Migrate SBS 2011 Standard to Windows Server 2016
March 28, 2017 138 Comments
Your trusty old SBS 2011 is finally being retired. It had a good run. It probably still works but you cant get the parts, and the cloud is so appealing and for whatever reason you have, you are putting in a new on premises DC.
Hey, you don’t have to justify it to me. Chances are you shipped Exchange off to the cloud long ago, your clients never really ‘got’ SharePoint and SQL was just used by the backup software and WSUS.
The only thing we want to migrate is Active Directory and File & Print services.
Moving to 2016 makes a lot of sense, even if it is not for the seven year slog many of us are used to with our client servers. It is an elegant OS for a less Civilised time. it also gives us plenty of options for cloud integrations that we just don’t have with 2008 R2.
Many of our SMB clients will have skipped over 2012, and 2012 R2, in fact I am just finishing up my last SBS 2008 migration this week. That client has 20 staff and 100mb leased line. They wanted an on premises solution. Now that they have Server 2016 running, we have a lot more scope to link in services like Azure AD even if they don’t know they want them yet.
That’s enough rambling. Lets migrate.
In my lab examples I have a Single SBS 2011 Standard DC, and a Server 2016 Hyper V Server, which will host a 2016 DC and a 2016 File & Print Server.
Prep SBS 2011
The secret to any migration is preparation. In that vein we need to spend a little time checking our 2011 server for anything that might cause us an issue later on.
First thing we are going to do is a System State backup.
I have attached a 120gb USB Hard Drive just for this backup.
Open an Elevated Command Prompt window on your 2011 and enter:
wbadmin start systemstatebackup –backuptarget:f:
When prompted select Y to continue the backup.
On my lab system it took about an hour to complete.
Now we have this, we can go ahead and make system changes and not worry too much about not being able to roll back. Of course this should be a supplement to your already robust backup regime.
Next we look at DNS.
Open up the DNS Manager and find your internal domain name.
We want to make sure we have no left overs from any previous SBS Servers or Domain Controllers.
Go to the properties of your zone, and click on the Name Servers tab.
Well this is embarrassing isn’t it, apparently I did have another server on this network at some point. Long since forgotten.
If you find anything here that does not belong, select the server in question then click the remove button.
Go through every folder in the zone to make sure there are no references to servers that do not belong.
Pay special attention here and don’t get click happy, because there will be multiple entries for the SBS 2011 server in the same folder which we want to keep!
Repeat the process for the zone named _msdcs,yourdomain.local, including checking the name servers tab.
Next we can run everyone’s favourite AD Test tool, DCDiag.
in our CMD window, enter:
dcdiag /e /v /f:dcdiag.log /c
Now we need to review the log.
notepad dcdiag.log
Of course I cannot review your log for you, so this next step is all on you. Chances are, in a single domain controller environment you won’t have any major problems. There is plenty of information out there to solve most things, including the dreaded Journal Wrap.
We can also run a quick netdom command to check the current FSMO role holders, this is unlikely to show up anything you didn’t already know, because SBS would have been complaining wildly about it if there was a problem.
netdom query fsmo
Do you know what functional level your domain and forest are on?
If you don’t have the ActiveDirectory PowerShell Module installed, you should install it right now.
In SBS 2011 the default is 2003 Forest, and 2003 Domain mode. For the next process we need to raise up to 2008.
If you have old 2003 era DCs, now is the time to destroy them.
In an elevated PowerShell, run the following:
import-module activedirectory (get-adforest).forestMode (get-addomain).domainMode
In my environment I had already raised the Domain functional level to make use of Fine Grained Password Policies.
Now I am going to upgrade both forest and domain to 2008R2.
$currentForest = get-adforest $currentDomain = get-addomain set-adforestmode $currentforest -forestmode 4 set-addomainmode $currentdomain -domainmode 4
Next we can migrate SYSVOL replication from FRS to DFSR which is nicely explained here.
The process consists of running a few commands, and waiting for them to finish, which is my kind of work!
dfsrmig /getglobalstate
This should return that the migration has yet to begin.
Proceed as follows:
dfsrmig /setglobalstate 1
Then wait a minute or two and run:
dfsrmig /getglobalstate
This should return that Step 1 has succeeded and the DFSR Globalstate is ‘prepared’.
Proceed to run step 2.
dfsrmig /setglobalstate 2
Again waiting for this to arrive in the succeeded state. We can then run a new command to check the status of the migration.
dfsrmig /getmigrationstate
With any luck you will see that ‘migration has reached a consistent state on all Domain Controllers’ which in my environment is great because I only have the one DC.
The final command is:
dfsrmig /setglobalstate 3
This completes our prep on our SBS Server. In summary we have cleaned up DNS of any values pointing to old servers. We have updated our domain functional level, and migrated NTFRS to DFS-R. You can perform another System State Backup at this point if you wish.
Install Server 2016
Next, install your Windows Server 2016 Hyper-V Server. Create a new Guest machine to serve as your Server 2016 DC, if you are not familiar with 2016 yet, I would suggest sticking to the Desktop Experience version.
When you get to Server Manager of your Server16 DC Box. go to local server, enable Remote Desktop.
Next open an Elevated PowerShell window. Enter the following to set your new servers IP Statically:
$currentIP = get-netIPConfiguration ipconfig /release New-NetIPAddress -interfaceIndex $currentIP.InterfaceIndex -IPAddress $currentIP.IPv4Address.IPAddress -PrefixLength $currentIP.IPAddress.PrefixLength -DefaultGateway $currentIP.IPv4DefaultGateway.NextHop Set-DNSClientServerAddress -interfaceIndex $currentIP.InterfaceIndex -ServerAddresses $currentIP.DNSServer.serverAddresses # end
This will take whatever IP was issued to it via DHCP and convert it to a Static IP.
If you run this command over RDP you will lose your connection temporarily, so i reccomend you run this from a direct VM Connection on the Hyper-V Server.
If you would prefer to manually set the IP of your Server, then do that.
Next we can rename our Server:
Rename-Computer Server16-DC0
After we restart the server we can install some roles and features.
