Swing It Doc1 Swing Migration 2008 Rev1.06

Swing It!!
Kits
Reference Documentation

Swing It!!

Swing Migration: Reference Part 1
How to Perform a Swing Migration
2003 to SBS 2008 Domains

Author: Jeff Middleton

You may purchase this document in a Swing It!! Kit from SBSmigration.com

The Swing It!! Kits Reference Documentation is not free, therefore under no
circumstance are you authorized to redistribute or forward to another party your own
copy or a duplicated copy of this document, or the associated documents within the kit,
or any programming tools which may also be included in the Kit. Please review the
related guidelines on the pages that follow.

1.06 - 4.20.2009
Copyright 2004-2009 by Jeff Middleton, SBSmigration.com
All rights reserved

How to Perform a Swing Migration from 2003 to SBS 2008

Page 2
Copyright 2004-2009 by SBSmigration.com
Swing It!! Technician Kit Documentation

For more information on the Swing It!! Reference Kit, Swing It!! Technician Kit, plus a full
range of Swing It!! related products and services, please visit to SBSmigration.com, or send an
email requesting information as indicated below.

Swing It!! Kit information is available online or by request.
To Contact us:

YCST@SBSmigration.com
Include the subject line: You Can Swing That! Info Request

Acknowledgments

SBSmigration.com is grateful for the cooperation and opportunity to participate in discussions and access
with the product teams for Microsoft Small Business Server development, support and community. The
inspiration and technical suggestions offered from individual MVPs among the SBS-MVP and the SMB
Family are too numerous to cite individually, but worth each and every moment to improve the accuracy
and quality of the results. Our customers represent the best of the best IT Professionals worldwide with
the enthusiasm, patience and persistence to make the best of what we offer the best of what they deliver,
and to keep the target for quality and accuracy constantly improving through feedback and validation.

About the Author

Jeff Middleton is well recognized worldwide in Microsoft Small Business Server (SBS) community, known
as a speaker, author, advisor, and technical community leader. Microsoft has awarded him each year
since 1999 with the prestigious Small Business Server Most Valuable Professional recognition.

Based upon 20 years of experience as a consultant and system integrator in small business and vertical
market applications, hes operated his own business located in New Orleans since 1990. Jeffs name is
now synonymous with Swing Migration, the worldwide SMB consultants choice of methodology for SBS
Server replacement. He founded SBSmigration.com in 2004 providing a technical mentor and training
product as a project consultant to consultants. His work is both published and cited in books and trade
journals.

As an expert in disaster recovery, domain migration, and a full-range of topics on the SBS and Windows
platforms, Jeff travels constantly as a popular speaker. He has presented at conferences internationally
including the Microsoft Partner Program, Tech Ed, SMBTN, ITA and SMB Nation, as well as lending his
support in person as a guest speaker to over 50 local IT Pro groups of all sizes in North America,
Australia and Europe. Starting in 2007, he launched the SBSmigration.com IT Pro Conference held
annually during May in New Orleans offering a unique discussion forum for experts in SMB business and
technology.


Page 3

Swing It!! Kit Documentation Allowed Use Guidelines

This document is not free, and is part of a Swing It!! Kit purchase.

Swing It!! Kits are a continuing partnership benefit to us, to our customers, and extended to their customers.
Swing It!! Kits build technical skill, improve business practices, and that builds perpetual value for the all of
us. SBSmigration.com has every intention to honor our agreements with you when you purchase a Swing It!!
Kit, and we are optimistic that you will protect your investment from your loss, or ours.

As the owner of a Swing It!! Kit, you received this reference, and may also have received tools with it, all
under a license agreement which includes both copyright as well as authorized use restrictions which are
enforceable.

You are permitted to use the documentation and tools provided with a Swing It!! Kit exclusively for
the purpose of performing work related to what it describes, or preparing yourself in a manner of
training or education on that purpose.

We consider it fair that someone you know personally might be given the opportunity to casually
review your materials or tools in the context of deciding if they would value having a Swing It!! Kit of
their own. We also consider it fair to present the appropriate portion of your documentation to a
customer or prospect for whom related work is involved, where adequate disclosure of the method
involved is requested. However, please treat the shared access to our documentation and tools as a
training material for which the right to use it in that manner is yours, and yours alone. We would
consider a reasonable review as not effectively consuming the value gained in owning it without
properly obtaining another technician license.

You may not use this reference to teach others in an educational, instructional, or presentation
manner. You should contact SBSmigration.com for information on how to obtain materials properly
licensed for that purpose.


Page 4

Distribution and Duplication Guidelines

This document is not free, and is part of a Swing It!! Kit purchase.

You can obtain a Swing It!! Kit with complete documentation, tools and associated services by
contacting us at SBSmigration.com.

This document is only available as part of a Swing It!! Kit purchase. The owner of a Swing It!! Kit
receives this reference, and may also receive tools with it, via license agreement conditions which
define copyright as well as restrictions of use which are enforceable.

If you received this document from any other source than SBSmigration.com, please contact us to
obtain a fully licensed Swing It!! Kit of your own, the complete related documentation, services and total
value intended. Swing It!! Kits are licensed per technician, therefore our services and support are
extended only to the original purchaser.

SBSmigration.com understands your need to protect your investment in the tools and
documentation provided in your Swing It!! Kit. We consider it fair and reasonable use for you to
make as many backup copies of any of these items as is necessary to protect yourself from
loss or damage. We also understand that you may wish to maintain multiple copies for the
purpose of keeping references and tools in more than one location you can work from in the
course of a project, or on more than one device, or for continuing use. We expect at all times
that you would have the thought in mind that each copy you make is either for a backup to
protect against loss, or a copy you have made to facilitate your active work process, but for no
other reasons. Leaving copies for others to use is not a permitted use.

You may not place any hard copy or electronic copy of any portion of a Swing It!! Kit
documentation or tool (or tool code) in a location that provides anonymous access.

You may not store or locate the Swing It!! Kit tools or documents in a manner which
encourages, or permits violation of the license agreement or copyright such as with file
swapping technologies.

Under no circumstances are you permitted to abstract portions of this document and share
them with anyone else, without obtaining specific and written authorization from
SBSmigration.com for that purpose, and on that occasion, such as for a periodical review. This
means that posting sections of documentation to the Internet or public network, or a chat room,
or a private network are all examples in violation of our license and copyrights because they do
not represent a backup or reasonable use.


Page 5


Page 6

Contents Swing Migration: How to Perform a Swing Migration
Part 1 Doc 1
Overview: How to Perform a Swing Migration
Understanding the Swing Workflow and References
o Distinguishing between the Server Name References Used
o Summary Timeline Considerations
o Pre-Upgrade Disaster Recovery Precautions
Phase 0: Migration Notes & Server / Domain Audit
Review of Your Domain and Existing DC Confirmation
Phase 1: Existing DC and Domain Preparation
Prepare the existing Domain and Production DC Server Configuration
Prepare Your Migration Notes and Automated Migration Tools
Phase 2: Transfer AD from the OriginalDC to TempDC
Step A. Install a clean baseline of Server 2003 only (SBS 2003 Media)
Step B. DCpromo to establish the server as a new DC in the existing Domain
Step C. Root Domain Management Transfer/Seizure
Step D. Perform Required Active Directory Cleanup of Exchange
Step E. Remove Domain Controller entries: AD, DNS, WINS, DHCP
Step F. TempDC Pre-Setup Housekeeping Preparations
Step G. TempDC Exchange Installation
Phase 3: (This resumes in Part 2)


Page 7

Contents Swing Migration: How to Perform a Swing Migration
Part 2 Doc 2
Phase 3: SBS 2008 Setup: Join to Domain from TempDC to FinalDC
Step H. SBS 2008 Join to Domain Installation
Phase 4: Post-SBS 2008 Setup Tasks and Customization
Step I. Post-Setup SBS 2008 Configuration
Step I. Server Applications and Customization
Step I. Strategic Migration Testing
Phase 5: Transition: Exchange, Data, and Shared Network Resources

Step J. Exchange Information Store Transfer
o Stage 1: Exchange Forklift Compliance Review
o Stage 2: Store Forklift Transfer and Mount
o Stage 3: Reset Exchange Configuration Bindings to AD and Clients
o Stage 4: Exchange Mailbox & Public Folder Migration
Step K. Additional Final Server Configuration Issues
o Migrating Data Files
o Migrating Shared Folder Definitions
o Migrating SharePoint CompanyWeb
o Shared Printer Configuration
o Shared Fax Configuration
Step L. Additional Final Server Configuration Issues
o SBS Premium and Line of Business Applications
Step M. New Server Final Deployment
o Workstation Connectivity
o Outlook Configuration and Synchronization
o Connect Internet Wizard
o Enable SMTP Email Flow from Internet
o Configure User Roles Wizard
o SBS 2008 Group Converter Utility
Step N. Decommission TempDC Server Tasks
o Remove Exchange Routing Group Connectors
o Remove Recipient Update Service Objects
o Remove Public Folders Store and Mailbox Store
o Uninstall Exchange Server Application
o Demote Server Using DCpromo
o TempDC AD Object Removal


Page 8

Overview: How to Perform a Swing Migration

In the simplified diagram above, you should immediately observe why this is called a Swing Migration.
Notice that we use a third DC temporarily as the pivot point in a Swing of moving Active Directory. The AD
is shifted using normal Windows Domain Controller replication. Since that TempDC isnt needed
permanently, we dont need additional licenses or care to use a production server for this purpose. This
becomes clearer as you review the balance of the overview that follows.

Active Directory is the only content moved from the OriginalDC to the TempDC in Phase 2. Therefore
your OriginalDC remains in production, unchanged by the construction at that point.

The TempDC cleanup and further configuration tasks proceed offline, even offsite for Phase 2-4.

The key change in Swing Migration for SBS 2003 to SBS 2008 projects is driven by the need to transfer
the Exchange 2003 Information Store via the TempDC. Therefore, during Phase 5 the Store is moved
onto the TempDC allowing the mailboxes to be migrated over individually to the FinalDC.

This means that the TempDC is not removed from the construction configuration until the end of Phase 5.
Just keep in mind that the Exchange Store remains on the OriginalDC continuously into Phase 5, and
only at that point is the data moved rapidly across the TempDC into the FinalDC.
Figure 1 Swing Migration Simple View

Page 9

We start now with an orientation on the technical path of construction preparations and implementation.
Take a look at the pictorial flow illustration in summary. If you dont see the logic immediately, dont
worry. The next few pages go step by step through the technical procedures to highlight individual phases
of construction.

The main point shown below is that the AD migration and server construction moves on a separate
path, the loop around the bottom, followed later by the data migration as the final phase of construction.

If you are already familiar with Swing Migration from having worked a project to migrate to a 2003
platform, you likely will be interested in the summary comparison of that project outline compared to the
2008 series project path. On the other hand, if this is your first introduction to Swing Migration, dont be
concerned about analyzing the next section to closely, you will find its followed immediately with a
beginners introduction to the Swing Migration project path, you wont need any prior experience to
follow that explanation.

Figure 2-1 Swing Migration Overview Illustration

Page 10

Comparing the Swing Project Series: 2003 vs. 2008 Platforms

Note: This section is specifically for those experienced in doing a Swing Migration with the 2003
Series projects (that conclude on a 2003 release platform) vs. this project scenario for migration
to SBS 2008 platforms.

Swing Migration for SBS 2003 to SBS 2008 follows similar logic to past project outlines in Swing
Migration to conclude on a 2003 platform. However, to incorporate the migration to Exchange 2007 we
also have some additional tasks added.

In the original 2003 Series migration the TempDC was only used for just that, a TempDC.

Within the logic of the 2008 Series migration the TempDC is employed again initially only as a TempDC
during Phase 2. But the new concept is to use it as well as a bridge in the transition of Exchange data in
Phase 5. This means it remains attached to the FinalDC all the way through until Phase 5. This is
because at the end of Phase 2 we now also install Exchange 2003 on the TempDC. That prepares the
Active Directory and for the Exchange Information store to be migrated across the TempDC Exchange
2003 into the FinalDC Exchange 2007.

This change is required because Exchange 2007 does provide compatibility to Forklift the Exchange 2003
version Information Store onto Exchange 2007the database formats are now different. In addition,
Exmerge has been eliminated with Exchange 2007, and an import from PST combined with PST export is
time consuming and a challenge with larger mailbox sizes common today.

Not to worry, the Exchange-Swing Migration works quite efficiently, but will require some time depending
upon the size of the store. The procedure outlined here identifies how you can address Phase 5 as a
Forklift the Exchange 2003 store quickly from the OriginalDC onto the TempDC, then cleanup that stage
of work using a new tool that comes with the Kit: ExchSwingTool.

Using ExchSwingTool you can mount the original store on the TempDC and take the option to either
move for interim production use of that combination of TempDC with Exchange 2003 and FinalDC with
Exchange 2007, or working offline you could transfer the mailboxes over to the Exchange 2007 before
going live with the FinalDC.

Once you have completed the mailbox migration you can decommission the TempDC Exchange Server
installation and decommission the TempDC just as Microsofts Migration Mode documentation outlines to
do.

As a summary perspective on the Exchange Migration, this process of Swing Migration with the TempDC
allows the OriginalDC to remain completely unchanged for the entire project. Yet at the point of transition
you can quickly move an intact Information Store to the TempDC with your choice on procedure to
transfer the mailboxes exactly as Microsoft defines in their documentation. The difference is that we have
the OriginalDC unplugged, unchanged and nothing to undo if we need to roll back. If you keep the
Exchange 2007 server offline from the Internet, you have full rollback options with no changes required.

Keep in mind that these concepts also preserve the option to fully prototype test this deployment scenario
offline, using a copy of the originalDC information store for you test. You can test all the way to the end of
Step M, with only the decommission of the TempDC remaining. Thats a huge value in preparations!

Swing Migration remains the best option that is repeatable and consistent with Microsoft Migration Mode
construction, yet vastly more convenient, predictable and transparent in results. And as the bottom line for
consults, you retain the convenience to do most work offline, offsite, nothing to undo.


Page 11

4 Phases of Offline Constructionthen 1 Data Transition Phase

You can review the pictograph extending across the next several pages to identify how the project flows
through the various phases of construction. We start with a pictograph, followed by a chart step summary.

Build Offline:
Phases 1- 4

Existing DC and AD
Domain Analysis

Audit Namespace
Verify DNS and AD
Health
Configuration
Corrections
Prepare Deployment
Notes
Data
Transition:
Phase 5

Exchange Forklift to
TempDC
Exchange transfer to
FinalDC
Data Transfer from
OriginalDC to
FinalDC as backup
then restore
Substitute FinalDC
for OriginalDC in
production LAN


Page 12

Phase by Phase Review

Phase Zero

Health Analysis Review on
Existing DC and AD Domain

Audit Namespace
Verify DNS and AD Health
Configuration Corrections
Prepare Deployment Notes

Phase 1

Existing 200x DC Server
Preparation

Update Service Packs
Upgrade Compliance
Configuration Changes


Page 13

Phase 2

Build Win 200x TempDC
using temporary hardware
or Virtual PC/Server

Install Baseline Win
200x
Configure Network
Adapters
DCPromo to DC
Verify DNS and AD
Health
Cleanup AD Directory
removing all other DCs
Cleanup Exchange in
Active Dirctory
Remove Domain Trusts
Remove DNS
references
Clean Install of
Exchange 2003 on
TempDC


Page 14

Phase 3

Build SBS 2008 on Final
Hardware using
SBSAnswerFile

SBS 2008 install in
Migration Mode
On construction LAN,
setup performs join to
domain with TempDC
Assign Name and IP
matching original server
to be replaced
SBS 2008 Setup
completes standard
installation sequence
Phase 4

Finalize SBS 2008 Post-
Setup installation of
Applications and
customization

Complete required SBS
2008 post-setup specific
installation tasks
Install any Windows and
Applications, Service
Packs or customizations
Complete all
configuration which can
be done without data
migration


Page 15

Phase 5

Transition of Client/Server
applications and data
including Exchange
Information Store Forklift
transfer via TempDC

Production shutdown
begins for transition to
new server
Transfer data via backup
and restore onto new
server
Forklift Exchange
Information Store via
TempDC, mailboxes
transition into new
Exchange 2007
Information Store
ExchSwingTool makes
adjustments/repairs to
Exchange Mailboxes to
resume normal
operations
Transfer any additional
applications such as
Sharepoint, SQL, or Line
of Business applications
Return to production
operations on new server
Deploy client applications
or updates as needed
Decommission TempDC


Page 16

Swing Migration Benefits

Continuing with the tradition of safe construction offline, and transparent replacement procedure for the
new server, Swing Migration for SBS 2003 to SBS 2008 provides the following benefits:

Same Domain Name (and SIDs)
Same Server Name and IP
Same Information Store intact
No Impact to Workstations or User profiles
Business online during construction
Work offsite and/or offline, open timeline
Nothing to undo migration in progress

Notice that all of the critical path construction and compliance for the migration is performed offline,
without making changes to the production domain or server. In addition, all of the data migration tasks
can be fully tested with trial data in advance if you prefer to level of planning. Once you are satisfied with
the migration results you have tested offline you can commit to a predictable transition online.

Swing Migration Workflow Benefits

Page 17

Understanding a Typical Swing Workflow and Server References

Server Name References

Swing Migration is described in this documentation as a project with the goal to replace one existing
server with a new server retaining the same name and providing the same application services. This
documentation assumes that this server is both a Domain Controller and an Exchange Server, and it
typically is also your internal network DNS Server. The server name references in this documentation
refer to the respective servers instances according to the following logic:

Server References in this Documentation
OriginalDC This is the existing server you are replacing
TempDC
This temporary DC is an interim construction machine, not sold or
licensed, really just a tool in the process
FinalDC This server is the goal of the project, its what you put into service

Distinguishing between the Server Name References Used

OriginalDC I refer to this generically as your existing DC, or perhaps as your existing OriginalDC. If
you have only one existing server, this would be the originalDC. If you have several servers being
replaced at once, we normally think of the OriginalDC as the root DC with all the FSMO roles. If you are
consolidating servers down to fewer servers, the OriginalDC is typically the one you are preserving with
its original name retained.

TempDC The TempDC is the server used temporarily to obtain a copy of the Active Directory off the
OriginalDC, its a core part of why this project works offline. The machine holds AD in our offline
construction to facilitate the cleanup swing steps removing the OriginalDC objects in AD. You construct
the FinalDC server by bringing over a cleaned up copy of the AD, and you will deploy to replace the
OriginalDC with this server.

Page 18

FinalDC The server you deploy permanently with the same name as the original server is the FinalDC,
and typically this machine has the same name as the previous one. Deploying a FinalDC with a different
name adds complications to the project process, so its not a normal project path, though it can be done.

More about the TempDC

Ive chosen to refer to the temporary DC we construct in Phase 2 as the TempDC, while calling the final
machine you intend to deploy as the FinalDC. The TempDC is needed through Phase 5 to facilitate the
migration of the Exchange Information Store. This can be an excellent application for virtual server.

In some cases, you may be introducing a pair of new servers as part of your project. If one is intended to
be a permanent Exchange server and DC, you might use it for the TempDC. Otherwise, using a truly
temporary server installation is preferable.

For a typical TempDC, theres no value in getting creative since the machine identity will be completely
removed from your Active Directory before the end of the project. You are encouraged to use the name
TempDC, or TempDC01, TempDC02 if you need to iterate the project starting over in Phase 2.


Page 19

Swing Migration projects provide some unique benefits, and heres where you will see several.

OriginalDC

To do this project path you dont need to update your OriginalDC to the latest service packs if they are not
already installed. Our project path allows us to address the service pack preparations only on the
TempDC and only for what we require in our minimal installation. Conspicuously missing below is a
requirement for SBS 2003 SP1, its not required. We avoid this problem because our TempDC doesnt
have the same service pack preparations as an SBS 2008 server join would involve, thus the construction
is simpler and the preparations issimpler.

TempDC

Our typical project construction allows us to address just current Windows 2003 and Exchange 2003
updates on the TempDC. Even if you are using SBS 2003 media for construction of the TempDC, our
construction path doesnt require a fully SBS 2003 installation, only the Windows and Exchange
application media is installed from the SBS media. Without installing the additional SBS features we dont
need to address the full suite of service packs for all those features we have no use for in our purpose.
This avoids and saves you at least 2-3 hrs construction that was non-essential for a TempDC. The Kit
tools provide a simple workaround against the SBS 2003 SP1 requirement blocking your setup
experience.

Preparation: Original (Existing) Server
Supported Media & Requirements
Existing Server: Media/Platform Prerequisites Service Packs Required
2003 Platforms:

SBS 2003 Server Media (pre-R2 or R2)
Platforms: Standard or Premium Edition
SP Release versions: All
Media Source: All

Windows 2003 Server Media (pre-R2 or R2)
Platforms: All
SP Release versions: All
Media Source: All

Windows 2003
Any installed service pack
level supported (no
update is required)
Exchange 2003
level supported (no
update is required)
SharePoint 2.0
Update to SP3 prior to
moving the database
SBS 2000, BOS 2000 or Windows 2000
Platforms: All
Release versions: All
Media Source: All

Exchange Server 2000 or 2003
Platforms: All
Media Source: All
Windows 2000
Service Pack 4
Exchange 2000
Service Pack 3

All Media Source includes: OEM, MOPL, Retail, MSDN, Action
Pack or Trial media

Service Pack & Platform Version Requirements

Page 20

Construction: TempDC and FinalDC
Supported Media & Requirements
TempDC Installation Media Phase
Recommended:

SBS 2003 Server Media (pre-R2 or R2)
Release versions:
RTM (Gold) release
Slipstreamed SP2
Media Source: All
Windows 2003
Service Pack 2
Exchange 2003
Service Pack 2

Recommended:

Windows 2003 Server Media (pre-R2 or R2)
Platforms: All
Release versions:All
Media Source: All

Exchange Server 2003 Media
Platforms: All
Media Source: All

Windows 2003
Service Pack 2
Exchange 2003
Service Pack 2
Compatible but not recommended:

Windows 2008 Server Media (pre-R2)
Platforms: All
Media Source: All

Note: Windows 2008 media is not recommended for the
TempDC unless you are already running Windows 2008
DCs in the production domain. The Kit documentation does
not include instructions for Windows 2008 specific issues.

Windows 2003 (32-bit)
level supported (no
update is required)
32-bit platform required to
host Exchange 2003 for
Information Store
transition
Pack or Trial media

FinalDC Installation Media

Required:

SBS 2008 Server Media
Media Source: All

Exchange 2008 (Warning!)
Service Pack 2 installed
as an update on SBS
2008 will break
functionality without other
post installation tasks.
Pack or Trial media


Page 21

It used to be that you could talk about the hardware requirements for installing a server and actually be
talking about, well, hardware. Times are changing.

For the traditional explanation of hardware requirements for installing SBS 2008 as well as for a Swing
Migration construction of a TempDC, please use the suggestions just below. These are intended for
interpretation to mean that there are no Virtual Server configurations involved as host or guests as part of
this decision or analysis.

SBS 2008 Hardware Requirements (FinalDC)

Hardware Minimum Requirement
Processor 2.66 GHz 64-bit (x64)
Physical memory 4 GB (8G Recommended)
Storage capacity (System Partition Requirement) 60 GB
DVD drive 1
USB Port Recommended for Setup
Network adapter One 10/100 Ethernet adapter (1Gbit Preferred)
Monitor and video adapter Super VGA (SVGA) monitor and video adapter with
1024 x 768 or higher resolution
Network devices One router that supports IPv4 NAT or IPv6
Optional network devices Device required by your Internet service
provider (ISP) to connect to the Internet
One or more switches to connect client
computers and other devices to the local
network
Source: (Microsoft) SBS 2008 Release Notes June 2008

Using Virtual Servers for SBS 2008 (FinalDC)

This information provided is not intended as optimization information. This is provided only as a baseline
recommendation as compared to the hardware specification above. You can assume that at least an
additional 1 Gb RAM per VM should be provided on a minimally configured host (memory) partition in
order to host the Virtual Server guest partition. Therefore you should add 1 Gb for the host, plus the
memory environment for each guest OS you plan to use.

Disk performance will generally be enhanced for the SBS 2008 running as a guest if you provide
separate spindles for the host and guest operating systems to isolate disk activity.

SBS 2008 Server: Minimum Hardware Requirements

Page 22

The illustration above shows a typical workbench arrangement that you might use for the offline
construction in Phases 2-5. In addition to the SBS 2008 final server hardware, you will need some spare
equipment for the construction phases.

Using Spare Hardware for Construction Tasks

Remember, a significant advantage of Swing Migration is that you can leave the production domain
unchanged, you can work with your construction LAN isolated from the production domain. For IT
consultants this includes the idea of doing the majority of the construction tasks in your office, not at the
customers place of business.

Typically you would like to have the following items for your offline construction:

TempDC A minimal 32-bit workstation class machine to load as the TempDC
Consumer grade Network Switch/Router Connects the TempDC and FinalDC
USB Hard Drive Convenient for backup/restore of data to FinalDC
Please note: The TempDC is not optional, its a requirement. The optional consideration is deciding what
you want to use as the TempDC. It can be anything from spare workstation class hardware to a virtual
server installation if you are familiar with using that technology. You can even substitute a spare hard
drive into a workstation if you have no better option.

Internet Access Not Required

Swing Migration procedures generally endorse not connecting to the Internet during your offline
construction. Its not required by the procedure, and as a general rule you would be better off to prepare
pre-downloaded copies of any service packs or updates.

Offline Construction: Temporary Hardware Requirements

Page 23

Swing Migration: TempDC Hardware Requirements

Note that this is not a permanent machine requirement; you can reasonably use a workstation class
machine for this temporary use. The purpose of the TempDC machine used in a Swing Migration is
described in the earlier sections on the Swing Migration phases of construction.

Processor 700 MHz 32-bit (x32)
(1 GHz or above recommended for larger transfer
operations above 8G Exchange Store size.)
Physical memory 512 MB (1 GB recommended)
Disk Partitions System Partition: 8 GB
Data Partition: Up total 120 GB for Exchange only
CD/DVD drive 1
Network adapter One 10/100 Ethernet adapter

As compared with Swing Migration to a 2003 final platform, the SBS 2008 project involves a significant
change in the hardware requirements for the TempDC. The new requirement is to run the TempDC as a
fully functional Exchange Server during Phase 3 through Phase 5. This is necessary to facilitate the
transfer of the Exchange 2003 Information Store for migration to the Exchange 2007 server. This means
that the trivial TempDC requirement for Exchange 2003 to 2003 migrations is no longer applicable, we
need a machine with a reasonable amount of RAM.

Using Virtual Servers for TempDC in Swing Migration

The information provided is not intended as optimization information. This is provided only as a baseline
recommendation as compared to the hardware specification above.

You can assume that at least an additional 1 Gb RAM per VM should be provided on a minimally
configured host (memory) partition in order to host the Virtual Server guest partition. Therefore you
should add 1 Gb for the host, plus the memory environment for each guest OS you plan to use.

Data Transfer to Final Server: USB Drive based Restore

At no time will the OriginalDC and the FinalDC be connected to each other. The data transfer from your
original production server should be handled as a backup and restore operation. Typically you can do this
using NT Backup to a USB or similar transfer hard drive. The Swing It!! Kit describes the use of NT
Backup as a convenient alternative however you should certainly use more efficient products for drive
imaging if you have that option.


Page 24

Swing It!! Kit Tools

Tools to help with the References

The table below outlines some of the tools you have available to take notes and assist you with review of
your current server configuration. Details of how to make best use of these tools is summarized in
Document 4 of the Kit, the Tools Reference.

Swing It!! Kit Tools
Server Transition Tools

o ShareMig Shared Folder definitions/security are intelligently
recorded & re-established without duplicates or invalid entries
Updated!
o DNSPurge Locates and removes all DNS records related to
a specific server for faster, accurate cleanup.
Updated!
Summary Notes and Status

o PrintDef Report all Printer Definitions Settings

o MailAddyAll Report all email addresses by user/group
Updated!
o DialinBy Report all users Dialin permission status

o LgnScrpt Report User Logon/Profile Legacy Settings

o EventDmp Click to export all Event Logs at once
Updated!
Individual User/Group Analysis

o GrpNest Report nested group memberships for a User

o AdminSID Report Root Admin & Admin Group memberships
Username/SID by domain or local station

New Tools for SBS 2003 to SBS 2008!!

o SwingIT AnswerFile Tool Generates a default
SBSanswerfile.xml file ready for Migration Mode and including
defaults obtain for your existing server
New!
o ExchSwingTool Resolves Orphan Mailbox, mismatched
attributes and public folder issues
New!
o DcGpoVerify Detect, optimize, & correct flawed DC Security
Policy conditions or orphan SID references
New!
o SwingItPreSourceTool Prepares your domain configuration
prior to running SBS 2008 setup
New!
o ExchPfReport Analyzes and recommend public folders for
required cleanup actions
New!
o GPO_Review - Analyzes and recommend Group Policy Object
required cleanup actions
New!
Important: To run these tools you must rename them after you download them. The
filename must be changed from .V_B_E to .VBE in order to execute them.
Please see the note on the following page for more details.

