Thursday, 14 October 2010

SBS 2008 Setup Guide V1.7.0

This will be our preliminary setup checklist for getting an SBS 2008 install configured once the base OS install has completed. This post complements what is in our SBS 2008 Blueprint book. It will also provide the foundation for a chapter in our upcoming SBS 2008 Advanced Blueprint book.

There will be some minor tweaks and modifications to this list as we go along with our installs. If things change a lot, then we will run a new post and call it V2. :)

For the most part, items in the list are fleshed out in the SBS 2008 Blueprint book. Items that we have encountered beyond the book are addressed in existing or subsequent blog posts.

The following assumes that the server manufacturer’s prep disk was used to update the BIOS, motherboard firmware, RAID controller firmware, backplane firmware, and any other device’s onboard firmware prior to installing the SBS 2008 OS. The firmware update step is an absolutely critical one for the stability of the server.

Here is our list so far:

  1. Install the manufacturer’s drivers.
      1. RAID, including the RAID monitoring/status software.
      2. Chipset.
      3. Video.
      4. NIC (do not team). Unplug or disable any extra NICs for now.
      5. Management suites from the hardware manufacturers will be installed later in this process.
      6. We do not install the System Center Essentials that Intel provides with our Intel-based SBS 2008 servers.
  2. Desktop
      1. Set the desktop resolution for the attached monitor.
          • Keep in mind that some remote management modules such as Dell’s DRAC may not work if the monitor’s resolution is set too high.
      2. Enable desktop icons.
  3. GUI Customization
      1. Windows Explorer.
      2. Start Menu.
      3. Notification Area.
      4. Add a Desktop toolbar to the Task Bar.
      5. Internet Explorer.
          1. Add http://download.microsoft.com to Trusted Sites.
      6. Task Manager process column customization.
  4. Partitioning
      • RAID 1+0 is our default (4 disks) plus a hot spare. In the list below, the name following the size is the volume label.
          • 640GB (4x 320GB SATA)
          • C: 100GB SS-SBS (rename to the SBS server name)
          • S: 25GB SwapFile (8GB RAM * 1.5, with wiggle room)
          • L: 515GB NetworkData
  5. Move the optical drive letter to Z:.
  6. Move the swap file to the S: partition (reboot, then use the services shutdown batch file from the next step to speed the reboot up).
  7. Copy and paste the services shutdown batch file onto the desktop (previous blog post).
      • Right click and Run as Administrator.
      • The batch file will improve reboot times by 50%-75%!
  8. Install and configure the Print Services role: SBS 2008 Terminal Services and HP Printer Drivers (previous blog post).
  9. Windows Native Tools Management Console modifications:
      1. Add the Group Policy Management Console.
      2. Add the Print Management snap-in (after adding the Print Server role).
      3. Add the Share and Storage Management snap-in.
      4. Add the File Server Resource Manager snap-in.
      5. Add the TS Gateway Manager.
      6. Add the Windows Server Backup snap-in.
  10. Run MMC, add the local Computer certificate store snap-in, and save the console to the desktop for later use.
      • It can also be found in the SBS Native Tools console.
  11. Configure an authoritative time source for the SBS OS.
      1. Blog Post: SBS 2008 Physical And Hyper-V – Set Up the Domain Time Structure.
      2. TechNet: Synchronize the Source Server time with an external time source for Windows SBS 2008 migration.
      3. Once the commands have run, an error message or two may show in the Event Logs; they should soon be replaced by a successful connection to the authoritative time source.
      4. Note Oliver Sommer’s comments in the above article.
  12. Enable Shadow Copies on the NetworkData partition and set a schedule. We use before hours, coffee, lunch, coffee, and after hours for the schedule.
  13. DHCP IPv4 properties (DNS updates and credentials).
      • Domain: SBSDomain.local
          • The extension is required.
  14. DHCP additional exclusions for printers (x.1-10) and servers (x.250-254).
  15. DNS settings: scavenging at 7 days and AD-integrated zones.
  16. Create a 5GB soft quota (File Server Resource Manager).
  17. Add Network Service to the IIS WAMREG admin service (Local Activation permission on the DCOM application in Component Services) to eliminate DCOM 10016 errors in the event logs (links to MS KB920783 article).
      • Note that the BPA will pick up any previous log entries and claim that the problem still exists. The error is safe to ignore once the edit has been completed.
  18. Enable firewall logging and pop-ups: SBS 2008 Windows Firewall with Advanced Security troubleshooting (previous blog post).
  19. Create the default Company shared folder with the required NTFS and share permissions on the L: NetworkData partition.
      • Share name: Company.
      • Quota: 5GB soft.
      • Enable Access-based Enumeration.
      • NTFS permissions:
          • Domain Admins = Full.
          • Domain Users = Modify.
      • Share permissions:
          • Domain Admins = Full.
          • Domain Users = Full.
  20. Create the ClientApps folder (previous blog post on GP and the ClientApps folder) on the L: NetworkData partition.
      • Share name: ClientApps.
      • Quota: none.
      • Enable Access-based Enumeration. Subfolders can be given custom permissions later to exclude users or groups and thus hide those subfolders.
      • NTFS and share permissions:
          • Domain Admins = Full.
          • Domain Users = Full.
          • Domain Controllers = Full.
          • Domain Computers = Full.
  21. Make changes to the WSUS setup:
      • WSUS classifications: enable all except Drivers.
          • Driver delivery for Windows Vista and 7 has 
      • WSUS sync schedule: increase the synchronization frequency depending on what products are installed on the server.
  22. Getting Started Tasks – out of order:
      1. Configure and take a backup now.
      2. Times: 12:30, 17:30, 23:00.
          • Make sure that the backup times and the Volume Shadow Copy snapshots do not happen at the same time.
      3. Backup Now by right clicking on the configured backup and running it.
      4. Back up in between each batch of updates.
  23. Exchange Server 2007 rollup install (previous blog post). Search the Microsoft Download site for the Exchange 2007 rollup (Microsoft Download Site Search). Check to make sure there are no newer rollups.
  24. Server updates via WSUS/MU.
  25. Create a new User Role in the SBS Console.
      • Name: Standard User – Restricted.
      • Remove all group memberships.
      • Add the Domain Users security group only.
      • Remove the OWA permission.
      • No RWW or VPN.
      • Verify the permissions in the User Role after it is created.
      • This role is used for the local admin account deployed via Group Policy later in this guide.
  26. Group Policy configurations (previous blog post):
      1. Default Computer Policy:
          1. Local Policies: User Rights Assignment.
          2. Local Policies: Security Options.
              • Enable UAC by default in Group Policy (previous blog post).
              • NOTE: The UAC structure can be split between the Computers, SBSComputers, and SBSServers GPOs so that domain admin accounts are only prompted on servers.
          3. Remote Connectivity: remove the Disconnect option from the Start Menu and add the Windows Security option.
      2. Windows SBSUsers Policy:
          1. Configure screensaver management. Our default is 45 minutes with logon.scr as the default screensaver. A password is always required.
              • 2010-10-18: For Windows 7 we now use scrnsave.scr, which is a blank screen, as the basis for all screensavers.
          2. Mapped network drive (M: = \\SS-SBS\Company) via Group Policy Preferences.
          3. Set Companyweb as the default site in IE.
          4. Add the RWW and OWA URLs to IE’s Favorites.
      3. Windows SBSComputers Policy:
          1. Deploy a restricted domain user to _all_ systems’ local Administrators group.
              1. Create a new user using the Standard User – Restricted role.
              2. Deploy to the workstations’ local Administrators group via Group Policy Preferences.
              3. Remove the user’s mailbox (previous blog post).
      4. Default Printer Deployment Policy:
          1. Deploy printers to XP Professional x86 (previous blog post).
          2. Deploy printers to Windows Vista using the Print Management snap-in.
      5. Windows SBSComputers XP Pro Policy:
          1. Deploy Windows Defender to Windows XP Professional (optional).
  27. Install the server hardware manufacturer’s management software suite.
  28. Set the SBS domain password policies (60-75 days, 10-12 character minimum, with complexity).
      • Note that all users’ passwords will be flagged to require a new password!
  29. Enable Folder Redirection.
      • Changing the security settings in the default GPO for redirection will show FR as not enabled in the SBS Console.
      • We remove the Exclusive Access setting on any redirected folders to avoid complications when it comes time to migrate the client to a new server.
  30. Remove the Public share in the SBS Console.
  31. If using the self-issued certificate, copy the certificate package to the Network Admin\SBS folder in the Company shared drive. (We create a Network Admin folder in the Company shared folder at all client sites.)
      • If using a GoDaddy certificate, make sure to install the GoDaddy intermediate certificates (download page) into the Intermediate Certification Authorities store individually to avoid any issues later.
          1. gd_intermediate.crt
          2. gd_cross_intermediate.crt
          3. Disable all uses for the GoDaddy Class 2 root certificate in Trusted Root Certification Authorities.
          4. Restart the IIS Admin service.
          5. Install the GoDaddy certificate using the wizard.
  32. Move the relevant data folders to the L: partition. We move all but the Exchange databases.
      1. WSS (SharePoint) data.
      2. Users’ Shared Folders.
          1. Re-enable Access-based Enumeration.
      3. Users’ Redirected Folders data.
          1. Re-enable Access-based Enumeration.
      4. WSUS update repository data.
  33. SBS Console Getting Started Tasks:
      1. Connect to the Internet.
      2. Customer Feedback options.
      3. Set up your Internet address.
      4. Configure a Smart Host for Internet e-mail.
      5. Add a trusted certificate.
      6. Configure server backup: done earlier in this checklist.
      7. Add new users (use the multiple-user wizard under Users if there are a lot of users to add).
      8. Connect computers: http://connect.
      9. Share printers via Group Policy for Windows Vista and PushPrinterConnections.exe for Windows XP Pro SP3 (both links are previous blog posts).
      10. Set up Office Live Small Business.
  34. Configure the Reports e-mail addresses.
  35. Copy the Logon Failure XML code (CodePlex site) into a new Event ID filter and set an e-mail to fire when a failed logon occurs.
  36. Configure workstations on the domain.
  37. Create and configure the Group Policy Central Store.
  38. Enable an MFP or copier to scan to e-mail destined for a Companyweb SharePoint library (previous blog post).
  39. Enable and configure Windows Search Service on SBS 2008 or a Windows Server 2008 RTM/R2 file server, and Libraries on Windows 7 (Official SBS Blog post).
      1. Install the Search Service.
      2. Add the share to Windows 7 Libraries.
      3. Click Start, start typing, and watch those network file results flow!
  40. Fix the SharePoint 2436 Search errors (Official SBS Blog post).
  41. Fix the networking settings for Add-On Congestion Control Provider, Receive Window Auto-Tuning Level, Receive-Side Scaling State, and Task Offload (previous blog post).
  42. Download, install, and run the SBS 2008 Best Practices Analyzer.
      1. The BPA will pick up a lot of the little things that need to be configured, such as advanced OS networking features that should be disabled, the SharePoint 2436 error above, and others.
  43. Change the initial domain administrator’s password if an answer file was used (remember to reset the DHCP credentials and any event-fired Task too). Note that if the admin account has not been logged off since the password policies were changed, logging off and on again will require a password change anyway.
  44. Configure Custom Views and e-mail Task triggers for Event IDs (SBS Native Tools Management).
  45. OPTIONS:
  46. Customize the SBS Console reports.
  47. Run a backup. Crash the server. Restore the backup. Deliver.
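
As an added example that is not part of the original post or the articles it links to, here is the authoritative time source item of the checklist done from an elevated PowerShell prompt on the SBS server (which holds the PDC emulator role). The NTP peer list is an assumption; substitute your own. The Hyper-V note covers the virtual case named in the linked post's title.

```powershell
# Added example (not from the original post): make the SBS 2008 server, which holds
# the PDC emulator role, the domain's authoritative time source.
# Assumption: pool.ntp.org peers; use the servers you trust. 0x8 = NTP client mode.
$peers = "0.pool.ntp.org,0x8 1.pool.ntp.org,0x8 2.pool.ntp.org,0x8"

# Point the PDC emulator at external NTP and advertise it as a reliable source so
# domain members, which use the domain hierarchy by default, follow it.
w32tm /config /manualpeerlist:"$peers" /syncfromflags:manual /reliable:yes /update
Restart-Service w32time
w32tm /resync /rediscover

# Checks: the source must be one of the external peers, not "Local CMOS Clock" or
# "Free-running System Clock", and the stratum should be a small number.
w32tm /query /source
w32tm /query /status

# The post notes that an error or two may appear first and then clear. Event 47
# (no valid response from a manually configured peer) followed by event 37 (now
# receiving valid time data) is the expected sequence; a persistent 47 means
# outbound UDP/123 is blocked at the firewall or the peer names do not resolve.
wevtutil qe System "/q:*[System[Provider[@Name='Microsoft-Windows-Time-Service']]]" /c:10 /rd:true /f:text

# Hyper-V caveat: a guest that also has the Time Synchronization integration
# service enabled takes its clock from the host and fights this configuration.
# Disable that integration service in the VM settings before running the above.

# On other domain-joined servers, confirm they follow the domain hierarchy:
#   w32tm /config /syncfromflags:domhier /update ; w32tm /resync
```

Kerberos tolerates a five-minute skew by default, so a DC drifting on the CMOS clock eventually breaks authentication for the whole domain; the source and status checks above are the ones worth repeating after any firmware or hypervisor change.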
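
The Company and ClientApps shared folder items above, as an added example that is not the post's own procedure (the post does this in Share and Storage Management). It assumes a domain NetBIOS name of SBSDOMAIN, an existing L: NetworkData volume, and File Server Resource Manager already installed for dirquota.exe. The SYSTEM grant and the ClientApps hardening remark are additions of mine, marked as such in the comments.

```powershell
# Added example (not from the original post). Assumptions: domain SBSDOMAIN, volume L:.
$domain = "SBSDOMAIN"

function New-SbsShare {
    param(
        [string]$Path,
        [string]$Name,
        [hashtable]$NtfsGrants,   # identity -> icacls right: F = Full, M = Modify, RX = Read & Execute
        [string[]]$ShareGrants,   # identities that get Full on the share
        [string]$Remark
    )
    if (-not (Test-Path $Path)) { New-Item -ItemType Directory -Path $Path | Out-Null }

    # Break inheritance first so the volume root's default ACEs do not leak into the
    # share, then grant exactly what the checklist lists. (OI)(CI) = applies to files
    # and subfolders below.
    icacls $Path /inheritance:r
    icacls $Path /grant:r "SYSTEM:(OI)(CI)F"   # my addition: backup, VSS and FSRM run as SYSTEM
    foreach ($id in $NtfsGrants.Keys) {
        icacls $Path /grant:r "${id}:(OI)(CI)$($NtfsGrants[$id])"
    }

    # Share permissions are Full for everyone listed; NTFS is the effective control.
    $netArgs = @("share", "$Name=$Path", "/REMARK:$Remark")
    foreach ($id in $ShareGrants) { $netArgs += "/GRANT:$id,FULL" }
    & net $netArgs
}

# Company: Domain Admins Full, Domain Users Modify (users can add, change and delete).
New-SbsShare -Path "L:\Company" -Name "Company" -Remark "Company shared folder" `
    -NtfsGrants @{ "$domain\Domain Admins" = "F"; "$domain\Domain Users" = "M" } `
    -ShareGrants @("$domain\Domain Admins", "$domain\Domain Users")

# 5GB soft quota: reports and can notify, but does not block writes.
dirquota quota add /Path:L:\Company /Limit:5GB /Type:Soft

# ClientApps: Full for admins, users, DCs and computers. Domain Computers is needed
# because Group Policy software installation runs as the machine account, before
# any user logs on. Hardening remark (not in the checklist): if users only ever run
# installers from here, "RX" for Domain Users stops a user from replacing an installer
# that every workstation later executes as SYSTEM.
$clientAppsIds = @("$domain\Domain Admins", "$domain\Domain Users",
                   "$domain\Domain Controllers", "$domain\Domain Computers")
$clientAppsNtfs = @{}
foreach ($id in $clientAppsIds) { $clientAppsNtfs[$id] = "F" }
New-SbsShare -Path "L:\ClientApps" -Name "ClientApps" -Remark "Applications deployed by Group Policy" `
    -NtfsGrants $clientAppsNtfs -ShareGrants $clientAppsIds

# Verify: the ACL is what users actually get, the share grants are just the outer gate.
icacls L:\Company
icacls L:\ClientApps
net share Company
net share ClientApps
```

Access-based Enumeration is then turned on per share in Share and Storage Management as the checklist says; the script does not cover it. When an ACL later needs a group excluded from a ClientApps subfolder, break inheritance on that subfolder only and leave the share-level grants alone.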
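
The DHCP credentials, DHCP exclusions and DNS scavenging items above from the command line, as an added example that is not part of the original post. It assumes a 192.168.10.0/24 scope, the SBSDomain.local zone, and a dedicated low-privilege account SBSDOMAIN\dhcpdns created beforehand for the DHCP server's dynamic DNS updates; the post itself does not specify which account it uses.

```powershell
# Added example (not from the original post). Assumptions: scope 192.168.10.0/24,
# zone sbsdomain.local, pre-created non-admin account SBSDOMAIN\dhcpdns.
$scope = "192.168.10.0"
$zone  = "sbsdomain.local"

# Exclusions: printers x.1-10 and servers x.250-254, the ranges the checklist gives.
netsh dhcp server scope $scope add excluderange 192.168.10.1   192.168.10.10
netsh dhcp server scope $scope add excluderange 192.168.10.250 192.168.10.254

# DNS update credentials. The checklist has these reset whenever the administrator
# password changes, which is what happens if the admin account is used here. A
# dedicated account with no admin rights removes that chore and means a DHCP-owned
# DNS record is never registered with domain-admin rights.
netsh dhcp server set dnscredentials dhcpdns $zone.Split('.')[0].ToUpper() "<password>"
netsh dhcp server show dnscredentials

# Scavenging at 7 days. A record cannot be refreshed for 7 days (no-refresh), may be
# refreshed for the following 7 (refresh), and the server sweeps every 168 hours, so a
# dead record survives between 14 and 21 days. Aging must be on at the zone and the
# scavenging interval on at the server, or nothing is ever removed.
dnscmd /Config /ScavengingInterval 168
dnscmd /Config $zone /Aging 1
dnscmd /Config $zone /NoRefreshInterval 168
dnscmd /Config $zone /RefreshInterval 168

# Checks: scavenging interval, zone aging and that the zone is AD-integrated
# (DsIntegrated = 1 in the ZoneInfo output).
dnscmd /Info /ScavengingInterval
dnscmd /ZoneInfo $zone
netsh dhcp server scope $scope show excluderange
```

The domain part of the credentials is derived from the zone name here only for brevity; in a domain whose NetBIOS name differs from the first DNS label, pass the NetBIOS name explicitly.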
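
An event-triggered task that e-mails on failed logons, covering both the Logon Failure filter item and the Custom Views and e-mail Task triggers item above. This is an added example, not the CodePlex XML the post links to or the SBS Native Tools procedure. It assumes Windows PowerShell 2.0 is installed on the SBS server (the WMF update), that the local Exchange 2007 receive connector accepts mail from the server itself, and that the sender and recipient addresses are yours to change.

```powershell
# Added example (not from the original post). Assumptions: PowerShell 2.0, Exchange
# 2007 on this server accepting SMTP from localhost, addresses below are placeholders.

# Security log events for a failed logon on Windows Server 2008:
#   4625 = an account failed to log on (interactive, network, RDP)
#   4771 = Kerberos pre-authentication failed (bad password against the DC)
#   4776 = NTLM credential validation failed
$xpath = "*[System[Provider[@Name='Microsoft-Windows-Security-Auditing'] and (EventID=4625 or EventID=4771 or EventID=4776)]]"

# The alert script the task runs as SYSTEM. It re-reads the newest matching events so
# the mail carries the account name, source workstation and failure reason.
$alertScript = @'
$recent = wevtutil qe Security "/q:*[System[(EventID=4625 or EventID=4771 or EventID=4776)]]" /c:5 /rd:true /f:text
$body   = [string]::Join("`r`n", $recent)
$smtp   = New-Object System.Net.Mail.SmtpClient("localhost")   # Exchange 2007 on the SBS box
$smtp.Send("alerts@sbsdomain.local", "admin@sbsdomain.local", "Failed logon on $env:COMPUTERNAME", $body)
'@
New-Item -ItemType Directory -Path "C:\Scripts" -Force | Out-Null
Set-Content -Path "C:\Scripts\Alert-FailedLogon.ps1" -Value $alertScript

# Register the trigger. /SC ONEVENT needs the channel (/EC) and an XPath filter (/MO);
# the filter is the same query a Custom View in Event Viewer would store.
schtasks /Create /F /TN "SBS - Failed logon alert" /RU SYSTEM /SC ONEVENT /EC Security /MO $xpath `
    /TR "powershell.exe -NoProfile -ExecutionPolicy Bypass -File C:\Scripts\Alert-FailedLogon.ps1"

# Checks. First confirm failure auditing is actually on, or the events never exist:
auditpol /get /category:"Logon/Logoff" | findstr /i "Logon Failure"
# Then run the filter by hand and fire the task once to prove the mail path works.
wevtutil qe Security "/q:$xpath" /c:3 /rd:true /f:text
schtasks /Run /TN "SBS - Failed logon alert"
```

On a busy network 4776 alone can be noisy (every NTLM typo from every workstation lands on the DC); if the mailbox fills up, drop 4776 from both filters and keep 4625 and 4771, which still catch password guessing against the domain.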

                        One thing to keep in mind when it comes to checklists is that they are never meant to be a replacement for the materials they summarize!

                        It is very important to understand why the various steps need to be accomplished, how those steps can change over time due to changes in the operating system, the hardware configurations underneath the OS, and the technician’s own growth in experience and understanding.

                        The “why” leads to an ability to understand how things are going wrong when they do. Note that we are saying, “when” and not “if” things go wrong.

                        Troubleshooting

                        UPDATES:

                        • 2009-05-11: V1.0.1 – Added a step and a few sub steps for Group Policy settings.
                        • 2009-05-14: V1.0.2 – Added the IE SBSUsers settings.
                        • 2009-05-19: V1.1.0 – Added some tweaks and changes to the existing steps.
                        • 2009-05-23: V1.1.1 – Added the option to map the Companyweb site to a network drive.
                        • 2009-05-29: V1.2.0 – Significant changes and adjustments made with some additional steps too.
                        • 2009-09-05: V1.2.1 – Added the option for allowing copiers and MFPs to relay e-mail through to users and a SharePoint library, the Troubleshooting section, and some formatting changes.
                        • 2010-01-14: Numerous updates including the Exchange 2007 SP2 mention.
                        • 2010-01-17: v1.4.1 – Added the need to set up time synchronization as well as cleaned up some HTML code.
                        • 2010-01-27: v1.4.2 – Added the blog post link for configuring the time service step.
                        • 2010-05-01: v1.5.0 – Numerous changes and updates to the process.
• 2010-10-18: v1.6.0 – Restructured the order of some steps to better represent the work flow, such as backing up SBS _before_ applying the Exchange service pack. Numerous other changes.
                        • 2010-10-25: v1.7.0 – Added some steps and some clarifications for the steps.

                        Philip Elder
                        MPECS Inc.
                        Microsoft Small Business Specialists
                        Co-Author: SBS 2008 Blueprint Book

                        *All Mac on SBS posts will not be written on a Mac until we replace our now missing iMac! (previous blog post)


                        13 comments:

                        Anonymous said...

                        This is great stuff! Exactly what I was looking for. Thanks for writing all this down.

                        Sebastian said...

Great list, I have been testing the steps for myself for a while.

One question though: why do you leave the Exchange files on the system partition (step 33)?

                        Regards,

                        Sebastian

                        PaulG said...

Great checklist! One thing we always do is enable protocol logging on SMTP so that when a client needs to track a specific e-mail, or find out why theirs is getting blocked, we have some info to go on.

                        Philip Elder Cluster MVP said...

                        Sebastian,

                        Primarily due to the disaster recovery situations that we have been in. It is a lot easier to recover two partitions, not including the partition for a swap file, than it is to work with multiple partitions tasked to various server components.

                        Paul,

                        The message tracking mechanism in the Exchange Management Console is phenomenal. As an example, for the photocopier scan to e-mail post, we were able to track down a transmission problem we were having to case sensitivity in the e-mail address.

                        Thanks for the comments!

                        Philip

                        Unknown said...

You should add to this list something to ensure that GPP gets installed on all computers.

This MVP has a script to ensure it occurs at logon, which means it'll get installed as part of the http://connect process, increasing the chances of GPOs being applied on the user's first logon.

                        http://msmvps.com/blogs/cgross/archive/2008/12/16/installing-group-policy-preferences-client-side-extensions.aspx

                        Anonymous said...

This is very useful. But what the hell is "Access-based Enumeration"? Why don't you use a language that everybody understands?

                        Regards
                        Ueli

                        Philip Elder Cluster MVP said...

                        Ueli,

                        Access-based Enumeration (AbE) is a feature that is built into the Windows 2008 Server OS and was an add-on feature to the Windows Server 2003 OS.

                        AbE gives us the ability to hide folder shares or the folders themselves that users do not have permission to access.

                        "Out of sight, out of mind".

                        Philip

                        Rich said...

                        ETA on SBS 2008 Advanced book? I have the first SBS 2008 book and it was great.

                        Ken S said...

Very helpful update. I just purchased your Blueprint book and am starting to plan the installation of an SBS 2008 server. In step 6 you state "Move the Swap File (Reboot and use the above script to speed it up)."

                        I don't find the script. Is it in your book or another post?

                        Ken

                        Philip Elder Cluster MVP said...

                        Ken,

                        Good catch!

                        The line should read ... use the batch file below to speed it up.

                        Philip

                        Bjoern Schroeder said...

                        Hi Philip,

                        great blog, great setup-guide :)
One question about step 33: why not move the Exchange database to a separate partition?

                        Bjoern

                        Philip Elder Cluster MVP said...

                        Bjoern,

                        Unless we are dealing with a special situation where I/O is extremely important, we leave the Exchange databases on the system partition for disaster recovery reasons.

                        Performance is not an issue as we put the swap file on its own partition to avoid fragmentation.

                        Philip
