Custom Technology Solutions, Inc

Corporate Blog

Custom Technology Solutions, Inc - Corporate Blog

Windows Server Essentials 2012/2012 R2 Log Files

[This post comes to us courtesy of Swapnil Rane from Commercial Technical Support] This post will reduce your efforts to identify which log to refer to and where to find it. This can be very useful when you are troubleshooting issues on an Essentials server. We have compiled a list of important logs and their associated wizards below. There can be issues where we may have to refer to multiple logs. Server-side Logs: In Windows Server Essentials 2012 and 2012 R2, the location of the log files is under %programdata%MicrosoftWindows ServerLogs . Service Integration Log Files: O365/On-Premise Exchange/Intune   SharedServiceHost-EmailProviderServiceConfig.log Windows Azure Backup   OnlineBackupGettingStartedWizard.log Backup Log Files: Server Backup Configuration wizard SBCW.log Server Backup restore wizard ServerFFR.log Client Backup Feature server side log Backup- .log Client backup database cleanup RunTask-BackupCleanup.log Client backup database checker RunTask-Consistency check Storage and Devices Log Files: User/Device management feature SharedServiceHost-ManagementServiceConfig.log Storage features Storageservice. .log Storage related feature Storageutil. .log Azure Backup Log Files: Location: C:Program FilesWindows Azure Backup AgentTemp Azure Backup Logs CBEngineCurr.errlog Failed Azure Backup Logs LastBackupFailedFile#####.txt Other Helpful Log Files: DC Promo DCPromo_date.log Health evaluation schedule task RunTask-AlertEvaluation.log Macintosh Clients Status update RunTask-MacintoshStatusReport.log Server DNS status ServerBeacon.log Customer Experience Improvement RunTask-SaveCustomerExperienceImprovementProgramData.log Program and Service Quality Measurement Log Files: CA Role installation CA_ROLE_INSTALL.log Media pack installation (2012 R2) MediaPackInstalltionWizard.xxxx.log Media Service (Specially with RWA) MediaStreamingProvider.log O365 (Assign/Un-assign Accounts) TaskStatus-OIMAddin.log   Client-side Logs: The client-side log files are located in the folder %programdata%MicrosoftWindows Serverlogs . They are as: Client Deployment ClientDeploy.log Client package installation Failures ComputerConnector.log Client backup restore mount driver BackupDriverInstaller.log Client operation for File history Sync ClientOperator.log Main log for client launch pad LaunchPad.log Password synchronization feature in AAD     PasswordSyncClientAlerts.log Add-in feature on client RunTask-Add-in Management.log Health evaluation schedule task RunTask-AlertEvaluation.log Client Backup scheduled task RunTask-ClientComputeBackkup.log Connector uninstall cleanup task RunTask-Connector cleanup.log Update health definition file from server to client task RunTask-HealthDefinitionUpdate.log RDP feature for RWA RunTask-RDP Group Configuration.log Client VPN connectivity issues RunTask-VPN Routes Repair.log Client network status update ServerLocator- .log Client deployment API call (Client deployment fails) Setupapi.dev.log Health alert feature SharedServiceHost-HealthServiceConfig.log The above logs should be able to guide you through the process of troubleshooting effectively on Essentials relevant issues.

