Firewalls on domain controllers, member servers, and workstations must be configured correctly for the trust, and ultimately the domains themselves, to function properly.
Your Domain Controllers
At a minimum, the following ports:
    TCP 53, 88, 135, 389, 445, 636, 3268, 3269 *
    UDP 53, 88, 135, 389, 445
need to be granted access to:
    172.22.1.0/24 (172.22.1.0-172.22.1.255)
    172.16.31.0/24 (172.16.31.0-172.16.31.255)
    10.4.10.16/28 (10.4.10.17-10.4.10.31)
for network traffic TO and FROM your domain controllers.
* Additionally, a range of dynamic RPC ports for the RPC endpoint mapper needs access if you want to be able to do trust validation. By default, this is a large set of ports: 49152-65535/TCP. You can limit it to a much smaller set on your servers; see the Related Documents below for how. The NETID domain controllers use the default set of dynamic RPC ports.
Your Workstations and Servers
If you have firewalls on your member servers or workstations, then the ports:
    TCP 53, 88, 135, 137, 139, 389, 445, 636, 3268, 3269 *
    UDP 53, 88, 123, 135, 137, 138, 389, 445 *
need to be granted access to:
    172.22.1.0/24
    172.16.31.0/24
    10.4.10.16/28
for network traffic TO and FROM your client computers.
* See the note above about the RPC endpoint mapper. In this case, the dynamic RPC range is needed over both TCP and UDP, and its purpose goes beyond just trust validation.
This will ensure authentication and normal Windows operations work correctly between the NETID domain and your domain.
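As an added example (not code from this page or from UW-IT), the following PowerShell script creates Windows Firewall rules for the port lists above, on either a domain controller or a member server/workstation, scoped to the three NETID networks given on this page. The rule display names, the group name "NETID Trust", and the use of the Domain profile are assumptions; the dynamic RPC range is the Windows default this page mentions and should be narrowed on any server where you have restricted RPC. Run it in an elevated PowerShell session.

```powershell
# Added example, not from the UW-IT page. Creates inbound and outbound
# Windows Firewall rules for the NETID trust ports, limited to the NETID
# domain controller networks listed on the page.

$NetidNetworks = @('172.22.1.0/24', '172.16.31.0/24', '10.4.10.16/28')

# Dynamic RPC range: the NETID DCs use the Windows default. Narrow this on
# your own servers if you have restricted RPC to a smaller range (see the
# "How to restrict Active Directory RPC traffic" document).
$RpcDynamic = '49152-65535'

# Set to $true when running on one of your domain controllers; the DC list
# on the page is shorter than the member server/workstation list.
$IsDomainController = $false

if ($IsDomainController) {
    $TcpPorts = @('53', '88', '135', '389', '445', '636', '3268', '3269', $RpcDynamic)
    $UdpPorts = @('53', '88', '135', '389', '445')
} else {
    $TcpPorts = @('53', '88', '135', '137', '139', '389', '445', '636', '3268', '3269', $RpcDynamic)
    $UdpPorts = @('53', '88', '123', '135', '137', '138', '389', '445', $RpcDynamic)
}

$Group = 'NETID Trust'   # assumed group name; lets you list or remove these rules together

# Remove any earlier copy of the rules so the script can be re-run safely.
Get-NetFirewallRule -Group $Group -ErrorAction SilentlyContinue | Remove-NetFirewallRule

$Rules = @(
    @{ Name = 'NETID Trust TCP (in)';  Direction = 'Inbound';  Protocol = 'TCP'; Ports = $TcpPorts },
    @{ Name = 'NETID Trust TCP (out)'; Direction = 'Outbound'; Protocol = 'TCP'; Ports = $TcpPorts },
    @{ Name = 'NETID Trust UDP (in)';  Direction = 'Inbound';  Protocol = 'UDP'; Ports = $UdpPorts },
    @{ Name = 'NETID Trust UDP (out)'; Direction = 'Outbound'; Protocol = 'UDP'; Ports = $UdpPorts }
)

foreach ($r in $Rules) {
    # Inbound: traffic FROM the NETID networks arriving on this host's ports (LocalPort).
    # Outbound: traffic TO the NETID networks, destined for their ports (RemotePort).
    $portParam = if ($r.Direction -eq 'Inbound') { @{ LocalPort = $r.Ports } } else { @{ RemotePort = $r.Ports } }

    # Domain profile is assumed: these hosts are domain members on your own network.
    New-NetFirewallRule -DisplayName $r.Name -Group $Group `
        -Direction $r.Direction -Protocol $r.Protocol `
        -RemoteAddress $NetidNetworks -Action Allow -Profile Domain @portParam | Out-Null
}

# Show what was created.
Get-NetFirewallRule -Group $Group | Format-Table DisplayName, Direction, Enabled, Action
```

Scoping the rules with -RemoteAddress keeps the opened ports reachable only from the NETID networks rather than from anywhere, which is the least-privilege reading of the port lists above.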
Troubleshooting Problems
You will need to verify and demonstrate that your firewall settings permit the required traffic noted above. At that time, UW-IT engineers will look into any issues related to the NETID domain. If it appears that the firewall is causing the issues, we will ask that it be disabled to test functionality.
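One way to gather the evidence this step asks for, as an added example that is not from this page: the PowerShell below attempts a TCP connection from the host to each required TCP port on a NETID domain controller and then lists the local firewall rules. The domain controller name is a placeholder, and the rule group name "NETID Trust" is an assumption. Test-NetConnection only exercises TCP, so the UDP ports and the dynamic RPC range still have to be confirmed another way, for instance by performing the trust validation itself.

```powershell
# Added example, not from the UW-IT page. Checks TCP reachability of the
# NETID trust ports from this host and lists the local rules that allow them.

$NetidDc = 'NETID-DC-PLACEHOLDER.example'   # placeholder: replace with a real NETID domain controller name
$TcpPorts = 53, 88, 135, 389, 445, 636, 3268, 3269

$results = foreach ($p in $TcpPorts) {
    # -WarningAction SilentlyContinue hides the per-port "TCP connect failed" warning;
    # the result object still records the outcome in TcpTestSucceeded.
    $t = Test-NetConnection -ComputerName $NetidDc -Port $p -WarningAction SilentlyContinue
    [pscustomobject]@{
        Port          = $p
        RemoteAddress = $t.RemoteAddress
        TcpOk         = $t.TcpTestSucceeded
    }
}

# Any row with TcpOk = False points at a port the firewall (or a network
# device in between) is still blocking.
$results | Format-Table -AutoSize

# Confirm the local rules exist and are enabled (group name assumed).
Get-NetFirewallRule -Group 'NETID Trust' -ErrorAction SilentlyContinue |
    Select-Object DisplayName, Direction, Enabled, Action
```

Capturing this output before contacting UW-IT shows which ports are reachable, so a remaining problem can be narrowed to the ports still failing rather than to the firewall as a whole.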
Future Changes
Should the networks that the NETID domain controllers are on change in the future, an announcement will be made to all trust requestors in advance.
Related Documents
How to configure a firewall for Active Directory domains and trusts
How to restrict Active Directory RPC traffic to a specific port