Monday, 23 July 2012

SBS 2011 Setup Guide v1.13.0

This list is the guide that we use to set up our SBS 2011 boxes or VMs in a consistent manner. As with earlier versions of SBS, this version too will require a number of post OS install tweaks and configuration steps.

The following assumes that the server manufacturer’s prep disk was used to update the BIOS, motherboard firmware, RAID controller firmware, backplane firmware, and any other device’s onboard firmware prior to installing the SBS 2008 OS. The firmware update step is an absolutely critical one for the stability of the server.

Note that we do not input the Product Key into the OS until we are ready to put the server into production or are on the edge of finishing up a migration.

The SBS 2011 Setup Steps
  1. When installing into a VM set the time.
    • MPECS Inc. Blog: Hyper-V- Preparing A High Load VM For Time Skew
    • Standalone: When virtualizing SBS on a standalone server set the host to poll pool.ntp.org for the correct time. Configure the host’s firewall to allow NTP polling on the local subnet. Then set the SBS VM to poll the host’s IP or hostname for time using the above settings.
    • Clustered: Have the standalone DC polling pool.ntp.org and set as the authoritative time source for the domain. Have SBS and other VMs poll the standalone DC for their time using the above settings.
  2. Install the manufacturer’s drivers.
      1. RAID including RAID monitoring/status software.
      2. Chipset.
      3. Video.
      4. NIC (Do not team). Unplug or disable any extra NICs for now.
      5. Management suites from the hardware manufacturers will be installed later on in this process.
      6. We do not install System Center Essentials that is provided by Intel on our Intel based SBS 2008 servers.
    1. Desktop
        1. Set the desktop resolution for the monitor attached.
          • Keep in mind that some remote management modules such as Dell’s DRAC may not work if the monitor’s resolution is set too high.
        2. Enable desktop icons:
          1. Click Start –> type: Desktop Icons [Enter].
            • image
      1. GUI Customization
          1. Windows Explorer.
            • Extensions, Show hidden . . .
            • image
            • image
          2. Start Menu.
          3. Notification Area.
          4. Add a Desktop Toolbar to the Task Bar .
            • image
          5. Internet Explorer.
            1. Add http://download.microsoft.com to Trusted Sites.
          6. Task Manager Process Column Customization.
            • PID, memory usage, maximum memory usage, I/O Bytes (3)
        1. Partitioning
            • NEW: RAID 5 with 4x 15K SAS Spindles (four drives) is now our default RAID setup for small clients.
              • For our 8-15 seat clients we will configure 5 15K SAS spindles in RAID 5 plus a hot spare depending on their I/O requirements.
              • With the advent of the 300GB and 600GB Intel 320 Series SSDs we are looking to SSD going forward for those clients that require ultra-high performing storage systems.
              • For clients with around 15 seats or more we are starting to configure a standalone 1U server for virtualization or Hyper-V Cluster directly attached to a Promise VTrak RAID Subsystem (VTE310sD or VTE610sD) for maximum storage flexibility.
            • Name after the amount of storage is the drive label.
              • ~900GB Usable (4x 300GB 15K SAS)
              • C: 150GB SS-SBS (Rename to SBS server name)
              • S: 1.5x RAM xxGB SwapFile (Min. 10GB RAM * 1.5 with wiggle room)
                • 32GB SwapFile
                • SBS 2011 swap file configuration out of the box:
                  •  image
              • L: 718GB WorkingStorage
            • Note: Exchange 2010 has been designed from the ground up to utilize more RAM. Adding more RAM for Exchange performance would be our priority before adding more spindles to the RAID 10 set.
            • Also, we do not install SATA hard drives of any kind into server settings anymore. In our experience they are too problematic in RAID arrays no matter which manufacturer made them. 
            • MPECS Inc. Blog: SAS versus SATA and Hardware RAID versus Software RAID.
          • Move the optical drive letter to Z:.
          • Move the Swap File (Reboot).
          • SBS 2011: Do _not_ Copy and paste this services shutdown batch file onto the desktop (previous blog post).