From an Elevated PowerShell Window:
Add-WindowsFeature AD-Domain-Services,DHCP,DNS,FS-DFS-NameSpace,FS-DFS-Replication -includeAllSubFeature -IncludeManagementTools
Next we can promote our Server16 to be a domain controller.
$currentDomain = Read-Host -Prompt "Enter your internal domain name:" $cred = Get-Credential -Message "Enter Domain Administrator Credentials" Install-ADDSDomainController -NoGlobalCatalog:$false -CreateDnsDelegation:$false -CriticalReplicationOnly:$false -DatabasePath "C:\Windows\NTDS" -DomainName $currentDomain -InstallDns:$true -LogPath "C:\Windows\NTDS" -NoRebootOnCompletion:$true -SysvolPath "C:\Windows\SYSVOL" -credential $cred -Force:$true -Confirm:$false -SafeModeAdministratorPassword (ConvertTo-SecureString 'ntADRSM0deP@ssword!!' -AsPlainText -Force)
This will prompt you to enter your internal domain name, and your domain admin credentials.
Of course, with our expert preparation, the install will succeed and you will be prompted to reboot your server.
Logon as the Domain Admin.
Open an Elevated PowerShell window.
Now we can configure DNS Scavenging and a Reverse Lookup Zone if needed, and copy DNS forwarders from the SBS 2011.
$ipv4 = (Get-NetIPAddress -AddressFamily IPv4 | select *)
$ipA = $ipv4[0].IPAddress
$sMask = $ipv4[0].PrefixLength
$ipNet = $ipv4.IPAddress[0].Split(".")
$ipNet = $ipNet[0] + "." + $ipNet[1] + "." + $ipNet[2] + ".0"
$sNet = $ipNet + "/" + $sMask
Set-DnsServerScavenging -ScavengingState $true -ApplyonAllZones -ScavengingInterval "7.00:00:00"
try
{
Add-DnsServerPrimaryZone -NetworkID $sNet -ReplicationScope "Forest" -errorAction Stop
}
catch
{
Write-Output "Reverse Zone Already Exists"
}
$pdc = (get-addomain).pdcemulator
$forwarders = (get-dnsserverforwarder -computername $pdc).ipaddress.ipaddresstostring
set-dnsserverforwarder -computername $env:computername -ipaddress $forwarders
You may receive an error if you already have a Reverse Lookup Zone for your subnet, but many people don’t have them.
Now we can set our Destination server to use itself for DNS.
$currentIP = get-netIPConfiguration Set-DNSClientServerAddress -interfaceIndex $currentIP.InterfaceIndex -ServerAddresses $currentIP.IPv4Address.IPAddress
Referring back to an earlier post I did, i was reminded of another bit of PowerShell to setup DHCP.
Whilst that is certainly useful, I decided to spruce it up a bit and I have now built a new script that will pull all of your existing DHCP Configuration from the Source server using NETSH and then import that into the Destination server.
Once processed it then proceeds to disable DHCP on the Source server. It leaves the scope and settings intact, so if you want to roll back simply enable the DHCP Server service on the Source server and you are back where you started.
It seems even though we have configured DHCP with PowerShell we need to complete the post install wizard in Server Manager.
Just click through the pages without changing anything.
Update 01/11/2018
It seems this is a bug of some sort and a registry key change will resolve it. https://dimitri.janczak.net/2016/11/21/dhcp-server-wizard-error/
Next we take a look at something I had to learn the hard way.
You may be familiar with EFS, Encrypted File System. Ok, you may have heard of EFS but in practice I think people using it are few and far between. EFS provides an interface from within File Explorer to Encrypt your files and folders. EFS uses digital certificates as the keys to encrypt and decrypt the files.
As a precaution to potential data loss, EFS provides something called a Data Recovery Agent, which is a nominated account that also has a key to unlock the files. By default the built-in Administrator account is recognised as the EFS recovery Agent.
That is relatively straight forward, however…. Did you know that the EFS Recovery Agent Certificate is only available on the FIRST Domain Controller promoted into that domain.
It is fair to say a topic like this really deserves its own post, of which there are plenty from folks much smarter than me.
I can, however, show you how to backup this certificate and keep it safe, which you can read here.
Once we have dealt with the drama of our EFS Recovery Agent, we can look at migrating our Certificate Authority.
The migration article is quite straight forward to follow.
We start off by backing up some data from our Source Server, tweak some settings and then restore the data to our Destination server.
First on our SBS Server we will backup the CA Database and Private Key, from an elevated command prompt:
certutil -backupDB c:\caBackup certutil -backupKey c:\cabackup
Next, stop the CA Services.
net stop certsvc
Next backup the CA registry settings.
reg export HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\CertSvc c:\cabackup\CA.reg
The next step in the TechNet article relates to using a custom CA Policy.inf file, on my SBS I did not have one so I will assume you also do not have one, so move along.
We now come to uninstall our Source CA. From an elevated PowerShell Window:
Import-Module ServerManager Remove-WindowsFeature AD-Certificate
As the output suggests we should now reboot our SBS 2011.
I have copied the CA Backup folder from my Source server to my Destination server and Now we can begin restoring things.
On our Destination server we can Add the Certificate Services role.
Add-WindowsFeature ADCS-Cert-Authority -IncludeManagementTools
Next, we can use this command to complete the install of our new CA.
Install-AdcsCertificationAuthority -CAType EnterpriseRootCA -CertFile C:\cabackup\trsbs11-SERVER-CA.p12 -CertFilePassword (read-host "Set user password" -assecurestring)
Next we can restore our DB Backup.
net stop CertSvc certutil -f -restoreDB c:\cabackup
Open your Source CA.reg file in notepad.
The TechnetArticle on this process is uncharacteristically vague about this next step.
Some registry parameters should be migrated without changes from the source CA computer, and some should not be migrated. If they are migrated, they should be updated in the target system after migration because some values are associated with the CA itself, whereas others are associated with the domain environment, the physical host, the Windows version, or other factors that may be different in the target system.
In my Source CA.reg I modified two lines only.
"DisplayName"="@%systemroot%\\system32\\certocm.dll,-347" "DisplayName"="Active Directory Certificate Services" "CASERVERName"="SERVER.trsbs11.local" "CASERVERName"="SERVER16-DC0.trsbs11.local"
Save your changes to the CA.reg file and import the file.
reg import c:\cabackup\CA.reg
Now start the service.
