Migrating Windows Small Business
Server 2003 to Windows Small Business
Server 2011 Essentials
Microsoft Corporation
Published: May 2012
Version: 12.05.04
This version includes the following updates:
Corrects and clarifies the level of permission that is necessary to join a client computer to the
Windows SBS 2011 Essentials domain.
Clarifies the steps necessary to configure the CRL distribution list.
Updates the script that is used to bulk import users into the Windows SBS 2011 Essentials
Dashboard. The revised script leverages the improved code that is included in the Windows
SBS 2011 Essentials SDK.
Abstract
This guide explains how to install Windows SBS 2011 Essentials in migration mode on a new
server, and then migrate the settings and data from the old server that is running Windows Small
Business Server 2003 to the new server that is running Windows SBS 2011 Essentials. This
guide also helps you demote and remove your old server from the network after you finish the
migration process.
This document is provided “as-is”. Information and views expressed in this document, including
URL and other Internet Web site references, may change without notice. You bear the risk of
using it.
This document does not provide you with any legal rights to any intellectual property in any
Microsoft product. You may copy and use this document for your internal, reference purposes.
© 2012 Microsoft Corporation. All rights reserved.
Microsoft, Active Directory, Internet Explorer, SharePoint, SQL Server, Windows, Windows
Server, Windows XP, Windows PowerShell, and Windows Vista are trademarks of the Microsoft
group of companies.
All other trademarks are property of their respective owners.
Contents
Migrating Windows Small Business Server 2003 to Windows Small Business Server 2011
Essentials ..................................................................................................................................... 5
Additional resources ..................................................................................................................... 5
Terms and definitions ................................................................................................................... 5
Migration process summary ......................................................................................................... 5
Prepare your Source Server for Windows SBS 2011 Essentials migration .................................... 7
Back up your Source Server ..................................................................................................... 7
Install the most recent service packs ........................................................................................ 7
Verify the network configuration ............................................................................................... 9
Reconfiguring your existing network ..................................................................................... 9
Verify the settings for the DHCP Server role ....................................................................... 11
Use Windows SBS 2003 Best Practice Analyzer to evaluate the health of the Source Server
............................................................................................................................................. 11
Run the Windows SBS 2003 Best Practices Analyzer ........................................................... 11
Run the Windows Support Tools ............................................................................................ 12
Synchronize the Source Server time with an external time source ........................................ 13
Raise the functional level of the Active Directory domain and forest ..................................... 14
Prepare Active Directory for migration .................................................................................... 15
Create a plan to migrate line-of-business applications ........................................................... 16
Create a plan to migrate email that is hosted on Windows Small Business Server 2003 ...... 17
Create a migration answer file for Windows SBS 2011 Essentials migration ............................... 17
Copy the migration answer file to removable media .................................................................. 18
Install Windows SBS 2011 Essentials in migration mode for Windows SBS 2011 Essentials
migration ..................................................................................................................................... 19
Install Windows SBS 2011 Essentials on the Destination Server .............................................. 19
Configure the DNS of the local network adapter ........................................................................ 20
Join the Destination Server to the domain of the Source Server ............................................... 21
Back up and remove the Certification Authority from the Destination Server ........................ 21
Promote the Destination Server to a domain controller .......................................................... 21
Install and restore the Certification Authority ............................................................................. 23
Transfer the operations master roles for Windows SBS 2011 Essentials migration ..................... 25
Transfer the global catalog to the Destination Server for Windows SBS 2011 migration ............. 26
Transfer the global catalog to the Destination Server ................................................................ 26
Enable the UPnP beacon for the Destination Server ................................................................. 27
Verify the health of the domain controller .................................................................................. 28
Reconfigure DNS for the local network adapter ......................................................................... 28
Import users and the Destination Server into the Dashboard for Windows SBS 2011 Essentials
migration ..................................................................................................................................... 29
Join computers to the new Windows SBS 2011 Essentials network ............................................ 34
Domain-joined client computers ............................................................................................. 34
Non-domain-joined client computers ...................................................................................... 34
Ensure that Group Policy has updated ................................................................................... 34
Move settings and data to the Destination Server for Windows SBS 2011 Essentials migration . 35
Copy data to the Destination Server .......................................................................................... 35
Configure the network ................................................................................................................ 36
Verify that Terminal Services Gateway has configured the correct certificates ......................... 37
Remove legacy logon settings and Active Directory Group Policy objects................................ 37
Remove old logon scripts (optional) ........................................................................................... 37
Remove legacy Active Directory Group Policy objects (optional) .............................................. 38
Map permitted computers to user accounts ............................................................................... 39
Demote and remove the Source Server from the new Windows SBS 2011 Essentials network .. 40
Prepare your organization for the removal of the last server running Exchange Server 200340
Uninstall Exchange Server 2003 ............................................................................................ 41
Disconnect printers that are directly connected to the Source Server ................................... 41
Demote the Source Server ..................................................................................................... 41
Move the DHCP Server role from the Source Server to the router ........................................ 42
Remove and repurpose the Source Server ............................................................................ 43
Delete the old folder redirection Group Policy object for Windows SBS 2011 Essentials migration
.................................................................................................................................................... 44
Perform optional post-migration tasks for Windows SBS 2011 Essentials migration ................... 44
Move natively joined Active Directory computer objects ........................................................ 45
Delete DNS entries of the Source Server ............................................................................... 45
Share line-of-business and other application data folders ..................................................... 46
Fix client computer issues after migrating .............................................................................. 46
Run the Windows Server Solutions Best Practices Analyzer ........................................................ 47
Migrating Windows Small Business Server
2003 to Windows Small Business Server
2011 Essentials
This guide describes how to migrate an existing Windows SBS 2003 domain to Windows SBS
2011 Essentials on new hardware, and then to migrate the settings and data. This guide also
describes how to remove your existing server from the Windows SBS 2011 Essentials network
after you finish the migration.
Important
Windows SBS 2011 Essentials requires a 64-bit environment. Windows SBS 2011
Essentials does not support a 32-bit environment.
Important
To avoid problems during migration, we recommend that you read this document before
you begin the migration.
Note
To download the most recent printable version of this guide, see Migrating Windows
Small Business Server 2003 to Windows Small Business Server 2011 Essentials in the
Microsoft® Download Center.
Additional resources
For links to additional information, tools, and community resources to help guide you through the
migration process, visit the Windows Small Business Server Migration website.
Terms and definitions
Source Server: The existing server from which you are migrating your settings and data.
Destination Server: The new server to which you are migrating your settings and data.
Migration process summary
This Migration Guide includes the following steps:
1. Prepare your Source Server for Windows SBS 2011 Essentials migration. You must ensure
that your Source Server and network are ready for migration. This section guides you through
backing up the Source Server, evaluating the Source Server system health, installing the
most recent service packs and fixes, and verifying the network configuration.
5
2. Create a migration answer file for Windows SBS 2011 Essentials migration. Windows SBS
2011 Essentials Setup uses an answer file to automate the installation and run Setup in
migration mode. This section guides you through creating the migration answer file.
3. Install Windows SBS 2011 Essentials in migration mode for Windows SBS 2011 Essentials
migration. This section explains how to use the migration answer file to install Windows SBS
2011 Essentials on the Destination Server in migration mode.
4. Transfer the operations master roles for Windows SBS 2011 Essentials migration. The
operations master roles must be transferred to the Destination Server within 21 days of
installing Windows SBS 2011 Essentials on the Destination Server.
5. Transfer the global catalog to the Destination Server for Windows SBS 2011 migration. To
transfer the global catalog from the Source Server, you will create a new global catalog on
the Destination Server, and then remove the existing global catalog on the Source Server.
6. Import users and the Destination Server into the Dashboard for Windows SBS 2011
Essentials migration. You can use Windows PowerShell® commands to import user names
and the Destination Server into the Dashboard, or you can use a script to automate the
import process.
7. Join computers to the new Windows SBS 2011 Essentials network. This section covers
joining client computers to the new Windows SBS 2011 Essentials network and updating
Group Policy settings.
8. Move settings and data to the Destination Server for Windows SBS 2011 Essentials
migration. This section provides information about migrating data and settings from the
Source Server.
9. Demote and remove the Source Server from the new Windows SBS 2011 Essentials
network. Prior to removing the Source Server from the network, you must force a Group
Policy update and demote the Source Server.
10. Delete the old folder redirection Group Policy object for Windows SBS 2011 Essentials
migration. Use the Group Policy Management Console to delete the old Folder Redirection
Group Policy object from the Destination Server.
11. Perform optional post-migration tasks for Windows SBS 2011 Essentials migration. After you
finish migrating all settings and data to Windows SBS 2011 Essentials, you may want to map
permitted computers to user accounts.
12. Run the Windows Server Solutions Best Practices Analyzer. After you finish migrating
settings and data to Windows SBS 2011 Essentials, you should download and run the
Windows Server Solutions BPA.
Several of the migration procedures require that you open a Command Prompt window as an
Administrator.