How to enable verbose logging for Windows Server 2012/2012 R2 Essentials

[This post comes to us courtesy of Swapnil Rane and Rituraj Choudhary from Global Business Support] This post explains how to increase the logging level for the individual components of Server Essentials role for troubleshooting purposes. In order to accomplish this, we need to modify the Logging.config file. This file can be located at C:Program FilesWindows ServerBin on a Windows Server 2012 Essentials machine. On a Windows Server 2012 R2 Essentials this file is present at C:WindowsSystem32Essentials . Make sure to save a backup copy of the file before modifying it. You need to change the ownership of Logging.config file and give the user adequate permissions to save any modifications to it. You may use the following commands on an elevated Command Prompt to make modifications to the file: For Windows Server 2012 R2 Essentials: takeown /f C:WindowsSystem32EssentialsLogging.config icacls C:WindowsSystem32EssentialsLogging.config /grant administrators:F icacls C:WindowsSystem32EssentialsLogging.config /setowner “NT ServiceTrustedInstaller” notepad C:WindowsSystem32EssentialsLogging.config For Windows Server 2012 Essentials: takeown /f “C:Program FilesWindows ServerBinLogging.config” icacls “C:Program FilesWindows ServerBinLogging.config” /grant administrators:F icacls “C:Program FilesWindows ServerBinLogging.config” /setowner “NT ServiceTrustedInstaller” notepad “C:Program FilesWindows ServerBinLogging.config” The file Logging.config is now ready for editing. Search for the string level= and replace the string next to level= to All if it is set otherwise. For example: Change it as: Changing the level to All enables verbose logging. There are other values that the level can be set to, but mostly verbose logging is preferred, and can be achieved as mentioned above. When the issue is reproduced subsequently, the logs at C:ProgramDataMicrosoftWindows ServerLogs folder should now contain verbose information. Note : You may use the same procedure to enable verbose logging on the Essentials clients.

Announcing the availability of enabling Windows Server 2012 R2 Essentials’ integration of Microsoft online services in environments with multiple…

In Windows Server Essentials 2012 R2, all of our online services integration features, including Azure Active Directory and Office 365, are supported only in environments that have a single domain controller. In environments with more than one domain controller, integration of these services is blocked due limitations in the user account and password synchronization mechanism in Windows Server Essentials.  I am happy to announce that with the recent Windows August Update released on (8/12/2014, PST), this limitation has been removed.  This update adds support for both Azure Active Directory integration and Office 365 integration features in domain environments consisting of a single domain controller, multiple domain controllers, or Windows Server Essentials as a domain member server. For more information, please go to http://support.microsoft.com/kb/2974308 .