Start-Service CertSvc
You can test the issuance of a certificates by requesting a new certificate from MMC Certificates for the Local Computer. I requested a new DC Certificate and it was issued without any problem!
At this point it might be a good idea to let the dust settle for a week before moving on to remove the SBS from the network.
A few days have now passed and I am ready to proceed with the decomission on the SBS Server.
As I said at the beginning of the post, I am assuming you have already taken care of removing Exchange and SharePoint, to the degree that either they are uninstalled, or there is no data left in them you need to keep.
Moving the FSMO Roles is one of the last tasks you should do, because as you may recall SBS must be the FSMO Holder for your domain.
Once we have transferred the roles to our Destination server, we can shut down the SBS Server for another few days to make sure everything still functions as expected.
From an elevated PowerShell window:
Move-ADDirectoryServerOperationMasterRole -Identity $env:ComputerName -OperationMasterRole 0,1,2,3,4 -confirm:$false netdom query fsmo
Once you are happy your environment can sustain the loss of your SBS Server, it is time to run that final DCPromo, and commit the SBS to the great Data Center in the sky.
On the SBS itself we want to put the DNS Server address to the Destination Server, which we cannot do with PowerShell but we can use NETSH.
netsh int ip set dnsservers "Local Area Connection" static 192.168.16.13 primary
Then run DCPromo.
Make sure to leave the ‘Last DC in the Forest unchecked’ and complete the wizard.
Goodnight, sweet prince.
PS. You can go ahead and remove it out of the domain into a workgroup, or just turn it off and delete the account from AD.
About Robert Pearman
Hi thank you for the great article. It helped me with a sbs migration go smoothly. One question, now that I have server 2016 standard running, I need to install Windows Essentials Experience role. When I start it won’t let me finish b/c it says I have CA role installed. When I google the issue it says I have to remove the role. Will that effect the server in anyway if I remove it?
@Ben indeed that is a good question, i am wondering the same thing as we would like to use the Essentials Experience Role also.
@Robert Pearman in thuis guide u are assuming that Exchange and Sharepoint are already removed correctly, for us this is not the case do u have a guide for this aswell?
I don’t but i believe Robert Crane over at CIAOPs is the guy to ask.
http://blog.ciaops.com/2013/07/migrating-from-companyweb-to-office-365.html
I just ran into the same issue. I can continue the migration, but would really like to get the Essentials Role installed for the on site admin. Anyone figure this out?
Not sure what you mean.
Hi Robert, the Essentials Experience Role will not install on a Server 201 Std box if the CA role is already present. In my case, I removed the CA Role, installed WSE Role, which apparently installs the CA Role as well because it’s there after the WSE installation completes.
Hi David,
My roles are greyed out in server 2016 so I cannot uninstall the CA role. Did you do it via powershell or the GUI?
Are you sure you are clicking on “Remove Roles and Features” when you launch the wizard in Server Manager?
OK, nicely done!! Quick two questions: It seems that you moved to Server 2016 Std instead of 2016 Essentials. If so, is there are reason why you did it that way? And if so can the above process be used to move from SBS 2008 to 2016 Essentials?
I guess that was three questions…
Is there a reason? I think Essentials 16 is quite buggy.
Following this procedure you end up with a single 2016 DC, chances are you got 2016 Standard, so 1 VM is the DC you can make the second VM an Essentials server.
Yes I think you can pretty much follow this for sbs 08.
Will this procedure work with 2008R2 Foundations?
As long as it it at the root of the forest.
Robert, many thanks for this, first time I have attempted a SBS2011 to Server 2016 and it went without a hitch.
This is one awesome article, extremely helpful and well written. Thank you so much.
Hello,
Great help! Really a very good guide on how to.
I’ve only ran into a problem now, doing exactly as you say above:
PS C:\Users\localadmin> $ipv4 = (Get-NetIPAddress -AddressFamily IPv4 | select *)
PS C:\Users\localadmin> $ipA = $ipv4[0].IPAddress
PS C:\Users\localadmin> $sMask = $ipv4[0].PrefixLength
PS C:\Users\localadmin> $ipNet = $ipv4.IPAddress[0].Split(“.”)
PS C:\Users\localadmin> $ipNet = $ipNet[0] + “.” + $ipNet[1] + “.” + $ipNet[2] + “.0”
PS C:\Users\localadmin> $sNet = $ipNet + “/” + $sMask
PS C:\Users\localadmin> Set-DnsServerScavenging -ScavengingState $true -ApplyonAllZones -ScavengingInterval “7.00:00:00”
Set-DnsServerScavenging : Failed to set property ScavengingInterval on server FS.
At line:1 char:1
+ Set-DnsServerScavenging -ScavengingState $true -ApplyonAllZones -Scav …
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo : PermissionDenied: (ScavengingInterval:root/Microsoft/…erverScavenging) [Set-DnsServerS
cavenging], CimException
+ FullyQualifiedErrorId : WIN32 5,Set-DnsServerScavenging
Set-DnsServerScavenging : Failed to set property DefaultAgingState on server FS.
At line:1 char:1
+ Set-DnsServerScavenging -ScavengingState $true -ApplyonAllZones -Scav …
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo : PermissionDenied: (DefaultAgingState:root/Microsoft/…erverScavenging) [Set-DnsServerSc
avenging], CimException
+ FullyQualifiedErrorId : WIN32 5,Set-DnsServerScavenging
PS C:\Users\localadmin>
What is causing this and how can I fix this? I hope you can help. I tried to go on with the rest of your guide but DHCP is failing because of (this) DNS error. I’m stuck at the moment although everything is still running on the SBS2011.
Kind regards Mark
Darn.. when joined to domain I needed to open Powershell ‘as administrator’.!… That was all.
However, I get a different error as I am at the last line of the DNS forwarder;
PS C:\Windows\system32> set-dnsserverforwarder -computername $env:computername -ipaddress $forwarders
Set-DnsServerForwarder : Cannot validate argument on parameter ‘IPAddress’. The argument is null or empty. Provide an
argument that is not null or empty, and then try the command again.