To open a Command Prompt window as an Administrator
1. Click Start.
2. In the search box, type cmd.
3. In the list of results, right-click cmd, and then click Run as administrator.
6
Prepare your Source Server for Windows
SBS 2011 Essentials migration
Complete the following preliminary steps to ensure that the settings and data on your Source
Server migrate successfully to the Destination Server.
To prepare for migration
1. Back up your Source Server
2. Install the most recent service packs
3. Verify the network configuration
4. Use Windows SBS 2003 Best Practice Analyzer to evaluate the health of the Source
Server
5. Synchronize the Source Server time with an external time source
6. Prepare Active Directory for migration
7. Create a plan to migrate line-of-business applications
8. Create a plan to migrate email that is hosted on Windows Small Business Server 2003
Back up your Source Server
Back up your Source Server before you begin the migration process. Making a backup helps
protect your data from accidental loss if an unrecoverable error occurs during migration.
To back up the Source Server
1. Perform a full backup of the Source Server. For more information about backing up
Windows SBS 2003, see Backing Up and Restoring Windows Small Business
Server 2003.
2. Verify that the backup ran successfully. To test the integrity of the backup, select random
files from your backup, restore them to an alternate location, and then confirm that the
restored files are the same as the original files.
Install the most recent service packs
You must install the latest updates and service packs on the Source Server prior to migration. If
updates or service packs are missed, the Source Server will not be eligible for migration, and the
Migration Preparation Tool will report the problem and ask you to install the necessary updates
before proceeding.
Before installing a service pack, back up your server.
7
To install updates by using Windows Update
1. Click Start, click All Programs, and then click Windows Update.
2. Click Check for updates.
3. If you are asked to configure Windows Update settings, perform the following steps:
a. Click OK.
b. Click Change settings, which is located under the Check for updates link, and then
configure the Windows Update settings.
c.
Click Check for updates.
4. Click Install Updates to apply identified updates.
5. For each Microsoft Software License Term that is displayed, review the text and click Yes
to accept.
6. If prompted, restart the Source Server
7. To verify that the updates are installed, click Start, click Control Panel, click Programs,
and then click View installed updates.
Next, install individual service packs by performing the following procedures that apply to your
Source Server.
Install Windows SBS 2003 Service Pack 1
Install Windows SBS 2003 Service Pack 1 (SP1), if it is not yet installed. You can
download Windows SBS 2003 SP1 at the Microsoft Windows Small Business
Server 2003 Service Pack 1 (SP1) website.
Important
To ensure that the correct version of Microsoft .NET Framework is installed, you
must install Windows SBS 2003 SP1 before you install Windows Server 2003
Service Pack 2 (SP2).
Install Windows Server 2003 Service Pack 2
Install Windows Server 2003 SP2, if it is not yet installed. You can download Windows
Server 2003 SP2 at the Windows Server 2003 Service Pack 2 website.
Notes
If you experience network-related issues after installing SP2, see article 948496 in
the Microsoft Knowledge Base.
To learn more about the best practices and known issues that are related to SP2 for
Windows Server 2003, see article 939421 in the Microsoft Knowledge Base.
Note
8
Although Exchange Server and SharePoint® Services are not migrated during the
process documented here, we recommend that you create a well-known configuration for
these applications by applying the required service packs.
Install Exchange Server 2003 Service Pack 2
Install Exchange Server 2003 Service Pack 2 (SP2), if it is not installed. You can
download Exchange Server 2003 SP 2 from the Service Pack 2 for Exchange
Server 2003 website.
Note
Windows SBS 2011 Essentials does not directly support migrating Windows
SharePoint Services 3.0 or Windows Server Update Services 3.0 from Windows
SBS 2003 to Windows SBS 2011 Essentials. For information about migrating
Windows SharePoint Services 3.0, see Upgrading to SharePoint
Foundation 2010.
Install Windows SharePoint Services 2.0 Service Pack 3
Install Windows SharePoint Services 2.0 Service Pack 3, if it is not installed. Download it
from the Windows SharePoint Services Service Pack 3 (SP3) website, and then install it.
Install Microsoft Core XML Services (MSXML) 6.0 Service Pack 1
Download MSXML 6.0 from the Microsoft Core XML Services (MSXML) 6.0 Service
Pack 1 website.
Verify the network configuration
To prepare for migration, you must install a router on your network to use as a gateway to the
Internet. You must also configure your Source Server to use one network adapter, and disable
your virtual private network (VPN) on the Source Server (if it is running).
Reconfiguring your existing network
Before you can migrate your network to Windows SBS 2011 Essentials, you must install and
configure a router on your network and configure the Source Server to use one network adapter.
When you are done, your network will look like the following figure:
9
To configure the Source Server to use one network adapter
1. Unplug the network adapter from the broadband connection.
2. Install a router on your network as shown in the previous figure.
3. To make sure that the Windows SBS 2011 Essentials Installation Wizard can find the
router on your network, ensure that the IP address on the network adapter within the
router is set to 192.168.x.1 or 192.168.x.254, where x is a number from 1 to 254. This IP
address is the default gateway address for your network.
Note
For information about installing and configuring a router, see the documentation
from your router manufacturer.
4. On the Source Server, run the Configure E-mail and Internet Connection Wizard to
configure the Source Server for one network adapter, as follows:
To configure the Source Server for one network adapter
a. Click Start, and then click Server Management.
b. In the console pane, click To Do List.
c.
In the details pane, click Connect to the Internet.
d. Complete the wizard.
5. If you are using a VPN on the Source Server, disable it. To disable the VPN on the
Source Server, run the Remote Access Wizard, as follows:
To disable the VPN on the Source Server
a. Click Start, and then click Server Management.
b. In the console pane, click Internet and E-mail.
c.
In the details pane, click Configure Remote Access.
d. Complete the wizard, and make sure that you click Disable remote access
10
on the Remote Access Method page.
6. If you have computers or devices that are configured with static IP addresses or DHCP
Server role settings, you must manually update each of them with the new default
gateway IP address.
Verify the settings for the DHCP Server role
Windows SBS 2003 is configured to run the DHCP Server role. However, Windows SBS 2011
Essentials does not use the DHCP Server role, and you will eventually need to move the DHCP
Server role to the router. During migration, you can manage the DHCP Server role from the
Source Server or from the router, depending on your current network configuration:
If you are running the DHCP Server role on the Source Server, we recommend that you
continue to run this role from the Source Server during migration. After you have removed the
Source Server from the network, move the DHCP Server role to the router.
If your network already runs the DHCP Server role from the router, and it is running without
issues, we recommend that you continue to run the DHCP Server role from the router during
migration.
Note
Ensure that your Source Server is in a healthy state before you proceed by performing
the procedures in the following section.
Use Windows SBS 2003 Best Practice Analyzer to evaluate the
health of the Source Server
If your Source Server is running Windows SBS 2003, you can run the Windows SBS 2003 Best
Practices Analyzer (BPA) to verify that there are no issues on your server, network, or domain
before you start the migration process.
Note
If your Source Server is running Windows Server 2003 Standard Edition, you cannot use
the Windows SBS 2003 BPA. In these cases, make sure that you run the Windows
Support Tools to determine if there are any network issues that you need to resolve.
Run the Windows SBS 2003 Best Practices Analyzer
Note
Your Source Server must be running Windows SBS 2003 to run the Windows SBS 2003
BPA.
The Windows SBS 2003 BPA collects configuration information from the following sources:
Active Directory® Windows Management Instrumentation (WMI)
The registry
11
The Internet Information Services (IIS) metabase
The Windows SBS 2003 BPA checks the following services and applications:
Exchange Server
Update Services
Network configuration
Windows SharePoint Services
Microsoft SQL Server™
To use the Windows SBS 2003 BPA to analyze your Source Server
1. Download and install the Windows SBS 2003 BPA from the Microsoft Windows Small
Business Server 2003 Best Practices Analyzer website.
2. After the download is complete, click Start, click All Programs, and then click SBS Best
Practices Analyzer Tool.
Note
Check for updates before you scan the server.
3. In the navigation pane, click Start a scan.
4. In the details pane, type the scan label. The scan label is the name of the scan report, for
example SBS BPA Scan 8Jun2011. Click Start scanning.
5. After the scan finishes, click View a report of this Best Practices scan.
After the Windows SBS 2003 BPA collects and analyzes the information, it presents a list of
issues that are sorted by severity. The Windows SBS 2003 BPA describes each issue that it
encountered and suggests solutions. Three report types are available:
Report Type
Description
List Reports
Displays reports in a one-dimensional list.
Tree Reports
Displays reports in a hierarchical list.
Other Reports
Displays reports such as a Run-Time Log.
To view the description and the solutions for an issue, click the issue in the report. Not all of the
issues that are reported by the Windows SBS 2003 BPA affect migration, but you should solve as
many of the issues as possible to ensure that the migration is successful.
Run the Windows Support Tools
To determine if there are any other problems with the network, run the Windows Support Tools
after you run the Windows SBS 2003 BPA.
The following table lists the tools that you can use to diagnose issues on your server, network,
and domain:
12
Tool
Description
Netdiag.exe
Helps isolate networking and connectivity
issues. For more information and to download
this tool, see Netdiag.
