Category Archives: SBS

Removing SBS 2008 – Step 3: remove from domain / DCPROMO

 

The final step in removing your SBS server is to demote it as a domain controller using the DCPROMO tool.

DCPROMO does a number of things to remove the server’s ability to operate as an Active Directory server; however, the main domain-level ‘operation’ (sorry, pun!) you will see from other servers on the network is the move of the ‘Flexible Single Master Operation’ (FSMO) roles, now just called ‘Operations Masters’ roles, to another AD server.

You can control the transfer of the essential FSMO roles to a preferred AD server (if you have multiple) using a script, e.g. to transfer our roles to our UK/GB Infrastructure server GBINF01 the script is:

ntdsutil

roles

conn

connect to server gbinf01

q

Transfer infrastructure master

Transfer naming master

Transfer PDC

Transfer RID master

Transfer schema master

q

q

And checked with:

netdom /query fsmo

Schema master GBINF01.thefullcircle.local

Domain naming master GBINF01.thefullcircle.local

PDC GBINF01.thefullcircle.local

RID pool manager GBINF01.thefullcircle.local

Infrastructure master GBINF01.thefullcircle.local

The command completed successfully.

Of course, if you just have one other AD server (not recommended as best practice but totally feasible and supported by Microsoft) you don’t need to manually control who gets the roles, and DCPROMO will just transfer the roles to the other server.

If you do have multiple servers (with multiple AD sites) then the next available local site server will get the roles.
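The transfer-and-check procedure above, as an added PowerShell example (not from the original post). It assumes the ActiveDirectory module is available on the admin host and that GBINF01 answers Active Directory Web Services queries; Get-FsmoHolders and Get-RolesHeldBy are hypothetical helper names.

```powershell
# Added example, not from the original post.
# Assumes: ActiveDirectory module (RSAT / Server 2008 R2 or later) and a target DC
# that answers AD Web Services queries. Helper function names are hypothetical.
Import-Module ActiveDirectory

$retiring = 'SBSSRV01'   # SBS server about to be demoted
$target   = 'GBINF01'    # preferred new role holder

function Get-FsmoHolders([string]$Server) {
    $forest = Get-ADForest -Server $Server
    $domain = Get-ADDomain -Server $Server
    # Property names deliberately match the ADOperationMasterRole enum values
    New-Object PSObject -Property @{
        SchemaMaster         = $forest.SchemaMaster
        DomainNamingMaster   = $forest.DomainNamingMaster
        PDCEmulator          = $domain.PDCEmulator
        RIDMaster            = $domain.RIDMaster
        InfrastructureMaster = $domain.InfrastructureMaster
    }
}

function Get-RolesHeldBy([string]$Holder, [string]$Server) {
    # Return the names of the roles whose holder FQDN starts with "<Holder>."
    (Get-FsmoHolders -Server $Server).PSObject.Properties |
        Where-Object { $_.Value -like "$Holder.*" } |
        ForEach-Object { $_.Name }
}

# Ask the target DC which roles the retiring server still holds
$toMove = @(Get-RolesHeldBy -Holder $retiring -Server $target)
if ($toMove.Count -gt 0) {
    Write-Output "Transferring to ${target}: $($toMove -join ', ')"
    # Prompts for confirmation per role; this is a graceful transfer, not a seize
    Move-ADDirectoryServerOperationMasterRole -Identity $target -OperationMasterRole $toMove
}

# Re-read from the target and refuse to continue if anything is left behind
$left = @(Get-RolesHeldBy -Holder $retiring -Server $target)
if ($left.Count -gt 0) {
    throw "Do not demote yet: $retiring still holds $($left -join ', ')"
}
Write-Output "FSMO check passed: no roles remain on $retiring."
```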


Move those roles!


Summary review


Remove Active Directory Domain Services from this computer.

When the process is complete, this server will be a member of the domain thefullcircle.local

Remove DNS Delegation: Yes


Good bye domain services!


Checking the FSMO roles to confirm transfer:

C:\>netdom query fsmo

Schema master GBINF01.thefullcircle.local

Domain naming master GBINF01.thefullcircle.local

PDC GBINF01.thefullcircle.local

RID pool manager GBINF01.thefullcircle.local

Infrastructure master GBINF01.thefullcircle.local

The command completed successfully.

You can log back onto your SBS server with either the local creds provided earlier, or with a domain account – it is still a domain member server.

Note this machine may no longer be licensed (certainly if an upgrade e.g. to SBS2011).

If the server was an OEM install you can leave what remains (demoted mostly broken SBS server) on the same hardware for whatever use you feel (within license limits – e.g. this is not a 2nd Exchange server!), but the chances are this is now an old and out of warranty bit of kit that is no longer production worthy anyway – reuse, renew, recycle responsibly (see http://blog.thefullcircle.com/2011/05/06/sort-it-out-and-learn-the-3rsreduce-reuse-recycle/).

Removing SBS 2008 – Step 2: ADCS

 

Active Directory Certificate Services removal..

Check the FSMO roles are on your SBS server..


(you don’t actually need the forward slash "/" after the netdom command anymore but that’s a personal hangup from the old LANMAN days.. 😉)

As for any server role just remove the role from within Server Manager


(Note the red crosses – this is from a pretty sick SBS 2008 install that had been replaced by Server 2008 R2, SCE (WSUS), and various other Windows network services over a year prior)

Once you’ve started the role removal (after confirming an informational/reading) – head out for a walk / mow the grass / build a model aeroplane.. Basically – leave it some time as you could be watching the screen below longer than paint drying


Later in the process you should see ‘Verifying removal’ and then ‘Collecting removal results…’ – ours took almost an hour between the major application events:

Information        29/08/2011 08:57:51        CertificationAuthority        38        None

Log Name: Application

Source: Microsoft-Windows-CertificationAuthority

Date: 29/08/2011 08:57:51

Event ID: 38

Task Category: None

Level: Information

Keywords: Classic

User: SYSTEM

Computer: SBSSRV01.thefullcircle.local

Description:

Active Directory Certificate Services for thefullcircle-SBSSRV01-CA was stopped.

And

Warning        29/08/2011 09:43:15        ServerManager        1619        None

Log Name: Setup

Source: Microsoft-Windows-ServerManager

Date: 29/08/2011 09:43:15

Event ID: 1619

Task Category: None

Level: Warning

Keywords:

User: THEFULLCIRCLE\Administrator

Computer: SBSSRV01.thefullcircle.local

Description:

Removal succeeded. A restart is required.

Roles:

Active Directory Certificate Services

Warning: You must restart this server to finish the removal process.

When complete (if successful) you should get:


And once ‘closed’ the only option is to restart..

You do need to log back in again (recommend same account as started this process) for the server to finalise the removal of ADCS and report ‘Resuming Configuration’ per:


Also event

Information        29/08/2011 10:10:47        ServerManager        1618        None

Log Name: Setup

Source: Microsoft-Windows-ServerManager

Date: 29/08/2011 10:10:47

Event ID: 1618

Task Category: None

Level: Information

Keywords:

User: THEFULLCIRCLE\Administrator

Computer: SBSSRV01.thefullcircle.local

Description:

Removal succeeded.

Roles:

Active Directory Certificate Services

The following role services were removed:

Certification Authority

And then next to DCPROMO out of the domain!

Removing SBS 2008 – Step 1: Exchange 2007

recent migrations as part of SBS 2011 EAP, etc….

 


Screen clipping taken: 28/08/2011 23:26

Summary: 4 item(s). 0 succeeded, 1 failed.

Elapsed time: 00:01:16

Mailbox Role

Failed

Error:

Object is read only because it was created by a future version of Exchange: 0.10 (14.0.100.0). Current supported version is 0.1 (8.0.535.0).

Elapsed Time: 00:01:16

Client Access Role

Cancelled

Hub Transport Role

Cancelled

Remove Exchange Files

Cancelled

http://forums.msexchange.org/m_1800521706/mpage_1/key_/tm.htm

[PS] C:\Windows\system32>Remove-PublicFolderDatabase -Identity "SBSSRV01\Second Storage Group\Public Folder Database"

Confirm
Are you sure you want to perform this action?
Removing Public Folder Database "SBSSRV01\Second Storage Group\Public Folder Database".
[Y] Yes [A] Yes to All [N] No [L] No to All [S] Suspend [?] Help
(default is "Y"):A

Confirm
You are attempting to remove the last public folder database in the organization. If you remove this database, all of its contents will be lost and only users running Outlook 2007 or later will be able to connect to your Exchange organization. Are you sure that you want to delete the last public folder database?
[Y] Yes [A] Yes to All [N] No [L] No to All [S] Suspend [?] Help
(default is "Y"):A

Remove-PublicFolderDatabase : Object is read only because it was created by a future version of Exchange: 0.10 (14.0.100.0). Current supported version is 0.1 (8.0.535.0).
At line:1 char:28
+ Remove-PublicFolderDatabase <<<< -Identity "SBSSRV01\Second Storage Group\Public Folder Database"
+ CategoryInfo : NotSpecified: (0:Int32) [Remove-PublicFolderDatabase], InvalidADObjectOperationException
+ FullyQualifiedErrorId : E2ABE251,Microsoft.Exchange.Management.SystemConfigurationTasks.RemovePublicFolderDatabase

Summary: 2 item(s). 0 succeeded, 1 failed.

Elapsed time: 00:00:39

Mailbox Role

Failed

Error:

The public folder database "SBSSRV01\Second Storage Group\Public Folder Database" contains folder replicas. Before deleting the public folder database, remove the folders or move the replicas to another public folder database. For detailed instructions about how to remove a public folder database, see http://go.microsoft.com/fwlink/?linkid=81409.

Elapsed Time: 00:00:39

Remove Exchange Files

Cancelled

http://technet.microsoft.com/en-gb/library/aa998192(EXCHG.80).aspx

http://technet.microsoft.com/en-gb/library/aa997893(EXCHG.80).aspx

http://technet.microsoft.com/en-us/library/bb331970(EXCHG.80).aspx

http://technet.microsoft.com/en-us/library/bb201664(EXCHG.140).aspx


Training – Implementing and Administering Windows Small Business Server 2008

This week is another out of the office on Microsoft partner training – 4 days of SBS 2008…

Course code: 44CO120 – M6445 – Implementing and Administering Windows Small Business Server 2008

Where: QA Tabernacle Street, London, EC2A 4DT

Who: Mark Cresswell (mark.cresswell@qa.com)

44CO120 – M6445 – Implementing and Administering Windows Small Business Server 2008

Summary:
This four-day instructor-led course provides students with the knowledge and skills to plan, implement, and manage Windows Small Business Server 2008.
This course is intended for technology consultants, system integrators, and in-house technology staff that serve small and medium-sized businesses.

Prerequisites:
In addition to their professional experience, students who attend this training should have technical knowledge and skills equivalent to the following courses:
  Course 6420: Fundamentals of a Windows Server 2008 Network and Applications Infrastructure
  Course 6424: Fundamentals of Windows Server 2008 Active Directory
  Course 5115: Installing and Configuring the Windows Vista Operating System
  Course 5116: Configuring Windows Vista Mobile Computing and Applications

Objectives:
Delegates will learn how to:
  Install Microsoft Windows Small Business Server 2008.
  Migrate to Microsoft Windows Small Business Server 2008.
  Configure Windows Small Business Server 2008 using the Windows Small Business Server 2008 Console.
  Manage users and groups in Windows Small Business Server 2008.
  Manage messaging and collaboration in Windows Small Business Server 2008.
  Manage and monitor Windows Small Business Server 2008.
  Secure a Windows Small Business Server 2008 network.
  Expand a Windows Small Business Server 2008 network.

Top tips & links picked up during the course…

Microsoft SBS docs – http://tinyurl.com/sbs-docs

Known Post Installation Event Errors from SBS 2008 – http://support.microsoft.com/default.aspx/kb/957713

Microsoft blog guide to WSS3/MOSS alternate access mappings – http://tinyurl.com/wss-aam

more tiny urls..  /sbs-rsg,  /sbs-docs, /sbs-grp

Microsoft OEM site – http://oem.microsoft.com

Top 100 public SharePoint sites – http://www.wssdemo.com/Pages/topwebsites.aspx

Free Block List provider – http://www.spamhaus.org/zen
This is gold!  add zen.spamhaus.org to your Block List Providers and switch on connection filtering.
One caveat to note, every time an email is processed by your server it performs a lookup to zen.spamhaus.org – if they receive too many lookups they will suggest that you take up their paid service. The threshold for this is huge (100,000 SMTP connections per day or 300,000 lookups), and you must not be using it commercially i.e. providing a managed service incorporating their service.
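One way to apply the tip above from the Exchange Management Shell, as an added example (not from the original post). The provider name and rejection text are made up, and the list of listing return codes is an assumption to check against Spamhaus's current documentation; matching on explicit codes keeps Spamhaus error replies in the 127.255.255.x range (returned, for example, when the query limit is exceeded) from being treated as listings, which AnyMatch would do.

```powershell
# Added example, not from the original post. Run in the Exchange Management Shell.
# Assumption: the codes below are the ZEN listing responses (SBL, CSS, XBL, PBL);
# verify them against Spamhaus's published return-code list before use.
$listingCodes = '127.0.0.2', '127.0.0.3', '127.0.0.4', '127.0.0.5',
                '127.0.0.6', '127.0.0.7', '127.0.0.9', '127.0.0.10', '127.0.0.11'

# Weak form (for comparison, left commented out): any answer at all counts as
# "listed", including error responses from the block list zone.
#   Add-IPBlockListProvider -Name 'Spamhaus ZEN' -LookupDomain 'zen.spamhaus.org' -AnyMatch $true

# Stricter form: only the explicit listing codes cause a rejection.
Add-IPBlockListProvider -Name 'Spamhaus ZEN' `
    -LookupDomain 'zen.spamhaus.org' `
    -AnyMatch $false `
    -IPAddressesMatch $listingCodes `
    -RejectionResponse 'Connecting IP is listed by Spamhaus ZEN' `
    -Enabled $true

# Switch on block-list-provider filtering for mail from external senders
Set-IPBlockListProvidersConfig -Enabled $true -ExternalMailEnabled $true

# 127.0.0.2 is the conventional DNSBL test address and should report a match;
# a reply outside $listingCodes should not.
Test-IPBlockListProvider -Identity 'Spamhaus ZEN' -IPAddress 127.0.0.2
```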

Why disable or rename the Administrator account… because it has a well-known SID! (… -500).

Use child domains for all external domain records, just like the default remote.yourdomain.com, to get round duplicate maintenance of internal and external resources (and prevent confusion when VPN’d in!)

SBS default groups have an attribute that mark them as created by the SBS setup process or management console.. so be mindful if creating outside of the console!
Fool it by opening AD Users & Computers, open the attribute editor for the group and edit the msSBSCreatedState to ‘Created’

Roaming profiles – SBS has not been designed to support roaming profiles and Microsoft will not support issues with them (in this context), e.g. production of a SBS specific hotfix to address an issue.
Advised not to use roaming profiles bar controlled environments such as standard build, lack of local admins, quotas, group policy lockdown, etc.

Client migration – above half a dozen client machines consider using the User State Migration Toolkit (USMT) to script the process, ROI should be worthwhile in configuration time vs time saved at the desktop.

Segway! – the BBC iPlayer program is a P2P service that shares out content, based on Ch4 4oD package – remove it!

Need to inject drivers into WinRE or WinPE boot environments..? Don’t be scared! Use drvload and PEImage, more on TechNet Edge – http://edge.technet.com/Media/WinRE-and-free-stuff-with-Sean-Kearney/

SSL certs for SBS – don’t buy single certs unless you have to. Host headers and SSL is tricky, has to be a UCC cert or wildcard cert to support.
Default cert purchase from now on will be a wildcard cert, unless a bloody good reason (or lots of small ones… read $’s) not to!

Security cost triangle – you can have any two but not all 3!
low cost, usability, security

Reliability and Performance monitor – what a gem!

migration to SBS2008..

My recommendation is to start with Philip Elder’s great posts at http://blog.mpecsinc.ca/
SBS 2008 deployment checklist – http://blog.mpecsinc.ca/2009/05/sbs-2008-setup-checklist-v111.html
SBS2003 to 2008 migration guide – http://blog.mpecsinc.ca/2009/06/sbs-2003-to-sbs-2008-migration-guide.html

Exchange & Circular Logging…
A potential for lots of debate, but I’d agree with Mark that whilst migrating mailboxes, if circular logging is not enabled, enable it, otherwise you run the risk of filling up disks with log files!

Disable circular logging post event and let the Exchange aware backups submit the log clear down.  However, if the store data and logs are on the same spindle you may as well leave circular logging on as you get little or no recovery benefits.

How to remove the last legacy Exchange server from an organisation – http://technet.microsoft.com/en-us/library/bb288905.aspx (http://tinyurl.com/sbs-exmig)

Common mistakes when upgrading Exchange 2000/2003 to 2007 – http://support.microsoft.com/kb/555854/en-us

ipconfig /displaydns

Microsoft Desktop Optimization Pack
http://technet.microsoft.com/en-gb/windows/bb899442.aspx
Advanced Group Policy Management – http://technet.microsoft.com/en-us/library/cc749396(WS.10).aspx
Asset Inventory Service – http://www.microsoft.com/windows/enterprise/products/mdop/ais.aspx
Microsoft Diagnostics and Recovery Toolset (DaRT)
System Center Desktop Error Monitoring (DEM)
Microsoft Asset Inventory Service (AIS)