Page 25
Copyrigh
Swing It!! T

Hints on

Just below
suggestio
example b

How t
ht 2004-2009 b
Technician Kit
n When to u
w you see a ty
on hint box ma
below is worth
Swi

Swing
increme
a simple
simulta

After yo
much th
them, o

Impor
Renam

The tool
them fro

To use t
characte

Therefor
such as

(In case

Once the
some ad
o Perform a
by SBSmigratio
Documentatio
se Tools
ypical remind
ay also be fou
h noting as a
ing It!! To
It!! Kit Too
ental progre
e way to cr
neously, wi
ou export th
hey compre
or send the
rtant Note
me the To
s provided w
om false-posit
the tools you
ers from the fi
Downloaded

Use them as
re, as a conve
c:\swingit, the
Ren C:\swin
you wondere
e tools are re
dditional docu

Swing Migra
on.com
on
der that will be
und inline to a
valuable sug
ols Tip
ol EventD
ess while p
reate a reco
ith a single
he logs with
ess using W
logs by em
: How to U
ool Filena
ith the Kit are
tive deletion b
must rename
ile extension.
d name: [too
s name: [tool
enient solutio
en from a CM
git\*.V_B_E
ed, it doesnt
enamed, they
umentation on
ation from 20
e offered as a
a task page w
ggestion. You
Dmp can ea
erforming a
ord of all yo
click.
h EventDmp
WinZip or sim
mail.
Use Swin
me to .VB
e names that e
by antivirus sc
e them to rem
For example
lname].V_B_
lname].VBE
on, you can co
MD prompt run
C:\swingit\*
matter if the n
execute with
n tools in Doc
003 to SBS 2
a suggestion f
when appropri
really will val
asily help yo
a new insta
our Event Lo
p, you may
milar tools
g It!! Tool
BE
ends in .V_B_
canners.
ove the unde
e:
_E
opy all these f
n the followin
.VBE
name is uppe
a double-clic
c4 of the kit.
008
for a tool you
ate. By the w
lue the Event
ou docume
llation. This
ogs
be surprise
in order to
ls
_E to protect
erscore
files into a sin
g command:
er or lower cas
ck. You will al
can use. A s
way, this partic
DMP tool!
ent your
s tool is
ed how
archive
ngle folder,
se.)
so find

imilar
cular

Page 26
Copyrigh
Swing It!! T

No
Replacing
As a prac
in this pro
single DC
and Exc
challeng
preservi
Server i
Changing
more tran
change th
possible br
way th
Server Gro
Yes, you c
to replace
having the
performing
concurrent

How t
ht 2004-2009 b
Technician Kit
M

ormal 1:1 M

g One Server w
ctical reality, yo
ocess, or you m
C) environment
change Server
ge in this projec
ng the original
if they are to be
g the name ass
sparent, but do
he name of the
reak many UNC
hat will aggrava

Consolida

oup Replacem
an apply the sa
a group of serv
same identity.
g a hardware up
t upgrade to the

Server Re
o Perform a
by SBSmigratio
Documentatio
Multi-Serv

Migration
with More than
u might be rep
might be expand
t to have multip
services on mo
ct is to determin
server name o
e split across m
sociated with th
oes involve som
DC and it is al
C path designa
ate the staff, or

ating
ments as a Set
ame theory of S
vers with a new
In that proces
pgrade only, or
e servers at tha
?
?
name

Swing Migra
on.com
on
ver Swing
Replac
In most
one exi
more th
Exchan
your thi
that one
the sam
n One Server
placing more th
ding from a sin
ple DCs or a sp
ore than one D
ne if you benef
on the DC or th
more than one
he Exchange S
me additional c
so a file/print s
ations at the wo
even break ap

Bringin
The sam
name c
folks wi
current
process

t
Swing Migratio
w group of serv
s, you can be
r even do a
at same time.
No Ser
I get thi
TempD
Control
and all
candida
you rea
directio

Swing M
never re
or partia
for the
you sim
prefer a
ation from 20
g and Wor
cing One Serve
t projects involv
sting Domain C
han one existin
nge and Domai
inking slightly.
e server in part
me name as the
an one server
ngle-server (or
plit of your DC
C. The main
fit more from
he Exchange
new server.
Server can be
cleanup. If you
server, you will
orkstations in a
pplications.
ng Many Serve
me issues disc
change, you ha
ill want to retain
ly use, both to
s, but here you
on
vers
rver Rename a
is question all t
DC? Im firmly c
lers, Exchange
the other depe
ates for a renam
ally cant save m
on.
Migration neve
ename a serve
ally configured
new replaceme
mply construct t
as you are build
003 to SBS 2
rkflow Var
er with One Se
ving Swing Mig
Controller befo
g DC, or if you
n Controller op
The document
ticular is being
e previous one
a
ers down to O
cussed above a
ave to clean up
n the actual pro
keep it familiar
u have to comp
Multi-S
as a Step, we c
the time: Why c
convinced that s
e Servers, Web
endencies invol
me. Its just not
much if any tim
r applies a tech
er by literally ch
server. For an
ent server to ha
that new serve
ding it.
008
riations
erver
gration, you like
re the project s
u have separate
perations, you w
tation is based
replace by a n
.

Explodi

One Server
apply in reverse
the impact. Ob
oduction serve
r and to minimi
romise.

Server Sw
can build with
cant I just rena
servers that ar
b Servers, Sha
lved at once ar
t predictable. M
me trying to pus
hnical rename
hanging the act
ny project wher
ave a different
r using the diffe
ely have only th
starts. If you ha
e servers for yo
will need to alig
upon the prem
new server usin
ng
e. If you force a
bviously most
er name you
ze the technica
ing
h New Name
ame the
re Domain
repoint Servers
re not good
More important
sh a project in t
process. We
tual name of a
re your strategy
name assigne
erent name you

he
ave
our
gn
mise
ng

a
al
s
ly,
this
full
y is
d,
u

Page 27

Conventions in the Documentation

Inline Warning, Tips, and Comments

Many references (that are not part of the actual workflow steps but are related to the situation in progress)
are highlighted as sidebar information, in-line to the document steps. Each type of in-line reference
includes a unique appearance (box style and color), and labeled to identify the importance it carries.

Some of these entries are embedded in the Task Box format, others are standalone because they relate
more to a point in the project than a technical aspect of a specific Task.

As an example of a standalone comment, the Expert Tip shown below provides additional information
about using ADSiEdit and NTDSutil, warning that these are very dangerous command to use on live
Active Directory information. Hopefully you already realize this point, but this caution is presented here,
both as an illustration of an in-line comment, and to reinforce that very point. Be careful with these tools!

Expert Tip

NTDSutil and ADSiEdit are Efficient Killers

And yet, we will use them.

You never see a Microsoft KB that discusses the registry editing tool Regedit
without a very scary looking warning to the effect you could kill your computer
with this tool, so dont blame Microsoft. Okay, its a little less blunt.

Nonetheless, during this migration we dont use Regedit specifically, but we do
use two other tools that make Regedit look like a beanbag weapon. NTDSutil
and ADSiEdit are two of the most efficient killers of Active Directory you could
ask for. Any mistake you make with these tools in a production environment
would be potentially lethal disasters. Since we work offline with these tools, we
have the safety of starting over, but thats about all.

You should be prepared to start over from the beginning if you make a mistake.
Better yet, dont make a mistake, and be certain that you read the entire step
description Ive provided, and understand it fully before you press Delete! There
is no Undo command here. Familiarize yourself with the process before you start
to use these tools.

On the following page is an illustration of a Task Box with an explanation of the layout it provides to help
you move quickly through the indicated tasks, plus some inline comments to emphasize special issues.


Page 28

Understanding the Task Frame Page Layout of this Documentation

Please take a moment to review the frame below, it illustrates and explains how the documentation is
formatted to make it easier for you to get more or less detailed information on every task. Note that not all
Task Frames in the documentation have all of these elements. In fact, most have far fewer elements.

Task # Instruction Reference Context that Applies

What This Task
is All About at a Glance
Background on Why you have a particular task to do now,
and information that helps you to understand if it applies to
your circumstance. You probably dont need to read this
section after you have done at least one project, or only if an
unusual condition you have not encountered before should
arise.
Important
Concern
Important points that need special consideration for any project are highlighted. These
tend to be very critical points you must pay attention to because if you get this wrong,
you probably could end up having to redo some or all of your work, or even become
blocked in this task.
Media/Tool
Requirement
Media A
Some tasks involve either installing a tool, or an outside resource that may
be available on your original Media.
Media B
In some cases, you will have different media requirements with different
version of Windows.
Tasks

KB 325379
How to do this Task

This section will describe the actual required task steps. Typically the steps are
numbered or contain bullets to help you proceed in an orderly manner. In most cases,
this section is the minimum requirements for the task. If you are familiar with this task,
you probably dont need to read the Why information, just the actual steps.

1. Preparing to work a Swing Migration project the first time, you probably will be
interested to review the WHY information as well as each of the inline comments
and alerts. Its educational, and I believe it helps you to remember the process.
2. Once you are familiar with the project steps, you may find that with only a glance at
the title block you will know WHAT you need to do. Like any newspaper or journal,
this is a headline to frame the entire topic in summary.
3. You may notice the comments sidebar to the left? In addition to label for the Expert
Tips, Important Concern or Media/Tool Requirements notifications, look here for
Where external references such as Microsoft KBs are cited if you want to
troubleshoot something further on background references I have used, or that
relate to the process.

Expert Tip
The Expert Tips are generally optional information that offers optimization hints or
tricks. Occasionally these may do nothing more than remind you to beware for common
mistakes other have made, or assumptions you should avoid.

Technical
Background
Technical Background sections are purely educational, and opportunity for me to fill
out more information than you need for the task at hand, but that either sketch in the
details of the underlying logic of what you are working on, or frame the project with a
different perspective. You may find references to or abstracted information from a
whitepaper describing a related or alternative approach to a project step.

Page 29
Copyrigh
Swing It!! T

How Mu

A lot of iss
just under
that much

I try to cha
and know
work:
1
2
3

That gene
project tak

How t
ht 2004-2009 b
Technician Kit
ch Time Do
sues can sha
r an hour or o
h time alone. A
aracterize the
wing your own
. Time requ
. Time requ
additional
customizat
. Time requ
hard drive,
eral summary
kes a bit long
Impor
Summ

I strong
within a

It is very
less than
time as w

o
o

I am not
contrary
open-tim

Swing M
the proje
even if y
Howeve
one of th
o Perform a
by SBSmigratio
Documentatio
Summ
oes a Swing
ape the timelin
over ten hours
An estimate o
e project scop
unique cond
ired to perform
ired to build a
applications,
tions.
ired to transfe
, plus the Exc
y could be est
er as you are
rtant Proje
mary Sche
gly encourag
a fixed comp
y likely that m
n 16 hours, a
well, provided
A very well co
complications
A familiarity w
t trying to sca
y, I think most
meline constru
Migration is no
ect path is tha
you make a m
er, the open tim
he core benef

Swing Migra
on.com
on
mary Tim
g Migration
ne. For instan
s, right? Unfo
of 5-10Gb/hr.
pe in a simple
itions. Look fo
m the Swing s
a new SBS 20
anti-virus pro
er the data via
change Inform
timated as mi
e just learning
ect Note
edule Rec
e you not to
letion deadli
ost people ca
nd that many
d you have ei
onfigured and
s
with many of t
re anyone int
anyone can
uction and tes
ot hard, but it
at you can alm
mistake in you
meline is not
fits in your su
ation from 20
eline Con
Project Req
nce, the amou
rtunately, ma
can apply on
e manner you
or the time re
steps includin
008 server fro
oducts, line-of
a a backup an
mation Store m
nimum of 12-
g and working
commenda
choose you
ine of 3 days
an finish their
y can complet
ther:
d healthy exis
the technical
to believing th
learn the proc
sting.
is detailed dr
most always s
r steps, witho
only a benefi
pport options
003 to SBS 2
nsideration
quire?
unt of data yo
ilbox and pub
n the Exchang
can relate to
equired to be t
ng the TempD
om bare meta
f-business ap
nd restore se
move from Te
-15 hrs, thoug
g your way thr
ations
r first Swing
s or less time
second Swin
te their first m
sting productio
concepts of d
his is too diffic
cess and app
riven project w
start over at a
out starting ba
t for you work
s.
008
ns
u need to mo
blic folder mig
ge Information
based upon
the sum of th
DC constructio
al to completio
pplications, an
quence using
empDC to Fin
gh you may fin
rough the pro
g Migration
e in advance
ng Migration in
migration in tha
on server with
domain/serve
cult to learn. O
preciate the va
work. A uniqu
a midpoint of p
ack at the ver
king in this wa
ove could requ
grations can ta
n Store move
your experien
ree stages of
on and cleanu
on, add any
nd preferred
g media such
nalDC.
nd your first
cess the first
.
n
at
hout
er migrations
On the
alue of
e feature in
progress,
ry beginning.
ay, its also

uire
ake
s.
nce
f
up.
as
time.

Page 30

How Much Operations Down-Time is Involved

When you perform a Swing Migration to replace an existing server with new hardware, 95% of the project
tasks are performed offline and in advance of that transition point where your production domain must be
taken down. Thats the point where your new server is fully constructed and you now only need to move
the data over.

In most cases, you more likely will take several days or a week to complete the server construction, but
you can take a month if you need to. You have the option to approach the project construction time
separately from the downtime as long as you are bringing in new hardware as part of the project. You can
prepare the server and then schedule the transition for when its convenient.

The crucial timeline pinch is the impact on productivity when you reach Phase 5 and proceed to shutdown
for transfer of the Exchange and all data. In a Swing Migration where a new server is being deployed, this
period determines the apparent migration time as seen by business operations because they remain in
operations for all construction in the preceding time. Everything else is fairly transparent to the business
operations and staff.

With some experience and familiarity to the process gained, its possible to complete a full production
migration, including 3
rd
party apps with all work completed in one long day, with data migration and
interruption to the business operations following that. You might be able to handle the data migration
overnight, but this may be optimistic. Practicing the project is the only way to really know the time needed.

Time Required for a New Installation back onto the Original Hardware?

This is the least optimized project, but its still a pretty good solution. If you are redeploying the same
hardware, with or without a product upgrade, you cant work very far into the Swing Migration before you
need to shutdown the original server. Its quite simple: you need the hardware for the balance of the
construction. The construction time is pretty much the same as before, but you are no longer working
offline, and you lose the option to put the old server back online unless you do significant disaster
recovery preparations. Therefore, the disaster recovery steps in advance also add to your timeline.

Important Documentation Note!

You Have 21 Days to Complete Your Migration

SBS Product License Enforcement begins in Phase 3

Microsoft designs SBS 2003 and SBS 2008 to enforce that only on SBS
server may operate permanently in a singled domain. The time limit for
concurrent operations of 2 or more SBS servers is 21 days.

The 21 day period countdown begins on the date you initiate the Migration
Mode segment of the construction of the SBS 2008 by joining it to your SBS
2003 based domain. This corresponds to the Phase 3 construction tasks in
a Swing Migration. Please refer to that section of this documentation for
more details on this topic if you are concerned you cant complete your
project within 21 days.


Page 31

Pre-Upgrade Disaster Recovery Precautions

What follows here are recommend incremental risk analysis regarding the steps we are performing, not
a full risk analysis of the business operations overall. (Note: If your project requires redeploying the
original hardware, most of these points become critical. You will need a full disaster recovery plan for the
entire project.)

We have two perspectives on making incremental backups during this project. Obviously the highest
priority is to protect against a catastrophe in the production operations. Amazingly enough, its actually
possible to work the entire project with no extraordinary or extra disaster recovery preparations provided
you are replacing your hardware, and you start with a System State backup to start Phase 1, and an
Exchange Online backup to flush the logs, followed by an offline transfer of the files. The old server
drives may be all you need as your disaster recovery backup!

The second perspective: Protection against losing project progress time. You will find numerous
points in the project that identify make a system state backup. This allows you to repeat a sequence of
tasks if you have a construction problem. This can save you hours of reconstruction work.

Prior to Phase 1 A System State backup prior to starting is sufficient. You might be comfortable
just to confirm the previous nights routine System State backup was successful. We install
Service Packs, remove the Exchange Server Instant Messaging if its present. The balance is just
preparing notes. If you are very conservative, you may want to make a full system recovery
backup in preparing for an Active Directory recovery, assuming you are preparing for the very
worst case scenario in the Phase 2 steps as well as the Service Packs.

Phase 2 (Steps A & B) The production domain is only involved during the initial steps of this
phase. During that brief period, we are connected just long enough to add our new Domain
Controller to the production domain, replicate AD to it, then we disconnect. We never need to
reconnect again. This step generally isnt a high-risk process. Therefore, a System State backup
is usually sufficient for disaster recovery. A full AD rollback is probably not anticipated, but we will
be adding a DC and DNS changes affecting AD. Technical information on how to back-out the
changes to the production domain without requiring an Active Directory restore has been included
here.

Phases 2 (Steps C and later) though Phase 4 At this point, we have moved to working entirely
offline, detached from the production domain. Its not necessary to do any disaster recovery
process since you are working offline with a clone of the AD, the worst you can do to yourself is
kill your AD or your offline DC and need to start over. The production domain isnt at risk, so this
is quite safe, and efficient. Yet at the end of Phase 2 a System State backup is critical for roll-
back. You may need to repeat Phase 3 more than once to get a clean installation report.

Phase 5 This is the transition point where we are ready to migrate the data and remaining
configuration. Your original server is your backup, plus whatever backup of that you have,
because the original server is never introduced to the new one, it has remained
unchanged.

Suppose that you are starting your Server transition for a Saturday morning, and you know you
got a good complete backup of the production SBS the previous night. If nothing else, you could
disable the Internet connection to make a final backup of Exchange before you shift the servers.
The backup from the night before would presumably including System State, Online Exchange
Stores with logs flushed, and all data files. You might move the backup device over to the new
server and do the restore of the data files, but not the Exchange stores (we cant do a restore that
way). The Exchange Stores could be migrated to a portable disk drive to transfer a copy over to
the new server.

Page 32

Phase Zero: Migration Notes Preparation
and Domain/Server Audit

Figure 2-6 Phase 0 Domain and Server Health Evaluation


Page 33

Why a Phase 0?
Project Planning and Health Review

You may be wondering, why have a Phase Zero, why not start with a phase one? The answer is that
your migration tasks specific to this one unique project start in Phase One, but for now we are just going
to confirm the health and configuration of the existing environment.

As you begin with Phase Zero, you will make as close to zero changes as possible to your existing
production server and operations unless you find that your existing Domain Controller is actually non-
standard or unhealthy. Obviously, you want to start with a healthy server whenever possible. More
importantly, the health check we do is intended to ensure that when you begin Phase 1, all the minimum
conditions to succeed with the project are met.

Once you confirm the proper configuration of the existing server, you will begin taking the notes you will
need. One of the reasons for the note taking is also to confirm namespace and configuration details that
are critical to your project.

While this section isnt trying to walk you through process as theory, please dont be tempted to think
Phase Zero is any less important that the five phases that follow it. An omission or oversight in this phase
could result in a permanent condition that might lead you to work the entire project over again if you come
to realize the error too late.

Quite simply, if you dont go through the tasks in the section, you almost certainly will reach a point in the
project where you are either stuck and the project halted in need of something you could have obtained
from whats covered in Phase Zero. Even worse, you might impact upon a condition that prevents you
from moving forward with the work you started without starting over or taking a different course. Phase
Zero walks you through validating that you can anticipate a successful Swing Migration on this project,
and helps you prepare the information you will need to have on hand as you go forward.


Page 34

Phase 0 Task Outline & Checklist Preparations

Tasks Health Audit: Namespace Part 1
1
Namespace Compliance Audit
Verify critical names for server, domain, applications

Tasks Health Audit: Server and Domain Settings Part 2
1
Network Adapter and DNS Configuration
Ensure normal configuration for DC operations

2
Multi-Adapter/Host Environment NIC Bindings
Ensure functional configuration is established

3
NIC Services Bindings
Ensure functional configuration is established

4
Default Services Configuration
Confirm required DC configuration and service conditions

5
DNS Server and Forwarders
Verify DNS configuration and health

6
DC and Global Catalog Health
Verify AD roles and DC resolution behavior

7
Administrator Default Group Memberships
Audit for required & incompatible group settings

8
Minimum Required Policy & Rights Configuration
Verify and update for required rights & permissions

9
SMB Signing Configuration Audit
Verify secure channel communication and policy actions

10
Single Label Domain Name Resolution
Validate proper domain name configuration requirements

11
Refresh and Audit Operations
Review changes from previous revisions

Tasks Health Audit: FRS Operations Part 3
1
File Replication Service Health Audit & Repair
Confirm health of critical replication operations

Tasks Notes Notes Preparation
1
Prepare Migration Settings and Reference Notes
Baseline information for remaining project tasks

Page 35
Copyrigh
Swing It!! T

What mak
to abando

Microsoft
Windows

How t
ht 2004-2009 b
Technician Kit
He
kes this sectio
on the project
has introduce
2000, as wel
Impor
Single

What is

Typical i
with a .L

Howeve
mean th

Single-la
Window
Active D

The mai
blocks a
the sam

This is th
Window

As an ad
from 200
the use
Exchang

o Perform a
by SBSmigratio
Documentatio
ealth Che
C
Serv
on critical is
of domain/se
ed tighter nam
l as from Win
rtant Proje
e Label Do
a single-labe
in an SBS en
LOCAL label f
Companyna
er if the Active
ere is no peri
Companyna

abel domain n
s domain to h
Directory doma
n change mo
a single-label
e as with Win
he only signif
s 2003 doma
dded note, Fo
03 version for
of ADMT or R
ge 2007.

Swing Migra
on.com
on
ecklist: P
Critical Na
ver, Applic
that incompa
erver preserva
mespace rest
ndows 2000 m
ect Note
omain Na
el domain nam
vironment is t
following the
ame.local illus
e Directory do
iod in the full
ame without th
names should
have both a N
ain name is 2
oving now into
domain name
ndows 2003.
ficant change
ains or Exchan
orest Name C
rward, therefo
Rendom tool w
ation from 20
Part 1 E
amespace
cations an
atible or degra
ation, or alter
rictions in eac
moving to Win
ames: Bloc
me?
to name the A
root name. Th
strates a com
omain name is
forest domain
he .local is a s
d not be confu
Netbios doma
2-labels or m
o SBS 2008 p
e. Other than
in Namespac
nge 2003 org
Changes are n
ore a Single L
while still in W
003 to SBS 2
Existing
e Audit
nd Domai
aded namesp
r the path of th
ch increment
ndows 2003.
cked from
Active Directo
herefore:
mmon 2-label d
s only a single
n name:
single-label d
used with the
in name that
more.
platforms is th
that, the nam
ce requireme
anizations.
no longer sup
Label domain
Windows 2003
008
Domain
n
pace condition
he project ste
from domain
m Upgrade
ory domain
domain name
e label, this tr
omain name.
continuing fe
is one word
hat SBS 2008
mespace com
nts from proje
pported by Ex
is going to re
3 domain, pre

ns could lead
eps.
s under NT 4
e
e.
ranslates to
.
eature of a
, but the
Setup
patibility is
ects with
change
equire either
e-upgrade to

you
.0 to

Page 36
Copyrigh
Swing It!! T

How t
ht 2004-2009 b
Technician Kit
Ex

Yo
do

Call
out
bec
liter

The
SBS
.LO
AD
reco
sim
this
bec
con

Nob
tech

Nob
dom

o Perform a
by SBSmigratio
Documentatio
xpert Tip
ou do NOT
main nam
l it a myth or c
there on the
cause it is not
ral name as y
e confusion or
S 2000 refere
CAL extensio
domain and p
ommends you
ply because y
is their sugge
cause it doesn
fuses it, but it
body should to
hnically just b
body should b
main name to

Swing Migra
on.com
on
T need to
me to com
call it confusio
question of re
using .LOCA
our public do
riginates from
ences and wiz
on as part of a
public facing
u use .LOCAL
you have to p
estion. They a
nt really help
t doesnt brea
oss out an ex
ecause it doe
be concerned
the public do
ation from 20
revise an
ply with .L
on, there is ju
enaming an e
AL in the doma
main.
m some badly
zard details. It
an SBS doma
Internet doma
L if you are cr
pick somethin
also recomme
simplify your
ak it regardles
xisting domain
esnt comply w
about match
omain name.
003 to SBS 2
n existing
LOCAL
ust bad inform
existing doma
ain, or is the s
worded docu
ts never been
ain. Its also n
ain name mat
reating your f
g when you s
end not using
r configuration
ss.
n or attempt to
with .LOCAL.
ing or not ma
008
SBS
mation
in just
same
umentation in
n critical to ha
not a problem
tch. Microsoft
irst AD doma
start from scra
g your public d
n, and potenti
o rename it
atching the AD
the
ave the
if your
t
in
atch,
domain
ally it
D


Page 37

Here is a summary of what is covered in the balance of this section in more detail and included
troubleshooting and workaround options to resolve established conditions you have inherited. Depending
upon what you discover in reviewing that table, you may find that you will not be able to preserve you
existing domain. Potentially, the complications or blocks are so severe, you might start over.

Namespace Summary Guidelines:
Restricted Characters
Namespace Situation Explanation
Namespace Character for:
o DNS Domain
o Netbios domain
o Domain Controller Servers
o Exchange Servers
o Uppercase letters A through Z
o Lowercase letters a through z
o Numbers 0 through 9
o Hyphen
Exchange Server Organization Name
o All characters as above, plus the space
character is allowed for natural text naming
phrases with spaces included.
Most Compatible Domain Name
(examples)
o Private.Lan
o [GenericName].Local
(provided no Mac computers involved)

Namespace Guidelines:
Preferred Naming Choices
AD Domain Name
Conditions to Avoid
Explanation
To avoid Mac computer complications,
do not use .LOCAL
Requires additional configuration of the Mac
computers to operate
Do not use the exact public Internet
domain name (.COM) for your internal
domain name, make them different.
Requires additional DNS record configuration to
enable browsing a web hosted website by that
name.
Avoid a literal business name for the
internal domain name to avoid a future
need for renaming it
Renaming the internal domain is complicated,
potentially requires a full reinstallation of the entire
domain.
Do not reinstall a domain only for a
cosmetic namespace change
Use the recommended workarounds.

If you find issues identified in the table above that you want to understand with more background
explanation, refer to the Domain Audit Guide available from the SBSmigration.com website.


Page 38

Task 1 Namespace Audit Phase 0 Part 1

Blocked Namespace Checklist
Windows 2000/2003 Domains
The namespace information below can be critical to your ability to
even complete a project, therefore this first task is very important.
You need to pay special attention to Domain name and Server
name references.

Namespace Planning and Review

Allowed Namespace in this next series of tasks applies to any names for:
o DNS Domain (Active Directory)
o Netbios domain
o Domain Controller Servers
o Exchange Servers

Warning: The underscore _ is no longer supported for use in Windows 2003
based domains. SBS 2003 setup blocks it, as do Exchange Server 2003 setup.

Note: You will be provided a separate list of characters for the Exchange
Organization allowed character set.
Task 1.1 Critical Namespace Character Restrictions

Compliant Character Set

o Hyphen

Note: Any additional characters previous allowed in namespace for Windows 2000 or
Exchange 2000, but not in the list above, should be considered incompatible for continued
future use, therefore a namespace to abandon.

Verify each of the following, you can use the table below to record the names if you want.

Validation Server and Domain Namespace

DNS Domain Name
AcmeDomain.local

NetBios Domain
AcmeDomain

Server Name (DC)
Server01

Server Name (Exchange)
Server01

Continued with following page


Page 39

Task 1.2

KB 226144
Netbios domain name

o NetBIOS domain name has a 15-character limitation.
o Do not use dotted netbios names. Instead, use a hyphen when a dot is needed.

Note: NT4 Netbois Domain names can be renamed fairly easily before entering an
upgrade to an Active Directory domain. Renaming a Domain after creating Active
Directory is a signification project and should be avoided.

Task 1.3

DNS Domain Name

o DNS does not allow all numeric character domain name, or first label. (For example:
123456.local is not allowed)
Task 1.4

KB 245809
KB 295710
KB 222823
KB 241980
Domain Controller Name

Active Directory domain names on DCs are restricted in total character length.
Dcpromo.exe maintains a limit of 52 characters for the fully qualified DNS domain name.
(UTF-8 byte characters)

Task 1.5

Exchange 200x Organization Name

o Dash or hyphen
o Space

Note: LegacyDN can be used for a workaround on retaining the Information Store with an
Organization Name that isnt compliant.

The name of the new Exchange Server used to mount that legacy store must be compliant
to current requirements, even if LegacyDN is used to workaround a non-compliant
condition in the Information Store namespace.

Page 40
Copyrigh
Swing It!! T

How t
ht 2004-2009 b
Technician Kit
He
Ex

Im
Ad

Do
rath
stan

For
Win
From
prob
star

The
25%
proj

With
cha
fact
sho

o Perform a
by SBSmigratio
Documentatio
ealth Che
Existing D
xpert Tip
portant H
djustment
not think the
her these are
ndards.
instance, sup
ndows 2003 S
m there, you
bably find you
rted because
e problem that
% of the serve
ject because
hout meeting
nce of hitting
t, you might n
uld take the t

Swing Migra
on.com
on
ecklist: P
DCs Reco
ealth Aud
Recomm
ese are Swin
e standard he
ppose if you w
Server as the
try out a Swin
u dont need a
they are alrea
t we face in d
er project I ge
they didnt ins
these minimu
a problem in
ot even see a
time to review
ation from 20
Part 2 E
ommende
dit and Co
endations
ng Migration
ealthy doma
wanted to do
first new Dom
ng Migration f
any of these t
ady establish
doing a Swing
t support req
spect the hea
um requireme
Phase 2, 3 o
a preventable
w the health o
003 to SBS 2
Existing
ed Configu
onfiguratio
s
prerequisite
in configura
a lab test you
main Controlle
from that mac
things to be in
ed.
g Migration is
uests on ran
alth of the orig
ents, you stan
or 4 that could
e problem unt
f your existing
008
Domain
uration
on
es,
tion
u built a new
er in a new do
chine, and yo
nspected to g
that approxim
into a problem
ginal server!
nd a pretty go
d be prevente
il Phase 5. Yo
g server.

omain.
u would
get
mately
m in the
ood
ed. In
ou


Page 41

Task 1 NICs set to Internal DNS Only Phase 0 - Locally at Each DC

All Network Adapters DNS
entries must point only to
internal domain DNS Servers
An Active Directory server that is hosting DNS must have its TCP/IP
settings configured properly. TCP/IP on an Active Directory DNS
server must be configured to point to itself to allow the server to
register with its own DNS server.

