SBS2003 to SBS2011 Essentials Migration–HowTo

WARNING:  LONG POST!

This documents a LAB migration test from SBS2003 to SBS2011 Essentials.

All steps performed as per this document from Microsoft:

http://www.microsoft.com/en-us/download/details.aspx?id=3231

NOTE: The only currently supported migration from an existing SBS install is from SBS2003 to SBS2011E, no other migration is Microsoft supported (there might be something coming from the SwingIT guys).

I followed all instructions in the document to prep SBS2003 for migration including the ADPREP processes. I have not documented the process to this point as it is pretty standard stuff as per any other server migration. I’ll pick up below from the point where the Migration Answer file is created for the SBS2011 E install (page 17 of the document). Make sure you install the software update to allow for a full 21 day migration period once you have spun up SBS2011 E.

Migration Answer File

Unlike most SBS migrations you have to manually create the migration answer file as follows:

1. Click Start, click All Programs, click Accessories, and then click Notepad.

2. Copy the following content and paste it into the file. Do not put any other content in the file.

Note

The following values are for the Destination Server.

[WinPE]
[InitialConfiguration]
AcceptEula=true
CompanyName=<CompanyName>
ServerName=<ServerName>
PlainTextPassword=<Password>
Settings=All
Migration=true

where

· <CompanyName> is the friendly name of the company, for example Contoso Ltd.

· <ServerName> is the name of the server, for example Contoso-srv

· <Password> is the password for the local administrator, for example Pass@word1

Note

Do not change the other fields.

3. Click File, click Save, and browse to the root directory of the removable media.

4. In the File name text box, type cfg.ini; in Save as type, select All Files; and then click Save.

Important

When saving the file, you must choose All Files for the Save as type to ensure that Notepad does not append the file name with a .txt extension.

Mine looked like this:

[WinPE]
[InitialConfiguration]
AcceptEula=true
CompanyName=TestCo
ServerName=TCCA1SRV01
PlainTextPassword=pass@word1
Settings=All
Migration=true

With the migration file on a USB stick connected to the NEW server run the installation as follows:

Install Windows SBS 2011 Essentials on the Destination Server

Be aware that SBS2011E will auto-partition the disk space you give it up front into C: and D: drives and autoconfigure both drives. Minimum space required is 160GB which results in a 60GB C: and 100GB D: drive. You are best to serve up ALL available disk space to the installer in one chunk and let it figure out what it is going to do with the space (similar to Windows Home Server operation).

To install and configure Windows SBS 2011 Essentials on the Destination Server in migration mode, perform the following procedure.

To install Windows SBS 2011 Essentials on the Destination Server

1. Turn on the Destination Server and insert Windows SBS 2011 Essentials DVD1 into the DVD drive. If you see a message that asks if you want to boot from a CD or DVD, press any key to do so.

Note

If the Destination Server does not boot from the DVD, restart the computer and check the BIOS Setup to ensure that DVD-ROM is listed first in the boot sequence. For more information about how to change the BIOS Setup boot sequence, see your hardware manufacturer’s documentation.

Note

If the removable media that contains the answer file is a USB device, you must change the boot order in the BIOS Setup to assure that the server does not attempt to boot to the USB device.

2. Insert the USB device or other removable media that contains the migration answer file in the Destination Server.

Note

The migration answer file is automatically detected on the root of any drive. If the migration answer file is configured to run the installation in unattended mode, values from the file are used during migration. You will not be prompted for values unless they are invalid or missing from the answer file.

3. If you are installing the multilanguage version of Windows SBS 2011 Essentials, double-click one of the listed languages. If you are installing a single-language version, you will not be asked to choose a language.

4. Click New Installation.

5. If you have an internal hard drive that is not displayed in the list, click Load Drivers and install the necessary driver before continuing.

6. Select the check box that verifies all files and folders on your primary hard drive will be deleted, and then click Install.

7. When you receive the message "Your server is partially set up and is ready for you to start migration," click Close.

After the installation finishes, you are automatically logged on with the administrator user account and password that you provided in the migration answer file.

Note

To unlock the desktop while Windows SBS 2011 Essentials is installing, use the built-in administrator account and leave the password blank.

It all worked as planned and the SBS2011E machine came up with the machine name applied in the migration file and the setup continued:

[Screenshot; screen clipping taken 08/07/2012 11:23 AM]

This step completed and the server rebooted and then continued:

Next step is to manually change DNS settings on the SBS2011E server to point back at the SBS2003 server.

Confirm SBS2011E "sees" DNS from SBS2003:

Now things get funky. There are some steps you must follow to remove the Cert Authority on the new SBS2011E box and then you join the SBS2011E box to the OLD domain.

Join the Destination Server to the domain of the Source Server

Joining the Destination Server to the domain of the Source Server requires backing up and removing the Certification Authority from the Destination Server, then promoting the Destination Server to be a domain controller.

Back up and remove the Certification Authority from the Destination Server

The Certification Authority must be removed from the Destination Server before it can join the domain. Perform the following steps to back up and remove the Certification Authority.

To back up the Certification Authority

1. In the Destination Server, open Windows Explorer and create an empty folder called C:\CA_Backup.

2. Click Start, point to Administrative Tools, and click Certification Authority.

3. Right-click <ServerName>-CA, point to All Tasks, and select Backup the CA…

4. Click Next on the welcome page.

5. Ensure that Private Key and CA certificate and Certificate database and certificate database log are selected, choose a location such as C:\CA_Backup, and then click Next.

6. Type and confirm a password for restoring the database, click Next, then click Finish to finish the wizard.

To remove the Certification Authority

1. Click Start, click Administrative Tools, and then click Server Manager.

2. Under Roles Summary, click Remove Roles.

3. On the Before You Begin page, click Next.

4. Clear the Active Directory Certificate Services check box, and then click Next.

5. Confirm that only the Certification Authority is selected for removal, and click Remove.

6. After the Certification Authority is removed, click Close.

And restart the server.

Now comes another funky part, promoting the SBS2011E box to a DC. This is DEFINITELY way different from other SBS installs so here are the instructions from the migration doc:

Promote the Destination Server to a domain controller

You must promote the Destination Server to a domain controller in the existing Windows SBS 2011 Essentials forest within six days of installing Windows SBS 2011 Essentials.

Use the DCPromo tool to promote the Destination Server as described in this section.

To promote the Destination Server to a domain controller

1. Perform the following steps to create an answer file on the administrator’s desktop.

Important

The answer file contains logon and password information that can be used to log on to your server. To help protect your server, delete the answer file after promoting the Destination Server to a domain controller.

a. Click Start, click All Programs, click Accessories, and then click Notepad.

b. Copy the following content and paste it into the file. Do not put any other content into the file.

[DCINSTALL]
UserName=<domain-admin-user-name>
Password=<domain-admin-password>
UserDomain=<domain>.local
DatabasePath=%systemroot%\ntds
LogPath=%systemroot%\ntds
SYSVOLPath=%systemroot%\sysvol
SafeModeAdminPassword=<domain-admin-password>
ConfirmGc=Yes
InstallDNS=yes
CreateDNSDelegation=No
CriticalReplicationOnly=no
ReplicaOrNewDomain=Replica
ReplicaDomainDNSName=<domain>.local
ReplicationSourceDC=<Source-Server-Name>.<domain>.local
RebootOnCompletion=No
ApplicationPartitionsToReplicate=""*"";

Leave the rest of the file blank.

Important

The <domain>, <domain-admin-user-name>, and <domain-admin-password> must reference the Source Server domain.

c. Click File, click Save, and then in the left pane, click Desktop.

d. In the File name text box, type dc-cfg.ini; for Save as type, choose All Files; and then click Save.

2. Open a Command Prompt window as an administrator. For more information, see To open a Command Prompt window as an Administrator.

3. Type the following command, and then press ENTER.

DCPROMO /unattend:"C:\Users\Administrator\Desktop\dc-cfg.ini"

After the DCPromo tool runs, the process status appears.

Note

If DCPromo does not succeed because of an incorrect entry in the answer file, the tool may erase the passwords from the dc-cfg.ini file. If this occurs, add the passwords back into the file before you run the tool again.

4. Restart the Destination Server to complete the operation.

5. Log on to the Destination Server as the domain administrator by using the same username and password that you use on the Source Server.

6. To verify that the server is a domain controller, click Start, click Administrative Tools, and then click Active Directory Users and Computers.

7. Expand the node <domain>.local, where <domain> is the Source Server domain, and then click the Domain Controllers node. The Source Server and the Destination Server should appear in this node with GC in the DC Type column.

Important

Delete the answer file after you promote the Destination Server to a domain controller.
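
Both answer files in this migration (cfg.ini on the removable media and dc-cfg.ini on the desktop) hold passwords in clear text, and DCPromo may blank them in dc-cfg.ini after a failed run. The following PowerShell is an added example, not part of the original post or the Microsoft guide: it looks for the two files in the locations described above, reports which credential keys are still populated (names only, never values), and deletes the files when asked. The function names are made up for this example.

```powershell
# Added example, not part of the Microsoft guide. Written to run on PowerShell 2.0.

# Keys that carry credentials in cfg.ini and dc-cfg.ini as shown on this page.
$SecretKeys = 'PlainTextPassword', 'Password', 'SafeModeAdminPassword'

function Get-PopulatedSecretKey {
    # Returns the credential keys that still have a non-empty value.
    # Only key names are returned, never the values themselves.
    param([string[]]$Lines)
    $found = @()
    foreach ($line in @($Lines)) {
        if ($line -match '^\s*([^=\s]+)\s*=\s*(.*?)\s*$') {
            if (($SecretKeys -contains $Matches[1]) -and ($Matches[2] -ne '')) {
                $found += $Matches[1]
            }
        }
    }
    $found
}

function Find-MigrationAnswerFile {
    # cfg.ini is picked up from the root of any drive; dc-cfg.ini is saved
    # to the administrator's desktop in the procedure above.
    $paths = @()
    foreach ($drive in (Get-PSDrive -PSProvider FileSystem)) {
        $paths += Join-Path $drive.Root 'cfg.ini'
    }
    $paths += Join-Path ([Environment]::GetFolderPath('Desktop')) 'dc-cfg.ini'
    $paths | Where-Object { Test-Path -LiteralPath $_ -PathType Leaf }
}

function Invoke-AnswerFileCleanup {
    # Reports every answer file found; deletes them only when -Remove is given.
    param([switch]$Remove)
    foreach ($path in @(Find-MigrationAnswerFile)) {
        $keys = @(Get-PopulatedSecretKey -Lines (Get-Content -LiteralPath $path))
        $removed = $false
        if ($Remove) {
            Remove-Item -LiteralPath $path -Force
            $removed = -not (Test-Path -LiteralPath $path)
        }
        New-Object PSObject -Property @{
            Path                = $path
            PopulatedSecretKeys = ($keys -join ', ')
            Removed             = $removed
        }
    }
}

# Constructed sample: a dc-cfg.ini in which a failed DCPromo run blanked one password.
$sample = '[DCINSTALL]', 'UserName=admin', 'Password=', 'SafeModeAdminPassword=Example-Only-1'
Get-PopulatedSecretKey -Lines $sample

# Report only. Run "Invoke-AnswerFileCleanup -Remove" once the promotion has succeeded.
Invoke-AnswerFileCleanup
```

Deleting the file does not overwrite its contents on the disk or USB stick, so the media that held it should be handled as if it still carries the password.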

And here it all is as steps processed:

Dc-cfg.ini file created and on Desktop of server:

Ooops, typo, try again …

Reboot the server then verify domain membership.

First good sign is that I was prompted for DOMAIN credentials on login to SBS2011E and the domain admin login and password worked! Woo woo! And it is all good inside AD:

Now the Cert Authority has to be reinstalled. Here are the instructions from the migration document:

Install and restore the Certification Authority

To install the Certification Authority

1. On the Destination Server, click Start, point to Administrative Tools, and then click Server Manager.

2. In the Roles Summary section, click Add Roles.

3. On the Before You Begin page, click Next.

4. On the Server Roles page, select Active Directory Certificate Services, and then click Next.

5. On the Introduction to Active Directory Certificate Services page, click Next.

6. On the Select Role Services page, select Certification Authority and Certification Authority Web Enrollment, and then click Next.

7. On the Specify Setup Type page, select Standalone, and then click Next.

8. On the Specify CA Type page, select Root CA, and then click Next.

9. On the Set Up Private Key page, select Use existing private key, choose the Select a certificate and use its associated private key option, and then click Next.

10. On the Select Existing Certificate page, choose the <ServerName>-CA certificate (where <ServerName> is the name of your Destination Server), and then click Next.

11. On the Configure Certificate Database page, accept the default locations, or click Browse if you want to save the database or log file to a different location. Then click Next.

12. Confirm your selections, and then click Install.

13. When the wizard is finished, click Close, and then restart the server.

To restore the Certification Authority

1. Click Start, point to Administrative Tools, and then click Certification Authority.

2. In the Certification Authority console tree, right-click <ServerName>-CA (where <ServerName> is the name of your Destination Server), click All Tasks, and then click Restore CA.

3. If you are asked to stop Active Directory Certificate Services, click OK.

4. The Certification Authority Restore Wizard appears. Click Next on the Welcome page of the wizard.

5. On the Items to Restore page, select Private key and CA certificate and Certificate database and certificate database log, type or browse to C:\CA_Backup, and then click Next.

Note

For an incremental restore, select the full backup file and complete the wizard. Then re-run the wizard and select subsequent incremental backup files.

6. On the Provide Password page, type a password for gaining access to the private key and the CA certificate file, and then click Next.

7. When the wizard completes, click Finish.

8. You are asked if you want to start Active Directory Certificate Services. If you have additional incremental backups to restore, click No to re-run the wizard and continue restoring. If restoration is complete, click Yes to start Active Directory Certificate Services.

Configure the CRL distribution list

1. Click Start, point to Administrative Tools, and then click Certification Authority.

2. Right-click the server name, and then click Properties.

3. Click the Extensions tab.

4. In the list that is displayed, click http://<ServerDNSName>/CertEnroll/<CaName><CRLNAMESUFFIX><DELTACRLALLOWED>.crl, and ensure that the following options are selected:

· Include in CRLs. Clients use this to find the Delta CRL location.

· Include in the CDP extension of issued certificates.

5. If the noted URL does not appear in the list, click Add, and in the location field, type http://<ServerDNSName>/CertEnroll/<CaName><CRLNAMESUFFIX><DELTACRLALLOWED>.crl, and then click OK

6. On the Extensions tab, click http://<ServerDNSName>/CertEnroll/<CaName><CRLNAMESUFFIX><DELTACRLALLOWED>.crl, and ensure that the following options are selected:

· Include in CRLs. Clients use this to find the Delta CRL location.

· Include in the CDP extension of issued certificates.

7. Click OK to save your changes.

8. When you are asked to restart Active Directory Certificate Services, click Yes.

And here we go with the various steps as they happened:

Reboot the server.

Now to import all the original Cert Server data.

Now to configure the CRL list:

After rebooting it is time to transfer the FSMO’s to the SBS2011E box. Anyone who has done a Swing will feel right at home with this part. From the migration document:

To transfer the operations master roles

1. On the Destination Server, open a Command Prompt window as an administrator. See To open a Command Prompt window as an Administrator.

2. At the command prompt, type NETDOM QUERY FSMO, and then press ENTER.

3. At the command prompt, type ntdsutil, and then press ENTER.

4. At the ntdsutil command prompt, enter the following commands:

a. Type activate instance NTDS, and then press ENTER.

b. Type roles, and then press ENTER.

c. Type connections, and then press ENTER.

d. Type connect to server <ServerName> (where <ServerName> is the name of the Destination Server), and then press ENTER.

e. At the command prompt, type q, and then press ENTER.

· Type transfer PDC, press ENTER, and then click Yes in the Role Transfer Confirmation dialog box.

· Type transfer infrastructure master, press ENTER, and then click Yes in the Role Transfer Confirmation dialog box.

· Type transfer naming master, press ENTER, and then click Yes on the Role Transfer Confirmation dialog box.

· Type transfer RID master, press ENTER, and then click Yes on the Role Transfer Confirmation dialog box.

· Type transfer schema master, press ENTER, and then click Yes on the Role Transfer Confirmation dialog box.

f. Type q, and then press ENTER until you return to the command prompt.

And here is the process as it happened:

And so on for the rest of the FSMO’s …
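
With five separate transfer commands it is easy to miss one, so it is worth re-running NETDOM QUERY FSMO afterwards and checking every role. The PowerShell below is an added example, not from the original post or the Microsoft guide: it parses the NETDOM QUERY FSMO output and lists any role that is not yet held by the Destination Server. It assumes the English role labels printed by netdom on Server 2008 R2; the function names, the source server name OLDSBS2003 and the domain testco.local are made up for the sample.

```powershell
# Added example, not part of the Microsoft guide. Written to run on PowerShell 2.0.

# Role labels as printed by NETDOM QUERY FSMO (English output assumed).
$FsmoRoles = 'Schema master', 'Domain naming master', 'PDC',
             'RID pool manager', 'Infrastructure master'

function Get-FsmoHolder {
    # Parses netdom's text output into a hashtable of role -> holder FQDN.
    param([string[]]$Lines)
    $holders = @{}
    foreach ($line in @($Lines)) {
        foreach ($role in $FsmoRoles) {
            if ($line -match ('^\s*' + [regex]::Escape($role) + '\s+(\S+)\s*$')) {
                $holders[$role] = $Matches[1]
            }
        }
    }
    $holders
}

function Test-FsmoTransfer {
    # Returns one object per role that is NOT on the expected server.
    # No output means all five roles have moved.
    param([string[]]$Lines, [string]$ExpectedServer)
    $holders = Get-FsmoHolder -Lines $Lines
    foreach ($role in $FsmoRoles) {
        if (-not $holders.ContainsKey($role)) {
            $holder = '(not found in output)'
        } else {
            $holder = $holders[$role]
        }
        # Compare on the host part of the FQDN, ignoring case.
        $shortName = ($holder -split '\.')[0]
        if ($shortName -ne $ExpectedServer) {
            New-Object PSObject -Property @{ Role = $role; Holder = $holder }
        }
    }
}

# Constructed sample: output captured part-way through the transfers.
$sample = @(
    'Schema master               OLDSBS2003.testco.local'
    'Domain naming master        OLDSBS2003.testco.local'
    'PDC                         TCCA1SRV01.testco.local'
    'RID pool manager            OLDSBS2003.testco.local'
    'Infrastructure master       TCCA1SRV01.testco.local'
    'The command completed successfully.'
)
Test-FsmoTransfer -Lines $sample -ExpectedServer 'TCCA1SRV01'

# On the Destination Server itself, check the live state with:
# Test-FsmoTransfer -Lines (netdom query fsmo) -ExpectedServer $env:COMPUTERNAME
```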

Now for the global catalog:

Transfer the global catalog to the Destination Server

To transfer the global catalog, create a new global catalog on the Destination Server, and then remove the existing global catalog on the Source Server.

To create a global catalog on the Destination Server

1. On the Destination Server, click Start, point to Administrative Tools, and then click Active Directory Sites and Services.

2. In the Active Directory Sites and Services console tree, double-click Sites, and then double-click Default-First-Site-Name.

3. Expand the Servers folder, click the name of the Destination Server, right-click NTDS Settings, and then click Properties.

4. On the General tab, select the Global catalog option if it is not already selected, and then click OK.

5. Restart the Destination Server.

Note

Allow sufficient time for the account and the schema information to replicate to the Destination Server before you remove the global catalog from the Source Server.

Before you continue, verify that the replication completed successfully, as follows:

1. Click Start, click Administrative Tools, and then click Active Directory Users and Computers.

2. Expand the node <domain>.local, where <domain> is the Source Server domain, and then select the Domain Controllers node. The Destination Server should appear in this node with GC in the DC Type column.

Note

You can perform additional verification by using the tools that are listed in the section Verify the health of the domain controller.

Note

Event 1119 might be logged in the Directory Services log in Event Viewer stating that the Destination Server is now advertising itself as a global catalog server.

To remove the global catalog from the Source Server

1. On the Source Server, click Start, click All Programs, click Administrative Tools, and then click Active Directory Sites and Services.

2. In the console tree, double-click Sites, and then double-click Default-First-Site-Name.

3. Double-click Servers, click the name of the Source Server, right-click NTDS Settings, and then click Properties.

4. On the General tab, clear the Global catalog option, and then click OK.

5. Restart the Source Server.

And the process as it happened:

The server is already a GC as shown here:

Time to remove GC from the old SBS2003 box.

And restart the OLD server.

Now time to ensure SBS2011E services are as they should be …

Enable the UPnP beacon for the Destination Server

The UPnP™ beacon is used to advertise the location of the Destination Server to the client computers. To enable Launchpad to find the Destination Server, perform the following steps to enable and start the necessary services.

1. On the Destination Server, click Start, click Administrative Tools, and then click Services.

2. On the Services console, find the following services:

· SSDP Discovery

· UPNP Device Host

· Windows Server UPNP Device Service

3. If any of the previously listed services are disabled, enable each disabled service as follows:

a. Right-click the service name, click Properties, change the Startup type to Automatic, and then click OK.

b. Right-click the service name, and then click Start.

Note

If a service already has an Automatic startup type, but it is not running, right-click the service name, and click Start.

We are pretty much at the point of being ready to migrate data from the old server. There are just a few steps that need to be completed.

Verify the health of the domain controller

Before proceeding with the migration, you should ensure that the domain controller and Windows SBS 2011 Essentials network are healthy.

The following table lists the tools that you can use to diagnose issues on your Destination Server and network, and in the domain:

Tool | Description
Netdiag | Helps isolate networking and connectivity issues. For more information and to download, see Netdiag.
Dcdiag.exe | Analyzes the state of domain controllers in a forest or enterprise, and reports issues to assist you in troubleshooting. For more information and to download, see Dcdiag.
Repadmin.exe | Assists you in diagnosing replication issues between domain controllers. This tool requires command-line parameters to run. For more information and to download, see Repadmin.

You should correct all the issues that these tools report before you proceed with the migration.

There were no issues found so we continue on and reconfigure DNS on the SBS2011E server.

To reconfigure DNS for the local network adapter

1. In the notification area, click the network icon, and then click Network and Sharing Center.

2. Click Change adapter settings.

3. Right-click the name of the network card, and then click Properties.

4. Select Internet Protocol Version 4 (TCP/IPv4), and then click Properties.

5. Click Use the following DNS server addresses. For Preferred DNS server, type 127.0.0.1.

6. Click OK to save your settings.

To turn off DNS on the Source Server

1. On the Source Server, click Start, click All Programs, click Administrative Tools, and then click DNS.

2. In the DNS management console, right-click the Source Server, click All tasks, and then click Stop.

And the DNS service has been stopped on the old server.

There now follows a bunch of steps to get users and other information to show up in the SBS2011E Dashboard. I’m going to break it down into steps.

Import users and the Destination Server into the Dashboard for Windows SBS 2011 Essentials migration

After the replication has taken place, user names will appear in Active Directory Users and Computers, but they will not appear in the Windows SBS 2011 Essentials Dashboard. You can use Windows PowerShell commands to import user names and the Destination Server into the Dashboard, or you can use a script to automate the import process.

Important

Windows SBS 2003 supports up to 75 users, while Windows SBS 2011 Essentials only supports up to 25 users. Ensure that you move no more than 25 users to the Windows SBS 2011 Essentials server.

To re-create security groups

1. On the Destination Server, click Start, click Administrative Tools, and then click Active Directory Users and Computers.

2. In the navigation pane, expand <DomainName>, expand My Business, expand Users, and then expand SBSUsers.

3. Right-click the right-hand panel, and click Create New Group. Type one of the following group names, click Security Group, and then click Create. Repeat this step to create the remainder of the following security groups. Set the scope for each group to Global.

· RA_AllowAddInAccess

· RA_AllowComputerAccess

· RA_AllowDashboardAccess

· RA_AllowHomePageLinks

· RA_AllowNetworkAlertAccess

· RA_AllowRemoteAccess

· RA_AllowShareAccess

· WSSUsers

Here is the process for the first of these groups:

And all groups added:

And the next step is:

Because the administrator account was migrated from the Source Server, by default it does not have memberships to the Windows SBS 2011 Essentials security groups. To add group memberships to the administrator account that you are using for migration, perform the following procedure.

To make the administrator a member of the security groups

1. On the Destination Server, click Start, click Administrative Tools, and then click Active Directory Users and Computers.

2. In the navigation pane, expand <DomainName>, expand My Business, expand Users, and then expand SBSUsers.

3. Open the administrator account or accounts to which you want to assign membership.

4. Click the tab Member of and add the following groups to the account:

a. RA_AllowAddInAccess

b. RA_AllowComputerAccess

c. RA_AllowDashboardAccess

d. RA_AllowHomePageLinks

e. RA_AllowNetworkAlertAccess

f. RA_AllowRemoteAccess

g. RA_AllowShareAccess

And the next step is:

To ensure that users can log on to Remote Web Access after the migration, you must add the Authenticated Users group to the Pre-Windows 2000 Compatible Access group.

To add the Authenticated Users group to the Pre-Windows 2000 Compatible Access group

1. On the Destination Server, click Start, point to Administrative Tools, and then click Active Directory Users and Computers.

2. In the navigation pane, expand <DomainName>, and then click the Builtin folder.

3. In the details pane, right-click the Pre-Windows 2000 Compatible Access group, and then click Properties.

4. On the Members tab, click Add.

5. Type Authenticated Users, and then click OK.

And the next step is:

To manually import user names into the Dashboard

1. On the Destination Server, open a Command Prompt window as an administrator. For more information, see To open a Command Prompt window as an Administrator.

2. Type cd "\Program Files\Windows Server\Bin", and press ENTER.

3. Type WssPowerShell.exe, and then press ENTER.

4. Type Import-WssUser -Name <username>, and then press ENTER.

5. Repeat the previous step for each user name that you want to import into the Dashboard.

And I did the same for administrator.

The next step is:

1. Open a Command Prompt window as an administrator. For more information, see To open a Command Prompt window as an Administrator.

2. Type cd "\Program Files\Windows Server\Bin" and press ENTER.

3. Type WssPowerShell.exe, and then press ENTER.

4. Type Add-WssLocalMachineCert, and then press ENTER.

5. Reboot the Destination Server.

BTW, if you have not already done so, set the SBS2011E box to a STATIC IP. I have not seen anything in the guide to suggest where this should be done so now is as good a time as any.

Now it is time to start messing about with the domain client computers. In the case of this lab there is a single Windows7 Pro machine.

Steps are as follows:

Join computers to the new Windows SBS 2011 Essentials network

The next step in the migration process is to join client computers to the new Windows SBS 2011 Essentials network and update Group Policy settings.

Domain-joined client computers

Browse to http://destination-server/connect and install the Windows Server Connector software as if this was a new computer. The installation process requires network administrator privileges for domain-joined client computers. Network administrator privileges are not required for computers that are not joined to the domain.

On the Windows7 box (which I set DNS to point at the SBS2011E machine):

After a while you will be prompted for login and password, then you will be prompted for a computer description. You will also be asked if it is okay to wake up the computer for backup as well as whether you want to participate in the Windows Customer Improvement program. After answering all of that the process continues.

After logging out and logging in then clicking Dashboard this is what you see:

The Launchpad is usable by all users; the Dashboard only works for users with admin rights.

Now it’s time to start migrating data to the new server, a process that is no different from any other server to server migration. There is a specific task recommended by Microsoft as follows:

Copy data to the Destination Server

Before you copy data from the Source Server to the Destination Server, perform the following tasks:

· Review the list of shared folders on the Source Server, including permissions for each folder. Create or customize the folders on the Destination Server to match the folder structure that you are migrating from the Source Server.

· Review the size of each folder and ensure that the Destination Server has enough storage space.

· Make the shared folders on the Source Server Read-only for all users so no writing can take place on the drive while you are copying files to the Destination Server.

To copy data from the Source Server to the Destination Server

1. Log on to the Destination Server as a domain administrator.

2. Click Start, type cmd in the search box, and then press ENTER.

3. At the command prompt, type the following command, and then press ENTER:

robocopy \\<SourceServerName>\<SharedSourceFolderName> \\<DestinationServerName>\<SharedDestinationFolderName> /E /B /COPY:DATSOU /LOG:C:\Copyresults.txt

where <SourceServerName> is the name of the Source Server, <SharedSourceFolderName> is the name of the shared folder on the Source Server, <DestinationServerName> is the name of the Destination Server, and <SharedDestinationFolderName> is the shared folder on the Destination Server to which the data will be copied.

4. Repeat the previous step for each shared folder that you are migrating from the Source Server.
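The copy procedure above, scripted for several shares as an added example (not from the Microsoft guide or the original post). It runs robocopy with the same switches for each share and flags any run whose exit code is 8 or higher, which means at least one file or folder did not reach the destination. The server names and the log folder are placeholders; Stuff is the lab share used in this post.

```powershell
# Added example. Run from an elevated prompt on the Destination Server as a
# domain administrator. Server names and the log folder are placeholders.
$SourceServer = 'SOURCE-SRV'          # placeholder: SBS2003 server name
$DestServer   = 'DEST-SRV'            # placeholder: SBS2011E server name
$Shares       = @('Stuff')            # shares already re-created on the destination
$LogDir       = 'C:\MigrationLogs'    # placeholder log folder

if (-not (Test-Path $LogDir)) {
    New-Item -ItemType Directory -Path $LogDir | Out-Null
}

$results = foreach ($share in $Shares) {
    $src = "\\$SourceServer\$share"
    $dst = "\\$DestServer\$share"
    $log = Join-Path $LogDir "Copyresults-$share.txt"

    # The destination share must exist first, with permissions matching the source.
    if (-not (Test-Path $dst)) {
        Write-Warning "$dst does not exist; create it before copying."
        continue
    }

    # Same switches as the command in step 3:
    #   /E            subfolders, including empty ones
    #   /B            backup mode (needs backup privileges, hence the elevated prompt)
    #   /COPY:DATSOU  data, attributes, timestamps, security (NTFS ACLs),
    #                 owner and auditing information
    & robocopy.exe $src $dst /E /B /COPY:DATSOU "/LOG:$log" | Out-Null
    $code = $LASTEXITCODE

    # Robocopy exit codes are bit flags. 8 = some files or folders could not
    # be copied, 16 = fatal error. Anything below 8 is a completed copy.
    New-Object PSObject -Property @{
        Share    = $share
        ExitCode = $code
        Failed   = ($code -ge 8)
        Log      = $log
    }
}

$results | Format-Table Share, ExitCode, Failed, Log -AutoSize

if ($results | Where-Object { $_.Failed }) {
    Write-Warning 'At least one share did not copy completely; review the logs before making the destination live.'
}
```

Because /COPY:DATSOU carries the ACLs and owner across, a failed or partial run is also a permissions gap, so check the per-share log rather than only the file count.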

In this case I have recreated the shared folder Stuff on the SBS2011E box with permissions to match the original on the SBS2003 box and ran the robocopy as listed above.

The copy ran fine, as expected.

One thing to note: SBS2011E has some very specific things it does with what it terms "Server Folders" which is just another name for Shared folders. That said, there are controls in the server Dashboard for managing the folders and you are wise to use those controls.

When in doubt, use the Dashboard to create/manage folder access. Also note that SBS2011E auto partitions the disk space you give it into C: and D: drives. All of the pre-defined Server (shared) folders are created under D:\ServerFolders. You can create other shared folders on D: wherever you want.

Now I’ll copy user data across (just one user to copy in this case):

The next step is to configure the network and Remote Access:

Configure the network

Note

This is a required task.

To configure the network

1. On the Destination Server, open the Dashboard.

2. Click Server Settings.

3. Click Turn on Remote Web Access.

4. Complete the wizard to configure the router and domain names.

If your router does not support the UPnP framework, or if the UPnP framework is disabled, there may be a yellow warning icon next to the router name. Ensure that the following ports are open and that they are directed to the IP address of the Destination Server:

· Port 80: HTTP Web traffic

· Port 443: HTTPS Web traffic

I’ve skipped router set up as we always do this ourselves.

It goes through various set up steps.

I’m getting this because I have not allowed it to configure my router and it is unhappy because my settings are not "correct". This can be re-run later when the router is properly configured (as is normal with most of our installs as we fix the router settings once we are finished).

This will fail, of course, because the domain isn’t real but you get the drift of what to do ….

You can do it all yourself or have SBS2011E step you through the steps. I’m doing it manually so I can get through this test config.

Guess you should have a cert ready or go through the process of creating a CSR. Either way, I’ll stop this process as I can’t complete it for my test config. Again, I’m sure you get the process.

Verify that Terminal Services Gateway has configured the correct certificates

You need to ensure that Terminal Services Gateway has configured the correct certificates after the back up and restore of the Certification Authority.

To verify the certificates in Terminal Services Gateway

1. Open a Command Prompt window as an administrator. For more information, see To open a Command Prompt window as an Administrator.

2. Type the following, and then press ENTER:

cd \Program Files\Windows Server\Bin

3. Type the following, and then press ENTER:

ConfigureRDP.exe

After ConfigureRDP.exe runs, the correct certificates will be configured.

Remove legacy logon settings and Active Directory Group Policy objects

Remove old logon scripts (optional)

Windows SBS 2003 uses logon scripts for tasks such as installing software and customizing desktops. In Windows SBS 2011 Essentials, the Windows SBS 2003 logon scripts are replaced with a combination of logon scripts and Group Policy objects.

Note

If you modified the Windows SBS 2003 logon scripts, you should rename the scripts to preserve your customizations.

Note

Windows SBS 2003 logon scripts apply only to user accounts that were added by using the Add New Users Wizard.

To remove the Windows SBS 2003 logon scripts

1. Click Start, click Administrative Tools, click Active Directory Users and Computers, and then click Users.

2. Right-click a user name, then click Profile.

3. Delete the contents of the Logon script text box, then click OK.

4. Repeat the previous two steps for each user.
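The same per-user change done in bulk, as an added example that is not part of the Microsoft guide or the original post. It assumes the Active Directory PowerShell module on the Destination Server; the export path is a placeholder. The current logon script of each account is written to a CSV before anything is cleared, so customized assignments can be restored.

```powershell
# Added example. Assumes it is run on the Destination Server (a domain
# controller with the ActiveDirectory module). The export path is a placeholder.
Import-Module ActiveDirectory

$Export = 'C:\MigrationLogs\logon-scripts-before.csv'   # placeholder path
$DryRun = $true    # set to $false to actually clear the attribute

# scriptPath is the attribute behind the "Logon script" box on the Profile tab.
$users = @(Get-ADUser -LDAPFilter '(scriptPath=*)' -Properties scriptPath)

if ($users.Count -eq 0) {
    Write-Host 'No user accounts have a logon script set.'
}
else {
    # Keep a record of who had which script before changing anything.
    $users |
        Select-Object SamAccountName, DistinguishedName, scriptPath |
        Export-Csv -Path $Export -NoTypeInformation

    # With $DryRun = $true this only reports what would be changed.
    $users | Set-ADUser -Clear scriptPath -WhatIf:$DryRun

    # Verify: after a real run no account should be returned.
    $left = @(Get-ADUser -LDAPFilter '(scriptPath=*)' -Properties scriptPath)
    Write-Host ("Accounts with a logon script still set: {0}" -f $left.Count)
}
```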

Remove legacy Active Directory Group Policy objects (optional)

The Group Policy objects (GPOs) are updated for Windows SBS 2011 Essentials. They are a superset of the Windows SBS 2003 GPOs. For Windows SBS 2011 Essentials, a number of the Windows SBS 2003 GPOs and Windows Management Instrumentation (WMI) filters have to be manually deleted to prevent conflicts with the Windows SBS 2011 Essentials GPOs and WMI filters.

Note

If you modified the original Windows SBS 2003 Group Policy objects, you should save copies of them in a different location, and then delete them from Windows SBS 2003.

To remove old Group Policy objects from Windows SBS 2003

1. Log on to the Source Server with an administrator account.

2. Click Start, and then click Server Management.

3. In the navigation pane, click Advanced Management, click Group Policy Management, and then click Forest: <YourDomainName>.

4. Click Domains, click <YourDomainName>, and then click Group Policy Objects.

5. Right-click Small Business Server Auditing Policy, click Delete, and then click OK.

6. Repeat step 5 to delete the following GPOs that apply to your network:

· Small Business Server Client Computer

· Small Business Server Domain Password Policy

We recommend you configure the password policy in Windows SBS 2011 Essentials to enforce strong passwords. To configure the password policy, use the Dashboard, which writes the configuration to the default domain policy. The password policy configuration is not written to the Small Business Server Domain Password Policy object, like it was in Windows SBS 2003.

· Small Business Server Internet Connection Firewall

· Small Business Server Lockout Policy

· Small Business Server Remote Assistance Policy

· Small Business Server Windows Firewall

· Small Business Server Windows Vista® Policy

· Small Business Server Update Services Client Computer Policy

This GPO will be present if you are migrating from Windows SBS 2003 R2.

· Small Business Server Update Services Common Settings Policy

This GPO will be present if you are migrating from Windows SBS 2003 R2.

· Small Business Server Update Services Server Computer Policy

This GPO will be present if you are migrating from Windows SBS 2003 R2.

7. Confirm that all of the GPOs are deleted.
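The GPO removal above, with the "save copies first" note built in, as an added example that is not part of the Microsoft guide or the original post. It assumes the GroupPolicy PowerShell module on the Destination Server (GPOs are domain objects, so they can be removed from either domain controller); the backup folder is a placeholder and the display names are taken from the list above.

```powershell
# Added example. Assumes the GroupPolicy module on the Destination Server.
# The backup folder is a placeholder.
Import-Module GroupPolicy

$BackupDir = 'C:\MigrationLogs\LegacyGpoBackup'   # placeholder path
$DryRun    = $true    # set to $false to actually delete

# Names from the list above. The Vista entry is written without the (R) mark;
# check the display name in your own domain.
$legacy = @(
    'Small Business Server Auditing Policy',
    'Small Business Server Client Computer',
    'Small Business Server Domain Password Policy',
    'Small Business Server Internet Connection Firewall',
    'Small Business Server Lockout Policy',
    'Small Business Server Remote Assistance Policy',
    'Small Business Server Windows Firewall',
    'Small Business Server Windows Vista Policy',
    'Small Business Server Update Services Client Computer Policy',
    'Small Business Server Update Services Common Settings Policy',
    'Small Business Server Update Services Server Computer Policy'
)

if (-not (Test-Path $BackupDir)) {
    New-Item -ItemType Directory -Path $BackupDir | Out-Null
}

# Only act on the legacy GPOs that actually exist in this domain.
$found = @(Get-GPO -All | Where-Object { $legacy -contains $_.DisplayName })

foreach ($gpo in $found) {
    # Back up first so a customized policy can be reviewed or restored later.
    Backup-GPO -Guid $gpo.Id -Path $BackupDir -Comment 'Before SBS2003 GPO cleanup' | Out-Null
    Remove-GPO -Guid $gpo.Id -WhatIf:$DryRun
}

# Step 7: confirm that none of the listed GPOs remain.
$left = @(Get-GPO -All | Where-Object { $legacy -contains $_.DisplayName })
if ($left.Count -eq 0) {
    Write-Host 'All listed legacy GPOs are gone.'
}
else {
    $left | Select-Object DisplayName, Id | Format-Table -AutoSize
}
```

Deleting the Domain Password Policy and Lockout Policy objects removes those settings from the domain, so set the password policy in the Dashboard, as the guide recommends, before or immediately after this cleanup.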

To remove WMI filters from Windows SBS 2003

1. Log on to the Source Server with an administrator account.

2. Click Start, and then click Server Management.

3. In the navigation pane, click Advanced Management, click Group Policy Management, and then click Forest: <YourNetworkDomainName>.

4. Click Domains, click <YourNetworkDomainName>, and then click WMI Filters.

5. Right-click PostSP2, click Delete, and then click Yes.

6. Right-click PreSP2, click Delete, and then click Yes.

7. Right-click Vista, click Delete, and then click Yes.

8. Confirm that these three WMI filters are deleted.

Final step before demoting old server …

Map permitted computers to user accounts

In Windows SBS 2003, if a user connects to Remote Web Access, all the computers in the network are displayed. This may include computers that the user does not have access rights to. In Windows SBS 2011 Essentials, a user must be explicitly assigned to a computer for it to be displayed in Remote Web Access. Each user account that is migrated from Windows SBS 2003 must be mapped to one or more computers.

To map user accounts to computers

1. Open the Windows SBS 2011 Essentials Dashboard.

2. In the navigation bar, click Users.

3. In the list of user accounts, right-click a user account, and then click View the Account Properties.

4. Click the Remote Web Access tab, click Allow Remote Web Access, and show selected links in Remote Web Access.

5. Click Shared Folders, click Computers, click Home page, and then click Apply.

6. Click the Computer Access tab, and click the name of the computer to which you want to allow access.

7. Repeat steps 3, 4, 5, and 6 for each user account.

After you have mapped user accounts to client computers, you can set a default computer to be used for remote access. In the Dashboard, click the Remote Access tab. In User Account Properties, set a default client computer for each user who needs to access the network remotely.

Note

You do not need to change the configuration of the client computer. It is configured automatically.

Note

After you complete the migration, if you encounter an issue when you create the first new user account on the Destination Server, remove the user account that you added, and then create it again.

And I have done all of this on the SBS2011E box.

Demote and remove the Source Server from the new Windows SBS 2011 Essentials network

First, Exchange 2003 goes away.

Prepare your organization for the removal of the last server running Exchange Server 2003

Note

Complete the following tasks prior to uninstalling Exchange Server 2003. For detailed instructions about how to complete these steps, see How to Remove the Last Legacy Exchange Server from an Organization.

1. Move all mailboxes.

2. Move all contents from the public folders.

3. Move the Offline Address Book Generation Process.

4. Remove the public folder mailbox and stores.

5. Verify that you can send and receive email to and from the Internet.

6. Delete the routing group connectors.

7. Delete or reconfigure the Mailbox Manager policies.

8. Move the public folder hierarchy.

9. Delete the domain Recipient Update Services.

10. Delete the Enterprise Recipient Update Service.

For purposes of this lab we assume that Exchange has already migrated to Office 365 so we’ll just proceed with removal as referenced in the link above.

Use the Active Directory Users and Computers snap-in to disconnect all mailbox-enabled users

You cannot remove the Exchange Server 2003 components if the Exchange server still has mailboxes for mailbox-enabled users. To use the Active Directory Users and Computers snap-in to disconnect all mailbox-enabled users, follow these steps:

  1. Click Start, point to Programs, point to Administrative Tools, and then click Active Directory Users and Computers.
  2. Expand Your_Domain, and then click Users.
    Note In this step, Your_Domain is a placeholder for the name of your domain.
  3. Press and hold CTRL, click the user name of each user who has a mailbox on the server, right-click any of the selected user names, click Exchange Tasks, and then release CTRL.
  4. On the Select a task to perform list, click Delete Mailbox, and then click Next.
  5. On the Delete Mailbox page, click Next.
  6. Wait for the mailboxes to be deleted, and then click Finish.

Pasted from <http://support.microsoft.com/kb/833396>

To remove Exchange on SBS2003 you have to select Small Business Server from Add/remove programs. Let it do its thing then select Exchange from its list.

Exchange is now removed.

Demote the Source Server

Before you demote the Source Server from the role of the AD DS domain controller to the role of a domain member server, ensure that Group Policy settings are applied to all client computers, as described in the following procedure.

Important

The Source Server and the Destination Server must be connected to the network while the Group Policy changes are updated on the client computers.

To force a Group Policy update on a client computer

1. Log on to the client computer as an administrator.

2. Open a Command Prompt window as an administrator. For more information, see To open a Command Prompt window as an Administrator.

3. At the command prompt, type gpupdate /force, and then press ENTER.

4. The process may require you to log off and log on again to finish. Click Yes to confirm.

To demote the Source Server

1. On the Source Server, click Start, click Run, type dcpromo, and then click OK.

2. Click Next twice.

Note

Do not select This server is the last domain controller in the domain.

3. Type a password for the new Administrator account on the server, and then click Next.

4. In the Summary dialog box, you are informed that AD DS will be removed from the computer and that the server will become a member of the domain. Click Next.

5. Click Finish. The Source Server restarts.

6. After the Source Server restarts, add the Source Server as a member of a workgroup before you disconnect it from the network.

After you add the Source Server as a member of a workgroup and disconnect it from the network, you must remove it from AD DS on the Destination Server.

To remove the Source Server from Active Directory

1. On the Destination Server, click Start, click Administrative Tools, and then click Active Directory Users and Computers.

2. In the User Account Control window, click Continue if prompted.

3. In the Active Directory Users and Computers navigation pane, expand the domain name, and then expand Computers.

4. Right-click the Source Server name if it still exists in the list of servers, click Delete, and then click Yes.

5. Verify that the Source Server is not listed, and then close Active Directory Users and Computers.

Ok, here comes a weird one … certainly NOT something we are used to. SBS2011E does NOT support the DHCP server role; this is performed by your router.

Move the DHCP Server role from the Source Server to the router

Note

If you already performed this task before you started the migration process, continue with the section Remove and repurpose the Source Server.

If your Source Server is running the DHCP role, perform the following steps to move the DHCP role to the router.

To move the DHCP role from the Source Server to the router

1. Turn off the DHCP service on the Source Server, as follows:

a. On the Source Server, click Start, click Administrative Tools, and then click Services.

b. In the list of currently running services, right-click the Windows Server, and then click Properties.

c. For Start type, select Disabled.

d. Stop the service.

2. Turn on the DHCP Role on your router

a. Follow the instructions in your router documentation to turn on the DHCP role on the router.

b. To ensure that IP addresses issued by the Source Server remain the same, follow the instructions in your router documentation to configure the DHCP range on the router to be the same as the DHCP range on the Source Server.

Important

If you have not set up a static IP or DHCP reservations on the router for the Destination Server, and the DHCP range is not the same as the Source Server, it is possible that the router will issue a new IP address for Destination Server. If this happens, reset the port forwarding rules of the router to forward to the new IP address of the Destination Server.

And the final steps …

Delete the old folder redirection Group Policy object for Windows SBS 2011 Essentials migration

Note

Perform this task only if folder redirection was enabled on the Source Server.

After you demote and disconnect the Source Server, you can delete the old Folder Redirection Group Policy object from the Destination Server.

To delete the Folder Redirection Group Policy object

1. On the Destination Server, click Start, click Administrative Tools, and then click Group Policy Management.

2. In the User Account Control dialog box, click Continue.

3. In the Group Policy Management navigation pane, expand Forest:<YourNetworkDomainName>, expand Domains, expand <YourNetworkDomainName>, and then expand Group Policy Objects.

4. Right-click Small Business Server Folder Redirection, and then click Delete.

5. Click Yes in the warning dialog box.

6. Close the Group Policy Management console.

Perform optional post-migration tasks for Windows SBS 2011 Essentials migration

The following tasks help you finish setting up your Destination Server with some of the same settings that were on the Source Server. You may have disabled some of these settings on your Source Server during the migration process, so they were not migrated to the Destination Server. Or they are optional configuration steps that you may want to perform.

1. Move natively joined Active Directory computer objects

2. Delete DNS entries of the Source Server

3. Share line-of-business and other application data folders

4. Fix client computer issues after migrating

Move natively joined Active Directory computer objects

Note

This is an optional task.

The Windows SBS 2011 Essentials Dashboard displays AD DS computer objects that are in the Windows SBS 2011 Essentials default organizational unit (OU), OU=<YourNetworkDomainName>\MyBusiness\Computers\SBSComputers. If you want to manage computer objects that were natively joined to the domain, you must move the computer objects into the default OU.

To move computer objects to the default OU

1. On the Destination Server, click Start, click Administrative Tools, and then click Active Directory Users and Computers.

2. In the User Account Control dialog box, click Continue.

3. In the navigation pane, expand <YourNetworkDomainName>, and then expand the Computers container or the container where the computer objects are located.

4. Expand the MyBusiness container, expand the Computers container, and then expand the SBSComputers container.

5. Drag-and-drop the computer objects from their current location to the SBSComputers container, and then click Yes in the warning dialog box.

6. When you finish moving the computer objects, close Active Directory Users and Computers.

Delete DNS entries of the Source Server

After you decommission the Source Server, the Domain Name Service (DNS) server may still contain entries that point to the Source Server. Delete these DNS entries.

To delete DNS entries that point to the Source Server

1. On the Destination Server, click Start, click Administrative Tools, and then click DNS.

2. In the User Account Control dialog box, click Continue.

3. In the DNS Manager console, expand the server name, and then expand Forward Lookup Zones.

4. Right-click the first zone, click Properties, and then click the Name Servers tab.

5. Click an entry in the Name servers text box that points to the Source Server, click Remove, and then click OK.

6. Repeat the previous step until all pointers to the Source Server are removed.

7. Click OK to close the Properties window.

8. In the DNS Manager console, expand Reverse Lookup Zones.

9. Repeat steps 4 through 7 to remove all Reverse Lookup Zones that point to the Source Server.

Share line-of-business and other application data folders

You must set the shared folder permissions and the NTFS permissions for the line-of-business and other application data folders that you copied to the Destination Server. After you set the permissions, the shared folders are displayed in the Windows SBS 2011 Essentials Dashboard on the Shared Folders tab.

If you are using a logon script to map drives to the shared folders, you must update the script to map to the drives on the Destination Server.

That’s it! Now live on SBS2011E! But check the doc referenced at the beginning of this post for some cleanup steps on the client machines IF you have weird client issues.