Troubleshooting Common VPN issues on Windows Server 2012 R2 Essentials

[This post comes to us courtesy of Sabir Chandwale, Harshal Charde, Ajay Sarkaria and Rituraj Choudhary from Global Business Support] In our previous post , we covered steps involved in configuring VPN on Windows Server Essentials. In this post, we will cover common problems that could result in failure of VPN functionality in your Windows Server Essentials environment. In Windows Server 2012 R2 Essentials, VPN is deployed in a way that there is little requirement of manual configurations on the server or a client. Considering correct TCP Ports are open on the firewall and forwarded to the server, and VPN was enabled while running Anywhere Access wizard, VPN should work right out of the box. Also, on the VPN client, make sure the VPN dialer has proper protocols selected. To be able to access the Remote Access management tools, you should first install Remote Access GUI and Command-Line Tools using the following command: Add-WindowsFeature –Name RSAT-RemoteAccess-MGMT Let us now discuss some common issues with VPN connection. Error 850: The Extensible Authentication Protocol type required for authentication of the remote access connection is not installed on your computer. If you have set up the VPN connection manually, you may encounter this error. This error indicates that none of the protocols are chosen in the VPN Connection Properties. The fix is to select Allow these protocols on the Security tab of the VPN connectoid. Microsoft CHAP Version 2 (MS-CHAP v2) would get selected automatically when you click this option. Hit OK to apply the changes. You may also face internet or network resource access issues. It could be that you are using the default gateway of the remote network. On the Networking tab of the VPN connectoid, open the properties of Internet Protocol Version 4 (TCP/IPv4) and click Advanced . Now, on the Advanced TCP/IP Settings window, clear the check for Use default gateway on remote network . That should ensure that the network and internet connection are up and running. Let’s look at another error. Error 800: The remote connection was not made because the attempted VPN tunnels failed. The VPN server might be unreachable. If this connection is attempting to use an L2TP/IPsec tunnel, the security parameters required for IPsec negotiation might not be configured properly. The reason for this connection failure could be either because 443 is not allowed on the firewall or there is a mismatch of certificate in RRAS and IIS (Default Web Site). To fix it, ensure that 443 is allowed and forwarded to the Windows Server 2012 R2 Essentials, and that correct SSL certificate is bound to the Default Web Site for port 443, and the same is associated with SSTP port. You can easily figure out if SSL port 443 is blocked. If you are able to browse RWA from outside, it is open, otherwise it is not. To verify certificates, open Internet Information Services (IIS) Manager on the Server Essentials, and click to open Bindings for the Default Web Site . On the Site Bindings page, choose the binding for the port 443 with blank host name, and click Edit . On the Edit Site Binding page, click View . On the Certificate window, chose Details and make a note of the Thumbprint of the certificate. Alternatively, you could use the following PowerShell command to display the thumbprint of the certificate active on the Default Web Site: Get-WebBinding | Where-Object {$_.bindinginformation -eq “*:443:”} | fl certificateHash Now, open Routing and Remote Access Management console. Right-click the server name, open its properties and click on the Security tab. Click View next to the Certificate. You should have the same certificate thumbprint here as well. If this is a different certificate, change the certificate to match the one on the IIS. Alternatively, you may use this command to modify the thumbprint of this certificate for the Secure Socket Tunneling Protocol (SSTP) Service: reg add HKEY_LOCAL_MACHINESYSTEMCurrentControlSetServicesSstpSvcParameters /v SHA1CertificateHash /t REG_BINARY / /f Once you ensure that the certificate on the Default Web Site and SSTP are same, this issue should have been taken care of. Let’s look at the next error. Error 720: A connection to the remote computer could not be established. You might need to change the network settings for this connection. If VPN client is unable to obtain an IP address from the VPN server, you may see this error. In Server Essentials, usually the DHCP is hosted on a different device. To