swing it doc1 swing migration 2008 rev1.06

Swing It!! Kits Reference Documentation

Swing It!! Swing Migration: Reference Part 1 How to Perform a Swing Migration 2003 to SBS 2008 Domains Author: Jeff Middleton You may purchase this document in a Swing It!! Kit from SBSmigration.com The Swing It!! Kits Reference Documentation is not free, therefore under no circumstance are you authorized to redistribute or forward to another party your own copy or a duplicated copy of this document, or the associated documents within the kit, or any programming tools which may also be included in the Kit. Please review the related guidelines on the pages that follow. 1.06 - 4.20.2009 Copyright 2004-2009 by Jeff Middleton, SBSmigration.com All rights reserved

How to Perform a Swing Migration from 2003 to SBS 2008

Page 2

Copyright 2004-2009 by SBSmigration.com Swing It!! Technician Kit Documentation

For more information on the Swing It!! Reference Kit, Swing It!! Technician Kit, plus a full range of Swing It!! related products and services, please visit to SBSmigration.com, or send an email requesting information as indicated below.

Swing It!! Kit information is available online or by request. To Contact us:

[email protected] Include the subject line: You Can Swing That! Info Request

Acknowledgments SBSmigration.com is grateful for the cooperation and opportunity to participate in discussions and access with the product teams for Microsoft Small Business Server development, support and community. The inspiration and technical suggestions offered from individual MVPs among the SBS-MVP and the SMB Family are too numerous to cite individually, but worth each and every moment to improve the accuracy and quality of the results. Our customers represent the best of the best IT Professionals worldwide with the enthusiasm, patience and persistence to make the best of what we offer the best of what they deliver, and to keep the target for quality and accuracy constantly improving through feedback and validation. About the Author Jeff Middleton is well recognized worldwide in Microsoft Small Business Server (SBS) community, known as a speaker, author, advisor, and technical community leader. Microsoft has awarded him each year since 1999 with the prestigious Small Business Server Most Valuable Professional recognition. Based upon 20 years of experience as a consultant and system integrator in small business and vertical market applications, hes operated his own business located in New Orleans since 1990. Jeffs name is now synonymous with Swing Migration, the worldwide SMB consultants choice of methodology for SBS Server replacement. He founded SBSmigration.com in 2004 providing a technical mentor and training product as a project consultant to consultants. His work is both published and cited in books and trade journals. As an expert in disaster recovery, domain migration, and a full-range of topics on the SBS and Windows platforms, Jeff travels constantly as a popular speaker. He has presented at conferences internationally including the Microsoft Partner Program, Tech Ed, SMBTN, ITA and SMB Nation, as well as lending his support in person as a guest speaker to over 50 local IT Pro groups of all sizes in North America, Australia and Europe. Starting in 2007, he launched the SBSmigration.com IT Pro Conference held annually during May in New Orleans offering a unique discussion forum for experts in SMB business and technology.


Page 3


Swing It!! Kit Documentation Allowed Use Guidelines This document is not free, and is part of a Swing It!! Kit purchase. Swing It!! Kits are a continuing partnership benefit to us, to our customers, and extended to their customers. Swing It!! Kits build technical skill, improve business practices, and that builds perpetual value for the all of us. SBSmigration.com has every intention to honor our agreements with you when you purchase a Swing It!! Kit, and we are optimistic that you will protect your investment from your loss, or ours. As the owner of a Swing It!! Kit, you received this reference, and may also have received tools with it, all under a license agreement which includes both copyright as well as authorized use restrictions which are enforceable.

You are permitted to use the documentation and tools provided with a Swing It!! Kit exclusively for the purpose of performing work related to what it describes, or preparing yourself in a manner of training or education on that purpose.

We consider it fair that someone you know personally might be given the opportunity to casually

review your materials or tools in the context of deciding if they would value having a Swing It!! Kit of their own. We also consider it fair to present the appropriate portion of your documentation to a customer or prospect for whom related work is involved, where adequate disclosure of the method involved is requested. However, please treat the shared access to our documentation and tools as a training material for which the right to use it in that manner is yours, and yours alone. We would consider a reasonable review as not effectively consuming the value gained in owning it without properly obtaining another technician license.

You may not use this reference to teach others in an educational, instructional, or presentation

manner. You should contact SBSmigration.com for information on how to obtain materials properly licensed for that purpose.


Page 4


Distribution and Duplication Guidelines This document is not free, and is part of a Swing It!! Kit purchase. You can obtain a Swing It!! Kit with complete documentation, tools and associated services by contacting us at SBSmigration.com. This document is only available as part of a Swing It!! Kit purchase. The owner of a Swing It!! Kit receives this reference, and may also receive tools with it, via license agreement conditions which define copyright as well as restrictions of use which are enforceable. If you received this document from any other source than SBSmigration.com, please contact us to obtain a fully licensed Swing It!! Kit of your own, the complete related documentation, services and total value intended. Swing It!! Kits are licensed per technician, therefore our services and support are extended only to the original purchaser.

SBSmigration.com understands your need to protect your investment in the tools and documentation provided in your Swing It!! Kit. We consider it fair and reasonable use for you to make as many backup copies of any of these items as is necessary to protect yourself from loss or damage. We also understand that you may wish to maintain multiple copies for the purpose of keeping references and tools in more than one location you can work from in the course of a project, or on more than one device, or for continuing use. We expect at all times that you would have the thought in mind that each copy you make is either for a backup to protect against loss, or a copy you have made to facilitate your active work process, but for no other reasons. Leaving copies for others to use is not a permitted use.

You may not place any hard copy or electronic copy of any portion of a Swing It!! Kit

documentation or tool (or tool code) in a location that provides anonymous access.

You may not store or locate the Swing It!! Kit tools or documents in a manner which encourages, or permits violation of the license agreement or copyright such as with file swapping technologies.

Under no circumstances are you permitted to abstract portions of this document and share

them with anyone else, without obtaining specific and written authorization from SBSmigration.com for that purpose, and on that occasion, such as for a periodical review. This means that posting sections of documentation to the Internet or public network, or a chat room, or a private network are all examples in violation of our license and copyrights because they do not represent a backup or reasonable use.


Page 5



Page 6


Contents Swing Migration: How to Perform a Swing Migration

Part 1 Doc 1

Overview: How to Perform a Swing Migration

Understanding the Swing Workflow and References o Distinguishing between the Server Name References Used o Summary Timeline Considerations o Pre-Upgrade Disaster Recovery Precautions

Phase 0: Migration Notes & Server / Domain Audit

Review of Your Domain and Existing DC Confirmation Phase 1: Existing DC and Domain Preparation

Prepare the existing Domain and Production DC Server Configuration Prepare Your Migration Notes and Automated Migration Tools

Phase 2: Transfer AD from the OriginalDC to TempDC

Step A. Install a clean baseline of Server 2003 only (SBS 2003 Media) Step B. DCpromo to establish the server as a new DC in the existing Domain Step C. Root Domain Management Transfer/Seizure Step D. Perform Required Active Directory Cleanup of Exchange Step E. Remove Domain Controller entries: AD, DNS, WINS, DHCP Step F. TempDC Pre-Setup Housekeeping Preparations Step G. TempDC Exchange Installation

Phase 3: (This resumes in Part 2)


Page 7


Contents Swing Migration: How to Perform a Swing Migration

Part 2 Doc 2

Phase 3: SBS 2008 Setup: Join to Domain from TempDC to FinalDC

Step H. SBS 2008 Join to Domain Installation Phase 4: Post-SBS 2008 Setup Tasks and Customization

Step I. Post-Setup SBS 2008 Configuration Step I. Server Applications and Customization Step I. Strategic Migration Testing

Phase 5: Transition: Exchange, Data, and Shared Network Resources

Step J. Exchange Information Store Transfer o Stage 1: Exchange Forklift Compliance Review o Stage 2: Store Forklift Transfer and Mount o Stage 3: Reset Exchange Configuration Bindings to AD and Clients o Stage 4: Exchange Mailbox & Public Folder Migration

Step K. Additional Final Server Configuration Issues o Migrating Data Files o Migrating Shared Folder Definitions o Migrating SharePoint CompanyWeb o Shared Printer Configuration o Shared Fax Configuration