            • The Exchange 2010 team has addressed the issues of having Exchange installed on a DC with this version. Exchange 2007 had shutdown timing issues thus the long shutdown times.
          • Install and configure Print Services Role: SBS 2008 Terminal Services and HP Printer Drivers (previous blog post).
            • image
          • Windows Native Tools Management Console modifications
            1. Add the Group Policy Management Console
            2. Add the Print Management snap-In (after adding the Print Server Role).
            3. Add the Share and Storage Management snap-in.
            4. Add the File Server Resource Manager snap-in.
            5. Add the Remote Desktop Services Manager snap-in.
            6. Add the Windows Server Backup snap-in.
              • image
          • Configure an authoritative time source for the SBS OS.
            1. Blog Post: Hyper-V- Preparing A High Load VM For Time Skew
              • This is the best methodology to date for setting up a VM’s Windows Time Service.
            2. Blog Post: SBS 2008 Physical And Hyper-V – Set Up the Domain Time Structure.
              • The default time.windows.com is not a reliable source.
            3. TechNet: Synchronize the Source Server time with an external time source for Windows SBS 2008 migration.
            4. Once the commands have run, an error message or two may show in the Event Logs soon to be replaced by a successful connection to the authoritative time source.
            5. Note Oliver Sommer’s comments in the above article.
          • Enable ShadowCopies on the WorkingStorage partition and set a schedule. We use before hours, coffee, lunch, coffee, and after hours for the schedule.
          • DHCP IPv4 Properties (DNS updates & credentials)
            • image
            • Enable Name Protection and set the credentials.
          • DHCP additional exclusions for printers (x.1-10 if not present) and servers (x.250-254).
          • DNS Settings for Scavenging at 7 days and AD integrated zones.
          • Verify NIC Binding Order Settings: Blog Post: Slow Network Speeds with SBS 2008 and 2011: NIC Binding Order
          • Create a 10GB Soft Quota (File Server Resource Manager).
          • Enable firewall logging and pop-ups: SBS 2008 Windows Firewall with Advanced Security troubleshooting (previous blog post).
            1. Customize the firewall setup for QuickBooks.
              1. QuickBooks Connection Diagnostic Tool Post (Previous blog post).
            2. Customize the firewall setup for Simply Accounting (Previous blog post).
          • Create the default Company Shared Folder with required NTFS and share permissions on the L: WorkingStorage partition.
              • Share Name: Company.
              • Quota: 10GB Soft.
              • Enable Access-based Enumeration.
              • NTFS Permissions:
                • Domain Admins = FULL.
                • Domain Users = Modify.
                • Leave default machine based permissions.
              • Share Permissions:
                • Everyone = FULL.
            • Create the ClientApps (previous blog post on GP and the ClientApps folder) on the L: WorkingStorage partition.
                • Share Name: ClientApps.
                • Quota: None.
                • Enable Access-based Enumeration. Subfolders can have custom permissions at a later date to exclude users or groups and thus hide those subfolders at a later date.
                • NTFS Permissions:
                  • Domain Admins = FULL
                  • Domain Users = FULL
                  • Domain Controllers = FULL
                  • Domain Computers = FULL
                • Share Permissions:
                  • Everyone = FULL
              • Make changes to the WSUS Setup:
                • WSUS Classifications: Enable all.
                • WSUS Sync Schedule: Increase synchronization frequency schedule depending on what products are installed on the server.
              • Getting Started Tasks – Out of Order
                1. Configure and take a backup now.
                2. Times: 12:30, 17:30, 23:30.
                  • Make sure that the backup times and the Volume Shadow Copy snapshots do not happen at the same time.
                3. Backup Now by right clicking on the configured backup and running it.
                4. Backup in between each batch of updates.

