Bring SBS 2011 Exchange DC into existing Win2k8 domain w/Exchange 2013

Hi, all!  Current system is an AD domain w/ Win2k12 & Win2k8 DCs, existing Ex2013 DAG with all the extras (DHCP, VM, DNS, etc.) w/ multiple subnets (including the 10.1.1.x subnet; more later).  We are about to "inherit" an existing SBS 2011 DC with Exchange 2010 server, all functional in a different site.   This SBS is config'd on 10.1.1.x itself.

We need to be able to make this server available to certain users on our current subnets.  We plan to export all Ex2010 mailboxes while the box is stand-alone, and then disable Ex2010 on it.  But it still needs to be accessible for a few months.

1. Promoting/reinstalling this SBS DC into the existing domain is not an option; this server will be decommissioned in months, and we're not about to alter our production multi-site domain for this one server.
2. Access it via RRAS/MSTSC?
3. Cannot install a second NIC in an SBS 2011 server
4. Cannot establish a domain trust with an SBS server

I'm guessing I need to get this config'd to allow remote access to give my local subnet users access to it.  Any suggestions on how I can accomplish this?  I can dig up a router to join the two subnets, and I'm assuming I need to change the IP address on the SBS server after disabling all relevant domain services.

Has anyone done this?  Interested in actual experience more than theoretical configurations.
Thanks!
SteveInReno

ps: on a side note I've been trying to locate an ISO to install a trial of SBS 2011; anyone know if that's still available from MS?  I am not a TechNet subscriber.
Asked by Steve Bottoms, Sr Network Admin
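The mailbox export the original post describes ("export all Ex2010 mailboxes while the box is stand-alone") is normally done with the Mailbox Replication service export cmdlets that SBS 2011's Exchange 2010 SP1 ships with. The following is an added example, not code from the thread: it assumes a hypothetical export share `\\SBS2011\PSTExport` and admin account `CONTOSO\exadmin`, and is meant to be run in the Exchange Management Shell on the SBS server before it is disconnected from its old site.

```powershell
# Added example (not from the thread): bulk-export every Exchange 2010 mailbox to PST
# before the SBS box is moved. Run from the Exchange Management Shell on the SBS server.
# Hypothetical names: export share \\SBS2011\PSTExport, admin account CONTOSO\exadmin.
# Written for PowerShell 2.0, which is what SBS 2011 / Exchange 2010 SP1 ship with.

$ExportShare = '\\SBS2011\PSTExport'   # must be a UNC path; local drive letters are rejected
$Admin       = 'CONTOSO\exadmin'

# 1. "Mailbox Import Export" is granted to nobody by default, not even Organization Management.
$assigned = Get-ManagementRoleAssignment -Role 'Mailbox Import Export' -RoleAssignee $Admin -ErrorAction SilentlyContinue
if (-not $assigned) {
    New-ManagementRoleAssignment -Role 'Mailbox Import Export' -User $Admin
    Write-Warning 'Role assigned; close and reopen the Exchange Management Shell, then rerun this script.'
    return
}

# 2. Queue one export request per user mailbox. The PST is written by the Mailbox Replication
#    service, so the share must grant Read/Write to "Exchange Trusted Subsystem", not just to $Admin.
$mailboxes = Get-Mailbox -ResultSize Unlimited -RecipientTypeDetails UserMailbox
foreach ($mbx in $mailboxes) {
    $pst = Join-Path $ExportShare ("{0}.pst" -f $mbx.Alias)
    New-MailboxExportRequest -Mailbox $mbx.Identity -FilePath $pst -Name ("Export-{0}" -f $mbx.Alias)
}

# 3. Wait until nothing is still Queued or InProgress, then review every request's status.
do {
    Start-Sleep -Seconds 60
    $pending = Get-MailboxExportRequest |
        Where-Object { $_.Status -eq 'Queued' -or $_.Status -eq 'InProgress' }
} while ($pending)

Get-MailboxExportRequest | Get-MailboxExportRequestStatistics |
    Select-Object Name, Status, PercentComplete, EstimatedTransferSize, Message |
    Format-Table -AutoSize

# 4. Only once every request reports Completed (check for Failed ones first), clear the
#    request objects. The PST files themselves stay on the share.
Get-MailboxExportRequest -Status Completed | Remove-MailboxExportRequest -Confirm:$false
```

Keep the PSTs off the SBS box itself (a separate file server or NAS on the production side) so that nothing of value is lost when the server is later decommissioned, and copy the share's ACL down to the minimum once the export has finished, since a world-readable folder of PSTs is a complete copy of the mail store.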
arnold commented:
Since you are using the same IP segments, you are in a difficult situation.
Depending on your firewall, you could establish a site-to-site VPN with IP overlay such that the VPN will see one as 172.16.0.0/24 while the other will be 172.17.0.0/24, as an example.
This way, if you are on the SBS side and need access to the other, you would use the 172.17.0.x IP to hit the respective 10.1.1.x IP, and the same is true in reverse.

"Site to site VPN with IP overlap"
Steve Bottoms, Sr Network Admin (Author) commented:
We're using a SonicWall 240 as our primary firewall/gateway/router on-premises, so my next question is about the configuration of SonicWall VPNs or subnets.  I'm curious if this will work, and whether it's sufficient isolation of the SBS DC so it won't be an issue on our main Win2k12 domain.

Working on the assumption that I change the IP address on the foreign SBS server to a subnet that is not currently in use on our LAN, can I:
1) Create a new VLAN on the SonicWall *specifically* for the SBS 2011 domain/server?  Is that actually enough segregation of the two domains to be separate "distinct" entities on the network?
2) Can I join a couple of existing workstations (on their own VLANs as necessary for daily operations) to that new VLAN to access the SBS server "in isolation"?  Will that cause access issues for those workstations because they're already part of our existing Win2k12 domain?  Presumably it'll only be accessed via UNC or IP address.
3) Since I can't disable DNS on the SBS domain controller, is an operating DNS on the SBS DC a concern?

Any thoughts welcome as I try to work this issue out.  Thanks!
SteveInNV
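Whether a SonicWall VLAN plus firewall rules is "enough segregation" (questions 1 to 3 above) is something you can measure from a production workstation rather than assume. The script below is an added example, not from the thread: it uses hypothetical values (SBS box at 172.16.15.10 on the isolated VLAN, SBS domain `sbslegacy.local`, production domain `corp.example.com`) and checks that SMB to the SBS box works by IP/UNC while the SBS DC's DNS, Kerberos and LDAP ports are blocked and the workstation's DC locator and DNS client never touch it. It uses only .NET sockets, WMI and nltest, so it runs on Windows 7 era clients without the newer networking cmdlets.

```powershell
# Added example (not from the thread): run on a production-domain workstation to confirm the
# SBS DC is reachable over SMB only and takes no part in this client's DNS or DC discovery.
# Hypothetical values: SBS at 172.16.15.10 on the isolated VLAN, SBS domain sbslegacy.local,
# production domain corp.example.com.

$SbsIp      = '172.16.15.10'
$SbsDomain  = 'sbslegacy.local'
$ProdDomain = 'corp.example.com'

# TCP connect test with a timeout; avoids Test-NetConnection, which older clients lack.
function Test-TcpPort {
    param([string]$Target, [int]$Port, [int]$TimeoutMs = 2000)
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        $async = $client.BeginConnect($Target, $Port, $null, $null)
        if (-not $async.AsyncWaitHandle.WaitOne($TimeoutMs)) { return $false }
        $client.EndConnect($async)
        return $true
    } catch {
        return $false
    } finally {
        $client.Close()
    }
}

# 1. Expected OPEN: SMB (445), the one thing the inter-VLAN firewall rule should permit.
"SMB 445 to $SbsIp : " + $(if (Test-TcpPort $SbsIp 445) { 'OPEN' } else { 'BLOCKED (check firewall rule)' })

# 2. Expected blocked: DNS, Kerberos and LDAP on the SBS DC. If these answer from the production
#    VLAN, a mis-set DNS server or a stray domain join can start using the SBS DC.
foreach ($p in 53, 88, 389) {
    "Port $p to $SbsIp : " + $(if (Test-TcpPort $SbsIp $p) { 'OPEN (tighten the rule)' } else { 'blocked' })
}

# 3. Every DNS server on this client must be a production DC; the SBS box must never appear.
$dnsServers = Get-WmiObject Win32_NetworkAdapterConfiguration -Filter 'IPEnabled=TRUE' |
    ForEach-Object { $_.DNSServerSearchOrder }
if ($dnsServers -contains $SbsIp) {
    Write-Warning "SBS DC $SbsIp is configured as a DNS server on this client!"
} else {
    "DNS servers: $($dnsServers -join ', ') (SBS DC not present)"
}

# 4. DC locator should find a production DC and should fail for the SBS domain.
nltest /dsgetdc:$ProdDomain | Select-String 'DC:'
nltest /dsgetdc:$SbsDomain 2>&1 | Select-String 'Status|DC:'
```

Because the two domains share no trust, a UNC connection from a production workstation will prompt for SBS credentials; map it explicitly (`net use \\172.16.15.10\share /user:SBSDOMAIN\user`) rather than letting Windows retry the production account, which otherwise shows up as failed logons in the SBS security log.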
arnold commented:
Here is a SonicWall site-to-site VPN setup.  There is a NAT translation section covered there that deals with handling IP translation within the VPN when there is an issue with IP overlap.

http://help.mysonicwall.com/sw/eng/305/ui2/23200/VPN/VPN_Policy_Config_Site2Site.htm
Larry Struckmeyer MVP commented:
Assuming access is from current sites to the new site across the internet:  Create the required users on the SBS, install an RDS server in that domain, and the current users can RWA or RDP to the RDS server for their needs.  If the subnets are the same you will not be able to VPN.  If there are or will be extra stations in the SBS domain there may be no need for the RDS server.  RWA redirects users to the chosen system from the SBS landing page.
Steve Bottoms, Sr Network Admin (Author) commented:
Thanks for the input, guys!  :)

The SBS server will be installed physically on-site; remote access will be solely for the purpose of keeping it segregated from the existing AD domain: because SBS is so limited in what we can do here, I'm leaning toward trying to identify a way to keep it operational for user access WITHOUT going through the whole upgrade/promotion procedure SBS requires to co-exist with "real" Windows domains.  That is why I'm looking at whether using a VLAN on the SonicWall will act as enough segregation from the existing domain to be usable on our network.  I'm 100% not willing to do the "upgrade" route to make it live happily on our domain, given that it'll have a limited lifespan *and* will be removed from service in around 3 months, but I must have a couple of users able to access it without hassle.

Arnold, I've read that article on the SonicWall site; I just need to experiment to see if I can get it to work contained within the SonicWall itself (i.e., no internet access).  The only thing making what we need a "site to site" is users accessing the SBS from another VLAN, with the SBS server not having any external access whatsoever.

Larry, the same issues apply if I install a Win2k12 RDP server in the SBS domain: I still need to get access from within the same network but different VLANs (presumably) without the SBS server actually being in the existing AD domain or vice-versa.

Once again, it's pretty much a given that I'll be changing the IP address/subnet on the SBS server after the Exchange 2010 mailboxes have been exported and Exchange has been disabled.
arnold commented:
VLAN-isolate SBS: IP 172.16.15.2 assigned to the WAN side of the SBS SonicWall, whose LAN side is 10.1.1.0/24.
You then would only allow the isolateSBS

Depending on the mode of the VPN, i.e. how they set it up (pre-shared, certificate, etc.), the items dealing with overlapping LAN-side segments are in parts 12 and 14.

What access to the SBS do you need?  Are there systems associated with it that are being brought on board, or is the SBS the only thing, and access to the SBS the only thing needed?  In which case a port forward from the new VLAN IP is the only thing needed, no need for a VPN, if access from the SBS to the .... is unneeded.
Steve Bottoms, Sr Network Admin (Author) commented:
No working resolution achieved.  Taking different approach.

Steve Bottoms, Sr Network Admin (Author) commented:
No working solution reached; I'm taking a different approach to try to resolve this issue.