Step L. Additional Final Server Configuration Issues o SBS Premium and Line of Business Applications

Step M. New Server Final Deployment o Workstation Connectivity o Outlook Configuration and Synchronization o Connect Internet Wizard o Enable SMTP Email Flow from Internet o Configure User Roles Wizard o SBS 2008 Group Converter Utility

Step N. Decommission TempDC Server Tasks o Remove Exchange Routing Group Connectors o Remove Recipient Update Service Objects o Remove Public Folders Store and Mailbox Store o Uninstall Exchange Server Application o Demote Server Using DCpromo o TempDC AD Object Removal


Page 8


Overview: How to Perform a Swing Migration

In the simplified diagram above, you should immediately observe why this is called a Swing Migration. Notice that we use a third DC temporarily as the pivot point in a Swing of moving Active Directory. The AD is shifted using normal Windows Domain Controller replication. Since that TempDC isnt needed permanently, we dont need additional licenses or care to use a production server for this purpose. This becomes clearer as you review the balance of the overview that follows. Active Directory is the only content moved from the OriginalDC to the TempDC in Phase 2. Therefore your OriginalDC remains in production, unchanged by the construction at that point. The TempDC cleanup and further configuration tasks proceed offline, even offsite for Phase 2-4. The key change in Swing Migration for SBS 2003 to SBS 2008 projects is driven by the need to transfer the Exchange 2003 Information Store via the TempDC. Therefore, during Phase 5 the Store is moved onto the TempDC allowing the mailboxes to be migrated over individually to the FinalDC. This means that the TempDC is not removed from the construction configuration until the end of Phase 5. Just keep in mind that the Exchange Store remains on the OriginalDC continuously into Phase 5, and only at that point is the data moved rapidly across the TempDC into the FinalDC.

Figure 1 Swing Migration Simple View


Page 9


We start now with an orientation on the technical path of construction preparations and implementation. Take a look at the pictorial flow illustration in summary. If you dont see the logic immediately, dont worry. The next few pages go step by step through the technical procedures to highlight individual phases of construction. The main point shown below is that the AD migration and server construction moves on a separate path, the loop around the bottom, followed later by the data migration as the final phase of construction.

If you are already familiar with Swing Migration from having worked a project to migrate to a 2003 platform, you likely will be interested in the summary comparison of that project outline compared to the 2008 series project path. On the other hand, if this is your first introduction to Swing Migration, dont be concerned about analyzing the next section to closely, you will find its followed immediately with a beginners introduction to the Swing Migration project path, you wont need any prior experience to follow that explanation.

Figure 2-1 Swing Migration Overview Illustration


Page 10


Comparing the Swing Project Series: 2003 vs. 2008 Platforms Note: This section is specifically for those experienced in doing a Swing Migration with the 2003 Series projects (that conclude on a 2003 release platform) vs. this project scenario for migration to SBS 2008 platforms. Swing Migration for SBS 2003 to SBS 2008 follows similar logic to past project outlines in Swing Migration to conclude on a 2003 platform. However, to incorporate the migration to Exchange 2007 we also have some additional tasks added. In the original 2003 Series migration the TempDC was only used for just that, a TempDC. Within the logic of the 2008 Series migration the TempDC is employed again initially only as a TempDC during Phase 2. But the new concept is to use it as well as a bridge in the transition of Exchange data in Phase 5. This means it remains attached to the FinalDC all the way through until Phase 5. This is because at the end of Phase 2 we now also install Exchange 2003 on the TempDC. That prepares the Active Directory and for the Exchange Information store to be migrated across the TempDC Exchange 2003 into the FinalDC Exchange 2007. This change is required because Exchange 2007 does provide compatibility to Forklift the Exchange 2003 version Information Store onto Exchange 2007the database formats are now different. In addition, Exmerge has been eliminated with Exchange 2007, and an import from PST combined with PST export is time consuming and a challenge with larger mailbox sizes common today. Not to worry, the Exchange-Swing Migration works quite efficiently, but will require some time depending upon the size of the store. The procedure outlined here identifies how you can address Phase 5 as a Forklift the Exchange 2003 store quickly from the OriginalDC onto the TempDC, then cleanup that stage of work using a new tool that comes with the Kit: ExchSwingTool. Using ExchSwingTool you can mount the original store on the TempDC and take the option to either move for interim production use of that combination of TempDC with Exchange 2003 and FinalDC with Exchange 2007, or working offline you could transfer the mailboxes over to the Exchange 2007 before going live with the FinalDC. Once you have completed the mailbox migration you can decommission the TempDC Exchange Server installation and decommission the TempDC just as Microsofts Migration Mode documentation outlines to do. As a summary perspective on the Exchange Migration, this process of Swing Migration with the TempDC allows the OriginalDC to remain completely unchanged for the entire project. Yet at the point of transition you can quickly move an intact Information Store to the TempDC with your choice on procedure to transfer the mailboxes exactly as Microsoft defines in their documentation. The difference is that we have the OriginalDC unplugged, unchanged and nothing to undo if we need to roll back. If you keep the Exchange 2007 server offline from the Internet, you have full rollback options with no changes required. Keep in mind that these concepts also preserve the option to fully prototype test this deployment scenario offline, using a copy of the originalDC information store for you test. You can test all the way to the end of Step M, with only the decommission of the TempDC remaining. Thats a huge value in preparations! Swing Migration remains the best option that is repeatable and consistent with Microsoft Migration Mode construction, yet vastly more convenient, predictable and transparent in results. And as the bottom line for consults, you retain the convenience to do most work offline, offsite, nothing to undo.


Page 11


4 Phases of Offline Constructionthen 1 Data Transition Phase You can review the pictograph extending across the next several pages to identify how the project flows through the various phases of construction. We start with a pictograph, followed by a chart step summary.

Build Offline: Phases 1- 4 Existing DC and AD Domain Analysis Audit Namespace Verify DNS and AD

Health Configuration

Corrections Prepare Deployment

Notes

Data Transition: Phase 5 Exchange Forklift to

TempDC Exchange transfer to

FinalDC Data Transfer from

OriginalDC to FinalDC as backup then restore

Substitute FinalDC for OriginalDC in production LAN


Page 12


Phase by Phase Review

Phase Zero Health Analysis Review on Existing DC and AD Domain Audit Namespace Verify DNS and AD Health Configuration Corrections Prepare Deployment Notes

Phase 1 Existing 200x DC Server Preparation Update Service Packs Upgrade Compliance

Configuration Changes


Page 13


Phase 2 Build Win 200x TempDC using temporary hardware or Virtual PC/Server Install Baseline Win

200x Configure Network

Adapters DCPromo to DC Verify DNS and AD

Health Cleanup AD Directory

removing all other DCs Cleanup Exchange in

Active Dirctory Remove Domain Trusts Remove DNS

references Clean Install of

Exchange 2003 on TempDC


Page 14


Phase 3 Build SBS 2008 on Final Hardware using SBSAnswerFile SBS 2008 install in

Migration Mode On construction LAN,

setup performs join to domain with TempDC

Assign Name and IP matching original server to be replaced

SBS 2008 Setup completes standard installation sequence

Phase 4 Finalize SBS 2008 Post-Setup installation of Applications and customization Complete required SBS

2008 post-setup specific installation tasks

Install any Windows and Applications, Service Packs or customizations

Complete all configuration which can be done without data migration


Page 15


Phase 5 Transition of Client/Server applications and data including Exchange Information Store Forklift transfer via TempDC Production shutdown

begins for transition to new server

Transfer data via backup and restore onto new server

Forklift Exchange Information Store via TempDC, mailboxes transition into new Exchange 2007 Information Store

ExchSwingTool makes adjustments/repairs to Exchange Mailboxes to resume normal operations

Transfer any additional applications such as Sharepoint, SQL, or Line of Business applications

Return to production operations on new server

Deploy client applications or updates as needed

Decommission TempDC


Page 16


Swing Migration Benefits Continuing with the tradition of safe construction offline, and transparent replacement procedure for the new server, Swing Migration for SBS 2003 to SBS 2008 provides the following benefits:

Same Domain Name (and SIDs) Same Server Name and IP Same Information Store intact No Impact to Workstations or User profiles Business online during construction Work offsite and/or offline, open timeline Nothing to undo migration in progress

Notice that all of the critical path construction and compliance for the migration is performed offline, without making changes to the production domain or server. In addition, all of the data migration tasks can be fully tested with trial data in advance if you prefer to level of planning. Once you are satisfied with the migration results you have tested offline you can commit to a predictable transition online.

