Tuesday 21 April 2009

SBS 2008 Setup Checklist V1.1.0

*I goofed on an update in WLW. The updated post: SBS 2008 Setup Checklist*

This will be our preliminary setup checklist for getting an SBS 2008 install configured once the base OS install has completed. This post will complement what is in our SBS 2008 Blueprint book. It will also provide the foundation for a chapter in our upcoming SBS 2008 Advanced Blueprint book.

There will be some minor tweaks and modifications to this list as we go along with our installs. If things change a lot, then we will run a new post and call it V2. :)

For the most part, items in the list will be fleshed out in the SBS 2008 Blueprint book. Items that we have encountered beyond the book will be addressed in existing or subsequent blog posts.

The following assumes that the server manufacturer’s prep disk was used to update the BIOS, motherboard firmware, RAID controller firmware, backplane firmware, and any other device’s onboard firmware prior to installing the SBS 2008 OS. The firmware update step is an absolutely critical one for the stability of the server.

Here is our list so far:

  1. Install the manufacturer’s drivers.
    1. RAID including RAID monitoring/status software.
    2. Chipset.
    3. Video.
    4. NIC (Do not team). Unplug or disable any extra NICs for now.
  2. GUI Customization
    1. Windows Explorer.
    2. Start Menu.
    3. Notification Area.
    4. Add a Desktop Toolbar to the Task Bar.
    5. Internet Explorer.
    6. Task Manager Process Column Customization.
  3. Partitioning
    • RAID 1+0 is our default (4 disks) + hot spare. The name after each storage amount is the drive label.
      • 640GB (4x 320GB SATA)
      • C: 100GB SS-SBS (Rename to SBS name)
      • S: 25GB SwapFile (8GB RAM * 1.5 with wiggle room)
      • L: 515GB NetworkData
  4. Move the optical drive letter to Z:.
  5. Move the Swap File (Reboot).
  6. Install and configure Print Services Role: SBS 2008 Terminal Services and HP Printer Drivers (previous blog post).
  7. Windows Native Tools Management Console mods
    1. Add the Group Policy Management Console
    2. Add the Print Management snap-In (after adding the Print Server Role).
    3. Add the Share and Storage Management snap-in.
    4. Add the File Server Resource Manager snap-in.
    5. Add the Windows Server Backup snap-in.
  8. Run MMC and add the local Computer Certificate store snap-in and save to the desktop for later use.
  9. Enable Access-based Enumeration on the NetworkData partition.
  10. Enable ShadowCopies on the NetworkData partition and set a schedule. We use before hours, coffee, lunch, coffee, and after hours for the schedule.
  11. DHCP IPv4 Properties (DNS updates & credentials)
  12. DHCP additional exclusions for printers (x.1-10) and servers (x.250-254).
  13. DNS Settings for Scavenging.
  14. Create a 5GB Soft Quota (File Server Resource Manager).
  15. Add Network Service to IIS WAMREG admin service to eliminate DCOM 10016 errors in the event logs (links to MS KB920783 article).
  16. Enable firewall logging and pop-ups: SBS 2008 Windows Firewall with Advanced Security troubleshooting (previous blog post).
  17. Create the default Company Shared Folder with required NTFS and share permissions on the L: NetworkData partition.
    • Share Name: Company.
    • Quota: 5GB Soft.
    • Enable Access-based Enumeration.
    • NTFS Permissions:
      • Domain Admins = FULL.
      • Domain Users = Modify.
    • Share Permissions:
      • Domain Admins = FULL.
      • Domain Users = FULL.
  18. Create the ClientApps (previous blog post on GP and the ClientApps folder) on the L: NetworkData partition.
    • Share Name: ClientApps.
    • Quota: None.
    • Enable Access-based Enumeration. Subfolders can be given custom permissions at a later date to exclude users or groups and thus hide those subfolders.
    • NTFS and Share Permissions:
      • Domain Admins = FULL.
      • Domain Users = FULL.
      • Domain Controllers = FULL.
      • Domain Computers = FULL.
  19. WSUS Classifications: Enable all except Drivers.
  20. WSUS Sync Schedule: Increase synchronization frequency schedule depending on what products are installed on the server.
  21. WSUS Updates: Add an automatic approval for Definition Updates.
  22. Exchange Server 2007 Rollup Install (previous blog post). Microsoft Download site search for Exchange 2007 rollup (Microsoft Download Site Search). Check to make sure there are no newer rollups.
  23. Server Updates via WSUS/MU.
  24. Group Policy Configurations (previous blog post):
    1. Default Computer Policy:
      1. Local Policies: User Rights Assignment.
      2. Local Policies: Security Options.
        1. Enable UAC by default in Group Policy (previous blog post).
      3. Remote Connectivity: Remove the Disconnect option from the Start Menu and add the Windows Security option.
    2. Windows SBSUsers Policy:
      1. Configure Screensaver Management. Our default is 45 minutes with logon.scr as the default SS. Password is always required.
      2. Mapped Network Drive (M: = \\SS-SBS\Company) via Group Policy Preferences
      3. Set the Companyweb as the default site in IE.
      4. Add the RWW and OWA URLs to IE’s Favorites.
    3. Windows SBSComputers Policy:
      1. Set up a restricted domain user (no e-mail either), deploy to workstations via GPPref, and move the new user to the Local Administrators group via GPPref as well.
    4. Default Printer Deployment Policy:
      1. Deploy printers to XP Professional x86 (previous blog post).
      2. Deploy printers to Windows Vista using the Printer Management snap-in.
    5. Windows SBSComputers XP Pro Policy:
      1. Deploy Windows Defender to Windows XP Professional (Optional).
  25. Set up Windows Live OneCare if needed. (Soon not to be – SBS Blog)
  26. Install the server hardware manufacturer’s management software suite.
  27. Set the SBS Domain Password Policies (60 days, 10 characters minimum).
  28. Enable Folder Redirection.
  29. Remove the Public share in the SBS Console.
  30. If using the self-issued certificate, copy the package to the Network Admin\SBS folder in the Company shared drive. (We create a Network Admin folder in the Company Shared Folder at all client sites)
  31. Move the relevant data folders to the L: partition. We move all but the Exchange databases.
    1. WSS (SharePoint) Data.
    2. Users’ Shared Folders.
    3. Users’ Redirected Folders Data.
    4. WSUS Update Repository Data.
  32. SBS Console Getting Started Tasks.
    1. Connect to the Internet.
    2. Customer Feedback options.
    3. Set up your Internet address.
    4. Configure a Smart Host for Internet e-mail.
    5. Add a trusted certificate.
    6. Configure server backup: 12:30, 17:30, 23:00.
    7. Windows Live OneCare for Server.
    8. Add new users (use the multiple wizard under users if there are a lot of users to add).
    9. Connect computers: http://connect.
    10. Share Printers via Group Policy for Windows Vista and PushPrinterConnections.exe for Windows XP Pro SP3 (both links are previous blog posts).
    11. Set up Office Live Small Business.
  33. Configure the Reports e-mail addresses.
  34. Copy Logon Failure XML code (CodePlex site) into a new Event ID Filter and set an e-mail to fire when a failed logon occurs.
  35. Configure Workstations on the domain.
  36. Create and configure the Group Policy Central Store.
  37. Download, install, and run the SBS 2008 Best Practices Analyzer.
  38. Change the initial domain administrator’s password if using an Answer File (remember to reset the DHCP credentials, and any Event Log event fired Task too). Note that if the admin account has not been logged off since changing the Password Policies, a log off and log on again will require a password change anyway.
  39. Configure Custom Views and e-mail Task triggers for Event IDs (SBS Native Tools Management):
  40. OPTIONS:
  41. Customize the SBS Console Reports.
  42. Run a backup. Crash the server. Restore the Backup. Deliver.
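
A read-only check for step 17, added here as an example and not taken from the original post or the Blueprint book: it compares the NTFS and share permissions on the Company share with the values listed in that step. The folder path `L:\Company` and the variable names are assumptions; the share name and expected rights come from the checklist.

```powershell
# Added example: read-only audit of the Company share against step 17.
# Assumed (not from the post): folder path L:\Company; run elevated on the server.
$folder    = 'L:\Company'
$shareName = 'Company'
$domain    = $env:USERDOMAIN
$sync      = [int][System.Security.AccessControl.FileSystemRights]'Synchronize'

# Step 17 values: NTFS Admins = FULL, Users = Modify; share = FULL for both.
$expectedNtfs  = @{ "$domain\Domain Admins" = 'FullControl'; "$domain\Domain Users" = 'Modify' }
$expectedShare = @{ 'Domain Admins' = 2032127; 'Domain Users' = 2032127 }  # 2032127 = Full Control mask
$findings = @()

# NTFS: OR together every Allow entry for the identity, then compare.
$acl = Get-Acl -Path $folder
foreach ($id in $expectedNtfs.Keys) {
    $want    = [int][System.Security.AccessControl.FileSystemRights]$expectedNtfs[$id]
    $granted = 0
    foreach ($ace in $acl.Access) {
        if ($ace.IdentityReference.Value -eq $id -and $ace.AccessControlType -eq 'Allow') {
            $granted = $granted -bor [int]$ace.FileSystemRights
        }
    }
    # Windows adds Synchronize to allow entries, so ignore that bit on both sides.
    if (($granted -bor $sync) -ne ($want -bor $sync)) {
        $have = [System.Security.AccessControl.FileSystemRights]$granted
        $findings += "NTFS: $id has '$have', expected '$($expectedNtfs[$id])'"
    }
}

# Share: read the share-level DACL through WMI.
$sec = Get-WmiObject -Class Win32_LogicalShareSecuritySetting -Filter "Name='$shareName'"
if (-not $sec) {
    $findings += "Share: '$shareName' not found or has no explicit permissions"
} else {
    $dacl = $sec.GetSecurityDescriptor().Descriptor.DACL
    foreach ($name in $expectedShare.Keys) {
        $ace = $dacl | Where-Object { $_.Trustee.Name -eq $name -and $_.AceType -eq 0 } |
               Select-Object -First 1
        if (-not $ace -or $ace.AccessMask -ne $expectedShare[$name]) {
            $findings += "Share: $name mask is '$($ace.AccessMask)', expected $($expectedShare[$name])"
        }
    }
    foreach ($ace in $dacl) {   # flag trustees the checklist does not list
        if (-not $expectedShare.ContainsKey($ace.Trustee.Name)) {
            $findings += "Share: unexpected trustee '$($ace.Trustee.Name)'"
        }
    }
}
if ($findings.Count -eq 0) { "Company share matches step 17." } else { $findings }
```

With share permissions at FULL for both groups, the NTFS entries are what actually limit Domain Users to Modify, so the NTFS findings are the ones to act on first.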

One thing to keep in mind when it comes to checklists is that they are never meant to be a replacement for the materials they summarize!

It is very important to understand why the various steps need to be accomplished, how those steps can change over time due to changes in the operating system, the hardware configurations underneath the OS, and the technician’s own growth in experience and understanding.

The “why” leads to an ability to understand how things are going wrong when they do. Note that we are saying, “when” and not “if” things go wrong.

UPDATED 2009-05-11: V1.0.1 – Added a step and a few sub steps for Group Policy settings.

UPDATED 2009-05-14: V1.0.2 – Added the IE SBSUsers settings.

UPDATED 2009-05-19: V1.1.0 – Added some tweaks and changes to the existing steps.

Philip Elder
MPECS Inc.
Microsoft Small Business Specialists
Co-Author: SBS 2008 Blueprint Book

*All Mac on SBS posts will not be written on a Mac until we replace our now missing iMac! (previous blog post)


2 comments:

Steve said...

Thanks for summing all of this up!

Philip Elder Cluster MVP said...

Steve,

You are quite welcome! :)

Philip