Creating a trust relationship between two Small Business Server 2000 domains

Creating a trust relationship between two Small Business Server 2000 domains

One of the limitations 'imposed' by SBS2k is the following one (http://support.microsoft.com/default.aspx?scid=kb;en-us;Q295765) :

"The server is a single-domain solution, which is not intended to be integrated with other Windows domains. You are not permitted to establish explicit trusts to other Microsoft Windows NT nor to Active Directory domains. Also, Small Business Server 2000 does not enable you to create child domains."

However, despite those articles on Microsoft's web site and posts by some MVP's and PSS's on Microsoft's newsgroups, I have successfully created a trust relationship between two Windows Small Business 2000 Servers.

Note: Don't take my information as a trusted source. It worked for me, and it might or might not for you. Whatever consequences should happen because of reading this text, the only responsible for them is YOU. You agree that I have NO RESPOSIBILITY about what might happen to your box, job or private/public life. If you get fired, your girlfriend leaves you, your pizza gets burned in your kitchen while you are following steps exposed below, it's all your fault, not mine.

If you succeed I might accept thanks or comments at costin (at nextbyte dot ro

Be aware that SBS EULA mentions: "1.e Reservation of Rights: Microsoft reserves all rights not expressly granted to you in this EULA". Which means it is your entire responsibility if Microsoft asks you to remove the trust.

What you need is the following:

A backup solution (in case you mess up with something)
Two windows 2000 or windows 2003 servers (I have played with the trial version of windows 2003 server, but I think 2000 srv would do the job just fine)
The 'replmon.exe' utility
Patience (a lot ! especially if you have a slow link between the two SBS's)

Okay, let's begin (Make sure you follow the steps below for each domain ;) ) :

Configure your SBS DNS server to allow dynamic updates (you will need this in order to add an additional dc) - I have even switched from ad-integrated mode to standard primary to avoid ad replication issues. Make sure each DNS server contains a slave zone for it's partner DNS zone, so one SBS can locate the other SBS
Add each SBS WINS server as a replicating partner (so pre-windows 2000 clients will be able to locate the other domain)
If you intend to play with w2k3, upgrade your SBS ad schema (run adprep /forestprep followed by adprep /domainprep from the i386 folder on your w2k3 cd or mapped network drive). Make sure you meet requirements for running adprep (you need to have your SBS at sp2 level or more, or have the needed patches - see http://www.petri.co.il/win2003_adprep.htm or better http://support.microsoft.com/?scid=331161). I was in sp3 and it worked fine
Install the additional server (do not install a DNS server, it will make things go slower because you will need to wait for DNS replication)
Make sure your new server is using only SBS DNS as it's DNS server
Go through dcpromo

At this point you should have two domain controllers in your SBS forest

Now comes the interesting part.

As you all know, the SBS is a global catalog, and it is handling all 5 FSMO roles.

The trick is to move all the roles to your brand new additional dc, do the same within the other domain, establish the trust relationship, transfer the roles back to SBS's and demote the temporary servers.

Using ntdsutil, move all 5 FSMO roles ( i know it might be only one that matters, but do not know yet which one - I think the PDC Emulator ?)

at ntdsutil prompt, type:
roles
connections
connect to server NEW_DC (where NEW_DC is the name of the new temporary dc)
quit
transfer rid master
transfer PDC
transfer domain naming master
transfer infrastructure master
transfer schema master
quit
quit

I have also made new dc a global catalog, just to make sure I do not depend on SBS2k at all ;)

Of course there are other ways to transfer the FSMO roles, but I like it this way, I come from linux world and I like typing :P

Now comes the patience part

You have two choices. Either wait for the normally replication, or manualy initiate it. To check how each server knows about server roles, I have used the FSMO.vbs script (found at http://www.microsoft.com/technet/treeview/default.asp?url=/technet/scriptcenter/compmgmt/ScrCM24.asp). For manual replication I have used the 'replmon' utility found under \support\tools folder on the install cd and Active Directory Sites and Services mmc snap-in.
Basically, reading http://gracie.santarosa.edu/~mckeever/Active%20Directory/Reading/6%20Essential%20Tools%20for%20Troubleshooting%20AD%20Replication.htm should help you get through it.
http://www.winnetmag.com/articles/index.cfm?ArticleID=7429&pg=2 and http://www.netpro.com/forum/messageview.cfm?catid=7&threadid=42 might also be very helpful sources of information
After you make sure that the FSMO roles have transferred to the new dc... go and create your trust as you normally would (note: do this operation on the new dc... not on SBS server!)
(For the really paranoid only: disconnect the SBS dc's from network before establishing the trust)
Transfer back the roles to SBS
Demote your new dc

At this point all your MVP friends will still tell you "no, it's not possible, are you speaking about PTA ?" and eventually a Microsoft PSS will repeat saying that "Trust relationship is not supported in any SBS suites (SBS 4.0/4/5/2000/2003)"

But you don't care. You've just created a trust between two Small Business 2000 Servers, and yes, you see it working.

And yes, wait for Microsoft to contact you and tell you to remove the trust as it is their right to request it because it is specified in the EULA.

Note: See http://www.microsoft.com/mscorp/downloads/mstmark.rtf for names used on this document

Good luck !
Costin Gusa

PS: It is left for the reader as an exercise the following task: "Creating trusts between N SBS2k forests"