Friday, January 18, 2008

Creating a trust relationship between two Small Business Server 2000 domains

Taken from: http://fac.ce.vreau.eu.org/sbs.html

* A backup solution (in case you mess something up)

* Two additional servers, Windows 2000 Server or Windows Server 2003, one per SBS domain, to act as temporary domain controllers (I used the trial version of Windows Server 2003, but I think Windows 2000 Server would do the job just fine)

* The replmon.exe utility (from the Support Tools on the install CD)

* Patience (a lot, especially if you have a slow link between the two SBSs)

Okay, let's begin. Make sure you follow the steps below in each of the two domains:

* Configure your SBS DNS server to allow dynamic updates (you will need this in order to add an additional DC). I even switched the zone from Active Directory-integrated to standard primary to avoid AD replication issues; note that a standard primary zone can only accept unsecured dynamic updates, so any host on the network can then register or overwrite records in it. That is tolerable for the duration of this procedure, but switch the zone back to AD-integrated with secure-only updates once you are done. Make sure each DNS server also holds a secondary zone for its partner's zone, so one SBS can locate the other.

* Add each SBS WINS server as a replication partner of the other (so pre-Windows 2000 clients can locate the other domain).

* If you intend to use Windows Server 2003 for the temporary DC, upgrade your SBS AD schema first: run adprep /forestprep followed by adprep /domainprep from the i386 folder of your Windows Server 2003 CD (or a mapped network drive). Make sure you meet the requirements for running adprep (your SBS must be at SP2 or later, or have the required hotfixes; see http://www.petri.co.il/win2003_adprep.htm or, better, http://support.microsoft.com/?scid=331161). I was at SP3 and it worked fine.

* Install the additional server (do not install a DNS server on it; that only slows things down because you then have to wait for DNS replication).

* Make sure the new server uses only the SBS DNS server as its DNS server.

* Run dcpromo and promote it to an additional domain controller of the SBS domain.

At this point you should have two domain controllers in each SBS forest.

Now comes the interesting part.

As you all know, the SBS server is a global catalog and holds all five FSMO roles.

The trick is to move all the roles to your brand new additional DC, do the same in the other domain, establish the trust relationship, transfer the roles back to the SBS servers and demote the temporary servers.

Using ntdsutil, move all five FSMO roles (probably only one of them matters, but I do not know yet which one; I suspect the PDC emulator).

* at the ntdsutil prompt, type the following, one command per line (NEW_DC is the name of the new temporary DC; ntdsutil asks you to confirm each transfer):

  roles
  connections
  connect to server NEW_DC
  quit
  transfer rid master
  transfer pdc
  transfer domain naming master
  transfer infrastructure master
  transfer schema master
  quit
  quit

The first quit leaves the connections submenu and returns you to fsmo maintenance; the last two leave fsmo maintenance and ntdsutil itself.

I also made the new DC a global catalog, just to make sure I did not depend on the SBS 2000 server at all ;)
Of course there are other ways to transfer the FSMO roles, but I like it this way: I come from the Linux world and I like typing :P

Now comes the patience part.

* You have two choices: either wait for normal replication, or initiate it manually. To check what each server knows about the role owners, I used the fsmo.vbs script (found at http://www.microsoft.com/technet/treeview/default.asp?url=/technet/scriptcenter/compmgmt/ScrCM24.asp). For manual replication I used the replmon utility found under the \support\tools folder on the install CD and the Active Directory Sites and Services MMC snap-in.

Basically, reading http://gracie.santarosa.edu/~mckeever/Active%20Directory/Reading/6%20Essential%20Tools%20for%20Troubleshooting%20AD%20Replication.htm should help you get through it.

http://www.winnetmag.com/articles/index.cfm?ArticleID=7429&pg=2 and http://www.netpro.com/forum/messageview.cfm?catid=7&threadid=42 might also be very helpful sources of information.
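The check that matters before going on is not "did the transfer succeed" but "do both DCs agree on who holds the roles", because each DC answers from its own copy of the directory until replication has converged. The script below is an added example, not the fsmo.vbs from the Script Center linked above: it binds to each DC by name (a serverless LDAP:// bind would pick whichever DC it likes), reads the fSMORoleOwner attribute of the five role-holding objects, and reports whether the two answers match. The server names on the command line are placeholders (an assumption, replace them with your SBS and your temporary DC); it needs nothing beyond cscript and ADSI, which both Windows 2000 and 2003 ship with.

```vbscript
' fsmo-check.vbs: compare the five FSMO role owners as seen by two DCs.
' Added example; not the Microsoft fsmo.vbs referred to in the post.
' Usage (names are placeholders):  cscript //nologo fsmo-check.vbs SBS2K NEW_DC
Option Explicit

Dim strDC1, strDC2, dictDC1, dictDC2, strRole, blnAgree

If WScript.Arguments.Count < 2 Then
    WScript.Echo "usage: cscript //nologo fsmo-check.vbs <dc1> <dc2>"
    WScript.Quit 1
End If
strDC1 = WScript.Arguments(0)
strDC2 = WScript.Arguments(1)

' Read one fSMORoleOwner attribute through a specific DC. The value is the DN
' of an NTDS Settings object, e.g.
'   CN=NTDS Settings,CN=SBS2K,CN=Servers,CN=Default-First-Site-Name,CN=Sites,...
' so the second RDN, minus its "CN=" prefix, is the server name.
Function RoleOwner(strDC, strObjectDN)
    Dim objHolder, strNtdsDN
    Set objHolder = GetObject("LDAP://" & strDC & "/" & strObjectDN)
    strNtdsDN = objHolder.Get("fSMORoleOwner")
    RoleOwner = Mid(Split(strNtdsDN, ",")(1), 4)
End Function

' Collect all five roles as seen by one DC into a Dictionary (role -> server).
Function GetRoleOwners(strDC)
    Dim objRootDSE, strDomainNC, strConfigNC, strSchemaNC, objDict
    Set objDict = CreateObject("Scripting.Dictionary")
    ' Bind RootDSE on this DC explicitly so every later read comes from its replica.
    Set objRootDSE = GetObject("LDAP://" & strDC & "/RootDSE")
    strDomainNC = objRootDSE.Get("defaultNamingContext")
    strConfigNC = objRootDSE.Get("configurationNamingContext")
    strSchemaNC = objRootDSE.Get("schemaNamingContext")
    ' Each role's owner is stored on a well-known object in the directory.
    objDict.Add "PDC emulator",         RoleOwner(strDC, strDomainNC)
    objDict.Add "RID master",           RoleOwner(strDC, "CN=RID Manager$,CN=System," & strDomainNC)
    objDict.Add "Infrastructure master", RoleOwner(strDC, "CN=Infrastructure," & strDomainNC)
    objDict.Add "Domain naming master", RoleOwner(strDC, "CN=Partitions," & strConfigNC)
    objDict.Add "Schema master",        RoleOwner(strDC, strSchemaNC)
    Set GetRoleOwners = objDict
End Function

Set dictDC1 = GetRoleOwners(strDC1)
Set dictDC2 = GetRoleOwners(strDC2)

blnAgree = True
For Each strRole In dictDC1.Keys
    WScript.Echo strRole & ": " & strDC1 & " says " & dictDC1(strRole) & _
                 ", " & strDC2 & " says " & dictDC2(strRole)
    If StrComp(dictDC1(strRole), dictDC2(strRole), vbTextCompare) <> 0 Then
        blnAgree = False
    End If
Next

If blnAgree Then
    WScript.Echo "Both DCs agree on all five roles; the transfer has replicated."
Else
    ' Disagreement means replication has not converged yet: wait, or force it
    ' with replmon / Sites and Services and run this again.
    WScript.Echo "The DCs disagree; replication has not converged yet."
    WScript.Quit 2
End If
```

Run it once after the ntdsutil transfer and keep running it until it exits 0, then proceed; run it again (with the roles now expected back on the SBS server) before demoting the temporary DC, since demoting while the two replicas still disagree is exactly the situation in which things vanish later.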

* After you make sure the FSMO roles have transferred to the new DC (and that both DCs agree on it), go and create your trust as you normally would (note: do this operation on the new DC, not on the SBS server!).
(For the really paranoid only: disconnect the SBS DCs from the network before establishing the trust.)

* Transfer the roles back to the SBS server, and wait until both DCs again agree that the SBS server holds all five.

* Demote your temporary DC.

* At this point all your MVP friends will still tell you "no, it's not possible, are you talking about PTA?", and eventually a Microsoft PSS engineer will repeat that "Trust relationships are not supported in any SBS suite (SBS 4.0/4.5/2000/2003)".

But you don't care. You've just created a trust between two Small Business Server 2000 servers, and yes, you can see it working.

5 comments:

gludwig333 said...

How stable is this configuration?

costinel said...

gludwig333,
is stable enough that somehow the page mysteriously COMPLETELY disappeared from Google search results for "sbs trust", when it used to be on the first results page.
is stable enough that the 2008 EULA was modified so you're PREVENTED from doing it:
"You may not work around any technical limitations in the software"
my article is for SBS 2000 and I never had enough time and motivation to test on newer versions; actually I'm requesting feedback and since then I never received a single email.

Unknown said...

Great stuff!

Has anyone done this successfully / can this be done on 2 already existing SBS 2k3 servers which belong to 2 different networks/AD sites and have their own internet/e-mail domain and users & policies configured?

In your example you install a new fresh sbs2003 and run dcpromo to get the 2nd server shown in server administration. What will dcpromo do to my existing different domain config/setup?

Tnx a mill
Regards
Andre

Nishant Kumar said...

I have done it on SBS 2003, but it was in a lab environment. Yes, it can be done on 2 already existing SBS 2k3 domains. Give it a trial in a lab environment.

Unknown said...

Hi, I ran the configuration and was successful to a point. I got the trust up and running but it disappeared later, before I moved the GC and FSMO back to the SBS. Would not moving these roles back be a cause for the trust to disappear on the SBS setup?