At line:1 char:67
+ … erverforwarder -computername $env:computername -ipaddress $forwarders
+ ~~~~~~~~~~~
+ CategoryInfo : InvalidData: (:) [Set-DnsServerForwarder], ParameterBindingValidationException
+ FullyQualifiedErrorId : ParameterArgumentValidationError,Set-DnsServerForwarder
Is this a bad thing?
There should be a ‘get’ command somewhere getting the value for $forwarders
Great information and thanks for taking the time to share it! However, one question, I don’t see the adprep command being used on the SBS2011 server. Our reseller has some communication with Microsoft that seems to indicate this is one of the first steps on SBS. I see in the screenshots when you promote the 2016 server to a DC, there is some output from adprep saying it updated the forest and domain information. Is the 2016 server recognizing the need for it to be done and then doing it for you?
Good question, don’t remember. Will check it out.
Server 2012 and up do the adprep from the target. Prior to 2012 u needed to do it on the source Server. So since 2012 it is done for u automaticly.
Thanks!
I’ve done a half dozen SBS2008 and SBS2011 migrations using this methodology and some tips from Mariette over at server-essentials.com and have never run into the need to adprep a server. I would think that would even be destructive – isn’t it used to sanitize Windows back to “as initially installed” condition?
No adprep and forest prep were for schema extensions for the new OS DCs. I was thinking it was automatically done for you now but really didn’t remember, seems like I would have included it if it was a step I had done.
The command has completed successfully
………………………………………………………………………………………………………… ………………………………………………………………………………………………………… ………………………………………………………………………………………………………… ………………………………………………………………………………………………………… …………………….
………………………………………………………………………………………………………… ………………………………………………………………………………………………………… ………………………………………………………………………………………………………… ………………………………………………………………………………………………………… ……………………………………………………………………………………………
Adprep successfully updated the forest-wide information.
Adprep successfully updated the domain-wide information.
WARNING: Windows Server 2016 domain controllers have a default for the security setting named “Allow cryptography
algorithms compatible with Windows NT 4.0” that prevents weaker cryptography algorithms when establishing security
channel sessions.
For more information about this setting, see Knowledge Base article 942564
(http://go.microsoft.com/fwlink/?LinkId=104751).
WARNING: This computer has at least one physical network adapter that does not have static IP address(es) assigned to
its IP Properties. If both IPv4 and IPv6 are enabled for a network adapter, both IPv4 and IPv6 static IP addresses
should be assigned to both IPv4 and IPv6 Properties of the physical network adapter. Such static IP address(es)
assignment should be done to all the physical network adapters for reliable Domain Name System (DNS) operation.
WARNING: A delegation for this DNS server cannot be created because the authoritative parent zone cannot be found or it
does not run Windows DNS server. If you are integrating with an existing DNS infrastructure, you should manually
create a delegation to this DNS server in the parent zone to ensure reliable name resolution from outside the domain
“hill.local”. Otherwise, no action is required.
Does not come with require a reboot or Success status and its been like that for two hours. Any advice will be helpful
Hello Yadi,
I have the same problem.
How did you resolve this ?
Thank you
I have the same issue – did anyone resolve this or do I just do a reboot? Mine has been hanging in the same place for 45 mins.
I had the same problem and fixed it. The info you need is here: https://support.microsoft.com/en-au/help/2737935/active-directory-installation-stalls-at-the-creating-the-ntds-settings
Basically if the local admin account password on the new server is the same as that on the already existing domain controller, it will fail. Also, I changed the bit in the last line in that setup where it says “(ConvertTo-SecureString ‘ntADRSM0deP@ssword!!’ -AsPlainText -Force)” to actually be the existing domain controller password, not ntADRSM0deP@ssword!!. Do that and it should all work fine.
Hello, I’ve ued this script before and it went perfect, Now however I have a DNS problem with the lvery last command and I can’t continue with DHCP because it gives errors. I hope somebody can help me.
With this command I get this error:
PS C:\Windows\system32> set-dnsserverforwarder -computername $env:computername -ipaddress $forwarders
Set-DnsServerForwarder : Cannot validate argument on parameter ‘IPAddress’. The argument is null or empty. Provide an
argument that is not null or empty, and then try the command again.
At line:1 char:67
+ … erverforwarder -computername $env:computername -ipaddress $forwarders
+ ~~~~~~~~~~~
+ CategoryInfo : InvalidData: (:) [Set-DnsServerForwarder], ParameterBindingValidationException
+ FullyQualifiedErrorId : ParameterArgumentValidationError,Set-DnsServerForwarder
Do you get a result for this command?
$pdc = (get-addomain).pdcemulator
$forwarders = (get-dnsserverforwarder -computername $pdc).ipaddress.ipaddresstostring
$forwarders
Great article Robert. Just one dumb question. Can the second server have the same name as the SBS Server after it has been decommisoned so that you can “swing” the shares to a link with the same name? There’s nothing to stop the initial data migrations to go to the DC together with the Essentials role right? The change of folder redirection and drive maps through group policy is fine but with 50+ PCs connecting to a LOB app it is going to need some manual intervention at each desktop. Just thinking aloud but wondered if you have ever tried?
Not tried it but as long as the old server is removed fully first it should be ok to add a server with that name.
Hey Robert,
great write-up as per usual, did run into an error when running your DHCP migration script, maybe have a look at that:
Add-DhcpServerInDC : Cannot process argument transformation on parameter ‘IPAddress’. Cannot convert value “System.Object[]” to type “System.Net.IPAddress”. Error: “An invalid IP address was specified.”
At C:\_install\Migrate-DHCP.ps1:85 char:57
+ Add-DhcpServerInDC -DnsName $destination -IPAddress $destIP
+ ~~~~~~~
+ CategoryInfo : InvalidData: (:) [Add-DhcpServerInDC], ParameterBindingArgumentTransformationException
+ FullyQualifiedErrorId : ParameterArgumentTransformationError,Add-DhcpServerInDC
On another note, not quite sure on how much you want this to be a complete guide, but maybe do refer to some moving of the data to the new server and some of the SBS specific features like redirected folders and how to get those to the 2016 server?
DHCP migration did go through btw.
Great article Robert thank you. Ill be looking to do this very soon with our SBS domain.