Swing Migration Workflow Benefits


Page 17


Understanding a Typical Swing Workflow and Server References

Server Name References Swing Migration is described in this documentation as a project with the goal to replace one existing server with a new server retaining the same name and providing the same application services. This documentation assumes that this server is both a Domain Controller and an Exchange Server, and it typically is also your internal network DNS Server. The server name references in this documentation refer to the respective servers instances according to the following logic:

Server References in this Documentation

OriginalDC This is the existing server you are replacing

TempDC This temporary DC is an interim construction machine, not sold or licensed, really just a tool in the process

FinalDC This server is the goal of the project, its what you put into service Distinguishing between the Server Name References Used OriginalDC I refer to this generically as your existing DC, or perhaps as your existing OriginalDC. If you have only one existing server, this would be the originalDC. If you have several servers being replaced at once, we normally think of the OriginalDC as the root DC with all the FSMO roles. If you are consolidating servers down to fewer servers, the OriginalDC is typically the one you are preserving with its original name retained. TempDC The TempDC is the server used temporarily to obtain a copy of the Active Directory off the OriginalDC, its a core part of why this project works offline. The machine holds AD in our offline construction to facilitate the cleanup swing steps removing the OriginalDC objects in AD. You construct the FinalDC server by bringing over a cleaned up copy of the AD, and you will deploy to replace the OriginalDC with this server.


Page 18


FinalDC The server you deploy permanently with the same name as the original server is the FinalDC, and typically this machine has the same name as the previous one. Deploying a FinalDC with a different name adds complications to the project process, so its not a normal project path, though it can be done. More about the TempDC Ive chosen to refer to the temporary DC we construct in Phase 2 as the TempDC, while calling the final machine you intend to deploy as the FinalDC. The TempDC is needed through Phase 5 to facilitate the migration of the Exchange Information Store. This can be an excellent application for virtual server. In some cases, you may be introducing a pair of new servers as part of your project. If one is intended to be a permanent Exchange server and DC, you might use it for the TempDC. Otherwise, using a truly temporary server installation is preferable. For a typical TempDC, theres no value in getting creative since the machine identity will be completely removed from your Active Directory before the end of the project. You are encouraged to use the name TempDC, or TempDC01, TempDC02 if you need to iterate the project starting over in Phase 2.


Page 19


Swing Migration projects provide some unique benefits, and heres where you will see several. OriginalDC To do this project path you dont need to update your OriginalDC to the latest service packs if they are not already installed. Our project path allows us to address the service pack preparations only on the TempDC and only for what we require in our minimal installation. Conspicuously missing below is a requirement for SBS 2003 SP1, its not required. We avoid this problem because our TempDC doesnt have the same service pack preparations as an SBS 2008 server join would involve, thus the construction is simpler and the preparations issimpler. TempDC Our typical project construction allows us to address just current Windows 2003 and Exchange 2003 updates on the TempDC. Even if you are using SBS 2003 media for construction of the TempDC, our construction path doesnt require a fully SBS 2003 installation, only the Windows and Exchange application media is installed from the SBS media. Without installing the additional SBS features we dont need to address the full suite of service packs for all those features we have no use for in our purpose. This avoids and saves you at least 2-3 hrs construction that was non-essential for a TempDC. The Kit tools provide a simple workaround against the SBS 2003 SP1 requirement blocking your setup experience.

Preparation: Original (Existing) Server Supported Media & Requirements

Existing Server: Media/Platform Prerequisites Service Packs Required

2003 Platforms: SBS 2003 Server Media (pre-R2 or R2)

Platforms: Standard or Premium Edition SP Release versions: All Media Source: All

Windows 2003 Server Media (pre-R2 or R2)

Platforms: All SP Release versions: All Media Source: All

Windows 2003 Any installed service pack

level supported (no update is required)

Exchange 2003 Any installed service pack


SharePoint 2.0 Update to SP3 prior to

moving the database

SBS 2000, BOS 2000 or Windows 2000Platforms: All Release versions: All Media Source: All

Exchange Server 2000 or 2003

Platforms: All Release versions: All Media Source: All

Windows 2000 Service Pack 4

Exchange 2000 Service Pack 3

All Media Source includes: OEM, MOPL, Retail, MSDN, Action Pack or Trial media

Service Pack & Platform Version Requirements


Page 20


Construction: TempDC and FinalDC Supported Media & Requirements

TempDC Installation Media Phase

Recommended: SBS 2003 Server Media (pre-R2 or R2)

Platforms: Standard or Premium Edition Release versions: RTM (Gold) release Slipstreamed SP2 Media Source: All



Recommended: Windows 2003 Server Media (pre-R2 or R2)

Platforms: All Release versions:All Media Source: All

Exchange Server 2003 Media Platforms: All Release versions: All Media Source: All



Compatible but not recommended: Windows 2008 Server Media (pre-R2)

Platforms: All Media Source: All Note: Windows 2008 media is not recommended for the TempDC unless you are already running Windows 2008 DCs in the production domain. The Kit documentation does not include instructions for Windows 2008 specific issues.

Windows 2003 (32-bit) Any installed service pack


32-bit platform required to host Exchange 2003 for Information Store transition


FinalDC Installation Media

Required: SBS 2008 Server Media

Platforms: Standard or Premium Edition Release versions: All Media Source: All

Exchange 2008 (Warning!) Service Pack 2 installed

as an update on SBS 2008 will break functionality without other post installation tasks.



Page 21


It used to be that you could talk about the hardware requirements for installing a server and actually be talking about, well, hardware. Times are changing. For the traditional explanation of hardware requirements for installing SBS 2008 as well as for a Swing Migration construction of a TempDC, please use the suggestions just below. These are intended for interpretation to mean that there are no Virtual Server configurations involved as host or guests as part of this decision or analysis. SBS 2008 Hardware Requirements (FinalDC)

Hardware Minimum Requirement

Processor 2.66 GHz 64-bit (x64)

Physical memory 4 GB (8G Recommended)

Storage capacity (System Partition Requirement) 60 GB

DVD drive 1

USB Port Recommended for Setup

Network adapter One 10/100 Ethernet adapter (1Gbit Preferred)

Monitor and video adapter Super VGA (SVGA) monitor and video adapter with 1024 x 768 or higher resolution

Network devices One router that supports IPv4 NAT or IPv6

Optional network devices Device required by your Internet service provider (ISP) to connect to the Internet

One or more switches to connect client computers and other devices to the local network

Source: (Microsoft) SBS 2008 Release Notes June 2008

Using Virtual Servers for SBS 2008 (FinalDC) This information provided is not intended as optimization information. This is provided only as a baseline recommendation as compared to the hardware specification above. You can assume that at least an additional 1 Gb RAM per VM should be provided on a minimally configured host (memory) partition in order to host the Virtual Server guest partition. Therefore you should add 1 Gb for the host, plus the memory environment for each guest OS you plan to use. Disk performance will generally be enhanced for the SBS 2008 running as a guest if you provide separate spindles for the host and guest operating systems to isolate disk activity.

SBS 2008 Server: Minimum Hardware Requirements


Page 22


The illustration above shows a typical workbench arrangement that you might use for the offline construction in Phases 2-5. In addition to the SBS 2008 final server hardware, you will need some spare equipment for the construction phases. Using Spare Hardware for Construction Tasks Remember, a significant advantage of Swing Migration is that you can leave the production domain unchanged, you can work with your construction LAN isolated from the production domain. For IT consultants this includes the idea of doing the majority of the construction tasks in your office, not at the customers place of business. Typically you would like to have the following items for your offline construction:

TempDC A minimal 32-bit workstation class machine to load as the TempDC Consumer grade Network Switch/Router Connects the TempDC and FinalDC USB Hard Drive Convenient for backup/restore of data to FinalDC

Please note: The TempDC is not optional, its a requirement. The optional consideration is deciding what you want to use as the TempDC. It can be anything from spare workstation class hardware to a virtual server installation if you are familiar with using that technology. You can even substitute a spare hard drive into a workstation if you have no better option. Internet Access Not Required Swing Migration procedures generally endorse not connecting to the Internet during your offline construction. Its not required by the procedure, and as a general rule you would be better off to prepare pre-downloaded copies of any service packs or updates.

