sbs2000 domain trusts workround

sbs2000 domain trusts workround

Post by Keit » Fri, 12 Apr 2002 19:45:48



I hope this may be of use to some of you.

We have found out that by installing windows 2000 server (not the one that
comes with the sbs disc but an original version) you can make it a member
domain controler of the sbs domain which then copies the active directory
from the sbs to the win2000 server. After this has been done you can the set
up trusts on the win2000 server (not the sbs) for your domain, this then
replicates to the SBS. And hey presto you have trusts on the SBS. From there
security shows any domain that is trusted.

 
 
 

sbs2000 domain trusts workround

Post by Grey Lancaster [MS MVP SBS » Fri, 12 Apr 2002 21:42:59


Okay? and how does this affect the SBS licensing?

--

Grey
MVP SBS

Quote:> I hope this may be of use to some of you.

> We have found out that by installing windows 2000 server (not the one that
> comes with the sbs disc but an original version) you can make it a member
> domain controler of the sbs domain which then copies the active directory
> from the sbs to the win2000 server. After this has been done you can the
set
> up trusts on the win2000 server (not the sbs) for your domain, this then
> replicates to the SBS. And hey presto you have trusts on the SBS. From
there
> security shows any domain that is trusted.


 
 
 

sbs2000 domain trusts workround

Post by Keit » Fri, 12 Apr 2002 21:53:54


What area of the licensing do you mean?



> Okay? and how does this affect the SBS licensing?

> --

> Grey
> MVP SBS


> > I hope this may be of use to some of you.

> > We have found out that by installing windows 2000 server (not the one
that
> > comes with the sbs disc but an original version) you can make it a
member
> > domain controler of the sbs domain which then copies the active
directory
> > from the sbs to the win2000 server. After this has been done you can the
> set
> > up trusts on the win2000 server (not the sbs) for your domain, this then
> > replicates to the SBS. And hey presto you have trusts on the SBS. From
> there
> > security shows any domain that is trusted.

 
 
 

sbs2000 domain trusts workround

Post by Jame » Fri, 12 Apr 2002 22:40:36



Quote:> What area of the licensing do you mean?

I think the implication was that you'll break the terms of the SBS2000 EULA
if you start using a "work around" to set up trusts - one of the reasons SBS
is cheap compared to the full suite of products is that it doesn't support
trusts...

James

 
 
 

sbs2000 domain trusts workround

Post by Dave Stoecke » Sat, 13 Apr 2002 02:04:09


I can hear the M$ Police sirens in the distance...  ; )



> Okay? and how does this affect the SBS licensing?

> --

> Grey
> MVP SBS


> > I hope this may be of use to some of you.

> > We have found out that by installing windows 2000 server (not the one
that
> > comes with the sbs disc but an original version) you can make it a
member
> > domain controler of the sbs domain which then copies the active
directory
> > from the sbs to the win2000 server. After this has been done you can the
> set
> > up trusts on the win2000 server (not the sbs) for your domain, this then
> > replicates to the SBS. And hey presto you have trusts on the SBS. From
> there
> > security shows any domain that is trusted.

 
 
 

sbs2000 domain trusts workround

Post by Jeff Middleton [SBS-MVP » Sat, 13 Apr 2002 06:20:02


I don't mean to put my head in the sand, but I don't think this actual will
work.  I think that if the SBS is properly installed, its the host for the
Catalog role and it's not going to share the Catalog with another domain,
and it's not going to allow a foreign DC to gain access to a DC in it's own
domain. I've not tried the break through this, but this is the understanding
I have about how the domain trust mechanisms work.


> I can hear the M$ Police sirens in the distance...  ; )



> > Okay? and how does this affect the SBS licensing?

> > --

> > Grey
> > MVP SBS


> > > I hope this may be of use to some of you.

> > > We have found out that by installing windows 2000 server (not the one
> that
> > > comes with the sbs disc but an original version) you can make it a
> member
> > > domain controler of the sbs domain which then copies the active
> directory
> > > from the sbs to the win2000 server. After this has been done you can
the
> > set
> > > up trusts on the win2000 server (not the sbs) for your domain, this
then
> > > replicates to the SBS. And hey presto you have trusts on the SBS. From
> > there
> > > security shows any domain that is trusted.

 
 
 

sbs2000 domain trusts workround

Post by Keit » Sat, 13 Apr 2002 19:48:31


Let me explain this a bit further, the win2000 server is used as a terminal
server and properly licenced the same as the SBS. The fact that you can set
up trusts on a full version of win2000 server and this then replicates to
the SBS is not realy a workround but a fact that MS software allows it and
does it of its own accord. I have tried it and it works apart from the fact
that you can only join the domain on the win2000 machine not the SBS. Apart
from that all permissions of users etc can be added to both machines (The
replication process automaticaly put the trusts on the SBS and had nothing
to do with me trying to add it).
Forgive me if I have done something wrong in the eyes of MS but there
software did it not me.


> I don't mean to put my head in the sand, but I don't think this actual
will
> work.  I think that if the SBS is properly installed, its the host for the
> Catalog role and it's not going to share the Catalog with another domain,
> and it's not going to allow a foreign DC to gain access to a DC in it's
own
> domain. I've not tried the break through this, but this is the
understanding
> I have about how the domain trust mechanisms work.



> > I can hear the M$ Police sirens in the distance...  ; )



> > > Okay? and how does this affect the SBS licensing?

> > > --

> > > Grey
> > > MVP SBS


> > > > I hope this may be of use to some of you.