On a DNS Server, remove any DNS entries on all TCP/IP network
interfaces which refer to Internet based DNS Servers. Configure
each interface, both internal and external, to point only to the DNS
Servers own primary LAN IP, or another internal domain DNS
Server as your option.

The DNS Server Forwarders feature is the only location where
Internet DNS Servers should be configured.

Expert Tip
As an example, if your SBS 200x Server uses the internal IP of 192.168.16.2 for the
LAN IP and is the only DC and DNS Server in your domain, the correct and normal
configuration is to list only this IP on all NIC entries to indicate DNS Servers.

Do not use NIC entries like these (each of these are wrong):
o Loopback 127.0.0.1
o ISP DNS Servers
o The NIC IP on your server facing externally
o DNS Servers in remote sites over slow connections
KB 260371 To view the current IP configuration, open a command window and type ipconfig /all to
display the details. You can modify the DNS configuration by following these steps:

1. Right-click My Network Places, and then click Properties.
2. Right-click Local Area Connection, and then click Properties.
3. Click Internet Protocol (TCP/IP), and then click Properties.
4. Click Advanced, and then click the DNS tab. Configure the DNS information as
follows:
a. Configure the DNS server addresses to point to the DNS server (itself).
Typically this should be the computer's own internal LAN IP address.
b. If the resolution of unqualified names setting is set to Append these DNS
suffixes (in order), the Active Directory DNS domain name should be listed
first (at the top of the list).
c. Verify that the DNS Suffix for this connection setting is either empty
(nothing set), or the same as the Active Directory domain name if present.
d. Verify that the Register this connection's addresses in DNS check box is
selected (enabled).
5. At a command prompt, type ipconfig /flushdns to purge the DNS resolver cache,
and then type ipconfig /registerdns to register the DNS resource records.

The table below provides an overview of related information in summary form:
Technical Hint:
Key network settings
on multi-homed DC/
DNS/ Exchange
Servers like an SBS
would typically be
configured in this
way:
Network Interface Connections > Primary NIC Internet Other Subnet
IP Assignment Static LAN IP Web IP As needed
Default Gateway (set on 1 NIC only) <empty> Gateway <empty>
DNS Server (point to self) LAN IP LAN IP LAN IP
Register Connection in DNS enabled disabled enabled
WINS/Netbios/Microsoft Networking enabled disabled disabled
DNS Request Listen On Interface enabled disabled enabled


Page 42

Task 2 NIC Binding Order Phase 0 - Locally at Each DC
Network Interface Bindings
Interface Order
Primary LAN IP connected NIC must be at the top of the connections
bindings order list.
Next Task
Continues
from here
To set the network bindings options:

1. Open the Network Connection properties from Control Panel or right-click on My
Network Places icon in Windows Explorer.

2. Navigate from the top menu bar option:
Advanced
Advanced Settings
Adapter and Bindings

3. Sort all NICs in order at the top of the list in the Connections items, specifically placing
the NIC with the primary LAN IP at the first position at the top.
4. Click Apply, but do not close the panel.

Note: Do not exit the Bindings Panel, your next task resumes with the additional steps performed
in the WINS/Netbios Service bindings options.
Task 3 Network Service Bindings Phase 0 - Locally at Each DC

Network Services Bindings
WINS/Netbios Services
bound only on the primary
LAN Network Adapter
The following services should not be bound to the Internet connected NIC, or
to more than one network adapter on a DC or DNS Server:

o Client to Microsoft Networking
o Microsoft File and Print Service

Bindings for these services to more than one interface on a Domain
Controller can cause internal network services to act in abnormal, even a
bizarre manner. Binding these services to Internet facing interfaces can
become a security threat exposure.
Task steps
continued
from above

Beginning with or continuing from the steps indicated in the previous task item just above for
correcting the Network Binding Order, next do the following additional steps:

1. Select the primary LAN IP NIC in the Connections list.
2. In the lower are indicated as Bindings for [connection name] review each protocol and
service bound to your internal LAN requires indicated as enabled with a checkbox entry.
At a minimum this will normally include: Internet Protocol (TCP/IP) bound to both:
o Client for Microsoft Networks
o File and Printer Sharing for Microsoft Networks
3. As you review each additional Connection item (network interface) other than your
primary LAN connection, you must now disable the bindings for those two same two
services. Only the primary LAN IP NIC should be bound to the Microsoft Networks
related protocols.

4. Close the Advanced Settings panel when you finish the adjustments for this task.

Note: These changes do not disable TCP/IP on your other interfaces, only the layer of
Microsoft Networks protocols. Your Internet traffic will continue to flow normally. If you use a
VPN, the Microsoft Networks can still be supported inside the tunnel as well.
Important
Concern
Reboot Required for Completion: Modifications in Task 2 or 3 may require a reboot to take full
affect with startup services. You may continue forward immediately and reboot at the final task.


Page 43

Task 4 Services Phase 0 - Locally at Each DC

Services required to be
installed and running

Its quite possible for a solo DC in a standalone domain to operate
normally in supporting client request, yet not have the minimum
required services in order to embrace replication operations, or for
adding and maintaining additional DCs in the domain. Dont assume
that if your existing DC is operating normally, that a DCpromo of an
additional DC will complete successfully.
KB 829623
KB 324418

From the Manage Computer console (right-click on My Computer, choose Manage), review
the services listed. To review the installed Services list:

1. Right-click on My Computer, choose Manage.
2. Expand Services and Applications.
3. Expand Services.
4. For any service in the list below which is to be set for Automatic, if it is not currently
started, enable and start it.
Distributed File System
DNS Client
DNS Server
File Replication Service
Kerberos Key Distribution Center
Net Logon
Remote Procedure Call (RPC)
Security Accounts Manager
Server
TCP/IP Netbios Helper Service
Workstation
Windows Time
Automatic
Distributed Link Tracking Client
Remote Procedure Call (RPC)
Locator
Manual
Distributed Link Tracking Server
Intersite Messaging
Disabled
(for SBS, single site domains)
Windows Firewall / Internet
Connection Sharing
Important Concern (see below)

Important
Concern
Note: Windows Firewall / Internet Connection Sharing is an unusual case here.
However, if the Firewall is active on a LAN connected NIC, it may also prevent
normal replication with other Domain Controllers. You can disable the service, or
filter it on the LAN connected NIC to allow replication. You may also see later that
this service reactivates again due to Group Policy enforcement refresh. You
should not disable the firewall if the machine is otherwise unprotected and
still connected directly to the Internet.
Expert Tip
If a service listed above is not installed, consult the Windows Components
options in Add/Remove Programs to add it.
Other than the firewall service, for any service in the list above which is suggested
to be set for Disabled, theres no harm to have that service running. For the
DCpromo steps of adding a Domain Controller, our greatest concern is that the
minimum number of services required are running, not that we halt others.


Page 44

Task 5 DNS Forwarders Phase 0 - Locally to Each DNS Server

Use Forwarders to
resolve Internet based
DNS addresses
In earlier tasks for this Phase 0 you are instruction Do not include Internet
DNS Servers on the network adapter based DNS references list. You may
be confused how Internet DNS can be resolved in that approach, so this is
the answer.

After you configure the network adapters for Primary and Alternate DNS
Server settings to point to itself, you now should either set Internet based
DNS Servers using the Forwarders option or allow Root Hints to resolve
Internet Addresses. Root Hints are the top-level Internet DNS servers list.

This is further explained in the previous task discussion.
KB 260371 1. Start the DNS Management console.
2. Right-click the object named for this server, and then click Properties.
3. Click the Forwarders tab.

Note: Windows 2000 Servers may provide a tickbox selection you must enable to
allow the configuration or addition of Forwarders entries.

4. You will see a set of controls that allow you to Add, Remove or change the order of
priority for DNS Forwarders shown as IP references. In some circumstances the list
will be empty meaning that the DNS Server is relying upon Root Hints (top-level
Internet DNS Servers). It is your choice to have the list empty in order to use Root
Hints, or populate the list with the DNS Services of your ISP hosting your domain or
Internet connection.
5. Type the appropriate IP addresses for the DNS servers that will accept forwarded
requests from this DNS server. The list reads from the top down in order; if there is a
preferred DNS server, place it at the top of the list.
6. Click OK to accept the changes.
7. Restart the DNS Server service.
Important
Concern
Enabling DNS Forwarders for Windows 2000 Servers

With Windows 2000 Servers, the DNS forwarders feature was an option you need to
enable. Therefore, for this situation you may have a tickbox to control if Forwarders are
used or not. To user Forwarders, click to select the Enable Forwarders check box.

NOTE: If the Enable Forwarders check box is unavailable, the DNS server is attempting
to host a root zone (usually identified by a zone named only with a period, or dot ("."). You
must delete this zone to enable the DNS server to forward DNS requests. In a
configuration in which the DNS server does not rely on an ISP DNS server or a corporate
DNS server, you can use a root zone entry.
Expert Tip
Though not a specifically required, you might review the settings now on the tab marked
Interfaces. In most conditions, the DNS Server configuration preferred for best security is
with your DNS Server answering only on internal NIC interfaces. This ensures that
unknown requests from the Internet are not returned information about your internal
domain, or Active Directory. Your DNS Servers ability to request from the ISP Servers
specified in Forwarders is unaffected.

To establish this, set Listen only on the Interfaces listed below with only your internally
connected NIC as an interface your DNS Server responds to for client requests. Remove
any interfaces listed which are not facing a private LAN, or network your DNS server must
support client request to come from. VPN tunnel and Dial-Up connections receive DNS
support by a manner configured specifically to that service, not here.


Page 45

Task 6 Global Catalog Phase 0 - Set once in AD for Each DC

Confirm the source DC is
enabled to act as a
Global Catalog Server.

You must have a Global Catalog Server operating in order to complete the
DCpromo. While it is not strictly required for every DC in a domain to be a
GC, in the nature of small LANs it does make sense. Typically, an SBS
Server is required to have all FSMO Roles in addition to being a Global
Catalog Server (GC). Regardless, in any domain with a relatively low count
of DCs, all should be designated as GCs as well.

To confirm Global Catalog Server status, or enable it:
1. Start the Active Directory Sites and Services snap-in.
To start the snap-in, click Start, point to Programs, point to Administrative
Tools, and then click Active Directory Sites and Services.
2. In the console tree, double-click Sites, and then double-click the sitename where
your server resides.
In most domains that have not been customized, the only sitename will be called
Default-First-Site-Name.
3. Below the Site, double-click Servers, double-click your domain controller, right-click
NTDS Settings, and then click Properties.
4. On the General tab, click to select the Global catalog check box to assign the role of
global catalog to this server if it is not already enabled.
5. Approximately 5 minutes must pass before a normally operating DC will advertise
itself as a Global Catalog server, signaled by Directory Services Log Event 1119. It
may be necessary to complete a reboot prior to Event 1119 appearing.
Important
Concern
Reboot Required for Completion: You may proceed forward immediately, but a reboot is
required for this modification to take affect. You may continue forward immediately and
reboot at the final task.
You should not wait for the Event 1119 to appear because this event itself may not show
up until following a reboot. If you dont identify Event 1119 at some point after enabling the
Global Catalog status on a server, that might indicate a domain health problem, or a server
health problem with the Domain Controller in question, or with another Domain Controller
in the domain. In other words, you problem could be some place else.


Page 46

Task 7 Administrator Group Memberships Phase 0 - Domain-wide (from any DC)

Administrator Default
Group Memberships
The Administrator account on a Small Business Server 2003 domain
should have the following Group Memberships:

o Administrators
o Domain Admins
o Domain Users
o Enterprise Admins
o Group Policy Creator Owners
o Schema Admins
o Mobile Users
o Internet Users Group (if ISA is installed)

A standard Windows 2003 Domain will have similar memberships
established for the groups in that list that also exist.

The reason is that the Group memberships above provide most all
permissions required for the Administrator account to operate normally,
and with full access to all activities.
Important
Concern
Group Memberships You Must Not Include the Administrator account Certain default
groups are actually given explicitly stated denied attributes which might impact the
administrator account negatively.

o Remote Operators
o Remote Users (a custom group established in SBS 2000)
o Power Users
o Guests

For instance, members of the Remote Operators group are prevented from local logon to
the SBS Server. In addition, SBS 2003 setup provide an automatic membership transition
from the SBS 2000 Remote Users group, placing those users as members automatically in
the Remote Operators during the upgrade sequence.
KB 842469
KB 841188
To verify or alter the group memberships of the Administrator account, do the following:

1. Start the Active Directory Users and Computers tool.
2. Right-click the Administrator account, and then click Properties.
3. Click the Member Of tab.

o Administrators
o Domain Admins
o Domain Users
o Enterprise Admins
o Group Policy Creator Owners
o Schema Admins
o Mobile Users (This SBS specific group is okay to keep)
o Internet Users Group (if ISA is installed)

4. Remove any other groups that are displayed on the Members Of tab that the
Administrator account is not a default member of. To remove a group membership,
click the name of the group, click Remove, and then click Yes when you are prompted
to confirm the removal.
5. Verify that the Primary Group is set to be Domain Users or make that adjustment.
6. Click OK, and then click Exit on the File menu.

Expert Tip
Groups Memberships You might establish custom Groups for your own purposes, and
join the Administrator to them, but you should avoid joining the Administrator to other built-in
Groups unless you have a specific instruction to the affect.


Page 47

Task 8 Administrator Rights: Privileges Phase 0 - Domain-wide (from any DC)

Verify Administrator Rights
needed to add a new DC
The permissions indicated below are require for successfully
adding a new Domain Controller to Active Directory, but are
not always present in pre-existing Domains upgraded from
earlier versions of Windows.

1. Open the Active Directory Users and Computers snap-in.
2. Expand the Domain object (named for your domain) revealing the containers (OUs)
below it.
3. Locate the Domain Controllers Organizational Unit. Right-Click, then choose
Properties.
4. Select the Group Policy tab on the panel that opens.
5. The contents shown on the tab panel can have two variations in appearance. (It
varies depending upon the Windows version of this DC, and if the Group Policy
Management snap-in feature has been installed.)
If only a single button marked Open shows in the center of the tab panel
now, click that button to open the Group Policy Management console
window. The steps continue below in this new panel.
6. For either variation (either in the new console window if you opened it, or the original
tab panel), you should now have a list of Group Policies to view. Identify the Default
Domain Controllers Policy, right-click on it, then choose Edit.
7. Expand out the tree indicated here, and confirm the policy items that follow just
below:

Computer Configuration
Windows Settings
Security Settings
Local Policies
User Rights Assignment
KB 285836
KB 257346
KB 249261

Access this computer from
network
Administrators
Authenticated Users
Enterprise Domain Controllers
Everyone
System
KB 257338

Bypass Traverse Checking

Administrators
Authenticated Users
Everyone
Pre-Windows 2000 Compatible Accounts
KB 232070 Enable Computer and User
Accounts to be trusted for
Delegation
Administrators

8. Refresh the machine policy now at all connected DCs. At a command prompt, type
command indicated below for the version Windows running on the server you
execute this command. (The command syntax is exactly the words as shown.)

For Windows 2000 servers:

secedit /refreshpolicy machine_policy /enforce

For Windows 2003 servers:

gpupdate /target:computer /force
Important
Concern
Reboot Required for Completion: Modifications in the task require a reboot to take full
affect. You may continue forward immediately and reboot at the final task.


Page 48

Task 9 SMB Signing Compatibility Phase 0 - Domain-wide to all computers

SMB Signing Conflicts
Application Log Contains
Events 1030 and 1058

SMB Signing has a history of causing problematic conditions. It is the
culprit of odd communication failures in which certain network
functions behave normally, while others fail for no apparent reason
on specific machines, or for specific tasks. The requirement for a
successful DCpromo is consistent settings for SMB Signing. It
doesnt matter to me what setting you use as long as you dont have
1030 and 1058 errors before you get started. You might have them
later in the project, and we can deal with that then.

Microsoft recommends the enabling SMB Signing as a best practice
for high security configuration. However, SMB Signing frequently
leads to degraded performance, or incompatibility in domains running
legacy OS versions, and even in pure AD compliant domains.

1. Open the Manage Computer console and inspect the Application Event Log.
2. Scan through the Application logs since the last reboot to identify if the Domain
Controller is showing an indication of Events 1030 and 1058.
3. You can force a refresh of Group Policy to identify if this error is generated on
demand. To refresh the machine policy now at all connected DCs, at a command
prompt, type command indicated below for the version Windows running on the
server you execute this command.

For Windows 2000 servers or workstations:

secedit /refreshpolicy machine_policy /enforce

For Windows 2003 servers or XP workstations:

gpupdate /target:computer /force

Following that command, in a healthy condition you should observe an
Information Event from source SceCli 1704 that states:

Security policy in the Group policy objects has been applied successfully.

4. Ensure that you can open the two critical policies related to this issue. From the
Administrator Tools section of the Start Menu, choose to open the Default Domain
Policy and now repeat the step for the Default Domain Controller Policy. If you
receive an error condition indicating that the policies folder may not exist, or that you
do not have access or permission to open it, you need to troubleshoot this condition.
5. To troubleshoot this problem, refer to the following Microsoft KB article:

You cannot open file shares or Group Policy snap-ins when you disable SMB
signing for the Workstation or Server service on a domain controller
http://support.microsoft.com/kb/839499/

Important
Concern
The policy adjustment above affects all computers in the domain, not just DCs. Therefore,
the policy refresh indicated must be applied to all workstations in order to take affect prior
to a reboot. Rebooting all stations immediately is probably preferred.


Page 49

Task 10 Single-Label Domain Name Phase 0 - Local to all computers

Single-Label
Domain Names

(DCpromo establishes
new DCs that are
non-functional)

If your domain uses something like domain.com or domain.local, you
dont require this special configuration prior to running DCpromo to
add a new DC to the domain.

An example of a Single-Label domain is a domain name without a suffix,
something like company instead of company.com, or company.local.
However, if the DNS hostname of your computer is single label, the critical
replication cycles following DCpromo will never occur without this additional
configuration.
o DNS might not be used to locate domain controllers in domains with
single-label DNS names.
o Dynamic updates are not performed to single-label DNS zones by
Windows XP/2K domain members.
Expert Tip

The preferred resolution for an existing single-label domain is to modify all domain controllers
and domain members with a REGKEY update to resolve DNS and FRS replication correctly.
This is described below. Each other alternative has strong negative considerations regarding
deployment complexity which is not discussed here in this context. You may want to review to
the earlier section of this document concerning Namespace compliance.
Critical
Concern

Modify all DCs and domain member stations The information below will guide you in how
to solve the immediate problem of DNS resolution by all domain members, as well as the flaw
that prevents new DCs from performing an essential task for replicating with the FRS service.
You must restart each computer after making these changes.

Note: These configuration changes must be applied to all domain controllers and
domain members of an Active Directory domain with single-label DNS names. If a
domain with a single-level domain name is a forest root, these configuration
changes should be applied to all of the domain controllers in the forest. Stations
without this modification performed locally may not be properly located by the
DNS Server in support of remote access or services they offer.

To enable such clients to attempt dynamic updates of a single-label DNS zones, make the
changes indicated below.

Add or set the UpdateTopLevelDomainZones (REG_DWORD) registry value to 0x1 under
the appropriate registry key on each clients station as indicated below:

KB 300684

Windows XP and
Windows 2000 SP4-based:
Windows Server 2003:

HKEY_LOCAL_MACHINE\
SYSTEM\
CurrentControlSet\
Services\
DnsCache\
Parameters

HKEY_LOCAL_MACHINE\
SOFTWARE\
Policies\
Microsoft\
Windows NT\
DNSClient

KB 300684
More information about configuring Windows for domains with single-label DNS names
http://support.microsoft.com/default.aspx?scid=kb;en-us;300684


Page 50

Task 11 Refresh Configuration Changes Phase 0 Each DC

Refreshing Configuration
Changes may require a
restart of the server, or
other machines

In the previous tasks, you may have modified many aspect of the
existing Domain Controller, possibly even Domain Policies that affect
workstations and servers throughout the domain. This raises three
concerns:

1. SBS Servers You should rerun the Internet Connection Wizard
as a final step so that you gain the full benefit of propagating all the
server settings accordingly.

2. Refresh or Reboot all DCs Each of the policy, rights, or network
configuration changes you have made could affect all DCs. In fact,
you should apply the same changes in this task list indicated as
server specific to all DCs if you have more than one.

3. Member Workstations and Server The policy settings for SMB
Signing affect all W2K/XP/w2003 machines, therefore all should be
restarted or have a policy refresh applied if you perform that
modification.

Important
Concern

Reboot Required for Completion: In each case, a reboot is preferred to a policy refresh, if
possible.

Important Concern

Reboot is Required to Validate All Previous
Changes and inspect for Complications

If you made changes in the tasks above, you should consider that
not all results of those changes will be observed until after a
complete reboot of the server. You should have two concerns:

1. To ensure that you have the benefit of what the
changes are intended to resolve, you should reboot
2. In some circumstances, the changes you made may
have either unintended consequences or may now
reveal new symptoms of interest.


Page 51

Health Checklist: Part 3 File Replication Service
Existing DC Replication Review

Normal Start-up Events with Healthy FRS Healthy Condition

NTFRS Event Log
Normal Information Events
Immediately following the first reboot of a new DC, the
NTFRS Log may indicate warnings about having trouble
contacting the source DC (any other DC). This isnt
necessarily a problem.

The main concern is that these should not continue without
yielding to a successful replication event indicated.
Event Type: Information
Event Source: NtFrs
Event Category: None
Event ID: 13501
Computer: SBSSERVER

Description:

The File Replication Service is starting.

Event Type: Information
Event Source: NtFrs
Event ID: 13516
Computer: SBSSERVER

Description:

The File Replication Service is no longer preventing the computer
SBSSERVER from becoming a domain controller. The system volume has
been successfully initialized and the Netlogon service has been notified that
the system volume is now ready to be shared as SYSVOL.

Expert Tip

FRS Repair on the OriginalDC

On the following page you will see the two most common error conditions you are
likely to encounter in the File Replication Service operations. The resolutions to
either is quite simple, but sometimes it can be confusing if this is a new concept for
you.

If you do not see additional event log entries added when you restart the FRS
service, the FRS Event Log itself may be corrupted. Simply export and save a copy
of the log (as reference), the flush to create a new log. This usually allows new
entries to be added again.

If you see the Event 13568 as indication of Journal Wrap, the text of that event
provides a resolution step which is quite simple. However, you may find that after
that repair you get a different set of events, but not the Event 13516 we are looking
for. Please consider contacting support with SBSmigration.com for assistance in
resolving these issues.


Page 52

Flawed Symptom 1 No FRS Start-up Events Flawed Condition

NTFRS Event Log
No Events added following system
restart or NTFRS restart

Immediately following the reboot of a DC or restart of the FRS,
the FRS Log should be updated with either Information or
Warning event. Normally you will see the Event 13501, just as
indicated above.

If no new log entries are added, this must be investigated
immediately to repair the FRS service, or the Event Log itself.

Important
Repair Step

The absence of any new events at all on restart, this suggests that the FRS Event Log
itself is damaged. In such case, you should export whatever log entries exist, if any,
then delete the log in order for a new one to be established.

In most circumstance, to resolve a log corruption problem, you can choose Clear all
Events to reset the log from the Computer Management console.

After creating a new log, its quite likely that you will begin to see errors reported. At
that point, you would want to troubleshoot whatever errors or warnings are provided.

Flawed Symptom 2 Journal Wrap Flawed Condition

NTFRS Event Log
No Events added following system
restart or NTFRS restart

Among the most common reason for FRS not functioning
correctly is Journal Wrap Error. Under certain
circumstances, even if you resolve the Journal Wrap
using the outlined steps in the Event Log Error, you still
have more work to do. Therefore, identifying the steps to
first repair Journal Wrap, as well as then getting FRS to i
begin operating again is sometimes a two step
resolution. You identify the problem most often with the
error message shown below.

Event Type: Error
Event Source: NtFrs
Event ID: 13568
Computer: SERVER

Description:
The File Replication Service has detected that the replica set
"DOMAIN SYSTEM VOLUME (SYSVOL SHARE)" is in
JRNL_WRAP_ERROR.


Page 53

Migration Notes

I know a lot of you are like me, you hate making lists of things you need to have later. Im sorry, but you
really cant escape this part because when the data entry blanks appear on the screen to be filled in, if
you dont have the information matching the original SBS servers configuration, you might get a break in
your process. This is reasonably important stuff here, okay?

We need a list of information we need along the way during the migration. Turns out, when you make a
list of the items, it looks pretty long!

Regardless, we may need to confirm how we want to handle any changes to them we make by
preference, so a list of original settings is useful. If you plan to build the new SBS side-by-side with the old
one, some of this you only need to glance at on the other machine as you go.

What do we not need to prepare because its done automatically?

As full as our list is, you may notice some things are curiously not included. Heres a list of information
that we didnt make a note to record because our upgrade process is designed to transparently migrate
and preserve these things:

o Username and passwords
o User account permissions and settings
o User Security groups
o Email Distribution groups
o Computer names
o Group Policies
o Domain SAM or SIDs references
o Workstation profiles or assignments
o Logon Scripts

What Exchange data references might we need to prepare?

Depending upon the method you plan for migrating your Exchange contents, you may need to record a
little or a lot of your Email and mailbox related items. Ive not produced a table to illustrate what you might
need for this, theres just too much to illustrate within a blank table in this book. Therefore, the following
bullets are summary, you should have at least this much information prepared:

Exchange Forklift Method
o Public Folder Email Addresses and Permissions
o User Mailbox alternate Email Addresses
Exchange Exmerge Method
o Potentially everything but the mailbox contents might be lost.


Page 54

Table of References: Phase 2 Migration of AD

When you are building both the first and second new Domain Controller, you will want to refer to
configuration information about the production server. The following two tables show the type of
information you will want to have on hand. The tables are defined based upon when we will need to have
the information on hand. In addition, if you have a Swing It!! Technician Kit, you have many tools that
can help automate capturing some of this information.

Baseline OS Installation Phase

SBS Server Name
Netbios Domain Name
DNShostname Domain Name
Domain Administrator account name and password
Product Registered Owner and Company Name
Network Adapter Settings (per adapter interface)
LAN IP, Mask and Gateway
WAN IP, Mask and Gateway
DHCP or static configuration
DNS and WINS Server references
Internal vs. Internet Designations for the Interface
DNS Details
Critical Static Entries
Forwarder Settings
Forward Lookup Zones
Summary of DC related records
Static Routing and VPN Gateway Details
Destination: Route, Gateway
Destination: Route, Gateway
Drive Volume Details
Drive Letter assigned per volume
Drive Letter for CD/DVD devices
Root Folder permission requirements (per partition on server)
Total allocated and Free disk space per volume (per partition on server)


Page 55

Table of References: Phase 3 4 SBS 2008 Setup and Completion

Migration/SBS Integrated Suite Setup Phase
SBS Organization Profile Contacts Default Entries
Contact Names
Contact Address
Phones and Fax
Exchange Information
Organization
Site
Storage Group Name
Information Store names
Email Domains Hosted by Exchange
POP3 Connector Mailbox Configuration Details
Alternate email proxy addresses per user/account (per user/account)
Server Public Host Name (and Masquerade alias if any)
Any Unique RRAS Device Identifications and
Configuration details (modems and VPN ports)
Shared Folders Resources (per share)
Sharename
Share Description
Share Permissions Template
Resource Folder Name


Page 56

Table of References: Phase 4 Post-Setup Configuration Finalization Phase

After the migration has reached the point of completing the SBS Setup steps, you still have more
information to configure before the new SBS looks like the old SBS. If you do a technical migration of
things like WINS and DHCP, you dont really need to have a list of critical items from that.

What remains to be addressed may depend upon the details you automated or didnt in the process
above.

Post-Setup Configuration Finalization Phase
Group Policy Revisions due to Namespace changes
(if any)
DHCP Details
Scopes
Exclusions
Reservations
Scope Option Preferences
Shared Printers Resources (per printer)
Sharename
Printer Description
Printer Location
Share Permissions Template
Security
Port Name
Customized Website Content
Logon Script Revision Management
Essential commands to keep or revise on new server


Page 57

Table of References: Migration Tasks List Internet Configuration Wizard Details

Some of this information isnt requested in the wizard, but its helpful to have the information together in
one place, not just for the upgrade but for the long-term as a reference.

Internet Services Related Configuration
ISP Connection Public Addresses

Public IP (or range)

Subnet Mask

Public Gateway

Primary DNS (used as DNS Forwarder)

Secondary DNS (also used as DNS Forwarder)

ISP reference Username

ISP reference Password

NAT Interface (if router/firewall provides NAT to SBS)

Interface IP

Subnet Mask

Gateway

Router Admin Username

Router Admin Password

ISP Hosted Information

Hosted DNS Reference MX records

Backup Mailserver IP you allow to relay to your Exchange

Hosted DNS Reference WWW records

Your Hosted Website IP


Page 58

Phase 1: Domain Controller and AD Preparation

Figure 2-6 Phase 1 Prepare Notes and Project Plan

Phase 1 will take you through the minimal preparation of the production domain, outline the notes you
need to prepare from your current domain for reference in the later phases, and we look at a hand-full of
conditions that Microsoft built into SBS Setup as blocked conditions we dont want to see.

We start with just a few minimal steps to prepare our existing server. The minimum steps required here
are shown in the Task Outline and Checklist table following on the next page.

As a practical matter, a Swing Migration project is frequently performed with your existing production
server running and accessible to review for comparison or special settings. That means you can refer to
it, and you can even pull your data over at the end of the project with it having been running continuously
the whole time.

Therefore, in the typical project, until Phase 5 the original server is really minimally altered, and it can stay
online. This raises the point that if the server is actually being shutdown and then redeployed during this
upgrade, we cant do that, we wont have the original server to look at. You need full backup and notes.

