I'm in the process of an SBS4.5 to SBS2K migration, and stumbled upon a few
issues that I can't seem to find an answer to in any FAQ, article or white
paper.

Here's my current setup:

PDC:
SBS4.5 - dual homed, running SQL7, Exchange 5.5, IIS4, VPN (SMTP and PPTP
ports open), OfficeScan SBS

Member servers:
NT4 Server
Win2k Server - dual homed, IIS5 (FTP, HTTP and SSL ports open)
Win2k Server - SQL2K

The dual homed NICs on the PCs are on the DMZ side behind firewall, and SBS
is not using MS Proxy Server.

What I am trying to accomplish is this:

a) Install SBS2K on a new PC with SQL2K, Exchange2K, IIS5, VPN, TM C/S/M
Suite (same name as old server, same network addressing scheme -
10.0.0.0/24). This would be a temporary SBS PC.
b) Replace the old SBS PC with 1 above to keep users happy and working.
c) Upgrade old SBS PC hardware (mainly HD upgrades)
d) Reinstall SBS2K on upgraded PC with same services and reimport data

Basically I have to do the migration twice, once to a new PC, have it run
for a few days while I get the old server upgraded, then reinstall SBS2K on
the upgraded PC (this is the one that has RAID, the other PC doesn't). We
want to be able to switch back to the old SBS4.5 PC if there is anything
wrong with the SBS2K PC.

I don't plan on using ISA, since I will be using the firewall as the
gateway. Is there any advantage to installing ISA just to protect the SBS
PC?

Now some of the questions I hope to get answered are:

1a) Is there a way to keep the SMI (Single Message Instance) of Exchange if
I am doing a new installation? I've heard rumors of being able to do some
inplace upgrade by moving databases from 5.5 to 2000, and using the same PC
name, users, etc. Am I dreaming here? I think I'm pretty much stuck with
using ExMerge. The reason here is that I know that SBS limits you to an IS
of 16GB, which may be exceeded if I move individual mailboxes.

1b) Does an inplace upgrade of SBS4.5 to SBS2K maintain the SMI of Exchange?
If so, I can consider doing an inplace upgrade, then backing up the Exchange
data to migrate to the new "temp" SBS2K PC (and then doing that again when I
need to move the data back into the "real" server). Would this work?

1c) How about a site to site transfer from Exchange 5.5 to Exchange2K while
both servers are up? Granted currently both use the same PC name, IP and
domain name.. is there a way to do this with SBS and use the Exchange Tasks
to do that?

At the very worst, I can get around this by doing ExMerge twice.. Once when
I go from Exchange 5.5 to 2K on to the "temp" PC, then once again going back
to the "real" server. What would people recommend here?

2) Okay, done worrying about Exchange. When I'm ready to get the "real"
server back online, and about to take the "temp" SBS PC off, how do I
migrate the AD users and groups, permissions to the "real" SBS PC? Both PCs
will still be named the same, as well as on the same IP and domain. Don't I
need to use ADMT to do something like this? How do I pull this off? (Going
to be reorganizing users into different groups than they currently are
assigned when installing SBS2K the first time. I don't want to go thru this
again when doing the 2nd migration, and I'm not sure how that'll impact the
workstations..)

Sorry for the mega post.. but I've tried to outline it as best I can to get
some answers. ;p

Regards.

Re: Migration (SBS4.5 -> SBS2K) headaches - Recommendations? by Steve

Steve
Wed Aug 20 06:50:11 CDT 2003

bgenthusiast wrote:

> SBS4.5 - dual homed, running SQL7, Exchange 5.5, IIS4, VPN (SMTP and
> PPTP ports open), OfficeScan SBS
>
> Member servers:
> NT4 Server
> Win2k Server - dual homed, IIS5 (FTP, HTTP and SSL ports open)
> Win2k Server - SQL2K
>
> The dual homed NICs on the PCs are on the DMZ side behind firewall,
> and SBS is not using MS Proxy Server.

Where's the DMZ? Is this a 3-port firewall?

Why do you have multi-homed servers? Sounds like a big hole in the DMZ
concept to me.

>
> What I am trying to accomplish is this:
>
> a) Install SBS2K on a new PC with SQL2K, Exchange2K, IIS5, VPN, TM
> C/S/M Suite (same name as old server, same network addressing scheme -
> 10.0.0.0/24). This would be a temporary SBS PC.
> b) Replace the old SBS PC with 1 above to keep users happy and
> working.
> c) Upgrade old SBS PC hardware (mainly HD upgrades)
> d) Reinstall SBS2K on upgraded PC with same services and reimport data
>
> Basically I have to do the migration twice, once to a new PC, have it
> run for a few days while I get the old server upgraded, then
> reinstall SBS2K on the upgraded PC (this is the one that has RAID,
> the other PC doesn't). We want to be able to switch back to the old
> SBS4.5 PC if there is anything wrong with the SBS2K PC.

Once you begin upgrading the existing SBS4.5 hardware, there'll
probably be no going back...

>
> I don't plan on using ISA, since I will be using the firewall as the
> gateway. Is there any advantage to installing ISA just to protect the
> SBS PC?
>
> Now some of the questions I hope to get answered are:
>
> 1a) Is there a way to keep the SMI (Single Message Instance) of
> Exchange if I am doing a new installation? I've heard rumors of being
> able to do some inplace upgrade by moving databases from 5.5 to 2000,
> and using the same PC name, users, etc. Am I dreaming here? I think
> I'm pretty much stuck with using ExMerge. The reason here is that I
> know that SBS limits you to an IS of 16GB, which may be exceeded if I
> move individual mailboxes.

Yes, you forklift the exchange databases. Basically, you install Ex5.5
SP3/4 (to match SBS4.5) on the SBS2K using the exact same server name,
org name and site name, shut it down, replace the priv and pub
databases with the SBS4.5 ones, and run ISINTEG -patch. Do not copy the
DIR.edb.

Once you've tested it out, you can do an in-place upgrade to Exchange
2000.

>
> 1b) Does an inplace upgrade of SBS4.5 to SBS2K maintain the SMI of
> Exchange? If so, I can consider doing an inplace upgrade, then
> backing up the Exchange data to migrate to the new "temp" SBS2K PC
> (and then doing that again when I need to move the data back into the
> "real" server). Would this work?

Yes, it should.

>
> 1c) How about a site to site transfer from Exchange 5.5 to Exchange2K
> while both servers are up? Granted currently both use the same PC
> name, IP and domain name.. is there a way to do this with SBS and use
> the Exchange Tasks to do that?

Not an option, since both servers cannot be up simultaneously, and even
if they were, they wouldn't talk to one another.

>
> At the very worst, I can get around this by doing ExMerge twice..
> Once when I go from Exchange 5.5 to 2K on to the "temp" PC, then once
> again going back to the "real" server. What would people recommend
> here?

I use the forklift method. I also migrate the domain, so no recreating
of user accounts or SID changes (which is positively evil if you have
member servers and NT/Win2K/XP workstations).

>
> 2) Okay, done worrying about Exchange. When I'm ready to get the
> "real" server back online, and about to take the "temp" SBS PC off,
> how do I migrate the AD users and groups, permissions to the "real"
> SBS PC? Both PCs will still be named the same, as well as on the same
> IP and domain. Don't I need to use ADMT to do something like this?
> How do I pull this off? (Going to be reorganizing users into
> different groups than they currently are assigned when installing
> SBS2K the first time. I don't want to go thru this again when doing
> the 2nd migration, and I'm not sure how that'll impact the
> workstations..)

Use another temp PC to migrate the domain to AD. Install NT4 as BDC,
disconnect SBS4.5, promote tempPC to PDC, delete SBS4.5 from domain and
upgrade to Win2K.

Next, install Win2K Server on SBS-to-be using original SBS name,
manually DCPROMO into the AD domain and transfer AD Roles. Now run SBS
setup, but do not install Exchange 2000. Install Ex5.5 from the SBS4.5
CDs.

Once you're done, you can demote and remove the tempPC.

Note that you need plain NT4 and Win2K Server available to do this
(sounds like that's not a problem!).

You would use a similar process to migrate again, but you'd just use a
temp Win2K Server instead, DCPromo it into a DC, transfer the Roles,
offline the tempSBS, delete it from the domain, and then proceed as
before.


--
Steve Foster [SBS MVP]
---------------------------------------
MVPs do not work for Microsoft. Please reply only to the newsgroups.

Re: Migration (SBS4.5 -> SBS2K) headaches - Recommendations? by Steve

Steve
Sun Aug 24 09:04:20 CDT 2003

bgenthusiast wrote:

> Alright, now we're cooking. I'm extremely grateful to you MVPs out
> there that take the time and effort to help out.
>
> I've made a step thru for my migration (I realize some of them may be
> simultaneous but it's good to have a detailed plan). I have some
> additional details I'd like answered, and the Qs are in the steps
> below:
>
> Legend:
> "SBS" is old SBS server needing hardware upgrade
> "SBStemp" is the temporary SBS PC while PC-SBS is being upgraded
> "DCtemp" is the AD FSMO transfer point (and initial BDC->PDC)
>
> ----------------
> 1. DCtemp - Install NT4 Server as BDC
>
> 2. SBS - Disconnect from network
>
> 3. DCtemp - Promote from BDC to PDC
>
> 4. DCtemp - Delete SBS from domain
>
> 5. DCtemp - Upgrade to Win2k Server to go to AD
>
> 6. SBStemp - Install Win2k Server using same server name as SBS
> Q: Is the SBS2K install of Win2k Server "normal", or do I need to use
> a "true" Win2k Server install CD? (Not a huge deal but I can save
> time here by restoring the image I made earlier)

Got to be genuine Win2K Server, not SBS2000 Win2K.

>
> 7. SBStemp - DCPROMO promote to AD domain
>
> 8. DCtemp - Do AD Roles transfer for all 5 FSMO roles to SBStemp as DC
>
> 9. SBStemp - Run SBS2k setup without Exchange2k
>
> 10. SBStemp - Install Exchange 5.5 + SP using same org and site name
> as SBS

Note that it must be the same SP as SBS4.5, and it must be SP3 or later
to work on Win2K. So if SBS4.5 is on Ex5.5 SP2 or earlier, you need to
bring the SBS4.5 up to at least SP3 first.

>
> 11. SBStemp - Replace PRIV.EDB and PUB.EDB from SBS PC
> Q1: I assume all Exchange services have to be stopped before touching
> the databases (on both SBS before copying and on SBStemp when
> replacing). Is there a recommended order of stopping Exchange
> services to stop Exchange?
> Q2: Do I need any other files from the
> mdbdata folder (like the logs)?

Yup, all Exchange services must be shut down. Just shut down the SA and
it will shut everything else down for itself. Log files would not be
needed.

>
> 12. SBStemp - Run "ISINTEG -patch" on the databases
>
> 13. SBStemp - Run Exchange2k setup and do an inplace upgrade, and
> install SP3+rollup
>
> 14. DCtemp - DCPROMO demote DC and disconnect
>
> 15. SBStemp - remove DCtemp from domain (at this point I can install
> other apps, and SBStemp is good to go as my DC)
>
> 16. SBS - Do hardware upgrade/maintenance
>
> 17. DCtemp - DCPROMO promote to AD domain
> Q: I should be able to reuse DCtemp and not have to reinstall Win2k
> Server from scratch, right? All it needs to do is another AD roles
> transfer back to SBS.

Yup, in your particular scenario, you could leave DCtemp online and a
DC right through.

>
> 18. SBStemp - Do AD Roles transfer for all 5 FSMO roles to DCtemp as
> DC
>
> 19. SBStemp - DCPROMO demote DC and disconnect from network
>
> 20. DCtemp - remove SBStemp from domain
>
> 21. SBS - Install Win2k Server
>
> 22. SBS - DCPROMO to AD domain
>
> 23. DCtemp - Do AD Roles transfer for all 5 FSMO roles to SBS as DC
>
> 24. DCtemp - DCPROMO demote DC and disconnect
>
> 25. SBS - Run SBS2k setup with Exchange2k
> Q: Do I run Exchange2k setup with the debug switch so that it doesn't
> mount any stores?

No, since you'll be forklifting the existing databases again.

>
> 26. SBS - restore IS and config settings from SBStemp Exchange2k
> Q: Okay, this is where I need a guide or white paper. Do I use MS
> Backup on SBStemp to backup the stores? What steps are needed here to
> restore the IS on SBS? Is there a way to migrate the configuration
> settings as well? Or is it just possible to copy files and mount
> stores from them?

Shut down services and copy databases again.

>
> 27. SBS - remove DCtemp from domain (at this point I can install
> other apps, and SBS is good to go as my DC in its final configuration)
> -------------------
>
> Oh yeah, my firewall does have 3 interfaces. One to the router, one
> to the trusted LAN and one to the DMZ. I'm changing it so that it
> uses NAT to get to the member Win2k Server that is running IIS, but I
> am planning to run OWA, VPN and have Exchange SMTP open on the SBS.

So why do you have dual-homed servers? A server should either be in the
DMZ or the internal LAN, but never both.

>
> Phew. Some additional Qs:
>
> Q1: Am I missing anything here, or am I doing too much? I expect
> SBStemp to be running a few days, and then changing it back to SBS
> the next weekend.

If you've determined that the original SBS hardware with upgrades is
going to be suitable for your SBS2000 server, then the only faster way
would be to implement the hardware changes and SBS re-install together.
You'd probably need spare hard disks to do this (since you'd be wanting
to preserve the 4.5 install on one set).


>
> Q2: Do I need to install ISA at all? All the documentation I've seen
> to setup the VPN steps thru the ISA first. Shouldn't I be able to
> just use RRAS to setup my VPN? Since I've got the firewall already
> and my workstations are using that as a gateway, ISA will really only
> be another layer at SBS to control flow between the internal and
> external NICs. Is it worth it to install just for that (and having to
> administer it)? I realize the feature pack has email filtering but
> I'm going to be evaluating a few packages for that (what is the
> consensus on the GFI product vs the Trend eManager?)

You either have the firewall do VPN and remove the load from SBS
entirely, or run SBS with 2 nics and ISA and let ISA/RRAS handle it.
ISA itself never actually does the VPN - it hands it off to RRAS - it
just handles the ports.

--
Steve Foster [SBS MVP]
---------------------------------------
MVPs do not work for Microsoft. Please reply only to the newsgroups.
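
The rule stated in the reply above (a server belongs in the DMZ or on the internal LAN, never both) can be checked against an address inventory. This is an added example, not part of the original thread; the host names, the 192.0.2.0/24 DMZ range and the inventory format are assumptions (10.0.0.0/24 is the internal range given in the first post).

```python
import ipaddress

# 10.0.0.0/24 is the internal range from the first post; the DMZ range is an
# assumed placeholder (documentation prefix), as are all host names below.
ZONES = {
    "internal": ipaddress.ip_network("10.0.0.0/24"),
    "dmz": ipaddress.ip_network("192.0.2.0/24"),
}

# Constructed inventory: one host per line, name followed by its NIC addresses.
INVENTORY = """
# host     addresses
SBS        10.0.0.2  192.0.2.10
WEB01      10.0.0.5  192.0.2.20
SQL01      10.0.0.6
NT4SRV     10.0.0.7
"""


def parse_inventory(text):
    """Return {host: [IPv4Address, ...]}, skipping blank and comment lines."""
    hosts = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        name, *addrs = line.split()
        hosts[name] = [ipaddress.ip_address(a) for a in addrs]
    return hosts


def zone_of(addr, zones=ZONES):
    """Name of the zone containing addr, or 'unclassified' if none matches."""
    for name, net in zones.items():
        if addr in net:
            return name
    return "unclassified"


def find_bridging_hosts(hosts, zones=ZONES):
    """Return {host: sorted zone names} for hosts with NICs in more than one zone."""
    findings = {}
    for name, addrs in hosts.items():
        seen = sorted({zone_of(a, zones) for a in addrs})
        if len(seen) > 1:
            findings[name] = seen
    return findings


if __name__ == "__main__":
    for host, zones in find_bridging_hosts(parse_inventory(INVENTORY)).items():
        print(f"{host}: interfaces in {', '.join(zones)} (spans zones)")
```

An address outside every listed range is reported as `unclassified`, so a host with an unexpected third NIC is flagged as well.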

Re: Migration (SBS4.5 -> SBS2K) headaches - Recommendations? by bgenthusiast

bgenthusiast
Mon Aug 25 11:37:42 CDT 2003


> > 25. SBS - Run SBS2k setup with Exchange2k
> > Q: Do I run Exchange2k setup with the debug switch so that it doesn't
> > mount any stores?
>
> No, since you'll be forklifting the existing databases again.

So, for an Exchange2k -> Exchange2k forklift, all I need is the pub1.edb and
stm, priv1.edb and stm from the MDBDATA dir?

> > Oh yeah, my firewall does have 3 interfaces. One to the router, one
> > to the trusted LAN and one to the DMZ. I'm changing it so that it
> > uses NAT to get to the member Win2k Server that is running IIS, but I
> > am planning to run OWA, VPN and have Exchange SMTP open on the SBS.
>
> So why do you have dual-homed servers? A server should either be in the
> DMZ or the internal LAN, but never both.

If I'm not using ISA, I need my SBS to be available on a public IP behind my
firewall so that VPN, Exchange and OWA are available to outside. I may not
need it, but I think I ran into problems trying to NAT the PPTP connections
last time with our firewall.

Regards.




Re: Migration (SBS4.5 -> SBS2K) headaches - Recommendations? by bgenthusiast

bgenthusiast
Tue Aug 26 12:35:36 CDT 2003


"Steve Foster [SBS MVP]" <steve.foster@picamar.co.uk> wrote in message
news:ewgmzV6aDHA.1600@TK2MSFTNGP09.phx.gbl...

> > So, for an Exchange2k -> Exchange2k forklift, all I need is the
> > pub1.edb and stm, priv1.edb and stm from the MDBDATA dir?
>
> I think so. I can't think of any others.

I'll be crossing my fingers. ;p

> > If I'm not using ISA, I need my SBS to be available on a public IP
> > behind my firewall so that VPN, Exchange and OWA are available to
> > outside. I may not need it, but I think I ran into problems trying to
> > NAT the PPTP connections last time with our firewall.
>
> Nope. You do VPN in the firewall in this scenario, and neither Exchange
> nor OWA need public IPs (though if you want to do OWA over SSL, you
> might need a public IP).

I do need to use the SBS as the VPN server. Our firewall does have its own
VPN authentication and clients available, but I don't want to use that as it
doesn't integrate with any Windows Authentication schemes. So, I will have
to have my users use a different set of credentials to log in from
externally, which they will likely not be very happy about.

I'll configure it so that the public IP goes to the ISA side for PPTP, then
use NAT to map the OWA and SMTP ports to the internal IP.

Regards.