Dcdiag.exe
Analyzes the state of domain controllers in a
forest or enterprise, and reports issues to assist
you in troubleshooting. For more information
and to download this tool, see Dcdiag.
Repadmin.exe
Assists you in diagnosing replication issues
between domain controllers. This tool requires
command-line parameters to run. For more
information and to download this tool, see
Repadmin.
You should correct all the issues that these tools report before you proceed with the migration.
Synchronize the Source Server time with an external time source
The time on the Source Server must be set to within five minutes of the time on the Destination
Server, and the date and time zone must be the same on both servers. If the Source Server is
running in a virtual machine, the date, time, and time zone on the host server must match that of
the Source Server and the Destination Server. To help ensure that Windows SBS 2011
Essentials is installed successfully, you must synchronize the Source Server time to the Network
Time Protocol (NTP) server on the Internet.
To synchronize the Source Server time with the NTP server
1. Log on to the Source Server with a domain administrator account and password.
2. Click Start, click Run, type cmd in the text box, and then press ENTER.
3. At the command prompt, type w32tm /config /syncfromflags:domhier /reliable:no
/update, and then press ENTER.
4. At the command prompt, type net stop w32time, and then press ENTER.
5. At the command prompt, type net start w32time, and then press ENTER.
Important
During the Windows SBS 2011 Essentials installation, you have an opportunity to verify
the time on the Destination Server and change it, if necessary. Ensure that the time is
within five minutes of the time that is set on the Source Server. When the installation
finishes, the Destination Server synchronizes with the NTP. All domain-joined computers,
including the Source Server, synchronize to the Destination Server, which assumes the
role of the primary domain controller (PDC) emulator master.
13
Raise the functional level of the Active Directory domain and
forest
When Windows SBS 2003 is installed on a server, the functional level of the Active Directory
domain and forest are set to the Microsoft Windows 2000 operating system. To finish the
migration successfully, you must raise the level of the domain and forest to Windows
Server 2003. For more information about raising the functional level of the AD DS domain and
forest, see article 322692 in the Microsoft Knowledge Base.
Important
If you have domain controllers that are running the Windows NT® 4.0 operating system
or earlier, or Windows 2000 Server, you must demote them before you can raise the
domain functional level to Windows Server 2003. Also, after you raise the domain
functional level to Windows Server 2003, you cannot change it back to Windows 2000
mixed mode or to Windows 2000 native mode.
Important
You must be a member of the Domain Admins group in the domain for which you want to
raise functionality or the Enterprise Admins group in Active Directory Domain Services
(AD DS), or you must be delegated the appropriate authority. As a security best practice,
you should use Run as to perform this procedure.
To raise the functional level of the domain
1. On the Source Server, click Start, point to Administrative Tools, and then click Active
Directory Domains and Trust.
2. In the console pane, right-click the domain for which you want to raise the functional
level, and then click Raise Domain Functional Level.
Note
The current domain functional level is displayed in Current domain functional
level, in the Raise Domain Functional Level dialog box.
3. In Select an available domain functional level, click Windows Server 2003, click
Raise, and then click OK in the warning dialog box.
To raise the functional level of the forest
1. On the Source Server, click Start, point to Administrative Tools, and then click Active
Directory Domains and Trust.
2. In the console pane, right-click Active Directory Domains and Trusts, and then click
Raise Forest Functional Level.
Note
The current forest functional level is displayed in Current forest functional
level, in the Raise Forest Functional Level dialog box.
3. In Select an available forest functional level, click Windows Server 2003, click Raise,
14
and then click OK in the warning dialog box.
If you receive a warning about having a Windows 2000 Server domain controller and you want to
continue with the migration, you should demote the server that is running Windows 2000 Server
to avoid problems during migration.
Prepare Active Directory for migration
To prepare for migration, you need to:
1. Extend the AD DS schema
2. Update permissions on the Source Server
3. Extend the time limit for finishing the migration
You can use the Active Directory Preparation Tool (Adprep32) to extend the AD DS schema and
update permissions as necessary to prepare the forest and domain for a domain controller that is
running Windows SBS 2011 Essentials. The AD DS schema in Windows SBS 2011 Essentials is
not the same as the AD DS schema in Windows SBS 2003 or in Windows Server 2003. To
successfully complete the migration process, you must update the AD DS schema on the Source
Server if it is running Windows SBS 2003 or Windows Server 2003.
Important
Back up your Source Server before you run Adprep32. All changes that the tool makes to
the schema are irreversible. If you experience issues during the migration, you can only
return the Source Server to the state before you ran the tool by restoring the system
backup.
Important
Be sure that you have installed Windows SBS 2003 Service Pack 2 on the Source Server
before you run Adprep32.
Note
To run Adprep32, you need Microsoft .NET Framework 2.0 SP1 on the Source Server.
To download and install Microsoft .NET Framework 2.0 SP1, see Microsoft .NET
Framework 2.0 Service Pack 1 (x86).
Important
To run Adprep32, you must be a member of the Enterprise Admins group, the Schema
Admins group, and the Domain Admins group.
To verify that you have the appropriate permissions to run Adprep32 on Windows
SBS 2003
1. On the Source Server, click Start, and then click Server Management.
2. In the navigation pane, click Users.
3. Right-click the administrator account that you are using for the migration, and then click
Properties.
15
4. Click the Member Of tab, and then verify that Enterprise Admins, Schema Admins, and
Domain Admins are listed in the Member of text box.
5. If the groups are not listed, click Add, and then add each group that is not listed.
Note
You must log off and log back on the server for the changes to take effect.
To prepare Active Directory
1. Open a Command Prompt window as an administrator. See To open a Command Prompt
window as an Administrator.
2. At the command prompt, type <DVDDrive>:\support\adprep32 /forestprep, where
<DVDDrive> is the drive in which you have Windows SBS 2011 Essentials DVD1, and
press ENTER.
3. At the command prompt, type <DVDDrive>:\support\adprep32 /domainprep /gpprep,
where <DVDDrive> is the drive in which you have Windows SBS 2011 Essentials DVD1,
and press ENTER.
4. Install the update Software Update to Support “Join Domain” Migration of Windows Small
Business Server 2003 Data and Settings to New Hardware. This update extends the time
limit for finishing the migration. Normally, only one server running Windows SBS 2011
Essentials or Windows SBS 2003 is allowed to be a domain controller on your network,
but there is a limited exception for a migration. The update extends the time limit for the
exception to 21 days.
5. Restart the Source Server.
Create a plan to migrate line-of-business applications
A line-of-business (LOB) application is a critical computer application that is vital to running a
business. LOB applications include accounting, supply-chain management, and resourceplanning applications.
When you plan to migrate your LOB applications, consult with the LOB application providers to
determine the appropriate method for migrating each application. You also must locate the media
that is used to install the LOB applications on the Destination Server.
You can fill in the following table as you collect LOB application information. A good place to start
collecting information is to run Windows Control Panel, click Programs and look in the Program
Files (x86) and the Program Files folders.
Application or general data folder
Path to data
Notes
name
16
Create a plan to migrate email that is hosted on Windows Small
Business Server 2003
In Windows SBS 2003, email is provided through Exchange Server 2003. However, Windows
Small Business Server 2011 Essentials does not provide an inbox email service. If you are
currently using Windows SBS 2003 to host your company’s email, you will need to migrate to an
alternate on-premise or hosted solution.
Note
After you update and prepare your Source Server for migration, we recommend that you
create a backup of the updated server before you continue the migration process.
Next topic: Create a migration answer file for Windows SBS 2011 Essentials migration
Create a migration answer file for Windows
SBS 2011 Essentials migration
Use Notepad to create the migration answer file. Save the answer file in the root directory of a
USB flash drive or other removable media. Values in the answer file pertain to the Destination
Server.
Important
The answer file contains logon and password information that can be used to log on to
your server. To help protect your server, delete the answer file when you finish migrating
to Windows SBS 2011 Essentials.
To create a migration answer file
1. Click Start, click All Programs, click Accessories, and then click Notepad.
2. Copy the following content and paste it into the file. Do not put any other content in the
file.
Note
The following values are for the Destination Server.
[WinPE]
[InitialConfiguration]
AcceptEula=true
CompanyName=<CompanyName>
17
ServerName=<ServerName>
PlainTextPassword=<Password>
Settings=All
Migration=true
where
<CompanyName> is the friendly name of the company, for example Contoso Ltd.
<ServerName> is the name of the server, for example Contoso-srv
<Password> is the password for the local administrator, for example Pass@word1
Note
Do not change the other fields.
3. Click File, click Save, and browse to the root directory of the removable media.
4. In the File name text box, type cfg.ini; in Save as type, select All Files; and then click
Save.
Important
When saving the file, you must choose All Files for the Save as type to ensure
that Notepad does not append the file name with a .txt extension.
Copy the migration answer file to removable
media
Important
You must complete this step before you start the migration.
Copy the migration answer file to the root partition of a USB flash drive or other removable media
(for example, G:\cfg.ini). Then, insert the media into the Destination Server before you start
migrating to Windows SBS 2011 Essentials. If the Windows SBS 2011 Essentials installation
wizard detects a migration answer file, the migration starts automatically.
