Category Archives: Sbs2011 Essentials Migration Steps

Essentials next step – decide on the email


If this looks familar you are right.  We’ve blogged this before.


But BEFORE you get to this step and start ripping out Exchange installs… what are you planning to do with email in SBS 2011 Essentials?


I hope you said “oh we’ve contacted a hosted email company and they said to do this…” not “Oh, you mean Office365 is not included in the SBS 2011 essentials?”



In software there is a lot of moving parts and no where no noticable than SBS where the system has to wait for the parts to RTM… or not.. in the case of SBS 2011 Essentials.  Right now there isn’t even a public beta of Office 365.



Now … let’s also be honest .. in the consultant community the idea that Microsoft is going to bill your client is less than palatable in these parts.  So many are looking at www.ownwebnow.com and other hosted email vendors.



After you finish installing Windows SBS 2008 and you complete the tasks in the Migration Wizard, you must perform the following tasks:


1.   Prepare your organization for the removal of the last server running Exchange Server 2003


2.   Uninstall Exchange Server 2003


3.   Physically disconnect printers that are directly connected to the Source Server


4.   Demote the Source Server


5.   Move the DHCP role from the Source Server to the router


6.   Remove the Source Server from the network


7.   Repurpose the Source Server


Prepare your organization for the removal of the last server running Exchange Server 2003


Note


Complete the following tasks prior to uninstalling Exchange Server 2003. For detailed instructions about how to complete these steps, see How to Remove the Last Legacy Exchange Server from an Organization.


1.   Move all mailboxes.


2.   Move all contents from the public folders.


3.   Move the Offline Address Book Generation Process.


4.   Remove the public folder mailbox and stores.


5.   Verify that you can send and receive email to and from the Internet.


6.   Delete the routing group connectors.


7.   Delete or reconfigure the Mailbox Manager policies.


8.   Move the public folder hierarchy.


9.   Delete the domain Recipient Update Services.


10.  Delete the Enterprise Recipient Update Service.


Uninstall Exchange Server 2003


Important


If you add user accounts after you move mailboxes to the Destination Server and before you uninstall Exchange Server 2003 from the Source Server, the mailboxes are added on the Source Server. This is by design. You must move the mailboxes to the Destination Server for all user accounts that are added during this time. Repeat the instructions in Move Exchange Server mailboxes and settings for Windows SBS 2011 Essentials migration before you uninstall Exchange Server 2003.


You must uninstall Exchange Server 2003 from the Source Server before you demote it. This removes all references in AD DS to Exchange Server on the Source Server. You must have your Exchange Server 2003 media to remove Exchange Server 2003.


Important


To remove Exchange Server 2003 from the Source Server, follow the instructions in How to remove Exchange Server 2003 from your computer.

Essentials migration steps – Re-configure DNS for the local network adapter

Next step is making the new server look back to itself for DNS.  In this case all you need to do is change the dns entries.  Leave the IP address to be dynamic (unless you’ve decided to change it to a static IP)


Re-configure DNS for the local network adapter


On the Destination Server, change the DNS settings so that the Destination Server uses itself for DNS


To re-configure DNS for the local network adapter


1.   In the notification area, click the network icon, and then click Network and Sharing Center.

2.   Click Change adapter settings.

3.   Right-click the network card and then click Properties.

4.   Select Internet Protocol Version 4 (TCP/IPv4), and then click Properties.

5.   Select User the following DNS server addresses. For Preferred DNS server, type 127.0.0.1.

6.   Click OK to save your settings.

Essentials migration – moving the logon settings

We’re on to a step in the migration of Essentials that I think you might want to keep some of these group policies around. 


Sure nuke the logon scripts if you haven’t already.  But if you WANT to borrow that group policy from the old SBS 2003 and keep such things as the firewall settings, I’d say keep them. 


You can remove the items that are WSUS policies (assuming you migrated from an R2 box that has WSUS mind you)


 


Remove legacy logon settings and active Directory Group Policy objects


Note


These are optional tasks.


Remove old logon scripts


Windows SBS 2003 uses logon scripts for tasks such as installing software and customizing desktops. In Windows SBS 2011 Essentials, the Windows SBS 2003 logon scripts are replaced with a combination of logon scripts and Group Policy objects.


Note


If you modified the Windows SBS 2003 logon scripts, you should rename the scripts to preserve your customizations.


Note


Windows SBS 2003 logon scripts apply only to user accounts that were added by using the Add New Users Wizard.