              • Windows Server 2008 R2 Service Packs
                1. Download and install the latest Windows Server 2008 R2 Service Pack (Bing Search)
                  1. Be aware that the install process may take a while.
                  2. image
              • Exchange 2010 Updates
              • Server Updates via WSUS/MU.
                • Update to the latest SBS Update Rollup first.
                • Run updates according to the following product groups:
                • Windows Server 2008 Standard R2
                  • Run OS Updates at around 10-15 per reboot cycle.
                  • Run OS Security Updates at around 5-10 per reboot cycle.
                • Exchange SP1/2/3 or Exchange Rollup RU1/2/3/etc 
                • .NET
                  • If .NET v1 is present update first.
                  • Do .NET v2 and v2.x updates one at a time.
                  • Do .NET v3 and v3.x updates one at a time.
                  • Do .NET v4 and v4.x updates one at a time.
                  • Reboot between each cycle as requested.
                • SQL
                  • Start with 2005 versions.
                  • Next to 2008 versions.
                  • Next to 2008 R2 versions.
                • WSUS, and others.
                • SharePoint Foundation Updates should be run separately.
              • Create a new User Role in the SBS Console.
                • Name: Standard User – Restricted.
                • Remove all Group Memberships.
                • Add the Domain Users security group only.
                • Remove OWA permission.
                • No RWW or VPN.
                • Verify permissions in the User Role after it is created.
                • This role is used for the local admin account deployed via Group Policy later in this guide.
              • Create and configure the Group Policy Central Store (Previous blog post).
              • OPTION: Raise both Domain and Forest Functional level to 2008 R2
                • This is accomplished in AD Domains and Trusts.
                • image
              • Group Policy Configurations (previous blog post):
                1. Windows Computer Policy:
                  1. Firewall Exceptions:
                    1. Enable Remote Event Log Management (previous blog post).
                    2. Remote Volume Management
                    3. Remote Desktop Protocol and RemoteFX Protocol
                  2. Set limits to the RDP setup on the server and clients (previous blog post).
                  3. Local Policies: User Rights Assignment.
                  4. Local Policies: Security Options.
                    • Enable UAC by default in Group Policy (previous blog post).
                    • NOTE: The UAC structure can be split up between Computers, SBSComputers, and SBSServers GPOs so that domain/local admin accounts only get prompted on servers.
                  5. Remote Connectivity: Restrict certain RDP related settings (previous blog post).
                2. Windows SBSUsers Policy:
                  1. Configure Screensaver Management. Our default is 45 minutes with logon.scr as the default SS. Password is always required.
                    • 2010-10-18: For Windows 7 we now use scrnsave.scr as the basis for all screensavers which is a blank screen.
                  2. Mapped Network Drive (M: = \\SS-SBS\Company) via Group Policy Preferences
                  3. Set the Companyweb as the default site in IE.
                  4. Add the RWW and OWA URLs to IE’s Favourites.
                3. Windows SBSComputers Policy:
                  1. Deploy a restricted domain user to _all_ system’s Local Admin Group.
                    1. Create a new user using the Standard User – Restricted Role.
                    2. Deploy to workstation’s Local Admin Group via Group Policy Preferences.
                    3. Remove the user’s mailbox (previous blog post).
                4. Windows Printer Deployment Policy:
                  1. Deploy printers to XP Professional x86 (previous blog post).
                  2. Deploy printers to Windows Vista using the Printer Management snap-in.
                5. Windows SBSComputers XP Pro Policy:
                  1. Deploy Windows Defender to Windows XP Professional (Optional).
              • Install the server hardware manufacturer’s management software suite.
              • Set the SBS Domain Password Polices (60-75 days, 10-12 characters minimum with complexity).
                • Note that all user’s passwords will reset to request a new password!
              • Enable Folder Redirection to SBS.
                • Changing the security settings in the default GPO for redirection will show FR as not enabled in the SBS Console.
                • We remove the Exclusive Access setting on any folders redirected to remove complications when it comes time to migrate the client to a new server.
              • OR: Enable Folder Redirection to an separate server (previous blog post).
              • Remove the Public share in the SBS Console.
              • Self-issued certificate: copy the package to the Network Admin\SBS folder in the Company shared drive. (We create a Network Admin folder in the Company Shared Folder at all client sites).
              • If using a GoDaddy certificate, make sure to install the GoDaddy Intermediate certificates (download page) into the Intermediate Certification Authorities store individually to avoid any issues later.
                1. Install the gd_cross_intermediate.crt first
                2. Install the gd_intermediate.crt second
