Symptoms
Unable to resolve users from an additional domain configured in K2. The configuration on the K2 side has been verified and was performed correctly.
Diagnoses
There are a number of checks you can perform to verify connectivity to the external domain:
- There must be a trust between the domains.
- The firewall must have enough ports open for the LDAP calls to be made. The ports we found were required are:
  - RPC endpoint mapper: 135/TCP, 135/UDP
  - RPC randomly allocated high TCP ports: TCP 1024 - 65535*
    * For more information about how to customize this port range, see http://support.microsoft.com/kb/224196/
  - 445/TCP, 445/UDP
  - LDAP: 389/TCP, 389/UDP
  - Kerberos: 88/TCP, 88/UDP
  - DNS: 53/TCP, 53/UDP
Note: There is a good Microsoft KB article that also covers the LDAP ports in more detail: http://support.microsoft.com/kb/832017/
Possible issues we saw in the past with different clients:
- The Kerberos port was not opened.
- Kerberos packet fragmentation was occurring (see http://support.microsoft.com/kb/244474).
- The UDP port for LDAP was not opened; it needs to be opened because UDP appears to be used for the initial ping that locates the available DCs.
You can use this old Microsoft utility for these tests: https://support.microsoft.com/en-us/kb/310099
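As an added example (not part of the original K2 article), the following PowerShell script runs the trust, DNS and port checks listed above from the K2 server. The domain name in $AdditionalDomain is an assumed placeholder; it uses only built-in cmdlets (Resolve-DnsName, Test-NetConnection) and nltest, so UDP and the dynamic RPC range still need the Microsoft utility linked above.

```powershell
# Added example, not part of the original K2 article: check trust visibility, DNS and
# TCP reachability of the checklist ports from the K2 server to the additional domain.
# $AdditionalDomain is an assumed placeholder; replace it with the trusted domain's DNS name.
param(
    [string]$AdditionalDomain = 'corp.example.com'
)

# 1. Trust: list the trusts visible from this machine (the additional domain should appear).
nltest /domain_trusts

# 2. DNS (53/TCP+UDP): locate the domain controllers through the _ldap SRV record.
$srv = Resolve-DnsName -Name "_ldap._tcp.dc._msdcs.$AdditionalDomain" -Type SRV -ErrorAction Stop
$dcs = $srv | Where-Object { $_.Type -eq 'SRV' } | Select-Object -ExpandProperty NameTarget -Unique
if (-not $dcs) { throw "No DC SRV records found for $AdditionalDomain" }

# 3. Fixed TCP ports from the checklist. UDP and the dynamic RPC range (1024-65535)
#    cannot be checked with Test-NetConnection; use the Microsoft utility linked above for those.
$ports = [ordered]@{
    'RPC endpoint mapper' = 135
    'SMB'                 = 445
    'LDAP'                = 389
    'Kerberos'            = 88
    'DNS'                 = 53
}

foreach ($dc in $dcs) {
    foreach ($entry in $ports.GetEnumerator()) {
        $r = Test-NetConnection -ComputerName $dc -Port $entry.Value -WarningAction SilentlyContinue
        $state = if ($r.TcpTestSucceeded) { 'open' } else { 'BLOCKED' }
        '{0,-30} {1,-20} {2,5}/TCP  {3}' -f $dc, $entry.Key, $entry.Value, $state
    }
}
```

Run it on the K2 server itself, since the firewall rules that matter are the ones between that host and the additional domain's DCs; a BLOCKED line for Kerberos (88) or LDAP (389) matches the first and third issues listed above.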
You may also need to confirm the following:
1) That the K2 service account has read access at the root level of the additional domain
2) That the K2 service account has read access to the OU or OUs in which the K2 users reside, and can traverse down from the top of the CN path to that OU level
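As an added example (not part of the original K2 article), this PowerShell script verifies both points above by binding to the additional domain with the K2 service account's own credentials through System.DirectoryServices. $AdditionalDomain and $UserOu are assumed placeholders; the traversal walk in the last step is the added part that checks each level of the path, not just the OU itself.

```powershell
# Added example, not part of the original K2 article: bind to the additional domain as the
# K2 service account, verify read access on the domain root and the users' OU, then walk
# the OU path from the root to confirm each level can be listed.
# $AdditionalDomain and $UserOu are assumed placeholders; the script prompts for the
# service account credentials so the test runs with its permissions, not the admin's.
param(
    [string]$AdditionalDomain = 'corp.example.com',
    [string]$UserOu           = 'OU=K2 Users,DC=corp,DC=example,DC=com'
)
Add-Type -AssemblyName System.DirectoryServices

$cred = Get-Credential -Message 'K2 service account (DOMAIN\user)'
$user = $cred.UserName
$pass = $cred.GetNetworkCredential().Password

function Test-LdapRead {
    param([string]$Dn, [string]$Label)
    try {
        $entry = New-Object System.DirectoryServices.DirectoryEntry("LDAP://$AdditionalDomain/$Dn", $user, $pass)
        $entry.RefreshCache()      # forces the bind and reads the object's own attributes
        $searcher = New-Object System.DirectoryServices.DirectorySearcher($entry, '(objectClass=*)')
        $searcher.SearchScope = 'OneLevel'
        $child = $searcher.FindOne()
        '{0}: bind OK, read OK, child objects visible: {1}' -f $Label, ($null -ne $child)
    } catch {
        '{0}: FAILED - {1}' -f $Label, $_.Exception.Message
    }
}

# Check 1: read access at the root of the additional domain.
$domainDn = ($AdditionalDomain.Split('.') | ForEach-Object { "DC=$_" }) -join ','
Test-LdapRead -Dn $domainDn -Label 'Domain root'

# Check 2: read access on the OU that holds the K2 users.
Test-LdapRead -Dn $UserOu -Label 'User OU'

# Check 3: traversal. Binding straight to the OU can succeed even when an intermediate
# container is not listable, so confirm that each non-DC level of the path is visible from
# its parent with a one-level search. (Assumes no escaped commas in the DN.)
$parts = $UserOu -split ','
for ($i = $parts.Count - 1; $i -ge 0; $i--) {
    if ($parts[$i] -like 'DC=*') { continue }
    $parentDn = $parts[($i + 1)..($parts.Count - 1)] -join ','
    $childDn  = $parts[$i..($parts.Count - 1)] -join ','
    try {
        $parent = New-Object System.DirectoryServices.DirectoryEntry("LDAP://$AdditionalDomain/$parentDn", $user, $pass)
        $s = New-Object System.DirectoryServices.DirectorySearcher($parent, "(distinguishedName=$childDn)")
        $s.SearchScope = 'OneLevel'
        $visible = $null -ne $s.FindOne()
    } catch {
        $visible = $false
    }
    '{0,-55} {1}' -f $childDn, $(if ($visible) { 'listable from parent' } else { 'NOT visible from parent' })
}
```

A FAILED line on the domain root points at point 1; a "NOT visible from parent" line at any level between the root and the OU is the traversal problem described in point 2, even when the OU itself reports bind OK.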
Resolution
Work through the checks listed under Diagnoses above.