To remove the Windows SBS 2003 logon scripts


1.   On the Migration Wizard Home page, click Remove legacy group policies and logon settings, and then click Next.

2.   Log on to the Source Server with an administrator account and password.

3.   On the Source Server, click Start, and then click Run.

4.   Type \\localhost\sysvol\<YourNetworkDomainName>.local\scripts, and then press ENTER.

5.   Delete or rename SBS_LOGIN_SCRIPT.bat.


After you delete the old logon scripts, use the following procedure to verify that all users’ profiles are updated to not use a logon script:


To verify user profiles


1.   On the Source Server, click Start, click Administrative Tools, and then click Active Directory Users and Computers.

2.   In the navigation pane, expand <YourNetworkDomainName>, expand My Business, expand Users, and then expand SBSUsers.

3.   Select all the user accounts, right-click the highlighted user accounts, and then click Properties.

4.   On the Profile tab, select the logon script check box, clear the text field, and then click Apply.

5.   Close Active Directory Users and Computers.


Remove legacy Active Directory Group Policy objects


The Group Policy objects (GPOs) are updated for Windows SBS 2011 Essentials. They are a superset of the Windows SBS 2003 GPOs. For Windows SBS 2011 Essentials, a number of the Windows SBS 2003 GPOs and WMI filters have to be manually deleted to prevent conflicts with the Windows SBS 2011 Essentials GPOs and WMI filters.


Note


If you modified the original Windows SBS 2003 Group Policy objects, you should save copies of them in a different location, and then delete them from Windows SBS 2003.


To remove old Group Policy objects from Windows SBS 2003


1.   Log on to the Source Server with an administrator account.

2.   Click Start, and then click Server Management.

3.   In the navigation pane, click Advanced Management, click Group Policy Management, and then click Forest: <YourDomainName>.

4.   Click Domains, click <YourDomainName>, and then click Group Policy Objects.

5.   Right-click Small Business Server Auditing Policy, click Delete, and then click OK.

6.   Repeat step 5 to delete the following GPOs that apply to your network:

·      Small Business Server Client Computer

·      Small Business Server Domain Password Policy

We recommend you configure the password policy in Windows SBS 2011 Essentials to enforce strong passwords. To configure the password policy, use the Dashboard, which writes the configuration to the default domain policy. The password policy configuration is not written to the Small Business Server Domain Password Policy object, like it was in Windows SBS 2003.

·      Small Business Server Internet Connection Firewall

·      Small Business Server Lockout Policy

·      Small Business Server Remote Assistance Policy

·      Small Business Server Windows Firewall

·      Small Business Server Windows Vista Policy

·      Small Business Server Update services Client Computer Policy

·      Small Business Server Update Services Common Settings Policy

·      Small Business Server Update Services Server Computer Policy

7.   Confirm that all of the GPOs are deleted.


To remove WMI filters from Windows SBS 2003


1.   Log on to the Source Server with an administrator account.

2.   Click Start, and then click Server Management.

3.   In the navigation pane, click Advanced Management, click Group Policy Management, and then click Forest: <YourNetworkDomainName>

4.   Click Domains, click <YourNetworkDomainName>, and then click WMI Filters.

5.   Right-click PostSP2, click Delete, and then click Yes.

6.   Right-click PreSP2, click Delete, and then click Yes.

7.   Right-click Vista, click Delete, and then click Yes.

8.   Confirm that these three WMI filters are deleted.

SBS 2011 Essentials setups – setting up a domain name

Here’s where the wizard of SBS Essentials is different than SBS 2011 Standard.


You see in SBS Essentials YOU MUST have a third party cert OR park your domain under their remotewebaccess.com domain in order to have remote access.  You ARE NOT allowed to use self signed certs.



You turn on remote access and it attempts to configure your router.  If it barfs, ignore that it barfed, I’ve never seen this configure a nice good business class firewall as we tend to turn off UPnP, just manually port forward 443 to your server.



I’m skipping the set up and setting it up manually.



It enables the web site



Ignore the fact it can’t set up the router, again we can do this manually, no worries.



Yeah yeah you don’t like my non UPnP router, I get that.


Now comes the nuance you need to be aware of… the “Cert” part of the wizard.


So we’re assuming here you already have a domain name.  Let’s say this domain name is parked over on enom’s domain servers.



We put in the domain name (in this case this domain is set up at enom)



And at this point it stops because you HAVE to buy a SSL cert now.  Now to make your life easier, buy the cert from the domain where your url is parked.  You can set up the SSL cert manually, but your life will be a lot easier to just roll with the wizard.



