Jarrod Spiga, 25 April 2008, 2:32 PM
Now that your installation is up and running, it's time to start providing services to your end users.
Getting your server up and running with a basic configuration and adding user accounts and workstations to your domain is not too dissimilar to having machines strewn across your network in an ad hoc fashion. All the work that’s been done so far has been in preparation for what is covered in this article — the provisioning of services to your users from this central server.
Mail for the masses
The one service that business users rely on more than any other is email, so it’s probably the best place to start. In many cases, the configuration of Exchange that we have done up to this point (during the installation of SBS components) is adequate, and the ‘Set up Client Computers’ wizard should have installed Microsoft Outlook 2003 SP1 on each workstation and configured it so that it automatically connects to the Exchange server (of course, users should also be able to access Outlook Web Access — a webmail applet — via pointing their web browser to http://server-name/Exchange once their user account has been created).
But one size rarely fits all, and some readers may need to perform additional configuration steps in order to get their email services working to their liking. One or more of the following additional tasks tend to be required for many small businesses.
Configure the POP3 connector
If your ISP or web hosting provider already accepts email for your domain and you’d prefer to keep it that way (as opposed to getting mail delivered directly to SBS), the POP3 connector should be configured to regularly pull down messages from the remote server. The option to do this lies under the Advanced Management > POP3 Connection Manager applet within the Server Management Console (SMC).
Once this applet is open, start adding details about the POP3 services that you wish to pull email down from. There are two types of mailboxes that are supported:
- User mailboxes — where mail for a single person only is delivered to the mailbox on the remote POP3 server (and delivered directly to a single mailbox in Exchange); or
- Global mailboxes — where mail for more than one user is delivered to a single remote mailbox and Exchange applies ‘routing rules’ based on the addresses listed in the ‘to’ and ‘cc’ fields of each email to deliver each message to the correct mailbox or mailboxes.
If you don’t know which type of rule to configure for a given POP3 mailbox, contact the administrator of the remote mail system — they should easily be able to tell you which type of mailbox configuration you have.
Once you’ve added all of the rules that need to be added, click on to the Scheduling tab and set when and how regularly you want the POP3 connector to check remote servers for email. In order to minimise load on your server and remote servers, it’s best to customise the schedule so that remote mailboxes are polled most frequently during business hours, and infrequently at other times. Also, consider configuring the schedule to not check for messages during a one-hour block each day, so that the backup (which we’ll configure shortly) can run without tripping over the POP3 connector.
Lastly, it’s a good idea to configure the connector to deliver email that it cannot route to the Administrator’s mailbox — that way, they can review these messages, manually forward them and reconfigure the connector if required.
Adding or removing an email smarthost
As mentioned in last month’s guide, many ISPs do not allow outbound connections on port 25 — which will prevent Exchange from directly sending email to the remote mail server. In these cases, Exchange needs to be configured to use your ISP’s mail server as a smarthost.
If your ISP currently does not filter outbound connections on port 25 but will implement this policy in the future (or vice versa), the easiest way to add (or remove) smarthost settings is to re-run the ‘Configure E-mail and Internet Connection Wizard’. This can be done by selecting Internet and E-mail > Repair Internet and E-mail settings under the SMC.
Additional email domains
The wizards in SBS assume that you have registered only a single domain name that is used for email. As a result, further configuration is required if you wish to receive email addressed to multiple domains (i.e. if you want to receive email addressed to ‘contoso.com.au’ as well as ‘contoso.com’).
Additional email domains need to be added via a recipient policy, defined under Advanced Management > Name of your Exchange organisation (Exchange) > Recipients > Recipient Policies from within the SMC. Right-click on the Default Policy and bring up the Properties page (or create a new policy from scratch, if you’re game). Additional domains should be added under the Email Addresses (Policy) tab and should be prefixed with the @ symbol. Once you’ve made your policy change, be sure to right-click on the policy you modified and select ‘Apply this policy now...’ in order to force the changes to take effect immediately.
DNS Blacklisting
Unsolicited email is a major annoyance to most people, and DNS Blacklisting is a common method used to reduce the amount of spam that ends up in your inbox. DNS Blacklisting services can be added by right-clicking on Message Delivery, located under Advanced Management > Name of your Exchange organisation (Exchange) > Global Settings from within SMC, and navigating to the Connection Filtering tab. To add a blacklist provider, click on the Add button and enter the address of the blacklist in the DNS Suffix of Provider field.
Picking a dependable blacklist provider can be tricky, but using one of the following providers is generally a good idea (using more than one provider is not advised):
- relays.ordb.org
- relays.visi.com
- bl.spamcop.net
- blackholes.wirehub.net
- list.dsbl.org
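Blacklist providers can stop answering or start listing every address, so it is worth testing a DNS suffix before entering it in the Connection Filtering tab. The following Python sketch is an added example, not part of the original article: it builds the lookup name the way a DNS blacklist query works (IPv4 octets reversed, then the provider's suffix) and classifies a provider using the RFC 5782 test entries (127.0.0.2 must be listed, 127.0.0.1 must not). The provider name `dnsbl.example` and the fake resolvers are constructed so the example runs offline; leave out the `resolve` argument to query real DNS.

```python
import ipaddress
import socket

LOOPBACK = ipaddress.ip_network("127.0.0.0/8")

def dnsbl_query_name(ip, suffix):
    """Reverse the IPv4 octets and append the provider's DNS suffix."""
    octets = str(ipaddress.IPv4Address(ip)).split(".")
    return ".".join(reversed(octets)) + "." + suffix.strip(".")

def lookup(ip, suffix, resolve=socket.gethostbyname):
    """Return the provider's A-record answer for ip, or None if not listed."""
    try:
        return resolve(dnsbl_query_name(ip, suffix))
    except socket.gaierror:      # NXDOMAIN or resolution failure: no listing
        return None

def provider_health(suffix, resolve=socket.gethostbyname):
    """Classify a provider with the RFC 5782 test entries."""
    if lookup("127.0.0.1", suffix, resolve) is not None:
        return "lists-everything"    # would flag every sender, legitimate mail included
    answer = lookup("127.0.0.2", suffix, resolve)
    if answer is None or ipaddress.ip_address(answer) not in LOOPBACK:
        return "not-answering"       # the filter would silently block nothing
    return "ok"

def fake_resolver(zone):
    """Constructed stand-in for DNS so the example runs offline.
    zone maps query names to answers; "*" is a wildcard answer."""
    def resolve(name):
        if name in zone:
            return zone[name]
        if "*" in zone:
            return zone["*"]
        raise socket.gaierror("NXDOMAIN")
    return resolve

# Constructed zones for a hypothetical provider "dnsbl.example".
HEALTHY = fake_resolver({"2.0.0.127.dnsbl.example": "127.0.0.2"})
WILDCARD = fake_resolver({"*": "127.0.0.2"})
SILENT = fake_resolver({})

if __name__ == "__main__":
    for label, r in [("healthy", HEALTHY), ("wildcard", WILDCARD), ("silent", SILENT)]:
        print(label, provider_health("dnsbl.example", r))
```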
Mail administration tasks
Once the core features of Exchange are running properly, it’s time to start becoming familiar with some of the day-to-day Exchange-related administration tasks that you’re likely to be asked to perform.
Group mentality
Groups can be utilised in order to create mailing lists within your organisation. For instance, say that you have a couple of different teams of people working on different projects and you want to be able to easily email all users associated with a given project. By creating a group, adding the individual user accounts to the group and sending the email to the group, all members of the group will receive your message.
There are two classes of groups in a Windows Active Directory domain — distribution groups and security groups — and both types of groups can be used to create mailing lists within your Exchange Organisation. In general, you should create a distribution group, unless you also want to restrict or grant access to resources on your network to the members of the group.
Like most tasks under SBS, there are wizards to assist with the creation of both types of groups. If you add a user as the manager of a distribution group, that will provide that user with the ability to change the membership of the group using Outlook.
The final page of each wizard allows you to select whether you want to archive all messages sent to the distribution list to a public folder (accessible to all members of the group from within Outlook) and whether you want the list accessible by external parties. It’s generally a good idea to disable this last option — imagine if a spammer could email everyone on the list without knowing their actual email address?
Resource mailboxes
Exchange can also be used to manage resources such as meeting rooms, parking spaces, projectors and shared laptops. Initially, an Exchange Administrator would configure a mailbox for each resource, log on to the resource mailbox and adjust the Resource Scheduling settings. The big problem with using this method was that meeting organisers had to categorise the resource properly when planning a meeting. It was too easy to forget (or not know how) to do this in reality, which means that this method is practically useless.
In response to feedback, Microsoft later developed an add-on agent that handles resource requests in a much easier-to-use fashion. This add-on can be downloaded from Microsoft and documentation on the agent can be found here.
Public folders
There is often a need to share Outlook data (be it contact, calendar, task or email data) between groups of people within an organisation. Up until recently, this data has almost always been stored in public folders within Exchange. Indeed, a default installation of SBS has two pre-defined public folders — one for shared contacts and the other for storing Newsgroup data (if the NNTP connector is configured and enabled). Public folders are managed under Advanced Management > Name of your Exchange organisation (Exchange) > Folders > Public Folders.
Technically speaking, public folders are now a deprecated feature of Exchange. It’s currently possible (but difficult) to use public folders under Exchange 2007, and Microsoft has stated that public folders will continue to be supported until 2016. By this time, they hope that organisations will be utilising SharePoint Services 3.0 or later instead of public folders.
But SharePoint Services 2.0 is already installed on your server, and it’s tightly integrated with SBS. Upgrading SharePoint Services will cause various parts of SBS to no longer function as intended. Additionally, due to a conflict with Exchange 2003, you will also lose the ability to mail-enable public folders.
However, the lesson is clear — unless you have a specific need to, you should not install SharePoint Services 3.0 on SBS. If you must, ensure that you follow the instructions located here before you do so. For everyone else, though, keep using public folders and worry about migration later.
Sharing is caring
One of the next most-critical services that your server can offer is a centralised location to store data. By using the file server functionality of SBS, users can save important documents in defined repositories. Not only does this make finding documents easier, it also makes it easier to get accurate backups of all company data and to restrict access to sensitive information. SBS can also natively share printers in much the same fashion.
The existing shares
At least 15 different locations on your server are shared for various purposes after the installation of SBS (the actual number varies depending on how many disk partitions you have on your server). Most of these are used for administrative purposes, including storing the installation data for client applications and various logs and scripts.
The one share of note that is automatically created is the Users share. A subdirectory is created under this location for every user account created on your server, the idea being that every user has the ability to store certain personal data. It’s important to note that, by default, only Administrators and each specific user have access to any given user’s directory under this share.
Create shares
It’s a wise idea to create a number of other shares (pointing to a location on a non-system partition) in order to provide repositories for your users to save other potentially sensitive data (including My Documents Folder Redirection, as detailed below). File shares can be added via — you guessed it — the ‘Add a Shared Folder’ wizard, accessible under Shares (Local) within SMC, while Printer shares are added using the similar wizard located under the Printers section.
Create groups
Avoid the temptation to assign permissions for file-share resources to individual users — while this gives you the most granular control over access, adding permissions for new users to each share is then a long and repetitive process, not to mention that you might forget to grant or deny permissions to particular resources. The best practice is to assign permissions to security groups — and add users to those groups. This way, instead of having to add permissions for a new user to each individual share, you simply add the user to the relevant security groups. If you then need to deny certain rights to access a resource for a particular user, you can then add a permissions entry with an implicit deny for that specific user (implicit deny permissions entries will always override an allow entry).
Share-level vs file-system permissions
The permissions granted to any given user are a union of the share and file-system permissions — so remember to set permissions on the file system as well as on the share definition.
Take the Users share for example. The Domain Users group has Full Control permissions on the share but a limited permission set to the file system. As a result, non-administrator users can connect to the share and obtain a list of directories, but they cannot create files at this location.
Going one level deeper, look at the file-system permissions for the directory that belongs to one of your users. The Domain Users group has no permissions entry on this directory. As a result, all users bar the owner will not have access (the owner has access thanks to their own permissions entry on the directory). In order to grant access to any shared resource, permissions for both the share and file system must be granted.
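The group-based permissions and the Users share walkthrough above can be checked with a small model. This Python sketch is an added example, not part of the original article: it evaluates one access list (allow entries accumulate across a user's own entry and their groups, and a deny entry for the user removes rights), then requires a right to be granted by both the share and the file system. It is a simplified model that ignores inheritance; the user names, the Administrators entry on the root of the Users share and the Projects folder are constructed for illustration.

```python
FULL = frozenset({"list", "read", "write", "change-permissions"})
READ = frozenset({"list", "read"})
WRITE = frozenset({"write"})

def evaluate(acl, user, groups):
    """Rights a single ACL gives the user. Allow entries accumulate across the
    user's own entry and their groups; a matching deny entry removes rights."""
    who = {user} | groups.get(user, set())
    allowed, denied = set(), set()
    for principal, kind, rights in acl:
        if principal in who:
            (allowed if kind == "allow" else denied).update(rights)
    return frozenset(allowed - denied)

def effective(share_acl, fs_acl, user, groups):
    """Over the network, a right must be granted by the share AND the file system."""
    return evaluate(share_acl, user, groups) & evaluate(fs_acl, user, groups)

# Constructed sample data: user names and the Projects ACL are hypothetical.
GROUPS = {
    "alice": {"Domain Users", "Project Team"},
    "bob": {"Domain Users", "Project Team"},
    "admin": {"Domain Users", "Administrators"},
}
# Share level: Domain Users have Full Control, as on the Users share.
SHARE_ACL = [("Domain Users", "allow", FULL)]
# File-system level: limited rights at the root, owner-only in a user's directory.
USERS_ROOT_FS = [("Administrators", "allow", FULL), ("Domain Users", "allow", READ)]
ALICE_DIR_FS = [("Administrators", "allow", FULL), ("alice", "allow", FULL)]
# Group grant plus a deny entry for one specific user.
PROJECTS_FS = [("Project Team", "allow", READ | WRITE), ("bob", "deny", WRITE)]

if __name__ == "__main__":
    for label, fs in [("Users root", USERS_ROOT_FS), ("alice's dir", ALICE_DIR_FS),
                      ("Projects", PROJECTS_FS)]:
        for user in GROUPS:
            print(label, user, sorted(effective(SHARE_ACL, fs, user, GROUPS)))
```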
Quotas
After a while, you may receive complaints from some users that there is insufficient disk space available when they are writing data to a share — especially if the share is located on the system partition. By default, SBS enables disk quotas on the system partition to ensure that users cannot store excessive amounts of data (and to minimise the chance of the system drive filling up). By default, each user is limited to writing 1GB of data to the system partition. Essentially, this is one of the main reasons why user-accessible shares should not be located on the system partition. You can review the quota configuration of a drive under the Quotas tab of that drive’s properties dialog, accessible by right-clicking on the drive in Windows Explorer and selecting Properties.
Shared faxing
If you have a fax modem available to connect to your server, you can configure SBS to send and receive faxes without having to worry about the amount of paper that you use. The most critical step of the Configure Fax Services wizard controls how incoming faxes are routed. You can choose any number of the following routing methods:
- Forwarded by email to an email address, distribution list or public folder
- Stored in a directory on the file system
- Stored on the SharePoint Services web site
- Printed out
As was the case with Outlook, a shared fax client should automatically be installed on a workstation once it has been added to the domain (assuming that the appropriate wizard was used). Therefore, if you have a fax modem hooked up to your server and it’s properly configured, sending faxes should be trivial.
Backups
The key to effective backups is to ensure that you are backing up all of the data that you need as frequently as you require (and that you know how to restore it if required).
As mentioned previously, it’s easier to find what you need to back up if it is stored in a managed way on the server. Another way that you can force users to save things on the server is to use ‘Configure My Documents Redirection’ (which you can do from under the Backup section of SMC). By doing so, when a user creates a file under My Documents, it is written to their directory under the Users share on the server (or another configurable location), instead of under Documents and Settings on the local system. Providing a common set of My Documents folders to your users, regardless of which PC they log on to, is an added bonus.
The Configure Backup wizard should be executed to create or make modifications to your backup schedule. The first step of the wizard searches for a tape drive — if you don’t have one, you should definitely store your backups in some location other than on the server. The cheapest flexible storage medium is a hard drive in a USB enclosure.
The wizard will bring to your attention various settings that you may not have considered before, including how long deleted items are retained for in Exchange, or whether shadow copies of user data should be retained (allowing your users to revert to previous versions of their documents).
Vista, Office 2007 and SBS
It has recently come to our attention that there are a number of compatibility issues when using the ‘Set up Client Computers’ wizard when deploying Windows Vista or Office 2007 clients with SBS. Several hotfixes for these issues are available here.