Windows SBS 2011 Migration to Windows Server 2012 R2

I am in the process of planning a Windows SBS 2011 migration to Windows Server 2012 R2 and I had a few questions regarding this.

Exchange 2010 is functional on the SBS server but it is not used.  I have another server that has Exchange 2013 on it, handling all mail.  I found the article below about uninstalling Exchange but it pertains to SBS 2008.  I also didn't know if this would mess with AD at all in causing problems with our Exchange 2013?

We also have SharePoint installed but we do not use it.  I'm guessing I still need to go into add/remove programs and uninstall it to gracefully remove traces of it in AD?

I found this article to move DHCP.

I found this article to move WSUS.

I found this article to transfer FISMO Roles.;EN-US;255504

Do I also need to worry about uninstalling Forefront Client Security before removing the server from the network?

I am going to be using folder redirection again and I was wondering if it's better to reuse the existing Small Business Server Folder Redirection policy or should I just create a new one?  Also, what is the best way to migrate the data to the new server?  Just let the policy handle it?

When it comes time to make the switch over is it okay to un-link/delete the following policies:

Windows SBS CSE Policy
Windows SBS User Policy
Windows SBS Client - Windows 7 and Windows Vista Policy
Windows SBS Client - Windows 8 Policy
Windows SBS Client - Windows XP Policy
Windows SBS Client Policy

I have created but not linked GPOs to enforce what some of the computer and user policies would do that I would be removing.  Is it also safe to un-link/delete these WMI Filter Policies:

Windows SBS Client
Windows SBS Client - Windows 7 and Windows Vista
Windows SBS Client - Windows 8
Windows SBS Client - Windows XP

When I look at the Windows SBS User Policy under the Scope then Security Filtering it has a dynamic list of all the users.  How can I get that to auto populate on my own Windows User Policy that I will be creating?

The one other thing I was questioning was how to move Certification Authority?  Is there going to also be an issue with the certificates staying valid after the move?

Are there any other things that I should be taking into consideration when making this migration?

Who is Participating?
Philip ElderTechnical Architect - HA/Compute/StorageCommented:
We run a lot of migrations from SBS 2008/2011 Standard to our new SBS setup on 2012 R2.

Once Exchange 2013 is in place, all the mailboxes are moved (not relevant here), and public folders are moved Exchange 2010 can be safely removed from SBS. Where is ForeFront installed? If on SBS then yes it needs to be removed.

Folder Redirection: Be careful with this one. Make sure your destination redirection folder ACLs/Share are set up correctly first. (TechNet Article)

Once the destination is set up you can either reuse the existing SBS GPO or create and link a new one on the same OU. Point Desktop and My Documents to the new location (\\ServerName\\FolderShare\%UserName%) and let Folder Redirection take care of moving the contents on its own. So long as the ACLs and Share permissions haven't been mucked with on the source things should move across okay. NOTE: Users will experience a _huge_ logon lag if everyone logs on at the same time and all of their profiles are being transferred together!

We use BeyondCompare to copy data between old and new because it maintains ACLs and it is mult-threaded (we can saturate a 1Gb connection easily).

Use Group Policy Preferences to deploy mapped drive letters. Scripts are no longer required. You can use GPPrefs to deploy printers but we prefer Print Management and a GPO linked to the PC's OU to deploy via Machine Policy (easier).

Existing SBS policies: Safe to Delete once your FSMO roles and SYSVOL and NETLOGON shares are active on the new DC.
Existing WMI Filters: We use WMI filters linked to domain level GPOs to set up update settings on desktops and servers including DCs. Servers/DCs download and prompt while Desktops are Auto Install at 0300.

Windows SBS User Policy: Create and link your own GPO to the OU. Set your settings in place. ENFORCE the GPO. Once you are confident your GPO is good to go then UNLINK this one. Don't delete. Verify settings in the SBS GPO just in case there is something someone added.

You will remove the CA Role on SBS when it comes time to DCPromo SBS out of the domain. It should be blank as it was only used to create and issue self-issued certificates (an SBSism). There should _not_ be anything else done in the CA. If there is, then verify what/where/when the certificates were issued and compensate accordingly before removing the CA Role.

Anything Else to Consider?
 + System State backup before introducing a new DC into the domain
 + System State the new DC once introduced and FSMO Roles are moved (CMD test: netdom /query fsmo [Enter])
 + Your new DC needs to be time authority (w32tm ... /reliable:yes)
 + Your servers should have backups done before and after each step. It's good to have a recovery point.
Simon Butler (Sembee)ConsultantCommented:
If you have Forefront for Exchange installed, then you need to remove that before you touch Exchange 2010.
Then simply follow the guides for removing Exchange 2010 when migrating to Exchange 2013.
The fact that it is an SBS server makes no difference, so don't look for anything SBS specific.
The uninstaller will stop if there is something still being used. That will usually be something like public folders, or a send connector. You want to empty the Exchange 2010 server, so that means removing the public folders, arbitration mailboxes etc.

The filters in SBS group policy I find are often unnecessary, so you can probably get away without them. Otherwise I usually recreate all of the SBS group policy objects myself, and drop the SBS ones.

With regards to the CA, are you using internal certificates? Most sites do not.

The only other thing I can say is forget it is SBS. It makes no difference. Do not go looking for SBS specific articles because they simply do not exist.

ollybubaAuthor Commented:
In CA I have two self-signed certificates one for both of my domain controllers.  Both expire in May.  The certificates say that they are for:

-Proves your identity to a remote computer
-Ensures the identity of a remote computer

I also have a self-signed certificate for my Exchange 2013 server but it looks like the certificate is on the Exchange server.

If I used BeyondCompare to copy the data so I didn't have to wait when the users first log in, would I do anything different with the redirection GPO?

We also use Microsoft Forefront Client Security.
Philip ElderTechnical Architect - HA/Compute/StorageCommented:
You cannot copy data from/to for redirected content. Permissions are customized via the OS. The system needs to move the data on its own.

Or, you copy the data, recreate the permissions, and turn off restrictive name checking. Then share the root folder with the same folder share name as source. Then update source DNS A record to point to the new server. The data should move out of the Source folders into the Destination folders.

That's okay for the CA. You should be GTG.
ollybubaAuthor Commented:
As far as the certificates for the domain controllers, will those certificates automatically recreate on my new CA server?
Question has a verified solution.

Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.

Have a better answer? Share it in a comment.

All Courses

From novice to tech pro — start learning today.