Migrate SBS 2008 Domain to Windows 2008

Migrate SBS 2008 to Windows 2008 Server

Step 1: Backup the SBS 2008 Box (Make sure SBS 2008 is in Healthy State)

Step 2: Introduce Windows 2008 to the SBS 2008 Domain
Use the below link to make it an additional domain controller in the same domain as SBS 2008
Installing an Additional Domain Controller

Step 3: Introduce another Windows 2008 as a member server
* Install Windows 2008 on another new box
* This Windows 2008 server will be used for the Exchange Server 2007 installation, because it is not recommended to run Exchange on a domain controller
* Use the below link to make this Windows 2008 box a member server and join it to the SBS 2008 domain

Introduce a Windows Server 2008-Based Member Server

Join a Domain from a Workgroup

Step 4: Install Exchange 2007 on the Windows 2008 member server
* Install Exchange 2007 on the Windows 2008 member server

How to Perform a Typical Installation Using Exchange Server 2007 Setup

Step 5: Remove POP3 connectors from SBS 2008 because these are not supported in Exchange 2007

Step 6: Public Folder Replication from SBS 2008 to Exchange 2007
* Start replicating the public folders between the Exchange 2007 that is part of SBS 2008 and the standalone Exchange 2007 server

How to Configure Public Folder Replication

* After the public folders have replicated, move the public folder content

How to Move Public Folder Content from one Public Folder Database to Another Public Folder Database

Step 7: Move Offline Address Book from SBS 2008 to Exchange 2007
How to Move the Offline Address Book Generation Process to another Server

Step 8: Move Mailboxes from SBS 2008 to Exchange 2007
How to Move a Mailbox Within a Single Forest

Step 9: Similarly, all other server data (WSS, WSUS, SQL) can be moved to the standalone server.

Step 10: Transfer the FSMO roles

* Transfer the FSMO roles to the Windows 2008 server that is running as an additional domain controller.
* From this point on, you have 7 days to complete the migration.

Using Ntdsutil.exe to transfer or seize FSMO roles to a domain controller

Step 11: Uninstall Exchange 2007
How to Completely Remove Exchange 2007 from a Server

Step 12: Demote the SBS 2008 as a domain controller
Demote a domain controller

Step 13: Format the SBS 2008 box
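As an added example (not part of the original notes), a PowerShell check to run before Step 12: it confirms that none of the five FSMO roles is still held by the SBS box and, when run from the Exchange Management Shell, that no mailboxes remain on it. The server names SBS2008 and DC01 are assumed placeholders; it uses only .NET DirectoryServices classes, so it works on Server 2008 without the ActiveDirectory module.

```powershell
# Added example: verify the SBS 2008 box no longer holds any FSMO role (Step 10)
# before demoting it (Step 12). Names below are assumptions for this example.
param(
    [string]$OldServer = "SBS2008",   # assumed name of the SBS 2008 box
    [string]$NewDc     = "DC01"       # assumed name of the additional Windows 2008 DC
)

function Get-FsmoRoleOwners {
    $domain = [System.DirectoryServices.ActiveDirectory.Domain]::GetCurrentDomain()
    $forest = [System.DirectoryServices.ActiveDirectory.Forest]::GetCurrentForest()
    # Hashtable of role name -> FQDN of the DC that currently holds it
    @{
        "SchemaMaster"         = $forest.SchemaRoleOwner.Name
        "DomainNamingMaster"   = $forest.NamingRoleOwner.Name
        "PdcEmulator"          = $domain.PdcRoleOwner.Name
        "RidMaster"            = $domain.RidRoleOwner.Name
        "InfrastructureMaster" = $domain.InfrastructureRoleOwner.Name
    }
}

$owners = Get-FsmoRoleOwners
$stillOnOld = @()
foreach ($role in $owners.Keys) {
    $holder = $owners[$role]
    "{0,-22} {1}" -f $role, $holder
    # Compare on the host label only, because .Name is a fully qualified name
    if ($holder.Split(".")[0] -ieq $OldServer) { $stillOnOld += $role }
}

if ($stillOnOld.Count -gt 0) {
    Write-Warning ("Roles still on {0}: {1}. Transfer them to {2} with ntdsutil before demoting." -f `
        $OldServer, ($stillOnOld -join ", "), $NewDc)
    exit 1
}

# If run from the Exchange Management Shell, also confirm that no mailboxes are
# left on the old server (Step 8) before Exchange is uninstalled there (Step 11).
if (Get-Command Get-Mailbox -ErrorAction SilentlyContinue) {
    $left = @(Get-Mailbox -Server $OldServer -ResultSize Unlimited)
    if ($left.Count -gt 0) {
        Write-Warning ("{0} mailbox(es) still on {1}; move them first." -f $left.Count, $OldServer)
        exit 1
    }
}
"All FSMO roles are off $OldServer; safe to proceed with demotion."
exit 0
```

Run it as a domain administrator on the new DC; a non-zero exit code means the migration is not yet ready for Step 12.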


Universal groups, global groups, domain local groups

AD Group types: universal groups, global groups, domain local groups


Distribution Groups - Used for email. Useful for programs such as MS Exchange.
Security Groups - Used to secure files/folders, printers, etc.

Local – Stored on the local SAM (Local Computers)
Domain Local – Stored on Domain Controllers.
Global Groups – Gives you a greater group scope.
Universal – Gives you an even broader group scope.

Group Scopes

Group scope describes which users can be grouped together so that they are easy to administer; groups therefore play an important part in a domain. One group can be a member of other group(s), which is known as group nesting. One or more groups can be members of any group in the entire domain (or domains) within a forest.

  • Domain Local Group: Use this scope to grant permissions to domain resources that are located in the same domain in which the domain local group was created. Domain local groups can exist at all mixed, native and interim functional levels of domains and forests. Domain local group membership is not limited: user accounts, universal groups and global groups from any domain can be added as members. A domain local group cannot be nested: it will not be a member of another domain local group or of any other group in the same domain.
  • Global Group: Users with similar functions can be grouped under the global scope and given permission to access a resource (such as a printer, shared folder or files) in the local domain or in another domain of the same forest. Simply put, global groups can be used to grant access to resources located in any domain of a single forest, because their membership is limited: user accounts and global groups can be added only from the domain in which the global group was created. Global groups can be nested within other groups, since a global group can be added to another global group from any domain. They can be members of a domain local group to grant permission to domain-specific resources (such as printers and published folders). Global groups exist at all mixed, native and interim functional levels of domains and forests.
  • Universal Group Scope: These groups are used chiefly for email distribution and can be granted access to resources in all trusted domains, because they can be used as a security principal (security group type) only at the Windows 2000 native or Windows Server 2003 domain functional level. Universal group membership is not limited the way global group membership is: all domain user accounts and groups can be members of a universal group. Universal groups can be nested under a global or domain local group in any domain.

Universal Group: can contain users and groups (global and universal) from any domain in the forest.  Universal groups do not care about trust.  Universal groups can be a member of domain local groups or other universal groups but NOT global groups.

Global Group: can contain users, computers and groups from same domain but NOT universal groups.  Can be a member of global groups of the same domain, domain local groups or universal groups of any domain in the forest or trusted domains.

Domain Local Group:  Can contain users, computers, global groups and universal groups from any domain in the forest and any trusted domain, and domain local groups from the same domain.  Can be a member of any domain local group in the same domain.

The short answer is that domain local groups are the only groups that can have members from outside the forest. Use global groups if you have trust, and universal groups if you don't care about trust.

When do we need to use local, global and universal group permission?

Use global security groups to group user (or computer) accounts with similar characteristics, for example members of the Sales department.

Use domain local security groups to define access to resources (share, NTFS, printer).
For example, you would create a domain local group "DL ColorPrinter Print" and assign print permission to it. Then you would put the global security group Sales into "DL ColorPrinter Print" to enable printing for the sales department. If the marketing department wants to use the same printer, you create a global group Marketing and put it in "DL ColorPrinter Print" as well. This strategy is called A-G-DL-P: put accounts in global groups, global groups in domain local groups, and assign permissions to domain local groups, so that you assign each permission only once. Everything else happens in Active Directory Users and Computers when you modify group memberships.

Universal groups should only be used in a multiple-domain forest. Universal groups are used to nest global groups; the group strategy is then called A-G-U-DL-P.

In short, the details are below:

Global Groups:
Use these to group users with similar needs within the organisation: sales people, finance people, managers, etc.

Domain Local Groups:
Use these to specify access to resources e.g. database users, Colour Printer Users.

Universal Groups:
Use only in multiple domains to give forest-wide privileges.
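The A-G-DL-P strategy described above, as an added PowerShell example that is not part of the original notes: it creates the global and domain local groups, nests them, grants the permission once to the domain local group, and then audits for user accounts placed directly in domain local groups, which bypasses the G layer. Assumed: the ActiveDirectory module (RSAT / Server 2008 R2 or later), the NetBIOS domain CONTOSO, the OU and folder path shown, and a user named jdoe; the resource is an NTFS folder rather than the page's printer, since the page lists share, NTFS and printer as equivalent targets.

```powershell
# Added example: A-G-DL-P in PowerShell, followed by an audit of the pattern.
# All names here are assumptions for the example, not values from the notes.
Import-Module ActiveDirectory

$ou     = "OU=Groups,DC=contoso,DC=com"   # assumed OU that will hold the groups
$domain = "CONTOSO"                       # assumed NetBIOS domain name
$share  = "D:\SalesShare"                 # assumed resource (an NTFS folder)

# A -> G: a global security group collects accounts with a common role
New-ADGroup -Name "Sales" -GroupScope Global -GroupCategory Security -Path $ou
Add-ADGroupMember -Identity "Sales" -Members "jdoe"   # assumed user account

# DL: a domain local security group names one access right on one resource
New-ADGroup -Name "DL SalesShare Modify" -GroupScope DomainLocal -GroupCategory Security -Path $ou

# G -> DL: nest the global group; a second department is added the same way
Add-ADGroupMember -Identity "DL SalesShare Modify" -Members "Sales"

# DL -> P: the permission is granted exactly once, to the domain local group
# (Modify, inherited by subfolders and files). Real icacls syntax; path is assumed.
icacls $share /grant "${domain}\DL SalesShare Modify:(OI)(CI)M"

# Audit: domain local groups should contain groups, never user accounts directly.
# A user placed straight into a DL group would need re-granting on every resource.
function Find-DirectUserMembersInDomainLocalGroups {
    Get-ADGroup -Filter 'GroupScope -eq "DomainLocal"' -SearchBase $ou |
        ForEach-Object {
            $g = $_
            Get-ADGroupMember -Identity $g |
                Where-Object { $_.objectClass -eq "user" } |
                ForEach-Object {
                    New-Object PSObject -Property @{ Group = $g.Name; User = $_.SamAccountName }
                }
        }
}

# Any output row is a violation of A-G-DL-P worth fixing in ADUC
Find-DirectUserMembersInDomainLocalGroups | Format-Table Group, User -AutoSize
```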