[There's a reason that Yoda is the unofficial mascot of SBS.  Size indeed matters not.] THE OFFICIAL BLOG OF THE SBS "DIVA"

http://msmvps.com/blogs/bradley/archive/2009/11/02/pre-migration-steps.aspx

So we're once again in our series of how to prepare for a migration.

To recap, we read, we watched. 

We ran the www.sbsbpa.com on the server

We ran the IT Environmental Health scanner - http://www.microsoft.com/downloads/details.aspx?displaylang=en&FamilyID=dd7a00df-1a5b-4fb6-a8a6-657a7968bd11 to ensure all was well.

We checked the primary account.

We took a backup.

We took a system state backup.

{heck we even used the Disk2vhd to move it to a test bed just so we can run this test before doing this for real}

We're now ready for the Migration prep tool:

H.  On the Source Server, run the SBS 2008 migration prep tool.

This tool performs the following actions:

  1. Installs update 943494 on the SBS 2003 server to extend the migration grace period from 7 to 21 days.
  2. Runs ADPREP to update the forest, domain, and group policy object access control entries.
  3. Changes Exchange 2003 from Mixed mode to Native mode.
  4. Adds the Authenticated Users group to the Pre-Windows 2000 security group.

If Exchange 2003 is not running in Native mode, Exchange Server 2007 will not be installed and you will have to start all over. The error message is Exchange Server 2007 cannot be installed. For more information, see this.

If the Authenticated Users group is not a member of the Pre-Windows 2000 security group, then standard users will not be able to access the Remote Web Workplace. The error message they will see is: Cannot connect to the Remote Web Workplace site. To continue, contact your network administrator.

The tool can be found on the SBS 2008 media under the tools folder.  If you don't have a DVD on the SBS 2003 (like I don't) stick the DVD in any other computer, copy the tools folder onto removable media and put it on the SBS 2003.

Now that we have umpteen backups, on the SBS 2003 box launch that Sourcetool.exe file

We have a backup so we're going to check the box.

The installer starts

When it finishes it's now prepared the SBS 2003 for the migration.

What it did in the background is install

Application KB943494 (Hotfix for Windows Server 2003 (KB943494)) was installed.
Does the ADprep and flips Exchange to native mode
Adds the Authenticated Users group to the Pre-Windows 2000 security group

  MESSAGE Security Enabled Local Group Changed:
Target Account Name: Pre-Windows 2000 Compatible Access
Target Domain: Builtin
Target Account ID: BUILTIN\Pre-Windows 2000 Compatible Access

Reboot and we're ready for the next step.

Next step building the answer file.

Posted Fri, Nov 6 2009 23:19 by bradley | with no comments

Holy cow this really works! - THE OFFICIAL BLOG OF THE SBS "DIVA":
http://msmvps.com/blogs/bradley/archive/2009/11/05/holy-cow-this-really-works.aspx

Please keep in mind that in the next few days as I blog about the migration from SBS 2003 to SBS 2008 test run that I'm doing that the SBS 2003 installed in HyperV is totally and utterly unsupported when it's in that HyperV like that.  Exchange 2003 is not supported in HyperV, only in Virtual Server. 

If you put SBS 2003 on a virtualization platform where it is not supported, you will get pushback from support, who will tell you that you have to recreate the issue on a supported platform.

Support policy for Microsoft software running in non-Microsoft hardware virtualization software:
http://support.microsoft.com/default.aspx/kb/897615

Exchange is normally the one that sets the support line in the sand.

Summary Support Statement*
 This configuration is Not Supported.

* Customers with Premier-level support agreements should contact their account manager for more information
* Additional information is available in the "Support policy for Microsoft software running in non-Microsoft hardware virtualization software" which can be viewed here


 Support Statement Details

Product: Exchange Server 2003 Service Pack 2 on Hyper-V with Windows Server 2003 SP2 (x86) Guest OS



   More Information

For Exchange Server 2003 Service Pack 2 only Virtual Server 2005 R2 and later is supported as hardware virtualization software. See here for specific configuration information.

http://www.windowsservercatalog.com/svvp.aspx?svvppage=svvpwizard.htm

For those asking about ESXi

 Summary Support Statement*
 This configuration is Supported.

* Customers with Premier-level support agreements should contact their account manager for more information
* Additional information is available in the "Support policy for Microsoft software running in non-Microsoft hardware virtualization software" which can be viewed here

  Support Statement Details

Product: Exchange Server 2007 Service Pack 1 on VMware ESXi with Windows Server 2008 (x64) Guest OS

 

 More Information

Exchange 2007 SP1 and later must be deployed on the Windows Server 2008 operating system. (Note: Windows Server 2008 R2 is not currently supported with Exchange Server 2007 on hardware virtualization). For more information about support and scaling see the Microsoft Support Policies and Recommendations for Exchange Servers in Hardware Virtualization Environments here .

 

  Supported features:  Anti-Virus, Back-up Software, Virtual Machine Management Software, Cluster Continuous Replication (CCR), Virtual Processors

 

  Unsupported features:  Unified Messaging, Dynamically Expanding Virtual Disks, Virtual disks that use differencing or delta mechanisms, Hyper-V Quick Migration combined with Exchange Clustering, Virtual Machine Snap Shots



I have eventsentry.com on my existing SBS 2003 which also means it's now on my HyperV clone.  So I kept getting a time change alert..

DATE / TIME   11/5/2009 9:36:21 PM MESSAGE The system time was changed.
Process ID: 1368
Process Name: C:\WINDOWS\system32\vmicsvc.exe

I had forgotten to uncheck the box on the time sync setting on the HyperV.  You still want the DC inside the HyperV to get and grab its own time from the various ntp time sync portals and not try to sync up with the HyperV parent.

Uncheck the box in that settings window and all is well.

And I'm not talking about the cleaning products either!

http://www.holycowproducts.com/

I'm talking about the Disk2VHD tool here:

http://technet.microsoft.com/en-us/sysinternals/ee656415.aspx

So merely using that... we first make VHDs of our existing physical box.  Mind you the first time I tried to cheat and only backup the C and the E as the F is data, but because the E and F are on a single volume, the system would not fully load those two drives.  So make sure if you have multiple drives on a single volume that you backup the drives on that volume as a whole.

I backed it up on an external usb harddrive.  It took from about 10 p.m. to 3 a.m. to back up my entire server.  I then moved the usb harddrive over to the new HyperV server and copied the VHD files over to the new server.  I set up the settings for the new SBS 2003 on the server with 4 gigs of ram, 4 processors, and two harddrives, matching the vhd's and browsing to their location on the box.  I then turned on the HyperV server, sat back and waited for the blue screen......

THAT NEVER OCCURRED.  Yes, you read that right.  I took a physical SBS 2003 that was installed with HP management software on a five year old ML370 G4 and plopped it up into a HyperV sitting on a brand new ML370 G6 and there was no blue screen freak out.

Once it booted up it indicated it would need a new activation in three days and that the hardware had changed significantly (no kidding dude, that hardware has definitely changed)

Keep in mind should I need to activate this box, I will not impact the running box (as in it will not suck over the activation from the running box).  And normally they are more lenient on servers than they are on workstations and most of the time they will activate again just fine.  The only gotchas you need to watch are these two things:

1.  OEM installs should not be doing this from a licensing standpoint.  You are not legal to move that license from an OEM to a HyperV.  The license is bound to that hardware.

2.  Some (not all but some) OEM builds may be BIOS locked.  Certainly the new Foundation Server in the 2008 era has a bios check to ensure it's on HP true hardware and will not install in a virtual setting.  I've even seen some SBS 2008 reseller kits that have this bios check as well. 

So OEMs should not be using this methodology at all.

[Before the licensing police come and say I shouldn't activate this as I still have my running SBS 2003, keep in mind I have SA so I have cold server rights.  Granted the server isn't cold but the only reason I'm doing this is to give me a means to fully and completely and utterly to test my SBS 2003 to SBS 2008 migration in a sandbox before I do it on the real network.  So if anyone wants to arrest me for MS licensing non compliance, you have three weeks to lock me up.  Ping me via the contact box for directions to my office.]

Because the OS is 2003 and not the nice 2008s or Vista/Win7 era that has the hyperV integration bits preinstalled, to get a mouse working remotely you have to go up in the tools and install the HyperV extensions and hit the tab key a lot to get it installed and then reboot it.  Once it comes back up you now need to clean out the old physical nics.

If you try to go in there and reset up the nic with the original IP address you get a warning from the box that network cards are still there:

But if you go into device manager they won't be there.

Step 1: Open up a command prompt

Step 2: Type “SET DEVMGR_SHOW_NONPRESENT_DEVICES=1” and hit Enter

Step 3: Type “START DEVMGMT.MSC” and hit Enter

Step 4: Once Device Manager opens, go to the “View” menu and select “Show Hidden Devices”. Expand the Network Interface portion of the device tree and you should be able to remove the phantom NIC.

 

Then go back in and put in the static nic entries and rerun the CEICW (in SBS 2003) and the Fix my network wizard in SBS 2008.

In my case as well, since I have this HyperV box hanging off a totally separate IP address right now, it was not authorized by Exchange Defender to email out, so until I enter in a trouble ticket to add this server temporarily as an authorized outbound emailer through the Exchange defender network, I just bounced it off the smtpauth.sbcglobal.com for the time being to fully test the functions of the box.  So it's actually kinda funny now as I am getting monitoring emails from the two servers now and I actually had to go back in and edit the from address so I'd know which one was coming from the HyperV box and which one was from the regular still running box.

But the beauty of this is, is that I can now do a full trial run of the SBS 2003 to SBS 2008 migration in a sandbox that won't impact my real machine.  Furthermore, should I decide to do so, when it comes time to do the real migration I can theoretically redo this PtoV that I've done here and start the migration from the virtual SBS2003, this time of course turning off/blocking the old existing machine from putting in email during this migration timeframe.  This then leaves the old existing SBS 2003 totally intact and non impacted by the migration process.

http://msmvps.com/blogs/bradley/archive/2009/10/30/so-what-about-those-action-pack-licenses.aspx

It's been several days and I still don't have any word one way or the other about the status of those folks in the MPAN program that no longer "fit" into the new Microsoft Partner Network.

And I'm not feeling good about the fact that the gentleman from the MPN phone number 800-765-7768 hasn't called me back when he said he would the following day.  The problem with dealing with a large blob of a corporation is that it's hard to find the right person to talk to and when you call into 800 numbers you may not be in the right spot to get an authoritative answer.

First off to anyone who signed up for MPAN or who urged their clients to sign up for MPAN, especially if it was due to something I posted, I'm sorry. I'm not feeling good if you did so on my recommendation and now this occurred.  If I were even a moderately rich person, any CPA who was in this limbo state of not possibly now being licensed properly, I'd offer to buy them licenses.  But I can't afford that.  All I can do is say I'm sorry and be more wary about marketing based offers next time.

I still hope that someone in a position of power will understand the situation here and waive the licensing for these impacted folks and just let them continue to use the existing Action pack licenses and grandfather their use rights.  I only hope that someone at Microsoft understands that it's not good business to design a marketing plan for a product that entices folks into a software licensing offer that was designed to get CPAs to be interested in an accounting product, that if they can now no longer qualify for, means that it's a big chunk of change that suddenly comes due that no one was anticipating.  Especially now in this economy.

My firm is not in this category of being affected, because I kept on recommending that we buy the Software assurance via the 3 year licensing.  So maybe that makes me a bit of an ingenuous person since if I kept recommending 'normal licensing' to my firm, in the back of my mind, I guess I always had a doubt that Office Accounting would never stand a chance and that some day Microsoft would pull back on the MPAN program and folks would be left high and dry.

Some of these CPA firms do have an IT side of them, do have folks that are SBSCs, do qualify to be in a competency in the Microsoft Partner Network.  Those firms are not at risk because they qualify as a "traditional" Microsoft Partner.  Either in general IT, or in Microsoft Dynamics, they will fit.  But if they fit, it's probably because they always fit as they had an IT niche.

But it's the folks that are only in the program because Office Accounting thought they'd go after Quickbooks that concern me.  It's these folks, a small group of people that I just can't see fitting anymore into the Microsoft Partner Network.  Their primary focus was and still is Quickbooks and not the Dynamics stack.  I can't see where they fit into the Microsoft Partner Network.  Microsoft can say 'well we separated out the Action pack, Microsoft Partner network and the MPAN program about a year ago'. 

That's all fine and good, but Microsoft, you don't treat your customers like this.  It's not their fault you took on the 80 pound Gorilla of Intuit and you lost.  It's not their fault the economy kicked in and someone decided to retrench. It's not their fault they are not caught in the downsizing, layoffs and product cutting that Microsoft is into now. 

But it is Microsoft's fault that even with the layoffs you are still so big that I can't find the answer, and we're still in limbo. 

I'm still hoping that someone in a position of power will do the right thing and grandfather folks that were in the MPAN program and allow their licenses to be in perpetuity just this one time.  I honestly don't think it's too much to ask for given the circumstances of the reason for the closing of the MPAN program.  I'm hoping that like in most instances of dealing with Microsoft, that silence I'm getting means that someone somewhere is taking action.

I hope.

Posted Wed, Nov 4 2009 23:38 by bradley | with no comments

http://technet.microsoft.com/en-us/sysinternals/ee656415.aspx

Testing this out.  Have a HP ML370G4 that has a physical install of SBS 2003 on a raid/hardware system.  Have a HyperV on an HP ML370G6.  In a test run (where I screwed up because I didn't understand that I needed to ensure I copied the VOLUME which included both an Exchange data drive and a data data drive) I booted up the resulting VHDs and they didn't BSOD with the move.

Mind you they had ghosted nics so that's to be totally expected, and easily removed from the machine and then a rerun of the CEICW and that box was basically a running system.

How to remove ghost nics on vmware machines that have been P2Ved « Ramblings of a semi sane person:
http://secadmin.wordpress.com/2009/02/11/how-to-remove-ghost-nics-on-vmware-machines-that-have-been-p2ved/

Step 1: Open up a command prompt

Step 2: Type “SET DEVMGR_SHOW_NONPRESENT_DEVICES=1” and hit Enter

Step 3: Type “START DEVMGMT.MSC” and hit Enter

Step 4: Once Device Manager opens, go to the “View” menu and select “Show Hidden Devices”. Expand the Network Interface portion of the device tree and you should be able to remove the phantom NIC.

I'm doing it again as I need the second volume copied, and it will want reactivation in three days because I just ripped it off the hardware it was tied to, but it appears to do a physical to virtual without causing a bsod.  I'll do a longer blog post explaining the process tomorrow.

The other thing you can use this for (assuming the proper XP movable licenses) is that you can PtoV and make a real XP that XP Mode underneath that Windows 7.  Kinda kewl huh?

Posted Wed, Nov 4 2009 21:13 by bradley | 2 comment(s)

So you have an app you want on Win7 and you don't want it to throw off a UAC warning?

LUAbuglight it!

Find the offensive permission sticking part of the program and adjust the registry permissions or file permissions.  Very very very cool tool.  I'll blog it in action later.

http://blogs.msdn.com/aaron_margosis/pages/LuaBuglight.aspx

 

LUA Buglight 2.1 is here.  LUA Buglight identifies admin-permissions issues ("LUA bugs") in desktop applications.  I've made a lot of changes to LUA Buglight since the last "2.0 Preview" that I posted, so the version number has been bumped up:

  • Support for Windows 7, Vista and XP, and corresponding Servers (2008 R2, 2008, 2003)
  • Support for x64 (except on XP/2003)
  • Completely revamped Reporter -- streamlined and with more detailed results

Note:  The new Reporter has necessitated a new file format, so the new Buglight cannot read reports generated from older versions of Buglight.

One thing that is seriously missing is documentation -- I hope to have that posted here in some form soon.  The basics:

  • On XP/2003, you need to run it as a standard user, and you need the username/password for an administrative account; on Vista and higher, you need to run it non-elevated as a member of the Administrators group, with UAC and admin-approval mode enabled.
  • Tell it what program to run, then run it.  Whenever your app performs an action that fails unelevated, it will repeat the operation with admin rights before returning control back to the program.  If it fails without admin rights and succeeds with admin rights, details about that operation get logged.
  • Click the "Stop Logging" button to close the log file; by default this will also open the Reporter and show the results.

Another feature that isn't present yet is that while LUA Buglight does an excellent job of identifying when a program performs operations that succeed only when run as administrator, right now it doesn't provide the details to fix it if you can't modify the source code.  My plan is to turn that into a community effort by documenting the report's XML format and then providing some PowerShell scripts that process the results and point to app-compat shims, permissions changes, or other mitigations for the identified problems.

I wish I could work on LUA Buglight full time, but it's an unfunded, spare-time effort, outside of my day job.  I know that LUA Buglight would be a lot more useful with documentation, but it's more useful posted without documentation than it is not posted at all waiting for me to write up documentation.

More information will be posted to this blog.

Posted Tue, Nov 3 2009 18:59 by bradley | with no comments

So before you run the source tool on your SBS 2003 box in addition to the normal backup.  In addition to the possibly paranoid backup you need to do with a third party program like Storagecraft, Acronis, DriveImageXML (paid not free), make sure you do ONE MORE BACKUP.

One that I'd argue is the MOST important one of all.

Just and nothing else but, the system state backup.

With that you can roll the AD back should something occur.  Don't stick it on your normal backup location as well, ensure that you park it several places, on the local drive, possibly on a usb drive but ensure you have a system state backup as it's key here before you begin the migration.

So I'd always heard about this, not seen this in action... well now I did today.  Nvidia video driver and AFTER the installation of .NET family patch (that I had been holding off installing) I could no longer remote to a machine.  I would rdp and the windows would immediately come back.

When remotely connecting to the event viewer I saw this:

Mind you, nothing was actually being seen on the workstation in question, I just couldn't connect to it after the install of the .NET family update. (951847 - http://msmvps.com/blogs/bradley/archive/2009/11/02/net-patch-gets-offered-up-all-by-itself.aspx)

Brad Rutkowski's Blog : \SystemRoot\System32\RDPDD.dll failed to load:
http://blogs.technet.com/brad_rutkowski/archive/2008/01/04/systemroot-system32-rdpdd-dll-failed-to-load.aspx

Getting a new driver didn't help, I had the latest driver.

Only the registry fix worked:

It's a registry fix that increases the size of the session image space.  Add the following key:

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management]

"SessionImageSize"=dword:00000020

Where 00000020 is hex for 32

 

Posted Tue, Nov 3 2009 12:23 by bradley | with no comments

http://blogs.technet.com/sbs/archive/2009/02/19/sbs-2008-migrations-from-sbs-2003-keys-to-success.aspx

So while I'm still in the process of getting the workstations ready to go for the change out of ISA (removing the ISA client on the workstations, ensuring that the proxy settings are removed, etc. etc.), let's recap where we are in our planning stage of the pre-steps of migration.

A. Read through the migration guide before starting.

We've read.  Killed a few trees in the process too.

B. Watch the migration video demos and online training.

We've killed a few electrons in the process. 

C.  Join a SBS 2008 Newsgroup.

Okay I personally kinda have that one covered, but the best 2008 one for migration issues can be signed up to via this link.

D.  Practice a migration in a test environment. 

Right now I'm testing the plain running of a server on the new HyperV environment.  While I have done dry runs/practice runs of clean SBS 2003 boxes, I'm still shooting to use SCVMM to pull a PtoV version of my actual SBS 2003 so that I know EXACTLY what I'm facing. 

E.  On the source server run the SBSBPA.

We already covered how to install www.sbsbpa.com on the server and to ensure all was clean

F.  On the Source Server make sure the Active Directory is healthy.

While we've done dcdiag and what not, we have not showcased how the IT Health Scanner helps in this process.

http://www.microsoft.com/downloads/details.aspx?displaylang=en&FamilyID=dd7a00df-1a5b-4fb6-a8a6-657a7968bd11

So we install it and run it on our SBS 2003 boxes

First you enter the internal IP address of the firewall (on a SBS 2003 box that's most likely to be the IP address of the server if you have a traditional two nic setup and haven't yet removed ISA fully)

Click scan to start scanning the network.

Let's see what it came up with....

The upper AD section looks clean ...that's good...

It's saying that the domain controller is listening on multiple addresses (well right now it still has two nics so that's kinda to be expected)

It also says I have an orphaned network interface mainly because I'm doing this remotely and it's reacting to that remote session.

One of the unusual errors is pointing to KB 884776 http://support.microsoft.com/default.aspx?scid=kb;en-us;884776 and saying that I have the domain controller configured to allow time connections greater than 172800 seconds.  I honestly haven't seen issues leaving that one as is for purposes of migration.

Now we're up to item G:

G. On the Source server, check the Primary group of the account you will use to install the SBS 2008 server into the domain.

Make sure the Primary group is set to something besides Domain Admins, Enterprise Admins, or Schema Admins. Otherwise, you may receive the following pop-up error during the migration:

The user account does not have the permission that it needs to join the domain. The user account must be a member of the Domain Admins, Enterprise Admins and Schema Admins groups.

  1. In the properties of the user account, click the Member Of tab, and at the bottom look for the Primary group.
  2. Make sure the Primary group IS NOT : Domain Admins or Enterprise Admins or Schema Admins.
  3. To change it, select Domain Users and click the Set Primary Group button.

What some folks do is set up a special migration administrator account for purposes of the migration.

On the member of tab, make sure that the primary membership is domain users.

H.  On the Source Server run the SBS 2008 Migration Preparation tool. This tool performs the following actions:

  1. Installs update 943494 on the SBS 2003 server to extend the migration grace period from 7 to 21 days.
  2. Runs ADPREP to update the forest, domain, and group policy object access control entries.
  3. Changes Exchange 2003 from Mixed mode to Native mode.
  4. Adds the Authenticated Users group to the Pre-Windows 2000 security group.

If Exchange 2003 is not running in Native mode, Exchange Server 2007 will not be installed and you will have to start all over. The error message is Exchange Server 2007 cannot be installed. For more information, see this.

If the Authenticated Users group is not a member of the Pre-Windows 2000 security group, then standard users will not be able to access the Remote Web Workplace. The error message they will see is: Cannot connect to the Remote Web Workplace site. To continue, contact your network administrator.
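A read-only way to confirm step G before the migration and item 4 of step H after the prep tool has run, added here as an example (it is not part of the original post or of Microsoft's tool). It assumes PowerShell on a domain-joined machine and a hypothetical migration account named `migadmin`; the RIDs and SIDs used are the well-known values for the groups named above.

```powershell
# Added example: read-only pre-flight checks for migration steps G and H (item 4).
# Assumptions: run from a domain-joined machine as a domain user;
# 'migadmin' is a hypothetical name for the migration administrator account.
param([string]$AccountName = 'migadmin')

$ErrorActionPreference = 'Stop'

# Well-known RIDs that must NOT be the account's primary group (step G).
$blockedRids = @{ 512 = 'Domain Admins'; 518 = 'Schema Admins'; 519 = 'Enterprise Admins' }

# Well-known SIDs that can show up as members of the Pre-Windows 2000 group.
# Only S-1-5-11 is what the prep tool adds; the other two are flagged for review.
$wellKnownSids = @{
    'S-1-5-11' = 'Authenticated Users'
    'S-1-1-0'  = 'Everyone'
    'S-1-5-7'  = 'Anonymous Logon'
}

function Find-AdObject {
    param([string]$Filter, [string[]]$Properties)
    # With no SearchRoot set, DirectorySearcher searches the current user's domain.
    $searcher = New-Object System.DirectoryServices.DirectorySearcher
    $searcher.Filter = $Filter
    foreach ($p in $Properties) { [void]$searcher.PropertiesToLoad.Add($p) }
    $searcher.FindOne()
}

function Test-MigrationPrimaryGroup {
    param([string]$SamAccountName)
    # Reject characters that would alter the LDAP filter.
    if ($SamAccountName -notmatch '^[A-Za-z0-9._ -]+$') {
        throw "Unexpected characters in account name '$SamAccountName'"
    }
    $filter = "(&(objectCategory=person)(sAMAccountName=$SamAccountName))"
    $user = Find-AdObject -Filter $filter -Properties 'primaryGroupID'
    if ($null -eq $user) { throw "Account '$SamAccountName' not found in the domain" }

    # primaryGroupID holds the RID of the primary group (513 = Domain Users).
    $rid = [int]$user.Properties['primarygroupid'][0]
    $blocked = $blockedRids.ContainsKey($rid)
    if ($blocked) {
        $detail = "Primary group is $($blockedRids[$rid]) (RID $rid); set it to Domain Users"
    } else {
        $detail = "Primary group RID is $rid"
    }
    New-Object PSObject -Property @{
        Check = 'G: primary group'; Pass = (-not $blocked); Detail = $detail
    }
}

function Test-PreWin2000Membership {
    $filter = '(&(objectClass=group)(sAMAccountName=Pre-Windows 2000 Compatible Access))'
    $group = Find-AdObject -Filter $filter -Properties 'member'
    if ($null -eq $group) { throw "Group 'Pre-Windows 2000 Compatible Access' not found" }

    # Well-known principals are stored as CN=<SID>,CN=ForeignSecurityPrincipals,...
    $found = @()
    foreach ($dn in $group.Properties['member']) {
        if ($dn -match '^CN=(S-1-[0-9-]+),CN=ForeignSecurityPrincipals,') {
            if ($wellKnownSids.ContainsKey($Matches[1])) { $found += $Matches[1] }
        }
    }

    $hasAuthUsers = $found -contains 'S-1-5-11'
    if ($hasAuthUsers) {
        $detail = 'Authenticated Users is a member'
    } else {
        $detail = 'Authenticated Users is missing; standard users will fail at Remote Web Workplace'
    }
    New-Object PSObject -Property @{
        Check = 'H4: Authenticated Users'; Pass = $hasAuthUsers; Detail = $detail
    }

    # Broader principals are not needed for the migration; list them for review.
    $broad = @($found | Where-Object { $_ -ne 'S-1-5-11' } | ForEach-Object { $wellKnownSids[$_] })
    if ($broad.Count -gt 0) {
        $detail = "Also present: $($broad -join ', ')"
    } else {
        $detail = 'No Everyone / Anonymous Logon membership'
    }
    New-Object PSObject -Property @{
        Check = 'Review: broad members'; Pass = ($broad.Count -eq 0); Detail = $detail
    }
}

$results = @(Test-MigrationPrimaryGroup -SamAccountName $AccountName) + @(Test-PreWin2000Membership)
$results | Format-Table Check, Pass, Detail -AutoSize -Wrap
```

The script only reads from Active Directory, so it is safe to run both before and after the prep tool to compare results.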

Since I don't have a functioning DVD on my source server, we can move it over to that box via usb or other means.  Just zip up the contents of the tools folder and move it over to your source server box.

So I moved it over to the old server, start the running of the tool and what should smack me upside the head?

The RUN A BACKUP GIRLFRIEND screen.

The system state run a backup screen.

The run an extra backup just because you feel like it screen.

The run an extra backup so you don't hate yourself screen.

The no, really you really want a couple of backups to give you options screen.

Our lesson is over tonight because I'm going to make sure I have SEVERAL means of backup right at this point.  The more ways we have backups, the more options we have should something arise.

Class dismissed for the evening, see you next session.  Don't forget your homework assignment to ensure you are signed up for that SBS 2008 newsgroup.

 

One of the recent changes to the net family patches is now 951847 is offered up all by itself on Microsoft Update.

If you are deploying patches in other ways, it's a wise idea to take from Microsoft update. 

Just do that one all by itself.

Posted Mon, Nov 2 2009 22:09 by bradley | with no comments

http://technet.microsoft.com/en-us/library/dd335033(WS.10).aspx

At what point in time did the technet content pages turn into "the lost souls of support" pages?

The sections at the bottom are for clarifications of content, not to be posting "help me, something broke".

With Microsoft having forums and newsgroups and Partner support forums, isn't it bad enough that I see Twitter being used as a support channel as well as Facebook, and now the content pages of Technet that no support personnel looks at and it's only PowerShell MVP Thomas Lee who must have carpal tunnel syndrome from posting "this isn't really the place to be for help" in nearly all of the PowerShell Technet content and various security/firewall content I've seen?

Take for example this lovely Technet content on Windows Firewall - http://technet.microsoft.com/en-us/library/cc722062(WS.10).aspx  where we have Skype problems, Limewire problems, virus problems, msn games problems, msn doesn't want to connect, yahoo messenger, msn issues [apparently MSN and Microsoft firewalls have lots of issues, I see a trend], email issues, xbox 360, wireless issues, games, start up problems, freezing windows, viruses, paltalk issues, system turning off, can't print, can't play cd's, Norton security issues, Firewall issues, Live messenger issues, internet downloading issues, Frostwire issues.

And tirelessly Thomas posts back: 
[tfl - 22 02 09] You should post questions like this to the Technet Forums at http://forums.microsoft.com/technet or the MS Newsgroups at http://www.microsoft.com/communities/newsgroups/en-us/. You are much more likely get a quick response using the forums than through the Community Content.
For specific help about:
Exchange :
http://groups.google.com/groups/dir?sel=usenet%3Dmicrosoft.public.exchange%2C&
SQL Server :
http://groups.google.com/groups/dir?sel=usenet%3Dmicrosoft.public.sqlserver%2C&
Windows :
http://groups.google.com/groups/dir?sel=usenet%3Dmicrosoft.public.windows%2C&
Windows Server :
http://groups.google.com/groups/dir?sel=usenet%3Dmicrosoft.public.windows.server%2C&
Virtual Server :
http://groups.google.com/group/microsoft.public.virtualserver/topics?lnk
Full Public : http://groups.google.com/groups/dir?sel=usenet%3Dmicrosoft.public%2C&

It's a wiki type of landing page, it's NOT a support forum.  Google is not doing you any favors here in dumping you into a place that NO ONE LOOKS at.  And some of these posts are recent and they just joined. 

Folks, the technet wiki pages are to add to content, not to ask questions in a forum.  If people can't find their way either because the page where they end up isn't clear where to go, then search that brings you to the wrong spot, isn't helping the issue here. 

We have a failure in content, a failure in search, a failure in support if people aren't finding the right place to go.

Posted Mon, Nov 2 2009 18:42 by bradley | 1 comment(s)

Now here's an interesting situation... I have a new server I'm moving to and I've been letting it "bake" as a HyperV hosted SBS box for a few days and I noticed that it blue screened (the SBS, not the HyperV parent) on me.  So we pull out our handy dandy Peter Gallagher blog post and we set up the debugging items we need:

  1. Downloaded and installed the current "Debugging Tools for Windows 32-bit version" from http://www.microsoft.com/whdc/devtools/debugging/installx86.mspx, choose "typical".
  2. Launch the debugger via Start -> All Programs -> Debugging Tools for Windows -> WinDbg
  3. Set the symbol file path:  File -> Symbol File Path.  From http://www.microsoft.com/whdc/devtools/debugging/debugstart.mspx: For example, to download symbols to c:\websymbols, you would add the following to your symbol path:  SRV*c:\websymbols*http://msdl.microsoft.com/download/symbols.  I simply copied and pasted SRV*c:\websymbols*http://msdl.microsoft.com/download/symbols into the Symbol Search Path and then created a directory called "websymbols" on the root of the C drive.  You don't have to create the folder, the debugger *should* create it for you when it connects.
  4. I placed the check next to "Reload" and clicked OK.
  5. Load the dump file:  click File -> Open Crash Dump and browsed to the memory.dmp
  6. Clicked Yes to "Save Information for Workspace"
  7. Sit back and wait. 
  8. Take a quick look in c:\websymbols, you should see some stuff (symbols) appearing in this folder
  9. After some time (one minute to 5 minutes, ymmv), the debugger will be done loading and you will see "0:  kd>" in the small grey window at the bottom left of the screen.

Note the debugger does not *have* to be installed on the server itself.  All you have to do is have local access to the dump file.  You could copy the dump file to a Windows XP workstation and install the debugging tools on the workstation rather than the server.

So I get the dump file off the box and while the problems resolution section says "oh it's a driver", that's nice folks but which one?

And this is in the child, not the parent that gave me this issue?

Now to be fair this is bog standard, no updates, no SP2 which I consider to be bare minimum patching, so I will up' this to SP2 and let it bake a few more days and just make sure all is well.

But when I run that dmp file through the debugging tools I get this:

Microsoft (R) Windows Debugger Version 6.11.0001.402 AMD64
Copyright (c) Microsoft Corporation. All rights reserved.


Loading Dump File [C:\Users\Susanb\Documents\Mini110209-01.dmp]
Mini Kernel Dump File: Only registers and stack trace are available

Symbol search path is: SRV*c:\websymbols*http://msdl.microsoft.com/download/symbols
Executable search path is:
Windows Server 2008/Windows Vista Kernel Version 6001 (Service Pack 1) MP (4 procs) Free x64
Product: LanManNt, suite: SmallBusiness TerminalServer SmallBusinessRestricted SingleUserTS
Built by: 6001.18000.amd64fre.longhorn_rtm.080118-1840
Machine Name:
Kernel base = 0xfffff800`01646000 PsLoadedModuleList = 0xfffff800`0180bdb0
Debug session time: Mon Nov  2 04:07:44.800 2009 (GMT-8)
System Uptime: 4 days 9:16:25.609
Loading Kernel Symbols
...............................................................
.............................................................
Loading User Symbols
Loading unloaded module list
....
*******************************************************************************
*                                                                             *
*                        Bugcheck Analysis                                    *
*                                                                             *
*******************************************************************************

Use !analyze -v to get detailed debugging information.

BugCheck D1, {fffffa7fbe40b280, 2, 0, fffffa8011f9ba17}

Probably caused by : ataport.SYS ( ataport!RefPdoWithTag+33 )

Followup: MachineOwner
---------

As I go to investigate if SP2 has a newer ataport.sys, I'm installing all the other patches first as it won't offer up SP2 without all other important patches installed first.
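
When there is more than one dump to work through, the two lines that matter in the debugger output above (the bug check and the suspected module) can be pulled out and decoded by script. This is an added example, not code from the original post or from Microsoft; it decodes only bug check 0xD1, the function name is hypothetical, and the commented kd.exe call assumes the command-line debugger from Debugging Tools for Windows is on the PATH.

```powershell
# Added example: summarise the bug check lines from WinDbg/kd text output.
function Get-BugCheckSummary {
    param([string]$Text)

    # "BugCheck D1, {arg1, arg2, arg3, arg4}" as printed by the debugger.
    if ($Text -match 'BugCheck\s+([0-9A-Fa-f]+),\s*\{([^}]*)\}') {
        $code   = $Matches[1].ToUpper()
        $bcArgs = @($Matches[2].Trim() -split '\s*,\s*')
    } else {
        throw 'No "BugCheck" line found in the debugger output.'
    }

    # "Probably caused by : module ( module!symbol+offset )"
    $module = $null
    $symbol = $null
    if ($Text -match 'Probably caused by\s*:\s*(\S+)\s*\(\s*(\S+)\s*\)') {
        $module = $Matches[1]
        $symbol = $Matches[2]
    }

    $summary = New-Object PSObject -Property @{
        BugCheck = "0x$code"
        Name     = $null
        Module   = $module
        Symbol   = $symbol
        Detail   = $null
    }

    # 0xD1 is DRIVER_IRQL_NOT_LESS_OR_EQUAL. Its parameters are:
    #   1 = memory referenced, 2 = IRQL, 3 = 0 for read / 1 for write,
    #   4 = address of the code that referenced the memory.
    if ($code -eq 'D1' -and $bcArgs.Count -eq 4) {
        $irql = [Convert]::ToInt32($bcArgs[1], 16)
        $op   = switch ($bcArgs[2]) {
            '0'     { 'read' }
            '1'     { 'write' }
            default { "operation $_" }
        }
        $summary.Name   = 'DRIVER_IRQL_NOT_LESS_OR_EQUAL'
        $summary.Detail = '{0} of {1} at IRQL {2} by code at {3}' -f `
            $op, $bcArgs[0], $irql, $bcArgs[3]
    }
    return $summary
}

# Sample input: the two lines copied from the debugger output quoted in the post.
$sample = @'
BugCheck D1, {fffffa7fbe40b280, 2, 0, fffffa8011f9ba17}

Probably caused by : ataport.SYS ( ataport!RefPdoWithTag+33 )
'@

Get-BugCheckSummary -Text $sample |
    Format-List BugCheck, Name, Module, Symbol, Detail

# Against a real dump (assumption: kd.exe is on the PATH; $dump is your .dmp file):
#   $sym = 'SRV*c:\websymbols*http://msdl.microsoft.com/download/symbols'
#   $out = & kd.exe -z $dump -y $sym -c '!analyze -v; q' | Out-String
#   Get-BugCheckSummary -Text $out
```

An IRQL of 2 is DISPATCH_LEVEL, so the summary for this dump says a driver read pageable or invalid memory at dispatch level, and the Module and Symbol fields name where the debugger thinks it happened.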

 

Posted Mon, Nov 2 2009 18:24 by bradley | with no comments

How to fix a potential security issue in QuickBooks 2007, 2008, and 2009. - THE OFFICIAL BLOG OF THE SBS "DIVA":
http://msmvps.com/blogs/bradley/archive/2009/11/01/how-to-fix-a-potential-security-issue-in-quickbooks-2007-2008-and-2009.aspx

So... what do you do about this for older versions of Quickbooks that won't get patched? 

1. Urge your client base to upgrade to start with as they won't be patching older versions of the ActiveX.

2.  Uninstall older versions

3.  If you don't want to uninstall older versions, as uninstalling 10 years of Quickbooks is a bit daunting, then you can set a Killbit

4.  To set it via a reg key, see the download here: 
http://msmvps.com/media/p/1736945.aspx

Or you can copy this text and put it in a reg file (if you aren't comfy downloading a file from a blog site)

=============copy from here=================
Windows Registry Editor Version 5.00

; Compatibility Flags 0x400 is the kill bit: Internet Explorer will not load the control.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{596801D8-2C9D-4627-9C67-195CB81B655A}]
"Compatibility Flags"=dword:00000400

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{03C3A013-02F2-4e56-87A8-B74A7C5DC75B}]
"Compatibility Flags"=dword:00000400
=============to here=======================

5. To set it via group policy see this:
The GPOGUY-- Group Policy Blog: ActiveX Killbits and Group Policy:
http://sdmsoftware.com/blog/2009/07/activex_killbits_and_group_pol.html

What you are doing is setting a killbit like here: How to stop an ActiveX control from running in Internet Explorer:
http://support.microsoft.com/kb/240797

If you need to undo this, then go into the registry and remove the killbits you set.

Posted Sun, Nov 1 2009 15:59 by bradley | with no comments

How to fix a potential security issue in QuickBooks 2007, 2008, and 2009.
QuickBooks ProAdvisor Critical Alert
     
FIX FOR POTENTIAL ACTIVEX VULNERABILITY

Dear Susan Bradley,

We've recently released a fix to address a potential security vulnerability within QuickBooks. The issue was related to the use of ActiveX technology in some versions of QuickBooks. On learning about the issue, we fixed the problem, tested the fixes within the identified versions of the software, and have released updates that will address the vulnerabilities. We are unaware of any customers affected.

Identified versions are the Windows desktop versions of Intuit® Quickbooks® 2007 through 2009 Simple Start, Pro, Premier and Enterprise Solutions 7.0, 8.0, and 9.0.

What Is ActiveX? ActiveX is a distributed object system and protocol technology developed by Microsoft. Microsoft updates its implementation of ActiveX controls from time to time through scheduled security updates. Many software and Web companies use ActiveX in their offerings.

Important: If exploited, this vulnerability could allow a hacker to access the data on the user's computer. Therefore ProAdvisors will want to make sure that clients follow through with installing recent updates.

IF YOU HAVE CLIENTS IN QUICKBOOKS 2007, 2008, or 2009

Requested Action. Where possible and appropriate, please encourage your clients to update their QuickBooks software.

Public Announcements. Clients who are registered owners of QuickBooks 2007, 2009, and 2009 are likely to receive direct notification from Intuit. Please be prepared to answer their questions and continue to encourage them to keep their versions of QuickBooks updated with the most current release.

Please remind all of your clients to keep their software updated. Not all QuickBooks users are registered with Intuit; some may not receive a direct notification.

TWO FILES NOW PROTECTED

With current releases, two ActiveX controls are now protected that would otherwise retain potential vulnerabilities:

  1. HtmlHelper.dll
  2. QBInstanceFinder.dll

For the identified versions of QuickBooks, enabling and approving automatic updates, or manually downloading the update and then applying the updates, will eliminate potential risk.

WHERE TO FIND THE QUICKBOOKS UPDATES

Information on the most recent updates available for QuickBooks 2007, 2008, and 2009, including access to manual downloads, can be found at this link; users are asked to identify the product they need to update:

http://support.quickbooks.intuit.com/support/productupdates.aspx

Some clients may appreciate a reminder where they can learn more about the most current releases for their U.S. products.

Versions in Other Countries

In rare cases, some U.S. ProAdvisors may have clients who work with a Canadian or United Kingdom version of QuickBooks. Information on these versions follows:

Canadian customers can download the patch from these sites:

United Kingdom customers can download the patch from this site:

Technical Support Contact Information

QuickBooks ProAdvisors looking for technical support are directed to the support site for accounting professionals at

Technical support for non-U.S. versions of QuickBooks can be found following:

COORDINATED EFFORT WITH OTHER AGENCIES

As a further precaution, we will coordinate release of this information with US-CERT (http://www.cert.org) and with Microsoft, for a future release within their regular security updates for ActiveX control configuration.

However, at this time, downloading Intuit’s patch is the only immediate way to eliminate the vulnerability in our currently supported versions of QuickBooks.

THANKS FOR HELPING YOUR CLIENTS

We may not say it often enough, but thanks for helping clients get the most out of QuickBooks software. We greatly appreciate the role you play in providing your clients with a superior experience using QuickBooks.

As to the current issue, we have included some FAQs for your reference.

Sincerely,

~ Your ProAdvisor Team,

FOR YOU: FREQUENTLY ASKED QUESTIONS (FAQs)

Questions Specific to Your Role as ProAdvisor

We know you are likely to be running multiple versions of the software, each in its own directory. As much as possible, the following questions have been posed and answered in anticipation of your needs in supporting multiple clients on multiple versions of QuickBooks. We also include some additional questions that clients may have for you that are not directly addressed in the security alert that will be coming their way.

Several terms used: Intuit updates its software from time to time by releasing software patches. Each update or patch is given a Release number for easy identification. In the notes that follow, you may see the term update, release, or patch, depending on the context, used interchangeably.


FAQ1. Are any other Intuit products subject to this vulnerability?

A1. At this time and to the best of our knowledge, other Intuit products do not have this vulnerability. If we learn otherwise, we will provide further guidance as soon as possible.


FAQ2. Does this issue affect QuickBooks 2010?

A2. No. Neither QuickBooks 2010, nor Enterprise Solutions 10.0, released in September 2009, are exposed to this vulnerability. Of course, we still encourage users to accept the most current releases for the software.


FAQ3. What are the updates or releases that are required for 2007, 2008, and 2009?

A3. Releases are cumulative in nature, and over time the most current release will have even a higher number. But for each of the following versions of QuickBooks, the release number shown marks the first introduction of the resolution of the security vulnerability:

  • QuickBooks 2009: R8
  • QuickBooks 2008: R10
  • QuickBooks 2007: R13

The updates are also requested for the following versions of Enterprise Solutions: 7.0, 8.0, and 9.0.


FAQ4. What if I have multiple Intuit products? Do I need to download and install the patch for each one?

A4. If you have installed more than one of the identified versions of Quickbooks (2007-2009), you should apply patches for each version. This is because there are unique updates for each version to address the HtmlHelper.dll file. (The QBInstanceFinder.dll file is in the Common Programs folder, and one update will update all installed versions for that DLL file.)


FAQ5. Are older versions of QuickBooks, that is, QuickBooks 2006 or earlier, subject to the ActiveX vulnerability?

A5: Yes. Because these earlier versions are no longer supported, Intuit is unable to provide a tested solution to the vulnerability. See also the next two related questions.


FAQ6. What if my client is still running an earlier, nonsupported version of QuickBooks?

A6. Intuit strongly recommends that all users move to a currently supported version of QuickBooks. This recommendation will be clearly stated in the Intuit communications going to your clients on the topic. The Frequently Asked Questions that are meant to be posted for the benefit of QuickBooks users will also identify this need in the face of the potential vulnerability of QuickBooks 2006 and earlier.

This means that there is no good solution to recommend to clients who continue to run QuickBooks 2006 and earlier, and the ProAdvisors who may grudgingly support them. Possibly the potential vulnerability will encourage such clients to upgrade at this time.

So-Called "Kill Bit" Solution Not Recommended. In the case of systems administrators of networks where QuickBooks may have once been installed but is no longer used, Intuit has prepared some instructions that involve editing the Registry to disable calls to the Internet Browser. See here. Sometimes this approach is informally called the "kill bit" solution.

  • NOT Recommended for Clients. This solution is not recommended for clients running an earlier version of QuickBooks. Besides the riskiness of editing the Windows registry, the kill bit solution has not been tested in earlier versions and could possibly interfere with some areas of functionality.
  • Especially NOT Recommended for ProAdvisors. For ProAdvisors running multiple versions of QuickBooks, including QuickBooks 2006 and earlier, the kill bit solution is not recommended for the above reasons and also because the solution would also disable one of the DLL files used by ALL versions of QuickBooks, including those otherwise updated.

Developing: Please understand that Microsoft continues to work on security updates for its ActiveX implementation, so more general solutions may be forthcoming from that source. If so, those general solutions may address vulnerabilities in QuickBooks 2006 and earlier.


FAQ7. If I run an update for QuickBooks 2007, 2008, or 2009, won't that resolve the problem for ALL versions using the ActiveX controls? Including 2006 and earlier?

A7. No. Of the two ActiveX control files identified above, one is maintained in common across versions of QuickBooks, but the other is specific to each QuickBooks version.

Therefore running an update for one of the recent versions of QuickBooks does not remove the potential vulnerability for an earlier version of QuickBooks.


FAQ8. I have one or more clients who are using a version of QuickBooks from outside the United States. What should I do?

A8. The U.S. version of QuickBooks has cousins developed for local markets in Canada, the United Kingdom, Australia, and South Africa. The security issue is being addressed for these versions too; for more information, see the Support websites for these versions. See also the list of versions in the question below, on "How do I make sure I have the patch?" In the answer, we list specific versions from these countries.

Websites for downloading the update for several countries are shown above. The following phone numbers are also available:

  • Canadian customers: 1-888-829-1722
  • U.K. customers: 0845 606 2161

FOR CLIENTS: FREQUENTLY ASKED QUESTIONS (FAQs)

Anticipated Questions Posted for All Users

For your reference, here are the FAQs posted for all users by Intuit about the security updates.


Q1. What if I've uninstalled one of these products and no longer use it? Do I still need the patch?

A1. If you have uninstalled QuickBooks, you should not be vulnerable to these vulnerabilities. If you have installed multiple versions of QuickBooks, you will be vulnerable if any affected version is still installed. Uninstalling all affected versions of the software will remove the vulnerability from your system.


Q2. How do I download and install the update?

A2. All users of an identified version of QuickBooks should download the security update at:

http://support.quickbooks.intuit.com/Support/ProductUpdates.aspx. Canadian users can also download the update from: http://support.intuit.ca/quickbooks/en-ca/kb/update/update-quickbooks-to-new-product-update/Update_main.html

When the page appears:

  1. Choose your product by clicking the product selector link.
  2. Click the Update button to start the download and click Go.
  3. Select Open or Run This Program from its Current Location to begin installing the update immediately. Restarting your computer is not required.
  4. If you don't have time to install the update, you can select Save or Save This Program to Disk and the update file, called qbwebpatch.exe, will download to your hard drive. You'll need to open that file to run the update.

Q3. How do I check that the security update has been applied?

A3. To make sure the patch has been applied and is installed on your system, open QuickBooks, and press the F2 key.  In the display, you should see the product version information in the first line. Versions of QuickBooks with the patches applied are the following:

  • QuickBooks 2009 R8 US
  • QuickBooks 2008 R10 US
  • QuickBooks 2007 R13 US
  • QuickBooks 2006 R12 UK
  • QuickBooks 2008 R12 UK
  • QuickBooks 2009 R6 CAN
  • QuickBooks 2008 R8 CAN
  • QuickBooks MC R24 CAN
  • QuickBooks 2009 French R6 CAN
  • QuickBooks 2007 French R7 CAN
  • QuickBooks 2009/10 AU (v18)

Q4. What operating systems are supported?

A4. The security update is available for all operating systems used by any identified versions of the Quickbooks applications: Windows XP, Windows Vista, and Windows 2000.

[If you are running Windows 98 or Windows ME, you need to have Internet Explorer 6.0 or later installed before you can install the update. Go to the Internet Explorer 6 Downloads Web page to install a more recent version of IE. ]

Note: Intuit products for Apple MacOS X are not affected.


Q5: What if I have multiple Intuit products? Do I need to download and install the update for each one?

A5. If you have installed more than one identified version of Quickbooks, you should apply an update for each version.


Q6. I still have a trial version of Quickbooks installed on my system. Do I still need to apply the security update?

A6. Yes. If you have any trial versions of one of the identified versions of Quickbooks installed on your system, you should download and install the security update.


Q7. I only use the Internet on a periodic basis. Do I still need to download the security update?

A7. Yes. If you installed an identified version of Quickbooks on your computer, the vulnerability poses a security risk regardless of whether you are currently connected to the Internet. We recommend that all users of an identified version download and install the security update.


Q8. How do I ensure that my computer has not already been compromised?

A8. If you have anti-virus software installed and have updates run automatically, the anti-virus software should detect the presence of any malware on your computer.  If you want to determine if your computer has malware on it, run a complete scan of your computer using an anti-virus software product.


Q9. I'm the administrator of my office network. Some machines have had QuickBooks installed at some point but don't any longer, and aren't getting automatic updates. What should I do to secure my network?

A9. If you have had QuickBooks installed on some computers at some point, and are no longer running QuickBooks on those machines and receiving automatic updates, you can secure these machines by following these steps to edit the Windows Registry. Please back up the Registry before you implement the following changes:

  1. Copy the following text to a file with the ".REG" suffix.

Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{596801D8-2C9D-4627-9C67-195CB81B655A}]
"Compatibility Flags"=dword:00000400

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{03C3A013-02F2-4e56-87A8-B74A7C5DC75B}]
"Compatibility Flags"=dword:00000400

  2. Import this into the registry by double-clicking on the .REG file and it will automatically be imported.  This will disable the affected ActiveX controls.

Q10. What if I use QuickBooks 2006 or a previous version?

A10. Intuit wants your data to be safe. We recommend you upgrade to a newer version of QuickBooks (2007 or later) as soon as possible and follow the instructions to update that version. QuickBooks 2006 and prior versions are no longer supported and Intuit does not release updates for these products.


Posted Sun, Nov 1 2009 15:51 by bradley | with no comments
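
After importing the .reg file given in Intuit's answer A9 and in the killbit post earlier on this page, it is worth confirming that the flag really landed for both CLSIDs. On 64-bit Windows a double-clicked .reg file writes the native registry view, while 32-bit Internet Explorer reads the Wow6432Node copy, so both views need checking. This is an added example, not Intuit's or the blog's own code; the function name is hypothetical and it assumes a 64-bit PowerShell prompt on x64 Windows (or any prompt on 32-bit Windows).

```powershell
# Added example: audit the kill bit (0x400) for the two QuickBooks ActiveX
# CLSIDs from the .reg file on this page, in every registry view present.

$clsids = @(
    '{596801D8-2C9D-4627-9C67-195CB81B655A}',
    '{03C3A013-02F2-4e56-87A8-B74A7C5DC75B}'
)
$relative = 'Microsoft\Internet Explorer\ActiveX Compatibility'
$views = @(
    @{ Name = 'native';      Root = 'HKLM:\SOFTWARE' },
    @{ Name = 'Wow6432Node'; Root = 'HKLM:\SOFTWARE\Wow6432Node' }
)

function Get-KillBitState {
    param([string]$KeyPath)

    # The key is only created by the import; a missing key means no kill bit.
    if (-not (Test-Path -LiteralPath $KeyPath)) { return 'key missing' }

    # A key can exist without the value if the value line failed to import.
    $flags = (Get-ItemProperty -LiteralPath $KeyPath).'Compatibility Flags'
    if ($null -eq $flags) { return 'value missing' }

    # Other compatibility flags may be set too, so test the bit, not equality.
    if (($flags -band 0x400) -ne 0) { return 'kill bit set' }
    return ('kill bit NOT set (flags=0x{0:X8})' -f $flags)
}

$report = foreach ($view in $views) {
    # 32-bit Windows has no Wow6432Node; skip the view instead of
    # reporting every CLSID under it as missing.
    if (-not (Test-Path -LiteralPath $view.Root)) { continue }

    foreach ($clsid in $clsids) {
        $key = '{0}\{1}\{2}' -f $view.Root, $relative, $clsid
        New-Object PSObject -Property @{
            View  = $view.Name
            Clsid = $clsid
            State = Get-KillBitState -KeyPath $key
        }
    }
}

$report | Format-Table View, Clsid, State -AutoSize

# Anything other than "kill bit set" in a view that Internet Explorer uses
# means the control can still be loaded from a web page on this machine.
$gaps = @($report | Where-Object { $_.State -ne 'kill bit set' })
if ($gaps.Count -gt 0) {
    'Kill bit missing in {0} of {1} locations checked.' -f $gaps.Count, @($report).Count
} else {
    'Kill bit set for both controls in every view checked.'
}
```

Run it again after removing the keys if you ever undo the killbits, since the same report shows which view still carries them.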

For the past two years since we started rolling out Vista, I've felt like Goldilocks.  I can't find an antivirus software I like.  Trend was my choice until it started putting a firewall in there that made it not quite right.  Then I was testing out Nod32 and it nearly was my choice until it too started to have known issues with iTunes and network icon interference. 

So in addition to the desktop icon review tonight, I'm starting the process of removal of the various antivirus products I've been testing on various machines and starting to standardize on the one that I think will be the one I choose.  But I want a wider beta so I'm going to be installing it on more machines.  What is the maybe, hopefully, possibly just right antivirus?  I'm leaning towards Forefront Client Security now.  For those who have home users or home businesses, Microsoft Security Essentials is my current choice of antivirus.  Notice I didn't say "free" antivirus, I said antivirus.  It's discouraging when we're paying annual subscriptions to products that are not catching rogue antivirus, causing slowdowns of our systems, and in general, if they were operating systems, we'd be a lot more upset than we are right now.

So before you ask, can the management console of Forefront go on SBS 2008?  Nope.  Can't.  But this is part of my larger test to see if the native notification of antivirus status is good enough for this Goldilocks.

I'll let you know how this fairy tale ends.

Tonight to answer the door of the trick-or-treaters I'm answering the door as Danica Patrick's older, less sexy, sister that is a Mini Cooper race car driver.

Okay so it's a stretch, I'll admit, but with a Mini Cooper racing shirt and a black wig, what do you expect?

I'm also remoting back into the office and doing the annual "what icons landed up on the desktop" review of the desktops.  While most of us do remote work as a matter of ease and efficiency, sometimes the only time you see issues is looking at the actual desktop.  So I'll take my secondary admin account and log into the workstations remotely and see what icons are there.  See if there are patches that WSUS or Shavlik missed, see if the event viewer looks good.  While I have remote tools that also pull this info, sometimes actually LOOKING at the desktop is like most picture experiences, a picture is worth a thousand words.

In my case, that picture of Danica is worth way more than what I look like in my Mini Cooper get up.

Posted Sat, Oct 31 2009 18:12 by bradley | with no comments

F. On the Source server, make sure the Active Directory is healthy.

If there is only one DC, make sure the SYSVOL and NETLOGON shares are present. Also, check the File Replication Service event log to see if it is in Journal Wrap. The event below is an example of what to look for.

Event Type: Error
Event Source: NtFrs
Event ID: 13568
Description:
The File Replication Service has detected that the replica set "DOMAIN SYSTEM
VOLUME (SYSVOL SHARE)" is in JRNL_WRAP_ERROR.

If there are multiple domain controllers in the source environment, force an Active Directory replication between them in Active Directory Sites and Services and verify it is successful.

You can also run the Microsoft IT Environment Health Scanner in the source environment to uncover any AD health issues.

Microsoft IT Environment Health Scanner

(I'll blog about that in a separate blog post)

An unhealthy Active Directory can result in the following setup errors:

  • Windows Small Business Server group policies cannot be configured.
  • Windows Server Update Services cannot be configured.

To fix this, you will need to restore the source server, resolve the AD Health issue(s) and start the migration all over again.

We're going to check this with a couple of things including this command:

The following are run from the command prompt to test Active Directory health:

  1. DCDiag
    • DCDiag [Enter]
    • DCDiag /test:DNS
    • DCDiag /? (List of switches)

DcDiag
_______________________________________________

Microsoft Windows [Version 5.2.3790]
(C) Copyright 1985-2003 Microsoft Corp.

C:\Documents and Settings\Administrator>dcdiag

Domain Controller Diagnosis

Performing initial setup:
   Done gathering initial info.

Doing initial required tests

   Testing server: Default-First-Site-Name\DOMAIN
      Starting test: Connectivity
         ......................... DOMAIN passed test Connectivity

Doing primary tests

   Testing server: Default-First-Site-Name\DOMAIN
      Starting test: Replications
         ......................... DOMAIN passed test Replications
      Starting test: NCSecDesc
         ......................... DOMAIN passed test NCSecDesc
      Starting test: NetLogons
         ......................... DOMAIN passed test NetLogons
      Starting test: Advertising
         ......................... DOMAIN passed test Advertising
      Starting test: KnowsOfRoleHolders
         ......................... DOMAIN passed test KnowsOfRoleHolders
      Starting test: RidManager
         ......................... DOMAIN passed test RidManager
      Starting test: MachineAccount
         ......................... DOMAIN passed test MachineAccount
      Starting test: Services
            IsmServ Service is stopped on [DOMAIN]  <<<< this is okay and normal on a SBS box -- ignore this
         ......................... DOMAIN failed test Services
      Starting test: ObjectsReplicated
         ......................... DOMAIN passed test ObjectsReplicated
      Starting test: frssysvol
         ......................... DOMAIN passed test frssysvol
      Starting test: frsevent
         ......................... DOMAIN passed test frsevent
      Starting test: kccevent
         ......................... DOMAIN passed test kccevent
      Starting test: systemlog
         ......................... DOMAIN passed test systemlog
      Starting test: VerifyReferences
         ......................... DOMAIN passed test VerifyReferences

   Running partition tests on : ForestDnsZones
      Starting test: CrossRefValidation
         ......................... ForestDnsZones passed test CrossRefValidation

      Starting test: CheckSDRefDom
         ......................... ForestDnsZones passed test CheckSDRefDom

   Running partition tests on : DomainDnsZones
      Starting test: CrossRefValidation
         ......................... DomainDnsZones passed test CrossRefValidation

      Starting test: CheckSDRefDom
         ......................... DomainDnsZones passed test CheckSDRefDom

   Running partition tests on : Schema
      Starting test: CrossRefValidation
         ......................... Schema passed test CrossRefValidation
      Starting test: CheckSDRefDom
         ......................... Schema passed test CheckSDRefDom

   Running partition tests on : Configuration
      Starting test: CrossRefValidation
         ......................... Configuration passed test CrossRefValidation
      Starting test: CheckSDRefDom
         ......................... Configuration passed test CheckSDRefDom

   Running partition tests on : DOMAINNAME
      Starting test: CrossRefValidation
         ......................... DOMAINNAME passed test CrossRefValidation
      Starting test: CheckSDRefDom
         ......................... DOMAINNAME passed test CheckSDRefDom

   Running enterprise tests on : DOMAINNAME.lan
      Starting test: Intersite
         ......................... DOMAINNAME.lan passed test Intersite
      Starting test: FsmoCheck
         ......................... DOMAINNAME.lan passed test FsmoCheck

C:\Documents and Settings\Administrator>dcdiag /test:DNS

Domain Controller Diagnosis

Performing initial setup:
   Done gathering initial info.

Doing initial required tests

   Testing server: Default-First-Site-Name\DOMAIN
      Starting test: Connectivity
         ......................... DOMAIN passed test Connectivity

Doing primary tests

   Testing server: Default-First-Site-Name\DOMAIN

DNS Tests are running and not hung. Please wait a few minutes...

   Running partition tests on : ForestDnsZones

   Running partition tests on : DomainDnsZones

   Running partition tests on : Schema

   Running partition tests on : Configuration

   Running partition tests on : DOMAINNAME

   Running enterprise tests on : DOMAINNAME.lan
      Starting test: DNS
         ......................... DOMAINNAME.lan passed test DNS

It should come back "clean"
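
"Clean" on an SBS box still includes the failed Services test caused by the stopped IsmServ service, so a saved dcdiag run is easier to judge with a filter that separates that expected failure from anything else. This is an added example, not from the original post or from Microsoft; the function name is hypothetical, the sample text is constructed (the frsevent failure is invented to show a blocking result), and treating IsmServ as benign is the assumption stated in the post.

```powershell
# Added example: list failed dcdiag tests and mark the ones that are
# expected on a single-DC SBS server.
function Get-DcDiagFailure {
    param(
        [string[]]$Lines,
        # Assumption: detail lines matching these patterns are normal on SBS.
        [string[]]$BenignDetail = @('^IsmServ Service is stopped')
    )

    $inTest  = $false   # true between "Starting test:" and its verdict line
    $details = @()      # lines dcdiag printed for the current test
    $results = @()

    foreach ($raw in $Lines) {
        $line = "$raw".Trim()
        if ($line -eq '') { continue }

        if ($line -match '^Starting test:\s*\S+') {
            $inTest  = $true
            $details = @()
        }
        elseif ($line -match '^\.+\s+(\S+) (passed|failed) test (\S+)$') {
            # Copy the captures first: the nested -match below overwrites $Matches.
            $target  = $Matches[1]
            $verdict = $Matches[2]
            $test    = $Matches[3]

            if ($verdict -eq 'failed') {
                # Detail lines that no benign pattern accounts for.
                $unexplained = @($details | Where-Object {
                    $detail = $_
                    -not ($BenignDetail | Where-Object { $detail -match $_ })
                })
                $results += New-Object PSObject -Property @{
                    Target   = $target
                    Test     = $test
                    # A failure with no detail at all is never treated as expected.
                    Expected = (($details.Count -gt 0) -and ($unexplained.Count -eq 0))
                    Detail   = ($details -join ' | ')
                }
            }
            $inTest = $false
        }
        elseif ($inTest) {
            $details += $line
        }
    }
    return $results
}

# Constructed sample in dcdiag's output format.
$sample = @'
   Testing server: Default-First-Site-Name\DOMAIN
      Starting test: Connectivity
         ......................... DOMAIN passed test Connectivity
      Starting test: Services
            IsmServ Service is stopped on [DOMAIN]
         ......................... DOMAIN failed test Services
      Starting test: frsevent
         There are warning or error events within the last 24 hours after the
         SYSVOL has been shared.
         ......................... DOMAIN failed test frsevent
'@

$failures = @(Get-DcDiagFailure -Lines ($sample -split '\r?\n'))
$failures | Format-Table Target, Test, Expected, Detail -AutoSize

$blocking = @($failures | Where-Object { -not $_.Expected })
if ($blocking.Count -gt 0) {
    'Resolve before migrating: ' + (($blocking | ForEach-Object { $_.Test }) -join ', ')
} else {
    'No unexpected dcdiag failures.'
}

# Against a real run:  dcdiag > dcdiag.txt
#                      Get-DcDiagFailure -Lines (Get-Content dcdiag.txt)
```

A failed frsevent test is the one to chase first, since it points at the same File Replication Service log where the JRNL_WRAP_ERROR event described above would appear.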

Then do Netdiag

It starts out with a whole bunch of KBs listed... (hotfixes)

________________________________________________

Netcard queries test . . . . . . . : Passed

Per interface results:

    Adapter : Server Local Area Connection

        Netcard queries test . . . : Passed

        Host Name. . . . . . . . . : DOMAIN
        IP Address . . . . . . . . : 10.0.0.2  <<< I'm still at that original SBS 4.0 10.0.0.2 range btw
        Subnet Mask. . . . . . . . : 255.255.255.0
        Default Gateway. . . . . . :
        Primary WINS Server. . . . : 10.0.0.2
        Dns Servers. . . . . . . . : 10.0.0.2

        AutoConfiguration results. . . . . . : Passed

        Default gateway test . . . : Skipped
            [WARNING] No gateways defined for this adapter.

        NetBT name test. . . . . . : Passed
        [WARNING] At least one of the <00> 'WorkStation Service', <03> 'Messenge
r Service', <20> 'WINS' names is missing.
            No remote names have been found.

        WINS service test. . . . . : Passed

    Adapter : Network Connection

        Netcard queries test . . . : Passed

        Host Name. . . . . . . . . : DOMAIN
        IP Address . . . . . . . . : 192.168.1.2
        Subnet Mask. . . . . . . . : 255.255.255.0
        Default Gateway. . . . . . : 192.168.1.254
        Primary WINS Server. . . . : 10.0.0.2
        NetBIOS over Tcpip . . . . : Disabled
        Dns Servers. . . . . . . . : 10.0.0.2 <<<< I still have two nics, I need to rerun this after I've removed ISA

        AutoConfiguration results. . . . . . : Passed

        Default gateway test . . . : Passed

        NetBT name test. . . . . . : Skipped
            NetBT is disabled on this interface. [Test skipped]

        WINS service test. . . . . : Skipped
            NetBT is disable on this interface. [Test skipped].

    Adapter : {A89DD362-5097-4A2B-AE4F-D7AB874ED971}

        Netcard queries test . . . : Passed

        Host Name. . . . . . . . . : DOMAIN
        IP Address . . . . . . . . : 10.0.0.16  <<<< VPN connection going on here
        Subnet Mask. . . . . . . . : 255.255.255.255
        Default Gateway. . . . . . :
        NetBIOS over Tcpip . . . . : Disabled
        Dns Servers. . . . . . . . :

        AutoConfiguration results. . . . . . : Passed

        Default gateway test . . . : Skipped
            [WARNING] No gateways defined for this adapter.

        NetBT name test. . . . . . : Skipped
            NetBT is disabled on this interface. [Test skipped]

        WINS service test. . . . . : Skipped
            NetBT is disable on this interface. [Test skipped].

Global results:

Domain membership test . . . . . . : Passed

NetBT transports test. . . . . . . : Passed
    List of NetBt transports currently configured:
        NetBT_Tcpip_{31680511-DFA0-4A2D-A3A9-D1044337C37A}
    1 NetBt transport currently configured.

Autonet address test . . . . . . . : Passed

IP loopback ping test. . . . . . . : Passed

Default gateway test . . . . . . . : Passed

NetBT name test. . . . . . . . . . : Passed
    [WARNING] You don't have a single interface with the <00> 'WorkStation Servi
ce', <03> 'Messenger Service', <20> 'WINS' names defined.

Winsock test . . . . . . . . . . . : Passed

DNS test . . . . . . . . . . . . . : Passed
    PASS - All the DNS entries for DC are registered on DNS server '10.0.0.2'.

Redir and Browser test . . . . . . : Passed
    List of NetBt transports currently bound to the Redir
        NetBT_Tcpip_{31680511-DFA0-4A2D-A3A9-D1044337C37A}
    The redir is bound to 1 NetBt transport.

    List of NetBt transports currently bound to the browser
        NetBT_Tcpip_{31680511-DFA0-4A2D-A3A9-D1044337C37A}
    The browser is bound to 1 NetBt transport.

DC discovery test. . . . . . . . . : Passed

DC list test . . . . . . . . . . . : Passed

Trust relationship test. . . . . . : Skipped

Kerberos test. . . . . . . . . . . : Passed

LDAP test. . . . . . . . . . . . . : Passed

Bindings test. . . . . . . . . . . : Passed

WAN configuration test . . . . . . : Skipped
    No active remote access connections.

Modem diagnostics test . . . . . . : Passed

IP Security test . . . . . . . . . : Skipped

    Note: run "netsh ipsec dynamic show /?" for more detailed information

The command completed successfully

C:\Documents and Settings\Administrator>

Next we'll do RepAdmin

  1. RepAdmin
    • RepAdmin /viewlist *
    • RepAdmin /SyncAll
    • RepAdmin /KCC

__________________________________________________

Microsoft Windows [Version 5.2.3790]
(C) Copyright 1985-2003 Microsoft Corp.

C:\Documents and Settings\Administrator>repadmin /viewlist *
DC_LIST[1] = DOMAIN.DOMAINNAME.lan

C:\Documents and Settings\Administrator>repadmin /syncall
CALLBACK MESSAGE: SyncAll Finished.
SyncAll terminated with no errors.

C:\Documents and Settings\Administrator>repadmin /kcc

repadmin running command /kcc against server localhost

Consistency check on localhost successful.

Next we'll do NetDom /query FSMO

  1. NetDom /query FSMO

____________________________

Microsoft Windows [Version 5.2.3790]
(C) Copyright 1985-2003 Microsoft Corp.

C:\Documents and Settings\Administrator>netdom /query FSMO
Schema owner                DOMAIN.DOMAINNAME.lan

Domain role owner           DOMAIN.DOMAINNAME.lan

PDC role                    DOMAIN.DOMAINNAME.lan

RID pool manager            DOMAIN.DOMAINNAME.lan

Infrastructure owner        DOMAIN.DOMAINNAME.lan

The command completed successfully.

Other than rerunning this after I remove ISA... AD using DCdiag is looking fine.
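
The netdiag run above has tests marked Passed that still carry a [WARNING], and the 80-column console split one of those warnings across two lines. As an added example (not part of the original post), this Python function triages saved netdiag output so nothing is missed on the rerun after ISA is removed; the sample text is constructed, and the names triage, RESULT and ADAPTER are hypothetical.

```python
import re

# Constructed sample in netdiag's layout (adapter name and results are made up).
# The second [WARNING] line is exactly 80 columns wide, so the console wrapped it.
SAMPLE = """\
Per interface results:

    Adapter : Server Local Area Connection

        Netcard queries test . . . : Passed
        Default gateway test . . . : Skipped
            [WARNING] No gateways defined for this adapter.
        NetBT name test. . . . . . : Passed
        [WARNING] At least one of the <00> 'WorkStation Service', <03> 'Messenge
r Service', <20> 'WINS' names is missing.
        WINS service test. . . . . : Passed

Global results:

Domain membership test . . . . . . : Passed
Trust relationship test. . . . . . : Skipped
DNS test . . . . . . . . . . . . . : Failed
"""

RESULT = re.compile(r"^\s*(.+?)[ .]*: (Passed|Failed|Skipped)\s*$")
ADAPTER = re.compile(r"^\s*Adapter : (.+?)\s*$")

def triage(text, width=80):
    """Return (scope, test, status, warnings) for each test that needs a look."""
    found, scope, cur, wrapped = [], "Global", None, False
    for line in text.splitlines():
        if not line.strip():
            continue
        if wrapped:
            cur[3][-1] += line.rstrip()      # rejoin the console-wrapped tail
            wrapped = False
            continue
        if m := ADAPTER.match(line):
            scope, cur = m.group(1), None
        elif line.startswith("Global results"):
            scope, cur = "Global", None
        elif m := RESULT.match(line):
            cur = [scope, m.group(1), m.group(2), []]
            found.append(cur)
        elif cur and "[WARNING]" in line:
            cur[3].append(line.strip())
            wrapped = len(line) >= width     # full-width line continues on the next
    # "Passed" alone is not a clean bill: keep passed tests that carry warnings.
    return [tuple(t) for t in found if t[2] != "Passed" or t[3]]
```

Save the real output with `netdiag > netdiag.txt` and pass the file's contents to `triage` to get the same short list for the actual server.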

Check out my pumpkin! http://halloween.cloudapp.net/pumpkin/98338f63-ccce-4ee0-a7bd-3ff27ae837d8

Well look at the bright side.  There's no icky disgusting azure and silverlight seeds to scoop out and throw away now is there?

http://blogs.msdn.com/bardak/archive/2009/10/30/happy-halloween-from-the-silverlight-team-and-archetype.aspx

Posted Fri, Oct 30 2009 21:42 by bradley

We're going to start doing some scans on a SBS 2003 to make sure we're ready to go for migration.

We're going to take all of these tips mainly from here:  www.sbsmigrationtips.com which resolves to http://blogs.technet.com/sbs/archive/2009/02/19/sbs-2008-migrations-from-sbs-2003-keys-to-success.aspx

And this -- http://blog.mpecsinc.ca/2009/06/sbs-2003-to-sbs-2008-migration-guide.html

So first tonight we're going to run the SBSbpa on the box and go through item by item what it's telling us.

E. On the Source server, run the SBS 2003 BPA.
  • SBS 2003 BPA
  • Resolve any issues reported in the source environment ahead of time.
  • Know that SBS 2003 SP 1 is not the same as Windows 2003 SP 1 or SP 2. See item #4 for an explanation.

Download it from www.sbsbpa.com which resolves to http://www.microsoft.com/downloads/details.aspx?FamilyId=3874527A-DE19-49BB-800F-352F3B6F2922&displaylang=en

Now run it on your system:

 

Click on the view a report...

So let's go down line by line of the things it found.

1.  Disk space low.  No kidding Sherlock.  It's a five year old server so I think I've done pretty darn good to still be at 19% free with about a month left to go before we move to a new box.

2.  Network interface driver file more than one year old.  If you think I'm going to be flashing network card drivers on this baby now, keep dreaming.  That's an ignore for now.  On a server where you had not upgraded the NIC drivers since it was built, that would be another story.  You'd need to look at that and make sure it has newer drivers.  For me, it's going to stay there for now.

3.  Network interface driver file more than one year old.  This is a SBS 2003 with two nics and ISA (for about another week) and so that's why the two warnings.

4.  Windows Update Service v3 is at RTM.  Ignore this.  I actually have SP2 on the box but the BPA hasn't been updated to reflect that.

5.  Your email domain is on the turf list.   Your e-mail domain exists in the list in the msExchTurfListNames attribute. This can cause problems with public folder replication during a migration. To remove the domain from the list, open Exchange System Manager, expand Global Settings, right-click Message Delivery, and then click Properties. Click the Sender Filtering tab, and then remove your domain from the Senders list.

I'm pretty sure that's another bogus error as my domain name is not in that list, but to be safe I'll be removing those addresses and rescanning regardless.

So I removed the entries, rescanned and voila... (except now my external backup drive is indicating it needs more room :-)

So now we're done with item number E.

E. On the Source server, run the SBS 2003 BPA.
  • SBS 2003 BPA
  • Resolve any issues reported in the source environment ahead of time.
  • Know that SBS 2003 SP 1 is not the same as Windows 2003 SP 1 or SP 2. See item #4 for an explanation.
Posted Fri, Oct 30 2009 20:57 by bradley