We have two Active Directory Forests that we want to create a two-way transitive Forest trust.
One AD forest is Windows 2008 R2 and the other is Windows 2012 R2
Do Forest Trusts require SMB? if so will disabling SMB 1 or 2 on the DC's prevent us from creating the AD forest trust?
Our security team want both SMB v1 and 2 disabled but I'm curious of the impact of doing so.
thanks in advance!
SMB and Forest Trusts
- 402 Views
- Last Post 30 June 2017
You should absolutely consider disabling SMB 1 across the board and only re-enable if needed to specific servers for legacy requirements.
For a Trust Relationship to be created, TCP port 445 (SMB) only needs to be open during the trust creation process. However, once the trust has been created,
verified and tested, this port can be closed off on firewalls between the forests if required for security purposes.
You cannot disable SMB on the Domain Controllers altogether. This is required for client communication, replication, etc.
Thanks for responding.
So I should disable SMB 1 across all clients and servers using the following article as a guide:
This article does not recommend disabling SMB v2 or 3. Based on what you've said I'll need to keep SMB enabled as they're DC's (2008 R2 and 2012 R2) but I can close the firewall port (445) once the trust has been created, verified and tested?
I’m not telling you to disable SMB 1. I used the word “consider”. You and your security team will need to test and decide that as I know nothing about your
The rest is correct. Remember that the vulnerability is SMB 1. So if that’s all you’re trying to protect against, you don’t need to worry about closing the
firewall port as long as SMB 1 is disabled.