Monday, September 27, 2010

Password Complexity for SBS 2003 to 2008 Migration

Windwos Server 2008 Password Policy Setting Recomendations

The following excerpt is from the Small Business Server 2008 Setup and Migration Help File:

"Password policies in Windows SBS 2008 enforce strong passwords by default, and the password policies dialog in the Windows SBS Console writes the configuration to the default domain policy. The password policy configuration is not written to the Small Business Server Domain Password Policy object, as in Windows SBS 2003. "

The password complextity is a small over-comeable problem that you could encounter during a migration from SBS2003 to SBS2008. The pasword complexity could lead to an even getting logged in the SBS migration and setup logs. The even doesn't tell you it's thecomplexity of the administrator account password, but instead leads you to believe that it the directory services restore mode password that has a problem.
The complexity of the pasword required varies depending on the stage of the install. The 2008 SBS server when joining the domain is a client and uses it's own local policy which at this point is no password is required. when joining the domain, it uses the default policy for a domain controller not the policy that is already set for the domain controller in the domain group policy. once in the domain, it will use the policy that has already been established.
So, when creating your answer file be sure to have a password complexity matching 8 characters and included uppercase, lower case, a number or a special character (!,@,#,$,%,etc>). If the administrator account that is being used for the migration does not match these characteristics then the migration will fail with and error "FATAL: DcPromo_JoinDomain: The server was not promoted to a domain controller" and an error telling you that "The Directory Services restore Mode password does not meet its complexity criteria" .

BEFORE starting the migration, make the administrator password or the password for the administrator account that will be used for the migration match complexity requirements. I recommend, OVERMATCHING!, or you could be formatting the installation of the new SBS2008 server and trying the migration again. Use 14 characters or more is the main recommended action to over match - that's what I did.