Migration path from SBS to Office 365 & Windows Server 2016
Alex Fields
So many small businesses adopted Microsoft’s Windows Small Business Server (SBS) product–now that the product has been discontinued, these organizations tend to need a little more guidance regarding the migration path forward from SBS 2003, 2008 or 2011.
Do I still need an On-premises Windows Server?
With the option to move most SBS Server functions like Email and file sharing into Office 365 with Exchange Online, SharePoint Online & OneDrive for Business, many small businesses ask whether an on-premises server is still necessary.
Image credit: Microsoft: Improve collaboration in small and midsize businesses
I typically recommend keeping a server on-premises, yes, even with Office 365. But in very small offices, you might just go with a hosted deployment of Windows Server Essentials in the Microsoft Azure cloud, instead. Either way, I see a hybrid deployment of Windows Server + Office 365 as the gold standard for the foreseeable future. Here’s why:
- Active Directory Synchronization: Office 365 can integrate with your existing Active Directory domain to provide an easy migration path and smoother transition into the cloud. Single sign-on and centralized management of users & groups across on-premises & cloud domains are further benefits. Some Active Directory services just are not available in the cloud at this time; Azure Active Directory Domain Services still has severe limitations and does not yet offer a clear migration path from on-premises AD, so an on-premises Active Directory server is still of benefit.
- Device management: Windows Server gives you the best tools for managing Windows devices, such as Group Policy, and that level of control just is not available in Office 365 (but you do get some nice Mobile Device Management features included).
- Toxic data: Every organization tends to have at least a little bit of uber-sensitive data that they do not want even accidentally shared outside of the organization (or even beyond certain boundaries within it). Azure Rights Management can help mitigate this risk even in the cloud, but for maximum control, you can keep toxic data sets on-premises, and still protect them with Rights Management, if so desired.
- Latency tolerance (and other technical limitations): Certain file types (like databases) are not supported in SharePoint, and very large files can be cumbersome to use in the cloud. The reality is, some apps & data behave better on a Local Area Network (LAN).
- Line of Business application support: Certain software vendors will not support storing file libraries or other dependencies in a cloud such as Office 365. You may or may not be okay to run them in a Microsoft Azure virtual machine. It is best to verify the solution with your official support channels before migrating.
For all these reasons and more, Windows Server still has a place in the small business network. The good news is, hardware is pretty cheap these days, and most small businesses will be able to offload the vast majority of their data footprint into the cloud, meaning that hardware requirements probably have gone down since the last refresh cycle.
Windows Server: Essentials or Standard?
In general, I recommend purchasing and installing Windows Server Standard edition (not Essentials), enabling the Hyper-V role, and deploying a Windows Server Standard virtual machine as your “replacement” server for SBS. Optionally, you can enable the Essentials Experience role, if you are interested in some of the features it contains like Client PC Backup, Remote Web Access, etc. Here is a quick comparison of the two deployment options:
Image credit: itpromentor.com, adapted from this source
The main advantage of purchasing Standard over Essentials relates to scale–do you need to be able to support:
- more than 25 users?
- more than 50 devices?
- more than a single virtual machine?
If yes to any of the above, go with Standard. Otherwise, if you are sure the answer is no, you can probably stick with Essentials.
Note: Windows Server Standard technically supports unlimited users & devices as long as you own sufficient CALs, but the Essentials Experience features will only support up to 500 users / 500 devices in 2016 (increased from 100/200 in 2012 R2).
The other flexibility afforded by Standard is being able to join the Essentials computer as a member server, without promoting it to the role of Domain Controller–perhaps less of a concern for some organizations. Of course, you can also choose to switch to Standard licensing down the road.
Office 365: Which plan should I choose?
This is the best resource I know of for comparing the various Office 365 plans and what features they contain.
Many small businesses will go with the “full boat” of Office 365 features, including Exchange Online for Email, SharePoint Online/OneDrive for file sharing and document collaboration, Skype for Business and all of the Microsoft Office applications. In that case, you might be looking at one of these two plans:
- Small Business Premium ($12.50 USD/user/month)
- Office 365 E3 ($20.00 USD/user/month)
I’d recommend supplementing either of these with Exchange Online Advanced Threat Protection (ATP) for $2.00 USD/user/month–this will help guard against emerging & zero-day threats. The big difference between these two plans is that E3 contains more advanced Enterprise capabilities like information rights management, email encryption, litigation hold (usually an important feature for law firms), data loss prevention and others. Therefore, I generally recommend the Enterprise track for the best features and experience.
Image credit: Microsoft
What if I just want Office 365 for Email?
If the Enterprise stuff is just too fancy for you, or if all you really need is Exchange Online for email, then there is an Exchange Online only plan as well, available for $4.00 USD/user/month at the time of this writing. However, you might consider supplementing this plan with some of the following add-ons:
- Advanced Threat Protection (ATP): Protect against emerging/zero-day threats with Safe Attachments & Safe Links; $2.00 USD/user/month
- Exchange Online Archiving (EOA): Add unlimited email archiving; $3.00 USD/user/month
- Azure Rights Management (RMS): Secure your email with IRM templates & email encryption–not necessary if you choose an EMS subscription; $2.00 USD/user/month
- Enterprise Mobility Suite (EMS): Azure AD Premium, Intune for Mobile device management and Azure Rights Management for IRM templates & encryption options; $8.75 USD/user/month
Will Office 365 be compatible with my Line of Business applications?
The other caveat here is that certain Line of Business applications may not integrate with the Office 365 versions of the Microsoft Office suite (Word, Excel, etc.). This is becoming less and less of an issue these days, but it is definitely something to include in your checklist. Therefore, in some cases, you may need to stick with a lower level of licensing such as Office 365 Business Essentials or E1–which do not include the desktop apps. In that case, you’d have to purchase Office apps and any desired extras separately.
Another sticky point for some customers: it can be difficult to combine the Office 365 “click-to-run” desktop applications with other Microsoft applications, for example previous versions of Microsoft Visio or Project. This is obviously frustrating, and something else to have on your radar. Some customers may be eligible for a free upgrade to resolve these compatibility issues.
Recommended Migration Path
The most common migration path for parting ways with your legacy Small Business Servers is the following:
- Migrate Email from SBS/on-prem Exchange server to Office 365 Exchange Online using either:
- Migrate Companyweb / WSS to Office 365 SharePoint Online
- Migrate personal/redirected Documents folders to OneDrive for Business
- Migrate Active Directory/DNS and DHCP roles to Windows Server Standard/Essentials Experience
- Migrate company-wide printer & file shares to Windows Server Standard/Essentials Experience
- Migrate Remote Access (if applicable) to Windows Server Standard/Essentials Experience
- Properly remove Exchange Server from the SBS server
- Decommission the SBS Server (& other legacy servers)
After the migration tasks are complete, don’t stop moving! Office 365 has so much to offer in every area from productivity to security & compliance. Enable online Email archives, deploy Skype for Business, activate Azure Rights Management, turn on Multi-factor authentication and Mobile Device Management–the list goes on. Great new capabilities are right at your fingertips, and they are pretty easy to implement, so don’t be shy about trying them out–your competition certainly is.
Hi Alex, I am looking to migrate from sbs 2003 to server 2016. We are currently not using Exchange so it is not a factor in the migration. What is the simplest way to migrate the domain? Thanks much!
Well, to be quite honest it has been a while since I moved from a 2003 domain! I know you could go from 2003 to 2012 R2, and it appears as though the same is possible to 2016. For example, when this article was last updated in November of this year, it now reads that it applies to 2012, 2012 R2 & 2016. So I think you are in luck–I assume you could follow the same process that I lay out in my series (which comes from SBS 2008/2011) and it should work for you. And all the better, since you can skip the sections pertaining to Exchange/Office 365!
Thank you Alex for taking the time to write this informative article. You have saved me a lot of time. My sbs 2003 to 2011 was really bad. So bad I thought I would move the 20 users environment to 2016 from scratch. I am changing my mind now.
Thanks! Good luck with the migration!
Quick question: Why deploy Windows Server in Windows Server/Hyper-V configuration? Why not just run Windows Server alone?
Virtualization comes with many benefits–backup and DR options with Hyper-V are at the top of the list–restore the entire virtual machine, or easily move it to new hardware, etc. Not to mention isolation of workloads… Hm… wait a minute… was this a real question?
I’m planning a similar migration: SBS 2008 with Exchange to Office 365 and Server 2016 Essentials. Is it critical that you migrate mail to Office 365 PRIOR to deploying 2016 Essentials? The last thing I want is to add the Server 2016 Essentials domain controller and then break Exchange somehow during that process.
You can do it in any order you prefer, I like to start with Exchange because it’s the “hard part”–everything else after that is cake.
Great article! Say a customer had SBS 2011/Exchange 2010 single machine, and the end goal was to completely remove the server. Could you feasibly perform the Hybrid migration using the existing exchange 2010 server, follow your guide (install a new server “2012/2016” standard edition with essentials role and then remove exchange 2010 role and then the SBS server completely without ever standing up a “management exchange 2013/2016 server”?
Yes that scenario is possible but not necessarily supported, unless you also remove Azure AD Connect after you are done with the hybrid migration.
Thanks for the great article.
We are migrating from sbs2011 to server 2016.
Also we have migrated the mail to office 365.
We have dirsync/ azure connect enabled for password sync.
Can we uninstall the exchange server without any problems?
If you remove the last Exchange server in the org you need to remove AAD Connect first. See here for more details.
Thank you for the article. We are planning on migrating sbs2011 w/ exchange to server 2016 with O365 of our clients. Is it best to just push email to O365, migrate the DC with roles and then set up Azure?
I am not 100% following the question that you are asking. I usually migrate email first, which involves setting up Azure AD Connect to sync accounts, and running the hybrid wizard to establish hybrid mail flow with Office 365. After the migration of mailboxes is complete, switch DNS records to 365. Then you can migrate the AD roles and other network resources to new server(s).
Hey just wanted to say thanks for the articles. Planning this soon, and this has got it pretty clear in my head (and calmed me down about the whole process).
One thing I’d like to ask you about (that I couldn’t see anywhere else) is what you do with WSUS?
Our SBS box is currently handling that. Do I need to move these over, or will the client pc’s just fall back to using windows update if the wsus server is no longer there?
Yeah you can move it, but WSUS sucks–I don’t use that nonsense anywhere. Usually an IT provider will have their own tool for managing updates/patching/antivirus/etc.
Thanks for that. Any suggestions for WSUS alternatives?
I’ve always just used it, because it’s there.
Thanx for your efforts and help on this as always.
I managed to set up AD sync and Hybrid connection and moved 1 mailbox to Office 365.
My plan is to move mailboxes a few at a time and complete the individual migration batches as I go along. This means that I need email to flow between on-premise located and Office 365 located mailboxes. This mail flow does not, however, work. I send email but no delivery failure messages.
Does your guide cover for a setup like mine or should I migrate all my users and ‘cut-over’ at a set time for everyone?
If it can work as I explained, can you recommend how to troubleshoot the mail flow issue?
I would do one cutover yes–unless you have several hundred users or something. But, it absolutely can work the way you describe also. When you create a “Full” hybrid then you will have connectors created both on-premises and in the cloud, and these connectors are how mail will be exchanged between the two environments. What you need to make sure of, is that your firewall has a filter policy that allows inbound mail from the Exchange Online Protection IP addresses, which are published by Microsoft, and that you have TLS working. It is also possible to turn off TLS on the connectors and just use SMTP but of course TLS is preferred. Also you should allow outbound mail from your Exchange server to the EOP IP addresses also. If needed, you can also change the accepted domains in your cloud EAC to Internal relay rather than Authoritative (although if Hybrid is setup right it should already know what objects are on-premises–but changing to Internal relay will help if some of the objects aren’t yet synced via AAD Connect). Hope that helps, and good luck!
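The firewall check described in the reply above can be run against exported firewall logs. The following is an added example, not part of the original post or comments: it lists inbound SMTP connections that the firewall denied even though the source falls inside the allow-listed Exchange Online Protection ranges. The log format, the function names and the ranges are assumptions; the ranges are documentation placeholders and must be replaced with the ones Microsoft publishes.

```python
import ipaddress
import re

# Placeholder ranges from documentation address space, NOT Microsoft's.
# Replace with the Exchange Online Protection ranges Microsoft publishes.
EOP_RANGES = ["192.0.2.0/24", "198.51.100.0/25", "2001:db8:40::/48"]

# Constructed firewall log lines in a hypothetical key=value format.
SAMPLE_LOG = """\
2024-05-01T10:00:01Z action=DENY proto=tcp src=192.0.2.17 dst=10.0.0.5 dport=25
2024-05-01T10:00:04Z action=ALLOW proto=tcp src=198.51.100.9 dst=10.0.0.5 dport=25
2024-05-01T10:00:09Z action=DENY proto=tcp src=203.0.113.50 dst=10.0.0.5 dport=25
2024-05-01T10:00:12Z action=DENY proto=tcp src=2001:db8:40::1f dst=10.0.0.5 dport=25
2024-05-01T10:00:15Z action=DENY proto=tcp src=192.0.2.17 dst=10.0.0.5 dport=443
2024-05-01T10:00:20Z action=DENY proto=tcp src=198.51.100.200 dst=10.0.0.5 dport=25
2024-05-01T10:00:21Z garbage line without fields
"""

FIELD = re.compile(r"(\w+)=(\S+)")


def parse_line(line):
    """Return the key=value fields of one log line, or None if unusable."""
    fields = dict(FIELD.findall(line))
    if not {"action", "src", "dport"} <= fields.keys():
        return None
    try:
        fields["src"] = ipaddress.ip_address(fields["src"])
    except ValueError:
        return None
    return fields


def find_blocked_eop(log_text, ranges):
    """Count denied port-25 connections per source inside the given ranges.

    Returns (blocked, skipped): blocked maps source IP -> number of denials,
    skipped is the number of lines that could not be parsed.
    """
    nets = [ipaddress.ip_network(r) for r in ranges]
    blocked, skipped = {}, 0
    for line in log_text.splitlines():
        fields = parse_line(line)
        if fields is None:
            skipped += 1
            continue
        if fields["dport"] != "25" or fields["action"] != "DENY":
            continue
        src = fields["src"]
        # Compare only against networks of the same IP version.
        if any(src.version == n.version and src in n for n in nets):
            blocked[str(src)] = blocked.get(str(src), 0) + 1
    return blocked, skipped


if __name__ == "__main__":
    print(find_blocked_eop(SAMPLE_LOG, EOP_RANGES))
```

Any entry in the returned mapping means the firewall filter policy is missing an allow rule for a range that hybrid mail flow depends on.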
Great article, this is arguably the best place so far for getting all the info I need for SBS migration!
I have an old SBS 2010 server that I would like to migrate over to new Server 2016 Essential. Should I do the server migration first or the Exchange Migration? If I use hybrid migration for email migration to Office 365, assigned them with Office 365 license, can the migrated mailboxes still sync with their corresponded/migrated AD users using Azure Active Directory and Office 365 integrations?
I hope this makes sense to you, thanks in advance.
Hey Lawrence, I usually take care of Exchange first, that takes a lot of pressure off the rest of the process. You should run the Azure AD Connect tool in order to create the users first, then assign licenses.
Hi Alex. Can the Azure setup cope with Multiple Printers and plotters for a drawing office? The client is verging on a mix of on and offsite and I would prefer it all in the cloud if possible
Yeah I mean there is hardly a reason to keep anything on-prem anymore. With bandwidth being so highly available in so many places around the globe now, and all the options we have now between Azure and Microsoft 365–it’s hard to see why a small business would invest in hardware. For printing in a Windows Server environment (hosted at Azure), see this: Branch Office Direct Printing
They already have the hardware etc and don’t really want to let the print server go. IMHO they don’t need to handle print jobs really but there must be a better solution. The link you sent me looks like it might be for multiple sites but this client only has the one
Ah I see, I thought the question was around hosting a server in Azure, and how does printing work in that case (you would use the link provided and treat your office as the branch and Azure as HQ). But honestly to start ditching the old server you can just configure them to print directly without a print server queue. I wonder if there is any benefit or server-side software they rely on related to those printers/plotters? Possibly but very often this can be handled by a workstation anyway.
Yeah, my thoughts exactly. I will try and persuade them! Thanks for the response, I will probably be back on when we come to do the migration :-)
Great article (as always). Though I can’t help but wonder, being that it was written in 2016, do you still recommend keeping an on-prem Server to create a Hybrid-esque environment? I still have a few clients who’ve refused to move away from SBS2008 and SBS2011 all this time, and now they’re finally *ready* (these are <30 user .local domain, some as small as 5). Is Microsoft 365 and going server-less the *obvious* choice here? I guess part of my problem is flat-out ignorance in that I don't fully grasp the full scope of the Azure platform and all that it encompasses.
No, the migration path I recommend now is to Microsoft 365 Business. But, in the case that there exists some on-prem app that they haven’t been able to replace with cloud counterpart, you can either host it on Azure, or keep it on prem on a newer Windows Server.
Hi Alex, Thanks for the great article.
A question please: is it possible to keep the SBS 2011 server after the migration completes and continue using its other roles or must we change to a non SBS OS?
Since SBS left support you should move to a new OS–or just go all cloud; staying on the old stuff isn’t safe.