Offline Construction: Temporary Hardware Requirements


Page 23


Swing Migration: TempDC Hardware Requirements Note that this is not a permanent machine requirement; you can reasonably use a workstation class machine for this temporary use. The purpose of the TempDC machine used in a Swing Migration is described in the earlier sections on the Swing Migration phases of construction.

Hardware Minimum Requirement

Processor 700 MHz 32-bit (x32)

(1 GHz or above recommended for larger transfer operations above 8G Exchange Store size.)

Physical memory 512 MB (1 GB recommended)

Disk Partitions System Partition: 8 GB

Data Partition: Up total 120 GB for Exchange only

CD/DVD drive 1

Network adapter One 10/100 Ethernet adapter

Monitor and video adapter Super VGA (SVGA) monitor and video adapter with 1024 x 768 or higher resolution

As compared with Swing Migration to a 2003 final platform, the SBS 2008 project involves a significant change in the hardware requirements for the TempDC. The new requirement is to run the TempDC as a fully functional Exchange Server during Phase 3 through Phase 5. This is necessary to facilitate the transfer of the Exchange 2003 Information Store for migration to the Exchange 2007 server. This means that the trivial TempDC requirement for Exchange 2003 to 2003 migrations is no longer applicable, we need a machine with a reasonable amount of RAM. Using Virtual Servers for TempDC in Swing Migration The information provided is not intended as optimization information. This is provided only as a baseline recommendation as compared to the hardware specification above. You can assume that at least an additional 1 Gb RAM per VM should be provided on a minimally configured host (memory) partition in order to host the Virtual Server guest partition. Therefore you should add 1 Gb for the host, plus the memory environment for each guest OS you plan to use. Data Transfer to Final Server: USB Drive based Restore At no time will the OriginalDC and the FinalDC be connected to each other. The data transfer from your original production server should be handled as a backup and restore operation. Typically you can do this using NT Backup to a USB or similar transfer hard drive. The Swing It!! Kit describes the use of NT Backup as a convenient alternative however you should certainly use more efficient products for drive imaging if you have that option.


Page 24


Swing It!! Kit Tools Tools to help with the References The table below outlines some of the tools you have available to take notes and assist you with review of your current server configuration. Details of how to make best use of these tools is summarized in Document 4 of the Kit, the Tools Reference.

Swing It!! Kit Tools

Server Transition Tools o ShareMig Shared Folder definitions/security are intelligently

recorded & re-established without duplicates or invalid entries Updated! o DNSPurge Locates and removes all DNS records related to

a specific server for faster, accurate cleanup. Updated!

Summary Notes and Status

o PrintDef Report all Printer Definitions Settings o MailAddyAll Report all email addresses by user/group Updated! o DialinBy Report all users Dialin permission status o LgnScrpt Report User Logon/Profile Legacy Settings o EventDmp Click to export all Event Logs at once Updated!

Individual User/Group Analysis

o GrpNest Report nested group memberships for a User o AdminSID Report Root Admin & Admin Group memberships

Username/SID by domain or local station

New Tools for SBS 2003 to SBS 2008!! o SwingIT AnswerFile Tool Generates a default

SBSanswerfile.xml file ready for Migration Mode and including defaults obtain for your existing server

New!

o ExchSwingTool Resolves Orphan Mailbox, mismatched attributes and public folder issues

New!

o DcGpoVerify Detect, optimize, & correct flawed DC Security Policy conditions or orphan SID references

New!

o SwingItPreSourceTool Prepares your domain configuration prior to running SBS 2008 setup New!

o ExchPfReport Analyzes and recommend public folders for required cleanup actions New!

o GPO_Review - Analyzes and recommend Group Policy Object required cleanup actions New!

Important: To run these tools you must rename them after you download them. The filename must be changed from .V_B_E to .VBE in order to execute them. Please see the note on the following page for more details.

Copyrigh Swing It!! T

Hints on Just belowsuggestioexample b

How t

ht 2004-2009 bTechnician Kit

n When to u

w you see a tyon hint box mabelow is worth

Swi

Swing incremea simplesimulta After yomuch ththem, o

Impor

Renam The toolthem fro To use tcharacte

Thereforsuch as

(In case Once thesome ad

o Perform a

by SBSmigratio Documentatio

se Tools

ypical reminday also be fouh noting as a

ing It!! To

It!! Kit Tooental progree way to crneously, wi

ou export thhey compreor send the

rtant Note

me the To

s provided wom false-posit

the tools you ers from the fi

Downloaded Use them as

re, as a convec:\swingit, the

Ren C:\swin

you wondere

e tools are redditional docu

Swing Migra

on.com on

der that will beund inline to avaluable sug

ols Tip

ol EventDess while preate a recoith a single

he logs withess using Wlogs by em

: How to U

ool Filena

ith the Kit aretive deletion b

must renameile extension.

d name: [too

s name: [tool

enient solutioen from a CM

git\*.V_B_E

ed, it doesnt

enamed, they umentation on

ation from 20

e offered as aa task page wggestion. You

Dmp can eaerforming aord of all yoclick.

h EventDmpWinZip or simmail.

Use Swin

me to .VB

e names that eby antivirus sc

e them to rem For example

lname].V_B_

lname].VBE

on, you can coMD prompt run

C:\swingit\*

matter if the n

execute with n tools in Doc

003 to SBS 2

a suggestion fwhen appropri

really will val

asily help yoa new instaour Event Lo

p, you may milar tools

g It!! Tool

BE

ends in .V_B_canners.

ove the undee:

_E

opy all these fn the followin

.VBE

name is uppe

a double-clicc4 of the kit.

008

for a tool you ate. By the wlue the Event

ou documellation. Thisogs

be surprisein order to

ls

_E to protect

erscore

files into a sing command:

er or lower cas

ck. You will al

can use. A sway, this partic

DMP tool!

ent your s tool is

ed how archive

ngle folder,

se.)

so find

imilar cular


No

ReplacingAs a pracin this prosingle DCand ExcchallengpreserviServer i

Changingmore tranchange th

possible brway th

Server GroYes, you cto replace having the performingconcurrent

How t


M

ormal 1:1 M

g One Server wctical reality, yoocess, or you mC) environmentchange Server ge in this projecng the original if they are to beg the name asssparent, but do

he name of the reak many UNChat will aggrava

Consolida

oup Replaceman apply the saa group of servsame identity.

g a hardware upt upgrade to the

Server Re

o Perform a


Multi-Serv

Migration

with More thanu might be rep

might be expandt to have multipservices on moct is to determinserver name o

e split across msociated with thoes involve somDC and it is alC path designaate the staff, or

ating

ments as a Setame theory of Svers with a newIn that proces

pgrade only, ore servers at tha

?? name

Swing Migra

on.com on

ver Swing

ReplacIn mostone eximore thExchanyour thithat onethe sam

n One Serverplacing more thding from a sin

ple DCs or a spore than one Dne if you benefon the DC or thmore than one he Exchange Sme additional cso a file/print sations at the woeven break ap

BringinThe samname cfolks wicurrentprocess

t Swing Migratiow group of servs, you can be r even do a at same time.

No SerI get thiTempDControland all candidayou readirectio Swing Mnever reor partiafor the you simprefer a

ation from 20

g and Wor

cing One Servet projects involvsting Domain C

han one existinnge and Domaiinking slightly. e server in part

me name as the

an one server ngle-server (or plit of your DC C. The main fit more from he Exchange new server.

Server can be cleanup. If you server, you will orkstations in applications.

ng Many Serveme issues disc

change, you haill want to retainly use, both to s, but here you

on vers

rver Rename ais question all t

DC? Im firmly clers, Exchangethe other depe

ates for a renamally cant save mon.