If your domain that you are setting up is parked at godaddy, it offers up the SSL certs from godaddy.  Again at this point what it’s stopping for and saying  “You need to upgrade” has nothing to do with the domain hosting but EVERYTHING to do with the fact that you MUST have a third party cert with SBS Essentials.



If the domain you are trying to set up isn’t recognized by the domain service (like in this case it was a networksolutions.com one) it will throw up a different wizard that you have to walk through manually to get the SSL cert.



I’ll show you what it’s like to buy the cert next, but see how this is done?  It’s a lot different than the wizard of SBS 2011.


 


Configure the network


Note


This is a required task.


To configure the network


1.   On the Destination Server, open the Dashboard.

2.   Click Server Settings.

3.   Click Turn on Remote Web Access.

4.   Complete the wizard to configure the Router and Domain name.


If your router does not support the UPnP framework, or if the UPnP framework is disabled, there may be a yellow warning icon next to the router name. Ensure that the following ports are open and that they are directed to the IP address of the Destination Server:


·      Port 80: HTTP Web traffic


·      Port 443: HTTPS Web traffic


 

Essentials step – moving the data

Moving the data over.


Remember on this step of the migration from SBS 2003 to SBS 2011 Essentials you re moving over the file shares.


But before you get to this point make sure that you’ve contacted your vendors that they support x64bit servers. 


Granted if your line of business application is so old that YOU are the support team, then test it on a x64 bit server and see it it works.  Normally all you need to do to get a really old app working is disable UAC and check the permissions.  You may have to give that folder full rights.


Did she just say disable UAC?  Yes I did.  Sometimes in a small firm you do what you have to do with a crappy line of business app.



Review the list of shared folders on the Source Server, including permissions for each folder, and create or customize the folders on the Destination Server to match that of the Source Server. Review the size of each folder and ensure the Destination Server has enough storage space. If not, add more storage space to the default storage pool.


If you are performing the copy during business hours, we recommend that once you start the copy of a share, you make the share read-only for all users so no more writes to the drive can take place.


When you are ready to copy the data from the Source Server to the Destination Server, perform the following steps.


1.   Log on as a domain administrator on the Destination Server.


2.   Type the following command and press ENTER.


robocopy \\<SourceServerName> \<SourceShares> \\<DestinationServerName> \<DestinationShares> /E /B /COPY:DATSOU /LOG:C:\Copyresults.txt where:


·      <SourceServerName> is the name of the Source Server


·      <SourceShares> is the folder name on the Source Server


·      <DestinationServerName> is the name of the Destination Server


·      <DestinationShares> is the shared folder on the Destination Server.


3.         Repeat the previous step for each folder. Create and remove folders as appropriate to make the Destination Server match the Source Server.

Essentials migration steps – import server into the dashboard

To import the Destination Server into the Dashboard


1.   Open a Command Prompt window as an administrator. For more information, see To open a Command Prompt window as an Administrator.

2.   Change directory to c:\program files\windows server\bin

3.   Type wsspowershell.exe, and then press ENTER.

4.   Type add-wsslocalmachinecert, and then press ENTER.

5.   Reboot the Destination Server.



After rebooting it looks like this


Essentials migration steps – adding a user the script way

Since I’ve been blogging on migrating from SBS 2003 to SBS essentials a new version of the document came out.


http://www.microsoft.com/downloads/en/details.aspx?FamilyID=288a1d8a-5620-4f20-ad67-20af97275a80&utm_source=feedburner&utm_medium=feed&utm_campaign=Feed%3a+MicrosoftDownloadCenter+$Microsoft+Download+Center$


This one includes a script to add users to the console


To use a script to import users into the Dashboard


1.   On the Destination Server, open Notepad and copy the following text into it:

“Script to Import Active Directory Users to the SBS 2011 Essentials Dashboard”

import-module -name activedirectory

$users = get-aduser -filter *

foreach ($user in $users)

{

 If ($user.enabled -eq $True)

  {

$imported = Select-String -path “C:\ProgramData\Microsoft\Windows Server\Data \settingsproviderdata\IDENTITY\USERS\index.xml” -pattern $user.samaccountname

 

If ([boolean]$imported -eq $False)

{

$import = read-host “Do you want to import” $user.name “to the Dashboard [y]/[n]”

 

If ($import -eq “y”)

        {

write-host {Importing User} $user.name

import-wssuser -name $user.samaccountname | out-null

If( (get-wssuser -name $user.samaccountname).UserStatus -eq “Enabled”)

    {

write-host User Successfully Imported

          }

        }

      }

   }

}

 

2.   Save the file on the Destination Server in any folder with a name you choose (for example, C:\importusers.ps).

3.   Open a Command Prompt window as an administrator. For more information, see To open a Command Prompt window as an Administrator.