workaround this error, open Routing and Remote Access console and open the server Properties . On the server properties, assign a valid static IPv4 address pool for the VPN clients, and exclude it from DHCP server scope. On certain occasions we have seen that the on premise client would show connected to the hosted Windows Server 2012 R2 Essentials, however there may not be any connectivity the between the VPN client and the Server Essentials. In such scenarios, enable and analyze additional Routing and Remote Access information logs at the %windir%tracing directory. Additionally, you may want to check the events for RemoteAccess-MgmtClient and RemoteAccess-RemoteAccessServer on the Event Viewer. These were some common VPN issues we see with Windows Server 2012 R2 Essentials, and they usually show up when VPN server settings or VPN client connectoid has been configured manually. If you enable VPN through the Anywhere Access wizard, you may not see these errors.

Configuring Health Report in Windows Server 2012 R2 Essentials

[This post comes to us courtesy of Harshal Charde, Kriti Thakral and Sandeep Biswas from Global Business Support] In this post we will discuss about configuring Health Report email notification using O365 in Windows Server 2012 R2 Essentials. The Health Report for Windows Server 2012 R2 Essentials provides you with consolidated information about the Windows Server Essentials network and enables you to distribute this information to intended recipients via emails. This information can be viewed on the Health Reports tab of the Dashboard on Windows Server 2012R2 Essentials. We can generate a report on demand or on schedule, customize the content of the report and send them through emails. Reading the Health Reports on the Windows Server Essentials Dashboard may be time consuming. With the email feature, after a report is generated, an email will be sent to a list of specified email addresses with the content of the report. The administrator can easily view this report from any device or any client application, and ensure that the server is running at its best state. In the following example we have used an Office 365 account to configure Health Report email notifications. You may log in and view the SMTP server details of O365 account as follows: 1. Click Outlook tab, click Settings icon   and then click Options. 2. On the next page click account and then click Settings for POP or IMAP access 3. Make a note of the SMTP setting and then click close. To configure the health report on the Window Server 2012 R2 Essentials, open the Windows Server Essentials Dashboard , click the Health Report page on the HOME tab and click Customize Health Report settings . Click the Schedule and Email tab, click to select Generate a health report as its scheduled time check box (customize the recurrence as per your preference) and then click Enable . Type the email address of your O365 mail account, the SMTP server name and the SMTP port. Click to select This server requires a secure connection (SSL) and This server requires authentication check boxes and type the username & password of your O365 account and click OK . On the next page, type the email address of the person that you would like to receive alert notification by email and click OK . If you wish to add multiple email addresses ensure that you separate each email address with a semicolon (;). Alternatively, if you prefer commands over the GUI, there are PowerShell commands built-in to the WssCmdlets module to configure the Health Report: Set-WssReportEmailSetting -Enable -From “healthreport@mysbs.onmicrosoft.com” -SMTPServer “smtp.office365.com” -Port 587 -UseSsl -To MyEssentials@outlook.com -UseAuthentication –Credential (Get-Credential) Set-WssReportSchedule -Enable -Daily -At 16:00 The above commands would take care of the email account configuration and the schedule of the health report. There are additional commands to generate a new report ( New-WssReport ), and send an email with the health report ( Send-WssReport ) that you can utilize too. You can find a list of all the commands of the WssCmdlets module here . Once the configuration is completed, you can click Generate a health report which will automatically send an email notification to the external user mailbox. You can also send an existing report by selecting it and clicking Email the health report . Here is a sample of the email received: You are now ready to receive the Health Report notifications on email. Logon to the subscribed user’s mailbox to verify the receipt of email.

