Amy Babinchak (MVP) takes your SBS questions Wednesday morning. See http://technet.microsoft.com/talk for air time, topics and guests.

Episode 3 - Small Business Server with Amy Babinchak (2/2/2011) Registration open.

So you use another patching tool and don't want WSUS on your SBS 2011?  Can you uninstall WSUS?

No, please don't.  Doing so will cause WSUS uninstallation to remove the suscomp.dll from the server.  The problem is it doesn't remove it from the IIS config file. 

Cleaning up WSUS Failed Upgrade on SBS 2008:
http://www.sbsfaq.com/?p=2381
HTTP Error 500.19 on SBS 2008:
http://www.sbsfaq.com/?p=2379

So what's the best way to shut off WSUS but not mangle IIS?  You can turn off UpdateServices service and the Windows Internal Database (assuming that you don't have a line of business app using this inside the services. 

Or you can disable all the approval but keep the WSUS engine in place to be an 'auditing' tool of your OTHER patching tool.

To do this go into the security tab on the server and do the following adjustments to the default settings.

Then launch the WSUS console and make an edit in the products and classifications.

Never change the side of "Products" as that will turn the WSUS integration off.

On the classifications tab, add feature packs and updates.  Don't check drivers or tools.

Now the WSUS is set to audit your normal patch tool.   It won't deploy patches, it will just compare your network to what WSUS sees as should be installed. 

When you finish migrating your settings and data to Windows SBS 2011 Standard, you should run Microsoft® Windows® Small Business Server 2011 Best Practices Analyzer.

 Windows SBS 2011 BPA examines a server that is running Windows SBS 2011 Standard, and then it presents a list of issues, errors, and other information, which are sorted by severity, that you should review. The list describes each issue, and it provides a recommendation about what you should do to resolve the issue. The recommendations are developed by the product support organization for Windows SBS 2011 Standard.

For more information about Windows SBS 2011 BPA, see Using the Microsoft Windows Small Business Server 2011 Standard Best Practices Analyzer (http://go.microsoft.com/fwlink/?LinkID=207300 ).
To download Windows SBS 2011 BPA, go to the Microsoft Download Center (http://go.microsoft.com/fwlink/?LinkID=206767 ).

So if you are wondering why the BPA is a little... well ... it makes you think it didn't run at all... hang loose as there's an all encompassing BPA being built that will BPA Aurora, SBS v7 (aka SBS 2011 standard) and Breckinridge (Storage Server).

So if you think the BPA didn't run... it did... stay tuned as there will be updates in this area.

Delete DNS entries of the Source Server for Windows SBS 2011 Standard migration

After you decommission the Source Server, the DNS server still contains entries that point to the Source Server. Delete these DNS entries.
 To delete DNS entries that point to the Source Server
1.    On the Destination Server, click Start, click Administrative Tools, and then click DNS.
2.    In the User Account Control dialog box, click Continue.
3.    In the DNS Manager console, expand the server name, and then expand Forward Lookup Zones.
4.    Right-click the first zone, click Properties, and then click the Name Servers tab.
5.    Click an entry in the Name servers text box that points to the Source Server, click Remove, and then click OK.
6.    Repeat step 5 until all pointers to the Source Server are removed.
7.    Click OK to close the Properties window.
8.    In the DNS Manager console, expand Reverse Lookup Zones.
9.    Repeat steps 4 through 7 to remove all Reverse Lookup Zones that point to the Source Server.

The Windows SBS Console displays Active Directory Domain Service (AD DS) computer objects that are in or nested in the Windows SBS 2008 default Organizational Unit (OU), OU=<DomainName>\MyBusiness\Computers\SBSComputers. If you want to manage computer objects that were natively joined to the domain, you must move the computer objects into the default OU.
 To move computer objects to the default OU for Windows Small Business Server 2008
1.    On the Destination Server, click Start, click Administrative Tools, and then click Active Directory Users and Computers.
2.    In the Users Account Control dialog box, click Continue.
3.    In the navigation pane, expand <DomainName>, and then expand the Computers container or the container where the computer objects are located.
4.    Expand the MyBusiness container, expand the Computers container, and then expand the SBSComputers container.
5.    Drag and drop the computer objects from their current location to the SBSComputers container, and then click Yes in the warning dialog box.
6.    When you finish moving the computer objects, close Active Directory Users and Computer.
7.    Open the Windows SBS Console.
8.    In the navigation bar, click the Network tab, and then click Computers.
9.    Verify that all of the computers on your network are displayed.