Hi, how can I delete the OUs under MyBusiness and the group policies from SBS after migration?
I testet this in my lab and have no rights to do so.
They may be set to prevent accidental deletion. Which is a check box in the OU properties.
The checkbox was unchecked.
But there is an attribute in the attribut-editor section of the prperties, this attribute is called “systemflags” with a text-valuwe of “DISALLOW_DELETE …”, the real value is -1946157056. I can not edit this, nice editor …
Do you have any objects inside these OUs still?
All objects are moved to a new OU.
Ill try another setup in my lab, but it is not possible to setup a SBS2008 on Hyper-V 2016, so I have to setup this on my slow Hyper-V 2008R2 machine, it takes some time.
Finally I decided to not migrate, I will establish a new domain.
With all this stuff, deinstall Exchange eg. and afterwards you will have objects (admins, groups and policies) in your AD, that you do not need and you partial can not delete, this is more work, than to make it new and clean.
SBS is wasting of lifetime!
Cheers
I may have run into a snag. After running command “dfsrmig /setglobalstate 2”, which was successful, I ran dfsrmig /getmigrationstate and received the following result:
The following Domain Controllers are not in sync with Global state :
Domain Controller – DC Type
– Primary DC
Migration has not yet reached a consistent state on all Domain Controllers
State information might be stale due to AD latency.
I have only the one SBS 2011 server and that is the only DC on the network since it was created. Any help would be appreciated. Thanks!
How long did you leave it before running GetmigrationState?
it was over 24 hours, but we resolved it. The DFSR service was in Starting state. Our guys glanced and thought it showed Started. Ugh! We were able to get the service started and the process completed and SYSVOL migration process completed. Thanks for the quick reply
Another question:
The command to promote the Server 2016 server to a DC was started about 30 min ago. All the results match your documentation, but the last line that should state that a restart is required has not yet shown up. How much time should we allow for this command to complete? Thanks in advace!!
Robert – To be clear on my question about promoting the server to DC using your PS commands, the last lines I see are:
Adprep successfully updated the forest-wide information.
Adprep successfully updated the domain-wide information.
followed by the paragraph:
“WARNING: A delegation for this DNS server cannot be created……..”
It seems all I am missing is the message:
“You must restart this computer…”
It only shows a blinking prompt where the line should be that requires a restart/
It appears that all was successful and that I should be able to restart the server but wanted to get your thoughts first. Thanks in advance for all the help!!!
Sorry for slow reply, hope all is well.
When you run this command:
$cred = Get-Credential -Message “Enter Domain Administrator Credentials”
It is _absolutely vital_ that when you type in the username that you are prompted for, you include the domain name, for example:
mydomain\administrator
and not just administrator (or whatever the administrative username is in your situation.
If you omit the domain name, it will hang at the last step and you’ll have to remove the server from the domain and add it back in as per the link in the Joshua Nash comment on January 4, 2018 at 2:03 am
I went through this pain too. @Robert Pearman, you could update this page to the following:
$cred = Get-Credential -Message “Enter Domain Administrator Credentials in the form yourdomain\adminusername”
:-)
It seems to be hanging for me anyways. It prompts me for the credentials, which I enter. Then it just displays the last command and keeps flashing. I don’t see a progress screen like it’s doing anything. Any thoughts ?
Thank you very much for this great piece of work! You helped me a lot!
Hi Rob, thanks for a great article which some of us are still using.
A quick question: What is the best way to handle shares on SBS server and moving them to new Server? in our case it is new DC server which will also be a file sharing server.
You mean moving the data?
Yes Rob. All the shares on SBS box.
I want to unsubscribe this.
How can I do it????
Good question. Will see what I can do.
Hi Rob, migrated all FSMO roles and shutdown the old SBS(DC) for a few days, occassionally domain clients get permission denied errors and have to restart computers a few times to fix it. Clients have security-kerberos errors and seems they are trying to talk to the SBS server (AD). I suppose this is because the old SBS is shutdown so that AD sync is not working properly and will be fixed after SBS is depromoted? thank you.
Hi Rob, I think you miss some steps, after FSMO transfer, the root domain time service may not be transferred to new PDC. I would assume it’s better to make sure time service is correct before de-promo the old SBS?
Hi Rob, in our case SBS server is also RDP License server. How do I move RDP gateway/ license server over to new Server 2012 r2?
thanks
Do you have any article if I want to keep a Exchange 2016 on premise (on a different Win2016 VM) ? My client has an aging SBS2011 that we will change for a brand new Dell PowerEdge 7425 with 2 x EPYC 7281 (32 cores) :D (will be fun to play with!). The plan is to build the new server with Server 2016 Standard on it, then Install the Hyper-V role, and create 2 VM, one for the DC and one for the Exchange 2016. They also have a 2nd server (2012) that is a RDP server & File+Print Services that will keep those role.
I’m looking for a good article on that scenario and Unfortunately I can’t pay 500$ for server-essentials.com article… (that was free before!) since I only have 1-2 clients and that will eat too much of my profit :O
You should charge more.
Can this guide be followed for a regular Server 2008 R2 domain controller that is not SBS 2011?
Robert – first of all thanks so much for your very helpful step-by-step migration – don’t know what I’d do without it. Hit one snag & have one other question.
1) Running the DHCP script I got an error because the 2016 server has 2 NICs and I’d only connected one, so I went back and disabled #2, then tried to temporarily re-enable/start DHCP at source server but entire scope & settings were GONE (which you said the script leaves intact). I re-ran the script anyway & it DHCP seems OK except there was no DNS Server address (which I did manually) and there are NO address leases showing. So please tell me it’ll be OK when the users try to log in on Thursday morning – or is there something I need to do? Addresses do show in DNS Manager.
2) The EFS steps – necessary? I don’t think it was ever used on the SBS 2011 server or was it enabled there by default when the server was installed? Can I skip the whole section without harm – because all files from source server have been on the W2016 box for a month now – email moved to O365 – & the last thing I need is to mess all that up by adding something that’s not necessary.
Thanks!
Hello Bill,
Check your source server, is DHCP service still running? If it is not (which i expect) disable DHCP on the new server, then start DHCP on the source server, and you should see the settings are still there.