Migration neveename a serveally configurednew replaceme

mply construct tas you are build

003 to SBS 2

rkflow Var

er with One Seving Swing MigController befog DC, or if youn Controller opThe documentticular is being e previous one

a

ers down to Ocussed above aave to clean up n the actual prokeep it familiar

u have to comp

Multi-S

as a Step, we cthe time: Why c

convinced that se Servers, Webendencies involme. Its just notmuch if any tim

r applies a techer by literally ch server. For anent server to hathat new serveding it.

008

riations

erver gration, you likere the project s

u have separateperations, you wtation is based replace by a n.

Explodi

One Server apply in reverse

the impact. Oboduction server and to minimiromise.

Server Sw

can build withcant I just renaservers that arb Servers, Shalved at once art predictable. M

me trying to pus

hnical rename hanging the actny project wherave a different r using the diffe

ely have only thstarts. If you hae servers for yowill need to aligupon the prem

new server usin

ng

e. If you force abviously most

er name you ze the technica

ing

h New Name ame the re Domain repoint Serversre not good More importantsh a project in t

process. We tual name of a re your strategyname assigneerent name you

he ave our gn

mise ng

a

al

s

ly, this

full y is d, u


Page 27


Conventions in the Documentation Inline Warning, Tips, and Comments

Many references (that are not part of the actual workflow steps but are related to the situation in progress) are highlighted as sidebar information, in-line to the document steps. Each type of in-line reference includes a unique appearance (box style and color), and labeled to identify the importance it carries. Some of these entries are embedded in the Task Box format, others are standalone because they relate more to a point in the project than a technical aspect of a specific Task. As an example of a standalone comment, the Expert Tip shown below provides additional information about using ADSiEdit and NTDSutil, warning that these are very dangerous command to use on live Active Directory information. Hopefully you already realize this point, but this caution is presented here, both as an illustration of an in-line comment, and to reinforce that very point. Be careful with these tools!

Expert Tip

NTDSutil and ADSiEdit are Efficient Killers And yet, we will use them. You never see a Microsoft KB that discusses the registry editing tool Regedit without a very scary looking warning to the effect you could kill your computer with this tool, so dont blame Microsoft. Okay, its a little less blunt. Nonetheless, during this migration we dont use Regedit specifically, but we do use two other tools that make Regedit look like a beanbag weapon. NTDSutil and ADSiEdit are two of the most efficient killers of Active Directory you could ask for. Any mistake you make with these tools in a production environment would be potentially lethal disasters. Since we work offline with these tools, we have the safety of starting over, but thats about all. You should be prepared to start over from the beginning if you make a mistake. Better yet, dont make a mistake, and be certain that you read the entire step description Ive provided, and understand it fully before you press Delete! There is no Undo command here. Familiarize yourself with the process before you start to use these tools.

On the following page is an illustration of a Task Box with an explanation of the layout it provides to help you move quickly through the indicated tasks, plus some inline comments to emphasize special issues.


Page 28


Understanding the Task Frame Page Layout of this Documentation Please take a moment to review the frame below, it illustrates and explains how the documentation is formatted to make it easier for you to get more or less detailed information on every task. Note that not all Task Frames in the documentation have all of these elements. In fact, most have far fewer elements. Task # Instruction Reference Context that Applies

What This Task is All About at a Glance

Background on Why you have a particular task to do now, and information that helps you to understand if it applies to your circumstance. You probably dont need to read this section after you have done at least one project, or only if an unusual condition you have not encountered before should arise.

Important Concern

Important points that need special consideration for any project are highlighted. These tend to be very critical points you must pay attention to because if you get this wrong, you probably could end up having to redo some or all of your work, or even become blocked in this task.

Media/Tool Requirement

Media A Some tasks involve either installing a tool, or an outside resource that may be available on your original Media.

Media B In some cases, you will have different media requirements with different version of Windows.

Tasks

KB 325379

How to do this Task This section will describe the actual required task steps. Typically the steps are numbered or contain bullets to help you proceed in an orderly manner. In most cases, this section is the minimum requirements for the task. If you are familiar with this task, you probably dont need to read the Why information, just the actual steps. 1. Preparing to work a Swing Migration project the first time, you probably will be

interested to review the WHY information as well as each of the inline comments and alerts. Its educational, and I believe it helps you to remember the process.

2. Once you are familiar with the project steps, you may find that with only a glance at the title block you will know WHAT you need to do. Like any newspaper or journal, this is a headline to frame the entire topic in summary.

3. You may notice the comments sidebar to the left? In addition to label for the Expert Tips, Important Concern or Media/Tool Requirements notifications, look here for Where external references such as Microsoft KBs are cited if you want to troubleshoot something further on background references I have used, or that relate to the process.

Expert Tip The Expert Tips are generally optional information that offers optimization hints or tricks. Occasionally these may do nothing more than remind you to beware for common mistakes other have made, or assumptions you should avoid.

Technical

Background

Technical Background sections are purely educational, and opportunity for me to fill out more information than you need for the task at hand, but that either sketch in the details of the underlying logic of what you are working on, or frame the project with a different perspective. You may find references to or abstracted information from a whitepaper describing a related or alternative approach to a project step.


How Mu A lot of issjust underthat much I try to chaand knowwork:

12

3

That geneproject tak

How t


ch Time Do

sues can shar an hour or oh time alone. A

aracterize thewing your own

. Time requ

. Time requadditional customizat

. Time requhard drive,

eral summarykes a bit long

Impor

Summ I strongwithin a It is veryless thantime as w

o

o I am notcontraryopen-tim Swing Mthe projeeven if yHoweveone of th

o Perform a


Summ

oes a Swing

ape the timelinover ten hoursAn estimate o

e project scop unique cond

ired to performired to build aapplications, tions. ired to transfe, plus the Exc

y could be ester as you are

rtant Proje

mary Sche

gly encouraga fixed comp

y likely that mn 16 hours, awell, provided

A very well cocomplicationsA familiarity w

t trying to scay, I think most meline constru

Migration is noect path is thayou make a mer, the open timhe core benef

Swing Migra

on.com on

mary Tim

g Migration

ne. For instans, right? Unfoof 5-10Gb/hr.

pe in a simpleitions. Look fo

m the Swing sa new SBS 20anti-virus pro

er the data viachange Inform

timated as mie just learning

ect Note

edule Rec

e you not to letion deadli

ost people cand that manyd you have ei

onfigured ands with many of t

re anyone int anyone can uction and tes

ot hard, but it at you can alm

mistake in youmeline is not fits in your su

ation from 20

eline Con

Project Req

nce, the amourtunately, macan apply on

e manner you or the time re

steps includin008 server frooducts, line-of

a a backup anmation Store m

nimum of 12-g and working

commenda

choose youine of 3 days

an finish their y can completther:

d healthy exis

the technical

to believing thlearn the procsting.

is detailed drmost always sr steps, withoonly a benefipport options

003 to SBS 2

nsideration

quire?

unt of data yoilbox and pub

n the Exchang

can relate to equired to be t

ng the TempDom bare metaf-business ap

nd restore semove from Te

-15 hrs, thougg your way thr

ations

r first Swings or less time

second Swinte their first m

sting productio

concepts of d

his is too difficcess and app

riven project wstart over at aout starting bat for you work

s.

008

ns

u need to moblic folder migge Information

based upon the sum of th

DC constructioal to completiopplications, an

quence usingempDC to Fin

gh you may finrough the pro

g Migration e in advance

ng Migration inmigration in tha

on server with

domain/serve

cult to learn. Opreciate the va

work. A uniqua midpoint of pack at the verking in this wa

ove could requgrations can tan Store move

your experienree stages of

on and cleanuon, add any nd preferred

g media such nalDC.

nd your first cess the first

.

n at

hout

er migrations

On the alue of

e feature in progress, ry beginning. ay, its also

uire ake s.

nce f

up.

as

time.