What does all that mean?  If you manually join a PC to the domain, you'll need to move them to the My Business OU if you want them in the SBS console. 

Let's try this again... as that was from the old SBS 2008 migration docs that I somehow copied accidentally.  Manually joined PCs will automagically be placed the the SBScoumputers organizational unit. The only reason they wouldn't be is if they were created in another OU prior to officially joining the PC to the domain.

The Windows SBS 2011 Standard Console displays AD DS computer objects that are in or nested in the Windows SBS 2011 Standard default organizational unit (OU), OU=<YourNetworkDomainName>\MyBusiness\Computers\SBSComputers. If you want to manage computer objects that were natively joined to the domain, you must move the computer objects into the default OU.
 To move computer objects to the default OU
1.    On the Destination Server, click Start, click Administrative Tools, and then click Active Directory Users and Computers.
2.    In the Users Account Control dialog box, click Continue.
3.    In the navigation pane, expand <YourNetworkDomainName>, and then expand the Computers container or the container where the computer objects are located.
4.    Expand the MyBusiness container, expand the Computers container, and then expand the SBSComputers container.
5.    Drag-and-drop the computer objects from their current location to the SBSComputers container, and then click Yes in the warning dialog box.
6.    When you finish moving the computer objects, close Active Directory Users and Computers.
7.    Open the Windows SBS 2011 Standard Console.
8.    In the navigation bar, click the Network tab, and then click Computers.
9.    Verify that all of the computers on your network are displayed.

The only thing you need to move is Servers out of the SBSComputers OU into the server bucket.  You'll notice this mostly wtih Terminal Server/Remote Desktop Servers.  (more on this in an upcoming blog post)

Next up is clean up time... first up we need to give the built in admin the right to log on as a batch job.

Give the built-in Administrator group the right to log on as a batch job for migration
 Note
After you migrate, you should give the Administrator group the right to log on as a batch job.
After you migrate an existing Windows SBS 2003 domain to Windows SBS 2011, verify that the built-in Administrator group still has the right to log on as a batch job to the Destination Server. Administrators need this right in order to run an alert on the Destination Server without logging on.
 To give the built-in Administrator group the right to log on as a batch job
1.    On the Destination Server, click Start, click All Programs, and then click Administrative Tools.
2.    In the Administrative Tools menu, select Group Policy Management.
3.    In the Group Policy Management console tree, click Forest: <ServerName>, and then click Domains.
4.    Click the name of your server, expand Domain Controllers, right-click Default Domain Controllers Policy, and then click Edit.

5.    In the Group Policy Management Editor, click Default Domain Controllers Policy <ServerName> Policy, expand Computer Configuration, and then click Policies.
6.    In the Policies tree, expand Windows Setting, and then click Security Settings.
7.    In the Security Settings tree, expand Local Policies, and then click User Rights Assignment.

8.    In the results pane, scroll to and then click Log on as a batch job.
9.    In the Log on as a batch job Properties dialog box, click Add User or Group.

10.    In the Add User or Group dialog box, click Browse.
11.    In the Select Users, Computers, or Groups dialog box, type Administrators.
12.    Click Check Names to verify that the Administrators group appears, and then click OK three times.

CiNPA SBS 2011 LoadFest, Server build of SBS 2011 in Cincinnati Ohio w/ Kevin Royalty, Matt Hester & Tim Barrett timbarrett on USTREAM. Technology:
http://www.ustream.tv/recorded/12326012

http://www.ustream.tv/recorded/12323588

Watch the "server build day" of the Cinn Ohio Load fest of SBS 2011.

What's that log file location he's talking about?  Same as it was in SBS 2008:

http://blogs.technet.com/b/sbs/archive/2008/10/01/key-small-business-server-2008-log-files.aspx

http://www.youtube.com/watch?v=qHS3lTrvypo&feature=player_embedded#

http://www.youtube.com/watch?v=YlgiOz4ujTs&feature=related

Hang on, I'd have to donate my Mini Cooper to find out.... hmmm maybe not a good idea then. 

