Kerberos Realm Trust: Extra settings

InfoTechdude 161 Reputation points
2020-10-10T13:53:31.15+00:00

Hi,

Kerberos Realm Trust is one of the available trusts in AD Domains and Trusts. So I proceed "as usual" by adding this trust with the wizard.

This can also be done from the command line: netdom trust /add /realm .... . Netdom also has some extra commands about Kerberos (/kerberos, /EnableTgtDelegation, etc.):
https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-r2-and-2012/cc835085(v=ws.11)

My question is this: Because this one is with a non-Windows machine, what else has to be set up? Firewall? What about commands like ksetup/ktpass, or even kadmin?
Ksetup
https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-r2-and-2012/hh240190(v=ws.11)
Ktpass
https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-r2-and-2012/cc753771(v=ws.11)

kadmin [-O|-N] [-r realm] [-p principal] [-q query] [[-c cache_name]|[-k [-t keytab]]|-n] [-w password] [-s admin_server[:port]]

kadmin.local [-r realm] [-p principal] [-q query] [-d dbname] [-e enc:salt ...] [-m] [-x db_args]

Thanks for a clear answer!


1 answer

  1. Anonymous
    2020-10-12T02:22:36.407+00:00

    Hello @InfoTechdude ,

    Thank you for posting here.

    We can try the following steps on the DC in the Windows domain.

    1. Before setting up any trust, we should create a secondary zone or set up conditional forwarders so that the two realms can find each other, on the DC in the Windows domain and on the DC in the non-Windows domain.

    Create secondary zone or set up conditional forwarders based on the steps in the link below.
    https://social.technet.microsoft.com/Forums/windowsserver/en-US/9e501d72-5457-421a-b81b-3a1f83ac7b0e/setup-of-trust-relationship-between-2-domains?forum=winservergen

    2. Create a Realm Trust through the UI or the netdom trust command on the DC in the Windows domain.

    Create a Realm Trust
    https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2008-r2-and-2008/cc754706(v=ws.11)

    3. We should make sure the ports in the AD (including trust) Port Requirements below are listening.

    For AD (including trust) Port Requirements, we can refer to the links below.
    Active Directory and Active Directory Domain Services Port Requirements
    https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/dd772723(v=ws.10)?redirectedfrom=MSDN

    Active Directory Replication over Firewalls
    https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-2000-server/bb727063(v=technet.10)?redirectedfrom=MSDN

    For the two commands, if we want to set some settings to support Kerberos realms (Ksetup) and support Kerberos authentication (Ktpass), we can use them if needed.

    Best Regards,
    Daisy Zhou
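
The three steps in the answer above, run from an elevated PowerShell prompt on the Windows DC, as an added example that is not part of the original thread. The realm, KDC host and domain names are placeholder assumptions, the trust is one-way (the AD domain trusts the realm), and only TCP 88 (Kerberos) is probed; the linked port requirements list the rest.

```powershell
# Added example. All three names are placeholders (assumptions, not from the thread).
$Realm    = 'MIT.EXAMPLE.COM'        # non-Windows Kerberos realm, upper case
$Kdc      = 'kdc1.mit.example.com'   # KDC host serving that realm
$AdDomain = 'corp.example.com'       # AD domain that will trust the realm

# Step 1: name resolution. Fail early if the DC cannot resolve the foreign KDC.
Resolve-DnsName -Name $Kdc -ErrorAction Stop | Out-Null

# A _kerberos._tcp SRV record lets Windows locate the KDC through DNS.
# If none is published, the ksetup /addkdc mapping below provides the KDC name instead.
$srv = Resolve-DnsName -Name "_kerberos._tcp.$($Realm.ToLower())" -Type SRV `
           -ErrorAction SilentlyContinue
if (-not $srv) {
    Write-Warning "No _kerberos._tcp SRV record for $Realm; relying on ksetup /addkdc"
}

# Step 3: firewall. Kerberos uses port 88. Test-NetConnection probes TCP only,
# so a UDP-only block will not show up here.
$probe = Test-NetConnection -ComputerName $Kdc -Port 88 -WarningAction SilentlyContinue
if (-not $probe.TcpTestSucceeded) {
    throw "TCP 88 to $Kdc is not reachable; fix the firewall before creating the trust"
}

# Register the KDC for the realm on this DC.
ksetup /addkdc $Realm $Kdc

# Step 2: create the realm trust. The password must match the cross-realm principal
# on the non-Windows KDC, which for this direction is
#   krbtgt/CORP.EXAMPLE.COM@MIT.EXAMPLE.COM   (created there with kadmin, addprinc)
# netdom takes the password as a command-line argument, so it is visible in the
# process list while the command runs; use a long random value and do not script it.
$trustPw = Read-Host 'Trust password (same value as on the KDC)'
netdom trust $AdDomain "/d:$Realm" /add /realm "/PasswordT:$trustPw"
Remove-Variable trustPw

# Review the result: Kerberos realm settings on this DC and the trust list.
ksetup /dumpstate
nltest /domain_trusts
```

If the two sides do not share an encryption type for the krbtgt principal, the trust is created but ticket requests across it fail, so compare the enctypes configured on the KDC with what the trust allows.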