Page 59
Copyrigh
Swing It!! T

How t
ht 2004-2009 b
Technician Kit
Ex

Im

This
prod

Con

In P
Orig
form

Step
of th

Kee
hav

o Perform a
by SBSmigratio
Documentatio
xpert Tip
portant: S
s migration ou
duction serve
nstruction thro
Phase 3 you m
ginalDC confi
m of surrogate
ps in Phase 5
he Exchange
ep in mind, if y
ve to roll-back

Swing Migra
on.com
on
Same Har
utline is desig
er to remain in
ough Phase 2
must have the
guration mus
e hardware in
5 determine th
, all data files
you are unab
k to recover yo
ation from 20
dware Re
gned for a seq
n production.
2 is the same
e final hardwa
st go offline at
n order to free
he required st
s, and the prin
le to complete
our original co
003 to SBS 2
edeployme
quence to allo
regardless.
are available
t that point, or
e-up your fina
teps for data
nter configura
e the migratio
onfiguration, s
008
ent
ow the
e, meaning th
r you must us
l hardware
restore includ
tion details.
on path, you m
so plan accor
at your
se some
ding all
might
rdingly.


Page 60

Prepare the Production DC Domain and Server Configuration

Phase 1 Task Outline & Checklist Prepare Existing DC /Domain

Tasks Rebinding Mailbox & Information Store to AD
1
Disaster Recovery: System State Backup
This is disaster recovery precaution, not a migration task
2
Scenario Alert: Same Hardware Swing Projects
Unique concerns for redeploying onto original hardware
3
Scenario Alert: Multi-DC or Exchange members
Unique concerns with Multi-DC or Exchange member servers
4
Service Pack Requirements for Windows & Exchange
Review minimum SP levels (see website for current details)
5
Generate a Default SBSanswerfile.xml
Creates Migration Mode ready and suggested defaults
6
Generate Public Folder Analysis Report
You are provided a report for use in a later task
7
SharePoint Database Analysis & Preparation
Run the Prescan Tool to analyze health of databases


Look for Updates on SBSmigration.com

If you are using this document for a project scenario other than
starting with Windows or SBS 2003 on your production server,
please refer to the supplemental documentation at
SBSmigration.com for scenario specific references on Service
Packs, as well as more current recommendations for recently
released Service Packs.

Page 61

Task 1 Disaster Recovery Preparation Phase 1 Prep - Existing Domain

Disaster Recovery
Preparation:

System State Backup
Recommended

As unlikely as it might seem, I do occasionally hear from
people who either dont do nightly System State and
server backups, or it doesnt occur to them how
essential it is to prepare one right now.

There really is very little risk in the Swing Migration
procedure itself, but any time you begin modifying the
Service Packs, adding Domain Controllers, modifying
Exchange Configurations, or proceeding with a major
upgrade, this should just be common sense.

Tasks

Disaster Recovery: System State Backup

As you begin the procedures to do a Swing Migration, a System State backup at
this point ensures that you can truly have a no harm experience going forward.

Our procedure outline is actually quite safe when you perform the task sequence
as indicated, so this is really protection against making a mistake. There is no
technical require being addressed, this is a Disaster Recovery preparation.

How to Perform a System State Backup or Restore

Hopefully you already have a routine nightly procedure in place to address System
State protection. However, if you are not doing that now, or if you want to use a
basic level of protection on which either SBSmigration.com or Microsoft Customer
Support Services can assist you with in an emergency, using NT Backup is a great
answer.

For a simple reference guide on performing a System State Backup or Restore,
please refer to the Supplemental References section in the Library at
SBSmigration.com.
Expert Tip
Disaster Recovery During Swing Migration This may be a good point to
mention where else in the process of doing a Swing Migration you will find a
recommendation to do a System State backup.

Highly Recommended Backup Milestones:

OriginalDC To begin Phase 1: A System State backup will protect your
production environment from an accidental error.

TempDC to complete Phase 2: If your SBS 2008 setup in Phase 3
encounters a block or failure, you will need to roll-back to the end of
Phase 2.

TempDC & FinalDC to Complete Phase 4: A full server image backup
with SBS Backup is useful to protect the 4-6 hrs of work you just
completed. The TempDC also needs to be backed up in case you have
problems with the Exchange Migration.

Page 62
Copyrigh
Swing It!! T

Task

Req

Im
C
E

How t
ht 2004-2009 b
Technician Kit
k 2 Same
SPEC
Redeployin
Original S
quires Diffe
mportant
Concern

xpert Tip
o Perform a
by SBSmigratio
Documentatio
Hardware P
CIAL CASE:

ng Back to
erver Hardw
rent Step S
Before a Pr

Using the exi
project option
server to refe

One of the ta
multiple appro
for just one o

You likely can
Outlook clien
but you need
part of your s
anything.

I strongly u
that you ma

Consider pre
partitions) be
for redeploym
the server to
confirm that I
image. Once
migration and

Swing Migra
on.com
on
Project Path

Your
ware
Sequence

roject Redep
sting productio
n, but the steps
er to and to put
sks in Phase 5
oaches to hand
r all methods.
n make any ch
ts or Forklift to
to address tha
strategic plan, y
urge you to p
ay have to de
paring a fully te
fore you proce
ment on that sa
another single
can operate th
e that test is co
d go back in se
ation from 20
h Phase
The plan of re
production ser
construction p
Migration time
construction, it
Phase 5. Norm
even the last s
over already!

Therefore, red
hardware from
prepare in ad
neededbefo

You need to re
preparations o
migration task
now, not wait f
perform the m
you are only p

ploying your
on hardware to
s shown in this
back online.
5 is the Exchan
dle this, you ne
oice of method
the TempDC a
at before you s
you should revi
prepare for d
elay complet
ested drive ima
eed with a proje
me hardware.
drive, take the
he existing con
ompleted, I put
ervice with the c
003 to SBS 2
1 Prep - Ap
using the origin
rver offline perm
rocess to begin
eline, your origi
ts operating an
mally, you can
step. In this pro
deploying your
m your original s
dvance everyth
ore you begin.
eview Phase 5
on Exchange, n
ks while the orig
for that as the f
igration steps i
preparing your n
original hard
construct your
guide implies t
nge Information
eed to decide n
d, meaning you
as documented
hutdown the pr
iew all of Phase
isaster recov
tion of the p
age clone of yo
ect that requires
My practice fo
e original produ
nfiguration from
that drive on a
current configu
008
pplies to Ori
nal hardware im
manently amid
n Phase 3. Nor
nal server rem
nd available to
put it right back
oject scenario,
new final serve
server requires
hing which is go
for the data ba
network service
ginal server is s
final Phase 5 ta
involved as ind
notes and back
dware
r new final serv
that you still ha
n Store migratio
now if you want
u could use PST
d, in modifying
roduction SBS
e 5 first before
very, and the
roject or sta
our existing serv
s formatting the
r such projects
uction drives of
m my disaster r
shelf in case I
uration.
iginal DC
mplies taking th
the midpoint
rmally in a Swi
ains online dur
look at even in
k in service on
its been forma
er on the same
s that you mus
oing to be
ackup and note
es and data
still operationa
ask. You will st
dicated in Phas
kup at this time
ver is a support
ave the original
on. Since there
t to be prepare
T export with
the Forklift mo
server. If this i
you begin
e possibility
rt over.
ver (including a
e existing serv
s is to drive ima
ffline and then
recovery drive
need to abort

he
ng
ring
n
atted
e
t
es
l
till
se 5,
e.
ted
l
e are
d
ove,
is
all
er
age
the

Page 63

Task 3 Handling Multi-DCs or Exchange Phase 1 Prep - Existing Domain

SPECIAL CASE:

Handling Additional
Domain Controllers or
Exchange Servers

The project path of a Swing Migration can address a
domain with only one Domain Controller (DC), or with
many DCs present. However, you should be aware of
special requirements for a project with Multiple DCs.

Tasks

Do you have any DCs to Remain in Production after the Swing Migration?

The default assumption in this documentation is that you are either operating with
only one Domain Controller, or if you have several DCs you have planned to
replace all of them during the offline construction via Swing Migration.

The concern here is that you have special steps that apply if you have additional
DCs, what are called replica DCs, that exist in your production domain now and
that you will continue to use after the new FinalDC is introduced.

You have two alternative:

1. You may demote your replica DCs immediately now, and then promote them
again to a DC after Phase 5 when you have introduced the new FinalDC.
2. You may leave all DCs intact for now provided they are not also Exchange
Servers. Instead you may demote them from the production domain at the last
task in Phase 4. With that done, you introduce the new FinalDC and then
promote these machines back to being DCs again at that time.

Any server you have currently configured as an Exchange Server and a Domain
Controller as well must be demoted at this point. The project path forward cannot
be completed otherwise.

Important
Concern
Exchange Servers as member servers remaining after the Swing Migration

A member servers running Exchange Server 2003 may remain operating in the
domain throughout the construction and beyond completing the Swing Migration
only if you update it to Service Pack 2 before you start Phase 2. You must address
Step D differently than the default documentation suggests because you do not
remove that server.

Any project where a member server running Exchange Server will remain in the
production domain requires you not to purge that Exchange Server from Active
Directory during Step D. You must instead remove only any Exchange Servers
listed in the Exchange Organization which are being replaced during the offline
construction. This is addressed in more detail in Step D.


Page 64


SPECIAL MULTI-SERVER SCENARIOS

Exchange Servers Remaining in the Organization

Only if you have a multi-server production configuration at the end of this project will
this possibly apply to you.

If you did not update those servers to Exchange 2003 SP2, you will be blocked by
SBS setup in Phase 3. SBS Setup detects the Service Pack version for the servers
listed in AD, even if they are offline.

Exchange Servers as member servers require Service Pack Updates

A member servers running Exchange Server 2003 may remain operating in the
domain throughout the construction and beyond completing the Swing Migration
only if you update it to Service Pack 2 before you start Phase 2.

If you did not address that before replication and disconnect of the TempDC you
may have to start over with this Phase 2 again after updating the member servers
Exchange 2003 service pack.


Page 65

Task 4 Current Service Packs Phase 1 Prep - Applied to Existing DC

(Optional)
Install Current
Service Packs on
Original DC

Not Required Here With
Swing Migration Projects

The reality is that your production server probably should be
at current Service Pack level under any operation condition
simply because of the need to maintain current security
patches.

However, the minimum requirement for service packs to
proceed with Swing Migration is that your TempDC will need
to meet the critical requirements for Service Pack level, but
not the OriginalDC. The only Service packs that will be critical
can be installed when you reach Phase 5.

Tasks
The same service pack requirements apply for SBS or non-SBS platforms based upon
any Windows 2000 or Exchange 2000 product platform. For a project migration from
SBS 2000 to SBS 2003, at a minimum your production DC server requires:
Windows Server 2003
(same with SBS 2003)

Service Pack 2
(Recommended in general practice, but not strictly
required in Swing Migration procedures)
Exchange Server 2003
Service Pack 2 on Member Servers remaining

No Update on Exchange Servers being replaced
Important
Concern
Exchange Servers as member servers require Service Pack Updates

A member servers running Exchange Server 2003 may remain operating in the domain
throughout the construction and beyond completing the Swing Migration only if you
update it to Service Pack 2 before you start Phase 2. You must address Step D
differently than the default documentation suggests because you do not remove that
server.

Any project where a member server running Exchange Server will remain in the
production domain requires you not to purge that Exchange Server from Active
Directory during Step D. You must instead remove only any Exchange Servers listed in
the Exchange Organization which are being replaced during the offline construction.
This is addressed in more detail in Step D.


Page 66

Task 5 SBS 2008 AnswerFile Phase 1 Prep - Existing Domain

Generate a Default
SBSanswerfile.xml

Microsoft designed the SBS 2008 path with Migration
Mode to use an answer file, a reference during the
boot of the machine to configure it with your
preferences. This answer file also controls how the
installation runs, either in Migration Mode or in the
standard new domain setup method when no answer
files is detected.

One of the tools included in this Kit is capable of
creating an Answer File pre-populated with most of the
settings you need by detecting them in your existing
SBS installation.

Tasks

Why use the SwingITAnswerFile Tool?

This is offered as a simple convenience for consultants, who as I well know,
always are delighted to avoid the need to retype information the original server
already has stored! Using this tool, you generate an AnswerFile preconfigured with
the minimum details required to ensure you can run in Migration Mode and have
pre-established entries for the Company Contact and similar details.

The creation of this default SBSAnswerFile.XML using this tool is not strictly
required. If you prefer, you can create your SBSAnswerFile later entirely from
scratch using the SBSafg.exe tool provided by if you wish.

Swing It!! Tool
SwingITAnswerFile Tool

This tool performs a simple task, it detects information you likely will need to use
and pre-populates a correctly formatted SBSAnswerFile.XML that you can use
later.

A key point about this default Answer File is that it doesnt matter if you want to
change anything or everything in it. What is critical is that the Answer File will start
your server installation in Migration Mode and cause the server to prompt you with
all the information that was set as default. Therefore, instead of starting the
creation with a blank Answer File, you have likely entries already stored. You can
change them on the fly.

This tool is included in your Kit resources.


Page 67

Task 6 Public Folder Analysis Phase 1 Prep - Existing Domain

Public Folder Analysis

One of the tools included in this Kit is capable of
analyzing your existing Exchange 2000 or 2003
installation of Public Folders. The purpose of this is to
provide a reference list of stale items to remove during
cleanup performed later in the project tasks (Phase 2,
Step D).

Some Exchange organization dont actually use Public
Folders which is not a problem at all, it means the
cleanup can be defined as remove any remaining
objects. However, for organizations that do use Public
Folders, this report adds the value of preserving real
Public Folder references while doing housekeeping to
remove stale information.

Unfortunately, its possible that your server may have a
condition in which you may not realize you cant properly
view your Public Folder details, and the same condition
may affect the tool being provided. In that case, it may
be necessary to make a relatively trivial repair in order
for the tool to work properly in performing the analysis.

Tasks

Why use the ExchPfReport Tool?

Using this tool, you will generate a simple text file used to guide you in what objects
you need to remove during cleanup later in Phase 2. Therefore, you will generate
this report, but not use it until later. Without this report, it is somewhat difficult to
know what items to remove in the later task.

If you have no Exchange Server currently, you may omit this task.
Swing It!! Tool
ExchPfReport Tool

This tool performs a simple task, it detects information you likely will need to
perform cleanup tasks later in the project.


Task 6.1 Phase 1 Prep - Existing Domain

How to use the ExchPfReport Tool?

Place the tool in a convenient folder on the OriginalDC if this server is running
Exchange. Execute the tool by a dbl-click. It will generate a report text file. Save the
file for later use.

Important Concern
Issue: 80090308 "The token supplied to the function is not valid"

You may experience this error when running the tool, or when
attempting to view Public Folders from Exchange System Manager

This error can appear as a pop-up message if you use Exchange System Manager
to expand the Folders container located on the first level below your Organization
when viewed in Exchange System Manager.

To correct this condition, follow the resolution step below, then rerun the tool as
described above.



Page 68

Task 6 Public Folder Analysis (cont) Phase 1 Prep - Existing Domain
Task 6.2 Troubleshooting

Disable SSL on the Exadmin Website
1. Go into IIS Manager, then select:
Default Website
Exadmin properties
Select: Directory > Security tab > SSL Encryption > Edit

2. Ensure that option Require SSL Encryption is unchecked (not selected).
3. Ensure that option Accept Client Certificates is checked (selected).
4. Close the IIS console.
5. Open a CMD prompt windows. (Start > Run: CMD) Type:
IISRESET (then press enter)
6. This will restart the IIS World Wide Web Publishing Service enacting the
changes performed above.

Task 6.3 Troubleshooting

Clear the attribute SSL attribute in Active Directory for Exadmin

Note: This task may not be required in some cases, you may find theres nothing to
do because there is no attribute value established. You should inspect this
regardless to confirm no value is set.
1. Launch ADSI Edit by running adsiedit.msc.
2. In the left side pane expand the Configuration container.
CN=Configuration
CN=Services
CN=Microsoft Exchange
CN=<your organization name here>
CN=Administrative Groups
CN=First Administrative Group <your name may vary here>
CN=Servers
CN=Protocols
CN=HTTP
CN=1
CN=Exadmin

3. Right Click on CN=Exadmin and choose Properties.
4. In the Properties dialog box scroll down to the attribute
"msExchSecureBindings" and double click on it to perform an edit.

5. If this attribute is set to 443, :443: or has any other value, click the
443 value (or whatever is listed) to select it and click the "Remove" button.
Then click "Apply" and then "OK". The value will show <not set> at that
point.

6. Close out of ADSI Edit, close and reopen Exchange System Manager and
test Public Folder access again. If successful, run the tool again.


Page 69

Task 6 SharePoint Analysis Phase 1 Prep - Existing Domain

SharePoint Database
Analysis & Preparation

To migrate a SharePoint database (such as CompanyWeb) to the
new FinalDC you must ensure that the existing database is in
good condition. This is accomplished by running the Prescan tool
included in the Microsoft media.

To run the Prescan tool you must take the SharePoint database
offline (not accessible to your users in the production operations).

Why use the Prescan Tool?

Using this tool, you will ensure that your SharePoint database migration moves a
smoothly as possible in Phase 5. A common and frustrating experience is to be in the
final stages of the migration only to discover a time consuming repair of SharePoint is
required for the transition to complete.

Unlike Exchange databases which rarely are a problem to move to a new server,
SharePoint is more likely to have problems discovered which prevent you from moving
from a SharePoint 2.0 to SharePoint 3.0 platform without repair or attention.
Tools / Media
Required
Download the Microsoft Windows SharePoint 3.0 Prescan Utility
http://www.microsoft.com/downloads/details.aspx?FamilyID=e8a00b1f-6f45-42cd-8e56-
e62c20feb2f1&displaylang=en

To locate this URL directly with a simple search, go to:

www.Microsoft.com/downloads

In the search blank adjacent All Downloads, enter: SharePoint prescan.exe download
Tasks

SBS 2008
Migration Docs
How to Run the Prescan Tool

Note: SharePoint 2.0 Service Pack 3 is required

1. Notify users that the CompanyWeb site is going to be migrated to Windows
SBS 2008 and that the Source Server will be offline during this process.
2. Save the prescan.exe utility to folder on the Source Server.
3. Click Start, click Run, type cmd in the text box, and then click ENTER.
4. In the Command Prompt window, switch to the folder where you saved prescan.exe,
at the command prompt type and then press ENTER:

prescan.exe /V http://companyweb

5. Note any messages about errors, and review the log files that are created by
prescan.exe. If there are errors, make the necessary corrections, and then run
prescan.exe again.
6. If Full Text Search was enabled on an upgraded to SQL Sharepoint Companyweb,
check if that is still working. If it doesnt seem to be working anymore, disable the Full
Text Search with the SharePoint Central Administration, Component Configuration
and then enable it again.
Expert Tip
Delaying this Task or Skip it Entirely?

If you have no SharePoint Server sites in use currently, you may omit this task.

This task can be performed at any time prior to the data migration in Phase 5. Therefore,
you can do the task now or delay to a more convenient time to address this.

If you will be migrating SharePoint to your new server, please consider reviewing in
advance the complete step details contained in Doc3 of the Swing It!! Kit reference. The
transfer of SharePoint databases is actually as technically involved than the transfer of
the Exchange Information Store.

Page 70

Expert Tip

Schema Update is not required on this OriginalDC.

TempDC running SBS 2003 Media

Our project calls for building a TempDC running Windows 2003, therefore you do
not need to do a Schema update.

In fact, this is true if you use any version of SBS 2003 or SBS 2003 R2
media as your TempDC.

TempDC build with non-SBS 2003 Media?

The only time a schema update would be required is if you chose to use
non-SBS media to install a higher level domain version that you are
currently operating on the OriginalDC. For instance, Windows 2003 R2 is a
higher level schema than any version of SBS 2003 (R2 or not).

Expert Tip

Recommended: Confirm a System State Backup

Verify the protection of the OriginalDC Now!

This is a good point to confirm or perform a full System State Backup or even a full
backup of the entire server before you go further.

Typically the tasks in Phase 1 have not modified much on your existing server or
domain. However, in Phase 2 the next set of tasks begin with procedures that if done
correctly pose no risk, but if you accidentally forget to separate the TempDC, or if you
make the huge mistake of reconnecting it later, this is a very nasty problem. You will
want a System State to restore in that case.


Page 71

Milestone

End Phase 1: Production Server Remains Online

The balance of the migration steps until Phase 5 are performed on either your
temp server, or the permanent server you build after that. Until you reach the
point to shift your data files and Exchange Mailbox Stores, you can continue
to operate the production domain.

From this point forward, the only changes related to the migration process that
will occur to your production Domain and SBS server will be the following:

You will build a new server and then establish it a Domain Controller
and Global Catalog holder. The instance of this Domain Controller in
the production domain can remain there in the production Active
Directory without concern after you detach the server as this migration
plan calls to be done. However, you may observe warning in the
Directory Services Event Logs indicating that the detached DC is
failing to replicate with the production SBS server. These can be
ignored. Only if your production domain Directory Services appear to
operate in a abnormal manner should you pursue this as a concern.

Similarly, with the new DC described in the previous point, you will
likely find it convenient to establish replication configurations for DNS
between the new DC and the production SBS prior to disconnecting.
Again, you may note Application and DNS Event Log warning noting
replication errors for DNS once this server is disconnected. You can
ignore these errors if the operation of your domain remains normal.

Only if you experience production operational problems should you be
concerned to undo those changed on your production domain. If you
have significant problems to troubleshoot regarding performance or
name resolution, the Troubleshooting section at the end of this
chapter provides some tips in how to address removing the detached
DC or DNS configuration from the production domain AD.


Page 72

Phase 2: Transfer AD from Production DC to TempDC

Figure 2-7 Phase 2 AD Transfer to temporary TempDC

Page 73
Copyrigh
Swing It!! T

How t
ht 2004-2009 b
Technician Kit
Im

All

You
perf
proc
DC,
don

Ex

Pa
ph

You
eve

You
repl
doe

Do
ass
indi

o Perform a
by SBSmigratio
Documentatio
portant D
Phase 2
u are never gi
form a task or
cess of const
, and then wo
ne on the Tem
xpert Tip
ay attentio
ase.
u MUST have
ery step, and
u must shift th
licate AD, and
esnt work oth
not get lazy, d
ume it doesn
cted is critica
Swing Migra
on.com
on
ocumenta
Steps are
ven an instru
r step on any
ructing. You a
orking on to pe
mpDC.
on to DNS
e the DNS ref
you must ad
he DNS settin
d before you m
erwise!
dont snooze
t matter. Cor
lly important.
ation from 20
ation Note
e execute
ction during P
other machin
are building th
erform the cle
adjustme
ferences con
djust them m
gs at several
modify FSMO
past a chang
rrectly configu
003 to SBS 2
e!
d at the T
Phase 2 or Ph
ne than the on
hat machine,
ean-up steps.
ents durin
nfigured corr
more than on
times as you
O roles becau
ge of the DNS
uring the DNS
008

TempDC
hase 3 where
ne you are in
promoting it t
. Its always w
g this
rectly at
ce!
u install DNS,
se this proce
S setting, do n
S changes as
e you
the
to a
work
dure
not


Page 74

Swing Migration: TempDC Hardware Requirements

Note that this is not a permanent machine requirement, you can reasonably use a workstation class
machine for this temporary use. The purpose of the TempDC machine used in a Swing Migration is
described in the following section on the Swing Migration Phases of construction.

A significant change in the hardware requirements for the TempDC is driven by the new requirement to
run the TempDC as a fully functional Exchange Server during Phase 3 through Phase 5. This is
necessary to facilitate the transfer of the Exchange 2003 Information Store for migration to the Exchange
2007 server. This means that the trivial tempDC requirement for Exchange 2003 to 2003 migrations is
no longer applicable, we need a machine with a reasonable amount of RAM

Processor 700 MHz 32-bit (x32)
(1 GHz or above recommended for larger transfer
operations above 8G Exchange Store size.)
Physical memory 512 MB (1 GB recommended)
Storage capacity 8 GB System Partition
Up total 80 GB including Data Partition
DVD drive 1
Network adapter One 10/100 Ethernet adapter
Required Network devices One 100 Mbit or above switch to connect
servers in offline construction tasks in a
construction network isolated from the
production LAN
Router not required
Optional network devices Device required by your Internet service
provider (ISP) to connect to the Internet
Source: (Microsoft) SBS 2008 Release Notes June 2008

Using Virtual Servers for TempDC in Swing Migration

The information provide is not intended as optimization information. This is provided only as a baseline
recommendation as compared to the hardware specification above.

You can assume that at least an additional 1 Gb RAM per VM should be provided on a minimally
configured host (memory) partition in order to host the Virtual Server guest partition. Therefore you
should add 1 Gb for the host, plus the memory environment for each guest OS you plan to use.

Page 75

Step A
Install a clean baseline of Server 2003 only (SBS 2003 Media)

This Phase 2 construction starting now is not for your server that will run SBS 2008. If
you are confused on this point, please refer back to Figure 1 on the first page of this
document and review the construction summary.

Preparing a Reusable Baseline Server Image For non-SBS deployments, or when it is a
specific preference to use non-SBS media (like with a VPC image), you can proceed with the
same instructions indicated below, but the screen prompts may not be identical.

Offsite Construction in Advance Step A can be performed with the new machine (or
virtual machine) in advance, disconnected from the production LAN. A reseller consultant
might choose to do Step A in preparation before going on site, or perhaps using a standard
deployment image. In any case, the steps listed below assume the machine is disconnected
to start and that if a DHCP Server is present on the LAN, the server will be set to a static IP in
Step B if it has not already been set that way. Step B is the beginning of tasks that require
communication to the production domain, therefore you cant proceed beyond Step A without
making a connection.

Must Format OEM Preinstalled Server If you are performing construction on a new OEM
server that came preinstalled from the manufacturer with SBS 200x already on the drives,
you will need to format the system partition and follow the instructions below. The existing
installation has already placed the configuration into a new domain we cant use, and we
cant undo that faster than a reinstall will take.

Phase 2 Task Outline & Checklist TempDC Initial Construction

Tasks Topic Step A
1
Baseline Installation of Windows
Install only minimal configuration as required
2
Halt SBS Setup
Critical step to maintain domain
3
Verify Critical Drivers & RDP Configuration
General inspection for core functionality of server
4
Configure Network Adapter Settings
Establish essential IP & DNS configuration
5
Ensure DHCP is Not Configured or Operational
Verify IP configuration will remain as specified

Page 76
Copyrigh
Swing It!! T

Task

Be
Win
E
T
I
T
Cont

How t
ht 2004-2009 b
Technician Kit
k 1 Baselin
egin constru
ndows 200x
used fo
Expert Tip
Tasks
mportant
Concern

Tasks
tinued with f
o Perform a
by SBSmigratio
Documentatio
ne OS Instal
uction of a b
x Server ins
or this Phas
This is prob
you an hour
day and yea
will kick in t
the clock if
Preparing

1. Verify t
what yo
2. If your
remove
3. Boot fro
Window
4. If you n
Assigning

Note: You
building the
name for it
The tempor
network per
for it like Te
that to clear
this machin
5. You sh

o Re
o Re
o Pr
o Se
o Da

A more deta
following pa

Swing Migra
on.com
on
ll
baseline
stallation
se
bably one of the
r. Before you s
ar. If you dont,
he first time yo
its off by a mo
g to start you
that your hardw
our existing do
machine came
e it and install t
om Windows in
ws Server only
need to provide
g the Machin
are in Phase
e temporary DC
like TempDC,
rary DC will not
rmanently. Cho
empDC or som
rly distinguish t
e in all steps th
hould be prepar
egional Setting
egistration Own
roduct Key (use
erver Name and
ate/Time and T
ailed summary
age
ation from 20
Ph
There is no sp
normal setup
through are lis
point at which
of a normal S

We do not nee
therefore if yo
finishing more
e more trivial ti
start the install,
, theres a good
ou reboot after j
onth or year.
ur installation
ware system clo
main is set to u
e preinstalled w
this installation
nstallation DVD
y (you will interr
e boot drivers,
ne Name for y
2 and should
C which will not
or SwingDC o
t remain in the
oose a name
me variation of
the purpose of
hat follow.
red with the fol
s
ner Name and
e the SBS Prod
d Password
Time Zone
y of the screens
003 to SBS 2
ases 2 - Ste
pecial case set
install from CD
sted further bel
h we deviate fro
BS install.
ed to install mo
ou are using SB
e than the first C
ps I have decid
logon and set
d chance that t
joining the dom
n
ock is close to
use.
with an SBS 20
on a bare part
D/CD media as
rupt the SBS po
press F6 when
your TempDC
be constructi
t remain in the
or some variatio
Recommen
TempDC
lowing informa
Company
duct key if you
s you will see fo
008
ep A
tup task require
D1 media steps
low to help you
om the scripted
ore than the co
BS 200x media
CD in Step A.
ded to include,
the CMOS clo
the Windows P
main and the tim
the correct dat
0x Operating S
tition.
s normal, run no
ortion of setup)
n prompted to s
C Server
ing your Temp
network perma
on of that as re
nded Computer
C or TempDC
Computer
ation:
are using SBS
ollows just belo
ed here. The
s you proceed
u to recognize t
d setup sequen
ontent of CD1,
a, we wont be
but it could sa
ock to the corre
Product Activati
me sync adjust
te and time for
System, you sh
ormal installatio
).
supply the drive
pDC. This invo
anently. Choos
easonable choic
r name:
C1
name
S media)
ow.

the
nce
ve
ct
on
ts
hould
on of
ers.
lves
se a
ces.

Page 77

(cont.) Task 1 Baseline OS Install

Technical
Background

For reference, heres a summary of the progress screen steps you see during a
normal SBS/Windows 2003 setup by default:

o Complete the text mode setup, including any special configuration and boot device
driver setup you require just as you normally would do.
o Continue with GUI mode setup that indicates the left sidebar of 5-steps as follows:
Collecting Information
Dynamic Update
Preparing installation
Installing Windows
Regional Settings
Registration Owner Name and Company
Product Key (use the SBS Product key if you are using SBS
media)
Server Name and Password At this step you must know the
name you intend to use for this server, or you may change the
machine name at a later step.
Date/Time and Time Zone
Finalizing installation
o Following a reboot, you will be given a standard Windows logon screen requiring
Ctrl-Alt-Del. This is your cue to interrupt the setup sequence.


