Solved

Linking windows domains over the internet

Posted on 2010-11-25
36
266 Views
Last Modified: 2012-08-14
Hi,

we have 2 offices, one office runs Windows Server 2003 and the other Small Business Server 2008. We often have to transfer files between both servers, which we currently do via Remote Desktop.

We would like to link the domains so we don't need to use Remote Desktop, I presume this is possible? Would we need to set up a VPN between both servers? It would also be helpful if users could log on at any site and access their email via Exchange. Currently both sites run their own Exchange with different email domain names...

Thanks
0
Comment
Question by:andybrooke
36 Comments
 
LVL 25

Expert Comment

by:Tony1044
You could set up VPN and connect the two sites.

Then you could set up two way trusts between them, but a more elegant way might be to keep an additional domain controller in the remote site, so that services all logon requests etc and only uses the VPN link to resolve back to the main office.

http://support.microsoft.com/kb/323441 <- How to set up in 2003
http://technet.microsoft.com/en-us/network/bb545442.aspx <--2008
0
 
LVL 6

Expert Comment

by:ipajones
Windows Small Business Server doesn't support trust relationships - it's one of the limitations of SBS.  In terms of accessing emails could you use OutlookAnywhere or Outlook Web Access ?
0
 

Author Comment

by:andybrooke
When you say it doesn't support trust relationships, does that mean users will not be able to access files on the other domain? Or do you mean trust for Exchange?
0
 
LVL 25

Expert Comment

by:Tony1044
Just build a domain controller in the remote site. I believe that SBS supports this as long as the second DC doesn't house any FSMO roles.
0
 

Author Comment

by:andybrooke
fsmo?
0
 
LVL 6

Expert Comment

by:ipajones
Yes I'm afraid so.  In order to share any resources between Windows domains you would need to establish Trust Relationships which Tony1044 mentioned in his post.  Because SBS is a limited version of the server OS there is no mechanism for creating the required trust relationship.

Tony1044:  With SBS you can only have 1 DC in a domain and that has to be the first DC in the domain/forest, unless using the Premium edition of SBS, in which case you can only have an additional DC which must also be running SBS.

FSMO = flexible single master operations

0
 
LVL 25

Expert Comment

by:Tony1044
Hmm actually I am just re-reading your original post properly - sorry. Both are SBS environments. That limits the scope of what you can really do.

For a description of FSMO roles in AD, Dan Petri explains it all nicely here: http://www.petri.co.il/understanding_fsmo_roles_in_ad.htm

Your problem is that SBS is designed to be a self-contained environment. It expects to run all AD roles itself and not have any other servers outside of itself.

Because of that, MS restrict what you can and cannot do compared to 'normal' Windows server.

Because both of your servers are SBS, they both expect to have their own little world.

I actually can't see you being able to achieve what you want on SBS. Sorry.
0
 
LVL 25

Expert Comment

by:Tony1044
ipa - not quite right on the DC thing.

You can only have ONE SBS server as a DC but you can have other non-SBS servers as DC's providing they don't hold FSMO roles (GC is ok):

http://blogs.technet.com/b/sbs/archive/2007/10/04/debunking-the-myth-about-additional-domain-controllers-replica-dcs-in-an-sbs-domain.aspx
0
 
LVL 77

Expert Comment

by:Rob Williams
SBS will support as many DC's as you like, but the FSMO roles must remain on the SBS, however you can only have one SBS in a domain. As stated SBS does not support trusts.

You could set up a VPN and access the remote resources without trusts. To do so you have to have an account on the remote Domain Controller and use their login credentials. The trust is much more convenient as you are automatically authorized. Thus ideally you want to add a VPN, demote the remote non-SBS domain controller, and then join it to the SBS domain. This will however remove the existing accounts from the non-SBS Domain controller.
0
 
LVL 25

Expert Comment

by:Tony1044
Rob - that was my initial thoughts but it's blown away by the fact that both domains are SBS. So to do it, he's looking at installing at least two more DC's that are non-SBS.

Given the implementation here, it might be time to consider moving up from SBS?
0
 
LVL 77

Expert Comment

by:Rob Williams
PS- Should you wish to add a second domain controller to an existing SBS 2008 domain

-Make sure the SBS is fully up to date with all patches and service packs
-If the new server has more than one NIC, disable all but one while joining the domain. Once completed you can enable others
-Then point the new servers DNS only to the SBS
-If the second server is 2003 it should work to join the domain using http://connect
-If 2008 or newer join the domain manually using my computer | properties | computer name | change
-in Active Directory move the computer from the Servers OU to the MyBusiness/SBS servers OU
-If you wish the new server to be a domain controller, now you can run DCpromo on the new server. You must use integrated zones when working with SBS. (there are different options in the wizard, just choose defaults and integrated). I would recommend at the same time installing DNS.
-If the new server is a newer version such as Server 2008 R2 or Server 2008, before running DCpromo you first need to run adprep, on the SBS, from the new server CD set to "extend the SBS schema". If the new server is Server 2003 R2 or newer, adprep is located on the second CD under \CMPNENTS\R2\ADPREP\
See: http://www.petri.co.il/windows-server-2008-adprep.htm

You may want to review the following as well:
Add and Manage Additional Servers in a Windows Small Business Server Domain
http://www.microsoft.com/downloads/details.aspx?FamilyID=6f4015f2-7606-4eaa-828a-00b8df6bd999&displaylang=en
0
 
LVL 25

Expert Comment

by:Tony1044
Of course, if the end game is only a desire to share files and email you may want to investigate things like hosted email from Microsoft or Google and some form of cloud based storage that your users can connect into.
0
 
LVL 77

Expert Comment

by:Rob Williams
>>"the fact that both domains are SBS"??
I read; "we have 2 offices one office runs windows server 2003 and the other small business server 2008"
You can still access the remote SBS even if there are two domains. Two SBS servers can actually exist on the same network so long as they are different domains. There are issues with DHCP if doing so, and it is not recommended. However these are separated by a VPN so there would be no problem except inconvenience because they are also on different network segments (subnets).
0
 

Author Comment

by:andybrooke
My post didn't state 2 sbs. There is only 1 small business server 2008. The other site is running windows server 2003 not sbs.
0
 
LVL 77

Expert Comment

by:Rob Williams
To summarize:
1) You can install a VPN, map a drive using credentials (user name and password) for the remote domain, and copy files back and forth. E-mail can be accessed with Outlook Web Access, or rpc/http
2) Ideal: change the 2003 site to have a local domain controller that is a member of the SBS domain.
0
 
LVL 6

Expert Comment

by:ipajones
Rob / Tony - Don't you need the Premium edition of SBS in order to have additional DC's ?
0
 
LVL 25

Expert Comment

by:Tony1044
I apologise. I don't know why I've misunderstood your original post twice now!

Unfortunately, SBS even at one site complicates things.
0
 
LVL 6

Expert Comment

by:ipajones
Following Rob's summary:
**********************
To summarize:
1) You can install a VPN, map a drive using credentials (user name and password) for the remote domain, and copy files back and forth. E-mail can be accessed with Outlook Web Access, or rpc/http
2) Ideal: change the 2003 site to have a local domain controller that is a member of the SBS domain
**********************
Assuming you go down this route be sure to think about how you will replicate AD over the VPN and think about replication schedules etc.  Remember this will have to be a site-2-site VPN not a client-2-site VPN to enable the 2 servers to exist in the same domain.
0
 
LVL 77

Expert Comment

by:Rob Williams
>>"Rob / Tony - Don't you need the Premium edition of SBS in order to have additional DC's ?"
Definitely not.

>>"Unfortunately, SBS even at one site complicates things. "
I completely disagree :-) SBS can make your life very simple, but I agree it can be confusing to work within the few restrictions.

Replication between SBS and a second DC over a VPN is easy to set up, actually quite dependable. Correct though it has to be a site-2-site VPN between 2 VPN routers. They start at $150 each.

SBS is an ideal server for small businesses with multi-site locations. The primary limitation is a total of 75 users.
The remote sites can use less expensive Foundation server as a local DC and file store. It is limited to 15 users. I have yet to see clear licensing explanations though as to whether the foundation server 15 user limitation is locally or a total of 15 users in the domain.
0
 

Author Comment

by:andybrooke
Ok, so I have to do the VPN via hardware like a Draytek router and am unable to use the Windows RAS/VPN function?

Our main office has a windows server 2003 DC. While the second office has SBS 2008, if anyone was unclear on this....
0
 
LVL 25

Expert Comment

by:Tony1044
>>"Unfortunately, SBS even at one site complicates things. "
I completely disagree :-) SBS can make your life very simple, but I agree it can be confusing to work within the few restrictions.

Sorry but I have to disagree (probably because I tend to work in the enterprise arena).

Not so much the technical side of things, granted, but the lack of detailed information and the lack of a reasonable and cost effective migration path out of SBS.

At the very least, in this instance, a lack of trusts is a big problem. Ok there are workarounds but they're all quite costly in the scheme of things (coming at this from a SME perspective - buying new hardware & OS licensing just because a server can't handle a trust).

Hey, I used to work for Microsoft as a messaging consultant and even I get confused by SBS (and MS licensing in general, to be honest).



0
 
LVL 6

Expert Comment

by:ipajones
Yes I know the Draytek Vigor hardware and yes I would set up the site-2-site VPN between the 2 routers.  That way you should be able to create seamless IP connectivity between your 2 servers.  Once that's established, look at pursuing Rob's suggestions.
0
 
LVL 77

Expert Comment

by:Rob Williams
>>"Ok, so I have to do the VPN via hardware like a draytek router and unable to use the windows RAS/VPN function? "
Correct.
It is possible to use RRAS at both sites to create a permanent VPN tunnel, but it is a very lengthy procedure, less secure, and probably as costly in labor as the hardware to use routers. site to site RRAS has not been very popular since Server 2000.

>>"Our main office has a windows server 2003 DC. While the second office has SBS 2008, if anyone was unclear on this.... "
I got that, and all notes assume so.

0
 
LVL 6

Expert Comment

by:ipajones
Tony - yes I agree with you.  The licencing and limitations of what you can / can't do with SBS is definitely confusing.  I certainly remember the days of SBS 2000 and SBS 2003 when it was even more restrictive and that's where I got the "only 1 DC in the domain" thought from.
0
 
LVL 25

Expert Comment

by:Tony1044
So the consensus is a site-site VPN with an additional DC in one of the sites.

But since SBS doesn't support trusts, with the new DC, you will be able to browse to a share and authenticate but the share will reside over the VPN links. Perhaps if you are going down this route, use DFS based shares so the users can get the server closest to them.

DFS is supported in SBS 2008 but there are no inbuilt management tools: http://technet.microsoft.com/en-us/sbs/cc817589.aspx

No one has addressed his nice to have regarding Exchange logon at either site as yet, either. However, once you have the VPN you should be able to just connect to either Exchange server and authenticate to the correct domain. Assuming SBS won't stop that(?)

Outlook anywhere (RPC over HTTP/s) is always an option too once the VPN is in place (again, assuming SBS doesn't stop this?)



0
 
LVL 77

Expert Comment

by:Rob Williams
Tony I agree trusts are the one thing that would be very nice to have with SBS, but there are limitations for a reason.
I also have to agree that understanding Microsoft licensing is totally baffling.

Hard to beat SBS though in a small environment for cost, number of built-in services, RWW, and ease of maintenance.
I think you will find all of the people in the "top experts" list here for SBS come from the "enterprise arena", some more so than others. They will all also admit "embarrassingly" they have crippled their first SBS because they applied enterprise thinking and not looked at SBS limitations, planned carefully within those confines, and used the wizards. Generally people that don't know too much do better with SBS than IT pros :-)


ipajones, SBS 2003 was definitely not limited to 1 DC, and I don't believe 2000 or 4.5 were either. The only limitation has always been SBS must retain the FSMO roles. You can add DC's and member servers as much as you like. I agree it has been a common misconception.

Tony will DFS work without a trust?

SBS does not "stop" rpc/http. It is fully supported and automatically configured during the install. Ideal solution for remote users who are not members of that domain.
0
 
LVL 77

Expert Comment

by:Rob Williams
By the way if both domains have Exchange you can use rpc/http from any where with or without the VPN. However if any clients need to access both Exchange servers you will need to use Outlook 2010 or stick with OWA (OWA is also automatically configured with SBS). Outlook prior to 2010 only supports 1 Exchange domain.
0
 
LVL 25

Expert Comment

by:Tony1044
Oh don't get me wrong - I think SBS is a fabulous product with a very important place within the SME. I wish it were just a bit more flexible with some aspects and a little easier to upgrade from. Also agree on the point about the less IT literate having a better chance. The only time I failed an MS exam it was Windows 2000 Pro. Rather big-headedly I didn't believe I would need to revise (hey - server guy here, how hard can it be?). Had my backside handed to me with a good helping of modesty. Same thing though - some skills just take a bit longer to translate.

In terms of DFS I was thinking: Site-site VPN. New DC in one of the sites. Configure DFS on the existing and new DC's (again - assuming the files are in a share on one of the DC's).

When a user wants a resource, they can point to the DFS share and if they're in the remote domain, they should get prompted for a login and can put in domain\username plus password.

That way, they're authenticating against the remote domain rather than locally, albeit on the 'local' DC and will get access to the server closest to them.

I'm thinking it'd be simpler than trying to remember to batch copy changes and / or copy everything over the VPN links each time you needed them.

Of course, I may have overlooked something there. It's almost going home time here, it's been "one of those days" and I managed to misunderstand on two occasions how many SBS servers the OP actually has(!) which is embarrassing.
0
 
LVL 25

Expert Comment

by:Tony1044
Ah there's a trick for Outlook prior to 2010. A guy wrote a neat little app called ExtraOutlook which bypasses Outlook's "am I already running" check.

If you set up a profile for each user and start ExtraOutlook / Outlook with a profile switch, you can get more than one running on your desktop.

And mail links will still use whatever your default is, which is neat.
0
 
LVL 6

Expert Comment

by:ipajones
Tony - I would just add that if adding the Win2K3 server to the existing 2008 SBS domain then trusts obviously won't be required.

Rob - yes I agree about the cost and benefits of SBS for small business environments.  However, one thing that MS seems to forget is that small businesses need the flexibility to grow and develop into larger environments.  MS doesn't make this transition particularly easy.  The transition pack used to be a good route but is no longer available.

One thing we haven't "bottomed out" here is what happens to the existing Exchange organisation on the Win2K3 server when it's demoted and joined to the SBS 2008 domain?  If you're going down this route you're going to need a strategy as to whether to move the existing users' mailboxes or set up the relevant user accounts in the SBS domain.
--IJ
0
 

Author Comment

by:andybrooke
Thanks for all the input, a lot of reading...lol

So I need to implement a hardware VPN, Draytek router etc... But I would need an extra DC on the SBS site?
0
 
LVL 77

Expert Comment

by:Rob Williams
-You don't need to add any DC's if you can use rpc/http, and are content with a mapped drive and having to enter a user name and password when first connecting (or that can be saved).
-If you want efficiency and you want to maintain two domains, which I don't recommend, you want to add a DC at both sites replicated with the other site
-Long term my recommendation is changing the existing 2003 DC to be a DC for the SBS domain. However you have to address Exchange. SBS can handle multiple domains if you want to go that route and have it as the only Exchange server.
0
 
LVL 6

Accepted Solution

by:
ipajones earned 500 total points
I think if I dare to summarise all the posts, the consensus was something like...

1.  Setup a site-2-site VPN using your Draytek routers

2.  Establish IP connectivity through the VPN, basically make sure the 2 local IP subnets can communicate

3.  You should then be able to map to shared resources using the appropriate user credentials for the originating domain. i.e. from win2k3 domain machine:
at a command prompt:  net use * \\win2k8sbsserver\share /user:win2k8domain\user

4. Once the VPN is established should be able to setup Outlook profiles putting in the appropriate user credentials to enable access to users email irrespective of location.  You could also use either OutlookAnyWhere or Outlook Web Access for users to access their emails.

If you're going to consolidate to just the 1 domain I would strongly recommend creating a separate new DC (at the Win2K3 server site) and joining this to the 2008 SBS domain - the reason being it will assist with the migration process allowing you to establish a single domain across the 2 sites without risking any downtime.  You'll also need to plan your strategy for what to do with your existing Win2K3 users and consider the following points:

- How to migrate users from the existing Win2K3 domain onto the SBS 2008 domain
- How to maintain access to the Exchange server mailboxes that exist on the Win2K3 server
OR how to move the mailboxes from the existing Win2K3 exchange server to the SBS2008 exchange server (if moving them you'll need to look at "exmerge")
- Ensure that AD replication is properly setup between the 2 DC's in the 2008 SBS domain
- Make sure DNS is installed on the new DC and replicates successfully with DNS on the SBS 2008 server (this should be automatic as long as AD replication is working)
- Make sure you setup each site and IP subnet within AD sites and services to create a proper replication topology between the 2 sites

Finally, once you've established your single domain across the 2 sites, migrated users etc, you can then add the existing Win2K3 server to the SBS2008 domain.  You can make it a DC or just leave it as a member server depending on your requirements.

Also, remember you could just add the existing Win2K3 server to the SBS2008 domain, but you'll need a clear plan that you're confident will work, otherwise there may be downtime for users who rely on resources in the current Win2K3 domain.

Good luck!
--IJ
0
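The checks behind steps 2 and 3 of the summary above (IP connectivity through the tunnel, then mapping a share with explicit credentials for the remote domain because there is no trust), followed by the post-join checks that Rob Williams' second-DC steps earlier in the thread rely on (DNS pointing at the SBS, replication, FSMO placement, AD sites and subnets). This is an added PowerShell 2.0-era script, not code from the thread or from any of its participants; the server name, LAN address, share name and account below are constructed placeholders and must be replaced with your own values.

```powershell
# Added example, not from the original thread. Run on a machine at the Windows
# Server 2003 site once the site-to-site VPN between the two routers is up.
# Every name/address below is a constructed placeholder.
$SbsServer  = 'win2k8sbsserver'     # SBS 2008 server at the remote site (placeholder)
$SbsLanIp   = '192.168.20.2'        # its LAN address behind the remote router (placeholder)
$ShareName  = 'share'               # share published on the SBS (placeholder)
$RemoteUser = 'win2k8domain\user'   # account that exists in the SBS domain (placeholder)

# --- Step 2: IP connectivity through the tunnel -------------------------------
# Ping the remote LAN address, not the remote router's public address: only the
# LAN address proves the site-to-site tunnel and the routes on both sides work.
if (-not (Test-Connection -ComputerName $SbsLanIp -Count 2 -Quiet)) {
    Write-Error "No reply from $SbsLanIp over the VPN; check the tunnel and the routes for both subnets"
    return
}
# ICMP alone is not enough for file sharing; SMB (TCP 445) must pass the tunnel too.
$tcp = New-Object System.Net.Sockets.TcpClient
try   { $tcp.Connect($SbsLanIp, 445); $smbOpen = $tcp.Connected }
catch { $smbOpen = $false }
finally { $tcp.Close() }
if (-not $smbOpen) {
    Write-Error "TCP 445 to $SbsLanIp is blocked; a mapped drive will fail even though ping works"
    return
}

# --- Step 3: map the share with credentials from the remote (SBS) domain -------
# Same command as in the summary. The trailing * makes net use prompt for the
# password so it never lands in the script, the command line or shell history.
net use * "\\$SbsServer\$ShareName" /user:$RemoteUser * /persistent:no
net use   # lists the new mapping and the remote path it points to

# --- After the second DC at the 2003 site has joined the SBS domain ----------
# Run these on the new DC. During the join its DNS must point only to the SBS.
Get-WmiObject Win32_NetworkAdapterConfiguration -Filter 'IPEnabled = TRUE' |
    Select-Object Description, DNSServerSearchOrder

repadmin /replsummary      # replication health between the SBS and the new DC
netdom query fsmo          # all five roles must still show the SBS server
dsquery site               # one site per office ...
dsquery subnet             # ... with each office's subnet attached to its site
```

The `net use` mapping is deliberately non-persistent: a remembered mapping with saved credentials for the other domain is the convenience Rob mentions, but it also means anyone who sits at that workstation has a path into the remote domain with those rights, so keep such saved mappings to accounts with least privilege on the share. Checking TCP 445 separately matters because many site-to-site VPN routers allow ping by default while filtering file-sharing ports.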
 
LVL 95

Expert Comment

by:Lee W, MVP
> I think you will find all of the people in the "top experts" list here for SBS come from the "enterprise arena",
> some more so than others. They will all also admit "embarrassingly" they have crippled their first SBS
> because they applied enterprise thinking and not looked at SBS limitations, planed carefully within those
> confines, and used the wizards. Generally people that don't know too much do better with SBS than ITpro's :-)

Talking about me again!  (or am I just being arrogant assuming I'm a top expert?)  - KIDDING.

But yes, I was one of those people who managed 30+ Windows servers for a large company and the first SBS I set up I royally messed up because I thought it was "just" a bundling of Exchange and Server.  It's not.  It's a customized product that USES Exchange and Server.  And it's VERY stable and easy for non-admins provided it's set up as it was intended.  I've been using it for a while now and learning much about it.  To summarize/restate what Rob has said and clarify some follow up comments that I've seen posted by others:

1.  SBS supports multiple DCs (and multiple servers) with no problem.  The restriction - and probably what led to the misunderstanding is that SBS only supports ONE SBS server in a domain.  This is because the FSMO roles MUST be on the SBS server and since you cannot have two servers hosting the same FSMO roles, you CANNOT have two SBS servers in one domain.  BUT, that doesn't cause any problems for having other DCs in the domain so long as they aren't asked to hold any FSMO roles.  [This restriction and the capability has been present since at least SBS 2000]

2.  SBS cannot have trusts.  To me, this makes sense.  It can be irritating for an Enterprise guy like myself, but it makes sense.  If SBS supported trusts, it would be easy for a much larger company to save thousands by implementing it on a per-department basis or for branch offices.  The cost of SBS is MUCH less than the combined costs of the standard products and it's less because smaller companies often need a smaller price to implement these things or they simply won't (and Microsoft would rather have a discounted sale than no sale at all).  At least, that's my understanding of the MS logic.

3. The SBS server itself cannot be a Terminal Server. This is from SBS 2003 and on and is just good sense.  Making a DC AND an Exchange server your Terminal Server is a great way to bring down the entire network when someone gets infected with a virus or something.  You can add a terminal server, it just can't be your terminal server.

4. 75 CAL limit (best way to put that, I think).  if you've got 225 employees working 3 shifts and only ever logging in from company computers, then your SBS server, using DEVICE CALs, can have 225 users and be perfectly legal.  Again, there has to be a cut off.  Now, this is the one area I think Microsoft has done a poor job with.  The transition pack was good, but that's not available for 2008.  EBS was a good idea, but clearly not handled properly. (incidentally - the limit was 50 CALs in SBS 2000)

5.  FOUNDATION Server.  Is confusing - I asked this on a mailing list with Microsoft folks and while it was clarified to some extent, subsequent behavior seems to contradict their explanation, at least in some cases.  Basically, Foundation is designed to be used in networks of 15 or fewer users.  Built-in accounts do NOT count towards this limit, but user created accounts do.  I have seen, when adding a Foundation server to an existing network that had more than 15 users (didn't realize it was Foundation until after joining the domain), it warned me that I was in violation of the EULA because the domain has more than 15 users.  SITES should not matter.  Now here's the confusing part.  I went to another site where they had a foundation server installed and working with 20+ user accounts and no warnings.  So frankly, I don't know what to make of it.

What would I do here?  I'd consolidate into the SBS domain and create a second DC, joining the two sites via a hardware VPN.
0
 
LVL 77

Expert Comment

by:Rob Williams
Nicely stated Lee!
--Rob
0
 
LVL 25

Expert Comment

by:Tony1044
Very nice summarisations and I have to say a nicely toned, and I believe helpful (all around) topic.

Hopefully this has helped to answer the original questions, but we may have gone off at the odd tangent in our 'round table' discussions of SBS, so please feel free to ask if you require more details.
0