Migrating from SBS 2003 to Windows Server 2012 r2 Essentials in Azure

I’ve been considering the idea of migrating customer systems from on-premise Windows Server 2003 SBS to Windows Server 2012 r2 Essentials hosted on Azure for a while now. For one reason or another I’ve stuck to on-premises deployments, mainly due to lack of decent internet connectivity at client sites.

I’ve just completed the first full migration to a fully Azure based infrastructure and it is working well. It was a good fit for this customer because:

  • The old SBS 2003 server was due for replacement anyway.
  • Despite only having six users they have a huge amount of email which was shifted to Office 365.
  • They have closed their office premises and will be working from home based offices from now on.
  • They have a small line of business application which needs a central server to run on.
  • SSL VPN functionality of Essentials makes connectivity straightforward and cheap.

The main benefits of running Windows Server Essentials Experience in the cloud as I see it

  • No hardware to purchase or maintain. The customer had a competitive quote from another IT service provider quoting for physical hardware, which was much more expensive. Cheaper for the customer/more competitive for the partner.
  • Takes a very short time to get up an running, even in a migration scenario. I was able to start the work without waiting for a box to turn up.
  • The server resources can be easily modified to suit customer requirements.
  • The Azure edition of Windows Server Essentials Experience does not have any of the locks or limits of the on-premises edition as it is actually Windows Server 2012 r2 Datacenter edition.
  • The SSL VPN functionality of Essentials Edition enables remote workers to connect and join to the domain without having to be on the same premises as with previous versions.
  • The installation of Windows Server Essentials Experience from the Azure gallery is pre-customized to suit a cloud based deployment.

The good news is that if you have completed an on-premise migration to Windows Server Essentials, then the process of migrating to Azure is really not all that different.

Because the process is so similar and because there is so much documentation that already covers the migration procedure already this post is really only documenting the process that I went though and my thoughts on it where that process would differ from a regular on-premise migration.

Broadly speaking, I followed the procedure laid out on Technet here:


Create your Windows Server Essentials Virtual Machine, storage and network

Follow the instructions on this technet article to build your virtual resources within Azure.


For this deployment I have started with a “Small” virtual machine just to see how it runs, I may well increase it in the future.

I was really surprised at how good the performance of a Small Azure Virtual Machinee is, honestly I expected it to be diabolical, but actually it is perfectly adequate for a lot of tasks. There were a couple of parts of the setup procedure which could have used more resources though, so I did at one stage increase the virtual machine size temporarily.

In addition to the base disk I also added a 10Gb drive for storage of active directory and a 180Gb drive for data storage.

Linking the Azure virtual network linked to your on-premise LAN

This step is not strictly necessary as there are a number of different approaches you could take to move data from the on-premise network into Azure. But I chose to link the local network with the Azure virtual network using the Azure site-site VPN capability. This makes joining the new essentials server on to the existing domain easy and makes transferring data more simple.

In this case the customer had a Draytek router and I have written a separate post on how to create a site to site link between a Draytek and Microsoft Azure. There are lots of guides on the net that explain how to achieve the same thing with different router vendors.

In this scenario the link back to the local network will be removed when the migration is complete, but clearly this approach would work well for providing access to office based clients. In this instance the server will be accessed by clients using the SSTP VPN provided by Azure.

This is how the virtual network looked after transferring data from on-premise LAN to Azure:

Screenshot of Azure Virtual Network after data transfer from on-premise network

Install the and configure Azure Powershell

You need to install the Azure Powershell in order to be able to assign your new virtual machine a Static Internal IP Address as all IPs in Azure are dynamic.

Follow the instructions here to install Azure Powershell:


Installation of Azure Powershell Modules using the Web Platform Installer

Set a Static Internal IP address on your new Essentials VM

Because all VMs in Azure are assigned IP addresses automatically we need to ensure that the essentials server has a static IP address so that we can set that server as a DNS target for the virtual network. In Azure this is referred to as a DIP – I have no idea what the D in DIP stands for, so if anyone knows, please let me know!

This will allow the server itself, clients and other virtual machines to function properly within the AD domain.

Follow the instructions here:


Join the essentials server to the domain and promote to a domain controller.

You should now have everything in place to allow you to move forward and install Active Directory services and promote your new Windows Server Essentials virtual machine to a domain controller. Depending on the speed of your link this may take a while. For me it took around 20 minutes while AD was upgraded on the existing server and the Windows Essentials machine was rebooted.

At this stage you can continue with the migration just as if it were an on-premise deployment, you may need to plan well ahead if you have lots of data to transfer and do not have access to a fast internet connection to do it with.

For copying the data from the source system I just used Robocopy and was able to maintain at least 5Mb upload most of the time.

Allow anywhere access

Anywhere access is one of the things in Essentials that makes it work so well in Azure. The SSL-VPN means that you need only open ports 80 and 443, which I think is really neat..

A word of warning though, if you are migrating from SBS 2003, some of the existing group polices made it difficult for me to run the anywhere access wizard. If you get problems with the VPN wizard failing, see this post.

