Small Business Server 2011 migration issues

Here are some of the common issues I’ve run into on back to back migrations from Microsoft Small Business Server 2003 to Small Business Server 2011:

Error: Object not found when trying to migrate mailboxes from Exchange 2003
Solution: Add the SBS 2011 computer object to the “Exchange Domain Servers” group manually. Reboot SBS 2011 to complete the process.

Error: Trying to login to Outlook Web Access results in IIS server error 500
Solution: Ensure that the Microsoft Exchange Forms-Based Authentication service is started. One way to ensure this starts in the future is to modify the service to be Automatic (Delayed).

How To: Easiest way to migrate shares from SBS 2003 to SBS 2011
Ycopy (has a easy to use GUI interface)

How To: Migrating Recipient Policies and Address Lists
Get-EmailAddressPolicy | where {$_.RecipientFilterType -eq "Legacy"} | Set-EmailAddressPolicy -IncludedRecipients AllRecipients
Set-AddressList "All Users" -IncludedRecipients MailboxUsers
Set-AddressList "All Groups" -IncludedRecipients Mailgroups
Set-AddressList "All Contacts" -IncludedRecipients MailContacts
Set-AddressList "Public Folders" -RecipientFilter {RecipientType -eq "PublicFolder"}
Set-GlobalAddressList "Default Global Address List" -RecipientFilter {(Alias -ne $null -and (ObjectClass -eq 'user' -or ObjectClass -eq 'contact' -or ObjectClass -eq 'msExchSystemMailbox' -or ObjectClass -eq 'msExchDynamicDistributionList' -or ObjectClass -eq 'group' -or ObjectClass -eq 'publicFolder'))}

Outlook error: Cannot open default mail folders
Option 1. Verify the MS Exchange RPC Client Access service is running
Option 2. Set-RpcClientAccess –Server server_name –EncryptionRequired $False

Running Barracuda Spam and Virus Firewall 300 out of Hyper-V

First of all, thanks very much to this blog: without it, I wouldn’t have been able to get as far as I did. Anyways, now on to virtualizing a Barracuda Spam and Virus Firewall–

Things you will need:
1. Barracuda E-mail Spam Filter
2. Windows 2008 R2 Hyper-V server (VMWare probably works too… only thing I wouldn’t be sure of is how VMware portrays the mount points and what drivers it uses for legacy network adapters)
3. Acronis True Image (or similar bootable “ghosting” media)

The first step is to make an image of a Barracuda. Using the BIOS code from the aforementioned blog, login to the BIOS of the Barracuda and enable Boot from CD as the first boot option. Then connect a USB CD-ROM drive with Acronis True Image. Also connect a USB hard drive with enough space to accommodate at least 32GB worth of data.

Create the TIB image of the entire drive. Remove the USB drive when you are done and connect it to your Windows 2008 R2 Hyper-V server. Create a new virtual machine with 1 CPU, about 1GB RAM (my 300 only came with 512mb… max 2GB according to the motherboard specifications) and a legacy adapter. I also turned on Windows NT CPU support just to play it safe. Remove the SCSI controller and create a fixed 32gb VHD for the OS. Attach an ISO of Acronis True Image and boot the VM to Acronis.

I created a second VHD in the host OS and copied the TIB file into it, then mounted the VHD as a secondary IDE drive. This was the easiest way to get the VM to restore the TIB file… plus at any time I can reboot into Acronis and reimage my system.

Restore the image and reboot. You will want to follow the steps from the previously mentioned blog to gain root access. This is necessary to make the network card work. Once you have root access, modify the /etc/modules.conf file. Change the eth0 alias to use “tulip” instead of “via-rhine.” Type modprobe tulip to verify, then ifconfig to double check eth0 is now available.