The leases should start to appear when your clients renew their existing leases. You can test that ahead of time with a reboot of a client pc.
EFS – if the certificate is available i would make sure to back it up, its better to have it and never need it than just skip it and find out one day someone encrypted a file that you now cannot recover.
Thanks, Robert.
BTW, when I looked under Users/Administrator/ Appdata/Roaming/Microsoft/ Crypto/RSA there is a folder there with 4 private keys (all at least 5 years old), but when I opened the MMC/Certificates/Personal there’s nothing there, so no exporting the private key and if anyone encrypted a file 5 years ago, SOL. I’ll back up what I can but I really don’t think there’ll be a problem going forward. And you were correct on the DHCP. Thanks again.
Hi Robert, Is it the same process from SBS2011 to windows server 2012R2
Yes should be.
Thank you for writing this comprehensive guide, you saved me a lot of typing.
Thank you for the comprehensive article. My migration went without a hitch. I turned off the SBS server and have not looked back. Today I am trying to modify some group policies that came over from the SBS and I did not complete the DC Promo step to remove it from AD. I also see that my 2016 server still has domainMode=Windows 2008R2Domain and forestMode=Windows2008R2Forest. Is there a way to raise these modes?
2008R2 Mode is fine, you can raise that at any time.
You mention the GPOs, do you have an issue editing those?
I have removed the SBS server from the network. I am setting up brand new workstations and they are having trouble with windows updates because “Some settings are managed by your organization”. I had Windows updates running through GPO on the old server with the older server being the WSUS. I decided it was more trouble than it was worth especially now that our bandwidth is so much better. But I cannot see where the GPO migrated to the new server. In the GPME, Computer Configuration->Policies->Administrative Templates->Windows Components->Windows Updates and all settings are “Not Configured”. Is there somewhere else I should look?
Thank you for the great article! It helped me to do my migration with great deal of success!
I’m now a couple of months past the migration to a new W16 server & as I’ve said before, Robert’s guide was so helpful. I now have my client’s OK to wipe the old server, which is still on the domain as an SBSComputer. But when I go to delete it I get a warning (wish I could show screenshot) that the OBJECT contains other objects and if I select “Use Delete Subtree server control” all objects in the subtrees, even delete-protected ones, will be deleted.
Not sure if deleting the old server, now just a member computer, and this subtree, is going to do any harm to the new server or migrated domain.
Also, in the Active Directory Users & Computers the whole “My Business” tree is still there – although all SBS computers & users & groups have been moved out, plus there are other entries such as Microsoft Exchange Security Groups which I’d also like to delete if there’s no harm to be done.
Advice, please! Thanks!!
Bill
Robert – I really was hoping for an answer to this question I posted last month as I need to wipe the old server & want to make sure I’ve completely removed SBS & have a now “clean” domain. Please respond.
Thanks, Bill,
If you go into ADSIEdit does it show what the other sub tree objects are?
They are mostly SBS labeled objects or relate to the now dead Exchange server (everyone’s on O365). I am just wary of the warning when I try to delete the old server and the My Business tree. Showing you a screenshot would be reassuring… Did you – or anyone else – never get these warnings after “retiring” SBS 2011 and demoting the SBS server – then going to delete it?
Thanks, Bill
If you want to delete the my business tree you need to make sure you have redirected the default containers for users and computers.
Yes all the users and computers are out of the My Business tree – and have been for some time. It was just the warnings when I went to delete the tree – and the demoted old SBS server – that concerned me. Thanks.
Just for clarification i am talking about this, https://support.microsoft.com/en-gb/help/324949/redirecting-the-users-and-computers-containers-in-active-directory-dom
Yes, the users & computers are in – and even with SBS I always moved them to CN=USERS and CN=COMPUTERS under the domain. So it would appear to me that I’m “safe” in removing the My Business tree, then?
That’s a good question from Bill. I have done a bunch of migrations with this article now, and cleaning up the groups that SBS puts into AD is something I have never tackled. Can the users and computers be moved out of the “My Business” groups successfully?
Thanks David – you can easily drag & drop the users & computers from the SBS “My Business” tree – used to do it even before any migration without any problems. My questions remain: what about the warnings when I want to delete the now-demoted SBS server & when I want to delete the “My Business” tree & Exchange groups entirely (email is on O365).
Awaiting word from Robert or someone with his level of expertise.
Bill
Did you uninstall Exchange on the SBS Server before trying to remove it? That’s the only part of the migration that is missing from this walk-through. In order to get the SBS Box completely out of AD, you must remove Exchange before demoting it.
Yes, Exchange was long gone before SBS server was demoted.
The first command for system state should be:
wbadmin start systemstatebackup -backupTarget:F:
what did i put?
Hi Robert,
I am running into an issue when attempting run the foll
Move-ADDirectoryServerOperationMasterRole -Identity $env:ComputerName -OperationMasterRole 0,1,2,3,4 -confirm:$false
I get the following;
Move-ADDirectoryServerOperationMasterRole : The server does not support the requested critical extension
At line:1 char:1
+ Move-ADDirectoryServerOperationMasterRole -Identity $env:ComputerName -Operation …
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo : NotSpecified: (Microsoft.Activ…DirectoryServer:ADDirectoryServer) [Move-ADDirector…a
tionMasterRole], ADException
+ FullyQualifiedErrorId : The server does not support the requested critical extension,Microsoft.ActiveDirectory.M
anagement.Commands.MoveADDirectoryServerOperationMasterRole
Any help would be most appriciated
Dan
Not seen the specific error before, suggests it is not able to transfer the roles to the host machine. Did you manage to get it to work after a period of time?
Hi Robert, It was me being an idiot. I was trying to run it on the SBS2011 box
Thanks for this migration guide, it is really appreciated!
Hello, Robert. I know I write this on Christmas & Wednesday it’s Boxing Day in Britain where I believe you are, but would hope for a reply later this week.
I’ve gratefully used your guide successfully several times and now am on my final SBS 2011 migration & of course am in a pickle. I performed all the preliminaries on SBS & even brought up a new DC to run beside it while I migrated Exchange to O365. But before I could start that they suddenly lost all connection to Exchange & I could not find a cause at first, so I reversed course on the new DC, removing everything including DNS & DHCP, and restoring those to the SBS box. Still no email, until I realized there had been a Windows Update the night before & when I uninstalled those from the SBS box & rebooted, all returned to normal and I was able to migrate to O365, etc.