So now that the data is over on the new server, the Exchange is migrated, we have a GOOD backup.. now and ONLY now do I start the patching process.

You can pick another time in the process that you feel comfy but please always do it AFTER a backup.

But my rule is to NEVER EVER do updates during the intial install of the server.  Ever.

More migration docs posted online tonight:

In my real migration at the office, at this point in the migration I turned off the SBS 2003 rather than immediately dcpromo-ing it to ensure that I hadn't forgotten anything still hooked to the SBS 2003.  Remember you will be removing this server and having to reinstall it.  You cannot dcpromo down the SBS 2003 and leave it as a member server. 

Physically disconnect printers that are directly connected to the Source Server
Before you demote the Source Server, physically disconnect any printers that are directly connected to the Source Server and are shared through the Source Server. Ensure that no Active Directory objects remain for the printers that were directly connected to the Source Server. The printers can then be directly connected to the Destination Server and shared from Windows SBS 2011 Standard.

Moving from a 32bit printer world to a 64 bit printer world is a bit painful... I'll do a series of blog posts on how to do this exactly... stay tuned for more.

For now just move the printers around and plan ahead for 64bit drivers and possibly 32bit workarounds.

<FOR ANYONE READING THIS AFTER THE FACT -- PLEASE READ THIS CAVEAT FIRST:>

Please note, I got here because I got stuck.  This isn't how you should normally uninstall or remove Exchange.  Normally you just go into add/remove and do it from there. Remember I got stuck here.  I also had previously moved the recepient update services ahead of time.  I also had a safety net.  I had a full backup of the entire server.  I had a system state backup of the server.  I knew that I could dig myself out of a hole and call in support if I needed to.    Do not start ripping out Exchange without knowing that you have a backup, a system state backup and a safety net.  This should be your absolute last resort should you get stuck.  Got it?

It's party time on a Friday night and I'm manually ripping out Exchange...wooo hooo!  (yeah yeah I need a life, what can I say)

http://support.microsoft.com/kb/833396

This article describes the steps to automatically or manually remove Microsoft Exchange Server 2003 from your computer.

Before you can remove Exchange Server 2003, you must disconnect all mailbox-enabled users from the mailboxes on the Exchange server. After all mailbox-enabled users have been disconnected, you can use the Exchange 2003 Setup program to remove Exchange Server 2003.

However, you may be unable to use the Exchange 2003 Setup program to remove Exchange 2003. In this scenario, you can manually remove Exchange 2003. To do this, you must first stop and disable all Exchange services. You can then use Registry Editor to remove registry keys that are part of the Exchange installation. After you have removed the registry keys, you must remove and then reinstall Internet Information Services (IIS). Then, you must reinstall any service packs or security updates that are installed on the server.

Actually I don't need to reinstall IIS as I'm going to dcpromo down this server.

If you must remove Microsoft Exchange Server 2003 from your computer, you must first disconnect all mailbox-enabled users from the mailboxes on the Exchange server. You can then run the Exchange Server 2003 Installation Wizard. In the wizard, click the Remove option for the installed components on the Component Selection screen.

However, if you cannot use the Exchange Server 2003 Installation Wizard to remove Exchange Server 2003, you can use Registry Editor to manually remove the registry settings for Exchange Server 2003.

I know that all the mailboxes have moved so we don't need to nuke users..

Use the Active Directory User and Computers snap-in to disconnect all mailbox-enabled users

You cannot remove the Exchange Server 2003 components if the Exchange server still has mailboxes for mailbox-enabled users. To use the Active Directory User and Computers snap-in to disconnect all mailbox-enabled users, follow these steps:

Ignore these steps all of my mailboxes don't say "legacy" in the SBS 2011 so I know they have moved.

Run the Exchange Server 2003 Setup program to remove the installed components

You can remove the Exchange components by running the Exchange Server 2003 Setup program from Programs and Features in Control Panel on the computer that is running Exchange Server 2003. To do this, follow these steps.

Note Because there are several versions of Microsoft Windows, the following steps may be different on your computer. If they are, see your product documentation to complete these steps.

