design diagram; image not reproduced)

I am trying to allow a user on the application server to enumerate the user and group objects in the users domain. Here is the problem: my users can log in with no problem if I don't allow any connectivity between the app server and the user DCs, but they cannot enumerate users and groups. On the other hand, if I allow TCP 389 (LDAP) and TCP 88 (Kerberos), I can enumerate the users and groups, but interactive logins are really slow and the app server looks for 135 (EPmapper) to be open during profile load. As a test I opened 135, and then the EPmapper passed back a random high port for the Netlogon port, which of course the app server then tries to hit.

So what do you think is the best course of action? I cannot open all the random high ports; that is silly. I can make the Netlogon port static on all my DCs and then open only that port. Any other ideas?

Tom Seibert
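The two options the question weighs (pin the Netlogon and NTDS RPC ports to fixed numbers, or shrink the dynamic range the endpoint mapper hands out) are both registry changes on the DCs. The following PowerShell is an added example, not code from the question, the answer or Microsoft; it uses the registry values documented in MS KB 224196 (static ports) and KB 154596 (dynamic range). The port numbers 38901 and 38902 and the range 50000-50200 are assumptions chosen for the example, as are the function names. It must be run elevated on every DC in the users domain, and the DC has to be rebooted before the new ports take effect.

```powershell
# Added example, not part of the original question or answer.
# Pins the DC-side RPC services that an AD client reaches through the endpoint
# mapper (TCP 135) to fixed ports, so the firewall between the app server's
# subnet and the users domain only needs those ports open instead of the
# whole dynamic high range. Registry values per MS KB 224196; the port
# numbers below are assumptions for this example.
# Run elevated on every DC in the users domain, then reboot the DC.

$NtdsPort     = 38901   # NTDS (directory replication / DRS RPC interface)
$NetlogonPort = 38902   # Netlogon (secure channel, pass-through auth, trust traffic)

function Set-StaticDcRpcPorts {
    param([int]$NtdsPort, [int]$NetlogonPort)

    New-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Parameters' `
        -Name 'TCP/IP Port' -PropertyType DWord -Value $NtdsPort -Force | Out-Null
    New-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters' `
        -Name 'DCTcpipPort' -PropertyType DWord -Value $NetlogonPort -Force | Out-Null
}

# Alternative (MS KB 154596): leave the services dynamic but restrict the range
# the endpoint mapper allocates for EVERY RPC server on this DC. The range is an
# assumption; KB 154596 advises making it at least 100 ports wide.
function Set-RpcDynamicRange {
    param([string]$Range = '50000-50200')

    $key = 'HKLM:\SOFTWARE\Microsoft\Rpc\Internet'
    if (-not (Test-Path $key)) { New-Item -Path $key | Out-Null }
    New-ItemProperty -Path $key -Name 'Ports' -PropertyType MultiString -Value @($Range) -Force | Out-Null
    New-ItemProperty -Path $key -Name 'PortsInternalAvailable' -PropertyType String -Value 'Y' -Force | Out-Null
    New-ItemProperty -Path $key -Name 'UseInternetPorts' -PropertyType String -Value 'Y' -Force | Out-Null
}

# Verification after the reboot: the registry values are present and the DC is
# actually listening on the pinned ports.
function Test-StaticDcRpcPorts {
    param([int]$NtdsPort, [int]$NetlogonPort)

    $ntds = (Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Parameters').'TCP/IP Port'
    $nl   = (Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters').DCTcpipPort
    $listening = netstat -ano -p tcp | Select-String 'LISTENING'

    [pscustomobject]@{
        NtdsRegistry      = $ntds
        NetlogonRegistry  = $nl
        NtdsListening     = [bool]($listening | Select-String ":$NtdsPort\s")
        NetlogonListening = [bool]($listening | Select-String ":$NetlogonPort\s")
    }
}

Set-StaticDcRpcPorts -NtdsPort $NtdsPort -NetlogonPort $NetlogonPort
# Restart-Computer   # uncomment once the firewall allows TCP 135, 38901 and 38902 from the app server subnet
# Test-StaticDcRpcPorts -NtdsPort $NtdsPort -NetlogonPort $NetlogonPort
```

With the static ports in place the firewall rule set from the app server to the user DCs becomes TCP 135 plus the two pinned ports on top of the 88 and 389 already allowed, rather than the whole dynamic range. From the app server, `portqry -n <dc> -e 135` (Microsoft's PortQry tool) dumps the endpoint-mapper registrations and should show the Netlogon and NTDS interfaces bound to the pinned ports; if it still shows random high ports, the DC has not been rebooted or the registry value landed under the wrong key. The dynamic-range alternative is simpler to roll out but changes the behaviour of every RPC server on the DC, not just Netlogon and NTDS, so the range has to be wide enough for all of them.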

1 Answer


Here is what you need.

Vick Vega
  • I think your post got lost somewhere – Tom Seibert Feb 10 '11 at 01:39
  • Sorry, not sure what you mean ... – Vick Vega Feb 10 '11 at 15:14
  • The link for the MS article was not there last night. The word need was just text. Now it is good. – Tom Seibert Feb 10 '11 at 18:39
  • So after reading that, the article looks like it is DC to DC based communication which is currently working fine. I am looking more for advice on the best course of action. How to do it is clear in the MS docs. I just have at least two choices and am looking for the pros and cons of each. My focus is on the app server that is not a DC. How should it communicate to the DC in the remote domain? – Tom Seibert Feb 10 '11 at 18:40
  • Is there a chance to configure VPN between locations? – Vick Vega Feb 10 '11 at 18:45
  • None of this crosses the internet, I control all of the space. They just have a requirement to have IP separation between the groups. – Tom Seibert Feb 10 '11 at 20:54
  • Check the REFERENCES section in the following article http://support.microsoft.com/kb/839880, especially http://support.microsoft.com/kb/154596 – Vick Vega Feb 10 '11 at 21:03