                3. Disable All Uses for GoDaddy Class 2 root certificate in Trusted Root Certification Authorities if present.
                  • Check for this one after installing the actual certificate at step 5.
                4. Restart the IISAdmin service.
                5. Install the GoDaddy certificate using the wizard.
              • Move the relevant data folders to the L: partition. We move all but the Exchange databases.
                  1. WSS (SharePoint) Data.
                  2. Users’ Shared Folders.
                    1. Re-enable Access-based Enumeration
                  3. Users’ Redirected Folders Data.
                    1. Re-enable Access-based Enumeration
                  4. WSUS Update Repository Data.
                1. SBS Console Getting Started Tasks.
                    1. Connect to the Internet.
                    2. Customer Feedback options.
                    3. Set up your Internet address.
                    4. Configure a Smart Host for Internet e-mail.
                    5. Add a trusted certificate.
                    6. Configure server backup: Earlier in this checklist.
                    7. Add new users (use the multiple wizard under users if there are a lot of users to add).
                    8. Connect computers: http://connect.
                    9. Share Printers via Group Policy for Windows Vista and PushPrinterConnections.exe for Windows XP Pro SP3 (both links are previous blog posts).
                  1. Configure the Reports e-mail addresses.
                  2. Configure Workstations on the domain.
                  3. Official SBS Blog: How to Configure SBS 2011 Standard to Accept E-mail for Multiple Authoritative Domains
                  4. E-mail Enable the SharePoint Foundation Companyweb site (Official SBS Blog Post).  Then:
                  5. Enable an MFP or Copier to Scan To E-mail Destined To A Companyweb SharePoint Library (previous blog post).
                    1. Run the following in an elevated Exchange Management Shell to increase the allowed attachment size (100MB is our default):
                      1. Set-ReceiveConnector "Copier Send to E-mail" -MaxMessageSize 100MB
                    2. Make sure to verify the largest file size setting in SharePoint.
                      1. Aimless Ramblings: Large Files in SBS 2008’s Companyweb
                  6. OPTION: If using Exchange 2010 AntiSpam set up a library on Companyweb called Spam.
                    1. E-mail enable the library with spam@companyweb
                    2. Set Exchange AntiSpam to REDIRECT instead of DELETE to spam@companyweb
                  7. Change the Default Message Size Limits for outgoing and inbound messages in the Exchange Management Shell:
                    1. Set-TransportConfig –MaxSendSize 25MB –MaxReceiveSize 25MB
                    2. Set-ReceiveConnector “Windows SBS Internet Receive ServerName” –MaxMessageSize 25MB
                    3. Set-SendConnector “Windows SBS Internet Send ServerName” –MaxMessageSize 25MB
                    4. Check the status for each connector:
                      • Get-TransportConfig | ft name, MaxSendSize, MaxReceiveSize
                      • Get-ReceiveConnector | ft name, MaxMessageSize
                      • Get-SendConnector | ft name, MaxMessageSize
                      • Get-mailbox | ft name, MaxSendSize, MaxReceiveSize
                    5. Hat Tip: LAN-Tech: Quickie: changing message size limits on SBS STD 2008 and 2011
                  8. Enable Single Item Recovery in Exchange Server 2010 – Exchange Team Blog.
                  9. Enable and configure Windows Search Services on SBS 2008 or a Windows Server 2008 RTM/R2 file server and Libraries on Windows 7 (Official SBS Blog post).
                    1. Install the Search Service (On SBS 2011 it may already be installed).
                      1. If so: Click Start –> type Search.
                      2. Click Indexing Options in the results.
                        • imageimage
                      3. Verify that all company shared folders are being indexed.
                    2. Add the Company folder share (or Public folder share) to Windows 7 Libraries.
                    3. Click start and start typing and watch those network files results flow!
                  10. Fix the networking settings for Add-On Congestion Control Provider, Receive Window Auto-Tuning Level, Receive-Side Scaling State, Task Offload (previous blog post).
                    • SBS 2008 related … tentative at this point.
                  11. Download, install, and run the SBS 2011 Best Practices Analyzer.
                    • The BPA will pick up a lot of the little things that need to be configured such as advanced OS networking features that should be disabled and others.
                    • The SBS 2011 BPA requires the Microsoft Baseline Configuration Analyzer 2.0.
                  12. Change the initial domain administrator’s password if using an Answer File (remember to reset the DHCP credentials, and any Event Log event fired Task too).
                    • Note that if the admin account has not been logged off since changing the Password Policies, a log off and log on again will require a password change anyway.
                  13. Input the PID and Activate.
                  14. Control the Microsoft##SSEE WSUS Database’s memory Usage
                  15. Configure Custom Views and e-mail Task triggers for Event IDs (SBS Native Tools Management):
                  16. OPTIONS:
                  17. Customize the SBS Console Reports.
                  18. Run a backup. Crash the server. Restore the Backup. Deliver.

