Rules for Windows Server 2012 Essentials Migration Preparation Tool

Summary

This article describes the rules for the Windows Server 2012 Essentials Migration Preparation Tool and the actions that you must take if those rules are violated.

More Information

Rule 1

Rule: MyBusiness OU is not found on the Windows SBS server
Severity: Error
Description: MyBusiness OU and its structure do not exist on the migration source server. Go to http://support.microsoft.com/kb/2908959 to create the structure.

This rule checks whether the MyBusiness organizational unit (OU) structure is present on the migration source server. This rule applies only to migration source servers that are running Windows Small Business Server 2003 or Windows Small Business Server 2008.

Actions to take if this rule is violated

To resolve this rule violation, re-create the MyBusiness OU manually. To do this, follow these steps:

After you finish these steps, you should have a structure that resembles the following:

Rule 2

Rule: User accounts are not trusted for delegation
Severity: Error
Description: The Administrators group must be trusted for delegation in default domain controllers policy. Go to http://support.microsoft.com/kb/2908959 for more details.

This rule checks whether the "Enable computer and user accounts to be trusted for delegation" user right in the Default Domain Controllers Group Policy Object (GPO) applies to the Administrators group on the migration source server.

Actions to take if this rule is violated

To resolve this rule violation, edit the Default Domain Controllers GPO. To do this, follow these steps:
  1. Start the Group Policy Management Console (Gpmc.msc).
  2. Expand the Group Policy Objects container.
  3. Right-click Default Domain Controllers Policy, and then click Edit.
  4. Expand Computer Configuration, expand Windows Settings, expand Security Settings, expand Local Policies, and then expand User Rights Assignment.
  5. Under User Rights Assignment, locate and then double-click Enable Computer and user accounts to be trusted for delegation.
  6. Make sure that the Define these policy settings check box is selected.
  7. Click Add User or Group, add the Administrators group, and then click OK.
  8. Refresh Group Policy on the server. To do this, at a command prompt, type the following command, and then press Enter: 
    gpupdate /force
After you finish these steps, you should have Group Policy settings that resemble the following:
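
The same setting can be checked from the GPO's security template (GptTmpl.inf) without opening the console. The following is an added example, not part of the original article: it parses the [Privilege Rights] section and reports whether Administrators holds SeEnableDelegationPrivilege and who else does. The function names and sample templates are assumptions made for illustration.

```python
# Added example: audit the [Privilege Rights] section of a GptTmpl.inf export.
# The file on SYSVOL is normally UTF-16; read it with
# open(path, encoding="utf-16").read() before passing the text in.
ADMINS_SID = "S-1-5-32-544"   # well-known SID of BUILTIN\Administrators
RIGHT = "SeEnableDelegationPrivilege"

def privilege_holders(inf_text, right=RIGHT):
    """Return the principals granted `right`, or None if the GPO does not define it."""
    section = ""
    for raw in inf_text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
        elif section == "privilege rights" and "=" in line:
            name, _, value = line.partition("=")
            if name.strip().lower() == right.lower():
                # SIDs are written as *S-1-...; unresolved names appear bare.
                return [p.strip().lstrip("*") for p in value.split(",") if p.strip()]
    return None

def check_rule2(inf_text):
    """Summarise whether Administrators holds the delegation right in this template."""
    holders = privilege_holders(inf_text)
    if holders is None:
        return {"defined": False, "administrators": False, "others": []}
    is_admins = lambda p: p.upper() == ADMINS_SID or p.lower() == "administrators"
    return {
        "defined": True,
        "administrators": any(is_admins(p) for p in holders),
        # Anyone else holding this right deserves review: it lets the holder
        # mark accounts as trusted for delegation.
        "others": [p for p in holders if not is_admins(p)],
    }

# Constructed sample templates (not taken from a real server).
GOOD = """[Unicode]
Unicode=yes
[Privilege Rights]
SeBackupPrivilege = *S-1-5-32-544,*S-1-5-32-551
SeEnableDelegationPrivilege = *S-1-5-32-544
"""
EMPTY = "[Privilege Rights]\nSeEnableDelegationPrivilege =\n"
EXTRA = "[Privilege Rights]\nSeEnableDelegationPrivilege = *S-1-5-32-544,*S-1-5-21-1111-2222-3333-1105\n"

if __name__ == "__main__":
    for name, text in (("GOOD", GOOD), ("EMPTY", EMPTY), ("EXTRA", EXTRA)):
        print(name, check_rule2(text))
```

A result with "defined" set to False corresponds to the Define these policy settings check box being cleared in step 6.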

Rule 3

This rule adds the following sub-rules to Active Directory Health Check. 

Sub-rule 1

Rule: Some FSMO roles are missing on the source Windows SBS server
Severity: Error
Description: Some FSMO roles are missing on the source Windows SBS server. Go to http://support.microsoft.com/kb/2908959 for more information.

This sub-rule checks whether all the operations master roles (also known as flexible single master operations or FSMO) are present on the migration source server. This sub-rule applies only to migration source servers that are running Windows Small Business Server 2003 or Windows Small Business Server 2008.

Actions to take if this sub-rule is violated

To resolve this sub-rule violation, transfer any operations master roles that are not owned by the computer that is running Windows Small Business Server back to that computer. To do this, follow these steps.

Note Windows Small Business Server must hold all the operations master roles.  
  1. Verify which operations master roles are held by Windows Small Business Server. To do this, at a command prompt, type the following command, and then press Enter:
    NETDOM QUERY FSMO
  2. At an administrative command prompt, type NTDSUTIL, and then press Enter.
  3. Type activate instance NTDS, and then press Enter.

    Note This command is required only in Windows Small Business Server 2008. 
  4. Type roles, and then press Enter.
  5. Type connections, and then press Enter.
  6. Type connect to server <servername>, and then press Enter.

    Note In this command, the placeholder <servername> represents the name of the computer that is running Windows Small Business Server. 
  7. At the server connections prompt, type q, and then press Enter.
  8. Type seize PDC, press Enter, and then click Yes in the Role Seizure Confirmation dialog box.
  9. Type seize infrastructure master, press Enter, and then click Yes in the Role Seizure Confirmation dialog box.
  10. Type seize naming master, press Enter, and then click Yes in the Role Seizure Confirmation dialog box.
  11. Type seize RID master, press Enter, and then click Yes in the Role Seizure Confirmation dialog box.
  12. Type seize schema master, press Enter, and then click Yes in the Role Seizure Confirmation dialog box.
  13. Type q, and then press Enter until you return to the command prompt.
Note You have to transfer only the roles that are not held by Windows Small Business Server. Therefore, you may not have to run all the commands in these steps.
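
Because only the roles that Windows Small Business Server does not already hold need the corresponding step, it helps to work that list out from the step 1 output first. The following is an added example, not part of the original article: it parses saved NETDOM QUERY FSMO output and returns the roles held elsewhere, named as they are typed in the ntdsutil steps. The label spellings for English output, the host names and the function names are assumptions.

```python
import re

# NETDOM label (lower case) -> role name as typed in the ntdsutil steps above.
# Assumption: English output; older builds print "owner"/"role" style labels.
LABELS = {
    "schema master": "schema master", "schema owner": "schema master",
    "domain naming master": "naming master", "domain role owner": "naming master",
    "pdc": "PDC", "pdc role": "PDC",
    "rid pool manager": "RID master",
    "infrastructure master": "infrastructure master",
    "infrastructure owner": "infrastructure master",
}
ALL_ROLES = ["PDC", "infrastructure master", "naming master", "RID master", "schema master"]

def parse_fsmo(output):
    """Map each recognised role to the lower-cased host name that holds it."""
    holders = {}
    for line in output.splitlines():
        # "<label><two or more spaces><host>"; the trailing status line has no such gap.
        m = re.match(r"\s*(.+?)\s{2,}(\S+)\s*$", line)
        if m and m.group(1).lower() in LABELS:
            holders[LABELS[m.group(1).lower()]] = m.group(2).lower().rstrip(".")
    return holders

def roles_not_on(output, sbs_server):
    """Return (role, current_holder) pairs for roles the SBS server does not hold.

    A holder of None means the role was not found in the output at all.
    """
    want = sbs_server.lower().rstrip(".")
    holders = parse_fsmo(output)
    missing = []
    for role in ALL_ROLES:
        owner = holders.get(role)
        # Accept either the FQDN or the bare host name for sbs_server.
        if owner is None or (owner != want and owner.split(".")[0] != want):
            missing.append((role, owner))
    return missing

# Constructed sample output (host names are placeholders).
SAMPLE_2008 = """Schema master               sbs01.contoso.local
Domain naming master        sbs01.contoso.local
PDC                         sbs01.contoso.local
RID pool manager            dc02.contoso.local
Infrastructure master       dc02.contoso.local
The command completed successfully.
"""

if __name__ == "__main__":
    for role, owner in roles_not_on(SAMPLE_2008, "SBS01"):
        print(f"{role}: held by {owner}")
```

An empty result means that the server already holds all five roles and steps 2 through 13 can be skipped.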

Sub-rule 2

Rule: Active Directory replication is disabled on the server
Severity: Error
Description: Active Directory replication is disabled on the server. Go to http://support.microsoft.com/kb/2908959 for more information.

This sub-rule checks whether Active Directory replication is disabled on the migration source server.

Actions to take if this sub-rule is violated

Active Directory replication is most frequently disabled because an unsupported restore operation was performed in Active Directory. This operation puts the server into a "USN rollback" state. To resolve the USN rollback issue, see How to detect and recover from a USN rollback.

There are other potential causes of this issue. Therefore, you must review the Directory Services log to determine the cause and then resolve the issue appropriately. To manually re-enable Active Directory replication, at a command prompt, type the following command, and then press Enter:
    repadmin /options localhost -DISABLE_OUTBOUND_REPL -DISABLE_INBOUND_REPL
Note Before you run this command, make sure that the initial replication issue is resolved. If you do not do this, you will have only a single domain controller remaining after you run the command.

Sub-rule 3

Rule: Error is found in DNS Zone <DNS zone name>
Severity: Error
Description: DNS zone <DNS zone name> does not exist. Migration will fail without fixing this issue. Go to http://support.microsoft.com/kb/2908959 for more details.

This sub-rule checks whether the DNS zone name exists on the migration source server.

Actions to take if this sub-rule is violated

To resolve this sub-rule violation, re-create the DNS zone. To do this, follow these steps:
  1. Open DNS Management Console.
  2. Right-click Forward Lookup Zones, and then click New Zone.
  3. On the Welcome page of the New Zone Wizard, click Next.
  4. Click Primary Zone, and then make sure that the Store the zone in Active Directory check box is selected.
  5. Set the replication scope to include all domain controllers in the Active Directory domain.
  6. In Zone name, enter the Active Directory domain name (for example, contoso.local).
  7. Set the dynamic update option to Allow only secure dynamic updates.
  8. Click Finish to create the zone.

Sub-rule 4

Rule: Error is found in DNS Zone <DNS zone name>
Severity: Error
Description: DNS zone <DNS zone name> is not Active Directory–integrated. Migration will fail without fixing this issue. Go to http://support.microsoft.com/kb/2908959 for more details.

This sub-rule checks whether the DNS zone is integrated with Active Directory on the migration source server.

Actions to take if this sub-rule is violated

To resolve this sub-rule violation, integrate the DNS zone with Active Directory. To do this, follow these steps:
  1. Open DNS Management Console.
  2. Expand Forward Lookup Zones.
  3. Right-click the zone that corresponds to your Active Directory domain name, and then click Properties.
  4. On the General tab, make sure that the Type setting is set to Active Directory-Integrated and that the Dynamic updates setting is set to Secure only, as shown in the following screen shot: 
  5. On the Name Servers tab, make sure that the source server IP address is listed and that the list contains only the IP addresses of valid working internal DNS servers. Remove any IP addresses that are not valid.

Sub-rule 5

Rule: Error is found in DNS Zone <DNS zone name>
Severity: Error
Description: In DNS zone <DNS zone name>, name server records in the msdcs subdomain do not point to a domain controller. Migration will fail without fixing this issue. Go to http://support.microsoft.com/kb/2908959 for more details.

This sub-rule checks whether the server records in the msdcs subdomain of the DNS zone point to a domain controller on the migration source server.

Actions to take if this sub-rule is violated

To resolve this sub-rule violation, point all name server records to a domain controller. To do this, follow these steps:
  1. Verify the DNS zone configuration. To do this, follow these steps:
    1. Open DNS Management Console.
    2. Expand Forward Lookup Zones.
    3. Expand the zone that corresponds to your Active Directory domain name.

      DNS Management Console
    4. Right-click the _msdcs subdomain, and then click Properties.

      _MSDCS Properties
    5. On the Name Servers tab, make sure that the list contains only the domain controllers in the domain. Remove any records that are not valid.
  2. Check the DNS Namespace in WMI. To do this, follow these steps:
    1. Start Windows Management Instrumentation (WMI) Tester (Wbemtest).
    2. Click Connect.
    3. Type root\microsoftdns in the Namespace text box.
    4. Click Connect.

    If it connects, the issue is probably caused by the configuration in the DNS zones or delegation. If you receive an error dialog box as shown in the following screen shot, make a backup of the WMI repository, and then repeat steps 2A through 2D (substeps 1 through 4 of step 2). If it connects successfully, press the Scan again button in the Migration Preparation Tool.

    Namespace error

    To make a backup of the WMI repository, follow these steps:
    1. Start wmimgmt.msc.
    2. Right-click WMI Control (Local), and then click Properties.
    3. Click the Backup/Restore tab, and then click Back Up Now.
    4. Enter a file name, and then click Save.
    5. At an elevated command prompt, execute the following commands:
      cd %systemroot%\system32\wbem
      mofcomp dnsprov.mof
      The following screen shot shows a successful output of the commands:
      Mofcomp output

Sub-rule 6

Rule: Error is found in DNS Zone <DNS zone name>
Severity: Error
Description: In DNS zone <DNS zone name>, your local server is not in the name server records. Migration will fail without this record. Go to http://support.microsoft.com/kb/2908959 for more details.

This sub-rule checks whether the local server is in the name server records on the migration source server.

Actions to take if this sub-rule is violated

To resolve this sub-rule violation, integrate the DNS zone with Active Directory. To do this, follow these steps:
  1. Open DNS Management Console.
  2. Expand Forward Lookup Zones.
  3. Expand the zone that corresponds to your Active Directory domain name.

    DNS Management Console
  4. Right-click the _msdcs subdomain, and then click Properties.

    _MSDCS Properties
  5. On the Name Servers tab, make sure that the source server is listed.
Properties

Article ID: 2908959 - Last Review: 20 Nov 2013 - Revision: 1