Improve collaboration in small and midsize businesses solution guide now available

[This post comes to us courtesy of Kumud Dwivedi from Content Publishing] If you are a small to midsize business that is looking to enable employees and external partners to improve collaboration and securely access shared data, we now have a solution guide to address this. Windows Server 2012 R2 Essentials and Windows Server 2012 R2 provide a solution to easily collaborate with your partners or vendors. If your business has up to 25 users and 50 devices, use Windows Server 2012 R2 Essentials. For up to 100 users and 200 devices, use the Standard or Datacenter editions of Windows Server 2012 R2 with the Windows Server Essentials Experience role installed. To view this solution guide, see Improve collaboration in small and midsize businesses .

Understanding VPN configuration in Windows Server 2012 R2 Essentials

[This post comes to us courtesy of Md. Sabir Chandwale and Rituraj Choudhary from Global Business Support] In this post we will discuss about Virtual Private Network feature on Windows Server 2012 R2 Essentials. Virtual Private Network can be straightforwardly installed and configured on a Windows Server 2012 R2 Essentials by running the Set up Anywhere Access wizard and selecting Virtual Private Network (VPN) option on the following screen. If you want to know about Remote Web Access, or run through the sequential screens of Anywhere Access wizard, please visit this post . When you choose to enable VPN using this wizard, the following roles/features get installed on the Essentials Server: Remote Access, DirectAccess and VPN (RAS), IP and Domain Restrictions, IIS Management Scripts and Tools, Network Policy and Access Services Tools, and Windows Internal Database. You can also enable these roles/features from the Server Manager or PowerShell command-lets, however on Windows Server Essentials we recommend enabling it using the Set up Anywhere Access wizard. It’s noteworthy that Windows Server 2012 R2 Essentials allows client machines to join their server without having to be inside the company network using a feature called Remote Domain Join . So, if VPN is enabled on Server Essentials, you may connect a remote client to the local network via VPN, run the Connect wizard from http:// /connect or http:// .remotewebaccess.com/connect URL and join the remote client to the server. The process is very simple and straightforward. As a prologue to discuss some common issues with VPN on Windows Server 2012 R2 Essentials, let us first glance through the default Routing and Remote Access (RRAS) settings. You may also find the specifics about these settings on TechNet . Note: Server Essentials automatically manages the routing for VPN, and therefore Routing and Remote Access (RRAS) UI is hidden on the server to prevent tampering of RRAS settings. As a result, to view, change or troubleshoot the Remote Access settings, you need to install Remote Access GUI and Command-Line Tools using Server Manager or the following PowerShell command: Add-WindowsFeature RSAT-RemoteAccess-Mgmt This feature enables Routing and Remote Access console and respective command-line tools to manage VPN and DirectAccess. Note that this role may not be required on the server unless you need to change the settings for VPN or DirectAccess. Default Settings of VPN on Windows Server 2012 R2 Essentials To check the default settings for the VPN, open Routing and Remote Access Manager. Right click server name , and select Properties . On the General tab, IPv4 must be enabled: The Security tab consists of the Authentication Methods… and SSL Certificate Binding : The Authentication Methods should have Extensible authentication protocol (EAP) and Microsoft encrypted authentication version 2 (MS-CHAP v2) enabled. You can confirm it by clicking the Authentication Methods… button on the Security tab. The SSL Certificate Binding section on the Security tab displays the certificate active for VPN. This also indicates that we enable VPN on SSL and that you do not have to allow any port other than port 443. Let’s move on to the IPv4 tab. By default the VPN clients are set to receive IP from DHCP, but you may require to change it to a Static address pool for troubleshooting purposes. On the IPv6 tab, the options Enable IPv6 Forwarding and Enable Default Route Advertisement are selected by default. The IKEv2 tab consists of the default options to control the IKEv2 client connections and Security Association expiration. The PPP tab contains the settings for Point-to-Point protocol and are as follows: The Logging tab on the server properties page contains the level of logging enabled for Routing and Remote Access. To enable additional logging for the Routing and Remote Access, select the option Log additional Routing and Remote Access information . Once this option is selected additional log files are created in the %windir%Tracing directory that provide deeper insight to troubleshoot RRAS