Step 4: Build Trust

NOTE: Small Business Server (SBS) does not support trusts.

Setting up a trust between the SoftApp distribution environment and your local AD is necessary for exchanging and updating user data. For the initial addition of users, a bi-directional forest trust is always required. After the users have been added to the system, this trust can be converted into a one-way forest trust.

Our topology

fig 1. Skype for Business resource forest topology

One-way or Two-way trust relationship?

                One-way trust    Two-way trust
Add users       Manual           Automatically
Security        Optimal          Sub-optimal: SoftApp can read users from your domain

Security

Open the following ports in the firewall towards 192.168.184.0/24

Client port(s)                  Server port           Service
49152-65535 / UDP               123 / UDP             W32Time
49152-65535 / TCP               135 / TCP             RPC Endpoint Mapper
49152-65535 / TCP               464 / TCP / UDP       Kerberos password change
49152-65535 / TCP               49152-65535 / TCP     RPC for LSA, SAM, Netlogon (*)
49152-65535 / TCP / UDP         389 / TCP / UDP       LDAP
49152-65535 / TCP               636 / TCP             LDAP SSL
49152-65535 / TCP               3268 / TCP            LDAP GC
49152-65535 / TCP               3269 / TCP            LDAP GC SSL
53, 49152-65535 / TCP / UDP     53 / TCP / UDP        DNS
49152-65535 / TCP               49152-65535 / TCP     FRS RPC (*)
49152-65535 / TCP / UDP         88 / TCP / UDP        Kerberos
49152-65535 / TCP / UDP         445 / TCP             SMB (**)
49152-65535 / TCP               49152-65535 / TCP     DFSR RPC (*)

(*) For information about how to define RPC server ports that are used in the LSA RPC services, see the following Microsoft Knowledge Base articles:

(**) This port is not required for the operation of the trust; it is used only during trust creation.

Note: Across an external trust, 123 / UDP is only required if the Windows Time Service is set to sync with a server on the other side of the trust.
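The two checks a practitioner wants after following this step are that the trust has been reduced to one-way once the users are in, and that the fixed server ports from the table are actually reachable through the firewall. The PowerShell below is an added example, not part of the original guide; the forest name and DC hostname are placeholders, and it assumes the RSAT ActiveDirectory module on a host in the local forest.

```powershell
# Added example, not part of the original guide. Run on a domain controller or
# management host in the local forest with the RSAT ActiveDirectory module installed.
# Assumptions (placeholders, not values from the guide):
#   $RemoteForest - DNS name of the SoftApp distribution forest
#   $RemoteDc     - a domain controller of that forest inside 192.168.184.0/24
$RemoteForest = 'softapp.example'
$RemoteDc     = 'dc01.softapp.example'

# 1. Trust check. The guide requires a two-way forest trust only while users are
#    being added; afterwards it should be one-way. A trust that is still
#    BiDirectional lets the distribution forest read accounts from the local domain.
$trust = Get-ADTrust -Filter * | Where-Object { $_.Target -eq $RemoteForest }
if (-not $trust) {
    throw "No trust towards $RemoteForest exists in this forest."
}
'Trust {0}: Direction={1} ForestTransitive={2}' -f $trust.Name, $trust.Direction, $trust.ForestTransitive
if (-not $trust.ForestTransitive) {
    Write-Warning 'This is not a forest trust; the guide expects a forest trust.'
}
if ($trust.Direction -eq 'BiDirectional') {
    Write-Warning 'Trust is still two-way. Convert it to one-way once the user import is finished.'
}

# 2. Firewall check for the fixed TCP server ports from the table above. The dynamic
#    RPC range (49152-65535) and the UDP ports (53, 88, 123, 389, 464) cannot be
#    probed with a plain TCP connect and must be verified on the firewall itself.
$tcpPorts = [ordered]@{
    53 = 'DNS'; 88 = 'Kerberos'; 135 = 'RPC Endpoint Mapper'; 389 = 'LDAP'
    445 = 'SMB (trust creation only)'; 464 = 'Kerberos password change'
    636 = 'LDAP SSL'; 3268 = 'LDAP GC'; 3269 = 'LDAP GC SSL'
}
foreach ($port in $tcpPorts.Keys) {
    $result = Test-NetConnection -ComputerName $RemoteDc -Port $port -WarningAction SilentlyContinue
    $state  = if ($result.TcpTestSucceeded) { 'open' } else { 'BLOCKED' }
    '{0,5}/TCP {1,-8} {2}' -f $port, $state, $tcpPorts[$port]
}
```

A BLOCKED line for 445 after the trust has been created is expected, since that port is only needed during trust creation.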