So this week, while they are closed, I went to putting the new DC back in business, only it’s proving to be impossible despite trying 6 ways to Sunday. The main error message I get – either when running your PowerShell command to DCPromo, or straight from the Server Manager, is that “An Active Directory domain controller for the domain ‘xyz.local’ could not be contacted”
By not installing the DNS & DHCP first, I might get past that a bit, but the DCPromo never completes from your script or Server Manager, and there’s a warning about the FRS being depreciated and that I need to run the DFSRMIG command (not clear which options I need to select).
So I’m pretty much stuck & not sure which way to get out of it – having failed trying several different routes. BTW, the DNS on the SBS box shows Server2 as a nameserver & I cannot remove it, although I’ve manually removed all other DNS references to it, leaving Server1 (the SBS) alone in all roles.
Any guidance here would be VERY appreciated. Thanks.
Bill
You should start back at step 1, with cleaning up dns, doing system state backup, dfsrmig etc.
Thanks Robert, I’ll try it tonight (they’re working this week) or on the weekend. Hopefully all will go back to being without problems.
Bill
Robert – sorry to say I went back & re-did all from the start and wound up at the same place as before – the new server claims not to be able to see the AD DC (the SBS Box) no matter if I do it using the Powershell commands you supplied or straight from Server Mgr. I’d send you screenshots but don’t see how to attach to comments.
Message is the same: “An Active Directory domain controller for the domain “domain.local” could not be contacted.” The server I’m trying to promote is definitely on the domain as a member computer and from the AD tools I can see all members, users etc.
I’m stuck and know no way forward.
Thanks.
Bill
You can contact me via https://windowsserveressentials.com/support
GREAT !!!
Thanx a lot!
Looks like a great article and I will be migrating a domain from SBS 2011 to 2019 Std and hoping there’s not much that’s different! I wondered if you’d used the Storage Migration Service tools to move shares, security settings and data from the SBS 2011 server to the new one? If so did it work effectively?
I have not.
Robert, Following your Article currently to move to 2016. One question I have, I dont see a step to add the new 2016 server to the domain. Forgive my ignorance but when I promote the server to a domain controller is that when it will add the server to the Domain? Or is it a given that I would have added the new 2016 server to the domain at this point?
Yes thats correct.
Im not seeing DNS\DHCP covered in this?
steps for that?
Are in the article.
DNS is configured when you setup the server as a Domain Controller, there is a section on configuring DNS settings like scavenging. There is a section lower down on using a PowerShell script to migrate DHCP from the source SBS server.
right on!
I have 4 sbs2011 to on premise 2016\\Exchange 35+ users on each site.
I Have not committed to the migration vs rebuild from scratch with edb tools and profilewiz.
not going to be a fun spring.
They all have “.local” too so Im leaning towards rebuild.. thoughts?
only Certs needed are for Firewall\Exchange\IIS
What’s the issue with .local?
says the internet, best practice , blah blah.
ive never ran into an issue a quick dns pointer cant fix.
if i need 3rd party certs on on internal AD devices then maybe.
OK. Ta. I’ve looked into it and I guess we’re stuck with the legacy of what was originally an SBS 2003 domain created in 2004 with a .local TLD. I ain’t trying to change it now!
Hi, at what stage and how would you migrate the data and is there a special way to do this?
Thank you for this excellently written article.
You made a potentially very stressful operation a lot more manageable.
I can breathe easy knowing that the dreaded SBS2011 migration is out of the way.
When you dcpromo/demote SBS (and transfer the FSMO roles to the new DC), what happens to SBS? Does it start shutting down or can it exist as a member server indefinitely? All the MS docs say that “The Small Business Server must own all of the forest and domain FSMO roles.” but what happens when it doesn’t?
It would start shutting down.
Amazing Tutorial!
For some reason I restore the SBS to a date before remove the FSMO, so now when I send netdom query fsmo in each of the 2 servers I get that this server own the FSMO. How should I proceed? Can I reconnect the SBS to the network?
I dont know why you restored the server, so i dont know what you are trying to do.
Great article worked very well for me. really appreciated. Now that the SBS2011 is deleted and offline for a month should one raise the functional level to 2012R2 or leave it at 2008R2? I am thinking of adding a 2019 backup DC to the mix.
Cant think of a reason not to.
Just an observation whilst testing this process in a lab – I had to manually add the IP address of the (newly created) DNS server into the DHCP scope options of the SBS 2011 for the client PCs to obtain the “alternate DNS” setting in their dynamically assigned IP addresses. (NB:I have not yet moved DHCP across, and will leave this as is for a few weeks whilst I migrate shares/folder redirection/print server etc…).
I am surprised that this Scope option wasn’t added automatically during the addition of the secondary DNS server?
Anyway, thanks for a great article.
That sounds like normal behaviour.
Hi again. I just wanted to know your thoughts on the implications of migrating SBS 2011 to Server 2019, and the deprecation of WSEE, and thus the lack of the “Implement Group Policy” from the Dashboard. Which group policy objects should be removed after the decommission, and which are important to remain; specifically Folder Redirection, default domain policy, WSUS policies (I will eventually install a new WSUS on the 2019 server), SBS client policies with regards to firewall settings and specifically how these last two tie in with new WMI filters with regards to Windows 10 that won’t have been created under SBS 2011.
Many thanks, Doug.
Hi Robert, I have hit a problem migrating from SBS2011 to Server 2019.
certutil -backupDB c:\caBackup failsBacking up Database files: 0%CertUtil: -backupDB command FAILED: 0x800706ba (WIN
32: 1722)
CertUtil: The RPC server is unavailable.
nltest.exe also fails
Status = 1355 0x54b ERROR_NO_SUCH_DOMAIN
I have tried every solution I can find but none of will work
Can I ignore this and move on? or do I need the CA database?
.
Well, I don’t know if you need your CA or not. I don’t know if you are using it. If it is running but won’t back up that could indicate a larger issue that may cause problems later on. I’d want to know why it wasn’t backing up and why nltest failed before proceeding.
