interview question and answer


April 16, 2016

Migrate File Server from Server 2003 to 2008R2 or 2012 with Robocopy (with NTFS permissions)

Option 1: You can either use the Microsoft FSMT tool or Robocopy (more powerful). All robocopy operations are incremental in nature, which means that only new files/folders, or files that have changed, will be copied. Obviously, when you perform a robocopy operation for the first time, all folders and files are new on the destination server.
Initial copy of data
Let’s assume the 2003 file server’s name is 2003FS, while the 2008 R2 file server’s name is 2008R2FS. We are going to move two folders, named Finance and General, from the D: drive of the old server to the D: drive of the new server. The syntax for copying the data is as follows (the commands are run on the destination server):
robocopy \\2003FS\d$\Finance D:\Finance /e /zb /copy:DATSOU /r:3 /w:3 /log:c:\robocopylog\finance.log /V /NP
robocopy \\2003FS\d$\General D:\General /e /zb /copy:DATSOU /r:3 /w:3 /log:c:\robocopylog\General.log /V /NP
The switches are explained as such:
/E :: copy subdirectories, including Empty ones.
/ZB :: use restartable mode; if access denied use Backup mode.
/COPY:copyflag[s] :: what to COPY for files (default is /COPY:DAT).
(copyflags : D=Data, A=Attributes, T=Timestamps).
(S=Security=NTFS ACLs, O=Owner info, U=aUditing info).
/R:n :: number of Retries on failed copies: default 1 million.
/W:n :: Wait time between retries: default is 30 seconds.
/LOG:file :: output status to LOG file (overwrite existing log).
/V :: produce Verbose output, showing skipped files.
/NP :: No Progress – don’t display percentage copied.
Copy data for the final time
robocopy \\2003FS\d$\Finance D:\Finance /e /zb /copy:DATSOU /mir /r:3 /w:3 /log:c:\robocopylog\FinalMirror\Finance.log /v /NP
robocopy \\2003FS\d$\General D:\General /e /zb /copy:DATSOU /mir /r:3 /w:3 /log:c:\robocopylog\FinalMirror\General.log /v /NP
I have included the /mir switch here:
/MIR :: MIRror a directory tree (equivalent to /E plus /PURGE).
In other words, /mir will do the same as /e and /purge
/PURGE :: delete dest files/dirs that no longer exist in source.
Keep in mind, it will only delete files/dirs at the destination, NOT at the source. Some people believe, for some strange reason, that files at the source are deleted as well. That is NOT the case.
Synchronizing NTFS permissions and other file related properties only
If you forgot to include the /copy:DATSOU or /copyall option for whatever reason and are now looking for a switch to synchronize the NTFS permissions or other file-related properties, you can use the /secfix option:
/SECFIX :: FIX file SECurity on all files, even skipped files.
When using the /SECFIX copy option, specify the type of security information you want to copy by also using one of these additional copy options: /COPYALL /COPY:O /COPY:S /COPY:U /SEC
The following example synchronizes file security information for the Finance folder we copied from the 2003FS server earlier
robocopy \\2003FS\D$\Finance D:\Finance /secfix /copy:SOU /r:3 /w:3 /log:c:\robocopylog\SecFix\Finance.log /V /NP
Remember, this will only synchronize file security information between the source and the destination; it will not copy any files. To completely synchronize data and file security information, use the following command:
robocopy \\2003FS\D$\Finance D:\Finance /e /zb /secfix /copy:DATSOU /mir /r:3 /w:3 /log:c:\robocopylog\FinalMirror\Finance.log /v /NP
The /MT option
/MT[:n] :: Do multi-threaded copies with n threads (default 8). n must be at least 1 and not greater than 128.
This option is incompatible with the /IPG and /EFSRAW options
Simply put, it will make the copy operation go faster, but use it with caution: if you define too many threads, you will saturate the network card of your server or the bandwidth of your network. Personally I rarely use this switch.
Caveat to copying in two phases
There is a small caveat to copying data in two phases. If someone changes only security information of a file/folder between phase 1 and phase 2, but not the content, that file/folder will be skipped during the copy process in phase 2, therefore the new NTFS permissions on the file will not be copied either.
The chances for someone to change only NTFS permissions on a file/folder between phase 1 and phase 2 might not be big, but they are certainly there. So if you know that might happen, you can use the /secfix option at phase 2 to copy NTFS permissions on files/folders, regardless of whether the file/folder has already been copied in phase 1 or not. The command you would use is the final command in step 4 of this post.
How to retain share names and permissions
Basically, you need to do this:
1. Export this registry key “HKLM\SYSTEM\CurrentControlSet\Services\LanmanServer\Shares” on the old server
2. Import it on the new server
3. Restart the new server
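
An added example, not part of the original post: with /r:3 /w:3 robocopy gives up on a locked or inaccessible file after a few seconds and moves on, so the /log files are the only record of what was left behind before cutover. This Python script reads such a log and reports the failed paths; the sample log is constructed and assumes the English-locale layout of robocopy's output.

```python
import re

# Constructed sample in the layout of an English-locale robocopy log.
SAMPLE_LOG = r"""
   Source : \\2003FS\d$\Finance\
     Dest : D:\Finance\
  Options : *.* /V /S /E /COPYALL /PURGE /MIR /ZB /NP /R:3 /W:3

        New File       48211    \\2003FS\d$\Finance\budget.xls
2016/04/16 09:12:44 ERROR 32 (0x00000020) Copying File \\2003FS\d$\Finance\ledger.mdb
The process cannot access the file because it is being used by another process.
Waiting 3 seconds... Retrying...
2016/04/16 09:12:56 ERROR 32 (0x00000020) Copying File \\2003FS\d$\Finance\ledger.mdb
The process cannot access the file because it is being used by another process.
ERROR: RETRY LIMIT EXCEEDED.

               Total    Copied   Skipped  Mismatch    FAILED    Extras
    Dirs :        12        11         1         0         0         0
   Files :       340       338         1         0         1         0
"""

COLUMNS = ("total", "copied", "skipped", "mismatch", "failed", "extras")
# "<date> <time> ERROR <code> (0x...) <operation> <path>"
ERROR_RE = re.compile(
    r"^\S+ \S+ ERROR (\d+) \(0x[0-9A-Fa-f]+\) (.+?) ((?:\\\\|[A-Za-z]:\\).+)$")
SUMMARY_RE = re.compile(r"^\s*(Dirs|Files)\s*:" + r"\s+(\d+)" * 6 + r"\s*$")


def review_log(text):
    """Return summary counters, paths that hit errors, and a go/no-go verdict."""
    errors, summary = {}, {}
    for line in text.splitlines():
        m = ERROR_RE.match(line.strip())
        if m:
            errors[m.group(3)] = int(m.group(1))   # path -> Win32 error code
            continue
        m = SUMMARY_RE.match(line)
        if m:
            counts = [int(n) for n in m.groups()[1:]]
            summary[m.group(1).lower()] = dict(zip(COLUMNS, counts))
    if set(summary) != {"dirs", "files"}:
        # No summary table: the job was interrupted, so the log proves nothing.
        verdict = "incomplete"
    elif any(summary[k]["failed"] for k in summary):
        verdict = "failed"
    else:
        verdict = "clean"
    return {"summary": summary, "errors": errors, "verdict": verdict}


if __name__ == "__main__":
    report = review_log(SAMPLE_LOG)
    print(report["verdict"], report["summary"].get("files"))
    for path, code in report["errors"].items():
        print(f"  error {code}: {path}")
```

A path can appear under "errors" even when the verdict is clean, because a later retry may have succeeded; the FAILED column of the summary is what decides the verdict.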


April 27, 2013

windows server 2003 set wallpaper for all users through GPO

I have tested the procedures below on my side. In order to set the uniform wallpaper for users, you can refer to the steps below:
1. Create an OU in the domain and put all users for whom you want to set the wallpaper into it.
2. Create a shared folder, grant Everyone Full Control permission on it, and put the wallpaper picture into this share.
3. Create a GPO, navigate to
User Configuration\Administrative Templates\Desktop\Active Desktop\Active Desktop Wallpaper
Set this item to Enabled and, in the Wallpaper Name field, enter the path to the share created in step 2, for example \\servername\share\picture.jpg
After finishing, please click OK to confirm.

4. On the client PC, log on using a user account included in the OU created in step 1 to test the result.

April 22, 2013

Unexpected Error 0x8ffe2740 when starting FTP or IIS

Another one of Microsoft’s descriptive errors is 0x8ffe2740 when trying to start an FTP or Web Server from the IIS Administration module. The error itself means that there is a port conflict with another service. This is a relatively easy diagnosis, as you should already know what ports your ftp or web servers use.

Use the netstat command in the command console to find out what program is using a particular TCP port. Replace the ## with the port you wish to test. This works on Windows Server 2003 and 2008.
netstat -anop TCP | find ":##"
The above command will return a PID (process ID). You will need to match that to a running program or service. Type the following command:
tasklist /SVC /FI "PID eq ####"
Here is an example using port 21. In this example you can see the “ftpsvc” service is using port 21 through svchost.exe – which is normal. In a client’s machine, it was MSUpdate2.exe that was using port 21 – a piece of malware using an FTP server to serve pirated movies!
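
An added example, not part of the original post: the same netstat-to-tasklist lookup done by a Python script, which flags a listener whose owner is not the expected service. Note that find ":21" is a substring match and also returns lines for port 2100 or for outbound connections to a remote port 21; the script matches the local port exactly. Both command outputs are constructed samples, and the process name backupagent.exe is hypothetical.

```python
import csv
import io

# Constructed output of "netstat -anop TCP" (sample data, not from the post).
NETSTAT = """
  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:21             0.0.0.0:0              LISTENING       2280
  TCP    0.0.0.0:2100           0.0.0.0:0              LISTENING       3012
  TCP    10.0.0.5:49200         198.51.100.7:21        ESTABLISHED     3012
"""

# Constructed output of "tasklist /SVC /FO CSV" (English column names assumed).
TASKLIST_CSV = '''"Image Name","PID","Services"
"svchost.exe","1432","ftpsvc"
"MSUpdate2.exe","2280","N/A"
"backupagent.exe","3012","N/A"
'''


def listening_pids(netstat_text, port):
    """PIDs with a TCP listener bound to exactly this local port."""
    pids = set()
    for line in netstat_text.splitlines():
        fields = line.split()
        if len(fields) != 5 or fields[0] != "TCP" or fields[3] != "LISTENING":
            continue
        # rsplit keeps IPv6 literals such as [::]:21 intact.
        if fields[1].rsplit(":", 1)[-1] == str(port):
            pids.add(int(fields[4]))
    return pids


def audit_port(netstat_text, tasklist_csv, port, expected_services):
    """Name the owner of each listener and say whether it is an expected service."""
    reader = csv.DictReader(io.StringIO(tasklist_csv))
    procs = {int(row["PID"]): row for row in reader}
    wanted = {s.lower() for s in expected_services}
    findings = []
    for pid in sorted(listening_pids(netstat_text, port)):
        row = procs.get(pid)
        if row is None:
            # The process exited between the two commands, or is hidden.
            findings.append({"pid": pid, "image": None, "expected": False})
            continue
        services = {s.strip().lower() for s in row["Services"].split(",")}
        services.discard("n/a")
        findings.append({"pid": pid, "image": row["Image Name"],
                         "expected": bool(services & wanted)})
    return findings


if __name__ == "__main__":
    for f in audit_port(NETSTAT, TASKLIST_CSV, 21, {"ftpsvc"}):
        status = "ok" if f["expected"] else "UNEXPECTED OWNER"
        print(f"port 21 -> PID {f['pid']} {f['image']}: {status}")
```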


Migrating websites from IIS6 to IIS7

Below are the steps required to move a website hosted on IIS6 to IIS7 (Internet Information Services 6 to 7). IIS7 replaces the aging metabase with a more convenient applicationHost.config which stores the configuration in XML.
There are two versions of MS Deploy, the program needed to migrate. Download the 32bit version here, and the x64 version here.
Installing MS Deploy on the Source IIS6 Server
1.       You must have .NET Framework 2.0 SP1 or 3.5 installed on the server.
2.       Download the file and open it. Choose Setup Type: Typical. Be sure to use the x64 version if you have Windows 2003 x64. There is no entry in the Start Menu; you need to start the program through the command prompt: C:\Program Files\Microsoft Web Deploy\msdeploy followed by the command.
Installing MS Deploy on the Destination IIS7 Server
1.       Same as above. Be sure to use the x64 version if you have Windows 2008 x64.
Create a Backup of the IIS7 configuration
It is important to create a backup of the IIS7 configuration before you start. You never know when you’ll make a mistake, and restoring IIS to the default configuration without a backup isn’t fun.
IIS7 comes with the appcmd.exe command line tool, which is new for IIS7, and simplifies configuration backups immensely. It is located in the %windir%\system32\inetsrv\ folder, which isn’t in the path variables, so you’ll need to navigate to that path with the command prompt first.
1.       Click Start -> Run -> type “cmd” and press OK.
2.       At the command prompt, navigate to the %windir%\system32\inetsrv\ folder. (type “cd \” and then “cd C:\Windows\system32\inetsrv” if windows is in the default path)
3.       Once in the target directory, type: appcmd add backup "BackupPreMigrate"
4.       Press Enter. All done.
5.       To display a list of previous backups type: appcmd list backup
6.       To restore a backup, type: appcmd restore backup "BackupPreMigrate"
Verify Dependencies on Source IIS6 Server
Below is a screenshot of all the variables supported by the migrate tool. All instructions below assume you are in the C:\Program Files\Microsoft Web Deploy\ directory at the command prompt.
1.     At the command prompt (In the C:\Program Files\Microsoft Web Deploy\ directory), type:
msdeploy -verb:getDependencies -source:metakey=lm/w3svc/#siteidentifier
The list that is returned is fairly comprehensive as to what components are installed and available for use on the particular website. It does not, however, distinguish which components are actually in use.
Installing Required Components on Destination IIS7 Server
From the dependency list you can determine which roles need to be installed on the destination IIS7 Server. Any dependencies listed in the XML file that is saved during the migration will need to be installed on the destination server or else the migration will not complete. You can remove dependencies beforehand or from within the XML file found in the backup directory after the sync command.
Migrate Website
  • On the source IIS6 Server type:
msdeploy -verb:sync -source:metakey=lm/w3svc/#siteidentifier -dest:archivedir=c:\backup_name
Move the backup folder (c:\backup_name) to the destination server, or if on a network simply backup to the final destination on the IIS7 server or SAN.
  • On the destination IIS7 Server type:
msdeploy -verb:migrate -source:archivedir=c:\backup_name -dest:metakey=lm/w3svc/#siteidentifier
After Migration

After the migration is complete, some elements will need to be re-configured. PHP, ASP.NET Ajax and others will need to be configured independently of the IIS migration to match the source server’s settings.

Block IP Addresses using IP Security Policy in Windows Server 2003

Most System Administrators use a hardware firewall to block IP addresses from accessing their network. Co-located servers do not always have the advantage of utilizing a hardware firewall. Software firewalls can often be expensive.
As you may already know, Windows 2003 lets administrators control IP access from the configuration panels in SMTP and IIS, among others. But what if you want to block an IP address from all services with only one motion? This is where the IP Security Policy Management snap-in comes in handy.
Configure the IP Security Policy to block your first IP address
1.       Click “Start” and “Run” – type “MMC” and press OK.
2.       In the MMC, click “File” and “Add/Remove Snap In.”
3.       In the “Standalone” tab, click “Add.”
4.       Select “IP Security Policy Management” and click “Add.”
5.       Select “Local Computer” and click “Finish.”
6.       Close the “Add standalone Snap-in” window and click “OK” on the “Add/Remove Snap-in” window.
7.       Now that you are back in the MMC console, right-click on “IP Security Policies on Local Computer” in the left-hand pane and select “Create IP Security Policy.”
8.       Click “Next.”
9.       Enter a name (ex. IP Block List) and description into the boxes and click “Next.”
10.    Leave “Activate the default response rule” checked. Click “Next.”
11.    Leave “Active Directory default (Kerberos)” checked. Click “Next.”
12.    Leave “Edit properties” checked. Click “Finish.”
13.    The Properties box should be open.
14.    To add your first IP address, click “Add.” Make sure “Use Add Wizard” is checked beside the button.
15.    Click “Next” when the “Create IP Security Rule” wizard opens.
16.    Leave “This rule does not specify a tunnel” checked. Click “Next.”
17.    Select “All network connections” under Network Type (unless you want to specify by adapter). Click “Next.”
18.    You are now at the “IP Filter List.” The “All ICMP Traffic” and “All IP Traffic” options will not meet our needs; we will need to add another. Click “Add.”
19.    Name the IP Filter List (ex. Blocked IP List) and enter a description. Click “Add” to enter the first IP address to block.
20.    The “IP Filter Wizard” will pop up. Click “Next.”
21.    This will be the first IP address or IP range we enter to block. Enter a description (I usually enter the IP itself) and make sure “Mirrored” is selected below. This will ensure packets to/from are blocked, allowing you to create one rule instead of two. Click “Next.”
22.    Keep “Source Address” as “My IP Address” and click “Next.”
23.    Under “Destination Address” select “A specific IP Address” or “A specific IP Subnet.” If you select “Any IP address” it will block all IPs!
24.    Enter in the IP address in the fields below and click “Next.”
25.    Under “select protocol type” choose “Any” (means “All”) unless you specifically want to block from RDP (Remote Desktop), TCP or UDP, etc. Click “Next.”
26.    Click “Finish.”
27.    Now that you are back to the “IP Filter List” click “OK.”
28.    You will be back in the “IP Filter List” list in the Security Rule Wizard – make sure you select your new “Blocked IP List” and not “All IP Traffic” or “All ICMP Traffic.” Click “Next.”
29.    You will be taken to “Filter Action.” The lists: Permit, Request Security (Optional), and Require Security will not meet our needs. Click “Add.”
30.    In the “IP Security Filter Action” wizard, click “Next.”
31.    Select a name (ex. Block all Packets) and click “Next.”
32.    Select “Block” for the filter action behavior. Click “Next.”
33.    Click “Finish.”
34.    You are back to the “Filter Action” list. Select your new list (Block All Packets) and click “Next.”
35.    Click “Finish.”
36.    You are back to your IP Security Policy list (Blocked IP List) Properties. Click “OK.”
37.    Back in the “IP Security Policies on Local Computer” snap-in, you’ll need to assign the new policy. In the right-hand pane, right-click on your new list (IP Block List) and select “assign.”
To make it easier the next time you wish to block an IP address, save the MMC Snap-in configuration as a shortcut. Go to “File” and “Save As” and save it on your Desktop or Start Menu.
To Block Additional IP Addresses
1.       Enter the IP Block List snap-in you saved.
2.       In the right-hand pane double-click your IP Block List.
3.       Under “IP Filter List” select the newly created “Blocked IP List” and click “Edit.” Make sure “Use Add Wizard” is checked.
4.       Under “IP Filter Lists” select your “Blocked IP List” (not All ICMP or IP Traffic) and click “Edit.”
5.       You are now in the “Add IP wizard” area. You will see the first IP address you blocked in a listing under “IP Filters.” Click “Add.”
6.       Follow all previous steps to add the IP address you wish to block. Once finished, exit all dialog boxes.

You may need to restart the server for the settings to take effect.
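
An added example, not part of the original post: the walkthrough above can also be scripted with the netsh ipsec static context. This Python generator builds the command list and refuses the entries that cause outages (a /0 range, which has the same effect as "Any IP address" in step 23, or a range containing an address you must keep reachable). The policy, filter list and filter action names come from the walkthrough; the rule name and the keep_reachable parameter are assumptions of this example, and the addresses in the usage lines are documentation ranges.

```python
import ipaddress

# Names follow the walkthrough's own examples.
POLICY = "IP Block List"
FILTER_LIST = "Blocked IP List"
FILTER_ACTION = "Block all Packets"
RULE = "Block listed IPs"   # hypothetical name; the wizard does not ask for one
NETSH = "netsh ipsec static"


def block_commands(targets, keep_reachable=()):
    """Build the netsh commands for a block policy covering `targets`.

    targets: IPv4 addresses or CIDR subnets to block.
    keep_reachable: addresses (e.g. the admin workstation) that must stay allowed.
    """
    protected = [ipaddress.ip_address(a) for a in keep_reachable]
    filters = []
    for target in targets:
        net = ipaddress.ip_network(target)   # ValueError on typos or stray host bits
        if net.version != 4:
            raise ValueError(f"{target}: this example only handles IPv4")
        if net.prefixlen == 0:
            # Same outcome as picking "Any IP address" in step 23.
            raise ValueError(f"{target}: would block every address")
        hit = [str(a) for a in protected if a in net]
        if hit:
            raise ValueError(f"{target}: would cut off {', '.join(hit)}")
        # srcaddr=Me plus mirrored=yes matches steps 21 and 22.
        filters.append(
            f'{NETSH} add filter filterlist="{FILTER_LIST}" srcaddr=Me '
            f'dstaddr={net.network_address} dstmask={net.netmask} '
            f'description="{net}" protocol=ANY mirrored=yes')
    if not filters:
        raise ValueError("nothing to block")
    return [
        f'{NETSH} add policy name="{POLICY}" assign=no',
        f'{NETSH} add filterlist name="{FILTER_LIST}"',
        *filters,
        f'{NETSH} add filteraction name="{FILTER_ACTION}" action=block',
        f'{NETSH} add rule name="{RULE}" policy="{POLICY}" '
        f'filterlist="{FILTER_LIST}" filteraction="{FILTER_ACTION}"',
        # Assign last, so a half-built policy is never active.
        f'{NETSH} set policy name="{POLICY}" assign=yes',
    ]


if __name__ == "__main__":
    for cmd in block_commands(["203.0.113.45", "198.51.100.0/24"],
                              keep_reachable=["192.0.2.10"]):
        print(cmd)
```

Review the printed commands before running them in an elevated command prompt on the server.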