                  One thing to keep in mind when it comes to checklists is that they are never meant to be a replacement for the materials they summarize!

                  It is very important to understand why the various steps need to be accomplished, how those steps can change over time due to changes in the operating system, the hardware configurations underneath the OS, and the technician’s own growth in experience and understanding.

                  The “why” leads to an ability to understand how things are going wrong when they do. Note that we are saying, “when” and not “if” things go wrong.

                  Troubleshooting

                  Post OS Setup

                  Philip Elder
                  MPECS Inc.
                  Microsoft Small Business Specialists
                  Co-Author: SBS 2008 Blueprint Book

                  *Our original iMac was stolen (previous blog post). We now have a new MacBook Pro courtesy of Vlad Mazek, owner of OWN.

                  Windows Live Writer

                  22 comments:

                  Anonymous said...

                  Hi and thanks for the excelent information :)

                  In step 11 you mention "NetworkData" partition, is this the same as the WorkingStorage?

                  Philip Elder Cluster MVP said...

                  Thanks for pointing that out!

                  I have made the necessary changes.

                  Philip

                  Anonymous said...

                  Is there a way to print this out without the left frame? I'm drawing a blank. Philip, Are you taking the SBS 2011 beta exam?

                  Philip Elder Cluster MVP said...

                  A,

                  I highlight everything from step one through to the end then Print --> Selection.

                  That will print out just the number list of steps.

                  We then keep an IE window open to the guide so that we can click through to the other blog posts or resources while working our way through.

                  I have rescheduled my beta exam at least twice now due to client demands taking up time when I was to be writing. I may actually be able to fit it in tomorrow afternoon which is the very last available slot in this part of the province!

                  Thanks,

                  Philip

                  Josh Gay said...

                  I tend to cut and paste into onenote, so the links stay hot.

                  ross said...

                  Great post thanks, the steps are clear however I have a few questions on what drives some of your decisions.

                  What is your thinking in keeping Exchange data on C: drive rather than move to a separate partition e.g. E: as listed in the MS documents.

                  Also similar question as to why move the swap file to separate S: partition from C:

                  Finally with the L: partition. I see that you install client apps here, does that include your Antivirus.

                  Also on L: does having WSUS and clientapps on L: cause issues/large space requirements with the shadowcopy service?

                  Cheers

                  Jon Lee said...

                  First Off I want to thank you for an incredible resource for SBS 2011. I purchsed the Windows SBS 2011 book from Microsoft but its very generic.