issues. Make sure to disable the additional logging once the troubleshooting is complete. You may also gather and modify information for Remote Access from an elevated Windows PowerShell terminal. Here are some common commands: Command Purpose   Get-Command -Module RemoteAccess   Displays a list of commands available with RemoteAccess module   Get-RemoteAccess   Displays the configuration of VPN and DirectAccess (DA)   Get-VpnAuthProtocol   Displays authentication protocols and parameters set on the VPN   Get-VPNServerConfiguration   Displays VPN server properties Here is a sample output: You can look at the help file of each of these commands for a detailed description. Better yet, you can use the following command to insert the help contents of each of these commands for the module RemoteAccess to a text file as: $(foreach ($command in (Get-Command -Module RemoteAccess)) {Get-Help $command.Name} ) | Out-File HELP.txt We will discuss some common issues with VPN on another post in future.

Configuring and Customizing Remote Web Access on Windows Server 2012 R2 Essentials

[This post comes to us courtesy of Maanavi Bisaria and Rituraj Choudhary from Global Business Support] We will cover the following aspects of Remote Web Access (RWA) on Windows Server 2012 R2 Essentials in this blog: Configuring Remote Web Access Customizing Remote Web Access Configuring Remote Web Access To configure RWA, open the HOME tab on the Windows Server Essentials Dashboard . On the Get Started page, click Set up Anywhere Access , and then click Click to configure Anywhere Access. This will open Set up Anywhere Access wizard. On the first screen, if you don’t have a UPnP router, you should check the option Skip router setup. I want to set up my router manually as indicated below, and then click Next . You would then see a Getting Started page. Click Next to proceed. On the following screen, check the box I want to set up a new domain name . The wizard would search for the available domain name service providers on the next screen and presents you with these two options: The first option Purchase professional domain name from a supported provider offers GoDaddy.com and eNomCentral as the supported domain name service providers. However, if you don’t intend to pay for the domain name services, choose the second option Get a personalized domain from Microsoft . Once you hit Next on this screen, you need to sign in to your Microsoft account with your Live ID. Accept the Privacy Statement and Agreement, and then type a name for your domain ( remotewebaccess.com is provided as a default domain name suffix ). Click on the Check Availability button to check the availability of the domain name. Click on Set Up when you find a suitable domain name available for use. Once your domain name has been set up, you may configure Remote Web Access. To do so, check the box Remote Web Access and click Next . You may also choose to enable VPN in this step, however, we will discuss VPN on a separate blog post. This step in the background installs and configures Network Policy Server, Remote Desktop Gateway, Client Certificate Mapping Authentication, and RPC over HTTP Proxy . You may verify these roles/features in the Server Manager. Once this is completed successfully, your Remote Web Access has been set up successfully and can be browsed at https:// .remotewebaccess.com. Customizing Remote Web Access Once the Anywhere Access Wizard has been completed, open the HOME tab on the Windows Server Essentials Dashboard . On the Get Started page, click Set up Anywhere Access , and then click Click to configure Anywhere Access . This will open the Settings page of Anywhere Access. Please note that once we have configured RWA, you can view the status of Anywhere Access at the top of this window, along with Configure and Repair options. Let’s now click Customize in the Web site settings section to see what it holds. On the Customize Remote Web Access window, you can customize the Logon page , Home page links and Server Connection options . Click on Logon page tab to customize Web site title, Background image and Web site logo . The Home page links tab offers you option of adding or removing links that appear on the RWA home page. The Server connection options page provides the way RDP connection is made to the Server. The default option is Open Dashboard (Default) . You may choose to connect to the Server normally by selecting Open Remote Desktop . To sum up, configuration and customization of Remote Web Access on Windows Server 2012 R2 Essentials is a stress-free procedure, and the result is a clutter free RWA user interface: The Devices tile group contains the computers you have rights to connect to. There are similar tiles for Shared Folders , Links and Microsoft Office 365 . If you click the user account on the top-right of the page, you have an option to change your user account password. We will discuss these features with time. In the meantime you may refer to this TechNet .