Page 30


How Much Operations Down-Time is Involved When you perform a Swing Migration to replace an existing server with new hardware, 95% of the project tasks are performed offline and in advance of that transition point where your production domain must be taken down. Thats the point where your new server is fully constructed and you now only need to move the data over. In most cases, you more likely will take several days or a week to complete the server construction, but you can take a month if you need to. You have the option to approach the project construction time separately from the downtime as long as you are bringing in new hardware as part of the project. You can prepare the server and then schedule the transition for when its convenient. The crucial timeline pinch is the impact on productivity when you reach Phase 5 and proceed to shutdown for transfer of the Exchange and all data. In a Swing Migration where a new server is being deployed, this period determines the apparent migration time as seen by business operations because they remain in operations for all construction in the preceding time. Everything else is fairly transparent to the business operations and staff. With some experience and familiarity to the process gained, its possible to complete a full production migration, including 3rd party apps with all work completed in one long day, with data migration and interruption to the business operations following that. You might be able to handle the data migration overnight, but this may be optimistic. Practicing the project is the only way to really know the time needed. Time Required for a New Installation back onto the Original Hardware? This is the least optimized project, but its still a pretty good solution. If you are redeploying the same hardware, with or without a product upgrade, you cant work very far into the Swing Migration before you need to shutdown the original server. Its quite simple: you need the hardware for the balance of the construction. The construction time is pretty much the same as before, but you are no longer working offline, and you lose the option to put the old server back online unless you do significant disaster recovery preparations. Therefore, the disaster recovery steps in advance also add to your timeline.

Important Documentation Note!

You Have 21 Days to Complete Your Migration

SBS Product License Enforcement begins in Phase 3 Microsoft designs SBS 2003 and SBS 2008 to enforce that only on SBS server may operate permanently in a singled domain. The time limit for concurrent operations of 2 or more SBS servers is 21 days. The 21 day period countdown begins on the date you initiate the Migration Mode segment of the construction of the SBS 2008 by joining it to your SBS 2003 based domain. This corresponds to the Phase 3 construction tasks in a Swing Migration. Please refer to that section of this documentation for more details on this topic if you are concerned you cant complete your project within 21 days.


Page 31


Pre-Upgrade Disaster Recovery Precautions What follows here are recommend incremental risk analysis regarding the steps we are performing, not a full risk analysis of the business operations overall. (Note: If your project requires redeploying the original hardware, most of these points become critical. You will need a full disaster recovery plan for the entire project.) We have two perspectives on making incremental backups during this project. Obviously the highest priority is to protect against a catastrophe in the production operations. Amazingly enough, its actually possible to work the entire project with no extraordinary or extra disaster recovery preparations provided you are replacing your hardware, and you start with a System State backup to start Phase 1, and an Exchange Online backup to flush the logs, followed by an offline transfer of the files. The old server drives may be all you need as your disaster recovery backup! The second perspective: Protection against losing project progress time. You will find numerous points in the project that identify make a system state backup. This allows you to repeat a sequence of tasks if you have a construction problem. This can save you hours of reconstruction work.

Prior to Phase 1 A System State backup prior to starting is sufficient. You might be comfortable just to confirm the previous nights routine System State backup was successful. We install Service Packs, remove the Exchange Server Instant Messaging if its present. The balance is just preparing notes. If you are very conservative, you may want to make a full system recovery backup in preparing for an Active Directory recovery, assuming you are preparing for the very worst case scenario in the Phase 2 steps as well as the Service Packs.

Phase 2 (Steps A & B) The production domain is only involved during the initial steps of this

phase. During that brief period, we are connected just long enough to add our new Domain Controller to the production domain, replicate AD to it, then we disconnect. We never need to reconnect again. This step generally isnt a high-risk process. Therefore, a System State backup is usually sufficient for disaster recovery. A full AD rollback is probably not anticipated, but we will be adding a DC and DNS changes affecting AD. Technical information on how to back-out the changes to the production domain without requiring an Active Directory restore has been included here.

Phases 2 (Steps C and later) though Phase 4 At this point, we have moved to working entirely

offline, detached from the production domain. Its not necessary to do any disaster recovery process since you are working offline with a clone of the AD, the worst you can do to yourself is kill your AD or your offline DC and need to start over. The production domain isnt at risk, so this is quite safe, and efficient. Yet at the end of Phase 2 a System State backup is critical for roll-back. You may need to repeat Phase 3 more than once to get a clean installation report.

Phase 5 This is the transition point where we are ready to migrate the data and remaining

configuration. Your original server is your backup, plus whatever backup of that you have, because the original server is never introduced to the new one, it has remained unchanged.

Suppose that you are starting your Server transition for a Saturday morning, and you know you got a good complete backup of the production SBS the previous night. If nothing else, you could disable the Internet connection to make a final backup of Exchange before you shift the servers. The backup from the night before would presumably including System State, Online Exchange Stores with logs flushed, and all data files. You might move the backup device over to the new server and do the restore of the data files, but not the Exchange stores (we cant do a restore that way). The Exchange Stores could be migrated to a portable disk drive to transfer a copy over to the new server.


Page 32


Phase Zero: Migration Notes Preparation

and Domain/Server Audit

Figure 2-6 Phase 0 Domain and Server Health Evaluation


Page 33


Why a Phase 0? Project Planning and Health Review

You may be wondering, why have a Phase Zero, why not start with a phase one? The answer is that your migration tasks specific to this one unique project start in Phase One, but for now we are just going to confirm the health and configuration of the existing environment. As you begin with Phase Zero, you will make as close to zero changes as possible to your existing production server and operations unless you find that your existing Domain Controller is actually non-standard or unhealthy. Obviously, you want to start with a healthy server whenever possible. More importantly, the health check we do is intended to ensure that when you begin Phase 1, all the minimum conditions to succeed with the project are met. Once you confirm the proper configuration of the existing server, you will begin taking the notes you will need. One of the reasons for the note taking is also to confirm namespace and configuration details that are critical to your project. While this section isnt trying to walk you through process as theory, please dont be tempted to think Phase Zero is any less important that the five phases that follow it. An omission or oversight in this phase could result in a permanent condition that might lead you to work the entire project over again if you come to realize the error too late. Quite simply, if you dont go through the tasks in the section, you almost certainly will reach a point in the project where you are either stuck and the project halted in need of something you could have obtained from whats covered in Phase Zero. Even worse, you might impact upon a condition that prevents you from moving forward with the work you started without starting over or taking a different course. Phase Zero walks you through validating that you can anticipate a successful Swing Migration on this project, and helps you prepare the information you will need to have on hand as you go forward.


Page 34


Phase 0 Task Outline & Checklist Preparations

Tasks Health Audit: Namespace Part 1 1 Namespace Compliance Audit Verify critical names for server, domain, applications

Tasks Health Audit: Server and Domain Settings Part 2 1 Network Adapter and DNS Configuration Ensure normal configuration for DC operations

2 Multi-Adapter/Host Environment NIC Bindings Ensure functional configuration is established

3 NIC Services Bindings Ensure functional configuration is established

4 Default Services Configuration Confirm required DC configuration and service conditions

5 DNS Server and Forwarders Verify DNS configuration and health

6 DC and Global Catalog Health Verify AD roles and DC resolution behavior

7 Administrator Default Group Memberships Audit for required & incompatible group settings

8 Minimum Required Policy & Rights Configuration Verify and update for required rights & permissions

9 SMB Signing Configuration Audit Verify secure channel communication and policy actions

10 Single Label Domain Name Resolution Validate proper domain name configuration requirements

11 Refresh and Audit Operations Review changes from previous revisions

Tasks Health Audit: FRS Operations Part 3 1 File Replication Service Health Audit & Repair Confirm health of critical replication operations

Tasks Notes Notes Preparation 1 Prepare Migration Settings and Reference Notes Baseline information for remaining project tasks


What makto abando Microsoft Windows

How t


He

kes this sectioon the project

has introduce2000, as wel

Impor

Single What is Typical iwith a .L

Howevemean th

Single-laWindowActive D The maiblocks athe sam This is thWindow As an adfrom 200the use Exchang

o Perform a


ealth CheC

Serv

on critical is of domain/se

ed tighter naml as from Win

rtant Proje

e Label Do

a single-labe

in an SBS enLOCAL label f

Companyna

er if the Activeere is no peri

Companyna abel domain ns domain to h

Directory doma

n change moa single-label e as with Win

he only signifs 2003 doma

dded note, Fo03 version forof ADMT or Rge 2007.