                  I have a question about your swap file? I created a swap as your recommended but do I leave the current windows managed swap file on C drive and configure swap file on S Drive as well?

                  Philip Elder Cluster MVP said...

                  Jon,

                  We leave a fixed 800MB page file on the C: drive so that we get MiniDumps if there is a problem.

                  We usually use 1.5x RAM for the swap on its own partition.

                  Philip

                  Anonymous said...

                  Hi Philip,
                  Thank you so much for this post, this is some great info.

                  I have a question for you.

                  Not sure if it's a setup feature, or IE9...

                  But when I enable incoming emails to my SBS2011, neither the attachments don't save to the root Document Lib, nor is the saved email body details reable (.eml file), either in EI9 or download and save. This happend in both HTML or Plan Text. I have 3 machines right now that are broken, so it must be a missing feature or settings somwhere, but I can't figure out one.

                  Anonymous said...

                  Perhaps this may also come in handy during the post installation process

                  http://blogs.technet.com/b/sbs/archive/2012/01/16/managing-event-alerts-in-your-reports-an-sbs-monitoring-feature-enhancement.aspx

                  Regards
                  /D

                  Anonymous said...

                  Philip,

                  I was reading over you blog and was getting confused on what you are really recommending for setup.

                  1) You make not referance to the setup of the Host OS which I would assume is Win2K8 R2?
                  2) when you set up the Host OS what drive was it installed on and the size of the partition?

                  I think the artical is a great starting point which migh be able to use a few addtions regarding the HOSt OS insall then the Hyper-V side. I felt it jumps around.

                  The stabilty of SATA drives have come along way now and worth looking at. SAS drvie are still very good however at the price point not sure they are anymore reliable then SATA. The SSD drive there are known issue with data loss when it comes time time stamping. There is lost on the net about it and it is NEVER recommended for a NOS install.

                  Looking forward to your reply to the above questions and the artila is a great strating for many to use. keep up the great work.

                  Thanks, JR

                  Anonymous said...

                  Philip,

                  I was reading over you blog and was getting confused on what you are really recommending for setup.

                  1) You make not referance to the setup of the Host OS which I would assume is Win2K8 R2?
                  2) when you set up the Host OS what drive was it installed on and the size of the partition?

                  You ,emtion about raising the "Option of raising the Domain level? If you are installing SBS is it not already a domain already? I'm conmfused! Unless you are referring to the Host OS to be part of the VM SBS2011 guest VM domain?

                  You also mention the service packs and update! yet the picutre shows SBS 2011 screen shot? Can you please clarify what you are really trying to convey?

                  I think the artical is a great starting point which migh be able to use a few addtions regarding the HOSt OS insall then the Hyper-V side. I felt it jumps around.

                  The stabilty of SATA drives have come along way now and worth looking at. SAS drvie are still very good however at the price point not sure they are anymore reliable then SATA. The SSD drive there are known issue with data loss when it comes time time stamping. There is lost on the net about it and it is NEVER recommended for a NOS install.

                  Looking forward to your reply to the above questions and the artila is a great strating for many to use. keep up the great work.

                  Thanks, JR

                  Philip Elder Cluster MVP said...

                  JR,

                  This guide is for setting up the SBS 2011 OS whether on a hypervisor or on a physical box.

                  Other than the time skew problems that we deal with that are specific to installing as a VM there is no reference to the host.

                  We have other blog posts that talk about setting up a hypervisor host for different scenarios such as standalone or clustered.

                  Thanks,

                  Philip

                  Unknown said...

                  Hi Philip!
                  I want to thank you for sharing this guide. I have one question – the partitions for guest sbs 2011 installation will be the same as for physical install? Also is interesting to know about your practices on backup setup in hiper-v.
                  Viorel

                  Ralph said...

                  Hi Phillip,
                  Thanks for the great SBS resource! I didn't see were you mentioned if you use the "go online and get most recent installation updates" or not.

                  Due to the way you apply updates in specific order/stages later on I'm thinking No?

                  Philip Elder Cluster MVP said...