Configuring Microsoft Azure Online Backup on Windows Server 2012 R2 Essentials

[This post comes to us courtesy of Mandeep Singh Parmar and Rituraj Choudhary from Global Business Support] Microsoft Azure Backup is a cloud-based backup solution that enables online backup and restore of important data to help protect against loss and corruption. This feature can be comfortably integrated to the Windows Server Essentials Dashboard. Here are some significant features of Microsoft Azure Backup: Simplified setup and configuration via Windows Server Essentials Dashboard Incremental backup Data compression and encryption Retention policies Bandwidth throttling Get started by installing add-in for Microsoft Azure Backup 1. Open the Windows Server Essentials Dashboard. Navigate to HOME tab and then click ADD-INS under the Get Started sub-tab. 2. Select Integrate with Windows Azure Backup , and then click the following links to sign up and download the Online Backup Module respectively: Click to sign up for Windows Azure Backup You may opt for a free trial for a month or you may purchase the services. Click to download Windows Azure Backup integration module Download and save the file OnlineBackupAddin.wssx . 3. Install the Online Backup integration module by running OnlineBackupAddin.wssx. Follow the wizard to complete the installation. After the installation wizard successfully completes, reopen the Dashboard. 4. A new tab named ONLINE BACKUP appears on the Windows Server Essentials Dashboard containing the common online backup/restore administrative tasks. It consists of the following sub-tabs: Online Backup : After you register the server for online backup, this section displays the current backup status, storage status, and account information. Protected Folders : Here you will find the list of all shared folders and File History folders on the server, and any other folders that you have selected to backup in Windows Azure. Backup History : This section would list recent backup and restore operations. Configuring the Server for Microsoft Azure backup To use Microsoft Azure Backup, you must sign up for a Microsoft Azure Account and then: Create a Backup Vault Upload a certificate Register your server Configure backup settings Creating a Backup vault 1. Login to Microsoft Azure Management Portal . 2. Click Recovery Services and then Click Create A New Vault . 3. Click Backup Vault , Click Quick Create , Name your vault and select your Region and then Click Create Vault . 4. Once the Vault is created Recovery Services would show the status as Active for the Backup Vault. Uploading certificate to the vault 1. Navigate to the ONLINE BACKUP tab on the Windows Server Essentials Dashboard . 2. Copy the path specified to the clipboard by clicking the highlighted icon in Step 1: Upload a Certificate . 3. Click Upload certificate to Windows Azure Backup vault . This would open Microsoft Azure Management Portal. Navigate to RECOVERY SERVICES and then click MANAGE CERTIFICATE . 4. Paste the certificate file path copied above in bullet 2 and upload it to the vault 5. Once the certificate is uploaded you would see the following at the bottom of the webpage. Registering your server 1. Navigate to the ONLINE BACKUP tab on the Windows Server Essentials Dashboard . 2. In the Online Backup page, click Register under Register your server section . 3. Choose the certificate that you want to use with the backup vault for your online backups. You may go with the default selection or choose a different one. 4. On the subsequent screen you need to enter a passphrase (keep this passphrase safe!). You will then get a notification that the server is registered. You may now close the wizard. Configuring the backup 1. To configure online backups, on the ONLINE BACKUP tab of the Windows Server Essentials Dashboard , click Configure under Configure backup settings . 2. On the Configure Online Backup wizard, select the folders you want to back up to Microsoft Azure. To include folders that are not shown in the list, click Add Folders . When you finish your selection, click Next . 3. Follow through the wizard to add File History backups, the schedule of the backup, backup retention policy and bandwidth consumption by the online backup. This completes the configuration and you are ready to use Microsoft Azure backup. As the backups are taken, you would start seeing the same in the Backup History page of the ONLINE BACKUP tab on the Windows Server Essentials Dashboard . You can see these backups on the Azure portal as well. We will seed a separate post to explore the Restore options for Microsoft Azure Backup on Windows Server 2012 R2 Essentials. Stay tuned!

