Saturday, June 7, 2008

RIS cross-domain access

I had a requirement to initiate OS installs using RIS on Windows 2000 server when authenticating with cross-domain user accounts. In Windows Server 2003 this is a supported configuration, but I was pleasantly surprised that it worked from a 2003 domain to a trusting 2000 domain with a 2000 RIS server.

This test was successfully completed in a simple test environment authenticating with a cross-domain user account in a different forest than the RIS server computer account:
  • XP workstation, member of a 2003 forest/domain
  • 2000 server, which was a DC and RIS server of a 2000 domain
  • The 2000 forest trusts the 2003 forest, with a one-way external NTLM trust
  • NTFS permissions set such that the cross-domain user account has access to the RIS filesystem.

The following protocols were in use between the RIS server and the cross-domain DC:

  • TCP RPC EndPoint Mapper 135
  • TCP/UDP RPC Ephemeral ports above 1023
  • TCP NetBIOS Session Setup 139
  • TCP SMB 445
  • TCP Microsoft Directory Services 445
  • UDP Kerberos 88
  • ICMP
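When firewall rules are built from this list, a flow audit confirms that nothing outside it is being used. The following is an added example, not part of the original post: it checks connection-initiation log lines against the protocols listed above. The log line format, the IP addresses and the function names are assumptions made for illustration.

```python
import re
from collections import Counter

# Rules transcribed from the protocol list above: (label, protocols, dest-port test).
# SMB and Microsoft Directory Services share TCP 445, so they are one rule here.
RULES = [
    ("RPC EndPoint Mapper", {"TCP"}, lambda p: p == 135),
    ("NetBIOS Session Setup", {"TCP"}, lambda p: p == 139),
    ("SMB / Microsoft Directory Services", {"TCP"}, lambda p: p == 445),
    ("Kerberos", {"UDP"}, lambda p: p == 88),
    ("RPC ephemeral", {"TCP", "UDP"}, lambda p: p > 1023),
]

# Assumed (constructed) log format: "<PROTO> <src>[:<sport>] -> <dst>[:<dport>]"
LINE = re.compile(r"^(TCP|UDP|ICMP)\s+(\S+?)(?::(\d+))?\s+->\s+(\S+?)(?::(\d+))?$")

# Constructed sample: RIS server 10.1.0.10 initiating to the cross-domain DC 10.2.0.5.
SAMPLE = [
    "TCP 10.1.0.10:1045 -> 10.2.0.5:135",
    "TCP 10.1.0.10:1046 -> 10.2.0.5:1026",
    "TCP 10.1.0.10:1047 -> 10.2.0.5:445",
    "UDP 10.1.0.10:1048 -> 10.2.0.5:88",
    "ICMP 10.1.0.10 -> 10.2.0.5",
    "TCP 10.1.0.10:1049 -> 10.2.0.5:88",   # Kerberos over TCP is not in the list
    "TCP 10.1.0.10:1050 -> 10.2.0.5:21",
]

def classify(line):
    """Return the matching rule label, or None if the flow is outside the list."""
    m = LINE.match(line.strip())
    if not m:
        return None
    proto, dport = m.group(1), m.group(5)
    if proto == "ICMP":
        return "ICMP"
    if dport is None:
        return None
    for label, protos, port_ok in RULES:
        if proto in protos and port_ok(int(dport)):
            return label
    return None

def audit(lines):
    """Return (Counter of matched rule labels, list of lines matching no rule)."""
    labelled = [(line, classify(line)) for line in lines]
    seen = Counter(label for _, label in labelled if label)
    unexpected = [line for line, label in labelled if label is None]
    return seen, unexpected
```

Rules that never appear in `seen` over a representative capture are candidates for removal; lines in `unexpected` need either a rule or an explanation.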


Wayne's World of IT (WWoIT), Copyright 2008 Wayne Martin.
