I’ve been considering the idea of migrating customer systems from on-premise Windows Server 2003 SBS to Windows Server 2012 r2 Essentials hosted on Azure for a while now. For one reason or another I’ve stuck to on-premises deployments, mainly due to lack of decent internet connectivity at client sites.
I’ve just completed the first full migration to a fully Azure based infrastructure and it is working well. It was a good fit for this customer because:
- The old SBS 2003 server was due for replacement anyway.
- Despite only having six users they have a huge amount of email which was shifted to Office 365.
- They have closed their office premises and will be working from home based offices from now on.
- They have a small line of business application which needs a central server to run on.
- SSL VPN functionality of Essentials makes connectivity straightforward and cheap.
The main benefits of running Windows Server Essentials Experience in the cloud as I see it
- No hardware to purchase or maintain. The customer had a competitive quote from another IT service provider quoting for physical hardware, which was much more expensive. Cheaper for the customer/more competitive for the partner.
- Takes a very short time to get up an running, even in a migration scenario. I was able to start the work without waiting for a box to turn up.
- The server resources can be easily modified to suit customer requirements.
- The Azure edition of Windows Server Essentials Experience does not have any of the locks or limits of the on-premises edition as it is actually Windows Server 2012 r2 Datacenter edition.
- The SSL VPN functionality of Essentials Edition enables remote workers to connect and join to the domain without having to be on the same premises as with previous versions.
- The installation of Windows Server Essentials Experience from the Azure gallery is pre-customized to suit a cloud based deployment.
The good news is that if you have completed an on-premise migration to Windows Server Essentials, then the process of migrating to Azure is really not all that different.
Because the process is so similar and because there is so much documentation that already covers the migration procedure already this post is really only documenting the process that I went though and my thoughts on it where that process would differ from a regular on-premise migration.
Broadly speaking, I followed the procedure laid out on Technet here:
Create your Windows Server Essentials Virtual Machine, storage and network
Follow the instructions on this technet article to build your virtual resources within Azure.
For this deployment I have started with a “Small” virtual machine just to see how it runs, I may well increase it in the future.
I was really surprised at how good the performance of a Small Azure Virtual Machinee is, honestly I expected it to be diabolical, but actually it is perfectly adequate for a lot of tasks. There were a couple of parts of the setup procedure which could have used more resources though, so I did at one stage increase the virtual machine size temporarily.
In addition to the base disk I also added a 10Gb drive for storage of active directory and a 180Gb drive for data storage.
Linking the Azure virtual network linked to your on-premise LAN
This step is not strictly necessary as there are a number of different approaches you could take to move data from the on-premise network into Azure. But I chose to link the local network with the Azure virtual network using the Azure site-site VPN capability. This makes joining the new essentials server on to the existing domain easy and makes transferring data more simple.
In this case the customer had a Draytek router and I have written a separate post on how to create a site to site link between a Draytek and Microsoft Azure. There are lots of guides on the net that explain how to achieve the same thing with different router vendors.
In this scenario the link back to the local network will be removed when the migration is complete, but clearly this approach would work well for providing access to office based clients. In this instance the server will be accessed by clients using the SSTP VPN provided by Azure.
This is how the virtual network looked after transferring data from on-premise LAN to Azure:
Install the and configure Azure Powershell
You need to install the Azure Powershell in order to be able to assign your new virtual machine a Static Internal IP Address as all IPs in Azure are dynamic.
Follow the instructions here to install Azure Powershell:
Set a Static Internal IP address on your new Essentials VM
Because all VMs in Azure are assigned IP addresses automatically we need to ensure that the essentials server has a static IP address so that we can set that server as a DNS target for the virtual network. In Azure this is referred to as a DIP – I have no idea what the D in DIP stands for, so if anyone knows, please let me know!
This will allow the server itself, clients and other virtual machines to function properly within the AD domain.
Follow the instructions here:
Join the essentials server to the domain and promote to a domain controller.
You should now have everything in place to allow you to move forward and install Active Directory services and promote your new Windows Server Essentials virtual machine to a domain controller. Depending on the speed of your link this may take a while. For me it took around 20 minutes while AD was upgraded on the existing server and the Windows Essentials machine was rebooted.
At this stage you can continue with the migration just as if it were an on-premise deployment, you may need to plan well ahead if you have lots of data to transfer and do not have access to a fast internet connection to do it with.
For copying the data from the source system I just used Robocopy and was able to maintain at least 5Mb upload most of the time.
Allow anywhere access
Anywhere access is one of the things in Essentials that makes it work so well in Azure. The SSL-VPN means that you need only open ports 80 and 443, which I think is really neat..
A word of warning though, if you are migrating from SBS 2003, some of the existing group polices made it difficult for me to run the anywhere access wizard. If you get problems with the VPN wizard failing, see this post.
After you have successfully run the VPN wizard, you need to assign a static address pool in RRAS administrator. See this document for more details:
Add an additional UPN suffix to local domain(Optional)
I always like to add an additional UPN suffix the the local AD so that users can use the same sign-in information on 365 as their regular resources. See here…
Migrating from SBS 2003 to Office 365 and Azure hosted essentials is mostly straightforward. If I was migrating a system with so few users again then I would just fresh install and lose the existing AD, but this was a good opportunity to prove the concept as I will be moving some customer resouces with more sophisticated requirements and greater number of users in the near future and the process will be much the same.
I do have a confession to make though….
I am running Storagecraft Shadowprotect on the VM and sending the data out of Azure back to our own storage running in a co-lo facility near our offices. Why? This is the first real infrastructure that I have run in the cloud that is not on our own hardware where we have complete control over it, having the system backed up to our own servers makes me sleep well at night. Because the upload capacity of Azure is so good it hardly takes any time to run a Storagecraft Backup so I feel OK about it