Windows Server 2012 R2 Essentials Migration – Keys to Success

[Today's post comes to us courtesy of Ajay Sarkaria, Rituraj Choudhary, Harshal Charde and Sandeep Biswas from Global Business Support] The purpose of this post is to help you successfully migrate from a previous Windows Server SKU, Small Business Server SKU, or a Windows Server Essentials SKU current in Product Lifecycle to Windows Server 2012 R2 Essentials. If your business has up to 25 users and 50 devices, you may migrate to Windows Server 2012 R2 Essentials. If the count extends up to 100 users and 200 devices, to use the features empowered by Windows Server Essentials role, you must migrate to the Standard or Datacenter editions of Windows Server 2012 R2 and install the Windows Server Essentials Experience (ServerEssentials) role. The content on this blog extends from the content found at Prepare your Source Server for Windows Server 2012 R2 Essentials migration . Use the following annotated checklist to keep you on track. 1. Read through the Migration Guide before starting. Understand what setup will do for you and what you need to do manually. 2. Get hands-on experience with our Technical Training Series. Windows Server 2012 R2 Essentials technical training series now available on Microsoft Virtual Academy . 3. Join the Windows Server Essentials Forum . You might find an answer to a question you have, seek advice on your migration plan, or simply see what others have encountered that you might not have considered. 4. Practice a migration yourself in a test environment. This way you know what to expect. This also allows you to test the hardware and verify you have the necessary BIOS updates and drivers. 5. On the Source server, run the Best Practices Analyzer(s). Run the Best Practice Analyzer for the respective components, whether you are migrating from Windows Server or Windows Server Essentials or Small Business Server. Make sure to allow the BPA to get updates when first launching. Resolve any issues reported in the source environment ahead of time. Do not ignore Warnings as they might impact the migrations too. Know that SBS 2003 SP 1 is not the same as Windows 2003 SP 1 or SP 2. If you're migrating from Windows Small Business Server 2003 or Windows Server 2003, delete the Log on as a service account setting from Group Policy. 6. Plan your Messaging Deployment options. If your source domain has Exchange Server installed, depending on the source Exchange Server version, you will have to plan the future deployment of Exchange Server or Office 365. Windows Server 2012 R2 Essentials supports integration of On-Premises Exchange server or an Integration with Office 365 Subscription. Compare Office 365 for business plans 7. On the Source server, make sure the Active Directory is healthy. If there is only one DC, make sure the SYSVOL and NETLOGON shares are present. Also, check the File Replication Service event log to see if it is in Journal Wrap. The event below is an example of what to look for. Event Type: Error Event Source: NtFrs Event ID: 13568 Description: The File Replication Service has detected that the replica set “DOMAIN SYSTEM VOLUME (SYSVOL SHARE)” is in JRNL_WRAP_ERROR. If there are multiple domain controllers in the source environment, force an Active Directory replication between them in Active Directory Sites and Services and verify it is successful. You can also run the Microsoft IT Environment Health Scanner in the source environment to uncover any AD health issues. Microsoft IT Environment Health Scanner An unhealthy Active Directory can result in Windows Server 2012 R2 Essentials migration installation failure . 8. On the Source server, check the Primary group of the account you will use to install the Windows Server 2012 R2 Essentials server into the domain. Make sure the Primary group is set to something besides Domain Admins, Enterprise Admins, or Schema Admins. In the properties of the user account, click the Member Of tab, and at the bottom look for the Primary group. Make sure the Primary group IS NOT: Domain Admins or Enterprise Admins or Schema Admins. To change it, select Domain Users and click the Set Primary Group button. 9. Make sure the Admin account you are using for the migration has a STRONG password. Strong passwords must meet the following minimum requirements: Passwords cannot contain the user's account name or parts of the user's full name that exceed two consecutive characters. Passwords must be at least six characters in length. Passwords must contain characters from three of the following four categories: English uppercase characters (A through Z). English lowercase characters (a through z). Base 10 digits (0 through 9). Non-alphabetic characters (for example, !, $, #, %). 10. Install the samsrv.dll update from KB 939820 on all Windows 2003 domain controllers in your environment, including the SBS 2003. 939820 Events 1925, 1006, 1645, 1055, 40961 on a Windows Server 2008-based domain controller or error message: “No authority could be contacted for authentication” when you use Remote Desktop Connection . 11. Disable WSUS on Source domain prior to migration. If you have a deadline set for an update in WSUS that is past-due, your Windows Server 2012 R2 Essentials setup can fail when the update is automatically installed and the Windows Server 2012 R2 Essentials is rebooted. We recommend disabling WSUS on the source server for the duration of the migration. For this, on the source server, open IIS Manager, and stop the “ WSUS Administration ” site. 12. In the source domain, disable anything that may install software on machines added to the domain. Similar to the point above, your Windows Server 2012 R2 Essentials setup can fail if something outside of it initiates a server restart while it’s in the middle of its setup routine. Things to keep an eye out for: Logon Scripts Group Policy Remote Management Tools Devices like printers that may install a driver that requires a reboot. 13. Make a System State Backup of the source server. We recommend a full backup of the source, however at least a system state backup of the source server is required to recover from any failures that may be encountered during the migration. We recommend you use native Windows Server Backup. 14. Do not make any changes on the network. From now until the Windows Server 2012 R2 Essentials migration setup is complete, do not make any changes on the network. This is not a good time to be doing any of the following: Changing passwords Installing Software Removing Domain Controllers Changing out the network hardware Restoring servers Rebooting domain controllers Re-wiring the network 15. Check the “Log on as Batch job” user right assignment on the Default Domain Controllers group policy. Launch gpmc.msc Expand Forest, Domains, your domain, Domain Controllers, and select the Default Domain Controllers Policy. Click on the Settings tab and expand Computer Configuration, Policies, Windows Settings, Security Settings, Local Policies/User Rights Assignment. Find the “Log on as batch job” right, and make sure that you have an entry for BULTINAdministrators If you don't have that entry, do a right-click edit on top of the policy on the left pane, navigate to the location you just checked and edit the right to add the missing value. 16. Start the Migration Process Depending on the Target Operating System edition, Follow one of the below blogs: Deploying Windows Server 2012 R2 Essentials in an Existing Active Directory Environment Deploying Windows Server 2012 R2 Standard/Datacenter with Windows Server Essentials Experience role in an Existing Active Directory Environment On subsequent posts we will cover documentation and tips to help you recover if you have encountered an issue during or post migration.