Joining a client to an SBS 2011 Essentials network
August 30, 2011
Adding client computers to an SBS Essentials network should be straightforward: you just go to the SBS Essentials server ‘connect’ website, install the software and it does the rest. Or so it should.
Lots of threads on the SBS forums suggest otherwise, and also there are questions relating to profiles not being moved with the accounts and it can all get a bit messy.
I wanted to know for myself what actually happens, as although I have added clients in a lab system, it is not something I had really paid much attention to.
So I have picked Windows XP and Windows 7. The Windows XP machine is at SP3 but apart from that is out of the box (fresh install), and the Win 7 machine is Windows 7 Professional running SP1. I have multiple accounts on both, with a mixture of local admin and standard user. My aim is to show what happens when you add one of these computers to the Essentials network and to add some guidance on what to do if things don’t happen as you expect.
Where’s my stuff gone?
When you run the connect wizard there are a few different paths it can take, and the results will vary depending on what is true about who is running the wizard. I put together a little flow chart to try and show you what is likely to happen.
What we see from the above is that if you are logged on as a standard user account, then you cannot run the connect wizard.
If you are logged on as a local admin, you can. When you get to enter your domain credentials, make sure to enter those of the person who uses the computer, not the administrator (unless they are the same person).
Why? Because if you enter a network administrator account, say DonF, and the user of this computer is PeterVenkman, then Peter’s profile is migrated into the DonF profile on that computer.
Peter is free to log on and create a new profile, but he won’t have any of his documents or settings.
Below I go into a more detailed explanation of what happens on the machine, and what happens if you have multiple local accounts.
Windows XP
The first thing we should do is back up our computer. I know, I know, a lot of you will skip this step, but I think having a roll back point prior to attempting this is critical, especially given that a number of people have struggled with getting this working.
You can use your favourite disk imaging tool to image to a USB drive, but I am just going to make use of System Restore: I am going to make sure it is enabled and create a restore point before we start.
So, click on Start, then right click on My Computer, then select Properties with a left click.
Switch to the System Restore Tab.
We can see System Restore is running, as it shows the status of C is Monitoring. Also the Check box marked ‘turn off system restore’ is unchecked.
Click Ok to close.
Now we can go ahead and create a restore point.
Click Start, All Programs, Accessories, System Tools and finally System Restore.
System Restore Opens up, and you have the choice to Create a Restore Point. Select the radio button for that, and click Next.
You will need to enter a name for the Restore Point so you can identify it later.
Click on Create to finish the process.
Click on Close when the Restore Point has been created.
So now we know we have a fall back position, we can move on to running the connect wizard.
Just as a side note, I’m assuming your PC is already in a workgroup, as moving from an existing domain to an SBS Essentials domain would be part of a migration, which I am not covering here.
So, next open up Internet Explorer and browse to http://sbsserver/connect. There are prerequisites you will need to have installed before you can complete the /connect process. Lucky for us, it will detect and fix most if not all of them silently.
Click On the Download Software for Windows link. When prompted, you want to Run the software.
Just as another side note, I am currently logged onto the Windows XP machine with a local admin account.
You will be prompted again whether you want to run or don’t run the software. There is a second option named ‘more options’; click that, and then choose to always run software from Microsoft. Then click Run.
The Connect wizard begins, and helpfully tells you what using the wizard enables you to do. First off it is going to verify we meet the requirements. Click Next.
This section of the wizard installed the .NET Framework for me silently, so don’t be surprised if it takes some time to complete.
It will then prompt for your username and password on the network. You might want to add in the Domain Admin username and password – if you do you will see a warning.
So, click Yes, and let’s enter a normal standard user account.
I have set up accounts for the users of this PC already on the Dashboard.
Enter the details for the user who will be using this PC and click Next; it will whizz away and prompt you to reboot.
After a reboot you will be shown a screen asking you to choose if you want to move your data and settings to your new account, you can leave the box checked if you agree, or un-check if you don’t. Click next to continue.
You will then be asked to enter a computer description, fill this out and click next.
Do you want to wake up the computer for backups – umm let me think… (actually you may need to make a decision here based on whether this is a mobile computer or desktop; ultimately you want to back up, but it can freak out users if their laptop starts up of its own accord in the middle of the night)
Do you want to join the Windows Customer Experience Improvement Program?
That, thankfully is the last question for now. Clicking next will begin configuration of your computer.
And with any luck it should complete successfully.
Now let’s log on to our computer using our domain credentials.
We can see that the file I had on the desktop has moved across, that’s good.
So, all in all, it looks like that has worked.
Now let’s move to the second user, Janine, who also uses this computer.
Unfortunately no, Janine’s documents have not been moved across.
So, why is that? Well, the Connect wizard is only designed to transfer across documents and settings that are stored in the profile of the person running the wizard. So if you have other accounts on the computer, manual intervention is then required to move these into their domain profile.
Let’s have a look at some folders on the PC to get a better idea of how the wizard does this.
Obvious place to look first, is the C:\Documents and Settings\ folder.
Interestingly here we can see a single folder for Louis (albeit spelt incorrectly) and two folders for Janine.
What’s gone on here?
Well firstly, when Louis joined the company, they spelled his name wrong, so although his logon name was renamed correctly to Louis, his profile folder was not changed.
So how does Windows know where to store or look for his data?
To answer that question we need to look in the registry.
Let’s open up Regedt32.
Click Start, Run, type Regedt32 and click OK.
Expand HKEY_LOCAL_MACHINE > Software > Microsoft > Windows NT > CurrentVersion > ProfileList.
Here you can see registry keys defined for each profile stored on the system, and some default ones.
If we take a closer look at the keys we can see that this key relates to Janine’s domain user profile.
And this key is for Janine’s Local user profile.
There is only one key for Louis.
The key names are a series of letters and numbers, and are actually the users’ account SIDs. A SID is a security identifier.
When comparing these two sets of SIDs we can see that the Connect process has deleted Louis’s local account SID and replaced it with that of his Domain account. But what else has it done?
It has also changed the NTFS permissions on the Lewis folder to give the domain account Full Control and remove the local account from the Access Control List (ACL).
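The same SID-to-folder mapping and folder ACLs can be read in one pass with a script instead of clicking through Regedt32. This is an added example, not part of the original post or any Microsoft tool; it only reads, it assumes PowerShell 2.0 or later on the client PC, and the helper names Get-SidScope and Resolve-SidName are made up for illustration.

```powershell
# Added example (not from the original post): read-only audit of ProfileList.
# Assumes PowerShell 2.0+ and an elevated prompt on the client PC.
$profileList = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList'

# Machine SID = any local account's SID with the trailing RID removed.
$localAccount = Get-WmiObject Win32_UserAccount -Filter "LocalAccount=True" |
    Select-Object -First 1
$machineSid = $localAccount.SID -replace '-\d+$', ''

# Hypothetical helper: classify a ProfileList key name as System, Local or Domain.
function Get-SidScope([string]$Sid) {
    if ($Sid -notlike 'S-1-5-21-*') { return 'System' }     # e.g. S-1-5-18/19/20
    if ($Sid -like "$($machineSid)-*") { return 'Local' }   # issued by this PC
    return 'Domain'                                         # issued by a domain
}

# Hypothetical helper: turn a SID into DOMAIN\user, tolerating stale keys.
function Resolve-SidName([string]$Sid) {
    try {
        $id = New-Object System.Security.Principal.SecurityIdentifier($Sid)
        return $id.Translate([System.Security.Principal.NTAccount]).Value
    } catch {
        return '<unresolved>'   # deleted account, .bak key or unreachable DC
    }
}

$profiles = foreach ($key in Get-ChildItem $profileList) {
    $sid  = $key.PSChildName
    $path = [Environment]::ExpandEnvironmentVariables(
                (Get-ItemProperty $key.PSPath).ProfileImagePath)

    # Who holds rights on the profile folder? After Connect has migrated a
    # profile, the domain account should be listed and the local one gone.
    $aclUsers = '<folder missing>'
    if (Test-Path $path) {
        try {
            $aclUsers = ((Get-Acl $path -ErrorAction Stop).Access |
                ForEach-Object { $_.IdentityReference.Value } |
                Sort-Object -Unique) -join '; '
        } catch { $aclUsers = '<access denied>' }
    }

    New-Object PSObject -Property @{
        Sid       = $sid
        Scope     = (Get-SidScope $sid)
        Account   = (Resolve-SidName $sid)
        Folder    = $path
        FolderAcl = $aclUsers
    }
}

# Full listing, then the profiles still tied to a local SID. Apart from the
# local admin, those are the accounts Connect did not migrate.
$profiles | Sort-Object Scope, Account |
    Format-List Scope, Account, Sid, Folder, FolderAcl
$profiles | Where-Object { $_.Scope -eq 'Local' } |
    Select-Object Account, Folder
```

On the XP machine above, Janine would appear twice, once with Local scope and once with Domain scope, each pointing at a different folder.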
If we re-create that process, we can link Janine’s domain profile to her local profile folder, restoring access to her documents and settings, and saving you the time of copying everything across.
It has to be said that doing this is likely to produce unexpected results, and I would not recommend it.
A much better way to achieve this would be to use the System Properties applet, and use the User Profile settings section on the Advanced tab.
This produces consistent results and should be a preferred way to do this.
From System Properties you can go to the Advanced Tab, under User Profiles click Settings.
You can see all the profiles stored on the local computer.
Select the local profile you want to transfer; you will see the ‘copy to’ button becomes available. Click this.
Clicking Browse will allow you to search for the folder location to copy the profile folder to. We want to choose to overwrite Janine’s domain user profile folder. (This requires Janine’s domain user account to have logged on already to this PC.)
You then need to use the ‘change’ button to select a user who is permitted to use this profile. Obviously we are looking for Janine’s domain account. Then click OK.
Click Yes to acknowledge you will be overwriting this folder.
That is all!
There is also a third method using Forensit’s Profile Wizard, which I am covering under the Windows 7 section.
This is a very simple wizard and will allow you to move profiles very quickly.
Windows 7
On the Windows 7 Machine we actually have 4 local user accounts. So what we are going to do is run through the connect wizard, as a network admin, not migrate any of the data, then use Forensit’s wizard to migrate the user profiles.
I am choosing to logon as my Local Admin account, as we know from above this is the only account we can use to run the Connect wizard.
Again before we start we should verify System Restore is running, and create a Restore Point.
Click on Start, then right click Computer and go to properties.
Switch to System Protection.
You can see the status of System Restore highlighted, and you can click on Create, to create a new system restore point.
Enter a name and click on Create to start creation.
After a few moments your restore point will have completed. You can now close all the open windows and open up IE ready to launch Connect.
When you go to http://sbsserver/connect on the Win7 machine you will notice a message appears about Intranet Settings, you can ignore this for now as it will not affect the connect wizard.
The wizard itself is identical to that on XP so I won’t go into much detail here.
Just remember to un-check the box to make sure you don’t migrate documents and settings into your network administrator account.
Once you have finished the wizard, you are ready to logon.
Login as the Network Administrator, and load up a copy of Forensit’s Profile Wizard.
Forensit’s wizard will guide us through the process.
You will need to uncheck Join Domain and also uncheck Set Default Logon. Enter your destination account name, in this case PeterVenkman, and click Next.
Select the Source Profile Folder and click Next.
When the wizard has completed the task, click Next and then you are finished.
If we take a look in the registry at the profiles section, we can see that just like the connect wizard it is replacing the Local registry key with a domain one.
We can do the same process again for Egon’s account, and then look at a before and after shot.
Before – Showing the local SID for Egon’s account.
After – Showing the Domain SID for Egon’s account.
Hopefully this has given you some insight into how the connect wizard behaves, and what it does to your user profiles when joining an SBS Essentials network.
Hi,
Good article, but it is lacking one thing that I have noticed MS’s pages do too. When you go to connect a client PC (by server/connect in browser window), what happens if it can’t find the server? It does not come up with the wizard or installer or anything. If you could guide me in another way to run this wizard I would muchly appreciate it!
Jaidan
Hi Jaidan,
Essentially this will be down to the router you are using. The http://connect process relies on the fact that your client PC can resolve the IP address of the server.
If your router doesn’t hold a database of internal clients, then this could be a reason for it failing. My advice here would be to set the IP address of your client pc statically to use the DNS Service on the SBS Server, until the connector software is installed, and then set it back to defaults.
Great article.
MS hasn’t made it clear on how to correctly add other Servers to SBS though.
Here’s the problem in 2011… if you run the connect wizard on Server2008R2 you are advised that it is not compatible with that operating system.
If you do a manual join of the Server2008R2 machine to the SBS2011 domain (through computer properties), it does not appear in the SBS Console.
This problem is evident by the many web pages requiring you to do registry hacks to make Terminal Servers visible to users’ RWW. This is because the Terminal Server is not visible in the console and therefore the remote access permission cannot be set on an individual basis to show up in their RWW page.
What is the correct way to do it so it appears in the console, and doesn’t involve registry hacking after the fact?
Hi Ron,
Thanks for your message.
As I understand it, you can install the connector software on a Server 2008 R2 SP1, if that server is not a DC. I’ve only just come by this info and I have not had a chance to confirm it yet.
Can you confirm if you are at SP1?
I did some tests joining a Server2008 R2 member server to SBS2011 here is what I found out:
If the member server is not updated to SP1 you cannot join it using the connect wizard and must do it manually. In this instance, the member server will not show in the SBS console so you cannot use the console to configure TS access to it and the registry hacking begins.
If the member server is updated to SP1 you can join it using the connect wizard… the wizard will still prompt you and give you a warning but you now have the option to continue anyway. Using this method does put the member server in the console and you should be able to treat it as any other computer allowing remote access via the console without delving into the registry.
I put up a post about this yesterday.
http://titlerequired.com/2011/10/25/installing-a-second-server-sbs-2011-essentials/
I just read it, very good, nice work
Thanks.
Hi
I have XP pro PC’s (x25) (all up to date SP3 .net4) We have problems with a sbs2003 server so Clean install of sbs2011.
Sbs 2011; Run ‘Connect’ is OK !! ..On PC’s it ONLY offers old local accounts to transfer ???
it does not; a) pick up the account user I am logged into, and want to transfer from sbs2003 as a domain user to sbs2011. Even if I login as the administrator or login in locally as administrator on a PC … every time I run Connect it only offers me old local accounts to transfer to the user !!!!
I have tried what is mentioned above in control Panel, and copying user profiles – but the option to select the account is greyed out !!!
Has anyone any idea why the SBS2003 user on the PC is not offered in the transfer window of ‘Connect’? And how to make it show all accounts to select from? Any pointers?
TonyB
Hi Tony,
It sounds like you have not really followed a migration guide or anything like that.
With a clean install you have not retained any of the previous Active Directory, even if you have named it the same.
You need to remove those PCs from the SBS 2003 domain by putting them into a workgroup.
My advice would then be to create a new local user account for each user. Then use Forensit’s user profile migration tool to copy the old domain user profile to the new local account, then run Connect from that account.
It is not easy to provide support through the comments of a blog, so if you need any more detailed questions answered I would suggest you start a thread on the SBS TechNet Forum.
I have a question regarding the connect software. Do you absolutely need to connect a workstation to the domain? All I want to do is have a backup of that workstation. I have two options: install WHS 2011, but then I cannot back up my Exchange. I can install SBS 2011 Essentials, back up my Exchange server (as part of Server backup profile) but do not necessarily want to have every PC join the domain.
Essentials server backup does not backup additional servers, and you would be advised not to install Exchange on Essentials.
The ‘connect’ wizard will auto join the domain for you if your client machines support it.
Hi Robert,
I want to use SBS 2011 essentials for my home office. My problem is that one of the connected clients is my company notebook, which belongs to an existing domain (accessed via VPN) and can’t be changed. I know that there is a workaround (reg add "HKLM\SOFTWARE\Microsoft\Windows Server\ClientDeployment" /v SkipDomainJoin /t REG_DWORD /d 1) for SBS 2012 essentials, but I have some XP clients which are not supported on 2012. Does that work for SBS 2011 too, or is there a similar solution? I could use WHS 2011, but I would like to buy a HP ProLiant ML110 G7 which comes ready with SBE 2011 installed, for 550 EUR incl. 500 GB SATA disk. Any idea?
I have added about 10 computers to SBS 2011 with the same steps as above.
One of them doesn’t show up in the dashboard. I have checked and it’s in the same OU as the others, and I can’t find anything that may be causing the issue.
Any comments?
Did the Connector Software install?
Hey man, can I just go to Run, then type my server address and connect to the shared folder on the server? Can I connect all PCs by using only one user name on that server?
Why do you want to do that?
If a user on sbs essentials has an xp machine and this user is to get a new win 7 machine, how do you transfer user to new machine and put it on sbs?
I would install the Win7 machine to the domain, logon as the user to setup their profile.
You could use Windows Easy Transfer to move files from the XP machine to the Win7.
Thank you for your quick reply.
So these are the steps I take:
Set up a local admin user on the Win 7 machine the same as the local admin user on the XP machine. Then use the connect software on the Win 7 machine to join SBS Essentials and set up the profile. Then use Easy Transfer to move files from XP to Win 7.
Sounds good to me!
Hi,
I installed the “connect” as the user (with local admin rights) on an XP pc. It looked like it installed okay. Restarted twice and did some copying and rebooted to a locked workstation logged in as the user.
However, when the user browsed from another pc to remote.domain.co.uk and logged in, selected the link for computers to connect to, there were none listed.
Do you have a link that will help me fault find this please or know why this might be?
Thanks.
Sounds like no computers are selected to be allowed access to. Check the dashboard, user properties, one of the tabs you can choose which computers to allow access to.
Hi Robert,
Just looked at the dashboard via the server. There are 10 odd pcs listed all Win7 but the XP pc is not. I removed the pc from the domain and then reconnected it using http://connect – the configuration process from the pc end appears to be successful with no errors and the “Finish” button. Still it is not listed in the list (even when clicking “connect to more computers”). The firewall on the pc is off. Looking at the SBS Console under Network, I cannot see the pc there either I can only see it in ADUC.
It’s as though, it is installing into the domain but not fully in that it will be listed and can be remote connected to…. if that makes sense!?
J.
Got it! Just reading through the above again and picked up on something. I checked the location of the pc object which is not located in the SBSComputers container. I moved it to this container and it appeared in all lists and can now be connected to! Result!
Thanks for your help.
Johnny.
Sounds like you are running SBS Standard, not Essentials.
Ahhh, Standard, Yes. Well, you led me to a good result. Thanks. J.
How do I give a facebook like? I do not usually care but this information was definitely exceptional and it solved my problem so that’s the least I can do.
facebook.com/titlerequired :)
Hi, there’s a question that was asked above but I don’t think the answer was clear so I will ask again: what if, say, you have a notebook that is not always internet connected, and all you need is a backup of user documents without necessarily having it join a domain?
In 2011 Essentials there is no way to prevent domain join on a Pro/Business computer like there is in 2012. So your choices would be to accept domain join, or use 2012 Essentials. Using the mobile app I can’t see the question above.