> > > > We have found out that by installing windows 2000 server (not the
one
> > that
> > > > comes with the sbs disc but an original version) you can make it a
> > member
> > > > domain controler of the sbs domain which then copies the active
> > directory
> > > > from the sbs to the win2000 server. After this has been done you can
> the
> > > set
> > > > up trusts on the win2000 server (not the sbs) for your domain, this
> then
> > > > replicates to the SBS. And hey presto you have trusts on the SBS.
From
> > > there
> > > > security shows any domain that is trusted.

 
 
 

sbs2000 domain trusts workround

Post by Jeff Middleton [SBS-MVP » Sat, 13 Apr 2002 22:35:38


Hey, we're all consumers here and we pride ourselves upon defiant pursuit of
facts, ferreting out quirks, tweaks, and workarounds, and
particularly.....identifying hacks of the MS license technology.  Did I
mention we all post under assumed names?

I think I follow what you are saying, and I accept that you are saying that
all you did was "click stuff in the interface and it happened".  I
personally have no concerns for what you are suggesting, and if it does
that, I guess it does that, but I didn't think it would do that.  However, I
have so little need for such a feature that I'm not particularly interested
in even testing it.  I just didn't think that you could expose the Catalog
Server that way, though I do know that transient trust can allow a behavior
similar to what you are describing, but I didn't think that SBS would allow
that to happen.

I do want to make sure I understand what you are saying, though. You have an
SBS domain, you add a W2K server to the SBS domain and then promote it to be
a DC in the SBS domain? From there, you are able to establish a trust from
the DC to a different domain?

BTW, I would observe to you that "the server let me do it" isn't going to be
a valid defense if you were to be audited.  As a comparison, you can use NT
Backup to restore an image of a workstation onto another drive, then
continue to run both as two machines instead of one, but that doesn't mean
the licensing has been violated. Please don't think I'm lecturing on this,
I'm just pointing out that 90% of licensing enforcement is based upon trust
and commitment to an agreement, and the balance of "mechanisms" are really
not the significant points.  The intent to be license compliant is far more
important than anything else if it comes to an investigation.


> Let me explain this a bit further, the win2000 server is used as a
terminal
> server and properly licenced the same as the SBS. The fact that you can
set
> up trusts on a full version of win2000 server and this then replicates to
> the SBS is not realy a workround but a fact that MS software allows it and
> does it of its own accord. I have tried it and it works apart from the
fact
> that you can only join the domain on the win2000 machine not the SBS.
Apart
> from that all permissions of users etc can be added to both machines (The
> replication process automaticaly put the trusts on the SBS and had nothing
> to do with me trying to add it).
> Forgive me if I have done something wrong in the eyes of MS but there
> software did it not me.


> > I don't mean to put my head in the sand, but I don't think this actual
> will
> > work.  I think that if the SBS is properly installed, its the host for
the
> > Catalog role and it's not going to share the Catalog with another
domain,
> > and it's not going to allow a foreign DC to gain access to a DC in it's
> own
> > domain. I've not tried the break through this, but this is the
> understanding
> > I have about how the domain trust mechanisms work.



> > > I can hear the M$ Police sirens in the distance...  ; )


message

> > > > Okay? and how does this affect the SBS licensing?

> > > > --

> > > > Grey
> > > > MVP SBS


> > > > > I hope this may be of use to some of you.

> > > > > We have found out that by installing windows 2000 server (not the
> one
> > > that
> > > > > comes with the sbs disc but an original version) you can make it a
> > > member
> > > > > domain controler of the sbs domain which then copies the active
> > > directory
> > > > > from the sbs to the win2000 server. After this has been done you
can
> > the
> > > > set
> > > > > up trusts on the win2000 server (not the sbs) for your domain,
this
> > then
> > > > > replicates to the SBS. And hey presto you have trusts on the SBS.
> From
> > > > there
> > > > > security shows any domain that is trusted.

 
 
 

1. SBS2000 Domain Trusts

NT4 Domain w/ Exchange 5.5 -> SBS2000

     A client of mine has an existing NT4 domain and has
been using Exchange 5.5 for quite some time.  My basic
problem is that the server is reporting that it doesn't
support setting up trusts between domains. Is their a
workaround for this?
     I need to migrate all of their account info over to
their new SBS2000, and I've read all the docs that I can
find on the Exchange Migration tool and the Active
Directory Migration Tool.  The Exchange Migration tool
doesn't work correctly because the new mailboxes have
their security settings messed up since the old domain was
NT4.  (That is a known limitation.)  And the solution of
using the Active Directory Migration tool won't work since
I can't initiate a trust between the old and new domains.  
     Migrating their existing mailboxes and old messages
is critical.  Are their any other ways to move this data?
     My only other idea is to bring a temporary full Win2K
server up, perform the full migration then just do an
Exchange migration between the SBS and the 2K servers
since that is supported.  The other stuff I'll just have
to do by hand, but since there are only 10 users it isn't
a big deal.
     Any thoughts would be greatly appreciated.

2. NAT router can modify arbitrary data in TCP data segment?

3. samba domain authentication and trusted domains

4. Error uninstalling with GACUTIL

5. Adding ID from NT4 Trusted domain to W2K Domain through LDAP Provider and vbscript

6. SUN compatible CD-ROM

7. Trust between SBS2000 and W2k server

8. X on Intel-based Unix Frequently Asked Questions [FAQ]

9. Can a NT2000 server join a SBS2000 domain as an additional domain controller?

10. Normal NT4 domain upgrade to SBS2000 Domain

11. Windows 2000 Domain migration to SBS2000 domain

12. Trust relationship in SBS2000

13. SBS2000 & ISP & DNS Domain Name & Netbios Domain Name