Important
When you finish migrating to Windows SBS 2011 Essentials, delete the answer file.
Next topic: Install Windows SBS 2011 Essentials in migration mode for Windows SBS 2011
Essentials migration
Previous topic: Prepare your Source Server for Windows SBS 2011 Essentials migration
18
Install Windows SBS 2011 Essentials in
migration mode for Windows SBS 2011
Essentials migration
Important
Windows SBS 2011 Essentials requires a 64-bit environment. Windows SBS 2011
Essentials does not support a 32-bit environment.
A Windows SBS 2011 Essentials server will be ready for migrating data and settings after you
install and configure Windows SBS 2011 Essentials in migration mode, as follows:
1. Install Windows SBS 2011 Essentials on the Destination Server
2. Configure the DNS of the local network adapter
3. Join the Destination Server to the domain of the Source Server
4. Install and restore the Certification Authority
Install Windows SBS 2011 Essentials on the
Destination Server
To install and configure Windows SBS 2011 Essentials on the Destination Server in migration
mode, perform the following procedure.
To install Windows SBS 2011 Essentials on the Destination Server
1. Turn on the Destination Server and insert Windows SBS 2011 Essentials DVD1 into the
DVD drive. If you see a message that asks if you want to boot from a CD or DVD, press
any key to do so.
Note
If the Destination Server does not boot from the DVD, restart the computer and
check the BIOS Setup to ensure that DVD-ROM is listed first in the boot
sequence. For more information about how to change the BIOS Setup boot
sequence, see your hardware manufacturer's documentation.
Note
If the removable media that contains the answer file is a USB device, you must
change the boot order in the BIOS Setup to assure that the server does not
attempt to boot to the USB device.
2. Insert the USB device or other removable media that contains the migration answer file in
the Destination Server.
Note
The migration answer file is automatically detected on the root of any drive. If the
19
migration answer file is configured to run the installation in unattended mode,
values from the file are used during migration. You will not be prompted for
values unless they are invalid or missing from the answer file.
3. If you are installing the multilanguage version of Windows SBS 2011 Essentials, doubleclick one of the listed languages. If you are installing a single-language version, you will
not be asked to choose a language.
4. Click New Installation.
5. If you have an internal hard drive that is not displayed in the list, click Load Drivers and
install the necessary driver before continuing.
6. Select the check box that verifies all files and folders on your primary hard drive will be
deleted, and then click Install.
7. When you receive the message "Your server is partially set up and is ready for you to
start migration," click Close.
After the installation finishes, you are automatically logged on with the administrator user account
and password that you provided in the migration answer file.
Note
To unlock the desktop while Windows SBS 2011 Essentials is installing, use the built-in
administrator account and leave the password blank.
Configure the DNS of the local network adapter
To resolve the existing domain name, perform the following steps to set the Domain Name
System (DNS) address of the Destination Server to the IP address of the Source Server.
Note
You can also resolve the existing domain name by configuring the router to provide the IP
address of the Source Server as the DNS address. However, you will need to perform
this task again after the Destination Server becomes the primary server on the network.
To obtain the IP address of the Source Server
1. Open a Command Prompt window on the Source Server.
2. At the command prompt, type ipconfig and press ENTER.
3. Record the IP address that is displayed.
To set the IP address of the Destination Server
1. Click the network icon in the notification area, click Network and Sharing Center, and
then click the link that is displayed.
2. Click Change adapter settings.
3. Right-click the network adapter, and then click Properties.
4. Select Internet Protocol Version 4 (TCP/IPv4), and then click Properties.
20
5. Select Use the following DNS server addresses, and in the Preferred DNS server text
box, type the IP address of the Source Server that you previously recorded.
Join the Destination Server to the domain of the
Source Server
Joining the Destination Server to the domain of the Source Server requires backing up and
removing the Certification Authority from the Destination Server, then promoting the Destination
Server to be a domain controller.
Back up and remove the Certification Authority from the
Destination Server
The Certification Authority must be removed from the Destination Server before it can join the
domain. Perform the following steps to back up and remove the Certification Authority.
To back up the Certification Authority
1. In the Destination Server, open Windows Explorer and create an empty folder called
C:\CA_Backup.
2. Click Start, point to Administrative Tools, and click Certification Authority.
3. Right-click <ServerName>-CA, point to All Tasks, and select Backup the CA…
4. Click Next on the welcome page.
5. Ensure that Private Key and CA certificate and Certificate database and certificate
database log are selected, choose a location such as C:\CA_Backup, and then click
Next.
6. Type and confirm a password for restoring the database, click Next, then click Finish to
finish the wizard.
To remove the Certification Authority
1. Click Start, click Administrative Tools, and then click Server Manager.
2. Under Roles Summary, click Remove Roles.
3. On the Before You Begin page, click Next.
4. Clear the Active Directory Certificate Services check box, and then click Next.
5. Confirm that only the Certification Authority is selected for removal, and click Remove.
6. After the Certification Authority is removed, click Close.
Promote the Destination Server to a domain controller
You must promote the Destination Server to a domain controller in the existing Windows
SBS 2011 Essentials forest within six days of installing Windows SBS 2011 Essentials.
Use the DCPromo tool to promote the Destination Server as described in this section.
21
To promote the Destination Server to a domain controller
1. Perform the following steps to create an answer file on the administrator’s desktop.
Important
The answer file contains logon and password information that can be used to log
on to your server. To help protect your server, delete the answer file after
promoting the Destination Server to a domain controller.
a. Click Start, click All Programs, click Accessories, and then click Notepad.
b. Copy the following content and paste it into the file. Do not put any other content into
the file.
[DCINSTALL]
UserName=<domain-admin-user-name>
Password=<domain-admin-password>
UserDomain=<domain>.local
DatabasePath=%systemroot%\ntds
LogPath=%systemroot%\ntds
SYSVOLPath=%systemroot%\sysvol
SafeModeAdminPassword=<domain-admin-password>
ConfirmGc=Yes
InstallDNS=yes
CreateDNSDelegation=No
CriticalReplicationOnly=no
ReplicaOrNewDomain=Replica
ReplicaDomainDNSName=<domain>.local
ReplicationSourceDC=<Source-Server-Name>.<domain>.local
RebootOnCompletion=No
ApplicationPartitionsToReplicate=""*"";
Leave the rest of the file blank.
Important
The <domain>, <domain-admin-user-name>, and <domain-adminpassword> must reference the Source Server domain.
c.
Click File, click Save, and then in the left pane, click Desktop.
d. In the File name text box, type dc-cfg.ini; for Save as type, choose All Files; and
then click Save.
2. Open a Command Prompt window as an administrator. For more information, see To
open a Command Prompt window as an Administrator.
22
3. Type the following command, and then press ENTER.
DCPROMO /unattend:”C:\Users\Administrator\Desktop\dc-cfg.ini”
After the DCPromo tool runs, the process status appears.
Note
If DCPromo does not succeed because of an incorrect entry in the answer file,
the tool may erase the passwords from the dc-cfg.ini file. If this occurs, add the
passwords back into the file before you run the tool again.
4. Restart the Destination Server to complete the operation.
5. Log on to the Destination Server as the domain administrator by using the same
username and password that you use on the Source Server.
6. To verify that the server is a domain controller, click Start, click Administrative Tools,
and then click Active Directory Users and Computers.
7. Expand the node <domain>.local, where <domain> is the Source Server domain, and
then click the Domain Controllers node. The Source Server and the Destination Server
should appear in this node with GC in the DC Type column.
Important
Delete the answer file after you promote the Destination Server to a domain
controller.
Install and restore the Certification Authority
To install the Certification Authority
1. On the Destination Server, click Start, point to Administrative Tools, and then click
Server Manager.
2. In the Roles Summary section, click Add Roles.
3. On the Before You Begin page, click Next.
4. On the Server Roles page, select Active Directory Certificate Services, and then click
Next.
5. On the Introduction to Active Directory Certificate Services page, click Next.
6. On the Select Role Services page, select Certification Authority and Certification
Authority Web Enrollment, and then click Next.
7. On the Specify Setup Type page, select Standalone, and then click Next.
8. On the Specify CA Type page, select Root CA, and then click Next.
9. On the Set Up Private Key page, select Use existing private key, choose the Select a
certificate and use its associated private key option, and then click Next.
10. On the Select Existing Certificate page, choose the <ServerName>-CA certificate
(where <ServerName> is the name of your Destination Server), and then click Next.
11. On the Configure Certificate Database page, accept the default locations, or click
Browse if you want to save the database or log file to a different location. Then click
23
Next.
12. Confirm your selections, and then click Install.
13. When the wizard is finished, click Close, and then restart the server.
To restore the Certification Authority
1. Click Start, point to Administrative Tools, and then click Certification Authority.
2. In the Certification Authority console tree, right-click <ServerName>-CA (where
<ServerName> is the name of your Destination Server), click All Tasks, and then click
Restore CA.