Page 78

Task 2 Halt SBS Setup at CD1 Phases 2 - Step A

Halt the setup
at the Ctrl-Alt-Del
Secure Logon Request
After the initial 40 minutes setup period involving the
automated 5 step sequence outline above have completed,
you will now be halting the normal SBS install.

Eject media prior to the Secure Logon request to
terminate continuation of SBS Setup, or logon and
cancel the dialog box that launches.

Either way, you dont want to continue the SBS Setup steps.
This point in the installation is where a Windows 200x Server
installation is now a workgroup member.

Tasks
At the secure logon prompt, you should now have either ejected the media before
executing the Administrator logon, or you have the option to cancel the setup process
as it resumes after logon.

If you did eject the media before logon, you receive a couple of prompts
requesting you to provide the media to continue with BOSPREP.EXE.

Close that prompt box by canceling, confirm that you intend to cancel setup
with the prompt box that follows, and you have effectively interrupted the
next phase of the SBS setup.

If you failed to eject the CD before the logon, instead you will see a dialog box
for the next step of SBS setup resume. It will briefly indicated configuration of files
into temporary folders. Wait just a moment, the setup will pause again at a dialog
box screen indicating the title Microsoft Windows Small Business Server Setup,
and with the headline text in the box indicates Continuing Microsoft Windows
Small Business Server Setup. Its not too late, you can still stop here.
You must choose Cancel here!
Confirm you want to Abort.
Choose Finish.

Once you have stopped the automated setup, move on to the next task.
Important
Concern
Note: You will need to reinsert the SBS installation media during later steps. On any
occasion you insert the media, Windows Autoplay feature will attempt to restart the SBS
setup or present options for you to do that. You can cancel that immediately, or as
above as needed without causing a problem.

Expert Tip
Think of this as only interrupting the normal SBS Setup process, because you will pick
up at this point again later, just with your final server having already been joined to an
existing domain. This is how we are able to complete SBS Setup with a server created
in an existing domain. We are emulating the migration process involved in moving an
existing domain over to an SBS domain. We actually pick up again at this very same
point in the automated SBS setup when we reach Section F, after we do some cleanup.


Page 79

Expert Tip

Do not activate the product license for this server at
this time!

In a typical Swing Migration, the TempDC is never activated, its not required.

Even if prompted, you are recommended to wait until your complete an final SBS
Setup process is complete. Activating earlier is likely to create a license violation
condition you will have added difficulty resolving. You probably want to wait until
completing the Full SBS setup and are ready to add the SBS CALS and then to
activate the server at that time. Just ignore any activation prompts in the interim.

If your project should require you to permanently deploy this tempDC or if you
should need to work with this server longer than expects, the option to activate it
become a question of whether or not you have proper licensing for that.

Only the FinalDC is Activated (in Phase 5)

The server you are building now is not the FinalDC.

The FinalDC construction does not begin until Phase 3, and we do not need to
activate that server until end of Phase 5 when the entire construction is complete.

The main reason this is because you gain nothing by activating the installation, and
it could cause you problems since you might get blocked later in the project from
activating when you really need to activate, but a block condition prevents that.

There is no issue of license compliance involved here. We are not working around a
licensing issue, we are just using common sense. The simple answer is that we may
decide to format this installation and start over again for some reason, and if the
product is already activated from a previous installation, this could add to the
frustration by preventing an Internet based activation from completing without the
need to obtain telephone activation instead.


Page 80

Task 3 Verify Installation Settings Phases 2 - Step A

Verify Critical Drivers
& RDP Configuration
You cant assume that a clean install of a server will have all
the necessary drivers installed automatically, or that the
configuration of the network adapters will not require
adjustment. Therefore, you need to take a moment to review
the following details before continuing with the construction
process.

You many need additional drivers disk provided by your
server motherboard manufacturer or other hardware device
providers.
Tasks

Perform the following minimum verification steps:

1. Inspect the Event Viewer to see if any error events are reported that require
attention.
2. Open Device Manager to inspect for devices without valid drivers installed.
3. Ensure that NICs are established with functional drivers.
4. As needed, install drivers for any other hardware devices that were not properly
configured during setup.

(optional) Enable Terminal Servers for Remote Management

5. Optionally, enable Terminal Services in Remote Administration mode. This is not
directly required for the project, but it is very often handy to have this available and
this is a good time to address this setting.
Expert Tip
In Windows 2000 products, you must first run Add/Remove Programs to install the
Terminal Services feature. Windows 2003 Server installs the feature by default, but
does not enable remote logon as a user enabled option, but this is easily turned on from
the Remote tab in the My Computer properties.

Page 81
Copyrigh
Swing It!! T

Task

Ta
Im
C
Ta

How t
ht 2004-2009 b
Technician Kit
4 Verify I
Networ
Confi
asks
mportant
Concern

asks
o Perform a
by SBSmigratio
Documentatio
nstallation
rk Adapter
iguration
How to con

1. On the p
LAN you
2. On the p
Check b
Assigning

Note: Assign
which is excl

Use the asso
mask and ga
applicable to
LAN.
Set preferred
the LAN IP o
3. If this se

If more

a. Ope
Ne

b. Nav
c. Sort
pla
d. Clic

Swing Migra
on.com
on
Settings
T
s
u
i
y
c
nfigure your
primary NIC, as
u will be conne
primary NIC, as
below for the P
a Static LAN
n a static IP wh
luded from any
ociated subnet
ateway as
o your productio
d DNS pointing
of the Existing D
erver has more
than one NIC m
en the Network
twork Places
vigate from the
Advanced
Advanced
Adapter a

t all NICs in ord
cing the NIC w
k Apply, close
ation from 20
Pha
The configurati
some attention
using for the IP
in Step B, you
you should con
correct, and tha
Network Ad
ssign a static IP
ecting to. Use th
ssign the Prima
hase you are p
N IP and Pref
ich is not used
y DHCP scope
on
IP Ad
Subne
Gat
g to
DC
Pref
DNS
e than one NIC,
must be presen
k Connection
icon in Window
top menu bar o
Settings
and Bindings
der at the top o
with the primary
e the panel.
003 to SBS 2
ases 2 - Step
ion of the netw
n. If you already
P and DNS con
can set that co
nfirm that the b
at you have the
dapters
P that is availa
he Phase inform
ary DNS Serve
performing for m
ferred DNS S
d by any other d
allocations use
ddress
et Mask
teway
ferred
Server
, disable the se
nt, set the netw
properties from
ws Explorer.
option:
of the list in the
y LAN IP at the
008
p A
work adapters w
y know the sett
nfiguration on th
onfiguration now
inding order on
e correct servic
ble within the s
mation below t
er to be the IP o
more detail.
Server Settin
device in the pr
ed in your netw
TempDC S
Productio
econdary NIC (
work bindings o
m Control Pane
Connections
e first position a
will require at le
tings you will b
he LAN you wil
w. At the very l
n the NICs is
ces installed.
same subnet a
o guide you.
of the opposite
gs
roduction LAN,
work.
Static LAN IP

on DC LAN IP
(if any).
options:
el or right-click o
items, specific
at the top.

east
e
ll join
least,
s the
e DC.
, and
on My
cally

Page 82

Task 5 DHCP Not in Use Phases 2 - Step A

Ensure that DHCP Server Service
is disabled, or not yet installed
This step is included to avoid complications with other DHCP
servers during the migration. In particular with an SBS server,
conflicting DHCP servers on a network can create confusion
and odd behavior. When an SBS server configured to use
DHCP Server Service detects an additional DCHP provider,
the SBS stops the local service which can produce
unexpected conditions.

I encourage you not to install this service on a new server
before reaching Phase 5. If it is already installed, either
disable the service or uninstall it.
Tasks

KB 280209
KB 309633
DHCP Server Service is typically not installed by default to a new server by
Windows setup. If you did chose to install it already yourself, disable the service
before you connect this new server to the LAN with the production SBS. You can
enable or add DHCP Server Service back later if you ultimately expect to use it in
your production environment.

No need to uninstall it if you have it currently installed, just open the Manage
Computer console, drill down to Services, set the DHCP Server Service to
startup type Disabled.

Note: Settings on DHCP Client Service can be ignored entirely, they dont matter to
us.

If you have a router or other device you prefer for providing DHCP support to your
normal LAN, you do not need to be concerned about disabling it, or it impacting the
setup steps outlined here. The reason for discussion the DHCP Server Service at
all is to ensure that you have the expected behavior of your server configuration.
For that reason, you want to avoid conflicting network-wide DHCP operations.


Page 83

Expert Tip

Should you add Service Packs or patches now?

You are instructed on the recommended and required service packs when
you reach Step F. Until then, you probably dont need any updates, and at
the point in Step F you are given instructions they are specific for only what
is needed on this server for the purpose of migration.

The main motivation here is to not add work that doesnt really matter. If
your server has been installed from the distribution media with or without
service packs included, you probably dont need to add any updates at this
time. The only reason would be if you have hardware that requires updates
for the drivers to work correctly.

Why choose not to install Service Packs or patches now?

The reason is that it takes time, and it might introduce a new problem. If a
patch was released today, you might be the lucky one to discover a new
problem nobody has seen. Better to get through the migration with a full
backup of the server before you discover this issue midway into the project.

Why you might install Service Packs now: Driver Compatibility

In some rare cases you may find that you have a driver for a new network
adapter, disk controller or motherboard that requires a recent Service Pack
in order to install correctly. This is the only reason adding a Service Pack
now would make sense. We handle all required updates later in Phase 2
Step F and Step G.

Milestone

This is the Last Point for Preparations in Advance

This is as far as you can proceed toward building this machine offsite, in
advance, or disconnected from the domain. You will next need to connect to
the established network to communicate with a DC at this point to join the
domain.

This is also a point at which you could build a reusable drive image or virtual
server/pc configuration.

In addition, you might choose to make a System State backup for roll back at
this point.


Page 84

Step B
DCpromo to establish the server as a new DC in the existing Domain

Now we will perform the steps to move this server under construction from a member server up to a
Domain Controller. These are the DCpromo steps, and related configuration, and all tasks in Step B
are performed on the DC you are constructing during this Phase.


Tasks Topic Step B
1
Confirm Use of Fixed IP & Secure LAN Subnet
Domain Controllers require fixed static IP
2
Disable Private LAN Interface Windows Firewall Service
Non-essential service blocks critical replication
3
Join to Domain
Standard member machine domain join
4
Sync with Domain Time
Verify time and time zone settings
5
License Compliance Requirements are Now Applied
Alert Only: No action required
6
Install DNS Server Service
DNS Server required for DC operations as planned
7
Initiate DCpromo Wizard
Establish this server as a DC
8
Validate DC Health and Replication
Observe replication & validation of healthy DCpromo results
9
Troubleshoot DCpromo Issues if Needed
As needed, correct configuration settings

10
Establish Global Catalog Status
Do not remove GC role from existing DC

11
Confirm DNS Zone Replication is Successful
AD Integrated Zones should replicate automatically

12
Establish DNS Settings to Point to Self
Prepare for standalone operations

13
Perform Summary DC Health Audit
Final verification for this phase

14
Shutdown and Detach from Production LAN
Prepare for next Phase


Page 85

Task 1 NIC IP Configuration Phases 2 - Step B

Connect with the
Established DC and
Use a static IP
The next steps that follow require this computer to
communicate with the DC you will replicate from for transfer
of the Active Directory and related domain details.
Important
Concern
Connect via your production LAN.

Its common to connect the machine currently under construction to your production
LAN just as you would any a regular domain member machine.
Tasks
Connecting to the domain on the other DC

o You should have set a static IP on this server in the same subnet as your local
domain is using. Its very important that this was done, so its mentioned again here
at the last point you can make a change without complications in the process as it
is documented here.
o You should confirm that you can communicate to the established DC using the
ping command.

Configure the NIC to obtain DNS requests from the existing DC server

Once connected to the LAN, you should be able to ping the existing DC to confirm basic
network communication is available. If you cant ping in both directions, check for a
software firewall installed on one or both servers. This is discussed further in the next
task.

Expert Tip

Yes, thats right. Im repeating myself.

This entire first Task in Step B just above is redundant for steps you were
previously told to do in Step A.

Sorry, this is where I get a lot of questions, or its the point where the questions
I get lead back to. This is where you avoid wasting a couple of hours.

Ensure you have set a Static IP and can ping the DC.

Point Preferred DNS on the NIC to the opposite server.

Page 86
Copyrigh
Swing It!! T

Task

T
I
E

How t
ht 2004-2009 b
Technician Kit
k 2 Disable
( If Ap
Disable Win
Firew
Tasks

mportant
Concern
Expert Tip
o Perform a
by SBSmigratio
Documentatio
e LAN Firew
pplicable )

ndows 2003
wall Service

How to dis

From the M
review the s

1. Right-c
2. Expand
3. Expand
4. In the s
Sharin
5. Right-c
6. From th
Se
Se
7. Click O

Windows F
Firewall is a
other Doma
NIC to allow
Group Polic
machine is

The best pr
firewall.
Doing this
most secure
Windows Fi
related traff
approach m
that is both
identify the
them. This i

Swing Migra
on.com
on
wall
3 SP1

sable the Wind
Manage Compu
services listed.
click on My Com
d Services and
d Services.
service list show
ng.
click on the serv
he properties p
et the Startup t
et the Service S
OK to close the
Firewall / Inter
active on a LAN
ain Controllers.
w replication. Y
cy enforcement
s otherwise un
ractice is to isol
the more com
e environment
irewall or even
fic while the fire
might be more t
a Domain Con
required ports
is not common
ation from 20
Phases
Note: Some 3
firewalls, the

Windows 200
service and e
In the default
Microsoft Netw
level commun
replication of t
after DCprom
recommend th
a preference,
but I dont pro

Domain Contr
without a Fire
technologies i
discussed now
server you ca
when SBS Se
this server in t
disables the fi
reach that poi
dows Firewall
uter console (r
To review the
mputer, choos
d Applications
wn, locate Win
vice, choose p
panel:
type configurat
Status by choo
properties pan
rnet Connectio
N connected N
You can disab
You may also se
t refresh. You s
nprotected and
late your const
mplicated way?
possible, Micro
an ISA Server
ewall is enabled
rouble than it is
ntroller and app
for each and e
ly done.
003 to SBS 2
s 2 - Step B
3
rd
Party prod
ese issues app
3 SP1 (or later
nables it autom
condition, this
working traffic
nication. In part
the Sysvol onto
o. SBS 2003 d
hat you disable
you can tune t
ovide document
rollers should n
wall. SBS 2003
in addition to th
w. This is why w
n safely disabl
etup is complet
the final config
irewall being di
nt during Phas
Service:
ight-click on M
installed Serv
se Manage.
s.
ndows Firewal
roperties.
tion to Disable
osing Stop if it
nel and exit the
on Sharing is a
IC, it may also
ble the service,
ee later that thi
should not dis
d still connect
truction LAN fro
? If you have
osoft provides
r configuration
d. However, yo
s worth, particu
plications serve
ever application
008
ducts may inst
ply to those as
r), installs the W
matically on all
service will pre
including FRS
ticular, it will pr
o this server fo
does not use th
e the service en
the firewall to a
tation for that h
never be conne
3 provides two
he default firew
with an SBS 20
e this firewall in
ed, a different
uration. SBS S
iscussed in this
se 4.
y Computer, ch
ices list:
ll / Internet Co
ed.
s currently run
e Manage Com
an unusual pro
prevent norma
or filter it on th
is service react
sable the firew
ted directly to
om the Internet
e a preference f
the means to c
to pass domai
ou should unde
ularly in a multi
er. It would be n
n and establish
tall similar
s well.
Windows Firew
network adapte
event all norma
replication and
revent normal
ollowing the reb
is service. I
ntirely. If you ha
allow replication
here.
ected to the Inte
alternative fire
wall being
003 (including
n anticipation t
firewall will pro
Setup normally
s task once you
hoose Manage
onnection
nning.
mputer console.
oblem here. If th
al replication w
he LAN connec
tivates again d
wall if this
o the Internet.
t using a hardw
for running the
configure the
n management
erstand that this
i-function serve
necessary to
h port filters for

wall
ers.
al
d DC
boot
ave
n,
ernet
ewall
R2)
hat
otect
u
e),

he
ith
cted
ue to

ware
e
t
s
er
all of

Page 87

Task 3 Join to Domain Phases 2 - Step B

Join the Domain
The next steps that follow require this computer to
communicate with the existing DC for this domain.
Tasks
How to Join to the Domain:

1. Right-click My Computer, and then click Properties.
2. Select the Computer Name tab.
3. Click the button labeled Change.
4. Toggle the selection option from Workgroup and set it to Domain.
5. Enter the Netbios name of your Domainname in the entry blank.
6. Apply the change, and respond with the requested credentials, typically those of
the Domain Administrator account you use for managing the domain.
7. Restart this machine when prompted.

Important
Concern
Cannot connect to domain?

If you have difficulty joining the domain at this point, this may be an indication of a health
problem with the existing DC or domain configuration. If you have ensured that the
Windows Firewall service is not present or is disabled in the previous task, then
problems with joining the domain are almost always related to either bad NIC
configuration, or an unhealthy condition in the existing domain or DC.

A common error that appears during a Swing Migration is when the TempDC was
created in error without the Sysvol successfully replicating. If you failed to inspect for
this during the construction of that DC, the first hint of this later will be when you are
unable to join a new computer to the domain managed by the TempDC.

Additionally, verify the following:

Ensure you have set a Static IP in the same subnet as the DC.

Point Preferred DNS on the NIC to the opposite server.

Disabled the Windows Firewall (installed by Windows Server SP1).

Expert Tip
Disable the Logon Script? You may find it convenient to disable any existing logon
scripts configured for the Domain Administrator account you will be using with the new
server setup from this point forward.


Page 88

Task 4 Sync to Domain Time Phases 2 - Step B

Sync to Domain Time
All Active Directory operations are dependent upon close
synchronization of the time clock on all domain member
computers as well as Domain Controllers. It is a normal
condition of running DCpromo that time sync should occur at
that point to establish an exact alignment to your domain time
server. However, its also possible that you may have
difficulty with steps preceding that point if your time or date
are substantially out of alignment.
Tasks
Logon as Domain Administrator, sync time to domain.

Net time /domain:[your-domainname] /set

Confirm with Y that you want to sync the time of the local machine
to the domain time server (the DC you are connecting to).

Important
Concern

Time Zone Setting for Both Servers Should Match

This is an easily overlooked problem here. If the time zones dont match you can easily
be fooled into having the wrong real time clock conditions.
Expert Tip
What if your Time or Time Zone is Wrong? You will discover that the Windows
Product Activation will kick in the first time you reboot after joining the domain and the
time sync adjusts the clock if was off by a month or year. When that occurs, you have
the option to activate immediately, or to start the construction of the server over again.

Activating at this time, while unexpected and not preferred, normally would not hinder
you from completing the project unless you end up having to start over yet again with a
new install, or installing to a different server. Therefore, if you get forced into WPA
activation while constructing your TempDC, you probably need to start over again with
the installation making sure the hardware clock on the machine is more accurately set.


Page 89

Task 5 SBS License Requirements Phases 2 - Step B

When using SBS 2003 media,
DCpromo Must be Completed in a
timely manner from this point

You now have a limited number of days to use this server
installation before SBS specific installation protection forces
the computer to reboot every 100 minutes.

The requirement is to complete DCpromo tasks,
effectively meaning you need to complete Step B.

This is not a standard Windows activation issue of the type
you get 30 days to activate, rather this is an SBS specific
setup installation enforcement. It wouldnt matter if you
activated the Windows license or not (so dont do that). This
limitation specifically enforces that you must make a DC of
any installation from SBS media within a specific period of
time, think hours, not days.

What is the impact of this time constraint?

You need to finish Step B within the next few days, thats all.

You need to be aware of about this is that if you build a server with SBS media up to this
point and then stop construction, you will begin to see behavior change from what non-
SBS installations do.

SBS requires you to complete the DCpromo actions within the time limit allowed, and at
worst it means you have to reboot the server in order to have a 100 minute window.
Other than that, you have normal behavior.

Expert Tip
RelaxYou have ample time There is no need for concern for rushing to complete
the remaining tasks in Step B within the first 6 hours, thats not a critical concern. Even if
the server reaches that point where it begins a forced reboot every 100 minutes, this
100 minutes remains a very adequate time to complete balance of the steps within that
time cycle.


Page 90

Technical Background

SBS 2003 License Enforcement: SBCore

You will not be able to preserve any installation from SBS media in the condition of
member server for an extended period of time, but this doesnt affect our project.

Technical blocks are built into the SBS Server setup media to ensure that full
installation of SBS designated as a DC is completed. Permanent use of a server
installed from SBS Media outside this condition is not recommended, in fact, its really
not feasible. This limitation has no impact upon our process related to upgrade and
migration steps other than forcing us to complete the planned DC promo steps in a
timely manner.

Immediately following completion of the first part of setup through Step A described
above, you have a reasonable limitation of just under 6 hrs of uninterrupted grace
time to get past the DCpromo milestone. At that point, a forced server shutdown then
occurs. The forced shutdown now repeats on cycles of every 100 minutes. Note, the
limitation is not to complete the entire SBS installation, just the next 3 steps that follow
to complete DCpromo.

If the server reaches the condition of a forced shutdown every 100 minutes, dont
worry. This forced shutdown is removed by completing the DCpromo cycle of
continuing normal SBS installation, or the steps of DCpromo outlined in the next
section. That time limitation is quite sufficient for a DCpromo in an SBS scale domain,
since the steps can require as little as 15 minutes to complete, including replication
time.

Here are some details of the shutdown related cycle:
o Event Viewer Displays the following related warnings:
Source: SBCore with ID 1013 is a nag that you are required to
complete setup.
Source: SBCore with ID 1014 is a warning, the system will be
shutdown soon
Source: SBCore with ID 1001 is the notice why a shutdown
occurred
o At the initial four hours passes, you receive an Event Viewer Warning to
complete the setup portion of making this server a DC.
o 40 minutes after the (4hr) first warning, you receive an additional warning
that the server will undergo a forced shutdown in 60 minutes.
o When the remaining 60 minutes has passed, the system performs an
automated shutdown without any warning to the operator.
o After the shutdown, you may restart the computer normally again, and
you are provided an Event Warning to complete the steps to make this
machine a DC. The server will now be shutdown in a 100 minute cycle
each time you restart it, and similar events mentioned above will be
posted to the Event Log
You are strongly advised not to attempt to tamper with SBCore in any
way, you may end up rendering your installation unusable and
unrecoverable.


Page 91

Swing It!! Tools Tip

Swing It!! Kit Tool EventDmp can easily help you document your
incremental progress while performing a new installation. This tool is
a simple way to create a record of all your Event Logs
simultaneously, with a single click.

After you export the logs with EventDmp, you may be surprised how
much they compress using WinZip or similar tools in order to archive
them, or send the logs by email.


Page 92

Task 6 DNS Server Setup Phases 2 - Step B

Install DNS Server Service
As a normal and recommended condition, each Domain
Controller in a small domain should be running Active
Directory Integrated DNS Server service to provide fault-
tolerance and optimized operations. Im recommending you
install this service prior to the DCpromo command to ensure
a consistent installation result.
Tasks
If you have not already done so, install DNS on the new server now. (If you plan to
install WINS, that is discussed further below.)

Leave the DNS queries (on your NIC configuration) pointing at the opposite server for
now, dont worry about configuring DNS forwarders.

To install DNS Server:

1. Open the Control Panel option for Add/Remove Programs.
2. Select Add/Remove Windows Components.
3. From the component list show, highlight (but dont enable the checkbox) for the
Network Services option, click Details.
4. In the selection list you should now enable the checkbox for DNS Server in addition
to any other options already selected.
5. If you inadvertently enable additional options, you should cancel out of this
operation and start over. Its important not to install services you dont need.
6. Click OK to install DNS Server.
7. Upon completion of the installation wizard, close out of the Control Panel.

Expert Tip
Replication Occurs after the DCpromo You do not need to be concerned to force
replication or configuration of the DNS Server contents at this point in most cases.
Replication will happen automatically in the next steps when AD replication takes place
as part of the DCpromo process. AD Integrated zones replicate the DNS records
automatically with AD replication.

Page 93
Copyrigh
Swing It!! T

Task

E
I
T
How t
ht 2004-2009 b
Technician Kit
k 7 DCpro
Execute the
mportant
Concern
Tasks

o Perform a
by SBSmigratio
Documentatio
omo Wizard
DCpromo W
You mus
errors and
Domain Ad
To Launch

Click Start,
OK button.
To comple

1. Confirm
not co
your do
2. When p
domai
3. You lik
accoun
4. The de
options
5. When p
Passw
accoun
on the
having
degree
6. You wi
7. Restart
replicat
Swing Migra
on.com
on

Wizard
st be logged
d the process
dministrator
DCpromo:
choose Run, e
te DCpromo:
m that are acce
mpatible to co
omain meets th
prompted, chan
n controller fo
ely will indicate
nt to execute th
efault prompts f
s.
prompted to pr
word, you may w
nt. SBS Setup w
final server. Th
them agree in
e of delegation
ll observe a gra
t the machine w
tion sequence.
ation from 20
Phas
DCpromo as a
behaves as a
this command
establish this
the server is a
demote the m
prompt indica
you should no
initiated by the

DCpromo doe
or to establish
our scenarios
Additional d

d on as a Dom
will fail if yo
enabled acco
enter DCprom
(SBS/Window
epting the cond
ommunicate w
hese requireme
nge from the d
or an existing
e the Domain A
he DCpromo ac
for folder locati
rovide a Direct
wish to indicate
will force this a
here is general
an SBS based
of Administrati
aphical indicati
when prompted

003 to SBS 2
ses 2 - Step
a wizard based
n installation to
d on a member
server as a Do
already a Doma
machine back to
ting what the w
ot be concerned
e launch of the
es offer you the
h this server as
, we always ar
domain contro
main Admin
u are not cur
ount.
o in the entry b
ws 2003 media
dition, that a Wi
with Win95 and
ents.
efault selection
domain.
Administrator a
ction.
ons should be
tory Services R
e the same pas
anyway at the p
ly no significan
d network due t
ve authority.
ion that objects
d upon comple
008
B
d command. Ex
oggle. Therefor
r server, the wiz
omain Controlle
ain Controller,
o a member se
wizard is offerin
d about confus
e command.
e option to crea
s the first DC in
e going to choo
oller for an exis
nistrator. Yo
rrently logged
blank, then con
)
indows 2003 S
d NT4.0 works
n to instead ind
ccount you are
suitable for oth
Restore Mode
ssword as the
point you run S
nt security impl
to the small sc
s are being cop
etion of the AD
xecuting DCpro
re, when you ru
zard offers to
er. Conversely,
the wizard offe
rver. You recei
ng to do, theref
sing the action
ate a new doma
a new domain
ose indicate
sting domain
ou will receive
d on as a
nfirm by clicking
Server as DC i
stations, and t
dicate Additio
e using as the
her prompted
e Administrato
Root Administr
BS configuratio
ications from
ale and limited
pied/replicated.
database

omo
un
, if
ers to
ive a
fore
ain,
n. In
.
e
g the
is
that
onal
or
rator
on

.

Page 94

Important
Concern
DCpromo fails with Access is Denied

Duplicate Machine name that already exists as DC in Active Directory
Resolve this by renaming the machine, and following a restart, run DCpromo again.

Administrators Group was not granted Trusted for Delegation rights

The DCpromo operation failed, with a message like:

The Active Directory Installation Wizard was unable to convert the computer account
[MACHINENAME]$ to a domain controller account. Access is denied.

Failed to modify the necessary properties for the machine account [MACHINENAME]$
"Access is denied. "

1. Open the Active Directory Users and Computers snap-in.
2. Expand the Domain object (named for your domain)
revealing the containers (OUs) below it.
3. Locate the Domain Controllers Organizational Unit. Right-
Click, then choose Properties.
4. Select the Group Policy tab on the panel that opens.
5. The contents shown on the tab panel can have two
variations in appearance. (It varies depending upon the
Windows version of this DC, and if the Group Policy
Management snap-in feature has been installed.)
If only a single button marked Open shows in the
center of the tab panel now, click that button to
open the Group Policy Management console
window. The steps continue below in this new
panel.
6. For either variation (either in the new console window if you
opened it, or the original tab panel), you should now have a
list of Group Policies to view. Identify the Default Domain
Controllers Policy, Right-click on it, then choose Edit.
7. Expand out the tree indicated here, and confirm the policy
items that follow just below:

Computer Configuration
Windows Settings
Security Settings
Local Policies
User Rights Assignment
8. Add the Administrators group to the policy for Enable
Computer and User Accounts to be trusted for
Delegation

Expert Tip
It is critical that you verify the health of this new DC in the next task. Do not skip
the validation steps in the next task. While the DCpromo wizard does provide you a
good indicator that the actual AD database (NTDS.DIT) was successfully replicated,
that is not the only critical requirement to create a healthy new DC. You must validate
the additional steps that follow. There is absolutely no way to know based upon the
wizard screens shown during DCpromo if the essential completion follow-up steps that
occur following a required reboot will be fully completed successfully.


Page 95

Task 8 Post-DCpromo Health Check Phases 2 - Step B

Validate the DC Health
& DCpromo Follow-up Results
The DCpromo wizard initiates the transition of a member server to
becoming a Domain Controller. While the DCpromo wizard
provides an indication of the successful replication of the Active
Directory database itself (NTDS.DIT) as well as some related
security configuration changes, this is not the final and complete
condition that produces a healthy new Domain Controller. More
actions must occur after the reboot.

