Domain Trust

List trusted domains

Import-Module ActiveDirectory
# One object per trust; Target is the trusted domain, Direction is Inbound, Outbound or BiDirectional
$TrustedDomains = Get-ADTrust -Filter * | ForEach-Object {
    [PSCustomObject]@{
        Source    = $_.Source
        Target    = $_.Target
        Name      = $_.Name
        TrustType = $_.TrustType
        Direction = $_.Direction
    }
}
$TrustedDomains | Sort-Object Name | Format-Table -AutoSize

List trusted domains and DCs

Import-Module ActiveDirectory
$domain = @()
# List the trusts and collect the target domain names for the second step
Get-ADTrust -Filter * | Select-Object Source, Target, TrustType, Direction | ForEach-Object {
  $domain += $_.Target
  [PSCustomObject]@{
    Source    = $_.Source
    Target    = $_.Target
    TrustType = $_.TrustType
    Direction = $_.Direction
  }
}
# Print all DCs of every trusted domain; -ErrorAction Stop makes an unreachable
# domain land in the catch block instead of silently producing no output
$domain | ForEach-Object {
  Write-Output "`n$_"
  try {
    $dc = Get-ADDomain -Identity $_ -ErrorAction Stop |
          Select-Object -ExpandProperty ReplicaDirectoryServers
  }
  catch [Exception] {
    $dc = $_.Exception.Message
  }
  Write-Output $dc
}

Verify trust

netdom trust TrustingDomain.com /D:TrustedDomain.com /verify

netdom query /d:devgroup.example.com TRUST /verify

Port Requirements

TCP Port Requirements for the Active Directory Domain Service:

TCP Port | AD and AD DS Usage | Type of traffic
389 | Directory, Replication, User and Computer Authentication, Group Policy, Trusts | LDAP
636 | Directory, Replication, User and Computer Authentication, Group Policy, Trusts | LDAP SSL
3268 | Directory, Replication, User and Computer Authentication, Group Policy, Trusts | LDAP GC
3269 | Directory, Replication, User and Computer Authentication, Group Policy, Trusts | LDAP GC SSL
88 | User and Computer Authentication, Forest Level Trusts | Kerberos
53 | User and Computer Authentication, Name Resolution, Trusts | DNS
445 | Replication, User and Computer Authentication, Group Policy, Trusts | SMB, CIFS, SMB2, DFSN, LSARPC, NbtSS, NetLogonR, SamR, SrvSvc
25 | Replication | SMTP
135 | Replication | RPC, EPM
49152..65535 | Replication, User and Computer Authentication, Group Policy, Trusts | RPC, DCOM, EPM, DRSUAPI, NetLogonR, SamR, FRS
5722 | File Replication | RPC, DFSR (SYSVOL)
464 | Replication, User and Computer Authentication, Trusts | Kerberos change/set password
9389 | AD DS Web Services | SOAP
139 | User and Computer Authentication, Replication | DFSN, NetBIOS Session Service, NetLogon

UDP Port Requirements for the Active Directory Domain Service:

UDP Port | AD and AD DS Usage | Type of traffic
389 | Directory, Replication, User and Computer Authentication, Group Policy, Trusts | LDAP
88 | User and Computer Authentication, Forest Level Trusts | Kerberos
53 | User and Computer Authentication, Name Resolution, Trusts | DNS
445 | Replication, User and Computer Authentication, Group Policy, Trusts | SMB, CIFS, SMB2, DFSN, LSARPC, NbtSS, NetLogonR, SamR, SrvSvc
123 | Windows Time, Trusts | Windows Time
464 | Replication, User and Computer Authentication, Trusts | Kerberos change/set password
UDP Dynamic | Group Policy | DCOM, RPC, EPM
138 | DFS, Group Policy | DFSN, NetLogon, NetBIOS Datagram Service
67 | DHCP | DHCP, MADCAP
2535 | DHCP | DHCP, MADCAP
137 | User and Computer Authentication | NetLogon, NetBIOS Name Resolution
Source: Active Directory and Active Directory Domain Services Port Requirements (Microsoft documentation)

Test Communication to Domain Controllers

# Download and install PsNetTools
$ZipFile = "https://github.com/tinuwalther/PsNetTools/releases/download/v0.7.5/PsNetTools.zip"
$OutFile = "$($env:USERPROFILE)\Downloads\PsNetTools-v0.7.5.zip"

Invoke-WebRequest -Uri $ZipFile -OutFile $OutFile
$ExpandFolder = "$($env:USERPROFILE)\Downloads\PsNetTools"
if(-not(Test-Path $ExpandFolder)){$null = mkdir $ExpandFolder}
# Expand-Archive takes -DestinationPath, not -OutputPath
Expand-Archive -Path $OutFile -DestinationPath $ExpandFolder -Force

# Copying the folder into the module path lets Import-Module PsNetTools find it for all users
Copy-Item -Path $ExpandFolder -Destination "C:\Program Files\WindowsPowerShell\Modules" -Recurse -Force -PassThru

# Test ports with PsNetTools (ports taken from the tables above). The dynamic range is
# appended with + so the list is a flat int[]; it adds 16384 ports, so expect a long run.
$TargetDC = 'your target Domain Controller'
$TcpPort = @(389,636,3268,3269,88,53,445,25,135,5722,464,9389,139) + (49152..65535)
Test-PsNetTping -Destination $TargetDC -TcpPort $TcpPort -MaxTimeout 1000 | Format-Table

# UDP probes use -UdpPort, not -TcpPort
$UdpPort = @(389,88,53,445,123,464,138,67,2535,137) + (49152..65535)
Test-PsNetUping -Destination $TargetDC -UdpPort $UdpPort -MaxTimeout 1000 | Format-Table
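The following is an added example, not code from the original page or from the PsNetTools project: it ties the trust enumeration above to the TCP port table and checks the fixed ports on every DC of every trusted domain using only the ActiveDirectory module and .NET's TcpClient. The port list, the 1000 ms timeout and the function names Test-TcpPort and Test-TrustedDomainPorts are assumptions.

```powershell
# Added example (not from the page or PsNetTools): probe the fixed TCP ports of the
# table above on every DC of every trusted domain. Port list and timeout are assumptions.
Import-Module ActiveDirectory
# Dynamic RPC range 49152-65535 omitted: probing 16k ports per DC is no smoke test
$RequiredTcpPorts = 389, 636, 3268, 3269, 88, 53, 445, 135, 464, 9389, 139

function Test-TcpPort {
    param([string]$ComputerName, [int]$Port, [int]$TimeoutMs = 1000)
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        # ConnectAsync().Wait() gives a real timeout; Connect() would block
        $done = $client.ConnectAsync($ComputerName, $Port).Wait($TimeoutMs)
        return ($done -and $client.Connected)
    }
    catch { return $false }   # refused, unresolvable, or otherwise failed
    finally { $client.Dispose() }
}

function Test-TrustedDomainPorts {
    param([int[]]$Ports = $RequiredTcpPorts, [int]$TimeoutMs = 1000)
    foreach ($trust in Get-ADTrust -Filter *) {
        try {
            $dcs = Get-ADDomain -Identity $trust.Target -ErrorAction Stop |
                   Select-Object -ExpandProperty ReplicaDirectoryServers
        }
        catch {
            # Trusted domain not reachable at all: report it and keep going
            [PSCustomObject]@{ Trust = $trust.Target; Direction = $trust.Direction
                               DC = $null; Port = $null; Open = $false; Note = $_.Exception.Message }
            continue
        }
        foreach ($dc in $dcs) {
            foreach ($port in $Ports) {
                [PSCustomObject]@{
                    Trust     = $trust.Target
                    Direction = $trust.Direction
                    DC        = $dc
                    Port      = $port
                    Open      = Test-TcpPort -ComputerName $dc -Port $port -TimeoutMs $TimeoutMs
                    Note      = ''
                }
            }
        }
    }
}

# Show only what is blocked; a closed 88, 389 or 445 towards a trusted DC is the
# usual reason a cross-domain logon or 'netdom trust ... /verify' fails.
Test-TrustedDomainPorts | Where-Object { -not $_.Open } | Format-Table -AutoSize
```

Run it from a domain member with the RSAT ActiveDirectory module; rows with an empty DC column mean the trusted domain itself could not be queried, which usually points at DNS (53) or LDAP (389) being blocked rather than a single port.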