Swing Migra

on.com on

ecklist: PCritical Naver, Applic

that incompaerver preserva

mespace restndows 2000 m

ect Note

omain Na

el domain nam

vironment is tfollowing the

ame.local illus

e Directory doiod in the full

ame without th

names shouldhave both a Nain name is 2

oving now intodomain name

ndows 2003.

ficant change ains or Exchan

orest Name Crward, therefoRendom tool w

ation from 20

Part 1 Eamespacecations an

atible or degraation, or alter

rictions in eacmoving to Win

ames: Bloc

me?

to name the Aroot name. Th

strates a com

omain name isforest domain

he .local is a s

d not be confuNetbios doma2-labels or m

o SBS 2008 pe. Other than

in Namespacnge 2003 org

Changes are nore a Single Lwhile still in W

003 to SBS 2

Existing e Audit nd Domai

aded namespr the path of th

ch increment ndows 2003.

cked from

Active Directoherefore:

mmon 2-label d

s only a singlen name:

single-label d

used with the in name that

more.

platforms is ththat, the nam

ce requiremeanizations.

no longer supLabel domain Windows 2003

008

Domain

n

pace conditionhe project ste

from domain

m Upgrade

ory domain

domain name

e label, this tr

omain name.

continuing feis one word

hat SBS 2008 mespace com

nts from proje

pported by Exis going to re

3 domain, pre

ns could lead eps.

s under NT 4

e

e.

ranslates to

.

eature of a , but the

Setup patibility is

ects with

change equire either e-upgrade to

you

.0 to


How t


Ex Yodo Callout becliter TheSBS.LOAD recosimthis beccon Nobtech Nobdom

o Perform a


xpert Tip

ou do NOTmain nam

l it a myth or cthere on the

cause it is not ral name as y

e confusion orS 2000 refereCAL extensiodomain and pommends youply because yis their sugge

cause it doesnfuses it, but it

body should tohnically just b

body should bmain name to

Swing Migra

on.com on

T need to me to com

call it confusioquestion of reusing .LOCAour public do

riginates fromences and wizon as part of apublic facing u use .LOCALyou have to pestion. They ant really help t doesnt brea

oss out an execause it doe

be concerned the public do

ation from 20

revise anply with .L

on, there is juenaming an eAL in the domamain.

m some badly zard details. Itan SBS domaInternet domaL if you are crpick somethinalso recommesimplify your

ak it regardles

xisting domainesnt comply w

about matchomain name.

003 to SBS 2

n existing LOCAL

ust bad informexisting domaain, or is the s

worded docuts never beenain. Its also nain name matreating your fg when you send not usingr configurationss.

n or attempt towith .LOCAL.

ing or not ma

008

SBS

mation in just same

umentation in n critical to ha

not a problem tch. Microsoftirst AD domastart from scrag your public dn, and potenti

o rename it

atching the AD

the ave the if your

t in atch, domain ally it

D


Page 37


Here is a summary of what is covered in the balance of this section in more detail and included troubleshooting and workaround options to resolve established conditions you have inherited. Depending upon what you discover in reviewing that table, you may find that you will not be able to preserve you existing domain. Potentially, the complications or blocks are so severe, you might start over.

Namespace Summary Guidelines: Restricted Characters

Namespace Situation Explanation

Namespace Character for: o DNS Domain o Netbios domain o Domain Controller Servers o Exchange Servers

o Uppercase letters A through Z o Lowercase letters a through z o Numbers 0 through 9 o Hyphen

Exchange Server Organization Name o All characters as above, plus the space

character is allowed for natural text naming phrases with spaces included.

Most Compatible Domain Name (examples)

o Private.Lan o [GenericName].Local

(provided no Mac computers involved)

Namespace Guidelines: Preferred Naming Choices

AD Domain Name Conditions to Avoid Explanation

To avoid Mac computer complications, do not use .LOCAL

Requires additional configuration of the Mac computers to operate

Do not use the exact public Internet domain name (.COM) for your internal domain name, make them different.

Requires additional DNS record configuration to enable browsing a web hosted website by that name.

Avoid a literal business name for the internal domain name to avoid a future need for renaming it

Renaming the internal domain is complicated, potentially requires a full reinstallation of the entire domain.

Do not reinstall a domain only for a cosmetic namespace change Use the recommended workarounds.

If you find issues identified in the table above that you want to understand with more background explanation, refer to the Domain Audit Guide available from the SBSmigration.com website.


Page 38


Task 1 Namespace Audit Phase 0 Part 1

Blocked Namespace Checklist Windows 2000/2003 Domains

The namespace information below can be critical to your ability to even complete a project, therefore this first task is very important. You need to pay special attention to Domain name and Server name references.

Namespace Planning and Review Allowed Namespace in this next series of tasks applies to any names for: o DNS Domain (Active Directory) o Netbios domain o Domain Controller Servers o Exchange Servers Warning: The underscore _ is no longer supported for use in Windows 2003 based domains. SBS 2003 setup blocks it, as do Exchange Server 2003 setup.

Note: You will be provided a separate list of characters for the Exchange Organization allowed character set.

Task 1.1 Critical Namespace Character Restrictions

Compliant Character Set o Uppercase letters A through Z o Lowercase letters a through z o Numbers 0 through 9 o Hyphen Note: Any additional characters previous allowed in namespace for Windows 2000 or Exchange 2000, but not in the list above, should be considered incompatible for continued future use, therefore a namespace to abandon. Verify each of the following, you can use the table below to record the names if you want.

Validation Server and Domain Namespace

; DNS Domain Name AcmeDomain.local

; NetBios Domain AcmeDomain

; Server Name (DC) Server01

; Server Name (Exchange)Server01

Continued with following page


Page 39


Task 1.2

KB 226144

Netbios domain name o NetBIOS domain name has a 15-character limitation. o Do not use dotted netbios names. Instead, use a hyphen when a dot is needed. Note: NT4 Netbois Domain names can be renamed fairly easily before entering an upgrade to an Active Directory domain. Renaming a Domain after creating Active Directory is a signification project and should be avoided.

Task 1.3

DNS Domain Name o DNS does not allow all numeric character domain name, or first label. (For example:

123456.local is not allowed)

Task 1.4

KB 245809 KB 295710 KB 222823 KB 241980

Domain Controller Name Active Directory domain names on DCs are restricted in total character length. Dcpromo.exe maintains a limit of 52 characters for the fully qualified DNS domain name. (UTF-8 byte characters)

Task 1.5 Exchange 200x Organization Name

o Uppercase letters A through Z o Lowercase letters a through z o Numbers 0 through 9 o Dash or hyphen o Space Note: LegacyDN can be used for a workaround on retaining the Information Store with an Organization Name that isnt compliant. The name of the new Exchange Server used to mount that legacy store must be compliant to current requirements, even if LegacyDN is used to workaround a non-compliant condition in the Information Store namespace.


How t


He

Ex ImAd Do rathstan For WinFromprobstar The25%proj Withchafactsho

o Perform a


ealth CheExisting D

xpert Tip

portant Hdjustment

not think theher these arendards.

instance, supndows 2003 Sm there, you bably find yourted because

e problem that% of the serveject because

hout meeting nce of hitting t, you might nuld take the t

Swing Migra

on.com on

ecklist: PDCs Reco

ealth AudRecomm

ese are Swine standard he

ppose if you wServer as the try out a Swinu dont need athey are alrea

t we face in der project I gethey didnt ins

these minimua problem inot even see atime to review

ation from 20

Part 2 Eommende

dit and Coendations

ng Migration ealthy doma

wanted to do first new Domng Migration fany of these tady establish

doing a Swingt support reqspect the hea

um requireme Phase 2, 3 oa preventablew the health o

003 to SBS 2

Existing ed Configu

onfiguratios

prerequisitein configura

a lab test youmain Controllefrom that macthings to be ined.

g Migration is uests on ran alth of the orig

ents, you stanor 4 that coulde problem untf your existing

008

Domain uration

on

es, tion

u built a new er in a new dochine, and yonspected to g

that approximinto a problemginal server!

nd a pretty god be preventeil Phase 5. Yog server.

omain. u would

get

mately m in the

ood ed. In ou


Page 41


Task 1 NICs set to Internal DNS Only Phase 0 - Locally at Each DC

All Network Adapters DNS entries must point only to internal domain DNS Servers

An Active Directory server that is hosting DNS must have its TCP/IP settings configured properly. TCP/IP on an Active Directory DNS server must be configured to point to itself to allow the server to register with its own DNS server. On a DNS Server, remove any DNS entries on all TCP/IP network interfaces which refer to Internet based DNS Servers. Configure each interface, both internal and external, to point only to the DNS Servers own primary LAN IP, or another internal domain DNS Server as your option. The DNS Server Forwarders feature is the only location where Internet DNS Servers should be configured.

