Windows Server Small Business and external Trusts

  • Question

  • We have trouble with the trust relationship between "Windows Small Business Server 2011" and a Linux MIT Kerberos environment.

    We established the trust and user authentication from Linux worked fine. After 30 days the trust was suddenly broken. Today the trust losses are more common.

    A similar implementation with Std Server 2003 and 2008 didn't break.

    Here is the command that established the trust:

    netdom trust AHRNTAL.EU /domain:<MIT.NET> /realm /twoway /add /pt:<password>

    ksetup.exe /SetEncTypeAttr GVCC.NET AES256-CTS-HMAC-SHA1-96 AES128-CTS-HMAC-SHA1-96

    The server works actually as a Windows Server 2003 role holder (domain functional level, forest functional level)



    • Edited by HubertK Thursday, May 17, 2012 2:55 PM
    Thursday, May 17, 2012 2:53 PM

Answers

  • As you said in your posting
    You can't establish any trusts (1way or 2way) while using SBS...simply doesn't work

    --
    Cris Hanna [SBS - MVP] (since 1997)
    Co-Contributor, Windows Small Business Server 2008 Unleashed
    http://www.amazon.com/Windows-Small-Business-Server-Unleashed/dp/0672329573/ref=pd_bbs_sr_1?ie=UTF8&s=books&qid=1217269967&sr=8-1
    Owner, CPU Services, Belleville, IL
    A Microsoft Registered Partner
    ------------------------------------
    MVPs do not work for Microsoft
    Please do not submit questions directly to me.
     
     

    We have trouble with the trust relationship between "Windows Small Business Server 2011" and a Linux MIT Kerberos environment.

    We established the trust and user authentication from Linux worked fine. After 30 days the trust was suddenly broken. Today the trust losses are more common.

    A similar implementation with Std Server 2003 and 2008 didn't break.

    Here is the command that established the trust:

    Trust relationships with SBS have never been supported, beginning with the very first version

    netdom trust AHRNTAL.EU /domain:<MIT.NET> /realm /twoway /add /pt:<password>

    ksetup.exe /SetEncTypeAttr GVCC.NET AES256-CTS-HMAC-SHA1-96 AES128-CTS-HMAC-SHA1-96

    The server works actually as Windows Server 2003 role (domain functional level, forest functional level)


    Cris Hanna, Microsoft SBS MVP, Owner-CPU Services, Belleville, IL
    Thursday, May 17, 2012 2:56 PM
    Moderator

All replies

  • That note was from a thread that I read and then wrongly pasted. But in fact it was working and then broke casually

    Thursday, May 17, 2012 3:34 PM
  • While I can't speak to why it worked for the short time it did, I provide the following quote from the Microsoft Knowledge Base:

    "The server is a single-domain solution, which is not intended to be integrated with other Windows domains. You are not permitted to establish explicit trusts to other Microsoft Windows NT nor to Active Directory domains. Also, Small Business Server 2000 does not enable you to create child domains."

    While this article refers to SBS 2000, it was true in versions before that, and is true for versions that follow.

Cris Hanna, Microsoft SBS MVP, Owner-CPU Services, Belleville, IL
Thursday, May 17, 2012 3:51 PM
Moderator
  • I also have a 2008 R2 server, not SBS, in the domain. If I DCPromo it can I make it the PDC and use it to form a permanent trust?
    Thursday, January 10, 2013 3:38 PM
  • Only if you plan to remove the SBS server completely from the domain...

    If SBS remains in the domain, it must be the First Server at the root of the AD Forest/Domain (what we used to call the PDC) and it must hold all FSMO roles


    Cris Hanna, Microsoft SBS MVP, Owner-CPU Services, Belleville, IL

    Thursday, January 10, 2013 4:13 PM
    Moderator