1. Click Start, click Control Panel, and then click Add or Remove Programs.
2. In the Currently installed programs list, right-click Microsoft Exchange, and then click Change/Remove.
3. In Microsoft Exchange Installation Wizard, click Next.
4. In the Action list on the Component Selection page, click the down arrow next to each component that has been installed, and then click Remove.
   
   Note Installed components have a check mark in the Action list. When you click Remove, the check mark is replaced by the word Remove.
5. Click Next two times.
6. Click Finish.

In the case of SBS you are supposed to remove Exchange by going into Windows Small Business Server 2003 (just the 2003 not the 2003 r2 section of add/remove) click on it, and when the integrated components of the server pop up and you see Exchange pull the arrow key down to remove.

If we scroll up to where Exchange is separately listed.. we can't remove it from there

So now we need to stop the services...

Manually remove Exchange Server 2003

If you cannot remove Exchange Server 2003 by using Add or Remove Programs, you can use Registry Editor to remove the Exchange entries from the registry. Before you edit the registry, you must stop and disable all Exchange 2003 services on the computer.

Stop and disable the Exchange Server 2003 services

The following table lists the core Exchange Server 2003 services.

To stop and disable the Exchange Server 2003 services, follow these steps:

1. Click Start, point to Programs, point to Administrative Tools, and then click Services.
2. In the Name list, right-click an Exchange service, and then click Stop.
3. After the service stops, right-click the Exchange service again, and then click Properties.
4. In the Startup Type list, click Disabled, and then click OK.
5. Repeat steps 1 through 4 for every Exchange service.

I've disabled the services that are left

Now we have to remove the registry keys

Use Registry Editor to remove the Exchange registry keys

Important This section, method, or task contains steps that tell you how to modify the registry. However, serious problems might occur if you modify the registry incorrectly. Therefore, make sure that you follow these steps carefully. For added protection, back up the registry before you modify it. Then, you can restore the registry if a problem occurs. For more information about how to back up and restore the registry, click the following article number to view the article in the Microsoft Knowledge Base:

1. Repeat steps 2 and 3 for the following registry keys.

Did that.... but now when they ask me to use the Exchange system manager to remove Exchange stuff from AD I can't.

Remove the Exchange Server 2003 server from Active Directory

To remove the Exchange Server 2003 server from Active Directory, follow these steps.

Note This procedure removes all references to the server in Active Directory. It also removes the mailbox-enabling attributes from all Active Directory users who have mailboxes on the server that you removed.

1. Click Start, point to Programs, point to Microsoft Exchange, and then click System Manager.
2. Expand Administrative Groups/Your_Administrative _Group_Name/Servers.
   
   Note In this step, replace Your_Administrative _Group_Name with the name of your administrative group.
3. Right-click the name of the Exchange Server 2003 server that you want to remove, click All Tasks, and then click Remove Server.

Not to fear, we have adsiedit to the rescue.

If you cannot install or run Exchange System Manager, you can use the Active Directory Service Interfaces (ADSI) Edit snap-in to manually remove enough of the server attributes so that you can try a successful reinstallation. This method does not perform cleanups of references to the server object outside the server's own container. We do not recommend that you use this method unless you intend to immediately reinstall the server in the same administrative group. This is because you may have to manually remove or edit many attributes on objects throughout Active Directory.

The ADSI Edit snap-in is available in Windows Support Tools. For more information about how to install Windows 2000 Support Tools, click the following article number to view the article in the Microsoft Knowledge Base:

Warning If you use the ADSI Edit snap-in, the LDP utility, or any other LDAP version 3 client, and you incorrectly modify the attributes of Active Directory objects, you can cause serious problems. These problems may require that you reinstall Microsoft Windows 2000 Server, Windows Server 2003, Microsoft Exchange 2000 Server, Microsoft Exchange Server 2003, or both Windows and Exchange. Microsoft cannot guarantee that problems that occur if you incorrectly modify Active Directory object attributes can be solved. Modify these attributes at your own risk.
To use the ADSI Edit snap-in to remove an Exchange Server 2003 server from an Exchange Server 2003 administrative group, follow these steps:

1. Click Start, point to Programs, point to Windows 2000 Support Tools, point to Tools, and then click ADSI Edit.
2. Expand the following items:
   Configuration Container
   CN=Configuration, DC=Domain_Name,DC=com
   CN=Services
   CN=Microsoft Exchange
   CN=Your_Organization_Name
   CN=Administrative Groups
   CN=Your_Administrative_Group_Name_Or_Exchange5.5_Site_Name
   CN=Servers
   Note In this procedure, Domain_Name represents the name of your domain, Your_Organization_Name represents the name of your organization, and Your_Administrative_Group_Name_Or_Exchange5.5_Site_Name represents for the name of your administrative group or Exchange Server 5.5 site.
3. Right-click the Exchange Server 2003 server object, and then click Delete.
4. Click Yes in every adsiedit dialog box that prompts you to confirm the deletion

I can't remember if I installed this on here or not.. but all I had to do was type in adsiedit.msc and it launched the interface.  Now on this one be careful as you can blow up Cleveland in here.

See where we are at?

 Under Servers it will list your old SBS 2003.

See where you are at? 

1. Right-click the Exchange Server 2003 server object, and then click Delete.
2. Click Yes in every adsiedit dialog box that prompts you to confirm the deletion.

Go look again at what you are deleting and where you are.  You are under the CN=first administrative group and are deleting out the OLD SBS 2003 box.

Are you really sure?

Delete the container?

So right about now you are probably wondering why I didn't just nuke the "CN=first administrative group" right?

Microsoft recommends that you do not remove the original Administrative groups from an organization.

My nicely migrated SBS production 2008 box to this day lists both the Exchange Administrative Group from Exchange 2007 and the first administrative group of SBS 2003

So if you have manually gone in and just nuked that first administrative group thinking that that will not cause issues, guess again, public folders and other such things want that folder there.

So to review, you want to delete the SERVER name out of that adsiedit.msc, you do NOT want to delete that CN=first administrative group that you see there.  Regardless that that's the name of the Exchange group in Exchange 2003, you keep it on the server even after you just have Exchange 2010 in the network.

If an antivirus product indicates that it works on SBS v7 would I install it on SBS 2011?

Take for example this system requirement from this vendor:

http://us.trendmicro.com/us/products/sb/worry-free-business-security/system-requirements/  


*    Windows Small Business Server 7 Beta: No Service Pack
*    Windows Small Business Server V2 Beta: No Service Pack

A reasonable person would look at that system requirement for the product and go ...hey... for sure it must support SBS 2011 standard .. it says it supports Server 2008 R2, it says it supports Exchange 2010... it says it supports SBS v7 beta ... why wouldn't it work on SBS 2011 standard, the released product.

Until an antivirus product specifically says that it works with SBS 2011 standard, don't assume.
So Susan what antivirus do you trust to install on SBS 2011 standard right now? 
Uh... none.
...Susan?  None?  What do you mean none?
I mean none.  No vendor has a version out right now that I would trust just yet on SBS 2011 standard.
...but...but... what do we do?
Install antivirus on your desktops.  Have a mail hygiene filtering like www.Exchangedefender.com, Reflexion or Postini.  Check what end point filtering your firewall can do.  Utilize the paid version of www.opendns.com and for now hold tight until there is an product that specifically states SBS 2011 and that has showcases solid performance.  I haven't heard enough "this works great!" yet in the community from any one just yet.

Stay tuned. 

So if you get something stuck in removing your Exchange 2003

Never fear you can manually pick out Exchange 2003 if you really and truly get stuck.

How to remove Exchange Server 2003 from your computer:
http://support.microsoft.com/kb/833396

Hitting cancel thought keeps the uninstall process going...

Hang on I may have googled up something else that refers back to something I wrote eons ago.. (how funny)

So for some other KBs that you might stumble on if you have issues....

Error message when you try to remove Exchange Server 2003 or Exchange 2000 Server: "0x80072030 (8240): There is no such object on the server":
http://support.microsoft.com/kb/283089

Error: "Setup failed while installing sub-component Exchange ActiveSync with error code 0xC0070643 (please consult the installation logs for a detailed description). You may cancel the installation or try the failed setup again." while installing Exchange 2003 SP2:
http://camie.dyndns.org/technical/ex2003-sp2-msxml3/

Actually I'm kinda glad this old image of a SBS 2003 didn't cleanly uninstall like my real one did.  Stay tuned to a Friday night fest of manually removing an Exchange 2003 box.

Do I know how to party or what?

