Update information
How to obtain this update
To obtain the update, run the Windows Small Business Server 2011 Standard Migration Preparation Tool.
Prerequisites
To apply this update, you must have the Windows Small Business Server 2011 Standard Migration Preparation Tool installed on the migration source server.
Registry information
To use the update in this package, you do not have to make any changes to the registry.
Restart requirement
You do not have to restart the computer after you apply this update.
Update replacement information
This update does not replace a previously released update.
For more information about software update terminology, click the following article number to view the article in the Microsoft Knowledge Base:
824684 Description of the standard terminology that is used to describe Microsoft software updates
Issues that are fixed by this update
Issue 1
The Windows Small Business Server 2011 Standard Migration Preparation Tool only detects journal wrap errors that occurred within the past 24 hours. After you install this update, the Windows Small Business Server 2011 Standard Migration Preparation Tool checks for the most recent journal wrap errors.
Issue 2
The SourceTool.log file includes the following incorrect statement that a line should not exist in the release version of the Windows Small Business Server 2011 Standard Migration Preparation Tool:
datetime Health scan: Execution policy is set to remotesigned. THIS LINE SHOULD NOT APPEAR IN THE OFFICIAL BUILD.
Issue 3
You receive a warning from the Windows Small Business Server 2011 Standard Migration Preparation Tool if the DNS server service is not started on the migration source server. After you install this update, the tool raises an error instead of a warning if the DNS server service is not started.
Rules that are added by this update
Rule 1
This update adds the following rule to check whether the _msdcs DNS zone exists on the migration source server:
Rule: _msdcs zone is not found on DNS server
Severity: Error
Description: The _msdcs DNS zone is not found on the DNS server. You might need to restart NETLOGON service on the source server, or go to http://support.microsoft.com/kb/310568 for more details.
Rule 2
This update adds the following rule to check whether the Allow inheritable permissions option is enabled for the mailbox store and for the public folder in Active Directory:
Rule: Access control list (ACL) inheritance is blocked
Severity: Error
Description: Exchange setup requires that Access Control List (ACL) inheritance be enabled. Go to http://technet.microsoft.com/en-us/library/bb643112(EXCHG.80).aspx for more details.
Note This rule only applies to migration source servers that are running Windows Small Business Server 2003 or Windows Small Business Server 2008.
Rule 3
This update adds the following rule to check whether the MyBusiness organization unit (OU) structure is present on the migration source server.
Rule: MyBusiness OU is not found on the Windows SBS server
Severity: Error
Description: MyBusiness OU and its structure do not exist on the migration source server. Go to http://support.microsoft.com/kb/2578426 to create the structure.
Note This rule only applies to migration source servers that are running Windows Small Business Server 2003 or Windows Small Business Server 2008.
Actions to take if this rule is violated
To resolve this rule violation, re-create the MyBusiness OU manually. To do this, follow these steps:
- Open Active Directory Users and Computers.
- Right-click the domain name object. In the shortcut menu, point to New…, and then click Organizational Unit. Type MyBusiness to name the new object.
Note Type MyBusiness as one word.
- In the MyBusiness OU that you created in step 2, create the following OUs:
- Computers
- Distribution Groups
- Security Groups
- Users
- In the Computers OU that you created in step 3, create the following OUs:
- In the Users OU that you created in step 3, create the following OU:
After you finish these steps, you should have a structure that resembles the following:
Rule 4
This update adds the following rule to check whether the Enable Distributed COM on this computer option is enabled:
Rule: Distributed COM is not enabled on this computer
Severity: Error
Description: Distributed COM must be enabled on this computer. Go to http://technet.microsoft.com/en-us/library/cc771387.aspx to learn how to enable Distributed COM.
Rule 5
This update adds the following rule to check whether the "abuse@domain.local" email address is present on the migration source server:
Rule: abuse@localdomain proxy address is found
Severity: Error
Description: abuse@domain.local is found in the directory on account [specify the account(s) on which it was found]. This email address will conflict with a distribution group SMTP proxy address created during setup, which will result in a setup installation error. Find and change this email address.
Rule 6
This update adds the following rule to check whether the File Replication Service is stopped or disabled on the migration source server.
Rule: File Replication Service is not running
Severity: Error
Description: File Replication Service is not running on this server. By default, this service is running and startup type is set to Automatic.
Rule 7
This update adds the following rule to check whether the "Enable computer and user accounts to be trusted for delegation" user right in the Default Domain Controllers Group Policy object (GPO) applies to the Administrators group on the migration source server:
Rule: User accounts are not trusted for delegation
Severity: Error
Description: The Administrators group must be trusted for delegation in default domain controllers policy. Go to http://support.microsoft.com/kb/2578426 for more details.
Actions to take if this rule is violated
To resolve this rule violation, edit the Default Domain Controllers GPO. To do this, follow these steps:
- Start the Group Policy Management Console (Gpmc.msc).
- Expand the Group Policy Objects container.
- Right-click Default Domain Controllers Policy, and then click Edit.
- Expand Computer Configuration, expand Windows Settings, expand Security Settings, expand Local Policies, and then expand User Rights Assignment.
- Under User Rights Assignment, locate and double-click Enable Computer and user accounts to be trusted for delegation.
- Make sure that the Define these policy settings check box is selected.
- Click Add User or Group, add the Administrators group, and then click OK.
- Refresh Group Policy on the server. To do this, open a command prompt, type the following command, and then press Enter:
gpupdate /force
After you finish these steps, you should have Group Policy settings that resemble the following:
Rule 8
This update adds the following rule to check whether the "Log on as a batch job" user right in the Default Domain Controllers GPO applies to the Administrators group on the migration source server:
Rule: "Log on as a batch job" user right assignment is not correct
Severity: Error
Description: The Default Domain Controller group policy setting "Log on as a batch job" should include BUILTIN\Administrators. Go to http://support.microsoft.com/kb/2578426 for more information.
Actions to take if this rule is violated
To resolve this rule violation, edit the Default Domain Controllers GPO. To do this, follow these steps:
- Start the Group Policy Management Console (Gpmc.msc).
- Expand the Group Policy Objects container.
- Right-click Default Domain Controllers Policy, and then click Edit.
- Expand Computer Configuration, expand Windows Settings, expand Security Settings, expand Local Policies, and then expand User Rights Assignment.
- Under User Rights Assignment, locate and double-click Log on as a batch job.
- Make sure that the Define these policy settings check box is selected.
- Click Add User or Group and make sure that the following groups are in the list:
- Administrators
- PerformanceLogUser
If any of these groups are not in the list, add them by clicking Add User or Group…. Then, click OK.
- Refresh Group Policy on the server. To do this, open a command prompt, type the following command, and then press Enter:
gpupdate /force
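A way to confirm the outcome of the Rule 7 and Rule 8 steps from a command prompt instead of the GPO editor. This is an added example, not part of the original article or of the Migration Preparation Tool; it parses the [Privilege Rights] section of a security template, and the function names, sample template and sample account name are assumptions made for illustration.

```powershell
# Constructed sample of a security template. Real input can be produced with:
#   secedit /export /cfg rights.inf /areas USER_RIGHTS
$sampleInf = @'
[Unicode]
Unicode=yes
[Privilege Rights]
SeBatchLogonRight = *S-1-5-32-544,*S-1-5-32-559
SeEnableDelegationPrivilege = CONTOSO\svc-legacy
[Version]
signature="$CHICAGO$"
'@

# Template constant names for the user rights that Rule 7 and Rule 8 check.
$requiredRights = @{
    'SeEnableDelegationPrivilege' = 'Enable computer and user accounts to be trusted for delegation'
    'SeBatchLogonRight'           = 'Log on as a batch job'
}
# Spellings under which BUILTIN\Administrators can appear in a template.
$adminNames = @('*S-1-5-32-544', 'Administrators', 'BUILTIN\Administrators')

function Get-PrivilegeRights {
    param([string[]]$Lines)
    $rights = @{}
    $inSection = $false
    foreach ($line in $Lines) {
        $text = $line.Trim()
        if ($text -match '^\[(.+)\]$') {
            # Track whether we are inside [Privilege Rights].
            $inSection = ($Matches[1] -eq 'Privilege Rights')
        } elseif ($inSection -and $text -match '^(\w+)\s*=\s*(.*)$') {
            $rights[$Matches[1]] = @($Matches[2] -split ',' |
                ForEach-Object { $_.Trim() } | Where-Object { $_ })
        }
    }
    $rights
}

function Test-MigrationUserRights {
    param([string[]]$Lines)
    $rights = Get-PrivilegeRights -Lines $Lines
    foreach ($name in $requiredRights.Keys) {
        # A right that is absent from the template has no holders at all.
        $holders = @()
        if ($rights.ContainsKey($name)) { $holders = @($rights[$name]) }
        New-Object PSObject -Property @{
            UserRight      = $requiredRights[$name]
            Administrators = @($holders | Where-Object { $adminNames -contains $_ }).Count -gt 0
            OtherHolders   = @($holders | Where-Object { $adminNames -notcontains $_ }) -join ', '
        }
    }
}

Test-MigrationUserRights -Lines ($sampleInf -split '\r?\n') |
    Format-Table UserRight, Administrators, OtherHolders -AutoSize
```

The OtherHolders column lists every other principal that holds each right, which is worth reviewing because delegation trust is a sensitive privilege on a domain controller.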
Rule 9
This update adds the following rule to check whether KB 939820 is installed on the migration source server:
Rule: KB939820 is not installed
Severity: Warning
Description: KB939820 must be installed on Windows 2003 or Windows SBS 2003 computer. Go to http://support.microsoft.com/kb/939820 for download details.
Note This rule only applies to migration source servers that are running Windows Small Business Server 2003 or Windows Server 2003.
For more information about KB 939820, see
Events 1925, 1006, 1645, 1055, 40961 on a Windows Server 2008-based domain controller or authentication errors
Rule 10
This update adds the following sub-rules to Active Directory Health Check:
Sub-rule 1
The following sub-rule checks whether subdomains exist in Active Directory:
Rule: There are subdomains present
Severity: Error
Description: Windows SBS cannot be installed when subdomains are present. Go to http://support.microsoft.com/kb/2578426 for more information.
Actions to take if this sub-rule is violated
To resolve this sub-rule violation, remove Active Directory from the domain controllers in the subdomain, and then enable the "This is the last domain controller in this domain" option. The subdomain is removed as soon as you perform this operation on the last domain controller.
Note Windows Small Business Server does not support trusts. This includes trusts that are created by child domains. Therefore, Windows Small Business Server does not support scenarios that include subdomains.
Sub-rule 2
The following sub-rule checks whether all the operations master roles (also known as flexible single master operations or FSMO) are present on the migration source server:
Rule: Some FSMO roles are missing on the source Windows SBS server
Severity: Error
Description: Some FSMO roles are missing on the source Windows SBS server. Go to http://support.microsoft.com/kb/2578426 for more information.
Note This rule only applies to migration source servers that are running Windows Small Business Server 2003 or Windows Small Business Server 2008.
Actions to take if this sub-rule is violated
To resolve this sub-rule violation, transfer any FSMO roles that are not owned by the Windows Small Business Server server back to the Windows Small Business Server server. To do this, follow these steps.
Note Windows Small Business Server is required to hold all the FSMO roles.
- Verify which FSMO Roles are held by Windows Small Business Server. To do this, open a command prompt, type the following command, and then press Enter:
NETDOM QUERY FSMO
- At an administrative command prompt, type NTDSUTIL, and then press Enter.
- Type activate instance NTDS, and then press Enter.
Note This command is only required in Windows Small Business Server 2008.
- Type roles, and then press Enter.
- Type connections, and then press Enter.
- Type connect to server servername, and then press Enter.
Note In this command, servername is a placeholder for the name of the Windows Small Business Server server.
- At the server connections prompt, type q, and then press Enter.
- Type seize PDC, press Enter, and then click Yes in the Role Seizure Confirmation dialog box.
- Type seize infrastructure master, press Enter, and then click Yes on the Role Seizure Confirmation dialog box.
- Type seize naming master, press Enter, and then click Yes on the Role Seizure Confirmation dialog box.
- Type seize RID master, press Enter, and then click Yes on the Role Seizure Confirmation dialog box.
- Type seize schema master, press Enter, and then click Yes on the Role Seizure Confirmation dialog box.
- Type q, and then press Enter until you return to the command prompt.
Note You only have to transfer the roles that are not held by Windows Small Business Server. Therefore, you may not have to run all the commands in these steps.
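To decide which of the role steps above actually apply, the output of NETDOM QUERY FSMO can be compared against the Windows Small Business Server name. The following is an added example, not part of the original article; the function names, the sample output and the server names are constructed, and the NETDOM label strings in the lookup table are assumptions about the tool's output.

```powershell
# Constructed sample of NETDOM QUERY FSMO output; the server names are made up.
$sampleOutput = @'
Schema master               SBS01.contoso.local
Domain naming master        SBS01.contoso.local
PDC                         DC02.contoso.local
RID pool manager            DC02.contoso.local
Infrastructure master       SBS01.contoso.local
The command completed successfully.
'@

# NETDOM label -> role name used in the NTDSUTIL steps above. Both label sets
# are assumptions: the first five from newer NETDOM builds, the rest from the
# Windows Server 2003 Support Tools build.
$roleName = @{
    'Schema master'         = 'schema master'
    'Domain naming master'  = 'naming master'
    'PDC'                   = 'PDC'
    'RID pool manager'      = 'RID master'
    'Infrastructure master' = 'infrastructure master'
    'Schema owner'          = 'schema master'
    'Domain role owner'     = 'naming master'
    'PDC role'              = 'PDC'
    'Infrastructure owner'  = 'infrastructure master'
}

function Get-FsmoHolders {
    param([string[]]$Lines)
    foreach ($line in $Lines) {
        # The role label and its holder are separated by two or more spaces.
        if ($line -match '^(?<role>\S.*?)\s{2,}(?<holder>\S+)\s*$' -and
            $roleName.ContainsKey($Matches['role'])) {
            New-Object PSObject -Property @{
                Role   = $roleName[$Matches['role']]
                Holder = $Matches['holder']
            }
        }
    }
}

function Get-RolesNotOnServer {
    param([string[]]$Lines, [string]$SbsServer)
    $found = @(Get-FsmoHolders -Lines $Lines)
    # Fewer or more than five parsed roles means the output was not understood.
    if ($found.Count -ne 5) { throw "Expected 5 FSMO roles, parsed $($found.Count)." }
    # Compare on the host label so SBS01 and SBS01.contoso.local are equal.
    $found | Where-Object { ($_.Holder -split '\.')[0] -ne ($SbsServer -split '\.')[0] } |
        ForEach-Object { '{0} (held by {1})' -f $_.Role, $_.Holder }
}

# Live use: Get-RolesNotOnServer -Lines (netdom query fsmo) -SbsServer $env:COMPUTERNAME
Get-RolesNotOnServer -Lines ($sampleOutput -split '\r?\n') -SbsServer 'SBS01'
```

An empty result means the server already holds all five roles and none of the role steps are needed.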
Sub-rule 3
The following sub-rule checks whether Active Directory replication is disabled on the migration source server:
Rule: Active Directory replication is disabled on the server
Severity: Error
Description: Active Directory replication is disabled on the server. Go to http://support.microsoft.com/kb/2578426 for more information.
Actions to take if this sub-rule is violated
Active Directory replication is most frequently disabled because an unsupported restore operation was performed in Active Directory. This operation puts the server into a "USN rollback" state. To resolve the USN rollback issue, view KB 875495. For more information about KB 875495, click the following article number to view the article in the Microsoft Knowledge Base:
875495 How to detect and recover from a USN rollback in Windows Server 2003, Windows Server 2008, and Windows Server 2008 R2
There are other potential causes of this issue. Therefore, you must review the Directory Services log to determine the cause, and resolve the issue appropriately. To manually re-enable Active Directory replication, open a command prompt, type the following command, and then press Enter:
repadmin /options localhost -DISABLE_OUTBOUND_REPL -DISABLE_INBOUND_REPL
Note Before you run this command, make sure that the initial replication issue is resolved. If you do not do this, you will only have a single domain controller remaining after you run the command.
Sub-rule 4
The following sub-rule checks whether offline domain controllers are present in Active Directory:
Rule: Found an offline domain controller present in Active Directory. Server: <server name>
Severity: Error
Description: If the offline domain controller [DC Name] has been retired, remove it from Active Directory. Go to http://support.microsoft.com/kb/216498 for more information.
Sub-rule 5
The following sub-rule checks whether the DNS zone name exists on the migration source server:
Rule: Error is found in DNS Zone [DNS zone name]
Severity: Error
Description: DNS zone [DNS zone name] does not exist. Migration will fail without fixing this issue. Go to http://support.microsoft.com/kb/2578426 for more details.
Actions to take if this sub-rule is violated
To resolve this sub-rule violation, re-create the DNS zone. To do this, follow these steps:
- Open DNS Management Console.
- Right-click Forward Lookup Zones, and then click New Zone….
- Click Next on the Welcome page of the New Zone Wizard.
- Click Primary Zone and make sure that the Store the zone in Active Directory check box is selected.
- Set the replication scope to include all domain controllers in the Active Directory domain.
- In Zone name, enter the Active Directory domain name (for example, contoso.local).
- Set the dynamic update option to Allow only secure dynamic updates.
- Click Finish to create the zone.
Sub-rule 6
The following sub-rule checks whether the DNS zone is integrated with Active Directory on the migration source server:
Rule: Error is found in DNS Zone [DNS zone name]
Severity: Error
Description: DNS zone [DNS zone name] is not Active Directory–integrated. Migration will fail without fixing this issue. Go to http://support.microsoft.com/kb/2578426 for more details.
Actions to take if this sub-rule is violated
To resolve this sub-rule violation, integrate the DNS zone with Active Directory. To do this, follow these steps:
- Open DNS Management Console.
- Expand Forward Lookup Zones.
- Right-click the zone that corresponds to your Active Directory domain name, and then click Properties.
- On the General tab, make sure that the Type setting is set to Active Directory-Integrated and the Dynamic updates setting is set to Secure only, as shown in the following screen shot:
- On the Name Servers tab, make sure that the source server IP address is listed and that the list contains only the IP addresses of valid working internal DNS servers. Remove any IP addresses that are not valid.
Sub-rule 7
The following sub-rule checks whether the server records in the msdcs subdomain of the DNS zone point to a domain controller on the migration source server:
Rule: Error is found in DNS Zone [DNS zone name]
Severity: Error
Description: In DNS zone [DNS zone name], name server records in the msdcs subdomain do not point to a domain controller. Migration will fail without fixing this issue. Go to http://support.microsoft.com/kb/2578426 for more details.
Actions to take if this sub-rule is violated
To resolve this sub-rule violation, point all name server records to a domain controller. To do this, follow these steps:
- Verify the DNS zone configuration. To do this, follow these steps:
- Open DNS Management Console.
- Expand Forward Lookup Zones.
- Expand the zone that corresponds to your Active Directory domain name.
- Right-click the _msdcs subdomain, and then click Properties.
- On the Name Servers tab, make sure that the list contains only the domain controllers in the domain. Remove any records that are not valid.
- Check the DNS Namespace in WMI. To do this, follow these steps:
- Start Windows Management Instrumentation (WMI) Tester (Wbemtest).
- Click Connect.
- Type root\microsoftdns in the Namespace text box.
- Click Connect.
If it connects, the issue is probably caused by the configuration in the DNS zones or delegation. If you receive an error dialog box as shown in the following screen shot, make a backup of the WMI repository, and then repeat step 2A through 2D. If it connects successfully, press the Scan again button in the Migration Preparation Tool.
To make a backup of the WMI repository, follow these steps:
- Start wmimgmt.msc.
- Right-click WMI Control (Local), and then click Properties.
- Click the Backup/Restore tab, and then click Back Up Now.
- Enter a file name, and then click Save.
- At an elevated command prompt, execute the following commands:
cd %systemroot%\system32\wbem
mofcomp dnsprov.mof
The following screen shot shows a successful output of the commands:
Sub-rule 8
The following sub-rule checks whether the local server is in the name server records on the migration source server:
Rule: Error is found in DNS Zone [DNS zone name]
Severity: Error
Description: In DNS zone [DNS zone name], your local server is not in the name server records. Migration will fail without this record. Go to http://support.microsoft.com/kb/2578426 for more details.
Actions to take if this sub-rule is violated
To resolve this sub-rule violation, integrate the DNS zone with Active Directory. To do this, follow these steps:
- Open DNS Management Console.
- Expand Forward Lookup Zones.
- Expand the zone that corresponds to your Active Directory domain name.
- Right-click the _msdcs subdomain, and then click Properties.
- On the Name Servers tab, make sure that the source server is listed.