                  Viorel,

                  Yes, we configure the guest OS the same as a physical install for SBS.

                  Ralph,

                  We _never_ install any updates in the set up process until we reach that phase in this Guide.

                  Thanks for the comments!

                  Philip

                  Gechurch said...

                  Wow. Let me add my voice to the chorus of people thanking you for this post.

                  I work in the same market as you and our checklist is surprisingly similar. You have obviously done more server installs than me though as I hadn't come across every issue or fix that you linked too - I haven't gone through them all yet but it looks like there are a couple that will prove handy.

                  Like others I wonder about the value of moving the pagefile. I understand if it's to keep free space on C: or to get it out of the way if you use image-based backups. It won't have a performance impact though since it's on the same physical disks as C:.

                  I luckily haven't had issue with SATA drives, provided you stick to server-grade drives. We often pair a couple of large SATA drives for mass storage (for things like installers and service packs, and sometimes for client data too - only things like photos that are easy to backup and restore). We also generally install a single SATA drive internally as a redundant backup location. We normally swap external HDDs for the main backup, but configure a single full backup to the internal drive that overwrites ever night. We use HP servers and drives so maybe HP don't have the issues you've seen.

                  We always install free StartSSL certificates. You should definitely check them out.

                  We do things a little differently in DNS. I like to add 8.8.8.8 (google's public DNS server) as a forwarder (there's a known bug that can cause some lookups to fail - nslookup shows 'server failure' until you restart the DNS service). I also add 8.8.8.8 as a secondary DNS for clients through DHCP, although I wouldn't make this as a general recommendation to people out there as it's best to use only servers that know about your local network (we do it in case the server goes down, but we have some very small clients with fairly low-end hardware and small maintenance contracts).

                  With SharePoint, we like to modify the default access mappings and use https://sharepoint.domain.com:442. We leave port 443 open for webmail, and just chose 442 because it's not in use for anything else and is close enough to 443 that we know what it's in use for. We then add sharepoint.domain.com to the local DNS server so the same URL works internally. We add that URL to local intranet zone through GPO (this will have local users login automatically) and set any security we want in the sme GPO. We also install the Office 2003/2007/2010 ADM templates and geneerally set Office to save in 2003 formats (in case the client emails docs to someone external) and we generally add the document mapped drive to trusted locations.

                  I like to modify the SBS Folder Redirection policy to include favorites (this one will depend on the environment - there's not much point in doing this unless there's a mix of XP and Vista/7 which uses different, V2, profiles).

                  Lastly, I like to make backups of a) the full registry b) all GPOs and c) IIS once everything's configured.

                  Philip Elder Cluster MVP said...

                  Gechurch,

                  Quote: "I also add 8.8.8.8 as a secondary DNS for clients through DHCP".

                  This practice is flat out wrong. It will cause all sorts of issues with internal name resolution and thus network performance. It can cause issues with LoBs like QuickBooks and other database structures for example.

                  Please do not do this.

                  Philip

                  Dave said...

                  You mentioned "Deploy a restricted domain user to _all_ system’s Local Admin Group"

                  Can you tell me how to do this? If I use restricted groups, it removes anything that was existing there. It sounded like you have a Group Policy Preferences location for it.

                  André said...

                  what do you mean with:

                  Create a 10GB Soft Quota (File Server Resource Manager).

                  Anonymous said...

                  Thanks for the detailed doco on your build, nice share.

                  Side issue and info back

                  Best application pair on the net for saving just the blog information you want without all the left or right hand clutter.
                  And then being able to edit and add your changes later. Still retains links and all.

                  Evernote Clearly (can stand alone)
                  but combined with
                  Evernote

                  Brilliant

                  Anonymous said...

                  For those having problems installing the SQL Server 2008 R2 Service Pack 1 Update on a non-english SBS 2011 install, here is a cue:

                  Here for the french version I had to set the locale to "Francais - France" instead of "Francais - Canada". The update would then accept to install.