3. If you are asked to stop Active Directory Certificate Services, click OK.
4. The Certification Authority Restore Wizard appears. Click Next on the Welcome page
of the wizard.
5. On the Items to Restore page, select Private key and CA certificate and Certificate
database and certificate database log, type or browse to C:\CA_Backup, and then
click Next.
Note
For an incremental restore, select the full backup file and complete the wizard.
Then re-run the wizard and select subsequent incremental backup files.
6. On the Provide Password page, type a password for gaining access to the private key
and the CA certificate file, and then click Next.
7. When the wizard completes, click Finish.
8. You are asked if you want to start Active Directory Certificate Services. If you have
additional incremental backups to restore, click No to re-run the wizard and continue
restoring. If restoration is complete, click Yes to start Active Directory Certificate
Services.
Configure the CRL distribution list
1. Click Start, point to Administrative Tools, and then click Certification Authority.
2. Right-click the server name, and then click Properties.
3. Click the Extensions tab.
4. In the list that is displayed, click
http://<ServerDNSName>/CertEnroll/<CaName><CRLNAMESUFFIX><DELTACRLAL
LOWED>.crl, and ensure that the following options are selected:
Include in CRLs. Clients use this to find the Delta CRL location.
Include in the CDP extension of issued certificates.
5. If the noted URL does not appear in the list, click Add, and in the location field, type
http://<ServerDNSName>/CertEnroll/<CaName><CRLNAMESUFFIX><DELTACRLAL
LOWED>.crl, and then click OK
6. On the Extensions tab, click
http://<ServerDNSName>/CertEnroll/<CaName><CRLNAMESUFFIX><DELTACRLAL
24
LOWED>.crl, and ensure that the following options are selected:
Include in CRLs. Clients use this to find the Delta CRL location.
Include in the CDP extension of issued certificates.
7. Click OK to save your changes.
8. When you are asked to restart Active Directory Certificate Services, click Yes.
Next topic: Transfer the operations master roles for Windows SBS 2011 Essentials migration
Previous topic: Create a migration answer file for Windows SBS 2011 Essentials migration
Transfer the operations master roles for
Windows SBS 2011 Essentials migration
The operations master (also called flexible single master operations or FSMO) roles must be
transferred from the Source Server to the Destination Server within 21 days of installing Windows
SBS 2011 Essentials on the Destination Server.
To transfer the operations master roles
1. On the Destination Server, open a Command Prompt window as an administrator. See
To open a Command Prompt window as an Administrator.
2. At the command prompt, type NETDOM QUERY FSMO, and then press ENTER.
3. At the command prompt, type ntdsutil, and then press ENTER.
4. At the ntdsutil command prompt, enter the following commands:
a. Type activate instance NTDS, and then press ENTER.
b. Type roles, and then press ENTER.
c.
Type connections, and then press ENTER.
d. Type connect to server <ServerName> (where <ServerName> is the name of the
Destination Server), and then press ENTER.
e. At the command prompt, type q, and then press ENTER.
Type transfer PDC, press ENTER, and then click Yes in the Role Transfer
Confirmation dialog box.
Type transfer infrastructure master, press ENTER, and then click Yes in the
Role Transfer Confirmation dialog box.
Type transfer naming master, press ENTER, and then click Yes on the Role
Transfer Confirmation dialog box.
Type transfer RID master, press ENTER, and then click Yes on the Role
Transfer Confirmation dialog box.
Type transfer schema master, press ENTER, and then click Yes on the Role
25
Transfer Confirmation dialog box.
f.
Type q, and then press ENTER until you return to the command prompt.
Note
From any server on the network, you can verify that the operations master roles have
been transferred to the Destination Server. Open a Command Prompt window as an
administrator (for more information, see To open a Command Prompt window as an
Administrator). Then, type netdom query fsmo and press ENTER.
Next topic: Transfer the global catalog to the Destination Server for Windows SBS 2011
migration
Previous topic: Install Windows SBS 2011 Essentials in migration mode for Windows SBS 2011
Essentials migration
Transfer the global catalog to the Destination
Server for Windows SBS 2011 migration
To ensure that the Destination Server is the global catalog for the network, transfer the global
catalog from the Source Server and configure services and domain settings, as follows:
1. Transfer the global catalog to the Destination Server
2. Enable the UPnP beacon for the Destination Server
3. Verify the health of the domain controller
4. Reconfigure DNS for the local network adapter
Transfer the global catalog to the Destination
Server
To transfer the global catalog, create a new global catalog on the Destination Server, and then
remove the existing global catalog on the Source Server.
To create a global catalog on the Destination Server
1. On the Destination Server, click Start, point to Administrative Tools, and then click
Active Directory Sites and Services.
2. In the Active Directory Sites and Services console tree, double-click Sites, and then
double-click Default-First-Site-Name.
3. Expand the Servers folder, click the name of the Destination Server, right-click NTDS
Settings, and then click Properties.
4. On the General tab, select the Global catalog option if it is not already selected, and
then click OK.
5. Restart the Destination Server.
26
Note
Allow sufficient time for the account and the schema information to replicate to the
Destination Server before you remove the global catalog from the Source Server.
Before you continue, verify that the replication completed successfully, as follows:
1. Click Start, click Administrative Tools, and then click Active Directory Users and
Computers.
2. Expand the node <domain>.local, where <domain> is the Source Server domain, and then
select the Domain Controllers node. The Destination Server should appear in this node with
GC in the DC Type column.
Note
You can perform additional verification by using the tools that are listed in the section
Verify the health of the domain controller.
Note
Event 1119 might be logged in the Directory Services log in Event Viewer stating that the
Destination Server is now advertising itself as a global catalog server.
To remove the global catalog from the Source Server
1. On the Source Server, click Start, click All Programs, click Administrative Tools, and
then click Active Directory Sites and Services.
2. In the console tree, double-click Sites, and then double-click Default-First-Site-Name.
3. Double-click Servers, click the name of the Source Server, right-click NTDS Settings,
and then click Properties.
4. On the General tab, clear the Global catalog option, and then click OK.
5. Restart the Source Server.
Enable the UPnP beacon for the Destination
Server
The UPnP™ beacon is used to advertise the location of the Destination Server to the client
computers. To enable Launchpad to find the Destination Server, perform the following steps to
enable and start the necessary services.
1. On the Destination Server, click Start, click Administrative Tools, and then click Services.
2. On the Services console, find the following services:
SSDP Discovery
UPNP Device Host
Windows Server UPNP Device Service
3. If any of the previously listed services are disabled, enable each disabled service as follows:
27
a. Right-click the service name, click Properties, change the Startup type to Automatic,
and then click OK.
b. Right-click the service name, and then click Start.
Note
If a service already has an Automatic startup type, but it is not running, right-click the
service name, and click Start.
Verify the health of the domain controller
Before proceeding with the migration, you should ensure that the domain controller and Windows
SBS 2011 Essentials network are healthy.
The following table lists the tools that you can use to diagnose issues on your Destination Server
and network, and in the domain:
Tool
Description
Netdiag
Helps isolate networking and connectivity
issues. For more information and to download,
see Netdiag.
Dcdiag.exe
Analyzes the state of domain controllers in a
forest or enterprise, and reports issues to assist
you in troubleshooting. For more information
and to download, see Dcdiag.
Repadmin.exe
Assists you in diagnosing replication issues
between domain controllers. This tool requires
command-line parameters to run. For more
information and to download, see Repadmin.
You should correct all the issues that these tools report before you proceed with the migration.
Reconfigure DNS for the local network adapter
On the Destination Server, change the Domain Name System (DNS) settings so that the
Destination Server uses itself as the DNS server.
To reconfigure DNS for the local network adapter
1. In the notification area, click the network icon, and then click Network and Sharing
Center.
2. Click Change adapter settings.
3. Right-click the name of the network card, and then click Properties.
28
4. Select Internet Protocol Version 4 (TCP/IPv4), and then click Properties.
5. Click Use the following DNS server addresses. For Preferred DNS server, type
127.0.0.1.
6. Click OK to save your settings.
To turn off DNS on the Source Server
1. On the Source Server, click Start, click All Programs, click Administrative Tools, and
then click DNS.
2. In the DNS management console, right-click the Source Server, click All tasks, and then
click Stop.
Next topic: Import users and the Destination Server into the Dashboard for Windows SBS 2011
Essentials migration
Previous topic: Transfer the operations master roles for Windows SBS 2011 Essentials
migration
Import users and the Destination Server into
the Dashboard for Windows SBS 2011
Essentials migration
After the replication has taken place, user names will appear in Active Directory Users and
Computers, but they will not appear in the Windows SBS 2011 Essentials Dashboard. You can
use Windows PowerShell commands to import user names and the Destination Server into the
Dashboard, or you can use a script to automate the import process.
Important
Windows SBS 2003 supports up to 75 users, while Windows SBS 2011 Essentials only
supports up to 25 users. Ensure that you move no more than 25 users to the Windows
SBS 2011 Essentials server.
To re-create security groups
1. On the Destination Server, click Start, click Administrative Tools, and then click Active
Directory Users and Computers.