Following the reboot required at the conclusion of the DCpromo,
the new DC appears in most respects to be a Domain Controller,
but it cannot operate as a DC until several critical but automatic
completion and validation checks occur. In a healthy domain
condition with healthy existing DCs as replication partners, and
healthy DNS configuration, the completion will typically occur faster
than you can logon to confirm it. Therefore, the normal post-
DCpromo validation and replication will occur immediately, if not
within no longer than 10 minutes. In a properly configured small
domain environment, you should never need to wait more than 15
minutes for replication, it always should occur that fast. A possible
exception would be if your domain includes slow WAN links
between DCs.
Task 8 Validation Tasks

Confirming Healthy DCpromo Results

Each item in the the summary table on validation below is discussed in more detail in
the balance of this task. This is a quick reference list. If you can confirm each item in
the reference list below, you will not need to perform the task items, though it may be
help as orientation on how to confirm each of these conditions.

Validation File Replication and DC Health

Sysvol and Netlogon shares appear in the list of Shared Folders in the
Manage Computer console.

Sysvol contains a subfolder for Policies folder with at least two policies
listed (using a GUID name for the folder). The location is in the path
further below the Sysvol, beneath the folder named for your domain.

The File Replication Service Event Logs show a 13516 Event has
occurred at least once since the reboot after DCpromo of this machine
was completed.

You can view a complete list of the expected Users, Groups and
Computers in the Active Directory Users and Groups console.

The DNS Server Forward Lookup Zones include an automatically
replicated copy of the zone named for your domain, and the top level of
zone entries match what you see on the DC you replicated over from.

You can open the Domain Security Policy and the Domain Controller
Security Policy without receiving a permission or access error. Start
Menu shortcuts to open these policy consoles are listed in the
Administrator Tools section.


Page 96
Copyrigh
Swing It!! T

Task

Ta
Ex
Task

T
Impor
Conti

How t
ht 2004-2009 b
Technician Kit
8.1 Sysvol a
asks

xpert Tip
8.2 FRS Eve
Tasks
rtant Concern
inued with fo
o Perform a
by SBSmigratio
Documentatio
and Netlog
1. Following
task), logo
Verify the Sys

2. Open the
3. Expand th
4. Under nor
should ob

A newly in
DCpromo

The Sysvol an
and their autom
they appear, y

Do not attempt
simply foolish.
validation of its
creating share
becoming shar
folders is being
unhealthy or in
ent 13516
Verify the
recorded.

From the M
expand the
entry.

In some cas
Sysvol and
connection
conditions i
move direct
ollowing pag

Swing Migra
on.com
on
gon Shares (
the Restart req
on again to this
svol and Netlo
Manage Com
he left-panel co
rmal conditions
serve that sha
nstalled DC nor
:
Admin$
C$
IPC$
Netlogon
Sysvol
nd Netlogon s
matic appearan
ou can safely a
t to help the p
These two fold
self. If these fol
s, the problem
red because th
g blocked in or
nconsistent Dom
e File Replica

Manage Compu
File Replicatio
ses, it is neces
d Netlogon sha
could take long
n a reasonable
tly to troublesh
ge
ation from 20
(cont.)
quired at the co
s server as the
ogon shared fo
puter console
onsole tree belo
s with only a pe
red folder desig
rmally has at le
hares are gene
nce confirms on
assume you ca
process by atte
ders are syste
lders do not ap
is that a failed
he servers hea
der to protect t
main Controlle
ation Service
uter console tre
on Event Log. Y
ssary to wait no
ares plus Even
ger, perhaps 3
e time, dont wa
oot this conditi
003 to SBS 2
onclusion of th
Domain Adm
older referenc
(right-click on
ow System To
eriodic refresh o
gnations are sh
east the followi
erated automat
ne indicator of
an proceed forw
empting to man
em shares whic
ppear automatic
validation con
alth as a DC is i
the domain from
r condition.
e Event Logs
ee below Syste
You should ide
o more than 15
nt 13516 to app
0-60 minutes.
ait forever, its
ion using the D
008
e DCpromo wiz
inistrator.
ces were creat
My Computer,
ools and click o
of the panel, w
hown for Sysvo
ng shared folde
tically on a Dom
a healthy Dom
ward.
nually share the
ch are controlle
cally, you dont
ntrol is blocking
incomplete. Th
m invalid opera
s show Event
em Tools, loca
ntify Event 135
minutes for th
pear. (Slow WA
If you cannot c
not going to ha
Domain Audit G
zard (the previ
ted.
choose Manag
on Shared Fold
within 5 minutes
ol and Netlogo
ers listed follow
main Controller
main Controller.
ese folders, tha
ed by the syste
t solve anything
g the folders fro
he sharing of th
ations by an
t 13516 was
ate the Event L
516 as a recent
ese entries for
AN or VPN
confirm these
appen. You sho
Guide.

ious
ge).
ders.
s you
on.
wing
r,
If
ats
em
g by
om
hese
Logs,
t
the
ould

Page 97

Task 8.3 - Policies Folder Exists & Contains at least 2 Policies

Tasks
Verify the Sysvol contents includes a Policies folder with at least 2
policies.

The default Sysvol path location is typically defined as on of the following locations,
depending upon the system folder location for your Windows installation:

C:\WINNT\sysvol
C:\WINDOWS\sysvol
C:\WINNT.SBS\sysvol

The name of your domain will be listed below the Sysvol, and below it will be the
Policies and Scripts folder (additional spaces were included to emphasize and improve
readability):

%sysvol%\sysvol\ [yourdomainname.local] \Policies
%sysvol%\sysvol\ [yourdomainname.loca ] \Scripts
Typically, the following two policies are required for authentication and the folder
names are as indicated, including the brackets:
Default Domain
Controllers Policy
{6AC1786C-016F-11D2-945F-00C04fB984F9}
Default Domain
Policy
{31B2F340-016D-11D2-945F-00C04FB984F9}
You may have additional policies depending on the existing Group Policy configuration
for the domain.
Expert Tip
Whats in the Sysvol immediately following DCpromo?

Initially before a reboot. when you examine the folders beneath Sysvol, you may find
only the folder in the following list, and initially no additional files or folders further below:

%Sysvol%\domain
%sysvol%\staging
%sysvol%\staging areas
%sysvol%\sysvol
%sysvol%\sysvol\ [yourdomainname.local]

Following the first reboot, these folders should be fully populated One indication that
File Replication Service has failed to complete a Sysvol replication successfully is that
after a reasonable period of time (30 to 45 minutes), no further population has occurred.
In this case, you would want to look at the next condition. In most cases, correct
replication may finish faster than you can get to the folder to look for this condition.

Page 98
Copyrigh
Swing It!! T

Task

In
Trou
Su
R
E

How t
ht 2004-2009 b
Technician Kit
k 9 DCpro
Troub
ncomplete D
ubleshooting
Steps
pplemental
Reference
Expert Tip
o Perform a
by SBSmigratio
Documentatio
omo Trouble
bleshooting
DCpromo R

To assist yo
Audit Guid
the SBSmig
additional H
identifies a
on the pre-e
new DC fro

Troublesho

I strongly en
explanation
recognizing
concerns:

1. If y
se
2. Did
Ev
yo
co
3. Sin
req
4. Gr
Sc
un

The Domai
replicate the
the previous

A complete
configuratio
partner or th
In a planned
occurring, a
recovery co
degraded, i
explained in

Swing Migra
on.com
on
eshooting

Results
ou in troublesho
e, a suppleme
gration.com we
Health Check va
checklist to rev
existing DC tha
m becoming fu
ooting Tips:
ncourage you t
of how to reso
the most com
you have Wind
rvice?
d you determin
vent Log that a
u must repair t
uld wait foreve
ngle-label AD d
quire special at
roup Policy sett
ceCli event erro
likely.
n Audit Guide
e Sysvol, and t
s steps would s
checklist to va
on checklist for
he AD domain
d migration pro
and to find out w
ondition where
t is possible to
n the Domain A
ation from 20
Phas
If you do not o
NETLOGON f
within 5-10 mi
with these qui

I strongly reco
Sysvol has no

If these steps
refer to the Do
how to resolve
your existing A
your existing D

ooting issues f
ntal document
ebsite after you
alidation steps
view which nor
at are blocking
ully functional.
to consider the
olve all issues a
mon causes of
ows 2003 SP1
ne if the pre-exi
Journal Wrap
that condition.
er and never se
domains (Doma
ttention.
tings with incom
ors, another ind
e provides a co
therefore why a
still not yet bec
alidate the heal
validating or c
configuration i
oject, its best to
why the Sysvo
the timeline is
work around n
Audit Guide a
003 to SBS 2
ses 2 - Step
observe the ind
folder share de
inutes, or the F
ick troubleshoo
ommend that y
ot replicated fro
do not identify
omain Audit Gu
e this. It is quite
AD Domain set
Domain Contro
from this point,
available to Ki
logon. You ca
for a newly cre
mally will resol
Sysvol replicat
Domain Audit
at this point. Ho
f failed replicat
installed, did y
isting DC indica
condition has b
Its simple to fix
ee replication o
ain, rather than
mpatible setting
dication that se
omplete checkli
a new DC cons
come a healthy
th of a new DC
correcting the c
s covered in S
o solve the ridd
l has not replic
critical or the s
normal replicati
s well.
008
B
dicated SYSVO
efinitions to app
FRS Event 135
oting hints belo
ou begin to tro
om the source D
y or resolve this
uide for detaile
e possible that
ttings or a hea
oller.
I have prepare
it owners that y
an refer to Sect
eated DC. In ad
ve 95% of all c
tion, and theref
Guide as an a
owever, to help
ion of the Sysv
you disable the
ates in the File
been observed
x, but without t
ccur.
n Domain.local
gs for SMB Sig
ecure domain c
ist of issues to
structed exactly
y and functiona
C is presented
onfiguration of
ections A and
dle as to why th
cated on its own
source server is
ion mechanism
OL and
pear independe
516, you can sta
ow.
ubleshoot why
Domain Contro
s condition, ple
d information o
t the problem is
lth problem wit
ed the Domain
you can obtain
ion D to confirm
ddition, Section
cases for condi
fore preventing
authoritative
p you in
vol, here are th
e Windows Fire
e Replication Se
d? If you find th
hat repair, you
or Domain.com
gning will indica
communications
resolve failure
y as indicated i
l DC.
in Section D. A
f a DC replicatio
B.
hese conditions
n. In a disaster
s severely
ms. This is

ently
art
y the
oller.
ease
on
s in
th
n
from
m
n B
itions
g the
e top
ewall
erver
is,

m)
ate
s are
to
in
A
on
s are
r

Page 99

Task 10 Global Catalog Designation Phases 2 - Step B

Establish Global Catalog Server
Designation
An important step in our procedure is to make this machine a
Global Catalog Server.

A common misimpression is that Global Catalog is somehow
related to the FSMO roles or that it is a unique assignment
held by only one computer. Thats not the case, you can have
multiple GCs.

In a single domain condition, all Domain Controllers replicate
and share the entire catalog between them, but only DC with
the Global Catalog attribute set are allowed to respond to
Global Catalog specific requests. Its generally a good idea in
a small domain having a handful of DCs and without any
domain trusts to establish all DCs as Global Catalog servers.

Tasks
To establish this DC as a new global catalog server:
1. On this domain controller you want to assign to keep a Global Catalog, start the
Active Directory Sites and Services snap-in. To start the snap-in, click Start, point
to Programs, point to Administrative Tools, and then click Active Directory
Sites and Services.
2. In the console tree, double-click Sites, and then double-click sitename.
3. Double-click Servers, click the domain controller you want to assign to keep a
Global Catalog, right-click NTDS Settings, and then click Properties.
4. On the General tab, click to select the Global catalog check box to assign the
role of global catalog to this server.
5. Restart this domain controller.


Page 100

Task 11 DNS Zone Replication Phases 2 - Step B

Confirm that DNS Zones
Replicated from the existing DC
to new Server

Ideally, at this point the entire contents of all Forward and
Reverse Lookup Zones on both servers will match, though the
presence of differences is not necessarily the sure sign of a
problem for our purposes.

A full explanation of DNS Zones and configurations is beyond the
scope of this project task summary. In any case, each of the
zones which exist on your source DC and are configured from
replication should have replicated to the target DC (the one in
construction) at this time provided that the zone itself is
established as an Active Directory Integrated Zone.

Tasks
Inspect the DNS Forward and Reverse Lookup Zones to confirm that these are now
populated with the same information from the previous DC/DNS server.

You can compare the DNS Forward and Reverse Lookup Zone between the pre-existing
DC and this one in construction using the Manage Computer console section for DNS.
Specifically, look to see that the zones for _msdcs is apparent in both servers databases,
and if the tree below matches.

If you have established additional zones for other purposes, its at your discretion but
probably likely that you would like to ensure they replicate across by configuring them as
Active Directory Integrated Zones as well. If they are not AD Integrated the zones will
not replicate automatically between the DCs acting as DNS servers. Therefore, the
resolution for non-replicating zones can be as simple as modifying the properties on that
zone to set it as AD Integrated Primary Zone.

Typical small domain configurations in the manner originally used for Windows 2000 level
DNS Servers will have only one Forward Lookup Zone named for the AD Domain name
(i.e. domain.local), plus a Reverse Lookup Zone named for the IP subnet used for the
domain (i.e. 192.168.12.x).

Starting with Windows Server 2003, two additional Forward Lookup Zones are added as
standard zones: DomainDnsZones and ForestDnsZones.

Expert Tip
Stale _msdcs Zone - As a sign of
a simple problem to fix, you may
discover you have more than one
_msdcs container.

Notice the illustration shows an
entire zone dedicated to the
_msdcs.[YourDomainName.local]
in addition to a zone named for
your domain. Typically empty and
the color of the object is gray rather
than yellow. If you observe this
condition it requires attention.

You can safely delete the empty
gray _msdcs and then restart the
server. If you dont correct this
stale zone you may find you have
domain resolution issues with
DNS.

Page 101
Copyrigh
Swing It!! T

Task

T

How t
ht 2004-2009 b
Technician Kit
k 12 NIC s
Reset NIC
DNS s
point to se
Tasks

o Perform a
by SBSmigratio
Documentatio
settings for
C configurat
settings to
lf as DNS S
You can mo

1. Right-c
2. Right-c
Proper
3. Click In
4. Click A
5. Configu
(itself).
should
6. After co
configu

Its recomm
Secondary
configuratio

Swing Migra
on.com
on
DNS Server
tion

Server
odify the DNS c
click My Netwo
click your prima
rties.
nternet Protoc
Advanced, and
ure the Preferr
Leave or set t
be the comput
ompleting thes
uration panel.
mended that you
DNS Server op
on to come.
ation from 20
r Phas
Once you are
properly replic
reset the loca
only as Prima

This supports
and becomes

Later process
to itself as DN

configuration b
ork Places, and
ary adapter, typ
col (TCP/IP), a
d then click the
red DNS serve
he Alternate D
ter's own intern
e steps you ca
u do not to inc
ptions. This ca
003 to SBS 2
ses 2 - Step
satisfied that t
cated the zone
l NIC configura
ary DNS Server
the steps to fo
the only serve
ses will be com
NS provider at t
by following the
d then click Pro
pically Local A
nd then click P
DNS tab.
er address to p
DNS Server as
nal LAN IP add
an close and ex
clude the othe
n tend to confu
008
B
the local DNS S
s to this server
ation on this DC
r.
ollow when this
er it can reach.
plicated if this s
this point.
ese steps:
operties.
Area Connectio
Properties.
point to the LAN
ssignment emp
dress.
xit from the netw
er DNS Server
use the steps o
Server service
r, you can now
C to point at its
s server is deta

server doesnt
on, and then cl
N IP of this serv
ty. Typically th
work adapter
r in the indicate
of cleanup and

has
self
ched
refer
ick
ver
is
ed

Page 102

Task 13 Summary DC Health Check Phases 2 - Step B

Final Inspection for Replication
and DC Health Check
You should confirm at this point that all modifications to AD that
you may have made recently, as well as all DNS and AD
replication has completed. This is not to suggest that
something mysterious has happened since a previous step
above, rather that if you know you have made changes you
have not yet confirmed, do that now.

You could use Reskit tools to do a more technical verification
as well. I dont talk about the Reskit tools at all because, and
honestly I dont even recommend you pursue this unless you
are coming out of a disaster recovery situation, or have a lot of
DCs in the existing domain. In general, these tools are overkill
and unnecessary.
Tasks

Replication Should Complete in 15 Minutes or Less

Standard time delay to allow replication on an SBS domain with just the two DCs is well
under 15 minutes, unless your DNS configuration is flawed.

The main reason for mentioning this point about replication here is that you are at the last
point where replication can still be done before you proceed. If you were to add or remove
a bunch of accounts at this point on one of the DCs, you need to wait to see that result
appear on the other.




was completed.




Expert Tip Domain Audit Guide is your best reference

If you are unfamiliar with verifying the health of a new Domain Controller, or if the above list
of items doesnt reveal an immediate impression that this is a healthy DC now, refer to the
Domain Audit Guide for more information.


Page 103

Task 14 Isolate from Production Phases 2 - Step B

Shutdown and Detach
this Server

This is the last point at which Active Directly replication can
be used to preserve changes within the construction process,
or allow you to reconnect for a missed step.

Detach this DC from the LAN connection you used in the previous DCpromo steps. The
balance of this Phase is conducted without being connected to other machines or LAN,
the server is to be standalone.
Critical
Concern
Once you proceed past this point in into the tasks of Step C, you MUST NOT
RECONNECT this DC you are editing back to a LAN with other pre-existing DCs
again for any reason.

The changes you implement in the following Steps will permanently damage any pre-
existing DCs.

If you disregard this warning, you may find it necessary to first perform a full disaster
recovery of the original production server, followed by repeating every step of the
project from the very beginning.

Expert Tip
From this time forward, it will not be possible to synchronize the production AD
configuration or the DNS settings with the new server we are building. Therefore, do not
make changes to the AD information running on the production server from now on,
otherwise, those changes will not be present in the cloned AD version you will continue
to work with offline from this point. An example of changes not retained would include
add/remove Users/Computers, changes in User information, and even changes in User
Passwords and security memberships. Any changes that must be implemented should
be noted and recreated in the new AD clone context as well. This limitation is not really
a major factor in a small domain because the sort of changes that might occur are easily
recreated, just keep notes of what you need to do.
Supplemental
Reference

At this point in a project during Phase 2, a common question is:

Do I need to worry about cleaning up my production domain before moving
forward? Is it a problem to have the TempDC stuff left behind in AD?

My answer is a resounding NO!

While your Production Domain remains online and you continue to work offline on the
migration DCs, you might be concerned about reversing the changes to your production
SBS for some reason. Im not recommending that you do this without symptoms of a
problem pushing you to concerns.

However, if a crisis developed and it became necessary, Ive outline a process to deal
with it. Refer to the Troubleshooting section with the heading Troubleshooting the
Production Domain after detaching the Migration DC.


Page 104

Milestone

AD transfer completion

We have now replicated a copy of the Active Directory from the source DC to
the DC under construction. This machine will now be detached from the
network or even or relocated.

Construction can Now Move Offline or Offsite

The balance of the migration steps until the start of Phase 5 are performed
fully detached from the production domain.

You will work either your temp server, or the construction steps for the
permanent server that can be completed in advance of returning to the
production network for the data transition.

The obvious exception to going offline for the rest of the project construction is
if you are planning to redeploy the same original hardware as your FinalDC.
Hopefully you were paying attention in Phase 1 when this was discussed
earlier. If not, you might go back and look at that again.

Never Reconnect After Passing this Milestone

This is extremely critical to understand. You cannot reconnect any DC that
moves forward into the procedures of Step C or beyond.

The modifications you perform in Step C through Step E are destructive to
Active Directory data because we will be eliminating all references to the other
DCs and Exchange.

These changes are inconsistent and incompatible with operating all previous
DCs. Reconnection will allow communication that will damage the Active
Directory on earlier condition DCs because the same destructive changes will
become replicated into those machines. You could end up with none of the
DCs in a functional condition.


Page 105

Step C
Root Domain Management Transfer/Seizure

All steps from this point forward are completed on the new server, the DC you are
constructing during this Phase, with this server detached from the production LAN.

We will seize all 5 of the domain controller server roles over to the new DC in progress. To
accomplish this, we need to first install the Windows Server Support Tools which are included on the
SBS Media Set, but have not been installed. We will use several of the tools provided in the
remaining steps of our total process. Its recommended that you install the Windows Server Support
Tools regardless.


Tasks Topic Step C
1
Isolate the Server (disconnect from LAN)
This DC must not be connected to the prior DC anymore
2
Install Windows Server Support Tools
Standard tools are on distribution media or website link
3
Seize FSMO Roles
This DC obtains right to the AD management roles


Page 106

Expert Tip

Why Seize instead of Transfer FMSO Roles?

One of the more popular questions is why Swing Migration employs the seize
of FSMO roles rather than the transfer option in NTDSutil. The answer is
pretty simple.

In Phase 2, our main goal is to leave the original DC in its current configuration
while modifying the TempDC to work standalone. We dont want to take the
FSMO roles away from the OriginalDC because we want it to remain running in
the production domain.

When would I prefer to Transfer Roles?

The only time it really makes more sense to transfer roles during a Swing
Migration is if you are building two or more DCs to introduce in Phase 5. In that
case, you might build the second DC in Phase 2 as your TempDC, and just
keep it during Phase 3 as a replica DC.


Page 107

Task 1 Confirm you are Offline Phases 2 - Step C

Isolate this Server

Detach the DC you are constructing from the LAN it was
attached to. At this point, if you are sitting in front of it, the
machine should not be connected to any network
connections at all, it should be isolated.
Critical
Concern
You MUST NOT BE CONNECTED to other DCs.

You MUST NOT RECONNECT this DC you are now editing back to a LAN with any
other pre-existing DCs again for any reason.

The changes you implement in the following Steps will permanently damage any pre-
existing DCs.

Expert Tip

Making a backup of the condition at this point of this machine condition is useful,
but not required.

You could make a System State Backup, or a Drive Image, or perhaps if you are
working in Virtual PC/Server you can save a roll-back point. If you make an error in your
editing during this section or through the balance of the Phase, this is a convenient point
to come back to.


Page 108

Task 2 Install Windows Tools Phases 2 - Step C

Install the Required
Windows Server Support Tools

The steps to cleanup Active Directory that following in Steps
C through E require additional tools from Microsoft. These
Windows Support Tools are included on the distribution
media, but you can also download them.

On SBSmigration.com in the Resources section of the Kit
Owners website you will find links to download these tools
directly from Microsofts website if thats convenient for you.
Expert Tip
If you dont have the CDs indicated below available, you can locate a direct from
Microsoft download link on the SBSmigration.com website Resources page.
Tools / Media
Required
SBS 2003 or
SBS R2
CD2 media
Windows Server Support Tools

Install the Windows Server Support Tools. You will need
several of these.

From the set, the installation resource folder is located on the
indicated media CD:

\support\tools\suptools.msi.
Windows Server
2003 or R2
CD1 Media
Tasks

1. Execute the suptools.msi from Explorer or from the Start > Run option.

2. We are primarily interested in two of the tools installed automatically with the entire
set:

NTDSUTIL
o NTDSUTIL is required in order to seize the Server Roles for the
domain. It can also be used for removing domain controllers.
To launch NTDSutil, on any domain controller click: Start, click Run,
type ntdsutil in the Open box, and then click OK.

ADSiEdit
ADSIedit is required in order view or modify the Active Directory
database and structure, and is specifically useful for addressing the
needs to remove the Exchange Server configuration.
To execute ADSIedit, after installing the Support Tools, run the MMC
item or create a shortcut to its location:

C:\Program Files\Support Tools\adsiedit.msc

Important
Concept
Create a shortcut to the ADSiEdit tool and place it somewhere convenient (perhaps the
desktop or in the Start Menu). You will use this tool frequently enough in the next few
Steps to want it easily launched. The tasks to follow assume you know how Launch it.
Expert Tip
For information on the complete contents of the Windows Server Support tools, consult
the help file installed to this location:

Start Menu >Programs >Windows Support Tools >Support Tools Help


Page 109

Task 3 Seize FSMO Roles Phases 2 - Step C

Seize the FSMO Roles

Using NTDSUTIL, you can review and modify the FSMO role
holders in the domain, among other tasks it offers. For our
purposes, we want to use it to seize roles from other servers
that are not accessible, intentionally not accessible. Our
purpose is to allow the existing FMSO role holders to
continue to operate in the production domain as normal,
while proceeding to make this DC in construction capable of
taking over the domain independently while running offline.

Technically, when a server role is moved between two DCs
that can communicate to each other, that process is called a
transfer. A seizure occurs when the hosting DC is
unavailable to communicate, and the seizing DC declares
itself as taking that role without an agreement with the
previous role holder. The end result for the server obtaining
the roles is the same.

Another option with NTDSutil is to confirm that all server
roles have been pulled to the remaining server as an audit
process or for troubleshooting.

Microsoft recommends that you use the domain controller
that is taking on the FSMO roles to execute these
commands, and we will be doing that. To see a list of
available commands at any of the prompts in the Ntdsutil
tool, type ?, and then press ENTER.

Important
Concept
You must be logged on as a Domain Administrator. You will receive
errors and the process will fail if you are not currently logged on as a
Domain Administrator enabled account.
Tasks

KB 255504

To seize or transfer the FSMO roles by using Ntdsutil
1. Proceed by sitting at the Domain Controller you are constructing, click Start, click
Run, type ntdsutil in the Open box, and then click OK.
2. Type roles, and then press ENTER.
3. Type connections, and then press ENTER.
4. Type connect to server [servername], where servername is the name of this
server you are sitting at (or executing the command from), and then press
ENTER.
5. From the server connections: prompt, type q, and then press ENTER again.
6. From the Fsmo maintenance: prompt, we will proceed below to seize each of
the 5 FSMO roles.
If this is your first time working on this task, I recommend you familiarize
yourself with the details of the two Expert Tips now before you move to
complete the rest of the procedures in this task


Page 110

(cont.) Task 3

Expert Tip
The display of the Seize command shows an errorintentionally!

The sequence of command procedures you next run in the form of seize role, where
role is the role you want to seize, may appear confusing at first.

As you type each of the commands, if the syntax is correct, a popup menu prompt
always asks to confirm the role seizure. If you type an erroneous command, or syntax
error, that is explained in the command window itself. If you type a correct command but
the server already owns the role, you may get one of two different prompt replies. While
that inconsistency may be annoying, thats not the point of confusion I want to explain.

Each time you succeed in seizing a role, it still appears without a close reading that
every command you are executing is failing because, in fact, an error result displays
with every command success each time when you do execute the command
correctly. This is because a default feature of NTDSutil is to first attempt a transfer
roles between the servers before doing the seizure you requested. In our situation, that
transfer will always fail because the other server cant be reached.

For a list of roles that you could seize, you could type ? at the prompt, and then press
ENTER, but the list of roles listed in the procedure just below is always the same.

7. To complete the FSMO role seizure step, execute each of the following
commands:
Seize pdc
Seize domain naming master
Seize infrastructure master
Seize RID master
Seize schema master

8. You should now confirm that each of the roles now indicates the same server, the
one in construction, is the FMSO role holder for all roles.
9. Type q, and then press ENTER, and repeat until you exit NTDSutil.

Expert Tip
Each Seize command finishes with an updated summary result displayed

Each time the seize command is executed, the last response it provides is a summary
of role ownership as of that change. When the last seize command above has
completed, you should now see that summary shows all five of the listed Server Roles
are held by the new DC. Thats the indication that we have accomplished our goal.

To understand why this happens, observe that before Seizing, the NTDSutil will first
cause the DC to request transfer of the role from the DC that is the current role holder.
The error indicates that this transfer request failed, which is to be expected. Since the
server currently listed in AD as owning this is unavailable, the transfer request results in
a failure, which is indicated as an error. Immediately after, the seizure step will next
proceed. Therefore dont be surprised to see errors reported, expect them. What
matters is that after executing the seizure on all five of the roles, we will confirm the
success with a command to verify all roles.


Page 111


FSMO Role Transfer Tools

The steps in Step C are outlined directly in Q255504 as indicated to seize all
roles, we use NTDSutil.

Using Ntdsutil.exe to Seize or Transfer FSMO Roles to a Domain
Controller
http://support.microsoft.com/default.aspx?scid=kb;EN-US;255504

The following additional KBs are useful in documenting the process required, or
else alternative processes you could consider in different scenarios:

HOW TO: Find Servers That Hold Flexible Single Master Operations
Roles
http://support.microsoft.com/default.aspx?scid=kb;EN-US;234790

The next KB method will not work unless the DC hosting the role currently is still
accessible to communicate with as the request for transfer is made. This is fine if
you are working in a larger LAN than with a typical SBS based domain. The
problem with SBS is that since its role is intended to be unique in a domain,
transferring the server roles to a different server name essentially ensures that
you have taken the domain out of production already, because otherwise, you are
that point!

Still, one useful approach for an orderly transfer of roles might be to first create a
drive image of the production server, and using that imaged version, transfer the
roles to the offline construction DC. In this way, the production SBS is only offline
for the time it takes to image the server, then transfer the roles. You then restart
the server using the production drives and you have a more orderly transfer of
server roles than the seizure provides, but it also involves additional steps, and
probably 3
rd
party software for the imaging steps.

HOW TO: View and Transfer FSMO Roles in the Graphical User
Interface
http://support.microsoft.com/default.aspx?scid=kb;en-
us;255690&Product=win2000

This next KB illustrates a technique that can be used in scripting the process of
domain controller creation.

Unattended Promotion and Demotion of Windows 2000 Domain
Controllers
http://support.microsoft.com/default.aspx?scid=kb;en-
us;223757&Product=win2000


Page 112

Step D
Required Active Directory Cleanup Exchange Organization


Tasks Topic Step D
1
Remove Exchange Server Objects being replaced
Cleanup of Exchange AD information for predictable tasks
2
Remove any existing Certificate Authority Objects
Cleanup required for compliance with SBS 2008 Setup

Unique points about Step D to consider:

Contrary to steps used in prior versions of Swing Migration
for 2003 Series projects:

DO NOT REMOVE THE ENTIRE
Exchange Organization.

