Joining a client to an SBS 2011 Essentials network
August 30, 2011
Adding client computers to an SBS Essentials network should be straightforward: you just go to the SBS Essentials server ‘connect’ website, install the software and it does the rest. Or so it should.
Lots of threads on the SBS forums suggest otherwise. There are also questions about profiles not being moved with the accounts, and it can all get a bit messy.
I wanted to know for myself what actually happens, as although I have added clients in a lab system, it is not something I had really paid much attention to.
So I have picked Windows XP and Windows 7. The Windows XP machine is at SP3 but apart from that is out of the box (fresh install), and the Windows 7 machine is Windows 7 Professional running SP1. I have multiple accounts on both, a mixture of local admin and standard user. My aim is to show what happens when you add one of these computers to the Essentials network and to add some guidance on what to do if things don’t happen as you expect.
Where’s my stuff gone?
When you run the connect wizard there are a few different paths it can take, and the results will vary depending on what is true about who is running the wizard. I put together a little flow chart to try and show you what is likely to happen.
What we see from the above is that if you are logged on as a standard user account, you cannot run the connect wizard.
If you are logged on as a local admin, you can. When you get to enter your domain credentials, make sure to enter those of the person who uses the computer, not the administrator (unless they are the same person).
Why? Because if you enter a network administrator account, say DonF, and the user of this computer is PeterVenkman, then Peter’s profile is migrated into the DonF profile on that computer.
Peter is free to log on and create a new profile, but he won’t have any of his documents or settings.
Below I go into a more detailed explanation of what happens on the machine, and what happens if you have multiple local accounts.
The first thing we should do is back up our computer. I know, I know, a lot of you will skip this step, but I think having a rollback point prior to attempting this is critical, especially given that a number of people have struggled with getting this working.
You can use your favourite disk imaging tool to a USB drive, but I am just going to make use of System Restore. I am going to make sure it is enabled and create a restore point before we start.
So, click on Start, then right-click on My Computer, then select Properties with a left click.
Switch to the System Restore Tab.
We can see System Restore is running, as it shows the status of C is Monitoring. Also, the check box marked ‘turn off system restore’ is unchecked.
Click OK to close.
Now we can go ahead and create a restore point.
Click Start, All Programs, Accessories, System Tools and finally System Restore.
System Restore Opens up, and you have the choice to Create a Restore Point. Select the radio button for that, and click Next.
You will need to enter a name for the Restore Point so you can identify it later.
Click on Create to finish the process.
Click on Close when the Restore Point has been created.
So now we know we have a fall back position, we can move on to running the connect wizard.
Just as a side note, I’m assuming your PC is already in a workgroup, as moving from an existing domain to an SBS Essentials domain would be part of a migration, which I am not covering here.
So, next open up Internet Explorer and browse to http://sbsserver/connect. There are prerequisites you will need to have installed before you can complete the /connect process; lucky for us, it will detect and fix most if not all of them silently.
Click on the Download Software for Windows link. When prompted, you want to Run the software.
Just as another side note, I am currently logged on to the Windows XP machine with a local admin account.
You will be prompted again whether you want to run or not run the software. There is a second option named ‘more options’; click that, and then choose to always run software from Microsoft. Then click Run.
The Connect wizard begins, and helpfully tells you what using the wizard enables you to do. First off it is going to verify we meet the requirements. Click Next.
This section of the wizard installed the .NET Framework for me silently, so don’t be surprised if it takes some time to complete.
It will then prompt for your username and password on the network. You might want to add in the Domain Admin username and password – if you do you will see a warning.
So, click Yes, and let’s enter a normal standard user account.
I have set up accounts for the users of this PC already on the Dashboard.
Enter the details for the user who will be using this PC and click Next. It will whizz away and prompt you to reboot.
After a reboot you will be shown a screen asking you to choose if you want to move your data and settings to your new account, you can leave the box checked if you agree, or un-check if you don’t. Click next to continue.
You will then be asked to enter a computer description, fill this out and click next.
Do you want to wake up the computer for backups – umm, let me think… (actually you may need to make a decision here based on whether this is a mobile computer or a desktop; ultimately you want to back up, but it can freak out users if their laptop starts up of its own accord in the middle of the night)
Do you want to join the Windows Customer Experience Improvement Program?
That, thankfully, is the last question for now. Clicking Next will begin configuration of your computer.
And with any luck it should complete successfully.
Now let’s log on to our computer using our domain credentials.
We can see that the file I had on the desktop has moved across; that’s good.
So, all in all, it looks like that has worked.
Now let’s move to the second user, Janine, who also uses this computer.
Unfortunately no, Janine’s documents have not been moved across.
So, why is that? Well, the Connect wizard is only designed to transfer across documents and settings that are stored in the profile of the person running the wizard. So if you have other accounts on the computer, manual intervention is required to move these into their domain profiles.
Let’s have a look at some folders on the PC to get a better idea of how the wizard does this.
The obvious place to look first is the C:\Documents and Settings\ folder.
Interestingly here we can see a single folder for Louis (albeit spelt incorrectly) and two folders for Janine.
What’s gone on here?
Well firstly, when Louis joined the company, they spelled his name wrong, so although his logon name was renamed correctly to Louis, his profile folder was not changed.
So how does Windows know where to store or look for his data?
To answer that question we need to look in the registry.
Let’s open up Regedt32.
Click Start, Run, type Regedt32 and click OK.
Expand HKEY_LOCAL_MACHINE > Software > Microsoft > Windows NT > CurrentVersion > ProfileList.
Here you can see registry keys defined for each profile stored on the system, and some default ones.
If we take a closer look at the keys, we can see that this key relates to Janine’s Domain user profile.
And this key is for Janine’s Local user profile.
There is only one key for Louis.
The key names are a series of letters and numbers; they are actually the users’ account SIDs (a SID is a security identifier).
When comparing these two sets of SIDs we can see that the Connect process has deleted Louis’s local account SID and replaced it with that of his Domain account. But what else has it done?
It has also changed the NTFS permissions on the Lewis folder to give the domain account Full Control and remove the local account from the Access Control List (ACL).
If we re-create that process, we can link Janine’s Domain profile to her Local profile folder, restoring access to her documents and settings, and saving you the time of copying everything across.
It has to be said that doing this is likely to produce unexpected results, and I would not recommend it.
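To check which profile folders the wizard has re-bound to a domain SID and which are still tied to a local account, here is an added example (not part of the original post) that parses the text output of reg query for the ProfileList key. The SIDs, the Janine.EXAMPLE folder name and the MACHINE_ID value are constructed; on a real client you would substitute that computer's own SID prefix.

```python
import re

# Constructed sample of the output of:
#   reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList" /s
# All SIDs and the "Janine.EXAMPLE" folder name are made up for illustration.
SAMPLE = r"""
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList\S-1-5-18
    ProfileImagePath    REG_EXPAND_SZ    %systemroot%\system32\config\systemprofile

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList\S-1-5-21-1111111111-2222222222-3333333333-1003
    ProfileImagePath    REG_EXPAND_SZ    %SystemDrive%\Documents and Settings\Admin

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList\S-1-5-21-1111111111-2222222222-3333333333-1005
    ProfileImagePath    REG_EXPAND_SZ    %SystemDrive%\Documents and Settings\Janine

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList\S-1-5-21-2000000001-2000000002-2000000003-1108
    ProfileImagePath    REG_EXPAND_SZ    %SystemDrive%\Documents and Settings\Lewis

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList\S-1-5-21-2000000001-2000000002-2000000003-1109
    ProfileImagePath    REG_EXPAND_SZ    %SystemDrive%\Documents and Settings\Janine.EXAMPLE
"""

MACHINE_ID = "1111111111-2222222222-3333333333"  # assumed: this PC's own SID prefix

KEY_RE = re.compile(r"\\ProfileList\\(S-1-5-21-(\d+-\d+-\d+)-(\d+))\s*$")
PATH_RE = re.compile(r"^\s+ProfileImagePath\s+REG_\w+\s+(.+?)\s*$")

def parse_profiles(text):
    """Yield (sid, issuer, folder) for every account profile (S-1-5-21-...) key."""
    current = None
    for line in text.splitlines():
        if line.startswith("HKEY_"):
            m = KEY_RE.search(line)  # system SIDs such as S-1-5-18 do not match
            current = (m.group(1), m.group(2)) if m else None
        elif current and (m := PATH_RE.match(line)):
            yield current[0], current[1], m.group(1).rsplit("\\", 1)[-1]

def classify(text, machine_id=MACHINE_ID):
    """Split profile folders by whether a local or a domain SID is bound to them."""
    result = {"local": [], "domain": []}
    for sid, issuer, folder in parse_profiles(text):
        result["local" if issuer == machine_id else "domain"].append(folder)
    return result

if __name__ == "__main__":
    for scope, folders in classify(SAMPLE).items():
        print(scope, folders)
```

In this constructed output the Lewis folder is already bound to a domain SID, while Janine appears twice: the original folder under her local SID and a separate folder under her domain SID.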
A much better way to achieve this would be to use the System Properties applet, and use the User Profile settings section on the Advanced tab.
This produces consistent results and should be a preferred way to do this.
From System Properties you can go to the Advanced Tab, under User Profiles click Settings.
You can see all the profiles stored on the local computer.
Select the local profile you want to transfer, and you will see the ‘copy to’ button become available. Click this.
Clicking Browse will allow you to search for the folder location to copy the profile folder to. We want to choose to overwrite Janine’s domain user profile folder. (This requires Janine’s domain user account to have logged on already to this PC.)
You then need to use the ‘change’ button to select a user who is permitted to use this profile. Obviously we are looking for Janine’s domain account. Then click OK.
Click Yes to acknowledge you will be overwriting this folder.
That is all!
There is also a third method using Forensit’s Profile Wizard, which I am covering under the Windows 7 machines.
This is a very simple wizard and will allow you to move profiles very quickly.
On the Windows 7 machine we actually have 4 local user accounts. So what we are going to do is run through the connect wizard as a network admin, not migrate any of the data, then use Forensit’s wizard to migrate the user profiles.
I am choosing to log on as my Local Admin account, as we know from above this is the only account we can use to run the Connect wizard.
Again before we start we should verify System Restore is running, and create a Restore Point.
Click on Start, then right click Computer and go to properties.
Switch to System Protection.
You can see the status of System Restore highlighted, and you can click on Create, to create a new system restore point.
Enter a name and click on Create to start creation.
After a few moments your restore point will have completed. You can now close all the open windows and open up IE ready to launch Connect.
When you go to http://sbsserver/connect on the Win7 machine you will notice a message appears about Intranet Settings. You can ignore this for now, as it will not affect the connect wizard.
The wizard itself is identical to that on XP, so I won’t go into much detail here.
Just remember to un-check the box to make sure you don’t migrate documents and settings into your network administrator account.
Once you have finished the wizard, you are ready to log on.
Login as the Network Administrator, and load up a copy of Forensit’s Profile Wizard.
Forensit’s wizard will guide us through the process.
You will need to uncheck Join Domain and also uncheck Set Default Logon. Enter your destination account name, in this case PeterVenkman, and click Next.
Select the Source Profile Folder and click Next.
When the wizard has completed the task, click next and then you are finished.
If we take a look in the registry at the profiles section, we can see that just like the connect wizard it is replacing the Local registry key with a domain one.
We can do the same process again for Egon’s account, and then look at a before and after shot.
Before – Showing the local SID for Egon’s account.
After – Showing the Domain SID for Egon’s account.
Hopefully this has given you some insight into how the connect wizard behaves, and what it does to your user profiles when joining an SBS Essentials network.