2. In the navigation pane, expand <DomainName>, expand My Business, expand Users,
and then expand SBSUsers.
3. Right-click the right-hand panel, and click Create New Group. Type one of the following
group names, click Security Group, and then click Create. Repeat this step to create the
remainder of the following security groups. Set the scope for each group to Global.
RA_AllowAddInAccess
RA_AllowComputerAccess
29
RA_AllowDashboardAccess
RA_AllowHomePageLinks
RA_AllowNetworkAlertAccess
RA_AllowRemoteAccess
RA_AllowShareAccess
WSSUsers
Because the administrator account was migrated from the Source Server, by default it does not
have memberships to the Windows SBS 2011 Essentials security groups. To add group
memberships to the administrator account that you are using for migration, perform the following
procedure.
To make the administrator a member of the security groups
1. On the Destination Server, click Start, click Administrative Tools, and then click Active
Directory Users and Computers.
2. In the navigation pane, expand <DomainName>, expand My Business, expand Users,
and then expand SBSUsers.
3. Open the administrator account or accounts to which you want to assign membership.
4. Click the tab Member of and add the following groups to the account:
a. RA_AllowAddInAccess
b. RA_AllowComputerAccess
c.
RA_AllowDashboardAccess
d. RA_AllowHomePageLinks
e. RA_AllowNetworkAlertAccess
f.
RA_AllowRemoteAccess
g. RA_AllowShareAccess
To ensure that users can log on to Remote Web Access after the migration, you must add the
Authenticated Users group to the Pre-Windows 2000 Compatible Access group.
To add the Authenticated Users group to the Pre-Windows 2000 Compatible Access
group
1. On the Destination Server, click Start, point to Administrative Tools, and then click
Active Directory Users and Computers.
2. In the navigation pane, expand <DomainName>, and then click the Builtin folder.
3. In the details pane, right-click the Pre-Windows 2000 Compatible Access group, and
then click Properties.
4. On the Members tab, click Add.
5. Type Authenticated Users, and then click OK.
To manually import user names into the Dashboard
30
1. On the Destination Server, open a Command Prompt window as an administrator. For
more information, see To open a Command Prompt window as an Administrator.
2. Type cd “\Program Files\Windows Server\Bin”, and press ENTER.
3. Type WssPowerShell.exe, and then press ENTER.
4. Type Import-WssUser –Name <username>, and then press ENTER.
5. Repeat the previous step for each user name that you want to import into the Dashboard.
To use a script to import user names into the Dashboard
1. On the Destination Server, open Notepad and copy the following script into it:
"Script to Import Active Directory Users to the Windows SBS
2011 Essentials Dashboard"
#load userObjectModel Assembly.
[Reflection.Assembly]::LoadWithPartialName("UserObjectModel")
| out-null
#loading AD module.
try
{
.....import-module -name activedirectory
.....# "AD module imported"
}
catch
{
"---- There was an error loading AD Module"
.....$_.exception | fl * -for
}
$users = get-aduser -filter *
$imported = $false;
foreach ($user in $users)
{
if($user.enabled)
31
{
.....$userMgmtMgr = New-Object
Microsoft.WindowsServerSolutions.Users.UserMgmtManager
.....$userMgmtMgr.Connect()
.....
.....try
.....{
..........$userFromUserObjectModel =
$userMgmtMgr.GetUser($user.sAMAccountName);
............."__user $($user.sAMAccountName) already
imported";
..........
$imported=$true;
.....}
.....catch
.....{
.............$imported=$false;
.............if($_.Exception.InnerException -match
"UserNotExist")
.............{
.................."__User $($user.sAMAccountName) not
imported"
.............}
..........else
..........{
.................."__We hit an unexpected error"
..................$_.Exception
..........
.....}
.....if(!$imported)
.....{
..........
..........
.............$import= read-host "Do you want to import"
$user.name " to the Dashboard [y]/[n]"
.............if($import -eq "y")
32
.............{
.................."__Importing user
$($user.sAMAccountName).."
..................import-wssuser -name $user.samaccountname |
out-null
..................if((get-wssuser -name
$user.samaccountname).userstatus -eq "Enabled")
..................{
......................."__User $($user.sAMAccountName)
successfully imported"
..................}
.............}
.....}
.....
.....
}
}
2. Click File, and then click Save.
3. Browse to any folder on your Destination Server, and type a file name with a .ps1
extension (for example, C:\importusers.ps1).
4. For Save as type, choose All Files, and then click Save.
5. Open a Command Prompt window as an administrator. For more information, see To
open a Command Prompt window as an Administrator.
6. Type cd “C:\Program Files\Windows Server\Bin” and press ENTER.
7. Type WssPowerShell.exe, and then press ENTER.
8. Type Set-ExecutionPolicy RemoteSigned, and then press ENTER.
9. Type <path><filename> for the script file that you created (for example,
C:\importusers.ps1), and then press ENTER.
10. Type Set-ExecutionPolicy Restricted, and then press ENTER.
To import the Destination Server into the Dashboard
1. Open a Command Prompt window as an administrator. For more information, see To
open a Command Prompt window as an Administrator.
2. Type cd “\Program Files\Windows Server\Bin” and press ENTER.
3. Type WssPowerShell.exe, and then press ENTER.
4. Type Add-WssLocalMachineCert, and then press ENTER.
5. Reboot the Destination Server.
33
Next topic: Join computers to the new Windows SBS 2011 Essentials network
Previous topic: Transfer the global catalog to the Destination Server for Windows SBS 2011
migration
Join computers to the new Windows SBS
2011 Essentials network
The next step in the migration process is to join client computers to the new Windows SBS 2011
Essentials network and update Group Policy settings.
Domain-joined client computers
Browse to http://destination-server/connect and install the Windows Server Connector
software as if this was a new computer. The installation process requires network administrator
privileges for domain-joined client computers. Network administrator privileges are not required
for computers that are not joined to the domain.
Non-domain-joined client computers
Browse to http://destination-server/connect and install the Windows Server Connector
software as if this was a new computer. Network administrator privileges are not required.
Ensure that Group Policy has updated
Note
This is an optional step, and it is only required if the Source Server was configured with
custom Group Policy settings such as Folder Redirection.
While the Source Server and the Destination Server are still online, you should ensure that the
Group Policy settings have replicated from the Destination Server to the client computers.
Perform the following steps on each client computer:
1. Open a Command Prompt window.
2. At the command prompt, type GPRESULT /R, and then press ENTER.
3. Review the resulting output for the section “Group Policy was applied from:” and ensure it
lists the Destination Server, such as DestinationSrv.Domain.local. For example:
USER SETTINGS
-------------CN=User,OU=Users,DC=DOMAIN,DC=Local
34
Last time Group Policy was applied: 1/24/2011 at 1:26:27 PM
Group Policy was applied from:
DestinationSrv.Domain.local
Group Policy slow link threshold:
500 kbps
Domain Name:
Domain
Domain Type:
Windows 2003
4. If the Destination Server is not listed, at a command prompt, type gpupdate /force, and then
press ENTER to refresh the Group Policy settings. Then perform the previous procedure
again.
5. If the Destination Server still does not appear, there may be an error in the Group Policy
settings or an error in applying them to this specific client computer. If the Destination Server
does not appear, perform the following steps:
a. Click Start, click Run, type rsop.msc (Resultant Set of Policy), and then press ENTER.
b. Expand the tree with the “X” on it until you get to a node.
c.
Right-click the node, and click View Error for information about why the Group Policy
settings are failing on the computer listed.
Next topic: Move settings and data to the Destination Server for Windows SBS 2011 Essentials
migration
Previous topic: Import users and the Destination Server into the Dashboard for Windows SBS
2011 Essentials migration
Move settings and data to the Destination
Server for Windows SBS 2011 Essentials
migration
Move settings and data to the Destination Server as follows:
1. Copy data to the Destination Server.
2. Configure the network.
3. Verify that Terminal Services Gateway has configured the correct certificates.
4. Remove legacy logon settings and Active Directory Group Policy objects.
5. Remove legacy Active Directory Group Policy objects (optional).
6. Map permitted computers to user accounts.
Copy data to the Destination Server
Before you copy data from the Source Server to the Destination Server, perform the following
tasks:
35
Review the list of shared folders on the Source Server, including permissions for each folder.
Create or customize the folders on the Destination Server to match the folder structure that
you are migrating from the Source Server.
Review the size of each folder and ensure that the Destination Server has enough storage
space.
Make the shared folders on the Source Server Read-only for all users so no writing can take
place on the drive while you are copying files to the Destination Server.
To copy data from the Source Server to the Destination Server
1. Log on to the Destination Server as a domain administrator.
2. Click Start, type cmd in the search box, and then press ENTER.
3. At the command prompt, type the following command, and then press ENTER:
robocopy \\<SourceServerName> \<SharedSourceFolderName>
\\<DestinationServerName> \<SharedDestinationFolderName> /E /B
/COPY:DATSOU /LOG:C:\Copyresults.txt
where <SourceServerName> is the name of the Source Server,
<SharedSourceFolderName> is the name of the shared folder on the Source Server,
<DestinationServerName> is the name of the Destination Server, and
<SharedDestinationFolderName> is the shared folder on the Destination Server to which
the data will be copied.