If you are on a rare multi-server or separate Exchange
member server project you must preserve the member
Exchange Server.

Preserve Exchange Member Servers

Please review the Important Documentation Notes that follow
on the next page for details.


Page 113


NORMAL PROCEDURE: APPLIED FOR 99% CASES

DO NOT Remove the Exchange Organization

The project path of previous versions in a Swing Migration normally removes the
entire Exchange Organization, but that would complicate this project.

We want to keep the entire organization for this migration to Exchange 2007, and to
make this project simpler you will have a tool to use in Phase 5 to help with the
cleanup required.

SPECIAL MULTI-SERVER SCENARIOS

Permanent Exchange Servers: Do Not Remove

Only if you have a multi-server production configuration at the end of this project will
this possibly apply to you.

In this variation would you choose to not only keep the Exchange Organization, you
want to preserve the references in AD for that Exchange member server.


Page 114

Expert Tip

The procedures in Step D make substantial changes
to your AD information

This is a safe process primarily because we are working offline from the
production LAN, therefore, if a radical problem occurred, we are not going to be in
trouble because we can start over with the migration process. Doing these same
steps to a production domain are normally only considered as part of a disaster
recovery process in which you have no better choices for recovery steps.
Therefore, this warning is to inform you not to take these steps lightly in a different
circumstance, and to be sure you really are working offline in this case.


Page 115

Task 1 Exchange Org Cleanup Phase 2 - Step D

Remove
Exchange Server Objects
using ADSiEdit

In the past versions of Swing Migration the procedure
dictated to purge the entire Exchange Organization and
proceed with the configuration as a clean install. This no
longer simplifies the project of a Swing Migration when
moving from Exchange 2003 to Exchange 2007. Its much
simpler to deal with the cleanup of the original organization.

The tasks below comply with the outline Microsoft has
defined for doing a Migration Mode transfer of Exchange
2003 to Exchange 2007. In our case, we are doing cleanup
of the Organization to remove the original Exchange Server,
then the TempDC is being constructed as the new Exchange
2003 Server to provide the bridge to transfer into the
Exchange 2007 running on the SBS 2008 server.
Expert Tip
Exchange Organization Cleanup New Procedures!!

We no longer remove the Organization as in the past. We want instead to remove only
the specific Exchange Server objects going out of service during the Swing, and related
objects outlined in this Task.

If you have one or more separate member servers running Exchange now in
production that will continue to run Exchange after the Swing Migration is
completed. In this case, you must preserve those server objects.
Task 1.0 Phases 2 - Step D

Using ADSiEdit: How to locate the objects?

The instructions that follow instruct you to navigate into the AD Tree using ASDiEdit,
and to locate specific objects. In the sample below, note that the names shown in bold-
italic may have a different name specific to what is unique in your Active Directory.

Configuration Naming Context
Configuration Container
CN=Services
CN=Exchange_organization_name
CN=First Administrative Group



Page 116


Tasks

Remove Exchange Server

Locate the Servers container but do NOT remove it, rather you only remove the objects
below it that are named for a specific servers in your domain. Typically the only server
listed will be the OriginalDC you are replacing that is currently also running Exchange.

If you have a member server running Exchange Server which will continue to be operating
after you complete the Swing Migration project, you would leave that object intact in the
Active Directory, dont delete it or object below it.

1. Launch ADSiEdit. You can locate the MMC console here:

C:\Program Files\Support Tools\adsiedit.msc

2. Locate the servers found below the CN=Servers object:

CN=Services
CN=Your Administrative Group
CN=Servers
Important: Do NOT delete the CN=Servers container.
3. Delete only objects below this container, each object will be named for a specific
Exchange Server in your operations.

Remove Connection Agreement Objects

1. Expand the tree to Locate the following object:

CN=Services
CN=Active Directory Connections

2. Below that container, locate the objects now shown in the right-side pane.

3. Make sure that no Connection Agreements objects exist in the CN=Active
Directory Connections container.

If a Connection Agreement objects exist, right-click that Connection
Agreement, and then click DELETE.



Page 117

(Cont.) Task 1.2
KB 325323 Remove Internet Connector Objects

1. Expand the tree to locate and select the following object:

CN=Services
CN= Connections

2. Below that container, locate the objects now shown in the right-side pane.

3. Normally if you have only the one existing Exchange Server to remove because you
are replacing it with your new SBS 2008, you would remove all objects listed below
Connections.

If you are preserving a member server in your production domain, you must
either preserve the related connections here, or you will need to recreate
them in Phase 5.
Delete the Default Offline Address Book

1. On the TempDC, using ADSiEdit, locate this object:

Configuration
Services
Microsoft Exchange
CN=[Exchange_organization_name
Address Lists Container
Offline Address Lists

2. Locate this object now shown in the right-side pane:

Default Offline Address List

3. Delete this object, for confirmation this is the name and class describing the object
as you see it in ADSiEdit.

Name: CN=Default Offline Address List
Class: msExchOAB



Page 118

(Cont.) Task 1.2
Delete the stale SMTP Connectors

1. On the TempDC, using ADSiEdit, locate this object:

Services
Microsoft Exchange
CN= Exchange_organization_name
Administrative Groups
CN=Your Administrative Group
Routing Groups
first routing group
Connections

2. Below that container, locate the objects now shown in the right-side pane:

SmallBusiness SMTP connector

Note: The exact name of this connector can vary, and there may be
more than one connector listed here. It will be an object identified with
the Class= msExchRoutingSMTPConnector

3. Action: Delete each object of this type.
Important
Concept

Removing Stale Exchange System Objects Now Orphaned

Earlier in Phase 1 Task 6 you were instructed to run the Kit tool ExchPfReport on the
OriginalDC server. (Refer back to there is needed). That tool produces a reference list
PubFoldersToPurge.txt report of the objects to be removed in the next task.

If the report with this specific is not generated when you run the tool, contact
SBSmigration.com support for assistance in diagnosing the issue.

Critical: Do not edit on the OriginalDC or while OriginalDC is connected with the
TempDC to the production domain earlier in the project. That will damage your production
Exchange. This list generated above must be used here in Step D and only on the
TempDC in isolation.

Remove Stale Exchange System Objects

The Exchange Server objects remaining in the Exchange System Folders in Active
Directory are orphaned, these must be removed to avoid blocks in SBS 2008 setup.

Working on the TempDC, use ADSiEdit identify the Exchange System objects. The folder
location to examine and what to do is:

1. On the TempDC, using ADSiEdit, locate this location:

Domain Naming Context
DC=[yourdomain],DC=[LOCAL]
CN=Microsoft Exchange System Objects

Note: This location contains references to either a mail enabled public folder
reference, or a System Folder.

2. Selectively remove each objects in this list based upon report
PubFoldersToPurge.txt generated from the ExchPfReport tool.


Page 119

Task 2 Certificate Authority Cleanup Phase 2 - Step D

Remove
Certificate Authority Server
Objects

The tasks below comply with the outline Microsoft has
defined for doing a Migration Mode transfer of Exchange
2003 to Exchange 2007.

In our case, we are doing cleanup of the Active Directory to
remove any existing Certificate Authority Server related
objects. SBS 2008 server setup will create a new CA Server
configuration on the SBS 2008.

The most common case is that there is no Certificate
Authority Server installation, therefore you are not likely to
find anything to do here, but you have to check.
Important
Concept
Most Likely Case: No Objects to Remove

The instructions that follow instruct you to navigate into the AD Sites and Services to
locate the objects to be removed. In each case you may actually find there is nothing to
do.

However, if there are objects here and you dont remove them, you can be certain that
your SBS 2008 Setup is going to fail, you will lose 2-3 hours as a result.

Your Organization is really using Certificate Authority Service Now?

In some cases this could be true, but CA Service was never used or installed by default
in SBS 2003 R2 or earlier versions. It was not the provider used by Remote Web
Workplace or for the Exchange, that was not this service or that certificate source.

The only common reason you would be using a CA in a small business operations
would be if you are using Radius Authentication on wireless (WiFi) based remote
access connections or for security token authentication such as AuthAnvil provides.

If you really do need a CA in your operations, it may not be a critical need to have the
CA you have now preserved, you may be fine just using the new one generated by
SBS 2008. However, if you have a priority to continue to use your existing certificates
from your own internally managed Certificate Authority Service, you may need to
backup your CA database and prepare to install it to your new SBS 2008 as a restore
from backup.
Expert Tip

How to Preserve an existing Certificate Authority Configuration?

Please read the Important Concept details, you probably dont need this information.

To ensure that you can restore your CA database, the Certificate Authority Server
name must match the original. You can accomplish that in one of two ways.

Option 1: Specify that name during the SBS 2008 Setup sequence when you are
prompted for the name.

Option 2: Allow SBS 2008 setup to install a default CA configuration. But immediately
after completing SBS Setup (as the first task in Phase 4), you would uninstall and then
reinstall the Certificate Authority Server feature on your server before you run any of
the SBS 2008 post-setup wizards.



Page 120

Task 2 (cont.) Phases 2 - Step D

Using AD Sites and Services to Locate and Remove these Objects

Please review the entire set of tasks procedures below you begin in case you should
need to ask for assistance in determining if your configuration is containing more than
one Certificate of Authority Server.

To identify and remove all Certification Services objects from Active Directory:

1. From the Start Menu locate "Active Directory Sites and Services" in the
Administrative Tools section.

2. From that console, in the left-panel select the top-object. Now click the "View" menu
option, and select "Show Services" Node.

3. Expand the "Services", and then expand "Public Key Services".

4. Select the "AIA" node.

5. In the right-hand pane, locate each "certificateAuthority" object shown for your
Certification Authority. Delete the object.

6. Select the "CDP" node.

7. In the right-hand pane, locate the Container object for the server where Certification
Services is installed. Delete the container and the objects it contains.

8. Select the "Certification Authorities" node.

9. In the right-hand pane, locate each "certificateAuthority" object for your
Certification Authority. Delete the object.

10. Select the "Enrollment Services" node.

11. In the right-hand pane, locate each "pKIEnrollmentService" object for your
Certification Authority,delete it.

12. Select the "Certificate Templates" node.

13. In the right-hand pane, delete all the Certificate Templates.

Note: Delete all the Certificate Templates only if no other Enterprise CAs are
installed in the forest.

14. Click the "Public key Services" node and locate the "NTAuthCertificates" object.

15. If there are no other Enterprise or Stand-alone CAs installed in the forest, delete the
object, otherwise leave it alone.



Page 121

Task 2 (cont.) Phases 2 - Step D

Important
Concept
Did you find any Certificate Authority Objects to Remove?

In the tasks above if you didnt find any objects to remove, you can skip the remaining
tasks below. There will be no Domain Controller cleanup to do if there were no AD objects
found or removed.

Domain Controller Cleanup

Once the CA has been eliminated in the steps above, the certificates that have been
issued to all the domain controllers need to be removed.

1. At the command prompt on a domain controller, type:

certutil -dcinfo deleteBad

Note: This command may be successful, or it may return an error if there are no
existing certificates found to remove. You can ignore the error and continue.

2. Certutil.exe will attempt to validate all the DC certificates issued to the domain
controllers. Certificates that fail to validate will be removed. Normally you would need to
apply this logic to all DCs, but in this Swing Migration condition this will be the only DC in
the domain.

3. Force application of the security policy to update. At the command prompt, type
(exactly the words as it is says below)

gpupdate /target:computer


Page 122

Step E
Remove Domain Controller entries: AD, DNS, WINS, DHCP

The steps below are required in order to purge AD of entries that refer to the previous SBS Server. These
entries must be removed in order to prevent AD from attempting to replicate to the missing DC. In
addition, adding a new DC back into AD with the same name as the previous SBS would be blocked.
Removing the DC entries solves both issues.


Tasks Topic Step E
1
Cleanup Metabase for DCs other than this one
All other DC references are removed from AD
2
Remove other DC Computer Account Objects
3
Remove Replication Object

4
Remove DHCP Authority Objects
These objects are recreated during installation setup

5
Remove Stale Domain Trust Objects
Trusts cannot be sustained within this project path

6
Remove IWAM & IUSR Objects
These objects are recreated during installation setup

7
Cleanup DNS Zone Records
DNS records of DCs and general housekeeping

8
Restart and Verify Normal Operations
Confirmation of tasks and completion

Expert Tip
Normally you must remove references to all other
DCs in the production domain

Your purpose is to remove all other DCs so that by the end of Step E, the
server you are constructing is the only Domain Controller in the Active
Directory. The only exception would be if you are constructing another Domain
Controller offline with this one to be introduced together.


Page 123

Task 1 Remove all other DCs in AD Phases 2 - Step E

Remove References to all
Other Domain Controllers

We use NTDSutil to cleanup the AD Metabase. Based on
the options given, the administrator can perform the
removal once all configuration parameters must be
specified to identify the specific server. Its not a simple as
delete servername until additional information is verified.

Therefore you will start by indicating the Domain
Controller you want to work from, a seemingly obvious
point but you specify the one you are sitting as the one
you want to connect to. From there, you will be making the
selection of the Site, Domain and then Server you want to
remove.

As you proceed, NTDSutil command presents a summary
of all selection characteristic required, even if you have
not yet identified them. Therefore, each command seems
to generate some errors reported. For instance, the first
thing you identify is the domain, yet NTDSutil echoes back
the Domain you selected, plus also echoes back:

No current site
Domain [your domain]
No current server
No current Naming Context

Just continue to step through the commands as indicated,
you will see each item is filled in as needed.
Important
Concept
You must be logged on as a Domain Administrator. You will receive errors
and the process will fail if you are not currently logged on as a Domain
Administrator enabled account.
Expert Tip
Connect to this server, remove all other DC objects
In this task, you should connect by specifying the servername as the computer you are
constructing, the one from which you are running these commands.
Tasks

KB 216498
Removing DC Role references
Click Start, point to Programs, point to Accessories, and then click Command Prompt.
1. At the command prompt, type ntdsutil, and then press ENTER.
2. Type metadata cleanup, and then press ENTER.
3. Type connections and press ENTER.
This menu is used to connect to the specific server where the changes occur. If
the currently logged on user does not have administrative permissions, different
credentials can be supplied by specifying the credentials to use before making the
connection. To do so, type set creds domainname username password and
press ENTER. For a null password, type null for the password parameter.
4. Type connect to server servername, specifying the name of the DC you are
currently working from as the servername, and then press ENTER.
You should receive confirmation that the connection is successfully established. If
an error occurs, verify that the domain controller being used in the connection is
available and the credentials you supplied have administrative permissions on the
server.



Page 124

(cont) Task 1 Phases 2 - Step E

Expert Tip
Note: If you try to connect to the same server that you want to delete, when you
try to delete the server referred to in procedure 5 above, you may receive the
following error message:
Error 2094. The DSA Object cannot be deleted0x2094

5. Type quit, and then press ENTER. The Metadata Cleanup menu appears.
6. Type select operation target and press ENTER.
7. Type list domains and press ENTER. A list of domains in the forest is displayed, each
with an associated number.
8. Type select domain number and press ENTER, where number is the number in the
list associated with the domain for the server you are removing.
The domain you select is used to determine if the server being removed is the last
domain controller of that domain.
Expert Tip
Notice the NTDSutil command presents a summary of all selection required, even
if you have not yet identified them, therefore, each command seems to generate
some errors reported. Just continue to step through the commands as indicated,
you will see each item is filled in as needed.

NTDSutil echoes back the Domain you selected, plus also echoes back:

No current site
Domain [your domain]
No current server
No current Naming Context

9. Type list sites and press ENTER. A list of sites, each with an associated number, is
displayed.
10. Type select site number and press ENTER, where number is the number associated
with the site the server you are removing is a member of. You should receive a
confirmation listing the site and domain you chose.
Important
Concept
Do Not Attempt to Remove the TempDC Object
If the list of servers reported in Procedure 12 below includes more than one server to be
removed, the normal process of Swing Migration would be to loop through this process to
remove all additional servers until only the server left in the list is the one you are
constructing in this current Phase.
Remove all production DCs or stale DC objects, keep only the TempDC.

11. Type list servers in site and press ENTER. A list of servers in the site, each with an
associated number, is displayed.
12. Type select server number, where number is the number associated with the server
you want to remove. You receive a confirmation listing the selected server, its Domain
Name Server (DNS) host name, and the location of the server's computer account you
want to remove.
13. Type quit and press ENTER. The Metadata Cleanup menu appears.
14. Type remove selected server and press ENTER. You should receive confirmation
that the removal completed successfully.


Page 125

(cont) Task 1 Phases 2 - Step E

Expert Tip
Note: If you receive the following error message:
Error 8419 (0x20E3)
The DSA object could not be found
This indicates the NTDS Settings object may already be removed from Active
Directory as the result of another administrator action removing the NTDS
Settings object, or replication of the successful removal of the object after running
the DCPROMO utility.

Note: You may also see this error when you try to bind to the domain controller
that is going to be removed. Ntdsutil has to bind to a domain controller other than
the one that is going to be removed with metadata cleanup.
Important
Concept
Remove all DCs other than the TempDC
If the list of servers reported in Procedure 11 above included additional servers that need
to be removed, proceed to remove those as follows:

Continuing from Procedure 14, loop back through Procedures 11 through 14 above
as needed to address each additional server you identified as needing to be
removed. Once all required DC objects are removed and only this current DC
remains, exit this task with Procedure 15 below.

If your domain has other DCs located in different Sites than the one you chose above, you
would need to cycle back further to Procedure 9 in order to select a different site where the
other DC is located.

Do you have more than one Site?
If you have more than one site in your Active Directory configuration you must remove DCs
from all sites, leaving only the TempDC existing. In this case repeat the procedure above to
review your other sites.
Most common: you have only one site, the Default First Site.
With only one site to address, or if you have reviewed all of your sites, you are now finished
with this task.
15. Type quit at each menu to quit the Ntdsutil utility. You should receive confirmation that
the connection disconnected successfully.


Page 126

Task 2 Confirm Computer Accounts Removed Phases 2 - Step E

Remove Computer Account and
Replication References to all other
Domain Controllers

Using ADSIEdit, we now inspect the Metabase directly for
additional cleanup, as well as to remove the computer
accounts and stale replication references to any other DCs
they still remain.
Important
Concept
Expert Tip
You may not find more objects to remove in Task 2.

DO NOT DELETE ANY TEMPDC RELATED OBJECTS!

Dont get confused, this inspection process sometimes doesnt reveal any additional objects.
We review this to find any objects that the previous task failed to offer, or failed to properly
delete. In some cases, you may discover objects related to long ago forgotten and dead DCs,
or accidentally created objects from a previous migration attempt. A very common task is
cleaning up from a previous attempt to add a DC for this migration where you decided the best
thing was to start over again with a clean TempDC.
Task 2.1 DC Account Object

Confirm that the TempDC is the only DC computer object remaining here
1. Launch ADSiEdit.
2. Expand the Domain NC container.
3. Expand DC=Your Domain, DC=LOCAL.
Note: Your own domain will be listed with the appropriate extension, whether it is
LOCAL or COM or whatever you used.
4. Expand OU=Domain Controllers.
5. If you identify any DC objects here other than the TempDC, Right-click CN=domain
controller name, and then click Delete that object. (Do not delete the TempdC object.)
Important
Concept
Do Not Attempt to Remove the TempDC Objects
If the list of servers reported here shows only the TempDC object, you are done with Task 2.1
Remove any and all other production DCs or stale DC objects, keep only the TempDC.
Expert Tip
If you find that you cant locate the object indicated above in the Domain Controllers OU,
its possible that the object was moved to a different location in the AD tree. While that
may not have affected operations, it can affect the automated cleanup steps we are using.
Therefore, if you dont find this DC object located where its supposed to be, then use the
AD search feature to find it. To do this, click on the top-most Domain object in the tree, the
right-click and choose Find. Search for the DC name or for all DCs. If you locate the object
in a different OU or folder, delete it from there.
If you locate the DC object, but are not successful in deleting it with a message returned
similar to Access Denied, you can try first deleting the subtree objects below the DC
object first, starting from the bottom and working your way back up to the top.


Page 127

Task 2.2 Delete DC FRS Object Phases 2 - Step E

Expert Tip
You may not find FRS subscriber objects to remove.
The FRS subscriber object is deleted when the computer object is deleted with normal
administration tools because it is a child of the computer account. Older versions of NTDSutil
fail to address all objects, as would variations occur depending upon the use of customer tools
or scripts, ADSiEdit, or with conditions where failed installations or demotions are involved.

Remove FRS member objects as needed (Preserve the TempDC objects)
To do this, follow these steps:
1. Start ADSIEdit.
2. Expand the tree below the Domain NC container as indicated below:
DC=[Your Domain], DC=[LOCAL]
CN=System
CN=File Replication Service
CN=Domain System Volume (SYSVOL share)

3. Looking at the objects below CN=Domain System Volume (SYSVOL share), you
should now observe one or more objects named for Domain Controllers.
4. For any objects other than those for the TempDC, Right-click the domain controller object
you are removing, and then click Delete. (Do not delete the TempDC objects)
Task 2.3 Delete Server Site Reference Phases 2 - Step E

Delete the Site reference container as needed (Preserve the TempDC objects)


1. Start ADSIEdit.
2. Expand the Configuration Container.
3. Expand CN=Sites
4. Expand the tree below CN=Default-First-Site-Name

Typically, only three objects are listed below CN=Sites, you would expect the three objects
listed below named literally as indicated here:

CN=Default-First-Site-Name
CN=Inter-site Transports
CN=Subnets
In most cases, we are only interested in the contents below the CN=Default-First-Site-Name
container because it is the only object present by default which is identified in the right-side
panel details under the column heading Class having the designation of a site.
Important
Concept
If your review find additional objects listed with the Class column designation of site, inspect
them in addition to the CN=Default-First-Site-Name containers. To locate all servername
objects you are trying to delete, its possible that a new site name was created or that the
original CN=Default-First-Site-Name object was renamed. Using the instructions below, you
would want to repeat the procedure below for any other sites listed.

5. You should now see and expand the container named CN=Servers.
6. Expand the tree below CN=Servers.
7. Typically, below the container named CN=Servers you should now see a container named
for the computer object you are looking for. It should read as CN=domain controller name
with the actual name of your server indicated.

If you identify an object named for the computer you are removing, delete only that servername
object, leaving the parent object named CN=Servers even it if is now empty.

Page 128

Task 3 Delete DHCP Authority Object Phases 2 - Step E

Remove the DHCP Authority
Objects Associated with a Server
Removed in Steps Above

Using ADSIEdit, we now inspect the Metabase directly for
additional cleanup, as well as to remove the computer
accounts and stale replication references to any other DCs
they still remain.

When you reinstall DHCP Server later, you will recover this
setting at that time.
Important
Concept
Expert Tip
You may not find more objects to remove.

Dont get confused, this inspection process sometimes doesnt reveal any additional
objects. You may not have installed DHCP Server on the DC you have removed, therefore
that object would not have been created here.

Remove DHCP authority reference objects related to the removed server
1. Launch ADSIEdit.
2. Expand the Configuration Container
3. Expand CN=Services
4. Expand CN=NetServices
5. Right-click the objects that are identified in the right-side panel details under the
column heading Class having the designation of dHCPClass, and then click
Delete.
Note that even if a different server in your domain was associated with this object,
there isnt any impact upon the DHCP Server configuration itself, only that the DHCP
Server itself is returned to a non-authorized state. Once you authorize it again, it
returns to original operations configuration.
6. If you find no objects of this type listed, you need not be concerned, you can continue
to the next task.


Page 129

Task 4 Remove Trusted Domain DCs Phases 2 - Step E

( When Applicable )

Remove Trusted domains
and related Domain Controllers

This is an unlikely condition with an SBS domain, but might
occur if you are using this document to migrate from a
standard Windows Domain that allowed trusts, but you are
now migrating to SBS. In other words, this condition would
not be possible to have occurred in a domain that was an
SBS because Domain Trusts are not allowed. For that same
reason, trusted domains will not be allowed in our final
configuration.
Expert Tip
You may not find more objects to remove when you have no trusts.

Dont get confused, this is unlikely to apply in a small domain. This task is mentioned here
only because in the rare occasion it might apply, this is the point at which you deal with it.

Delete the trustDomain object for the domain trust.

1. Start ADSIEdit.
2. Expand the container referenced as Domain [yourserver.yourdomain.local].

Note this container will be named for your specific domain name.

3. Expand the level below it references similar to DC=Your Domain, DC= LOCAL.

Note this container will be named for your specific domain name.

4. Expand CN=System.
5. Right-click the Trust Domain object, and then click Delete.

Remove any domain controllers remaining from a trusted domain

Use Active Directory Sites and Services to this, following these steps:
1. Start Active Directory Sites and Services.
2. Expand CN=Sites.
3. Expand the server's site. The default site is CN=Default-First-Site-Name.
4. Expand CN=Servers.
5. Right-click the domain controller, and then click Delete.


Page 130

Task 5 Delete stale IIS Accounts Phases 2 - Step E

Remove Obsolete
IWAM_Servername and
IUSR_Servername User Accounts

Internet Information Service uses a pair of uniquely name
user accounts to run as services. These accounts are
created automatically when installing IIS, but run only against
the local machine. By default, these unique accounts are
created have names matching the Servername they were
created for originally.

We want to remove any IWAM_Servername and
IUSR_Servername accounts in AD for which Servername
portion matches a DC you have removed, even if you will be
recreating a new server with that name. Leave the entries
associated with the current server. This is because the
accounts are created by IIS with a unique password. Even
though we will later add a machine back in with the same
name, the accounts will not have a matching password,
therefore it will break the IIS configuration. Its much easier to
remove the account entirely and let IIS do its normal
installation.

If these accounts remain and you later create a new IIS
Server with the same name, a password synchronization
error occurs. In the case of SBS 2003, this will lead to non-
functional service by the OWA, OMA and similar services.
The problem can be resolved if this step is missed, but its
simple to do at this point.

One last complication to mention relates only to Dell OEM
machines. Unique to Dell media and setup operations, the
IWAM and IUSR accounts are created with all the same
issues involved, except that Dell doesnt assign the name of
the account with the servername included in the account
name. Instead, they generate a random string of characters
for the name. The only point of confusion this adds is that
you have to determine which server is associated with which
account by direct inspection of the IIS configuration.
Important
Concept
Expert Tip
You may not find more objects to remove.

Dont get confused, this inspection process sometimes doesnt reveal any additional
objects.
Expert Tip
Dell brand servers use non-standard IWAM and IUSR account names

The IWAM and IUSR account created by Dell branded installation media do not name these
accounts for the server name, rather its an odd alphanumeric string of characters preceded
with the prefix, resulting in IWAM_[characters] and IUSR_[characters] and the character
string is the same for both accounts. To validate which server these are associated with,
you may find it convenient to examine the default website logon account.



Page 131

(Cont.) Task 5

Remove Stale IWAM and IUSR Accounts

Remove any IWAM_Servername and IUSR_Servername accounts in AD for which
Servername portion matches a DC you have removed, even if you will be recreating a new
server with that name.

To locate and remove these accounts:

1. Launch the Active Directory Users and Computers console from Administrator Tools
section of the Start Menu.
2. Right-click the object at the top of the tree which is named for YourDomainName,
right-click and then click Find.
3. The search pane opens by default to the tab for Users, Contacts and Groups.In the
Name blank, enter only the letter I (without quotes) which will result in a search for all
accounts starting with that letter.
4. Review the matches returned from the search to identify the IWAM and IUSR named
accounts matching the servers you are taking out of service and removing in the tasks
above.
5. To remove an account, right-click the name of the account, click Delete, and then click
Yes when you are prompted to confirm the removal.
6. Close the Search panel and the Active Directory Users and Computers console
when you have finished.


Page 132

Task 6 DNS Zone Cleanup Phases 2 - Step E

DNS Records Cleanup

As a result of this upgrade process, you now will have DNS
records remaining that no longer are valid. These need to be
cleaned up for several reasons, its not enough to say they
dont matter, they do.

Some of the records that would otherwise remain will
confuse, degrade or actually block further steps we need to
proceed with because quite literally these records point to
inaccurate or non-existent resources. Some additional
records could be ignored because they are generic, but
thats not unilaterally true either. For instance, the GUID
record for a Domain Controller could stay if we were in the
process of a Disaster Recovery where the exact same server
is to be reintroduced by a System State restore. That creates
problems when a new server with the same name identity is
introduced instead. For any servers we removed with
NTDSutil, the GUID is already now invalid, will always be
invalid.

Most if not all valid records are recreated during the normal
setup and installation of the SBS.

Remove Records for Domain Controllers Deleted in Tasks Above

For any DCs in the domain you have now removed in the tasks above, use the
DNSpurge tool to remove related records. Records for this DC currently in construction
(that you are sitting at) should remain as is.

Remove Other Stale or Invalid Records

While inspecting the DNS Zones, you could also use the DNSpurge tool to remove
stale or invalid records for any DCs or DNS servers no longer valid in the domain, such
as failed servers or failed DCs from other migration attempts.

Important
Concept

Also Remove Production Domain Controllers that will be demoted

The only records for valid Domain Controllers that you should retain are those for
servers currently connected or being deployed as a new server together with the server
in construction.

If you currently operate DCs in your production domain which will remain operating
beyond after the replacement of the from the old domain configuration to the new one,
you will need to demote and then DCpromo them back to this new servers domain
during Phase 5. When they are returned to service, they will re-register themselves with
the required records.

Swing It!!
Tool
The DNSpurge tool is quite simple, launched by dbl-click. After launching DNSpurge, it
requests the DNS server name to communicate with (defaulting to the local server), and
then it requests the computername to search for in the DNS Zones.

After returning the matches as a report, you are given the option to exit the tool or to
proceed into deleting the records selectively one at a time. Therefore its safe to use
DNSpurge to search first without the plan for deleting anything, as long as you dont
proceed when given the option to quit after the search results report is generated.