4.   Change directory to c:\program files\windows server\bin.

5.   Type wsspowershell.exe, and then press ENTER.

6.   Type <path><filename> for the script file you created (for example, C:\importusers.ps), and then press ENTER.

Essentials steps – getting users into the console

To import users into the console


1.   Open a Command Prompt window as an administrator. For more information, see To open a Command Prompt window as an Administrator.

2.   Change directory to c:\program files\windows server\bin

3.   Type wsspowershell.exe, and then press ENTER.

4.   Type import-wssuser –name <username>, and then press ENTER.

5.   Repeat the previous step for each user who you want to import into the console.


Okay it’s about at this step that you go… okay someone could have coded up a tool for this….



 


 

Essentials migration steps – creating security groups

After the replication has taken place, users will appear in Active Directory Users and Computers, but will not appear in the Windows SBS 2011 Essentials  Console. Use the Windows Powershell commands in the following two procedures to import user names and the Destination Server into the console.


To recreate security groups


1.   On the Destination Server, click Start, click Administrative Tools, and then click Active Directory Users and Computers.

2.   In the navigation pane, expand <DomainName>, expand My Business, expand Users, and then expand SBSUsers.

3.   Right-click on the right-hand panel, and click Create New Group.

type one of the following group names, select the Security Group radio button, and click Create. Repeat this step to create the remainder of the following security groups:

·      RA_AllowAddInAccess

·      RA_AllowComputerAccess

·      RA_AllowDashboardAccess

·      RA_AllowHomePageLinks

·      RA_AllowNetworkAlertAccess

·      RA_AllowRemoteAccess

·      RA_AllowShareAccess

·      WSSUsers


 


Since the administrator account being used was migrated over from the Source Server, by default it does not have memberships to the Windows SBS 2011 Essentials  security groups. To add group memberships to the administrator account that you are using for migration, perform the following procedure.


To make the administrator a member of the security groups


1.   On the Destination Server, click Start, click Administrative Tools, and then click Active Directory Users and Computers.

2.   In the navigation pane, expand <DomainName>, expand My Business, expand Users, and then expand SBSUsers.

3.   Open the administrator account or accounts to which you want to give group memberships.

4.   Click on the tab Member of and add the following groups to the account:

a.   RA_AllowAddInAccess

b.   RA_AllowComputerAccess

c.   RA_AllowDashboardAccess

d.   RA_AllowHomePageLinks

e.   RA_AllowNetworkAlertAccess

f.    RA_AllowRemoteAccess

g.   RA_AllowShareAccess


 


Migration steps in Essentials – turning on the beacon

We’re back blogging the steps to migrate from SBS 2003 to SBS Essentials and next up is turning on the UPnP beacon.Enabling the UPnP beacon for the Destination Server


The UPnP beacon is used to advertise the location of the Destination Server to the clients. You must restart the following services in the order listed to enable Launchpad to find the Destination Server.


1.   SSDP Discovery


2.   UPNP Device Host


3.   Windows Server UPNP Device Service


Why do we need to set this up?


Because remember the normal way SBS Essentials is set up is WITHOUT dhcp on the server and WITH a dynamic IP.  No you can manually set up DHCP on the server and give it a static IP but it doesn’t have to be set this way.


Instead of “you must restart” it should say….


Click on Start, Adminstrative Tasks, Services.


In the Services Console, you need to ensure that the following services are set to automatic and started.


The SSDP Discovery service will be disabled.  Right mouse click on SSDP Discovery and change the startup type to automatic.  Click Apply.  Now Click Start to start the service and click OK.



Scroll down to UPNP Device host.  Right mouse click on UPNP Device Host and change the startup type to automatic.  Click Apply.  Now Click Start to start the service and click OK.



Scroll down to Windows Server UPNP Device Service and start this service.  It will already be set to automatic so you only need to start the service.


Remember the design of SBS Essentials is that the DHCP server is on the router, not on the SBS Essentials box.  During client install, there will be an install of Windows Server LAN Configuration code that handles updating of the DHCP addresses by using this upnp beacon service.  The Essentials server has a dynamic IP so what it does is this service pings the server every 30 seconds and the server responds. 


(and yes before you ask… if you want to you can set up the server with a static IP and move dhcp back onto the server if you really want to)