To-Do list
The to-do list: you don’t have to stick to the order like gospel, but you should perform every task on this list eventually.

Part 3 - Starting with Small Business Server

Adam Turner, 25 April 2008, 12:44 PM

If you’ve decided to use Microsoft Small Business Server on your server, there will be more to your deployment than just installing Windows.


For a small business, the server is the heart of the network, and the operating system that runs on that server is akin to its soul.
If, during the planning process, it was determined that installing Windows Small Business Server 2003 on your server would be the best bet for the long-term administration of your infrastructure, this and the next two parts of this series will detail what you need to do to get up and running.

However, if you wish to walk the Linux path, there are still a lot of lessons to be learned — infrastructure management techniques are the same regardless of what tools or operating system you use. In three issues’ time, the specifics of running a small business using Linux and open source tools will be covered.

A two-phase installation

Essentially, there are two phases to a base installation of Microsoft Small Business Server. The first phase involves the installation of the core operating system (Windows Server 2003), while the second involves installing the additional Small Business Server components (Exchange 2003, Sharepoint Services, Shared Fax Services).

Both phases of the installation are completed with the Microsoft Small Business Server media (either five CDs or one DVD, depending on your media kit). This point may sound obvious, but it does require reinforcing (especially for Microsoft Action Pack Subscribers). You cannot install the SBS components onto a plain Windows Server 2003 installation.

The core operating system installation is a relatively ‘next, next, finish’ affair; anyone who has installed Windows from a CD should be able to install the OS components with ease. During the installation, you will have to define your regional settings, enter in ownership details, the product key and administrator password, and finally set the date and time.

The one area that may trip users up is in relation to the server hardware. As mentioned in the previous tutorial, many OEMs provide quick-start CDs that contain the drivers for your server. Attempting to install Windows without using the quick-start CD can often be problematic (especially if your Windows requires drivers in order to see your RAID partitions).

After the operating system installation phase is complete (and all support-related software has been installed by the quick-start CD installer, if you used one), your server should reboot and the regular Windows 2003 Server login screen should appear. After you log in using the Administrator credentials, Microsoft Small Business Server Setup commences.

Meeting requisites

Before the SBS components are installed, a quick requirements check is executed to ensure that your server meets the minimum specification required to run SBS effectively. If any requirements have not been met, you can double-click on the message in question to obtain more information on what you can do to meet the requirement.

Many users encounter the ‘This computer has only one network adapter’ information message. While SBS does not necessarily require two network adapters, this message serves as a reminder to configure the firewall of any router or gateway appliance that you’re using so that relevant SBS services are able to be reached from the internet — and the rest of your network is appropriately protected from nasties online.

Specific instructions on how to configure your gateway appliance will vary depending on which appliance you’re using. General firewall configuration information for SBS can be found at Microsoft. SBS itself can act as a gateway device if you wish. However, in order for it to do so, you will need two network interfaces in most cases.

Provide your details

Once the setup process knows that your server has what it takes to run SBS, you’ll need to provide the setup applet with information relating to your business. Put the tin-foil hat away — this information is not sent to Microsoft or anyone else for that matter. Most of this information is used to create templates for user accounts, mailboxes, the fax service and other SBS features.

Once this information has been entered, you’ll be asked to configure your internal domain information. The setup application recommends that you use a .local suffix for your domain name. As mentioned in last month’s article, this is not necessarily a good idea — especially if you’re planning on using Mac OS X systems on your network. A generic, non-public domain name avoids many namespace issues that small businesses are likely to come across.

Address networking

Next up is the network configuration. Due to the number of services that SBS runs, a static IP address needs to be provided. At this stage, it is appropriate to have a quick think about DHCP.

If you already run a DHCP server (such as on your gateway appliance) and want to keep using this DHCP server, you’ll need to configure it so that it doesn’t try to assign the address used by your server to another host on the network. Once you’ve made this configuration change, enter the reserved IP address into the setup application.

On the other hand, if you aren’t going to use DHCP or plan on using the DHCP service included in Windows Server 2003, enter in any currently unused IP address and continue.

Once you’ve completed this step, the setup application has obtained almost all of the information that it requires to install the SBS components. The installation of these components does require a couple of reboots, so the next screen asks you whether you want to supply your administrator password so that the setup process can continue seamlessly after each reboot. Entering your Administrator account credentials at this point does not log on automatically after the setup process has been completed, but does allow you to go away for a couple of hours while all of the SBS components install. If you don’t enter in the password at this point, you’ll need to check the progress of the installation regularly in case the system has been rebooted and is waiting for you to log back on.

Now, click the Next button a couple of times (approving just which SBS components you’d like installed) and go and have a break!

The to-do list

Upon the successful completion of the installation of all SBS components, you’ll be greeted with a to-do list. The purpose of this list is to step you through the final configuration tasks that were not covered during installation.

The first networking task is to view the Security Best Practices — a purely reading-based task that is worthwhile doing, even if you’re tempted to just skip straight to the next task — connecting to the internet.

One of the most important aspects of the Connect to the Internet wizard is to ensure that you select the setting that matches your network topology, and that you mark as publicly accessible only those web services that you actually want reachable from the internet.

If you have two network interfaces on your server, and internet traffic from your clients will pass through the server, the wizard will guide you through the configuration of the firewall that is built in to SBS.

Many of the web services bundled in SBS are accessed via an SSL connection — a web server certificate is used to verify the authenticity of the server that clients communicate with. It is by no means a compulsory requirement to install an SSL certificate that has been generated from a trusted authority — even though this can simplify things for end users who do not understand the distinction between authentication and authorisation. SBS can create a self-signed certificate which is adequate in most cases.

Exchange

In most cases, you will want to instruct the wizard to enable internet email. Selecting this option configures the Exchange server running on your server to send and receive email via SMTP. However, it is crucial to configure Exchange to send outbound email correctly. The default option is to use DNS to route email. With this option selected, your server connects directly with the destination SMTP server to deliver a message.

The problem that many users encounter with this setting is due to restrictions that are imposed by their ISP. As a proactive spam and virus mitigation measure, many ISPs prevent their customers from establishing outbound SMTP connections. If your ISP enforces this policy, the default settings will not work. You’ll need to select the ‘Forward all email to email server at your ISP’ option and populate the field with the address to your ISP’s SMTP server.

For email retrieval, it makes sense to enable the Microsoft Connector for POP3 mailboxes, even if you don’t plan on using it (it’s better to have the option available should the need arise, as opposed to having to run through this wizard again once your server has gone into production). The POP3 connector allows you to configure Exchange to check a POP3 mailbox and download any messages to individual Exchange mailboxes — a very handy feature if you plan on using an external hosting service to provide additional email redundancy.

Once the retrieval options have been set, you can configure Exchange to remove attachments containing certain extensions in their file name. Doing so for various extensions is good security practice — no matter how much you tell end users never to open .exe files that have been sent via email, it only takes one user an instant to forget, spreading a potentially catastrophic worm on your network. Remove (or at least quarantine) suspect attachments and save yourself a weekend of work later.
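As an added illustration (not code from the article or from Exchange) of why the attachment filter needs to look at more than the final suffix, here is a small classifier that checks every extension in a file name, case-insensitively, after stripping the trailing dots and spaces that Win32 discards when saving. The block list is constructed for the example; the wizard’s own list is longer.

```python
# Added example (not from the article or from Exchange): classifying attachment
# file names against a block list, the way the wizard's attachment filter is
# meant to. The block list below is constructed for the example.

from dataclasses import dataclass

BLOCKED_EXTENSIONS = {"exe", "com", "bat", "cmd", "scr", "pif", "vbs", "js"}


@dataclass
class Verdict:
    filename: str
    action: str   # "deliver" or "quarantine"
    reason: str


def naive_blocked(filename: str) -> bool:
    """A suffix check of the kind people write first: case-sensitive, last extension only."""
    return any(filename.endswith("." + ext) for ext in BLOCKED_EXTENSIONS)


def extensions(filename: str) -> list:
    """Every dot-separated segment after the base name, lower-cased.

    Trailing dots and spaces are stripped first because Win32 drops them when
    the file is saved, so 'setup.exe.' ends up on disk as 'setup.exe'.
    """
    name = filename.rstrip(". ").lower()
    return [seg.strip() for seg in name.split(".")[1:]]


def classify_attachment(filename: str) -> Verdict:
    """Quarantine if any extension in the name is on the block list, otherwise deliver."""
    for ext in extensions(filename):
        if ext in BLOCKED_EXTENSIONS:
            return Verdict(filename, "quarantine", f"blocked extension .{ext}")
    return Verdict(filename, "deliver", "no blocked extension")


if __name__ == "__main__":
    # Constructed sample attachment names, including ones a suffix check misses
    for name in ["report.docx", "invoice.pdf.EXE", "setup.exe.", "notes.txt", "Makefile"]:
        v = classify_attachment(name)
        print(f"{name!r}: {v.action} ({v.reason}); naive check says {naive_blocked(name)}")
```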

Your first group policy setting

After you’ve settled on what attachment extensions you’re going to filter out from your clients, the wizard will then go about its business of modifying all of the relevant settings on your server. At the end of this process, you should then be asked whether you want to enable password policies.

It’s always a good idea to enforce a password policy that is secure but reasonable. Enforcing minimum password lengths of 20 characters is not reasonable, because users will get frustrated at having to regularly enter long passwords. Similarly, forcing users to change their password every week just forces them to write their password down — which defeats the purpose of having a password in the first place anyway.

Enabling all three options with the default settings is a good starting point for your password policy, but be aware that the policy may need tuning over time. (If you need to make changes to the policy at a later date, you can do so by clicking Start > Administrative Tools > Domain Security Policy and expanding the Account Policies branch.) The other thing that you will need to educate your users on is what the complexity requirements are for passwords on a Windows domain. A password that meets these requirements adheres to the following criteria:
  • At least six characters long (contrary to popular belief, extremely long passwords are statistically not as secure as passwords that are exactly seven or fourteen characters long under Windows, due to how the password is encrypted).
  • Contains at least one character from three of the following five categories:
    • English upper-case characters (A, B, C etc.)
    • English lower-case characters (a, b, c etc.)
    • Base 10 digits (0 – 9)
    • Non-alphanumeric characters (!, @, #, $ etc.)
    • Unicode characters
  • Does not contain three or more characters from the user’s account name.
After the password policy has been created, ensure that you’re connected to the internet and start updating your server via the Windows Update web site (or alternatively, configure automatic updates).
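To make the complexity criteria above concrete, here is an added checker (not code from the article or from Windows) that applies them to a candidate password. It interprets the account-name rule as "no run of three or more consecutive characters of the account name", which is an assumption about the wording; the sample account name and passwords are constructed.

```python
# Added example (not from the article or from Windows): a checker that applies
# the password complexity criteria listed above. The account-name rule is read
# as "no run of three or more consecutive characters of the account name",
# which is an assumption about how the article's wording maps to a check.

MIN_LENGTH = 6  # the article's minimum; Domain Security Policy may raise this


def categories(password: str) -> set:
    """Return which of the five character categories occur in the password."""
    found = set()
    for ch in password:
        if "A" <= ch <= "Z":
            found.add("upper")
        elif "a" <= ch <= "z":
            found.add("lower")
        elif "0" <= ch <= "9":
            found.add("digit")
        elif ch.isascii():
            found.add("symbol")   # any other ASCII character: !, @, #, $, space ...
        else:
            found.add("unicode")  # anything outside ASCII counts as the fifth category
    return found


def shares_run_with_account(password: str, account_name: str, run: int = 3) -> bool:
    """True if any `run` consecutive characters of the account name appear in the password."""
    pw, acct = password.lower(), account_name.lower()
    return any(acct[i:i + run] in pw for i in range(len(acct) - run + 1))


def check_complexity(password: str, account_name: str) -> list:
    """Return the list of failed criteria; an empty list means the password is acceptable."""
    failures = []
    if len(password) < MIN_LENGTH:
        failures.append(f"shorter than {MIN_LENGTH} characters")
    if len(categories(password)) < 3:
        failures.append("fewer than three character categories")
    if shares_run_with_account(password, account_name):
        failures.append("contains three or more consecutive characters of the account name")
    return failures


if __name__ == "__main__":
    # Constructed sample account name and candidate passwords
    for candidate in ["Summer2008", "jsmith1!", "password", "Ab1", "pässwörd1"]:
        result = check_complexity(candidate, "jsmith")
        print(f"{candidate!r}: {'OK' if not result else '; '.join(result)}")
```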

Final Networking Tasks

The next item on the agenda is configuring remote access (meaning dial-in or VPN access to your network, not being able to remotely administer the server via a remote desktop connection). However, at this stage it’s more of a concern to get your server to the stage where users can start work, so we’ll come back to this in a couple of issues’ time.

The last networking-related tasks that you have to perform are the activation of the server and the addition of any extra client access licences (over the five CALs that come with retail versions of SBS, if you require them). With regard to CALs, there are two licensing models available for SBS — per user, and per device. You can choose to use both licensing models on your network, but your licensing requirements are easier to identify if you simply stick to one model or the other. In general, if you have more users than devices, you’d use the per device licensing model. If you have more devices than users, the per user model would cost less.

A licensing FAQ for SBS can be found at www.microsoft.com/windowsserver2003/sbs/evaluation/faq/licensing.mspx.

Once your server and the CALs have been activated, close the to-do list. Even though there are more tasks to perform, these can (and will) be done later.

The Server Management Console

The one place where you change almost every setting under SBS is via the Server Management Console (SMC). Those who have solid experience using a native Windows 2003 server should continually remind themselves to use the SMC instead of some of the tools that they are familiar with, unless they are confident that the modifications that they make to system settings will not have an adverse effect on the console.

This tends to go against conventional wisdom, but SBS was designed to be managed by people with fairly limited systems administration experience. If an administrative contractor comes in and ‘breaks’ the console, day-to-day administration tasks may become more difficult. The SMC can be loaded directly from the Start menu.

Adding client computers

In a typical Windows 2003 Domain, client computers are joined to the domain by logging on to the client and going through the System properties dialogue in Control Panel. In an SBS domain, however, a slightly different process is used.

To add a computer to the domain, load up the SMC, select ‘Client Computers’ and run the ‘Set Up Client Computers’ wizard. When you complete the wizard, a computer account is created on the domain, and you’ll be instructed to load up a web address on the client computer. Doing so will install various client components on the system (the latest service packs for Internet Explorer, Outlook 2003, the shared fax client etc.) and adjust various settings on the client that allow tighter integration with various SBS components.

Adding User Accounts

A similar process is used for adding user accounts — select the ‘Users’ category from SMC and start the ‘Add a User’ wizard. Essentially, the wizard-created user account is based on pre-defined templates. As a result, an Exchange mailbox, home folder, Sharepoint access and disk quota entries are configured for the user in addition to their account. 

There are four pre-defined templates that you can choose from. In escalating level of permissions, they are User Accounts, Mobile User Accounts, Power User Accounts and Administrator accounts. When creating your account, a description of each template is provided, allowing you to select which template is the best fit for the account that you’re creating. 