Page 133


Swing It!! Kit Tool DNSpurge can be used to confirm status
and perform the cleanup steps in Step E (Phase 2 and again in
Phase 3) instead of using the DNS console. You can use it later if
you need to validate that these steps have been successfully
completed.

DNSpurge is much easier to use for this task than manually
editing the Forward and Reverse Lookup Zones. You also get a
log of what you changed.

DNSpurge prompts you first for the DNS Server you will connect
to (the DNS Server database you are editing), with the next
prompt asking for the server record identity you want to cleanup.
You receive an analysis first, with the option to cancel without
any changes or to proceed.

The remaining prompts are self-explanatory confirmations of
individual records available to remove as you proceed through
the zones.


Page 134


Manual Clean-up of DNS Zones
(alternative to DNSpurge)

Even if you are not entirely familiar with all the DNS tree locations and their meaning,
its reasonable if not tedious to browse through all the zones of the DNS tree to identify
if any additional miscellaneous references were retained for a permanently retired DC
name or IP for that DC.

Heres a brief technical explanation, followed by steps for the details of accomplish
this:
o You want to remove the cname record in the _msdcs.root domain of forest
zone in DNS. Assuming that DC is going to be reinstalled and re-promoted,
a new NTDS Settings object is created with a new GUID and a matching
cname record in DNS. You do not want the DC's that exist to use the old
cname record.
o In earlier steps, the NTDS Settings object has been deleted, so now you can
delete the computer account, the FRS member object, the cname (or Alias)
record in the _msdcs container, the A (or Host) record in DNS, the
trustDomain object for a deleted child domain, and the domain controller.
Remove all records for removed DCs from DNS, specifically the GUID specific record
in _msdcs.
To complete these steps in DNS cleanup manually (not using DNSpurge), from the
Manage Computer console, locate the DNS section:
1. Use the DNS MMC to delete the A record in DNS. The A record is also known as
the Host record. To delete the A record, right-click the A record, and then click
Delete.
2. Also delete the cname (also known as the Alias) record in the _msdcs container.
To do so, expand the _msdcs container, right-click the cname, and then click
Delete.
3. Important If this was a DNS server, remove the reference to this DC under the
Name Servers tab. To do this, in the DNS console, click the domain name under
Forward Lookup Zones, and then remove this server from the Name Servers
tab.

Note: If you have reverse lookup zones, also remove the server from these
zones.


Page 135

Task 7 Final Inspection for Step E Phases 2 - Step E

Restart then Verify
Normal DC Operations

A restart of the remaining DC will confirm normal boot and DC
operations on the remaining DC with the previous DC having
been removed. This restart is a sanity check, it really doesnt
have any special technical requirements. We are really just
trying to see if you get a normal restart and normal behavior
after having performed all of the editing you did in this Phase.




was completed.




Expert Tip
Check for errors mentioned in the Event Logs
Look for normal speed in startup (as opposed to taking 10 minutes or more).
Your logon should be normal, without any unusual delay between the time you confirm
your password until the time you have a working desktop.
We are looking for obvious problems, not super granular issues.


Page 136

Step F
Preparing the TempDC for SBS 2008 Migration Requirements


Tasks Topic Step F
1
Site License Server Reset
Assign TempDC as Site License Server
2
Install Current Service Packs
Windows Server SP2 Required
3
Install Required Component Updates
SBS 2008 requires several component updates


Page 137

Task 1 Site License Server Assignment Reset Phase 2 Step F

Reset the Site License Server
Designation
Each Active Directory Site location requires a designated
License Server to be designated. The process we have
completed in earlier Phases causes the previous server
designation to now be unassigned. You might notice Event
ID 213 is generated after you demote the first Domain
Controller in a site that was the previously designated license
server.

We need to repair this condition by assigning the
responsibility to this server now. This avoids certain
applications generating an error because they cannot locate
a Site License Server.
KB 296681
You can reassign the Licensing Server as follows:

1. Open Active Directory Sites and Services.
2. Click the site on which the server is located.
3. In the details pane, click License Site Settings.
4. On the Action menu, click Properties.
5. Under Licensing Computer, select the new site license server, and then click
Change. (You normally would be assigning the Site License Server reference to point
to this server now.)
6. Click OK to exit.
Important
Concept
Site License Service Error is Now Resolved

After you demote or remove the first domain controller in a site (as was done in the
previous tasks), the following error message appears in the target server's application log:

Event ID: 213
Source: LicenseService
Type: Warning
Description: Replication of license information failed because the License
Logging Service on server ServerName could not be contacted.

This issue is resolved by reassigning the License Server responsibility for the Site to an
existing Domain Controller in that site.


Page 138

Task 2 Current Service Packs Phase 2 - Step F

Install Current
Service Packs
(Required)

patches.


Tasks
The same service pack requirements apply for SBS or non-SBS media. For a project
migration from any previous domain version, the minimum requirements for this DC
server is shown below.
Windows Server 2003
(same with SBS 2003)
Service Pack 2 (Required)

Note: For this Swing Migration project you do not
need to install SBS 2003 SP1 or the balance of
other SBS applications prior to installing the
Windows SP2.

Expert Tip
Do not use Windows Update for update patching during construction While this
update could be implemented by running Windows Update from this server, that is not
recommended. A global Windows Update connection will provide a wide variety of
updates that might delay your progress or certainly make your server configuration
unique for that day of updates. With all patches, service packs or application installation
tasks, you should install from a local copy on local media and obtain updates
individually from a download reference link such as the one suggested above.
Important
Concept
Install the update for KB 948496 (SNP disable)

Very Important: Install the update for KB 948496 (SNP disable) after installing
Windows 2003 SP2. This update resolves a network configuration compatibility issue
that can cause bizarre operations behavior if left unchecked.

The recommended way to install this update is to download this patch individually from
the Microsoft website using a separate computer and transfer the file on a USB
thumbdrive or other convenient method. Do not connect this TempDC machine to the
Internet or production domain.

KB 948496 (SNP disable, Network Performance TCP/IP Chimney, RSS)
An update to turn off default SNP features is available for Windows Server 2003-based
and Small Business Server 2003-based computers
http://support.microsoft.com/kb/948496/

Download: http://www.microsoft.com/downloads/details.aspx?FamilyId=062E954C-
FDEC-45AF-A09C-5A05B8F010A5


Page 139

Task 3 Current Component Updates Phase 2 - Step F

Installation of
MSXML and .NET updates

This is required by SBS 2008 Setup procedures.
Tasks
Additional Updates Required

These component options are required for compatibility to run the SBS 2008 based
utilities you need to prepare this server for the migration wizard setup and installation
sequence.

Media Updates Required

Microsoft .NET Framework Version 2.0 Redistributable Package (x86)
http://go.microsoft.com/fwlink/?LinkId=104397

Microsoft Core XML Services (MSXML) 6.0 Service Pack 1
http://go.microsoft.com/fwlink/?LinkId=87548


Page 140

Expert Tip

Option Housekeeping Possible to do Now

Most of the items listed below will need to be addressed at some point in the
project. Its your option to look at this now (if you prefer to address this in
advance) you have the option (or requirement) to do this either in Phase 4 or 5.

You will find task details on each of these items described in Phase 4.

Administrator Accounts
Create a new Administrator account for your Migration project.
Disable the Administrator account logon script

Server Configuration
Disable Screensaver show logon screen
Enable Remote Desktop Protocol Access

Group Policies
Remove SBS 2003 Product Group Policies
Revise/Disable Folder Redirection Policy

User Object Location/Cleanup
Move Existing Users/Computers to SBS folders

Logon Scripts
Review the Logon Scripts to remove the SBS_LOGIN_SCRIPT.bat
Disable any Printer/Drive letter Connection settings in logon scripts

Why create a new Administrator Account?

One point that you may be curious about is why create a new Administrator
Account? This is because SBS 2008 Migration Mode wizard is blocked from
being run by the root Administrator Account. You will need a different account
later in the steps that MS defines.


Page 141


Swing It!! Kit Tool Several Tools handle this process quite
easily and are the preferred alternative to manual inspections.

DialinBy
Summary Report of Dial-in Status for all Users, indicating
allowed, disallowed, or determined by policy

LgnScrpt
Summary Report of Legacy Logon Script and Profile Folder per
User

GrpNest [Steps J]
(Per User) Report Direct and Nested Group Memberships

AdminSID [Steps J]
(Per Computer/Domain) Report all Domain or Local Admins
(Per Computer/Domain) Identify Root Admin acct., all Admin
members name/SID

Each of these are quite helpful for documenting a site
configuration, or auditing unexpected access, logon or security
behavior.

Expert Tip

Planning To Do User Account Cleanup?

Not Required, but its a good suggestion and you have tools! Look Below.

Admin Rights In circumstances where you have a domain that has been around
awhile, you might want to review the user accounts to validate if the users are
members of only the groups they should be. Nested Groups in Windows 2003 make
it possible for a group to be a member of a group. That makes inheritance much
more tricky to investigate unless you have a tool. (You do!)

Remote Access For that matter, maybe you should think about limiting
membership, or extending options, or just documenting the current status of users for
remote access.

Login Scripts Its common that with a new SBS server version, you may want to
review the logon script assignments and contents.


Page 142

Step G
Installing Exchange Server 2003 on TempDC

This step is required to bring the existing Exchange Information Store from the previous SBS 2003 Server
when we reach the transition stage in Phase 5.

The TempDC is being updated now as a transfer platform to bring the Mailbox and Public Folder stores
over to the new SBS 2008 server.


Tasks Topic Step G Part 1
1
Exchange Prerequisite Components
Add required components for Exchange Server setup
2
Exchange 2000 Only Schema Update (custom setup)
Only for Migrations up from Exchange 2000
3
Exchange Server Setup
Install Exchange Server to existing Administrative Group

4
Exchange Service Pack Update
Required for compliance to SBS 2008 Setup

5
Enable Display Exchange Routing Groups
Prepares Exchange System Manager Console for later

6
Remove Mailbox Management Policies
These policies are not support by Exchange 2007

7
Run SwingIT PreSourceTool
Updates configuration setting as required before SourceTool

8
Run MS Source Tool Configuration
Updates and Confirmation of task completion


Migrating from Exchange Server 2000 or 2003

If your existing operations use Exchange 2000 or 2003 and you will be using
Exchange 2007 on your finalDC, you must perform all of Step G including Part 1 and
Part 2. You prepare your Exchange Organization for an Exchange 2003 server to be
installed on this TempDC used as a transfer point for production Information Store.


Page 143


No Exchange Server Organization to Migrate?

No Exchange Server Previously in Use

If you have never used Exchange Server in your domain, and therefore you do not
have an existing Exchange Organization established in Active Directory or an
Exchange Server Information Store to migrate, you can skip Part 1 of Step G.

Not planning to use Exchange Server 2007

This would also apply if you are not planning to use Exchange 2007 but will move
your previously used Exchange 200x mailboxes to an externally hosted service
provider. That would mean you will not use Exchange at all or will have your
mailboxes hosted on a different server outside of your Active Directory domain.

In this case you do not need to perform Step G Part 1 to install Exchange on the
TempDC, however it is critical that you ensure that you do not have an Exchange
Organization already defined in Active Directory. You will need to use the Alternate
Step D information to completely remove any existing Exchange Organization
details.

My Exchange Server currently runs on a member server

If you use Exchange Server in your domain running currently on a member server
that is in production now, and will remain in production after the Swing Migration
project, you should not install Exchange Server on this TempDC. You do not have
an existing Exchange Server to migrate as part of this Swing Migration project path,
you can skip Step G Part 1. Even if you plan later to migrate your Exchange to your
SBS 2008 from the existing member server, that is outside the scope of work here.

If any case above: Skip Step G Part 1, resume in Step G Part 2.

Note: Step G Part 2 is Always Required on All Projects


Page 144

Customized Exchange Setups

This is the normal path for construction for 2003 to SBS 2008 installations, to install Exchange Server on
the TempDC. Installing Exchange by the normal Exchange setup method is recommended.

In other words, do not use the SBS Setup feature to continue or install the TempDC as an Exchange
Server. This will needlessly add about 2-3 hours to your project path in most cases, and may further
complicate it beyond that.

What follows now are the recommended instructions to install Exchange Server on the TempDC. Keep in
mind that the Organization is already defined in AD, we are just adding a new server to it.

Expert Tip

Do Not Run SBS 2003 Setup to Install Exchange

That will add 2-3 hours to your project time.

SBS Setup not only installs Exchange, it also requires installing all of the SBS
Console, License Tools, Website resources and SharePoint configuration if you
install Exchange using the setup sequence. As a result, you will be required to install
service packs and updates that are detected by SBS 2008 setup are prerequesites.

Its much simpler and faster to just install Exchange directly from the CD2 location
where the Exchange installation files are located.


Page 145

Task 1 Exchange Prerequisite Components Phase 2 Step G Part 1

Configure Exchange Server
Setup Prerequisites
To install Exchange Server 2003 on this machine you must
prepare the server first with the install a number of Windows
core services Exchange requires. These items are detected
during Exchange setup, and if they are missing, Exchange
setup will prevent you from continuing.
Important
Concept
Add These Component to Existing Configuration

During these steps do not uncheck or remove any other items already indicated as
installed. The items specified below are just what we are adding now to the existing
configuration. Keep all the items currently shown as installed components.
Expert Tip
Preinstalled Components If you are wondering why you never had to do this when
running SBS 2003 Setup its because it was addressed transparently by the setup
program without asking. Thats one of the reasons you needed CD1 available to
continue installation of Exchange.

Preparing for Exchange Setup Requirements

Exchange requires the following Windows core services to be available on this server
before Exchange Server installation begins:

Internet Information Service IIS
NNTP
ASP.Net

To confirm these are installed:

1. Open Control Panel, choose Add/Remove Programs.
2. On the left-side button panel, select Add/Remove Windows Components.
3. When the Windows Components Wizard screen appears, from the Components
listbox items select Application Server, then click Details.
4. From the Subcomponents of Application Server listbox items review the status
following items to ensure that they are already checked to indicate as installed, or
by adding a check now they will now be installed:

Note: During these steps do not uncheck or remove any other items already
indicated as installed. The items specified below are just what we are adding now
to the existing configuration. Keep all the items currently shown as installed
components.

Internet Information Service IIS
ASP.Net
NNTP (locate this item by selecting Internet Information Service (IIS), click
Details, and enable this item in addition to those already selected.
5. Click OK closing each panel until you are back at the Windows Components
panel, then select Next.
6. The components you selected will be installed. When prompted, select Finish.
7. Close the Add/Remove Programs panel.


Page 146

Task 2 Exchange 2000 Only Schema Update Phase 2 Step G Part 1

Upgrading Schema from an
Exchange 2000 Organization
Only
This applies only to you if your existing Exchange Server
organization operated with only Exchange 2000 server(s),
and have not previously installed an Exchange 2003 server
in your domain.
Important
Concept
Domains with Existing Exchange 2003 based Organizations

If you have an existing organization previously updated to support Exchange 2003
servers, you can skip forward to the next task to install the TempDC as an Exchange
Server.

KB 271882
Performing a Custom Installation of Exchange

When upgrading your existing Exchange 2000 Organization, this task will not prompt
you to modify the namespace, just to upgrade it.

Your existing configuration might have an Organization name or Administrative Group
name that is different than the default installation creates, and that is fine.
Expert Tip
Source Media - When using a media set for SBS 2003 or SBS 2003 R2, the source
disk required below will be CD2, or the CD2 resource folder on an installation DVD.
KB 312371
Exchange Setup for Forestprep

Run Exchange Setup with the /forestprep switch, when prompted you can create the
organization name that you want.

1. Click Start again, click Run, and in the Run box, type
[source:]\Setup\i386\SETUP.EXE /ForestPrep, and then click OK.
2. In the Welcome screen that appears, click Next.
3. In the End-User License Agreement screen, accept the licensing
agreement by clicking I Agree, and then click Next.
4. In the Product Identification screen, enter the product key of your
Exchange Server 200x installation CD, and then click Next.
5. In the Component Selection screen, under Action for Microsoft
Exchange 200x, make sure that ForestPrep is selected, and then click
Next.
6. In the case of an upgrade of an existing Organization, proceed with the
remaining tasks as prompted to update the Forest.

Exchange Setup for Domainprep

Run Exchange Setup with the /domainprep switch to create the security groups for
Exchange (Exchange Domain Servers and Exchange Enterprise Servers).

[source:]\Setup\i386\SETUP.EXE /domainprep
8. In the Component Summary screen, verify the schema update, and then
click OK to start the processing.


Page 147

Task 3 Exchange Server Install Phase 2 Step G Part 1

Setup for TempDC

To install a new Exchange Server into your organization, you
must have previously created the Exchange Organization.
This would be the organization that already existed in your
production domain, this server is going to be added into that
Organization now.

Expert Tip

SBS 2003 or R2 Media

When using a media set for SBS 2003 or SBS 2003 R2, the source disk required below
will be CD2, or the CD2 resource folder on an installation DVD. You can then interpret
the source path as described below.

[Source:] will be your CD/DVD drive letter plus the path folder of \exchsvr65, so if your
DVD drive letter is D:, you would use the entire sources as:

D:\exchsvr65\Setup\i386\SETUP.EXE

Exchange Server Media

[Source:] will be your CD/DVD drive letter plus the indicated path. Therefore if your DVD
drive is D:, the entire source path will be:

D:\Setup\i386\SETUP.EXE

Important
Concept
Setup with Pre-Existing Organizations

If you had an existing organization previously, the instructions below may not match
identically to the prompts you receive. For instance, you will not choose Custom as the
Action, it wont be an option. You will simply install into the existing Administrative Group
and accept the defaults.

Exchange Setup to install a new server

Run Exchange Setup without options in order to launch a server installation.

[source:]\Setup\i386\SETUP.EXE
2. Following the launch of Exchange Setup, proceed to the Component Selection
page.
3. From the Action list in the Microsoft Exchange components, choose Install or
Custom enabling you add the Microsoft Exchange Messaging and Collaboration
Services component to install the server.

Note: It is typical that the server will install into the existing administrative group
without prompting. Some media may prompt to create a different group, but in that
case you must install into the existing Administrative Group. This server must be
located in the Administrative Group that previously held the production Exchange
Server that is the source for the Information Store databases you plan to restore
later in Phase 5.


Page 148

Task 4 Exchange Service Packs Phase 2 Step G Part 1

Install Current
Service Packs
(Required)

patches.


Tasks The same service pack requirements apply for SBS or non-SBS platforms supporting
upon Exchange 2003 product platform.
Exchange Server 2003 Service Pack 2 Required
Important
Concern
Installation of this Service Pack is Required Preparation

If you do not install the Service Pack prior to Phase 3, you will be blocked by SBS 2008
Setup. This is not an optional task.


Page 149

Task 5 Enable Display of Exchange Routing Groups Phase 2 Step G Part 1

Enable Display of Routing Groups
& Administrative Groups

This task is required as preparation for access to these
objects later in the project. We need to have access both
Administrative Groups and Routing Groups. The
instructions that follow in later sections will require you to
navigate into the Exchange System Manager (ESM) to
locate specific objects only visible with these containers
visible.
Tasks
Using Exchange System Manager: How to locate these objects?

To enable display of these Exchange container objects:

1. Open Exchange System Manager on the TempDC, Locate this from the Start
Menu, choose All Programs > Microsoft Exchange > System Manager.
2. Right-click and choose Properties on the top most object in the left pane, the object
will be named for your Exchange Organization.
3. Enable the tickbox options to Display Routing Groups and to Display
Administrative Groups.
4. Apply this change by clicking Ok. You will be warned that you need to restart this
ESM console.
5. Restart the ESM Console.
6. Once reopened the ESM Console now displays the Administrative Groups in the
first level of the tree, and specifically you will see the Exchange 2003
Administrative Group where the TempDC resides.

Expert Tip
Typically you have only one Administrative Group displayed at this point.

Unless you previously installed an Exchange 2007 server, you will not see that new
Administrative group, or any other at this time. After Phase 3 you will see the Exchange
2007 group in this view. Confirm that these container objects are now displayed. Use the
example below as a reference.

In this example shown below, note that the names shown in bold-italic may have a name
specific to what is unique in your Exchange Organization. This is not a complete view of the
entire tree, just identifying the path location of the two containers we just turned on to view
now which may have previously been hidden.

Exchange_organization_name (Exchange)
Administrative Groups
First Administrative Group (this name may vary)
Routing Groups

Now that you can see the Administrative Groups and the Routing Groups you should be
able to locate all objects of interest during the remainder of this project.


Page 150

Task 6 Remove Mailbox Management Policies Phase 2 Step G Part 1

Remove Exchange
Mailbox Management Policies
(Required)
A requirement to complete the transition to Exchange 2007
is that you must remove all Mailbox Management settings in
the Recipient Policies.

In a review of Recipient Policies, a policy can be configured
as any one of these three possible conditions:

1. Email Address Policy (only)
2. Mailbox Management Settings (only)
3. Email Addresses and Mailbox Management (both)

The migration process requires that all Mailbox Management
policies be discontinued, therefore deleted from any
combined policies, and the entire policies is deleted if it is
dedicated only for the purpose of Mailbox Management.
Tasks
Remove Mailbox Management Policies

To inspect for this, from the Start Menu options open Exchange System Manager (or use the
related snap-in of the SBS Server Console in the Advanced Management section). Expand
the tree to view the properties of each policy listed below Recipient Policies:
Exchange System Manager
Recipients
Recipient Policies
Default Policy

Below is an example screen shot of the policy properties panel where no changes are
required. There are no tabs are shown for Mailbox Management, and only domain
addresses templates are listed as defaults for your own Organization are shown:



Page 151

(cont.) Task 6 Phase 2 Step G Part 1
Regarding the tabs, in the screenshot above you notice the top of the panel displays each of
and only the following menu tabs respectively labeled as follows:

General
E-Mail Addresses (Policy)
Details

That is an example of an E-Mail Addresses policy only.

A policy that provides Mailbox Management will have tab showing the label Mailbox
Manager Settings (Policy), and that indicates that the policy handles that feature.

If you see only the Mailbox Management but not the E-Mail Addresses (Policy) tab,
its unique purpose is for Mailbox Management only.
If you see both the E-Mail Addresses tab plus a Mailbox Management tab
shown, the policy is a combined multi-purpose policy to provide both features in a
single policy.
The task required here is to remove the management policy elements from combined
purpose policies, or delete the policy entirely if it is only for Mailbox Management.

Removing a dedicated Mailbox Management Policy

Expand the tree to view each policy listed below Recipient Policies (Default Policy is the
only one listed in the example below):

Recipients
Recipient Policies
Default Policy

1. Right-Click on the policy object, and from the context menu shown you choose the
option for Delete.

Removing the Management from a Combined Management/Address Policy

Expand the tree to view each policy listed below Recipient Policies (Default Policy is the
only one listed in the example below):

Recipients
Recipient Policies
Default Policy

2. Right-Click on the policy object, and from the context menu shown you choose the
option for Change Property Pages.
3. In the option panel that opens will be a pair of option checkboxes labeled for the
respective elements.
4. Uncheck the box for Mailbox Manager Settings to remove that policy element.
5. Choose Ok to exit from the properties.


Page 152

Step G Part 2
TempDC Preparation: PreSourceTool & SourceTool

These tasks are required to complete the SBS 2008 Server Setup in Phase 3. If you omit these tasks you
will be blocked. You cannot simply do the tasks manually, these tools perform tasks that are required to
prevent blocks in setup.


7
Run SwingIT PreSourceTool
Updates configuration setting as required before SourceTool

8
Run MS Source Tool Configuration
Updates and Confirmation of task completion


Page 153

Task 7 SwingIT PreSourceTool Phase 2 Step G Part 2

SBS 2008 SwingIT
PreSource Tool

Microsoft provides a utility with the name SourceTool which is
used to complete a few tasks necessary to validate the SBS
2008 migration and setup sequence. The features detected
and set with this tool confirm conditions that are required by
SBS 2008 Setup procedures.

This Kit provides a tool to run first, the SwingIT PreSource tool
completes tasks that are documented by Microsoft in the
Migration documentation, but require manual tasks that this
tool automates.

Therefore, you should run both the SwingIT PreSource tool
followed by the Microsoft SourceTool.
Important
Concern
Execution of this Tool is Required Preparation

You must run this tool. Otherwise, you will be blocked either by the MS SourceTool
detection in the next task, or by SBS 2008 Setup compliance blocks, or an outright
failure of the installation of SBS 2008. This is not an optional task.
Tasks
Execute the SwingIT PreSource Tool

The SwingIT PreSource Tool addresses a few tasks conveniently to streamline the
required tasks outlined by Microsoft for a Migration Mode installation.

1. Run the tool and follow the prompts or options offered.
2. You must approve the update of the domain and forest to Windows 2003 level
in order to install SBS 2008, this is required.
3. You must approve the update of the domain from Mixed Mode to Native mode.
4. The assignment of Default OU for computer and user objects is an option.
Swing It!!
Tool
SwingITPreSource Tool

This tool performs a few simple but required tasks, it detects and confirms conditions
required as prerequisites to the Microsoft SourceTool and migration in general.


Note: Please read the Expert Tip Below.
Expert Tip
SwingITPreSource Tool: Default Object OU Options

This tool offers several choices on the configuration of the default OU location. SBS
2008 Setup will complete successfully with any of the choices offered. The reason for
the options is to provide you the choice of where you want the default to be as either
Windows default, SBS 2008 documented default, or what SBSmigration.com is offering
as a suggestion.

During SBS 2008 setup a number of new user and group objects are created in
whatever is the default OU for User objects. The tool provides the option of setting a
dedicated location different than the Windows default or the SBS 2008 default in order
to place these system objects in a location that doesnt clutter up your Users OU.

You really can use whatever you want.


Page 154

Task 8 SourceTool Phase 2 Step G Part 2

SBS 2008 Setup
Microsoft SourceTool
Preparation
This is required by SBS 2008 Setup procedures.

The SourceTool is required for compatibility to run the SBS
2008 setup, it prepares this server for the migration wizard
setup and installation sequence. This tool also validates that
your source server complies with requirements to avoid
conditions blocked by SBS 2008.
Expert Tip
Options on How to Install/Run this Tool

Run direct from the tools folder on the DVD is the assumed best option
As alternatives, among the common questions are how do I run this if I have no DVD on
the TempDC, or if I have my TempDC on a Virtual Machine?. Heres some ideas:

A copy on USB key or other device requires the entire Tools folder present
Using VMware a virtual floppy may be more convenient than USB device
Share a DVD/drive location from a network connected machine or host of a VM
Copy the entire Tools folder to a host partition then make that accessible
Tasks
To prepare the Source Server for migration
1. Insert Windows SBS 2008 DVD1 in the DVD drive on this server.
2. When the Windows SBS 2008 installation wizard starts, click Tools, and then
double-click SourceTool.
3. In the Source Server Migration Tool, click I have a backup and am ready to
proceed, and then click Next.
4. You may be prompted to retrieve updates for this tool, this is an option you may
allow or ignore. This only updates this specific tool.

If you receive an error message relating to hotfix installation, follow the
instructions in Method 3: Rename the Catroot2 Folder in the article
You cannot install some updates or programs in the Microsoft
Knowledge Base http://go.microsoft.com/FWLink/?LinkID=118672

4. If you did not create a migration answer file when recommended earlier, click
Create an Answer File and follow the instructions that appear.
5. Click Finish.
6. When the Migration Preparation Tool finishes, you must restart the server
before you begin migrating to Windows SBS 2008.
SBS 2008
Migration Docs
Expert Tip
SourceTool.exe or SourceTool.msi?

The RTM release of SBS 2008 provided an EXE version of this tool, this version can
only be used with the SBS 2008 RTM version release of SBS setup. If you use the EXE
version and then run the later SBS 2008 SP2 Updated version, you will be blocked.

The SourceTool.MSI version can be used with either the original or later release.
Important
Concern
Execution of this Tool is Required Preparation

You must run this tool. Otherwise, you will be blocked either by SBS 2008 Setup
compliance blocks, or an outright failure of the installation of SBS 2008.

This is not an optional task.


Page 155

Expert Tip

Recommended: Perform a System State Backup

Protect the current condition of the TempDC Now!

This is a good point to perform a full System State Backup or even a full backup of
the entire server before you go further. Just think about all the hours of work you
have invested at this point!

Expert Tip

Need to start over again?

How to redo Phase 2

This happens too, you might have missed a critical point like checking for
Sysvol replication and yet you dont discover that until well into Phase 3
when you cant join the domain, because the TempDC isnt healthy and
needs to be reconstructed properly.

In this situation, the chances are you may make it as far as the end of Phase
3 Step A before hitting the wall. You can keep the FinalDC at that point while
you go back to redo the TempDC from scratch. In that situation, the best
answer would be to rebuild the TempDC from scratch using a different name
for the server, and preferably a different IP too. Once you get the problems
solved in Phase 2, you resume where you left off on Phase 3.


Page 156

Phase 3: SBS 2008 Server Build in Migration Mode
(Transfer AD from TempDC to FinalDC)

Figure 2-8 Phase 3 Transfer AD from TempDC to final server FinalDC


Please Proceed Now to Document 2

Phases 3-5 are addressed in the reference Document 2


Page 157

The Swing It!! Kits Reference Documentation is not free, therefore under no
circumstance are you authorized to redistribute or forward to another party your own
copy or a duplicated copy of this document, or the associated documents within the kit,
or any programming tools which may also be included in the Kit. Please review the
related guidelines on the pages that follow.

Copyright 2004-2009 SBSmigration.com
All rights reserved

\

Swing It Doc1 Swing Migration 2008 Rev1.06

Hochgeladen von

Dokumentinformationen

Copyright

Verfügbare Formate

Dieses Dokument teilen

Dokument teilen oder einbetten

Freigabeoptionen

Stufen Sie dieses Dokument als nützlich ein?

Sind diese Inhalte unangemessen?

Copyright:

Verfügbare Formate

Swing It Doc1 Swing Migration 2008 Rev1.06

Hochgeladen von

Copyright:

Verfügbare Formate

Swing It!!

Das könnte Ihnen auch gefallen