4. Repeat the previous step for each shared folder that you are migrating from the Source
Server.
Configure the network
Note
This is a required task.
To configure the network
1. On the Destination Server, open the Dashboard.
2. Click Server Settings.
3. Click Turn on Remote Web Access.
4. Complete the wizard to configure the router and domain names.
If your router does not support the UPnP framework, or if the UPnP framework is disabled, there
may be a yellow warning icon next to the router name. Ensure that the following ports are open
and that they are directed to the IP address of the Destination Server:
Port 80: HTTP Web traffic
Port 443: HTTPS Web traffic
36
Verify that Terminal Services Gateway has
configured the correct certificates
You need to ensure that Terminal Services Gateway has configured the correct certificates after
the back up and restore of the Certification Authority.
To verify the certificates in Terminal Services Gateway
1. Open a Command Prompt window as an administrator. For more information, see To
open a Command Prompt window as an Administrator.
2. Type the following, and then press ENTER:
cd \Program Files\Windows Server\Bin
3. Type the following, and then press ENTER:
ConfigureRDP.exe
After ConfigureRDP.exe runs, the correct certificates will be configured.
Remove legacy logon settings and Active
Directory Group Policy objects
Remove old logon scripts (optional)
Windows SBS 2003 uses logon scripts for tasks such as installing software and customizing
desktops. In Windows SBS 2011 Essentials, the Windows SBS 2003 logon scripts are replaced
with a combination of logon scripts and Group Policy objects.
Note
If you modified the Windows SBS 2003 logon scripts, you should rename the scripts to
preserve your customizations.
Note
Windows SBS 2003 logon scripts apply only to user accounts that were added by using
the Add New Users Wizard.
To remove the Windows SBS 2003 logon scripts
1. Click Start, click Administrative Tools, click Active Directory Users and Computers,
and then click Users.
2. Right-click a user name, then click Profile.
3. Delete the contents of the Logon script text box, then click OK.
4. Repeat the previous two steps for each user.
37
Remove legacy Active Directory Group Policy
objects (optional)
The Group Policy objects (GPOs) are updated for Windows SBS 2011 Essentials. They are a
superset of the Windows SBS 2003 GPOs. For Windows SBS 2011 Essentials, a number of the
Windows SBS 2003 GPOs and Windows Management Instrumentation (WMI) filters have to be
manually deleted to prevent conflicts with the Windows SBS 2011 Essentials GPOs and WMI
filters.
Note
If you modified the original Windows SBS 2003 Group Policy objects, you should save
copies of them in a different location, and then delete them from Windows SBS 2003.
To remove old Group Policy objects from Windows SBS 2003
1. Log on to the Source Server with an administrator account.
2. Click Start, and then click Server Management.
3. In the navigation pane, click Advanced Management, click Group Policy Management,
and then click Forest: <YourDomainName>.
4. Click Domains, click <YourDomainName>, and then click Group Policy Objects.
5. Right-click Small Business Server Auditing Policy, click Delete, and then click OK.
6. Repeat step 5 to delete the following GPOs that apply to your network:
Small Business Server Client Computer
Small Business Server Domain Password Policy
We recommend you configure the password policy in Windows SBS 2011 Essentials
to enforce strong passwords. To configure the password policy, use the Dashboard,
which writes the configuration to the default domain policy. The password policy
configuration is not written to the Small Business Server Domain Password Policy
object, like it was in Windows SBS 2003.
Small Business Server Internet Connection Firewall
Small Business Server Lockout Policy
Small Business Server Remote Assistance Policy
Small Business Server Windows Firewall
Small Business Server Windows Vista® Policy
Small Business Server Update Services Client Computer Policy
This GPO will be present if you are migrating from Windows SBS 2003 R2.
Small Business Server Update Services Common Settings Policy
This GPO will be present if you are migrating from Windows SBS 2003 R2.
Small Business Server Update Services Server Computer Policy
This GPO will be present if you are migrating from Windows SBS 2003 R2.
7. Confirm that all of the GPOs are deleted.
38
To remove WMI filters from Windows SBS 2003
1. Log on to the Source Server with an administrator account.
2. Click Start, and then click Server Management.
3. In the navigation pane, click Advanced Management, click Group Policy Management,
and then click Forest: <YourNetworkDomainName>
4. Click Domains, click <YourNetworkDomainName>, and then click WMI Filters.
5. Right-click PostSP2, click Delete, and then click Yes.
6. Right-click PreSP2, click Delete, and then click Yes.
7. Right-click Vista, click Delete, and then click Yes.
8. Confirm that these three WMI filters are deleted.
Map permitted computers to user accounts
In Windows SBS 2003, if a user connects to Remote Web Access, all the computers in the
network are displayed. This may include computers that the user does not have access rights to.
In Windows SBS 2011 Essentials, a user must be explicitly assigned to a computer for it to be
displayed in Remote Web Access. Each user account that is migrated from Windows SBS 2003
must be mapped to one or more computers.
To map user accounts to computers
1. Open the Windows SBS 2011 Essentials Dashboard.
2. In the navigation bar, click Users.
3. In the list of user accounts, right-click a user account, and then click View the Account
Properties.
4. Click the Remote Web Access tab, click Allow Remote Web Access, and show
selected links in Remote Web Access.
5. Click Shared Folders, click Computers, click Home page, and then click Apply.
6. Click the Computer Access tab, and click the name of the computer to which you want
to allow access.
7. Repeat steps 3, 4, 5, and 6 for each user account.
After you have mapped user accounts to client computers, you can set a default computer to be
used for remote access. In the Dashboard, click the Remote Access tab. In User Account
Properties, set a default client computer for each user who needs to access the network remotely.
Note
You do not need to change the configuration of the client computer. It is configured
automatically.
Note
39
After you complete the migration, if you encounter an issue when you create the first new
user account on the Destination Server, remove the user account that you added, and
then create it again.
Next topic: Demote and remove the Source Server from the new Windows SBS 2011 Essentials
network
Previous topic: Join computers to the new Windows SBS 2011 Essentials network
Demote and remove the Source Server from
the new Windows SBS 2011 Essentials
network
After you finish installing Windows SBS 2011 Essentials and you complete the tasks in the
Migration Wizard, you must perform the following tasks:
1. Prepare your organization for the removal of the last server running Exchange Server 2003.
2. Uninstall Exchange Server 2003.
3. Disconnect printers that are directly connected to the Source Server.
4. Demote the Source Server.
5. Move the DHCP Server role from the Source Server to the router.
6. Remove and repurpose the Source Server.
Prepare your organization for the removal of the last server
running Exchange Server 2003
Note
Complete the following tasks prior to uninstalling Exchange Server 2003. For detailed
instructions about how to complete these steps, see How to Remove the Last Legacy
Exchange Server from an Organization.
1. Move all mailboxes.
2. Move all contents from the public folders.
3. Move the Offline Address Book Generation Process.
4. Remove the public folder mailbox and stores.
5. Verify that you can send and receive email to and from the Internet.
6. Delete the routing group connectors.
7. Delete or reconfigure the Mailbox Manager policies.
8. Move the public folder hierarchy.
9. Delete the domain Recipient Update Services.
10. Delete the Enterprise Recipient Update Service.
40
Uninstall Exchange Server 2003
Important
If you add user accounts after you move mailboxes to the Destination Server and before
you uninstall Exchange Server 2003 from the Source Server, the mailboxes are added on
the Source Server. This is by design. You must move the mailboxes to the Destination
Server for all user accounts that are added during this time. Repeat the instructions in
Move Exchange Server mailboxes and settings for Windows SBS 2011 Essentials
migration before you uninstall Exchange Server 2003.
You must uninstall Exchange Server 2003 from the Source Server before you demote it. This
removes all references in AD DS to Exchange Server on the Source Server. You must have your
Exchange Server 2003 media to remove Exchange Server 2003.
Important
To remove Exchange Server 2003 from the Source Server, follow the instructions in How
to remove Exchange Server 2003 from your computer.
Disconnect printers that are directly connected to the Source
Server
Before you demote the Source Server, physically disconnect any printers that are directly
connected to the Source Server and are shared through the Source Server. Ensure that no Active
Directory objects remain for the printers that were directly connected to the Source Server. The
printers can then be directly connected to the Destination Server and shared from Windows SBS
2011 Essentials.
Demote the Source Server
Before you demote the Source Server from the role of the AD DS domain controller to the role of
a domain member server, ensure that Group Policy settings are applied to all client computers, as
described in the following procedure.
Important
The Source Server and the Destination Server must be connected to the network while
the Group Policy changes are updated on the client computers.
To force a Group Policy update on a client computer
1. Log on to the client computer as an administrator.
2. Open a Command Prompt window as an administrator. For more information, see To
open a Command Prompt window as an Administrator.
3. At the command prompt, type gpupdate /force, and then press ENTER.
4. The process may require you to log off and log on again to finish. Click Yes to confirm.
41
To demote the Source Server
1. On the Source Server, click Start, click Run, type dcpromo, and then click OK.
2. Click Next twice.
Note
Do not select This server is the last domain controller in the domain.