This is a great way to avoid having to purchase instant replacement, and in a suitable backup environment… disaster recovery is a breeze if you backup your virtual machines for instant disaster recovery. Creating the image doesn’t void the warranty as long as you can avoid opening the case. However, if you ever experience problems… hopefully they don’t notice your hardware specs 🙂 I’m not sure how much lspci differs from appliance to virtual machine, I haven’t gotten that deep into it yet.

Just an FYI, if you ever need to manually update firmware because the web interface is broken… look for /home/emailswitch/code/firmware/current/bin/ and run with the argument “firmware”

i.e. ./ firmware

Add -c at the end to perform a check only.

Just about every function of the web site is a perl script… doing some cat/grep operations on the index.cgi should help you out if you are ever in a bind.

Lab in a Box

If you are on a budget, but you have a Cisco PIX 515, Cisco layer-3 switch (I’m using a 3550) and a HP DL/ML 3-series server, you can create an entire lab with just these three devices. Obviously, it doesn’t have to be Cisco or HP… but as long as the Firewall supports trunking and VLAN subinterfaces, the switch supports VRF routing and the server supports trunking/vlans, then you should be able to modify this to work for any setup accordingly.

Lets start with the core switch, here is relevant config from the 3550 I’m using:

ip vrf INET
rd 2600:2
route-target export 2600:2
ip vrf NET1
rd 2600:3
route-target export 2600:3
ip vrf NET2
rd 2600:4
route-target export 2600:4

interface FastEthernet0/1
description Trunk to HP Server
switchport trunk encapsulation dot1q
switchport trunk allowed vlan 2-4
switchport mode trunk
no ip address
spanning-tree portfast

interface FastEthernet0/10
description Uplink to PIX Outside
switchport access vlan 2
switchport mode access
no ip address
spanning-tree portfast

interface FastEthernet0/11
description Trunk to PIX Inside
switchport trunk encapsulation dot1q
switchport trunk allowed vlan 3-5
switchport mode trunk
no ip address
spanning-tree portfast

interface Vlan2
description LAB-INET
ip vrf forwarding INET
ip address

interface Vlan3
description LAB-NET1
ip vrf forwarding NET1
ip address

interface Vlan4 description LAB-NET2
ip vrf forwarding NET2
ip address

ip route vrf NET1
ip route vrf NET2

Here is the relevant config on the Cisco PIX:

interface Ethernet0
nameif outside
security-level 0
ip address

interface Ethernet1
no nameif
security-level 100
no ip address

interface Ethernet1.10
vlan 3
nameif inside-net1
security-level 100
ip address

interface Ethernet1.20
vlan 4
nameif inside-net2
security-level 100
ip address

access-list OUTSIDE_IN extended permit ip any any

global (outside) 6
global (outside) 7

nat (inside-net1) 6
nat (inside-net2) 7

access-group OUTSIDE_IN in interface outside

route outside 1

On the HP server, configure the trunk interface to have vlan 1, vlan 2, vlan 3 and vlan 4 (name the interfaces appropriately, assign them IP addresses). I used the following IPs:

vlan 1 (n/a)

vlan 2

vlan 3

vlan 4

Then, on the HP server install VMWare Server (free). Configure the VM networks to be bridged to vlan 2, 3 and 4.

Provision a virtual server on each interface and assign a corresponding bridged network.

You now have an “internet” server and two “private” servers behind NAT. On the “internet” server, setup DNS and assign the other servers to use it for DNS.

To test that I had NAT and firewall working properly, I installed IIS on each server and configured a host header and the appropriate DNS A records on the “internet” server.

I set each website to use index.asp (enabled ASP first) and used the following code:

<title>Teh Interwebs</title>
Welcome to teh interwebs.
Your IP Address = <%=Request.ServerVariables("REMOTE_ADDR")%>

You should be able to hit each website and have the correct “WAN” IP address display on each website. If you can successfully hit the “internet” from each server, and each server from the “internet” then you have a working setup. You can now dcpromo, install Exchange… do whatever it is that you want to test. Modify my setup slightly, and you can test DMZ configurations, among other things.