To remove Exchange Server 2003 from the Source Server, click Windows® Small Business Server 2003 in Add or Remove Programs, and then click Remove. Follow the instructions to finish the procedure.

At this step you need ANY SBS 2003 media not necessarily YOUR SBS 2003 media.  I downloaded media and then attached the ISO as a DVD to the SBS 2003.

You'll need just disk 2 of SBS 2003

Now go into add/remove programs.

click next on this one

Oh but wait ..what's this error?

I removed the connectors earlier....

For detailed instructions about how to complete these steps, see the section “To remove the last Exchange 2003 or Exchange 2000 server from an Exchange 2007 organization” in the article "How to Remove the Last Legacy Exchange Server from an Organization" at the Microsoft Web site (http://go.microsoft.com/fwlink/?LinkId=141927).

1.   Move all mailboxes.

2.   Move all contents from the public folders.

3.   Move the Offline Address Book Generation Process.

4.   Remove the public folder mailbox and stores.

5.   Verify that you can send and receive email to and from the Internet.

6.   Delete the routing group connectors.

7.   Delete or reconfigure the Mailbox Manager policies.

8.   Move the public folder hierarchy.

9.   Delete the domain Recipient Update Services.

10.  Delete the Enterprise Recipient Update Service.

You read this one and go... uh.. we just did most of this.

9.   Delete the domain Recipient Update Services.

10.  Delete the Enterprise Recipient Update Service

We need to do those two.

1. Perform the following steps to delete the domain Recipient Update Services:

   1. In Exchange 2003 or Exchange 2000 System Manager, expand Recipients, and then select Recipient Update Services.
   2. Right-click each domain Recipient Update Service, and then select Delete.
   3. Click Yes.

2. You will not be able to delete the Recipient Update Service (Enterprise Configuration) by using Exchange 2003 or Exchange 2000 System Manager. Perform the following steps to delete the Recipient Update Service (Enterprise Configuration) by using ADSI Edit (AdsiEdit.msc):

   1. Open ADSI Edit, expand Configuration, expand CN=Configuration,CN=<domain>, expand CN=Services, expand CN=Microsoft Exchange, expand CN=<Exchange organization name>, expand CN=Address Lists Container, and then select CN=Recipient Update Services.
   2. In the result pane, right-click Recipient Update Service (Enterprise Configuration), click Delete, and then click Yes to confirm the deletion

This is one that in my SBS 2008 migration I punted and moved the exchange server to the new server.

It worked fine.

Got folder redirection -- http://technet.microsoft.com/en-us/library/gg563795.aspx

Got a terminal server? http://technet.microsoft.com/en-us/library/gg563793.aspx

Now mind you we're at the "finish the migration step" http://technet.microsoft.com/en-us/library/gg563804.aspx but we haven't moved over the printers to the new servers ... so we're not quite done... nor have we removed Exchange 2003 yet.

But the finish line is in sight for sure.

By default, user accounts that were migrated from the Source Server do not need to meet the Windows SBS 2011 Standard password policies, which are applied to new user accounts in Windows SBS 2011 Standard. When a user with a migrated user account resets or changes their password, they are required to meet the Windows SBS 2011 Standard password policy. If the Windows SBS 2011 Standard password policy is changed to make it stronger (for example, more complex or longer password length), all users, including users with migrated user accounts, are required to reset their passwords to meet the new password policy.

To help secure your network, we recommend that you delete the STS Worker, SBSBackup, IUSR_SBS, and IWAM_SBS user accounts and any other user account or group that is not used

Map permitted computers to user accounts

In Windows SBS 2003, if a user connects to Remote Web Access, all computers in the network are displayed. This may include computers that the user does not have access rights to. In Windows SBS 2011 Standard, a user must be explicitly assigned to a computer for it to be displayed in Remote Web Access. Each user account that is migrated from Windows SBS 2003 must be mapped to one or more computers.

If you want to set default client computers for remote users, click on the Remote Access tab, and in the User Account Properties set a default client computer for each user who needs remote access.

You do not need to change the configuration of the client computer. The client computer is configured automatically.

Before you migrate user accounts, you can create custom roles by using the Add a New User Role Wizard. You can then use the new user role when you migrate the user accounts to the Destination Server.

This may take a smidge.. and on to the next step