Expert Tip

As an example, if your SBS 200x Server uses the internal IP of 192.168.16.2 for the LAN IP and is the only DC and DNS Server in your domain, the correct and normal configuration is to list only this IP on all NIC entries to indicate DNS Servers. Do not use NIC entries like these (each of these are wrong):

o Loopback 127.0.0.1 o ISP DNS Servers o The NIC IP on your server facing externally o DNS Servers in remote sites over slow connections

KB 260371 To view the current IP configuration, open a command window and type ipconfig /all to display the details. You can modify the DNS configuration by following these steps: 1. Right-click My Network Places, and then click Properties. 2. Right-click Local Area Connection, and then click Properties. 3. Click Internet Protocol (TCP/IP), and then click Properties. 4. Click Advanced, and then click the DNS tab. Configure the DNS information as

follows: a. Configure the DNS server addresses to point to the DNS server (itself).

Typically this should be the computer's own internal LAN IP address. b. If the resolution of unqualified names setting is set to Append these DNS

suffixes (in order), the Active Directory DNS domain name should be listed first (at the top of the list).

c. Verify that the DNS Suffix for this connection setting is either empty (nothing set), or the same as the Active Directory domain name if present.

d. Verify that the Register this connection's addresses in DNS check box is selected (enabled).

5. At a command prompt, type ipconfig /flushdns to purge the DNS resolver cache, and then type ipconfig /registerdns to register the DNS resource records.

The table below provides an overview of related information in summary form:

Technical Hint: Key network settings on multi-homed DC/ DNS/ Exchange Servers like an SBS would typically be configured in this way:

Network Interface Connections > Primary NIC Internet Other Subnet

IP Assignment Static LAN IP Web IP As needed

Default Gateway (set on 1 NIC only) Gateway

DNS Server (point to self) LAN IP LAN IP LAN IP

Register Connection in DNS enabled disabled enabled

WINS/Netbios/Microsoft Networking enabled disabled disabled

DNS Request Listen On Interface enabled disabled enabled


Page 42


Task 2 NIC Binding Order Phase 0 - Locally at Each DC

Network Interface Bindings Interface Order

Primary LAN IP connected NIC must be at the top of the connections bindings order list.

Next Task Continues from here

To set the network bindings options:

1. Open the Network Connection properties from Control Panel or right-click on My Network Places icon in Windows Explorer.

2. Navigate from the top menu bar option:

Advanced Advanced Settings Adapter and Bindings

3. Sort all NICs in order at the top of the list in the Connections items, specifically placing the NIC with the primary LAN IP at the first position at the top.

4. Click Apply, but do not close the panel. Note: Do not exit the Bindings Panel, your next task resumes with the additional steps performed in the WINS/Netbios Service bindings options.

Task 3 Network Service Bindings Phase 0 - Locally at Each DC

Network Services Bindings WINS/Netbios Services bound only on the primary LAN Network Adapter

The following services should not be bound to the Internet connected NIC, or to more than one network adapter on a DC or DNS Server:

o Client to Microsoft Networking o Microsoft File and Print Service

Bindings for these services to more than one interface on a Domain Controller can cause internal network services to act in abnormal, even a bizarre manner. Binding these services to Internet facing interfaces can become a security threat exposure.

Task steps continued

from above

Beginning with or continuing from the steps indicated in the previous task item just above for correcting the Network Binding Order, next do the following additional steps:

1. Select the primary LAN IP NIC in the Connections list. 2. In the lower are indicated as Bindings for [connection name] review each protocol and

service bound to your internal LAN requires indicated as enabled with a checkbox entry. At a minimum this will normally include: Internet Protocol (TCP/IP) bound to both: o Client for Microsoft Networks o File and Printer Sharing for Microsoft Networks

3. As you review each additional Connection item (network interface) other than your primary LAN connection, you must now disable the bindings for those two same two services. Only the primary LAN IP NIC should be bound to the Microsoft Networks related protocols.

4. Close the Advanced Settings panel when you finish the adjustments for this task.

Note: These changes do not disable TCP/IP on your other interfaces, only the layer of Microsoft Networks protocols. Your Internet traffic will continue to flow normally. If you use a VPN, the Microsoft Networks can still be supported inside the tunnel as well.

Important Concern

Reboot Required for Completion: Modifications in Task 2 or 3 may require a reboot to take full affect with startup services. You may continue forward immediately and reboot at the final task.


Page 43


Task 4 Services Phase 0 - Locally at Each DC

Services required to be installed and running

Its quite possible for a solo DC in a standalone domain to operate normally in supporting client request, yet not have the minimum required services in order to embrace replication operations, or for adding and maintaining additional DCs in the domain. Dont assume that if your existing DC is operating normally, that a DCpromo of an additional DC will complete successfully.

KB 829623 KB 324418

From the Manage Computer console (right-click on My Computer, choose Manage), review the services listed. To review the installed Services list: 1. Right-click on My Computer, choose Manage. 2. Expand Services and Applications. 3. Expand Services. 4. For any service in the list below which is to be set for Automatic, if it is not currently

started, enable and start it.

Distributed File System DNS Client DNS Server File Replication Service Kerberos Key Distribution Center Net Logon Remote Procedure Call (RPC) Security Accounts Manager Server TCP/IP Netbios Helper Service Workstation Windows Time

Automatic

Distributed Link Tracking Client Remote Procedure Call (RPC)

Locator Manual

Distributed Link Tracking Server Intersite Messaging

Disabled (for SBS, single site domains)

Windows Firewall / Internet Connection Sharing Important Concern (see below)

Important Concern

Note: Windows Firewall / Internet Connection Sharing is an unusual case here. However, if the Firewall is active on a LAN connected NIC, it may also prevent normal replication with other Domain Controllers. You can disable the service, or filter it on the LAN connected NIC to allow replication. You may also see later that this service reactivates again due to Group Policy enforcement refresh. You should not disable the firewall if the machine is otherwise unprotected and still connected directly to the Internet.

Expert Tip

If a service listed above is not installed, consult the Windows Components options in Add/Remove Programs to add it.

Other than the firewall service, for any service in the list above which is suggested to be set for Disabled, theres no harm to have that service running. For the DCpromo steps of adding a Domain Controller, our greatest concern is that the minimum number of services required are running, not that we halt others.


Page 44


Task 5 DNS Forwarders Phase 0 - Locally to Each DNS Server

Use Forwarders to resolve Internet based

DNS addresses

In earlier tasks for this Phase 0 you are instruction Do not include Internet DNS Servers on the network adapter based DNS references list. You may be confused how Internet DNS can be resolved in that approach, so this is the answer. After you configure the network adapters for Primary and Alternate DNS Server settings to point to itself, you now should either set Internet based DNS Servers using the Forwarders option or allow Root Hints to resolve Internet Addresses. Root Hints are the top-level Internet DNS servers list. This is further explained in the previous task discussion.

KB 260371 1. Start the DNS Management console.2. Right-click the object named for this server, and then click Properties. 3. Click the Forwarders tab.

Note: Windows 2000 Servers may provide a tickbox selection you must enable to allow the configuration or addition of Forwarders entries.

4. You will see a set of controls that allow you to Add, Remove or change the order of

swing it doc1 swing migration 2008 rev1.06

Documents

swing migration

range of swing

reference kit

kit information

technician kit documentation

sbs server replacement

author jeff middleton

domain migration