Creating a trust relationship between two Small Business Server 2000 domains without breaking the EULA
UPDATE 2: I am Available
UPDATE:
PROOF THAT THIS METHOD IS 100% LEGAL: they have mentioned this in the Vista EULA, and I believe (wanna bet?) the next Windows Server will have this text included in the EULA, too (text from the Vista EULA):
"... rights to use the software. Microsoft reserves all other rights. Unless applicable law gives you more rights despite this limitation, you may use the software only as expressly permitted in this agreement. In doing so, you must comply with any technical limitations in the software that only allow you to use it in certain ways. For more information, see http://www.microsoft.com/licensing/userights. You may not work around any technical limitations in the software;"
As long as this text or something similar was not present in the W2K EULA, I strongly believe this method DOES NOT break your EULA.
Since the original writing of this article my free time has become very short, so testing this under 2003 was always a low priority. I would greatly appreciate any feedback regarding this working or not on SBS 2003!
Original article follows...
One of the limitations 'imposed' by SBS2K is the following one (http://support.microsoft.com/default.aspx?scid=kb;en-us;Q295765):
"The server is a single-domain solution, which is not intended to be integrated with other Windows domains. You are not permitted to establish explicit trusts to other Microsoft Windows NT nor to Active Directory domains. Also, Small Business Server 2000 does not enable you to create child domains."
However, despite those articles on Microsoft's web site and posts by some MVP's and
Note:
Don't take my information as a trusted source. It worked for me, and it might or might not work for you. Whatever consequences should happen because of reading this text, the only one responsible for them is YOU. You agree that I have NO RESPONSIBILITY for what might happen to your box, job or private/public life. If you get fired, your girlfriend leaves you, or your pizza gets burned in your kitchen while you are following the steps exposed below, it's all your fault, not mine.
If you succeed I might accept thanks or comments at costinel (at gmail dot com).
Be aware that the SBS EULA mentions: "1.e Reservation of Rights: Microsoft reserves all rights not expressly granted to you in this EULA". Which means it is your entire responsibility if Microsoft asks you to remove the trust.
What you need is the following:
* A backup solution (in case you mess something up)
* Two Windows 2000 or Windows 2003 servers (I have played with the trial version of Windows 2003 Server, but I think 2000 Server would do the job just fine)
* The 'replmon.exe' utility
* Patience (a lot! especially if you have a slow link between the two SBS's)
Okay, let's begin (make sure you follow the steps below for each domain ;) ):
* Configure your SBS DNS server to allow dynamic updates (you will need this in order to add an additional DC). I have even switched from AD-integrated mode to standard primary to avoid AD replication issues. Make sure each DNS server contains a secondary (slave) zone for its partner's DNS zone, so one SBS can locate the other SBS.
* Add each SBS WINS server as a replication partner of the other (so pre-Windows 2000 clients will be able to locate the other domain).
* If you intend to play with W2K3, upgrade your SBS AD schema (run adprep /forestprep followed by adprep /domainprep from the i386 folder on your W2K3 CD or mapped network drive). Make sure you meet the requirements for running adprep (you need to have your SBS at SP2 level or more, or have the needed patches - see http://www.petri.co.il/win2003_adprep.htm or better http://support.microsoft.com/?scid=331161). I was at SP3 and it worked fine.
* Install the additional server (do not install a DNS server on it; it will make things go slower because you will need to wait for DNS replication).
* Make sure your new server is using only the SBS DNS as its DNS server.
* Go through dcpromo.
At this point you should have two domain controllers in your SBS forest.
Now comes the interesting part.
As you all know, the SBS is a global catalog, and it is handling all 5 FSMO roles. The trick is to move all the roles to your brand new additional DC, do the same within the other domain, establish the trust relationship, transfer the roles back to the SBS's and demote the temporary servers.
Using ntdsutil, move all 5 FSMO roles (I know it might be only one that matters, but I do not know yet which one - I think the PDC emulator?):
* at the ntdsutil prompt, type:
    roles
    connections
    connect to server NEW_DC (where NEW_DC is the name of the new temporary DC)
    quit
    transfer rid master
    transfer pdc
    transfer domain naming master
    transfer infrastructure master
    transfer schema master
    quit
    quit
I have also made the new DC a global catalog, just to make sure I do not depend on SBS2K at all ;)
Of course there are other ways to transfer the FSMO roles, but I like it this way; I come from the Linux world and I like typing :P
Now comes the patience part.
* You have two choices. Either wait for the normal replication, or manually initiate it. To check how each server knows about server roles, I have used the fsmo.vbs script (found at http://www.microsoft.com/technet/treeview/default.asp?url=/technet/scriptcenter/compmgmt/ScrCM24.asp). For manual replication I have used the 'replmon' utility found under the \support\tools folder on the install CD and the Active Directory Sites and Services MMC snap-in.
Basically, reading http://gracie.santarosa.edu/~mckeever/Active%20Directory/Reading/6%20Essential%20Tools%20for%20Troubleshooting%20AD%20Replication.htm should help you get through it.
http://www.winnetmag.com/articles/index.cfm?ArticleID=7429&pg=2 and http://www.netpro.com/forum/messageview.cfm?catid=7&threadid=42 might also be very helpful sources of information.
* After you make sure that the FSMO roles have transferred to the new DC... go and create your trust as you normally would (note: do this operation on the new DC, not on the SBS server!)
(For the really paranoid only: disconnect the SBS DCs from the network before establishing the trust.)
* Transfer the roles back to the SBS.
* Demote your new DC.
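The check-and-transfer part of the procedure above, as an added example that is not the author's code and was not in the original article: the script reads the fSMORoleOwner attribute of the five well-known role objects through ADSI (the same information the article gets from fsmo.vbs), reports which DC holds each role, and with -Transfer runs the article's ntdsutil session non-interactively to hand all five roles to the temporary DC. It assumes PowerShell 2.0 or later on a domain-joined machine, Domain Admin rights (plus Schema and Enterprise Admin for the schema and domain naming roles), that ntdsutil accepts its commands as command-line arguments, and NEW_DC is a placeholder hostname.

```powershell
# Added example (not from the original article): report the holder of each of
# the five FSMO roles and, with -Transfer, move all of them to $TargetDc.
# Assumptions: PowerShell 2.0+, domain-joined, run with Domain/Schema/Enterprise
# Admin rights, ntdsutil "one command per argument" invocation, NEW_DC is a
# placeholder hostname.
param(
    [string]$TargetDc = 'NEW_DC',   # DC that should end up holding all five roles
    [switch]$Transfer               # without this switch the script only reports
)

# fSMORoleOwner holds the DN of the holder's NTDS Settings object:
#   CN=NTDS Settings,CN=<server>,CN=Servers,CN=<site>,CN=Sites,CN=Configuration,...
# so the server name is the second RDN.
function Get-ServerFromNtdsDn([string]$dn) {
    return (($dn -split ',')[1] -replace '^CN=', '')
}

# Returns a hashtable: role name -> hostname of the DC that currently holds it,
# as seen by the DC this machine is bound to.
function Get-FsmoHolders {
    $rootDse  = [ADSI]'LDAP://RootDSE'
    $domainDn = $rootDse.defaultNamingContext.Value
    $configDn = $rootDse.configurationNamingContext.Value
    $schemaDn = $rootDse.schemaNamingContext.Value

    # Each role is recorded on a well-known object in the directory.
    $roleObjects = @{
        'PDC emulator'          = "LDAP://$domainDn"
        'RID master'            = "LDAP://CN=RID Manager`$,CN=System,$domainDn"
        'Infrastructure master' = "LDAP://CN=Infrastructure,$domainDn"
        'Schema master'         = "LDAP://$schemaDn"
        'Domain naming master'  = "LDAP://CN=Partitions,$configDn"
    }

    $holders = @{}
    foreach ($role in $roleObjects.Keys) {
        $obj = [ADSI]$roleObjects[$role]
        $holders[$role] = Get-ServerFromNtdsDn $obj.fSMORoleOwner.Value
    }
    return $holders
}

# True only when every role is held by $server. Replication lag means another
# DC may still report the old holder, so run this against each DC (or force
# replication with replmon) before creating the trust.
function Test-AllRolesHeldBy([string]$server) {
    $holders = Get-FsmoHolders
    $stray = $holders.Keys | Where-Object { $holders[$_] -ne $server }
    return (@($stray).Count -eq 0)
}

# The article's interactive ntdsutil session, one command per argument.
function Move-AllRolesTo([string]$server) {
    $cmds = @(
        'roles',
        'connections',
        "connect to server $server",
        'quit',
        'transfer rid master',
        'transfer pdc',
        'transfer domain naming master',
        'transfer infrastructure master',
        'transfer schema master',
        'quit',
        'quit'
    )
    # ntdsutil still pops up a confirmation dialog for each transfer.
    & ntdsutil.exe @cmds
}

Write-Host 'Current FSMO role holders:'
(Get-FsmoHolders).GetEnumerator() | Sort-Object Name | Format-Table -AutoSize

if ($Transfer) {
    Move-AllRolesTo $TargetDc
    Write-Host 'After transfer:'
    (Get-FsmoHolders).GetEnumerator() | Sort-Object Name | Format-Table -AutoSize
}

if (Test-AllRolesHeldBy $TargetDc) {
    Write-Host "All five roles are on $TargetDc; create the trust from there, then move them back."
} else {
    Write-Host "Not all roles are on $TargetDc yet; wait for replication or force it with replmon."
}
```

Run it once without -Transfer on each DC to see what that DC believes, run it with -Transfer on the temporary DC, then run it again on the SBS box and do not create the trust until both DCs agree that NEW_DC holds all five roles. The same script with -TargetDc set to the SBS name covers the "transfer back" step.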
* At this point all your MVP friends will still tell you "no, it's not possible, are you speaking about
But you don't care. You've just created a trust between two Small Business 2000 Servers, and yes, you see it working.
And yes, wait for Microsoft to contact you and tell you to remove the trust, as it is their right to request it because it is specified in the EULA.
Note: see http://www.microsoft.com/mscorp/downloads/mstmark.rtf for names used in this document.
Good luck!
Costin Gusa
PS: It is left for the reader as an exercise the following task: "Creating trusts between N SBS2K forests"