After you have successfully run the VPN wizard, you need to assign a static address pool in RRAS administrator. See this document for more details:


Add an additional UPN suffix to local domain(Optional)

I always like to add an additional UPN suffix the the local AD so that users can use the same sign-in information on 365 as their regular resources. See here…



Migrating from SBS 2003 to Office 365 and Azure hosted essentials is mostly straightforward. If I was migrating a system with so few users again then I would just fresh install and lose the existing AD, but this was a good opportunity to prove the concept as I will be moving some customer resouces with more sophisticated requirements and greater number of users in the near future and the process will be much the same.

I do have a confession to make though….

I am running Storagecraft Shadowprotect on the VM and sending the data out of Azure back to our own storage running in a co-lo facility near our offices. Why? This is the first real infrastructure that I have run in the cloud that is not on our own hardware where we have complete control over it, having the system backed up to our own servers makes me sleep well at night. Because the upload capacity of Azure is so good it hardly takes any time to run a Storagecraft Backup so I feel OK about it

VPN was not configured successfully in Windows Server 2012 Essentials Experience

During a recent SBS 2003 to Windows Server 2012 r2 Essentials migration I was having a number of problems setting up anywhere access. The two problems that I was getting were:

  • Anywhere access to your server is blocked
  • VPN was not configured successfully

Windows Server Essentials Anywhere access - VPN was not configured successfully

I searched all over but couldn’t come up with anything useful and the dashboard.log file didn’t show anything useful, just the error:

ConnectivityCenter: RemoteAccessAnalyzer: VPN server deployment result: InstallationFailed

The ports 80 and 443 required for Remote Web Access and VPN were without doubt open but it seemed to me that the wizard always failed at the verification stage, so I figured that it must be seeing something different than I was picking up in my tests.

Now, this server has been configured with a custom domain name of remote.companydomain.com and externally this resolved no problems at all.

But if I tried to ping that address or use nslookup on the essentials server to resolve the external DNS address that had been assigned to the server it failed. Then I realized what was going on.

This system/customer is new to me and I had made the new essentials server a domain controller which also meant that it would have replicated DNS records from the source domain controller.

Although the internal domain name was companyname.local there was also a forward lookup zone for the main companyname.com address space, because the essentials server was rightly using itself as a DNS server it was unable to resolve remote.companyname.com using its own DNS forward lookup zone for the external domain as the record for remote.companyname.com had not been added.

So I had two choices, remove the forward lookup zone or add the remote.companyname.com address to it as an A record. It was obvious after a little investigation why the external domain name had been added to the active directory DNS, but the reason it was include it was no longer appropriate, so I deleted the whole zone.

I then restarted the DNS server and cleared the DNS cache from a command prompt with:

ipconfig /flushdns

and tried to resolve the external domain name again and this now resolved correctly.

So I once again tried to run the Windows Essentials Anywhere Access Wizard and it still failed with the exact same issue! Infuriating! .

It did show one less error this time though and I was down to “VPN was not configured successfully” only this time. This error took make ages to figure out though.

Fixing the VPN was not configured successfully error

I ended up looking through the CBS.LOG file in quite some detail and figured out what the problem was. Thanks to someone on this thread on technet for the inspiration to look there.

When the VPN is being enabled Windows Essentials attempts to setup a Windows Internal Database and in my case failed to do so due to a logon failure as it did not have the “Logon as a Service” privilege. Here is a sample of the log:

2014-08-29 23:04:32, Error CSI 00000001 (F) Logged @2014/8/29:22:04:32.768 : [ml:130{65},l:128{64}]"Attempting to start service {MSSQL$MICROSOFT##WID} synchronously"
2014-08-29 23:04:32, Error CSI 00000002 (F) Logged @2014/8/29:22:04:32.893 : [ml:84{42},l:82{41}]"start service MSSQL$MICROSOFT##WID (1069)"
2014-08-29 23:04:32, Error CSI 00000003@2014/8/29:22:04:32.893 (F) CMIADAPTER: Inner Error Message from AI HRESULT = HRESULT_FROM_WIN32(1069)
[51]"The service did not start due to a logon failure.

Now I felt I was getting close to the source of the issue, light at the end of the tunnel (you have no idea how long I spent trying to figure this out).

The knowledge base article 2832204 from Microsoft explains how to make the appropriate group policy changes to stop this prevent the specific issue of being unable to start the MSSQL$MICROSOFT##WID service, which is actually the root cause of the wizard not being able to finish.

Here is a screenshot of how I the corrected group policy looked on the system I was working on:

Changing the logon as a service policy to resolve the error "VPN was not configured" on Windows Server Essentials Experience

After you have changed the policy run a quick “gpupdate” to make the new policy active and then try running the VPN wizard again, the wizard took a long time to complete but I was fairly confident it was going to work as I could see the SQL database becoming active in Task Manager:

Essentials Anywhere Access Creating a Windows Internal SQL Database

The wizard finally finished with success! I spent a long time trying to figure out the cause of this problem and I am so glad to see the back of it. I really hope this helps you if you are having the same issue.