3. Type a password for the new Administrator account on the server, and then click Next.
4. In the Summary dialog box, you are informed that AD DS will be removed from the
computer and that the server will become a member of the domain. Click Next.
5. Click Finish. The Source Server restarts.
6. After the Source Server restarts, add the Source Server as a member of a workgroup
before you disconnect it from the network.
After you add the Source Server as a member of a workgroup and disconnect it from the network,
you must remove it from AD DS on the Destination Server.
To remove the Source Server from Active Directory
1. On the Destination Server, click Start, click Administrative Tools, and then click Active
Directory Users and Computers.
2. In the User Account Control window, click Continue if prompted.
3. In the Active Directory Users and Computers navigation pane, expand the domain
name, and then expand Computers.
4. Right-click the Source Server name if it still exists in the list of servers, click Delete, and
then click Yes.
5. Verify that the Source Server is not listed, and then close Active Directory Users and
Computers.
Move the DHCP Server role from the Source Server to the router
Note
If you already performed this task before you started the migration process, continue with
the section Remove and repurpose the Source Server.
If your Source Server is running the DHCP role, perform the following steps to move the DHCP
role to the router.
To move the DHCP role from the Source Server to the router
1. Turn off the DHCP service on the Source Server, as follows:
a. On the Source Server, Click Start, click Administrative Tools, and then click
Services.
b. In the list of currently running services, right-click the Windows Server, and then
42
click Properties.
c.
For Start type, select Disabled.
d. Stop the service.
2. Turn on the DHCP Role on your router
a. Follow the instructions in your router documentation to turn on the DHCP role on the
router.
b. To ensure that IP addresses issued by the Source Server remain the same, follow
the instructions in your router documentation to configure the DHCP range on the
router to be the same as the DHCP range on the Source Server.
Important
If you have not set up a static IP or DHCP reservations on the router for the
Destination Server, and the DHCP range is not the same as the Source Server, it
is possible that the router will issue a new IP address for Destination Server. If
this happens, reset the port forwarding rules of the router to forward to the new
IP address of the Destination Server.
Remove and repurpose the Source Server
Turn off the Source Server and disconnect it from the network. We recommend that you do not
reformat the Source Server for at least one week to ensure that all the necessary data migrated
to the Destination Server. After you have verified that all the data has migrated, you can reinstall
this server on the network as a secondary server for other tasks, if required.
Note
After you demote and remove the Source Server, restart the Destination Server.
After you demote the Source Server, it is not in a healthy state. If you want to repurpose the
Source Server, the simplest way is to reformat it, install a server operating system, and then set it
up for use as an additional server.
Next topic: Delete the old folder redirection Group Policy object for Windows SBS 2011
Essentials migration
Previous topic: Move settings and data to the Destination Server for Windows SBS 2011
Essentials migration
43
Delete the old folder redirection Group Policy
object for Windows SBS 2011 Essentials
migration
Note
Perform this task only if folder redirection was enabled on the Source Server.
After you demote and disconnect the Source Server, you can delete the old Folder Redirection
Group Policy object from the Destination Server.
To delete the Folder Redirection Group Policy object
1. On the Destination Server, click Start, click Administrative Tools, and then click Group
Policy Management.
2. In the User Account Control dialog box, click Continue
3. In the Group Policy Management navigation pane, expand
Forest:<YourNetworkDomainName>, expand Domains, expand
<YourNetworkDomainName>, and then expand Group Policy Objects.
4. Right-click Small Business Server Folder Redirection, and then click Delete.
5. Click Yes in the warning dialog box.
6. Close the Group Policy Management console.
Next topic: Perform optional post-migration tasks for Windows SBS 2011 Essentials migration
Previous topic: Demote and remove the Source Server from the new Windows SBS 2011
Essentials network
Perform optional post-migration tasks for
Windows SBS 2011 Essentials migration
The following tasks help you finish setting up your Destination Server with some of the same
settings that were on the Source Server. You may have disabled some of these settings on your
Source Server during the migration process, so they were not migrated to the Destination Server.
Or they are optional configuration steps that you may want to perform.
1. Move natively joined Active Directory computer objects
2. Delete DNS entries of the Source Server
44
3. Share line-of-business and other application data folders
4. Fix client computer issues after migrating
Move natively joined Active Directory computer objects
Note
This is an optional task.
The Windows SBS 2011 Essentials Dashboard displays AD DS computer objects that are in the
Windows SBS 2011 Essentials default organizational unit (OU),
OU=<YourNetworkDomainName>\MyBusiness\Computers\SBSComputers. If you want to
manage computer objects that were natively joined to the domain, you must move the computer
objects into the default OU.
To move computer objects to the default OU
1. On the Destination Server, click Start, click Administrative Tools, and then click Active
Directory Users and Computers.
2. In the Users Account Control dialog box, click Continue.
3. In the navigation pane, expand <YourNetworkDomainName>, and then expand the
Computers container or the container where the computer objects are located.
4. Expand the MyBusiness container, expand the Computers container, and then expand
the SBSComputers container.
5. Drag-and-drop the computer objects from their current location to the SBSComputers
container, and then click Yes in the warning dialog box.
6. When you finish moving the computer objects, close Active Directory Users and
Computers.
Delete DNS entries of the Source Server
After you decommission the Source Server, the Domain Name Service (DNS) server may still
contain entries that point to the Source Server. Delete these DNS entries.
To delete DNS entries that point to the Source Server
1. On the Destination Server, click Start, click Administrative Tools, and then click DNS.
2. In the User Account Control dialog box, click Continue.
3. In the DNS Manager console, expand the server name, and then expand Forward
Lookup Zones.
4. Right-click the first zone, click Properties, and then click the Name Servers tab.
5. Click an entry in the Name servers text box that points to the Source Server, click
Remove, and then click OK.
6. Repeat the previous step until all pointers to the Source Server are removed.
7. Click OK to close the Properties window.
45
8. In the DNS Manager console, expand Reverse Lookup Zones.
9. Repeat steps 4 through 7 to remove all Reverse Lookup Zones that point to the Source
Server.
Share line-of-business and other application data folders
You must set the shared folder permissions and the NTFS permissions for the line-of-business
and other application data folders that you copied to the Destination Server. After you set the
permissions, the shared folders are displayed in the Windows SBS 2011 Essentials Dashboard
on the Shared Folders tab.
If you are using a logon script to map drives to the shared folders, you must update the script to
map to the drives on the Destination Server.
Fix client computer issues after migrating
If you migrate to Windows SBS 2011 Essentials from Windows Small Business Server 2003
Premium Edition with Microsoft Internet Security and Acceleration (ISA) Server installed, client
computers on the network still have the Microsoft Firewall Client and Internet Explorer®
configured to use a proxy server.
This causes connectivity issues on the client computers, because the proxy server no longer
exists. If there is a different proxy server configured, the client computers continue to use the
server running Windows SBS 2003 for the proxy server. To fix this issue, you must remove
Microsoft Firewall Client on the client computers, and then reconfigure Internet Explorer to not
use a proxy server or to use the new proxy server.
To remove Microsoft Firewall Client in Windows XP Professional
1. On the client computer, click Start, click Control Panel, and then click Add or Remove
Programs.
2. Click Microsoft Firewall Client, click Remove, and then click Yes.
3. Close all windows.
To remove Microsoft Firewall Client in Windows Vista
1. On the client computer, click Start, click Control Panel, and then click Uninstall a
program.
2. Click Microsoft Firewall Client, click Remove, and then click Yes.
3. Close all windows.
To reconfigure Internet Explorer
1. In Internet Explorer, click Tools, and then click Internet Options.
2. Click the Connections tab, click LAN Settings, and then do one of the following:
a. If you are not using a proxy server on your network, clear all check boxes in the
46
Local Area Network (LAN) Settings dialog box.
b. If you want to use a new proxy server on your network:
In the Local Area Network (LAN) Settings dialog box, clear the check boxes in
the Automatic configuration section.
In the Proxy server section, verify that both check boxes are selected.
In the Address text box, type the fully qualified domain name (FQDN) of the
proxy server.
In the Port text box, type 80.
3. Click OK twice.
4. Browse to a website to ensure that the connection settings are correct.
Next topic: Run the Windows Server Solutions Best Practices Analyzer
Previous topic: Delete the old folder redirection Group Policy object for Windows SBS 2011
Essentials migration
Run the Windows Server Solutions Best
Practices Analyzer
When you finish migrating your settings and data to Windows SBS 2011 Essentials, you should
run the Windows Server® Solutions BPA. The BPA examines a server that is running Windows
SBS 2011 Essentials and presents a report that describes issues and provides recommendations
for resolving them. The recommendations are developed by the product support organization for
Windows SBS 2011 Essentials.
For more information about Windows Server Solutions BPA, see the Windows Server Solutions
Best Practices Analyzer.
Previous topic: Perform optional post-migration tasks for Windows SBS 2011 Essentials
migration
47
