We have three firewalled network segments A | B | C.
A = our existing internal forest
B = a single DC to be stood up specifically to create this trust
C = external forest
B is necessary as we are unable to make A directly routable to C and want to avoid NAT'ing. Long story.
We have opened all ports between the new DC in B, and the existing DCs in A. We will probably do the same for the new DC in B, and one or all DCs in C.
Forest in A is 2003, forest in C is 2008R2.
Questions:
1) The member servers and workstations in A cannot communicate with the DC in B. Should any additional config be done to account for this? (e.g. can/should we restrict all authentication to the DCs in A, or will AD just 'figure it out')
2) The DCs in A cannot see the DCs in the external forest in C. Should any additional config be done to account for this?
3) Is this what I should use if we were to restrict by port?: http://technet.microsoft.com/en-us/library/dd772723%28v=ws.10%29.aspx
Thanks,
Jaime
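As an added example (not part of Jaime's post), the following PowerShell script, run from the DC in segment B, checks whether the well-known TCP ports a forest trust depends on (DNS, Kerberos, RPC endpoint mapper, LDAP/LDAPS, SMB, Global Catalog; see the TechNet article in question 3) are reachable on the DCs in A and C after the firewall has been restricted by port. The hostnames are placeholders, and the dynamic RPC ranges assumed are 1025-5000 for the 2003 forest in A and 49152-65535 for the 2008 R2 forest in C.

```powershell
# Added example, not from the original post. Run on the DC in segment B.
# Test-NetConnection (PowerShell 4+) tests TCP only; UDP 53/88/389 need a
# separate check. Only the low end of each dynamic RPC range is sampled.

$TrustPorts = @{
    53   = 'DNS'
    88   = 'Kerberos'
    135  = 'RPC endpoint mapper'
    389  = 'LDAP'
    445  = 'SMB'
    464  = 'Kerberos password change'
    636  = 'LDAPS'
    3268 = 'Global Catalog'
    3269 = 'Global Catalog over SSL'
}

# Placeholder names: replace with the real DCs in A and C.
# DynRpc is the first port of the dynamic RPC range each OS version uses.
$Targets = @(
    @{ Name = 'dc1.a.example.internal'; DynRpc = 1025  },  # 2003 forest in A
    @{ Name = 'dc1.c.example.internal'; DynRpc = 49152 }   # 2008 R2 forest in C
)

function Test-TrustPorts {
    param([hashtable[]]$Targets, [hashtable]$Ports)
    foreach ($t in $Targets) {
        # Copy the static list and add the target's dynamic RPC sample port.
        $toCheck = $Ports.Clone()
        $toCheck[$t.DynRpc] = 'Dynamic RPC (low end of range)'
        foreach ($p in ($toCheck.Keys | Sort-Object)) {
            $r = Test-NetConnection -ComputerName $t.Name -Port $p `
                                    -WarningAction SilentlyContinue
            [pscustomobject]@{
                Target  = $t.Name
                Port    = $p
                Service = $toCheck[$p]
                Open    = $r.TcpTestSucceeded
            }
        }
    }
}

# Any row with Open = False is a port the firewall rule set is still blocking.
Test-TrustPorts -Targets $Targets -Ports $TrustPorts | Format-Table -AutoSize
```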