Hi Robert, sorry for the late reply.
I eventually found that the CA database was corrupt. (Dirty Shutdown) I managed to repair it then deleted all the logs and then the Active Directory Certificate Service would start service.
Took me 2 days to get it working!!
Thanks for the help.
Your procedure has been a great help. I will use it again soon.
Sorry for the late reply,
I eventually realise the CA Database was corrupt (Dirty Shutdown). I managed to repair it but then had to delete all the logs to get the Active Directory Certificate Service to run.
once that was running I managed to continue.
I took me 2 days of Googleing and trying hundreds of solutions till I got it to work
Thanks for your help
Hi Robert,
I am having difficulties with an SBS migration with replication
Indicates Error: 8418 The replication operation failed because of a schema mismatch between the servers involved.
Have you reviewed this? https://support.microsoft.com/en-gb/help/2734946/troubleshooting-ad-replication-error-8418-the-replication-operation-fa
I’ve been using these instructions a lot lately with the upcoming end-of-support for Server 2008 R2 and Exchange 2010, moving to Server 2019. In addition the the instructions, I’ve found that I must enable the SMB1 feature on the Server 2019, and also disable IPv6. Aside from those two quirks, everything else has worked for me. Thanks Robert for posting this!
Very handy article, I’ve run the powershell script on a 2019 server to promote our Server16 to be a domain controller part of your article. the system has updated the adprep to domain wide, given me the yellow info underneath. like your articles shows. but has been stuck on that for over 12 hours and doesn’t show the last part, confirming that the job was successful or not.
I’m unsure if to close powershell and reboot or re-run the scripts.
What does the event log say
Nice article, whats your thoughts on actually removing the exchange server before decommissioingn the SBS box? Is it a necessary step?
Hi Robert
Great guide!
I’m at the edit CA.reg stage and you say find and replace is not the way to do it but if done manually am i to replace all sbs2011 server names found in the reg file with my new server name?
Greetings,
Awesome tutorial!
I am a newbie with regards to server migration and I wanted to ask if this procedure can be used in migrating Windows Server 2008 R2 over to Windows Server 2019.
Thank you.
Yes it should still work.
Very good tutorial. Other than an issue with a DNS server setting on the new server, the replication is working except for “Folder redirection” (RedirectedFolders share). We use this for all users as if a computer goes down they should be able to go to a new computer and have their files and desktop.
Is there something specific I need to do to get this to work? Or is there a Microsoft document I should be looking at?
Migration —> SBS 2011 to Server 2016 Standard.
Could be folder permissions or GPO setting.
hi Rob
Trying this on server 2019 Essentials
When trying to make it AD Controller
i used the creditals idwe\administrator
Install-ADDSDomainController -NoGlobalCatalog:$false -CreateDnsDelegation:$false -CriticalReplicationOnly:$false -DatabasePath “C:\Windows\NTDS” -DomainName $currentDomain -InstallDns:$true -LogPath “C:\Windows\NTDS” -NoRebootOnCompletion:$true -SysvolPath “C:\Windows\SYSVOL” -credential $cred -Force:$true -Confirm:$false -SafeModeAdministratorPassword (ConvertTo-SecureString ‘ntADRSM0deP@ssword!!’ -AsPlainText -Force)
Install-ADDSDomainController : Verification of user credential permissions failed. The wizard cannot access the list of domains in the forest. The error is:
This user can’t sign in because this account is currently disabled.
At line:1 char:1
+ Install-ADDSDomainController -NoGlobalCatalog:$false -CreateDnsDelega …
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo : NotSpecified: (:) [Install-ADDSDomainController], TestFailedException
Looks like built in administrator account is disabled, use a different administrator account.
Hi there,
I used your guide to mIgrate 2 SBS 2011 servers to 2016 Std. and it seemed to work quite well. I did stumble onto one Problem:
On both machines the part with the backup and restore of the certificate authotity failed in my installations.
Backing up everything isn’t the Problem, even installing the CA and restoring it does work but:
The CA seems broken and i can’t issue any new certificates because the certificate isn’t trusted and expired.
This happened on both machines …
Tried this on a restore of the SBS and that time everything is working….
The CA Root cer is not trusted?
Thanks for this excellent guide – Covid has me finally making this migration (to 2019). ..
“Of course, with our expert preparation, the install will succeed and you will be prompted to reboot your server.”
This step is taking several hours and just stuck after those last yellow messages (about the delegation). cursor is blinking, but haven’t gotten the “You must restart” message yet.
I can certainly leave it overnight, but just wondering if there’s a way to see if it’s just stuck or actually doing something. Using netstat, I do see that Powershell still has ports open to the old SBS machine….
Any tips?
Thanks!
Check the event logs on both servers.
I ended up rebooting. and everything worked OK.
Thanks again for your write-up here. It helped me move a home lab situation from SBS 2011 to Server 2019.
Robert
I have an sbs 2011 Server that must be migrated soon. On the the SBS 2011 server they are still using Exchange 2010
I followed your steps up to install server 2016
there was an error in dcdiag Failed test NCSecDesc. I will never use Rodc. do I need to go back and run ADrep or can I safely move on
I have a new rack server i have built using windows 2019 STD and joined to the domain. I have created two virtual machines on this server running windows 2019 std that I have also joined to the domain
The physical server running windows 2019 is a member server and the only program it is running is Backup Exec 20. It backs up all other servers nightly. It has has two virtual machines on it running windows 2019 STD. the first virtaul machine is a new SQL server and not a domain controller. It is currently up and working with SQL 2016. the second virtual machine has been created with 2019 STD and is joined to the domain. I also have installed microsoft edge on this server and it seems to be working fine No other software has been added I want it to become the new domain controller but I have not promoted it yet. I have concocerns about how to move forward and some questions
Do you forsee any problems with Microsoft Edge on the server
The existing domain is a .local domain. Is that a problem? It has a digicert license and we got around that with Digicert
Can I promote this server to a domain controller now or Must Exchange be migrated to a new exchange server or the cloud first.
If i promote this server is the 21 day SBS demotion window a concern in all this. if so at what point is it a concern