Environments with Limited Hardware Resources
This document assumes that most installations will have sufficient resources to bring up additional servers (physical or virtual) to complete the migration of SBS. It is highly recommended and very advantageous to perform the migration to three additional servers (physical or virtual). Another option is to decommission the SBS server role you do not plan to migrate in order to reallocate its hardware.
Install the server for the new Domain Controller
Install a new server using the Windows Server 2008 R2 Standard Edition media. Assign a static IP address to the server. When prompted, join the existing domain. Before you can promote the new machine to a domain controller, you have to upgrade the AD schema using these steps:
- Go to the SBS Server.
- Insert the Windows Server 2008 R2 Standard Edition media. Click Start, locate the Command Prompt and run it as Administrator.
- Navigate to <Installation media drive>\sources\adprep.
- Type adprep /forestprep and wait for the command to complete. This can take a long time, depending on the structure of your AD.
- Type adprep /domainprep and wait for the command to complete. This can take a long time, depending on the structure of your AD.
- Type Exit to close the Command Prompt window.
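A read-only way to confirm that both adprep commands took effect on every existing domain controller before you promote the new one. This is an added example, not part of the original procedure; the expected values (schema objectVersion 47 and domain update revision 5) are the ones Microsoft documents for Windows Server 2008 R2 and do not come from this page.

```powershell
# Added example: read-only check that adprep's changes are present on every DC
# before running dcpromo. Uses ADSI only, so it also runs on PowerShell 2.0.
$requiredSchema   = 47   # schema objectVersion written by the 2008 R2 /forestprep
$requiredRevision = 5    # revision written by the 2008 R2 /domainprep

$rootDse  = [ADSI]'LDAP://RootDSE'
$schemaNc = [string]$rootDse.schemaNamingContext
$domainNc = [string]$rootDse.defaultNamingContext
$updateDn = "CN=ActiveDirectoryUpdate,CN=DomainUpdates,CN=System,$domainNc"

$domain  = [System.DirectoryServices.ActiveDirectory.Domain]::GetCurrentDomain()
$results = foreach ($dc in $domain.DomainControllers) {
    # Bind to each DC by name so a replica that has not yet received
    # the update is reported instead of being hidden by a healthy one.
    $schema = [ADSI]"LDAP://$($dc.Name)/$schemaNc"
    $update = [ADSI]"LDAP://$($dc.Name)/$updateDn"
    # A missing object or attribute yields an empty string, which casts to 0.
    $schemaVersion = [int]"$($schema.objectVersion)"
    $revision      = [int]"$($update.revision)"
    New-Object PSObject -Property @{
        DomainController = $dc.Name
        SchemaVersion    = $schemaVersion
        DomainRevision   = $revision
        Ready            = ($schemaVersion -ge $requiredSchema) -and
                           ($revision -ge $requiredRevision)
    }
}

$results | Format-Table DomainController, SchemaVersion, DomainRevision, Ready -AutoSize
if ($results | Where-Object { -not $_.Ready }) {
    Write-Warning 'adprep changes are missing on at least one DC; do not promote yet.'
}
```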
Now you can return to the new domain controller machine and promote it to a Domain Controller using the following steps:
- Open Server Manager. Click Start, point to Administrative Tools, and then click Server Manager.
- In Roles Summary, click Add Roles.
- If necessary, review the information on the Before You Begin page and then click Next.
- On the Select Server Roles page, click the Active Directory Domain Services check box and then click Next.
- If necessary, review the information on the Active Directory Domain Services page and then click Next.
- On the Confirm Installation Selections page click Install.
- On the Installation Results page click Close this wizard and launch the Active Directory Domain Services Installation Wizard (dcpromo.exe).
- On the Welcome to the Active Directory Domain Services Installation Wizard page click Next.
- On the Operating System Compatibility page review the warning about the default security settings for Windows Server 2008 and Windows Server 2008 R2 domain controllers and then click Next.
- On the Choose a Deployment Configuration page click Existing forest, click Add a domain controller to an existing domain and then click Next.
- On the Network Credentials page type the name of the SBS domain. Under Specify the account credentials to use to perform the installation click My current logged on credentials or click Alternate credentials and then click Set. In the Windows Security dialog box provide the user name and password for an account that can install the additional domain controller. To install an additional domain controller, you must be a member of the Enterprise Admins group or a member of the Domain Admins group. When you have finished providing credentials, click Next.
- On the Select a Domain page, select the domain of the new domain controller and then click Next.
- On the Select a Site page, select a site from the list or select the option to install the domain controller in the site that corresponds to its IP address. Then click Next.
- On the Additional Domain Controller Options page make the following selections, and then click Next:
- DNS server: This option is selected by default so that your domain controller can function as a Domain Name System (DNS) server.
- Global Catalog: This option is selected by default. It adds the global catalog, read-only directory partitions to the domain controller and it enables global catalog search functionality.
- Read-only domain controller: This option is not selected by default. It makes the additional domain controller a read-only domain controller (RODC). Leave this setting unchecked.
If you do not have static IPv4 and IPv6 addresses assigned to your network adapters, a warning message might appear advising you to set static addresses for both of these protocols before you can continue. If you have assigned a static IPv4 address to your network adapter and your organization does not use IPv6, you can ignore this message and click Yes, the computer will use a dynamically assigned IP address (not recommended).
- On the Location for Database, Log Files, and SYSVOL page click Next.
- On the Directory Services Restore Mode Administrator Password page type and confirm the restore mode password and then click Next. This password must be used to start AD DS in Directory Service Restore Mode (DSRM) for tasks that must be performed offline.
- On the Summary page review your selections. Click Back to change any selections, if necessary. To save the settings that you have selected to an answer file that you can use to automate subsequent AD DS operations, click Export settings. Type the name for your answer file and then click Save. When you are sure that your selections are accurate, click Next to install AD DS.
- On the Completing the Active Directory Domain Services Installation Wizard page click Finish.
- You can either select the Reboot on completion check box to have the server restart automatically or you can restart the server to complete the AD DS installation when you are prompted to do so.
Reconfigure Document Redirection, User home folders and Share location
Document Redirection is configured by default for new users added through the SBS Administration Console. The default share is \\<SBS_SERVER>\RedirectedFolders, which points to the <DRIVE>:\Users\FolderRedirections folder (where <SBS_SERVER> is the name of the SBS Server and <DRIVE> is the drive letter that the folder is located on). The settings for this policy are stored in the Small Business Server Folder Redirection Group Policy. By default, the “Redirect the folder back to the local user profile location when the policy is removed” setting is set. With this setting in place, after the Group Policy is removed, clients will copy the contents of their Documents folder from the server back to their local workstation.
To stop Folder Redirection and copy data back to user workstations, follow these steps:
- Click Start, point to Programs, point to Administrative Tools, and then click Group Policy Management.
- In the Group Policy Management console tree, expand the domain tree, right-click on Small Business Server Folder Redirection Policy, and then click Edit….
- In the Group Policy Management Editor, right-click the Small Business Server Folder Redirection Policy [domain name] Policy object and choose Properties.
- In the GPO Properties dialog box, click the Security tab and then click on the Authenticated Users group. Change the Apply group policy permission from the default of Allow to Deny. Click OK to close the dialog.
Folder Redirection will be stopped the next time that a user processes this GPO. By default the object is cached on the user’s computer and will not be updated unless another change is detected. To force an update, you must follow these additional steps:
- Create or modify a GPO that applies to the computers on which users, who are affected by folder redirection policies, log on.
- Edit the GPO.
- Under Computer Configuration expand Policies and then Administrative Templates.
- Under Administrative Templates expand System.
- Under System select Group Policy.
- Double-click the Folder Redirection policy processing setting.
- Select the option Enabled and then click to select the second check box Process even if the Group Policy objects have not changed.
- Exit the Group Policy Object Editor. Make sure that this new GPO applies to computer accounts for which users are using folder redirection.
For more information, see http://support.microsoft.com/default.aspx?scid=kb;EN-US;888203.
After you are sure that all users have logged off and on again (it is recommended that you wait a day or two), you can reestablish redirection to the new machine. The settings for this policy are stored in the Small Business Server Folder Redirection Group Policy. By default, the “Redirect the folder back to the local user profile location when the policy is removed” setting is set. With this setting in place, after the Group Policy is removed, clients will copy the contents of their Documents folder from the server back to their local workstation.
To re-enable the Folder Redirection policy, follow these steps:
- Create the FolderRedirections share.
- Click Start, point to Programs, point to Administrative Tools, and then click Group Policy Management.
- In the Group Policy Management console tree expand the domain tree, right-click on Small Business Server Folder Redirection Group Policy and then click Edit….
- On the left pane expand Small Business Server Folder Redirection Group Policy, Computer configuration, then Windows Settings and select Folder Redirection.
- In the right pane right-click Documents (or another folder you wish to redirect) and select Properties.
- On the Target tab, under Root Path, use the Browse button to select the new SMB share for folder redirection (do not enter a local path).
- Click OK to close the properties dialog box.
- Repeat steps from 5 to 7 for every redirected folder (it is highly recommended to check all listed folders to prevent future issues).
- In the Group Policy Management Editor right-click the Small Business Server Folder Redirection Group Policy [domain name] Policy object and choose Properties.
- In the GPO Properties dialog box click the Security tab and then click on the Authenticated Users group. Change the Apply group policy permission from Deny to Allow. Click OK to close the dialog box.
Folder Redirection will be started the next time that the user processes this GPO. By default, the object is cached on the user’s computer and will not be updated unless another change is detected. To force an update, you must follow these additional steps:
- Create or modify a GPO that applies to the computers on which users who are affected by folder redirection policies log on.
- Edit the GPO.
- Under Computer Configuration expand Administrative Templates.
- Under Administrative Templates expand System.
- Under System select Group Policy.
- Double-click the Folder Redirection policy processing setting.
- Select the Enabled option and then click to select the second check box Process even if the Group Policy objects have not changed.
- Exit the Group Policy Object Editor. Make sure that this new GPO applies to computer accounts for which users are using folder redirection.
Users' home folders are configured by default for new users added through the SBS Administration Console. The default share is \\<SBS_SERVER>\UserShares, which points to the <DRIVE>:\Shares folder (where <SBS_SERVER> is the name of the SBS Server and <DRIVE> is the drive letter that the folder is located on). You must copy the entire contents of all users' folders to the new server with the same permissions and change the locations of the users' home folders in Active Directory Users and Computers by following these steps:
- On the new server create a root folder for the users' home folder shares.
- Right-click the folder and go to Properties.
- On the Sharing tab click Advanced Sharing and check Share this folder.
- In Settings, Share name, type the name of the share and click Permissions.
- Give the Allow Full Control permission to the Everyone group.
- Use the Robocopy command on the SBS server to transfer all content and permissions of the folders:
robocopy.exe <DRIVE>:\Users\Shares \\<NEW_SERVER>\<NEW_DRIVE>$\Users\Shares /Z /R:5 /COPYALL /MIR /FP /LOG+:<DRIVE>:\UserShares.log /TEE /XF UserShares.log
(where DRIVE is the drive letter where the shares are located, NEW_SERVER is the name of the new server and NEW_DRIVE is the destination drive letter on the new server).
Example: robocopy.exe C:\Users\Shares \\My_NewServer\D$\Users\Shares /Z /R:5 /COPYALL /MIR /FP /LOG+:C:\UserShares.log /TEE /XF UserShares.log
- Open Active Directory Users and Computers and go to the MyBusiness\SBSUsers Organizational Unit.
- Select all active users and click Properties.
- On the Profile tab check Home Folder and select Connect.
- Select the drive letter to connect the home folder to. In the To field, type: \\<NEW_SERVER>\<SHARE_NAME>\%username% (where <NEW_SERVER> is the name of the new server and <SHARE_NAME> is the name of the share for the users' home folders).
- Close all windows with OK.
- Repeat all steps between step 8 and 10 for the Organizational Unit MyBusiness\SBSPowerUsers.
- Optional: on the users' home folders on the SBS Server, it is recommended to change the sharing permissions for the Everyone group to Deny Full Control (this is only to prevent the old and new home folders from being used in parallel).
Shared folders on the SBS server should be configured through the SBS Console and are all visible there. You can migrate shared folders in two different ways, but you must take care to move all of them and to make sure that users cannot write to both shared folders (the old and the new one) while the migration is going on.
First you must locate all of the shared folders:
- Go to the SBS Administration Console.
- Click Shared Folders and Web Sites and go to Shared Folders.
- Note down the locations and share names of all the shared folders.
Now you have to move all data to the new server, but you must preserve all security and share permissions:
- On the new server create a new folder for the share.
- Right-click it and select Properties.
- Click the Security tab and give the folder exactly the same permissions as those on the source folder.
- Click the Sharing tab, then Advanced Sharing, and type the name of the share (it is recommended that it is the same as the old one).
- Click Permissions and give the share exactly the same permissions as those on the source share.
- It is recommended that at this point you open the properties of the share on the SBS server and change all share permissions from Allow to Deny (this prevents users from modifying content in the old share during and after the migration).
- On the SBS Server, copy the data to the new server by running:
robocopy.exe <DRIVE>:\<OLD_FOLDER> \\<NEW_SERVER>\<NEW_DRIVE>$\<NEW_FOLDER> /Z /R:5 /COPYALL /MIR /FP /TEE /LOG+:<DRIVE>:\ShareLog.log /XF ShareLog.log
(where DRIVE is the drive letter where the share is located, OLD_FOLDER is the folder of the share on the SBS Server, NEW_SERVER is the name of the new server, NEW_DRIVE is the destination drive letter on the new server and NEW_FOLDER is the folder of the share on the new server).
- Repeat all steps for every shared folder.
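Both robocopy procedures above (home folders and shared folders) rely on /COPYALL to carry owners and NTFS permissions across, and with the Everyone share permission set to Full Control those NTFS permissions are the only access control on the new home-folder share. The following added example, which is not part of the original article, compares owner and DACL for every file and folder after the copy; the two paths are placeholders taken from the article's example command, and the script should be run from an elevated Windows PowerShell session by an account that can read both trees.

```powershell
# Added example: compare owner and DACL of every item after the robocopy run.
# Both paths are placeholders taken from the article's example command.
$Source = 'C:\Users\Shares'
$Dest   = '\\My_NewServer\D$\Users\Shares'

function Get-AclMap([string]$Root) {
    # Map each path (relative to $Root) to its owner and DACL in SDDL form.
    # SDDL uses SIDs, so the strings are comparable across servers in a domain.
    $rootItem     = Get-Item -LiteralPath $Root -Force
    $prefixLength = $rootItem.FullName.TrimEnd('\').Length
    $map   = @{}
    $items = @($rootItem) + @(Get-ChildItem -LiteralPath $Root -Recurse -Force)
    foreach ($item in $items) {
        $relative = $item.FullName.Substring($prefixLength)
        if (-not $relative) { $relative = '\' }          # the root folder itself
        $sd = $item.GetAccessControl('Access, Owner')    # .NET call, works on PowerShell 2.0
        $map[$relative] = $sd.GetSecurityDescriptorSddlForm('Owner, Access')
    }
    return $map
}

$src = Get-AclMap $Source
$dst = Get-AclMap $Dest
$report = @()
foreach ($path in $src.Keys) {
    if (-not $dst.ContainsKey($path))      { $issue = 'missing on destination' }
    elseif ($dst[$path] -cne $src[$path])  { $issue = 'owner or DACL differs' }
    else                                   { continue }
    $report += New-Object PSObject -Property @{ Path = $path; Issue = $issue }
}
foreach ($path in $dst.Keys) {
    # /MIR should have removed these; anything listed was created after the copy.
    if (-not $src.ContainsKey($path)) {
        $report += New-Object PSObject -Property @{ Path = $path; Issue = 'only on destination' }
    }
}

$report | Sort-Object Path | Format-Table Path, Issue -AutoSize
'{0} items checked, {1} problems' -f $src.Count, $report.Count
```

Run it while the old share is still set to Deny, so that the source cannot change between the copy and the comparison.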
Hi, will these steps work for SBS2008 migration to Windows 2012 Standard as well?
Yep. They will work.
Hi, thanks for your post, it’s very well explained, but I was wondering if instead of updating the GPO I could use Gpupdate /force to make all the PCs update to the new GPO? And well, I have a little problem because my users have about 10 to 20 GB between their desktop and documents folders, so it could be a headache to turn off the redirection, wait until the PCs move the info to their local desktop and documents, and finally re-enable the GPO to make them synchronize with the new server. We are talking about 150 to 200 GB of information being synced, which will surely cause my users trouble because of the time it takes to do this operation, so is there anything I can do in order to overcome this situation?
I always prefer to do things the right way. In your case (I know that it will take time) I would do it this way, but you can try to move the content with robocopy. Be careful with transferring permissions!
By changing the GPO permission to Deny we may lose the GPO, and the next time we want to enable redirected folders the GPO will be gone, but this is due to the Deny permission. To recover it I followed the next tutorial and got it back:
https://msdirectoryservices.wordpress.com/2012/01/06/recover-gpo-rights/
Uh Friend at the re-enabling folder redirections point, when doing step 4 you say:
On the left pane expand Small Business Server Folder Redirection Group Policy, Computer configuration, then Windows Settings and select Folder Redirection.
But it is User configuration instead of computer so I think it should be like:
On the left pane expand Small Business Server Folder Redirection Group Policy, User configuration, Policies, then Windows Settings and select Folder Redirection.