
Mastering Microsoft Windows Small Business Server 2008

Date post: 08-Dec-2016
Upload: steven-johnson

Mastering Microsoft® Windows® Small Business Server 2008


Steven Johnson

Wiley Publishing, Inc.


Acquisitions Editor: Agatha Kim
Development Editors: Toni Ackley; Amy Breguet
Technical Editor: Tom Carpenter
Production Editor: Dassi Zeidel
Copy Editor: Kim Wimpsett
Editorial Manager: Pete Gaughan
Production Manager: Tim Tate
Vice President and Executive Group Publisher: Richard Swadley
Vice President and Publisher: Neil Edde
Book Designers: Maureen Forys, Happenstance Type-O-Rama; Judy Fung
Proofreader: Nancy Bell
Indexer: Robert Swanson
Project Coordinator, Cover: Lynsey Stanford
Cover Designer: Ryan Sneed
Cover Image: © Pete Gardner/Digital Vision/Getty Images

Copyright © 2010 by Wiley Publishing, Inc., Indianapolis, Indiana

Published simultaneously in Canada

ISBN: 978-0-470-50372-0

No part of this publication may be reproduced, stored in a retrieval system or transmitted in any form or by any means, electronic, mechanical, photocopying, recording, scanning or otherwise, except as permitted under Sections 107 or 108 of the 1976 United States Copyright Act, without either the prior written permission of the Publisher, or authorization through payment of the appropriate per-copy fee to the Copyright Clearance Center, 222 Rosewood Drive, Danvers, MA 01923, (978) 750-8400, fax (978) 646-8600. Requests to the Publisher for permission should be addressed to the Permissions Department, John Wiley & Sons, Inc., 111 River Street, Hoboken, NJ 07030, (201) 748-6011, fax (201) 748-6008, or online at http://www.wiley.com/go/permissions.

Limit of Liability/Disclaimer of Warranty: The publisher and the author make no representations or warranties with respect to the accuracy or completeness of the contents of this work and specifically disclaim all warranties, including without limitation warranties of fitness for a particular purpose. No warranty may be created or extended by sales or promotional materials. The advice and strategies contained herein may not be suitable for every situation. This work is sold with the understanding that the publisher is not engaged in rendering legal, accounting, or other professional services. If professional assistance is required, the services of a competent professional person should be sought. Neither the publisher nor the author shall be liable for damages arising herefrom. The fact that an organization or Web site is referred to in this work as a citation and/or a potential source of further information does not mean that the author or the publisher endorses the information the organization or Web site may provide or recommendations it may make. Further, readers should be aware that Internet Web sites listed in this work may have changed or disappeared between when this work was written and when it is read.

For general information on our other products and services or to obtain technical support, please contact our Customer Care Department within the U.S. at (877) 762-2974, outside the U.S. at (317) 572-3993 or fax (317) 572-4002.

Wiley also publishes its books in a variety of electronic formats. Some content that appears in print may not be available in electronic books.

Library of Congress Cataloging-in-Publication Data is available from the publisher.

TRADEMARKS: Wiley, the Wiley logo, and the Sybex logo are trademarks or registered trademarks of John Wiley & Sons, Inc. and/or its affiliates, in the United States and other countries, and may not be used without written permission. Microsoft and Windows are registered trademarks of Microsoft Corporation in the United States and/or other countries. All other trademarks are the property of their respective owners. Wiley Publishing, Inc., is not associated with any product or vendor mentioned in this book.


Dear Reader,

Thank you for choosing Mastering Microsoft Windows Small Business Server 2008. This book is part of a family of premium-quality Sybex books, all of which are written by outstanding authors who combine practical experience with a gift for teaching.

Sybex was founded in 1976. More than 30 years later, we’re still committed to producing consistently exceptional books. With each of our titles, we’re working hard to set a new standard for the industry. From the paper we print on, to the authors we work with, our goal is to bring you the best books available.

I hope you see all that reflected in these pages. I’d be very interested to hear your comments and get your feedback on how we’re doing. Feel free to let me know what you think about this or any other Sybex book by sending me an email at [email protected]. If you think you’ve found a technical error in this book, please visit http://sybex.custhelp.com. Customer feedback is critical to our efforts at Sybex.

Best regards,

Neil Edde
Vice President and Publisher
Sybex, an Imprint of Wiley


Acknowledgments

No one deserves more credit for the creation of this book than my acquisitions editor, Agatha Kim, and my development editors, Toni Zuccarini-Ackley and Amy Breguet. In times that I was overly stressed, decidedly uncomfortable, and even a little freaked out, they were solid as rocks.

I’d also like to thank my technical editor, Tom Carpenter, and the whole team at Sybex. Their exceptional professionalism and extremely rigid process help to make a very high-quality product.

Additionally, I’d like to thank Acey Bunch for his additions on SQL Server in this book. We all have our weaker areas, and it’s nice to have somebody by our sides to help make some enhancements. On top of that, my family has been a huge supporter in my life. Without them, I couldn’t have gotten as far as I have. I’d also like to send out a special thanks to Mark Hartley. The man taught me more about being an administrator than anybody I’ve ever met in just a few days, making up for a lifetime of poor examples. Thanks, Mark!


About the Author

Steven Johnson is a technical writer on concepts including computer programming, Windows, Linux, and network administration. He is a graduate of Texas Tech University, a C++ and DirectX enthusiast, and an avid private pilot. Steven is the author of many technical books, study guides, and certification-based practice exams. He’s worked for IT training companies, for software development companies, and even as a salesperson, although that was a long, long time ago.

In addition to geeking out on Windows, Linux, and just about every form of computer, Steve likes to go back to the basics and work on an original 6502 processor, “just for fun!” When we go back to the very beginning, it lets us appreciate how far we’ve really come and understand more about where we really are right now. In his spare time, Steve flies around the country on numerous piloting adventures, including crossing the United States and soon the Atlantic. Sooner rather than later, he’d like to do some commercial work for a little bit of fun, and maybe even a living.


Contents at a Glance

Introduction
Chapter 1 • Installing Windows Small Business Server 2008
Chapter 2 • Setting Up and Utilizing an SBS 2008 Network
Chapter 3 • Migrating and “Upgrading” to Small Business Server 2008
Chapter 4 • Implementing a DNS Name Server and File Sharing with SBS 2008
Chapter 5 • Configuring and Administering Active Directory with SBS 2008
Chapter 6 • Configuring and Managing Groups and User Accounts with SBS 2008
Chapter 7 • Managing Group Policy with SBS 2008
Chapter 8 • Backing Up and Performing Disaster Recovery
Chapter 9 • Remote Access, Security, and Adding Servers with SBS 2008
Chapter 10 • Configuring Exchange Server 2007 for Small Business
Chapter 11 • Managing Clients, Troubleshooting, and Recovering from Disaster with Exchange for SBS
Chapter 12 • Introducing SQL Server
Chapter 13 • Using SharePoint with Your Small Business Server
Appendix • The Bottom Line
Index


Contents

Introduction

Chapter 1 • Installing Windows Small Business Server 2008

Windows Small Business Server 2008 Overview
  What’s Included in SBS 2008?
  Limitations of Small Business Server 2008
  Supported Client Operating Systems
Upgrading to Windows Small Business Server 2008
Special Installation Types
  Windows SBS 2008 Server Core
  Windows SBS 2008 Read-Only Domain Controller
Installing Windows Small Business Server 2008
SBS 2008 Initial Setup
  Time Zone
  Company Information
  Server/Network
  Administrator Setup
  Security Services
  Summary
The Windows SBS Console
Addressing Alerts, Warnings, and Concerns
  Updates with the Summary Screen
  Security Concerns
  Backup
  Other Alerts
Getting Started Tasks
Reviewing Your Installation
The Bottom Line

Chapter 2 • Setting Up and Utilizing an SBS 2008 Network

Understanding SOHO
  Routers
  Switches
  Servers
Planning an SBS Network
  Addressing Techniques
  Choosing an Address Range
  Anatomy of IPv6
  IPv6 Address Types
Dynamic Host Configuration Protocol
  DHCP Process
  DHCP Elements
  DHCP Server Conflicts
Expanding an SBS 2008 Network
  Adding a New User Account
  Adding Computer Accounts
  Manually Joining the SBS Network
Using the Command Line with Network Administration
  IPconfig
  Ping
  Pathping
  nslookup
Diagnosing Network Problems
  Connectivity Issues
Implementing Wireless Networking
  Limitations of Wireless
  Wireless Speeds and Frequencies
  Wireless Security
The Bottom Line

Chapter 3 • Migrating and “Upgrading” to Small Business Server 2008

SBS 2008 Limitations
Overview of Migrating from SBS 2003 to SBS 2008
Preparing for Migration by Creating Backups
  Stage 1: Backing Up Critical Files
  Stage 2: Backing Up Exchange Server Data
  Stage 3: Making an Image
  Stage 4: Conducting a Test
Preparing Your Network for Migration
  Reconfiguring DHCP for Shorter Licenses
  Removing the Second Network Card
  Reconfiguring the Network Settings
Preparing Your Server for Migration to SBS 2008
  Prepping Active Directory
Preparing Your Users for Migration
  User Logons and Files
  User Mailboxes
Checking the Best Practices Analyzer (BPA)
Migrating
  Upgrading Active Directory
  The Answer File
  Exchange Updates
  The Migration Process
Installing SBS 2008 in Migration Mode
  The Migration Wizard
The Bottom Line


Chapter 4 • Implementing a DNS Name Server and File Sharing with SBS 2008

The Domain Name System
  Anatomy of DNS
  Manual DNS Entries
  DNS Resolution Process
  DNS Queries
  DNS Zones
  DNS Record
Implementing File Sharing
  Default Shares
  Creating a New Share
The Distributed File System
  DFS Namespaces
  DFS Replication
  DFS Limitations
  Setting Up DFS
  DFS Management
  DFS Replication Groups
The File Server Resource Manager
The Bottom Line

Chapter 5 • Configuring and Administering Active Directory with SBS 2008

Active Directory Structure
  Sites
  Forests
  Domains
Active Directory Objects
  Organization
  Object Types
SBS Business Design Models Overview
Flexible Single Master Operations
  Domain Operations Masters
  Forest Operations Masters
  Limitations on FSMO Roles
Organizational Units
  OU Design
  Creating OUs
  Managing OUs
  Renaming and Deleting OUs
  Understanding Inheritance
  Delegating OUs
  OU Grouping and Subgrouping
Creating Objects with Active Directory
Large Object Actions
  LDIFDE.exe
  CSVDE.exe
The Bottom Line

Chapter 6 • Configuring and Managing Groups and User Accounts with SBS 2008

Group Structure with SBS 2008
  Security Groups
  Distribution Groups
  Group Scopes
  Group Membership
  Default Groups
  Nesting Groups
  Local Groups
Creating a Group Strategy
Planning Group Layouts
Creating Users and Groups with SBS 2008
Administering Security Groups with SBS 2008
Creating Distribution Groups
Administering Distribution Groups
Security Permissions
  Permissions Lists
  File and Folder Permissions
Assigning Security Group File Permissions
Folder Sharing
The Bottom Line

Chapter 7 • Managing Group Policy with SBS 2008

The History of Group Policy
Why We Use Group Policy with SBS
Group Policy Objects
Group Policy Links
Administering Group Policy
  Planning
  Design
  Deploy
  Maintain
Special Uses of Group Policy
  Software Deployment
Group Policy Preferences
Group Policy Results
The Bottom Line


Chapter 8 • Backing Up and Performing Disaster Recovery

RAID
  Software RAIDs
  Hardware RAIDs
RAID Configurations
  RAID 0
  RAID 1
  RAID 5
  Hybrid (RAID 01)
Backup Media Types
  External Disks
  Tape Backup
  SAN/NAS
  Direct Attached Storage
Implementing a Backup Strategy
  Windows NT Data
  Exchange/SQL Server Backup
  Noncritical Business Data Backup
  Unsorted/Extra Files
Restoring SBS 2008
  Simple File Recovery
  Bare-Bones Recovery
The Bottom Line

Chapter 9 • Remote Access, Security, and Adding Servers with SBS 2008 . . 217

Reasons to Add a Server . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 217What Is Clustering? . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 218Types of Clusters in the ‘‘Full’’ Windows Server 2008 Edition . . . . . . . . . . . . . . . 219Alternatives to Clustering with SBS . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 220

Adding a Second Server . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 222Domain Controllers and Their Roles . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 223Introduction to Remote Access . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 224Introduction to Encryption . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 224

Basic Ciphers and Encryption/Decryption . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 225Common Encryptions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 226Asymmetric and Symmetric Encryption . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 228

Methods of Access . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 229VPNs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 229

Types of VPNs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 229Setting Up a VPN . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 231Enabling Groups to Use the VPN . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 232Connecting to the VPN . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 232

Using Remote Desktop Protocol . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 234

Introducing the Remote Web Workplace
Prerequisites
Assigning Users
Setting Up Access
Accessing Remote Web Workplace

Using the Remote Web Workplace
Terminal Services Gateway
The Remote Web Workplace Gadget

Customizing Remote Web Workplace
The Bottom Line

Chapter 10 • Configuring Exchange Server 2007 for Small Business

Limitations of Exchange Server for Small Business
SMTP
The Hub Transport Server Role

Mail Flow
Categorization
Routing
Delivery
Transport Rules Agent
Journaling Agent

The Mailbox Server Role
MAPI

The Client Access Server Role
POP3
IMAP4
Outlook Web Access
ActiveSync

The Unified Messaging Server Role
The Edge Transport Server Role
Journaling

Common Regulations
The Journaling Process

The Exchange Management Console
The Toolbox
Mailbox Tasks with the EMC
Client Access Tasks with the EMC

The Exchange Management Shell
EMS Features
EMS Commands

The Bottom Line

Chapter 11 • Managing Clients, Troubleshooting, and Recovering from Disaster with Exchange for SBS

Exchange Server Clients
Outlook 2007

Entourage
Alternatives

External Access to Email
Outlook Anywhere
Outlook Web Access

ActiveSync
New Features in ActiveSync for Exchange Server 2007
Using ActiveSync
ActiveSync Security

Database Structure and Recovery
File Structure of the Exchange Store
Exchange Server Transaction Logging
Backing Up Exchange Server Completely
Restoring Exchange Server from Full Backup
Creating a “Recovery” for Backup
Creating a Recovery Storage Group
Mounting the Recovered Database for Merging
Recovering Corrupted Databases
Merging the Mailboxes

Troubleshooting Mailflow
Overview of Mailflow
SMTP Connectors
Message Transportation

Submission Queue
Store Driver
Microsoft Exchange Mail Submission Service
Pickup Directory
Categorizer

SMTP Errors
SMTP Error 450: Requested Mail Action Not Taken: Mailbox Unavailable
SMTP Error 553: Requested Action Not Taken: Mailbox Name Not Allowed
Error 452: Requested Action Not Taken: Insufficient System Storage
Error 512: The Host Server for the Recipient’s Domain Name Cannot Be Found (DNS Error)
The Bottom Line

Chapter 12 • Introducing SQL Server

What Is SQL Server?
SQL Server Editions
SQL Server Features

How Does SQL Server Fit in with Small Business Server?
Installing and Configuring SQL Server

Installation and Licensing Requirements
Installing SQL Server

Using SQL Server
Logging into SQL Server

Using SQL Server Management Studio
Creating a Database
Creating Tables in a Database
Inserting Data into a Database
Viewing Data in a Database

Administering SQL Server
Managing SQL Server Services
Backing Up a SQL Server Database
Moving SQL Server Databases

The Bottom Line

Chapter 13 • Using SharePoint with Your Small Business Server

Overview of SharePoint Usage
SharePoint Components
Network Components of SharePoint

Initially Configuring SharePoint
Companyweb
Initial Setup

Moving SharePoint Data to Another Location
Checking the Configuration
Performing SharePoint Administration Tasks
Creating a New SharePoint Website

Configuring Settings
IIS Web Site
Security Configuration
Load Balanced URL
Application Pools
Reset Internet Information Services
Database Name and Authentication
Search Server
Creating the Site

Server Operations
Configuring Workflow Settings

Setting Up Web Applications
Setting Up User-Defined Workflows
Setting Up Workflow Task Notifications
Enabling Antivirus

Configuring Backup and Restore
Restoring from Backup
Troubleshooting Backup and Restore

Setting Up SharePoint Jobs
Editing Your SharePoint Site
The Bottom Line

Appendix • The Bottom Line

Chapter 1: Installing Windows Small Business Server 2008

Chapter 2: Setting Up and Utilizing an SBS 2008 Network
Chapter 3: Migrating and “Upgrading” to Small Business Server 2008
Chapter 4: Implementing a DNS Name Server and File Sharing with SBS 2008
Chapter 5: Configuring and Administering Active Directory with SBS 2008
Chapter 6: Configuring and Managing Groups and User Accounts with SBS 2008
Chapter 7: Managing Group Policy with SBS 2008
Chapter 8: Backing Up and Performing Disaster Recovery
Chapter 9: Remote Access, Security, and Adding Servers with SBS 2008
Chapter 10: Configuring Exchange Server 2007 for Small Business
Chapter 11: Managing Clients, Troubleshooting, and Recovering from Disaster with Exchange for SBS
Chapter 12: Introducing SQL Server
Chapter 13: Using SharePoint with Your Small Business Server

Index

Introduction

The book you have in your possession is the culmination of a lot of work from thousands of people, from the original programmers at Microsoft to the team at Sybex that helped put it together. From the first days of Windows, Microsoft strived to create an easy-to-use and helpful program that would be available and accessible to anyone who wanted to use and own a computer.

Today, the person Microsoft is focusing upon is the small-business owner. For the small-business owner or the information technology consultant, Small Business Server 2008 provides an easy-to-use and exceptionally powerful platform that can do just about anything of which a large business is capable. If you’ve wanted to learn more about Active Directory, Exchange for Small Business, SharePoint, or SQL, then this is the book for you.

This book has been designed from the ground up to provide thorough coverage of Small Business Server’s many features and technologies so that you can easily use it in a small-business environment. The approach this book takes is to analyze each of the full-bodied features of Small Business Server and discuss how they’re implemented, as well as how they differ from the full editions of Windows Server 2008. Instead of focusing on a medium or large enterprise, this book is entirely focused upon the small business’s goal of “getting the job done” in the fastest and most elegant way possible.

Throughout this book, I’ve assumed that you are either a small-business owner or an IT professional consulting with a small business. In other words, the book is written from that perspective. It doesn’t spend a lot of time describing the intricacies of every system, but it does cover all the aspects of Windows Small Business Server in a method that will allow you to administer it easily.

Who Should Read This Book

This book is designed for anyone who wants to learn more about Microsoft Windows Small Business Server or Microsoft products in general. Specifically, you should read this book if you are any of the following:

◆ An IT professional who wants to know what is new to Small Business Server 2008 and the technologies it brings to the Microsoft Windows Server family of operating systems

◆ A small-business owner who likes to do your own administration and IT work

◆ An end user who wants to move from the desktop administration side of IT to the server side

Overall, this book is designed for just about anyone. If you have an interest in Small Business Server, you’d do well to read this book. It will further your knowledge of the product and help you become a more informed information technology professional.

What You Will Learn

In this book you’ll learn about the following:

◆ Microsoft Exchange

◆ Active Directory

◆ SQL Server 2008

◆ SharePoint Server

◆ Internet Information Services

What You Need

To properly use both this book and the software that is described and utilized in this book, you will need to have a server or virtual machine that meets the operating system requirements for Windows Small Business Server 2008. These requirements include the following:

◆ A 64-bit processor of at least 2GHz (1.5GHz for multicore)

◆ At least 4GB of RAM (preferably more)

◆ 60GB of hard disk space

◆ A fax modem (optional)

You do not need to own a licensed copy of Small Business Server 2008 to test everything in this server, but to use it in a production environment you will need to use a licensed server in order to be legally compliant.

The Mastering Series

The Mastering series from Sybex provides outstanding instruction for readers with intermediate and advanced skills, in the form of top-notch training and development for those already working in their field and clear, serious education for those aspiring to become pros. Every Mastering book features the following:

◆ The Sybex “by professionals for professionals” commitment. Mastering authors are themselves practitioners, with plenty of credentials in their areas of specialty.

◆ A practical perspective for a reader who already knows the basics — someone who needs solutions, not a primer.

◆ Real-world scenarios, ranging from case studies to interviews, that show how to apply the tool, technique, or knowledge presented in actual practice.

◆ Skill-based instruction, with chapters organized around real tasks rather than abstract concepts or subjects.

◆ Self-review “Master It” problems and questions, so you can be certain you’re equipped to do the job right.

What Is Covered in This Book

Mastering Microsoft Windows Small Business Server 2008 includes the following chapters:

Chapter 1, “Installing Windows Small Business Server 2008,” takes you through the steps of installing Windows Small Business Server 2008 and all that’s required to do so.

Chapter 2, “Setting Up and Utilizing an SBS 2008 Network,” takes you all the way through setting up a Small Business Server 2008 network, including DHCP.

Chapter 3, “Migrating and ‘Upgrading’ to Small Business Server 2008,” will teach you how to move from your old version of Microsoft Windows Server to SBS 2008, including how to migrate your Active Directory objects.

Chapter 4, “Implementing a DNS Name Server and File Sharing with SBS 2008,” will show you how to set up DNS and shared folders for your small-business server in order to support shared files for your users.

Chapter 5, “Configuring and Administering Active Directory with SBS 2008,” will take you through the process of administering and managing Active Directory objects, including users, computers, and printers.

Chapter 6, “Configuring and Managing Groups and User Accounts with SBS 2008,” teaches you how to manage Active Directory security groups and create a proper group topology for your end users.

Chapter 7, “Managing Group Policy with SBS 2008,” shows you how to create GPO objects and link them to your Active Directory infrastructure in order to control user behavior.

Chapter 8, “Backing Up and Performing Disaster Recovery,” shows you how to protect your data and quickly recover from any unfortunate circumstances that might strike your small business.

Chapter 9, “Remote Access, Security, and Adding Servers with SBS 2008,” shows you how to set up SBS 2008 to allow remote access from multiple users across the world with transparent functionality.

Chapter 10, “Configuring Exchange Server 2007 for Small Business,” explains the components of Exchange as they function within SBS 2008.

Chapter 11, “Managing Clients, Troubleshooting, and Recovering from Disaster with Exchange for SBS,” shows you how to properly administer your Windows server.

Chapter 12, “Introducing SQL Server,” provides a general overview of SQL Server and explains how it fits in with the SBS environment, how to install it, and how to use and administer it.

Chapter 13, “Using SharePoint with Your Small Business Server,” allows you to utilize SharePoint features with SBS 2008, including how to manage your web portal.

How to Contact the Author

I welcome feedback from you about this book or about books you’d like to see from me in the future. You can reach me by writing to [email protected].

Sybex strives to keep you supplied with the latest tools and information you need for your work. Please check its website at www.sybex.com, where we’ll post additional content and updates that supplement this book if the need arises. Enter small business server in the Search box (or type the book’s ISBN — 9780470503720), and click the link to get to the book’s update page.

Chapter 1

Installing Windows Small Business Server 2008

Hello and welcome to Mastering Windows Small Business Server 2008. Chances are if you’ve picked up this book, you fall into one of two very distinct groups. If you’re in the first group, you’re a Windows or network administrator, and you’re looking to expand your horizons into the realm of Windows Small Business Server. The second group is the majority of Windows Small Business Server users, which includes junior admins, help-desk support personnel, and the occasional ambitious small-business owner who would like to expand their knowledge of Windows Small Business Server and understand the piece of information technology that will run the majority of their business. Regardless of which group you fall into, this chapter will familiarize you with Windows Small Business Server 2008’s basic requirements and its installation procedures.

In this chapter, you will learn to

◆ Identify the requirements of Windows Small Business Server 2008

◆ Install Windows Small Business Server 2008

Windows Small Business Server 2008 Overview

The most beautiful part of Windows Small Business Server 2008 is that, on the surface, when you first start to use it, it’s very difficult to tell apart from Windows Server (other than the huge splash screen identifying it as Windows Small Business Server 2008 when you start it). Most of the icons, tabs, start buttons, and everything else you’ve become familiar with are still right where you left them. This is done intentionally. In Microsoft’s opinion (and in mine), it’s a good idea to get small businesses running on Windows Small Business Server so they will be ready to upgrade and expand to the full catalog of Windows Server products when they’re ready to do so.

To make this easier, Microsoft starts the customer with a full catalog of products, easily rolled into one server. Unlike many other server products, Windows Small Business Server 2008 isn’t just an operating system. Instead, it’s an entire productivity suite. In the next section, I’ll carefully examine the products available with Windows Small Business Server (SBS) 2008 and Microsoft’s comparative products offered with Windows Server 2008 Standard, Enterprise, Datacenter, and Web edition.

What’s Included in SBS 2008?

Windows Small Business Server 2008 comes with a whole lot of toys, bells, and whistles. In fact, so many features are available that Windows Small Business Server has been broken up into two editions: Small Business Server 2008 Standard and Small Business Server 2008 Premium. Let’s review the differences now:

Windows Small Business Server 2008 Standard

◆ Windows Server 2008 Standard Technologies

◆ Microsoft Exchange 2007 Standard Edition

◆ Windows SharePoint Services 3.0

◆ PowerShell

◆ Windows Server Update Services 3.0

◆ Microsoft Forefront Security for Exchange Server

◆ Integration with Office Live Small Business

Windows Small Business Server 2008 Premium

◆ All of the above, plus Microsoft SQL Server 2008 Standard for Small Business

Let’s talk about all the major aspects of Windows Small Business Server 2008 first, line by line. I’ll save a discussion of Server Update Services, Microsoft Forefront Security for Exchange Server, and Integration with Office Live Small Business for later in this chapter.

Windows Server 2008 Standard Technologies

What Microsoft means by “Standard” is that every edition of Windows Small Business Server 2008 comes with the ability to create, administer, and utilize the basic aspects of Windows Server such as creating accounts, adding computers, and organizing Active Directory for your business. This is really important to note, because a recurring theme with Windows Small Business Server 2008 is that it really is quite similar to the full-blown version of the Windows Server 2008 suite.

Microsoft Exchange 2007 Standard Edition

Quite possibly the biggest feather in Small Business Server’s cap is that it contains a live and fully integrated version of Microsoft Exchange Server 2007. And that’s because Exchange Server is a really, really big deal. Microsoft Exchange is the server technology that Microsoft-based businesses use to send and receive email. Using Exchange, businesses have instant access to email through a robust and efficient platform that supports the exchange of emails through the enterprise.

If purchased separately, Exchange 2007 can be quite expensive. But with SBS 2008, business owners can set up a simple “one-stop shop” for their entire organization’s email. It even includes a web client!


Windows SharePoint Services 3.0

In 2008 and 2009, Windows administrators have been raving nonstop about SharePoint. But that’s because it actually is really useful for any given business. Boiled down, SharePoint gives a business the ability to launch a simple and fully functioning web portal that can be used to exchange Office files, set up blogs, support intranet websites, and just generally serve as a point of reference for multiple employees.

PowerShell

One of the best new features of SBS 2008 is the incorporation of the Windows PowerShell using cmdlets (pronounced “commandlets”). These cmdlets enable administrators to quickly execute multiple commands in a lightweight command interface. However, most SBS 2008 users don’t use scripting, so in this book, I will only briefly touch on a few commands throughout the remaining chapters.

Microsoft SQL Server 2008 Standard for Small Business

If you cut through a lot of the marketing associated with SBS 2008, you’ll find that the real advantage of SBS 2008 over competing platforms is that it contains a ton of very useful and very powerful features. Additionally, it contains what is arguably the most versatile database solution possible — that is, if you purchase the Premium edition.

This powerful feature included with SBS 2008 Premium is Windows SQL Server 2008 for Small Business. Structured Query Language (SQL) is a language reserved for retrieving, inserting, and manipulating data in a database. With SQL, businesses can launch multiple applications and lines-of-business solutions that use a large amount of data. I’ll go into more depth on SQL Server 2008 in Chapter 11, but for right now, I’ll go over a simple example of how you might use SQL Server 2008 for Small Business.

Say you wanted to make a site called RosesAndGardens.com. With SBS, you could launch this site through Small Business Server and then begin serving users through it. But, without a way to store data on that website, you’d have no way to collect customer information, store various products, or sell anything. And that’s where SQL Server 2008 comes in. Using that, a small business can create a simple ecommerce store, begin to collect data, and run the entire operation through their one server. With SQL Server 2008, SBS 2008 becomes a complete line-of-business (which is just a fancy term for “required to do business”) platform that can, by itself, serve as an entire business. Pretty neat, eh?

Free Trial of SBS 2008

If you are interested in learning more about SBS 2008 through this book but you don’t necessarily want to purchase a license for it through Microsoft (or just can’t afford it quite yet with your small-business budget), you can download a free trial of SBS 2008 through Microsoft.com. As of this book’s publication, it’s available in the Small Business Server area of its website. Just remember the following:

◆ The trial lasts 120 days.

◆ You can upgrade the trial edition to the full edition without reinstalling.

◆ No features are turned off during the trial.


Limitations of Small Business Server 2008

Now that you know about the advantages and power of Small Business Server 2008, it’s time to talk about the limitations. After all, Microsoft can’t give away everything with a small-business product. So, without further ado, here are the limitations specified by Microsoft TechNet:

◆ Small Business Server 2008 doesn’t support more than 75 users or devices.

Unless you upgrade from Small Business Server, this number is an absolute. But keep in mind, 75 employees is a lot of employees! A “medium-sized” business is a business that has more than 50 employees, according to the Microsoft mind-set.

◆ The SBS 2008 Standard edition server must be the root domain controller of the forest.

This isn’t necessarily a big deal, but it means you can’t join an SBS 2008 Standard server to a complex Enterprise edition environment and thus correspondingly benefit from all the contained features. Microsoft disallows this because it suspects if you’re doing this, you are probably just trying to get out of paying for the entire product line.

◆ The SBS 2008 Standard edition server must hold the flexible single master operations (FSMO) roles.

This is another hard-lined rule, but it effectively means that the Small Business Server must be “in charge” of its network.

◆ The SBS 2008 Standard edition server must be a global catalog.

Similar to FSMO, the Small Business Server needs to be the main global catalog for the enterprise.

◆ There can be no interforest trusts or child domains.

The real restriction here is that this means Small Business Server 2008 can’t be joined or attached to extra forests or child domains, and thus it can’t be used for large-scale expansion.

◆ Terminal Services Application Mode is disabled on SBS 2008 Standard edition server.

This is a real limitation compared to Windows Server 2008 Standard or Enterprise edition. The use of Terminal Services has become popular of late, and removing these features is a real inhibitor. However, not all Terminal Services features are unavailable. For one, users can still utilize Remote Desktop.

◆ The Premium edition server must be a member server or an additional domain controller of an SBS 2008 network.

This is not really an inhibitor, but this does mean that the Premium server requires a bit more licensing.
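The domain-related limits in this list can be audited from PowerShell. The following is an added example, not code from the book or from Microsoft: Get-ForestFacts reads the live forest through the .NET System.DirectoryServices.ActiveDirectory classes, and Test-SbsTopology compares those facts with the FSMO, global catalog, trust, and child-domain rules above. Both function names, the host names, and the sample data are constructed for illustration, and PowerShell 2.0 or later is assumed.

```powershell
# Added example (not from the book). Assumes PowerShell 2.0 or later.
# Function names, host names, and the sample data are hypothetical/constructed.

function Get-ForestFacts {
    # Run on a domain-joined machine. Reads the current forest through the
    # .NET System.DirectoryServices.ActiveDirectory classes.
    $forest = [System.DirectoryServices.ActiveDirectory.Forest]::GetCurrentForest()
    $root   = $forest.RootDomain
    return @{
        DomainNames    = @($forest.Domains | ForEach-Object { $_.Name })
        GlobalCatalogs = @($forest.GlobalCatalogs | ForEach-Object { $_.Name })
        ForestTrusts   = @($forest.GetAllTrustRelationships() | ForEach-Object { $_.TargetName })
        RoleOwners     = @{
            Schema         = $forest.SchemaRoleOwner.Name
            DomainNaming   = $forest.NamingRoleOwner.Name
            PDC            = $root.PdcRoleOwner.Name
            RID            = $root.RidRoleOwner.Name
            Infrastructure = $root.InfrastructureRoleOwner.Name
        }
    }
}

function Test-SbsTopology {
    # Compares collected facts with the limits listed above and returns
    # one message per rule that is not met (nothing when all rules hold).
    param(
        [hashtable]$Facts,
        [string]$SbsServer      # fully qualified name of the SBS 2008 server
    )
    $problems = @()

    # The SBS server must hold every FSMO role.
    foreach ($role in ($Facts.RoleOwners.Keys | Sort-Object)) {
        $owner = $Facts.RoleOwners[$role]
        if ($owner -ne $SbsServer) {
            $problems += "FSMO role '$role' is held by $owner, not $SbsServer"
        }
    }

    # The SBS server must be a global catalog (other catalogs may exist too).
    if ($Facts.GlobalCatalogs -notcontains $SbsServer) {
        $problems += "$SbsServer is not a global catalog"
    }

    # No child domains: the forest may contain only its root domain.
    if ($Facts.DomainNames.Count -gt 1) {
        $problems += "forest contains more than one domain: $($Facts.DomainNames -join ', ')"
    }

    # No interforest trusts.
    if ($Facts.ForestTrusts.Count -gt 0) {
        $problems += "interforest trust present: $($Facts.ForestTrusts -join ', ')"
    }

    return $problems
}

# Constructed sample: a second domain controller has taken one FSMO role and
# a trust to another forest exists, so two rules are reported as broken.
$sampleFacts = @{
    DomainNames    = @('example.local')
    GlobalCatalogs = @('officesvr1.example.local', 'officesvr2.example.local')
    ForestTrusts   = @('partner.example')
    RoleOwners     = @{
        Schema         = 'officesvr1.example.local'
        DomainNaming   = 'officesvr1.example.local'
        PDC            = 'officesvr1.example.local'
        RID            = 'officesvr1.example.local'
        Infrastructure = 'officesvr2.example.local'
    }
}

$issues = @(Test-SbsTopology -Facts $sampleFacts -SbsServer 'officesvr1.example.local')
if ($issues.Count -eq 0) { 'All checked limits are met.' }
else { $issues | ForEach-Object { "NOT MET: $_" } }

# Against a live network, replace the sample with the collected facts:
#   Test-SbsTopology -Facts (Get-ForestFacts) -SbsServer '<FQDN of your SBS server>'
```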

If you remember from a bit earlier, I mentioned that Windows Small Business Server 2008 comes with Forefront Security and Windows Live OneCare. Well, that’s true. It does come with versions of them. Unfortunately, the “gotcha” is that they are only 120-day trials. It’s a little misleading, but these components don’t come “off the shelf” with Small Business Server 2008. Additionally, there are a few other hardware and SBS 2008–specific limitations, discussed in the following sections.

Network Cards

On the books, both the Premium and Standard editions of SBS 2008 are designed to use only one network card. If you are using more than one network card, Microsoft recommends that you install the Premium edition of SBS 2008. A second network card isn’t necessarily unsupported, but it’s not recommended. This is a pretty big change from SBS 2003, and not necessarily a positive one.

Several common installations of SBS include attaching network attached storage, which may require multiple network interface cards (NICs). Additionally, using DHCP is fairly difficult to do without having multiple NICs, though it is possible.

Proxy Servers

Although most small businesses don’t use them, it’s important to note that SBS 2008 doesn’t support Microsoft Internet Security and Acceleration Server (ISA). However, you can place an ISA server in the perimeter network and connect the separate server (running its own ISA server licenses) to the SBS 2008 server so that the SBS 2008 server can use the ISA server as a proxy.

Removal of the MMC

This is the one limitation that irks most administrators. With SBS 2008, there is no longer any sort of Microsoft Management Console. Instead, SBS 2008 relies on a “task-based” system that is designed to be as quick and easy as possible for novice users. However, this can create some small problems for administrators who aren’t familiar with some of the decisions that SBS 2008 decides to make during its task process.

Supported Client Operating Systems

If you’re working by the book, to connect to an SBS 2008 domain controller, you must be running Microsoft Vista or Windows XP. However, installs with Windows Server operating systems (such as Windows 2000 Server, Windows Server 2003, and Windows Server 2008) are possible, so long as these installs are just joining the domain controller as individual machines and not acting as central parts of the domain or forest.

Later, in Chapter 4 on Active Directory, I’ll go over the process of joining clients to the domain controller and how that’s achieved with Windows Small Business Server 2008.

Upgrading to Windows Small Business Server 2008

One of the major limitations of Windows Small Business Server 2008 is that you can’t just upgrade from one version to another. Instead, to upgrade to SBS 2008, you have to migrate user accounts from one Windows version (that is, SBS 2003 or Windows Server 2003) to another.


This can prove to be a bit tedious, but it’s set up this way because there are some very dramatic differences between SBS 2008 and SBS 2003 — or any other given edition of Windows, for that matter. No other edition has quite held the range and scope of applications and features, so it doesn’t exactly “play well with others.” (I’ll cover upgrading in more detail in Chapter 3.)

Special Installation Types

SBS 2008 includes several special types of installations with Premium edition, including Server Core and a Read-Only Domain Controller.

Windows SBS 2008 Server Core

It may come as a surprise, but SBS 2008 supports Server Core — that is, of course, if you purchase the Premium edition. Just in case you’re unfamiliar with it (since Server Core is new to Windows Server 2008), Server Core represents a lightweight, command-line-only server installation that is used to provide a fairly quick and stable installation of Windows Server.

You might be wondering why you would want a Server Core installation of SBS 2008. The answer is that, unless you’re using Premium edition, you probably wouldn’t. But, if you are, there are some advantages to running a Premium edition server without a GUI. In the long run, administrators of smaller networks don’t tend to mess around much with command-line installations because the overhead involved with it is drastically more time-consuming than using the GUI. In case you’re wondering what Server Core mode looks like, check out Figure 1.1.

Figure 1.1: Windows Server Core installation

Windows SBS 2008 Read-Only Domain Controller

Another fancy feature from Windows Server 2008 Standard edition that is transferred over to the new SBS 2008 is the ability to use SBS 2008 as a Read-Only Domain Controller. This is really convenient for users looking to deploy a Premium edition copy of SBS 2008 in an exposed area. It allows users to look at, but not alter, Active Directory and use its features.

Installing Windows Small Business Server 2008

Upon purchase or receipt of Windows Small Business Server 2008, you will receive a DVD that contains the master installation DVD files. This DVD is bootable and usually contains a hologram from Microsoft to signify its authenticity. To install SBS 2008, you have to insert this DVD into a DVD-ROM drive, select the DVD-ROM drive as a priority bootable device in the device selection menu of your computer’s BIOS, restart your server, and then boot from the DVD at the prompt “Press any key to boot from CD or DVD.”

At this point, you’ll be able to begin the installation. Keep in mind that Windows SBS 2008 has the installation requirements shown in Table 1.1.

Table 1.1: SBS 2008 Requirements

Component     Requirement
Processor     2GHz x64 or faster
Memory        4GB minimum, 32GB maximum
Disk space    60GB minimum

For any additional Premium servers, there is a supported 32-bit version, but it’s recommended that you just install the 64-bit version. Additionally, keep in mind that if you’re an advanced IT user and you’re just testing SBS 2008 to keep up your knowledge base, the 64-bit installation of SBS requires a 64-bit processor with virtualization technology in order to be installed on VMware installs. (I’ll cover virtualization in Chapter 9.) For your reference, you can find Intel’s supported processor list on Intel.com, and you can find AMD’s processor list on AMD.com.

When you begin installing SBS 2008, you’ll first be greeted with the initial installation screen, as shown in Figure 1.2.

Figure 1.2: SBS 2008 initial install screen

As you go through the installation, the progress bar will continue to move along in amounts corresponding to how far you’ve gotten. Along the way, you may see a few completely black screens or pauses.

You will become intimately familiar with this screen throughout your course of interacting with SBS 2008. Keep in mind that SBS 2008, like any other version of Windows, requires a great deal of interaction (and reboots) in order to function properly. Chances are that if you’re an attentive administrator, you’ll sit through many a reboot.

You should also note that the first time you install Windows there will be one last screen that might strike you as unfamiliar. Well, at least it surprised me to see it the first time. For lack of a better term, I’ll call it the “setting up screen.” You can see it in Figure 1.3.

Figure 1.3: The setting up screen

This screen can take several minutes, so don’t be alarmed if SBS 2008 pauses here for a long period of time.

After this initial and relatively painless install, SBS 2008 begins the user-specific setup process. What’s really nice about this process, as opposed to previous iterations of Windows SBS, is that SBS 2008 asks you questions only after the installation is complete. This is a big change from Windows XP, where you had to occasionally click installations over and over again. Personally, I can’t even imagine how many times I’ve clicked Next during Windows installs knowing full well that I’d have to click Next again in another 10 minutes.

Manufacturer Installations

A good share of Windows SBS 2008 servers are bought straight from the manufacturer with SBS 2008 preinstalled. In this case, most manufacturers will install SBS 2008 to this point and then leave the remainder of the installation up to the user, because it is, for the most part, self-explanatory. As a system administrator, you can sometimes choose to set up a server in this very same manner and then leave the rest to the business owner.

Alternatively, as a business owner, you can for the most part disregard the essentials of the installation process up until this point. However, if you ever have to reinstall, you may want to familiarize yourself with it.

SBS 2008 Initial Setup

Once the official installation process has completed, SBS 2008 will take you through seven screens that allow you to customize your installation:

◆ Time zone

◆ Company information

◆ Server/network

◆ Administrator setup

◆ Security services

◆ Summary

For the most part they’re self-explanatory, but because each of them has a few hidden warnings behind them, I’ll go through each menu one at a time.

Time Zone

OK, I know what you’re thinking: “This guy included an entire section on the time zone?” And the answer is yes, but for good reason. There really isn’t a single greater nightmare to the mindful administrator than a change in the time. A change in time can impact the following:

◆ Email synchronization

◆ Email blasts/sent items

◆ Websites/ecommerce

◆ User login times

◆ Group Policy

◆ Application filters

◆ About 100 other administrator nightmares

When you get to the screen you see in Figure 1.4, you’ll be able to click the blue text that says Open Date And Time To Verify The Clock And Time Zone Settings.

By clicking this, you’ll be able to set up the time zone and also make sure Windows is set up to synchronize itself with the master clock. This is really useful in case something happens to the time that you’re not aware of, like the President changing the rules regarding when daylight saving time happens.

Other than that, all you have to do is set the time zone and then click Next.

Figure 1.4: Time zone settings

Company Information

On the Company Information screen, shown in Figure 1.5, an administrator can specify the company name and address, which is used in various places throughout the system settings. Unlike the time zone settings, there are no real cautions or warnings expressed or implied here.

Server/Network

This is where the fun begins! When the screen in Figure 1.6 appears, you assign your local server a server name and then your local domain a name.

As it says on the screen, a local domain is not an Internet domain name. However, normally they are quite similar. For example, I may own the domain intellicorp.com, but I will also use the intellicorp local domain for my user’s logon. It’s not only easy to remember but also convenient. I’ll talk more about Windows local domains when we get to Chapter 5 on Active Directory, but for now just choose a name.

Further, it’s a good idea to name your server something that can be incremented. I like the convention of OfficeSvr1, OfficeSvr2, and so on, because it leaves room for expansion.

Administrator Setup

On the next screen, you create a network administrator account. The network administrator account is really one of the most powerful accounts in the whole server. It has the ability to administer the server as well as create user accounts and add computers. When creating your user account, make sure the name of the account is easy to remember (I use sjohnson, for example), and then choose your password. Unfortunately, passwords are more difficult and should not necessarily be easy to remember. A good trick to use is to pick a common word and then substitute numbers and special characters for vowels. Here’s an example:

Provinces

Pr0v!nc3s

Figure 1.5: Company Information screen

Figure 1.6: Server and network assignment screen

This allows you to remember relatively easily what the password is and to just use some simple substitution that you can think of in your head. Keep in mind that Windows SBS 2008 likes you to use more than seven letters, as well as a number and at least one special character. If you don’t, Windows will give you a warning message, which you can see at the bottom of the user account creation page in Figure 1.7. Notice at the bottom it asks for “3 of the following 4 types of characters: A–Z, a–z, 0–9, and symbols.” But just about any good password will contain those items.

Figure 1.7: Network administrator account creation page
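A substituted word such as the one above satisfies the length and character-type rule quoted from the setup screen, yet it is still a single dictionary word once the common substitutions are reversed, so it is worth checking both properties before using it for the network administrator account. The following PowerShell is an added example, not code from the book: the substitution map and the five-word list are constructed samples (use a full word list in practice), the function names are hypothetical, and PowerShell 2.0 or later is assumed.

```powershell
# Added example (not from the book). Assumes PowerShell 2.0 or later.
# $Substitutions and $SampleWords are constructed samples; function names are hypothetical.

# Characters commonly swapped in for letters, mapped back to the letter.
$Substitutions = @{
    '0' = 'o'; '1' = 'i'; '!' = 'i'; '3' = 'e'
    '4' = 'a'; '@' = 'a'; '5' = 's'; '$' = 's'; '7' = 't'
}
$SampleWords = @('provinces', 'password', 'administrator', 'business', 'server')

function Get-CharacterTypeCount {
    # Counts how many of the four types (A-Z, a-z, 0-9, symbols) are present.
    param([string]$Password)
    $count = 0
    if ($Password -cmatch '[A-Z]')        { $count++ }
    if ($Password -cmatch '[a-z]')        { $count++ }
    if ($Password -cmatch '[0-9]')        { $count++ }
    if ($Password -cmatch '[^A-Za-z0-9]') { $count++ }
    return $count
}

function ConvertTo-BaseWord {
    # Lowercases the password and reverses the substitutions listed above.
    param([string]$Password)
    $letters = foreach ($c in $Password.ToLower().ToCharArray()) {
        $key = [string]$c
        if ($Substitutions.ContainsKey($key)) { $Substitutions[$key] } else { $key }
    }
    return (-join $letters)
}

function Test-AdminPassword {
    param(
        [string]$Password,
        [string[]]$Dictionary = $SampleWords
    )
    $findings = @()
    $longEnough = ($Password.Length -ge 8)                       # more than seven characters
    $enoughTypes = ((Get-CharacterTypeCount $Password) -ge 3)    # 3 of the 4 types
    if (-not $longEnough)  { $findings += 'needs more than seven characters' }
    if (-not $enoughTypes) { $findings += 'needs 3 of the 4 character types' }

    # Check the whole password, and the password with leading/trailing digits
    # and symbols trimmed, against the word list after reversing substitutions.
    $trimmed = $Password -replace '^[^A-Za-z]+|[^A-Za-z]+$', ''
    $candidates = @((ConvertTo-BaseWord $Password), (ConvertTo-BaseWord $trimmed))
    foreach ($word in $Dictionary) {
        if ($candidates -contains $word) {
            $findings += "reduces to the dictionary word '$word'"
            break
        }
    }

    return New-Object PSObject -Property @{
        MeetsSetupRule = ($longEnough -and $enoughTypes)
        Findings       = $findings
    }
}

# The book's two examples plus the substituted word with a year appended.
foreach ($pw in @('Provinces', 'Pr0v!nc3s', 'Pr0v!nc3s2008')) {
    $r = Test-AdminPassword $pw
    '{0,-14} meets setup rule: {1,-5} findings: {2}' -f $pw, $r.MeetsSetupRule, ($r.Findings -join '; ')
}
```

A password that meets the setup rule but still produces a dictionary finding is better replaced with a longer passphrase or a generated password held in a password manager.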

Security Services

Security, security, security. If there’s one major change that’s been made in all the editions of Windows Server 2008, it’s the addition of major security features. And SBS 2008 is no exception. Windows Small Business Server 2008 comes with two specific security features:

◆ Windows Live OneCare for Server

◆ Microsoft Forefront Security for Exchange Server

In Chapter 12 I’ll go over both of these security features in more detail, so for now I’ll give you just a basic overview of the features you’ll install on the screen shown in Figure 1.8.

Figure 1.8: Security services installation screen

Windows Live OneCare for Servers: Windows Live OneCare for Servers is effectively a firewall, antivirus, antispyware, and overall monitoring program for Windows Server. Through its use, Windows administrators are relieved of some of the burden involved with the upkeep of a server.

Microsoft Forefront Security for Exchange Server: This program, utilized with Microsoft Exchange Server for SBS 2008, monitors email for known viruses, file attachments, and other malicious software. Through its use, SBS looks after your network to make sure no unauthorized material can enter your network.

Summary

Once you’ve gone through all the main installation screens, a summary screen, as shown in Figure 1.9, will appear and confirm the changes you are making. Keep in mind, you will not be able to change the server name or the internal domain name once you pass this screen!

Once you click Next, Windows will begin the final installation process and start to extract files to complete its final installation steps. This can take a long time, sometimes as long as 30 minutes to an hour. Of course, the faster your computer is, the faster the installation is going to complete. But during the process, you’ll see a progress monitor bar.

Assuming everything proceeded correctly, once you’ve completed your installation, you should see a login screen that looks like Figure 1.10.

Figure 1.9: Installation summary screen

Figure 1.10: Initial logon screen

Ctrl+Alt+Delete

As most people know, the old-fashioned way that people used to make Windows reboot when it stopped working was to hit Ctrl+Alt+Delete. It was actually a back door left by a programmer in case he needed to reboot the machine from an error. Unfortunately, it became common knowledge and part of the service manual. With Windows 95, Bill Gates decided he didn’t like the association of his software not working properly and made Ctrl+Alt+Delete the Windows logon and the process by which the Task Manager opened.

If everything was done properly, you’ll be requested to enter your network administrator password. However, if something didn’t go right, you may have to log on to your local administrator account and configure your network settings. In fact, chances are that you may have to do this anyway if your company uses static networking.

The Windows SBS Console

Once you’ve logged in for the first time, you’ll be greeted with the Windows SBS Console, as shown in Figure 1.11. The Windows SBS Console is the central command point of SBS 2008, and it can be used to configure just about every aspect of Windows SBS 2008. In effect, it is a very, very useful administration tool.

Figure 1.11: The Windows SBS console

For those of you who are already Windows administrators, keep in mind that the standard Server Manager is not available with SBS 2008. Instead, you use the SBS command console for just about everything, as you’ll see throughout the rest of this book.

The reasons behind the decision to remove the Server Manager are pretty easy to understand. If you think about it, the Server Manager isn’t exactly the most user-friendly tool on the planet. It’s a little bulky and not very pleasant to look at. The SBS 2008 console, on the other hand, is simply awesome looking and very easy to use. No thought required. Now, let’s get started using it.

Addressing Alerts, Warnings, and Concerns

With SBS 2008, Microsoft tried to take the thinking out of a lot of major concerns with the simple summary screen shown in Figure 1.12. There, you can see four major concerns: Security, Updates, Backup, and Other (general) alerts. Let’s start with the easiest thing first — updates.

Figure 1.12: Networking Essentials Summary screen

Updates with the Summary Screen

Thankfully, the days of manual updating are long gone. Now it’s simple! To install updates with the Windows SBS Console, click the Updates picture, and then click Go To Updates. This will bring you to the general Updates tab, shown in Figure 1.13.

The good news is that updates are exceedingly simple now. So, if you’re ready for it, the steps for updating are as follows:

You’re done.

That’s right! Windows SBS 2008 updates automatically with all the critical updates. As you can see from Figure 1.13, the updates are automatically updating under the Updates In Progress section. However, you can choose whether to approve or deny updates listed under Optional Updates. If you highlight one of these updates, say Update For Windows Server 2008 x64 Edition (KB955839), you will see the image in Figure 1.14 on the right of your screen. This section is called the Tasks menu. There, you can click the Deploy The Update button or the Decline The Update button. Rocket science, right?

Figure 1.13: Updates tab

Figure 1.14: The Tasks menu

Clicking the Deployment Update button will display a warning or message regarding the update, making you aware of what’s happening. For example, on the update I just selected, I received the message shown in Figure 1.15.

This is really handy, because it lets you know that all computers that require this update will now receive it. Next, once you click OK, it will tell you that it will take 4 to 24 hours to deploy the update without bringing your system down. Brilliant! Go ahead and deploy your updates now.

Figure 1.15: Update warning

Security Concerns

Next, you need to address any potential security concerns. If you click Security and then go to the Security tab, you will see a summary of your security settings, as shown in Figure 1.16.

As you can see, this security center has a problem because my Live OneCare files are out-of-date. So, I can select that problem and then click the Open Windows Live OneCare For Server button on the right, bringing up the screen shown in Figure 1.17.

To appease the security center, I need to update Live OneCare and then address the concerns in red — the virus and spyware definitions are not current, and a full OneCare functionality update is needed. Doing this is especially hard — you have to click the Update OneCare button. Tough, eh? This will open the update center for Live OneCare.

Once you get to this screen, you have to click Next and then accept the license agreement. Then the server will begin the update process. Believe it or not, this can actually take quite a long time — but there’s a good reason behind that. Namely, Windows Live OneCare is a very advanced firewall system that incorporates antivirus features, spyware controls, and a myriad of other things. Therefore, the definition files are really big. Thankfully, as you’ll see, it’s quite painless, and you can continue doing other administration tasks as you proceed.

Backup

To access the backup information, click Backup and then Go To Backup. This will take you to the main Backup tab, which should look something like Figure 1.18.

Just as with the other menus, you can configure it by clicking the Configure Server Backup button on the right. This might take a little time to start up, but once it’s done loading data, you will be greeted with a screen where you can select a device to set up your backup choices. Since this varies from computer to computer, I won’t show it here, but once you are there, the process is fairly self-explanatory.

Figure 1.16: Security tab

Figure 1.17: Windows Live OneCare information

Figure 1.18: Backup tab

Other Alerts

The last main setup task is to address any extra alerts. By going to the Other Alerts section, as you did with the previous sections, you can observe your server and see its status, as shown in Figure 1.19. As you can see, there is a Critical status flag on OFFICESVR. When this happens, you can click the server and then click the View Computer Alerts button on the right (not visible in the figure). This opens the general alerts window shown in Figure 1.20.

Figure 1.19: Alert status

Figure 1.20: Computer alerts

By selecting each of these alerts, you can diagnose the reason behind them. In my case, I’ve stopped the Dynamic Host Configuration Protocol (DHCP) service and Windows Live OneCare because of updates and networking choices I made behind the scene. I will turn these back on later; therefore, I can dismiss these updates and consider my server initial setup phase complete.

Getting Started Tasks

Now, the elephant in the room that you’ve undoubtedly noticed is the Getting Started Tasks screen shown in Figure 1.21. Various chapters in this book will address each of these tasks, but let’s start with a general description of how this screen works. First, the Windows SBS Console, as I’ve said before, is the central command center of SBS 2008. Thus, the tasks that it is outlining for you to do here are tasks recommended or required by Microsoft in order to maintain a functioning computer.

Figure 1.21: Getting Started Tasks screen

To use this menu system, you click each of these tasks to open an agenda list, along with the recommended procedures for each task. Because it involves installation, let’s take a look at the Finish Installation tasks.

If you followed my path step-by-step, you should see the screen in Figure 1.22 once you start your server. The Installation Issues tasks at hand are creating the network administrator account (which you should not have) and the updates installation (which you may have if you were not connected to the Internet at the time). Regardless, you can see in the figure that there are easy buttons to address the issues, such as How Do I Fix This Issue?

Figure 1.22: Installation issues

Now, since you’ve already addressed these concerns, you can click the Completed check box next to the View Installation Issues item.

Reviewing Your Installation

Once you’ve completed your final installation of SBS 2008, it’s a good idea to go over what you’ve accomplished and check to see whether things are “in the green.” Ideally, on your server you should see your networking essentials summary showing Security, Updates, Backup, and Other Alerts as green.

Installing Twice

Believe it or not, whenever I’m faced with a new operating system that I’m unfamiliar with, I plan on installing it twice. I do this because sometimes I’m just not familiar with the process and I make some decisions I regret later. Take, for example, the installation you just did. In this install, you may decide later that you don’t like the naming scheme you chose or that some part of the installation wasn’t exactly what you liked.

In the real world, I’ve installed versions of SBS and Standard server alike where I got through the process and said, “You know, I could have designed this better.” And usually, the best bet is to go back to what you did in the beginning, analyze what you did and did not like about it, consider what made you make that decision, and finally see whether you can improve it or want to maintain it.


The Bottom Line

Identify the requirements of Windows Small Business Server 2008: Review and memorize the server requirements for SBS 2008.

Master It: What types of processors can be used to virtualize an install of SBS 2008?

Install Windows Small Business Server 2008: Set up and completely install SBS 2008 on a partition of your creation and choosing.

Master It: Install Windows Small Business Server 2008 so the server can access the Internet, download updates, and show all networking essentials as “in the green.”


Chapter 2

Setting Up and Utilizing an SBS 2008 Network

For seasoned IT professionals and novice computer users alike, the small office network has gone from a once fabled invention of the 1980s to a completely commonplace, if not mandatory, feature of any stable business. Accordingly, Microsoft has taken account of this and implemented many new and advanced networking features in Windows SBS 2008. Namely, Microsoft has tried to make SBS 2008 a central focal point of the entire network, like it should arguably already be.

In this chapter, you will learn to

◆ Plan an SBS 2008 network installation

◆ Configure SBS 2008 client computers for networking

◆ Use command-line networking commands

◆ Diagnose small network problems

◆ Implement wireless networking

Understanding SOHO

SOHO stands for “small office/home office,” and it’s the primary term used when administrators are discussing small offices or home offices, as well as the primary target market of SBS 2008. However, the term has a few caveats:

◆ The typical SOHO has fewer than 15 members.

◆ SOHOs do not usually include more than one server.

◆ SOHOs do not typically run websites or other servers.

But with that said, it’s important to remember that SBS 2008 isn’t targeted just to the SOHO, but also to medium-sized businesses. A SOHO is usually fewer than 15 people, and SBS supports up to 75 accounts. And with the informal standardization of a “medium-sized” business being any business with more than 50 employees, you can see how the SOHO isn’t a complete picture of what SBS 2008 is capable of. However, it’s certainly a great starting point for the purpose of explaining how SBS 2008 works.


In Figure 2.1 you can see a simple example of a typical SOHO network. As you can see, from the firewall the traffic on the network is fed to a router, which sends out traffic through a switch. There, behind those three devices, an SBS server sits with PCs in a protected area of the network. In this type of an environment, an SBS server is protected and able to distribute resources to an entire network. More importantly, it can host important features for an SBS 2008 network, such as a DHCP server. But before I discuss that, let’s briefly discuss the components that make up a SOHO network that could be used with SBS 2008.

Figure 2.1: Typical SOHO environment (diagram labels: Firewall, Router, Switch, PC1, PC2, SBS 2008)

Routers

Routers are devices used to transmit logical packets of information from one Internet Protocol (IP) address to another. Routers by nature are designed to segment networks into logical barriers called subnets. Routers pass information back and forth between each of these subnets.

In a constructive diagram called the TCP/IP model, routers fall into the third layer of this diagram, called the Network layer. This is because in the Network layer, all segmentation is done logically through specialized hardware and processors designed to process traffic.

Behind each router in a network, other network devices are connected through other network devices, such as switches and hubs, which are discussed in the next section. But once a router is put in place, these switches and hubs are collected into a network convention called a broadcast domain, or an area where IP traffic can be sent and received at the Data-Link layer. In effect, traffic within a broadcast domain is transported from Media Access Control (MAC) address to MAC address within a physical connection. But to get outside this small boundary of connected network devices, a router is required. That’s because a router can collect one broadcast domain and connect to another.

Switches

Switches are hardware devices that physically segment networks into different collision domains that protect traffic from colliding because of transmissions along the same network path. What actually happens along a network path is that one device with a network interface card (NIC) can connect to another by transmitting a signal. Unfortunately, NICs are actually fairly dumb. They just transmit information and don’t really care about what happens after the process.

But unbeknownst to the NIC, the signals it sends out may bump into another signal if they are within the same collision domain. Collision domains are just network areas that share the same signals without a device to break them up. And that’s where switches show up. Simply put, switches are devices that separate traffic.

Servers

Although routers and switches are important to a SOHO or medium-sized business network, this book concentrates on server implementation, not network administration. Accordingly, you need to understand the roles that servers play in the network. Within a network, servers can be routers themselves, assign addresses, and administer network resources such as printers and fax machines. But before getting into the specific roles they govern, you need to understand a little bit about how to plan for a network as a whole.

Planning an SBS Network

SBS 2008 has two different types of network addresses available to system administrators: IPv4 and IPv6. As of the publication of this book, IPv4 is still the uniform standard of the Internet as a whole; IPv6 has only begun to be implemented by governmental organizations, such as the Department of Defense. Thus, this book will mostly concentrate on IPv4 and its conventions. In particular, IPv4 has three different methods of being addressed using known addressing techniques.

Addressing Techniques

IPv4 uses three types of IP addressing techniques: APIPA, static, and dynamic (DHCP). With Server 2008 (and especially Small Business Server 2008), 99.9 percent of the time you’ll be dealing with dynamic addressing, and thus I’ll spend most of this section and the “Dynamic Host Configuration Protocol” section discussing dynamic addressing; however, I’ll briefly cover static addressing and APIPA as well.

APIPA

Automatic Private IP Addressing (APIPA) is a Windows default mechanism for assigning IP addresses when a DHCP server is unreachable. This means, no matter what the situation, machines running Windows will always have a logical address available to them within the 169.254.X.X range. If you ever see an IP address like this within your SBS 2008 network, it usually means that either there is a problem reaching the server or the network card is not properly set up.

Normally, when you’re running some of the more well-known Windows configuration commands (which you’ll learn more about in the “Using the Command Line with Network Administration” section), you’ll often see an IP address like 169.254.0.1. This means that the computer is unable to communicate with a DHCP server or has not had an address assigned. In this case, you would either try to get the client with the APIPA address to refresh its dynamically assigned address through the use of command-line utilities or GUI interfaces associated with the drivers for the network card or manually assign it an address that is not an APIPA or reserved address. Nine times out of ten, this means opening the network card configuration in SBS 2008 (or whichever machine, normally something like a client, has the APIPA address) and then resolving the issue by running through some simple configuration to make sure the card is set up properly.

Now, if the computers using APIPA are all client computers that communicate only with each other within the same broadcast domain, you can use APIPA for peer-to-peer communications without any problems. If the clients must talk to servers on different subnets or the Internet, a static or DHCP assignment will be required.
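The APIPA check described above can be scripted. The following is an added example, not code from the book: it parses a constructed sample of `ipconfig` output, flags any adapter that fell back to the 169.254.X.X range, and tests whether two interfaces share a subnet, which is the case where APIPA peers can still reach each other. The function names and sample addresses are assumptions made for illustration.

```python
import ipaddress
import re

# Constructed sample of `ipconfig` output from a client (not taken from the book).
SAMPLE_IPCONFIG = """\
Ethernet adapter Local Area Connection:

   Connection-specific DNS Suffix  . : example.local
   IPv4 Address. . . . . . . . . . . : 192.168.1.25
   Subnet Mask . . . . . . . . . . . : 255.255.255.0
   Default Gateway . . . . . . . . . : 192.168.1.1

Wireless LAN adapter Wireless Network Connection:

   Connection-specific DNS Suffix  . :
   Autoconfiguration IPv4 Address. . : 169.254.0.1
   Subnet Mask . . . . . . . . . . . : 255.255.0.0
   Default Gateway . . . . . . . . . :
"""

APIPA = ipaddress.ip_network("169.254.0.0/16")
ADAPTER_RE = re.compile(r"^(\S.*adapter .+):\s*$")
ADDRESS_RE = re.compile(r"^\s+(?:Autoconfiguration )?IPv4 Address[ .]*:\s*([\d.]+)")
MASK_RE = re.compile(r"^\s+Subnet Mask[ .]*:\s*([\d.]+)")


def parse_adapters(text):
    """Return one {'name', 'interface'} dict per adapter section."""
    adapters, current, address = [], None, None
    for line in text.splitlines():
        if m := ADAPTER_RE.match(line):
            current = {"name": m.group(1), "interface": None}
            adapters.append(current)
            address = None
        elif current is None:
            continue
        elif m := ADDRESS_RE.match(line):
            address = m.group(1)
        elif (m := MASK_RE.match(line)) and address:
            # Address plus mask gives an interface object that knows its subnet.
            current["interface"] = ipaddress.ip_interface(f"{address}/{m.group(1)}")
    return adapters


def triage(interface):
    """Classify an adapter the way the APIPA section describes."""
    if interface is None:
        return "no IPv4 address"
    if interface.ip in APIPA:
        return "APIPA: no DHCP answer, check the DHCP server, cabling and NIC setup"
    return "assigned"


def same_subnet(a, b):
    """True when two interfaces can talk to each other without a router."""
    return a.network == b.network


def report(text):
    """(adapter name, address, verdict) for every adapter in the output."""
    return [(a["name"], str(a["interface"].ip) if a["interface"] else None,
             triage(a["interface"])) for a in parse_adapters(text)]


if __name__ == "__main__":
    for row in report(SAMPLE_IPCONFIG):
        print(row)
```
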

Static

Static, or manual, addressing is the process of manually assigning an IP address to a machine based on a design created by an individual engineer or administrator. If network engineers could have their way, chances are that all IP addresses would be static. Unfortunately, in the modern day, that simply isn’t practical because of the sheer number of addresses that have to be assigned.

Dynamic

Dynamic addressing is a technique that takes advantage of the Dynamic Host Configuration Protocol (DHCP) role that can be added to SBS Server 2008. DHCP automatically assigns addresses to requesting client machines through a predetermined pool within your DHCP server defined by the administrator. At the enterprise level, this is normally the most heavily used and implemented standard because of the ease, flexibility, and relatively equal efficiency of its addressing methods. Later in this chapter, in the section “Dynamic Host Configuration Protocol,” I will discuss how to set up DHCP pools.

Choosing an Address Range

When designing a network, the first step is to establish precisely how big the network will be. This can vary wildly based on budget, number of users, addressing conventions (IPv4 or IPv6), and expectations of growth. With SBS 2008, chances are that the network will not grow beyond 75 users, so that makes the process much easier.

IPv4 Address Ranges

IPv4 uses a set of four octets to create an individual, but not necessarily unique, logical address that can be used for the purposes of routing packets across networks. This configuration is then further defined by a subnet mask, which partitions the address into different subnets for the purpose of sending and receiving broadcast traffic. At the top level, IP addresses are divided into five different classes that use a certain amount of bits in the subnet mask for the network portion of the network, and a certain amount of bits for the various hosts. It’s rare to discover a network administrator who uses all five classes of IPv4 addresses, however. For the most part, you’ll be concerned with three class levels of IP addresses: Class A, Class B, and Class C, as described in Table 2.1. Each of these addressing classes has its own strengths and weaknesses, in that they can assign only a certain number of IP addresses based on the number of available host bits in the subnet mask. For the purpose of SBS 2008, I won’t be diving too deeply into network design, but it’s important to understand the number of addresses that a network class can support. However, because of the limited number of users supported by SBS 2008, this chapter will be covering only Class C addresses.

Table 2.1: Available IPv4 Addresses

Address Classes   Number of Network Bits   Number of Available Host Bits   Maximum Number of Hosts
Class A           8                        24                              16,777,215
Class B           16                       16                              65,534
Class C           24                       8                               254

Each of these classes of networks is assigned certain ranges that will be predefined for your network design. Your address class will fall into one of the ranges shown in Table 2.2. That is, unless it falls into a list of “reserved addresses” that are reserved for special purposes, such as the localhost address, which is responsible for identifying the computer as itself. Telling a computer to go to localhost basically means “go to yourself.” Table 2.3 summarizes these reserved addresses.

Table 2.2: IPv4 Class Ranges

Address Class   Network Range
A               1.0.0.0 to 126.255.255.255
B               128.0.0.0 to 191.255.255.255
C               192.0.0.0 to 223.255.255.255

IPv6 Address Ranges

Unlike its younger brother, IPv4, IPv6 no longer uses address classes. Instead, it uses prefixes that are subdivided by geographic locations around the world. Within those regions, the addresses are then subdivided more and more until they get down to the individual level. In effect, this removes the need for the old fallout of the IPv4 addressing system, Network Address Translation (NAT). By design, IPv6 allows for every individual computer to theoretically have both a unique MAC address and a unique logical IP address, simply because so many addresses are available. Unlike IPv4, IPv6 uses eight quartets, making for a total of 128 bits worth of available addressing space.

Table 2.3: IPv4 Reserved Addresses

Address Class              Network Range
Localhost                  127.0.0.1
Reserved private address   10.0.0.0 to 255.255.0.0
Public data networks       14.0.0.0 to 255.255.0.0
Private network            172.16.0.0 to 255.128.0.0
Private network            192.168.0.0 to 255.255.0.0
IPv6 to IPv4 relay         192.168.0.0 to 255.255.0.0
Broadcast                  255.255.255.255
Link-local (APIPA)         169.254.0.0 to 255.255.0.0

Anatomy of IPv6

Believe it or not, IPv6 addresses are beautiful because of their absolute simplicity. When dealing with an IPv4 address, there can be a lot of confusion. What part of the address belongs to the Internet service provider? Where is the subnet portion of the address? Better yet, where is the host? In IPv6, these are no longer concerns.

All IPv6 addresses can be broken down into two distinct portions, which can further be subdivided to a point that just about every portion of the address is accounted for. On the base level, IPv6 addresses are broken into two 64-bit portions, the network portion and the host portion, or the interface ID. Visually, the address looks like this:

[ Network Portion | Host Portion ]

It’s easy to explain the second portion of the address. It’s just the host portion of the network. In more technical terms, the 65th to the 128th bit of the address is completely dedicated to assigning the address to your hosts. That’s a lot of hosts! It’s more, in fact, than even some of the largest enterprises on the planet would ever use. However, when the IEEE engineers designed IPv6, they didn’t want to run into a situation where anyone would ever have to worry about having “enough” host addresses again. I think it’s safe to say they’ve succeeded. In fact, 2^64 is such a large number that if you were to take that many pennies and stack them up one after another, you’d be able to reach Mars more than 300,000 times. Or, if you’d like to think of it more in Microsoft terms, you’d be able to have 230,584,300 times the amount of money of Bill Gates (when he was worth $80 billion).

The first portion of an IPv6 address, called the address prefix, is a little bit more complicated, but not too much so. To begin, one of the real issues that IPv6 was meant to fix was to give service providers their own reserved section of the IP address that would identify whatever service provider was issuing the address. Accordingly, the IEEE engineers assigned the first 48 bits of the prefix portion of the address to the service provider. Then, with the remaining 16 bits, they allocated a portion to be used for subnet addressing. You can see another visual interpretation of this here:

[ 48-bit ISP Portion | 16-bit Subnet Portion | 64-bit Host Portion ]

The main reason that only 16 bits have been assigned to the subnet portion is actually pretty reasonable. After all, how often do you run across an organization that will need more than 65,536 subnets? The answer is not very often. And thus, only a small portion of the overall 128 bits is assigned. In just a moment, I’ll go over how subnetting this portion of the address is slightly different than it was with IPv4. But for the moment, let’s take a step back and talk about those first 48 bits before the 16 bits of the subnet portion.

Three organizations take a bite out of the first 48 bits of an IPv6 address:

◆ Internet Corporation for Assigned Names and Numbers (ICANN)

◆ Regional Internet Registry (RIR)

◆ Your Internet service provider (ISP)

Thankfully, the exact scope of the importance of these organizations is outside the objectives of this book. Suffice to say, the Internet address prefix goes through three filters — from ICANN to RIR to ISP — that more and more uniquely define the coverage area of these addresses.
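The 48/16/64-bit layout described above can be checked with a few lines of bit arithmetic. This is an added example, not code from the book: it splits an address into the provider-assigned prefix, the subnet ID, and the interface ID, and builds /64 subnets from a /48. The function names are assumptions, and the addresses come from the 2001:db8::/32 documentation range.

```python
import ipaddress

PREFIX_BITS = 48    # portion assigned by the service provider
SUBNET_BITS = 16    # subnet portion
HOST_BITS = 64      # host portion (interface ID)


def split_ipv6(text):
    """Break an IPv6 address into the three portions shown in the diagram."""
    value = int(ipaddress.IPv6Address(text))
    interface_id = value & ((1 << HOST_BITS) - 1)
    subnet_id = (value >> HOST_BITS) & ((1 << SUBNET_BITS) - 1)
    # Clear everything below the 48-bit prefix, then below the 64-bit network.
    site = value >> (HOST_BITS + SUBNET_BITS) << (HOST_BITS + SUBNET_BITS)
    network = value >> HOST_BITS << HOST_BITS
    return {
        "site_prefix": ipaddress.IPv6Network((site, PREFIX_BITS)),
        "subnet_id": subnet_id,
        "subnet": ipaddress.IPv6Network((network, PREFIX_BITS + SUBNET_BITS)),
        "interface_id": f"{interface_id:016x}",
    }


def subnet_for(site_prefix, subnet_id):
    """Return the /64 that a given 16-bit subnet ID selects inside a /48."""
    site = ipaddress.IPv6Network(site_prefix)
    if site.prefixlen != PREFIX_BITS:
        raise ValueError("expected a /48 prefix")
    if not 0 <= subnet_id < 1 << SUBNET_BITS:
        raise ValueError("subnet ID must fit in 16 bits")
    base = int(site.network_address) | (subnet_id << HOST_BITS)
    return ipaddress.IPv6Network((base, PREFIX_BITS + SUBNET_BITS))


def plan(site_prefix, segments):
    """Give each named network segment its own /64, numbered from 1."""
    return {name: subnet_for(site_prefix, n)
            for n, name in enumerate(segments, start=1)}


if __name__ == "__main__":
    # Constructed sample address from the documentation range.
    for key, value in split_ipv6("2001:db8:abcd:12:211:22ff:fe33:4455").items():
        print(f"{key:13} {value}")
    print("subnets per /48:", 1 << SUBNET_BITS)
    print(plan("2001:db8:abcd::/48", ["servers", "clients", "wireless"]))
```
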

IPv6 Address Types

Another big change that comes with IPv6 is the complete and total removal of the concept of a broadcast address. And if you ask most busy administrators, that’s a good thing. Instead, IPv6 has replaced the need for broadcast addresses with the concept of multicast addressing. The word multicast is getting a little ahead of myself, but I’ll start by defining the three different types of addresses that are available in IPv6:

Unicast: A unicast address is assigned to a particular host so that host, and only that one particular host, can send and receive data. It’s equivalent to saying “you and only you are identified as this.”

Multicast: A multicast address is effectively a grouping of addresses for sending and receiving information to that group. So, if you wanted to send a broadcast of information, you could send it to a particular multicast group.

Anycast: The name is a bit confusing, but an anycast address is similar to a multicast address in that the anycast address isn’t sent to a particular group of addresses, but only the address “nearest” to it. So, instead of sending it to every member of the group, it sends it to a particularly near member of that group.

Dynamic Host Configuration Protocol

Earlier, in the “Addressing Techniques” section, one of the methods of addressing a given network was listed as dynamic. In computer science, the word dynamic has a very specific definition that applies through all computing, including small network design. When I say a piece of data is dynamic, this inherently means that it isn’t defined to a set allocation of data. In other words, the given variable of data can switch values all the time.

In the case of SBS networking, this is of concern when you use a technique called Dynamic Host Configuration Protocol (DHCP). DHCP is a method of automatically addressing networks on the fly through a set of predefined definitions on either a server or a router. This saves time for the administrator, because instead of having to manually assign addresses one at a time, the administrator can instead just implement DHCP. But of course, this requires a little prerequisite knowledge. Namely, you need to understand the DHCP process and how it’s implemented within SBS 2008.

DHCP Process

A handy method for remembering how the DHCP process works is to remember the acronym DORA. This stands for “discover, offer, request, and acknowledge” and happens to be the method used by DHCP to create a new IP address. Let’s go over those steps now:

1. Discover. During this process, a user connects a device capable of receiving an IP address, and the device sends out a broadcast called DHCPDISCOVER. This broadcast is sent to any local computers and is recognized by the DHCP server.

2. Offer. After the DHCP server receives the DHCPDISCOVER packet, it responds with an offer of an IP address, called a DHCPOFFER.

3. Request. The client device then requests the IP address it desires (usually the offered IP address) with a DHCPREQUEST.

4. Acknowledge. The client acknowledges the receipt of an IP address with a DHCPACK (acknowledge) or DHCPNAK (not acknowledged), which starts the process over again.

The process is fairly simple to understand and makes a lot of sense when you think about it. Of course, when you look into anything with computers, it can get a lot more complicated. But thankfully, for the purposes of a small business, it’s not really necessary to understand every aspect of DHCP servers; however, I will review some key elements of them in the following section.

DHCP Elements

Although you don’t need to understand every single part of DHCP, you do want to be familiar with three very important points to be an effective SBS 2008 administrator: scopes, pools, and leases.


Scopes

A DHCP scope is a range of IP addresses available for assignment. Although it’s not really required to be an effective SBS administrator, you should know that Windows SBS 2008 usually assigns the scope of a Class C address range, such as 192.168.1.1 to 192.168.1.254. But what you should take to the bank and keep in your memory is that a DHCP scope is a range of contiguous IP addresses available to a DHCP server. However, it doesn’t necessarily mean they are available to be addressed. You can think of it like a landlord in an apartment community. She may own only a block of the houses, but she lives within the scope of the entire complex.

Pools

A pool, on the other hand, is a true list of available addresses. For instance, your scope may be 192.168.1.3 to 192.168.1.254, but you may have only three IP addresses available:

◆ 192.168.1.5

◆ 192.168.1.203

◆ 192.168.1.205

Accordingly, whenever a client asks for an address, the DHCP server will consult its pool and issue addresses only from its remaining resources — in this case, either .5, .203, or .205. Eventually, when a DHCP server runs out of addresses in its DHCP pool, it will display a message saying it is out of DHCP addresses and then refuse to give any more addresses to connecting clients.

Leases

A DHCP lease is pretty easy to explain because it’s just the length of time a device is given an IP address. Once a machine is issued an IP address from the DHCP pool, that address is removed from the pool and then “leased” to a network device for a period of time set in the server. DHCP clients will automatically attempt to renew leases before they expire.
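To see how the DORA exchange, the scope, the pool, and leases fit together, here is a small model of a DHCP server's bookkeeping. It is an added example, not code from the book or from Windows: it uses the scope and the three free addresses from the Pools section, while the class name, the client MAC strings, the one-hour lease, and the timestamps are assumptions chosen for the demonstration.

```python
import ipaddress


class DhcpServer:
    """Toy model: the scope is the configured range, the pool is what is free now."""

    def __init__(self, first, last, lease_seconds):
        lo, hi = int(ipaddress.IPv4Address(first)), int(ipaddress.IPv4Address(last))
        self.scope = [ipaddress.IPv4Address(n) for n in range(lo, hi + 1)]
        self.lease_seconds = lease_seconds
        self.leases = {}    # address -> (client MAC, expiry time)
        self.offers = {}    # client MAC -> address offered but not yet requested

    def pool(self, now):
        """Drop expired leases, then list the scope addresses nobody holds."""
        self.leases = {a: l for a, l in self.leases.items() if l[1] > now}
        return [a for a in self.scope if a not in self.leases]

    def discover(self, mac, now):
        """Handle a DHCPDISCOVER: return the offered address, or None if exhausted."""
        free = self.pool(now)
        held = [a for a, (holder, _) in self.leases.items() if holder == mac]
        if held:
            offer = held[0]                     # returning client keeps its address
        else:
            pending = set(self.offers.values())
            free = [a for a in free if a not in pending]
            if not free:
                return None                     # pool exhausted, nothing to offer
            offer = free[0]
        self.offers[mac] = offer
        return offer

    def request(self, mac, address, now):
        """Server's answer to a DHCPREQUEST: ("DHCPACK", expiry) or ("DHCPNAK", None)."""
        address = ipaddress.IPv4Address(address)
        self.pool(now)
        holder = self.leases.get(address)
        offered = self.offers.pop(mac, None)
        renewing = holder is not None and holder[0] == mac
        if renewing or (holder is None and offered == address):
            expiry = now + self.lease_seconds
            self.leases[address] = (mac, expiry)
            return ("DHCPACK", expiry)
        return ("DHCPNAK", None)


def demo():
    """Scope 192.168.1.3-254 with only .5, .203 and .205 free (constructed state)."""
    server = DhcpServer("192.168.1.3", "192.168.1.254", lease_seconds=3600)
    free = {ipaddress.IPv4Address(a)
            for a in ("192.168.1.5", "192.168.1.203", "192.168.1.205")}
    for address in server.scope:
        if address not in free:
            server.leases[address] = (f"existing-{address}", 10_000)
    results = []
    for mac in ("aa:01", "aa:02", "aa:03", "aa:04"):    # constructed client IDs
        offer = server.discover(mac, now=0)
        verdict = server.request(mac, offer, now=0)[0] if offer else "pool exhausted"
        results.append((mac, str(offer) if offer else None, verdict))
    return server, results


if __name__ == "__main__":
    for row in demo()[1]:
        print(row)
```
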

DHCP Server Conflicts

One somewhat humorous situation we deal with at the small-to-medium business level is that sometimes there are just too many darn DHCP servers! In case you weren’t aware of it, most SOHO routers like to be their own DHCP server, and in a Windows network, that really isn’t such a good idea. In fact, Windows SBS 2008 almost demands to be the DHCP server. If it’s not, strange issues can arise, such as whether a computer has access to log on to the server or whether the SBS realizes that a computer even exists.
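A second DHCP server shows up on the wire as DHCPOFFER messages whose server identifier is not your SBS server. The following added example, which is not code from the book, decodes the DHCP message format defined in RFC 2131 and lists offers from any server outside an allowlist. The capture is constructed in the script itself, and the addresses (192.168.1.2 for the SBS server, 192.168.1.1 for the router) and function names are assumptions.

```python
import ipaddress
import struct

# Fixed 236-byte BOOTP header (RFC 2131), followed by a 4-byte magic cookie.
HEADER = struct.Struct("!BBBBIHH4s4s4s4s16s64s128s")
MAGIC = bytes.fromhex("63825363")
MESSAGE_TYPES = {1: "DHCPDISCOVER", 2: "DHCPOFFER", 3: "DHCPREQUEST",
                 5: "DHCPACK", 6: "DHCPNAK"}


def parse_dhcp(packet):
    """Decode the fields needed to tell which server sent a DHCP message."""
    if len(packet) < HEADER.size + 4 or packet[HEADER.size:HEADER.size + 4] != MAGIC:
        raise ValueError("not a DHCP message")
    fields = HEADER.unpack_from(packet)
    hlen, xid, yiaddr, chaddr = fields[2], fields[4], fields[8], fields[11]
    options, i = {}, HEADER.size + 4
    while i < len(packet) and packet[i] != 255:     # 255 = end option
        if packet[i] == 0:                           # 0 = pad, has no length byte
            i += 1
            continue
        if i + 1 >= len(packet):
            raise ValueError("truncated option")
        length = packet[i + 1]
        data = packet[i + 2:i + 2 + length]
        if len(data) != length:
            raise ValueError("truncated option")
        options[packet[i]] = data
        i += 2 + length
    kind = options.get(53, b"")                      # option 53 = message type
    server = options.get(54, b"")                    # option 54 = server identifier
    return {
        "type": MESSAGE_TYPES.get(kind[0]) if len(kind) == 1 else None,
        "xid": xid,
        "client_mac": chaddr[:min(hlen, 16)].hex(":"),
        "offered": str(ipaddress.IPv4Address(yiaddr)),
        "server_id": str(ipaddress.IPv4Address(server)) if len(server) == 4 else None,
    }


def build_reply(xid, mac, yiaddr, server_id, msg_type=2):
    """Build a minimal server reply; used only to construct the sample capture."""
    header = HEADER.pack(2, 1, 6, 0, xid, 0, 0, bytes(4),
                         ipaddress.IPv4Address(yiaddr).packed, bytes(4), bytes(4),
                         bytes.fromhex(mac.replace(":", "")), bytes(64), bytes(128))
    options = (bytes([53, 1, msg_type]) + bytes([54, 4])
               + ipaddress.IPv4Address(server_id).packed + b"\xff")
    return header + MAGIC + options


def find_conflicting_servers(packets, authorized):
    """Map each unauthorized server ID to the addresses it offered."""
    conflicts = {}
    for packet in packets:
        try:
            message = parse_dhcp(packet)
        except ValueError:
            continue                                 # skip non-DHCP payloads
        # An offer with no server identifier is reported under the key None.
        if message["type"] == "DHCPOFFER" and message["server_id"] not in authorized:
            conflicts.setdefault(message["server_id"], []).append(message["offered"])
    return conflicts


# Constructed capture: one client gets offers from the SBS server and the router.
CAPTURE = [
    build_reply(0x1001, "00:11:22:33:44:55", "192.168.1.50", "192.168.1.2"),
    build_reply(0x1001, "00:11:22:33:44:55", "192.168.1.100", "192.168.1.1"),
    build_reply(0x1002, "00:11:22:33:44:66", "192.168.1.51", "192.168.1.2", msg_type=5),
    b"\x00" * 20,
]

if __name__ == "__main__":
    print(find_conflicting_servers(CAPTURE, authorized={"192.168.1.2"}))
```

An empty result means every offer in the capture came from the authorized server; a non-empty one names the device whose DHCP service should be switched off.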

Simplifying the User Experience

A near guarantee for business owners and administrators of SBS 2008 is that you are probably going to run into what we in the industry refer to as DOs, or dumb operators. Although the name is more mean than it is funny, DOs can be very frustrating and quite true. When it comes to technology, users want the experience to be as painless as possible. For us IT people, we can usually think of it like you treat your car. At the end of the day, you just want your car to get you to work and operate the way you want. Anything else is just a serious pain.


Accordingly, when you’re designing your network and implementing your DHCP server, try to keep in mind that the simplest solution for the user is usually the best solution, even if it isn’t the most elegant. This applies to IP addressing conventions, wireless decisions, and security policies. For instance, on network policies, your goal should be the following:

◆ Get the user online.

◆ Make it easy for a user to understand how to navigate to resources.

When I work for small businesses, they usually don’t want to go through the effort of making DNS entries for all their network devices, such as a printer, a server, or an individual computer. So, I make the addresses easy to remember. For instance, if you’re using a 10.0.1.X convention in your addressing scheme, make 10.0.1.100 your server. This way, it’s easy to remember. While you’re at it, you can make 10.0.1.200 your main printer. Even the least technical user can remember that.

This is a lot less technical than it is practical, but sometimes that’s harder for business owners or IT personnel to understand. The “best” solution often isn’t the easiest solution for the user. And although it might be best to have all addresses be static, all permissions be explicit, and so forth, more often than not it’s a good idea in a small business to just make the most simple solution the right solution. Just something you can take to heart.

Expanding an SBS 2008 Network

Believe it or not, the moment you install SBS 2008, you have begun to grow your SBS 2008 network. And that’s because, if you reference Figure 2.1, SBS 2008 serves as the pinnacle point of focus for all your network resources, such as printers, computer, and user accounts. But at the end of the day, what really makes an SBS 2008 network grow is the addition of the most important element of any network — computers!

To add a computer to your server in SBS, you first need to click the Network tab in the Windows SBS Console and then click the button on the right that says Connect Computers To Your Network, as shown in Figure 2.2.

Once you do this, the SBS 2008 Console Wizard will open with a screen telling you that you have to add users to your account before you add computers for the respective users. That seems a little backward, doesn’t it? Well, yes, it is backward in a way. But in another way it makes complete sense. Consider for a moment that in order to use a computer, there has to be a user who does so, right? With SBS 2008, Windows likes for you to first make a user account and then have this account be assigned a computer. The concept is that an individual user needs to be bound to a machine. This alleviates a lot of the burden of users roaming about the network and logging on from one machine to another. So, before I talk about how to add a computer, I’ll talk a little bit about how to add a user account.

Adding a New User Account

Later, in Chapter 6 on Active Directory users and security groups, I’ll dive a lot more deeply into user accounts and their respective properties. But for the moment, I’m going to show you how to add a simple user account so you can add a computer. First, you’ll need to click the Users And Groups tab in the Windows SBS Console. Then, you need to hit the Add A New User Account button in the box on the right of the console.


Figure 2.2: Network tab

Once you click that button, SBS will open the Add A New User Account screen. For the most part, this screen is fairly simple. You can add users’ first and last names and assign them specific email addresses. In Figure 2.3 I’ve filled out that screen, as well as added a special comment to describe the user. This description of the user can be referenced when digging through Active Directory and trying to figure out account-specific data, such as why the account was created in the first place or whether there is anything noteworthy about the user.

Figure 2.3: Adding a new user with comments


Most notably during the new user account creation, you will be able to choose a role for your new user. By default, you can create a standard user or even a network administrator. And since you need to create a network administrator for this account anyway, you can go ahead and do so by selecting the User Role drop-down list in Figure 2.3 and selecting Network Administrator. The network administrator has the ability to log on to any computer on the network, as well as the ability to make changes to the server or to Active Directory. You should be very careful about whom you give this privilege, because it is capable of doing a lot of damage if its powers fall into the wrong hands.

Next you can enter a password, as shown in Figure 2.4. With SBS 2008, passwords must contain eight characters by default and include at least three uppercase or lowercase letters, numbers, or symbols. Additionally, the password cannot contain part of the user’s name.

Figure 2.4: Assigning a password

Again, in Chapter 5 I will go over the process of changing user password policies and even the process of how to use fine-grained password policies so that certain users can be assigned different password strength requirements than others.

Once you click the Add User Account button, the account will be created, and a summary progress screen will pass by. Finally, you will see the screen in Figure 2.5, informing you that you have successfully created a user account.

Adding Computer Accounts

So, you’ve made a user account, and now you need to add a computer to it. In the old days (or at least the “older” days), what we used to do is create an individual computer account and then assign a user account to that computer. Now, it’s a little bit different. With SBS 2008, a computer joins SBS 2008 with a user in one of two ways: web activation or portable content.


Figure 2.5: User account created screen

Web Activation

When a computer is added to the same subnet as an SBS 2008 computer (such as a computer behind a router with an SBS 2008 computer), those computers can access the web server through the following URL: http://connect.

This command opens the screen you see in Figure 2.6. Note that if you do not have the .NET Framework installed, you will see the image in Figure 2.7 in your web browser. If this happens, just download the .NET Framework from Microsoft.

Figure 2.6: Starting the Connect Computer program

You can proceed from Figure 2.6 by clicking the Start Connect Computer Program button. This will open a security warning, where you will need to click the Run button. Unfortunately, this will open a second security warning. If you do not have the .NET Framework 2.0 installed, you’ll see a warning (Figure 2.7) informing you that your computer doesn’t meet the system requirements. You will need to click Run again.

You will then see a dialog box asking you to wait as two folders are transferred from one folder to another. Eventually, you will see the Connect Computer screen shown in Figure 2.8.


Figure 2.7: .NET error

Figure 2.8: Connect Computer screen

The two options allow you to set up a computer either as a user or as an administrator. If you select the top choice, Set Up This Computer For Myself, you will be able to set up the computer for your own user account, assuming a computer has been assigned to you through group policy or through permission allowances. The second option, Set Up This Computer For Other Users, allows an administrator to set up a computer for a user. Since this is a mastering-level book, I will assume you are an administrator, so select the second option.

At this point, the utility will run a configuration tool. Usually, you will see the verification screen shown in Figure 2.9. If you don’t see this, there will be an error screen that informs you of any problems that may exist in the network. Regardless, you will have to click Next.


Figure 2.9: Connect Computer requirements screen

On the next screen, the Connect Computer program will ask for the network administrator account and password, and you’ll need to enter them. On the next screen, you’ll have to name your computer. In my case, as you can see in Figure 2.10, I’ve named the computer Desktop_1. You can then click Next.

Figure 2.10: Connect Computer name screen

Next, you’ll be able to assign users in the Assign Users To This Computer section. Click the users you’d like to add on the left, and then click the Add button. It should look like what you see in Figure 2.11. You can then click Next.

Figure 2.11: Assigning users to computers

The next screen you’ll see is the optional existing data screen shown in Figure 2.12. The purpose of this screen is to allow administrators an easy way to transition previously existing computers with user data and accounts onto a server. This screen allows you to match the SBS user account with a local user account and copy all the data to the new SBS user settings. It’s really handy if you have a computer with a lot of preexisting user data and preferences. However, you can just click Next to skip it and leave None selected if you’d like.

On the Assign Level Of Computer Access For Users Of Windows SBS screen, you can assign permission levels for users on the local account. In my experience, it’s handy to keep them as local administrators (so they can install programs and add features). I’ve done this in Figure 2.13. You can click Next after you’ve made the decision.

Last, you’ll need to confirm your settings on the Confirm User Data And Settings Selection screen you see in Figure 2.14. Then, you’ll click Next, and the computer will be assigned.

On the next screen, click Restart. This will then open the progress bar screen, which will go through several steps as the machine is attached. If there is an error, the check marks will turn a very distinct red.

Once this is completed, you’ll see a simple “complete” notification. The computer is now connected to the domain controller.

Portable Content

Alternatively, SBS 2008 can create a deployment package that can be dispersed by a USB drive, CD, or mapped network drive (if the network has been predefined). Using this method, users take the deployment package for the server and bring it to the individual computer to be added.

Figure 2.12: Moving existing user data

Figure 2.13: Assigning access levels

Figure 2.14: Summary screen

In Figure 2.15, you can see how SBS 2008 tells you how to use either of these methods. Should you decide to click Access The Program Through A Web Browser (Recommended), SBS 2008 will open the instructions to do so, as shown in Figure 2.16.

Figure 2.15: Computer account activation methods

Figure 2.16: Web browser activation method

Alternatively, you can choose the portable content method, which will ask for a location somewhere on the server. Keep in mind that the portable content method uses the Windows standard architectural method to choose a location. This means that, in effect, the deployment package is just an executable file that can be placed anywhere a server would like. You can decide where you want by clicking the Browse button in Figure 2.17.

Figure 2.17: Location-based deployment Browse button

The obvious advantage of the web deployment method is that it is very easy, quick, and efficient to implement. However, the portable deployment method has its own advantage in that you can deploy this software to a computer that hasn’t yet been connected to the Internet. Granted, you’d want a computer to be connected to the subnet and theoretically attached to the Internet so you can actually, well, connect to the server. But sometimes network issues or other security concerns make you want to use some type of portable media. It’s ultimately up to your personal preferences or that of your business.

Manually Joining the SBS Network

More often than not, I sometimes like to join a Windows XP, Vista, or 7 computer to a domain controller or SBS the old-fashioned way. This is done by right-clicking Computer or My Computer (depending on your version of Windows), going to Properties, and then navigating to the computer name. On Windows Vista/7, you will have to first click the Advanced System Settings button, but this is automatically done for you with Windows XP.

Regardless of which version of Windows you use, once you click the Change button on the Computer Name tab, you’ll see a configuration similar to what you see in Figure 2.18. Type the name of your domain, and click OK. Afterward, it will ask you for a name and password. Since SBS 2008 we’ve moved past this method a bit, but it still works, even if it’s the way that old-timers do it. And it’s always nice to know the old tricks.

Figure 2.18: Computer name/domain changes

DNS Logins and Associated Problems

To properly use SBS 2008 as a domain controller, you need to make sure that your computers have the domain controller set as their primary DNS. If this is not set, it can cause strange connectivity issues that can cause connections of up to one hour on logons (as hard as that may be to believe). If you ever see strange logon issues after first joining a computer to the domain controller, make sure and look for that before anything else.

Using the Command Line with Network Administration

Arguably the handiest tool in the network administrator or server administrator’s pocket is the Windows command line. Originating in the early editions of the Microsoft Disk Operating System (DOS), the command line can be a quick and powerful way to administer your network. Specifically, for SBS 2008, you need to be familiar with four command-line tools:

◆ IPconfig

◆ Ping

◆ Pathping

◆ nslookup

In this section of the chapter, I’ll review each of these tools one at a time.

IPconfig

IPconfig (short for Internet Protocol configuration) is a command-line tool that outputs the current Transmission Control Protocol/Internet Protocol (TCP/IP) information for your network interface. Using IPconfig, an administrator can easily see whether a client has obtained an IP address, whether they have a default gateway, and more advanced information, such as what server they’re using for their DNS.

Table 2.4, which is available in a longer format at technet.microsoft.com, lists some of the more common switches associated with IPconfig.

Table 2.4: Common IPconfig Switches

Switch       Result
/all         Shows all available TCP/IP information
/renew       Renews a DHCP address
/release     Releases a DHCP address
/flushdns    Clears DNS information
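
The primary-DNS requirement from the "DNS Logins and Associated Problems" note, and the DNS server list that IPconfig reports, can be checked together from saved ipconfig /all output. The Python script below is an added example, not code from the book; the sample output, host name, addresses, and function names are constructed, and 192.168.16.2 is assumed to be the SBS server's IPv4 address.

```python
import ipaddress
import re

# Constructed sample of `ipconfig /all` output from a Windows Vista/7 client.
# Host name, domain suffix and addresses are made up for this example.
SAMPLE_IPCONFIG = """\
Windows IP Configuration

   Host Name . . . . . . . . . . . . : DESKTOP-1
   Primary Dns Suffix  . . . . . . . : example.local

Ethernet adapter Local Area Connection:

   Connection-specific DNS Suffix  . : example.local
   DHCP Enabled. . . . . . . . . . . : Yes
   IPv4 Address. . . . . . . . . . . : 192.168.16.21(Preferred)
   Default Gateway . . . . . . . . . : 192.168.16.1
   DNS Servers . . . . . . . . . . . : 192.168.16.2
                                       192.168.16.1

Wireless LAN adapter Wireless Network Connection:

   DHCP Enabled. . . . . . . . . . . : Yes
   IPv4 Address. . . . . . . . . . . : 192.168.16.34(Preferred)
   DNS Servers . . . . . . . . . . . : 192.168.16.1
                                       192.168.16.2

Ethernet adapter Local Area Connection 2:

   DHCP Enabled. . . . . . . . . . . : No
   IPv4 Address. . . . . . . . . . . : 10.0.0.5(Preferred)
   DNS Servers . . . . . . . . . . . : 203.0.113.53

Tunnel adapter isatap.example.local:

   Media State . . . . . . . . . . . : Media disconnected
"""

# "   Label . . . . : value" -> ("Label", "value"); the dot leader is dropped.
KEY_VALUE = re.compile(r"^\s{1,8}(\S.*?)[\s.]*\s:\s?(.*)$")


def parse_ipconfig(text):
    """Return {section name: {label: [values]}} for ipconfig /all output."""
    sections = {}
    fields = sections.setdefault("(no section)", {})
    values = None
    for line in text.splitlines():
        if not line.strip():
            continue
        if not line[0].isspace():
            # Unindented line: "Windows IP Configuration" or an adapter header.
            fields = sections.setdefault(line.rstrip(" :"), {})
            values = None
            continue
        match = KEY_VALUE.match(line)
        if match:
            values = fields.setdefault(match.group(1), [])
            if match.group(2).strip():
                values.append(match.group(2).strip())
        elif values is not None:
            # Deeply indented line with no label: another value for the
            # previous label (second DNS server, second gateway, ...).
            values.append(line.strip())
    return sections


def ipv4_servers(values):
    """Keep only the entries that parse as IPv4 addresses, in listed order."""
    servers = []
    for value in values:
        try:
            address = ipaddress.ip_address(value)
        except ValueError:
            continue
        if address.version == 4:
            servers.append(str(address))
    return servers


def check_primary_dns(text, dc_ip):
    """Classify each adapter by where the domain controller sits in its DNS list."""
    dc_ip = str(ipaddress.ip_address(dc_ip))
    findings = {}
    for section, fields in parse_ipconfig(text).items():
        servers = ipv4_servers(fields.get("DNS Servers", []))
        if not servers:
            continue  # disconnected adapter or no IPv4 DNS configured
        if servers[0] == dc_ip:
            status = "ok"
        elif dc_ip in servers:
            status = "not-primary"
        else:
            status = "missing"
        findings[section] = (status, servers)
    return findings


if __name__ == "__main__":
    # 192.168.16.2 stands in for the SBS 2008 server (assumed address).
    report = check_primary_dns(SAMPLE_IPCONFIG, "192.168.16.2")
    for adapter, (status, servers) in report.items():
        print(f"{status:12} {adapter}: {', '.join(servers)}")
```

An adapter reported as not-primary or missing is the first thing to correct when a newly joined client shows the slow logons described above.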

Ping

Ping is a command that uses the Internet Control Message Protocol (ICMP) to send a packet of information that can be received by another computer and then returned with certain information, such as the length of time it took to be received and returned. Because Ping is fairly self-explanatory and most of you are already administrators, I’ve just included a screenshot of Ping in Figure 2.19. You’ll find it a really useful tool for determining whether computers and devices are attached to an SBS device.

Pathping

Pathping is another command that uses ICMP to send out a packet of information that can be received by another computer. The difference is that Pathping provides you the router information associated with the ping that was sent. This is very useful for determining connectivity between two devices and figuring out how ICMP gets to its destination.

Figure 2.19: Ping

nslookup

Quite possibly my favorite tool, nslookup is a diagnostic command you can use to look up the IP address of a website (such as www.google.com). Using nslookup, you can simply type nslookup followed by the name you want to resolve, and it will tell you its numeric IP address. Figure 2.20 shows the output for nslookup. It can be a little more complicated in that there are authoritative and nonauthoritative responses, but in general at this level it’s a handy tool because it lets you know where something “really is” on the Internet. In essence, an authoritative response is a response given from an authorized DNS server recognized by either your ISP or your computer. A nonauthoritative response is from any server running DNS services for one reason or another.

Figure 2.20: nslookup

Diagnosing Network Problems

You can almost be guaranteed that, for the majority of your time as a system administrator of an SBS network, there are going to be some pretty commonly recurring problems, including connectivity, dropped connections, and server availability. Thus, I’ll cover some of the most common issues you’ll see as an SBS administrator and describe what you can do to troubleshoot them.

Connectivity Issues

In case you’re new to IT, get used to hearing the following words: “I can’t connect to the Internet!”

I think in my life I’ve probably heard those words 10,000 times. Perhaps more. But in any event, network connectivity issues usually boil down to three issues:

◆ The physical connection

◆ A network device issue

◆ The ISP

Physical Connections

Physical connectivity problems exist when a user is having trouble connecting to devices across the network because of problems directly involved with hardware. Some of the common causes of this are network cables being improperly plugged in, network cards that have slipped out of their slots, bad cables, faulty network connections such as a bad switch or router, or something affecting the path of the physical electricity being sent out of the two computers, conflicting along the way.

Most of the time, a physical problem can be diagnosed by tracing the connective lines of a user’s network connection and determining whether they’re up and running. Is the network cable plugged in? Are there any obvious errors? Some of the more common signs of a physical connection problem include, but aren’t limited to, the following:

◆ The network adapter warning that a cable is unplugged

◆ A device not showing up in the Hardware Manager (accessed in Windows XP by right-clicking My Computer, selecting Properties, and then clicking Hardware; in Windows Vista/7 it’s accessed by right-clicking Computer, selecting Properties, and then selecting Device Manager)

◆ The link lights on the back of computers not lighting up when a network cable is plugged in

In reality, these sorts of connection problems are pretty easy to diagnose. But they play a big factor in small businesses. This is because most small businesses aren’t perfectly wired, nor do they spend a lot of time and money to make sure that they use the best cable types or the recommended specification. That is because small businesses aren’t trying to stay small businesses. They’re trying to grow! So, as a small business owner or IT consultant/administrator, you’re going to run into this problem a lot.

Network Devices

In a way, this goes back to the lack of availability of extremely high-performance hardware, but a good share of the reason that SBS users experience periodic outages is because of less than professional hardware. Most, if not nearly all, small businesses operate on something like a Linksys or Netgear router. And although they’re perfectly good devices, they simply aren’t designed to handle constant traffic from up to 75 users.

When I first started in IT, I was working for a small company that went through a move. This was a really good thing, because we were moving up in the world and to a larger business. But the problem was that when the move occurred, we didn’t plan our IT infrastructure thoroughly, and no one was able to access the Internet, simply because we weren’t using high-end network hardware.

So, if a network problem exists throughout the entirety of your infrastructure, follow the most basic procedures first:

1. Check to see whether the ISP is working (reference the next section, “ISP Issues”).

2. Check whether all your network devices are operating.

3. Ensure proper connections.

4. Begin using command-line tools to observe the problem.

ISP Issues

Unlike medium to large-scale businesses, a lot of small businesses rely on technologies such as these:

◆ Asynchronous digital subscriber line (ADSL)

◆ Cable modems

◆ Satellite

◆ Fiber connections (Verizon FIOS)

Although these are strong connections, they are not backed up by the same guaranteed uptime connections as higher-end bandwidth devices, such as a T subscriber line or an optical carrier. Accordingly, you should always check with your Internet service provider when working in a small business to see whether there are any issues on their end.

Implementing Wireless Networking

It has been more than 10 years, and wireless is still a buzzword within IT. No matter what field or industry you’re in within IT, just about everybody wants to see a new computer detached from wires and operating at the amazing speeds to which we have become accustomed. And the truth is, we’re starting to get close. As of 2009, the 802.11n draft of wireless networking provides home router speeds of up to 600Mbps between the device and a router, which is blazingly fast by any standard. And apart from 802.11n, we have access to several other IEEE communication technologies. But before I get to all that, I need to lay down some ground rules for wireless networks so you can understand the limitations they have in terms of SBS 2008 and general Windows servers.

Limitations of Wireless

It goes without saying that wireless is and will always be inherently slower than a wire. And that’s mostly because it’s just easier to transmit over a physical wire than it is over radio waves. But other than the obvious, you need to understand the following:

Client computers cannot connect to a domain controller over wireless without extensive modification to Group Policy

Unfortunately, this is a real drag. No matter what, unless you have an intimate understanding of Group Policy, you cannot connect to a Windows domain controller. The reason for this is a little unclear, but it’s probably because wireless is inherently less secure than a wire. Furthermore, a domain controller also requires an incredibly clear signal to connect. Little to the user’s knowledge, behind the scenes, when a user joins a domain controller, there is a ton going on.

Wireless networks are designed to be supplemental network access

Don’t plan on a wireless network as your central point of Internet access. Not only is it inherently insecure, but it’s also just a plain bad idea. Wireless signals can become lost, latency can become a concern, and the administrative overhead of dealing with all of your users’ problems can become quite taxing.

SBS 2008 resources can be compromised over a wireless network if careful attention to security is not met

Unfortunately, this is quite true. As much as it may sound convenient to attach a wireless network, you have to keep in mind that attaching a wireless network inherently creates a security concern for your SBS 2008 server if you don’t pay careful attention to the security implementation.

You must have a wireless router

This sounds obvious, but just to be clear, SBS 2008 can’t do wireless routing by itself. You must have a supported wireless device from a manufacturer such as Linksys, D-Link, Cisco, or another vendor.

Wireless networks are subject to interference

Handsets, baby monitors, cordless phones, and other devices are the bane of wireless networks. Unlike other wireless technologies such as Bluetooth, Wi-Fi doesn’t have quite the flexibility to “hop” around frequencies. This means that you have to be prepared for wireless issues.

Wireless Speeds and Frequencies

The standards of wireless speeds are controlled through the IEEE by the 802.11 standard. As of now, this standard breaks down to parts a, b, g, and n. Each of the wireless standards then breaks down into different supported speeds and different associated frequencies, summarized in Table 2.5.

Table 2.5: Wireless Speeds and Frequencies

Wireless Specification   Frequency      Modulation   Transfer Rate    Range
802.11b                  2.4GHz         CCK, DSSS    Up to 11Mbps     Up to 100m
802.11g                  2.4GHz         OFDM         Up to 54Mbps     Up to 100m
802.11a                  5GHz           OFDM         Up to 54Mbps     Up to 100m
802.11n (draft)          2.4GHz/5GHz    MIMO         Up to 100Mbps    Up to 200m

To most SBS users, what’s important is the information in the first and fourth columns, the specification and the transfer rate. But in addition to that, I’ve also included the type of frequency modulation the technology uses, as well as the range of frequencies.

On top of frequencies, wireless networks are also subject to transmission channels. Since this book is for SBS administrators, not network administrators, I’ll keep the discussion of the subject brief. Wireless routers can broadcast upon 11 channels in the United States within the frequency spectrum they use, in the 2.4GHz range. And in order to maintain separation from other wireless networks, you need to be separated from those networks by at least six channels. With Windows clients, such as Windows XP, Windows Vista, and Windows 7, you can look around your local network and see the channel that nearby wireless networks from other homes and businesses are transmitting upon. You can then separate from these by selecting a transmission channel apart from theirs. Figure 2.21 should explain this further.

Figure 2.21: Transmission channels

[Diagram: signal level versus frequency in megahertz (2400 to 2477) for channels 1 to 13, with Channel 1, Channel 6, and Channel 11 highlighted. Labels: Channel Overlap; “Normal” Power and Antenna Placement; Overpower or Improper Antenna Placement; Usable in the United States; Usable in Most Other Countries.]

Wireless Security

In case you hadn’t picked up on it in the previous sections, nothing is more important in a wireless network than these three words: security, security, security! A wireless network without security is just asking for trouble. Certain features that you may set up with SBS 2008, such as an FTP server, mapped drives, or other neat tools I will discuss in later chapters, practically issue a written invitation for a malicious hacker to sign on to your network and steal your critical business data. Accordingly, you need to be familiar with the types of security available to you.

WEP

Wired Equivalent Privacy (WEP) is the “bottom rung” of security choices for a wireless network. Normally WEP wouldn’t even be considered, but I include it here because sometimes the unknowing administrator may choose to add WEP and think their network is secure. However, it is most certainly not! WEP uses a 64- or 128-bit hexadecimal shared key that I could crack in about a minute on a bad day. This said, WEP is better than nothing. So, if you have absolutely no other option, it’s still a semi-viable form of encryption but a very easily compromised one.

WPA-Personal and WPA2-Personal

The two big kids on the block with wireless security are WPA-Personal and WPA2-Personal. WPA uses the RC4 encryption algorithm to create an extremely strong encryption that is very difficult to hack. Additionally, it uses the Temporal Key Integrity Protocol (TKIP) to fix the inherent security problems with a standardized key, which WEP does not. The main difference between the two is that WPA uses a weaker encryption than WPA2; however, not all devices support WPA2 because it is much more taxing.
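
The ranking of WEP, WPA, and WPA2 above can be turned into a quick audit of the wireless networks a business operates. The Python script below is an added example, not code from the book: it parses saved output of netsh wlan show networks mode=bssid (a command available on Windows Vista and later, not mentioned in the text); the sample scan, SSID names, BSSIDs, and function names are constructed.

```python
import re

# Constructed sample of `netsh wlan show networks mode=bssid` output.
# SSIDs and BSSIDs are made up; "CoffeeShop" plays a neighbouring network.
SAMPLE_SCAN = """\
Interface name : Wireless Network Connection
There are 5 networks currently visible.

SSID 1 : Office
    Network type            : Infrastructure
    Authentication          : WPA2-Personal
    Encryption              : CCMP
    BSSID 1                 : 00:00:5e:00:53:01
         Signal             : 82%
         Radio type         : 802.11g
         Channel            : 6

SSID 2 : Warehouse
    Network type            : Infrastructure
    Authentication          : Open
    Encryption              : WEP
    BSSID 1                 : 00:00:5e:00:53:02
         Signal             : 55%
         Radio type         : 802.11b
         Channel            : 1

SSID 3 : Lobby
    Network type            : Infrastructure
    Authentication          : Open
    Encryption              : None

SSID 4 : Printers
    Network type            : Infrastructure
    Authentication          : WPA-Personal
    Encryption              : TKIP

SSID 5 : CoffeeShop
    Network type            : Infrastructure
    Authentication          : Open
    Encryption              : None
"""

# "label : value"; the value may be empty (hidden SSID) or contain colons (BSSID).
FIELD = re.compile(r"^\s*(.+?)\s*:(?:\s(.*))?$")


def parse_networks(text):
    """Return one dict per SSID with its Authentication and Encryption fields."""
    networks = []
    current = None
    for line in text.splitlines():
        match = FIELD.match(line)
        if not match:
            continue
        label = match.group(1)
        value = (match.group(2) or "").strip()
        if re.fullmatch(r"SSID \d+", label):
            current = {"SSID": value or "(hidden)"}
            networks.append(current)
        elif current is not None and label in ("Authentication", "Encryption"):
            current[label] = value
    return networks


def classify(network):
    """Map a network's settings onto the chapter's ranking of security types."""
    auth = network.get("Authentication", "")
    enc = network.get("Encryption", "")
    if enc == "None":
        return "open"      # unsecured: traffic is readable by anyone in range
    if enc == "WEP":
        return "wep"       # the "bottom rung": easily compromised
    if auth.startswith("WPA2") and enc == "CCMP":
        return "ok"
    return "review"        # WPA with TKIP, or a combination not recognised here


def audit(text, managed_ssids):
    """Return {ssid: verdict} for the SSIDs the business itself operates."""
    return {
        network["SSID"]: classify(network)
        for network in parse_networks(text)
        if network["SSID"] in managed_ssids
    }


if __name__ == "__main__":
    ours = {"Office", "Warehouse", "Lobby", "Printers"}  # assumed site SSIDs
    for ssid, verdict in audit(SAMPLE_SCAN, ours).items():
        print(f"{verdict:8} {ssid}")
```

Anything other than ok on a network attached to the SBS server is a candidate for reconfiguration to WPA2-Personal.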

Oh, How Easy It Is to Be Wicked

In case you aren’t convinced of how easy it is to compromise an unsecured network, the following is a real-life scenario that actually happened to me, along with another author (who shall remain nameless, and is not discussed in this scenario).

On two separate sides of the nation, both I and the fellow author were logging into our respective Facebook accounts from a local unsecured Starbucks wireless network. Little did we know, but for each of us there was a user logged onto the wireless network and “sniffing” passwords using a wireless packet sniffer. There, in plain text, were our harmless Facebook passwords for the user to compromise. The two of us, thinking nothing really harmful could come of that, moved on with our lives and didn’t think anything of it — that is, until one morning I was greeted by nine of my friends, asking me if I’d arrived safely from my accident in London.

It turned out that, since I’d transmitted a password on a wireless network, the hacker had gotten a hold of it, logged onto Facebook, pretended to be me, and then proceeded to tell friends of mine that I’d been in an accident in London and that I was deathly injured and without money and needed their assistance. Thankfully, for both my friend and me, nothing came of this. But it showed us just how easy it is. On any given unsecured wireless network, when passwords are transmitted, they are transmitted just as you see here:

[Illustration labels: User, Password, Hacker]

They transmit openly and can be received by any user. For a small business, this can be devastating and should be avoided. Any web, FTP, or unsecured password can be picked up instantaneously and then exploited.

The Bottom Line

Plan an SBS 2008 network installation

Planning an SBS 2008 installation includes the process of deciding upon a subnet, preparing hardware network devices, and planning for expandability.

Master It Create a usable Class C subnet with more than 200 available addresses.

Configure SBS 2008 client computers for networking

Planning an SBS 2008 installation includes the process of deciding upon a subnet, preparing hardware network devices, and planning for expandability.

Master It Establish a connection with SBS 2008, and ensure that computers can be added to the network with corresponding user accounts. This means that your network is ready to expand, along with the small business.

Use command-line networking commands

Using the command line greatly enhances your ability to quickly diagnose technical network issues and expedite your process of troubleshooting network issues. To become an effective administrator, you need to be familiar with these commands.

Master It Use network commands to determine your DNS server, ping your DNS server, and trace the route to your server.

Diagnose small network problems

Even for the most seasoned administrator, small network problems can be a tremendous headache. Knowing how to quickly and easily solve these problems is key to saving you and your company time and effort.

Master It Set up a small business network with four different computers, each connected to your network through a switch. Then, take a spare Ethernet cable, cut five of the eight internal wires, and connect one of the computers to it — but don’t pay attention to the IP address or name of the computer. Go back to your SBS server, and determine which computer has been compromised.

Implement wireless networking

Setting up a wireless network allows you to access network resources from anywhere in your SOHO environment. This is critical to maintaining a readily available and effective small business.

Master It Implement WPA2 security on the network with MAC filtering, if it is available. Then go by each of your computers, determine their MAC addresses, and add them to the access list.

Chapter 3

Migrating and “Upgrading” to Small Business Server 2008

As of the publication of this book, less than 5 percent of the small-business world has upgraded from Microsoft Small Business Server 2003 to Microsoft Small Business Server 2008. There are many reasons for this: SBS 2003 still works perfectly well; certain businesses do not need all the features and functions of SBS 2008; and, based on the age-old adage that serves nearly all of systems administration, if not information technology, “If it ain’t broke, don’t fix it.”

But if you’ve purchased this book, there is a strong chance either you are a small business looking to upgrade from your current infrastructure or you are an information technology professional interested in understanding how to migrate from one SBS infrastructure to another. The key concept in that sentence is the word migrate. There is no direct way to upgrade from SBS 2003 to SBS 2008, mainly because SBS 2008 uses a 64-bit architecture, rather than a 32-bit infrastructure. Moreover, the Active Directory infrastructure has changed a lot since Windows Server 2003, so overall, the idea of simply migrating to a new server, rather than upgrading, is a sound concept. This way, you won’t have to deal with the annoyance of upgrading to a new version of the operating system and having legacy aspects of the old system bog down the new system. Just imagine what used to happen when people upgraded from Windows 98 and 2000 to Windows XP Professional but on a server level!

In this chapter, you will learn to

◆ Set up and plan migration

◆ Create an answer file

◆ Migrate objects

SBS 2008 Limitations

Windows Small Business Server 2008 has some fairly significant limitations compared to SBS 2003 that administrators must be aware of before they make the decision to migrate. Some of these limitations can impact an entire network design.

Migrating requires a server name change and different IP address

This is an unfortunate side effect, but to migrate from SBS 2003 to SBS 2008, your new server must be at a different IP address to communicate with your original server. Additionally, the server has to be given a different server name than the original server.

ISA is not supported unless you have SBS 2008 Premium

SBS 2003 Premium came with an ISA firewall, so you have to make sure you purchase SBS 2008 Premium to support the ISA firewall.

SBS 2008 can support only one network card

This is a dramatic change from SBS 2003, where the recommended installation was a design with two network interface cards (NICs), one for the WAN and one for the LAN. If your infrastructure relies upon multiple NICs, SBS 2008 may not be an advisable migration for your company.

Migration cannot be undone

Once migration is complete, the accounts will truly be migrated from one server to another. This means that if you’re planning on migrating, you need to “migrate with a purpose.” If you haven’t planned carefully, your old organization will be undone, and your new organization will be mostly helpless.

Overview of Migrating from SBS 2003 to SBS 2008

Switching from SBS 2003 to SBS 2008 isn’t a one-step process. It’s actually quite involved. This is so much the case that Microsoft has released a series of articles on how to migrate to SBS 2008 on Microsoft TechNet. You can find them at this location:

http://technet.microsoft.com/en-us/library/cc546034.aspx

In the articles, Microsoft describes the steps very well:

1. Prepare your source server for migration.

2. Create a migration answer file.

3. Install Windows Small Business Server 2008 in migration mode.

4. Migrate settings and data to the destination server.

5. Delete the old folder redirection Group Policy object.

6. Perform optional post-migration tasks.

7. Run the Windows Small Business Server 2008 Best Practices Analyzer.

I’ll go over each of these steps in an abstract way over the next few sections, but keep in mind that you can always reference the Knowledge Base article for the official Microsoft documentation. It’s especially useful because there are so many different server versions that can be migrated to SBS 2008:

◆ Windows Server 2003 Standard

◆ Windows Server 2008 Standard

◆ Windows Small Business Server 2003

◆ Windows Small Business Server 2008 (hardware upgrades)

Preparing for Migration by Creating Backups

Since migration with SBS 2008 essentially means removing all Active Directory objects from your previously existing installation of SBS 2003, the process of preparing for migration is as follows:

1. Create a full backup of your current server settings and files.

2. Back up your Exchange Server data.

3. Consider making a ghost image of the current server install.

4. Conduct a test of the installation.

There is no way to undo the process of migration once it’s complete, so it goes without saying that the most important thing you can do when preparing for migration is to back up, back up, back up. You can do this using an application such as NTBACKUP, and you can also use third-party applications, such as Norton Ghost.

Whenever I’m personally making a backup, I make sure to back up at the following four critical stages.

Stage 1: Backing Up Critical Files

Before I begin backing up Windows-specific information, I look through the server to find critical files that are stored on the server. Is there a shared folder I will need to recover? Are there accounting documents stored here? These should all be backed up.

At this point in a backup process, I run NTBACKUP to back up NT-specific and Windows-specific files. This way, I know that at the end of the day, the “important stuff” as far as Active Directory is concerned is backed up. NTBACKUP is pretty easy to use, but just in case you’re unfamiliar with it, you can access NTBACKUP on Windows Small Business Server 2003 by navigating to Start > Run and typing ntbackup. This launches the NTBACKUP utility you see in Figure 3.1. You can initially choose to back up or restore files in the wizard mode, and then you can specifically choose what to back up.

Figure 3.1: NTBACKUP

For this portion of the backup stage with SBS 2003, you should run the Backup utility from Server Management. You can access this tool by navigating to Backup after opening the Server Management console. After the backup agent loads, it should look like what you see in Figure 3.2.

Figure 3.2: Backup utility

From this menu, you really only have one option: Configure Backup. Obviously there are a couple other options, like Configure My Documents Redirection and Restore Individual Files, but these are less important than the big green button you can click. Clicking that green Configure Backup button opens a menu that asks where you’d like to back up your local data. The menu system is fairly self-explanatory, but if you look at Figure 3.3, you can see that there is an Exclude Folders button. Pay careful attention to this button. With this button, you can choose to exclude data from a backup. This is really useful if you have a large external or internal array that is multiple terabytes. All you have to do is click the button, then click the Add Folder button, choose either the drive or the folder you’d like to exclude, and finally click OK.

Figure 3.3: Excluding folders

Once this wizard runs, it will back up all your important NT data (such as NTDS.dit and your Active Directory information) and all your server data. Note that unless you click the Backup Now button that appears after you set up the job, the job will not run until the time you set. But clicking this button will open the full-blown Backup Utility window you see in Figure 3.4. There, you can manually launch the Backup utility and back up all your data immediately.

Figure 3.4: Backup Utility window

Depending on how much data you select and the method you choose for storing it, the data may take several minutes to several hours to transfer as the Backup tool moves it from one medium to another. But once this is completed, you’ll have some of your most important data backed up in an easily recoverable media format. Next on your list of items to back up is any Microsoft Exchange Server data from your previous server.

Stage 2: Backing Up Exchange Server Data

Microsoft Exchange Server gets its own custom step in the process because Exchange Server data is critical to any enterprise, and the loss of it can be devastating. Given that Exchange Server data is usually smaller than the rest of your remaining NT data (if you aren’t in an extremely large infrastructure), you can usually back this data up to a small hard drive or tape backup drive that can be placed off-site.

With Small Business Server 2003, Exchange Server data is stored at a custom location based on each install. Most administrators pick an area to store their Exchange Server data that is separate from the rest of the infrastructure. When I do Exchange Server installs, I usually choose to make a folder called Production Exchange where I store two important folders:

◆ Priv

◆ Pub

These two folders contain the Exchange Server public and private databases. In some cases, these folders can get rather large because they contain .edb (Exchange database) files. These Exchange database files, when combined with a few HTML files and other critical components of the Exchange database, can recover Exchange Server in the case of a disaster.


The way you choose to back up your Exchange Server data is up to you; you have three options:

Copying manually. Dragging and dropping the Exchange Server Priv and Pub files to an external location.

Using NTBACKUP/Backup utility. Running the Backup utility again and extracting the data to another location.

Running a third-party Exchange Server backup tool. I’ve never had any success with third-party Exchange Server backup tools, but some of my colleagues swear that there are some absolutely fantastic system administrator backup tools available for purchase. Keep in mind, however, that these programs tend to be quite expensive (and usually a little difficult to work with).

Recovery from Exchange Server usually isn’t that painful if the proper plans have been made. But there is something you need to keep in mind: to import an Exchange database, it must be exactly the same as the Exchange database from the original organization! If the database isn’t named the same, the recovery process will fail. As you can see in Figure 3.5, the default organizational name for Small Business Server 2003 is First Organization.

Figure 3.5: Organizational name

Recovering from Exchange

During one of the darkest periods of SuperTeach, its Small Business Server machine experienced a SCSI plane failure that resulted in the loss of the operating system volume, its custom software, and the ability for all users to log in to the server to access shared files. And more important than anything else, the company lost its ability to send and receive emails.

For most businesses, sending and receiving emails is the way they make money. Numerous sales, negotiations, and backdoor deals have been sealed through the use of this simple but vital tool. In larger companies, a single hour of lost email connectivity can result in an absolutely devastating loss of productivity.

As a case in point, a colleague told me once that he worked for a company that decided to deploy a beta patch to its environment, only to have that beta patch cause a massive failure that resulted in the Exchange Server machines not working for more than two hours. The estimated loss of revenue to the company was more than $200,000 in loss of labor and potentially millions of dollars in loss of receivables, sales, and other revenue. Thus, it behooves us as administrators to have a simple and effective plan of action in place for the loss of an Exchange Server machine.


The process in itself is fairly straightforward:

1. Have a plan of action.

2. Ensure that the plan adheres to the limits of Exchange Server.

The plan of action includes the proper maintenance of Exchange Server backups and the careful consideration of data needed in the case of a failure. The limitations include verifying the organizational name in the system manager and understanding the limits of the hardware.

Stage 3: Making an Image

Whenever you have the option, it’s always a fantastic decision to create a complete image backup of your current server. In a nutshell, a server image is just an exact bit-by-bit copy of your current installation, placed in the form of a file. Using third-party software, such as Norton Ghost, Acronis, Paragon, or any of the major brands of software, you can make a recoverable installation of your server so that if the migration process doesn’t work, you can easily revert to the way things used to be and not have any unnecessary downtime.

When given the choice of whether you should complete this process, the answer should almost always be yes. In the rare cases that the answer is no, one of the following conditions should exist:

◆ You do not have enough space for the image.

◆ The budget for the software is not available.

◆ The data on the server is not critical.

Otherwise, an image creates a simple and stable recovery point that you can refer to in the future, even after a migration.

Stage 4: Conducting a Test

This point of the process is much more nebulous and undefined, but suffice to say that whenever you’re able, you should do your best to test the recovery process. If you have made a tape backup, you should try to recover some of the data from the tape. If you’ve copied the data to a hard drive, make sure the data is the same size as the originating data, and so forth. It never hurts to double-check, and if you’re careful, it very well may save you a lot of pain and anguish later as you ask yourself, “Why didn’t I test this to make sure it works?”
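The size check described above can be scripted. The following Python sketch is an added example, not code from the book: it compares a copied folder tree against its source by file size and then by SHA-256 digest, so a copy that is the right size but has different contents is also caught. The folder and file names in the demo are constructed for illustration.

```python
import hashlib
import os
import tempfile


def file_digest(path, chunk_size=1024 * 1024):
    """SHA-256 of a file, read in chunks so large database files are not loaded whole."""
    digest = hashlib.sha256()
    with open(path, "rb") as handle:
        for chunk in iter(lambda: handle.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()


def index_tree(root):
    """Map every file under root (relative path, '/' separated) to its size in bytes."""
    sizes = {}
    for folder, _subdirs, names in os.walk(root):
        for name in names:
            full = os.path.join(folder, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            sizes[rel] = os.path.getsize(full)
    return sizes


def verify_copy(source_root, backup_root):
    """Compare a backup copy with its source.

    Returns a dict of sorted relative paths:
      missing       - in the source but not in the backup
      size_mismatch - in both, different byte counts
      hash_mismatch - same size, different contents
      extra         - in the backup only
    """
    source, backup = index_tree(source_root), index_tree(backup_root)
    report = {"missing": [], "size_mismatch": [], "hash_mismatch": [], "extra": []}
    for rel, size in sorted(source.items()):
        if rel not in backup:
            report["missing"].append(rel)
        elif backup[rel] != size:
            report["size_mismatch"].append(rel)
        elif file_digest(os.path.join(source_root, rel)) != file_digest(
            os.path.join(backup_root, rel)
        ):
            report["hash_mismatch"].append(rel)
    report["extra"] = sorted(rel for rel in backup if rel not in source)
    return report


def _write(root, rel, data):
    """Create root/rel (and parent folders) with the given bytes."""
    path = os.path.join(root, rel)
    os.makedirs(os.path.dirname(path), exist_ok=True)
    with open(path, "wb") as handle:
        handle.write(data)


def run_demo():
    """Build a constructed source tree and a deliberately damaged copy, then compare."""
    with tempfile.TemporaryDirectory() as work:
        src, dst = os.path.join(work, "source"), os.path.join(work, "backup")
        # Constructed sample data standing in for the Priv and Pub folders.
        _write(src, "Priv/priv1.edb", b"A" * 4096)
        _write(src, "Priv/priv2.edb", b"C" * 512)
        _write(src, "Pub/pub1.edb", b"B" * 2048)
        _write(src, "notes.txt", b"migration notes\n")
        _write(dst, "Priv/priv1.edb", b"A" * 4095 + b"X")  # same size, altered
        _write(dst, "Priv/priv2.edb", b"C" * 512)          # intact
        _write(dst, "Pub/pub1.edb", b"B" * 1024)           # truncated
        _write(dst, "old.tmp", b"stale")                   # not in the source
        return verify_copy(src, dst)


if __name__ == "__main__":
    for kind, paths in run_demo().items():
        print(f"{kind:14} {paths}")
```

An empty report means every source file exists in the copy with identical contents; it does not replace restoring a sample of the data, which the paragraph above also recommends.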

Preparing Your Network for Migration

As you can see from the previous section, preparing your server for migration basically means making sure all your data is backed up, backed up, and, in case you didn’t test it, backed up again. Preparing the network for the change, however, is quite a bit more involved.

For one thing, if the SBS 2003 server is set up correctly, the entire topology of the network has to be altered! This is because SBS 2003, in a proper setup, functions as a pass-through for LAN and WAN traffic, whereas SBS 2008 is designed to sit behind a firewall.

To get a clearer picture, take a look at Figure 3.6. There, you’ll see that the router connects directly to the SBS 2003 server, where the server functions as a firewall, DHCP server, and various other network roles. And it’s only after the server has been exposed to the unfiltered traffic that the data is passed on to the rest of the network.

Figure 3.6: SBS 2003 network configuration (diagram labels: Router, Server, Switch, Client PC, Client PC, Printer, Firewall)

With SBS 2008, the SBS server exists on the network, but only behind a firewall and a switch. From a networking perspective, the server exists behind the firewall like any other given client computer. This is a much more secure way of administering your network, because the network is protected by a hardware firewall that is impervious to viruses or corruption. Thankfully, this is convenient, but at the same time, this network topology change is necessary because SBS 2008 supports only one network card. This means that you can’t possibly support the “old-style” infrastructure. You can see a sample of the SBS 2008 network topology style in Figure 3.7.

Figure 3.7: SBS 2008 network configuration (diagram labels: Router, Firewall, Switch, Client PC, Client PC, Printer, Server)

So, although the changeover from the old network infrastructure to the new infrastructure may be nice, the process of switching back and forth is actually quite complicated. Thankfully, Microsoft has a very straightforward path that it recommends:

1. Reconfigure DHCP for shorter licenses.

2. Remove the second network card.

3. Reconfigure the network settings.

4. Make any required network hardware changes.

5. Reconfigure remote access.

6. Verify connectivity and DHCP.

Reconfiguring DHCP for Shorter Licenses

Assuming your SBS 2003 server is configured as a DHCP server (which is part of the recommended practices), one of the first steps you’ll take when you are rearranging your network topology is to shorten the DHCP lease that SBS 2003 gives to the rest of the network. The main reason for this is that if you are rearranging the network and providing client machines with a new DHCP server, new DNS server, and new default gateway, you’ll need to make sure they receive the proper IP address as soon as possible. Thereafter, once 24 hours have passed and all the machines have the proper IP addresses, you can lengthen the time once again to a longer period.

By default, SBS 2003 sets its lease time to eight days — which is quite a long time. For the sake of completeness, set it to eight hours instead. You can accomplish this through the DHCP Management Console in SBS 2003, which you can access by selecting Start ➢ Administrative Tools ➢ DHCP. Under the Properties menu, you can adjust the Lease Duration setting of your clients to eight hours.

Removing the Second Network Card

Since SBS 2008 supports only one NIC, it’s necessary to remove or disable the second NIC. You can do either, and there is a pretty constant debate as to whether it’s a good practice to remove the second NIC or just disable it. Arguments for removing it are that the server can’t use it anyway and that it’s cleaner. Arguments for keeping the NIC are that you won’t have to install it again later if you switch to an operating system that supports multiple NICs and that removing it can sometimes violate server warranties.

Disabling a NIC

Disabling a NIC is fairly simple. All you have to do is navigate to Start ➢ Control Panel ➢ Network Connections, right-click the NIC you’d like to shut down, and select Disable. The network connection will then become gray, and the network connection will be unusable. Note that this does not disable the NIC in hardware. There, it will still be a fully functioning connection that you can bring back to life in the case of a reinstall.

Removing a NIC

Removing a NIC is an involved but fairly easy process:

1. Shut down the server.

2. Remove the panel attached to the side of the server.

3. Navigate to the network card if it is removable. Note that if it is not removable, you will need to either disable the NIC in the BIOS or contact the manufacturer of your server for further instructions.

4. Reboot the computer.

5. Log on with Administrator credentials — you may see an error from the missing network card.

6. Either run the Configure Email And Internet Connection Wizard or manually assign the computer an IP address through the Network Connections menu (Start ➢ Control Panel ➢ Network Connections).

In any event, when you remove your NIC, you want your server to be set up in such a way that your computer will be able to use a router as its central gateway and so that it is configured to receive email and web requests at the proper addresses.

Reconfiguring the Network Settings

With Windows Server 2008, there are two areas where you need to adjust the network settings so you’ll have a robust and well-designed network that can support expansion, remote access, network ranges for virtual private networks, and access to various network resources from the Internet. The two points where you need to adjust these settings are the firewall and the network range configuration. First you need to examine your firewall.

Firewall Settings

To provide external access to SBS 2003 and 2008 resources, you need to open a series of TCP/IP ports to forward over services. Namely, these services are SMTP, HTTP, HTTPS, SharePoint, and optionally Remote Desktop, Remote Web Workplace, File Transfer Protocol, and SSH. On your network firewall, you need to make sure to open the following ports:

21: FTP. File Transfer Protocol is used by Windows Server to export and import large files across the network. This is useful for transferring files that cannot fit into a single email, which has limited attachment capabilities.

22: SFTP. Secure File Transfer Protocol is similar to FTP, except that it uses RSA encryption to secure the password exchange, which is sent as plain text with traditional FTP. SFTP should not be used in addition to FTP but rather instead of it.

25: SMTP. Simple Mail Transfer Protocol is used by Windows Exchange Server to send out and receive email. Without this, external clients won’t be able to send in email.

80: HTTP. Hypertext Transfer Protocol is used to allow access through the Internet to your website.

443: HTTPS. Hypertext Transfer Protocol Secure is used for websites combined with Secure Sockets Layer encryption.

444: SharePoint. The SharePoint Companyweb intranet site uses this port for external clients to access collaborative work processes.

3389: Remote Desktop. Remote Desktop is used to remotely access the server to administer it and fix issues that may occur from a distance.

4125: Remote Web Workplace. Although not required, this allows users to connect to their desktop from the Internet.

Depending on your specific installation, you may want to open or close ports to support your services. In all circumstances, you want to make sure that you only have ports open for the services that you need. The more ports that are open on a server, the more vulnerable that service is. Thankfully, these most common ports are well secured.

Also note that these firewall settings are based on you having a hardware firewall, not the Windows software firewall. More often than not, you can open hardware firewall ports and still see these services blocked. One of the most infamous of these services is SQL Server, which is blocked by default in Windows Firewall and requires an exception.
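To check that only the needed ports are open, the firewall's port-forward list can be audited against the list above. The following Python sketch is an added example, not code from the book: the one-rule-per-line export format, the server address 192.168.16.2, the sample rules, and the set of needed services are all constructed assumptions, since every firewall exports its rules differently.

```python
import re

# TCP ports from the chapter's list, mapped to the service names used there.
CHAPTER_PORTS = {
    21: "FTP", 22: "SFTP", 25: "SMTP", 80: "HTTP", 443: "HTTPS",
    444: "SharePoint", 3389: "Remote Desktop", 4125: "Remote Web Workplace",
}

# Hypothetical export format: "<proto> <external port> -> <internal ip>:<port>"
RULE_RE = re.compile(
    r"^(tcp|udp)\s+(\d{1,5})\s*->\s*(\d{1,3}(?:\.\d{1,3}){3}):(\d{1,5})$",
    re.IGNORECASE,
)

# Constructed sample export for an SBS server at 192.168.16.2.
SAMPLE_RULES = """\
# constructed port-forward export
tcp 21   -> 192.168.16.2:21
tcp 22   -> 192.168.16.2:22
tcp 25   -> 192.168.16.2:25
tcp 80   -> 192.168.16.2:80
tcp 443  -> 192.168.16.2:443
tcp 8080 -> 192.168.16.2:8080
tcp 3389 -> 192.168.16.2:3389
"""

# Constructed: the services this hypothetical site says it needs.
NEEDED = {"SMTP", "HTTP", "HTTPS", "SharePoint", "SFTP"}


def parse_rules(text):
    """Parse the export into dicts; raise ValueError on any line that does not fit."""
    rules = []
    for number, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()  # drop comments and blank lines
        if not line:
            continue
        match = RULE_RE.match(line)
        if match is None:
            raise ValueError(f"line {number}: unrecognised rule {raw!r}")
        proto, ext, host, internal = match.groups()
        ext, internal = int(ext), int(internal)
        if not (1 <= ext <= 65535 and 1 <= internal <= 65535):
            raise ValueError(f"line {number}: port out of range in {raw!r}")
        rules.append({"proto": proto.lower(), "ext_port": ext,
                      "host": host, "int_port": internal})
    return rules


def audit(rules, needed_services):
    """Return (kind, port, message) findings for a parsed rule list."""
    findings = []
    open_tcp = {r["ext_port"] for r in rules if r["proto"] == "tcp"}
    for rule in rules:
        port = rule["ext_port"]
        service = CHAPTER_PORTS.get(port) if rule["proto"] == "tcp" else None
        if service is None:
            findings.append(("unlisted", port,
                             f"{rule['proto']}/{port} is not on the chapter's list"))
        elif service not in needed_services:
            findings.append(("unneeded", port,
                             f"{service} is forwarded but not declared as needed"))
    if {21, 22} <= open_tcp:
        findings.append(("ftp-and-sftp", 21,
                         "FTP is open alongside SFTP; use SFTP instead of FTP"))
    for port, service in CHAPTER_PORTS.items():
        if service in needed_services and port not in open_tcp:
            findings.append(("missing", port,
                             f"{service} is needed but tcp/{port} is not forwarded"))
    return findings


if __name__ == "__main__":
    for kind, port, message in audit(parse_rules(SAMPLE_RULES), NEEDED):
        print(f"{kind:13} {port:>5}  {message}")
```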

Deciding What Type of Firewall to Put in Place

With a Small Business Server environment, the type of hardware firewall that you put in place is very important. In a small business, you usually have a limited budget for information technology, and this mandates that both the server and the firewall have to serve a lot of roles. Usually, firewalls serve three distinct purposes:

Firewall. They act as a front-facing security device that blocks outside network intrusion.

Router. Most firewalls come with an internal router placed inside the device, although it’s not usually mentioned in the device information.

Switch. To this day, I haven’t seen a small-business firewall that didn’t have a switch placed into it. To get just a pure firewall that has one port in and one port out, you usually have to jump up to medium- and large-business hardware.

Since the firewall is going to support so many different roles, you need to make sure you choose the right type of firewall. Various brands, such as WatchGuard and Cisco, have several limitations based upon what type of licensing you purchase. High-end firewalls limit the following:

Throughput. They limit the amount of bandwidth that can pass through the firewall (10/100/1000 speeds).

VPN Users. They limit the number of clients that can authenticate through the firewall in hardware.

NAT. Some only support one-to-one network address translation (one address in, one address out), and some support one-to-one and dynamic NAT, which allows the forwarding of ports and the actual use of the built-in router.

Antivirus/Anti-intrusion. Higher-end hardware firewalls can stop intrusions, viruses, and malicious software before it even gets access to your network. This is valuable, because it takes away load from your server.

Balancing. Some of the most expensive firewalls can support WAN balancing so that two Internet connections can be used in case one goes down. For small businesses using cable, DSL, or fiber, this is an excellent solution.

Various firewalls at the small-business level can cost between $100 and $10,000, depending on your needs. Usually, a well-equipped firewall will cost somewhere in the $1,500 to $2,000 range. Don’t be fooled into saving money on this aspect of your network. The SBS 2008 software firewall is not sufficient.

Network Addressing Scheme

When using SBS 2003, most administrators kept using the default 192.168.1.X networking scheme because it was convenient, easy, and mostly effective. However, by default, SBS 2008 now uses the 192.168.16.X naming convention. This is because the SBS crew figured that most experienced hackers might typically try to connect to the .0, .1, or even .2 subnet. Still, even as an experienced administrator, I was a little confused by this decision, but there are actually two very good reasons for it:

◆ Migrating from SBS 2003 to 2008 requires a different IP address and name on each server. Since you have to move from one IP address to another, it makes sense to change your address range. This means that your former server, which probably used a significant address on your .1 network, such as .1.1 or .1.100, probably occupies a significant digit in the last octet you’d like to keep. Thus, if you change the range your server is in, chances are there won’t be any network conflicts.

◆ Using VPNs can cause problems with the default .1 range. At my local office, we use the 10.0.1.0/255 range. And, unfortunately, we also use the same addresses for our VPN users. I say “unfortunately” because these conflict, so I have to restrict the number of DHCP users to 200 so that they use .1 to .200, and then I subnet the rest of the addresses so they can still access all the 10.0.1.0/255 addresses. This is really overcomplicated. Instead, you can use a unique local address range so that VPN clients will be on a completely different subnetwork.
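The address conflicts described in the second bullet can be checked before the migration. The following Python sketch is an added example, not code from the book: it flags a VPN address pool carved out of the office subnet, any overlap between that pool and the DHCP scope, and remote networks that use the same range as the office. The remote networks, DHCP scopes, VPN pools, and the 192.168.17.x pool are constructed assumptions; only the 192.168.1.X and 192.168.16.X defaults come from the text.

```python
import ipaddress


def audit_addressing(office_lan, dhcp_scope, vpn_pool, remote_lans):
    """Return a list of (kind, detail) problems in an addressing plan.

    office_lan  - office subnet in CIDR form
    dhcp_scope  - (first, last) address handed out by DHCP
    vpn_pool    - (first, last) address handed to VPN clients
    remote_lans - {name: CIDR} of networks VPN users connect from
    """
    office = ipaddress.ip_network(office_lan)
    dhcp_lo, dhcp_hi = (ipaddress.ip_address(a) for a in dhcp_scope)
    vpn_lo, vpn_hi = (ipaddress.ip_address(a) for a in vpn_pool)
    if dhcp_lo > dhcp_hi or vpn_lo > vpn_hi:
        raise ValueError("range start must not be above range end")

    problems = []
    # A VPN pool inside the office subnet forces the DHCP scope to be
    # trimmed around it, which is the workaround the author describes.
    if vpn_lo in office or vpn_hi in office:
        problems.append(("vpn-pool-in-office-lan", f"{vpn_lo}-{vpn_hi}"))
        lo, hi = max(dhcp_lo, vpn_lo), min(dhcp_hi, vpn_hi)
        if lo <= hi:
            problems.append(("vpn-pool-overlaps-dhcp", f"{lo}-{hi}"))

    # A remote network with the same range as the office makes office
    # addresses ambiguous for a VPN client on that network.
    for name in sorted(remote_lans):
        if office.overlaps(ipaddress.ip_network(remote_lans[name])):
            problems.append(("remote-lan-overlaps-office", name))
    return problems


# Constructed sample: networks that VPN users connect from.
REMOTE_LANS = {
    "home-a": "192.168.1.0/24",
    "home-b": "192.168.0.0/24",
    "branch": "10.0.1.0/24",
}

# Constructed plan on the SBS 2003 default range, VPN pool inside the LAN.
OLD_PLAN = {
    "office_lan": "192.168.1.0/24",
    "dhcp_scope": ("192.168.1.10", "192.168.1.200"),
    "vpn_pool": ("192.168.1.190", "192.168.1.230"),
}

# Constructed plan on the SBS 2008 default range, VPN pool on its own subnet.
NEW_PLAN = {
    "office_lan": "192.168.16.0/24",
    "dhcp_scope": ("192.168.16.10", "192.168.16.200"),
    "vpn_pool": ("192.168.17.10", "192.168.17.50"),
}


if __name__ == "__main__":
    for label, plan in (("old", OLD_PLAN), ("new", NEW_PLAN)):
        print(label, audit_addressing(remote_lans=REMOTE_LANS, **plan))
```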

Network and Client Preparation

Before you begin the server migration, it’s advisable (if possible) to shut down all client workstations. Doing this ensures that users will be forced to log on once again after the server has rebooted, which serves as a nice litmus test once the server settings have been migrated.

Furthermore, on the firewall network, clients, servers, and any external access programs or virtual private networks should be shut down so there are no issues with address reassignment. In an ideal world, just about everything is shut down.

Obviously, for some environments this is not possible or practical. Thus, Microsoft recommends that VPNs be shut down as a mandatory action when migrating. As a side note, there are many advantages to using a remote web workplace instead of a VPN. They do not require an additional network connection or additional IP addresses, and they’re actually easier to set up than a traditional VPN.

Preparing Your Server for Migration to SBS 2008

To properly migrate your server, you have to complete a several-step process that involves configuring Active Directory, confirming that your server is prepared to migrate, and creating an answer file. After you’ve completed these steps, you’ll be able to begin installing Windows Small Business Server 2008 and eventually transfer the Active Directory data from the SBS 2003 server to the SBS 2008 server. First, before you create the answer file or confirm your server is ready to migrate, you have to prepare Active Directory.

Prepping Active Directory

By default, SBS 2003 activates at the Windows 2000 Server forest functional level and Windows 2000 domain functional level. With the original incarnation of Windows Server 2003, there were several forest functional levels that you could establish:

◆ Windows 2000 Mixed

◆ Windows 2003 Interim

◆ Windows Server 2003

as well as the following domain functional levels:

◆ Windows 2000 Mixed

◆ Windows 2000 Native

◆ Windows 2003 Interim

◆ Windows Server 2003

Thankfully, your job is pretty easy here. All you have to do is raise your SBS 2003 server to the Windows Server 2003 functional level on both the domain and forest levels. This can be pretty easily accomplished through the Active Directory Domains And Trusts snap-in.

Be Careful When Raising Functional Levels

With the advent of Windows Server 2008, the issues that could arise with raising functional levels are slowly beginning to fade, but it’s important to note that it’s easy to raise functional levels of domains and forests, but it’s impossible to lower them again.

Once, in another life and another era, a young administrator installed a new Windows Server 2003 server in an environment, promoted it to a domain controller, and raised the domain and forest functional levels to Windows Server 2003 — to disastrous effects. Unfortunately, this young administrator didn’t realize that the Windows 2000 domain controller would no longer be supported. And consequently, an entire domain went down.

With SBS 2003 to 2008 migration, this shouldn’t be an issue. However, keep in mind that although this process will be very easy for you, raising a functional level is something that should be done only with a great deal of planning and preparation. Otherwise, disaster can result.

Also, just in case you do somehow have Windows 2000 domain controllers in your environment, you will need to demote these domain controllers from their current roles. This way, they’ll keep functioning, and you won’t notice a difference when you upgrade to SBS 2008.


Raising the Functional Level

As a first step in migrating from SBS 2003 to SBS 2008, you’ll need to upgrade the functional level of your infrastructure to Windows Server 2003. This activity will show how to complete that process.

1. First, log on to your SBS 2003 computer as an enterprise administrator account with domain privileges.

2. Select Start ➢ Administrative Tools ➢ Active Directory Domains And Trusts. This opens the window shown here.

3. Right-click the domain, and choose Raise Domain Functional Level.

4. This opens the functional level menu where you can choose your functional level. If you are not running at Windows Server 2003, you will be able to select Windows Server 2003 and click Raise.

5. There will be a warning that you cannot undo this change; click OK.

Once the process completes, you’ll see a dialog box indicating that the functional level has now been raised on the domain. Note that sometimes this can take quite a while to complete.

If your domain functional level is already SBS 2003, a dialog box will tell you that your domain functional level is Windows Server 2003.


Preparing Your Users for Migration

Contrary to a large-business environment, in the small-business environment, it’s a very good practice to keep your users informed of any drastic change that may occur. After all, if the migration fails or there is a problem along the way, this can result in a great deal of downtime. Thus, when you’re migrating, you should prep users by having them log out and prep their mailboxes.

User Logons and Files

If you can do so without compromising your standard business practices, have users back up any shared files or folders they have on the server to their personal desktops. With the advent of external hard drives ranging in the 2TB range, it may be a wise investment to give one to each user to store their files for an easily deployable rapid-restore process.

User Mailboxes

It goes without saying that there are some pretty major changes from SBS 2003 to SBS 2008, but this isn’t necessarily true when you shift from Exchange 2003 for SBS to Exchange 2007 for SBS. For one thing, the entire database is designed slightly differently. Thus, it’s a good idea to do two things:

1. Have your users back up their important emails to their dedicated backup areas, which should be separate from your migration server. You can also consider creating archives for each of your users and placing these archive folders on external hard drives.

2. Make sure they get rid of any excess data, including junk email, unnecessary sent mail, deleted items, and the like.

Checking the Best Practices Analyzer (BPA)

Although it isn’t a required step for migration from SBS 2003 to SBS 2008, Microsoft strongly recommends using the Best Practices Analyzer (BPA) to examine your current environment. Should you be interested, you can find the Best Practices Analyzer on Microsoft’s website. It’s downloadable for free and is well documented in KB article 940439 in the Microsoft Knowledge Base.

Installing the BPA is very easy, and running it is even more so. All you really have to do is install the tool and run a scan. After you’ve run the scan, Microsoft’s tool will look through your entire environment and find any errors that may exist. Note that this is a good practice in the first place, but before a migration, it’s even more strongly recommended, because you may be unaware of some of the potential snags that may occur during a migration.

Also note that if you are not running SBS 2003 but are instead running the full versions of Windows Server 2003, you cannot run the BPA; instead, you can run the Windows networking tools summarized in Table 3.1.


Table 3.1: Windows Networking Tools

Windows Networking Tool | Description
Netdiag.exe | Helps isolate networking and connectivity issues
Dcdiag.exe | Analyzes the state of domain controllers in a forest or enterprise and reports issues to assist you in troubleshooting
Repadmin.exe | Assists you in diagnosing replication issues between domain controllers

Source: Microsoft Migration Guide

Migrating

Now that you’ve completed the initial migration preparation steps, you can begin the process of truly migrating from SBS 2003 to SBS 2008. This process comes in several distinct stages:

1. Upgrading Active Directory to Server 2008

2. Creating an answer file

3. Prepping Exchange

4. Migrating settings and data

Upgrading Active Directory

The process of upgrading Active Directory is actually fairly simple in concept but a little more complicated in implementation. Effectively, upgrading Active Directory requires three stages:

1. Updating the schema

2. Migrating objects

3. Completing your transition from SBS 2003 to SBS 2008

The trouble is that, unless you have an SBS 2008 server, you can’t exactly upgrade the server to SBS 2008 without knowing the SBS 2008 schema because, obviously, SBS 2003 doesn’t understand SBS 2008 yet.

To update your SBS 2003 server to SBS 2008, you need to be logged on as an enterprise administrator account — or any account that has both domain and forest privileges to change the schema. By default, the SBS 2003 administrator account should have both of these, but best security practices say that you should change the name from your default Administrator account to something other than Administrator, so it will ultimately depend on how your network is set up.

Regardless, at this point, you are only going to complete the schema update. The remaining portions of this process will be completed throughout the rest of the SBS 2008 upgrade.

The schema update process consists of two portions. The first portion is to insert the Windows SBS 2008 DVD and complete the schema update process; then you will need to set the sync clock. To update the schema, you will first need to make sure of a couple of things:

1. Make sure Windows Server is updated.

2. Make sure Windows Server is running Service Pack 2.

To upgrade the schema, you will use the ADPREP.exe tool. Directly from Microsoft, the adprep tool extends the schema for SBS 2008 to include the Windows Server 2008 style schema. Note that this is not the same as Windows 2003 or SBS 2003. To successfully migrate, you have to update the AD DS schema on the source server before migration.

To run this tool, you must be an enterprise administrator with full rights. The default Administrator account should do just fine. You can find the tool on the DVD in the \\tools\SourceTool.exe folder. Double-click it, and you’ll see a screen pop up like in Figure 3.8. Note that you must select the check box to proceed! Also note that running adprep manually will fail.

Figure 3.8: Preparing your source server for migration

The tools will run through a small wizard that does the following:

◆ Updates the schema

◆ Provides licensing support

◆ Configures Exchange to support migration

In reality, this tool runs adprep, installs an update that allows the time limit for migration to be extended for 21 days, and prepares the server for Exchange Server. It’s actually quite a nice feature set, but it takes a few minutes to run. This is another one of those examples where you can click it and just go grab a cup of coffee.


If you want to skip ahead to the next step, once the source server is prepared, you can create the answer file. Additionally, you can review the migration guide from a hotlink in the wizard. Either way, when you click Finish, you will need to reboot your server.

The Answer File

Now that you’ve updated the server schema to SBS 2008, you need to complete another step along this process: creating an answer file. With SBS 2008, an answer file does the following:

◆ Starts the migration process during the installation of Windows SBS 2008

◆ Provides information that is automatically entered into the Windows SBS 2008 installation pages

◆ Allows consultants to prepare servers for installation before they even arrive at client locations

The answer file for SBS contains three specific types of information:

◆ Clock and time zone settings

◆ Company information

◆ Source server

Table 3.2 summarizes the subfields that these accounts contain.

The SBS 2008 DVD contains a tool called the SBS Answer File Generator. With the Answer File Generator, you can automate a fresh install of SBS. This is normally used for unattended or automated installations, but with a migration, the answer file is required.

Table 3.2: Answer File Information

Category | Information
Clock and Time Zone Settings | Sync time information
Company Information | Name of business, address
Source Server | Domain administrator account name; Password; Source server name; Source domain name; Source server IP address; Default gateway; Whether or not DHCP is running
Destination Server | Destination server name; Destination server IP address

Source: Microsoft

To access the Answer File Generator, you can locate the file SBSAfg.exe on the SBS 2008 DVD. Before you start, you of course need to make sure you are familiar with all the aspects of your business and that the whole installation is ready to go. In the “Generating an Answer File” sidebar, I show how to use the Answer File Generator to create an answer file.

Generating an Answer File

To create an answer file that you can use to migrate your settings from your original server, do the following:

1. Double-click SBSAfg.exe on the DVD. (It will be in the Tools directory.)

2. Select Migration From Existing Server (Join Existing Domain).

3. Fill in the required information, making sure to not forget anything.

4. You have the option of printing a copy for yourself, but it’s not required. You can also save a copy to your local hard disk, which is what you’ll do here.

5. Save the file locally to your hard drive where you can access it easily for the next step.

6. Close the Answer File Generator (clicking Cancel works as well).

7. Copy the XML file you saved to your hard disk to a removable form of media, such as a CD or a flash drive.

8. Open the XML file in Notepad to verify its contents. It should appear as you see here.

Exchange Updates

From the default installation of SBS 2003, you have to perform several steps to move to SBS 2008. Most likely, if you’ve been using this server for a while, you’ll be able to skip some of these. But if you’re doing this as an exercise, installing Exchange Server and updating it will require you to make Exchange Server go through three steps:

1. Forest preparation

2. Domain preparation

3. Messaging services installation

The easiest way to accomplish these and complete the preparation process is to download the Exchange Service Pack 2 for Exchange 2003. This lets you prepare all the Exchange files for the migration process, which will convert all your previous installation’s Exchange Server information into usable Exchange 2007 data.

The Migration Process

Once you have completed the initial installation process, the migration process can finally begin with the migration tool. During this process, SBS 2008 is going to migrate the following from your server:

◆ Network settings

◆ Exchange Server mailbox settings

◆ Group Policy settings

◆ Group Policy objects

◆ Legacy Group Policy objects

◆ Users’ shared data

◆ Internal website

◆ Fax data

◆ User accounts and groups

◆ Folder redirection

◆ SQL Server data

◆ Terminal Services licensing

Installing SBS 2008 in Migration Mode

The installation process in migration mode is similar to the clean installation you did in Chapter 1, “Introducing Windows Small Business Server 2008,” but there are a few main differences. First, you’ll complete similar steps in that you’ll need to take your Windows Small Business Server 2008 and place it into your server. Second, you’ll need to also place your removable media in an accessible location. Note that if you chose a CD as your medium, you can insert this later.

There are a few things you will need:

◆ Small Business Server 2003 Standard key

◆ Small Business Server 2003 Premium key (if applicable)

◆ A partition with 60GB minimum, preferably more

When you begin the initial install process after placing the DVD in the computer and rebooting, you’ll need to answer the initial questions and then make sure your unattended.xml file is accessible to that computer. Once it is, the installation can begin.

Most notably during the install, you’ll need to keep the Unattended Install box selected. This tells the server to look for the answer file. If you leave it deselected, the server will expect manual input.

As usual, this process can take several minutes to a couple hours and require a lot of reboots. The “Installing SBS 2008 in Migration Mode” sidebar goes through the process step-by-step.

Installing SBS 2008 in Migration Mode

To complete this activity, it’s assumed that you’ve already installed SBS 2008 and that you’re familiar with the involved steps. I also assume that you’ve inserted the DVD, done the basic installation, and stopped before the regional and language settings you see on the screen shown here during the initial startup.

1. At the screen shown here, insert your CD or USB drive.

2. Click Install Now.

3. Type your product key, and then click Next.

4. Agree to the license agreement.

5. Click Custom on the screen shown here.

6. At the next screen, you’ll need to choose where you want to install Windows. Assuming SBS 2008 sees your drives, you can just select the location you’d like.

Note: If you are using RAID, a SCSI controller, or a special type of hardware, you may have to load some drivers for your specific hardware, but the process is relatively simple. You can insert the required media, click the Browse button, and load the driver from your media.

7. The operating system will begin installation.

8. If the XML file is read correctly, the installation process will begin once the operating system is installed. You should see the screen shown here, or one of the main screens, depending on whether you chose an attended or unattended installation.

Note that the Microsoft installation utility will scan every drive available and see whether the XML file is in the root directory of each drive. The system is fairly smart, so it can be a CD-ROM, USB drive, or generally any attached media, but it will need to be in the root directory and not in a folder.

9. The Connecting To Your Server screen may appear on your desktop for several minutes or maybe even several hours, depending on how much information you have on each of your servers. The best thing you can do right now is go take a break.

10. If you have done something incorrectly during the installation, you will probably see something like the screen shown here.

11. Otherwise, you’ll be presented with a screen that will ask you if you have a current backup. Click the “I have a current backup” check box and the other “I have read the most recent version of the Migration Guide” — but only if you’ve done so. Then, click Next.

12. If all has gone well, you can sit back and relax as the nearly two-hour-long process of expanding and installing the files takes place. Just for fun, Windows Server will reboot a few times during the process. Other than that, you’re done!

The Migration Wizard

After completing the process of setting up your network, servers, users, and essentially your entire infrastructure for the big change to SBS 2008, you can begin using the tool that will make the actual migration process easier — the Migration Wizard. The SBS 2008 Migration Wizard is capable of migrating the following aspects of Windows Server:

◆ Network settings

◆ Exchange settings

◆ Group Policy/logon settings

◆ Users’ data

◆ Companyweb intranet site

◆ Fax info (I will not cover this)

◆ Users and groups

All in all, it’s almost a little dissatisfying to spend all that time setting things up, messing around with the server, creating an unattended file, and then going through all that rigmarole to just have to go through a series of wizards — but that’s the way it’s done.

Oh, and that’s not all! One of the big caveats you need to remember about migration is that migration must be completed within 21 days of installation. Who knows where Microsoft came up with that number, but that’s how long you have to complete it.

In this section, I’ll cover the process of migrating using each part of the wizard. Once the expanding and installing section completes, a Start The Migration link will appear. Click it, and the wizard will take you through the following sections of the migration process:

◆ Data Stores: The Data Store Wizard will find your stored data with Exchange Server, WSS, and Windows Update.

◆ Network Configuration: This will set up your Internet connection and web access, as well as configure your custom DNS settings and any remote access or SSL configurations you may have stored on your server.

◆ Migrate Mail Settings: This allows you to migrate all mail settings.

◆ Remove Legacy Group Policy:

    ◆ The modified logon scripts should be renamed.

    ◆ The logon scripts only apply to accounts added by the Add User Wizard.

    ◆ Delete all Small Business Server GPOs.

    ◆ Remove the WMI filters.

◆ Migrate User Shared Folders and Redirects:

    ◆ Move shared folders.

    ◆ Alter share permissions on the source server.

    ◆ Create new shares.

    ◆ Configure security settings for folders.

◆ The Internal Website (companyweb): You can migrate the entire website, including its data directory.

◆ Fax Data

◆ Group Data

To complete these wizards, you’ll need to be logged into the SBS 2008 machine as an administrator. By default, the Windows SBS Console should open automatically, and you should be able to choose the Migrate To Windows Small Business Server 2008 option, which will start the wizard process. This brings up a series of tasks, such as the following:

◆ Changing the Exchange Server data location

◆ Changing the Windows SharePoint services data location

◆ Changing the users’ shared data location

◆ Changing the users’ redirected documents data location

◆ Changing the Windows Update Repository data location

The process of completing this series of tasks is fairly straightforward. You essentially just have to click Next and then provide the required information as you progress through each step of the migration wizard. But ultimately, if you’ve installed Windows even once before (especially if that Windows version happened to be SBS 2008), you should find the process quick and painless.

Now, a couple things to note. First, during the migration process, Exchange Server may delete “dangerous” attachments. What it defines as dangerous usually includes anything that isn’t a standard commonly recognized format, like .doc, .xls, or .mp3. Because of this, it’s a good idea to have users back up attachments before you import these settings. Actually, in reality, it’s a good idea to have your users do this anyway. It can really reduce the size of your Exchange Server mailboxes (which is always a good thing) if you have users remove attachments as soon as they get them.

Next, you need to be aware that some legacy Group Policy objects may throw an exception or not transfer properly. If you have any that you think might be really important, you may want to be prepared to hand make the GPO yourself. You can learn more about this in Chapter 5, “Configuring and Administering Active Directory with SBS 2008.” Otherwise, the install is fairly straightforward.

At the end of the process, you’ll see the Migration Home Wizard complete and the tasks it requires checked off one at a time. And then you can start to do the optional tasks if you so choose, although that’s not required. But in any event, you’ll finally be greeted with a Finish Migration Wizard.

Lastly, you’ll need to use the DCPROMO tool that you’ve used in other installations. You can access it by clicking Start > Dcpromo. You’ll need to elevate the SBS server to a domain controller and complete your installation.

Seamless Migration

When the engineers at Microsoft first designed the migration process of SBS 2008, they created it in such a way that the migration process could be completed without the need to stop any user services and so the process would be relatively transparent to end users. In practice, the project leads of Microsoft were able to take a sample setup with SBS 2003 and migrate it to SBS 2008 with all users logged on, working, and operating uninterrupted.

Many administrators, including those who were in the alpha process, were able to take their users through the process and move their SBS server from one server to another without the users knowing. In this book, however, I don’t recommend this process unless it’s necessary. This is because it can be problematic to move Exchange Server public folders and Active Directory information during a live site.

The bottom line is that it’s certainly well designed and well supported. But just because you can do something doesn’t mean you should. Always consider whether your process is going to be good for the users or good for the business.

The Bottom Line

Set up and plan migration. One of the oldest phrases in IT is referred to as the five Ps: proper planning prevents poor performance. It’s not only a little funny; it’s true. The first step of any planned migration is to plan. When you create your plan, you can break it down into areas involving your server, network, and objects. Furthermore, you can consider hardware purchases that will be required, implementation times and deployment periods that will be the most beneficial, and what would make your migration process the easiest.

Master It: Develop a plan for a small business of 30 employees that requires the migration process to be done during business hours. The current network is running SBS 2003 and uses SBS 2003 as an ISA server. However, the ISA server is being replaced with a hardware firewall without proxy. Define any bottlenecks and potentially troubling concerns.

Create an answer file. Answer files are XML documents designed to massively import settings from a source server to a destination server. Answer files can be generated from the source server by using the Windows Server toolkit.

Master It: Create an unattended answer file that requires no user input until the migration process has been completed. Click the Install Now button at the Windows Server introduction, and see whether your installation is paused.

Migrate objects. Once the migration process has begun, the automated process will bring you to a wizard that allows you to complete the migration. This process is what actually migrates your settings and allows you to complete the wizard.

Master It: Create an installation of SBS 2008, and compare the originating server to the destination server. Ensure that the destination server has the appropriate objects.

Chapter 4

Implementing a DNS Name Server and File Sharing with SBS 2008

Windows has come a really long way since the days of Windows 3.1 and the Disk Operating System (DOS). Twenty years ago, we had no option but to input commands in text-only format, repeating ourselves if we made a mistake with a single letter. It makes you appreciate exactly how far we’ve come. Today, tasks that used to take hours can take minutes, even seconds, to complete. With Windows Small Business Server 2008, administrators can create a server naming convention system that can request names, pass it on to other naming convention systems, and resolve hosts in a matter of about 10 minutes. Furthermore, administrators can create a central repository that can share folders and data across a network with ease. In the early days of computers, even a simple connection was barely possible.

But nostalgia aside, the latest iteration of the Small Business Server platform contains a number of dramatic new improvements since the previous version, including Certificate Services that allow us to more easily share and exchange security encryptions through a business, Exchange upgrades to more easily send email, and a few new roles that will be covered in various chapters throughout the rest of this book. With all of these strides forward in not only computing but Small Business Server, you’ll need to know how to implement the important roles and special features of SBS 2008.

In this chapter, you’ll learn how to

◆ Set up the Domain Name System

◆ Set up file sharing

◆ Use the File Server Resource Manager

The Domain Name System

The Domain Name System (DNS) is a convention for converting IP addresses (discussed in Chapter 2) to traditional Internet naming conventions, such as www.google.com. In the modern day, the DNS process occurs from the front end without any end user knowledge necessary. From the perspective of a user accessing the Google search engine, the website and server being accessed is simply an unknown entity called google.com. Chances are, they don’t know that .com is actually a portion of the DNS naming convention, nor do they understand that google.com is just an alias associated with an actual IP address.

DNS in a modern small-business server environment plays a critical role. It allows small-business owners to host machines under aliases that can be accessed by people in the small business. As an example, when you set up Windows Small Business Server 2008 for a web installation through DHCP, you can simply enter an aliased name into a web browser and then easily access your server. Without DNS, this wouldn’t be possible.

With Small Business Server, DNS is normally just a handy tool that goes on in the background without anyone really knowing the inner parts of what’s happening. However, administrators using DNS in a larger environment have to pay careful attention to the Domain Name System in order to provide a careful method of checks and balances. If proper attention isn’t given to the name resolution structure, there can be instances where servers and users can’t properly reach the clients they’re supposed to, simply because they don’t know the right name to look for.

With SBS 2008, the process is usually much less arduous because the average business owner will start SBS 2008 with DNS automatically functioning and be unaware of what’s happening under the hood. In this section, I hope to expand on that knowledge and show you the vital role DNS can play in any configuration, large or small. The reason this is important for SBS users to know is that, although most DNS functions in a small environment occur automatically and without administrator or user knowledge, if you understand how to utilize DNS manually, you can drastically improve your overall administration tasks.

Anatomy of DNS

The easiest way to understand the Domain Name System is to understand that DNS functions through a system of tiers called domain namespaces. Each of these tiers of domain namespaces is divided by a dot (.) that separates the levels under which they operate. In the real world, administrators have begun to use dot separations for host and domain names as a logical way of separating a URL. For example, if you want users to access the fourth accounting server in a business, you could easily use the convention fourthserver.accounting.mybusiness.com.

This makes four different levels of separation:

fourthserver

accounting

mybusiness

com

Breaking this down further, a website such as www.intellicorp.com has three specific namespaces: www, intellicorp, and com. Together, they form a complete domain reference to a specific location.

To understand how that reference is created, it’s best to read the DNS entry in reverse order. Surprisingly, at the beginning of the address is the com portion. This section is called a top-level domain and defines the maximum level under which these references refer. It also describes the type of organization using the domain. Table 4.1 provides a full list of these top-level domains.

Top-level domains on the Internet are used to specify the overall region and purpose of an Internet domain. The most common type of domain, a .com domain, is a commercial business in the United States. When a DNS server receives the request for a .com host, it knows at the very beginning to look for a geographic region and to look for a specific type of account.

Beyond the top level, DNS entries are then broken up into domains that contain various zones, which I’ll discuss in the “DNS Zones” section a little later in the chapter. In the address www.intellicorp.com, the intellicorp portion is a domain that contains a zone. Across the Internet, standard Windows zones are broken down with resource records that indicate individual IP addresses, such as www, which may correspond to a server at 10.0.0.1. This will all begin to make sense as I continue this explanation.

Table 4.1: Top-Level Domains

Top-Level Domain Name | Organization Type
.com | Commercial business
.gov | Governmental organization
.net | Network
.org | Organization
.info | Informational site
.us | United States
.edu | Educational
.int | International organization
.uk | United Kingdom
.jp | Japan

Source: Wikipedia

At the small-business level, you don’t have control over top-level domain changes, or sometimes you’re even restricted to just one domain, as opposed to a large environment, which may have several domains. In this chapter, you’ll see how to manage the domain you have access to. For the moment, let’s start to enter DNS entries by hand.

Manual DNS Entries

One of the best ways to start understanding DNS is to just use it. Accordingly, in this section I’ll show you the value of adding your own custom DNS entries to the Windows HOSTS file. The HOSTS file is a single file that contains network names and IP addresses, which are manually entered by an administrator. If you reference Figure 4.1, you can see a HOSTS file with a very simple configuration. Some comments are listed in the HOSTS file (these are preceded by the # symbol), and then there are two hosts, the local host (127.0.0.1) and the local host for IPv6 (::1). Here, in this location, you could specify an IP address you commonly use, such as one of the oldest DNS servers on the planet, which is located at IP address 4.2.2.2. This address is useful for small-business owners, because it’s one of the most reliable addresses in the entire Internet. You can use it to determine stability, as a last resort DNS server, or even as your primary server — it’s nearly guaranteed to always work.

To show you how to create a DNS entry manually, I’ll use one of the most common practices in a small office/home office (SOHO) environment: making sure that the Internet is running. From experience, I know that the level-3 DNS server (4.2.2.2) never goes down. I’ll place it into my sample HOSTS file (so I can reference it later) and make an entry like this:

4.2.2.2 online

Figure 4.1: Sample HOSTS file

From now on, if I type the word online in my URL bar, the command window, or any other common location, Windows will instantly know that I’m referencing a predetermined host: 4.2.2.2. Thus, instead of referencing the address, I can just type the hostname whenever I need it.

Static host entries, such as the one we just created, are the most efficient type of DNS entry possible because the local host is not required to go through the process of contacting a server. Instead, it can immediately send its request to the network and begin accessing more information.

In your own business, you can use static host entries to improve efficiency. By placing a static host entry into the HOSTS file of an individual computer, you remove the need to bother any servers with a DNS lookup request and instead can just send your request straight to a router, which will eventually route your request to your intended destination. This is not only a good business practice but also a good security practice. By manually installing hostnames, you limit the amount of shared information passed through a network in an insecure manner. Often in security-critical environments, you may not want the address of something classified like supersecretserver.topsecret.gov to even be passed around. After all, once someone knows where a server is located, it exposes it to attack. Having something exist only at the local level reduces this possibility, because a DNS query isn’t sent to anything but the local host. If this isn’t done, the DNS hostname has to be resolved, which I discuss in the next section.
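Because a static entry is answered locally without any DNS server being consulted, the HOSTS file is worth reviewing like any other configuration. The following is an added example, not code from the book: a small parser and audit for the HOSTS format described above (comments after #, an address followed by one or more names). The sample file is constructed; only the 4.2.2.2 online entry and the mybusiness.com name come from the text.

```python
import ipaddress
from collections import defaultdict
from typing import NamedTuple

# Constructed sample: the loopback entries described in the text, the
# "online" entry from the text, and a few made-up lines to exercise the checks.
SAMPLE_HOSTS = """\
# Constructed sample HOSTS file (comments start with #)
127.0.0.1       localhost
::1             localhost
4.2.2.2         online          # the entry added in the text
10.0.0.15       fileserver fileserver.mybusiness.com
not-an-ip       broken
10.0.0.16
10.0.0.99       online
"""


class HostEntry(NamedTuple):
    line_no: int
    address: str
    names: tuple


def parse_hosts(text):
    """Return (entries, problems) for the contents of a HOSTS file."""
    entries, problems = [], []
    for line_no, raw in enumerate(text.splitlines(), start=1):
        line = raw.split("#", 1)[0].strip()   # drop comments and whitespace
        if not line:
            continue
        fields = line.split()
        try:
            address = ipaddress.ip_address(fields[0])
        except ValueError:
            problems.append((line_no, f"invalid address {fields[0]!r}"))
            continue
        if len(fields) < 2:
            problems.append((line_no, "address with no hostname"))
            continue
        # Hostnames are case-insensitive; normalise before comparing.
        names = tuple(n.lower().rstrip(".") for n in fields[1:])
        entries.append(HostEntry(line_no, str(address), names))
    return entries, problems


def audit(entries):
    """List static overrides and names that map to conflicting addresses.

    overrides: (name, address, line_no) for every non-loopback mapping,
               i.e. every name answered from this file instead of DNS.
    conflicts: name -> sorted addresses when one name has more than one
               address of the same IP version.
    """
    overrides = []
    by_name = defaultdict(set)
    for entry in entries:
        ip = ipaddress.ip_address(entry.address)
        for name in entry.names:
            by_name[(name, ip.version)].add(entry.address)
            if not ip.is_loopback:
                overrides.append((name, entry.address, entry.line_no))
    conflicts = {
        name: sorted(addresses)
        for (name, _version), addresses in by_name.items()
        if len(addresses) > 1
    }
    return overrides, conflicts


if __name__ == "__main__":
    parsed, bad_lines = parse_hosts(SAMPLE_HOSTS)
    static, clashes = audit(parsed)
    for name, address, line_no in static:
        print(f"line {line_no}: {name} -> {address} (answered locally)")
    for name, addresses in clashes.items():
        print(f"conflict: {name} -> {', '.join(addresses)}")
    for line_no, reason in bad_lines:
        print(f"line {line_no}: {reason}")
```

On a real machine, pass the contents of the system's HOSTS file to parse_hosts instead of the sample.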

DNS Resolution Process

With a simple DNS entry, like the manual entry just discussed, the process of resolving a DNS entry is pretty easy. Effectively, the resolution process begins when the server receives a request for an individual host, such as a user requesting to go to Google.com. The server then queries itself and says, “Do I know who this entry is?” It then looks into its own HOSTS file and says, “Yep, I sure do” (or correspondingly “No, I do not” in the case of an undefined entry).

What makes things complicated is that just about 99.9 percent of DNS requests are unknown. The reason for this is that if a local host had every single DNS entry in its own local hosts file, the file would be so massive that it would bog down the entire server. Can you imagine how unnecessary and inefficient it would be to have a server used for business know the name and IP address of every adult website and illegal file–sharing hosting company on the Internet? It’d be a nightmare. Accordingly, it’s best to understand exactly what happens in the case of an undefined entry, because the process sure doesn’t end there. This all comes down to DNS queries, which I go into in the “DNS Queries” section a little later in this chapter.

In fact, the DNS process breaks down into three separate processes:

◆ DNS server

◆ DNS client

◆ DNS resolver

DNS Server

A DNS server is a server running Domain Name Services. They’re generally used either in a branch or datacenter or by an Internet service provider to translate its named requests into IP addresses.

As an example, if Intellicorp is an ebusiness based in Chicago, there may be five or six computers running different services somewhere in a datacenter. These servers would probably all be in the intellicorp.com domain. However, they may carry a lot of different names, such as serverone.intellicorp.com, servertwo.intellicorp.com, and so forth. Accordingly, Intellicorp would need to use a DNS server to identify the names of these servers to the rest of the Internet. This means the server is running a process that accepts queries from clients for IP addresses based on domain names and then returns the IP address.

Usually in a business that involves a datacenter or a branch office, the DNS servers respond to a DNS server at a higher level. For instance, if I purchase the domain name intellicorp.com from a domain registrar like GoDaddy.com, I could easily enter the DNS information for my intellicorp domain. It’s usually a pretty simple process, such as logging onto the website that registered your domain name and saying “My DNS server is at this IP address.” This means that all requests heading for a server within the intellicorp domain would be told by the GoDaddy DNS servers that my DNS server is where I specified it with their tools.

DNS Client

A DNS client, on the other hand, is any machine that’s requesting a DNS response from a given server running DNS services. And since anything running the TCP/IP protocol must use a DNS query process, you can safely say that all Windows machines are running this. In a SOHO environment with SBS 2008, chances are that most of the computers connected to the SBS 2008 will function as clients to the SBS 2008 server, which will serve as their primary DNS server. And as discussed, that DNS server will probably respond to requests that are handed down from a higher-level DNS server, such as one operated by an ISP or a higher-level DNS server.

DNS Resolvers

A resolver can be either a server or a software process that actually figures out the correct name address. You can think of it this way: a server serves the information, the client wants it, and the resolver bridges the gap between the two via either a software service on a DNS server or a third-party application. With Windows, it’s almost always built into the DNS server.

The Importance of DNS

Even in the smallest environment, setting up DNS properly is critical. The difference between logging in with DNS set up correctly vs. incorrectly can mean the difference between seconds and hours, because the Windows logon system uses DNS to resolve the authentication process.

DNS is used throughout Windows Server 2008 in many roles that are unapparent to the administrator. By not having your server function with DNS, you can cause programs to cease working properly, as well as categorical errors with applications, including line-of-business applications.

As a case in point, a young administrator (who shall remain nameless) once decided to have a router function instead of a server as a DNS provider. Shortly thereafter, the entirety of the branch office was unable to access any part of the Internet, and business came to a complete halt, resulting in the loss of thousands of dollars worth of productivity. Do not let this happen to you.

DNS Queries

You may have noticed that one of the key words thrown out occasionally in the previous two sections was query, or, specifically, a DNS query. Throughout IT, this word is used to signify a notification that requires a response. In the case of database administration, programmers will use queries to receive a certain amount of data. And with DNS, clients will ask servers to use resolvers to find the answers to questions.

These questions, or queries, come in three separate types: iterative, recursive, and inverse.

Iterative Query

The first type of query a server can issue is an iterative query. An iterative query is a query iteration that starts at one server and then is added and passed on to another server if the server that receives the first iteration is unfamiliar with the address. Simply put, a client asks a server whether the server is familiar with the hostname. If not, the server passes it on to the next iteration of its DNS, or the next stop on the list of DNS servers that it knows of. It’s sort of like saying “Yes, I’ve heard of that” and ending the process or saying “Never heard of it — ask this server” if it hasn’t.

Recursive Query

Unlike iterative queries, recursive queries do not allow the proverbial buck to be passed, orjust dropped off and never returned. This is because reverse DNS queries absolutely require ananswer. In effect, a recursive query asks a DNS server whether it has the domain and expectsone of three responses: the proper name and IP address resolution, a ‘‘does not exist’’ message,or a temporary ‘‘waiting for response’’ message. Technically, the response it’s looking for iseither yes, along with an IP address; no, with a response that the domain does not exist; or‘‘Hold on, I’m looking for it.’’

Usually, recursive queries are used by Internet service providers (ISPs) that are trying toreduce their overall bandwidth. Unlike iterative queries, recursive queries use a very defin-able amount of bandwidth, because if the server does not know the answer, it can ask anotherserver. As an example of what might happen with a DNS query in a small-business server envi-ronment, the following process may occur:

1. A host queries, "What is the cool.snarfmagnet.com IP address?"

2. The SBS DNS server looks up cool.snarfmagnet.com in local tables and either responds with the right IP address or responds that the host was not found.

3. If not found, the SBS DNS sends a query to a root server for the IP of cool.snarfmagnet.com, usually your ISP’s DNS server.

4. The ISP DNS server replies with a referral through reverse DNS to the top-level domain for a cool.snarfmagnet.com lookup.

5. The SBS DNS server sends the query "What is the cool.snarfmagnet.com IP address?" to one of the .com top-level domain servers.

6. The top-level domain refers to the snarfmagnet.com DNS server.

7. The snarfmagnet.com DNS server sends a query to itself with "What is the cool.snarfmagnet.com IP address?"

8. It discovers the address and sends it back to the first host.
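
The walk-through above can be modeled as a recursive service that issues iterative queries on the client's behalf. The following is an added example, not code from the book: the server names, the local table and the addresses are constructed, and the model is simplified to one referral per step.

```python
# Simplified model of the lookup walk-through: the client asks once, and the
# SBS DNS server follows referrals until it gets an answer. All server names
# and addresses below are constructed for this example.
SERVERS = {
    "root": {
        "answers": {},
        "referrals": {"com": "com-tld", "test": "loop-a"},
    },
    "com-tld": {
        "answers": {},
        "referrals": {"snarfmagnet.com": "ns.snarfmagnet.com"},
    },
    "ns.snarfmagnet.com": {
        "answers": {"cool.snarfmagnet.com": "203.0.113.25"},
        "referrals": {},
    },
    # Two misconfigured servers that refer to each other forever.
    "loop-a": {"answers": {}, "referrals": {"test": "loop-b"}},
    "loop-b": {"answers": {}, "referrals": {"test": "loop-a"}},
}

# Records the SBS DNS server holds in its own zones (constructed).
LOCAL_TABLE = {"officesvr1.example.local": "192.168.0.2"}


def ask(server, name):
    """One iterative query: the server answers, refers, or reports no such name."""
    data = SERVERS[server]
    if name in data["answers"]:
        return ("answer", data["answers"][name])
    labels = name.split(".")
    # Try the longest suffix first: "snarfmagnet.com" before "com".
    for i in range(len(labels)):
        suffix = ".".join(labels[i:])
        if suffix in data["referrals"]:
            return ("referral", data["referrals"][suffix])
    return ("not found", None)


def resolve(name, max_referrals=10):
    """Recursive service: return (address or None, trace of each step taken)."""
    name = name.rstrip(".").lower()
    if name in LOCAL_TABLE:                      # step 2: local tables
        return LOCAL_TABLE[name], ["local -> answer " + LOCAL_TABLE[name]]
    trace, server = [], "root"                   # step 3: start at the root
    for _ in range(max_referrals):               # bounded: referral loops end
        kind, value = ask(server, name)
        trace.append(server + " -> " + kind + (" " + value if value else ""))
        if kind == "answer":                     # step 8: hand it to the client
            return value, trace
        if kind == "not found":
            return None, trace
        server = value                           # steps 4 to 7: follow referral
    trace.append("gave up after %d referrals" % max_referrals)
    return None, trace


if __name__ == "__main__":
    for query in ("cool.snarfmagnet.com", "officesvr1.example.local", "a.test"):
        address, steps = resolve(query)
        print(query, "=>", address)
        for step in steps:
            print("   ", step)
```

The referral cap is the part worth keeping in any real resolver logic: without it, two servers that refer to each other would keep the lookup running indefinitely.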

Inverse Query

Inverse queries are when things start to really become interesting. This is because, up until now, the only way to achieve a DNS resolution was through the process of asking a DNS server if it had ever heard of a particular name and then asking it for the IP address associated with that name. However, this isn’t the only way the domain name system can resolve. In fact, it can do it the opposite way — by resolving names to IP addresses.

The feat of mapping an IP address to a domain name is accomplished by using pointer (PTR) records. PTR records contain reverse information that binds this name to an IP address by using the in-addr.arpa convention. This convention uses an octet system that maps IP addresses from their least to most specific portions. For example, an address such as 10.0.1.5 goes from the least specific portion to the most specific:

10: The category A subnet that implies hundreds of millions of addresses

0: The category B subnet that could contain hundreds of thousands of addresses

1: The category C subnet that could in and of itself hold thousands of addresses

5: The most specific address that can be mapped to only one logical device

Thus, when using PTR records, the DNS server would create a PTR record of 5.1.0.10.in-addr.arpa for this host.

PTR records may seem a little confusing, and for the most part they are out of the range of knowledge required to operate SBS 2008 effectively. However, PTR records do usually show up in the small-to-medium business market when an administrator is setting up email. This is because a large share of Internet service providers that provide email, such as AT&T and Google, require that there be a known PTR record for any addresses functioning as a mail delivery system. Without a PTR, these ISPs have no way to ensure that these servers are not just random bots or malicious users seeking to crash their mail systems with unnecessary email.

DNS Zones

With SBS 2008 and all versions of Windows Server 2008, DNS records are placed into collections of records called DNS zones. For those new to DNS, it can be a little confusing, but the easiest way to think about DNS zones is that they are similar to "folders" of DNS records that contain various host types, which I will discuss in more detail in the next section.

Within DNS, you need to be familiar with four types of zones: primary, secondary, stub, and GlobalNames. I’ll discuss each of these briefly and then discuss how each of these zone types can be broken down into two categories: forward lookup zones and reverse lookup zones.

Primary Zones

As the name implies, a primary zone is the primary collection of all host records for a DNS server. With Windows, these primary zones can be either integrated or not integrated into Active Directory. The advantage of having these zones integrated with Active Directory is that your Windows server will include these hosts’ records, aliases, and other DNS records throughout the entirety of its Active Directory database so they will be passed on to other users who are connected to the server. This greatly reduces network traffic and enhances network security.

So, because of this nifty feature, most administrators almost always make their primary zones Active Directory integrated. However, there are some reasons you might choose not to do so. For whatever reason, a user may have specific local hosts that they may not want to know all of the primary zone information. In a small office, for example, there could be a situation where there are multiple joined host computers, one of which is owned by the small-business owner. And he just may not like the idea of using all the servers’ DNS information. It’s rare, but sometimes it happens.

Secondary Zones

If there are primary zones, there just have to be secondary zones, doesn’t there? Well, of course! And that’s because they’re quite useful. Granted, with SBS 2008 they aren’t quite as popular as primary zones, but that’s because SBS 2008 is essentially a one-stop shop for all Windows features — it usually consists of only one server, two at the max.

Secondary zones do, however, exist throughout the rest of the Internet. In Windows, secondary zones are exact replications of primary zones that are designed to serve as points of fault tolerance, as well as replications of primary zones to ease the burden on primary DNS providers. You see, unlike Active Directory–integrated primary DNS zones, secondary zones do not need to be added to a domain controller and can instead be placed on any member server — which can really ease the burden on your domain controller.

Another tidbit of information you need to know about secondary zones is that the information they contain cannot be edited or updated. This is mostly for security reasons, but it makes sense when you think about it. Primary zones are integrated into your domain controller and can be updated based on administrator settings, whether that means whenever the server learns something or just when an administrator decides to update. Secondary zones, on the other hand, always contain the same information, so administrators don’t have to worry about them being compromised.

Stub Zones

Stub zones are like light secondary zones. They are secondary zones that can contain only name server, host, and alias record types. I’ll go into these record types more in depth in the next section, but for right now keep in mind that stub zones are just like secondary zones, except that they can contain only three record types — a lighter, meaner, and even more efficient version of an already efficient concept.

GlobalNames Zones

Secondary zones aren’t used too much with small businesses, but GlobalNames zones are rarely used indeed. But, for the sake of thoroughness, I’ll briefly discuss them.

A GlobalNames zone is a modern convention to adapt to the old NetBIOS convention of using Windows Internet Name Service (WINS) to resolve names. I’m not going to go into a huge discussion of WINS, but I will go so far as to say that WINS used a series of CNAME record types to map locations. However, the implementation proved to be inefficient on the high end and was therefore replaced. For more about WINS, see http://technet.microsoft.com/en-us/library/cc784180.aspx.

Forward and Reverse Lookup Zones

Thinking back to the previous section on inverse queries will help you a lot in understanding forward and reverse lookup zones. This is because DNS with Windows SBS 2008 and all other versions of Windows Server 2008 is divided into two different types of zones: those that resolve DNS inquiries "forwardly" or by resolving names to IP addresses and those that resolve names in reverse by using PTR records to resolve IP addresses to host names.

It really isn’t all that hard to understand, but unless you remember that, the zones discussed in the previous sections can get a little confusing. Just keep in mind that all zone types are classified into either forward or reverse and then subcategorized into the categories of primary, secondary, stub, and GlobalNames.

DNS Record

At last, what you’re really interested in with SBS — DNS records! As I stated earlier, DNS zones are essentially just collections of DNS records. This makes it kind of hard to understand what a DNS zone is without understanding DNS records to begin with. This section should alleviate that.

Simply put, a DNS record is an assigned location for a specific type of host. These hosts can be normal hosts, aliases, mail exchangers, or various other types of records that I’ll explain a little later. When a user sends a query to a DNS server, the DNS server looks into one of its zones and sees whether it has a record that matches that query. For example, a user may issue a query that in pseudo-code looks something like this: "I’m looking for mail.intellicorp.com."

The DNS server would then check its primary zone at intellicorp (within the .com domain) and then look to see whether it has a host called mail. If it did, it would respond with an affirmative response.

Take a look at Figure 4.2. In that figure, I’ve captured the default setting of the DNS service that comes with SBS 2008. You can access your own similar server’s DNS Manager by selecting Start > Administrative Tools > DNS.

Figure 4.2

DNS Manager

As you can see, a whole lot of hosts already exist! By default, SBS tries to remove a lot of the burden of manually adding DNS host records by autocreating some of them for you. There is already a record for officesvr1, as well as other records such as Sites and SharepointSMTPServer. What this all means will become clear in a moment, but it’s good to take a look at the big picture before you get too far along the path. But now, you need to start understanding DNS records. This is because SBS Server, more so than just about any Windows Server product, really relies on DNS records. Small offices sometimes know of a few computers only or are actually part of a larger organization that just needs a centrally located server to take care of all its business needs. With SBS 2008, you can use the DNS Manager to outline the network in a very efficient fashion. You can tell it where all of the hosts are or set it up to define them automatically — as it does by default.

DNS Record Types

With SBS 2008, you need to be familiar with these five record types:

◆ Hosts

◆ Name servers

◆ Aliases

◆ Pointers

◆ Mail exchanger

I’ll discuss each of these record types one at a time, with an example of each.

Host Records

A host address record, or A record, signifies the existence of a single, solitary host that contains an IP address. An example of a host address record is something like this:

www IN A 63.146.189.101

With this record, the categories are as follows:

HostName | Time_to_Live | Record_Type | IP_Address

The hostname is www, the time to live is optional (and shows for how long the record is valid), the record type is an A record, and the IP address is 63.146.189.101.

The A records are used for individual machines, web boxes, SMTP servers, and just about any machine that doesn’t contain one of the other known record types. If you’re like just about every other SBS 2008 administrator, you’ll end up with a whole lot of A records in your DNS database.

Name Servers

If a machine is running DNS, it’s good to have a name server record associated with it. For example, the following NS record actually shows that there is a name server in this DNS database:

Cramsession.com. IN NS cramsession.com

Unlike a host record, an IP address isn’t specified (because it’s just a name server record, not a host record), and thus this breaks down as follows:

Name | Address Class | Record Type | NameServerName

◆ The name is cramsession.com.

◆ The address class is IN: Internet.

◆ The record type is NS: name server.

◆ The name server name is the fully qualified domain name of the responsible server: cramsession.com

This means that users looking for the name server cramsession.com will query their own DNS server for the name cramsession.com.

With SBS 2008, these records become vitally important if you need to set up another optional name server for your small-business server. Say, for example, you work in a larger environment or are a small company owned by a larger one. The larger company may have another name server that contains hundreds of thousands of host records. This way, SBS can specify a name server and have the name server on record if it needs to access it. In the cramsession example, it may know tons of names you’ve never heard of at the SBS level but that it may need if for some reason they’re requested by the larger company. In fact, the name server you specify for the larger company may have hosts you would have never heard of unless you told SBS to specifically look for the name server. The name niceexample.cramsession.com may not even be publicly accessible, for example, unless you know about the cramsession.com name server.

Aliases

An alias record is used if you already have an A record for a host and you’d like to have another name for that host. So, for example, if you already have a www record for intellicorp.com (www.intellicorp.com on the Internet), you could create an alias called neat.intellicorp.com that would actually point to the same place. This is accomplished by creating an alias or canonical name (CNAME) that references the previously existing host. So, for example, earlier the hostname was www.intellicorp.com at 63.146.189.101.

To make an alias for this host, called supercool, you could create an alias record that looks like this:

supercool.intellicorp.com IN CNAME www.intellicorp.com

This makes supercool.intellicorp.com report to the alias of www.intellicorp.com.

Pointers

Pointers, or PTR records (discussed earlier), are reverse records that translate IP addresses to hostnames. In DNS, these records look like this:

Reversed Address.in-addr.arpa | TTL | IN | Target Domain

Earlier, in the simple hosts, a PTR record for that associated query would associate the www.intellicorp.com host with its given IP address. This would look like this:

101.189.146.63.in-addr.arpa IN PTR www.intellicorp.com

This now makes any user who tries to resolve the IP address of 63.146.189.101 automatically resolve to www.intellicorp.com.

Mail Exchangers

A mail exchanger record is used to let external SMTP mail servers and various hosts know the location of your company’s (or, more specifically, your DNS zone’s) mail exchanger location. This type of record, called an MX record, is stored similarly to other records you’ve seen. It uses this format:

Domain | Class | Type | Host

If you had an Exchange mail server at, say, 10.0.1.100, you could make an entry that looks like this:

Intellicorp.com IN MX 0 mail.intellicorp.com

This makes the intellicorp.com mail exchanger look for the host at mail.intellicorp.com, which would need its own respective host record.
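
The record types in this section, and the earlier point that mail providers expect a PTR record for a sending mail server, can be checked together. The following is an added example, not code from the book: it parses records written in the formats shown above, builds in-addr.arpa names, and reports MX targets that lack a host record or a PTR record. The second MX line (backup.intellicorp.com) and all function names are constructed for the example.

```python
import ipaddress

# Constructed zone data. The www, supercool, MX 0 and PTR lines follow the
# record examples in this chapter; the second MX line and the missing PTR for
# the mail host are added here so the checks have something to find.
ZONE_TEXT = """
www.intellicorp.com          IN A     63.146.189.101
mail.intellicorp.com         IN A     10.0.1.100
supercool.intellicorp.com    IN CNAME www.intellicorp.com
intellicorp.com              IN MX    0 mail.intellicorp.com
intellicorp.com              IN MX    10 backup.intellicorp.com
101.189.146.63.in-addr.arpa  IN PTR   www.intellicorp.com
"""


def norm(name):
    """Compare DNS names case-insensitively and without the trailing dot."""
    return name.rstrip(".").lower()


def reverse_name(ip):
    """Build the in-addr.arpa owner name for an IPv4 address."""
    addr = ipaddress.IPv4Address(ip)  # raises ValueError on malformed input
    return ".".join(reversed(str(addr).split("."))) + ".in-addr.arpa"


def parse_zone(text):
    """Parse 'name [ttl] [IN] TYPE data' lines into (name, type, data) tuples."""
    records = []
    for line in text.splitlines():
        tokens = line.split(";")[0].split()   # drop comments and blank lines
        if not tokens:
            continue
        name, rest = norm(tokens[0]), tokens[1:]
        if rest and rest[0].isdigit():        # optional time to live
            rest = rest[1:]
        if rest and rest[0].upper() == "IN":  # optional address class
            rest = rest[1:]
        if len(rest) < 2:
            raise ValueError("incomplete record: " + line.strip())
        rtype, data = rest[0].upper(), rest[1:]
        if rtype == "MX":
            if len(data) != 2:
                raise ValueError("MX needs a priority and a host: " + line.strip())
            records.append((name, rtype, (int(data[0]), norm(data[1]))))
        elif rtype == "A":
            records.append((name, rtype, str(ipaddress.IPv4Address(data[0]))))
        else:                                 # NS, CNAME, PTR: one target name
            records.append((name, rtype, norm(data[0])))
    return records


def lookup(records, name, rtype):
    """All data values stored under one owner name and record type."""
    return [data for n, t, data in records if n == norm(name) and t == rtype]


def resolve_a(records, name, max_hops=8):
    """Return the A addresses for a name, following alias (CNAME) records."""
    for _ in range(max_hops):                 # bounded so alias loops end
        addresses = lookup(records, name, "A")
        if addresses:
            return addresses
        aliases = lookup(records, name, "CNAME")
        if not aliases:
            return []
        name = aliases[0]
    return []


def forward_confirmed(records, ip):
    """True when ip has a PTR record whose target name resolves back to ip."""
    targets = lookup(records, reverse_name(ip), "PTR")
    return any(ip in resolve_a(records, target) for target in targets)


def mail_exchangers(records, domain):
    """MX entries for a domain, most preferred (lowest number) first."""
    return sorted(lookup(records, domain, "MX"))


def audit_mail_dns(records, domain):
    """List DNS gaps that a receiving mail system could hold against a domain."""
    findings = []
    for _, host in mail_exchangers(records, domain):
        addresses = resolve_a(records, host)
        if not addresses:
            findings.append(host + ": MX target has no host (A) record")
        for ip in addresses:
            if not lookup(records, reverse_name(ip), "PTR"):
                findings.append(host + ": no PTR record for " + ip)
            elif not forward_confirmed(records, ip):
                findings.append(host + ": PTR for " + ip + " does not resolve back")
    return findings


if __name__ == "__main__":
    for finding in audit_mail_dns(parse_zone(ZONE_TEXT), "intellicorp.com"):
        print(finding)
```

Running the audit before publishing an MX record catches the two gaps shown here: a mail host with no matching PTR record, and an MX entry pointing at a name that has no host record at all.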

Creating Records

Now that you have an idea of how DNS records work and understand the zones that contain them, it’s time to create and use some simple records that will familiarize you with how to administer the SBS 2008 DNS Manager.

In this exercise, you will create and add a standard host record to a new forward lookup zone called intellicorp.com. For your own purposes, you can name the zone anything you like, but you will need to keep track of any changes you make that differ from these exact exercises. Otherwise, future exercises that reference this material will seem unfamiliar.

1. Open the DNS Manager by navigating to Start > Administrative Tools > DNS.

2. Expand your server by clicking the minus symbol, then right-click Forward Lookup Zones, and finally select New Zone, as shown here:

3. This opens the New Zone Wizard. Click Next after it appears.

4. As shown here, select Primary Zone, and then click Next. Make sure the check box in the Store The Zone In Active Directory section is selected.

5. Click Next.

6. On the next screen, you can choose whether you want this zone to be replicated to just this domain or to the entire forest. Since you are using only a single domain environment, limit this to the domain, and click Next.

7. On the New Zone Wizard screen shown here, name your zone intellicorp.com.

8. Click Next.

9. You want to allow only secure dynamic updates, so leave the Dynamic Update selection screen as the default, and click Next.

10. Finish the zone wizard by clicking Finish.

11. Once the wizard is complete, you will see intellicorp.com added to your list of forward lookup zones. Highlight intellicorp.com by selecting it.

12. In the area to the right of the gray bar separating the locations from the records, right-click any empty white space area, and select New Host.

13. In the New Host box, enter the name test for the name and an IP address in your subnet, such as 192.168.0.240.

14. Select Add Host.

15. A message box will appear saying you have completed adding a host file. Once this is complete, you can click OK and see that a host file called test is now in the intellicorp.com lookup zone.

Configure MX Records

Now that you’ve created a DNS zone and added a host, you will configure a mail exchanger record for SBS 2008 so that you can understand how this process works. In future installations you may do in your business or with your respective clients, you will probably have to conduct this exercise often.

1. Open the DNS Manager by navigating to Start > Administrative Tools > DNS.

2. Expand your server by clicking the minus symbol, then right-click Forward Lookup Zones, and finally select the intellicorp.com zone you just created.

3. Create another host record called mail by repeating the steps you completed in the "Creating Records" exercise, except this time name the host mail and give the IP address of your SBS 2008 computer.

4. Now, right-click any whitespace available, and select the New Mail Exchanger (MX) record. You will see an image like the one shown here:

5. You will see an area in which to place a host or child domain name. As the box says, most of the time this is left blank. However, in this case, you’ve actually created a host called mail for the purpose of illustrating a point. With this host created, you can choose it as your mail server. However, many administrators choose to leave their domain mail server the same as their domain name by default. The decision you make is up to you.

6. Next, in the Mail Server Priority section of the screen, you’ll want to leave the default of 10 in the box. Windows evaluates servers by choosing the server with the lowest mail server priority. This is because a lower number indicates a more preferred server.

7. Click OK.

The mail server will appear as shown here:

Implementing File Sharing

As an administrator, whether you run a small or large business, file sharing is often your best friend. Through the effective use of file sharing, users can swap files, provide a central repository for collective work, give administrators control over where files are stored, and just generally provide a lot of worry- and hassle-free control of file management.

In previous versions of Windows, file sharing was a little onerous to administer because of the various levels of protection associated with each of the files, along with the processes of mapping drives and other little complications that arose along the way. But with SBS 2008, this has been made much easier.

You can access shared folders through the Windows SBS Console, as shown in Figure 4.3. This is a dramatic change from SBS 2003, in which shared folders were still controlled the "old-fashioned way" — with Windows permissions. The SBS 2008 method makes it a lot easier for administrators new to Windows permissions to make changes quickly and effectively, which allows you to let users access files with ease throughout your environment.

Figure 4.3

Windows SBS Console shared folders

Default Shares

By default, SBS 2008 creates three separate shares that you need to pay attention to:

◆ A public share

◆ Redirected folders

◆ User shares

Before I talk about how to add new shares and specify them to your business’s needs, I’ll explore the shares that SBS 2008 has already created. First, one of the most useful folders that SBS creates is the public share folder, which appears in the */Users/Public location of your system drive.

If you navigate to that folder, you’ll see that Public contains five separate subfolders for public documents, downloads, music, pictures, and video, as shown in Figure 4.4.

Figure 4.4

Public folder contents

The main purpose behind the Public share folder is pretty simple. Effectively, it’s a file that can be accessed by everyone and gives full read and write privileges. This allows employees or users accessing the folder to download items from this folder, place music or media in this folder, and just generally put whatever they would like within it. So, you can see that the Public folder can be accessed by anyone. Just look at the permissions on the folder by double-clicking the Public share. You’ll see it displayed as shown in Figure 4.5.

In general, this is a good practice because it gives a secured area of the server where users can download virtually anything. However, you should keep in mind that the Public folder is not foolproof. Users can still download viruses to this location and wreak havoc if they place malicious files there. However, it is considered a good business practice to have a share that can be accessed by everyone. This way, you don’t need to have as much administrative overhead as you would with specific shares.

Figure 4.5

Public share default permissions

Another shared folder that you need to pay attention to with SBS 2008 is the RedirectedFolders default share. Personally, this is my favorite feature of the shared folder improvements of SBS 2008.

Explaining the RedirectedFolders share when going over basic Windows share permissions is a bit like putting the cart before the horse, because I haven’t yet discussed some of the consequences associated with file and folder permissions, but I’m going to go ahead and do it anyway, just because it’s so darn easy. Take another look at Figure 4.3, and you’ll see that the second folder on the list is the RedirectedFolders share. This folder is designed to serve as a repository of "redirected" user account folders that are actually on the server and not the local machines. These folders include My Documents, Desktop, and anything else a user may specify.

If you double-click RedirectedFolders, you’ll see that the share is set by default to Everyone. That’s a little deceiving, because the share is set to be accessible by everyone, but it’s set up internally within SBS 2008 Group Policy to be able to be specified to individual users. You can do so by clicking the Redirect Folders for User Account To The Server link, as shown in Figure 4.6.

Clicking this link will open the dialog box shown in Figure 4.7, wherein you can choose the folder names and user accounts that you want to see redirected. Personally, I’ve gone ahead and decided that I’d like just my documents to be reassigned. I’ve then also checked for my own user account to be the user account that is redirected.

It’s pretty amazing, but just by clicking OK after doing this, Windows SBS 2008 will change the default policy of all connected user accounts that are specified in this policy to store their folders within this shared redirected folder, rather than within their default local disk folder on their own computer. If you’d like to see it in action, create a user account for yourself, and then log out and log in with your computer. You will notice that your Documents folder will originally be stored on your local computer, and then when you log in again, it will be automatically stored on the server.

Figure 4.6

Folder redirection

Figure 4.7

Folder redirection properties

This is not only exceptionally neat but also exceptionally powerful. Having users store their documents on your server is an extremely good business practice because your server most likely has redundant technologies such as RAID and server software that is designed to be more reliable than client software. Additionally, should an employee have to be terminated or released, having these folders stored on a server gives the small-business owner the assurance that the data is safe with them vs. being embedded within a computer that an angry ex-employee can easily tamper with out of retaliation or spite.

Now, just for bonus points, let’s look at what’s going on behind the scenes here. Once you’ve done this in the shared folders SBS console utility, a group policy object (GPO) is altered and applied to your server. You can access this GPO if you’re interested in the Group Policy Management Editor by going to Administrative Tools and then Group Policy Management. If you expand your forest, then your domains, and then your .local domain, you will see the policy under Group Policy Objects — it’s called Small Business Server Folder Redirection Policy, as shown in Figure 4.8.

Figure 4.8

Small Business Server Folder Redirection Policy location

If you right-click this policy and select Edit, you will open the policy. You can then expand User Configuration > Policies > Windows Settings > Folder Redirection and then right-click Documents and select Properties, resulting in the box shown in Figure 4.9.

Figure 4.9

Folder redirection properties

Here, you can see that users have been granted exclusive rights to their documents so other users cannot modify them, the SBS server moves the contents to their new location automatically, and it retroactively applies this policy to older versions of Windows. And to boot, it is set to redirect if you as the administrator decide to alter the policy. But of course, you can change that. However, it’s not really a great idea to do so, because you most likely won’t remove the policy.

Finally, the last folder available by default through SBS 2008 is the UserShares folder. This folder, similar to RedirectedFolders, is designed to serve as a shared folder that users can place publicly. This might be useful in an enterprise situation where an individual wants to make a few users aware of a file but share with the entire organization in the Public folder. By default, users joined to SBS 2008 will be given a user share where they can store and share data with the rest of the organization.

Creating a New Share

If you’re like just about any other business in the world, you’re going to need more shares than those listed by default. Accordingly, you need to understand a little bit more about file permissions, sharing, and the dangers involved with making information publicly available on a share.

This section is going to help solve those concerns by explaining how to make a share, how to assign permissions, and how to stop and start sharing a folder based on an immediate need or emergency. So, let’s start with the easy stuff — making the share.

The sheer art of it is mind boggling in its conception. You hit the Add A New Shared Folder button. This opens the Shared Folder Location Wizard, which will help you create new shares for your business. You can see this wizard in Figure 4.10.

Figure 4.10

Shared Folder Location Wizard

To specify a new location, you can click the Browse button and then specify a previously existing location, or just make a new one with the New Folder button. I’m going to make a new shared folder called Accounting on my server’s C drive. Once I’ve done this, I’ll go ahead and click Next. Since I’m going to worry about folder permissions later, I leave the next screen blank and make sure No, Do Not Change NTFS Permissions is selected. Then I click Next.

I can then choose whether I’d like to use Server Message Block (SMB) or Network File System (NFS). SMB is the default available method and really the preferred method for Windows. Usually NFS is used for Linux or Unix servers and not for Windows. So, since this is set by default, I can just click Next again.

The screen shown in Figure 4.11 is where things start to get interesting because you begin to enter into SMB permissions.

Figure 4.11

SMB Permissions screen

By default, SBS 2008 comes with three instant settings:

◆ All users and groups have only read access.

◆ Administrators have Full Control; all other users and groups have only read access.

◆ Administrators have Full Control; all other users and groups have only read access and write access.

These settings are fairly self-defined. With the first setting, everyone can only "read" the files in the folder and not write anything to it. Note that this includes accounts with administrator access. With the other two settings, administrators are given full control, and the other users are allowed to read or also to read and write to the given folders. The second option is useful if you’d like to make a document accessible to all users but do not want them to be able to alter the contents of the folder. The last option is handy if you just want to make a simple folder share that anyone can add files to.

However, these three are not the only settings available. There is also an optional User And Groups Have Custom Share Permissions radio button. For learning purposes, let’s select it and then hit the Permissions button.

In this location, you can specify individual users and groups from Active Directory to be added into your folder. You can then grant them one of three permissions:

◆ Read

◆ Change

◆ Full Control

The Read permission gives users the ability to read from the folder but not write to it. Change gives users the permission to not only read but to also change filenames and add and remove folders. The Full Control permission allows users to do all of the above, as well as to override other users’ decisions.

For my purpose, I’m going to select the second radio button in Figure 4.11, Administrators Have Full Control; All Other Users and Groups Have Only Read Access. This is because I want only administrators to control what’s put into the Accounting folder, but I want all my users to be able to read it.

Clicking Next opens the quota policy you see in Figure 4.12. The quota policy allows you to limit the amount of data accessed by the folder share in one of six template methods, summarized in Table 4.2.

Figure 4.12: Quota Policy screen

Because I’m just making a simple Accounting folder, I’m going to select only a 100MB limit. You can then click Next if you’re following along.

The next page, in Figure 4.13, lets you apply a file-screening option. This is an extremely useful feature if you want to specifically prohibit certain file types from being added. A good example of this is if you have a lot of users who are adding pictures, music, or videos that you may not want added.


Table 4.2: Quota Templates

| Template | Description |
|---|---|
| 100 MB Limit | Places a hard limit of 100MB on the shared folder |
| 200 MB Limit Reports to User | Places a hard limit of 200MB on the share and notifies the user if it reaches within 10 percent of that threshold (180MB) |
| 200 MB Limit with 50 MB extension | Creates a 200MB share with a 50MB extended threshold for data overflow |
| 250 MB Extended Limit | Creates a soft limit of 250MB that can be overridden |
| Monitor 200 GB Volume Usage | Monitors a folder and shows whether it has used more than 200GB of total input/output |
| Monitor 500 MB Share | Monitors a 500MB share |

Figure 4.13: File Screen Policy screen

On this screen, you can apply a policy and select any of the templates listed in Table 4.3.

Because I am going to be the only one adding files, I’m not going to add on a filter. However, if you’d like, you can feel free to do so on your own share. After all, it’s your share! After you make your decision, click Next.

The next section, on DFS namespace publishing, allows you to place a shared folder in a distributed file sharing location. For the moment, I’m going to ignore this section because I will cover it later in this chapter. Go ahead and click Next.


Table 4.3: File Screening Policy Templates

| Template | Description |
|---|---|
| Block Audio and Video Files | Prohibits audio and video files, such as MP3s or MPEGs, from being stored on the file share. |
| Block E-mail Files | Prohibits email messages and archived email files from being stored on the share. |
| Block Executable Files | Prohibits executable files. |
| Block Image Files | Blocks JPGs, PNGs, GIFs, TIFs, or other image files from the server. Keep in mind that there are a few odd image types that may pass through. |
| Monitor Executable and System Files | Monitors whether executable or system files have been placed on the share and sends a notification to the administrator. This is mostly a security measure against viruses and malicious outbreaks. |

On the next screen, you’ll see that all the permissions you’ve set are summarized in an easy-to-read format, as shown in Figure 4.14. At this point, you can review what you’ve created, and if it’s to your liking, you simply hit Create. If it’s successful, you should see the green check mark shown in Figure 4.15, and you can select Close.

Figure 4.14: Review Settings and Create Share screen

Now, when you go back to the Shared Folders screen, you’ll see the Accounting folder added, complete with its 100MB quota.


Figure 4.15: Confirmation screen

The Distributed File System

In addition to shared folders, one of the other folder sharing options available to Windows Server 2008 administrators with any version of Windows Server 2008 is the distributed file system (DFS). The distributed file system works on the basis that disk space is ultimately limited, and one individual computer may not have enough disk space to accommodate the needs of the entire user base. Furthermore, DFS also takes into consideration that it may be a good operating practice for an organization to spread its files through multiple operating systems to enhance reliability. In a small-business environment, this is especially important because of the (usually) small number of computers and lack of space available. With DFS, you can spread shared folders and their space requirements among many different machines and save a great deal of space in your environment.

DFS accomplishes this by using a decentralized store concept that is fairly straightforward. Effectively, DFS creates a shared folder–like share that is spread throughout multiple computers through the use of Remote Differential Compression (RDC). Through RDC, Windows Server detects changes in the file structure and replicates these changes throughout the rest of the server system. These folders are collectively placed into a tree-like structure called a DFS namespace that appears to the user as a centralized collection of folders, with the actual backend procedures completely obscured from sight. Figure 4.16, copyright of Microsoft, illustrates the concept extremely effectively.

Figure 4.16: The Distributed File System (diagram labels: User in Tampa, Server in Tampa, User in Houston, Server in Houston, Namespace, Access, Referral, DFS replication)

The DFS system takes advantage of two important technologies that I mentioned in passing earlier in this chapter but didn’t completely describe:

◆ DFS namespaces

◆ DFS replication


DFS Namespaces

DFS namespaces are collective "virtual" trees of shared folders that are stored in a central location that appears to the user as a simple folder structure. In reality, these folders are spread throughout multiple locations, across either LAN or WAN links. DFS namespaces are often used when companies are expanding to branch-office locations and need to find a way to easily share their data through multiple offices.

DFS namespaces are divided into two types: domain-based and stand-alone namespaces.

Domain-based namespace: A domain-based namespace is stored in Active Directory domain services. This means it’s accessible by multiple servers within the domain and supports increased scalability because it’s accessible throughout the domain. Usually with SBS, this is the only type of DFS namespace you use.

Stand-alone namespace: A stand-alone namespace is isolated to a single server to isolate it from the rest of the environment. Keep in mind, however, that a stand-alone namespace can be replicated to a failover cluster for reliability. Usually, most organizations don’t choose to do this because it defeats the purpose a little bit. In a small business, you usually don’t get involved with stand-alone namespaces.

DFS Replication

DFS replication is the technology that fuels the distributed file system. It supports scheduling, bandwidth throttling or limitations, and compression through the use of remote differential compression. DFS replication keeps folder properties synchronized through multiple-user environments in various "states" that are tracked continuously by Windows Server 2008 through the use of replication groups. These are groups that are set up by an administrator to replicate the settings of folders among multiple servers either for the purpose of content sharing or to connect through a hub-and-spoke model where one server functions as a central hub and another server is set as a spoke in another branch office.

Systems That Support DFS

Note that Windows Server 2008 DFS is supported on Windows Server 2003 SP1, Windows Server 2003 R2, and Windows Server 2008.

DFS Limitations

Keep in mind that Microsoft notes a few limitations in its DFS documentation:

◆ Each server can be a member of up to 256 replication groups, and each replication group can contain up to 256 replicated folders.

◆ Each server can have up to 256 connections (this includes both incoming and outgoing) and can contain up to 1 terabyte of replicated files.

◆ A replication group also can contain only up to 256 members.

◆ A volume can contain up to 8 million replicated files.

◆ On each server, the number of replication groups is restricted. But thankfully, with SBS 2008 and a small environment, it is highly unlikely that you will ever reach this limitation. And if you did? Well, then you should probably be running the full version of Windows Server 2008.


Setting Up DFS

Unlike a lot of the features of SBS 2008, DFS cannot be enabled from the console. Instead, DFS has to be installed as it would be on other Windows Server 2008 operating systems. You can do so by first clicking the Server Manager button in the lower-left portion of your screen, next to the Start menu, shown in Figure 4.17. This will open the Server Manager menu, shown in Figure 4.18.

Figure 4.17: Server Manager Start menu

Figure 4.18: Server Manager

On other versions of Windows Server 2008, the Server Manager is the central point of operation for the management of your Windows server. With SBS 2008, since you have the console, it is a little bit less so. However, you can still accomplish a great deal through the use of the Server Manager, including, of course, the installation of DFS.

To install DFS, you will need to select the Roles section on the left of the Server Manager screen and then scroll down on the right until you see File Services, as shown in Figure 4.19. Once you’re there, click Add Role Services to open the Select Role Services screen that you see in Figure 4.20.

From here, select Distributed File System, which will automatically select DFS Namespaces and DFS Replication. You can then click Next. This will open the namespace wizard screen dubbed Create A DFS Namespace. In the box shown in Figure 4.21, you’ll need to enter the name for your namespace. I usually choose something like SharedFiles.

Click Next to open the namespace type selection screen. You’ll see that you can select the two different types of namespace, domain-based or stand-alone. Go ahead and choose Domain-Based Namespace, as shown in Figure 4.22, and click Next. This will open the namespace configuration screen shown in Figure 4.23.


Figure 4.19: Roles management

Figure 4.20: Select Role Services screen


Figure 4.21: Create A DFS Namespace screen

Figure 4.22: Namespace type selection


Figure 4.23: Configure Namespace screen

On this screen, you can choose virtual folders that you want to add to your namespace. Normally at this point, administrators will go throughout their organization and pick shared folders, server folders, and other information to add to the namespace by using the Add button and choosing them. If you’d like, you can go ahead and pick a few. But since this is just a demonstration, I’ll just click Next and assume I would have added folders later. Finally, click Install. It should take only a few minutes; when it completes, you can click Close.

DFS Management

DFS comes with a series of nifty tools that you can access once it is installed. To view and use them, you can navigate to Start > Administrative Tools > DFS Management. This will open the DFS Management tool you see in Figure 4.24.

Here, you can expand the namespaces that you have created, select them, and do some useful administrative tasks such as adding new folders, delegating them to other administrators, and then adding them to a replication group, which I will explore now.

DFS Replication Groups

Earlier I discussed how DFS uses RDC to replicate information between servers. Unfortunately, it doesn’t just miraculously do this out of the box. Instead, you have to set it up, which you can do by opening the DFS Management tool and then clicking Replication. Once there, you can select New Replication Group. This will open the New Replication Group Wizard shown in Figure 4.25.

In this wizard, you can choose two types of groups, one for replication and one for data collection. Go ahead and choose a multipurpose group, and click Next. The next screen you’ll see will allow you to choose the name of a replication group. Here again, I try to stick to simple naming conventions like DFSrep, just so I remember what it is. In the box below your replication group name, you can choose an optional description of this group. Normally I choose to leave this blank, but you are the administrator in charge, so you can fill it in if you’d like. Either way, when you’re done, you can click Next.


Figure 4.24: DFS Management

Figure 4.25: New Replication Group Wizard

At the screen shown in Figure 4.26, you can choose servers to add to your replication group. In a large environment, this ends up growing at a pretty rapid rate, but for the moment you have only one server. So, you can just click the Add button and then type the name of your server in the pop-up box; then click OK.

Because you’re dealing only with a small office and you haven’t added a great deal of servers and members and so forth, I’m not going to show all of the steps involved with setting up DFS, but you can find a lot of documentation on Microsoft’s website.


Figure 4.26: Replication Group Members screen

The File Server Resource Manager

With SBS 2008, Microsoft has included the File Server Resource Manager (FSRM) as another tool that administrators can use to keep control of the files and shared folders that are contained within their server. Using FSRM, administrators can easily create quotas for folders, as well as file screens.

Earlier, when you used the SBS 2008 console to enable file sharing, you effectively did this. The FSRM is just a more advanced method of doing so. You can access the FSRM by navigating to Start > Administrative Tools > File Server Resource Manager. Once there, you can access the quota management or file screening management selections on the left.

If you expand Quota Management and then select Quotas, you will see the folders you created earlier, along with their rules, as depicted in Figure 4.27. Double-clicking any of these folders will open the administrative quota template you see in Figure 4.28.

There, you can make any adjustments you’d like. And similarly, you can add a new quota by clicking the Create Quota button on the right.

Both quotas and file screens were already covered briefly in the section on shared folders, but it’s important that you see them both in action now. Effectively, each of these systems works by first creating a quota or file screen and then applying a preexisting template to the screen. This then applies the predefined template to the files or folders specified and cuts your work in half. It’s really quite easy, and a little fun.

The only thing that’s really different about FSRM from what you used in shared folders is the File Groups section you see in Figure 4.29. The File Groups section is a collection of group types. As an administrator, you can create your own group types to use as filters. For instance, if you’re a programmer, you may have a custom file type called WAD and want only WAD files to be placed inside a particular folder. With file groups, you can create a file group and select WAD.


Figure 4.27: Quotas with File Server Resource Manager

Figure 4.28: Quota template


Figure 4.29: File groups

Creating a file group is pretty darn easy. You just click the Create File Group link, which opens the screen in Figure 4.30, and then you can name the file group and select the file type by typing a * in front of the name. In Figure 4.30, I’ve named the file DOOM FILES in commemoration of the game DOOM and then used *.WAD as the file type I’d like to add. Selecting OK adds the DOOM FILES template to my selectable templates. It’s just that easy.

Figure 4.30: File group properties
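The screening behaviour described in this section, as an added Python model that is not code from the book or from Microsoft: a file group is a set of file name patterns, and a screen either blocks or only monitors writes that match. The folder paths, the sample file names and the members of the image and executable groups are constructed for illustration (only *.WAD and the JPG, PNG, GIF and TIF types come from the text), and the include/exclude group is an assumed way to express the "only WAD files" folder.

```python
"""Added illustration: FSRM-style file screening modelled as name matching."""
from dataclasses import dataclass
from fnmatch import fnmatchcase
from pathlib import PureWindowsPath


@dataclass(frozen=True)
class FileGroup:
    name: str
    include: tuple          # wildcard patterns, e.g. "*.WAD"
    exclude: tuple = ()     # patterns carved back out of the include set

    def matches(self, path: str) -> bool:
        # Only the file name is inspected, never the content. Windows names
        # are case-insensitive, so both sides are lowercased before matching.
        leaf = PureWindowsPath(path).name.lower()
        hit = any(fnmatchcase(leaf, p.lower()) for p in self.include)
        carved = any(fnmatchcase(leaf, p.lower()) for p in self.exclude)
        return hit and not carved


@dataclass(frozen=True)
class FileScreen:
    folder: str
    groups: tuple
    active: bool = True     # True: a "Block ..." screen; False: "Monitor ..."

    def evaluate(self, path: str):
        """Return (decision, group name) for a file about to be saved."""
        target, root = PureWindowsPath(path), PureWindowsPath(self.folder)
        if root not in target.parents:
            return ("allowed", None)    # this screen does not cover the folder
        for group in self.groups:
            if group.matches(path):
                return ("blocked" if self.active else "logged", group.name)
        return ("allowed", None)


def screen_write(screens, path):
    """Apply every screen; a block outranks a monitor-only notification."""
    results = [s.evaluate(path) for s in screens]
    for wanted in ("blocked", "logged"):
        for decision, group in results:
            if decision == wanted:
                return (decision, group)
    return ("allowed", None)


# Constructed file groups (hypothetical members, not the built-in lists).
IMAGES = FileGroup("Image Files (constructed subset)",
                   ("*.jpg", "*.png", "*.gif", "*.tif"))
EXECUTABLES = FileGroup("Executable Files (constructed subset)",
                        ("*.exe", "*.dll", "*.bat"))
# "Only WAD files": match everything, then carve *.WAD back out.
NOT_WAD = FileGroup("Everything except DOOM FILES", ("*",), ("*.WAD",))

# Constructed screens on hypothetical share paths.
SCREENS = (
    FileScreen(r"D:\Shares\Accounting", (IMAGES,), active=True),
    FileScreen(r"D:\Shares\Accounting", (EXECUTABLES,), active=False),
    FileScreen(r"D:\Shares\Levels", (NOT_WAD,), active=True),
)

# Constructed sample writes.
SAMPLE_WRITES = (
    r"D:\Shares\Accounting\Q3\logo.PNG",   # image, nested folder, upper case
    r"D:\Shares\Accounting\setup.exe",     # executable, monitor-only screen
    r"D:\Shares\Accounting\scan.jp2",      # image type missing from the group
    r"D:\Shares\Accounting\ledger.xlsx",
    r"D:\Shares\Levels\E1M1.WAD",
    r"D:\Shares\Levels\notes.txt",
    r"D:\Other\photo.jpg",                 # outside every screened folder
)


def report(screens=SCREENS, writes=SAMPLE_WRITES):
    """Map each sample path to its (decision, group) result."""
    return {w: screen_write(screens, w) for w in writes}


if __name__ == "__main__":
    for path, (decision, group) in report().items():
        print(f"{decision:8} {path}  [{group}]")
```

The scan.jp2 result is the caveat from Table 4.3 in practice: a screen only knows the name patterns in its file groups, so the groups need reviewing when new file types appear on the share.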


The Bottom Line

Set up the Domain Name System: The Domain Name System is a critical role in any Windows Server environment. Through proper use, it allows for user authentication, Internet name resolution, and critical server roles to function. Improperly operating DNS will result in slow, inefficient server operation and possibly authentication failure.

Master It: Install DNS with static entries to four different servers or known Internet hostnames. Make two of these Internet hostnames resolve to correct addresses that will respond to pings, such as google.com, and make two of these addresses resolve to improper, uncommon names, such as Funny.TheDomainYouChose.com.

Set up file sharing: DFS allocation can create a central repository for users to share folders. To set up DFS, you will need to set up servers at multiple locations.

Master It: Install DFS by sharing at least two folders through two different computers, and place them inside a namespace. Access this namespace through a client computer.

Use the File Services Resource Manager: The File Services Resource Manager is a new tool from Microsoft that enables you to select quotas and allocate filters to system resources. It allows you to carefully administer your file system without being concerned with whether the templates or restrictions you place on the server are working.

Master It: Use the File Services Resource Manager to create a 250MB extended quota on your inetpub folder.


Chapter 5

Configuring and Administering Active Directory with SBS 2008

The central focus point of all Windows Server products since Windows 2000 has been the administration and implementation of Microsoft Windows Active Directory technology. Active Directory (AD) is a system of network resource management that controls the use of all objects within a Microsoft Windows network, including users, computers, servers, printers, and any major resource in a Windows network. Within a Windows network, any change to a Microsoft-centric resource is made through Active Directory and replicated to different parts of the Microsoft environment.

In this chapter, you’ll learn to administer Active Directory through the use of organizational units. You’ll also learn the different parts of Active Directory, where they are stored, and the server roles involved with the use of Active Directory. By the end of this chapter, you should easily be able to segment different portions of your server environment through Active Directory and logically structure your organization in an easily understood manner.

In this chapter, you will learn to

◆ Create organizational units

◆ Understand FSMO roles

◆ Create, delete, and manage objects

Active Directory Structure

Within SBS, it’s a little easy to lose scope of the overall structure of Active Directory. This is because SBS does its best to contain the entirety of Active Directory in one centralized location. This way, SBS makes the overall architecture of the network pretty easy to understand, because it’s all in one place. However, in reality, Active Directory is far more complex. And as an administrator, you need to understand the overall design of Active Directory and the role that design plays in a business, from the smallest of small businesses to the greatest of enterprises.

Active Directory contains three levels of infrastructure:

◆ Sites

◆ Forests

◆ Domains


To effectively administer SBS, you need to understand the difference between these three Active Directory levels.

Sites

In the Microsoft system administration world, the words site and area are used almost synonymously because an Active Directory site is designed to identify the physical location and overall network segmentation of an area within Active Directory. For example, Figure 5.1 shows two locations, New York City and Tokyo.

Figure 5.1: Two geographic sites (New York City, 15.1.1.0/24; Tokyo, 15.1.2.0/24)

As you can see from the figure, which uses the standard "/24" convention to indicate a 255.255.255.0 subnet mask for each, each of these different sites holds two completely separate subnets. To most network administrators, this would mean two completely different "sites"; however, with Microsoft technology, this isn’t necessarily the case because sites can contain different subnets through WAN links. For example, say that you work for the Floor1-to-Floor2 exchange company. You have offices on the first floor and an office on the second. With Windows Server, you can represent this by connecting these two locations with a WAN link and making these two different locations part of one larger "site."

As shown in Figure 5.2, Active Directory sites are reflected in topological diagrams by shaded circles. These are usually then labeled with corresponding names, such as "Site1." In this figure, both the Floor1 and Floor2 sites are placed into one location.

Figure 5.2: One Active Directory site (Floor1, 15.1.1.0/24; Floor2, 15.1.2.0/24)

Although this makes a great illustration and learning tool, in reality this isn’t very practical. One of the disadvantages of creating sites that are connected through different subnets is that in order to communicate the Active Directory data through them, they have to transmit their information across a very slow WAN link, which could result in poor communication. So, when you are creating sites, you need to keep in mind that these locations are areas where Active Directory information is replicated. If the links between these areas are not quick, it can result in poor performance.

Another point to keep in mind is that on the SBS level you usually don’t deal with multiple subnets. Therefore, I only need to go as far as to explain that a site is a physical location that contains the Active Directory logical structure, including domains and forests, which I’ll discuss now.


Forests

The best way to think of an Active Directory forest is to take a step back from the terms forest, site, and domain. Once you’ve cleared your mind of those concepts, you can separate the terms using two distinct classifications. First, forests and domains are logical separations, whereas sites are physical separations.

At the top of the "logical separations" division of Windows Server is the Windows Active Directory forest. Simply put, an Active Directory forest is a lot like a container. It holds Active Directory domains and all their respective objects, such as printers, users, and computers. These domains are linked through a series of trusts, which are beyond the scope of this book, that turn additional domains into Active Directory trees, which together form the forest. Visually, it looks like Figure 5.3.

Figure 5.3: Active Directory forest (two trees: intellicorp.com with sales.intellicorp.com and engineering.intellicorp.com; sybex.com with sales.sybex.com and engineering.sybex.com)

A forest can consist of one or multiple trees. In Figure 5.3, there are actually two trees. You can tell this because there are two different naming conventions that you should recognize from Chapter 2. The tree on the left uses the intellicorp.com domain as its root domain, and the tree on the right uses sybex.com as its domain. These naming conventions are referred to as a domain namespace. Namespaces define the realm to which a domain tree isolates calls to a specific area of the Active Directory infrastructure. A domain that is part of a tree is said to be a child of a parent domain. Domains that are bonded by parent-child relationships form an automatic security boundary that allows resources to be passed up and down between them.

Keep in mind that, by default, SBS 2008 has both a domain and a forest. Furthermore, a single-domain organization has both a domain and a forest. Whether there are additional domains or trees is irrelevant. Additionally, in order to create a new tree, you need to make sure that there is a domain controller attached to that tree that can manage the new domain.

Domains

The next rung on the Active Directory logical hierarchy is an Active Directory domain. Domains in Active Directory are collections of another structure, called organizational units, which I’ll speak about in the following few sections. In a logical topology, domains are separated by a dot (.) within their own namespace. In Figure 5.4, you can see a domain tree with a root domain called "intellicorp.com" and two subdomains, sales.intellicorp.com and engineering.intellicorp.com.

Figure 5.4: Domain tree (intellicorp.com with sales.intellicorp.com and engineering.intellicorp.com)

Earlier, in Chapter 4, you got to experience installing and administering the Active Directory Domain Name System (DNS). Just doing that should give you a good idea of exactly what a domain is, at least on the host level. Domains, like forests, are collective structures. They contain host information and objects. Furthermore, domains contain Active Directory master roles that you need to be aware of; you can review these in the "Flexible Single Master Operations" section.

Active Directory Objects

Active Directory contains many types of group objects that you need to pay careful attention to so you understand how to administer them. Active Directory is organized into associated sectional groups and then into respective object types.

Organization

By default, Active Directory comes with the following organizations associated with SBS 2008:

Built-In: Contains default groups

Computers: Client computers

Contact: A contact card that can be accessed throughout Active Directory by various applications

Group: Containers of Active Directory objects

Organizational Units: Small containers used to apply group policies and organize an infrastructure

Through the use of the three levels of the Active Directory infrastructure, these objects can be then applied throughout your SBS server at different locations. Usually, a domain controller is the device responsible for logging and cataloging these objects. Ultimately, however, the true responsibility of organizing these objects rests with the roles shared through flexible single master operations.


Object Types

To properly administer SBS, you must understand the following object types and their purpose within Active Directory:

Computer: Computer objects are client workstations associated within an Active Directory forest or domain. These computers share the same security database.

Contact: Contact objects are used to specify contact information regarding individuals within Active Directory. Normally, they’re associated with organizational units.

Group: Group objects are collections of objects that are primarily designed for security permissions. Groups can consist of collections of printers, computers, users, and servers as well as a few specialty type objects.

Organizational unit: Organizational units are the smallest objects that can have group policies placed upon them. They’re used as a collective structure for administration.

Printer: Printer objects are printers visible to Active Directory that can be accessed by other Active Directory objects.

Shared folder: Shared folders, like in Chapter 2, are used to create central repositories of data that can be shared to other users.

User: User objects contain an individual’s name, address, email address, and other associated data representative of that individual user.

InetOrgPerson: These are used with LDAP and X.500.

MSMQ Queue Alias: This is a custom object for the MSMQ-Custom-Recipient class.

Within Active Directory, administrators can also create custom object types, and some additional object types are not listed here. However, these nine objects are the most common objects you’ll see in a Windows infrastructure.

SBS Business Design Models Overview

Small Business Server administration models inherit a lot from large administration models that concentrate on divvying up roles based off of various factors like where an office is located, what departments are contained in the office, and other factors, like who the managers in the department are, which individuals are related to another, and so forth.

In a large office, there are three models that define overall methods for organizing an infrastructure. They can either use a model that is centrally administered, where all resources are located in one area and branched out from that; decentralized, where resources are split up into various locations and managed independently; or hybrid, where the resources are divvied up and the management of them is concentrated in one central location.

With a small business, there obviously isn’t a need for such a tremendous amount of organizational configuration. After all, we’re usually only dealing with a single office. And for that matter, there’s only one domain and one forest and one site! So, on the surface, this may not seem as useful to know.

However, this is actually not quite the case. The reason for this is that once you understand the concept of divvying up infrastructure, it really helps to lay down solid foundations for organizing your organizational units and the infrastructure overall. Let’s consider why this is.

For one thing, we know the type of administrative structure that SBS 2008 uses: it’s centralized. All our resources concerning Active Directory are in one basket. Even if you decided to add another server or offload application-based concerns to another machine, the server will still house and contain all of your Active Directory information. This lets us further know that we can treat everything conceptually as if it’s in one location. So, let’s think about that.

If everything is in one location there are going to have to be different criteria we use to control how we access the data that is contained there. For example, say we have various departments. We could use these departments to organize how the information is laid out. Or, we could always arrange it by something geographic, like the floors of a building we occupy.

Let’s give two examples of a centralized administration method with SBS 2008, one based on departments and one based on floors.

If we had an engineering department and a sales department, we could think of our server in this manner:

◆ SBS Server’s Central Domain and Forest

  ◆ Engineering Department

  ◆ Sales Department

And if we had three floors in our office, we could think of it like this:

◆ SBS Server’s Central Domain and Forest

  ◆ Floor 1

  ◆ Floor 2

  ◆ Floor 3

This concept really allows us to understand that we should view our Active Directory design as a model for how we run our business. Because, really, that’s all a design model is. It’s a model that reflects how your business infrastructure really works. If you understand that, you’ll be well on your way to not just being a good SBS designer, but a good large business infrastructure designer as well.

Flexible Single Master Operations

Certain tasks performed by domain controllers can be fulfilled only by certain servers at certain times. These roles, collectively known as flexible single master operations (FSMO) roles, take advantage of the Active Directory database to do activities on both the domain level and the forest level. I’ll break these down one at a time and then summarize them in a table for your reference.

Domain Operations Masters

Within every Windows Server domain, including SBS 2008 domains, there are three main domain “master roles” that are performed by a server in that domain. In the case of SBS 2008, SBS performs all of these roles, but you need to be familiar with their purpose.

Relative ID master (RID master) A relative ID master is a server that contains the unique identifier of every object in Active Directory. It essentially makes sure that even if two things are named the same in Active Directory (like two OUs named Sales), they are separated by a hexadecimal identifier that ensures these objects are quite unique in memory.


PDC emulator master Within SBS 2008, the PDC emulator is responsible for making sure that earlier versions of Windows are supported. On more robust versions of Windows Server 2008 (such as Standard, Enterprise, and Datacenter edition), the PDC emulator ensures that servers running previous versions of Windows Server are able to communicate with the current version of Windows Server through their own native processes. The PDC also caches passwords to ease the network load of traversing passwords across a network. The PDC is still run, even in native mode.

Infrastructure master Intimidating name aside, the infrastructure master is the machine that ensures Active Directory data involving objects is replicated throughout the forest through a series of synchronizations.

Forest Operations Masters

On the forest level, there are two master roles you must become familiar with:

Schema master The schema master is responsible for keeping track of all servers in the forest and managing its overall structure. With SBS 2008, this is always contained on the SBS 2008 server and is usually not a very complex setup. However, in cases where SBS 2008 has been joined to a larger environment for some reason, it can be quite a bit more complicated.

Domain naming master The domain naming master keeps track of (you guessed it) domain names in the forest and is responsible for adding new domains to the forest. Unfortunately, with SBS 2008, you can have only one domain, so this is not as robust as it could be.

Limitations on FSMO Roles

The full version of Windows Server, and correspondingly Small Business Server 2008, supports a maximum number of FSMO servers on each level. Table 5.1 makes this much clearer.

Table 5.1: Maximum Number of FSMO Servers

Role Name | Scope | Description
Schema master | 1 per forest | Controls and handles updates/modifications to the Active Directory schema.
Domain naming master | 1 per forest | Controls the addition and removal of domains from the forest if present in root domain.
PDC emulator | 1 per domain | Provides backward compatibility for NT 4 clients for PDC operations (such as password changes). The PDCs also run domain-specific processes such as the Security Descriptor Propagator (SDPROP) and are the master time servers within the domain.
RID master | 1 per domain | Allocates pools of unique identifiers to domain controllers for use when creating objects.
Infrastructure master | 1 per domain | Synchronizes cross-domain group membership changes. The infrastructure master cannot run on a global catalog server (GCS), unless all DCs are also GCs.


Organizational Units

At last — the interesting stuff. Organizational units (OUs) are one of the fundamental containers and structural units used in Active Directory for Windows Server, and they comprise the basis for administering all the objects within Windows Server. An OU is a container for all types of Active Directory objects, including users, servers, groups, computers, and other organizational units within its own domain.

The primary purposes of organizational units are twofold. First, OUs are designed to segment Active Directory into a more manageable structure for administrative purposes. Second, OUs are the primary application point for Group Policy.

As you can see in Figure 5.5, the organization of OUs is designed such that larger Active Directory objects should be placed into OUs. Effectively, this means that groups and collective objects should be placed in OUs instead of individual user or computer accounts.

Figure 5.5: Organizational unit (diagram labels: User, Group, Organizational unit)

With the full edition of Windows Server, administrators usually organize an OU structure to model a business, dividing that business into different sectors based on department or on the business’s needs. With SBS 2008, SBS places all Active Directory objects within the default OU called MyBusiness. Within MyBusiness are four directories called Computers, Distribution Groups, Security Groups, and Users. Within Users there is a sub-OU called SBSUsers, as shown in Figure 5.6. There you can see the small amount of user objects that I’ve created in my SBS server.

Figure 5.6: SBSUsers


For most businesses, this layout is actually fairly intuitive. Although there may be a few departments at the SBS level, usually small businesses aren’t formal (or perhaps pretentious) enough to divide up their Active Directory into numerous organizational groups to track their few members. That’s usually reserved for large organizations where the bloat of Active Directory objects can become a serious problem. However, businesses often do create OUs for their own purposes, because these can serve to simply contain and group all objects of a certain type — for example, your Terminated container.

OU Design

When designing OUs, as mentioned in the previous section, it’s best to pick a pattern that mirrors your business. But like I also said earlier, in SBS this pattern is usually already predefined by the starting OU structure SBS provides. However, should you want to expand on SBS’s default choices, you should keep in mind some of the design decisions laid out in MCTS Windows Server 2008 Active Directory Configuration Study Guide by Will Panek and James Chellis (which is a handy book for any administrator, by the way). That book recommends the following three OU design decisions:

◆ Keep the names and descriptions simple.

◆ Pay attention to the limitations.

◆ Pay attention to the hierarchical consistency.

The authors go on to explain in more detail what they mean by these, but I think they’re pretty self-explanatory. Keeping the names simple helps reduce congestion caused by excessively long names. As for limitations, you need to keep in mind that OU names have a maximum length of 64 characters, which further emphasizes the first point. On the last point, this means you need to make sure to not have overlapping names or an OU placed in an area where it doesn’t belong. This can cause a lot of administrative headache as you look around to find any given OU that isn’t where it is supposed to be.

Creating OUs

The process of making an organizational unit with SBS is fairly simple. First, you can access the OU infrastructure by selecting Start > Administrative Tools > Active Directory Users And Computers. This will open the administrative tool that contains all your user and computer objects that are inherently placed within organizational units.

Once you’ve opened that tool, expand the Active Directory OU structure on the left until it mirrors what you see in Figure 5.6. Then, right-click Users, and select New > Organizational Unit, as you see in Figure 5.7.

Once you’ve done this, the New Object – Organizational Unit Wizard will open, as you see in Figure 5.8. Two points in this wizard are key. First, you’ll see that the wizard will show you where the OU is being placed in the Active Directory infrastructure. Second, you’ll see that there is a Protect Container From Accidental Deletion check box. Pay careful attention to that. This check box creates an OU that cannot be deleted without a great deal of extreme effort. Personally, I don’t like to use this feature, so I deselect it. However, if you are creating a container that you know you will never delete, it’s good to keep this box selected. Regardless of whether you decide you want to use the check box, enter Managers for the OU name, and then click OK.


You’ll notice that the Managers OU will now appear in addition to your SBSUsers OU. The process is really as simple as that. But just as a side note, if you keep the Protect Container From Accidental Deletion box selected, you can change your mind later by selecting View > Advanced Features from the Active Directory Users And Computers screen. This will open a lot of OUs you don’t recognize, as shown in Figure 5.9.

You can then right-click any OU and select Properties. There, on the Object tab you see in Figure 5.10, you can select or deselect the Protect Object From Accidental Deletion box.

Figure 5.7: Creating a new organizational unit

Figure 5.8: New Object – Organizational Unit Wizard

Figure 5.9: Advanced Features OU selection

Figure 5.10: Advanced properties

Managing OUs

Once OUs have been created, it’s natural that at some point or another you will need to add objects to them or move them around in order to facilitate your needs as an administrator. With SBS, this is fairly easy to do, but you need to exercise caution.

This is mainly because there’s really nothing to creating objects in an OU. All you have to do is right-click the OU in question, select New, and then choose your desired object type. Creating a new user, for example, brings up the New Object – User Wizard. I’ve filled in the required information for my new object, as you see in Figure 5.11.


Figure 5.11: New Object – User Wizard

Once you fill in the same information to create an object, clicking the Next button prompts you for a password that has to meet your domain requirements, but other than that, the process is relatively painless. Once you’ve done that, you’ll see that the John Q. Manager object I just created has been placed inside my Managers OU, as shown in Figure 5.12.

Figure 5.12: Manager object

It’s pretty self-explanatory and pretty darn neat. What’s even more interesting is that if you open the SBS console, you won’t see this user account because the Windows SBS Console is only aware of its default user groups. This behooves administrators to stay within the confines of the SBS OU infrastructure. So, let’s perform an experiment.

So, now you’ve created the Managers OU under the Users OU and not the SBSUsers OU. To move it there, you could move the entire OU. Note, however, that if you try to drag an OU from one place to another, you will receive a warning message. This is because dragging an OU is a bad idea. It can cause invalid replication, and it can also fail to copy over all your objects! Furthermore, it actually just changes a couple directory locations and doesn’t alter the infrastructure. Instead, you can right-click the Managers OU and select Move. This will open the Move dialog box you see in Figure 5.13.

Figure 5.13: Move dialog box

Once there, you can navigate to the SBSUsers OU, select it, and then hit OK. Notice that the OU is still not in the SBS console.

This brings up a truly important point. The Windows SBS Console is not all-knowing, and it is actually quite limited. It is designed to be a simple, easy-to-use tool that administrators can use to implement complicated administrative practices. However, the console is only aware of what the console does in the console’s own manner. Changes made using the standard methods of user account creation and OU management very well may not be recognized by the console.

Renaming and Deleting OUs

Although moving OUs can be a little tricky, renaming and deleting an organizational unit is just about the easiest thing to do in all administration. All you have to do is right-click the OU and select Rename. Beyond this, you don’t have to do anything. Additionally, to delete a non-protected OU, all you have to do is right-click and select Delete.

The reason this isn’t complicated is that OUs are containers that are linked to policies. Deleting a container is pretty easy from an administrative level, because everything associated with that container is then removed. Additionally, renaming is much easier because “names” in Active Directory are really nothing more than aliases. At the end of the day, Microsoft either has security identifiers (SIDs) or memory addresses for every aspect of its administration. Changing a name doesn’t affect performance or linked policies in the slightest.

Understanding Inheritance

By default, Windows Server arranges for OUs to inherit the permissions of parent OUs. This means that whenever you move or copy OUs to locations that are embedded within other OUs, the child OU will inherit the parent’s properties. This will become particularly important when I begin discussing Group Policy, but for the moment, remember that group policies will by default be inherited through child objects.


Delegating OUs

Because of the complexity that can arise with OU infrastructures in both larger and smaller environments, Windows Server supports the ability to delegate administrative control to other users and security groups for the purpose of applying Group Policy and performing general administrative tasks. Because OUs are such small containers in terms of Group Policy, this is commonly done so that various administrators at different levels of the company can administer their own versions of Group Policy for their users. For example, in a small business, the head of sales may not want sales users to be able to access the Control Panel, or even access the Internet, but instead to be bound only to their computer for the sole purpose of using Excel and taking orders.

Delegation allows for an administrator to easily break up the common tasks associated with administration by placing them in the hands of others. On the SBS level, this isn’t done as frequently, but it may be done two or three times in the course of the business and therefore deserves your attention.

To delegate an OU, you simply have to right-click the OU in question within the Active Directory Users And Computers MMC and choose Delegate Control. This will open the Delegation Of Control Wizard.

Click Next to open the Users Or Groups page of the wizard that you see in Figure 5.14. There, you can choose users or groups that will be delegated control of the OU in question. Keep in mind that choosing a security group will allow all members of that security group to apply group policies to that OU, so it behooves administrators to make sure they have chosen the right group at this screen. You can add a group by clicking the Add button and choosing a user.

Figure 5.14: Adding users or groups

Personally, I’m going to be adding my John Q. Manager user I created earlier. I can do so by just typing john and then clicking the Check Names button (see Figure 5.15). His name will then appear there as Active Directory looks for any names logically associated with John. You can then click OK. The user will then be added into your Delegation Of Control Wizard; you can click Next once you’ve added all the users or groups you desire. This opens the delegation task list you see in Figure 5.16.


Figure 5.15: Adding a user

Figure 5.16: Tasks to delegate

Windows SBS 2008 contains 11 tasks that can be delegated to individual users, each of which is fairly self-explanatory:

◆ Create, Delete, And Manage User Accounts

◆ Reset User Passwords And Force Password Change At Next Logon

◆ Read All User Information

◆ Create, Delete, And Manage Groups

◆ Modify The Membership Of A Group

◆ Manage Group Policy Links

◆ Generate Resultant Set Of Policy (Planning)

◆ Generate Resultant Set Of Policy (Logging)

◆ Create, Delete, And Manage inetOrgPerson Accounts

◆ Reset inetOrgPerson Passwords And Force Password Change At Next Logon

◆ Read All inetOrgPerson Information


Figure 5.17: Active Directory Object Type selection page

The only thing that may strike you as a bit out of place is the inetOrgPerson definition. This is a class of user that’s defined within the Lightweight Directory Access Protocol (LDAP) that was initially created with RFC 2798 from the Internet Engineering Task Force (IETF). An inetOrgPerson account was designed to retrieve data from LDAP and X.500 protocols. These types of accounts are almost exclusively used in a heterogeneous environment running Linux or some other brand of Unix. Thankfully, on the SBS end, you normally will not have a heterogeneous environment, so you can willfully and gleefully ignore inetOrgPerson accounts for the moment. However, should you want to learn more about them, you can read Scott Fulton’s informIT article available at www.informit.com/guides/content.aspx?g=windowsserver&seqNum=44.

Moving on, the Delegation Of Control Wizard also allows you to define a custom task that limits the scope of the operations the delegated users can perform. If you look at Figure 5.17, you’ll see that you can restrict it to an individual folder, or you can go so far as to define numerous object types that can be delegated. For our purposes, we’re just going to do some simple delegation; therefore, at the screen in Figure 5.16, select Create, Delete, And Manage User Accounts, and then click Next. You will then be greeted with a summary screen showing what you’ve done and asking you to finish your task (Figure 5.17). Once you hit Finish, from now on John Q. Manager will be able to create and manage user accounts within that OU.

While you are delegating OUs, you should be aware of three important considerations:

◆ Parent-child relationships will be propagated during delegation, and all corresponding authorities will transfer.

◆ Entire security groups will receive delegation.

◆ Group Policy Link applications must be specified as a delegation control authority in order to give delegates the associated permission.


Dividing for Power

Within a small business, the president of the company decided that he wanted to use SBS and transition from being the sole operator and administrator of the server to just being the overseeing manager of the server. Accordingly, inside his business he developed several OUs to manage his employees. These OUs included OUs for the following:

◆ Engineers

◆ Editors

◆ Sales professionals

◆ Accountants

Once he’d created these OUs, he applied different levels of Group Policy to each. He gave the engineers access to new programs and development tools. For the accountants and sales professionals, he added policies that accounting and financial folders required. And for the editors, he gave open access to the use of Internet Explorer and the Internet so they could perform the intensive research they needed to conduct.

Separating these various departments into OUs also provided the president with the ability to have his respective employees placed together in a logical way within Active Directory; therefore, he could make actions and implement policies for the entire department instead of one or two individuals.

OU Grouping and Subgrouping

With organizational units, it makes sense to group your OUs according to some type of organizational model and then design that model in such a way that contained OU structures can appear very similar throughout the rest of your design. For example, say you have a business with seven departments:

◆ Engineering

◆ Sales

◆ Management

◆ Accounting

◆ Editorial

◆ Production

◆ Graphics


You could have subgroups in this design for each level of employees that designate the amount of authority they have in the company. For example, you could have the following:

◆ Managers

◆ Employees

◆ Assistants

This makes the organization of your Active Directory infrastructure much easier to navigate and to understand when you take a few steps back and examine it from a distance. In Figure 5.18, you can see how the Intellicorp infrastructure has been broken down. Active Directory diagrams such as this one allow you to plan your infrastructure very effectively. This way, you get a chance to look at the overall structure and decide whether there is a way you can improve it. You can apply this same concept to all levels of Active Directory, including users and groups, computers and servers, and other object levels.

Figure 5.18: Organizational breakdown (diagram labels: Production, Sales, Engineering, each with Managers and Employees)

Thus, when you first start to administer Windows Server technology for any business, including SBS 2008, you should take the time to carefully plan the organizational structure of your business and develop both an overarching model design for that business and a diagram to help you cross-reference your design ideas with your practical application of that design in your chosen environment.

Creating Objects with Active Directory

As I’ve tried to show throughout the course of this chapter, since you’re using Windows Server 2008, you are not solely limited to the use of the Windows SBS Console. In fact, an ambitious SBS administrator can use Windows SBS 2008 exclusively without the console. Thus, in this section, you’ll perform a few hands-on exercises that show you how to create different Active Directory objects.

Creating Objects

1. Open the Active Directory Users And Computers tool, and expand your local infrastructure until you see this screen.

2. Right-click the subgroup you created earlier, and select New > Computer. This will open the dialog box shown here.


3. In the dialog box, specify the following:

Computer Name: Comp1

Computer Name (Pre–Windows 2000): COMP1

4. In the User Or Group box, you can choose to place the user or group in an area other than the default domain. For now, leave this at the default. You can also choose to assign this computer as a pre–Windows 2000 computer, which you will not do either, because these have become quite rare now.

5. Click OK. This will create the computer object shown here. This object has now been entered into Active Directory.

6. Right-click your subgroup, and select New > Contact. This will open the dialog box shown here.


7. Specify the following information in the fields (you can, of course, change the name to your own):

First Name: Steve

Initials: A

Last Name: Johnson

Full Name: Steve A. Johnson

Display Name: sjohnson

8. Click OK. This will create an Active Directory contact that will now be housed in the Active Directory database.

9. If you do not have a printer installed on your server or network, you are done.

10. If you do have a printer, right-click your subgroup, and select New > Printer. This will open the dialog box shown here.

11. Enter a network location of a printer in your Active Directory, and click OK. SBS 2008 will then locate your printer and list it in the subgroup OU.

Large Object Actions

As you’ve probably noticed from the previous exercise and information, creating objects can be a little tedious at times. Say, for example, you had to create more than 100 objects for your employees — one for each of their computers, their user accounts, their printers, and so forth. Unless you had a lot of spare time on your hands, this would take you a very, very long time. Happily, Windows Server contains a few tools that can make this process a whole lot easier.

Windows SBS 2008 and Windows Server full edition support two very powerful executable files:

◆ LDIFDE.exe

◆ CSVDE.exe


Using these tools, administrators can do the following:

◆ Bulk import objects

◆ Modify objects

◆ Export objects

These tools are a lot more advanced than dealing with simple graphical user interfaces and require knowledge of the command line. But since this is a mastering-level book, we’ll jump into it in full force.

LDIFDE.exe

LDIFDE.exe is an abbreviation for LDAP Data Interchange Format Directory Exchange, which is actually an abbreviation for Lightweight Directory Access Protocol Data Interchange Format Directory Exchange. What a mouthful! In short, LDIFDE is a plain-text standard for translating LDAP directories into easily readable text formats, capable of being understood by humans as well as computers.

Using LDIFDE.exe is a little tricky and can get confusing. For starters, you can find a nice resource for the complete usage of LDIFDE.exe at http://support.microsoft.com/kb/237677. But just as an introduction, I’ll include a couple simple exercises you can do to familiarize you with how powerful the tool is.

Exporting Organizational Units

1. Start the command prompt by selecting Start > Administrative Tools > Accessories > Command Prompt or by typing cmd in the Windows Start menu’s search box.

2. At the command prompt, enter the following command (all in one line):

ldifde -f exportOu.ldf -s Officesvr1 -d "dc=intellicorp,dc=local" -p subtree -r "(objectCategory=organizationalUnit)" -l "cn,objectclass,ou"

Notice that the server name is Officesvr1 and the domain name is intellicorp, my domain name. And the branch I’m looking at is local. If the command is entered correctly, you will see output similar to that shown here.

This will create an .ldf file in your default user directory called exportOu.ldf. For my default account, it was created in c:\users\steve.


3. Navigate to your .ldf file, and open it with Notepad by right-clicking the OU and selecting Open With.

Note: You may receive a warning message — this is normal. Opening this file with Notepad will not affect your system.

4. In Notepad, you should see output similar to the following:

changetype: add
objectClass: top
objectClass: organizationalUnit

dn: OU=MyBusiness,DC=intellicorp,DC=local
changetype: add
objectClass: top
objectClass: organizationalUnit

dn: OU=Distribution Groups,OU=MyBusiness,DC=intellicorp,DC=local
changetype: add
objectClass: top
objectClass: organizationalUnit

dn: OU=Security Groups,OU=MyBusiness,DC=intellicorp,DC=local
changetype: add
objectClass: top
objectClass: organizationalUnit

dn: OU=Users,OU=MyBusiness,DC=intellicorp,DC=local
changetype: add
objectClass: top
objectClass: organizationalUnit

dn: OU=SBSUsers,OU=Users,OU=MyBusiness,DC=intellicorp,DC=local
changetype: add
objectClass: top
objectClass: organizationalUnit

dn: OU=Computers,OU=MyBusiness,DC=intellicorp,DC=local
changetype: add
objectClass: top
objectClass: organizationalUnit

dn: OU=SBSComputers,OU=Computers,OU=MyBusiness,DC=intellicorp,DC=local
changetype: add
objectClass: top
objectClass: organizationalUnit

dn: OU=SBSServers,OU=Computers,OU=MyBusiness,DC=intellicorp,DC=local
changetype: add
objectClass: top
objectClass: organizationalUnit

dn: OU=Microsoft Exchange Security Groups,DC=intellicorp,DC=local
changetype: add
objectClass: top
objectClass: organizationalUnit

dn: OU=SubGroup,OU=SBSUsers,OU=Users,OU=MyBusiness,DC=intellicorp,DC=local
changetype: add
objectClass: top
objectClass: organizationalUnit

5. This indicates the command was successful. However, organizational units alone won’t suffice. You also need to have user accounts. This will be discussed in the next project.

Exporting User Accounts

1. Navigate to the command prompt (or simply type cls and press Enter if you’re already there).

2. Enter the following command:

ldifde -f Exportuser.ldf -s OfficeSvr1 -d "dc=intellicorp,dc=local" -p subtree -r "(&(objectCategory=person)(objectClass=User)(givenname=*))" -l "cn,givenName,objectclass,samAccountName"

3. If the command completed successfully, you will see output similar to that shown here.

Like the OU exportation, this will create another file in the default directory called exportuser.ldf.

Note: As you may have guessed, you can change the filename in the beginning by changing the command from exportuser.ldf to whatever you’d like.

4. Navigate to the file, and open it with Notepad.


5. When you open it, you should see output like the following:

dn: CN=Steve Johnson,OU=SBSUsers,OU=Users,OU=MyBusiness,DC=intellicorp,DC=local
changetype: add
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: user
cn: Steve Johnson
givenName: Steve
sAMAccountName: Steve

dn: CN=John Q. Manager,OU=SubGroup,OU=SBSUsers,OU=Users,OU=MyBusiness,DC=intellicorp,DC=local
changetype: add
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: user
cn: John Q. Manager
givenName: John
sAMAccountName: jmanager

Note that I’ve included only two of my three users for the sake of conciseness.

Importing User Accounts

1. If you followed the previous exercises, you will now have a handy file with your usernames available. You can now use this file to import new user accounts.

Note: You must be logged on as administrator for this activity to work.

2. In Notepad, eliminate all but one user entry field, as shown here:

dn: CN=Steve Johnson,OU=SBSUsers,OU=Users,OU=MyBusiness,DC=intellicorp,DC=local
changetype: add
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: user
cn: Steve Johnson
givenName: Steve
sAMAccountName: Steve

3. In these user fields, change this information to the new user information, as shown here:

dn: CN=Mary Johnson,OU=SBSUsers,OU=Users,OU=MyBusiness,DC=intellicorp,DC=local
changetype: add
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: user
cn: Mary Johnson
givenName: Mary
sAMAccountName: Mary

4. Once you’ve done this, save the file as type All Files, and call it importuser.ldf.

5. Back at the command prompt, enter the following:

ldifde -i -f importuser.ldf -s officesvr1

6. Press Enter. If the command completes successfully, you’ll see output like that shown here.

If you close and reopen the editor, you will see that Mary has now been added.
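When several accounts have to be imported, hand-editing entries in Notepad is error-prone, so the following added example (not code from the book) generates records in the same shape as the exported entries above. The function names and the sample users are constructed for illustration; the script escapes DN special characters and base64-encodes values that are not LDIF-safe, so a name containing a comma or a line break cannot change the structure of a record.

```python
import base64

# Container DN copied from the exported entries on this page.
BASE_DN = "OU=SBSUsers,OU=Users,OU=MyBusiness,DC=intellicorp,DC=local"
OBJECT_CLASSES = ("top", "person", "organizationalPerson", "user")
# Characters Active Directory rejects in a user logon name (sAMAccountName).
SAM_FORBIDDEN = set('"/\\[]:;|=,+*?<>')

# Constructed sample input: (given name, surname, logon name).
USERS = [
    ("Mary", "Johnson", "Mary"),
    ("Ann", "Lee, Jr.", "alee"),      # comma must be escaped inside the DN
    ("Zoë", "Müller", "zmuller"),     # non-ASCII values must be base64-encoded
]


def escape_rdn_value(value):
    """Escape a value for use as one DN component (RFC 4514)."""
    out = []
    for i, ch in enumerate(value):
        if ch in ',+"\\<>;=':
            out.append("\\" + ch)
        elif (ch == "#" and i == 0) or (ch == " " and i in (0, len(value) - 1)):
            out.append("\\" + ch)
        elif ord(ch) < 0x20:
            out.append("\\%02X" % ord(ch))   # control characters as hex pairs
        else:
            out.append(ch)
    return "".join(out)


def ldif_line(attr, value):
    """Return 'attr: value', or 'attr:: <base64>' if value is not LDIF-safe (RFC 2849)."""
    safe = (
        value != ""
        and value[0] not in " :<"
        and not value.endswith(" ")
        and all(0 < ord(c) < 128 and c not in "\r\n" for c in value)
    )
    if safe:
        return "%s: %s" % (attr, value)
    encoded = base64.b64encode(value.encode("utf-8")).decode("ascii")
    return "%s:: %s" % (attr, encoded)


def user_entry(given_name, surname, sam):
    """Build one 'changetype: add' record for a user under BASE_DN."""
    if not (given_name and surname and sam):
        raise ValueError("given name, surname and logon name are required")
    if (len(sam) > 20 or SAM_FORBIDDEN & set(sam)
            or any(ord(c) < 0x20 for c in sam)):
        raise ValueError("invalid sAMAccountName: %r" % sam)
    cn = "%s %s" % (given_name, surname)
    dn = "CN=%s,%s" % (escape_rdn_value(cn), BASE_DN)
    lines = [ldif_line("dn", dn), "changetype: add"]
    lines += ["objectClass: %s" % oc for oc in OBJECT_CLASSES]
    lines += [
        ldif_line("cn", cn),
        ldif_line("givenName", given_name),
        ldif_line("sAMAccountName", sam),
    ]
    return "\n".join(lines) + "\n"


def build_ldif(users):
    """Join records with the blank line LDIF requires between entries."""
    return "\n".join(user_entry(*u) for u in users)


if __name__ == "__main__":
    # Redirect this output to importuser.ldf and review it before importing.
    print(build_ldif(USERS))
```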

CSVDE.exe

CSVDE.exe is very similar to LDIFDE.exe; it stands for “comma-separated value directory exchange.” The only real difference is that CSVDE.exe requires the use of a comma-separated value (.csv) file. Really, it’s so similar that I won’t go over its complete usage. The following is an example command provided by Microsoft:

csvde -i -f c:\filename.csv

This will import information from the given file.

Administrators sometimes use CSVDE.exe for specific CSV spreadsheets (which can be made easily in Microsoft Excel) that require users to be added.

The Bottom Line

Create organizational units. Creating an organized OU infrastructure makes the experience of administering a server easier on administrator and user alike. With SBS 2008, this process has become easier than ever.

Master It: Create a centralized hierarchy with two subtiers. This hierarchy should include departmental and role-based separation (Production/Managers). It should be robust enough that the structure could be replicated for all departments and subdepartments.

Understand FSMO roles. FSMO roles are roles within SBS 2008 that allow you to specify administrative tasks throughout your business. These tasks include determining what server is allowed to control the schema of the forest (the schema master) and selecting the domain naming master. Through proper use, you can eventually upgrade your SBS environment to an even more complex environment.

Master It: Suppose you have two servers in your environment that could each share FSMO roles. Decide which server would hold the schema master and why. Could you have two?

Create, delete, and manage objects. Creating objects in Active Directory allows you to truly make an organization. Without objects, the process of having a server is pointless. You need to be able to easily create objects and place them within Active Directory.

Master It: Create one user account and one computer account using the server graphical user interface. Then, create 10 user accounts and 10 computer accounts using the LDIFDE.exe import tool. Once you’ve done this, import these user accounts to one of the lowest tiers of your infrastructure.

Chapter 6

Configuring and Managing Groups and User Accounts with SBS 2008

Without users, groups, and permissions, there wouldn’t be a lot to Windows SBS 2008. In fact, there wouldn’t be a lot to servers in general. Users and groups within SBS 2008 are the main objects upon which permissions are placed. Within Windows, they’re also associated with Active Directory, Microsoft Exchange, and even SQL Server.

The Microsoft Active Directory structure has been designed from the ground up to make user and group accounts very powerful and the administration of them as painless as possible. However, there are a lot of different group types that have special types of associations that you need to understand in order to master SBS 2008.

In this chapter, you will learn to

◆ Create users and security groups

◆ Create distribution groups

◆ Create a permissions list for a group

Group Structure with SBS 2008

With Windows Server 2008, you can use groups for many purposes, including setting permissions, sending messages, or doing other assorted tasks. Accordingly, Windows Server 2008 divides groups into two distinct types: security groups and distribution groups. Security groups and distribution groups can be tailored toward the individual needs of your organization. They’re designed to be able to house any members that you would like to add, including various Active Directory objects that run the gamut of those available (including computers, users, other security groups, and so forth). Each of these group types is described in the following sections.

Security Groups

The most common type of groups, security groups, are collections of Active Directory objects that are placed together for the purpose of assigning permissions. Most commonly in SBS 2008, security groups are used to assign file and folder permissions or to restrict access to certain material throughout an infrastructure. As a good security practice, most organizations use a common naming convention for the security groups. For instance, at Intellicorp, we use the convention “PRM_.” So, in our organization, we have group names like these:

◆ PRM_CustomerService

◆ PRM_Engineering

◆ PRM_Products

◆ PRM_Accounting

◆ PRM_Sales

A good reason for choosing a naming convention with something prepended to the object name is that when they display in Active Directory, they’ll all appear grouped together. For example, in Figure 6.1, you can see that all my groups are in one spot. This makes it easy for me to find them when I’m applying permissions.

Figure 6.1: Security groups in Active Directory

Distribution Groups

Distribution groups, the other type of group in Active Directory, are used for non-security-based functions such as messaging, including email. Distribution groups are tools that can easily group together Active Directory objects that can be sent messages at the same time. An example of when you might use something like this is when you’d like to send an email to a group of people. For example, at Intellicorp, we have a Sales distribution group, where I’ve placed all the sales department’s users. Then, if someone wants to email all the members of that department, they can address the email to the Sales distribution group. Additionally, distribution groups consume less space in the Active Directory database than a security group. For this reason, they are useful any time the group will not be used to assign permissions or to authenticate logons.

And just like with security groups, it’s a good idea to have a naming convention for distribution groups, as you can see in Figure 6.2. Having all these names grouped together makes it really easy to administer them without a lot of chasing around in the Active Directory database by alphabetical order.

Figure 6.2: Distribution groups in Active Directory

Although there are only two types of groups in Active Directory, it’s important to remember that there are a lot of applications for these two groups. And it isn’t quite as easy as just creating a group and moving on. In fact, groups have multiple levels at which they can permeate through Active Directory and assign permissions. These levels of exposure are referred to as group scope.

Group Scopes

Whenever a group is created in Active Directory, you can assign a certain level of permissions to it. With standard Windows Server 2008, this has a great deal more importance than with SBS 2008 because there are more levels. In a large environment, for example, you may have multiple domains and multiple forests to contend with. With SBS, you’re limited to the target domain of your choice and only one forest. However, behind the scenes, a lot of these group membership operations still go on. Thus, you need to at least be familiar with group scopes because, whether you like it or not, membership is still being done the good old-fashioned way, as you can see in Figure 6.3, which is a standard user group in SBS 2008 Active Directory.

Figure 6.3: SBS group scope in Active Directory

In Windows Server 2008, there are three scope levels: universal, global, and domain local. By default, all user groups created in the Windows SBS Console are created as universal groups, but each of the groups has specific levels of permission that can be assigned.

Universal Groups

The simplest of the group types, universal groups, are groups that can be assigned permissions from any domain in the forest within which they reside. This means that, for example, if you had two domains, domain1.intellicorp.com and domain2.intellicorp.com, a universal group created in either domain would be able to be assigned permissions from both domains and be able to contain members from both domains. This is an important difference between universal groups and global groups.

Another important difference regarding universal groups is that, unlike the rest of the group types, universal groups are stored in the global catalog, and they are replicated throughout the entire forest. In a way, this is convenient, because every server is aware of the universal groups. But in a larger-scale environment, this can be a bit of a pain because the group membership has to be replicated throughout the whole enterprise.

The rule of thumb most administrators use when it comes to group scope is to first create global groups and then create universal groups only when needed. For example, if you have a small business that has four employees who will most likely be gone in the next few years or if you have an entire department that has a lot of turnover, you’ll probably want to create them in a global group, discussed in the “Global Groups” section next. On the other hand, executives who will be around for a while, and who will probably want to access resources outside of their own domain, will need a universal group because they have room for expansion.

Global Groups

Global groups are groups that can contain members only from their own domain, but they can access resources in any domain. It’s a little confusing, but it makes sense. You’d use a global group if you ever wanted to have a group exist on only one domain but have it access resources on a lot of other domains.

Domain Local Groups

In my opinion, domain local is probably the most utterly confusing name in all information technology. This is because it implies two basically foreign concepts in one spot. The word domain inherently implies a large area, and local implies a relatively small area. Regardless, domain local groups are groups that can only access resources from the domain that contains the group. However, they can contain members from any domain.

Think of it like this: domain local means that everything has to be accessed from the local domain. In fact, the name local domain would probably make a bit more sense. Typically administrators will create a domain local group when they want to ensure that the users and computers (or other Active Directory objects) they create are confined to one specific domain. This way, they don’t have to worry about scope membership, because they’ll always know that the objects they create in that domain will stay in that domain.

Group Membership

Another important factor concerning all groups is what type of members they can have. In the previous section, you saw that there are restrictions regarding where groups can have members originate from, but there are also a couple concerns regarding what types of other groups and members each group type can contain. Table 6.1 describes what type of memberships each group can contain.

Default Groups

Out of the box, SBS 2008 comes with several groups. These groups are divided into four sections: user groups, special identity groups, built-in groups, and default local groups. These groups are created by default to fulfill roles that will be used by all SBS servers. Inherently, each of these groups is a security group and not a distribution group.

Table 6.1: Group Scope Membership

| Group Scope | Allowed Membership |
| --- | --- |
| Universal | Any group type, any user, any computer |
| Domain local | User accounts, computer accounts, global groups, universal groups, domain local groups |
| Global | Global groups from the same domain, user accounts and computer accounts from the same domain |

User Groups

User groups are collections of users placed into a default group. One of the most commonly referenced groups in the autodefined user groups is the domain users group, which contains every user in the domain. User groups that are built in are designed to give administrators an easy way of referencing every user in their domain by just selecting one group. You’d want to access this one group when using Group Policy or when installing a third-party application that needed to give permissions to everyone in a domain.

Special Identity Groups

Special identity groups are used to refine users to one specific “type” of group. These groups are designed so administrators don’t really have to think about what security group would be appropriate when they want to choose who to add based on “concept,” rather than on explicit casting. These groups include the following:

◆ Everyone

◆ Network Users

◆ Interactive Users

◆ Authenticated Users

◆ Services

◆ Creator/Owner

As you can see, these built-in special identity groups are pretty descriptive. If you want to add Everyone to a file share, literally everyone in the domain will be able to see it. If you want only authenticated users to see it, then you can set only Authenticated Users to see it, and so forth.

Built-in Groups

Within SBS 2008, there are several built-in groups placed within the Builtin OU container for the purpose of general assignment. These groups are summarized in Table 6.2, taken from the description of the groups provided in SBS 2008.

Table 6.2: Built-in SBS 2008 Groups

| Group Name | SBS 2008 Description |
| --- | --- |
| Account Operators | Members can administer domain user and group accounts. |
| Administrators | Administrators have complete and unrestricted access to the computer/domain. |
| Backup Operators | Backup Operators can override security restrictions for the sole purpose of backing up or restoring files. |
| Certificate Service DCOM Access | Members of this group are allowed to connect to certification authorities in the enterprise. |
| Cryptographic Operators | Members are authorized to perform cryptographic operations. |
| Distributed COM Users | Members are allowed to launch, activate, and use Distributed COM objects on this machine. |
| Event Log Readers | Members of this group can read event logs from the local machine. |
| Guests | Guests have the same access as members of the Users group by default, except for the Guest account, which is further restricted. |
| IIS_IUSRS | This is a built-in group used by Internet Information Services. |
| Incoming Forest Trust Builders | Members of this group can create incoming, one-way trusts to this forest. |
| Network Configuration Operators | Members in this group can have some administrative privileges to manage the configuration of networking features. |
| Performance Log Users | Members of this group can schedule the logging of performance counters, enable trace providers, and collect event traces both locally and via remote access to this computer. |
| Performance Monitor Users | Members of this group can access performance counter data locally and remotely. |
| Pre-Windows 2000 Compatible Access | This is a backward-compatibility group that allows read access on all users and groups in the domain. |
| Print Operators | Members can administer domain printers. |
| Remote Desktop Users | Members in this group are granted the right to log on remotely. |
| Replicator | This group supports file replication in a domain. |
| Server Operators | Members can administer domain servers. |
| Terminal Server License Servers | Members of this group can update user accounts in Active Directory with information about license issuance for the purpose of tracking and reporting TS Per User CAL usage. |
| Users | Users are prevented from making accidental or intentional system-wide changes and can run most applications. |
| Windows Authorization Access Group | Members of this group have access to the computed tokenGroupsGlobalAndUniversal attribute on User objects. |

Source: SBS 2008

Default Security Groups

When you first open either the Windows SBS Console or the Active Directory Users and Computers MMC, you’ll be able to see a list of predefined security groups. Each of these default security groups is used to provide permissions for basic uses in SBS 2008. These uses are summarized in Table 6.3, which shows the default SBS groups and the description provided in the Windows SBS Console.

Table 6.3: Default Security Groups in SBS 2008

| Security Groups | Description |
| --- | --- |
| Windows SBS Remote Web Workplace Users | Can access Remote Web Workplace |
| Windows SBS Fax Users | Can use the Windows SBS Fax service |
| Windows SBS Fax Administrators | Can manage the Fax service in Windows SBS |
| Windows SBS Folder Redirection Accounts | Folders redirected to the server |
| Windows SBS Virtual Private Network Users | Can access network resources remotely |
| Windows SBS SharePoint_VisitorsGroup | Have read-only access to the internal Web site |
| Windows SBS SharePoint_MembersGroup, Windows SBS SharePoint_OwnersGroup | Can view, add, update, delete, approve, and customize the content |
| Windows SBS Link Users | Can access the Link List in Remote Web Workplace |
| Windows SBS Admin Tools Group | Can access the Administration tools in Remote Web Workplace |

Source: SBS 2008

Nesting Groups

As an organization grows and more employees, computers, and Active Directory objects are created, inevitably the need for more departments and groups for various projects and special needs will arise during the course of business. Small Business Server, like all the Windows Server 2008 products, supports this business need. Group nesting is a simple and effective method of placing groups within groups to ease the burden of applying permissions over multiple groups.

An area where you may want to do this is in a larger department. For example, if you have 20 salespeople in your average-sized small business, there may be multiple sales managers and a couple salespeople who work on corporate sales instead of end user sales. With group nesting, you could create an isolated group for the corporate salespeople and another for the end user salespeople and then create a larger group called MyBusiness_SalesPersons that contains all the various subgroups.

From an administrator’s perspective, this is quite convenient. But be warned: you need to follow this guideline:

Keep track of your group nesting. With system administration, it’s not too common for administrators to create group documentation to keep track of which people are members of various groups, but that is mostly because administrators keep group nesting classified as an “only if we need it” sort of procedure. This isn’t necessarily a good idea. Instead, you should consider keeping user documentation and creating a simple topological map of your users and their respective groups.

Local Groups

Because they aren’t as commonly used with SBS 2008 and higher-level server infrastructures, I won’t spend much time on local groups. Just know that local groups are groups that are local only to the computer upon which they reside. Note, however, that a local group is not the same as a domain local group.

Creating a Group Strategy

Just like you wouldn’t construct a building or go to war without a lot of planning and care, you’re not going to want to start creating groups on the fly without a lot of forethought. In fact, so much forethought has gone into the creation of groups in larger-scale environments that Microsoft has released an entire knowledge base article on planning and implementing an effective group strategy. Some of it doesn’t apply to SBS, but you can find the article here: http://technet.microsoft.com/en-us/library/cc783634(WS.10).aspx.

Figure 6.4 shows that there is a definite flow to the nesting of groups. Small groupings of individuals are placed into larger groupings. This creates a clean and efficient topology that makes your job as an administrator much easier.

Just keep in mind as you’re implementing group nesting within your own organization that certain groups do have membership requirements, and you’ll need to adhere to those requirements. With SBS 2008, this should be very easy, but more experienced administrators should do their best to stay up-to-date on good group practices. Some of these practices include the following:

◆ Not placing individual users in global groups to reduce overhead

◆ Altering universal groups as infrequently as you can

◆ Placing individual users in domain local accounts

◆ Placing individual users in global groups

◆ Assigning permissions to global groups

Figure 6.4: Nesting implementation (diagram labels: Corporate Sales Team User Accounts, Corporate Sales Team Global Group, Sales Department, All Employees)

Another common practice that a more experienced administrator taught me in my earlier admin days is to use universal groups for permission statements as little as possible. This makes sense when you think about it. If you don’t use universal groups much, the chances of them taking up processing time on your global catalog are nearly nil. And you don’t want your organization experiencing any slowdowns.

Planning Group Layouts

As a small-business owner or as a consultant or employee for a small business, you’re going to be responsible for planning group membership and group strategies. Accordingly, it’s a good idea to make a group layout strategy that plans for group membership and group scope. There is no set method to how this is done, but usually a cautious administrator will use a program such as Microsoft Excel and use rows and columns to separate membership. Table 6.4 shows a sample group layout from a project management perspective.

Table 6.4: Group Layout

| Group Name | Function | Number of Members | Access Requirements | Notes |
| --- | --- | --- | --- | --- |
| CORP_Sales | End user sales | 20 | Sales folder | Lowest-level security |
| CORP_Accounting | Accounts payable and receivable | 3 | Accounting folder, Sales folder | No more than five members |
| CORP_Managers | Management | 1 | Account folder, Sales folder, Management folder, Engineering folder | Highest-level security |
| CORP_Engineers | Front and back-end development | 10 | Sales folder, Engineering folder | Should only access two folders, never more |

Creating Users and Groups with SBS 2008

As I’ve both said and hinted at many times throughout this book, the process of creating users and groups with Windows Server is extremely common. This is so much the case that Microsoft incorporated just about every feature into the Windows SBS Console that you need in order to make user accounts and groups.

Since it’s a useful tool, administrators with SBS will commonly just use the console to create user accounts. After all, it’s designed to do that. However, as shown in Figure 6.5, when you start the Windows SBS Console in advanced mode and navigate to Administrative Tools > SBS Console (Advanced Mode) and then Users And Groups, the console will have the added task of Open Active Directory Users And Computers Snap-In.

Figure 6.5: Open Active Directory Users And Computers Snap-In task in the console

Clicking Open Active Directory Users And Computers Snap-In will, obviously, open that tool, which you’ve seen before. However, up until this point, you’ve only created user accounts and organizational units. Now, I’ll start diving a bit deeper and show how to do some group creation, along with some group nesting. After all, with this snap-in, you can make all kinds of new objects:

◆ Computer objects

◆ Contact objects

◆ Group objects

◆ InetOrgPerson objects

◆ msExchDynamicDistributionList objects

◆ MSMQ Queue Alias objects

◆ OUs

◆ Printer objects

◆ User objects

◆ Shared folders

In Chapter 5, you created organizational units at this screen, so you’ll probably be familiar with using it. But just in case you’d like a refresher, the “Creating Groups and Adding Members” exercise will take you through the process of creating a user group and adding members. Keep in mind, an organizational unit is not a security group. Think of it like this: groups get permissions, and OUs get policies. Security groups are designed to group users into easily definable permission blocks, and OUs are designed to create “containers” where Group Policy can be applied.

Creating Groups and Adding Members

To illustrate how to create a group and add members to it, in this exercise you’ll create a group called Corporate_Sales and then add members to it. This group will help you in other exercises throughout the rest of the chapter.

1. Open the Active Directory Users and Computers snap-in, and expand nodes until you see the OU structure shown here.

2. Select Users, right-click the whitespace on the right, and select New > Group. By default, this will open the screen shown here.

3. SBS 2008 will leave the group scope as global and the group type as a security group.

4. Name this group Corporate_Sales, and leave the pre–Windows 2000 name intact.

5. The Corporate_Sales group will appear in the whitespace with the type Security Group.

6. Double-click the Corporate_Sales security group. This will open the group’s properties dialogbox, as shown here.

7. Select the Members tab, and click Add.

8. Type the name of a user in your domain, and then click OK.

9. You will see the user, here Mary Johnson, populate into the Members field.

10. Click OK. This will return you to the default snap-in screen.

11. Alternatively, you can right-click the Corporate_Sales group and select Add to Group.

12. You can then type the name of the user and click OK. The user will then be added to the group.

13. Now, click the Security Groups OU in your OU structure.

14. You will notice that the group does not show up here by default. This is because this OU was manually created in the snap-in vs. made with the console, which places security groups here by default. Should you want to place the group here, you can.

Nesting Groups

Now that you’ve created a new Corporate_Sales group, you can add a nested group. This is the first step in creating a multiple-tiered group model. Note that you must have completed the previous exercise to complete this exercise.

1. Open Active Directory Users and Computers, and expand the nodes until you arrive at the SBSUsers OU underneath MyBusiness\Users.

2. Using the method you learned earlier, create a group called Nested Group, but do not add any new members. Your snap-in should look like the screen shown here.

3. Right-click NestedGroup, and select Add To A Group.

4. Type Corporate_Sales, and click Check Names. If Active Directory finds it, the name will become underlined, as shown here.

5. Click OK.

6. You will see that the Add To A Group operation was successfully completed in a dialog box. Note that if there is an error or if the group is already included as a member, you will see a dialog box displaying the pertinent error.

7. Verify group membership by right-clicking Corporate_Sales and selecting the Members tab. You will see Nested Group listed, as shown here.

This group is now nested. At this point, this means you can add any group members to the NestedGroup security group, and these groups will automatically be included in the Corporate_Sales group.
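The guideline to keep track of group nesting, and the nesting exercise above, can be supported with a small audit script. The following is an added example, not code from the book: it expands nested membership, records the chain of groups through which each account gains membership, and reports circular nesting. The membership data is constructed; the group names come from this chapter's exercises and Figure 6.4, and the function names are illustrative.

```python
# Constructed sample: the direct members of each group, as they would appear
# on each group's Members tab. A member whose name is also a key is a group.
DIRECT_MEMBERS = {
    "All Employees": ["Sales Department"],
    "Sales Department": ["Corporate_Sales"],
    "Corporate_Sales": ["Mary Johnson", "NestedGroup"],
    "NestedGroup": ["Steve Johnson"],
}


def effective_members(group, direct):
    """Expand nested groups.

    Returns (members, cycles): members maps each user or computer to the
    chain of groups that grants it membership of `group`; cycles lists any
    circular nesting found on the way.
    """
    members, cycles = {}, []

    def walk(current, chain):
        for name in direct.get(current, []):
            if name in direct:                       # a nested group
                if name in chain:                    # already on this path
                    cycles.append(chain[chain.index(name):] + [name])
                    continue
                walk(name, chain + [name])
            # a user or computer: keep the shortest chain if several exist
            elif name not in members or len(chain) < len(members[name]):
                members[name] = chain

    walk(group, [group])
    return members, cycles


def indirect_members(group, direct):
    """Accounts that hold membership only through nesting, so they do not
    appear on the group's own Members tab."""
    members, _ = effective_members(group, direct)
    return sorted(m for m, chain in members.items() if len(chain) > 1)


def nesting_report(direct):
    """One line per group and effective member, suitable for documentation."""
    lines = []
    for group in sorted(direct):
        members, cycles = effective_members(group, direct)
        for member in sorted(members):
            lines.append("%s <- %s (via %s)"
                         % (group, member, " > ".join(members[member])))
        for cycle in cycles:
            lines.append("%s: circular nesting %s" % (group, " > ".join(cycle)))
    return lines


if __name__ == "__main__":
    print("\n".join(nesting_report(DIRECT_MEMBERS)))
```

Any permission assigned to All Employees in this sample reaches Steve Johnson, although he appears only on the Members tab of NestedGroup.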

Administering Security Groups with SBS 2008

Once a security group is created, the real administrative work is actually begun. First you’ll need to add and remove members, nest other groups, and remove groups from Active Directory in total. In particular, deleting groups is interesting with Windows Server because every group created has a specific security identifier (SID) associated with it.

A Windows SID identifies a group with a unique number that allows you to add special permissions to that, and only that, group. In a way, it’s what makes multiple groups with similar names, group nesting, and other complex group operations possible. The following exercises show how to rename groups, remove user groups, and change group scope.

Renaming User Groups

With SBS 2008, you can change group names in both the Active Directory Users and Computers snap-in and the Windows SBS Console. We will begin with the Windows SBS Console.

1. Open the Windows SBS Console, select Users And Groups, and then select the Groups tab. It should appear as shown here.

2. Right-click TestGroup, and select Edit Group Properties. Alternatively, you can select the group and click Edit Group Properties in the upper-right corner.

3. When the properties dialog box appears, you can select the TestGroup name and replace it with a new name, such as Awesome Group.

4. Click Apply.

5. The group will then appear in the Security Groups section as Awesome Group. Note that Awesome Group, although funny, probably isn’t the best idea for a group name. Thus, you’ll change it now.

6. Navigate to the Security Groups OU in MyBusiness. Note that Awesome Group is there.

7. To change the name of Awesome Group to something more professional, you can right-click it and select Rename.

8. Enter ProfGroup1 as the new name.

9. Another box will open asking you for a group name and for a pre–Windows 2000 group name. Enter ProfGroup1 in both fields.

No matter what you name a group, renaming will never affect a group’s SID in Active Directory. As far as Windows is concerned, it’s still the same group. You have changed only one of its properties.

Next, I’ll show how to remove a security group that you no longer require.

Removing a Security Group

If a security group has outlived its usefulness, you can remove it from Active Directory with either the Windows SBS Console or the Active Directory Users and Computers snap-in. Note that removing a security group does remove the SID associated with that group.

To remove the group with the Active Directory Users and Computers snap-in, follow these steps:

1. Select the group.

2. Right-click the group, and select Delete.

3. Click Yes at the prompt.

To use the Windows SBS Console, follow these steps:

1. Navigate to the Groups tab of the Users And Groups section.

2. Select ProfGroup1.

3. Click Remove Group in the upper-right corner.

4. Select Yes.

Removing a group is relatively easy, but keep in mind that whenever you delete a group, all member associations that are granted access through that group are now deleted. Furthermore, a group deletion does not mean that the members of that group are deleted, just the group structure itself.

Changing group scope is another useful skill that can be easily learned and understood. With SBS, you don’t use this very often, but if you ever need to migrate to a large platform, this is a good skill to master.


Changing Group Scope in SBS 2008

Within SBS 2008, you can change group scope only through Active Directory Users and Computers. You must open a security group through that snap-in.

1. Open the OU containing your user group.

2. Right-click the group, and select Properties. The dialog box that opens should appear similar to what you saw in Figure 6.3 earlier in the chapter.

3. Change the Group Type setting from Universal to Global.

4. Click Apply.

5. Click OK.

Creating Distribution Groups

To create an effective messaging structure with SBS 2008, you need to implement distribution groups within your small-business server to send and receive email to multiple targets. Distribution groups, similar to security groups, are collections of user accounts that are associated with email addresses, contacts, and other messaging systems within Windows Server.

To effectively maintain an SBS server, you need to know how to create distribution groups in both the Windows SBS Console and the Active Directory Users and Computers snap-in. The following exercise will familiarize you with both methods.

Adding a Distribution Group

To add a distribution group using the Windows SBS Console, follow these steps:

1. Open the Windows SBS Console, navigate to Users And Groups, and then select the Groups tab.

2. Select Add A New Group.

3. This will open the Getting Started window. You can select the box to not show this page again(which is recommended). If you already have, skip this step. Otherwise, click Next.

4. Under Group Name, enter insiders.

5. Under Group Type, make sure the Distribution Group: Send An E-mail Message To User Accounts That Belong To This Distribution Group option is selected.

6. Click Next.

7. Keep insiders at the screen shown here. This will create an [email protected] address.


8. Select the option Allow This Group To Receive Emails From People Outside Your Company. This is vital. Without this, the messaging group will be used only for internal emails and will not be able to be accessed from anyone not within your domain.

9. Click Next.

10. On the Users screen, select the users you want to add, and click Add.

11. Click Next.

12. Click Finish.

Note that once the wizard completes, it will add the “insiders” group to your email distribution groups list.

To add the group in the snap-in, follow these steps:

1. Open the snap-in, and navigate to the SBSUsers OU underneath MyBusiness.

2. Right-click the whitespace on the right, and select New > Group.

3. Under Group Name, enter insider2.

4. Select the Distribution radio button.

5. Click OK.

As you can see, it’s relatively easy either way, but it’s especially elegant with the snap-in. However, with the snap-in, you have to manually add users on the properties page.


The process of deleting a distribution group isn’t really worth showing, because it’s almost like creating a security group. Suffice to say that you can simply select a distribution group, right-click, and choose Delete. Note that, just like deleting a security group, this will not delete the members of that group, but it will delete that group and the SID associated with that group. Additionally, groups that are nested within a group that is deleted will not be affected by the deletion of the top-level group.

You should also note that you can easily change the internal properties of a distribution list through the Windows SBS Console. Specifically, using the Windows SBS Console, you can change email addresses and the ability to receive external emails through the group’s Properties window on the E-mail tab, as shown in Figure 6.6.

Figure 6.6: Email alteration of distribution group

In Figure 6.6, you can see that the email address of the distribution group has been changed, and this group has been enabled to receive email from external addresses not within the organization’s domain. All you have to do after this is hit Apply. As shown in Figure 6.7, the insiders group now has the same name, but a new email address is associated with it throughout Active Directory.

Figure 6.7: Altered email address

Administering Distribution Groups

Usually in most small businesses, the turnover rate can be fairly high as the business expands and employees come and go for various reasons. Accordingly, distribution groups are often altered even more than security groups. Thus, you need to be familiar with some of the most common administrative tasks associated with them.

With the Windows SBS Console, you can easily add users and groups by clicking the Change Group Membership button in the Tasks column. This opens the standard Change Group Membership screen you’ve seen before, as shown in Figure 6.8.


Figure 6.8: Change Group Membership screen

All you have to do to add new members to this group is to double-click the member, or you can select them and click Add. Then, click OK, and these new members are added.

But just like with security groups, you can also nest different levels of distribution groups. For instance, if a small engineering company has four different teams, one for petroleum engineering, one for electrical engineering, one for mechanical engineering, and one for chemical engineering, it may have four distribution groups:

◆ Corp_EE

◆ Corp_ME

◆ Corp_ChE

◆ Corp_PE

And within these groups, there will most likely be users. This is convenient, because instead of having to create a new distribution group if you wanted to send email to, say, all engineers, you could create an Engineers group and just add the four Corp_ groups to a new distribution group, instead of manually adding each engineer one at a time.

From a design perspective, distribution groups are much easier to deal with than security groups. This is mostly because, at the end of the day, distribution groups only send messages. And although a single email can be pretty damning if it’s received by the wrong person on the subject of something sensitive, such as whether to fire someone, it’s usually not quite as potentially disastrous as an employee opening a secure file that happens to have all the corporate accounting documents, including a list of usernames and passwords for the bank accounts and instructions for how to make a withdrawal.

Obviously, any security risk that could potentially cause a serious disaster is unacceptable in any environment. However, as cautious administrators, we need to be prudent in our evaluation of what security risks we allow. This is because there is no such thing as a completely risk-free environment. Unfortunately, there will always be some risks. Some risks just aren’t as great as others.


Using Distribution Groups as a Filter

At OmniCorp, a small business specializing in retail sales and customer service, the number of customer service calls and complaints began to rise to a seriously dangerous level. Sales associates, who are primarily associated with sales calls but also respond to customer service calls and emails, began spending most of their days responding to customer service calls, instead of making outbound sales calls or answering sales email.

Accordingly, management decided that the number of calls and emails the sales staff was receiving needed to drop dramatically. Thus, management decided to create a separate customer service distribution group. The reason behind this was that the salespeople could then easily set up a rule in their Outlook program that identified the messages that were specifically for them (sent through the sales system) and then identify the messages that were sent to [email protected] distribution group.

By doing this, management increased the amount of sales dramatically and actually improved customer service by realizing that they needed to hire individual customer service representatives. But regardless of whether they did that, the distribution list served as a nice filter to guard the salespeople’s “real” email addresses from the anonymous [email protected] email address.

Security Permissions

Now you’ve come to the best part of group structure: assigning permissions. Chances are that if your administration experience is anything like mine, you’re going to spend a ton of time working on permissions. This is because permissions in Windows Server are vital to maintaining an effective, job-separated structure that allows users to access the information they need while prohibiting them from accessing the items that aren’t required in their position. In the security field, we refer to this process as the CIA triad: confidentiality, availability, and integrity.

Confidentiality: Maintaining nondisclosure of information that is considered private

Integrity: Maintaining the data contained within a structure

Availability: Determining whether the data is ready and available

In the field of systems administration, which is all administering SBS 2008 really is, you are primarily concerned with the availability field: is the data ready to be accessed, and do the right people have access to the right information at the time? The way you do this in the Windows system architecture is through the use of the Windows permissions list.

Permissions Lists

In multiple areas of information technology, including routing and switching, SQL Server administration, Unix administration, and especially Windows system administration, permission lists (also known as access control lists) play a huge role. This is because Windows permissions lists specify who has access to files and folders throughout a Windows architectural system.

With Windows file sharing, file permission takes place in several stages. First, the folder containing the files is put into a shared or unshared state. Second, security permissions are set upon the file, and finally these permissions run through an access control list that determines whether the files are accessible to individuals’ accounts.

File and Folder Permissions

Ever since Windows 2000, the Windows architecture has had a standard set of file permissions published by Microsoft, as summarized in Table 6.5.

Table 6.5: Microsoft’s File and Folder Permissions

| Permission | Meaning for Folders | Meaning for Files |
| --- | --- | --- |
| Read | Permits viewing and listing of files and subfolders | Permits viewing or accessing of the file’s contents |
| Write | Permits adding of files and subfolders | Permits writing to a file |
| Read & Execute | Permits viewing and listing of files and subfolders as well as executing of files; inherited by files and folders | Permits viewing and accessing of the file’s contents as well as executing of the file |
| List Folder Contents | Permits viewing and listing of files and subfolders as well as executing of files; inherited by folders only | |
| Modify | Permits reading and writing of files and subfolders; allows deletion of the folder | Permits reading and writing of the file; allows deletion of the file |
| Full Control | Permits reading, writing, changing, and deleting of files and subfolders | Permits reading, writing, changing, and deleting of the file |

Source: Microsoft

As with any Windows user, you have the right to adjust and administer the permissions on folders and files that you control. This is accessible by right-clicking a file or folder, selecting Properties, and then clicking Edit. For example, in Figure 6.9 you can see the standard Windows SBS 2008 permissions placed on a file in a user’s desktop. In my case, it’s off one of my favorite CDs.

As you can see, by default the Full Control permission is selected, giving me permission to read and write whatever I want that is contained there. Furthermore, if I click the Advanced button after the Add button, I can open the Advanced Security Settings screen you see in Figure 6.10.


Figure 6.9: Standard folder permissions on the desktop

Figure 6.10: Advanced Security Settings dialog box

From this screen, you can set advanced file permissions, audit the folder, and check to see who the “owner” of a folder is — something I’ll get to in a minute. Furthermore, you can also look at the effective permissions of a folder and see who has access to what in that file. By clicking the Edit button at this screen, you can also access a whole other level of “special” folder permissions that you couldn’t see in the standard permissions menu. This is shown in Figure 6.11 and summarized in Table 6.6, along with the abilities that each of these permission settings grants you.


Figure 6.11: Special file permissions

Table 6.6: Microsoft’s Special Folder Permissions

| Special Permissions | Full Control | Modify | Read & Execute | Read | Write |
| --- | --- | --- | --- | --- | --- |
| Traverse Folder/Execute File | X | X | X | | |
| List Folder/Read Data | X | X | X | X | |
| Read Attributes | X | X | X | X | |
| Read Extended Attributes | X | X | X | X | |
| Create Files/Write Data | X | X | | | X |
| Create Folders/Append Data | X | X | | | X |
| Write Attributes | X | X | | | X |
| Write Extended Attributes | X | X | | | X |
| Delete Subfolders and Files | X | | | | |
| Delete | X | X | | | |
| Read Permissions | X | X | X | X | X |
| Change Permissions | X | | | | |
| Take Ownership | X | | | | |


From the Advanced permissions menu, you can click Edit yet again and set a specific security entry on the folder. As an example, in Figure 6.10, you can see the permissions entries for the folder. But if you click Edit for Steven Johnson, this will open the screen in Figure 6.12. On this screen, you can specifically edit the user’s access to the folder and the specific permissions pertaining to that user. In Figure 6.12, I can adjust each of my permissions individually and then click the OK button.

Figure 6.12: Advanced security settings

It’s also important to note that you’ll see two important check boxes in Figure 6.12:

◆ Include Inheritable Permissions From This Object’s Parent

◆ Replace All Existing Inheritable Permissions On All Descendants With Inheritable Permission From This Object

These two check boxes are very important but easily explained. With Windows Server, subfolders inherit their permissions from their parent folders by default. This means that if you assign permissions to a folder, all subfolders within that folder will receive those permissions. However, you can easily undo this by deselecting the first box: Include Inheritable Permissions From This Object’s Parent. This means the folder ignores all permissions it once received from its parent.

The second box, Replace All Existing Inheritable Permissions On All Descendants With Inheritable Permission From This Object, forces the permissions for this specific folder to be propagated throughout the rest of the child folders. So, through the use of these two check boxes, you can stop permissions and force them to the rest of your objects. Effectively, through the use of all these tools, you can do just about anything you’d like throughout your file infrastructure.


Assigning Security Group File Permissions

As a general rule of thumb, Microsoft recommends that security permission for file and folder structures should be granted to security groups and not to individual user accounts. The reasons behind this are a little complex, but suffice to say that assigning individual user accounts permissions to folders can cause a lot of headache, especially if that user account is deleted in the future and you suddenly have a folder hanging out with no permissions on it or irrelevant permissions.

In the following activity, you’ll add a security group to a folder and give the account specific permissions.

Assigning a Security Group to a Folder

To complete this exercise, you will need to create a folder somewhere within your directory structure and be able to access that directory as an administrator.

1. Right-click your folder, and select Properties.

2. Click the Security tab.

3. Click the Edit button.

4. Click Add.

5. At the Select Users, Computers, Or Groups screen, add a security group you have created.

6. Click OK.

7. The security structure should appear as shown here.


8. Under the security group’s permissions that you’ve added, select the Full Control permission. This will allow the security group to take ownership of the file and alter the file as if it was its own.

9. Click Apply and then OK.

10. Click OK.
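
The recommendation above, to grant folder permissions to security groups rather than to individual accounts, can be checked after the fact. The following PowerShell script is an added example, not code from the book: it walks a folder tree and reports explicit ACL entries held by a single user account or by a SID that no longer resolves, along with subfolders that have stopped inheriting from their parent. The function names, the demo folder and the sample SID are constructed for illustration, and Windows PowerShell 2.0 or later is assumed.

```powershell
# Added example, not from the book. Assumes Windows PowerShell 2.0 or later.
# Get-SidKind and Get-AclFinding are hypothetical helper names.

function Get-SidKind {
    # Classify a SID as Unresolved, User, Group, WellKnown or Other.
    param([System.Security.Principal.SecurityIdentifier]$Sid)
    try   { $null = $Sid.Translate([System.Security.Principal.NTAccount]) }
    catch { return 'Unresolved' }   # usually a deleted user or group
    # Win32_Account.SIDType: 1 = user, 2 = group, 4 = alias (local group),
    # 5 = well-known group. The lookup can be slow, so callers cache results.
    $acct = Get-WmiObject -Class Win32_Account -Filter "SID='$($Sid.Value)'"
    if (-not $acct) { return 'Other' }
    switch ([int]$acct.SIDType) {
        1       { return 'User' }
        2       { return 'Group' }
        4       { return 'Group' }
        5       { return 'WellKnown' }
        default { return 'Other' }
    }
}

function Get-AclFinding {
    # Walk $Root and report folder ACL entries worth reviewing.
    param([Parameter(Mandatory = $true)][string]$Root)
    $sidType = [System.Security.Principal.SecurityIdentifier]
    $cache   = @{}
    $rootDir = Get-Item -LiteralPath $Root
    $folders = @($rootDir) + @(Get-ChildItem -LiteralPath $Root -Recurse |
                               Where-Object { $_.PSIsContainer })
    foreach ($folder in $folders) {
        $acl = Get-Acl -Path $folder.FullName
        # First check box cleared: this folder ignores its parent's permissions.
        if ($acl.AreAccessRulesProtected -and $folder.FullName -ne $rootDir.FullName) {
            New-Object PSObject -Property @{
                Path = $folder.FullName; Finding = 'InheritanceDisabled'
                Identity = ''; Rights = '' }
        }
        # Explicit entries only; inherited ones are reported where they are set.
        foreach ($ace in $acl.GetAccessRules($true, $false, $sidType)) {
            $sid = $ace.IdentityReference.Value
            if (-not $cache.ContainsKey($sid)) {
                $cache[$sid] = Get-SidKind $ace.IdentityReference
            }
            $finding = switch ($cache[$sid]) {
                'Unresolved' { 'OrphanedSid' }
                'User'       { 'DirectUserGrant' }
            }
            if ($finding) {
                $name = $sid
                if ($finding -eq 'DirectUserGrant') {
                    $name = $ace.IdentityReference.Translate(
                        [System.Security.Principal.NTAccount]).Value
                }
                New-Object PSObject -Property @{
                    Path = $folder.FullName; Finding = $finding
                    Identity = $name; Rights = $ace.FileSystemRights.ToString() }
            }
        }
    }
}

# --- Demonstration on a constructed folder tree under %TEMP% ---
$demo = Join-Path $env:TEMP 'acl-audit-demo'
$sub  = Join-Path $demo 'Accounting'
$null = New-Item -ItemType Directory -Path $sub -Force

# Constructed SID standing in for an account that was later deleted.
$gone = New-Object System.Security.Principal.SecurityIdentifier `
            'S-1-5-21-1111111111-2222222222-3333333333-1105'
$rule = New-Object System.Security.AccessControl.FileSystemAccessRule `
            -ArgumentList $gone, 'Modify', 'ContainerInherit,ObjectInherit', 'None', 'Allow'
$acl = Get-Acl -Path $sub
# Stop inheriting from the parent, keeping copies of the inherited entries.
$acl.SetAccessRuleProtection($true, $true)
$acl.AddAccessRule($rule)
Set-Acl -Path $sub -AclObject $acl

Get-AclFinding -Root $demo | Format-Table Path, Finding, Identity, Rights -AutoSize
Remove-Item -LiteralPath $demo -Recurse -Force
```

On a production share, pass the share's root folder to Get-AclFinding and treat every OrphanedSid or DirectUserGrant row as an entry to replace with a security group.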

Folder Sharing

Another common task with folder and group permissions is to make a folder available throughout your business. This is referred to as folder sharing. With Windows SBS, folder sharing is easily accomplished through several wizards, as was done in Chapter 2. What’s important to realize is that, unless a folder has been granted access to a user or another security group, a shared folder either will not be shared or will be accessible by everyone. With Windows file and folder permissions, you can share a folder and then determine who can access the files and folders.

The Bottom Line

Create users and security groups

Creating users and security groups is the central focus point of an IT infrastructure. By creating users and groups, an entire business is virtually created through Windows Server. Security groups allow you to assign permissions and associate users with similar job roles.

Master It: Create a nested group structure that contains an All Users group with four internal groups for the engineering, accounting, sales, and customer service departments. Place at least 20 users in all these groups, and attempt to “double nest” a user in the Sales and Engineering groups.

Create distribution groups

Distribution groups are used to distribute email and messages. Through a distribution group, you can receive external email and send internal messages.

Master It: Create a distribution group for your infrastructure with a different email address than the name of the group. Attempt to send an email to this group.

Create a permissions list for a group

Permissions lists and access controls are the primary methods you use to affect the access of files throughout your infrastructure. They control the availability of files throughout the infrastructure and, if not done correctly, can compromise the entire infrastructure.

Master It: Create a folder and assign permissions to only one security group, and then try to access this group from another account.


Chapter 7

Managing Group Policy with SBS 2008

Microsoft Windows Server Group Policy is the system of software management used by Active Directory to control the behavior and access associated with user and computer accounts on a Microsoft network. By utilizing Group Policy through Active Directory, administrators can prohibit or grant access to portions of Microsoft and Group Policy–compatible software, install or remove software throughout the infrastructure, and publish updates to users and computers based on an administratively defined set of rules.

Within the modern small-business network, Group Policy is becoming more and more common. In the older days of system administration, Group Policy was usually seen only in large-scale implementations because it used to be a lot more difficult to manage. Group Policy objects and links were a mystery to most system administrators, but now they’ve become almost as common as a simple user account — well, perhaps not that common, but they’re inching ever closer.

What’s certain is that to be an effective administrator with Small Business Server, you need to learn how to use all the tools that SBS makes available to you. Otherwise, a lot of the real advantages of using SBS, such as the ability to deploy software to your users and set up limited access to potentially unproductive software like Internet Explorer, will be unavailable. In this chapter, you’ll learn about all of these topics and more.

In this chapter, you will learn to

◆ Create Group Policy objects

◆ Link a Group Policy object to an Active Directory object

◆ Edit a Group Policy object

◆ Delete a Group Policy object

The History of Group Policy

Windows Group Policy came onto the scene 10 years ago with Windows 2000. Before Windows 2000, with Windows NT, system policies were limited to domains and could not permeate to forests; they could not be secured; they could apply only to users, groups of users, and computers; and they were just generally buggy overall. Worse than that, the few administrators who could actually use the Windows NT system usually managed to mess it up somehow with a crazy system policy that would do something fun and convenient like forbid anyone from installing a program within the enterprise.

Thankfully, this all changed with the use of Group Policy. Contrary to system policies, Group Policy is stable, is secure, and can be applied at any level.

The main difference between Group Policy and the old method of implementing system policies is that Group Policy takes advantage of policy links that connect one Group Policy object to another.

Why We Use Group Policy with SBS

Small companies usually come in two flavors — those that are extremely relaxed and understanding with their security and those that are stricter in their policies. Because of the nature of small businesses, it’s pretty rare that you find anything in between. Usually owners will either have a great deal of trust in their employees or will be very restrictive.

Both types of approaches need specific settings and options to implement such decisions and policies. With SBS 2008, you’re enabled to make a vast amount of changes to user and computer configuration settings with Group Policy. Some of these changes include the following:

◆ User and group configurations

◆ Registry settings

◆ Software installation

◆ Scripts

◆ Folder redirection

◆ Remote installation services (rarely used in SBS)

◆ Internet Explorer restrictions

◆ Security policies

You can manipulate these settings by understanding how to use the Group Policy snap-in and understanding the elements of Group Policy.

Group Policy Objects

As you may remember from earlier chapters in this book, Active Directory is fairly uniform in that at the end of the day it all comes down to objects. Objects of all types are what compose the core of Active Directory and Windows system administration. Group Policy is no exception to this rule.

In fact, group policies are one of the few types of objects in Active Directory that are actually referred to as Group Policy objects. This is because a single group policy is actually an entity within Windows Server. You can think of it in terms of building blocks. Users, computers, groups, and other objects like organizational units are all like the small Lego blocks with four round knobs on the top you used when you were a kid. Group Policy objects, on the other hand, are like the long rectangular Lego blocks that can stretch across the small square blocks.

Group Policy objects are the essential component of Active Directory. They’re created within the normal version of Windows Server 2008 in the Group Policy Management Console. In SBS 2008, this is . . . just the same! Well, almost. Technically there are no consoles in SBS, other than the Windows SBS Console. Instead, with SBS 2008 you use the Group Policy snap-in, which used to be attached to the Group Policy Management Console, so not much is changed. This means that if you’ve already had a lot of experience with Windows Server 2008 Group Policy, the transition to SBS should be very easy for you. Count yourself lucky. If not, I’ll go through the process of creating a GPO one step at a time.

Group Policy Links

Unlike other Active Directory objects, such as users or groups, Group Policy objects are not enforced until they are linked to another point in the Active Directory infrastructure. This is a pretty major difference from standard Active Directory objects because when you create any other object in Active Directory, that object is in the system — and accessible. For instance, when you create an Active Directory user account, that user account exists on the system, and users can log onto the domain they were assigned (unless, of course, their account is disabled).

Conversely, a Group Policy object is made through the Group Policy Management Console and then linked to a particular location in Active Directory. But until it’s linked, the Group Policy object effectively accomplishes nothing. It’s just another object that floats around within Active Directory. You can link objects in any Windows Server platform (post–Windows 2000) at one of four locations:

◆ Site

◆ Domain

◆ OU

◆ Local

Obviously, with SBS, you don’t have to care about this quite as much, because it’s all associated to one small-business domain, but it’s important to understand that SBS does technically have the ability to apply Group Policy at all these levels. That said, most of the time you will deploy Group Policy only at the domain level, because SBS environments will have one domain to which users can log on.

Administering Group Policy

Now you know that Group Policy is divided into two distinct elements: Group Policy objects (GPOs) and Group Policy links. But the process of implementing Group Policy isn’t quite as simple as designing a Group Policy object and then linking it to various points in the Active Directory infrastructure. Applying Group Policy can have a lot of unexpected results. For instance, say you want to apply Group Policy to the OU group Special_Users.

Special_Users, as the name implies, is a special user container that has a few particular rules that need to be applied. Let’s say that you don’t want Special_Users to be able to access the Control Panel, but you want Special_Users to be able to access the Internet whenever the members of that group would like.

On the surface, this seems simple enough. The problem occurs when you have multiple Group Policy links in place. Consider, for example, what would happen if the Special_Users OU was a child OU of the standard SBSUsers OU. Were that the case, you could have an issue if the SBSUsers OU prohibits access to Internet Explorer from one point in time to another. Because of this, you might have a Group Policy conflict. One policy says one thing, and another policy says another. You need to know which OU will take precedence, and why.

It’s much more efficient and effective to avoid such conflicts from the outset, rather than trying to solve them when they turn up. So, plan your rollout to anticipate these problems! According to Microsoft, Group Policy should be rolled out in four stages:

◆ Planning

◆ Designing

◆ Deploying

◆ Maintaining

Planning

When planning for Group Policy, you first have to consider the objectives you need to accomplish. What is the policy going to do? Who is it going to affect? Why does it need to be in place? This initial process is called a policy definition. You define a policy by its purpose and its objectives:

◆ Purpose: The reason the policy is put in place

◆ Objective: What the policy aims to accomplish

As an example, a policy to restrict Internet Explorer should be planned as follows:

◆ Purpose: To remove the temptation to surf the Internet during business hours

◆ Objective: To restrict Internet Explorer from 8 a.m. to 5 p.m. Monday through Friday

This is an essential step in Group Policy, because it provides a point you can reference after you’ve put several group policies in place. More often than not, administrators like to create a ton of policies and then sometimes forget what they actually do. In fact, I remember one time looking at a server I had placed a great deal of GPOs in and saying, “You know . . . I don’t exactly remember what most of these do.”

That’s a bad thing. Documentation and accountability are key to a successfully running environment. Without documentation, you can potentially cause hazards for your users. There’s nothing quite like being a user and suddenly realizing you can’t access a vital tool for your job.

Technically, what I just gave you was a very boiled-down version of how to plan policies. According to Microsoft, the actual objectives should be to determine the following:

◆ Purpose of each GPO

◆ Owner of each GPO (the person who requested the policy and who is responsible for it)

◆ Number of GPOs to use

◆ Appropriate container to link each GPO (site, domain, or OU)

◆ Types of policy settings contained in each GPO and appropriate policy settings for users and computers

◆ When to set exceptions to the default processing order for Group Policy

◆ When to set filtering options for Group Policy

◆ The software applications to install and their locations


◆ What network shares to use for redirecting folders

◆ The location of logon, logoff, startup, and shutdown scripts to execute

And, although these objectives (which you can find at http://technet.microsoft.com/en-us/library/cc786212(WS.10).aspx) are important, at the SBS level you can really just boil it down to a simpler question: “What does this policy hope to accomplish?”

The next step in planning once you’ve completed your purpose and objective is to design the policy. At this point, you ask the following:

◆ Where will this policy go?

◆ Who will this policy affect?

Here’s an example:

◆ The policy will be placed on the Special_Users OU.

◆ The policy will affect all user groups placed in Special_Users OU.

After you’ve done this, you need to determine whether there are any conflicts in the policy.Is there another overlapping policy? Is there a contradictory policy? These issues are referred toas interoperability issues.

OU Structure

During your planning phase, you need to think really carefully about how your OU infras-tructure is maintained. In the full-blown version of Windows Server, this is more important,because there are usually a lot more OUs to worry about. With SBS 2008, your OUs are usuallylimited to two or three, but these two or three may be layered in what’s called a tier hierarchy.In Figure 7.1, you can see a simple SBS tiered hierarchy.

As you can see, a Sales and Marketing generalized OU is at the top, and the Sales Usersand Marketing OUs are tiered beneath. Within Sales Users and the Marketing OU there areManagers named specifically for their department, a generalized user group (Salespersons andMarketers) and coordinators. This lets you apply individual policies to that particular OU,instead of having to apply them to all users throughout the infrastructure.

Other Design Factors

At the small-business level, you need to consider a few design factors you may not have initially thought about. These include possible internal documents that define security requirements and operational guidelines that require more careful attention to Group Policy implementation. At the medium and enterprise-scale business level, you can easily implement staging grounds for GPO implementations. This is not so much the case with SBS. More often than not, just one server runs the whole office. Thus, you need to make sure that implementation and adherence to any predefined business requirements is maintained. This way, you don’t run the risk of creating major server conflicts.

Design

Once you’ve planned ahead for your Group Policy implementation, you need to begin the next step of drafting your design. When designing Group Policy, you need to keep in mind four important design elements:

◆ Inheritance

◆ Scope


◆ Objectives

◆ Delegation

I’ll go over each of these topics one at a time.

Figure 7.1: Tiered OU hierarchy. Sales and Marketing is the top-level OU; beneath it, Sales Users contains Sales Managers, Sales Coordinators, and Salespersons, and Marketing contains Marketing Managers, Marketing Coordinators, and Marketers.

Inheritance

Inheritance is the process of child containers taking linked policies from their parent containers. As an example, consider Figure 7.1 again, with its multiple tiers of infrastructure. With inheritance, if a GPO is linked to the top container, it will permeate to the remaining containers. Thus, if you linked a GPO to the SBSUsers container that restricted access to the Control Panel, that policy would be inherited by all other OUs within that container.

Conversely, although inheritance does pass from parent to child, a child will obey any rules specifically given to it. Using the previous example, with the accounting OU, you could easily apply a GPO just to that OU to allow access to the Control Panel. And, because it has been applied directly to that child OU, it would override any inherited GPOs.

Scope

Microsoft explained it best in its technical documentation: to define the scope of application of Group Policy objects, consider these main questions:

◆ Where will your GPOs be linked?

◆ What security filtering on the GPOs will you use?

◆ What WMI filters will be applied?

There really isn’t a better way to define scope than just like this. The word scope in IT essentially refers to the area in which something has control. For Group Policy, this effectively means, “Where is it linked?” The scope of a GPO can be extremely broad or extremely narrow, depending upon your needs.

Scope with Group Policy can be a little confusing, because higher-level OUs can have policies applied to them that permeate to children — who can themselves override parentally linked GPOs. That’s a lot to swallow. Effectively, children can tell the parents they want to behave differently than the parent.

But let me ask you a question. When you were a kid, who was ultimately in charge — the parent or the child? You guessed it, the parent. With Group Policy and scope, this is particularly true because parents can enforce policies on their child objects regardless of the child object’s desires. This is called the no override feature, and it can be set in a Group Policy link.

A WMI filter is a Group Policy mechanism that is used to provide granular application techniques to a GPO. Typically, people use WMI filters to “filter out” exceptions to general rules. Say, for example, you have a rule that removes the Control Panel for all computers. However, new computers for the executives will not need to have this rule applied. Thus, you could make a WMI filter to exclude these machines from the GPO. Now, every time Group Policy refreshes, a new filter is applied.
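The precedence rules from the Inheritance and Scope sections can be traced in a small model. The following Python code is an added example, not code from the book or from Microsoft: the OU names follow Figure 7.1 and Remove_ControlPanel is the GPO built later in this chapter, while Allow_ControlPanel, the EXEC- computer naming convention, and the Python predicate standing in for a WMI filter's WQL query are assumptions made for illustration.

```python
from dataclasses import dataclass
from typing import Callable, Optional

SETTING = "Prohibit access to the Control Panel"

@dataclass
class GPO:
    name: str
    settings: dict                                            # setting -> "Enabled"/"Disabled"
    apply_to: frozenset = frozenset({"Authenticated Users"})  # security filtering
    wmi_filter: Optional[Callable[[dict], bool]] = None       # stand-in for a WQL query

@dataclass
class Link:
    gpo: GPO
    enforced: bool = False    # the "no override" option, set on the link

# Constructed OU tree modelled on Figure 7.1: child -> parent (None = top container).
OU_PARENT = {
    "Sales and Marketing": None,
    "Sales Users": "Sales and Marketing",
    "Sales Managers": "Sales Users",
    "Salespersons": "Sales Users",
}

def ou_chain(ou, parents=OU_PARENT):
    """Containers from the top of the tree down to `ou`."""
    chain = []
    while ou is not None:
        chain.append(ou)
        ou = parents[ou]
    return chain[::-1]

def in_scope(gpo, user_groups, computer):
    """A linked GPO applies only if it passes security filtering and its WMI filter."""
    if not gpo.apply_to & set(user_groups):
        return False
    return gpo.wmi_filter is None or gpo.wmi_filter(computer)

def resolve(ou, links, user_groups, computer, parents=OU_PARENT):
    """Return {setting: (value, winning GPO)} for a user whose account is in `ou`.

    `links` maps a container to its Link objects in processing order.
    """
    normal, enforced = [], []
    for container in ou_chain(ou, parents):        # parent first, child last
        for link in links.get(container, []):
            if in_scope(link.gpo, user_groups, computer):
                (enforced if link.enforced else normal).append(link.gpo)
    result = {}
    # Normal links: a GPO linked closer to the user overwrites an inherited one.
    # Enforced links go last, deepest first, so the highest container has the final say.
    for gpo in normal + enforced[::-1]:
        for setting, value in gpo.settings.items():
            result[setting] = (value, gpo.name)
    return result

def demo():
    user, pc = ["Authenticated Users"], {"Name": "SALES-PC01"}   # constructed
    remove_cp = GPO("Remove_ControlPanel", {SETTING: "Enabled"})
    allow_cp = GPO("Allow_ControlPanel", {SETTING: "Disabled"})  # hypothetical GPO
    links = {"Sales and Marketing": [Link(remove_cp)], "Sales Managers": [Link(allow_cp)]}
    out = {
        "inherited": resolve("Salespersons", links, user, pc)[SETTING],
        "child_override": resolve("Sales Managers", links, user, pc)[SETTING],
    }
    links["Sales and Marketing"] = [Link(remove_cp, enforced=True)]
    out["enforced"] = resolve("Sales Managers", links, user, pc)[SETTING]
    # WMI filter stand-in: skip machines whose name starts with EXEC- (assumed convention).
    filtered = GPO("Remove_ControlPanel", {SETTING: "Enabled"},
                   wmi_filter=lambda c: not c["Name"].startswith("EXEC-"))
    out["wmi_excluded"] = resolve("Salespersons", {"Sales and Marketing": [Link(filtered)]},
                                  user, {"Name": "EXEC-PC01"})
    return out

if __name__ == "__main__":
    for case, winner in demo().items():
        print(f"{case}: {winner}")
```

Returning the winning GPO alongside each value mirrors what a Resultant Set of Policy report shows, which is the quickest way to confirm that an exception actually landed where it was intended.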

Objectives

Group Policy objectives define the exact goals you want to accomplish with your GPO implementation. In some cases, that means limiting control, and in some cases that means expanding the software and capabilities of multiple users. To define a proper Group Policy objective infrastructure, you need to make some very important objective decisions:

◆ The purpose of the GPO

    ◆ Why are we implementing this policy? Is there an alternative? If the policy is put in place, what do you hope it accomplishes?

◆ The owner of the GPO

    ◆ Is someone, other than the default administrator, responsible for the GPO? If so, why?

◆ Where the GPO is applied

    ◆ This comes back to scope. Is the scope properly considered?

◆ Exceptions for the GPO

    ◆ Are there any users of containers in any of the GPOs who need to be exceptions to that Group Policy object? If so, is there an alternative method of implementation?

Delegation

One of the abilities you’re granted with the Windows Server platform is the ability to delegate Group Policy to other users and groups. Through delegation, you can add a user or group to the Group Policy Creator Owners (GPCO) or explicitly grant users permission to create GPOs. Delegation is useful in small, medium, and large businesses because it allows heads of departments, team leaders, or junior administrators to create and implement Group Policy objects on specific containers. Through Windows Server 2008 (and technically Windows NT), you can assign five permissions through the Group Policy Management Console (GPMC) snap-in, as summarized in Table 7.1. Delegation can also be granted on higher levels. Technically, you can delegate Group Policy–related decisions to users and groups on the site, domain, and OU levels. With SBS 2008, this is something you may want to use if you have a business owner or junior administrator within a small business who needs to implement group policies throughout the business at whim.

Table 7.1: GPMC Options and Permissions in Access Lists

| Option in GPMC User Interface | Corresponding NT Permission in ACL Editor |
| --- | --- |
| Read | Read access granted on the GPO |
| Edit Settings | Read, Write, Create Child Objects, and Delete Child Objects granted on the GPO |
| Edit, Delete, And Modify Security | Read, Write, Create Child Objects, Delete Child Objects, Delete, Modify Permissions, and Modify Owner granted on the GPO |
| Read (from Security Filtering) | Technically cannot be set by an administrator, but appears on the Delegation tab if a delegate has Read and Apply Group Policy permissions |
| Custom | A custom set of permissions |

Since SBS 2008 disables these default administrator accounts by default as a security best practice, it’s really worth it to consider not just making the network administrator default account but also making an individual user account that has delegated permissions for the business owner or junior administrator. Then, the administrator or business owner can link GPOs and create GPOs at whim. Furthermore, to keep yourself safe, you can also grant individual users permission to generate Resultant Set of Policy (RSoP) permission on the site, domain, or OU level. This permission allows individual user accounts beyond the network administrator account to generate GPOs and simulate what it would be like to link those policies and put them in place.

Overall, through delegation, administrators can save a lot of overhead. On the small-business level, various managers or small-department heads will want to implement restrictions and permissions for individuals frequently. Generally, a lot is going on in a small business, and lots of people share responsibilities. This is a pretty big contrast to a large enterprise, where users are very segmented in their responsibilities.

The Five Ps

A common phrase in the IT industry that nags us all is what’s called the five Ps: proper planning prevents poor performance. As you can imagine, with all aspects of IT this is true, but in no area more so than Group Policy planning. At the small-business level, the hardware is generally so capable that it can accommodate most inefficient deployments of Group Policy. However, consider what happens as time moves on and you switch from one Group Policy deployment to another. If you’ve migrated from SBS 2003 to SBS 2008, you’ve already done this once. But the same thing can happen as you get more users and switch from a small deployment to a large one.

Once I administered a small business using SBS 2003 that had to switch to the full version of Windows Server 2003. Unfortunately, the owner of the business was rather sensitive about who had access to what, so he layered multiple group policies at the site level over what became multiple machines. Eventually, things got bogged down as these policies had to be replicated to different servers and sent to the entire site.

If the owner had been smart (and if his younger and more foolish administrator would have advised him), he would have taken these policies and applied them to the OU level. That way, the policies wouldn’t be placed throughout the entire site, because the scope would be more refined. Lesson learned, but it sure did take us a long time to fix it once it became a serious problem.

Deploy

Once you’ve carefully considered the planning and design of your Group Policy, you can finally deploy it. At the deployment stage, you link the Group Policy object to its proper container and put it into action. Usually before this stage administrators have done their best to test the GPO in a test environment or have chosen to deploy it at a small level. With SBS 2008, this unfortunately isn’t really much of an option, because the deployment is so small already. But, with proper planning, any damage you create through improper planning should be minor.

Additionally, if you’re on a budget and you’d like to be safe, you could easily implement a desktop with Microsoft Virtual PC, which is available for free. With Virtual PC, you can install the software on your server and then attempt to virtually deploy your workstation to your server to test Internet connectivity. It’s actually not that hard to set up. You just have to install Microsoft Virtual PC 2007, set up a client, and then connect that client to your SBS 2008 server.


Be Careful with Deployment

You may or may not have noticed, but I tend to use “removing access to the Control Panel” in a lot of my examples of what can happen when you make a mistake with Group Policy. Well, there’s a reason for this. One time, a younger and more foolish Steven Johnson decided to implement a GPO that removed access to the Control Panel for all users. I had thought I’d made exceptions to the policy in the right places, but I accidentally removed it from my own user account — and the Administrator user account.

Before I knew it, I had linked the GPO to the entire domain, and no one in the entire business could access the Control Panel. I didn’t know it at the time, but it was an easy fix. Regardless, I had placed myself in a position where I didn’t know what I had done and didn’t know how to fix it. And this is a place you never want to be.

Generally, mistakes that we make in life come in two flavors: small mistakes and big mistakes. With Group Policy deployment, small mistakes rarely happen. (If you’ve ever used a concept called recursion in computer programming, you’ll understand what I mean.) If not, a computer science professor told me once that there are a couple things in computing that wouldn’t harm you in the least if you did them right, but if you got them wrong, they wouldn’t just blow off your foot, they’d blow off the whole leg.

I’m betting a lot of you veterans out there are saying, “Wow, talk about being a bit dramatic,” but I guarantee you that there are just as many administrators saying, “Yep. Done that before!” As you mess with Group Policy, strive to be the former and not the latter. One thing that makes IT miserable is war stories. They’re never pleasant to endure . . . or to retell.

At the enterprise level, Group Policy is generally deployed through several stages. If you want to know how it’s done, you can check out the “Staging Group Policy Deployments” article on Microsoft’s website (http://technet.microsoft.com/en-us/library/cc787823(WS.10).aspx). But for our purposes in small business, it will not be necessary. In the following sections, I will go over two important parts of Group Policy:

◆ Creating GPOs

◆ Understanding starter GPOs

Creating GPOs

You create GPOs through the Group Policy Management Console, which you can access through the Administrative Tools menu. To create a GPO, select Start > Administrative Tools > Group Policy Management, and select Continue at the User Account Control prompt. This will open the Group Policy Management Console that you see in Figure 7.2.

On the left in the GPMC window, you’ll see a breakdown of your infrastructure from the forest and domain levels. In Figure 7.2, the top level forest is showing, followed by lots of subcontainers. Of particular interest here is the Group Policy Objects container and the Domain Controllers container. The Group Policy Objects container holds all the Group Policy objects for your enterprise. The Domain Controllers container is of interest because in larger environments the default domain controllers policy can control the effect of implementing Group Policy on your domain controllers, which manage all your logons.

Figure 7.2: Group Policy Management Console

On the right side, you can select a single policy and see the scope, details, settings, and delegation of each Group Policy. In this example, I’ve selected Windows SBS Client – Windows XP Policy. You can see that the location where this is applied is the SBSComputers OU. This means that all objects contained within the SBSComputers OU will have this policy linked to them.

The Details tab will give you a lot of information, including the following:

◆ The domain where your GPO resides

◆ The owner of the GPO

◆ The date created

◆ The date modified

◆ The user version

◆ The computer version

◆ The unique ID of the GPO

◆ The status of whether it is enabled or disabled

The Settings tab, shown in Figure 7.3, will display an output of the administrative templates, computer configuration, and user configuration of your GPO. It’s a useful tool for seeing a quick report of how the GPO works and what it’s doing. Last, the Delegation tab, shown in Figure 7.4, will show you the user-specified permission for the GPO. In the case of the Windows XP policy, only Domain Admins and Enterprise Admins are allowed to edit or delete the policy settings.

You’ll see all these factors come into play when you start to edit and manipulate Group Policy later in this chapter. But for now, you just need to create a new one. Let’s create a policy that removes access to the Control Panel for users. In the “Creating a GPO” exercise, I’ll go through this step-by-step.

Figure 7.3: GPO Settings tab

Creating a GPO

To complete this exercise, you must be logged on as a domain or enterprise administrator.

1. Open the GPMC through Administrative Tools.

2. Right-click Group Policy Objects, and select New.

3. In the New GPO box, name the GPO Remove_ControlPanel.

4. The Remove_ControlPanel GPO will appear in the Group Policy Objects list. Right-click this policy, and select Edit. This will open the Group Policy Management Editor shown here.


5. Under User Configuration, expand Policies, and then expand the Administrative Templates: Policy Definitions (ADMX files) retrieved from the local machine.

6. Select the Control Panel folder.

7. On the right, select Prohibit Access To The Control Panel, and double-click. This will open the dialog box shown here.

8. At this screen, you’re presented with three options: Not Configured, Enabled, and Disabled. When Not Configured is selected, the policy is blank and has no settings. Enabled means it has settings and is in effect; Disabled means it has settings and is not in effect. Select Enabled. Note that if you’re curious about what an individual policy does, you can select the Explain tab and see a detailed explanation of the policy. In this example, the Explain tab of this policy says the following:

“Disables all Control Panel programs.

“This setting prevents Control.exe, the program file for Control Panel, from starting. As a result, users cannot start Control Panel or run any Control Panel items.

“This setting also removes Control Panel from the Start menu. This setting also removes the Control Panel folder from Windows Explorer.

“If users try to select a Control Panel item from the Properties item on a context menu, a message appears explaining that a setting prevents the action.”

At this point, you have the option of getting a bit more customized. Say you’d like to actually allow users to control the sound settings on their computers. This requires a little more effort.

9. Click Next Setting.

10. Select Enabled.

11. Select Show.


12. In the list of allowed Control Panel items, type Sound. Then click OK.

13. Click Apply.

14. Click OK.

15. Navigate to the GPMC. Here, right-click an OU (don’t do the whole domain — you want to test this policy first), and select Link An Existing GPO.

16. Select Remove_ControlPanel. Click OK.

Figure 7.4: GPO Delegation tab

Starter GPOs

If you completed the “Creating a GPO” exercise, you may have noticed that when you created the GPO, you had the option to choose a starter GPO as the base for your new Group Policy object. Starter GPOs are collections of ADMX templates with certain policy settings that allow you to create a new GPO based on a set of predefined GPO settings. They’re really convenient, because with starter GPOs, a lot of the work you’d have to do to make a more complicated policy is already done for you.

Maintain

Once you have completed the process of planning, designing, and finally creating your GPOs, you get to go through the process of maintaining them. Maintaining Group Policy in Windows usually involves the processes of editing GPOs, changing link locations and scope, and backing up and restoring GPOs.


Editing GPOs and GPO Links

I’ve already discussed the primary tool you use to edit Group Policy, the Group Policy Management Console. This snap-in is designed to allow you to set Group Policy settings and preferences. However, the GPMC does not allow you to delete a policy or to manage a Group Policy link. This is done using an alternative method described in the following sections.

Deleting a GPO

Removing a GPO from Active Directory is a relatively simple process. To delete a GPO, you only need to select the GPO and either hit the Delete key on your keyboard or right-click and select Delete. Additionally, if this GPO is linked in other locations, the GPO links will be destroyed.

Editing GPO Links

To edit a GPO link, you can navigate to the GPMC, right-click your local domain, and select Search. As an example, navigate to the Group Policy object search box that you see in Figure 7.5 and select All Domains Shown In This Forest in the drop-down box.

Below that are three drop-down boxes:

◆ Search Item

◆ Condition

◆ Value

Search Item allows you to specify what type of Group Policy–related function you’re looking for. This includes the following:

◆ GPO name

◆ GPO links

◆ Security groups

◆ User configuration

◆ Computer configuration

◆ GUIDs

If you put GPO links in that field, you can jump to the next field, Condition. Usually, Condition autofills to Exist In, but you can also choose Do Not Exist In. Leaving it as the default lets you choose the last field, the value. The Value field allows you to search by Active Directory site to see where you’d like to search in your infrastructure. As an efficiency buff, I usually try to refine my searches by the most local method possible, unless I’m working with a really big enterprise, in which case it can take an extremely long time and be quite confusing.

Once the three fields have been filled in, you can click the Add button. This adds the three subfields you just populated to one true search criteria field. Note that you can also add another field if you want by filling out the subfields again. Then, when you search, you’ll be able to see the results all at once. But in any event, hitting the Search button will begin the search.

Double-clicking any of the search results will bring you back to the Group Policy Management Console, where you can review any links present. The Group Policy search function is very useful if you end up with a lot of Group Policy objects and a lot of Group Policy links. But if you have only a few, you might as well just alter them in the GPMC directly.

Figure 7.5: Searching for Group Policy objects

Altering Scope

By default, GPOs apply to all authenticated users in an Active Directory infrastructure. However, sometimes you may want GPOs to apply only to certain users in the environment, like if you had some executives you wanted to exclude from a restrictive policy. You can alter this by selecting the Scope tab in the GPMC and clicking Add. There, you can choose a specific user or security group, add it, and then remove the default Authenticated Users group. This makes the GPO only affect the groups you’ve specified. This is the process of group filtering.

Using Loopback Processing

Covering this topic is probably a little overboard for this book, because I can’t recall a single instance where I’ve used loopback processing with an SBS environment. But I thought I’d explain what it is for the sake of thoroughness. Loopback processing is using computer policy settings over user policy settings. Effectively what happens is that a user can log on to the machine from any location, and if they do, from that machine the Group Policy options for the user account aren’t deployed; the computer settings are enabled instead.

A good example of where this might be useful is a computer dedicated to browsing the Internet. Lots of small businesses have a break room or somewhere that they’ll set up a computer that employees can use to surf the Web, check their personal email, chat, and so on. If you have a Group Policy that disables all these features for a user account but want someone to be able to use them while on that machine, loopback processing is for you.


Loopback processing is available in SBS 2008 in the Group Policy Editor snap-in. There are two options with loopback processing:

Merge mode: In merge mode, all GPOs are placed together in one spot. This means that you can specify computer settings and user settings. Examples of where you might want to use something like this are if you have a machine that you want to be especially restrictive. This way, you could enforce all the general user restrictions and beef them up with the computer’s own restrictions.

Replace mode: Replace mode is the more commonly used method. With replace mode, user information is completely overridden by machine settings. Replace mode is what you’d like to use for the earlier break-room example, with a machine that needs specific privileges outside the normal user account privileges.
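The difference between the two modes, as an added Python example that is not from the book: it computes the user settings a logon session receives with and without loopback, and lists the user-side settings that loopback drops or overrides on the break-room machine. The GPO names Staff_Restrictions and BreakRoom_PC and the "Block personal web browsing" label are constructed for illustration.

```python
CONTROL_PANEL = "Prohibit access to the Control Panel"   # setting used in this chapter
WEB_BLOCK = "Block personal web browsing"                # constructed label, not a real policy name

# Constructed sample data: (GPO name, user-configuration settings) in processing order.
USER_GPOS = [("Staff_Restrictions", {CONTROL_PANEL: "Enabled", WEB_BLOCK: "Enabled"})]
COMPUTER_GPOS = [("BreakRoom_PC", {WEB_BLOCK: "Disabled"})]


def apply_in_order(gpos):
    """Apply user-configuration settings in order; a later GPO wins a conflict."""
    result = {}
    for name, user_config in gpos:
        for setting, value in user_config.items():
            result[setting] = (value, name)
    return result


def session_settings(user_gpos, computer_gpos, loopback=None):
    """User settings for a logon session on one computer.

    loopback=None       normal processing: only GPOs scoped to the user count
    loopback="replace"  only the user settings of GPOs scoped to the computer count
    loopback="merge"    user GPOs first, then computer GPOs, which win conflicts
    """
    if loopback is None:
        return apply_in_order(user_gpos)
    if loopback == "replace":
        return apply_in_order(computer_gpos)
    if loopback == "merge":
        return apply_in_order(list(user_gpos) + list(computer_gpos))
    raise ValueError(f"unknown loopback mode: {loopback!r}")


def dropped_by_loopback(user_gpos, computer_gpos, loopback):
    """User-side settings that no longer reach the session at all."""
    before = apply_in_order(user_gpos)
    after = session_settings(user_gpos, computer_gpos, loopback)
    return sorted(s for s in before if s not in after)


def overridden_by_loopback(user_gpos, computer_gpos, loopback):
    """User-side settings still present but now decided by a computer-side GPO."""
    before = apply_in_order(user_gpos)
    after = session_settings(user_gpos, computer_gpos, loopback)
    return sorted(s for s in before if s in after and after[s] != before[s])


if __name__ == "__main__":
    for mode in (None, "merge", "replace"):
        print(mode, session_settings(USER_GPOS, COMPUTER_GPOS, mode))
        if mode:
            print("  dropped:", dropped_by_loopback(USER_GPOS, COMPUTER_GPOS, mode))
            print("  overridden:", overridden_by_loopback(USER_GPOS, COMPUTER_GPOS, mode))
```

In replace mode the Control Panel restriction disappears on the break-room machine because the computer-side GPO never restates it, so any user restriction that must still hold there has to be configured in the GPO linked to that computer.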

Group Policy Propagation

With every version of Windows Server since Group Policy was first implemented, Group Policy has automatically refreshed every 90 minutes as these policies are replicated. This means that whenever you place a new Group Policy setting, this policy won’t be enforced unless a major system event happens, such as the computer starting or a user logging out and logging in. If you’ve ever implemented a Group Policy setting and want it to be propagated immediately, you can use the gpupdate command. This command allows you to target computer or user policy settings and force them to update. For example, the following command, run on the computer itself:

gpupdate /target:computer /force

would force that computer to update its computer policy immediately.

Backing Up GPOs

If you ask me, or just about any other administrator, Group Policy can be hard work. And if you have any skill with system administration, you should have already learned that any administrator worth his or her salt tries to do as little real honest-to-God hard work as possible. Just kidding. Well, maybe. Regardless, because so much goes into creating Group Policy, it’s important that you back it up so you don’t have to do it again.

Microsoft SBS 2008 has an easy convention for backing up all the GPOs in your infrastructure. From the GPMC, select the Group Policy object, right-click it, and select Backup All. This opens the dialog box you see in Figure 7.6. Note that the Backup Object box does not back up IPsec or WMI filters.

To back up your files, you’ll need to click Browse and select a location within your directory structure to store the backup files. Note that you can add a description to the backup. Personally, I find it useful to include a date. For example, 6_09_2013 would show a backup for June 9, 2013.

Once you click Back Up, the process begins. Sometimes it can take a little while. But at the end of it, you should see something like this:

GPO: Default Domain Controllers Policy...Succeeded
-----------------------------------------------------------------------------
GPO: Default Domain Policy...Succeeded
-----------------------------------------------------------------------------
GPO: Remove_ControlPanel...Succeeded
-----------------------------------------------------------------------------
GPO: Small Business Server Folder Redirection Policy...Succeeded
-----------------------------------------------------------------------------
GPO: Update Services Client Computers Policy...Succeeded
-----------------------------------------------------------------------------
GPO: Update Services Common Settings Policy...Succeeded
-----------------------------------------------------------------------------
GPO: Update Services Server Computers Policy...Succeeded
-----------------------------------------------------------------------------
GPO: Windows SBS Client - Windows Vista Policy...Succeeded
-----------------------------------------------------------------------------
GPO: Windows SBS Client - Windows XP Policy...Succeeded
-----------------------------------------------------------------------------
GPO: Windows SBS Client Policy...Succeeded
-----------------------------------------------------------------------------
GPO: Windows SBS CSE Policy...Succeeded
-----------------------------------------------------------------------------
GPO: Windows SBS User Policy...Succeeded
-----------------------------------------------------------------------------

12 GPOs were successfully backed up.
0 GPOs were not backed up.

Figure 7.6: Backing up a Group Policy object

If a GPO isn’t backed up for whatever reason, it will be displayed. This can happen sometimes if a GPO is linked to multiple different areas and it throws an exception. I’ve seen this maybe twice, though, so it’s rare.

To restore the backup, you can just right-click the GPO and select Manage Backups. Then choose the GPO you want to restore from the backup.


Special Uses of Group Policy

Beyond simple restrictions and permissions, Group Policy has several other special applications you need to be familiar with to properly administer it. These features include the ability to deploy software, redirect user folders, publish applications, and control user profiles. As a small-business administrator, you really need to be familiar with how to use Group Policy to accomplish these applications so that you can remove the need for users to request software, files, folders, or information necessary to do their job. Instead, it’s all automated through a simple application of Group Policy.

Software Deployment

The grand prize of administration (or certainly the door prize) is the ability to watch your users log on, retrieve software they need to do their job, and not bother you one little bit.

Through Windows Server Group Policy, you can choose where to apply your Group Policy, whether it’s on users, groups, or even computers. Group Policy allows you to be very specific with where the applications or software is deployed and who has access to it. In this section, I’ll go through several exercises that will take you through this step-by-step.

Prerequisites for Deployment

Group Policy software deployment requires three essential elements to be completed successfully:

Licenses for the appropriate software: Not all software can be deployed at whim. In the case of programs like Microsoft Office, you need to make sure that you have the proper licenses to deploy the software how you would like.

A distributed file system share or shared folder: At some point in your infrastructure, you need a publicly accessible folder that contains the software installation files necessary to complete your software. Specifically, this DFS or file share folder should contain the permissions shown in Table 7.2. Your software should be placed within this folder.

Table 7.2: DFS/File Share Settings

| Account | Permission |
| --- | --- |
| Authenticated Users | Read and Execute |
| Domain Computers | Read and Execute |
| Administrators | Full Control |

Appropriate Group Policy settings: These are set up in your GPO, and the link is created in the GPMC.

Preparing Your Software for Deployment

Preparing your software for deployment is a prerequisite, so you should have created a shared folder or DFS where you have either installed your software or placed your setup files. The easiest way to do this is to create a shared folder, share it, and then place all the required files in that location. By making a shared folder, you allow Active Directory to access the folder and share all the setup information contained within it.

Creating Software Deployment Policies

To create a software deployment point, you first have to create a Group Policy object in your domain like you did earlier in the chapter. Then, in the Group Policy Management Console, you’ll need to define your software deployment policies for the new GPO you’ve just created. You can do this by expanding Computer Configuration > Policies > Software Settings and then right-clicking Software Settings and choosing Properties. This will open the Software Installation Properties dialog box you see in Figure 7.7.

Figure 7.7: Software Installation Properties dialog box

In the Default Package Location text box on the General tab, you can either manually enter the directory of your software or click the Browse button to find it. Then, you can choose from two different sets of settings — one for determining the new package addition settings and the other for installing user interface options.

There are four options contained within the New Packages area:

Display: Displays a dialog box to the user that asks if they’d like to install software

Publish: Publishes the application with default settings

Assign: Automatically assigns the application with default settings

Advanced: Offers customized settings with two options:

    Basic: The user has limited perception of the installation taking place.

    Maximum: The user can see everything happening during the installation.


On the Advanced tab of the Software Installation Properties dialog box, you can choose to uninstall the application when it falls out of the scope of management, and you can also specify the types of applications that can be installed on 64-bit machines (since they natively support x64 and not x86). The File Extensions tab allows certain types of files to take priority, but it will be blank the first time you create a software installation object. Later, it will be populated with known and associated software packages. Lastly, the Categories tab allows you to create categories of software for user browsing. For example, you could create a category called Office Software, which could contain Microsoft Office or Microsoft Works.

Once you’ve made your software installation decisions, you can assign a software package to your Software Installation folder. You can do this by right-clicking the Software Installation GPO in the Group Policy Management Console and selecting New > Package. You’ll then need to browse to the folder or DFS where you’ve shared your packages (MSI or ZAP files) and click Open. After answering a few self-explanatory questions, the policy will complete.

Group Policy Preferences

New to Windows Server 2008, Group Policy preferences allow administrators to implement preferences on existing GPO links. This is a really impressive new feature, because Group Policy preferences have really changed a lot of the available features and settings you can use with Windows Active Directory. This includes the ability to map drives, create logon scripts, and administer settings. Overall, there are some very major differences between Group Policy preferences and Group Policy settings that you need to be familiar with, as summarized in Table 7.3.

Table 7.3: Group Policy Preferences vs. Settings

Group Policy Preferences                  Group Policy Settings
Not enforced                              Enforced
Can affect individual files               Cannot affect individual files
Cannot be used at a local level           Can be used at a local level
Supports non–Group Policy applications    Can be used only with Group-Policy-aware applications
Overrides settings                        Does not change settings
Very specific                             Very general
Easy to use                               Fairly complicated

Microsoft has published an informative white paper on Group Policy preferences for the full version of Windows Server 2008. If you’re interested, you can find it in the Microsoft White Paper Downloads section. Microsoft gives a detailed explanation of Group Policy preferences, as well as a decision tree of whether you should use Group Policy preferences. Effectively, you should use Group Policy preferences if any of the following apply to you:


◆ Your application does not understand Group Policy.

◆ The user needs to be able to change the settings in the policy.

◆ You require finer control of a Group Policy setting.

Group Policy preferences generally tend to take one of four forms:

Create: Creates a new Group Policy preference

Replace: Replaces another Group Policy preference

Update: Updates a Group Policy preference with another setting

Delete: Deletes a Group Policy preference

Group Policy preferences are divided into two different areas: Windows Settings and Control Panel Settings. In Windows Settings, you can control the following:

◆ Applications

◆ Drive maps

◆ Environment settings

◆ Files

◆ Folders

◆ INI files

◆ Registry settings

◆ Shortcuts

In Control Panel Settings, you can control the following:

◆ Data sources

◆ Devices

◆ Folder options

◆ Internet settings

◆ Local users and groups

◆ Network options

◆ Power options

◆ Printers

◆ Regional options

◆ Scheduled tasks

◆ Start menu

Let’s take a look at an example of applying a Group Policy preference in the following exercise.


Applying Group Policy Preferences: Mapping a Drive

To complete this exercise, you will need to be logged on as a domain or enterprise administrator.

1. Open the Group Policy Management Console by selecting Start > Administrative Tools > Group Policy Management.

2. Either create a new GPO for your setting or right-click an existing GPO and select Edit.

3. In the Group Policy Management Console, expand User Configuration\Preferences\Windows Settings, and select Drive Maps.

4. In the whitespace, right-click and select New > Mapped Drive.

5. Select Create as your action.

6. Select the location of your mapped drive by clicking the ellipsis (...) button by the Location button.

7. Click Find Now at the Active Directory search location.

8. Select your map drive.

9. Click OK.

Group Policy Results

One of the last features you need to understand about Group Policy management with Windows Small Business Server 2008 is the Group Policy Results Wizard. The Group Policy Results Wizard is the primary tool you can use to view group policies and see which policies are applied first and where they are applied. Like most wizards, the Group Policy Results Wizard is fairly easy to understand and use.

Using the Group Policy Results Wizard is as simple as opening the GPMC, right-clicking Group Policy Results, and navigating through the wizard. There are a couple options, such as who is going to be generating the results and which computer the wizard is being run upon. Once the wizard completes, the results will be displayed underneath the Group Policy Results folder. There, you can view reports of the policy by selecting the report, and you can even rerun the query. This is a very nifty feature if you ever want to check to see how your policies are applying across the network.

The Bottom Line

Create Group Policy objects: Group Policy objects in Active Directory allow you to create a policy and link it to a location somewhere in Active Directory. GPOs are Active Directory objects and do not take effect unless they are linked; otherwise, they are just static objects.

Master It: Create a Group Policy object that turns off crash detection for Internet Explorer.

Link a Group Policy object to an Active Directory object: Group Policy objects do not have any effect until they are linked. With Windows Server, you need to link an existing GPO to an area within Active Directory.

Master It: Create a new GPO called Test, and leave it unlinked. Then, manually link Test to an OU in your directory infrastructure.

Edit a Group Policy object: Group Policy usually requires a great deal of maintenance. This is usually conducted through the Group Policy Management Console.

Master It: Edit the Internet Explorer Crash Detection object to allow crash detection, and then enforce full-screen mode.

Delete a Group Policy object: Removing a Group Policy object involves deleting the object and any links associated with that object. Otherwise, there can be unresolved components of your Active Directory infrastructure.

Master It: Remove the Test GPO link, and delete the Test GPO with no conflicts.


Chapter 8

Backing Up and Performing Disaster Recovery

If you can find an administrator who’s never had to restore from some sort of disaster, failure, or act of nature, I’ll give you a prize. More so than any other problem, failure to establish a safe and thorough backup in a small, medium, or large enterprise can result in the loss of tens of thousands, if not millions, of dollars in lost productivity, information, and potential revenue. Furthermore, in the past decade, technology has evolved so fast that we upgrade, change, or evolve our network at a never-before-seen pace. With these changes there is often a difference in the way we do business, but there’s very rarely a change in the data that we use. At the end of the day, we always seem to keep hold of the same old data.

Therefore, it has become important over the past few years to be exceedingly diligent and attentive with your backup strategy. Without a strong backup plan, you could potentially lose financial information, sales figures, documentation, websites, programming files, and a cornucopia of other precious information.

In this chapter, I’ll discuss the myriad of backup opportunities available with Small Business Server 2008. In some cases, this method is Windows, but this chapter will also extend to general backup strategies and third-party tools and tool types you can use to ensure your company is properly backed up. I’ll start this discussion by covering one of the most important concepts in all of information technology: RAID.

In this chapter, you will learn how to

◆ Understand RAID

◆ Recognize different backup media types

◆ Implement a backup strategy

◆ Recover data

RAID

In the world of making backups, the often-used “first line of defense” against a potential problem is the use of a Redundant Array of Independent (or Inexpensive) Disks (RAID). At this point in your career, you have probably set up or used machines that have been RAID capable, or you have set up RAID yourself. And if not, RAID isn’t such a bad thing.

RAID is just what it sounds like:

Redundant: Meaning more than one

Array: An organized collection

Independent: In and of itself, belonging to only one portion of the organization

Disks: A hard disk drive

RAID is used in businesses to collect large amounts of data into one place for the purpose of being distributed in different ways throughout your business. For example, say your business needs 4TB of hard disk space on a shared drive that users in your small business use for storing video and music (for business purposes, of course). Well, that’s all fine and dandy, but what happens if you only have four 1TB drives? You’re out of luck, right? Wrong.

With RAID, you can combine these four independent disks into one very large array. Specifically, as an administrator, you can collect these four disks together via RAID and make them one giant collection of data. Effectively, they’re one giant hard drive.

RAID can be achieved in one of two fashions (or types) that each support multiple different types of RAID implementations. The first type of RAID is called software RAID. This is when a piece of software, usually an operating system, collects disk data and uses its own knowledge of the existing hardware to make another piece of software see these disks as a large volume. It’s a handy trick, and if you don’t care about a couple of limitations (such as that this drive won’t be able to be booted from, and there are little to no backup measures besides the operating system’s own software configuration), it’s a very handy method.

The second type of RAID is called hardware RAID. This is when a piece of hardware (usually a RAID configuration card) configures the RAID in such a way that the hardware collects the data of these drives together through the use of the hardware’s onboard software. I’ll now go into both of these RAID types in more detail.

Software RAIDs

The simplest form of RAID is configured in software. With this type of configuration, the administrator uses multiple available drives and storage devices to combine available space into one (or multiple) logical drive for the purpose of storing large amounts of data over several volumes. Normally, software RAID is used in situations where there is a large amount of non-mission-critical data space accessible over several drives that are not linked together in hardware.

Using Windows Small Business Server 2008, administrators can easily span a RAID together through the use of Windows Disk utilities. However, each disk used in the RAID must be configured as a dynamic disk. Let’s talk about what that means.

In Windows, there are two types of disks, simple and dynamic. A simple disk is, well, simple! It’s just a disk that isn’t going to do anything special. It’s going to sit there, say “I’m a hard drive,” and spit out data all day long. A dynamic disk, on the other hand, is a disk that has been configured by the operating system to take place in logical partitioning. If you remember from your early computing years, a hard drive partition is a logical separation of a hard drive into multiple parts. A logical partition is the logical separation of an already logically partitioned drive. Makes perfect sense, right? Well, maybe not. What it really means is that a hard drive, which contains a certain amount of data, was separated when it was first created into


different portions or parts called partitions. Then, each of these partitions has been further separated into even further “logical” partitions that are taken advantage of in software.

Once a disk is made dynamic, disk utilities can store the software “RAIDed” data in either RAID 0, RAID 1, or RAID 5, all of which will be discussed in the “RAID Configurations” section, after I go over hardware RAID.

Hardware RAIDs

A hardware RAID is a RAID in which individual drives have been partitioned and segmented through the use of a hardware device, such as a RAID card, in such a way that the operating system or software recognizes them as one independent device or a custom number of independent devices as determined by the administrator during setup. Some advantages of hardware RAID are that it is faster, is more efficient, and involves less burden on the server to set up than software RAID. However, it is also much more expensive because it requires you to purchase dedicated hardware.

One of the biggest advantages to hardware RAID is that it doesn’t rely upon something as fickle as an operating system (not that all operating systems are that bad; some are friendlier than others). Hardware RAID takes the decision of what a hard drive actually is, whether simple or dynamic, away from the operating system and instead tells the operating system through hardware that “these drives are actually one disk.” The operating system then just accepts this, because operating systems are software and can complete tasks only so long as the pieces of hardware allow them. If a piece of hardware says “I am a 4TB disk” to the operating system, the operating system will just say “OK, got it” and move on with its life, treating that disk as a 4TB device.

Once you’ve decided whether to use hardware or software RAID, you then have to decide which of the multiple RAID types you’ll use to set up your RAID. I’ll talk about these RAID types in the next section, “RAID Configurations.”

RAID for Speed!

It’s often surprising that many administrators don’t realize there are other benefits to RAID beyond maximizing space and reliability. RAIDs can actually make your applications and operating system blazingly fast! This is because when you spread data across multiple volumes in an array (like in RAID 0 or RAID 5), multiple hard drives can be working at the same time. So, for example, say you had four drives all arrayed into one large collection. If you tried to retrieve part of the data from one drive, you would have four different volumes all trying to churn out any piece of that data they had.

In other words, if you have a 1GB file, such as an operating system installation, and you wanted to retrieve that file, approximately 250MB of that file would be placed on four different volumes. Thus, when you try to retrieve that data, the drives all work together with each one only having to put out their portion. This means that instead of shooting out 1,000MB for one drive, you only have to shoot out 250MB, just four volumes at a time.

This concept is critical for installations on I/O-intensive applications like SQL Server. If SQL Server is placed on a server with an array spanned across multiple drives, the speed is going to be greatly enhanced. Of course, when you spread out data onto multiple drives, you face a problem: what happens if one of those drives fails? There are ways to recover, as you’ll learn about in the “RAID 1” and “RAID 5” configuration sections, but it’s still a risk.


RAID Configurations

Administrators can use RAID in several ways to place data across multiple volumes and create redundancy and fault tolerance. These different methods exist because every project and every server has its own purpose. Does it need to be up all the time? Is the data vital to the completion of business? Is it wise to have this data spanned across multiple drives for the sake of speed at the risk of drive volatility? All these questions have to be asked and solutions provided for them.

With most operating systems or RAID cards, there are three RAID types, as well as a hybrid of those types. These RAID types are as follows:

◆ RAID 0

◆ RAID 1

◆ RAID 5

◆ Hybrid (RAID 01)

RAID 0

RAID 0, or striping, is the process of taking several disks and combining them into one large, maximum-speed disk. In the industry, RAID 0 is often referred to as a span. RAID 0 provides no fault tolerance, and thus it’s used only for data that is not mission critical and can be easily recovered. However, RAID 0 does have several important benefits. First, it is the fastest of all RAID types. Using RAID 0, you can achieve speeds of data input and output far greater than any other RAID configuration. Furthermore, RAID 0 is also the easiest to set up.

A lot of organizations use RAID 0 on a server that is critical to business when on a limited budget. This is because RAID 0, in combination with another technology such as tape backup, can provide an excellent means of cost-effective storage.

Obviously, RAID 0 is supported in both hardware and software configurations. However, RAID 0 cannot be booted from in software configuration. This is because the operating system as it boots has no idea where to find the drive with the existing NT loader. Thus, in order to trick the operating system into understanding RAID 0, a hardware device is required.

When to Use RAID 0

RAID 0 is an incredibly useful feature for small businesses that deal mainly with a large amount of data that doesn’t need backup protection. A great example of a company that might use RAID 0 is a graphic design firm, which may use a large scrap volume for their images. They could use RAID 0 to collect the volume and place it on the disk and not have to worry about losing the scraps if a drive goes bad.

RAID 1

RAID 1 is referred to as mirroring. In RAID 1, a bit-for-bit copy is exchanged from one drive to another. If a change is made to one drive, the change is matched to another drive that is a mirror image of it. This way, if one drive ever goes bad, you instantly have access to a direct copy of that drive to pick up where you last left off and recover to your full operating potential.


The disadvantages of RAID 1 are that it’s slow and provides no methods for data efficiency but, more important, that it provides less access to space than you would normally have with two separate drives. When using RAID 0, you would have access to twice the amount of data than you would with RAID 1, because for each individual drive that is used, there is a completely separate drive that remains relatively inactive because it just copies data.

When to Use RAID 1

For your small business, RAID 1 is useful in situations that require a drive’s data to be completely and reliably backed up. This configuration not only allows for critical data backup but also provides the means to restore that data in nearly no time.

RAID 5

When RAID 5 was first introduced, a lot of administrators called it “black magic.” That’s because they just couldn’t figure out how it worked! Most administrators, including me, just looked at RAID 5 and knew the following: “It provides speed increases and redundancy.”

The truth is, RAID 5 is actually fairly easy to explain, though I imagine it wasn’t quite as easy to engineer. RAID 5 makes use of a parity bit. A parity bit is just a 1 or 0 that is placed on a drive dedicated to storing parity bits.

What a parity bit is responsible for is answering the question, “Is this data different?” RAID 5 uses a minimum of three drives: two that store data and one that stores the parity bits. The way the parity bit comes about is by taking data on the first drive, comparing it with data on the second drive, and saying “Is this different?” So, for example, say you have three drives like in Figure 8.1.

Figure 8.1: Parity bits

1 0 1
0 1 1
1 0 1
0 0 0
1 1 0
0 1 1
1 0 1
1 1 0

In row A, Drive1 has a 1 in its first bit, and Drive2 has a 0 in its first bit. Well, those two numbers are different. Thus, the parity bit is set to 1. On row B, Drive1 has a 1 in its second bit, and Drive2 also has a 1. Since these are the same, the parity bit has been set to 0 and basically says, “False. These are not different.”

Let’s see what this accomplishes. Say I lose one drive, like Drive1 in Figure 8.2. Well, my data is gone, right? Wrong. I have a parity drive! By looking at this, I can do as you see in Figure 8.3 to compare this data and say, “Well, if the parity bit is a 0, I can assume this data is the same. If it’s a 1, I can place the opposite data from what’s contained in the working drive.”

Thus, you can see how if you lose one drive with your data on it, the parity bit can help you rebuild the data. Now, of course, if you lose the parity drive, you’ll be perfectly fine because this drive is used to store only parity information, not actual data like the main drives. In this case, you could replace the failed parity drive with a new drive that would rebuild its parity information by comparing the two existing drives bit by bit.

Figure 8.2: Failed drive

1 × 1
0 × 1
1 × 1
0 × 0
1 × 0
0 × 1
1 × 1
1 × 0

Figure 8.3: Drive rebuild

1 × 1 = 0
0 × 1 = 1
1 × 1 = 0
0 × 0 = 0
1 × 0 = 1
0 × 1 = 1
1 × 1 = 0
1 × 0 = 1

As you can see, there is a huge advantage to RAID 5. It’s both fast and offers redundancy. But there are also some major downsides. For one thing, it’s expensive and requires at least three drives. Also, RAID 5 cannot be booted from unless you have a hardware RAID card, just like RAID 0. However, for a high-budget enterprise solution, RAID 5 is priceless.
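The "is this different?" comparison walked through in Figures 8.1 to 8.3 is an exclusive OR (XOR). The following Python sketch is an added example, not from the book, that extends it from single bits to byte chunks and any number of drives; the function names and sample data are assumptions of the example. With `rotate=True` the parity chunk lands on a different drive for each stripe, the usual RAID 5 layout, while `rotate=False` keeps it on one drive as in the chapter's description.

```python
from functools import reduce


def xor_blocks(blocks):
    """XOR equal-length byte strings together, position by position."""
    return bytes(reduce(lambda a, b: a ^ b, column) for column in zip(*blocks))


def parity_index(stripe, n_drives, rotate):
    """Which drive holds the parity chunk for a given stripe number."""
    return (n_drives - 1 - stripe % n_drives) if rotate else n_drives - 1


def build_array(data, n_drives=3, chunk=4, rotate=True):
    """Stripe data over n_drives, adding one XOR parity chunk per stripe.

    Returns a list of drives; each drive is a list of chunk-sized byte strings.
    """
    if n_drives < 3:
        raise ValueError("RAID 5 needs at least three drives")
    per_stripe = chunk * (n_drives - 1)
    padded = data + bytes(-len(data) % per_stripe)   # zero-pad the last stripe
    drives = [[] for _ in range(n_drives)]
    for stripe, offset in enumerate(range(0, len(padded), per_stripe)):
        chunks = [padded[offset + i * chunk: offset + (i + 1) * chunk]
                  for i in range(n_drives - 1)]
        parity = xor_blocks(chunks)
        p = parity_index(stripe, n_drives, rotate)
        remaining = iter(chunks)
        for d in range(n_drives):
            drives[d].append(parity if d == p else next(remaining))
    return drives


def rebuild_drive(drives, failed):
    """Recompute every chunk of one failed drive from the surviving drives."""
    survivors = [d for i, d in enumerate(drives) if i != failed]
    if any(d is None for d in survivors):
        raise ValueError("single parity cannot recover more than one lost drive")
    # XOR of all surviving chunks in a stripe equals the missing chunk,
    # whether that chunk held data or parity.
    return [xor_blocks(stripe) for stripe in zip(*survivors)]


def read_data(drives, length, rotate=True):
    """Reassemble the original bytes, skipping the parity chunk in each stripe."""
    n_drives = len(drives)
    out = bytearray()
    for stripe in range(len(drives[0])):
        p = parity_index(stripe, n_drives, rotate)
        for d in range(n_drives):
            if d != p:
                out += drives[d][stripe]
    return bytes(out[:length])


def demo():
    """Lose drive 1 of a four-drive array, rebuild it, and read the data back."""
    data = b"constructed sample: quarterly sales figures"
    drives = build_array(data, n_drives=4, chunk=4)
    drives[1] = None                       # simulated drive failure
    drives[1] = rebuild_drive(drives, 1)
    return read_data(drives, len(data)) == data


if __name__ == "__main__":
    print("recovered intact:", demo())
```

Losing a second drive before the rebuild finishes leaves nothing to XOR against, which is why `rebuild_drive` refuses that case.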

When to Use RAID 5

RAID 5 is the de facto standard of RAID configurations. Unless another configuration offers clear, specific benefits for your situation, use this as your default RAID configuration and the normalized method of RAID (if your budget allows).

Hybrid (RAID 01)

RAID 01, also called RAID 0+1, is the first of several “mixed RAID” modes that are available on the high end of storage solutions. In the enterprise, you’ll often run into situations where a simple storage solution utilizing one of the three main RAID types (0, 1, 5) will not be enough, and so you’ll need the advantage of another type of RAID.

This type of situation most commonly occurs when an organization demands the speed and accessibility of RAID 0 but also desires the reliability that only RAID 1 can bring. RAID 5 can provide some of these features, in that it can both provide redundancy and improve speeds, but on its own RAID 5 cannot completely stripe together several volumes and then completely mirror them.

Using RAID 01, an entire stripe is mirrored onto a completely different stripe. This means there are effectively two complete RAIDs, each of which contains mirror-like setups of their


disk configuration. And these RAIDs have been set up to mirror each other’s data. In other words, you’re mirroring an entire RAID, not just a drive.

As mentioned earlier, this is very useful for high-end, demanding environments, but it’s not good for all users. First, RAID 01 is probably the single most expensive implementation of RAID because it requires multiple drives with an exact mirror of the same multiple drives. Thus, you can’t really have RAID 01 without a minimum of four hard drives (two for the stripe and two for the second mirrored stripe). In the real world, you should use this when the organization can afford it and when both speed and reliability are absolutely essential.

When to Use a Hybrid RAID

The main point of using a hybrid RAID is to create a situation where we achieve both speed and redundancy in the same location. Because of this, you should consider implementing a hybrid RAID in a spot where you need the advantages of one type of RAID, say the speed of “0” and the redundancy of “1” in one place.

Backup Media Types

With Small Business Server, you have only one central point of access for your infrastructure’s data. This means you need to make sure this central point of possible failure has its information offloaded onto different backup types on a frequent basis. Notably, with SBS 2008 you usually take advantage of one of three backup media types:

◆ External disks

◆ Tape backup

◆ SAN/NAS

The type of implementation you use depends a lot on your organizational needs and your company budget. Since you’re using SBS, chances are your budget is relatively small, and some of the more elaborate backup options will not be available to you. But in the following sections, I’ll go over each of these backup media types and a typical scenario where these are commonly used.

External Disks

External disk drives are hard drives that are connected externally to a computer through various media attachment methods, such as FireWire (IEEE 1394) and Universal Serial Bus (USB). USB and FireWire technology have several notably different speeds.

FireWire

FireWire typically comes in two major varieties: FireWire 400 and FireWire 800. FireWire 400 is, as of the printing of this book, the most common implementation of FireWire. It supports the following speeds:

◆ 100Mb per second

◆ 200Mb per second

◆ 400Mb per second


Although technically the rates of these transfers are 98.304, 196.608, and 393.216Mb per second, the numbers are so relatively close that it’s easier to just condense them to these three speeds. Small businesses usually use FireWire 400 for single-disk external drives that don’t support any form of redundancy. FireWire 400 is an excellent choice for these types of implementations because FireWire’s speed of 400Mb per second roughly translates to 50MB per second, which is very close to the maximum transfer rate of a single hard drive. However, some new hard drives have been measured to output up to astonishingly high numbers, including 80MB per second. Thus, in the future, FireWire 800 may be the more popular solution.

FireWire 800 supports the same speeds as its predecessor, FireWire 400, along with an even higher speed of 800Mb per second (although this is technically 786.432Mb per second). In the small-business environment, FireWire 800 is used to transfer data to external hard drives that either are high performance or have some form of redundancy built in through the enclosure.

The only noticeable physical difference between FireWire 800 and FireWire 400 is that FireWire 800 has a different connection device attached to the end of it that is much more distinctly square. Some modern hard drives will actually contain both. However, the conundrum that can pop up is that FireWire supports massively high transfer rates, but most hard drives are usually peaked in the range of 50MB–100MB/sec, depending on how fast the particular drive is. But (at least for the foreseeable future), there are no hard drives that can peak out up to the rate of FireWire. Of course, the exception to this is if you have a hardware RAID device that contains multiple hard drives that can put all their data out together in one very fast stream.

At the small-business level, FireWire is especially useful because FireWire, unlike USB (discussed in the next section), requires very little processing power to both attach devices and transfer data. If you’re operating a Small Business Server that’s under a pretty heavy load, it’s probably a good idea to consider using FireWire attachments, because they can be easily added and not tax your server.

USB

USB is the second of two types of external connection methods I’ll discuss. Far more common than FireWire, USB is used to attach hard drives, keyboards, mice, and various external devices to computers. At the small-business level, USB is used for many different purposes, including backup. Technically, using USB, Small Business Server can connect up to 127 external devices, which will communicate at potentially extremely fast speeds.

USB comes in two different flavors used with Small Business Server:

◆ USB 1.1

◆ USB 2.0

However, USB 1.1 is nearly obsolete. It’s only important to mention because certain devices, such as mice and keyboards, connect at USB 1.1 instead of 2.0. Also, USB 1.1 is easier on the CPU, because it requires less of a transfer rate. It’s important to note that, unless a USB external disk is connected at a speed of USB 2.0, the hard drive will run extremely slow. The difference between these two types of USB connections is dramatic:

◆ USB 1.1 transfers at a rate of 12Mb per second.

◆ USB 2.0 transfers at a rate of 480Mb per second.

Using USB 2.0, you can transfer data at an extremely fast rate and connect multiple devices easily. The only downside to USB is that it requires processing power to transfer data across it, and USB-bootable devices can cause potential problems within the server’s BIOS because USB has a bad habit of placing itself as a priority boot device. If this happens to you for some reason, you’ll know it because after you’ve attached a bootable USB device (including a CD/DVD-ROM), the machine will boot into a black screen and either not progress or show that the system disk is invalid. You can easily solve this by just unplugging the USB device and rebooting your server, although it’s a bit of a pain sometimes.

Using External Drives with Small Business Server

When I do work with small businesses, I frequently use external drives as an off-site storagemethod. Currently, external hard drives are available in multiple terabyte formats and cancontain a vast amount of data. This means there are many occasions where an entire server’s datacan be transferred to an external hard drive.

The only downside to this is that USB or FireWire hard drives are often slow and a little unreliable,because they’re usually just IDE or SATA drives attached to an (often even more unreliable) enclo-sure. But if you’re willing to look past that they’re a little unreliable, they can be a real lifesaver.More often than not, I use an external hard drive when I just need to know I have a quickly acces-sible backup in case of a failure. However, I don’t plan on using these hard drives as a critical pointof recovery but instead more as a quickly and easily accessible backup medium that may at onetime become needed.

Tape Backup

Quite possibly the most common and reliable type of critical recovery backup media is the tried-and-true form of tape backup. Tape backup has been used in the information technology industry for more than 20 years. Unlike other older technologies that no longer have their place in a modern world, tape seems to continue being a valuable technology.

However, in the coming years up to 2020, this will probably begin to change. With solid state drives becoming larger and larger and with hard drives as a backup form becoming more and more reliable, the need for slow and perishable tape will most likely fall into the annals of IT history. For the moment, however, you need to keep it in mind, because it’s still the king of a critical and reliable backup strategy because of its easy implementation, widespread support, and low cost.

Modern tape backup systems come in two different flavors: DAT and LTO.

DAT

The oldest and least common of the tape backup types is digital audio tape (DAT). DAT (as the name implies) was originally used for recording digital audio onto tape. Originally developed by Sony in the 1980s, DAT has become less common because it has now been relatively replaced by LTO technology, which I’ll discuss in the next section. However, in some circumstances, there may be an occasion where you do some consulting and run into a legacy DAT drive that a company may keep around to store small amounts of data (typically less than 50GB). But, in general, newer businesses will frequently use LTO.

LTO

By far the most common type of backup tape system, linear tape open (LTO) is a tape backup convention created by Hewlett-Packard in the 1990s. LTO currently comes in four different varieties:

◆ LTO-1

◆ LTO-2

◆ LTO-3

◆ LTO-4

Additionally, there are two newly planned implementations:

◆ LTO-5

◆ LTO-6

Using LTO, administrators can store up to 800GB per tape, depending on which of the LTO standards are used. Each of the numbers attached to the LTO standards (1, 2, 3, 4, 5*, 6* [Note that five and six are not yet released]) indicates the generation of LTO that the tape and drive are. LTO-1 came out in 2000, then LTO-2 in 2003, LTO-3 in 2004, and LTO-4 in 2007. If you’re interested in seeing all the differences among the LTO generations, through LTO-6, you can check out Table 8.1.

Table 8.1: LTO Speeds

Specification   LTO-1     LTO-2     LTO-3     LTO-4
Capacity        100 GB    200 GB    400 GB    800 GB
Throughput      15 MB/s   40 MB/s   80 MB/s   120 MB/s

Source: “Linear Tape-Open,” Wikipedia. http://en.wikipedia.org/w/index.php?title=Linear_Tape-Open&oldid=319439289 (accessed October 14, 2009).

Note that LTO-4, unlike LTO-1 through LTO-3, supports encryption of its tapes through AES encryption.

When you look at an LTO tape cartridge, like the one in Figure 8.4, you can see that it’s a plastic container that has a red switch on the back of the tape. This switch indicates whether the tape is write-protected at a hardware level. When businesses are using LTO tapes, they commonly use an initial pass to back up their data and then mark the tape as write-protected; therefore, the data will never be overwritten and, theoretically, will be accessible for as long as the tape’s usable life is maintained.

This brings us to an unfortunate downside of LTO tapes: LTO tapes have a usable life span that can be finitely measured in several categories:

Time: LTO tapes have a cartridge life span of somewhere between 15 and 30 years if they are archived and not accessed or written to. Writing to these tapes, loading them, or otherwise altering them will shorten their life span.

Cartridge loads: Every time a cartridge loads or unloads, it shortens the life span. Cartridges can usually be loaded 5,000 times (with no other wear and tear) before expending their useful life.

Passes: When a tape is written to or read from, it passes the tape through the container, causing the tape to wear down. The number of times a tape can go through the container varies, depending on the tape length and generation.

Figure 8.4: LTO tape

Tape life can actually be broken down a lot further in an almost mathematical method. See “Linear Tape-Open,” on Wikipedia (http://en.wikipedia.org/w/index.php?title=Linear_Tape-Open&oldid=319439289, accessed October 14, 2009), which shows how the tape atrophy breakdown works for the currently existing generations of LTO.

Overall, tape provides a quick and easy method of critical backup recovery. Using tape, you can perform full or partial backups using differential, incremental, and other backup methods. All you need to keep in mind is that tape devices have different capacities, speeds, and levels of atrophy. By default, some Windows backup methods can detect a tape backup device, but it’s best to use third-party software from vendors such as Symantec and other backup providers.

In my experience with small businesses using SBS 2008, tape backups provide an excellent backup method that can be used to both initially back up software and then provide differential backup points. Typically with small businesses, you’d set up an initial backup to back up primary and critical points of the infrastructure that are likely never to change. Then, you’d set up a daily backup on a rotating tape that would keep track of the day-to-day changes and then a monthly backup that would keep track of the major progression changes that occur month to month.

SAN/NAS

Storage area networks (SANs) and network attached storage (NAS) are two types of storage architectural methods to attach storage to a server in an attempt to create available storage on decentralized locations somewhere in an infrastructure. SAN and NAS use different methods of organization to create a labeled volume that’s accessible throughout the entire infrastructure. At the small-business level, you use SAN and NAS to provide a backup location and also to expand the amount of storage that’s accessible to Small Business Server. In the following sections, I’ll cover these two types of attached storage and then go over the methods used to attach them in a small business.

SAN

Just about every small business could use a SAN. This is because SANs are a fast and efficient means of storing data throughout any business. A SAN is a system of network-style storage that is (in reality) just a computer dedicated to sharing files across the network. A SAN is usually a server that’s been lying around the closet for a while in a small business, but it can be a full-blown dedicated appliance, like one of Dell’s PowerVault machines. Basically, that machine is a bunch of disk storage with a lightweight operating system. Most companies use SANs when they have a limited budget and would like to find a solution that will collect a lot of data in one place and yet not drastically lower their throughput speeds. SAN provides an easy way to take several disks and place them on one single volume.

NAS

In effect, NAS is a self-contained computer connected to a network that supplies data throughout the rest of the network. This data is accessed through an operating system that’s accessing the formatted data through one of several protocols. The unit itself is not designed to house program files or to be used for general computing tasks but instead to only contain files. NAS devices are controlled and configured over the network, often through TCP/IP over a web browser on either port 80 or 8080 or through HTTPS on 443 (but this is rare). In effect, a NAS device is almost the same thing as having a computer that has file sharing enabled. The computer is a self-contained unit that can share files throughout a network, but it is a completely separate entity.

In much the same way as SAN, NAS can be accessed throughout an enterprise. NAS allows multiple computers to access data contained in the self-sufficient unit. At the small-business level, you normally use NAS as a separate point of access for general data, other than the Small Business Server itself. NAS can use several formatting styles, including FAT32, NTFS4, and NTFS5. However, with Small Business Server, you’re normally only accustomed to NTFS files, unless for some reason you need to support Linux devices on your network.

NAS devices are usually accessed by computers throughout your network through one of three major network file systems:

◆ Andrew File System (AFS)

◆ Network File System (NFS)

◆ Small Message Block (SMB)

These file systems allow multiple computers to access the data at any given time. Without these network file systems, you’d be restricted by the number of computers that could access the data. Each of these network file systems is available to you as a Windows System administrator, and each of these has its own strengths and weaknesses. At the small-business level, which one to actually implement in your environment depends a lot upon the type of business your small business does, along with how much security you require. I’ll go through each of these file systems one at a time.

AFS

The first of these file systems is the Andrew File System. In small businesses, this is the least commonly used; basically, the AFS file system takes advantage of extreme security methods through access control lists and quotas. AFS is not very common in the small business environment because AFS can take advantage of multiple computers by spreading data throughout various locations. There usually aren’t enough computers in small businesses to make this endeavor worthwhile.

That said, AFS is extremely advanced and very fast. Larger networks can use this multiple-location-based system for a fast network access system. However, files that are changed frequently are probably not the best application of it, because it has to distribute data across multiple locations. This said, if you just need to read data, you really can’t beat the speed. Tons of machines send you data all at once!

NFS

A second network file system available to you with Small Business Server is NFS. NFS is a system of network sharing used with Unix and Linux computers. In most environments, NFS is the de facto standard, and SBS 2008 can understand, read, and write to it. However, it’s not SBS’s preferred method, because Microsoft developed its own method: SMB. Small businesses tend to use NFS when they are supporting Linux clients. Linux (like all forms of Unix) understands NFS very well, and Windows Server 2008 supports the ability to implement an NFS share on the server itself. This means that, for the monetarily savvy consumer, they can download free copies of Linux distributions and then point them toward an NFS share. Not only is it easy to set up, but it’s cheap, too.

SMB

Other than being an acronym for “small to medium business,” SMB also stands for Server Message Block system, and it is the preferred network file system method used by Microsoft. SMB was originally developed by Microsoft in conjunction with IBM to form a network file system that could be used with Microsoft networks (preferably) but still be accessible to Unix and Linux machines.

Because SBS is a Microsoft standard, it is the preferred network file system method. Technically, the preferred method is actually SMB2 — a new implementation of SMB that’s available with Windows Vista, Windows 7, and all forms of Windows Server 2008. Using SMB, you can easily attach network shares. With NAS, the process is completely simple and often goes on without you knowing it.

For example, if you have a NAS drive, you can use the web interface to attach the NAS to your Windows Server and share the folder. Afterward, you can access it by going to your client machine (or your server) and entering the path of the file into the Explorer window. As an example, you could attach a client to your SBS computer and type the following:

\\MyServer\MyShare

where MyServer is the name of your SBS computer, and MyShare is the name of your shared folder. Without the user knowing, Small Business Server would use SMB to transport that name and access files across the network. This is important to point out because Windows Small Business Server makes this operation easy (and it does it straight out of the box), but it isn’t the only method available. You can use NFS and AFS in a similar manner. In fact, if you’re interested, you could probably play around a little bit with your Small Business Server and get SMB to go over NFS — but that’s beyond the scope of this section. Suffice to say, you need to know that SMB is the method used by your Windows Server to access network shares, just in case you have Linux, Macintosh, or Unix machines that have trouble accessing the data on your network file shares. These machines have to physically be told to use the SMB protocol.

For example, on a Macintosh, you’d need to navigate to the Finder > Connect area and then tell it to point to a virtual network path of SMB://MyServer/MyShare. Without this, the Macintosh would spend all day wondering where the NFS share of \MyServer\MyShare was, because that’s what it uses by default, since it’s a Unix system.

Differences Between NAS and SAN

To clarify, there are two primary differences between NAS and SAN. First, SAN and NAS are physically accessed through different types of connection devices. Second, SAN and NAS logically separate their data differently.

NAS uses one of the three network file system methods, as well as the possibility of the TCP/IP protocol. You can think of it this way — a SAN is a nearly or completely physical connection that’s attached to the server, and a NAS is attached logically across your network.

To give you a little history, NAS was with Novell’s NetWare file-sharing server software with something called the NCP protocol. For the most part, NCP is almost completely obsolete, because Unix came out with NFS only a year later. But it’s only in the past few years that NAS has become exceedingly popular because of the extremely fast access speeds of gigabit and higher-speed networks. Now, in the small business, you can use both SAN and NAS depending on which flavor suits you. And the best part? They both work really well!

Direct Attached Storage

Another type of storage strategy available to you, and one that is quite attractive to most administrators, is directly attached storage. Directly attached storage is an array system that’s been placed directly onto a server through either a Fibre Channel, iSCSI, or other high-speed connection method and accessed through a RAID card — just like internal RAID drives. Small businesses can use DAS to provide speedy and redundant array access. This would be a good technique for something under a lot of read/write demand, like a SQL Server database.

Implementing a Backup Strategy

Now that you understand the types of media you can use to create backup methods, you can finally begin to implement a true Windows Small Business Server 2008 backup strategy. Backup is more important at the small business level than for any other business size. Because of the small amount of data and the relatively few number of computers, a single server failure can result in a disaster. Thus, any mindful administrator of a small business will put together a well-thought-out and well-planned disaster recovery or backup strategy that consists of five distinct parts:

Windows NT data: This comprises Active Directory and all its components, including user profiles, computer names, and all accounts throughout your business.

Exchange/SQL data: This is your database and mail server data (I have not yet discussed this, but it’s still part of your backup strategy).

Critical business data: This is the data that, if lost, would make it difficult if not impossible to continue to operate.

Noncritical business data: This is data that is essential but not completely required for business functions.

Unsorted files: This is non-mission-critical and more easily replaceable data that can be considered an acceptable loss in the case of a disaster.

Backup is divided into multiple parts at any business level for a simple reason: you don’t want to put all your eggs in one basket! In the case of a disaster, you want to have your data divided into several sections. And in small businesses, you want to have the data divided into several sections and then, if possible, combined into one central point for ease of restoration. In effect, say you have the following amounts of data to back up:

◆ Windows NT data: 50GB

◆ Exchange/SQL data: 3GB

◆ Critical business data: 100GB

◆ Noncritical business data: 200GB

◆ Unsorted files: 1TB

All said and done, this is only 1.353TB. If you would have told me “only 1.3TB” 10 years ago, I think I would have had a heart attack. Anyway, today all this data can be contained in one single external hard drive, which can be accessed by NAS as you learned earlier in the chapter. It’s certainly different than the way it used to be. But that said, there are some old-school practices that still serve us well, because as you learned, NAS is for the most part unreliable. Accordingly, you need to treat each of your sections of backup with a different level of concern. I’ll talk about these sections one at a time, and I’ll also discuss how they can be treated in a small business and the best way to store each kind.

Windows NT Data

The first on the list of suspects with Windows backup is your Windows NT data. With Windows Server 2008, this process has gone from fairly complex and tedious to nearly simplistic. To back up Windows NT data, you can start from the SBS Console that you’ve become familiar with from the other chapters. Just click the backup. There, you see a distinct button that allows you to choose to configure backup on Windows Server. However, note that this button will result in an error unless you have a removable drive attached with at least 2.5 times the capacity of your main Windows drive containing your NT data!

After clicking Next at the wizard that will pop up (assuming you have a storage drive attached), select the drive you want to store the backup on. You can back up your data to any external storage drive that supports USB 2.0 or IEEE 1394 (FireWire). Currently, these drives are available with capacities of more than 1.5TB and should hold plenty of data. If you need to back up to an internal hard drive, you can select the Show All Valid Internal And External Backup Destinations check box. This way, all drives will show up, so long as they don’t have any system information on them (Linux counts!).

Windows Small Business Server can actually support multiple drives. In fact, if you do not attach a USB/FireWire drive, Windows Small Business Server will actually recommend that you attach two external drives to provide an effective backup strategy.

Justin Crosby and Damian Leibaschoff, noted Microsoft employees and excellent writers on the subject, wrote in a post on their blog on SBS 2008 backup that when you’re choosing an external storage drive for a server backup, you should consider using a drive that is going to be used for backup only. That way, it won’t (ideally) be used very often, because it will only be written to based on scheduling and perhaps a system restore.

Incremental and Differential Backup

Before Windows Small Business Server 2008, Windows Server supported many different types of backup:

Full: A complete and total backup

Partial: A backup that backs up all data since the last full backup to supplement the backup

Differential: A supplemental backup that measures the differences in backup since the last full backup

Incremental: A supplemental backup that takes all data “added on” since the last full backup and records them into a supplemental container

With Windows Small Business Server 2008, this tried-and-true notion has changed. This is because every backup with Small Business Server 2008 effectively always creates a full and differential backup with each backup.

Justin Crosby and Damian Leibaschoff, the same two employees of Microsoft credited with many of the changes in Small Business Server that make it what we know today, wrote an article (http://blogs.technet.com/sbs/archive/2008/11/03/introducing-sbs-2008-backup.aspx) that gave this example (roughly paraphrased):

Consider you have a file on your Small Business Server made up of four blocks: A, B, C, and D. This means that on the first backup conducted by SBS, the blocks (hereby referred to as ABCD) would transfer something like this:

ABCD (Source) ---> ABCD (Destination)

This means they’re copied from one place in a file structure, directly to another.

In the next backup cycle, let’s say the block A changed to A’. So, this time the file is A’BCD. Therefore, only A’ will be moved to the destination like this, and the block A will be saved in a separate location:

A’ (Source) ----> <Compared to ABCD> ----> Resolves to A’BCD (Destination)

In the metadata for the backup, the data of the change to A is then recorded.

In the next backup let’s say again A’ changed to A’’, so the file is now A’’BCD:

A’’ (Source) ----> <Compared to A’BCD> ----> A’’BCD (Destination)

A’ (Stored in Metadata)

A (Stored in Metadata)

Through this method, there is only ever one “backup” area with Small Business Server, along with some metadata. This is a really handy feature, because with the full versions of Windows Server 2008, you are really only left with the old tried-and-true conventions, and thus you end up having to make a lot of full, partial, and differential backups, which isn’t a whole lot of fun. SBS just makes everything so darn convenient! In their article, Justin and Damian also note that Windows Small Business Server 2008 will transfer the blocks only since the last rotation. If you wanted to restore to a particular backup version, the backup logic would go through the steps described earlier in reverse order and restore the specific blocks associated with the particular file and version.
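The block-level scheme described above, as an added Python model that is not code from the book, the cited article, or Windows Server Backup. The class and function names are hypothetical, the in-memory lists stand in for the real on-disk format (which the text does not describe), and the per-version SHA-256 check on restore is an assumption added here so that damaged metadata is detected rather than silently restored.

```python
import hashlib


def digest(blocks):
    """SHA-256 over a list of blocks, length-prefixed so block boundaries matter."""
    h = hashlib.sha256()
    for block in blocks:
        data = block.encode()
        h.update(len(data).to_bytes(4, "big") + data)
    return h.hexdigest()


class BackupTarget:
    """Toy model (not the real format): one newest image plus undo metadata."""

    def __init__(self):
        self.image = []    # the single "backup" area: newest copy of every block
        self.undo = []     # undo[k] = (old_length, {index: displaced block});
                           # applying it turns version k+2 back into version k+1
        self.digests = []  # digests[k] = hash of version k+1, taken at backup time

    def backup(self, source):
        """Run one backup of `source` (a list of blocks); return blocks transferred."""
        old_len = len(self.image)
        displaced = {}
        transferred = 0
        for i, block in enumerate(source):
            if i >= old_len:
                self.image.append(block)        # file grew: brand-new block
                transferred += 1
            elif self.image[i] != block:
                displaced[i] = self.image[i]    # old block moves to the metadata
                self.image[i] = block           # only the changed block is copied
                transferred += 1
        for i in range(len(source), old_len):   # file shrank: keep the dropped tail
            displaced[i] = self.image[i]
        del self.image[len(source):]
        if self.digests:                        # the first run has nothing to undo
            self.undo.append((old_len, displaced))
        self.digests.append(digest(self.image))
        return transferred

    def restore(self, version):
        """Rebuild version N (1 = first backup) by undoing newer runs in reverse."""
        if not 1 <= version <= len(self.digests):
            raise ValueError(f"no such backup version: {version}")
        blocks = list(self.image)
        for old_len, displaced in reversed(self.undo[version - 1:]):
            blocks = blocks[:old_len] + [None] * (old_len - len(blocks))
            for i, block in displaced.items():
                blocks[i] = block
        if None in blocks or digest(blocks) != self.digests[version - 1]:
            raise RuntimeError(f"version {version} failed its integrity check")
        return blocks


def demo():
    """Replay the text's ABCD file, then two constructed edge cases."""
    target = BackupTarget()
    runs = [                              # constructed sample data
        ["A", "B", "C", "D"],             # first backup: everything is copied
        ["A'", "B", "C", "D"],            # A changed to A'
        ["A''", "B", "C", "D"],           # A' changed to A''
        ["A''", "B", "C", "D", "E"],      # file grows by one block
        ["A''", "X", "C"],                # B overwritten and the tail lost
    ]
    sent = [target.backup(blocks) for blocks in runs]
    return target, sent


if __name__ == "__main__":
    target, sent = demo()
    print("blocks transferred per run:", sent)
    for version in range(1, 6):
        print(version, target.restore(version))
```

Restoring version 4 here recovers the file as it stood before block B was overwritten, which is the same reasoning as choosing a backup that predates an infection instead of the most recent one.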

Rotation for Reliability

If your small business has a lot of data that, if lost, would result in catastrophic fiscal loss, you’ll want to use an SBS 2008 method that will result in a reliable and simple backup method. And of course, rather than rely on some of the “tried-and-true” methods described in this chapter, you probably want it to be quick and easy!

As a best practice, once you’ve set up a Small Business Server, you can set up SBS to transfer your backup data to one drive and then another. You can do this in the Windows Backup schedule Wizard, although you can also do this by just physically disconnecting one drive and then connecting another. This makes sure that the most recent backup is on an external drive, and if it isn’t available for some reason, the other drive can usually be restored with minimal loss.

Performing Backup

To actually perform the backup, you will need to launch Windows Server Backup from the Start menu by typing backup. Through the wizard, you can set up a backup schedule, back up once, or recover from a backup. If you want to schedule a backup, you can select Action > Schedule Backup. This will open the Backup Schedule Wizard, where you can select Backup Configuration, the time it should be run, and the label of the disk. The wizard is fairly self-explanatory.

This method is really good in a small business if you need to suddenly back up a lot of data. You can launch it easily and just tell it to “back up” and be done — a very nifty feature.

After the Backup Is Complete

Once your backup is complete, the Windows Small Business Console’s Backup And Recovery section will change and show you a few new options:

Add Or Remove Backup Destinations: This will let you change what is backed up and where it’s backed up.

Add Or Remove Backup Items: You can remove backed-up data that you no longer require.

Change Backup Schedule: You can alter the schedule of your backup setup.

View Backup History: You can see when backups completed and what they backed up.

Backup Now: You can immediately run a backup job.

Pause Backup Schedule: This stops all backups until you click Resume.

Disable Backup: This undoes any configuration established for a backup that you configured.

Exchange/SQL Server Backup

In a large business, nearly all productivity will stop at the loss of an email infrastructure. At the small business level, it’s almost exactly the same. But at the small business level, we have a lot less room for error (and usually a lot less limited budget for it). Thus, it behooves us to know how to quickly back up and recover Exchange and SQL.

With Windows Small Business Server, Exchange is included in the backup default action. However, for the sake of completeness and because of its aforesaid importance in the small business environment, I prefer to use a more tried-and-true method to make sure all data is completely backed up. Specifically, I prefer to use a third-party backup software to move these files. As part of your backup strategy, you should plan on keeping your Exchange data on a shared folder in your network, preferably on a computer that’s known to be stable. When combined with the standard backup method, this will provide a nice redundant path.

Just in case you’re interested in earning extra credit on your “great administrator” scorecard, you can look up this article on TechNet:

http://technet.microsoft.com/en-us/library/ms191253.aspx

It details how to back up SQL Server 2008.

Noncritical Business Data Backup

This is a job for . . . external hard drives! Small businesses use external hard drives to back up noncritical business data. Additionally, if it’s available, you can take advantage of a spare internal hard drive or one that contains enough space for some data that is important but not important enough to stake the future of the company on. With a small business, this type of data can just be transferred from one place to another.

Keep in mind, when you’re backing up data by just dragging it from one place to another, a few issues may pop up. For instance, a user might be accessing the data from some location that may cause a critical fault as Windows attempts to drag the data from one location to another. This is why if you have to move data, you may consider using the NTBACKUP tool to avoid situations like this. NTBACKUP has the ability to select certain folders and move them to another location without involving Windows permissions. Windows itself will move the files.

Unsorted/Extra Files

The last rung on the totem pole of Small Business Server is any unsorted or extra files. This may include things such as users’ music files that are stored in a central location, downloads that have never been purged, and other files that aren’t really useful for doing business. With these files you have two choices:

◆ Back them up just like noncritical business data if the space is available.

◆ Disregard them.

You have to remember that, at least on the small business level, there are going to be a lot of occasions where you have data that is relatively unimportant to your business and can be easily purged. However, this doesn’t mean that all data in a small business is unimportant, just that a lot of data will most likely be able to be disregarded without the need for lost sleep at night when you have to do a disaster recovery implementation and realize that you may have not restored several gigabytes of files.

Restoring SBS 2008

After you’ve implemented an effective backup strategy, you can sleep well at night. You have a plan. The server is probably already backed up, and just in case anything should go wrong, you can restore it — right? Well . . . what happens when you have to do that?

Restoring SBS 2008 is never a fun process. There’s always part of you that asks, “Will the backup work?” And more important, there’s another part of you that says, “Well, I know I prepared for a backup. But do I really know how to do it?”

With Small Business Server, there are two different types of backups you need to know how to perform, simple file recovery and bare-bones recovery.

Simple File Recovery

First things first — simple file recovery. Truth be told, it’s simple enough. Simple file recovery is done just like simple file backup, either through NTBACKUP or Windows Explorer.

Windows NT Backup (NTBACKUP) allows you to take a backed-up BKF file created through the NTBACKUP tool and convert it back to standard files. This is easily accomplished through the GUI and a selection of Restore. Alternatively, if you’ve just dropped files from one place to another, you can use Windows Explorer to transfer the files from one location to another. You’ve probably done it a thousand times before — you just drag from one location to another.

Bare-Bones Recovery

If the worst has happened and you’ve lost all your data, you can always recover from the ground up in what I call a “bare-bones” recovery. This means you have no operating system left and no accessible hard drive. It’s not fun, but fear not — all is not lost.

To recover from a bare-bones situation, you will need to boot from the SBS 2008 disk and load into the SBS 2008 installation menu. Then, once at the screen you see in Figure 8.5, you’ll need to click the Repair Your Computer button at the bottom of the installation window.

Figure 8.5: Repair option

Once you click this, Windows SBS 2008 will scan your local hard drives to find whether any part of your installation still remains. And, unless you’ve totally and completely destroyed your installation, there will be something left there. Keep in mind, though, that there are a few occasions where everything really will be gone, and you’ll have to install from scratch.

Regardless, once you click Repair Your Computer, the screen in Figure 8.6 will appear. You can select the hard drive you want to restore, and then you can click Next. This will bring you up to the next, very important, screen that you see in Figure 8.7. Here you’ll see three options:

◆ Windows Complete PC Restore

◆ Windows Memory Diagnostic Tool

◆ Command Prompt

Figure 8.6

System RecoveryOptions

Page 242: Mastering Microsoft Windows Small Business Server 2008

214 CHAPTER 8 BACKING UP AND PERFORMING DISASTER RECOVERY

Figure 8.7

Choosing a recovery tool

Each of these options is important, but I bet you can guess which one we’re going to usein this case. The Windows Memory Diagnostic Tool is used to determine whether there is aproblem with either the CPU or the physical memory of the computer, and the commandprompt is used to run command-line utilities, such as chkdsk, that could be used to restoreyour computer. Therefore, at this screen, you’ll need to click Windows Complete PC Restore.After you’ve done this, you’ll see Figure 8.8 if all has gone well. This means that Windows SBS2008 sees the latest backup done by the SBS 2008 backup and restore utility.

Figure 8.8

Backup detection

Clicking Next will bring up what is, in my opinion, a really cool feature. In Figure 8.9, you’llsee only one SBS backup, but you can, in reality, click the Advanced button and choose fromany SBS backup that has been completed and still remembered by the disk. Say, for example,you wanted to do a complete system restore because of a virus that you got five days ago.Selecting the backup from five days ago, rather than the most recent, may be a lot safer. In anyevent, you can just select the one you’d like and then click Next.


Figure 8.9

Choosing a backup point

The screen in Figure 8.10 is really important because formatting and repartitioning with a bare-bones install is completely optional. You do not have to complete it! However, in my opinion, if you’re going to restore, you might as well format and repartition. So, go ahead and select the check box (or not if you’d rather not), and then click Next.

Figure 8.10

Format and Repartition Disks option

After clicking Next, you’ll be asked to confirm your installation, and then you may get a warning that you’re going to reformat the partition if you chose to do that. But in any event, once you’ve completed this process, the restoration will begin. And, boy, will it take a while. Don’t be alarmed if you see Figure 8.11 for a very, very long time. It’s normal, albeit a little tedious.


Figure 8.11

Restore progress bar

The Bottom Line

Understand RAID: RAID is used at the Small Business Server level to create a partitioned and redundant system in SBS 2008 that provides for backup in the case of a single or multiple hard drive failure. Through RAID, you can theoretically remove the need for any form of backup, but you do not remove backup methodologies because they’re necessary in the slight chance of an unrecoverable array failure.

Master It: Choose a RAID installation method with Small Business Server that will provide for six disks, with a complete mirror of the array and each side of the mirror containing a parity bit.

Recognize different backup media types: Various types of backup media exist in the modern workplace, and choosing the right one for your situation is often a tough decision. There are network file shares, tape backup, network attached storage, and external disks, just to name a few. The right one depends on the application being used and the right time to use it.

Master It: Choose a backup solution that is allowed to be degradable but is easy and cost effective to implement. Moreover, this backup solution has to be able to easily supply extra media, because of the need to have many different points of recovery, all for a low cost.

Implement a backup strategy: With SBS 2008, it’s easy and effective to create a backup strategy that not only works but is easily recoverable.

Master It: Create a minimum requirement backup installation with SBS 2008, and implement it. This backup solution should enable you to recover in the case of a corrupted hard drive or the loss of a drive in a system array.

Recover data: After you’ve set up a backup system, as in the previous “Master It,” you will need to know that the data can be recovered. All the backups in the world will do you no good if you don’t know how to take advantage of them in a small-business environment.

Master It: Use the Windows SBS 2008 installation disk utility to completely recover with a bare-bones installation.


Chapter 9

Remote Access, Security, and Adding Servers with SBS 2008

If you ask any given administrator when it is that they actually get to start having “fun” with their servers, they’ll say it’s when they finally start to get fancy with their deployment. And that’s what this chapter is entirely about. Once you’ve gotten an SBS 2008 server set up, installed, and running Group Policy, it’s time to start thinking about how you’re going to access that server — and whether you need to consider adding more servers to the environment to support all of your users and your infrastructure as a whole.

The reason I’m covering this now in the book is that all too often in small businesses this stuff is done after an entire deployment scenario has already been implemented — in other words, the small-business owner already has their server set up, policies in place, and user accounts made. That’s also when people stop and think, “Hmm, you know, I didn’t actually consider the fact that I need to support my remote users, my database users, and possibly my users from this other small business that I own.”

So, with that in mind, you should approach this entire chapter as if you’re working for a company (or own a company) that already has a full deployment established. In the chapter’s examples, it will be the familiar Intellicorp.

In this chapter, you will learn to

◆ Deploy a second server to your environment

◆ Set up Remote Web Workplace access

Reasons to Add a Server

Small businesses decide to add servers for one of two reasons. First, they add them because they need the extra processing power, and second, they add them because they need to host an entirely different domain from which their users can log in and log out. Keep in mind that an Active Directory infrastructure has certain physical limits regarding which users can log in and log out (as well as rules on where this can happen). One of these strict rules is that a box running Windows Server 2008 (any edition) can’t host more than one domain as a domain controller. This means that an SBS 2008 server can’t have users logging in to access system resources with user accounts like [email protected] and [email protected].


Users can pick one only. But with that said, administrators can easily fix this by adding a server and making that server its own domain controller, but I’ll get to that in a minute. For the moment, just keep in mind that SBS 2008 cannot, by default, accept user accounts for another domain.

And, just to make sure you don’t get confused, don’t forget that just because users can’t “log in” from a different domain account does not mean they cannot receive email from a different domain. Email domains are entirely different from Windows NT domains. Through Exchange Server (see Chapter 10, “Configuring Exchange Server 2007 for Small Business”), you can add an extra recipient domain to do this nicely.

But can you really add a server with SBS? Yes, you just need clustering.

What Is Clustering?

Dating back to almost the same era as that of the ENIAC and the first computer, the concept of clustering has existed throughout computer infrastructure history. Early computer scientists realized that sometimes one computer just wasn’t enough to get the job done and they were going to need more power to accomplish the job in front of them.

However, there is one problem with getting a more powerful computer to accomplish a task. It’s a lot more difficult to design a single computer to be more powerful than it is to simply take an existing design, manufacture several computers from that design, and then find an easy way to have them accomplish the same goal all at once.

In its simplest form, all clustering really comprises is the idea that you can have a set number of tasks that need to be accomplished, and these tasks can be divided among multiple computers in a cluster. For example, say you had an application that needed to count to “eleventybillion,” a fictitious but incredibly amusing number made up by the comedy lords of Saturday Night Live. Well, counting to eleventybillion is probably quite a task. So, you could divide that task into two portions: the first portion could count to half of eleventybillion, and the second portion could count from half of eleventybillion all the way to eleventybillion.

Assuming that each time a computer completes an iteration, it simply increments the integer it’s working on by one, eventually the two computers will accomplish the task of counting all the way up to this number — and making sure that every single number along the way has been accounted for in some fashion.

This may seem like a rather nonsensical exercise, but it proves a very important point. All tasks can, in some way, be broken down into smaller forms, and then these tasks can be divided among multiple computers and accomplished in a more granular format.

The person who actually invented the formal engineering (read: math!) of computing parallel processes (doing multiple processes along the same path at the same time) was Gene Amdahl. Gene worked for IBM in 1967 as an essential uber-genius who was able to mathematically quantify a law, now called Amdahl’s law, that broke down the parallelization of otherwise serial tasks. The only basis for his mathematics was the idea that clustering (parallelization) would need to be defined in a form where computers were connecting through interoperable links, or acting on their own through something called a commodity network.

Today, the links used to connect clusters vary. Some clusters use high-speed InfiniBand or other supercomputing links to connect computer nodes from one to another. But in the Windows world (and, therefore, most of the “real” world), we use the TCP/IP infrastructure to communicate. If you think about it naturally, what easier way could there be to communicate between two machines than by a protocol that was already developed purely to communicate between two machines in a low-overhead, fast, and effective manner? It’s quite logical when you break it down to brass tacks.


When you think about arranging clusters now in a modern Windows infrastructure, you probably think about the full-blown editions of Windows Server 2008. This is because Windows Small Business Server 2008 does not ship with the ability to take part in a cluster. However, SBS 2008 does have the ability to add a server to an existing server infrastructure. And although the collection of computers this forms may not fit the exact definition of a modern parallel cluster, it certainly fits the traditional definition of a “bunch of computers” participating in a single task. Your task, in this case, is the responsibility of maintaining multiple points of infrastructure through backup, multipoint failover, or other highly available system models.

Types of Clusters in the “Full” Windows Server 2008 Edition

I’m probably digging a bit too far into the clustering topic for a small-business environment. However, just for the sake of informing you how it really works, in the full-blown Windows Server 2008 infrastructure, there are two types of clusters:

◆ Network load balancing (NLB)

◆ Failover

Having an NLB cluster allows you to greatly enhance the ability of your server’s application platform, while making the front-end portion of it transparent to your end users. The simplest example is a web pool. In a web pool, multiple servers run Internet Information Services (IIS) and host websites. These sites can feed the same information to clients, who are consistently accessing these web pages from remote locations, but the trick is that Windows Server may not be letting two different users host the same server. It’s sort of like if you take two host servers and say, “OK, you two start hosting information,” and then tell a second service that runs on each machine to load-balance the incoming traffic between the two servers. This way, neither will be completely overloaded by the work.

In the “old days,” load balancing was used so much that large datacenters would actually buy NLB appliances that did nothing but track incoming packets and then feed them from one computer and then the next. Things were just so cool back in the 1990s. Anyway, adding a load-balanced cluster gives you a lot of benefits, including the following:

Improved availability: If one node goes down, the cluster doesn’t completely stop; one server just absorbs all the load.

IP scalability: You can divvy up the number of IP addresses and the way you use network performance pretty easily.

Now, you may wonder why I described all this stuff about the full edition of Windows Server. The reason is twofold. First, this information allows you to see the complete package that clustering can introduce to your infrastructure, and second, understanding what the full edition does enables you to comprehend the small-business edition better.

Now, with the next section, you really need to pay attention. That’s because that section — on failover — is something that you can sort of pseudo-implement with Small Business Server 2008.

The Concept of Failover

Somewhere around the third or fourth day of actual computer usage (you know, about the time that someone first flipped the “on” switch), a bunch of professionals in the industry realized that there needed to be a way to switch rapidly from one working system to another in the case of a failure. In the earliest of early days, this wasn’t possible because of the extreme costs associated with computers, not to mention the vast amount of space they would occupy in any given building.

Now, computer costs have gone down so drastically that a simple server can cost less than $1,000. And once room-sized machines shrunk down to the point that a single 1U server (a measurement used to indicate space used in a rackmount environment) could contain dozens of virtual servers, the effective computing-to-space ratio of these devices becomes drastically lower than anything we’ve ever experienced.

Accordingly, this means you can now afford to have full and completely reliable backup computers in place in the unlikely (or perhaps likely) event that your server experiences a failure. The name failover implies that as soon as a single server experiences a failure, a perfectly good and working copy of that server will come online and start operating in its place.

Failover is used in both large and small businesses to provide a method for the business to continue while administrative repairs are conducted on the machine that experienced the failure. The most classic example of failover with SBS is a backed-up machine that contains the exact data of the previous machine, through software such as Double-Take.

In a large business, you can set up a machine to completely take over in a cluster. But since that is beyond the scope of this book, suffice to say that failover clustering is something you can look into as an administrator if you find that the need arises in your organization.

Alternatives to Clustering with SBS

Although SBS cannot provide true clustering, with failover and automatic load balancing, it can provide benefits similar to those provided by clustering. For example, you can implement multiple servers to spread file access across more than one machine providing pseudo–load balancing. You can implement a second SBS server to act as a redundant domain controller, thereby providing fault tolerance. No, these solutions are not the same as a clustering solution in the full Microsoft servers. Yes, they do provide similar benefits.

So, what can you do with SBS 2008? That’s a great question. The answer is surprising to most administrators, because the answer is, actually, quite a lot!

With SBS you can do the following:

◆ Add member servers.

◆ Implement a second server in your SBS network.

◆ Use Hyper-V to virtualize extra servers.

Adding Member Servers

Member servers in Windows forests are servers that don’t serve any real “server” function as far as Microsoft is concerned but still run server hardware and a server operating system. These are some classic examples of why you might add a member server:

◆ For a customer third-party application

◆ To be a dedicated file server

◆ To be a dedicated printing server


These tasks aren’t exclusive to Windows, and server-level operating systems can’t help them become much more efficient. So long as you possess the appropriate licenses from Microsoft, you can add member servers to your heart’s content.

Reasons for Implementing a Second Server

The flagship feature of SBS 2008 Premium is that it supports the ability to add a second dedicated server to your existing SBS 2008 environment. For many administrators, this is a very valuable feature that allows you to greatly expand the usability of your network. There are many other reasons you’d probably want to add a second server:

Separation of duties: If you have some duties handled on one server and some handled on another, you don’t have to worry about everything stopping if one server goes down.

Adding a second domain controller: This allows you to expand your ability to easily log onto the Windows domain and access logon features, without overburdening your SBS server.

SQL Server: Running a dedicated SQL Server machine is always a good practice!

Applications: Some applications really need to have their own server, or else they can take a lot of memory and bog down the system with excess calls to the CPU or memory that could be used for server-grade threads and processes.

Effectively, as you can see, a second server is mostly used for application-based programs. Things like SQL Server, any application using LDAP, or other such methods will benefit greatly from being placed on their own server because they’re separated entirely from the costly overhead of Active Directory, resource management, SharePoint, and the other fun but costly programs associated with Small Business Server. I’ll discuss the actual process of adding a second server a little later in the chapter in the section “Adding member servers.”

Using a Second Server

StoopidCorp runs a poorly written application that takes a large amount of memory — sometimes up to 8GB. Because StoopidCorp is not run by effective admins, the company decided to place all its applications on one SBS 2008 server. Now, whenever the application is run for excessively long periods, the entire server shuts down because the system runs out of memory and causes all programs to have to run off excessive file paging.

Eventually, StoopidCorp got tired of dealing with the consistent slowdown and decided to hire SmartCorp, a consulting company, to fix the situation. SmartCorp’s solution was to create an extra server that ran SQL Server and the application alone. Now, the SQL Server instance and the application are the only thing running on that computer, and the app isn’t burdening the rest of the infrastructure. This way, users do not notice it when the machine runs slower or requires maintenance.

Additionally, because SmartCorp is full of smart people, SmartCorp decided that the best way to access the information available on StoopidCorp’s server was through LDAP. SmartCorp installed LDAP onto the server and pointed it toward the domain controller. Now, if the application requires authentication from users, the main domain controller will be queried but in a very efficient and noninvasive fashion.


Virtualizing Your Servers

Microsoft Windows Hyper-V is a hypervisor program that is available for all 64-bit editions of Windows Server 2008. Hyper-V is an extremely advanced virtualizer that allows multiple operating systems to be installed through the Microsoft platform. Using Hyper-V, you can virtualize the following:

◆ Windows Server 2008 R2

◆ Windows Server 2008

◆ Windows Server 2003

◆ Windows Server 2003 R2

◆ Windows Vista

◆ Windows 7

◆ Windows XP

◆ Linux (Red Hat)

◆ All of these in 64-bit editions too

There are, of course, many alternatives to Hyper-V. Some alternative companies are VMware and Citrix. The advantages of Hyper-V are that it is completely free with your SBS 2008 license and extremely easy to use. However, it does have some licensing limitations that you should be aware of. Most notably, you can only install operating systems that you have licensed in addition to your SBS 2008 server. So, in other words, you can’t just install Windows at whim and then instantly have a bunch of extra Windows Servers. Unfortunately, you do have to pay for them!

Adding a Second Server

The process of adding a server to your SBS 2008 environment may seem a little complicated, but like all aspects of SBS 2008, it’s not all that complicated once you understand it. First, you need to install the external server on a location separate from the SBS Server, or virtualized within it. And then, you need to join that server to the domain as a computer.

At this point, you can view the second server in the Windows SBS Console by clicking the Network tab and then clicking Computers. The second server is listed under Client Computers. At this point, all group policy settings are applied for the client computer, except for the Small Business Server Updates Services Client Group Policy Settings. If you’d like to apply those, you must manually move the second server to the original SBS server’s organizational unit to apply the appropriate GPOs.

This means that you need to drag the computer into the correct OU and make it a server:

1. On the server that is running Windows SBS 2008, click Start > Administrative Tools, and then click Active Directory Users And Computers.

2. At the User Account Control prompt, click Continue.

3. In the console tree, expand until you find your domain.

4. Expand MyBusiness, expand Computers, and then click SBSComputers.

5. Right-click the name of the server, and select Move.

6. Place the computer in SBS Server, and click OK.


Hyper-V and SBS

As mentioned, Microsoft Hyper-V is a hypervisor-based virtualization solution that is available for all 64-bit editions of Windows Server 2008. There are two Hyper-V products:

◆ A full version included with your SBS 2008 license used on top of Windows Server 2008 and Windows Server 2008 R2

◆ A free, stand-alone version called Microsoft Hyper-V Server

As I mentioned, SBS 2008 Premium gives you the ability to add a server. And therefore, you can use Hyper-V to add a “1+1 rights” server as a guest of the child member server. Typically, people use this for an implementation of SQL Server 2008. With SBS 2008 Standard, you can virtualize another Windows instance for domain replication, but technically not as a member server (although you should consult a Microsoft licensing expert or a lawyer to find out the exact limitations of your license).

Contrary to what you might think, Hyper-V Server is actually a slimmed-down version of the non-stand-alone version. Specifically, it is effectively a Server Core installation of Server 2008 with Hyper-V preloaded. Don’t get confused by this description, because the parent partition in Hyper-V Server 2008 still cannot run enhanced Microsoft services such as IIS or IAS server. Also, Hyper-V Server is different from the full version in that you do not get the GUI management tools on the server. Instead, you manage Hyper-V Server from the command line.

You will need to license each server you run as a virtual server on Hyper-V Server, but here’s the benefit: with a single hardware base, you can run several virtual machines. Ultimately, many small businesses can reduce their hardware costs by 40 to 70 percent. One company in central Ohio was able to implement two Hyper-V Server 2008 servers, each running three virtual Windows Server 2008 servers, instead of six physical servers. The hardware costs were reduced by more than $7,400. Additionally, power consumption was reduced by more than 60 percent. For installing the second server using Hyper-V technology, you can find information on the Microsoft TechNet website at http://technet.microsoft.com/en-us/library/dd239202(WS.10).aspx.

Domain Controllers and Their Roles

In Active Directory, a domain controller is any machine that has the domain controller role installed and can accept logon requests for a domain. With SBS 2008, you may want to do this to give the SBS server another server to assist in the burden caused by running a domain controller. This can be fairly easily accomplished.

Promoting a Domain Controller

1. Go to the Windows Start bar, type dcpromo, and then press Enter.

2. The binaries will install, and then the Active Directory Domain Services Installation Wizard opens.

3. Click Next.


4. On the Choose A Deployment Configuration page, select Existing Forest And Add A Domain Controller To An Existing Domain, and then click Next.

5. On the Network Credentials page, type the domain name, and then click Set to open the Windows Credentials dialog box.

6. In the Windows Credentials dialog box, type your credentials.

7. On the Select A Domain page, select the Active Directory domain, and then click Next.

8. On the Select A Site page, select the default site Default-First-Site-Name, and then click Next.

9. On the Additional Domain Controller Options page, make the following selections: DNS Server and Global Catalog.

10. On the Location For Database, Log Files, And SYSVOL page, if desired, choose a folder that’s easily memorable, and then click Next.

11. On the Directory Service Restore Mode Administrator Password page, set a password for the Directory Service Restore Mode administrator account, and then click Next.

12. On the Summary page, click Next.

13. On the completion page, click Finish.

14. Restart the server.

Introduction to Remote Access

When remote access first began to be introduced in the first editions of Windows Server, the concept was not hip, and not everybody knew what it was, much less how to accomplish it. Today, remote access has become the norm, rather than the exception. Using today’s technology infrastructure, even the smallest business can support a vast number of remote users from all over the world.

The overall design purpose of remote access is to allow all users from a remote location to access the resources they would normally be able to access in the workplace. Secured infrastructure-based resources, such as file shares, intranet web portals, secure networks, and other important pieces of the infrastructure often can’t be exposed to the outside world, because the exposure of that material could be potentially dangerous to the company and result in a loss of valuable data.

To implement this balancing act of weighing the security risk with the ultimate profitability of allowing users to be productive from home, the solution that is often reached is to use secure methods of data access, powered by encryption technologies designed to encapsulate the data from external access. Let’s talk about that concept for a moment: encryption.

Introduction to Encryption

Encryption has existed in some form or another for thousands of years, dating back to the time of ancient Egypt. Before computers, encryption was used to conceal important governmental, financial, or otherwise personal information from external sources. Basic encryption involves the use of a cipher, or algorithm, that translates plain text or verbiage from one form to another. And, unless you know that cipher, you’re unable to translate the information.

Encryption has become a hot topic in the security world for the past 20 years because of the double-edged sword it carries. On one hand, encryption can be used to support the encapsulation of data to secure it from potentially harmful sources. But on the other, encryption can be used to conceal nefarious activities. As an example, the criminal prison gang dubbed the Aryan Brotherhood achieved some level of fame for using an algorithm derived by the famous scientist and philosopher Francis Bacon. To the educated, but not necessarily cryptographically inclined, prison system, the activities of the gang could be communicated in what appeared to be useless babble.

Here is a classic example of Bacon’s cipher:

a AAAAA g AABBA n ABBAA t BAABA

b AAAAB h AABBB o ABBAB u-v BAABB

c AAABA i-j ABAAA p ABBBA w BABAA

d AAABB k ABAAB q ABBBB x BABAB

e AABAA l ABABA r BAAAA y BABBA

f AABAB m ABABB s BAAAB z BABBB

And here’s an example of some text you might see, using this cipher:

AAABBAAAAAAAABBAAABBBABBA

Reading this example, you’d have utterly no idea that someone was actually concealing a rather malicious message. If you had the cipher for the message, you’d see that it actually says this:

Daddy

Quite creepy, eh? Well, thankfully, we’re not hardened criminals. So, let’s take a look at some simple encryption that can be used with computers.
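The Bacon table above is simply each letter's position (with i/j and u/v sharing a slot) written as five binary digits, A for 0 and B for 1. The following added example, which is not from the book, encodes and decodes with that table and also goes one step beyond the text by carrying the A/B pattern in the letter case of an innocent-looking cover sentence. The function names and the cover sentence are assumptions made for the illustration.

```python
"""Bacon's cipher using the 24-symbol table from the text (added example)."""

# The table merges i/j and u/v, so only 24 of the 32 possible 5-symbol
# groups are used. Each code is the letter's index in binary, A=0 and B=1.
ALPHABET = "abcdefghiklmnopqrstuwxyz"
ENCODE = {
    letter: format(index, "05b").replace("0", "A").replace("1", "B")
    for index, letter in enumerate(ALPHABET)
}
ENCODE["j"] = ENCODE["i"]
ENCODE["v"] = ENCODE["u"]
DECODE = {ENCODE[letter]: letter for letter in ALPHABET}


def bacon_encode(plaintext):
    """Return the A/B string for the letters in plaintext; other characters are dropped."""
    return "".join(ENCODE[ch] for ch in plaintext.lower() if ch in ENCODE)


def bacon_decode(ciphertext):
    """Decode an A/B string. j comes back as i and v as u, because the table merges them."""
    symbols = [ch for ch in ciphertext.upper() if not ch.isspace()]
    if any(ch not in "AB" for ch in symbols):
        raise ValueError("ciphertext may contain only A and B")
    if len(symbols) % 5:
        raise ValueError("ciphertext length must be a multiple of 5")
    groups = ["".join(symbols[i:i + 5]) for i in range(0, len(symbols), 5)]
    try:
        return "".join(DECODE[group] for group in groups)
    except KeyError as exc:
        raise ValueError(f"group {exc.args[0]} is not in the table") from None


def hide(secret, cover):
    """Carry the A/B string in the letter case of cover: lower = A, upper = B."""
    bits = bacon_encode(secret)
    out, used = [], 0
    for ch in cover:
        if ch.isalpha() and used < len(bits):
            out.append(ch.upper() if bits[used] == "B" else ch.lower())
            used += 1
        else:
            out.append(ch)
    if used < len(bits):
        raise ValueError("cover text has too few letters")
    return "".join(out)


def reveal(stego, length):
    """Recover `length` letters from the case pattern produced by hide()."""
    bits = "".join("B" if ch.isupper() else "A" for ch in stego if ch.isalpha())
    return bacon_decode(bits[: length * 5])


# Constructed cover sentence, not taken from the book.
COVER = "the quarterly report is attached for review"

if __name__ == "__main__":
    print(bacon_encode("Daddy"))
    print(bacon_decode("AAABBAAAAAAAABBAAABBBABBA"))
    print(hide("daddy", COVER))
```

Because the table has only 24 entries, a round trip is lossy: a word containing j or v decodes with i or u in its place.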

Basic Ciphers and Encryption/Decryption

One of the simplest ciphers that has ever been written is a cipher called ROT13. In the early days of software design, a lot of people used ROT13 to store serial keys and other information they wanted hidden, because it was so simple that even the most novice computer users could understand it. Now, obviously, we’re not complete novices, but it serves as a good overview for people who may not be security gurus but would like to learn a little bit about it.

ROT13 is short for “rotate by 13 places.” And the cipher, as you can probably guess, works by rotating the numerical or letter-based key by 13 places for each character. Take a look at an example:

FuzzyKitties

FuzzyKitties has 12 characters: F, U, Z, Z, Y, K, I, T, T, I, E, S. If you were to encrypt these letters using ROT13, you would move each letter correspondingly 13 letters in the alphabet. If you reach the letter Z, you start over with A. So, as you begin with the letter F, you go 13 letters further in the alphabet:

G = 1

H = 2

I = 3

J = 4

K = 5

L = 6

M = 7

N = 8

O = 9

P = 10

Q = 11

R = 12

S = 13

Thus, an S would replace the first character in FuzzyKitties, making it SuzzyKitties. And, if you were to apply the encryption to the rest of the word, you would achieve the following encrypted word:

ShmmlXvggvrf

This, obviously, does not look anything at all like the word FuzzyKitties. The trouble is, for a computer, that word is very easily “cracked.” Or, that is, it’s very easy for a computer to figure out that cipher. Because, although I did that cipher by hand when writing this book, it took me about five minutes as my slow brain counted up all the letters (I could have been smart and used a tool on the Internet). A computer could do it in about a quarter of a millisecond. And thus, this means that the ROT13 encryption, although easy to learn and use, is ultimately useless for practical applications. Instead, you need to take advantage of more complex encryption systems that rely on very large mathematical algorithms using prime numbers.
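To make the point about how little work this is for a computer, here is an added example (not from the book) that implements ROT13 as a rotation and then recovers a message rotated by any amount by trying all 26 rotations and keeping the one that contains the most common English words. The function names, the word list and the sample sentence are assumptions made for the illustration.

```python
"""ROT13 and exhaustive search over all alphabet rotations (added example)."""
import re
import string

LOWER, UPPER = string.ascii_lowercase, string.ascii_uppercase

# Small constructed word list used only to recognise English output.
COMMON_WORDS = {"the", "and", "for", "not", "you",
                "that", "with", "this", "from", "have"}


def rotate(text, shift):
    """Rotate ASCII letters by `shift` places, wrapping Z to A and keeping case."""
    shift %= 26
    table = str.maketrans(
        LOWER + UPPER,
        LOWER[shift:] + LOWER[:shift] + UPPER[shift:] + UPPER[:shift],
    )
    return text.translate(table)


def rot13(text):
    """ROT13 has no key: the same call both encrypts and decrypts."""
    return rotate(text, 13)


def english_score(text):
    """Count the words in text that appear in COMMON_WORDS."""
    return sum(word in COMMON_WORDS for word in re.findall(r"[a-z]+", text.lower()))


def crack_rotation(ciphertext):
    """Try all 26 rotations; return (shift, plaintext, score) for the best one."""
    candidates = [(shift, rotate(ciphertext, shift)) for shift in range(26)]
    shift, plaintext = max(candidates, key=lambda c: english_score(c[1]))
    return shift, plaintext, english_score(plaintext)


# Constructed sample sentence, not taken from the book.
SAMPLE = "The license key for this server is stored with the backup"

if __name__ == "__main__":
    print(rot13("FuzzyKitties"))
    print(rot13(rot13("FuzzyKitties")))          # applying it twice undoes it
    print(crack_rotation(rot13(SAMPLE)))         # rotation 13 recovered
    print(crack_rotation(rotate(SAMPLE, 5)))     # any other rotation falls the same way
```

The search space is 26 candidates no matter how long the message is, which is why a rotation cipher hides nothing from anyone who bothers to look.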

Common Encryptions

The following are some of the modern encryptions used today.

PGP

Pretty Good Privacy (PGP) is an encryption method that uses a combination of hashing, compression, and symmetric keys to encrypt data. It is widely viewed as a very effective means of encryption.

AES

Advanced Encryption Standard (AES) is an encryption method commonly used by the U.S. government. AES comes in three standards: AES-128, AES-192, and AES-256. AES is an adaptation of the encryption originally developed by Rijndael. As of 2009, AES is the most popular algorithm used in the IT world today.


TKIP

Temporal Key Integrity Protocol (TKIP) is a security protocol that isn’t necessarily used withaccess but is instead used with IEEE 802.11 for wireless access. Normally, it’s used with WPA.

DES

Data Encryption Standard (DES) is a standardized encryption algorithm developed in 1976.DES is also referred to as Data Encryption Algorithm (DEA). The DES algorithm finds its rootsin Horst Feistel’s Lucifer cipher. DES is a block cipher, which means it works on a fixed blockof plain text and then converts it into cipher text. The block size of DES is 64 bits. The key usedin the algorithm is of 64 bits, but 8 of those bits are used for parity purposes; thus, the effectivekey length becomes 56 bits. The basic structure of the algorithm is the Feistel structure, whichinvolves swapping, permutations, and XOR operations done over multiple rounds to increasesecurity.

DES is not considered secure anymore. Because of an increase in processing power and a decrease in hardware costs, it is now possible to implement a successful brute-force attack on DES. The primary reason for this is the key size (56 bits), which is relatively short compared to modern standards.

Triple DES

Triple DES is a high-security block cipher derived from DES. It was developed by Walter Tuchman at IBM and was first published in 1978. Like DES, the block size here is 64 bits, and it is based upon the Feistel structure, but its key size is 168 bits, which happens to be equal to three 56-bit keys used in DES. The three steps used in implementing Triple DES are DES encryption, followed by a DES decryption, followed by a DES encryption again.
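As an added illustration of the DES and Triple DES key sizes described above (not code from the book), this Python example shows where the 8 parity bits sit in a 64-bit DES key, why two keys that differ only in those bits are the same 56-bit key, and how the 168-bit figure follows. The function names are this example's own, and the search rate in the demo is an assumed value.

```python
DES_KEY_BYTES = 8  # a DES key is stored as 64 bits


def require_des_key(key: bytes) -> None:
    """Reject anything that is not a 64-bit DES key."""
    if len(key) != DES_KEY_BYTES:
        raise ValueError("a DES key is exactly 8 bytes (64 bits)")


def has_odd_parity(key: bytes) -> bool:
    """True if every byte of the key carries an odd number of 1 bits."""
    require_des_key(key)
    return all(bin(b).count("1") % 2 == 1 for b in key)


def set_odd_parity(key: bytes) -> bytes:
    """Rewrite the lowest bit of each byte so the byte has odd parity."""
    require_des_key(key)
    fixed = bytearray()
    for b in key:
        upper = b & 0xFE                    # the 7 bits the cipher uses
        ones = bin(upper).count("1")
        fixed.append(upper | (0 if ones % 2 else 1))
    return bytes(fixed)


def effective_key(key: bytes) -> int:
    """Drop the 8 parity bits and return the 56-bit value that remains."""
    require_des_key(key)
    value = 0
    for b in key:
        value = (value << 7) | (b >> 1)
    return value


def triple_des_key_bits(independent_keys: int = 3) -> int:
    """Key length of Triple DES built from independent 56-bit DES keys."""
    return 56 * independent_keys


def worst_case_search_days(key_bits: int, keys_per_second: float) -> float:
    """Days needed to try every key of the given length at a fixed rate."""
    return (2 ** key_bits) / keys_per_second / 86400


if __name__ == "__main__":
    with_parity = bytes.fromhex("0123456789ABCDEF")     # constructed sample key
    without_parity = bytes.fromhex("0022446688AACCEE")  # same key, parity bits cleared
    print("same 56-bit key:",
          effective_key(with_parity) == effective_key(without_parity))
    rate = 1e12  # assumed keys per second, chosen only for illustration
    print("DES worst case, days:", round(worst_case_search_days(56, rate), 2))
    print("Triple DES key bits:", triple_des_key_bits())
```
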

IDEA

International Data Encryption Algorithm (IDEA) was developed by Xuejia Lai and James L. Massey in 1991. It was originally named Improved Proposed Encryption Standard (IPES) because it was meant as a replacement for DES. IDEA is also a block cipher like DES. Its block size is also 64 bits, but the key size here is 128 bits. The algorithm has been used in PGP 2.0 and is also an option in OpenPGP.

Blowfish

Blowfish is a symmetric block cipher designed in 1993. It was designed by Bruce Schneier as a replacement for DES. The developer has also stated that the algorithm will always remain free for use by anyone. The underlying structure of the algorithm is the Feistel structure, and it divides the plain text into 64-bit blocks. The unique thing about the algorithm is that it has a variable key size ranging from 32 to 448 bits.

RC5

RC5 is a block symmetric key cipher designed in 1994 by Ron Rivest (of RSA Labs). The block size in RC5 varies. It can be 32, 64, or 128 bits. The key itself is of variable size and can range up to 2,040 bits. This algorithm is also based upon the Feistel structure and has 12 rounds to make cryptanalysis difficult. RC6, one of the candidates of the AES challenge, was based upon RC5.

Asymmetric and Symmetric Encryption

Completing the short discussion of encryption as a preamble for the discussion of remote workplace access, I’ll now cover the difference between asymmetric and symmetric encryption.

Symmetric

Symmetric encryption is a simple form of encryption in which a secret code or key is shared between two different sources. The cipher is known by the sender as well as the recipient. And, using this cipher, the two parties can each look at their respective data and decode it using that cipher. It’s by far the oldest method of encryption and is a little insecure. This is because if a third party knows the key, that person can decrypt the data easily.

Asymmetric

The more secure form of encryption is asymmetric. This form of encryption uses a public key and a private key to encrypt and decrypt the message. The public key is available to all users, while the private key is known only to certain users. The public key is used to encrypt, but it can be decrypted only by a private key. Figure 9.1 illustrates how the system works.

Figure 9.1: Private key encryption (diagram labels: Public Key Encrypts, Public Key Decrypts, “Hello, I am a message!”)

Methods of Access

With Small Business Server, remote workers can use three methods to gain access to information stored on a remote server. These methods are a virtual private network, Remote Desktop Protocol, and the Remote Web Workplace.

◆ A VPN is the most common method of access, and it involves the placement of a computer within a virtual network created by either a server or a hardware device. Through a virtual network, a computer can act like it’s on the local area network through security mechanisms that are discussed in the next section, “VPNs.”

◆ Remote Desktop Protocol (RDP) involves the access of your desktop over a TCP connection. Through a simple Internet connection, you can view the contents of a server or workstation without being physically present at the workstation. This is covered in the “Using Remote Desktop Protocol” section.

◆ The last method of access is called Remote Web Workplace (RWW). In the “Introducing Remote Web Workplace” and “Using Remote Web Workplace” sections, I’ll discuss this method and its uses within SBS 2008 and Essential Business Server 2008. Effectively, for this short summary, Remote Web Workplace is a web-based consolidation of all the aspects of remote access in one area.

VPNs

A virtual private network is a logical extension to a physical network that is conducted over a wide area network link via TCP. In simple terms, all a VPN really does is simulate a person’s network location over a secure connection, no matter where they physically are.

Commonly, virtual private networks are used by companies to give employees the ability to access secure information from home or from remote locations. Using a VPN, to the server, is just like being directly connected across a local area network.

College campuses often use VPNs. For example, both the University of Texas and Texas Tech use multiple virtual private networks for their students and for the faculty who want to access the resources they keep inside their network. This is because it doesn’t make a lot of sense for just “anyone” on the Internet to have access to campus supercomputing resources or campus file servers containing information such as student records, student resources, and the like.

Figure 9.2 shows a sample virtual private network that would work in almost any size business, large or small. The diagram shows local area network resources and additional clients connected through the Internet via WAN links. Here, the personal data assistants, laptops, and other computers can access the resources contained behind the firewall.

Types of VPNs

With Small Business Server 2008, the typical virtual private network looks very much the same as what you see in Figure 9.2 from a topological standpoint. Machines that exist outside the network will be able to access resources from inside the network across WAN links. The only difference is that with most small-business networks, the firewall or a dedicated SSL client normally doesn’t exist. Instead, the burden of authenticating the remote clients is laid at the feet of Small Business Server. To further explain, virtual private networks typically come in two forms: hardware based and software based.

Hardware-Based VPNs

With a hardware-based VPN, the authentication to a VPN via Secure Sockets Layer or some other form of encryption is executed by a dedicated hardware device, such as a WatchGuard firewall or a Cisco ASA device. These devices carry their own operating system (of sorts) and hardware dedicated to authenticating clients and remotely connecting them through some form of encryption.

The advantage of hardware firewalls is that they are typically more secure and additionally relieve the burden of authentication from a server. The disadvantages of hardware firewalls are that they are expensive, require more setup, and can be somewhat more complicated to install on a small-business level, because you have to make sure that the hardware firewall can connect to all the small-business resources, which are typically controlled almost completely by one server (or at a maximum two servers).

Figure 9.2: Virtual private network (diagram labels: Microsoft Windows, Apple Macintosh, Microsoft Handheld PC, Microsoft Pocket PC, and Palm OS clients; L2TP VPN; VPN-1 Pro; Clientless VPN via SSL; IPsec VPN; Internet; LAN (Trusted Network))

Additionally, most hardware firewalls come with their own VPN software. As a case in point, WatchGuard firewalls come with a special (and extremely secure) type of encryption called SSL remote authentication. Instead of using typical authentication, WatchGuard firewalls use a very complex certificate-based private key encryption that authenticates to the WatchGuard server and then allows external clients to connect.

Many small businesses choose to implement a hardware firewall because of their need for enhanced security. Small businesses that may need this include law firms, banks, and financial institutions with sensitive data. However, the implementation of this is separate from SBS 2008, because SBS 2008 doesn’t actually communicate with a hardware firewall (although there are a few exceptions, such as firewalls that use LDAP to access Active Directory information); thus, you do not have the burden of setting a hardware firewall up.

The lowest possible level of firewall you can attain is actually a simple router, such as a Linksys or D-Link router. You can pick one of these up at your local Best Buy or other major retail outlet. However, the tricky part is that you usually won’t see the word firewall anywhere on the device. And the reason for that is that a firewall is technically, well, just a router! Any router running Network Address Translation is technically a firewall because it blocks packets from being forwarded onto devices without specific entries into the NAT table to forward a packet from one server to another. The only real downsides to consumer-grade products are that they are slow, they don’t support a lot of features when compared to business-grade products, and some administrators think that they provide less security than a high-level firewall, which is fundamentally untrue. If you think a consumer firewall will do the job, pick one up!

Software-Based VPNs

A software-based VPN implementation is where SBS 2008 comes into play. Using SBS, you can use an external authentication method over Active Directory that takes advantage of SBS’s internal ability to create a VPN connection and authenticate it using its own certificates, credentials, and security information. When budget is a concern (or you just want to get the job done quickly and easily), this is the option you will choose. And since I’m dealing with small businesses (read: frugal businesses), I’ll cover how to set up a small-business VPN with software firewalls.

When a VPN Is Really, Really Needed

A small social network- and commerce-based company I consulted with once was developing a high-end application that was designed to take advantage of the plethora of information available via the Internet by allowing prices to be compared using its application. To develop it, the company sought to lower costs by consulting with programmers from India, who would work for dramatically lower rates than United States–based programmers, who often wanted wages in excess of $90,000 a year.

Accordingly, the company needed to set up a system in which the programmers could access the local resources from the opposite end of the earth. And thus, the company decided to create a test network for the programmers that could accept VPN connections from the programmers. These programmers, using their own credentials, could log in to the server, work locally, and then choose to move the data securely from one location to another without compromising any security standards whatsoever!

Setting Up a VPN

And now, the fun part: setting up the VPN! Just as a warning: port 1723 needs to be open on your firewall (both Windows Server and hardware) to allow clients into your VPN in order to authenticate. Once you’ve done that, the steps to set up the VPN are straightforward:

1. Launch Windows SBS Console.

2. Select the Network tab.

3. Select the Connectivity tab.

4. In the main section, you will see the list of statuses.

5. In the right pane, under Tasks, select Configure A Virtual Private Network. This will launch the Setup Virtual Private Networking Wizard.

6. Select “Allow Users To Connect To The Server By Using A VPN,” and then click Next.

7. The system will configure virtual private networking on the server and configure your router as well. Note that your firewall or router must have PnP configuration enabled for SBS to configure it.

8. The Setup Virtual Private Networking Wizard will now start and attempt to configure your router/firewall.

If the wizard completes successfully, a confirmation is displayed. If not, it will display a warning error, at which point you’d need to make sure that the firewall/router was properly configured. Note that if there are any issues or failures in configuring the VPN or the firewall/router, details on the failures will be linked in the screen that pops up.

9. Once complete, you’ll need to enable the proper users and groups to utilize the VPN by adding them to the “Remote users” group in SBS 2008, as discussed in the next section.

As you can probably tell, the Wizard has done a whole lot of actions here. It has enabled the VPN, created a packet filter through PPTP, configured DHCP, and even set up remote access.

Enabling Groups to Use the VPN

Once you’ve managed to set up the VPN using the SBS console, you’ll need to step into the world of Active Directory and configure your VPN. Because software VPNs are inherently a slight security risk (because you are, after all, opening a port on your firewall), Windows locks down the security mechanism used by the VPN by requiring it to authenticate to Active Directory. Thus, you need to make sure that Active Directory is ready to accept your clients. You can do this by following these steps:

1. Launch the SBS console.

2. Select Users And Groups, and then select the Users tab.

3. Select the user you wish to allow access rights to the VPN.

4. Open the Properties dialog box for the user, select Remote Access, and then click OK.

Once you’ve completed these steps, your users will now be able to authenticate via the Windows SBS VPN. All in all, like most things in SBS, the process is pretty painless!

Connecting to the VPN

Once you’ve set up your firewall and established your VPN setup connection for your clients to connect, you should be able to connect your clients to the server via VPN. SBS 2008 supports many different clients, including other server operating systems and Windows operating systems. Only legacy operating systems (such as Windows 95) will have difficulty connecting to SBS 2008 networking protocols; they may in fact work, but I haven’t tested that.

On the client side, connecting to a VPN setup is fairly easy, but I’ll talk you through it via a sample Windows XP client. On a Windows XP workstation located in a remote location, complete the following steps:

1. Navigate to Control Panel.

2. Double-click Network Connections.

3. Click Create A New Connection in the top left.

4. Click Next at the Welcome To The New Connection Wizard screen.

5. Select the Connect To The Network At My Workplace radio button.

6. Select the Virtual Private Network Connection radio button.

7. Click Next.

8. Enter the name of your company (this is actually the name of the VPN connection, but the name of the company is generally a good convention).

9. Click Next.

10. Enter the WAN IP of your SBS 2008 server that has the firewall set to allow VPN connections.

11. Click Next.

12. Select My Use Only, and click Next.

13. Click Finish. The network will now show up in your network connections area. To connect to it, double-click it.

14. Enter your username and password on the SBS 2008 domain, and click Connect. The client will establish and then slowly connect.

When you connect, several things occur:

◆ A DHCP address is assigned to be used by the SBS 2008 server (or other hardware device running DHCP).

◆ A remote gateway is established to route the traffic on the external WAN through the VPN. This allows you to navigate to the Internet as if you were connected locally.

What’s interesting about connecting via VPN to an SBS 2008 server is that the SBS DHCP service is designed to disable when another DHCP server device is detected on the network. This is a handy feature in some ways, because it prevents different DHCP servers from contesting agents attached to subnets within their scope. But it can be a little frustrating if you’ve added a client and the DHCP server isn’t running on your server, because the hardware device may not recognize it. Because of this, I strongly recommend enabling the DHCP server on SBS 2008 instead of your hardware device. When SBS 2008 is properly configured, the process of remoting into an SBS 2008 VPN is simple and completely transparent to the end user. If you don’t do this, you have to basically do all the DHCP, tunneling, and other connections yourself through external hardware and software, which is quite a pain.

If you’ve set up everything properly on your network, your IPconfig output should look similar to this on your client side:

PPP adapter Intellicorp:

   Connection-specific DNS Suffix  . :
   Description . . . . . . . . . . . : Intellicorp
   Physical Address. . . . . . . . . :
   DHCP Enabled. . . . . . . . . . . : No
   Autoconfiguration Enabled . . . . : Yes
   IPv4 Address. . . . . . . . . . . : 192.168.16.129(Preferred)
   Subnet Mask . . . . . . . . . . . : 255.255.255.255
   Default Gateway . . . . . . . . . : 0.0.0.0
   DNS Servers . . . . . . . . . . . : 192.168.16.1
   NetBIOS over Tcpip. . . . . . . . : Enabled

Ethernet adapter Local Area Connection:

   Connection-specific DNS Suffix  . : Intellicorp
   Description . . . . . . . . . . . : NVIDIA nForce Networking Controller
   Physical Address. . . . . . . . . : 00-22-15-A1-CA-E9
   DHCP Enabled. . . . . . . . . . . : Yes
   Autoconfiguration Enabled . . . . : Yes
   IPv4 Address. . . . . . . . . . . : 192.168.0.197(Preferred)
   Subnet Mask . . . . . . . . . . . : 255.255.255.0
   Lease Obtained. . . . . . . . . . : Monday, November 16, 2009 9:21:57 PM
   Lease Expires . . . . . . . . . . : Thursday, November 19, 2009 9:21:55 AM
   Default Gateway . . . . . . . . . : 192.168.0.1
   DHCP Server . . . . . . . . . . . : 192.168.0.1
   DNS Servers . . . . . . . . . . . : 192.168.0.175
                                       192.168.0.1
   NetBIOS over Tcpip. . . . . . . . : Enabled

NOTE Note that there are two IP addresses now, instead of just one. This is because you have a dedicated IP address on your network card and on the virtual network.
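The following added example (not from the book) parses ipconfig output like the sample above, confirms the two-address state the note describes, and flags the case where the client's local subnet overlaps the office subnet, which prevents traffic from reaching the tunnel. The /24 prefix assumed for the office network and all function names are this example's own; the sample text is the chapter's output, abridged and re-typed.

```python
import ipaddress
import re

# Constructed input: the chapter's sample output, abridged, one field per line.
SAMPLE = """\
PPP adapter Intellicorp:

   Connection-specific DNS Suffix  . :
   Description . . . . . . . . . . . : Intellicorp
   DHCP Enabled. . . . . . . . . . . : No
   IPv4 Address. . . . . . . . . . . : 192.168.16.129(Preferred)
   Subnet Mask . . . . . . . . . . . : 255.255.255.255
   Default Gateway . . . . . . . . . : 0.0.0.0
   DNS Servers . . . . . . . . . . . : 192.168.16.1

Ethernet adapter Local Area Connection:

   Connection-specific DNS Suffix  . : Intellicorp
   Physical Address. . . . . . . . . : 00-22-15-A1-CA-E9
   DHCP Enabled. . . . . . . . . . . : Yes
   IPv4 Address. . . . . . . . . . . : 192.168.0.197(Preferred)
   Subnet Mask . . . . . . . . . . . : 255.255.255.0
   Lease Obtained. . . . . . . . . . : Monday, November 16, 2009 9:21:57 PM
   Default Gateway . . . . . . . . . : 192.168.0.1
   DNS Servers . . . . . . . . . . . : 192.168.0.175
                                       192.168.0.1
"""

# Label, dotted leader, first colon, then the value (which may contain colons).
FIELD = re.compile(r"^\s+(?P<label>[^:]+?)[\s.]*:\s*(?P<value>.*)$")


def is_ip(text):
    """True if text is a bare IPv4/IPv6 address (a continuation line)."""
    try:
        ipaddress.ip_address(text.split("%")[0])
        return True
    except ValueError:
        return False


def parse_ipconfig(text):
    """Return {adapter name: {field label: [values]}}."""
    adapters, current, last = {}, None, None
    for raw in text.splitlines():
        line = raw.rstrip()
        if not line.strip():
            continue
        if not line[0].isspace():           # unindented: adapter header or banner
            current = adapters.setdefault(line[:-1], {}) if line.endswith(":") else None
            last = None
            continue
        if current is None:
            continue
        stripped = line.strip()
        if last is not None and is_ip(stripped):
            current[last].append(stripped)  # e.g. a second DNS server
            continue
        match = FIELD.match(line)
        if match:
            last = match.group("label")
            value = match.group("value").strip()
            current[last] = [value] if value else []
    return adapters


def ipv4_of(fields):
    """Build an IPv4Interface from the adapter's address and mask, if present."""
    addr, mask = fields.get("IPv4 Address"), fields.get("Subnet Mask")
    if not addr or not mask:
        return None
    return ipaddress.IPv4Interface(f"{addr[0].split('(')[0]}/{mask[0]}")


def check_vpn_client(adapters, remote_prefix=24):
    """Summarise the tunnel state; remote_prefix is an assumed office prefix."""
    vpn = lan = None
    for name, fields in adapters.items():
        iface = ipv4_of(fields)
        if iface is None:
            continue
        if name.startswith("PPP adapter"):
            vpn = vpn or (name, iface, fields)
        else:
            lan = lan or iface
    if vpn is None:
        return {"connected": False}
    remote = ipaddress.ip_network(f"{vpn[1].ip}/{remote_prefix}", strict=False)
    return {
        "connected": True,
        "vpn_adapter": vpn[0],
        "vpn_address": str(vpn[1].ip),
        "vpn_dns": vpn[2].get("DNS Servers", []),
        "remote_network": str(remote),
        "lan_network": str(lan.network) if lan else None,
        "overlap": bool(lan and lan.network.overlaps(remote)),
    }


if __name__ == "__main__":
    print(check_vpn_client(parse_ipconfig(SAMPLE)))
```
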

Using Remote Desktop Protocol

Remote Desktop Protocol is simultaneously the easiest way to access a remote machine and any decent administrator’s best friend. RDP is a TCP protocol that uses port 3389 to transport a user’s desktop from the physical computer across a network connection to another location. While using Remote Desktop, the physical desktop of the remote machine appears within a contained window of the desktop where the user is executing the program.

Remote Desktop has been installed by default on all versions of Windows since Windows 2000. It’s relatively easy to use, and you can connect to the server relatively easily.

To access your server via Remote Desktop, you need to navigate on the SBS server to Start, right-click Computer, and go to Properties. From there you can select Advanced System Settings. Of course, if you’re an advanced user, you can always do the really complicated thing — type Advanced System Settings in the Start bar. Isn’t Windows cool?

In Figure 9.3, you can see the System Properties dialog box. On the Remote tab, you’ll have three options:

Don’t Allow Connections To The Computer: This will not allow any computer to connect to the SBS server.

Allow Connections From Computers Running Any Version Of Remote Desktop (Less Secure): This will allow just about any version of Remote Desktop to connect to the computer. It’s “less” secure technically but secure enough for government work — literally. The only disadvantage is that you can’t use the encryption methods of higher versions of Remote Desktop.

Allow Connections Only From Computers Running Remote Desktop With Network Level Authentication (More Secure): This allows a connection to the server using a secure network-level authentication method. This is the most secure method, but only a few versions of Windows support this.

Figure 9.3: System Properties dialog box

Connecting to a Remote Desktop

This exercise will show you a simple example of connecting with Remote Desktop.

To connect via Remote Desktop, you will need to type Remote Desktop in Vista or Windows 7. This will bring up the screen shown here. Afterward, you can type the name of the server if you are on your local network or the IP address or FQDN of the server.

This will open the authentication screen. Once you’ve authenticated, you will see the remote desktop you would normally see otherwise, as shown here. You can work within it as normal.

Introducing the Remote Web Workplace

One of the new features implemented on Windows Small Business Server 2008 and Essential Business Server 2008 is the Remote Web Workplace. This feature comes by default with Small Business Server because it’s designed to alleviate a lot of the pain associated with accessing central information from locations a great distance away. Using the Remote Web Workplace, users can access integrated features of the server, including the following:

◆ SharePoint

◆ Outlook Web Access

◆ Server desktops

◆ Client desktops

Prerequisites

To use the Remote Web Workplace, you need several prerequisites, most (but not all) of which are fairly common and set up by default. The prerequisites come in two forms: network and Active Directory.

Network Requirements

◆ To access the Remote Web Workplace, you must forward the following ports: 80, 443, 987, and 3389.

◆ The browser must support and accept cookies.

Active Directory Requirements

◆ Users must be members of the Web Workplace Users group, or they must be Domain Admins.
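Because this chapter asks you to open port 1723 for the VPN and to forward ports 80, 443, 987, and 3389 for the Remote Web Workplace, it helps to confirm from outside the network that only the ports for the features you actually enabled answer. The following added example (not from the book) reconciles the two; the feature labels, function names, and the host name in the demo are assumptions of this example.

```python
import socket

# TCP ports this chapter says to open, grouped by feature.
# The feature labels ("vpn", "rww") are names chosen for this example.
CHAPTER_PORTS = {
    "vpn": (1723,),                # PPTP control connection
    "rww": (80, 443, 987, 3389),   # Remote Web Workplace prerequisites
}


def tcp_open(host, port, timeout=2.0):
    """Return True if a TCP connection to host:port succeeds."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def audit_exposure(host, enabled, port_map=CHAPTER_PORTS, probe=tcp_open):
    """Compare reachable ports with the ports the enabled features need.

    Returns {port: status}, where status is one of:
      "ok"          needed and reachable
      "missing"     needed but not reachable (forwarding rule absent)
      "unexpected"  reachable although no enabled feature needs it
      "closed"      not needed and not reachable
    """
    unknown = set(enabled) - set(port_map)
    if unknown:
        raise ValueError(f"unknown feature(s): {sorted(unknown)}")
    wanted = {p for feature in enabled for p in port_map[feature]}
    known = {p for ports in port_map.values() for p in ports}
    findings = {}
    for port in sorted(known):
        reachable = probe(host, port)
        if port in wanted:
            findings[port] = "ok" if reachable else "missing"
        else:
            findings[port] = "unexpected" if reachable else "closed"
    return findings


def problems(findings):
    """Return only the entries that need attention, sorted by port."""
    return sorted((port, status) for port, status in findings.items()
                  if status in ("missing", "unexpected"))


if __name__ == "__main__":
    # Constructed observation so the demo runs offline: pretend 1723 and 3389
    # answer. Against your own server, drop the probe argument to use tcp_open.
    observed_open = {1723, 3389}
    result = audit_exposure("sbs.example.test", ["vpn"],
                            probe=lambda host, port: port in observed_open)
    for port, status in problems(result):
        print(f"port {port}: {status}")
```

PPTP also carries its data over GRE (IP protocol 47), which a TCP connect check cannot see, so an "ok" on 1723 confirms only the control connection.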

Assigning Users

Just like other aspects of access I’ll cover in this chapter, to access Small Business Server, you need to assign users to the appropriate group. In this case, it’s the Remote Web Workplace users. To do this, you can either use the SBS console or the Active Directory Users and Computers snap-in. Users may have to log in and log out to access these features.

Assign Users Access to Remote Web Workplace

To add users to the group associated with the Remote Web Workplace, you can follow these steps:

1. Open the Windows SBS Console.

2. On the navigation bar, click Shared Folders And Web Sites.

3. Right-click Remote Web Workplace, and then click Manage Permissions.

4. Click Modify.

5. In Users And Groups, select the user or group to whom you want to grant access.

6. Click OK.

Setting Up Access

Setting up access for the Remote Web Workplace is relatively easy. First you have to enable the Remote Web Workplace, and then you have to navigate to it.

How to Enable Remote Web Workplace

You can enable Remote Web Workplace by following these steps:

1. Open the Windows SBS Console.

2. On the navigation bar, click Shared Folders And Web Sites.

3. Click the Web Sites tab.

4. Right-click Remote Web Workplace, and then do one of the following:

◆ To enable the Remote Web Workplace so that users can remotely access network features, click Enable This Site.

◆ To prevent users from accessing the Remote Web Workplace, click Disable This Site.

Accessing Remote Web Workplace

To complete the setup of the Remote Web Workplace, you need to make sure that port 80 on your router points toward the SBS server and that the Remote Web Workplace pool in IIS is functional. Once you’ve confirmed this, you will need to access the Remote Web Workplace through this URL:

https://<yourdomain/serverIP>/remote

This will open the Remote Web Workplace login, as you can see in Figure 9.4.

Figure 9.4: Intellicorp login

From there, you can access the Remote Web Workplace and all its features.

Should you want to change the port through which SBS 2008 accesses it, you can change it by doing the following:

1. In the registry, navigate to HKLM/Software/Microsoft/Small Business Server/RemoteUserPort.

2. Change the port value from 4125 to 4150.

Customize the Appearance of Remote Web Workplace

Small Business Server 2008 allows you to customize the appearance of the Remote Web Workplace. If you’d like to do this, follow these steps:

1. Open the Windows SBS Console.

2. Click Shared Folders And Web Sites at the top.

3. Right-click Remote Web Workplace, and then click View Site Properties.

4. Click the Customization tab.

5. Do any of the following:

◆ To record the name of your organization, type the name in the Organization Name text box.

◆ To choose a custom background image, select an image in the list, and then click OK.

◆ To display your organization’s logo on the Remote Web Workplace home page, click Choose in the Home page dialog box, select an image in the list, and then click OK.

◆ Click Apply.

Enable or Disable the Remote Web Workplace Links List

The Remote Web Workplace allows you to create a centralized link list. You can add this from the console by following these instructions:

1. Open the Windows SBS Console.

2. On the navigation bar, click Shared Folders And Web Sites.

3. Right-click Remote Web Workplace, and then click View Site Properties. The Remote Web Workplace Properties page appears.

4. Click Home Page Links, and then click Manage Links. The Remote Web Workplace Links List Properties page appears.

5. If it is not selected already, select the Enable The Remote Web Workplace Links List check box.

In the Link sections, follow these steps:

1. Select the check box for each list section that you want to appear on the Remote Web Workplace home page.

2. Clear the check box for each list section that you do not want to appear on the Remote Web Workplace home page.

3. Click OK.

Using the Remote Web Workplace

Now that you’ve set up the Remote Web Workplace and configured it how you’d like, you can start using it! Once you’ve accessed the Remote Web Workplace site, enter the username and credentials for an administrator account. Once you enter your credentials, you’ll be greeted with the Remote Web Workplace main screen. From here, you can access all your server’s services, as well as services relevant to your user account. You can see the main login in Figure 9.5.

Figure 9.5: Remote Web Workplace main login

In Figure 9.5, you can clearly see two buttons, one for checking email and one for accessing the internal website. If the user account you were logging into had a computer assigned to it, you would be able to access the computers via Remote Desktop with another button labeled Connect To Computer.

So, the three buttons, in summary, do the following:

Check Email: Opens Outlook web access with single sign-on authentication

Internal Web Site: Opens the company website

Connect To Computer: Starts the terminal services gateway server

Terminal Services Gateway

I think I’ve probably used the phrase “one of the most powerful features of SBS 2008” at least 100 times, so I’ll spare you the use of that expression. Instead, I will say that my single favorite feature in SBS 2008 is that it integrates features from Windows Server 2008 into your small business that otherwise aren’t used by any but the largest organizations. This feature is the terminal services gateway.

Remote Desktop Protocol actually takes advantage of the terminal services components of Windows Server 2008. A terminal service is just a service that enables you to remotely access portions of the computer from another computer (the terminal) and view them as if they were on your own desktop. An example of a terminal services connection is Remote Desktop. Through your remote computer, you can access a computer from far away as if it were right in front of you.

On the large, corporate level, terminal services gateways are used to connect to different computers running terminal services from a far distance. For example, you could use a terminal services gateway to serve as a focal point to access your whole organization. Instead of having to remember 100 different server names and IP addresses, you can instead just connect to the terminal services gateway and then choose the computer that you need to access.

With SBS 2008, this feature is implemented in the Remote Web Workplace. Using the Remote Web Workplace, you can click the Connect To Computer button and access any computer within your small business that you assign access to.

The Remote Web Workplace Gadget

When you connect a Windows Vista or Windows 7 computer to an SBS 2008 computer, SBS 2008 will install a nifty gadget into the desktop by default. This is the SBS 2008 Remote Web Workplace Gadget. This gadget, shown in Figure 9.6, allows you to access areas of the Remote Web Workplace with just a simple click. One touch, and you’re at Outlook Web Access or connecting to a computer.

Figure 9.6: SBS 2008 Remote Web Workplace Gadget for Vista/Windows 7

Additionally, as you can see from the figure, there is an administrator-only section of the gadget that will connect you to SBS 2008’s administrator area for Small Business Server.

Customizing Remote Web Workplace

From within the SBS console, you can select Shared Folders And Web Sites and then select Remote Web Workplace by double-clicking it on the Web Sites tab. This will bring up what you see in Figure 9.7, which gives you several options to choose from:

◆ General

◆ Permissions

◆ Home Page Links

◆ Customization

◆ Advanced Settings

In particular, under Home Page Links, you’re presented with a lot of options, as you can see in Figure 9.8. Here, you can decide whether you want the following links to appear:

◆ Check E-Mail (whether or not OWA opens)

◆ Connect To Computer (Remote Desktop Access)

◆ Internal Website (which is a SharePoint Services website)

◆ Change Password (which is useful if you’re remote)

◆ Connect To Server

◆ Help

◆ Remote Web Workplace Link List

Figure 9.7: Remote Web Workplace Properties dialog box

Figure 9.8: Remote Web Workplace home page links

The Bottom Line

Deploy a second server to your environment: A second server in your environment allows you to offset common tasks, such as adding SQL Server to a dedicated environment.

Master It: Set up a second server to offset a dedicated application from your SBS 2008 server.

Set up Remote Web Workplace access: Remote access, in all its forms, is a critical part of your infrastructure. Through it, you can enable your employees to access the system resources from a distance. The Microsoft-recommended method is to set up the Remote Web Workplace, a website that consolidates all the remote components of Windows access.

Master It: Set up the Remote Web Workplace, and add a computer to the access pool that you can access via the Remote Web Workplace site.

Set up a VPN connection: Virtual private networks allow you to connect to your SBS server through a secure channel that allows you to communicate with your network resources as if they were locally available. Using a VPN allows you to be safe, secure, and efficient. You should know how to enable this for your users.

Master It: Set up a simple PPP VPN network connection and nest one of your security groups (e.g., the Sales security group) inside the remote access users. Attempt to connect.


Chapter 10

Configuring Exchange Server 2007 for Small Business

Microsoft has included with Small Business Server (SBS) 2008 what many consider to be its flagship product: Microsoft Exchange Server 2007. The version that is included with SBS 2008 is called Microsoft Exchange 2007 for Small Business. It is a lighter-weight but still extraordinarily powerful messaging system that — like its bigger brother, the full-blown edition of Exchange Server 2007 — provides a messaging system for your environment that sends email, filters spam, allows the creation and propagation of contacts, and integrates directly into Active Directory to provide an elegant email solution for your environment that uses preexisting accounts to send and receive email to/from external or internal locations.

Microsoft Exchange Server is a messaging service that takes advantage of the Simple Mail Transfer Protocol (SMTP) to send messages back and forth across the Internet and within intranets. A properly functioning Exchange Server can process millions of emails and other message types per day, as well as keep track of calendars, tasks, and other critical office roles that are used by every business on a day-to-day basis.

Of all the Microsoft products, Exchange Server is considered by many to be the most complicated and most troublesome to maintain. This is because Exchange Server has many different components, and each of these components needs to be functioning properly in order to send, receive, and store email within your small business.

In this chapter, you will learn to

◆ Understand the components of Exchange Server

◆ Understand Exchange Server roles

Limitations of Exchange Server for Small Business

According to Microsoft, “Essentially there are no limits to the Exchange Server 2007 Standard Edition database size. By default, Exchange 2007 SP1 sets a limit of 250GB that can be changed if needed.” It’s also important to note that you can have up to five storage groups with a maximum of one database per group, meaning that you can have up to five databases. And in normal small-business operations, this is more than enough. In fact, most standard small-business Exchange installations use two at the most. This is because in a standard SBS 2008 installation, two storage groups (two databases) are used by default. As with all aspects of computing, the exact speed and performance of your database depends upon your central processing unit, the amount of memory, the disk I/O, and a number of other components.

SMTP

To understand how Exchange works, you need to learn how Exchange factors into SMTP and the roles that make Exchange work. First I’ll talk about SMTP. SMTP is an Internet standard that is used to send email across IP networks. Originally, SMTP was defined in RFC 821 and was used in conjunction with the Post Office Protocol (POP) or the Internet Message Access Protocol (IMAP). Later in this chapter, I will discuss both of these protocols in much more detail. For now, I’ll just say that SMTP is a text-based protocol that transmits over a TCP connection. It’s initiated by a series of four processes:

Opening: During this phase, the email message is opened and verified to be placed into the proper SMTP format.

Operating parameters exchanged: The SMTP message is opened and analyzed, and its parameters are exchanged with a server.

Recipients specified: The location of the recipient of the email is verified, usually through a DNS query for a mail exchanger (MX) record.

Transferred: The message is transferred via an email-relay server.

In almost all implementations, SMTP uses TCP port 25 to make a connection. Usually, this means that offices have an inbound policy and an outbound policy on port 25 to their Exchange Server. At the small-business level, this means you should add an exception to your firewall that allows traffic into and out of port 25 so that mail can flow properly. If mail is set up properly, SMTP will allow mail to be transported between two mailboxes.

On some occasions, SMTP will not even have to use an external port, because mail is often transferred within the same domain. As an example, consider the following line-by-line example of the communication between a client in the intellicorp.com domain and the SMTP server in the intellicorp.com domain:

Server: 220 smtp.intellicorp.com ESMTP Postfix
Client: HELO smtp.intellicorp.com
Server: 250 Hello relay.intellicorp.com, I am glad to meet you
Client: MAIL FROM:<[email protected]>
Server: 250 Ok
Client: RCPT TO:<[email protected]>
Server: 250 Ok
Client: RCPT TO:<[email protected]>
Server: 250 Ok
Client: DATA
Server: 354 End data with <CR><LF>.<CR><LF>
Client: From: "Steve Johnson" <[email protected]>
Client: To: Tom Carpenter <[email protected]>
Client: Cc: [email protected]
Client: Date: Mon, 21 July 2009 12:00:00 -0500
Client: Subject: Mastering Small Business Server SMTP example
Client:
Client: Hello Tom,
Client: This is a test message I am sending for all the people that are reading this book and loving it!
Client: Thanks,
Client: Steve
Client: .
Server: 250 Ok: queued as 12345
Client: QUIT
Server: 221 Bye
{Close Connection}

In this line-by-line example, a server receives a request from a client identifying itself as [email protected] via the relay.intellicorp.com relay agent. (Once we get into relay agents, transport roles, and so forth, later in the chapter, this will begin to make a bit more sense. But for now, try to follow along line by line.) In this example, an email message is requested to be sent to Tom Carpenter at the address [email protected]. The client then transmits all the data. This includes the To field, Cc field, date, subject, and body. Once the client sends all the data, the server then tells the client, “OK, I’ve queued the message to send out. Goodbye.”

And this, in a nutshell, is how SMTP works. It sends email through relays, which get sent to servers, which queue the message to be sent. When you boil it down to those few steps, it’s fairly simple. At the small-business level, you sometimes run into problems with SMTP because it is too simple. Let me explain what I mean with a real-life example.

Say you’re a small-business owner for intellicorp.com. You rent a small facility in the middle of Arkansas, and you have five employees who you know and trust. You and your five employees spend most of your day creating quotes and sending proposals to prospective clients in the hope that you can generate business. And since you use Microsoft Exchange, when you email these messages, Exchange sends them through SMTP to your recipients.

As you’ve seen, the process is fairly simple. But what may very well happen is that you might receive a message from an email provider that says something like this:

The IP you’re using to send mail is not authorized 550-5.7.1
to send email directly to our servers. Please use the SMTP 550-5.7.1
relay at your service provider instead. Learn more at 550 5.7.1

In other words, you receive an error that looks rather unfriendly and reads a lot like stereo instructions. Situations like this happen at the small-business level because SMTP is so simple that spammers often use it to send out mass emails from numerous IP addresses. Think about it. Say you’re a major email provider such as Google, Yahoo!, or MSN. You send and receive billions of emails through thousands of servers. What would happen if you allowed anyone to send emails to your servers? You’d probably quintuple the amount of emails you send.
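A rejection like the one quoted above becomes readable once the reply is split into its parts: the three-digit reply code, the "-" that marks a continuation line, and the enhanced status code. The following Python parser is an added example, not code from the book; the sample reply is constructed from the wording quoted above and laid out in wire format, and the function names are illustrative.

```python
import re

# RFC 5321 reply line: 3-digit code, then "-" (more lines follow) or " " (last line).
REPLY_LINE = re.compile(r"^(\d{3})(?:([ -])(.*))?$")
# RFC 3463 enhanced status code (class.subject.detail) at the start of the text.
ENHANCED = re.compile(r"^([245])\.(\d{1,3})\.(\d{1,3})(?= |$)")

OUTCOME = {"2": "accepted", "3": "intermediate", "4": "transient", "5": "permanent"}
SUBJECT = {
    "0": "other or undefined", "1": "addressing", "2": "mailbox",
    "3": "mail system", "4": "network or routing", "5": "mail delivery protocol",
    "6": "message content", "7": "security or policy",
}

# Constructed sample: the rejection text quoted above, as it would arrive on the wire.
SAMPLE_BOUNCE = (
    "550-5.7.1 The IP you're using to send mail is not authorized\r\n"
    "550-5.7.1 to send email directly to our servers. Please use the SMTP\r\n"
    "550 5.7.1 relay at your service provider instead.\r\n"
)


def parse_reply(raw):
    """Parse one SMTP reply (single or multi-line) into code, enhanced code and text."""
    lines = [line for line in raw.splitlines() if line.strip()]
    if not lines:
        raise ValueError("empty reply")
    code, enhanced, text = None, None, []
    for index, line in enumerate(lines):
        match = REPLY_LINE.match(line)
        if not match:
            raise ValueError("not an SMTP reply line: %r" % line)
        line_code = match.group(1)
        separator = match.group(2) or " "   # a bare "250" counts as a final line
        rest = match.group(3) or ""
        if code is None:
            code = line_code
        elif line_code != code:
            raise ValueError("reply code changes inside one reply")
        is_last = index == len(lines) - 1
        if (separator == " ") != is_last:
            raise ValueError("continuation marker does not match line position")
        status = ENHANCED.match(rest)
        if status:
            enhanced = enhanced or status.group(0)
            rest = rest[status.end():]
        if rest.strip():
            text.append(rest.strip())
    return {"code": int(code), "enhanced": enhanced, "text": " ".join(text)}


def classify(reply):
    """Turn a parsed reply into what an administrator needs to know."""
    first = str(reply["code"])[0]
    result = {
        "outcome": OUTCOME.get(first, "unknown"),
        "retry": first == "4",      # only transient failures are worth re-queuing
        "subject": None,
        "consistent": True,
    }
    if reply["enhanced"]:
        klass, subject, _detail = reply["enhanced"].split(".")
        result["subject"] = SUBJECT.get(subject, "unassigned")
        # The enhanced class has to agree with the first digit of the reply code.
        result["consistent"] = klass == first
    return result


if __name__ == "__main__":
    parsed = parse_reply(SAMPLE_BOUNCE)
    print(parsed)
    print(classify(parsed))
```

For the sample, the result is a permanent failure in the security-or-policy subject, so retrying the same message from the same address will not help.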

With the ease of deploying an SMTP server through something like Exchange or Linux, large email providers have gotten to the point that they usually require any server running SMTP to use reverse DNS. Reverse DNS is a method used by IPv4 and IPv6 to map an Internet address to a known domain. Say, for example, the IP address for my SMTP server is 10.0.0.1 on my LAN but 34.96.230.111 on the Internet. If I knew my WAN address was 34.96.230.111 on the Internet, I would have to register this IP address with my Internet service provider, which would make a notation in its tables that this IP address is a known IP address for the intellicorp.com mail server. And thus, the major clients like Gmail and MSN would know that I’m not just some spammer who set up an SMTP server to send email ad nauseam but that I am instead a legitimate business.
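The reverse DNS test described above can be run by an administrator against their own outbound address before a provider does it for them. This Python check is an added example, not code from the book: it looks up the PTR name for the address, resolves that name forward again, and compares the result. The DNS records are constructed, the helper and verdict names are illustrative, and requiring the name to fall under the sender's own domain is an assumption.

```python
import ipaddress
import socket


def ptr_name(ip):
    """Name queried for a reverse lookup, e.g. 111.230.96.34.in-addr.arpa."""
    return ipaddress.ip_address(ip).reverse_pointer


def system_ptr(ip):
    """PTR lookup through the OS resolver; [] when the address has no PTR."""
    try:
        host, aliases, _addresses = socket.gethostbyaddr(ip)
    except OSError:
        return []
    return [host] + list(aliases)


def system_forward(name):
    """A/AAAA lookup through the OS resolver; [] when the name does not resolve."""
    try:
        infos = socket.getaddrinfo(name, None)
    except OSError:
        return []
    return sorted({info[4][0] for info in infos})


def table_resolver(records):
    """Build (ptr_lookup, forward_lookup) over a dict of constructed records."""
    def ptr_lookup(ip):
        return records.get(ptr_name(ip), [])

    def forward_lookup(name):
        return records.get(name.rstrip(".").lower(), [])

    return ptr_lookup, forward_lookup


def check_fcrdns(ip, mail_domain, ptr_lookup=system_ptr, forward_lookup=system_forward):
    """Forward-confirmed reverse DNS: ip -> PTR name -> address must lead back to ip."""
    addr = ipaddress.ip_address(ip)
    if not addr.is_global:
        return "not-public"            # LAN addresses never have a public PTR
    names = [name.rstrip(".").lower() for name in ptr_lookup(ip)]
    if not names:
        return "no-ptr"                # nothing registered for this address
    confirmed = []
    for name in names:
        for candidate in forward_lookup(name):
            try:
                if ipaddress.ip_address(candidate) == addr:
                    confirmed.append(name)
                    break
            except ValueError:
                continue               # resolver returned something unparsable
    if not confirmed:
        return "forward-mismatch"      # PTR exists but the name points elsewhere
    domain = mail_domain.rstrip(".").lower()
    if any(name == domain or name.endswith("." + domain) for name in confirmed):
        return "pass"
    return "other-domain"              # e.g. the provider's generic pool name


PUBLIC_IP = "34.96.230.111"   # WAN address used in the text
LAN_IP = "10.0.0.1"           # LAN address used in the text
PTR = ptr_name(PUBLIC_IP)

# Constructed DNS data for four situations an administrator can be in.
SCENARIOS = {
    "registered": {PTR: ["smtp.intellicorp.com."],
                   "smtp.intellicorp.com": [PUBLIC_IP]},
    "unregistered": {},
    "isp-default": {PTR: ["111-230-96-34.dynamic.isp.example."],
                    "111-230-96-34.dynamic.isp.example": [PUBLIC_IP]},
    "stale-a-record": {PTR: ["smtp.intellicorp.com."],
                       "smtp.intellicorp.com": ["34.96.230.112"]},
}


def run_scenarios():
    """Evaluate every constructed scenario for the public address."""
    results = {}
    for label, records in SCENARIOS.items():
        ptr_lookup, forward_lookup = table_resolver(records)
        results[label] = check_fcrdns(PUBLIC_IP, "intellicorp.com",
                                      ptr_lookup, forward_lookup)
    return results


if __name__ == "__main__":
    for label, verdict in run_scenarios().items():
        print("%-15s %s" % (label, verdict))
```

Called without the two lookup arguments, `check_fcrdns` uses the operating system's resolver, so the same function can be pointed at a live address.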

This small problem with SMTP is a very minute example of what can go wrong with an Exchange Server setup. It can be rather complicated. Today, so much email is sent out containing viruses and spam that businesses have to be especially careful. Otherwise, they can either inadvertently list themselves as a spammer or stop receiving email altogether.

Now that you understand how SMTP works, you can dive into the actual roles that Exchange plays. In the following discussion, I’ll refer to each role’s general function, as well as its functions in both Small Business Server 2008 and in a full-blown Exchange Server environment, because the two are so closely related.

The five roles of Exchange Server 2007 are Hub Transport, Mailbox, Client Access, Unified Messaging, and Edge Transport. I’ll discuss each of these now.

The Hub Transport Server Role

The first role I’ll discuss is the Hub Transport server role because this role is required in every single installation of Exchange Server 2007 and plays one of the most critical roles in the environment. Within Exchange Server, the Hub Transport role is responsible for mail flow, categorization, routing, and the delivery of email messages. In effect, you can think of the Hub Transport role in much the same way as its name implies. It serves as a hub, because all messages are sent through it, and it is a transport, because it categorizes, routes, and delivers the email associated with it.

The Hub Transport server role also contains two monitoring agents that you need to be familiar with to understand how the Hub Transport server processes mail flow. These two agents are the Transport Rules agent and the Journaling agent.

Mail Flow

Before a message is sent inside or outside an organization, it passes through the Hub Transport server role and is routed to the right place. In effect, this means that if the Hub Transport server role is broken, your users will not be able to send or receive email at all — and that is really bad. This serves as a good troubleshooting point for your organization. If you’re experiencing problems with your mail flow, chances are that the issues lie within your Hub Transport server. This is sometimes hard to detect at the small-business level. Small Business Server will not suddenly send out a screaming error message if mail flow stops. Instead, you have to troubleshoot the problem as it occurs.

On the other end of the mail flow spectrum, when a message is received by Exchange Server, the Hub Transport server role is called on to analyze the message and categorize it.

Categorization

Categorization in mail flow refers to the process of performing recipient resolution, routing resolution, and content conversion on all messages that are sent through Exchange Server. The portion of the Hub Transport server that does this operation is called the categorizer. The categorizer determines what to do with a message based on its recipients.

For example, say an email is received for the [email protected] address, which points to a distribution list that includes all the users of the domain. The categorizer would query the full information of the recipients and use it to apply policies, route the message, convert the content to a format that can be understood by Exchange Server, and place the email in the appropriate mailboxes. As you might imagine, the categorizer can start to get a little busy. For example, if your Exchange Server receives all emails to a distribution list that contains 50 people, this means it has to perform 50 actions for each email sent. And if you receive a couple thousand emails a day to that list, it adds up to a pretty good amount of work.

Some of this work is alleviated by the fact that the Hub Transport server is attached to an Exchange Server store that is attached to a mailbox. This means that, most of the time, Exchange can receive a message sent to a distribution list and then place the message into the recipient’s mailbox store. Or, if it needs to, it can use SMTP to send messages to another transport server that contains the store of the user. This leads to a process in email called routing.

Routing

Routing with email is not the same as routing with IP packets. IP packets in IPv4 and IPv6 are passed through a series of routers that use various routing protocols to pass the packets around to their ultimate destination. With email, messages are routed, but through different Hub Transport servers and relays to reach their ultimate destinations. The Hub Transport server looks at the message, determines where it should go, and places it in an outbound queue to be delivered to the specified location. This applies whether an email is being sent internally or externally. This means that if any of your clients in a small business send an email, they’ll technically talk to their Outlook client, which is connected to their Exchange Server, which will talk to the Hub Transport role, which will queue the message to be sent. At the end of the day, all that matters is that they’re sent, period. Delivery, however, is a bit more of an involved process.

Delivery

The final purpose of the Hub Transport server role is the delivery of email within your Active Directory forest. Within your small business, your clients will be connected to your Exchange Server through an Outlook client. This Outlook client will have two important boxes:

◆ Inbox

◆ Outbox

The inbox will connect to the recipient’s mailbox store on your Exchange Server. The outbox will be picked up by the store driver on the Exchange Server and put into the submission queue by the Hub Transport server. The Hub Transport server will also apply any transport rules, journaling policies, or communication with an Edge Transport server (although you would not have one of these in a small-business environment). Since you won’t have an Edge Transport server, the Hub Transport server will relay Internet messages directly. Additionally, the Hub Transport server will provide antispam and antivirus protection for an organization, though not as effectively as a full-blown program such as Ninja Blade or Barracuda.

The choice of whether to implement a hardware mail filter is a tough one, and it depends a lot on the kind of work that your company is doing and how exposed the company is to spam. The amount of spam you receive and how that spam is filtered is based partially on how large your organization is and partially on how easily spammers can “see it.” The latter is much more important. As a case in point, a law firm will usually receive 20 to 200 times as much spam per employee as a carpentry store. This is because lawyers’ email addresses are exposed in numerous areas, including on websites, in newsletters, and, in the case of cheesy personal injury lawyers, on the sides of buses. This means that the address is more exposed and thus receives a lot more bulk mail.


You will know it’s time to implement a hardware filter either when you simply receive too much spam for your hub transport or software-based filter to block or when the amount of email you’re receiving is bogging down Exchange Server.

Moving on, messages within an organization are sent in one of three ways:

◆ SMTP

◆ The store driver connected to Exchange Server

◆ The Pickup directory

I’ve already discussed how SMTP works, as well as the store driver that contains the Exchange Server store, which contains mailboxes. The Pickup directory is used in Microsoft environments to test mail flow. Using the Pickup directory, you can use the Set-TransportServer cmdlet (pronounced “commandlet” — a feature that users can take advantage of with PowerShell) to make several configuration changes, including the following:

◆ Enabling/disabling the Pickup directory

◆ Specifying the location of the Pickup directory

◆ Placing a cap on the maximum header size

◆ Specifying a maximum number of recipients accepted by the Pickup directory

◆ Specifying a maximum file processing rate

Transport Rules Agent

This agent runs on the Hub Transport server and allows you to set rules, conditions, and actions for your hub transport. This lets you specify users, distribution lists, and specific connectors that define what happens if a predefined setting occurs. For example, if you set up the Transport Rules agent to use a specific SMTP relay to send to the [email protected] address, you could set a transport rule to offset the burden of sending email to [email protected] to that relay agent, instead of your server.

Journaling Agent

The Journaling agent provides your organization with the ability to record email messages sent to or received by your organization. With the new government regulations in place for email that is sent or received across various networks, journaling has become much more common. I discuss the Journaling agent in more detail later in this chapter, and I cover how to set up journaling in the next chapter.

The Mailbox Server Role

Within any Exchange network, servers that contain the Mailbox server role are responsible for holding the user mailboxes in your environment, which contain mail, public folders, calendar dates, and tasks related to your users in Active Directory. In addition, the Mailbox server contains the offline address book. The Mailbox server communicates directly with Active Directory on many levels. Specifically, the Mailbox server role communicates with the following:

◆ The Hub Transport server

◆ Active Directory


◆ The Client Access server

◆ The Unified Messaging server

◆ Outlook (on the client side only)

Don’t be alarmed that I haven’t yet covered these topics. Chances are that you’ve used Outlook before. But, just in case you’re not familiar with it, Outlook is a client-side email program that is used to send and receive email. Small Business Server comes with a license for Outlook that enables you to install it on your client machines to receive email. You can learn more about Outlook by visiting Microsoft.com or just by installing it on your own machine. It doesn’t require Exchange Server — you can use it with almost any email provider.

I’ll discuss the servers mentioned in the previous list later in this chapter. How the Client Access and Unified Message servers fit into the Mailbox server is important, but I won’t go over their roles in the organization until you’re good and ready and, more importantly, after I’ve explained everything about the Mailbox server.

Just like any part of Exchange Server, the Mailbox server integrates with Active Directory directly. This comes in really handy with Small Business Server, because whenever you create a user account, a mailbox is automatically created in your Mailbox server for that user. This means that for every account you have in your business, the Mailbox server is already prepared to receive, alter, and delete email for the account.

What’s interesting about having Exchange roles in SBS 2008 all on one server is that the Exchange Server roles still communicate to each other as if they were separate entities. Surprisingly, they still communicate using the protocols that they would use if they were installed in different locations on the network. However, the Mailbox server almost always uses the Messaging Application Programming Interface (MAPI) to communicate.

MAPI

MAPI is a messaging architecture and component object model API that enables messaging. Exchange Server 2007 uses MAPI in combination with Remote Procedure Call (RPC) to establish connections between Exchange Server and Microsoft Outlook. Technically, MAPI completely controls the messaging system on a client computer. When coupled with Exchange Server, MAPI forms a proprietary connection that almost instantly processes mail back and forth between client and server. Technically, using MAPI, a Mailbox server processes mail and communicates with the rest of your Exchange Server architecture by doing the following:

1. MAPI queries Active Directory.

2. The Mailbox server transfers the outbox message from the Mailbox server to the Hub Transport server.

3. The Client Access server sends a request to the Mailbox server and returns data from the Mailbox server to clients.

4. The Unified Messaging server retrieves the information for the client.

At the small-business level, the Mailbox server is the portion of the Exchange Server architecture that you use to store all of your emails and the actual data associated with your messaging infrastructure. If you ever find that you’re having issues with actual email data or with retrieving said data from points in your environment, you can look toward the Exchange Server mailbox store to troubleshoot these issues. However, for access issues, you might look toward the next point in the infrastructure — the Client Access server role.


The Client Access Server Role

Now a required feature in the Exchange Server infrastructure, the Client Access server role is designed to allow your Exchange Server to be highly accessible by multiple clients through various connection methods, including the following:

◆ Outlook Web Access

◆ Exchange ActiveSync

◆ POP3/IMAP4

By default, whenever you install SBS 2008 and include Exchange Server, Exchange Server 2007 for Small Business will automatically provide your user accounts with Outlook Web Access, the ability to hook up mobile devices through ActiveSync, and alternative connection methods like POP3 and IMAP. I’ll first go over POP3 and IMAP4, and then I’ll talk a little bit about Outlook Web Access and Exchange ActiveSync.

POP3

POP3 stands for Post Office Protocol version 3, and it is an application layer protocol to retrieve email via the Internet. Using POP3, clients can query a server for new email, which will be retrieved but not sent via the TCP/IP protocol. An advantage of POP3 is that it has been around for a long time; a disadvantage is that, by default, POP3 will completely remove email that it has accessed before by deleting it, or it will skip it and most likely never download it again.

At the small-business level, you may use POP3 for clients that do not support Exchange MAPI protocols natively. This includes Linux or Unix machines that do not “speak Microsoft” with complete fluency. In case you have to support them, you can enable POP3 access to email and provide them with a known method to access their messages.

IMAP4

One of those acronyms that never seems to be written out, IMAP stands for Internet Message Access Protocol. It is the second of the two email access protocols frequently used by system and network administrators. IMAP is a more complicated, and generally more advantageous, method of email access that allows multiple users to be connected to the same web email account at the same time.

In most multiplatform environments, the administrator will choose to enable IMAP instead of POP3, because it’s a little more powerful and has a lot of advantages, such as server-side searches and the “copy” email function. However, since this chapter is mostly about Exchange Server and not alternative protocols, I will conclude this discussion of it to simply say that IMAP is a nice alternative for clients that either do not support Outlook or would like to use an alternative email access client.

Outlook Web Access

In my humble opinion, Outlook Web Access (OWA), which is one of the major components of the Client Access server, is basically the neatest thing since sliced bread. Included with Small Business Server 2008, Outlook Web Access allows your clients to gain direct access to their mailbox store via a web application that looks, acts, and feels just like Outlook through the Web.


Accessed through the HTTPS protocol, Outlook Web Access is a graphically enabled web portal through which users in your organization can access their email when not on a familiar computer. Using their standard credentials that are issued through Active Directory, a user can log in through the Outlook Web Access program and feel just like they’re on their home computer.

One advantage of the newest version of Outlook Web Access with Small Business Server 2008 is its integration with Microsoft Windows SharePoint Services and universal naming convention (UNC) shares. Furthermore, OWA has been slimmed down enough to where it is extremely fast — so fast, in fact, that it can load on mobile devices at almost-instant speeds. And if that isn’t enough, mobile devices can use ActiveSync.

ActiveSync

Simply put, ActiveSync is the syncing technology that allows mobile devices to connect to desktop computers and retrieve information from their mailbox stores. This includes email, contacts, calendar information, and tasks. ActiveSync needs to be installed on the mobile device and the client syncing the device. By default, Group Policy will allow devices to sync, but you can turn this feature off.

Standardization

With client access, many different users can access the server in many different ways. Thus, it’s important to pick a standard that all your users can use throughout different points of your organization. For instance, internally, you could have all clients only use Outlook with MAPI. This allows you to make sure that no clients are using a less common email retrieval format such as POP3 that will delete their inbox. This way, if you have any trouble with mail flow, you should be able to troubleshoot it a lot easier, because you’ll know what your clients are using to access their email.

The Unified Messaging Server Role

The last major portion of the Exchange infrastructure is the Unified Messaging server role. This portion of Exchange allows your Small Business Server to be integrated with the following:

◆ Voice over IP (VoIP): Making phone calls or using voice communication over the Internet Protocol

◆ Visual Voicemail with Outlook: Receiving voice mails through Outlook by clicking them like in Windows Media Player

The Unified Messaging server isn’t commonly used at the small-business level because setting it up requires a lot of familiarity with high-level (in other words, enterprise-level) messaging architectures. However, with the Unified Messaging server properly set up, you can see voicemails in Outlook and manage a VoIP gateway directly with your Small Business Server.


Access vs. Security

The amount of security a small business chooses to implement depends a lot upon the nature of the business and the people who own it. Some small-business owners are especially cautious of their security, because they’re the sole proprietor of their operation, while others are more carefree. Regardless, as a system administrator, consultant, or business owner, you have to decide how much access mandates the need for security.

Say, for example, you want to leave the default settings on your SBS for client access. This allows the following:

◆ Outlook Web Access

◆ Exchange ActiveSync

◆ POP3/IMAP4 (although you must start the services)

Let’s take a look at these one at a time. You’ll find that, surprisingly, each of these default options leaves a security risk.

Outlook Web Access: Quite possibly the most convenient feature on the list, Outlook Web Access allows the veritable “front door” to be open to your small business. Granted, you still need a username and password, but the exposure of easy access to your Exchange Server’s mail store data allows your business to now be consistently exposed to random password guessing and other attempts at fraudulent access. And this can be very bad. Say, for example, a user had a password like simple1!. It wouldn’t take long for someone truly malicious to guess this password. Or, god forbid, if you had a password policy that actually allowed the word password to be used for a password, that wouldn’t take long to guess at all!

Exchange ActiveSync: ActiveSync allows users to possibly possess emails, even after termination, that could promote risk and exposure to the company. But even worse than that, having ActiveSync enabled with the default settings means that PDAs can not only sync for email but also transfer files from any shared folders on their server or the local computer to their mobile device. This is very dangerous. In fact, the risks involved have even been shown in movies — unbeknownst to the protagonist, a secret spy in an organization attaches a thumb drive to the local server and downloads all the precious data used to bring down the United States in the latest terror attack. Obviously, at the small-business level, you don’t deal with anything quite that extreme (which is a relief), but this PDA problem still applies. Enabling ActiveSync and leaving all the settings on by default also enables removable devices to receive a “write” policy. When this is active, they can copy anything they can access!

POP3/IMAP4: By default, Microsoft Exchange comes with IMAP4 and POP3 installed. However, the services for each have to be manually started by an admin. If you choose to start these, you have to be aware that this allows a couple different ports to be opened on your firewall and allows other types of clients to try to listen in on those ports and intercept mail messages. It’s a small risk but still a risk.


The Edge Transport Server Role

In a large environment, Exchange Server 2007 will implement an Edge Transport server. With Small Business Server, you can’t set up this role because it involves the use of multiple servers (usually more than three to do it efficiently). Edge Transport servers sit in front of the firewall in a perimeter network and transfer mail requests from the outside world to the Hub Transport server. Because it’s a critical role of Exchange and it’s built into Exchange Server 2007 on any given install, this role does occur in SBS, but it’s transparent and not visible to the end user. Thus, with SBS, you can’t set up an Edge Transport server role. However, you still need to know that this process is ongoing.

Journaling

With all versions of Exchange Server 2007, including the small-business version, Exchange Server supports the ability to journal email messages. Journaling is, in Microsoft’s words, “the ability to record all communications, including e-mail communications, in an organization for use in the organization’s e-mail retention or archival strategy.” A closely related function is email archiving, which is the process of storing Exchange data somewhere in a backup location. The two are related, but the only one specifically supported by Microsoft Exchange Server is the process of journaling, or keeping a record of all messages processed by Exchange Server in some manner.

Whether a business implements journaling is entirely up to the business in question. It is not enabled by default in Exchange Server, and the setup menu is not readily apparent during your initial install. Journaling is normally implemented by businesses in industries that are regulated, such as the financial industry, insurance, health care, commodities and exchange trading, or another industry that requires government or third-party oversight.

In some cases, organizations are required to keep every email sent to or from a company for up to seven years. Imagine, just for a moment, the amount of email and records that could be. Even in small businesses, we sometimes see clients easily sending up to 10,000 messages per day, perhaps even more. That can add up to more than 2 million email messages that have to be recorded.

Common Regulations

Throughout a business, different levels of regulations apply at different levels. For example, although the accountants and lawyers in a small CPA firm may have to keep the full seven years of email required by the government, the IT guru who installs and uninstalls their network may not have to apply the same rigorous standards to the rest of the company. Really, it all comes down to what specific regulation applies. The following are a few common regulations that Microsoft recognizes in its documentation on journaling:

Sarbanes-Oxley Act of 2002 (SOX) This is a U.S. federal law that requires the preservation ofrecords by certain exchange members, brokers, and dealers.

Security Exchange Commission Rule 17a-4 (SEC Rule 17 A-4) This provides rules regardingthe retention of electronic correspondence and records.

National Association of Securities Dealers 3010 and 3110 (NASD 3010 and 3110) The NASD requires that member firms establish and maintain a system to "supervise" the activities of each registered representative, including transactions and correspondence with the public. Also, NASD 3110 requires that member firms implement a retention program for all correspondence that involves registered representatives. These regulations affect primarily brokers/dealers, registered representatives, and individuals who trade securities or act as brokers for traders who are subject to the regulations.

Gramm-Leach-Bliley Act (Financial Modernization Act) This is a U.S. federal law that protects consumers’ personal financial information held by financial institutions.

Financial Institution Privacy Protection Acts of 2001 and 2003 These laws amend the Gramm-Leach-Bliley Act to provide enhanced protection of nonpublic personal information.

Health Insurance Portability and Accountability Act of 1996 (HIPAA) This is a U.S. federal law that provides rights and protections for participants and beneficiaries in group health plans.

Uniting and Strengthening America by Providing Appropriate Tools Required to Intercept and Obstruct Terrorism Act of 2001 (Patriot Act) This is a U.S. federal law that expands the authority of U.S. law enforcement for the stated purpose of fighting terrorist acts in the United States and abroad.

There are actually many more regulations than these. Also, this brief summary should in no way be considered legal advice on securing your network. The only person who can tell you how to lock down the journaling and archival strategy for your small business is a lawyer.

The Journaling Process

In Exchange Server 2007, the journaling process is accomplished using the Journaling agent, a process that runs on your Hub Transport server in one of two modes:

Standard journaling When standard journaling is enabled, the Exchange small-business server records all messages passed through a particular mailbox in the mailbox store that you as the administrator have chosen. By default, standard journaling operates only on the mailboxes you choose and won’t just archive the entire mailbox store. Instead, it’s based on the recipient, and it can’t be replicated throughout your server, because it’s defined by what the Journaling agent calls a journal rule scope, in other words, what the Journaling agent is assigned to cover.

Premium journaling Premium journaling requires an Exchange Enterprise license and thus can’t be completed with Small Business Server 2008. However, for the sake of completeness, Journaling agents with Exchange Server 2007 that run premium services allow users to create journal rules for a single mailbox or for groups that behave based on finite rule sets.

When you enable standard journaling on a mailbox store, this information is saved in Active Directory and is read by the Journaling agent. Journal rules configured with premium journaling are saved in a similar manner.

The Exchange Management Console

With SBS 2008, the Exchange Management Console (EMC) is your central administrative focus point for the control of the Organizational Configuration, Server Configuration, and Recipient Configuration areas of your Exchange Server. To access the EMC, you can type Exchange Management Console in the server Start bar. This will load the MMC you see in Figure 10.1.

Figure 10.1: The Exchange Management Console

As you can see from Figure 10.1, the EMC has several distinct sections, all of which have names. The first of these sections, shown in Figure 10.2, is the console tree. The console tree is the area where you can select the portion of the Exchange Server that you want to administer. By expanding the Organizational Configuration area, you’ll have access to the Mailbox, Client Access, Hub Transport, and Unified Messaging components as they apply to your organization (based on what you’re using). By expanding Server Configuration, you’ll have access to the components that are installed on your Exchange Server, which in Figure 10.1 is all of them — Mailbox, Client Access, Hub Transport, and Unified Messaging. Lastly, under Recipient Configuration, the console will show recipient mailboxes, distribution groups known to the Exchange Server, a mail contact list, and any known disconnected mailboxes.

The Actions pane, shown in Figure 10.3, directly relates to the console pane; anything selected within the console pane will immediately change the options in the Actions pane. If you pick something in your section in the console pane, the Actions pane will adjust the result pane to show you the options available (see Figure 10.4).

The result pane also displays results based upon which of the options you pick in the console pane. You can also filter results that you receive by using the Create Filter button — which is handy if you receive a ton of results when selecting a populated area (an area with a great deal of messages) of your Exchange Server.

The last pane in the EMC is the work pane, where all the work takes place! The work pane is below the result pane and is where you can refresh any decisions you’ve made, as well as choose to alter the objects you’ve selected in the work pane. There is almost always a Properties button, as well as a list of key modifications you might like to make regarding the server and its components.

Figure 10.2: The console tree

Figure 10.3: The Actions pane

Figure 10.4: The result pane

Learning to use the EMC is a bit of a fine art. It takes a little time and some practice, but it’s not that bad. On the high end, many administrators make their entire livings administering just Exchange Server and no other portions of Active Directory. The EMC is a power tool, and over the next few exercises and sections of this chapter, you’ll learn a lot more about it. First I’ll talk about one of the features you won’t use much in this chapter, just to get it out of the way: the Toolbox.

The Toolbox

In Exchange Server 2007, the Toolbox provides diagnostic and troubleshooting tools to troubleshoot Exchange. This includes tools like the Queue Viewer (used to see messages that need to be processed), as well as other independent tools.

By default, these tools are organized into three distinct sections:

◆ Disaster Recovery

◆ Mail Flow

◆ Performance

Disaster Recovery

The Disaster Recovery section of the Toolbox comes with two form-based database recovery tools — the Database Recovery Manager and the Database Troubleshooter. Each of these tools is fairly easy to use, because you just have to answer a couple questions, but they’re very important if something happens to your database. They contain a lot of automated tools to fix common occurrences within your database, even recovering from a complete disaster. All you have to do is double-click, answer the questions, and move on with your administrative life.

Mail Flow

Mail flow analysis is probably the single most important part of the Toolbox. It includes four tools: MailFlow Troubleshooter, Message Tracking, Queue Viewing, and the Routing Log Viewer.

MailFlow Troubleshooter and Message Tracking Like the Disaster Recovery and Performance sections of the Toolbox, the Mail Flow section of the Toolbox includes two form-based tools to analyze mail flow problems and track messages. And just like the other two, all you have to do is answer a few questions. You’d want to use the MailFlow Troubleshooter and Message Tracking tools if you have a problem with mail either not being sent out or not being received by the correct recipient.

Queue Viewer The Queue Viewer is a graphical tool that allows you to see the number of messages being sent by the server and that are queued up to do so. In some cases with SBS, many users will attempt to send messages from their outboxes that get stuck. If the messages have made it to the server, you’ll be able to see the outbound messages here and determine whether they are in the queue, have been attempted to be sent, and when the machine will try again.

Normally, you use the Queue Viewer to determine whether the problem with mail flow is on the client or the server. If it’s on the client, you wouldn’t see a queue. If it’s on the server, you’d see either a high total queue count or several messages with retry attempts.

Routing Log Viewer The Routing Log Viewer is a detailed custom program designed to let you open the custom logs that Exchange keeps for the inbound and outbound email it processes and to see, in detail, the processes applied to each of your messages. The Routing Log Viewer has four tabs, shown in Figure 10.5, each of which can show you the details involved with their respective tab names:

Active Directory Sites & Routing Groups Where the objects are and how they’re being routed

Servers The servers used in your environment

Send Connectors The outbound send connectors used to send email

Address Spaces The SMTP connectors established at some point in your infrastructure

Figure 10.5: Router Log Viewer

Performance

This section of the Toolbox is designed to help you figure out whether there are any bottlenecks with your messaging system, as well as see the amount of dedicated hardware the Exchange Server is utilizing while it performs its daily tasks. The tools here include the Performance Monitor and the Performance Troubleshooter.

Performance Monitor The Performance Monitor is dedicated to evaluating your Exchange Server’s hardware utilization. It’s graphical in nature and very intuitive. As you can see from Figure 10.6, the Performance Monitor is a line graph with check boxes on the bottom. These boxes allow you to see your CPU utilization, disk writes, and other important information. Using the Performance Monitor, you can evaluate your messages sent over time and the amount of hardware it takes to send them. If your machine is running slow, you can see where the bottleneck is and where to replace it.

Performance Troubleshooter A form-based tool, the Performance Troubleshooter is designed to analyze where a performance problem might be based on your performance logs and advise you how to correct it. To utilize this tool, you only have to open the tool from the Toolbox and answer a few questions.

Figure 10.6: The Performance Monitor

Adding an Exchange Administrator with the EMC

You can use the EMC to change permissions on accounts to allow users to view, modify, or administer mailboxes, as well as perform many other Exchange tasks. As an example, let’s create an Exchange administrator that will be able to modify accounts in Exchange Server.

1. Open the Exchange Management Console by typing Exchange Management Console in the Windows Start bar.

2. Expand Organizational Configuration.

3. Select the Exchange Administrators tab.

4. Click Add Exchange Administrator in the Actions pane. This will open the Add Exchange Administrator Wizard. There will be five radio buttons:

◆ Exchange Organization Administrator Role

◆ Exchange Public Folder Administrator Role

◆ Exchange Recipient Administrator Role

◆ Exchange View-Only Administrator Role

◆ Exchange Server Administrator Role

5. Leave the default selection (Exchange Organization Administrator Role), and click Browse.

6. Choose either an AD account or a mailbox type to become an administrator. Note that you can also choose groups. This is perfectly acceptable, but you should keep the group nesting cautionary tales in mind — sometimes you can make big mistakes!

7. Click Add. The EMC should go through a process with a countdown timer that will only take a second if you selected one user account, and possibly a few more if you chose several. In some large organizations, it can take hours to add numerous accounts.

The Exchange administrator will show up with its complete LDAP name. Note that this will, of course, show the OU that the user is contained within. Keep in mind that sometimes this can be a little difficult to find, because it doesn’t show the user’s name; it shows the complete extension. Thus, if you’re adding an administrator, you shouldn’t add one that you may take away in the future, because they’re a little hard to find.

Mailbox Tasks with the EMC

Using the EMC, you can do a whole lot with the three different mailbox areas in your Organizational Configuration, Server Configuration, and Recipient Configuration areas. I’ll cover this in the next few sections so you can be familiar with how to administer the rest of your Exchange Server environment.

Organizational Configuration Mailbox

Under the Organizational Configuration section’s Mailbox area, you can conduct five common tasks that I’ll summarize here briefly. You can implement each of these by firing up the EMC and going through the very intuitive GUIs associated with each object:

Create a new address list Address lists in the EMC are predefined lists of email addresses that will be published to your Exchange Server based on your administrative desires. For example, you may have a support department that you want all employees to have access to. Thus, you can add the email addresses to the address list and publish the list to the Exchange Server.

Create a new managed default folder You can create default folders to appear in Exchange users’ mailboxes. An example of something like that would be a conversation history folder that appears by default for your whole organization.

Create a new managed custom folder Custom folders in the EMC allow administrators to define folders that have custom content contained within them. Additionally, you can place comments on these messages or allow only certain types of emails to go in them.

Create a new managed folder mailbox A managed folder mailbox policy is sort of like a group. It collects a bunch of other managed folders and places them within one linked area. This allows you to add multiple folders at the same time.

Create a new offline address book Offline address books are published to users whether or not they are online. This is very useful in the case of contacts that always need to be reached, even if by phone. Through the EMC, you can publish offline contacts to make sure your users always have access to the people they need to be able to access.

Server Configuration Mailbox

The second area where you can affect mailboxes is Server Configuration. Here, you can create, delete, and manage your storage groups. You can think of a storage group as a collection of stores, which is really just a collection of mailboxes. Mailboxes go into stores, and stores go into storage groups. Additionally, storage groups can contain public folders. You can put just about anything involving Exchange Server into a storage group in one way or another.

However, you don’t want to make a storage group unless you have to because they use a lot of memory and can cause problems if you have too many. Some versions of Windows only support four, for example.

Stores, however, are pretty useful. You can use additional stores for different sets of users. Scott Lowe’s article in Tech Republic on June 28, 2006, used this example: "You may have one set of users for which you want to limit their total mailbox size. For other users, you may want to provide an unlimited mailbox size. One easy way to accomplish this is to use separate mailbox stores and place each user’s mailbox into the appropriate store."

A big advantage of SBS 2008 vs. SBS 2003 is that information stores now have no size limitation. SBS 2003 was limited to 18GB, which meant you frequently ran into annoying issues. Thankfully, that has changed, although it is worth noting that SBS 2008 does have a default 250GB limit on its stores. You can change that, but you really shouldn’t. If your stores on your server get really large, you can run into issues where you can’t defragment these files very well, and if they get corrupt, you lose just about everything, instead of just one or two stores.

Recipient Configuration Mailbox

The last area where you can modify mailboxes is Recipient Configuration. Here, you can adjust user mailboxes, assign them permissions to other mailboxes, and create new mailboxes. You can actually create four different mailbox types:

User mailbox A user-owned mailbox that sends and receives messages

Room mailbox A scheduling mailbox not used by an owner; associated with resources

Equipment mailbox A mailbox used for equipment scheduling and not used by a user; user accounts associated with it will be disabled

Linked mailbox A mailbox that links to a mailbox by a separate, trusted forest

Client Access Tasks with the EMC

The Client Access portion of the EMC is found within two areas: Organizational Configuration and Server Configuration. The Client Access section of the EMC can manage the following:

◆ Outlook Web Access

◆ Exchange ActiveSync

◆ Offline address book distribution

◆ POP/IMAP4

You can adjust your client access ActiveSync mailbox policies in the Organization Configuration section; the remainder of these items are under Server Configuration. In Exchange Server 2007, Client Access is a separate role because of the heavy burden that clients can place upon a server. With SBS, this role is forced to consolidate to a small server, but with larger implementations of Exchange, it makes sense to dedicate a server just to Client Access so the remaining portions of Exchange aren’t burdened with having to send emails back and forth and then send them out to the user in some manner.

With the EMC, you can select the client access portion of the server and then see the corresponding selections based on the server you pick in the view pane. (In the case of SBS, there’s only one.) Through this pane, you can right-click and examine the properties of any object. As an example, I opened up the properties of Outlook Web Access. Here, I can see the internal and external address of my server. If I wanted, I could change this to an external URL so that I could always access my Outlook mail at https://intellicorp.com/exchange, for example.

Unified Messaging with the EMC

The Unified Messaging portion of Exchange Server, like the Client Access portion, is accessed only via the Organizational Configuration and Server Configuration areas. This portion of Exchange Server is involved with setting up voice mail, phone systems, and VoIP in a Windows environment. Although I’d really like to get into the process of what it takes to set up unified messaging with SBS, it’s beyond the scope of most small businesses. Unified messaging requires a lot of extra portions of Microsoft enterprise-level software that don’t come with SBS 2008 (which means extra costs).

Accordingly, most small businesses aren’t going to use it. Another thing to keep in mind is that Small Business Server, by default, uses a ton of memory. Unified messaging, on top of all the other functions that Exchange does, can use even more. At a certain point, the "old-school" business practice of assuming that one server can’t do every possible task in the organization keeps ringing in the heads of most administrators. They keep thinking, "If I add too much to one server, it’s going to explode!" Now, though, that’s not really the case. And thankfully, that mind-set is quickly fading — if not completely gone already with the advent of virtualization.

Adding a Mailbox Database and Setting Up Journaling

Just for fun, let’s say you wanted to set up journaling on a particular user and you wanted that user to be contained within his or her own dedicated mail store (mailbox database). Let’s do that now:

1. Open the EMC by typing Exchange Management Console in the Windows Start bar.

2. Expand Server Configuration, and select Mailbox.

3. Select your server.

4. Expand the first storage group.

5. Right-click the first storage group, and select New Mailbox Database. This will open the screen shown here.

6. Name the database journaling, and click New.

7. The server will think for a bit, test the mounted server, and say that it has completed or throw an error with possible reasons. Click Finish.

8. On the Database Management tab, right-click Journaling, and select Properties.

9. Select the Journal Recipient box, and click the Browse button next to it.

10. Select the mailbox where you would like to journal, and then click OK.

11. Click Apply and then OK.

From now on, journaling messages will be sent to that mailbox.
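The same procedure in the Exchange Management Shell, followed by two checks worth running on any journaling setup. This is an added example rather than the book’s own; the storage group name, the JournalArchive mailbox, and the intellicorp domain prefix are assumptions to replace with your own values.

```powershell
# Added example for the Exchange Management Shell on Exchange Server 2007.
# Assumed names: 'First Storage Group', 'intellicorp\JournalArchive'.

# Steps 5-7: create the database in the first storage group and mount it.
New-MailboxDatabase -StorageGroup 'First Storage Group' -Name 'Journaling'
Mount-Database -Identity 'Journaling'

# Steps 8-11: point the database's journal recipient at the chosen mailbox.
Set-MailboxDatabase -Identity 'Journaling' -JournalRecipient 'intellicorp\JournalArchive'

# Check 1: confirm which databases journal, and to which recipient.
# A blank JournalRecipient means that database is not being journaled.
Get-MailboxDatabase |
    Format-Table Name, StorageGroup, JournalRecipient -AutoSize

# Check 2: the journal mailbox receives a copy of every journaled message,
# so list the explicitly granted permissions on it. Anyone shown here with
# FullAccess can read all of that mail.
Get-MailboxPermission -Identity 'intellicorp\JournalArchive' |
    Where-Object { -not $_.IsInherited } |
    Format-Table User, AccessRights, Deny -AutoSize
```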

The Exchange Management Shell

Another powerful feature that comes with Exchange Server in SBS 2008 is the Exchange Management Shell (EMS). With Small Business Server, you can use this tool to execute commands and scripts to modify portions of Exchange Server through a command interface. The EMS is a Visual Basic–enabled .NET application that allows you to interact with all Exchange Server objects and issue commands on them.

EMS Features

According to Microsoft, the key features of the EMS are as follows:

Command-line interface The EMS offers the ability to issue multiple commands through a command-line interface that allows more robust application of complicated commands affecting multiple user groups, mail stores, or other Exchange objects.

Piping of data between commands Piping in the EMS allows you to input a command, receive output from that command, and use that output as the input for another command. A layman’s example of how this works would be something like this: "Tell me the number of ducks in a row, and then use that number to pay the farmer in increments of $100." If there were four ducks, our command would count the number of ducks, receive the number four, and then give the farmer $400.

Structured data support This one is best explained by Microsoft. It defines structured data support as the ability to use "output from the commands" that "can be acted on and processed by other commands by using little or no manipulation. Commands in a particular feature set accept output from other commands in that same feature set, without manipulation."

Extensive support for scripting With the EMC, you can script just about anything involving Exchange. Want to add a thousand email addresses to one user account? No problem. Just write a script! Visual Basic with .NET is the most readily accepted standard.

Safe scripting Safe scripting allows you to execute a script and see that it does exactly what you want. This is helpful if you’re executing a script that could cause a lot of harm to your environment.

Access cmd.exe commands You can now use command prompt commands like ipconfig from the EMS.

Trusted scripts Microsoft designed trusted scripts with security in mind. Trusted scripts are used to improve security. "The Exchange Management Shell requires that all scripts are digitally signed before they are allowed to run. This requirement prevents malicious parties from inserting a harmful script in the Exchange Management Shell. Only scripts that you specifically trust are allowed to run. This precaution helps protect you and your organization."

Profile customization Based on your own profile, you can adjust the way the EMS appears. This is kind of handy if you have a particular configuration you’d like to use.

Extensible shell support According to Microsoft, "The Exchange Management Shell uses XML to let you modify many aspects of its behavior. Developers can create new commands to integrate with the built-in Exchange Management Shell commands. This extensibility gives you more control over your Exchange 2007 organization and helps you streamline business processes."

EMS Commands

The full range of available EMS commands is quite extensive. In fact, since the EMS takes advantage of PowerShell, the range of commands could quite easily encompass an entire book. In fact, getting a PowerShell book is probably a really good investment, because with the advent of the EMS, several of the main tools used to modify Exchange Server in the past are no longer in the GUI and must instead be done through PowerShell. However, there are two main tasks that you’ll do quite often with SBS — modify permissions and retrieve mailbox information/set quotas.

Adding an Account or Modifying Permissions

Let’s take a look at how easy it is to use the EMS to do what you just did earlier in the EMC — create an Exchange account administrator. Let’s do it again with the EMS. This time, just fire up the EMS by typing Exchange Management Shell in the Start bar, and then enter the following line:

Add-ExchangeAdministrator -Role OrgAdmin -Identity intellicorp\steve

This does the same thing as the steps you performed in the EMC, with the elegance of just a single command! Most administrators use commands like this in lieu of using the GUI, which can take a lot of time to navigate. The downside, of course, is that you have to get used to using PowerShell, which can have a learning curve.
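Because the EMC lists administrators by full LDAP name, a shell listing by role is the quicker way to review who holds which Exchange role. The following is an added example, not the book’s own code; intellicorp\steve comes from the command above, while intellicorp\helpdesk is a constructed placeholder account.

```powershell
# Added example for the Exchange Management Shell on Exchange Server 2007.

# Every Exchange administrator, sorted by role. Scope is only populated
# for the server-scoped ServerAdmin role.
Get-ExchangeAdministrator |
    Sort-Object Role |
    Format-Table Role, Scope, Identity -AutoSize

# Only the holders of the most powerful role, which is the default
# selection in the Add Exchange Administrator Wizard.
Get-ExchangeAdministrator |
    Where-Object { $_.Role -eq 'OrgAdmin' } |
    Format-Table Identity -AutoSize

# The wizard's five radio buttons correspond to these -Role values:
#   OrgAdmin, PublicFolderAdmin, RecipientAdmin, ViewOnlyAdmin, ServerAdmin
# Grant the narrowest role that covers the job. -WhatIf reports the change
# without making it; remove it to apply.
Add-ExchangeAdministrator -Role ViewOnlyAdmin -Identity intellicorp\helpdesk -WhatIf

# Withdraw a role that is no longer needed.
Remove-ExchangeAdministrator -Role OrgAdmin -Identity intellicorp\steve -WhatIf
```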

Using EMS and PowerShell

More often than not, you may have a few users who end up with really big Exchange mailboxes. You may decide to set quotas for them, which is pretty easy. You can also even list the Exchange Server 2007 roles. Here are a few PowerShell examples of how you would do that.

Retrieving a Mailbox

Retrieving a mailbox will allow you to see a user’s mailbox and the data involved with it. Use the following command:

get-Mailbox Domain\User

replacing Domain and User with the correct names. Here’s an example:

get-Mailbox intellicorp\steve

Setting a Quota

With this command, you can set quotas on various parts of a user’s mailbox. Use the following command:

get-Mailbox "Domain\User" | set-Mailbox -ProhibitSendQuota 100MB
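A fuller version of the quota task: find the largest mailboxes, apply a quota, and confirm it took effect. This is an added example, not the book’s code; the 90MB and 120MB thresholds are constructed values, and it sets UseDatabaseQuotaDefaults to $false because a mailbox that still uses its database’s default quotas ignores per-mailbox limits.

```powershell
# Added example for the Exchange Management Shell on Exchange Server 2007.

# The ten largest mailboxes on this server, with size shown in MB.
Get-MailboxStatistics |
    Sort-Object TotalItemSize -Descending |
    Select-Object -First 10 DisplayName, ItemCount,
        @{ Name = 'SizeMB'; Expression = { $_.TotalItemSize.Value.ToMB() } }

# Apply per-mailbox limits. The three thresholds must rise in this order:
# warn, then block sending, then block sending and receiving.
Get-Mailbox 'intellicorp\steve' |
    Set-Mailbox -UseDatabaseQuotaDefaults $false `
                -IssueWarningQuota 90MB `
                -ProhibitSendQuota 100MB `
                -ProhibitSendReceiveQuota 120MB

# Confirm what is now stored on the mailbox.
Get-Mailbox 'intellicorp\steve' |
    Format-List Name, UseDatabaseQuotaDefaults, IssueWarningQuota,
                ProhibitSendQuota, ProhibitSendReceiveQuota
```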

Listing Roles in Exchange Server 2007

You can display the roles of your Exchange Server to show what it holds. This is often more useful in larger environments, but it can help you debug your SBS server if you have a mail flow problem.

Use the following command:

get-ExchangeServer

This will display all your Exchange Server data; for example, check out Figure 10.7. The figure shows just a simple example of powering up PowerShell with Exchange and running a simple command. If you’re interested in learning more about PowerShell, you can read about it in several books dedicated to PowerShell. Upon mastering it, you can display the contents of the previous command more clearly, run scripts to display only portions that you want to see, and generally become a much more versatile administrator without the need to learn a drastic deal more about your server.

PowerShell takes advantage of VBScript, the language that runs its scripting. Mastery of Exchange Server doesn’t necessarily require knowledge of VBScript, but it certainly separates you from the pack.

Figure 10.7: Exchange shell command output

The Bottom Line

Understand the components of Exchange Server To properly administer Exchange Server for a small business, you need to know what controls Exchange Server and how to use it. With Exchange Server, you can control an entire messaging architecture that is rather complex.

Master It One of the components of the Exchange Server infrastructure is PowerShell. How can you use PowerShell to set a quota of 100MB on a mailbox?

Understand Exchange Server roles To properly administer Exchange Server for a small business, Exchange Server 2007 has implemented new roles and functions. These five roles are Client Access, Hub Transport, Mailbox, Unified Messaging, and Edge Transport. Before Exchange Server 2007, these roles either did not exist or were named differently.

Master It Create or draw a picture that illustrates what the server placement would look like for a company using the full version of Exchange Server 2007 in a LAN environment, with each server holding a role. Show where each server would be placed in reference to the firewall.

Chapter 11

Managing Clients, Troubleshooting, and Recovering from Disaster with Exchange for SBS

In the previous chapter, I focused on the components of Exchange Server 2007, how they differ from Exchange Server 2003, and what you need to know about them to effectively manage your small-business infrastructure. Both an advantage and a disadvantage of SBS 2008 is the incredible set of tools and features it has access to that are available through enterprise-level licensing agreements. Accordingly, this means that not only will you have to understand a lot about the Windows infrastructure to properly manage your SBS server, but you’ll also need to know a lot about the Exchange Server infrastructure and how the components are accessed by your clients, along with what you should do if things go wrong.

This chapter will focus on accessing Exchange Server through various clients, as well as how to troubleshoot mailflow problems. I’ll also spend a couple sections describing how you can back up Exchange Server and recover from disaster if it strikes your organization. So, the chapter will effectively be broken down into two parts — how to access Exchange Server and how to handle it when something goes wrong.

In this chapter, you will learn to

◆ Set up Exchange Server clients

◆ Diagnose mailflow issues

◆ Back up Exchange Server 2007

Exchange Server Clients

Exchange Server, like any other mail server, is not necessarily picky about the types of client software programs that access it, but it is picky about how clients access it. If you think about the way email is accessed throughout the entire world — whether it’s through Exchange Server, POP/SMTP, or any of the other mailing systems — it’s all based around the idea of protocols. If you request information in a certain method, the server will respond with the requested information based on that protocol.

Here are some of the many choices of email clients you can use to access email:

◆ Outlook 2000/2003/2007

◆ Barca

◆ Calypso

◆ Entourage

◆ Eudora

◆ Lotus Notes

◆ Mozilla Thunderbird

◆ Pegasus

◆ Pine

◆ The Bat

Some support direct connections with Exchange Server and some don’t, but nearly all of them support standard POP/SMTP connections to retrieve email, which is supported by Exchange Server. Typically, clients connecting to a small-business server are using either Microsoft Outlook, Entourage for the Macintosh, or a popular alternate like Mozilla Thunderbird.

Outlook 2007

Microsoft Small Business Server 2008 ships with client licenses for Microsoft Outlook 2007 for your clients, because it is the preferred client for SBS 2008. Outlook is a messaging tool that can be used to send email and handle contacts, tasks, voice mails, and other communication formats from a client to a server. In and of itself, Outlook can do nothing. It’s only when it’s attached to a server that it will actually become a functioning tool.

Part of your responsibility as an SBS administrator is to know how to set up Outlook 2007 for your clients. You can do this in many ways, including using security and mail services other than Exchange Server.

Entourage

Entourage is the Macintosh alternative for Microsoft Outlook. It is similar to Outlook in its procedures and protocols, but it is available only on Macs. Usually users with Entourage are graphic designers or users who, for whatever reason, need access to a Macintosh computer.

Alternatives

Other than the Microsoft-supported mail clients, users can choose to use any of the competing mail browsers. However, Microsoft does not support or recommend using third-party products — so, in short, you can use these types of products, but if something breaks, you’re on your own. Or, you can always contact the vendor that produced the third-party software (assuming it’s available) and see what happens. I haven’t heard of a lot of people having success with this, however.

A Multiplatform Environment

During my consulting days in IT support, I often worked for businesses that ran multiplatform operations to either cut costs or support specific programs that were available only on certain platforms. One example was a small business with five employees. Two of these employees used Windows XP workstations, one used Ubuntu Linux, and two used Macintosh. It was almost stereotypical in that the two XP users were businesspeople in marketing and accounting, the Linux user was a programmer, and the Macintosh user was the graphic designer.

The president of the company, who used Vista, wanted an email solution that conveyed to the rest of the world that his company was legitimate, in that they had their own domain name, but he didn’t care at all about logging employee traffic, chronicling email, or setting up any type of journaling archive. Instead, he just wanted to make sure that email was sent and delivered.

So, I set up a Small Business Server environment that had IMAP enabled. This allowed the three Outlook-based workstations (two XP, one Vista) to connect to the server, and it also allowed the Linux and Macintosh clients, which were both technically Unix machines, to connect to the email server with ease and retrieve email that would be stored on the server but still accessible to the client through a copy — even if they accessed it through IMAP.

When implementing email solutions for a small business, you have to keep in mind that many of them just don’t need the massive amount of archiving and extra storage or transport rules associated with a large business. All you’ll really need to do is set up a simple email solution that follows the KISS rule: keep it simple, stupid! If a client asks you to make it easy for their clients to access the server and doesn’t want anything fancy, just give them what they want. It will make both of you happy.

External Access to Email

More than just having an Exchange Server enabled only for your network and the users directly attached to it, modern workers need to be able to access their email through their favorite web client from just about anywhere. And with laptops becoming more and more ubiquitous in small, medium, and large businesses, the inability for users to access their email from locations other than their office has become simply intolerable. With SBS 2008, users are provided with two easy and effective means to access their email remotely: Outlook Anywhere and Outlook Web Access. The following sections discuss what each is and how to enable them.

Outlook Anywhere

Outlook clients use Remote Procedure Call (RPC) to connect to a server and retrieve email. The upside to this is that RPC works very well, and when it’s connected to a LAN, it has very few problems. The downside is that RPC doesn’t support transmission over a wide area network for several reasons. First, it’s insecure, and second, the protocol sends a lot of data that can become jumbled fairly easily. This made RPC very impractical for remote users until Microsoft came up with a very elegant solution.

The solution Microsoft came up with was to use the Hypertext Transfer Protocol (HTTP), a protocol that basically helped define the Internet as we know it today. This allowed the following:

◆ Remote access to Exchange Server from the Internet via HTTP

◆ Full integration with Outlook Web Access (discussed in the next section)

◆ Secure Sockets Layer (SSL) incorporation for HTTPS

◆ Security from unauthenticated users

◆ Incorporation with known certificate authorities

◆ Elimination of the requirement for virtual private networks (VPNs)

All in all, the feature set that it allows is very impressive. In particular, the ability to use HTTP with SSL (HTTPS) is particularly brilliant in that it allows you to authenticate to the correct server without the possibility of its identity being compromised. Another key feature is that with RPC over HTTP, you do not have to use a virtual private network. This is very important, because before RPC over HTTP, any user authenticating from anywhere across the globe had to set up a VPN connection, which was taxing on your server, firewall/router, and Internet connection. Now, it’s processed just like web traffic.

Setting Up RPC over HTTP

This section explains how to set up RPC over HTTP using SBS 2008. You can complete this exercise without a certificate, but if you are going to use this server in a live business environment, it’s highly suggested that you purchase one. This will help eliminate the possibility of your users connecting to a spoofed email server.

To install the RPC over HTTP Windows Networking component in Windows Server 2008, do the following:

1. Open Server Manager.

2. Select Features on the left.

3. Check to see whether the RPC Over HTTP Proxy feature is installed. It should be by default. If not, in the right pane, click Add Features.

4. Select the RPC Over HTTP Proxy check box.

5. If the Add Role Services Required For HTTP Proxy dialog box appears, click Add Required Role Services.

6. Click Next twice.

7. On the Select Role Services page, click Next.

8. On the Confirm Installation Selections page, click Install.

9. When the features are installed, click Close.

To use the Exchange Management Console to enable Outlook Anywhere, follow these steps:

1. In the console tree, expand Server Configuration, and then click Client Access.

2. In the action pane, click Enable Outlook Anywhere.

3. In the Enable Outlook Anywhere Wizard, type the external hostname for your organization in the External Host Name box. I will use intellicorp.com.

4. Select an available external authentication method. You can select Basic authentication or NTLM authentication.

5. Select the Allow Secure Channel (SSL) Offloading check box, if you want to do SSL offloading.

6. Click Next.

7. Click Finish at the summary screen.

Outlook Web Access

The next form of external access available to businesses utilizing Exchange Server for Small Business Server 2008 is Outlook Web Access (OWA). OWA provides direct web integration with the Exchange Server mail store through the Client Access server. It allows a user to manage email over the Web as if they were directly attached to the mail store through an Outlook client.

You enable OWA through the Exchange Management Console, under Server Configuration. Since it comes enabled by default with Small Business Server, you should know how to do two things:

◆ Turn it off if it poses a security risk.

◆ Change the URL for easier user access.

Turning Off OWA

More often than not, organizations concerned with the possibility of email exposure to the public have begun turning off Outlook Web Access. Follow these steps:

1. Open the Exchange Management Console by typing Exchange Management Console in the Start menu.

2. Select Client Access under Server Configuration.

3. Select the Outlook Web Access tab.

4. Right-click owa (SBS Web Applications), and select Properties.

5. Ensure the external URL is blank.

6. Open IIS by selecting Administrative Tools > IIS Manager.

7. Select Application Pools underneath your server.

8. Stop the MSExchangeOWAAppPool pool by selecting it and then hitting the Stop button in the action pane.

This will stop the OWA pool and not interfere with the other aspects of IIS or Exchange Server. Note that this will just stop the application; it will not necessarily stop the web pool. Should you want to start the application again in the future, you can easily navigate to the application pool and then start the application.

Changing the OWA Access Address

The default yoursite.com/owa is sometimes a little inconvenient to type, and if you’re a company that doesn’t require a web presence, you might want to change it to something as simple as yoursite.com. You can do this by following these steps:

1. Start IIS Manager by accessing it through Administrative Tools.

2. Right-click Default Web Site, and choose Properties.

3. Click the Home Directory tab.

4. Change the first option to A Redirection To A URL.

5. Enter /owa in the box.

6. Change the entry below to A Directory Below URL Entered.

7. Click Apply and then OK.

This simple method redirects the traffic from the default /owa to the option you’d like. This is a simple, easy, and elegant way to redirect your traffic.

ActiveSync

Exchange ActiveSync is a low-bandwidth synchronization platform designed to work with any size network. The ActiveSync protocol was originally based on XML and HTTP to provide a connection-oriented system that could transmit forms through XML while using HTTP to transmit across a network of any speed range. Through ActiveSync, mobile devices can access email, calendars, contacts, and tasks. However, ActiveSync will not synchronize Outlook notes, which is a little bit of a downside but not a deal breaker. That’s really the only feature out of many that doesn’t work.

Whenever the Client Access server role with Exchange Server is installed, ActiveSync is automatically installed as well on the Exchange Server. Since you’re dealing with SBS and the Client Access server role will always be installed, it’s a fair statement to say that ActiveSync will always be installed, and accordingly you will need to know how to set it up, as well as what it can do.

New Features in ActiveSync for Exchange Server 2007

The official list of Microsoft features, available at http://technet.microsoft.com/en-us/library/aa998357.aspx, is:

◆ Support for HTML messages

◆ Support for follow-up flags

◆ Support for fast message retrieval

◆ Meeting attendee information

◆ Enhanced Exchange search

◆ Windows SharePoint Services and UNC document access

◆ PIN reset

◆ Enhanced device security through password policies

◆ Autodiscover for over-the-air provisioning

◆ Support for Out of Office configuration

◆ Support for tasks synchronization

◆ DirectPush

Using ActiveSync

Since ActiveSync is enabled by default, using it is fairly easy. ActiveSync uses the Autodiscover protocol to detect devices, assuming the device supports it. Autodiscover works a lot like the Dynamic Host Configuration Protocol (DHCP) in that it’s relatively transparent to the end user. A user plugs in a device, and it automatically works. Assuming the device uses Windows Mobile, it should just work. Other devices, like Palms and iPhones, can sometimes experience conflict errors, but most vendors that work with ActiveSync post troubleshooting and diagnostic guides for their devices.

ActiveSync Security

Exchange ActiveSync uses SSL to communicate between mobile devices and your Exchange Server in Small Business Server 2008. This is done so that data transmitted back and forth between mobile devices and the Exchange Server is authenticated and secured. Once authenticated, the certificate is stored into the device’s memory. ActiveSync also supports RSA SecurID two-factor authentication for the particularly security-conscious administrator.

As part of the public key infrastructure (though the Windows Small Business Server 2008 PKI is pretty darn easy), you can authenticate a device to know that it’s dealing with a trusted authority through Exchange Server. This is particularly useful for large organizations, but for the extra-paranoid SBS administrator, this is available for kicks. You can enable this in the console. Additionally, you can also set the security features defined by Microsoft in the earlier referenced ActiveSync article:

Remote wipe If a device is ever lost or stolen, you can issue a command to immediately purge the device of all data, adding an extra layer of security in case you have an employee who, when terminated, could turn malicious.

Password policies Exchange Server 2007 allows a lot of different password options. Some of these include the following:

Minimum password length (characters) The default length for ActiveSync passwords is four, but it can go up to eighteen characters.

Require alphanumeric password This allows you to include a password that requires both numbers and letters.

Inactivity time (seconds) This sets how long the device can stay inactive before it automatically locks.

Wipe device after failed (attempts) Wipes the device after a certain number of failed attempts at logging in. This is very useful for PDAs that may contain sensitive data.
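
The password options and remote wipe listed above map to Exchange Management Shell cmdlets. The following is an added example, not taken from the book; the policy name, mailbox alias, and threshold values are assumptions chosen for illustration.

```powershell
# Added example for the Exchange Management Shell (Exchange Server 2007).
# The policy name, mailbox alias and threshold values are assumptions.
$policyName = 'SBS Mobile Baseline'   # hypothetical policy name
$mailbox    = 'jsmith'                # hypothetical mailbox alias

# 1. Create a policy that turns on each password option described above.
#    The shell takes the inactivity limit as a time span (hh:mm:ss).
New-ActiveSyncMailboxPolicy -Name $policyName `
    -DevicePasswordEnabled $true `
    -AlphanumericDevicePasswordRequired $true `
    -MinDevicePasswordLength 6 `
    -MaxInactivityTimeDeviceLock '00:05:00' `
    -MaxDevicePasswordFailedAttempts 8 `
    -AllowNonProvisionableDevices $false

# 2. Assign the policy to a mailbox.
Set-CASMailbox -Identity $mailbox -ActiveSyncMailboxPolicy $policyName

# 3. Audit: list every policy that still allows a device with no password
#    or with a digits-only PIN, so weak policies are visible in one place.
Get-ActiveSyncMailboxPolicy |
    Where-Object { (-not $_.DevicePasswordEnabled) -or (-not $_.AlphanumericDevicePasswordRequired) } |
    Select-Object Name, DevicePasswordEnabled,
                  AlphanumericDevicePasswordRequired,
                  MinDevicePasswordLength, MaxDevicePasswordFailedAttempts

# 4. Lost or stolen device: list the device partnerships for the mailbox and
#    check whether a wipe has already been sent or acknowledged.
Get-ActiveSyncDeviceStatistics -Mailbox $mailbox |
    Select-Object Identity, DeviceType, DeviceModel,
                  LastSuccessSync, DeviceWipeSentTime, DeviceWipeAckTime

# 5. Issue the wipe for the one device that is missing. Left commented out
#    because it erases the device; the identity is a placeholder.
# Clear-ActiveSyncDevice -Identity '<Identity value from the listing above>'
```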

Database Structure and Recovery

I’ve already gone over how devastating a disaster can really be on at least three different occasions in this book, so I’ll spare you the lecture. In this section, I will go into how to back up your Exchange Server data separately and restore it in case the worst happens.

More than one small-business administrator has been stuck in a situation where they had properly backed up their server but hadn’t considered their email as a completely separate entity and therefore lost data. Those of us who use servers to do business on a daily basis know how much of a pain it can be to lose something like that, and thus we back up accordingly.

I’ll start by spending some time talking about the design of the Exchange database and how it’s recovered. The Exchange database is the most important part of your information system, and you need to know what to do in case it fails with SBS 2008.

File Structure of the Exchange Store

The main component of any disaster recovery is the Exchange store and the mail contained within. Without the Exchange store, even if every other aspect of your Exchange Server infrastructure were up and running, you really couldn’t do much without the actual emails themselves, which are stored in your email store. This is why the most important part of any Exchange Server restore is the Exchange store.

The Exchange store in Small Business Server is broken into a specialized set of data files, including Exchange database (.edb) files, transaction logging (.log) files, and checkpoint (.chk) files. These files, for the most part, sit back and collect data with zero user interaction. Together, these files form a storage group that contains the data for your Exchange Server to do business. Let’s go over what each of these files does, one at a time.

Database Files

Exchange database (.edb) files are the repository for mailbox data. They are accessed by the Extensible Storage Engine (a .dll that allows the application to store records and create indexes) directly and have a B-tree structure (a computer science binary search tree that allows for quick data insertion) that is designed for quick access. When running properly, the system can access data in as little as four I/O cycles.

Log Files

Before any other file operations are done, when Exchange Server handles any messages, it records these changes to a log file with the (.log) file format. This is done so that, no matter what Exchange Server tries to do, it records a log of what occurred so a user can look through it. For the especially ambitious administrator, the Exchange Server logs can provide a wealth of information. However, over time, the Exchange Server logs can expand greatly in size. Thus, it’s a good idea to occasionally delete or replace these with fresh files.

You can remove these logs by stopping a storage group in a clean state and then verifying the state in the logs by what is currently being accessed. Then, you can remove the log files if they are no longer in use.

Checkpoint Files

Similar to log files, checkpoint (.chk) files in Exchange Server indicate whenever a database transaction has successfully taken place, rather than when one is just attempted. In combination with log files, checkpoint files can help restore a database based on transaction logs of what was attempted vs. what was actually recorded to the database.

Exchange Server Transaction Logging

Because Exchange Server 2007 manages so much data, the process of logging has become quite important, and therefore it has become very streamlined. Because there is so much data, Exchange Server breaks log files down into individual 1MB files (1024KB) that are sequentially numbered in an incremental fashion (for example, Enn00000001.log, Enn00000002.log, Enn00000003.log, and so on). The nn number in the naming convention is a prefix that’s appended to each of the log files. Just like the trailing number, it increments by one for each new file.

For example, an extraordinarily large email server may have an E23099991.log file, which would represent the 23rd prefixed group of files, file number 99991. But there’s just one trick — the files are numbered in hexadecimal. This means that, instead of base 10 numbers like you’re used to (0 through 10), the hexadecimal system runs from 0 through F. So, eventually, instead of going from . . . 009 to . . . 10, the file number would flip to . . . 00A. If you’re interested, you can learn to count in hexadecimal by reading any entry-level mathematics book, or you could also just follow Microsoft’s recommendation:

You can convert log file sequence numbers to their decimal values by using the Windows Calculator (Calc.exe) application in Scientific mode. To do this, run Calc.exe, and then, from the View menu, click Scientific.

Source: Microsoft TechNet

But, just in case you don’t want to go through all that effort, you can refer to Table 11.1, which lists the basic sequence of hexadecimal numbers.

As you can see, the file structure is designed to be so large that a database of practically any size could be logged. I don’t have the number in base 10 offhand, but can you imagine how big EFFFFFFFFFF.log must be? That’s why you use checkpoint files to sort of stream together these log files. Viewing a specific log file is pretty easy. All you have to do is use the Exchange Server Database Utilities (eseutil.exe). The information regarding the decimal number of the log is contained there, along with the log information. If you want to see the header information, however, you’ll need to use the /ml switch with the eseutil command.

On TechNet, Microsoft cautions the following:

You cannot view the header of a database while it is mounted. You also cannot view the header of the current log file (Enn.log) while any database in the storage group is mounted. Exchange holds the current log file open as long as one database is using it. You can, however, view the checkpoint file header while databases are mounted. Exchange updates the checkpoint file every thirty seconds, and its header is viewable except during the moment when an update is occurring.

Source: Microsoft TechNet

It’s therefore vital that you understand the Exchange Server header files, because with these files alone, you can determine the order in which the Exchange Server data should be placed and what you’ll need to do in order to properly recover from disaster, because not everything may be required.

Table 11.1: Converting Base 10 to Base 16

Base 10    Base 16
0          0
1          1
2          2
3          3
4          4
5          5
6          6
7          7
8          8
9          9
10         A
11         B
12         C
13         D
14         E
15         F

Take a look at the following header file:

Initiating FILE DUMP mode...
Base name: e00
Log file: e00000005BF.log
lGeneration: 1471 (0x5BF)
Checkpoint: (0x2C66,8,0)
creation time: 09/12/2009 18:54:06
prev gen time: 09/12/2009 18:54:04

This log file indicates that it starts at the base e00, which means that it doesn’t have a sequence to come after. Instead, the log file will begin at e00 and start its log name as e00.log. The lGeneration information then indicates how much the log file is filled and where it ends. The number 11 corresponds to the 5BF in the (0x5BF) address. This means that, since the log file goes from e00 to e0B, the log file’s name will be E000000005BF.log.

The Checkpoint information indicates where the checkpoint file is located and how far apart the log is from that checkpoint. In my work as an administrator, I’ve never seen anyone use this, so I’m not going to discuss it. However, if you’re really into studying logs, you can look it up on Microsoft’s website.

However, what you should know is that even if the checkpoint file is completely and utterly destroyed, life isn’t over. Exchange Server can scan the log files and begin with the oldest file available. This normally just takes longer, because it has to access the old database. On a normal log file, it takes only a couple seconds to scan whether it’s already been applied to the database. If not, it can take a few minutes, so it’s not the end of the world at the small-business level. It only starts to become a nightmare when the databases get tremendous, like they do in large enterprises.

To delete log files, the Exchange database needs to be in a “clean shutdown” position, which means that Exchange Server needs to be shut down in the proper manner. You can see whether this has occurred by using the eseutil /mh command to examine the file headers. This doesn’t cause any harm, except that your ability to restore older backups has probably been compromised because the earlier log files aren’t available.

Please note that, in general, you shouldn’t delete Exchange Server logs unless you have to do so. Every log that you delete could potentially be a log that you desperately need in case of a disaster. It’s never fun to be in a situation where you have to say “Logs? Logs!?” And beyond that, note that you need to shut down your database in a clean state. If you don’t, you’ll need to have every database log from the checkpoint forward before you can mount it. And if you don’t have them, you have to launch the eseutil command and repair the database.
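
As an added example (not from the book), the PowerShell below decodes the hexadecimal generation number in a log file name and reports which logs are absent from a sequence, a check worth running before deleting logs or attempting a mount. The sample file names are constructed, and the first required generation is an assumed input that you would take from your own header output.

```powershell
# Added example (not from the book). The file names in $sample are constructed.

# Split a transaction log name into its Enn prefix and its generation number.
# The generation is written in hexadecimal, so E00000005BF.log is 0x5BF.
function ConvertFrom-LogFileName {
    param([string]$Name)
    if ($Name -match '^(E[0-9A-F]{2})([0-9A-F]+)\.log$') {
        $log = New-Object PSObject
        $log | Add-Member -MemberType NoteProperty -Name Name -Value $Name
        $log | Add-Member -MemberType NoteProperty -Name Prefix -Value $matches[1].ToUpper()
        $log | Add-Member -MemberType NoteProperty -Name Generation `
            -Value ([Convert]::ToInt64($matches[2], 16))
        return $log
    }
    return $null   # Enn.log (the current log), .chk files and anything else
}

# Report the log files missing between an assumed first required generation
# and the highest generation present. Names are rebuilt with eight hex digits,
# following the Enn00000001.log pattern shown in this chapter.
function Find-MissingLog {
    param([string[]]$Names, [string]$Prefix, [long]$FirstRequired)
    $present = @{}
    [long]$highest = -1
    foreach ($name in $Names) {
        $log = ConvertFrom-LogFileName $name
        if ($log -ne $null -and $log.Prefix -eq $Prefix.ToUpper()) {
            # Hex strings as keys avoid any Int32/Int64 key mismatch.
            $present['{0:X}' -f $log.Generation] = $true
            if ($log.Generation -gt $highest) { $highest = $log.Generation }
        }
    }
    $missing = @()
    for ([long]$gen = $FirstRequired; $gen -le $highest; $gen++) {
        if (-not $present.ContainsKey(('{0:X}' -f $gen))) {
            $missing += ('{0}{1:X8}.log' -f $Prefix.ToUpper(), $gen)
        }
    }
    return $missing
}

# Constructed directory listing in which generation 0x5BE is absent.
$sample = 'E00.log', 'E00.chk', 'E00000005BC.log', 'E00000005BD.log',
          'E00000005BF.log', 'E00000005C0.log'

# Decimal generation of the log named in the header dump earlier in this section.
(ConvertFrom-LogFileName 'e00000005BF.log').Generation

# Gaps in the sequence, counting forward from the assumed first required log.
Find-MissingLog -Names $sample -Prefix 'E00' -FirstRequired 0x5BC
```

Against a real storage group, pass the file names from the log folder (for example, the Name property of each item returned by Get-ChildItem) instead of $sample.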

Circular Logging

It’s not a recommended practice, but you can configure Exchange Server 2007 to save space by using circular logging. Circular logging enables the Exchange Server to reach a certain point of log file extension and then circle back to the beginning of where it initiated the logs and record over the data it’s already processed.

In the rarest of circumstances, if you have an organization that has very little space on the system drive that is running Exchange Server, you can enable circular logging to save a great deal of disk space. However, you will never be able to recover from any data that you write over. Thus, it’s generally not a good idea, unless you accompany your circular logging with another form of backup — or generally don’t care as much about the backup that you’re doing.

To enable (or disable) circular logging, follow these steps:

1. Start the Exchange Management Console.

2. Expand Server Configuration, and then select Mailbox.

3. Right-click the storage group you desire, and then click Properties.

4. Select (or clear) Enable Circular Logging.

5. Click OK.

On more than one occasion, I’ve worked for an organization running SBS that decided to install SBS 2008 on the system drive, which places Exchange Server there by default. And in some of those occasions, the system drive was too small to support the installation of both Small Business Server and Exchange Server 2007. Thus, after a short period of time, mailflow ceased because the system drive had become bogged down with logs. If you’re ever in a situation where a customer is operating with a single volume, make sure to check the size of the Exchange Server logs. If they’re too large, try to purge as many as you can afford to without compromising Exchange Server.

Continuous Replication and Continuous Replication Circular Logging

The type of logging you implement is completely up to you, depending on exactly how you would like to view your logs. Exchange Server 2007 (which you use in SBS 2008) supports two types of continuous logging: continuous replication and continuous replication with circular logging. (The “with” is not technically part of the name; it just helps with the ease of explanation.) Continuous replication circular logging is run by the Exchange Server replication servers. Effectively, it runs by not creating an additional file, but it writes on top of the old file. This has some upsides, because it keeps logging to a minimum, but it doesn’t allow you to keep as much data, because the logs are constantly overwritten. Most administrators either use this to save space or use it when they need to do a giant operation on a server, such as moving mailboxes or migrating from one server to another. This way, they don’t have to worry about mailbox logs growing and causing replication nightmares.

Backing Up Exchange Server Completely

Just like nearly every other aspect of SBS 2008, Exchange Server can be backed up with the SBS console both with the traditional backup method and in a special manner in addition to the standard system backup. Note, however, that only one backup of Exchange Server is needed. Since SBS 2008 has simplified the process of backing up Windows so much, thankfully you don’t have to worry about the mess that the full-blown versions of Exchange Server 2007 have to deal with. That is, in the full version, Exchange Server 2007 is not incorporated with Windows Backup. In the old days, you could use NTBACKUP to copy your system store and go on with your merry life, content that your backup would both be reliable and work. Now, life isn’t quite as easy on the high end. You actually have to use a third-party tool.

The SBS console standard system, however, will back up Exchange Server data in a full system backup. But because Exchange Server data is so important, you might want to consider backing it up with the additional method provided solely for Exchange Server by the console. The method using the console is as follows:

1. Open the Windows SBS Console.

2. Click the Backup And Server Storage tab on the navigation bar, and then click the Server Storage tab.

3. Click the Server Storage tab, and then click Move Exchange Server Data.

4. Click Next at the intro screen.

5. If you haven’t configured Backup, it will present you with a message prompting you to do so. Either way, do one of the following:

◆ If you do not want to configure Backup, click OK.

◆ If you want to configure Backup and back up the data before continuing, click Cancel. Then configure Backup with the method discussed in Chapter 8, “Backing Up and Performing Disaster Recovery.”

6. On the Choose A New Location For The Data page, click the drive or partition where you want to move, and then click Move.

7. When the move finishes, click Close. The Exchange Server data is now backed up.

Restoring Exchange Server from Full Backup

The restoration process from an Exchange Server backup is so easy, I almost don’t want to discuss it. But for the sake of thoroughness, if you lose your Exchange Server data, you can easily recover your backup by navigating to the Backup And Server Storage menu from the SBS console and then selecting Restore Server Data From A Backup in the Tasks pane. Once you click that, you’ll be presented with all the backups you’ve made server-wide. You can select the one that recovers the Exchange Server data you’d like to see.

Creating a “Recovery” for Backup

One of the features available with Exchange Server 2007 is to use an Exchange restore to provide a “syncable” backup that you can use to manage a feature called a recovery storage group, which is discussed in the next section. This backup is an exact copy of your Exchange Server data, located in another place on your system — preferably on another drive, but that’s not required.

To create a storage backup, select Start > Administrative Tools > Windows Server Backup, and click Recover. This will start the Recovery Wizard.

On the first screen, choose your server, and click Next. You’ll then want to choose the backup date to recover from on the next screen, similar to what you did in Chapter 8. Click Next again, and then do the important part: choose Applications as the type of recovery, since Exchange Server 2007 is an application. This tells Windows Backup, in effect, that the type of backup you’re doing is a file-only backup and that it shouldn’t try to restore any Windows features on the files it’s recovering.

At the next screen, shown in Figure 11.1, you’ll get to choose the type of application. ChooseExchange.

Figure 11.1

Exchange recovery

After that, you can click Next and proceed to the next screen. Here, you will choose to recover to a different location that you can use to separate your “real” Exchange Server from your recovery database. A \restore definition does nicely. After you click Next, the wizard will complete, and you can move on.

Creating a Recovery Storage Group

In Exchange Server 2003, Microsoft created a simple way for administrators to recover lost emails or mailboxes from a database, without the need to restore from a complete backup or, really, from any form of formal backup media whatsoever — at least as far as the traditional definition of backup media is concerned. Instead, you can just restore from a backup storage group.

To create a recovery storage group, you can use the Exchange Toolbox. First, open the Exchange Management Console, and select the Toolbox. Select the Database Recovery Management toolbox, shown in Figure 11.2. This will open the tool set that will allow you to use Exchange Server’s backup methods.

Figure 11.2: Database recovery management

At the welcome screen, you’ll need to enter your Exchange Server name, your domain controller name (which should autofill), and a label to associate with the action that you’re doing. I recommend just labeling it recovery storage group. Once you’ve labeled it and entered the right information, you can click Next.

Click Create A Recovery Storage Group, as shown in Figure 11.3. This will open the storage group options.

Figure 11.3: Creating a recovery storage group

At the next screen, shown in Figure 11.4, you’ll be able to select the storage group that you’d like to associate with your recovery storage group. This group will then ultimately be merged with the recovery group you’re making, so be sure to pick the one with your user accounts and not a backup group of some sort.

Figure 11.4: Storage group selection

At the next screen, you’ll be able to set your log, system, and database folders location. (These are left to the default values in Figure 11.5.) The first, or the “original,” storage group should be left to the default, and the recovery storage group should be located wherever you’ve created your backup. This lets you place the files in different locations, making the process smoother when they ultimately merge.

Figure 11.5: File locations

If everything went OK, you’ll see a summary screen with results similar to Figure 11.6. This means that your group is set up and working.

Figure 11.6: Results screen

Mounting the Recovered Database for Merging

At this point, you want to take the database that you created through your system restore and mount it to your Exchange Server systems so it can be used. This lets Exchange Server use this database to create an incredibly efficient merged database that allows for failover in the case of lost messages.

Assuming you followed the previous steps, you can click the Go Back To The Task Center button and then click Mount Or Dismount Databases In The Recovery Storage Group. If you exited, you can access it again by accessing the Database Recovery Management toolbox and then filling in your server/label information.

Using either method, once you’re at the main action screen, you can click the button you see in Figure 11.7.

Figure 11.7: Mounting or dismounting databases in the recovery storage group

This will open the Mount Or Dismount Database page. Here, select the mailbox database you created, and click the Mount Selected Database option, as shown in Figure 11.8.

Figure 11.8: Mounting the database

Recovering Corrupted Databases

Exchange databases, like almost all databases, can become corrupted. This is especially true if they are merged, because the Exchange databases are consistently swapping back and forth between Exchange Server storage groups. The end result of this swapping can be an inconsistent database.

Furthermore, this can happen when you try to mount a database for the purpose of merging. If it does happen, you can go back to the task center and click Repair Database. The GUI is fairly simple to use, and it does a really good job of repairing a database. You can also use eseutil.exe to help recover the database.

Merging the Mailboxes

Finally, now that you’ve created the restore, mounted the database, and recovered it if it’s corrupted, you can merge all the mailboxes that you’re trying to back up!

You can merge mailboxes in the Exchange Server console by going to the task center and clicking the Merge Or Copy Mailbox Contents button shown in Figure 11.9.

Figure 11.9: Merge or Copy Mailbox Contents button

On the next screen, select Gather Merge Information. This will start a look through your recovery storage group and your first storage group. Then, you can click the Perform Pre-merge Tasks button. To you as a user, the process will almost seem like a “next, next, next” sequence. Eventually, you’ll need to select the mailboxes you would like to merge. Most administrators just choose all their mailboxes and continue.

And at that point, you’re done! The last thing you have to do is to dismount the recovery storage group. You can do that in the tasks pane by clicking Remove The Recovery Storage Group.
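The wizard steps above (create the recovery storage group, point it at the restored files, check the database, mount, merge, remove) can also be run from the Exchange Management Shell. The script below is an added example, not from the book; the server name, the D:\restore path, the .edb file name and the production storage group name are assumptions to replace with your own values, and it assumes eseutil.exe is on the PATH.

```powershell
# Added example: Exchange Management Shell (Exchange Server 2007) version of the
# recovery storage group (RSG) procedure. Every name and path is an assumption.
$server  = 'SBS01'                     # assumed Exchange server name
$rsgName = 'Recovery Storage Group'    # label for the RSG
$prodSg  = 'First Storage Group'       # assumed production storage group
$dbName  = 'Mailbox Database'          # production database being recovered
$restore = 'D:\restore'                # alternate location chosen in the Recovery Wizard
$edbPath = Join-Path $restore "$dbName.edb"   # assumed name of the restored file

if (-not (Test-Path $edbPath)) {
    throw "Restored database file not found: $edbPath"
}

# 1. Create the RSG; its log and system folders live with the restored files,
#    away from the production storage group.
New-StorageGroup -Server $server -Name $rsgName -Recovery `
    -LogFolderPath $restore -SystemFolderPath $restore

# 2. Add a recovery database that maps to the production database and
#    points at the restored .edb file.
New-MailboxDatabase -MailboxDatabaseToRecover $dbName `
    -StorageGroup "$server\$rsgName" -EdbFilePath $edbPath
$rsgDb = "$server\$rsgName\$dbName"

# 3. Read the database header before mounting. A database left in
#    "Dirty Shutdown" state will not mount until it is recovered.
$header = & eseutil /mh $edbPath
if ($header -match 'State:\s+Dirty Shutdown') {
    throw 'Database is in Dirty Shutdown state. Replay its logs (eseutil /r) or use Repair Database before mounting.'
}

# 4. Allow the database files to be overwritten by a restore, then mount.
Set-MailboxDatabase -Identity $rsgDb -AllowFileRestore $true
Mount-Database -Identity $rsgDb

# 5. List what the recovery database contains before merging anything.
Get-MailboxStatistics -Database $rsgDb |
    Select-Object DisplayName, ItemCount, LastLogonTime

# 6. Merge recovered content into every matching production mailbox.
#    To merge a single mailbox: Restore-Mailbox -Identity <alias> -RSGDatabase $rsgDb
Get-Mailbox -Database "$server\$prodSg\$dbName" |
    Restore-Mailbox -RSGDatabase $rsgDb

# 7. Tear down the RSG when the merge is finished. The restored files stay
#    on disk and must be deleted separately once they are no longer needed.
Dismount-Database      -Identity $rsgDb -Confirm:$false
Remove-MailboxDatabase -Identity $rsgDb -Confirm:$false
Remove-StorageGroup    -Identity "$server\$rsgName" -Confirm:$false
```

Restored database files hold full copies of users' mail, so keep the restore folder under the same NTFS permissions as the production database path until it is deleted.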

Troubleshooting Mailflow

The number-one IT concern for just about any business operating with more than five employees can be summarized in one word: mailflow. The process of mailflow is the sending and receiving of messages across Exchange Server and other mail servers throughout the Internet, intranet, and various connectors that are established through Exchange Server 2007.

As an IT technician or network administrator, you should be particularly concerned with mailflow issues because if there’s a problem with it, someone will most likely end up in front of your desk, complaining that their mail isn’t flowing. And that ultimately means your day is going to get a lot worse — very quickly.

To troubleshoot Exchange Server mailflow issues, you first need to understand how the mailflow system works in Exchange Server 2007 and what the stoppages you experience indicate in terms of where the problem may lie. Generally, mailflow issues come in two forms: Exchange Server mailflow problems and SMTP mailflow problems. More often than not these are related, but I’ll cover troubleshooting these as separate issues for the sake of clarity. First let’s talk about mailflow in general.

Overview of Mailflow

When Microsoft released Exchange Server 2007, it made a dramatic move by completely replacing the tried-and-true system that Exchange Server 2003 used to route messages with a new system designed to more easily divvy up the roles process in Exchange Server 2007. In effect, there is now a server role for all the major portions involved with Exchange Server 2007. However, what’s ironic is that a majority of mailflow problems occur with one portion of Exchange Server — the Hub Transport.

The Hub Transport, which is responsible for routing external and internal emails, runs on the Microsoft Exchange Transport service. You can find it in services.msc by typing services.msc in the Windows SBS Start menu. This will open the list of all Windows services. The Hub Transport is the service that’s going to handle most of the traffic, including inbound email, outbound email, and local email.

Inbound email: Inbound email is sent from outside the server (usually the Internet) to the Exchange Server through the hub transport. Eventually it is fed to the mail store, if it is allowed.

Outbound email: Outbound email is sent from the SBS server to an area outside of its local or recipient domains, usually to the Internet. For a message to be outbound, it cannot be destined for any local recipients or users behind the firewall.

Local email: Local mail flow refers to messages that are processed by a Hub Transport server in an Exchange Server 2007 organization and delivered to a mailbox on the same Active Directory site.

SMTP Connectors

SMTP connectors in Exchange Server 2007 are links between the Exchange Server and the Internet that are established in one-way communication lines. Two types of connectors can exist on your Exchange Server:

◆ SMTP receive connectors

◆ SMTP send connectors

An SMTP receive connector is required to receive email from another SMTP connection. Typically on Exchange Server 2007 there is only one SMTP receive connector; however, Exchange Server 2007 can accept multiple connections to a single server if an administrator wants the server to receive email from multiple connections. The SMTP connector is connected to both the Hub Transport and Edge Transport portions of the Exchange Server, because both need to receive email.

SMTP send connectors are designed to send outbound email from the Exchange Server across the Internet and are connected to the Hub Transport portion of the Exchange Server. Generally, there is only one SMTP outbound connection from the Exchange Server to the Internet. However, you can manage each of them using the Exchange Management Console or Exchange Management Shell.

Message Transportation

As messages are passed from the Exchange Server to the outside world, they go through a series of delivery mechanisms that are established through Exchange Server. These mechanisms are called messaging components. There are five messaging components involved with sending a message:

◆ Submission queue

◆ Store driver

◆ Microsoft Exchange Mail Submission Service

◆ Pickup directory

◆ Categorizer

Messages from outside your Exchange Server organization enter the transport pipeline through an SMTP receive connector. Messages inside enter the pipeline through the Hub Transport server role.

Submission Queue

Whenever a message needs to be delivered on an Exchange Server, it’s delivered to the submission queue. This queue is a list of messages needing to be processed by the Exchange Server, and it can sometimes get rather large. For example, some organizations will send mass emails to customers in the form of newsletters or email marketing advertisements. Each of these email addresses is a different message that has to be sent from the message queue. Thus, if you have about 100,000 customers (which is not all that many), you will probably send about 80,000 messages, all of which must be processed by the queue.

Store Driver

Whenever a user sends a message in Outlook, that message is placed initially into an outbox. This outbox is a temporary location that transfers the data from the outbox to (eventually) the submission queue. However, Exchange Server first places it in the outbox and uses the store driver to transfer the message from the outbox to the submission queue. This is because messages are first stored in MAPI format and then converted into Summary Transport Neutral Encapsulation Format (S/TNEF) before they’re placed into the queue; the store driver is the engine that makes this change.

Microsoft Exchange Mail Submission Service

The Microsoft Exchange Mail Submission Service runs on Exchange Server and lets the store driver know to activate and submit the message to the queue. Like many services, it runs on the Hub Transport service and is used to make sure that the messages are moved to the queue.

Pickup Directory

Once messages have been placed into the queue, they’re then ready to be delivered by the Hub Transport service. Messages are placed in the Pickup directory until they are processed by the Hub Transport service. This directory is designed to store messages until the Hub Transport service can process them.

Categorizer

The categorizer takes the first message received (the oldest message) from the Pickup directory and decides whether it needs to be routed internally and then passes it on. Additionally, the categorizer performs the following tasks:

◆ Identifying and verifying recipients

◆ Expanding distribution lists

◆ Determining routing paths

◆ Converting content formats

◆ Applying message policies

SMTP Errors

In cases where the server is either partially or fully running and there’s still an error involved with delivering the message, you can learn a great deal from the messages that Outlook or another mail client server provides through SMTP status codes. SMTP status codes are messages sent by an SMTP-capable server that convey information regarding errors that occur behind the scenes when an email is sent. Through these error codes, you can often troubleshoot the problems associated with email messages.

Table 11.2 presents a handy reference of Exchange Server error codes. I discuss some of the more commonly experienced errors, along with what can cause them, in the following sections.

Table 11.2: SMTP Error Codes

Code   What the Message Means
200    Nonstandard message format
250    Completed mail-sending operation
251    Forwarding to another server
450    Mailbox unavailable
451    Processing error
452    Insufficient storage
500    Unrecognized command
501    Syntax error
503    Unrecognized command sequence
510    Bad email address
511    Bad email address format
512    Domain not found
521    Domain refused mail message

SMTP Error 450: Requested Mail Action Not Taken: Mailbox Unavailable

In no particular order, I’m starting with this error because it’s the error I think I’ve seen more than any other in small businesses. And that’s because there are a lot of reasons that this error could display in an email client:

The mailbox is busy: Sometimes the Exchange store is occupied or overburdened and can’t write to the mailbox. If this happens, this error can appear. You can fix it by seeing why the mailbox is busy. Perhaps there are a ton of messages waiting to be processed, or maybe the user has synced a lot of messages recently.

The mailbox is disabled/not allowed/does not exist: Technically, this “shouldn’t” happen, but experience has taught me that it does. Sometimes disabled user accounts in Active Directory can cause this very strange, and highly annoying, problem. If this issue comes up and the mailbox isn’t overburdened, check to see whether that mailbox either is disabled, is not allowed to receive email, or does not exist; then try to resolve the problem.

SMTP Error 553: Requested Action Not Taken: Mailbox Name Not Allowed

SMTP error 553 is an unusual error that can take many forms. Namely, error 553 can happen on the mailbox, domain, or even server level. For example, error 553 may show up as this:

Error 553: Sorry, that domain is not in my list of allowed rcpthosts

This specific error shows either that your host is not on the allowed list of email senders to that domain or that your host IP is on a DNS blacklist. Obviously, this error is something that could be solved only by the server that hosts this blacklist/restriction method. But that’s not the only form that this error can come in.

Whenever you receive a 553 error, you need to look at the error itself and find out why the mailbox is not allowing mail to be sent to it. Nine times out of ten, it’s a rule like the domain not being allowed or the host origin IP not being allowed, but it is greatly dependent upon the way you have Exchange Server set up in your organization.

Error 452: Requested Action Not Taken: Insufficient System Storage

This error is pretty obvious, but it can happen a lot. If your mail system becomes too full and the mail server doesn’t have any space to save an email, well, it won’t! If this happens, try freeing disk space or see whether there is a data quota set somewhere in your server. But whatever you do, do it right away. It’d be a little embarrassing for a company you do business with to hear that you simply “don’t have room” for their important emails.

Error 512: The Host Server for the Recipient’s Domain Name Cannot Be Found (DNS Error)

If you see this error, it means that somewhere along the way of sending your email, an email server checked its DNS records for the corresponding IP address to the domain it was sending email to and didn’t find one. It usually means there is a DNS issue on either the other email server or your server. For example, Suzy at the email address [email protected] tries to send an email to [email protected]. As she sends it out, it is rejected because Suzy’s mycorp DNS server and the associated DNS servers can’t find the intellicorp.com mail server IP address.
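When the codes above turn up in a non-delivery report or a transport log, the first digit already tells you how the sending server will behave: 4xx replies are temporary and the sender keeps retrying, while 5xx replies are permanent and the sender gets a bounce. The function below is an added example, not from the book, that goes one step beyond Table 11.2 by making that split explicit; it parses SMTP reply lines, including multiline replies and optional enhanced status codes, and attaches the table's meaning and the checks suggested in the sections above. The sample lines are constructed, and the script assumes PowerShell 3.0 or later on an admin workstation.

```powershell
# Added example. Meanings are copied from Table 11.2; 553 comes from its section heading.
$SmtpMeaning = @{
    200 = 'Nonstandard message format';  250 = 'Completed mail-sending operation'
    251 = 'Forwarding to another server'; 450 = 'Mailbox unavailable'
    451 = 'Processing error';            452 = 'Insufficient storage'
    500 = 'Unrecognized command';        501 = 'Syntax error'
    503 = 'Unrecognized command sequence'; 510 = 'Bad email address'
    511 = 'Bad email address format';    512 = 'Domain not found'
    521 = 'Domain refused mail message'; 553 = 'Mailbox name not allowed'
}

# First checks, taken from the troubleshooting sections above.
$SmtpCheck = @{
    450 = 'Is the mailbox busy, disabled, not allowed to receive mail, or missing?'
    452 = 'Free disk space on the mail server; look for a data quota'
    512 = 'Check DNS resolution on both mail servers'
    553 = 'Check allowed-sender/domain rules and DNS blacklists'
}

function ConvertFrom-SmtpReply {
    param([Parameter(Mandatory = $true)][string[]]$Line)

    # 3-digit code, separator ('-' = more lines follow, ' ' = last line),
    # optional enhanced status code (class.subject.detail), then free text.
    $pattern = '^(?<code>[2-5]\d\d)(?<sep>[ -])(?:(?<esc>[245]\.\d{1,3}\.\d{1,3}) )?(?<text>.*)$'
    $text = @()

    foreach ($l in $Line) {
        if ($l -match $pattern) {
            $codeText = $Matches['code']
            $sep      = $Matches['sep']
            $esc      = $Matches['esc']      # $null when the server sent no enhanced code
            $text    += $Matches['text']

            if ($sep -eq '-') { continue }   # multiline reply: wait for the final line

            $class = switch ($codeText.Substring(0, 1)) {
                '2' { 'Success' }
                '3' { 'Intermediate' }
                '4' { 'Transient failure: sender retries' }
                '5' { 'Permanent failure: sender gets a bounce' }
            }

            $code    = [int]$codeText
            $meaning = $SmtpMeaning[$code]
            if (-not $meaning) { $meaning = '(not in Table 11.2)' }

            [pscustomobject]@{
                Code     = $code
                Enhanced = $esc
                Class    = $class
                Meaning  = $meaning
                Check    = $SmtpCheck[$code]
                Text     = ($text -join ' ')
            }
            $text = @()                      # start collecting the next reply
        }
    }
}

# Constructed sample replies (not captured from a real server).
$sample = @(
    '250-sbs01.example.local Hello',
    '250 OK',
    '450 4.2.0 Mailbox unavailable, try again later',
    '452 4.3.1 Insufficient system resources',
    '512 Host server for the recipient domain not found',
    '553 Sorry, that domain is not in my list of allowed rcpthosts'
)

ConvertFrom-SmtpReply -Line $sample |
    Format-Table Code, Enhanced, Class, Meaning, Check -AutoSize
```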

The Bottom Line

Set up Exchange Server clients: You need to learn how to set up Exchange Server clients in order to properly administer your SBS 2008 server. You can do this by creating mailbox and user accounts.

Master It: Use the Exchange Management Console to add a mailbox user and an account in Active Directory for John Smalls.

Diagnose mailflow issues: Diagnosing a mailflow issue is a major component of becoming an administrator with Exchange Server. Through this, business owners can count on you being able to fix any issue at any time that may arise.

Master It: A mail server has stopped mailflow, and the hard drive shows zero space. What should you do?

Back up Exchange Server 2007: You need to be able to restore Exchange Server 2007 at a whim, regardless of what may occur in your organization. Otherwise, disaster could strike at any time, and you would be without any way to compensate for it.

Master It: Create an Exchange Server recovery group to restore from.

Chapter 12

Introducing SQL Server

If you purchased the Premium edition of Small Business Server, you also got a copy of Microsoft’s flagship database management product called SQL Server. If you aren’t familiar with SQL Server, it is an industrial-strength platform for storing, manipulating, and retrieving data. If you are familiar with SQL Server, then you probably already know how powerful it is. But just because it’s powerful, don’t let it intimidate you. SQL Server comes with a very robust user interface called SQL Server Management Studio (SSMS) that does an excellent job of simplifying the tasks of creating and managing databases. In this chapter, I’ll review how SQL Server fits into the SBS environment, how to install it, and then how to use and administer it.

In this chapter, you will learn to

◆ Install and configure SQL Server

◆ Use SQL Server

◆ Administer SQL Server

What Is SQL Server?

As mentioned in the introduction to this chapter, SQL Server is a database management application (or platform) that is used to store and manipulate data. For example, suppose you need to track your customers and their orders for the products that your company creates and sells. You previously may have been using some type of paper-based system or maybe you have already gone electronic and use some combination of programs such as Microsoft Word or Excel, but you now realize you need to store all that customer data in a centralized location that is readily available and easy to maintain. Using SQL Server, you can create what is known as a relational database (which is basically a set of interrelated tables), define the data that is to be contained in those tables, and then populate those tables with your data.

Once you have the tables in your database populated with data, you can then read, update, slice, dice, and process that data in any way you see fit. You can create a Windows application for managing the data, create a web application for viewing reports based on the data, or even pull the data directly into an Excel spreadsheet or some other data-aware application. The point is that once you have your data centralized and organized into a SQL Server database, you can pretty much do anything you want with it.

However, SQL Server isn’t just a bucket for storing data; it comes with a slew of tools and features that allow you to define the data, restrict who has access to the data, manage the users who are using the data, integrate the data with external applications, back up the data . . . the list goes on and on. I’ll cover many of those tools and features in this chapter and provide you with some pointers for learning about many of the other areas.

In addition to SQL Server, Microsoft sells a few other database products such as Access (part of the Office suite of applications) and Visual FoxPro, and it can get confusing as to which one you should use and when. If you need a simple database application that will be used by only one or a handful of users, then either Access or Visual FoxPro will work just fine. However, if you think that your database will need to grow to support many different users, then SQL Server is definitely your best choice: although it’s easy enough to use to create smaller databases, it has the power and robustness to handle any amount of data and users you may require.

SQL Server Editions

Like many other Microsoft products, SQL Server comes in a variety of flavors, or editions. The edition that comes with the Premium version of SBS is called Microsoft SQL Server Standard Edition for Small Business, and it is basically the Standard edition of SQL Server with a few extra licensing restrictions, but more on that later. For now, I’ll review the core SQL Server editions and the requirements and limitations of each.

SQL Server Compact

This edition of SQL Server comes at my favorite price — free! However, this edition is actually not built on the same code base as SQL Server. Instead, it is a greatly simplified, file-based, embedded database targeted for single-user use. It is useful on handheld devices that do not need multiuser access, and it can also be used on desktops and in websites for very small and compact databases.

SQL Server Express

This edition of SQL Server is also free but is built on the same code base as the rest of the SQL Server editions, and it is therefore fully compatible with those editions. Let me say that again — this free version of SQL Server is fully compatible with the other SQL Server versions, including the small-business version that you got with SBS Premium. I’ve provided an example of why this is important in the “Building Databases with SQL Server Express” case study later in this chapter.

Although SQL Server Express is fully compatible with other versions of SQL Server, it does come with some limitations on the features that it exposes, the hardware that it supports, and the sizes of databases that it can handle.

In terms of features, SQL Server Express contains the database engine, SSMS, full-text searching, and a limited set of reporting services. It does not contain some of the more upscale features such as full replication, database mail, data warehousing, and integration services. Don’t worry if you aren’t sure what all of that means; I’ll go over these and other features later in the chapter.

In terms of hardware, SQL Server Express can use only one CPU, it can use only 1GB of memory, and the database size cannot exceed 4GB.

To download and try SQL Server Express for yourself, visit the SQL Server Express page on the Microsoft website at www.microsoft.com/express/sql/default.aspx. Note that if you do decide to try SQL Server Express, make sure that at the very least you get the one with the runtime and management tools. This will ensure that you get the SSMS application that is used to create and manage databases.

SQL Server Standard

This edition of SQL Server is a big step up from the Express version and is in fact the very version that you get with SBS Premium. In this version, you get the ability to do full replication, send database emails, create data warehouses, and use data integration services, among other really cool features.

In terms of hardware, SQL Server Standard can use up to four CPUs, with no limit on the amount of memory and no limit on the size of databases.

Although the version of SQL Server that you get with SBS is the Standard version, there are some special licensing requirements for using it within a SBS environment. I’ll cover these special licensing requirements in the section “Installing and Configuring SQL Server” later in the chapter.

SQL Server Enterprise

This edition of SQL Server is the top-of-the-line version with all the bells and whistles. In addition to all the features that you get with the lesser versions, you also get advanced features such as mirrored backups, database snapshots, and data mining.

In terms of hardware, SQL Server Enterprise is supported on machines with no limit on the number of CPUs, no limit on the amount of memory, and no limit on the size of databases.

In addition to the versions of SQL Server discussed earlier, there are also specialized versions of SQL Server targeted to small businesses and developers. These versions include Workgroup, Web, and Developer. The differences between these versions are basically their licensing restrictions in terms of where they can be installed and the features and types of hardware configurations that they support.

For more information about the various editions of SQL Server, you can visit the SQL Server editions page on the Microsoft website at www.microsoft.com/sqlserver/2008/en/us/editions.aspx.

Building Databases with SQL Server Express

I once had a client who needed a pretty simple inventory-tracking database, but she expected it to grow exponentially over time and was worried about making sure that she bought the right database product to do the job. In addition, like many small businesses, she was strapped for cash and didn’t really want to spend thousands or even hundreds of dollars on something that didn’t fit her needs.

Enter SQL Server Express.

Because SQL Server Express is simply a stripped-down version of SQL Server Standard and Enterprise, I was able to build and deploy her database with that. Then, once she was convinced that it would do the job and when she had the money to do so, she bought a license for SQL Server Standard, and I moved the database over to that edition of SQL Server in a matter of minutes; no harm, no foul. The 4GB limit imposed by SQL Server Express was removed, and she now had a robust database for storing all her data that would serve her well for many years to come.

So, the moral of this story is that even though you have a license to use SQL Server Standard within your SBS environment, you can still install and use SQL Server Express on other machines in your environment to create databases. Then, when you’re ready to go “live” with the databases and make them available for your entire organization to use, move them to the Standard version. I’ll show you how to move databases between servers in the “Moving SQL Server Databases” section.

SQL Server Features

There is no doubt about it, SQL Server is a very robust and complex product, and there is simply no way to cover everything that it is capable of doing in a single chapter. However, I do want to give you an overview of some of its key features, and that is what this section is all about.

Database management: The key feature of SQL Server is its ability to create and manage databases. This is done through what is known as the database engine (or runtime) in conjunction with SQL Server Management Studio, which is the graphical user interface for SQL Server. With the database management features of SQL Server, you can create not only databases but also the database objects that they contain, including tables, triggers, stored procedures, and views.

User management: In addition to database management, SQL Server also provides the ability to control the access that users have to the databases that it manages. This control is managed through the use of user accounts and roles and can be managed at the server, database, and database object levels.

Database administration: Although the line between database management and database administration can get a bit blurry, SQL Server supports many different database administration tasks such as backing up and restoring databases, doing database maintenance, and customizing many different options for server and database configurations.

Scheduled jobs: Scheduled jobs in SQL Server allow you to set up a series of tasks to be completed automatically by SQL Server on a scheduled basis. For example, you can use scheduled jobs to perform routine database maintenance, run scripts, execute integration services packages, or send alerts when specified actions occur.

Database mail: Database mail is a SQL Server feature that allows you to configure SQL Server to generate and send emails. This can be useful for alerting you or your users to problems occurring in the database or to notify users when there have been changes within the data in the database.

For example, suppose that you run a fairly open database environment and allow some users to create database objects directly such as tables. However, you want to be notified of any such change when it occurs. Using database mail and another SQL Server feature called alerts, you can set up SQL Server so that when a database object change is made in your database, you will be automatically notified of that change via email, generated directly from SQL Server.

Replication: Replication is a feature of SQL Server that gives you the ability to copy and synchronize data between databases. This can be useful for scenarios involving data that is spread across physical locations — for example, a server in one city that needs to be synchronized with a server in a different city.

Suppose you have two sales offices, one in Atlanta for the East Coast and one in Seattle for the West Coast, and you need them both to work from the same set of customer-tracking data. However, you want the database centralized in one location. Using replication, you could set up the database located in Atlanta as the primary database (known as the publisher) and the one in Seattle as the secondary database (known as the subscriber). Once you’ve set up the replication, the Atlanta site would act as the central data repository for all sites, and the data between all sites would stay in sync.

Reporting Services SQL Server Reporting Services (SSRS) is a relatively new feature of SQL Server that gives you the ability to create, distribute, manage, and use reports. Reports built using SSRS can be viewed through a Windows application, website, or SharePoint site.

Integration Services SQL Server Integration Services (SSIS) is an updated version of Data Transformation Services (DTS) that was available in older versions of SQL Server. Using SSIS, you can retrieve, transform, and load data from a wide range of sources.

Analysis Services SQL Server Analysis Services (SSAS) allows you to create and mine data from online analytical processing (OLAP) databases. OLAP databases contain data that is organized in a multidimensional (or "cube") structure, which provides many different ways of analyzing data.

Full-Text Search SQL Server Full-Text Search is a feature of SQL Server that can be used to find character-based data in a database using techniques that are more robust than standard SQL language keywords. Using Full-Text Search, you can find words or phrases contained in a text-based column of data within a table.

This list of features of course only scratches the surface in terms of all that SQL Server can do, but I do hope that it at least gives you an idea of some of the things that SQL Server is capable of doing.
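The change-notification scenario described above under database mail and alerts can be built as a SQL Server Agent alert on a WMI event, shown here as an added example that is not from the book. It assumes a default instance, SQL Server Agent running with its alert system pointed at a Database Mail profile, and Service Broker enabled in msdb; the operator name, email address, alert name, and the database name Customers are placeholders.

```sql
-- Added example (not from the book): email an operator whenever a
-- database-level object (table, view, procedure, ...) is created,
-- altered, or dropped in one database.
-- Assumptions: default instance (MSSQLSERVER), SQL Server Agent running and
-- configured to send mail through Database Mail, Service Broker enabled in msdb.
USE msdb;
GO

DECLARE @operator  sysname;
DECLARE @email     nvarchar(100);
DECLARE @alert     sysname;
DECLARE @database  sysname;
DECLARE @wmi_query nvarchar(512);

SET @operator = N'DBA Team';                   -- placeholder operator name
SET @email    = N'dba@example.com';            -- placeholder address
SET @alert    = N'Customers DDL change';       -- placeholder alert name
SET @database = N'Customers';                  -- database to watch

-- WQL query against the WMI Provider for Server Events.
SET @wmi_query = N'SELECT * FROM DDL_DATABASE_LEVEL_EVENTS WHERE DatabaseName = '''
               + @database + N'''';

-- 1. The operator is the person or mailbox that receives the notification.
IF NOT EXISTS (SELECT 1 FROM dbo.sysoperators WHERE name = @operator)
    EXEC dbo.sp_add_operator
         @name          = @operator,
         @enabled       = 1,
         @email_address = @email;

-- 2. The alert fires when the WMI query returns an event.
IF NOT EXISTS (SELECT 1 FROM dbo.sysalerts WHERE name = @alert)
    EXEC dbo.sp_add_alert
         @name                         = @alert,
         @enabled                      = 1,
         @delay_between_responses      = 60,  -- seconds to wait between responses
         @include_event_description_in = 1,   -- 1 = put the event text in the email
         @wmi_namespace = N'\\.\root\Microsoft\SqlServer\ServerEvents\MSSQLSERVER',
         @wmi_query     = @wmi_query;

-- 3. The notification ties the alert to the operator.
IF NOT EXISTS (SELECT 1
               FROM dbo.sysnotifications AS n
               JOIN dbo.sysalerts    AS a ON a.id = n.alert_id
               JOIN dbo.sysoperators AS o ON o.id = n.operator_id
               WHERE a.name = @alert AND o.name = @operator)
    EXEC dbo.sp_add_notification
         @alert_name          = @alert,
         @operator_name       = @operator,
         @notification_method = 1;            -- 1 = email

-- Read the configuration back; occurrence_count rises each time the alert fires.
SELECT a.name AS alert_name,
       a.enabled,
       a.occurrence_count,
       a.last_occurrence_date,
       o.name AS operator_name,
       o.email_address
FROM dbo.sysalerts AS a
JOIN dbo.sysnotifications AS n ON n.alert_id = a.id
JOIN dbo.sysoperators     AS o ON o.id = n.operator_id
WHERE a.name = @alert;
GO
```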

There is one very important aspect of SQL Server that I want to mention, although it is debatable if it can be considered a feature, and that is the SQL Server help system known as SQL Server Books Online. No matter whether you love help systems or hate them, SQL Server Books Online is a comprehensive and important resource that you would be well served to become familiar with. With this resource you can find pretty much anything and everything that you might need to know about SQL Server and how to use it. You can install SQL Server Books Online when you install SQL Server, but it is also (surprisingly enough considering its name) available online at the Microsoft website at http://msdn.microsoft.com/en-us/library/ms130214.aspx.

For the remainder of this chapter, I will focus on the features included with the Standard version of SQL Server because that is the version that comes with SBS Premium. Note, however, that much of what I will cover applies also to the Express and Enterprise versions.

How Does SQL Server Fit in with Small Business Server?

Now that you know what SQL Server is, what its different versions are, and some of the features that it contains, it will be useful to discuss how it fits in with an SBS environment and your business in general.

As with any business, small businesses need to store useful information, keep it organized, and make it readily available. In addition, they need to be able to keep that data secure and accessible for many different users, whether it is Amy in accounting, John in sales, or Steve the company owner who needs to know how his business is performing.


A common problem that all businesses face is how to take the many different types of information that they have and transform them into a centralized format. This is exactly what SQL Server was designed to do. With SQL Server and the many tools and features that it provides, you can organize your data into a centralized database, thereby providing a common repository for the many different forms of data that your company uses.

But what about SBS specifically? How does SQL Server fit within an SBS environment? You may be surprised to learn that when you built an SBS server, you installed a few versions of SQL Server by default. SBS uses SQL Server Express Edition for SBS monitoring, and Windows Update and Windows SharePoint Services use SQL Server Compact Edition.

Even though SBS itself makes use of SQL Server, you’ll still want to take advantage of the Standard version of SQL Server that you got with your SBS Premium purchase. By putting in place your own SQL Server, you’ll be able to create and use databases specific to your organization and do so in a manner that is separate from the primary Small Business Server that is used to manage other aspects of your environment.

So, that’s it for the conceptual overview of SQL Server, what it is, and what you can use it for. Now let’s get down to business so you can get your hands dirty with it. The first step is to get it up and running, and you’ll do that next.

Installing and Configuring SQL Server

Although installing SQL Server is a bit time-consuming, I think you’ll find it to be a fairly painless process, and I will walk through that process step-by-step in just a bit. However, before actually installing SQL Server, you should take the time to understand the licensing restrictions that come with SQL Server in an SBS environment.

Installation and Licensing Requirements

Although the version of SQL Server that you get with SBS Premium is essentially the Standard version, it comes with a few installation and licensing requirements:

◆ It can be installed only within an SBS network.

◆ You’ll need a client access license (CAL) for any user or device that accesses it.

◆ Although you can install SQL Server on the SBS domain controller, it is recommended that you install it on a separate server.

◆ You should not attempt to migrate the SQL Server databases used by SBS to your separate SQL Server installation. This is an unsupported scenario.

◆ You can move the Windows SharePoint Services content database to your separate SQL Server if you want or need. You can learn all about this at http://technet.microsoft.com/en-us/library/cc794697(WS.10).aspx#BKMK SharePoint.

◆ To install SQL Server, you need to be logged in as a domain administrator, with the server joined to the SBS domain.

That’s pretty much it for the installation and licensing requirements. If you want to get a more thorough overview of these requirements, you may do so online at http://technet.microsoft.com/en-us/library/cc794697(WS.10).aspx.


Installing SQL Server

Before you get started installing SQL Server, I’ll cover a few ground rules and decisions that you need to make. The first thing that you’ll need to decide is whether you want to install SQL Server as a default or named instance. SQL Server allows you to install multiple instances of the runtime engine so that you effectively have multiple SQL Servers running on one machine. For the purposes of this chapter, I will show how to install the default, single instance.

The second decision that you’ll need to make is the Windows accounts that you want SQL Server to run under. In general, it’s a good idea to create accounts specifically for SQL Server to use, but you can configure SQL Server to run under standard system accounts, which is what I’ll show how to do. Note, however, that in a production server environment, you should not run SQL Server using the standard system accounts but should instead configure your own specific accounts because it will provide you with a more secure environment.

Another decision to make is where you want to install SQL Server. Some organizations prefer to install SQL Server on a partition separate from the primary operating system partition. However, installing SQL Server on the primary partition will work just fine, so that is what I will show you how to do.

The final decision to make is which SQL Server features you want to install, but this decision is not as critical, because you can always go back and add features to an existing installation. In the following exercise, you’ll install a fairly minimal set of features.

You’re now ready to begin the installation of SQL Server, so grab your installation disc and proceed to Exercise 12.1.

Exercise 12.1: Installing SQL Server

In this exercise, you will install SQL Server as a default instance using a basic set of SQL Server features. To begin the process of installing SQL Server, make sure that you are logged into the server as a domain administrator. Then, perform the following steps:

1. Insert the SQL Server 2008 installation disc into the server’s CD or DVD drive.

2. When the AutoPlay feature activates, you should see a screen similar to the one shown here.


3. Click Run SETUP.EXE. After a few moments, the SQL Server Installation Center will appear as shown here.

4. On the SQL Server Installation Center screen, click the Installation link in the left-side list. This will cause the SQL Server Installation Center screen to change to a list of installation options, as shown here.

5. Since this is a new installation of SQL Server, click New SQL Server Stand-Alone Installation Or Add Features To An Existing Installation. This will start the Setup Support Rules process that checks your server for issues that may prevent you from successfully installing SQL Server. You can see the rules that were checked by clicking the Show Details button, as shown here.

6. Click OK to move on to the Product Key screen. If your product key has not already been prepopulated, select Enter The Product Key, and enter the product key that came with your SQL Server license. When done, click Next.

7. The next screen that you will see (not shown) is the License Terms screen. Read and accept the license terms, and click Next.


8. The next screen that you will see is the Setup Support Files screen. Click Install to install the files that are needed for the installation process. Once the setup files are installed, you’ll see the Setup Support Files screen again with a list of rules that were checked, similar to the screen shown here.

9. Click Next to continue to the Feature Selection screen. This is the screen that you use to select the SQL Server features that you want to install. At a minimum, you should select Database Engine Services, SQL Server Books Online, and Management Tools; then click Next.


10. You’ll next see the Instance Configuration screen, which is where you can specify the type of instance that you want to install, the name that you want to use for the instance, and the root directory that you want the instance installed in. Select Default Instance, and leave everything else set to the default values; then click Next.

11. The next screen is the Disk Space Requirements screen (not shown) that summarizes the disk space needed for the features that you selected to install. Assuming that you don’t have any issues with the required disk space, click Next.

12. On the Server Configuration screen that next appears, you can set the accounts that the SQL Server services will use to access system resources. Although it is recommended that you use different accounts for each service, for purposes of this exercise, use the NT AUTHORITY\SYSTEM account for the SQL Server Agent and SQL Server Database Engine services, and leave the defaults for everything else, as shown here; then click Next.


13. On the Database Engine Configuration screen that appears next, you can select the authentication mode that you want to use, the accounts that you want to have administrator access to SQL Server, and the data directories and filestream settings. For this exercise, click the Add Current User button to add the account that you are currently logged in as, and leave the default values for everything else, as shown here; then click Next.

14. The next screen that appears is the Error And Usage Reporting screen (not shown) that allows you to optionally send Microsoft information about your SQL Server usage. Make your selections, and then click Next.

15. On the Installation Rules screen that appears next, you’ll see a list of setup rules for the installation. Assuming that you have passed all the rules, click Next.


16. You’re almost there. On the Ready To Install screen that appears next, you’ll see a summary of all the installation choices that you have made up to this point. Click Install to start the installation of SQL Server, as shown here.

17. The installation will take a while to run, but once it is complete, you’ll see the Complete screen, which will indicate whether the installation was successful, as shown here. To finish the installation process, click Close, and then close the SQL Server Installation Center screen as well.


That’s it for installing SQL Server. Note that in this exercise, you took the path of least resistance and installed SQL Server using pretty much all of the default configurations, but your environment and business needs may require different configurations. For more detailed coverage of the different configurations that you can make when installing SQL Server, check out some of the SQL Server administration books offered by Sybex (such as Mastering SQL Server 2008) or SQL Server Books Online.

Now that you have completed the initial installation of SQL Server, it’s a good idea to make sure that you also install the most recent service pack that Microsoft has made available for SQL Server. You can do this in a few different ways. One is to run the SQL Server setup program again and then on the Installation page of the SQL Server Installation Center screen select Search for product updates. Another is to simply run the Windows Update utility that comes with Windows.

However, you may want to have more control over how SQL Server service packs are installed and do so manually. Exercise 12.2 will walk you through the process of installing a SQL Server service pack manually.

Exercise 12.2: Installing a SQL Server Service Pack

In this exercise, you will install the latest SQL Server service pack. To begin the process of installing the service pack, make sure you are logged into the server as a domain administrator, and then perform these steps:

1. Open your favorite web browser, and navigate to the SQL Server 2008 Downloads page, which at the time this chapter was written was at http://msdn.microsoft.com/en-us/sqlserver/bb671149.aspx. If that URL doesn’t work, go to the main Microsoft SQL Server page at http://www.microsoft.com/sql and look for a SQL Server Downloads link. Once you get to the service pack page, click the link to download the service pack to a directory of your choosing.

2. Open Windows Explorer, and navigate to the directory where you downloaded the service pack file to; then double-click the service pack file to begin the installation process.

3. As the service pack installation process begins, you’ll see a dialog box indicating that the service pack files are being extracted to a temporary directory. When the extraction completes, you’ll see the Welcome screen that looks similar to the Setup Rules screen that you saw during the SQL Server installation process, as outlined in Exercise 12.1.


4. Click Next to continue to the License Terms screen (not shown). As before, read and accept the license terms, and click Next.

5. You’ll next see the Select Features screen with the features automatically selected for you, as shown here. Click Next.


6. The next screen that appears is the Check Files In Use screen. This screen indicates any services that you may need to stop for the installation to proceed. If there are services listed in this screen, stop them, and then click Next.

7. On the Ready To Update screen that appears next, you’ll see a summary of the SQL Server features that will be updated with the service pack. Click Update to begin the installation of the service pack.

8. Once the install of the service pack is completed, you’ll see the Update Progress screen, which will indicate the success or failure of the installation; then click Next.

9. The final screen that you’ll see is the Complete screen (not shown). Click Close to end the installation of the service pack.

At this point, SQL Server should now be installed, up-to-date, and ready for use. In the next section, I’ll cover some of the core features of SQL Server and show you how to use them, and I’ll even give you a few tricks that you can use as you learn to create and use databases.

Using SQL Server

Now that you have SQL Server installed and ready to go, let’s jump right in and learn the environment that you’ll be using to work with it. As mentioned earlier, the primary user interface that you’ll use to work with SQL Server is called SQL Server Management Studio. But to get to SSMS, you first have to log into SQL Server, so let’s take a look at how to do that.

Logging into SQL Server

Logging into SQL Server is simply a matter of launching SSMS, selecting the SQL Server instance that you want to connect to, and entering a username and password with the authority to access it. Since you installed SQL Server earlier in the chapter using Windows authentication, SQL Server will automatically use the username and password associated with your Windows domain account when you choose Windows Authentication as the authentication type.

To launch SSMS, open the Windows Start menu, and then select All Programs > Microsoft SQL Server 2008 > SQL Server Management Studio. You’ll then see the Connect To Server screen, as shown in Figure 12.1.

Figure 12.1: SQL Server’s Connect To Server screen

The Server Type option should be Database Engine, the Server Name option should be the computer name of your server (you can alternatively use "(local)" or "."), and Authentication should be set to Windows Authentication. Click Connect to connect to your instance of SQL Server.

Using SQL Server Management Studio

Once you’ve successfully connected to your instance of SQL Server, you’ll see the SSMS environment as depicted in Figure 12.2. Like most Windows applications, SSMS has a menu bar across the top and a toolbar beneath it. The most important aspect of SSMS, and the one that you will spend the most time using, is the Object Explorer that is docked by default to the left of the SSMS screen and is shown expanded in Figure 12.2.

Using the Object Explorer, you can access all the database objects contained in SQL Server and perform many tasks associated with those objects. The tasks that you can perform on the database objects are listed in a context menu that you can reach by right-clicking an item in the Object Explorer. For example, if you right-click the server name, which is the first item listed in the Object Explorer, you’ll see the server context menu, as shown in Figure 12.3.

You can use the server context menu to perform tasks on the server such as connecting and disconnecting a server, starting and stopping the database engine service, generating server reports, and configuring the server. For example, if you select Properties from the server context menu, you’ll open the Server Properties window, as shown in Figure 12.4.

You can use the Server Properties window to configure and tweak SQL Server above and beyond what you did during the installation process. The main point is that the Object Explorer is the place to go to manage SQL Server and the many database objects that it contains, and you do so by right-clicking a node within the Object Explorer to access the tasks associated with the selected object.

Figure 12.2: SSMS Object Explorer

Figure 12.3: Server context menu

Figure 12.4: Server Properties

One last feature of SSMS that I will cover, and one that you will use as much if not more than the Object Explorer, is the Query window, as shown in Figure 12.5, which you can open by clicking the New Query button in the SSMS toolbar.

Figure 12.5: Query window

You can use the Query window to enter and execute Structured Query Language (SQL) statements against both the server and the databases that it manages. In Figure 12.5, you can see that I executed the following SQL statement:

SELECT @@VERSION;


This SQL statement simply returns information about the version of SQL Server that you are using. After typing the SQL statement into the Query window, I clicked the Execute button on the SSMS toolbar. Note that as an alternative to the Execute button, you can press the F5 key on your keyboard to execute a SQL statement in the Query window.
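Beyond @@VERSION, the choices made in Exercises 12.1 and 12.2 can be read back from the Query window, as in this added example that is not from the book: edition and service pack level, authentication mode, and who holds administrator access. It uses only built-in functions and catalog views and assumes you are connected as a member of the sysadmin role.

```sql
-- Added example (not from the book): review what setup configured.

-- 1. Build, edition, service pack level, and authentication mode.
SELECT
    CAST(SERVERPROPERTY('MachineName')    AS nvarchar(128)) AS machine_name,
    ISNULL(CAST(SERVERPROPERTY('InstanceName') AS nvarchar(128)),
           N'(default instance)')                           AS instance_name,
    CAST(SERVERPROPERTY('Edition')        AS nvarchar(128)) AS edition,
    CAST(SERVERPROPERTY('ProductVersion') AS nvarchar(128)) AS product_version,
    CAST(SERVERPROPERTY('ProductLevel')   AS nvarchar(128)) AS product_level,  -- RTM, SP1, ...
    CASE CAST(SERVERPROPERTY('IsIntegratedSecurityOnly') AS int)
         WHEN 1 THEN 'Windows Authentication only'
         ELSE        'Mixed mode (Windows and SQL Server logins)'
    END                                                     AS authentication_mode;

-- 2. Every login that holds the sysadmin server role. The account added with
--    Add Current User in step 13 should be listed here; review anything
--    else that appears.
SELECT m.name      AS login_name,
       m.type_desc AS login_type,
       m.is_disabled
FROM sys.server_role_members AS rm
JOIN sys.server_principals   AS r ON r.principal_id = rm.role_principal_id
JOIN sys.server_principals   AS m ON m.principal_id = rm.member_principal_id
WHERE r.name = N'sysadmin'
ORDER BY m.name;

-- 3. SQL Server logins (relevant if mixed mode is ever enabled): whether each
--    is disabled and whether Windows password policy and expiration apply.
SELECT name,
       is_disabled,
       is_policy_checked,
       is_expiration_checked
FROM sys.sql_logins
ORDER BY name;
```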

The subject of SQL statements is far too broad to cover in a single chapter, but there are a few key points that you should understand. First is that SQL is a standardized language, and most if not all database vendors follow it to some degree. In the case of SQL Server, the SQL implementation that is used is called Transact-SQL (T-SQL).

In addition, SQL statements can be broken into two general categories. One is Data Manipulation Language (DML) statements, which involve working with the actual data that a database contains. Examples of these types of statements include SELECT, INSERT, UPDATE, and DELETE. The second category of SQL statements is Data Definition Language (DDL) statements. These are used to work with database objects, such as tables. Examples are CREATE, ALTER, and DROP statements.

I will be using some of the DML SQL statements throughout the rest of the chapter, but to get more information about the types of SQL statements supported by SQL Server, see SQL Books Online.

Creating a Database

For SQL Server to be of any real use, you’ll need to create a database for it to manage. Fortunately, creating a database in SQL Server is easy. To create a new database, right-click the Databases item in the Object Explorer, and select New Database; this will open the New Database window, as shown in Figure 12.6.

Figure 12.6: New Database window


Using the New Database window, you can name your database, set its owner, set a wide range of options, and even specify which files the database should be created in. In Exercise 12.3, you’ll create a database named Customers that you’ll be using throughout the rest of this chapter.

Exercise 12.3: Creating a Database

In this exercise, you will create a SQL Server database using the default settings that SQL Server provides. To begin the process of creating the database, make sure that you’ve logged into SQL Server and the SSMS environment is open, and then perform the following steps:

1. Right-click the Databases item in the Object Explorer to open the Databases context menu.

2. In the Databases context menu, select New Database to open the New Database window (previously shown in Figure 12.6).

3. In the Database Name field of the New Database window, enter Customers, and then click OK.

Once you’ve created a database in SQL Server, the Object Explorer will list the database under the Databases item, as shown in Figure 12.7.

Figure 12.7: New database in the Object Explorer


If you expand the Customers database that you created in Exercise 12.3, you’ll see subitems for the database such as Database Diagrams, Tables, Views, and so on. As you may have already guessed, each of these database items comes with its own set of tasks that can be accessed from its context menu.

Creating Tables in a Database

The basic building block of any relational database is the table, because it is the table that contains the data that is useful to your users. Within SQL Server, you can create tables either using a graphical user interface called the Table Designer or using the CREATE TABLE SQL statement. In this section, I’ll show you how to create a table using the Table Designer.

Getting to the Table Designer is simple. While SSMS is open, expand the Databases item, and then expand the database that you want to create the table in. Next, right-click the Tables item to bring up the Tables context menu, and then select New Table. This will open the Table Designer, as shown in Figure 12.8.

Figure 12.8: Table Designer

Using the Table Designer, you can create the columns for your table, specify the types of data that the columns will contain, and set the column properties if needed. In addition, you can also use the Table Designer to set the table’s primary key, establish relationships between multiple tables, create indexes, and create additional constraints.

Fundamental to understanding how to create tables is the concept of a data type, which defines the type of data that will be contained in a column of the table.

SQL Server supports the following types of data:

◆ Numerics

◆ Date and time

◆ Character and Unicode character strings


◆ Binary strings

◆ Special data types

Table 12.1 describes some of the more common data types and what they can contain.

Table 12.1: Common Data Types

Data Type          Value Ranges
----------------   ------------------------------------------------------------
Int                −2,147,483,648 to 2,147,483,647
Decimal            −10^38 + 1 to 10^38 − 1
Money              −922,337,203,685,477.5808 to 922,337,203,685,477.5807
Char               From 0 to 8,000 characters
Varchar            From 0 to 8,000 characters
Varchar(max)       From 0 to 2 billion characters
Binary             From 0 to 8,000 bytes
Varbinary(max)     From 0 to 2 billion bytes
Date               0001-01-01 to 9999-12-31
Datetime           1753-01-01 to 9999-12-31
Timestamp          Used for automatic timestamp generation in a database
Uniqueidentifier   A globally unique identifier (GUID) that may be generated or manually created
XML                For storage of XML data up to 2GB in size

Finally, one aspect of table creation that I would be remiss if I didn’t cover is that of establishing what’s known as a primary key. A primary key for a table is the column or group of columns used to uniquely identify a row within a table, which is important to have because it will allow you to easily identify and work with a row of data. Creating a primary key for a table in SQL Server involves selecting the row or rows that you want to set as the primary key and then choosing to set them as the primary key using either the SSMS menu, the toolbar, or the column’s context menu. You’ll see how to do this in Exercise 12.4.

Exercise 12.4: Creating a Table

In this exercise, you will create a simple table using the Table Designer. To begin the process of creating the table, make sure that you’ve logged into SQL Server and the SSMS environment is open, and then perform the following steps:

1. Expand the Databases item in the Object Explorer.

2. Expand the database named Customers, which you created in Exercise 12.3.


3. Expand the Tables item in the Customers database.

4. Right-click the Tables item, and select New Table.

5. In the Table Design window, enter the column information shown here.

6. In the Table Designer window, click the CUSTID column, and then in the column properties for that column, change the (Is Identity) subproperty of the Identity Specification property to Yes. This sets the column as an identity column, which is basically a numerical column that has its value automatically incremented by SQL Server.

7. In the Table Designer window, right-click the CUSTID column definition, and select Set Primary Key.


8. Click the Close button in the upper-right area of the Table Designer window, which will open the Choose Name window that you can use to name your table.

9. Enter Customers for the table name, and then click OK to save the table.

Notice that if you now expand the Tables item in the Object Explorer, you will see your newly created table listed. If you need to make changes to an existing table, you can right-click the table name in the Object Explorer and select Design from the context menu.

Inserting Data into a Database

Once you have a table created, the next step is to get some data in it, and you can do that in a number of ways. One way is to open the table for editing directly in SSMS. You can do this by right-clicking the table in the Object Explorer and then selecting Edit Top 200 Rows. Once the table is open for editing, you can enter data directly in the table.

Another way to enter data into a table is by using the INSERT SQL statement, and I’ll show you how to do that in Exercise 12.5.

Exercise 12.5: Entering Data in a Table

In this exercise, you will enter data in a table using the INSERT SQL statement. To begin the process of entering data in a table, make sure that you’ve logged into SQL Server and the SSMS environment is open, and then perform the following steps:

1. Click the New Query button on the SSMS toolbar to open the Query window.

2. In the Query window, enter the following SQL statements:

USE Customers;
INSERT INTO Customers
VALUES ('Joe', 'A.', 'Smith', '123 Main Street', 'Atlanta', 'GA', '30075', '555-555-5555', '[email protected]');
INSERT INTO Customers
VALUES ('Susan', 'L.', 'Johnson', '456 Main Road', 'Charlotte', 'NC', '28173', '555-555-5555', '[email protected]');
INSERT INTO Customers
VALUES ('Bill', 'H.', 'Jones', '789 Main Avenue', 'Seattle', 'WA', '98205', '555-555-5555', '[email protected]');

3. Press F5 on your keyboard to execute the SQL statements.
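The Table Designer steps in Exercise 12.4 and the INSERT statements in Exercise 12.5 can also be written entirely in T-SQL, as in this added example that is not from the book. It uses a hypothetical table named CustomersDemo so the Customers table is left untouched; only CUSTID is named on the page, so the other column names, the data types, and the email addresses are assumptions.

```sql
-- Added example (not from the book). CustomersDemo is a hypothetical table;
-- every column name except CUSTID, and all data types, are assumed.
USE Customers;
GO

IF OBJECT_ID(N'dbo.CustomersDemo', N'U') IS NOT NULL
    DROP TABLE dbo.CustomersDemo;
GO

CREATE TABLE dbo.CustomersDemo
(
    CUSTID      int IDENTITY(1,1) NOT NULL,  -- (Is Identity) = Yes in the Table Designer
    FIRST_NAME  varchar(50)  NOT NULL,
    MIDDLE_INIT varchar(2)   NULL,
    LAST_NAME   varchar(50)  NOT NULL,
    STREET      varchar(100) NULL,
    CITY        varchar(50)  NULL,
    STATE_CODE  char(2)      NULL,
    POSTAL_CODE varchar(10)  NULL,
    PHONE       varchar(20)  NULL,
    EMAIL       varchar(254) NULL,
    CONSTRAINT PK_CustomersDemo PRIMARY KEY CLUSTERED (CUSTID)  -- Set Primary Key
);
GO

-- Naming the columns makes the statement independent of column order and
-- leaves CUSTID out explicitly, so SQL Server assigns it.
-- The email addresses are constructed sample values.
INSERT INTO dbo.CustomersDemo
    (FIRST_NAME, MIDDLE_INIT, LAST_NAME, STREET, CITY, STATE_CODE, POSTAL_CODE, PHONE, EMAIL)
VALUES
    ('Joe',   'A.', 'Smith',   '123 Main Street', 'Atlanta',   'GA', '30075', '555-555-5555', 'joe.smith@example.com'),
    ('Susan', 'L.', 'Johnson', '456 Main Road',   'Charlotte', 'NC', '28173', '555-555-5555', 'susan.johnson@example.com'),
    ('Bill',  'H.', 'Jones',   '789 Main Avenue', 'Seattle',   'WA', '98205', '555-555-5555', 'bill.jones@example.com');
GO

-- The identity values were generated by SQL Server: 1, 2, 3.
SELECT CUSTID, FIRST_NAME, LAST_NAME, CITY, STATE_CODE
FROM dbo.CustomersDemo
ORDER BY CUSTID;

-- Confirm from the catalog which column is the identity and which columns
-- make up the primary key.
SELECT c.name       AS column_name,
       t.name       AS data_type,
       c.max_length,
       c.is_nullable,
       c.is_identity,
       CASE WHEN ic.column_id IS NOT NULL THEN 1 ELSE 0 END AS in_primary_key
FROM sys.columns AS c
JOIN sys.types   AS t ON t.user_type_id = c.user_type_id
LEFT JOIN sys.indexes AS i
       ON i.object_id = c.object_id AND i.is_primary_key = 1
LEFT JOIN sys.index_columns AS ic
       ON ic.object_id = i.object_id
      AND ic.index_id  = i.index_id
      AND ic.column_id = c.column_id
WHERE c.object_id = OBJECT_ID(N'dbo.CustomersDemo')
ORDER BY c.column_id;
GO
```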

In addition to entering data directly into a table using either the SSMS edit table feature or a SQL statement, you can also import data into the table using the SSMS Import Wizard (available as a task on the database context menu) or SQL Server Integration Services.

In the next section, I’ll show a few different ways that you can view the data that you just entered into the Customers table.

Viewing Data in a Database

Now that you have some data populated in the Customers table, you’ll learn how to view that data, which you can do in a couple of ways within SSMS. A quick way to do this is to right-click the table in the Object Explorer and then, in the table’s context menu, choose Select Top 1000 Rows. This will open the Query window with a prebuilt SQL statement, with the results of executing that statement shown just below the SQL statement, as shown in Figure 12.9.

Figure 12.9: Viewing data in SSMS

Another approach would be to build and execute your own SQL statement, and you’ll do that in Exercise 12.6.


Exercise 12.6: Viewing Data in a Table

In this exercise, you will view data in a table using the SELECT SQL statement. To begin the process of viewing data in a table, make sure that you’ve logged into SQL Server and the SSMS environment is open, and then perform the following steps:

1. Click the New Query button on the SSMS toolbar to open the Query window.

2. In the Query window, enter the following SQL statements:

USE Customers;
SELECT * FROM Customers;

3. Press F5 on your keyboard to execute the SQL statements.

That ends the discussion of how to use SQL Server for creating and using databases. Someother aspects of SQL Server usage in terms of database creation that you may want to exploreinclude views, stored procedures, triggers, relationships, and indexes. These advanced con-cepts can be found in any good book on SQL programming or administration, but you canalso find resources on SQL programming through the MSDN library. You can find a huge listof free SQL programming books available online at: http://technet.microsoft.com/en-us/library/ms130214.aspx.

Administering SQL Server

Now that you have a basic understanding of how you can use SQL Server to create and use databases, you’ll learn a few of the things that you can do to administer both the server and the databases that you use the server to manage. In this part of the chapter, I’ll review some of the core aspects of SQL Server administration, starting with managing and configuring the SQL Server services.

Managing SQL Server Services

One aspect of SQL Server administration is managing and configuring SQL Server services, which are the SQL Server applications that run in the background on the server. In fact, the SQL Server database engine, which is the core program that is SQL Server, runs as a service called — you guessed it — the SQL Server Service. To do anything with SQL Server, the SQL Server Service must be started, and you can use a program called the SQL Server Configuration Manager to start and stop the SQL Server Service, along with all the other services that are part of SQL Server such as the SQL Server Agent and the SQL Server Browser.

The SQL Server Configuration Manager is a Microsoft Management Console (MMC) snap-in, and you can launch it from the All Programs menu by selecting Microsoft SQL Server 2008 > Configuration Tools > SQL Server Configuration Manager. If you select the SQL Server Services item along the left side of the SQL Server Configuration Manager interface, you’ll see the currently installed SQL Server services on the right, along with information about their states, as shown in Figure 12.10.

Figure 12.10

SQL Server Services in the SQL Server Configuration Manager

If you right-click any of the services listed, you can use the context menu that appears to start, stop, pause, or resume the service; and if you select Properties from the context menu, you can also change the system account that the service uses, change its start mode, or even change a few advanced properties of the service.

Note that in addition to the properties associated with the SQL Server services, you can also use the SQL Server Configuration Manager to enable, disable, and set the properties for the network protocols that SQL Server uses.

Backing Up a SQL Server Database

Another key aspect of SQL Server administration is the all-important task of backing up databases. Many things can go wrong with a database, from basic hardware failures to natural disasters to employee tampering. Whatever the case may be, you would be well advised to put in place a solid backup and recovery plan just in case the unforeseen happens. With a solid plan for backing up and restoring the databases that your organization or clients use, you will be able to quickly and easily get them up and running again with minimal, if any, data loss.

As with most things in SQL Server, database backups can be performed using SSMS or Transact-SQL, but I’ll show you how to perform a quick database backup using SSMS. To access the user interface that is used for database backups, all you have to do is right-click the database in the Object Explorer, and then in the context menu that appears select Tasks and then Back Up. The Back Up Database window will appear, as shown in Figure 12.11.

On the Back Up Database window, the name of the database to back up is automatically selected for you; all you really need to do is select the location (destination) of the backup, and that too is automatically set to the default database backup location, if you want to simply use that. You can set many other options for the database backup including the backup type, the backup component, and the days before the backup will expire.

A quick note about the backup type: backup types include full, differential, and transaction log. A full backup makes a complete copy of the database, a differential backup stores only the data that has changed since the last backup, and a transaction log backup stores only the transactions that have occurred in the database since the last backup. For smaller databases, the Full backup type is the best option, because you will always get a full copy of the database. For larger databases that may take many hours to back up, you may want to use the differential backup.

In terms of recovery models, SQL Server supports three types: simple, full, and bulk-logged. Which one you choose affects the type of backup that you can do, and the general consideration to make when choosing a recovery model is how timely you need the backup and restore to be and how it will affect performance of your server. For example, if you choose the full recovery model, you’ll be able to back up and restore the database and its transaction logs, which will allow you to restore the database to the point of failure or a point in time, but it may take much longer to restore. Alternatively, you can use the simple recovery model, which makes minimal use of the transaction log and provides for a much quicker backup and restore. Note that the simple recovery model should not be used on production systems; it is best suited for development systems or databases that are read-only and do not change much.

Figure 12.11

Back Up Database window

In Exercise 12.7, I’ll walk through how to take a quick backup of the Customers database that you created earlier in the chapter.

Exercise 12.7: Backing Up a Database

In this exercise, you will back up the Customers database using SQL Server Management Studio. To begin the process of backing up the database, make sure that you’ve logged into SQL Server and the SSMS environment is open, and then perform the following steps:

1. Expand the Databases item in the Object Explorer.

2. Right-click the Customers database that you created earlier in the chapter.

3. In the context menu that appears, select Tasks and then Back Up.

4. Ensure that the selected database is Customers and that the destination is set to back up to disk in the following default path:

C:\Program Files\Microsoft SQL Server\MSSQL10.MSSQLSERVER\MSSQL\Backup\Customers.bak

5. Click OK to start the backup.

6. When complete, SQL Server will display a message indicating that the backup was completed successfully, and the Back Up Database window will automatically close.

7. You can verify that the backup was made by opening Windows Explorer and navigating to the destination path indicated in step 4. There you should see a file named Customers.bak.

It goes without saying that if you back up a database, you also need a way to restore that database should something go wrong, and restoring a database in SQL Server is an even easier process than backing it up. To restore a database in SQL Server, open SSMS, and then right-click the Databases item in the Object Explorer. In the context menu that appears, select Restore Database, which will open the Restore Database window, as shown in Figure 12.12.

Figure 12.12

Restore Database window

Using the Restore Database window, you can select the database that you want to restore to (the destination) and then the backup database that you want to restore from (the source). If you are restoring a database from a database backup, select the From Device option, and then browse to the file that contains the backup. Once you have the database destination and source set, click OK. After a few minutes, the restored database will appear in the Object Browser, just as you would expect.
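The backup and restore described above can also be scripted in Transact-SQL. The following is an added example, not code from the book: it uses the default backup folder from Exercise 12.7, and the differential file name Customers_diff.bak is an assumption made for illustration.

```sql
-- Added example (not from the book): full + differential backup of the
-- Customers database, verification of the backup file, and a restore.
-- Customers_diff.bak is a hypothetical file name chosen for this example.
USE master;
GO

-- 1. Check the recovery model. Transaction log backups (and point-in-time
--    restore) are only possible under FULL or BULK_LOGGED.
SELECT name, recovery_model_desc
FROM sys.databases
WHERE name = N'Customers';
GO

-- 2. Full backup. INIT overwrites any backup sets already in the file;
--    CHECKSUM makes SQL Server validate page checksums while reading and
--    store a checksum over the backup itself.
BACKUP DATABASE Customers
TO DISK = N'C:\Program Files\Microsoft SQL Server\MSSQL10.MSSQLSERVER\MSSQL\Backup\Customers.bak'
WITH INIT, CHECKSUM, NAME = N'Customers full backup';
GO

-- 3. Differential backup: only the extents changed since the full backup.
BACKUP DATABASE Customers
TO DISK = N'C:\Program Files\Microsoft SQL Server\MSSQL10.MSSQLSERVER\MSSQL\Backup\Customers_diff.bak'
WITH DIFFERENTIAL, INIT, CHECKSUM, NAME = N'Customers differential backup';
GO

-- 4. Verify that both files are complete and readable before relying on
--    them. This checks the backup media; it does not restore anything.
RESTORE VERIFYONLY
FROM DISK = N'C:\Program Files\Microsoft SQL Server\MSSQL10.MSSQLSERVER\MSSQL\Backup\Customers.bak'
WITH CHECKSUM;

RESTORE VERIFYONLY
FROM DISK = N'C:\Program Files\Microsoft SQL Server\MSSQL10.MSSQLSERVER\MSSQL\Backup\Customers_diff.bak'
WITH CHECKSUM;
GO

-- 5. Restore. The full backup is restored WITH NORECOVERY so that the
--    differential can be applied on top; the last step uses RECOVERY to
--    bring the database online. REPLACE overwrites the existing database,
--    so run this only when you intend to discard its current contents.
RESTORE DATABASE Customers
FROM DISK = N'C:\Program Files\Microsoft SQL Server\MSSQL10.MSSQLSERVER\MSSQL\Backup\Customers.bak'
WITH REPLACE, NORECOVERY, CHECKSUM;

RESTORE DATABASE Customers
FROM DISK = N'C:\Program Files\Microsoft SQL Server\MSSQL10.MSSQLSERVER\MSSQL\Backup\Customers_diff.bak'
WITH RECOVERY, CHECKSUM;
GO
```

A backup file is an unencrypted copy of the data, so the backup folder needs the same access restrictions as the database files themselves.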

Finally, SQL Server provides a wizard for setting up and scheduling a backup called the Database Maintenance Plan Wizard. Using this wizard, you can set up a maintenance plan for your database that includes performing automated backups. You can access the wizard in the Object Explorer by selecting Management > Maintenance Plans; then right-click Maintenance Plans, and in the context menu that appears, select Maintenance Plan Wizard.

Moving SQL Server Databases

Although you could use the backup and restore method to move a database from one server to another, a simpler approach is to use the “detach and attach” method. This approach involves detaching a database from SQL Server, moving it to another instance, and then reattaching it. As mentioned in the case study earlier in the chapter, this approach can be very effective when you need to move a database from a SQL Server Express instance to your SQL Server Standard instance.

The process of detaching and attaching a database is similar to the process of backing up and restoring a database, and it can be done using either SSMS or Transact-SQL. In SSMS, you detach a database by right-clicking the database in Object Explorer, and then in the context menu that appears, selecting Tasks and then Detach. This will open the Detach Database window, as shown in Figure 12.13.

Figure 12.13

Detach Database window

Once you have detached a database from SQL Server, you can then move the database files to a different folder location and then attach the database to SQL Server by right-clicking the Databases item in Object Explorer and then selecting Attach from the context menu. This will display the Attach Databases window, as shown in Figure 12.14.

While in the Attach Databases window, you can select the database to attach by clicking the Add button in the middle of the window to locate the database files that contain the database that you want to attach.

Figure 12.14

Attach Databases window

In Exercise 12.8, I’ll walk you through how to detach a database from SQL Server, move it to a different folder, and then attach it. You will of course be using the Customers database that you have been using throughout the chapter.

Exercise 12.8: Moving a Database

In this exercise, you will detach and then attach a database in SQL Server. To begin the process of detaching and attaching a database, make sure that you’ve logged into SQL Server and the SSMS environment is open, and then perform the following steps:

1. Open Windows Explorer, and create a new folder on the C drive named Databases. This will be the destination for the copied database files. Be sure to leave Windows Explorer open because you will use it in a later step.

2. Switch to SSMS, and expand the Databases item; then right-click the Customers database.

3. In the context menu that appears, select Tasks and then Detach.

4. Click OK in the Detach Database window. Notice that the Customers database no longer appears in the Object Explorer.

5. Switch to Windows Explorer, and locate the Customers database files in the following folder:

C:\Program Files\Microsoft SQL Server\MSSQL10.MSSQLSERVER\MSSQL\DATA

6. Select both the Customers.mdf file and the Customers_log.ldf file, and then drag them to the C:\Databases folder that you created in step 1.

7. Switch to SSMS, right-click the Databases item in the Object Explorer, and then select Attach.

8. On the Attach Databases screen, click the Add button. Then using the Locate Database Files screen, navigate to the C:\Databases folder, select the Customers.ldf file, and then click OK.

9. Notice that in the Attach Databases window, the Databases To Attach and Customers Database details sections have been filled out. Click OK to attach the database.

10. Notice that the Customers database now appears in the Object Explorer.
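The same move can be done in Transact-SQL, which the chapter mentions as the alternative to SSMS. This is an added example, not code from the book; it assumes the files have been moved to the C:\Databases folder from step 1 and that the SQL Server service account can read and write that folder.

```sql
-- Added example (not from the book): detach the Customers database, move
-- its files, and attach it from C:\Databases as in Exercise 12.8.
USE master;
GO

-- Close other sessions first; a detach fails while connections are open.
-- ROLLBACK IMMEDIATE rolls back their uncommitted transactions.
ALTER DATABASE Customers SET SINGLE_USER WITH ROLLBACK IMMEDIATE;
GO

-- Detach: the database disappears from the instance, the files stay on disk.
EXEC sp_detach_db @dbname = N'Customers';
GO

-- At this point move Customers.mdf and Customers_log.ldf to C:\Databases
-- (steps 5 and 6). Assumption: the SQL Server service account has been
-- granted access to that folder, and nobody else has. Detached data files
-- are unencrypted and can be attached to any other instance by whoever
-- can copy them.

-- Attach from the new location. The .mdf is the primary data file and
-- records where the other files were; listing the log file explicitly
-- tells SQL Server its new path.
CREATE DATABASE Customers
ON (FILENAME = N'C:\Databases\Customers.mdf'),
   (FILENAME = N'C:\Databases\Customers_log.ldf')
FOR ATTACH;
GO

-- Make sure the database accepts normal connections again.
ALTER DATABASE Customers SET MULTI_USER;
GO

-- Confirm the instance now points at the moved files and that the
-- database is online.
SELECT name, physical_name, state_desc
FROM sys.master_files
WHERE database_id = DB_ID(N'Customers');

-- Check the moved database for corruption before putting it back in use.
DBCC CHECKDB (N'Customers') WITH NO_INFOMSGS;
GO
```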

As an alternative to the manual detach and attach process, SQL Server provides a wizard that walks you step-by-step through the same process. You can access the wizard in the Object Explorer by right-clicking a database; then in the database context menu, select Tasks and then Copy Database.

Well, that’s it for the fast and furious overview of SQL Server. I hope it will help you feel comfortable installing and using some of the more basic features of SQL Server. I encourage you to dig even deeper into all of the robust and powerful features that SQL Server supports.

The Bottom Line

Install and configure SQL Server To use SQL Server, you must first install it. But installing SQL Server is not simply a matter of inserting the installation disc and clicking through the installation routine; it involves making decisions about which features of SQL Server to install, what accounts you want it to run under, and where it should be installed.

Master It What are the minimum SQL Server features you should choose to install?

Use SQL Server The first step in using a SQL Server database is to create it, and you can do this easily with the SSMS or with Transact-SQL.

Master It Using SSMS, create a new database, named Accounts, that includes a table named Locations.

Administer SQL Server The most basic and perhaps most important of SQL Server administrative tasks is to create an effective and robust backup and restore routine. As with most things in SQL Server, you can do this using SSMS or Transact-SQL.

Master It Back up a SQL Server database using SSMS.

Chapter 13

Using SharePoint with Your Small Business Server

Microsoft SharePoint Server has been around for the past several years, but it only began to gain traction around 2006. That’s when businesses discovered that the SharePoint services enabled them to have a central, easily manageable web portal where they could store all information pertinent to their business and their business associates.

Broadly defined, SharePoint is a suite of tools used to share business processes, information, managerial duties, and communication data. Additionally, SharePoint can be used to manage business content, sales, and account data, as well as track the growth and expansion of business processes (such as a sales process) over time.

The way SharePoint is used with Small Business Server 2008 shares a lot of similarities with the full version of Microsoft Office SharePoint Server in that there are four distinct viewpoints associated with SBS 2008 and its usage:

◆ Manager

◆ IT Administrator

◆ Developer

◆ End User

SharePoint, unlike a lot of the other features of Small Business Server 2008, is a utility that can be accessed by anyone in your organization. Of course, you can implement security so some users don’t have access to it, but most companies just freely implement SharePoint. In this chapter, you’ll learn how to set up SharePoint, perform some common administrative tasks, go through the various “points” of SharePoint, and perform a backup and restoration of the SharePoint services.

In this chapter, you will learn to

◆ Set up SharePoint/Companyweb

◆ Administer SharePoint

◆ Back up and restore SharePoint

Overview of SharePoint Usage

SharePoint Server is a collaborative platform that builds upon many technologies, including Windows SharePoint Services 3.0 and Microsoft SQL Server. It’s actually an integrated suite of multiple technologies, placed into one location. Effectively, “SharePoint” is only an application-like layer on top of preexisting Microsoft technologies. Typical usages for SharePoint include the following:

Document collaboration SharePoint integrates all Microsoft Office documents, such as Word, Excel, and other document types. With SharePoint, these files can all be centrally accessed through SharePoint Server.

Document services SharePoint includes the ability to implement document services, which is a technology that allows multiple users to access documents in document collaboration from a website. Furthermore, services allow potentially sensitive data, such as Excel spreadsheets, to be locked down through security.

Customer tracking SharePoint allows you to track individual companies and keep hold of all data associated with a customer account. As an example, a salesperson could log into SharePoint and see a customer’s phone number, address, sales performance, and other data.

Employee performance reports With SharePoint, since all data is located in one location, managers or business owners can track business data easily through the SharePoint graphical user interface over the Web. You can quickly and easily create performance graphs and evaluations.

Data archival Because of legal constraints that mandate certain businesses to keep track of business data, SharePoint integrates the ability to set up a repository with data expiration dates to keep data stored from the date it was first created to the date of the archival expiration. This makes it easy for sales associates to simply add a file with legally sensitive information to their repository for later access.

SharePoint Components

SharePoint Server actually integrates into two points of Small Business Server. First, it plugs into SQL Server, and second, it plugs into IIS. From the SBS console, you can see this by going to the Shared Folders and then the Web Sites tab and selecting Internal Web Site, as shown in Figure 13.1.

Figure 13.1

Companyweb site

If you open the full version of IIS Manager, you can expand the SBS SharePoint menu and see all of the data associated with the website, as shown in Figure 13.2.

Figure 13.2

SharePoint in IIS

Additionally, you can view the SQL Server databases associated with SharePoint by navigating to this location:

C:\Windows\SYSMSI\SSEE\MSSQL.2005\MSSQL\Data

There, you’ll see the databases shown in Figure 13.3.

Figure 13.3

SQL databases

Every database starting with the word SharePoint houses the SQL Server data associated with SharePoint. This includes a lot of information, including user login information, layout, skins, designs, and other data associated with your web page. For SharePoint to work, both the SQL Server database service and the IIS service have to be running properly. If you experience an error when accessing your SharePoint Companyweb home page, you can always try to alter it by navigating to services.msc and restarting either service.

Network Components of SharePoint

SharePoint requires several ports to be opened externally (and internally) on the firewalls running on your server. First, and less obviously, the internal firewall of the SBS 2008 server needs to be adjusted to allow HTTP and HTTPS traffic to the SharePoint site. Thankfully, this is done by default. Next, to externally access the SharePoint server, you need to forward these ports to the SharePoint server:

◆ 80: HTTP traffic

◆ 443 and 987: HTTPS traffic

Note that it is very important that you do not forward SQL Server traffic to your SharePoint Server instance. Doing this can have catastrophic effects, including SQL injection, unauthorized access to your SQL databases, and network-based attacks on your data!
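One way to check that SQL Server is not reachable from outside the LAN is to ask the instance which clients are connected to it over TCP. This is an added example, not code from the book; it assumes the internal network is 192.168.0.0/24 (the range of the 192.168.0.4 address used later in this section) and a login with VIEW SERVER STATE permission.

```sql
-- Added example (not from the book): list SQL Server connections that
-- arrive over TCP from addresses outside the assumed LAN, 192.168.0.0/24.
-- Adjust the LIKE pattern to your own internal address range.

-- Detail view: one row per suspicious connection, newest first.
SELECT c.session_id,
       c.connect_time,
       c.client_net_address,   -- remote address as seen by SQL Server
       c.local_tcp_port,       -- port the client connected to
       c.auth_scheme,          -- SQL, NTLM, or KERBEROS
       c.encrypt_option,       -- TRUE when the connection is encrypted
       s.login_name,
       s.host_name,
       s.program_name
FROM sys.dm_exec_connections AS c
JOIN sys.dm_exec_sessions    AS s
  ON s.session_id = c.session_id
WHERE c.net_transport = N'TCP'                      -- skip shared memory / named pipes
  AND c.client_net_address NOT LIKE '192.168.0.%'   -- assumed internal range
  AND c.client_net_address NOT IN ('127.0.0.1', '::1', '<local machine>')
ORDER BY c.connect_time DESC;

-- Summary view: how many such connections each outside address and login
-- holds. Any row here means SQL Server traffic is crossing the firewall.
SELECT c.client_net_address,
       s.login_name,
       COUNT(*)            AS open_connections,
       MIN(c.connect_time) AS first_seen,
       MAX(c.connect_time) AS last_seen
FROM sys.dm_exec_connections AS c
JOIN sys.dm_exec_sessions    AS s
  ON s.session_id = c.session_id
WHERE c.net_transport = N'TCP'
  AND c.client_net_address NOT LIKE '192.168.0.%'
  AND c.client_net_address NOT IN ('127.0.0.1', '::1', '<local machine>')
GROUP BY c.client_net_address, s.login_name
ORDER BY open_connections DESC;
```

An empty result only covers connections open at the moment the query runs, so it complements the firewall rule review rather than replacing it.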

Additionally, you can make your life a little easier by setting up SharePoint as your default website. To do so, you can navigate to IIS Manager and disable the Default Website item by setting it to Stop. Then, you can expand your SBS SharePoint server and select Bindings in the right column. This will open the dialog box shown in Figure 13.4.

Figure 13.4

Site Bindings dialog box

The difference between Figure 13.4 and what you’ll see is that the IP addresses bound on your server will be * by default. This is so that associated clients can just type companyweb in their DNS settings and navigate to SharePoint straightaway. This is convenient, but more often than not, you’ll want SharePoint to be accessible to external users. This means you’ll need to set the SharePoint Site to an actual IP address. In this case, I’ve set mine to 192.168.0.4. You can change this by clicking Edit and then selecting the IP address you’d like to assign from the drop-down, as shown in Figure 13.5.

Something you will notice here is that the SharePoint server is actually assigned to both port 80 and port 987. This is done for security reasons, but the concept is that SharePoint will accept authentication credentials on port 80 and then securely pass this data to port 987. Unless you bind both, you’ll experience network errors. In fact, once you’ve clicked OK and changed the bindings, you might want to navigate to your server and try to just go to the IP address. Companyweb should still work when you access it through a web browser.

Figure 13.5

IP address assignment

Initially Configuring SharePoint

SharePoint configuration is a subject that can take just a few minutes to discuss or several months (and books), depending on just how deep you want to get into it. The bottom line with SharePoint Server is that just about everything is customizable. SharePoint supports the ability to do the following:

◆ Add wikis.

◆ Create customer searches.

◆ Create a business data catalog.

◆ Create audit policies.

◆ Define a custom web portal for each user.

◆ Check designs.

And much, much more. Just how much you want to add into it depends on how much time you want to spend configuring your company home page, Companyweb.

Companyweb

When you first log into your SBS 2008 server after any given installation, you can access the Companyweb Internet web portal by going to a web browser and navigating to http://companyweb. After you’ve done so, you will see the Companyweb home screen, as shown in Figure 13.6.

At this point, you’ll need to go through the initial setup portions that you see on the home web page. This includes installing the server security certificate and initial configuration.

Initial Setup

The first item listed on the SharePoint website is the Welcome To Your Internal Web Site welcome message. If you click the link, you’ll be prompted to enter new information that can be shared with the rest of your users. This is really just designed to let you distribute an initial file across your website, or really to just “get things going,” for lack of a better phrase. My recommendation is to ignore this and go to the next, more important section — installing a security certificate.

Figure 13.6

SBS 2008 web portal

If you click the Install The Server’s Security Certificate On Your Remote Computer link, a set of instructions will appear. Following the instructions there will allow remote computers to always trust Small Business Server. If you don’t want to do this before you navigate to the Companyweb home page, you can install the server’s security certificate on your remote computer by doing the following:

1. From a computer that is in the Windows SBS network, open a web browser, and type the following address into the address bar: \\INTELLICOSERVER\public\downloads.

2. Copy the file Install Certificate Package.zip to portable storage media, such as a floppy disk or a USB drive.

3. Insert the floppy disk or USB drive into the computer that is not joined to the Windows SBS domain and from which you want to access the Remote Web Workplace.

4. In Windows Explorer, navigate to the location where you copied the ZIP file.

5. Right-click the ZIP file, and choose Extract All.

6. In the Extract Compressed (Zipped) Folders dialog box, type a folder location to which you want to extract the files, and then click Extract.

7. Open the folder where the extracted files are located, and then double-click Install Certificate.

8. Select Install The Certificate On My Computer, and then click Install.

9. Browse to the Remote Web Workplace website.

Moving SharePoint Data to Another Location

Just like most things in SBS 2008, moving SharePoint data to a dedicated hard drive is pretty easy, but it’s a little obfuscated unless you know exactly where to look. To back up SharePoint data, you can navigate to the SBS console and select Backup And Server Storage. Then, you can select the Server Storage tab shown in Figure 13.7 and select the backup link called Move Windows SharePoint Services Data.

Figure 13.7

Move Windows SharePoint Services Data link

You need to have an extra hard drive attached with enough space to contain all the data located on your main hard drive; otherwise, the backup routine will fail.

Once the wizard begins, you’ll need to click Next two times so the server can read the configuration and prepare for the backup. Then, once this is complete, you will be presented with the screen shown in Figure 13.8.

Figure 13.8

Moving data

There, you can see the amount of data your SharePoint services are using (in my case, a paltry 86.3MB) and the amount of space available on your backup drive. All you have to do at this point is click Move.

Checking the Configuration

One of the tools that comes with SharePoint on SBS 2008 is the SharePoint Products and Technologies Wizard. You can use this wizard to repair portions of SharePoint that come installed with SBS 2008. If you ever experience problems with SharePoint Services (IIS permissions errors or SQL Server problems, for example), you can run this tool, which will check the configuration of SharePoint.

You can run this tool by selecting Start > Administrative Tools > SharePoint Products And Technologies Configuration Wizard.

This will launch the tool and give you a warning. Clicking Next will walk you through a series of 10 steps, each of which will look like the screen shown in Figure 13.9. If there are any issues along the way, the wizard will alert you of a problem and say what needs to be done to correct it.

Figure 13.9

Products and Technologies Configuration Wizard

Once the wizard completes, it will bring you to the SharePoint home page and allow you to check the integrity of your site. It’s a good idea to run this wizard if you’ve done a backup and restore.

Performing SharePoint Administration Tasks

Administration with SharePoint Server is all done through a centralized web-based console that is accessible through port 4721 on your SBS server. You can access this either by navigating to <yourservername>:4721 or by selecting Administrative Tools > SharePoint Administration. This will open the main console, which you can see in Figure 13.10.

The administrative area has three important areas:

Home This is the central location, where you can access all other areas.

Operations This page contains links to pages that help you manage your server or server farm, such as changing the server farm topology, specifying which services are running on each server, and changing settings that affect multiple servers or applications.

Application Management This page contains links to pages that help you configure settings for applications and components that are installed on the server or server farm.

Figure 13.10

SharePoint Central Administration

When you first access this home page, there will be eight administrative tasks that you’ll need to configure. Some of these will be done with default settings, and some will be set to blank. In the next few sections, you’ll learn how to configure SharePoint Server.

One of the initial settings you have to set up for SharePoint to work properly is email. You need to set both the incoming and outgoing email alerts to be configured according to your settings. To do this, simply click the Incoming E-Mail Settings item, and then click Configure Incoming Email Settings. Do the same for the Outgoing E-Mail Settings item.

Creating a New SharePoint Website

SharePoint Server gives you the ability to administer multiple SharePoint web portals for your users. In terms of a small business, this may be useful for a business that functions under multiple names or in fact is actually multiple parts. More often than not, Microsoft has found that a small business may have more than one name under which it operates. And if they don’t do that, business owners very well may operate more than one company. After all, if one company has become successful, you might as well start a second!

Configuring Settings

To create a new website with SharePoint, you need to access the Central Administration site for SharePoint and select Create SharePoint Sites. This will open the menu shown in Figure 13.11.

With SharePoint, all tasks can be centrally managed through the administrator console, and you can choose who else has the ability to both access the console and perform various tasks. I’ll go over that in the “Adding and Editing Items” section, so for now you’ll just add a SharePoint site. You can do this by clicking the Create New Web Application action button. This will open the page partially shown in Figure 13.12.

Figure 13.11

Administrator task: Creating the Site

Figure 13.12

Creating a web application

IIS Web Site

In the IIS Web Site area, you can decide to use an existing website or create a new one. Usually, you’ll want to create a new website, unless you’d like to write SharePoint over a website you’ve already created. Almost always you will want to change the default name. In this example, I’m going to change it to “example.”

Next, you can set the port that it is hosted upon. I almost always leave this blank, because SharePoint is pretty good at picking random ports that the server is not already using. As you can see in Figure 13.12, in this case it picked port 27466. Talk about a random port — I think that takes the cake.

You’ll probably want to leave the host header blank unless you have specific requirements for your host header in your website. If you have a custom host header, you’ll want to place it here. But, for the path, you’ll want to place this in a location that is both logical and easily accessible. The default inetpub\wwwroot is almost always a good choice. But any directory that you choose will suffice.

Security ConfigurationIn the Security Configuration area of SharePoint, you can choose to use Kerberos or NTLMauthentication:

Kerberos Kerberos is a network authentication protocol that was developed at the Mas-sachusetts Institute of Technology. It is an incredibly secure and very reliable private-keyencryption method that is virtually immune to compromise. As a rule of thumb, if you canimplement Kerberos, you should. However, as you can note in the text next to the SharePointsite in the Add A New Site Wizard, ‘‘Kerberos requires the application pool account tobe Network Service or special configuration by the domain administrator.’’ This is a littletroublesome for most small businesses and a little bit outside the scope of this book. However,I must mention that if you want to set up the most secure method of accessing your site, youshould choose this.

NTLM NTLM stands for NT LAN Manager; it’s a Microsoft authentication protocol. It’s verysimilar to MS-CHAP, which is fairly secure, but it’s specified for the SMB network sharingprotocol. You should implement NTLM if you would like quick and easy security, such as aconnection between two machines that are housed behind a firewall and are already relativelysecure. However, it is not as highly specialized (or secure) as Kerberos.

SSL By now, you should be familiar with SSL. Secure Sockets Layer determines whetheryour server will use a security certificate to authenticate to the web portal. Usually this is alittle unnecessary for SharePoint, but there’s a chance that you might be housing some incred-ibly sensitive data or require that your passwords be obfuscated. If this is the case, you shoulduse SSL.

Load Balanced URL

The Load Balanced URL setting is the fully qualified URL that users will use to access the SharePoint site. It’s set to the server name by default, but you can easily change it to the name of a domain you either own or administer.

Application Pools

Application pools in IIS are collections of web applications that are placed into pools so that they can be distributed across multiple servers. In the case of Small Business Server, you will almost never use them. Thus, you should not try to make a new pool for yourself. This is the default setting.

Also, if you’d like to set specific configuration credentials for the pool, you can enter your username and password in the radio box or a username and password that is custom to that application pool. But, as a friendly tip from one administrator to another: unless you’re an IIS guru, “If it ain’t broke, don’t fix it.” The default is usually just fine.


Reset Internet Information Services

The Reset Internet Information Services setting should be grayed out and left to manual. Having IIS reset automatically can be problematic, especially if it tends to try to do it again and again and consistently fails — consequently jamming up your server!

Database Name and Authentication

Here, you can specify your local SQL Server embedded instance, or you can point to an SQL Server member server. If you do this, you should probably set up a custom SQL Server login authentication account or use Windows authentication. Note that the servers are entered in this format:

<Server Name>\<SQL Instance Name>

<Database Name>

Search Server

If you want to set up Windows SharePoint Search Server, you can select your server in the drop-down box. However, this is not necessarily a good idea on SBS, because it takes up a lot of processing power.

Creating the Site

Once you’ve entered all your information, click the OK button. If SharePoint has a problem with anything you’ve entered, it will display red text to let you know what you’ve done incorrectly. Now, normally, I don’t show loading screens, but in this case, don’t be surprised if you see the loading screen in Figure 13.13 for several minutes or several hours. SharePoint can take its sweet time, and it’s best to not interrupt it.

Figure 13.13

The agonizing processing notification screen

Once SharePoint is complete, it will show the Application Created screen. At this point, you’ll want to do an IIS reset. You can do this by typing the following command in your command prompt utility:

IISreset /noforce

Assuming the process succeeded, you will see the following message:

Attempting stop...
Internet services successfully stopped
Attempting start...
Internet services successfully restarted


Just as a note, sometimes IIS might hang. If this happens, IIS will tell you that it failed to restart and display various errors. Just open the Windows Start menu, and type services.msc. This will open the Windows Services menu. From there, you should stop and restart the IIS Admin service.

Now, if you open IIS Manager, you will see your new site listed, as shown in Figure 13.14.

Figure 13.14

Viewing the new site in IIS Manager

From here, you can easily browse to your new site by clicking the Browse button.

Server Operations

Operations is one of the main menus in the Central Administration and part of the heart of SharePoint administration. Server Operations breaks down into six distinct categories:

Topology and Services: The number of servers in your farm, what services they’re running, and how they’re configured

Security Configuration: The services accounts, antivirus setup, file type setups, and Administrators group

Logging and Reporting: Diagnostics logging and analysis processing

Global Configuration: Time syncs and global configurations

Backup And Restore: SharePoint manual backups and restoration

Data Configuration: Database servers and retrieval services

In the next few sections, I’ll run through some of the more common administrative tasks associated with SharePoint and essentially give you a guided tour of what you can do with it. At the small-business level, you aren’t necessarily a SharePoint administrator, but you’ll want to know enough to be able to expand SharePoint’s functionality and, if needed, make basic repairs.

Configuring Workflow Settings

Once you’ve set up a site, you can specify the following:

◆ Whether users are allowed to assemble new workflows out of building blocks deployed to the site

◆ Whether participants without access should be sent a copy of the document as an email attachment so they can participate in a workflow


You can also accomplish this task from the SBS 2008 SharePoint home page, just like what you did when you created a website.

When you configure workflow settings, you can set the following:

◆ Web applications

◆ User-defined workflows

◆ Workflow task notifications

Setting Up Web Applications

In the Web Applications area, you can set the web application that your SharePoint server will utilize. This is all fed from the available web applications seen by your IIS server. Any available web applications will be displayed in the drop-down box.

Setting Up User-Defined Workflows

User-defined workflows allow SharePoint developers to specify whether their users are able to use administrator-developed applications. With this radio button, you can determine whether they have access to code developed by your administrators. Typically, you will leave this button set to Yes, which is the default.

Setting Up Workflow Task Notifications

This last area is pretty simply defined. It allows you to alert users who do not have site access when they are assigned a workflow task and to alert external users to participate in a workflow by sending them a copy of a document. Usually these options are set to Yes for workflow alerts and No for copies of the document. But you can always change this second option to Yes if you’d like external options. And, of course, if you don’t want to receive updates, you can leave this option set to No.

Enabling Antivirus

This is a very useful yet often overlooked function. If you navigate to Central Administration > Operations > Antivirus, you can turn the Antivirus settings in SharePoint off or on based on your specifications. You can choose whether documents are scanned on upload or download, whether users are able to download infected documents, the number of threads to dedicate to your antivirus software, and how long your antivirus software takes to time out.

Configuring Backup and Restore

The Backup And Restore area located inside the operations area of your site content enables you to back up SharePoint-specific data. Unlike general Windows Server backup, SharePoint backups are highly specialized and allow you to custom-configure each aspect of SharePoint, along with exactly what is backed up. As you can see from the following table, you have a lot of options to choose from in the basic menu. (Note: Farm is a term in SharePoint to describe all the servers that are connected that run the SharePoint services.)


Component | Type | Description
Farm | Farm | Content and configuration data for the entire server farm
SharePoint_Config_29c26fca-17b8-48c1-9704-b869932abcb6 | Configuration Database | Configuration data for the entire server farm
Windows SharePoint Services Web Application | Windows SharePoint Services Web Application | Collection of web applications
Example | Web Application | Content and configuration data for this web application
WSS_Content_f70d83581a3946c59e29ee1b1c4da433 | Content Database | Content for the web application
SBS SharePoint | Web Application | Content and configuration data for this web application
ShareWebDb | Content Database | Content for the web application
WSS_Administration | Central Administration | Collection of web application
Web Application | Web Application | Content and configuration data for this web application
SharePoint_AdminContent_d4e397f2-a27a-48a0-a628-d25db6672bab | Content Database | Content for the web application
Windows SharePoint Services Search | Index files and Databases | Searches instances for Windows SharePoint Services
Search instance | Index files on INTELLICOSERVER | Searches index files on the search server
WSS_Search_WIN-EUGSO7LO7PY | Search database for INTELLICOSERVER | Searches database for the search server

On the left side of the page, there are check boxes that allow you to decide exactly how much you want to back up. Just as a test, try selecting all the check boxes and then clicking Continue To Backup Options. You should be able to do this by just selecting Farm.

Once you click Next, you’ll be presented with three submenus:

Backup Content: This allows you to pick the content you want to back up and should be what you selected from the previous menu.

Type Of Backup: You can choose either full or differential backups. A full backup backs up everything with associated history, and a differential copies just what has changed since your last full backup.


Backup Files Location: You can set where the backup should go with a UNC path, such as \\intellicoservers\Backup. Note that the SQL Service account will need to be able to read this directory path.

Clicking OK will queue the backup. You can view the backup process by clicking the Refresh button. Check out Figure 13.15 to see what it should look like.

Figure 13.15

Backup and Restore Status

Restoring from Backup

Restoring from a preexisting backup of SharePoint is a fairly straightforward process that has four steps:

1. Choosing the backup file location

2. Choosing the backup “point”

3. Choosing the components to restore

4. Entering the restoration options

You can access the Restore option under the Backup And Restore area of the Central Administration portion of SharePoint. Choosing to restore is fairly self-explanatory for the first three steps. First, you choose your backup location; second, you choose which of the backups you’ve made that you’d like to restore. Third, you choose which components of the backups you’ve selected that you’d like to implement. But, the last screen is a little trickier.

The last screen allows you to apply new settings to your preexisting installation, including new SQL logins, new names for web content, new databases, and even new application pools. The reason that this exists at all is that there are some occasions where a small business might have to change some configuration data after having completed a server recovery process that changed some of the data of their preexisting configuration.

Say, for example, Intellicorp experienced a server crash because of a failed SATA array and had to restore from backup. If you didn’t have your full Windows Small Business Server backup image, you’d want to restore from the small SharePoint backup that you made earlier. The trouble is, during the restoration process, say you forgot what the SharePoint application pool name was, along with the service name, site name, database name, and even database password.

This happens a lot more often than most administrators would care to admit. And because of that, this screen exists. Here you can override all the settings that were contained in your previous installation. You can reinstall Windows, set it up how you would like (which, given the fact that hindsight is usually 20/20, may be different), and then import your SharePoint data with no fear of compatibility problems that result from the loss of important passwords or server settings.

Ultimately, regardless of whether you decide to change these settings, upon choosing to restore, SharePoint will begin the restoration process. It will update you periodically on the process and alert you of any errors that occur along the way. If you take a look at Figure 13.16, you can see what happened when I chose to restore and experienced an error.

Figure 13.16

Restore error

The Restoration information box indicates that I can find more details about the restoration process and the errors associated with it by navigating to the event log. Let’s explore that in the next section.

Troubleshooting Backup and Restore

SharePoint Server is designed to service both the largest and smallest organizations. And accordingly, SharePoint gives very detailed records on both the backup and restore process. These details are contained in the SharePoint backup and restore logging files in the backup and restoration directory.

Whenever a user chooses to create a backup directory, SharePoint Backup Services will automatically create a file infrastructure within that directory to support its backup file configuration. If you look at Figure 13.17, you’ll see that SharePoint has created a directory called spbr0000. Within this directory, SharePoint has placed all the associated backup data for the first backup created with SharePoint.

Figure 13.17

Backup points created


Of course, if I had done more backups, the number of folders would increase. First there would be an spbr0001, then an spbr0002, and so forth. And in case you hadn’t guessed, spbr stands for SharePoint backup and recovery.

Notice in this home directory there is also an XML document. Because it’s important for your understanding, let’s examine it now:

<?xml version="1.0" encoding="utf-8"?>
<SPBackupRestoreHistory>
  <SPHistoryObject>
    <SPId>3ec1cd5b-c29c-496c-93c7-25a633b2603c</SPId>
    <SPRestoreId>30c2cc29-15c7-4a91-9bda-e15bfd00af76</SPRestoreId>
    <SPRequestedBy>INTELLICORP\steve</SPRequestedBy>
    <SPBackupMethod>Full</SPBackupMethod>
    <SPRestoreMethod>New</SPRestoreMethod>
    <SPStartTime>10/22/2009 20:24:00</SPStartTime>
    <SPFinishTime>10/22/2009 20:25:52</SPFinishTime>
    <SPIsBackup>False</SPIsBackup>
    <SPBackupDirectory>c:\backup\spbr0000\</SPBackupDirectory>
    <SPDirectoryName />
    <SPFailure>Object WSS_Search_WIN-EUGSO7LO7PY failed in event OnRestore. For more information, see the error log located in the backup directory.</SPFailure>
    <SPTopComponent>Farm</SPTopComponent>
    <SPTopComponentId>12c4078d-47c5-472e-abdf-ea237c8b8f50</SPTopComponentId>
    <SPWarningCount>0</SPWarningCount>
    <SPErrorCount>4</SPErrorCount>
  </SPHistoryObject>
  <SPHistoryObject>
    <SPId>3ec1cd5b-c29c-496c-93c7-25a633b2603c</SPId>
    <SPRequestedBy>INTELLICORP\steve</SPRequestedBy>
    <SPBackupMethod>Full</SPBackupMethod>
    <SPRestoreMethod>None</SPRestoreMethod>
    <SPStartTime>10/21/2009 01:42:32</SPStartTime>
    <SPFinishTime>10/21/2009 01:44:22</SPFinishTime>
    <SPIsBackup>True</SPIsBackup>
    <SPBackupDirectory>c:\backup\spbr0000\</SPBackupDirectory>
    <SPDirectoryName>spbr0000</SPDirectoryName>
    <SPDirectoryNumber>0</SPDirectoryNumber>
    <SPTopComponent>Farm</SPTopComponent>
    <SPTopComponentId>12c4078d-47c5-472e-abdf-ea237c8b8f50</SPTopComponentId>
    <SPWarningCount>0</SPWarningCount>
    <SPErrorCount>0</SPErrorCount>
  </SPHistoryObject>
</SPBackupRestoreHistory>

This XML contains the entire history of your backup attempts. This includes the last backup you’ve attempted, the errors associated with it, the directory, and the components upon which association was attempted. You can also see the start time and finish time of the backup in the SPStartTime and SPFinishTime elements.
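The history file can be read programmatically when you need to see who ran each operation and which backup point completed without errors. The following Python example is added here and is not from the book; it parses the two entries shown above, and the function names are assumptions chosen for illustration.

```python
import xml.etree.ElementTree as ET
from datetime import datetime

# The two history entries shown on this page, abridged to the fields used below.
HISTORY_XML = r"""<?xml version="1.0" encoding="utf-8"?>
<SPBackupRestoreHistory>
  <SPHistoryObject>
    <SPRequestedBy>INTELLICORP\steve</SPRequestedBy>
    <SPBackupMethod>Full</SPBackupMethod>
    <SPRestoreMethod>New</SPRestoreMethod>
    <SPStartTime>10/22/2009 20:24:00</SPStartTime>
    <SPFinishTime>10/22/2009 20:25:52</SPFinishTime>
    <SPIsBackup>False</SPIsBackup>
    <SPBackupDirectory>c:\backup\spbr0000\</SPBackupDirectory>
    <SPFailure>Object WSS_Search_WIN-EUGSO7LO7PY failed in event OnRestore.
      For more information, see the error log located in the backup
      directory.</SPFailure>
    <SPTopComponent>Farm</SPTopComponent>
    <SPWarningCount>0</SPWarningCount>
    <SPErrorCount>4</SPErrorCount>
  </SPHistoryObject>
  <SPHistoryObject>
    <SPRequestedBy>INTELLICORP\steve</SPRequestedBy>
    <SPBackupMethod>Full</SPBackupMethod>
    <SPRestoreMethod>None</SPRestoreMethod>
    <SPStartTime>10/21/2009 01:42:32</SPStartTime>
    <SPFinishTime>10/21/2009 01:44:22</SPFinishTime>
    <SPIsBackup>True</SPIsBackup>
    <SPBackupDirectory>c:\backup\spbr0000\</SPBackupDirectory>
    <SPDirectoryName>spbr0000</SPDirectoryName>
    <SPTopComponent>Farm</SPTopComponent>
    <SPWarningCount>0</SPWarningCount>
    <SPErrorCount>0</SPErrorCount>
  </SPHistoryObject>
</SPBackupRestoreHistory>
"""

TIME_FORMAT = "%m/%d/%Y %H:%M:%S"


def _parse_time(value):
    """Return a datetime, or None when the element is missing or empty."""
    if not value or not value.strip():
        return None
    return datetime.strptime(value.strip(), TIME_FORMAT)


def parse_history(xml_text):
    """Turn each SPHistoryObject element into a dict, in file order."""
    root = ET.fromstring(xml_text.encode("utf-8"))
    entries = []
    for obj in root.findall("SPHistoryObject"):
        start = _parse_time(obj.findtext("SPStartTime"))
        finish = _parse_time(obj.findtext("SPFinishTime"))
        is_backup = obj.findtext("SPIsBackup", "").strip() == "True"
        entries.append({
            "operation": "backup" if is_backup else "restore",
            "requested_by": obj.findtext("SPRequestedBy", "").strip(),
            "method": obj.findtext("SPBackupMethod", "").strip(),
            "directory": obj.findtext("SPBackupDirectory", "").strip(),
            "component": obj.findtext("SPTopComponent", "").strip(),
            "start": start,
            # An operation that never recorded a finish time has no duration.
            "seconds": int((finish - start).total_seconds()) if start and finish else None,
            "errors": int(obj.findtext("SPErrorCount", "0").strip() or 0),
            "warnings": int(obj.findtext("SPWarningCount", "0").strip() or 0),
            # Collapse the line wrapping inside SPFailure into single spaces.
            "failure": " ".join(obj.findtext("SPFailure", "").split()),
        })
    return entries


def failed_operations(entries):
    """Entries that reported errors or carry an SPFailure message."""
    return [e for e in entries if e["errors"] > 0 or e["failure"]]


def last_clean_backup(entries):
    """Most recent backup with no errors and no failure text, or None."""
    clean = [e for e in entries
             if e["operation"] == "backup" and e["start"]
             and not e["errors"] and not e["failure"]]
    return max(clean, key=lambda e: e["start"]) if clean else None


if __name__ == "__main__":
    history = parse_history(HISTORY_XML)
    for e in failed_operations(history):
        print(f'{e["start"]} {e["operation"]} by {e["requested_by"]}: '
              f'{e["errors"]} error(s) in {e["seconds"]}s - {e["failure"]}')
    good = last_clean_backup(history)
    print("Last clean backup:", good["directory"] if good else "none")
```
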


Now, if you explore the directory spbr0000, you can find these log files. In fact, there are two — each available in either TXT or XML format. There is one for the Backup log and another for the Restore log.

If you open the Restore log (sprestore.txt), you can see that it has a lot of information, including some random logs like what data it has added and the directory it’s using, as shown here:

[10/22/2009 4:15:24 PM]: Verbose: Adding WSS_Content_f70d83581a3946c59e29ee1b1c4da433 to Restore list.
[10/22/2009 4:15:24 PM]: Verbose: Adding SBS SharePoint to Restore list.
[10/22/2009 4:15:24 PM]: Verbose: Adding ShareWebDb to Restore list.
[10/22/2009 4:15:24 PM]: Verbose: Adding WSS_Administration to Restore list.
[10/22/2009 4:15:25 PM]: Verbose: Adding Web Application to Restore list.
[10/22/2009 4:15:25 PM]: Verbose: Adding SharePoint_AdminContent_d4e397f2-a27a-48a0-a628-d25db6672bab to Restore list.
[10/22/2009 4:15:25 PM]: Verbose: Adding Windows SharePoint Services Search to Restore list.
[10/22/2009 4:15:25 PM]: Verbose: Adding Search instance to Restore list.
[10/22/2009 4:15:25 PM]: Verbose: Adding WSS_Search_WIN-EUGSO7LO7PY to Restore list.
[10/22/2009 4:23:31 PM]: Verbose: Using directory: c:\backup\spbr0000\.

Additionally, you can find errors in these logs by browsing down until you see the word Error. At this point, you’ll see something like this:

[10/22/2009 4:24:08 PM]: Error: Object WSS_Content_f70d83581a3946c59e29ee1b1c4da433 failed in event OnRestore. For more information, see the error log located in the backup directory.
SPException: The specified component exists. You must specify a name that does not exist.

Here, it says you received an error because the component already exists. Thus, you can’t create a new component on a preexisting name (although that would be a neat trick).

The log files in Backup and Restore are almost always very revealing. Even the best and most seasoned of techs and administrators will use the phrase “When all else fails, look at the logs.” Chances are, the logs will give you tremendous insight into what is happening on both the server and the backup utility that is being processed.
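Scrolling for the word Error works for one log, but the same check can be scripted. The following Python example is added here and is not from the book; it folds wrapped lines back into their entries and pairs each failed object with its exception. The sample text is re-assembled from the sprestore.txt excerpts above, and the function names and the wrapping layout are assumptions.

```python
import re
from datetime import datetime

# Constructed sample: entries re-assembled from the sprestore.txt excerpts on
# this page. The wrapped continuation lines are an assumption about how long
# entries appear in the file.
SAMPLE_LOG = r"""[10/22/2009 4:15:24 PM]: Verbose: Adding WSS_Content_f70d83581a3946c59e29ee1b1c4da433 to Restore list.
[10/22/2009 4:15:24 PM]: Verbose: Adding SBS SharePoint to Restore list.
[10/22/2009 4:15:24 PM]: Verbose: Adding ShareWebDb to Restore list.
[10/22/2009 4:15:25 PM]: Verbose: Adding Windows SharePoint Services Search to
Restore list.
[10/22/2009 4:23:31 PM]: Verbose: Using directory: c:\backup\spbr0000\.
[10/22/2009 4:24:08 PM]: Error: Object WSS_Content_f70d83581a3946c59e29ee1b1c4da433 failed in event OnRestore. For
more information, see the error log located in the backup directory.
SPException: The specified component exists. You must specify a name that does
not exist.
"""

TIME_FORMAT = "%m/%d/%Y %I:%M:%S %p"
ENTRY_RE = re.compile(r"^\[(?P<time>[^\]]+)\]: (?P<level>\w+): (?P<message>.*)$")
ADDED_RE = re.compile(r"^Adding (?P<name>.+) to Restore list\.$")
FAILED_RE = re.compile(r"^Object (?P<name>.+?) failed in event (?P<event>\w+)\.")
EXCEPTION_RE = re.compile(r"(?P<type>\w+Exception): (?P<detail>.*)$")


def _timestamp(text):
    """Parse the bracketed timestamp; None if the brackets hold something else."""
    try:
        return datetime.strptime(text, TIME_FORMAT)
    except ValueError:
        return None


def parse_log(text):
    """Split the log into entries, folding wrapped lines into their entry."""
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        match = ENTRY_RE.match(line)
        when = _timestamp(match["time"]) if match else None
        if when:
            entries.append({"time": when, "level": match["level"],
                            "message": match["message"]})
        elif entries:
            # No timestamp prefix: this line continues the previous entry.
            entries[-1]["message"] += " " + line
    return entries


def restore_report(entries):
    """Map each component name to its state: queued for restore, or failed."""
    status = {}
    for entry in entries:
        added = ADDED_RE.match(entry["message"])
        if entry["level"] == "Verbose" and added:
            status.setdefault(added["name"], {"state": "queued"})
            continue
        failed = FAILED_RE.match(entry["message"])
        if entry["level"] == "Error" and failed:
            exc = EXCEPTION_RE.search(entry["message"])
            status[failed["name"]] = {
                "state": "failed",
                "event": failed["event"],
                "time": entry["time"],
                "exception": exc["type"] if exc else None,
                "detail": exc["detail"] if exc else None,
            }
    return status


def failed_objects(report):
    """Names of the components whose restore failed, sorted."""
    return sorted(name for name, info in report.items() if info["state"] == "failed")


if __name__ == "__main__":
    report = restore_report(parse_log(SAMPLE_LOG))
    for name in failed_objects(report):
        info = report[name]
        print(f'{info["time"]} {name} failed in {info["event"]}: '
              f'{info["exception"]}: {info["detail"]}')
```
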

Setting Up SharePoint Jobs

If you use SharePoint a lot in your organization, you’ll probably find that you’re consistently having to complete the same task over and over again. Some of these tasks include purging unused sites from site collections and creating backups. SharePoint Server allows you to schedule the many different tasks that you do on frequent occasions through timer jobs.

You can find a complete list of these jobs by going to the Timer Jobs area of the GUI of your SharePoint server, but Table 13.1 provides a partial list.

Note that in this table there are two tasks for each pool. Because I created a site earlier, the associated jobs for each site come up.


Table 13.1: SharePoint Jobs

Job | Pool | Schedule
Backup/Restore | N/A | One-Time
CEIP Data Collection | N/A | Daily
Change Log | Example | Daily
Change Log | SBS SharePoint | Daily
Config Refresh | N/A |
Database Statistics | Example | Weekly
Database Statistics | SBS SharePoint | Weekly
Dead Site Delete | Example | Disabled
Dead Site Delete | SBS SharePoint | Disabled
Disk Quota Warning | Example | Daily
Disk Quota Warning | SBS SharePoint | Daily
Immediate Alerts | Example | Minutes
Immediate Alerts | SBS SharePoint | Minutes
Recycle Bin | Example | Daily
Recycle Bin | SBS SharePoint | Daily
SharePoint Services Search Refresh | N/A | Minutes
Usage Analysis | Example | Daily
Usage Analysis | SBS SharePoint | Daily
Windows SharePoint Services Incoming E-Mail | N/A | Minutes
Windows SharePoint Services Update Distribution List Status | N/A | Minutes
Windows SharePoint Services Watson Policy Update | N/A | One-time
Workflow | Example | Minutes
Workflow | SBS SharePoint | Minutes
Workflow Auto Cleanup | Example | Daily
Workflow Auto Cleanup | SBS SharePoint | Daily
Workflow Failover | Example | Minutes
Workflow Failover | SBS SharePoint | Minutes


Most of these tasks are fairly straightforward by name (such as Disk Quota Warnings), but through the console you can navigate into each one and get a full description if you need it. As an example, the Recycle Bin name is rather nondescript, but with a little investigation, you can see that there is actually a Recycle Bin link in the Central Administration page, as shown in Figure 13.18. All this task does is empty the Recycle Bin for your applications.

Figure 13.18

Recycle Bin emptier

Editing Your SharePoint Site

Since no discussion of SharePoint Server would be complete without including some basic use of SharePoint, in this section I’ll walk you through some basic SharePoint usage that you might encounter in a small-business environment. I’ll discuss how to add links to the home page, customize the appearance of the site, and add new public documents for distribution across your enterprise.

Obviously, one of the first things you will want to do with any business, large or small, is to customize the appearance of your SharePoint web portal. To do this, you can click the Site Actions button in the upper-right corner of the screen, and then from the main menu select Edit Mode, as shown in Figure 13.19.

Figure 13.19

Site Actions menu

Once you’ve selected Edit Mode, it will load the Edit Mode screen modifiers; this allows you to add web parts, which are internal resources that can be added to your site’s web access area. If you click either of the two areas that will allow you to add a web part (the left and right areas), it will bring up a list that will allow you to add the following:

◆ Announcements: Messages on the home page

◆ Calendar: Calendars for group meetings

◆ Fax Center: A document library for managing and sending faxes

◆ Links: Links to web pages

◆ Pictures: Pictures

◆ Shared documents: Shared documents from the document library

◆ Tasks: Tasks lists

◆ Team discussions: Microblog-like newsroom discussions


Additionally, you can add miscellaneous web parts, like the following:

◆ Content Editors

◆ Forms

◆ Images

◆ Page Viewers

◆ Relevant Docs

◆ Site Users

◆ User Tasks

◆ XML

As an example, select Tasks and click Add. This will allow you to add new items to the newly appeared tasks area, as shown in Figure 13.20.

Figure 13.20

Tasks

Clicking Add New Item will let you fill in the fields shown in Figure 13.21 and add that web part to the home page.

Figure 13.21

Task fields

Notice that in Figure 13.21 there is an Address Book button that appears next to the Assigned To line. This integrates directly with Exchange Server and allows you to synchronize your whole organization! All you have to do is fill out the rest of the fields and click OK.


Overall, you can add a lot of customizability to your SharePoint Server site. It’s easy — and a little fun. Around the world, businesses use SharePoint as a collaborative portal to their internal information. In your own business or your consulting, you can use SharePoint to post company policies and increase workflow.

When you combine this feature with the many other features of Microsoft Small Business Server, you can see why SBS is truly one of the most powerful business tools available. Ultimately, both SharePoint and SBS can facilitate almost every business need . . . and do it exceedingly well.

The Bottom Line

Set up SharePoint/Companyweb Setting up SharePoint with Small Business Server enables you to take full advantage of your server. Without it, the server is nowhere near as powerful or versatile as it could be.

Master It To secure your SharePoint web portal, you should enable your server to publicly identify itself. How can you do this?

Administer SharePoint Administering SharePoint is the primary goal of this chapter and the primary goal of you as an administrator. From what you’ve learned, you should be able to enable SharePoint and back up your data appropriately. You should also be able to easily perform basic timer jobs and administer your jobs for your own purposes.

Master It Change the name of your Recycle Bin timer job definition to “Bin.”

Back up and restore SharePoint SharePoint backups allow you to specifically back up SharePoint data for later restorations.

Master It A SharePoint Server backup process fails with an error, and you have to troubleshoot it. How do you do that?


Appendix

The Bottom Line

Each of The Bottom Line sections in the chapters suggests exercises to deepen skills and understanding. Sometimes there is only one possible solution, but often you are encouraged to use your skills and creativity to create something that builds on what you know and lets you explore one of many possible solutions.

Chapter 1: Installing Windows Small Business Server 2008

Identify the requirements of Windows Small Business Server 2008 Review and memorize the server requirements for SBS 2008.

Master It What types of processors can be used to virtualize an install of SBS 2008?

Solution The basic processor requirements for Windows Small Business Server 2008 are as follows:

Processor 2GHz x64 or faster

Memory 4GB minimum, 32GB maximum

Disk space 60GB minimum

Install Windows Small Business Server 2008 Set up and completely install SBS 2008 on a partition of your creation and choosing.

Master It Install Windows Small Business Server 2008 so the server can access the Internet, download updates, and show all networking essentials as “in the green.”

Solution Upon completion, you will see all settings as “in the green.” Keep in mind that this may take up to 24 hours, because of updates being downloaded.

Chapter 2: Setting Up and Utilizing an SBS 2008 Network

Plan an SBS 2008 network installation Planning an SBS 2008 installation includes the process of deciding upon a subnet, preparing hardware network devices, and planning for expandability.

Master It Create a usable Class C subnet with more than 200 available addresses.

Solution Because of its ease of use, you can use the 192.168.0.X subnet or any derivative of the 192.168.X first three octet ranges. This is because any network with a 255.255.255.0 subnet will contain 252 usable addresses.


Configure SBS 2008 client computers for networking Planning an SBS 2008 installation includes the process of deciding upon a subnet, preparing hardware network devices, and planning for expandability.

Master It Establish a connection with SBS 2008, and ensure that computers can be added to the network with corresponding user accounts. This means that your network is ready to expand, along with the small business.

Solution Use the http://connect method to attach a computer to your server. This will bring up the Run The Connect Computer Program screen, which allows you to add a computer to the domain controller across the Internet. Alternatively, you can also use something like a jump drive to do this easily and without a lot of administrative overhead.

Use command-line networking commands Using the command line greatly enhances your ability to quickly diagnose technical network issues and expedite your process of troubleshooting network issues. To become an effective administrator, you need to be familiar with these commands.

Master It Use network commands to determine your DNS server, ping your DNS server, and trace the route to your server.

Solution If you are connected to an SBS server, your DNS server should be the address of the SBS server, your default gateway should be the address of your router, and the trace to it should be one hop. For example, on the default SBS installation, your DNS server should be 192.168.16.1, your gateway should be a random address like 192.168.16.10, and the route should be one hop.

Diagnose small network problems Even for the most seasoned administrator, small network problems can be a tremendous headache. Knowing how to quickly and easily solve these problems is key to saving you and your company time and effort.

Master It Set up a small business network with four different computers, each connected to your network through a switch. Then, take a spare Ethernet cable, cut five of the eight internal wires, and connect one of the computers to it — but don’t pay attention to the IP address or name of the computer. Go back to your SBS server, and determine which computer has been compromised.

Solution Back at your server computer, look at the list of authenticated computers in your SBS console. Then, use the Ping command to ping the name of each of these computers. See which one of these fails, and determine from that which of the computers is experiencing a network problem. Simulate resolving the problem by attempting to complete a file transfer, replacing your network cable, and trying it again.

Implement wireless networking Setting up a wireless network allows you to access network resources from anywhere in your SOHO environment. This is critical to maintaining a readily available and effective small business.

Master It Implement WPA2 security on the network with MAC filtering, if it is available. Then go by each of your computers, determine their MAC addresses, and add them to the access list.

Solution Conduct the same networking essentials from the “Use command-line networking commands” scenario without having your wired connection attached. Execute the Ping, Pathping, and Traceroute commands to see whether you are able to authenticate to the router without the proper MAC address and then with the MAC address. By doing this, you test the security of your network to see whether you can join the WPA2 connection with the standard user and password or whether you have to use the exact MAC address.

If for some reason you are unable to connect using either method, there is a chance that you may have written down the MAC address or the WPA key incorrectly. In that case, you can reattach the network cable, log in to the router, and check the information.

Chapter 3: Migrating and “Upgrading” to Small Business Server 2008

Set up and plan migration One of the oldest phrases in IT is referred to as the five Ps: proper planning prevents poor performance. It’s not only a little funny; it’s true. The first step of any planned migration is to plan. When you create your plan, you can break it down into areas involving your server, network, and objects. Furthermore, you can consider hardware purchases that will be required, implementation times and deployment periods that will be the most beneficial, and what would make your migration process the easiest.

Master It Develop a plan for a small business of 30 employees that requires the migration process to be done during business hours. The current network is running SBS 2003 and uses SBS 2003 as an ISA server. However, the ISA server is being replaced with a hardware firewall without proxy. Define any bottlenecks and potentially troubling concerns.

Solution There will most likely need to be some downtime because the server cannot be deployed with the same topology as an SBS 2003 network. You will need to arrange some slight downtime after you have migrated the information. However, the SBS 2003 server will not need to go down (optionally) until you have migrated the settings. Eliminating the ISA server is relatively easy. You are not required to migrate the ISA settings.

Create an answer file Answer files are XML documents designed to massively import settings from a source server to a destination server. Answer files can be generated from the source server by using the Windows Server toolkit.

Master It Create an unattended answer file that requires no user input until the migration process has been completed. Click the Install Now button at the Windows Server introduction, and see whether your installation is paused.

Solution Unattended installations can be performed through the SBS 2008 toolkit by selecting the Unattended Installation Process check box. Below, when the menu extends, the server’s DHCP, business information, and other important business information will need to be entered in order to proceed. Once complete, the XML file will be placed at a location of your choosing and can be exported to a USB flash drive.

Migrate objects Once the migration process has begun, the automated process will bring you to a wizard that allows you to complete the migration. This process is what actually migrates your settings and allows you to complete the wizard.

Master It Create an installation of SBS 2008, and compare the originating server to the destination server. Ensure that the destination server has the appropriate objects.

Solution Once the server has been migrated completely, the objects from the originating server will be identical to the objects in the second server. Each of the wizards will allow you to choose which objects you would like to migrate and which objects you would like not to migrate.

Chapter 4: Implementing a DNS Name Server and File Sharing with SBS 2008

Set up the Domain Name System The Domain Name System is a critical role in any Windows Server environment. Through proper use, it allows for user authentication, Internet name resolution, and critical server roles to function. Improperly operating DNS will result in slow, inefficient server operation and possibly authentication failure.

Master It Install DNS with static entries to four different servers or known Internet hostnames. Make two of these Internet hostnames resolve to correct addresses that will respond to pings, such as google.com, and make two of these addresses resolve to improper, uncommon names, such as Funny.TheDomainYouChose.com.

Solution You will need to open DNS Manager in SBS 2008 and create four static entries in your primary zone. Two of these entries should be to known sites, such as oldestdnsserver at 4.2.2.2 and google.com at 74.125.45.200. The other two should be made-up entries, such as funnyhahaha.com at 10.2.3.4. When you attempt to ping or traceroute to any of these entries with the command line after creating them in the primary zone, the first two names should receive replies from ping by the name you chose, and the second two should not respond at all.

Set up file sharing DFS allocation can create a central repository for users to share folders. To set up DFS, you will need to set up servers at multiple locations.

Master It Install DFS by sharing at least two folders through two different computers, and place them inside a namespace. Access this namespace through a client computer.

Solution First, you will need to install two different servers on two machines running a version of Windows Server 2003 or newer. Then, you will need to go to Administrative Tools > Distributed File System on your SBS 2008 server and run through the "new DFS root" system. The wizard will guide you through the steps necessary. Afterward, you should be able to access the shared folders from one location and not realize that they are contained on different computers. You will be able to access the share by entering the name of the DFS share in the Windows Explorer menu (with the name you set up in the DFS wizard).

Use the File Services Resource Manager The File Services Resource Manager is a new tool from Microsoft that enables you to select quotas and allocate filters to system resources. It allows you to carefully administer your file system without being concerned with whether the templates or restrictions you place on the server are working.

Master It Use the File Services Resource Manager to create a 250MB extended quota on your inetpub folder.

Solution Start the File Services Resource Manager by clicking the Start button and typing file services. Expand the Quotas Management area if it’s covered up, right-click the Quotas section on the left, and select Create Quota. Click the Browse button, navigate to your main drive, and select the inetpub folder. Then, from the drop-down menu, click 250 extended. Click OK.

Chapter 5: Configuring and Administering Active Directory with SBS 2008

Create organizational units Creating an organized OU infrastructure makes the experience of administering a server easier on administrator and user alike. With SBS 2008, this process has become easier than ever.

Master It Create a centralized hierarchy with two subtiers. This hierarchy should include departmental and role-based separation (Production/Managers). It should be robust enough that the structure could be replicated for all departments and subdepartments.

Solution Your structure should mirror a three-tier Active Directory structure and be ready to accept user accounts. You will need to create these OUs in the Active Directory Users And Computers tool, creating OUs within OUs without dragging. If you need to move an OU, you should right-click and select Move.

Understand FSMO roles FSMO roles are roles within SBS 2008 that allow you to specify administrative tasks throughout your business. These tasks include determining what server is allowed to control the schema of the forest (the schema master) and selecting the domain naming master. Through proper use, you can eventually upgrade your SBS environment to an even more complex environment.

Master It Suppose you have two servers in your environment that could each share FSMO roles. Decide which server would hold the schema master and why. Could you have two?

Solution You cannot have two schema masters because the FSMO rules dictate only one per forest, unless you have two forests. The schema master should be the server that is able to communicate most easily with new servers or clients that would be frequently added to the infrastructure. Faster switches and added visibility are important factors.

Create, delete, and manage objects Creating objects in Active Directory allows you to truly make an organization. Without objects, the process of having a server is pointless. You need to be able to easily create objects and place them within Active Directory.

Master It Create one user account and one computer account using the server graphical user interface. Then, create 10 user accounts and 10 computer accounts using the LDIFDE.exe import tool. Once you’ve done this, import these user accounts to one of the lowest tiers of your infrastructure.

Solution You will need to open Notepad, examine the user account syntax, and then specify the target OU. Then, you will have to run the tool successfully and examine your Active Directory user database to make sure the accounts have been imported.
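
The bulk import described above can be scripted instead of typed into Notepad. The following is an added example, not code from the book: it writes an LDIF file for 10 users and 10 computers and imports it with ldifde. The OU path, the C:\Import folder, and the tempuser/TEMPPC account names are assumptions; intellicorp.local is the sample domain this appendix uses.

```powershell
# Added example, not from the book. Assumed names: the OU path, C:\Import, and
# the tempuser*/TEMPPC* accounts. intellicorp.local is the appendix's sample domain.
$targetOu  = 'OU=Managers,OU=Production,DC=intellicorp,DC=local'  # assumed lowest-tier OU
$upnSuffix = 'intellicorp.local'
$workDir   = 'C:\Import'                                          # assumed working folder
$ldifPath  = Join-Path $workDir 'bulk-accounts.ldf'

function New-LdifRecord {
    # One LDIF "add" record: DN line, changetype, attributes, blank-line terminator.
    param([string]$Dn, [string[]]$Attributes)
    @("dn: $Dn", 'changetype: add') + $Attributes + ''
}

$records = @()
foreach ($i in 1..10) {
    $n = '{0:d2}' -f $i          # 01 .. 10

    # userAccountControl 514 = NORMAL_ACCOUNT (512) + ACCOUNTDISABLE (2).
    # LDIFDE cannot set unicodePwd over a plain (non-SSL) LDAP connection, so the
    # users are created disabled and must be given a password before being enabled.
    $records += New-LdifRecord "CN=Temp User $n,$targetOu" @(
        'objectClass: user',
        ('sAMAccountName: tempuser{0}' -f $n),
        ('userPrincipalName: tempuser{0}@{1}' -f $n, $upnSuffix),
        ('displayName: Temp User {0}' -f $n),
        'userAccountControl: 514'
    )

    # userAccountControl 4128 = WORKSTATION_TRUST_ACCOUNT (4096) + PASSWD_NOTREQD (32),
    # the usual value for a pre-created workstation account.
    $records += New-LdifRecord "CN=TEMPPC$n,$targetOu" @(
        'objectClass: computer',
        ('sAMAccountName: TEMPPC{0}$' -f $n),
        'userAccountControl: 4128'
    )
}

if (-not (Test-Path $workDir)) { New-Item -Path $workDir -ItemType Directory | Out-Null }
Set-Content -Path $ldifPath -Value $records -Encoding ASCII

# Import only where ldifde.exe exists (a domain controller such as the SBS server).
if (Get-Command ldifde.exe -ErrorAction SilentlyContinue) {
    & ldifde.exe -i -f $ldifPath -j $workDir     # -i import, -f input file, -j log folder
    if ($LASTEXITCODE -ne 0) {
        Write-Warning "ldifde reported an error; check ldif.err in $workDir"
    } else {
        # Verification step from the solution: both counts should be 10.
        $users = @(& dsquery.exe user $targetOu -samid 'tempuser*')
        $pcs   = @(& dsquery.exe computer $targetOu -name 'TEMPPC*')
        "Users in target OU: $($users.Count)  Computers in target OU: $($pcs.Count)"
    }
} else {
    "ldifde.exe not found; LDIF file written to $ldifPath for review."
}
```

Because the user accounts arrive disabled and without passwords, the import itself grants no logon access; each account still has to be given a password and enabled deliberately.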

Chapter 6: Configuring and Managing Groups and User Accounts with SBS 2008

Create users and security groups Creating users and security groups is the central focus point of an IT infrastructure. By creating users and groups, an entire business is virtually created through Windows Server. Security groups allow you to assign permissions and associate users with similar job roles.

Master It Create a nested group structure that contains an All Users group with four internal groups for the engineering, accounting, sales, and customer service departments. Place at least 20 users in all these groups, and attempt to "double nest" a user in the Sales and Engineering groups.

Solution You should have 20 users nested within four security groups, plus an All Users group.

Create distribution groups Distribution groups are used to distribute email and messages. Through a distribution group, you can receive external email and send internal messages.

Master It Create a distribution group for your infrastructure with a different email address than the name of the group. Attempt to send an email to this group.

Solution After you’ve created the security group, attempt to send an email to the security group, for example to [email protected]. Once this fails, create a distribution group, and send it an email (make sure that you set the group to receive email). Then, once you’ve confirmed that, create another email address in the distribution list. A user account in the distribution group should receive an email.

Create a permissions list for a group Permissions lists and access controls are the primary methods you use to affect the access of files throughout your infrastructure. They control the availability of files throughout the infrastructure and, if not done correctly, can compromise the entire infrastructure.

Master It Create a folder and assign permissions to only one security group, and then try to access this group from another account.

Solution Only one security group should be able to access the folder. Try to log on as a user from a different security group and attempt to access the folder. If you can’t, try another and verify that only this group can access it. If you can, recheck your permissions and try again.
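
Logging on as one test user after another only samples the permissions; reading the folder's access control list shows every entry at once. The following is an added example, not code from the book: it classifies each NTFS entry on a folder against the one group that is supposed to have access. The folder path, the Engineering group, and INTELLICORP as the NetBIOS name of the sample domain are assumptions.

```powershell
# Added example, not from the book. Assumed names: the folder path and the
# INTELLICORP\Engineering group (INTELLICORP as NetBIOS name of intellicorp.local).
$folder       = 'D:\Shares\Engineering'
$allowedGroup = 'INTELLICORP\Engineering'

# Principals present on most NTFS folders; reported separately rather than hidden.
$systemPrincipals = @('NT AUTHORITY\SYSTEM', 'BUILTIN\Administrators', 'CREATOR OWNER')
# Principals that cover every account in the domain, or more.
$broadPrincipals  = @('Everyone', 'BUILTIN\Users', 'NT AUTHORITY\Authenticated Users',
                      'INTELLICORP\Domain Users')

function Get-FolderAccessReview {
    # Returns one row per access control entry with a verdict column.
    param([string]$Path, [string]$Group)
    foreach ($ace in (Get-Acl -Path $Path).Access) {
        $who = $ace.IdentityReference.Value
        if     ($ace.AccessControlType -ne 'Allow')  { $verdict = 'Deny entry' }
        elseif ($who -eq $Group)                     { $verdict = 'Expected' }
        elseif ($systemPrincipals -contains $who)    { $verdict = 'System/admin' }
        elseif ($broadPrincipals -contains $who)     { $verdict = 'TOO BROAD' }
        else                                         { $verdict = 'Unexpected' }
        $ace | Select-Object @{Name = 'Verdict'; Expression = { $verdict }},
                             IdentityReference, FileSystemRights, IsInherited
    }
}

$review = @(Get-FolderAccessReview -Path $folder -Group $allowedGroup)
$review | Format-Table -AutoSize

# Entries that contradict "only one security group can access the folder".
$problems = @($review | Where-Object {
    $_.Verdict -eq 'TOO BROAD' -or $_.Verdict -eq 'Unexpected'
})
if ($problems.Count -eq 0) {
    'Only the intended group (plus system principals) holds Allow entries.'
} else {
    '{0} entries to remove or justify; inherited ones must be fixed on the parent folder.' -f $problems.Count
}
```

The NTFS list is only half of network access: the share permissions on the same folder apply as well, and a user who is nested into the allowed group through another group still gets in.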

Chapter 7: Managing Group Policy with SBS 2008

Create Group Policy objects Group Policy objects in Active Directory allow you to create a policy and link it to a location somewhere in Active Directory. GPOs are Active Directory objects and do not take effect unless they are linked; otherwise, they are just static objects.

Master It Create a Group Policy object that turns off crash detection for Internet Explorer.

Solution Open the Group Policy Management Console, right-click your domain, and select Create A New GPO And Link It Here. Name the GPO, right-click it, and select Edit. In the Group Policy Management Console, expand Computer Configuration, and then expand Administrative Templates\Windows Components\Internet Explorer. Double-click Turn Off Crash Detection, and select Enabled. Click Apply and then OK.

Link a Group Policy object to an Active Directory object Group Policy objects do not have any effect until they are linked. With Windows Server, you need to link an existing GPO to an area within Active Directory.

Master It Create a new GPO called Test, and leave it unlinked. Then, manually link Test to an OU in your directory infrastructure.

Solution Open the Group Policy Management Console, right-click Group Policy Objects, and select New. Name the object Test. Right-click an OU, and select Link An Existing GPO. Select your GPO, and then click OK.

Edit a Group Policy object Group Policy usually requires a great deal of maintenance. This is usually conducted through the Group Policy Management Console.

Master It Edit the Internet Explorer Crash Detection object to allow crash detection, and then enforce full-screen mode.

Solution Open the Group Policy Management Console, and right-click your Internet Explorer policy. Expand your Windows Components folder, and double-click Turn Off Crash Detection. Disable it, then double-click Enforce Full Screen Mode, and finally select Enabled.

Delete a Group Policy object Removing a Group Policy object involves deleting the object and any links associated with that object. Otherwise, there can be unresolved components of your Active Directory infrastructure.

Master It Remove the Test GPO link, and delete the Test GPO with no conflicts.

Solution Open the Group Policy Management Console, and expand your local domain (intellicorp.local or whatever you’ve chosen). There, select the Test GPO, press the Delete key, and click OK. Then, expand the Group Policy Objects folder, select the Test GPO, and press the Delete key. Click OK in the dialog box, and select Yes.

Chapter 8: Backing Up and Performing Disaster Recovery

Understand RAID RAID is used at the Small Business Server level to create a partitioned and redundant system in SBS 2008 that provides for backup in the case of a single or multiple hard drive failure. Through RAID, you can theoretically remove the need for any form of backup, but you do not remove backup methodologies because they’re necessary in the slight chance of an unrecoverable array failure.

Master It Choose a RAID installation method with Small Business Server that will provide for six disks, with a complete mirror of the array and each side of the mirror containing a parity bit.

Solution Remember, sometimes a combination of two different configurations is actually your best bet. Implement a RAID 5+1 system. With RAID 5 you will provide for a parity bit, and with RAID 1 you will provide a mirror. You can do this by either going to Disk Management and arranging your disks into two separate RAID 5 disks that are mirrored or using a hardware RAID device, but the important thing you take away from this chapter is the exact process involved with setting it up.

Recognize different backup media types Various types of backup media exist in the modern workplace, and choosing the right one for your situation is often a tough decision. There are network file shares, tape backup, network attached storage, and external disks, just to name a few. The right one depends on the application being used and the right time to use it.

Master It Choose a backup solution that is allowed to be degradable but is easy and cost effective to implement. Moreover, this backup solution has to be able to easily supply extra media, because of the need to have many different points of recovery, all for a low cost.

Solution Implement a tape backup solution using LTO. This method allows you to choose a backup implementation that is easy to implement and doesn’t cost too much. This way, you can easily swap out tapes based on your need and create extra points of backup.

Implement a backup strategy With SBS 2008, it’s easy and effective to create a backup strategy that not only works but is easily recoverable.

Master It Create a minimum requirement backup installation with SBS 2008, and implement it. This backup solution should enable you to recover in the case of a corrupted hard drive or the loss of a drive in a system array.

Solution Through the SBS Console, choose Backup And Recovery. Once you’ve done this, choose Configure Backup. With an attached USB drive, allow your main hard drive to complete a scheduled backup. After a few hours, the drive will be completely backed up.

Recover data After you’ve set up a backup system, as in the previous "Master It," you will need to know that the data can be recovered. All the backups in the world will do you no good if you don’t know how to take advantage of them in a small-business environment.

Master It Use the Windows SBS 2008 installation disk utility to completely recover with a bare-bones installation.

Solution Insert the SBS 2008 disk into the machine, and attempt to boot up. From the menu on the disk, choose Repair Computer. Follow the steps in the wizard, and choose the backup that you made. Once you’ve chosen the backup, choose to format the installation and restore the server from the ground up. Once you’re done, you’ll be sure that you know how to back up your server, even if the absolute worst should happen.

Chapter 9: Remote Access, Security, and Adding Servers with SBS 2008

Deploy a second server to your environment A second server in your environment allows you to offset common tasks, such as adding SQL Server to a dedicated environment.

Master It Set up a second server to offset a dedicated application from your SBS 2008server.

Solution Here are the steps:

1. Install a Windows Server 2003 or Windows Server 2008 server.

2. Join the Windows Server to the SBS server using http://connect.

3. Move the new server to the SBS Server’s OU.

Set up Remote Web Workplace access Remote access, in all its forms, is a critical part of your infrastructure. Through it, you can enable your employees to access the system resources from a distance. The Microsoft-recommended method is to set up the Remote Web Workplace, a website that consolidates all the remote components of Windows access.

Master It Set up the Remote Web Workplace, and add a computer to the access pool that you can access via the Remote Web Workplace site.

Solution Here are the steps:

1. Install a new version of Windows on a client computer.

2. Use http://connect to connect the computer to the SBS 2008 domain.

3. Set up the Remote Web Workplace in the console by selecting the Websites tab.

4. Ensure the firewall allows remote web access for the Remote Web Workplace.

5. Access the Remote Web Workplace site.

6. Enter your credentials, and then click Remote Access.

Set up a VPN connection Virtual private networks allow you to connect to your SBS server through a secure channel that allows you to communicate with your network resources as if they were locally available. Using a VPN allows you to be safe, secure, and efficient. You should know how to enable this for your users.

Master It Set up a simple PPP VPN network connection and nest one of your security groups (e.g., the Sales security group) inside the remote access users. Attempt to connect.

Solution Here are the steps:

1. Launch the SBS console.

2. Select the network tab, then the connectivity tab.

3. Select configure Virtual Private Network from the tasks menu.

4. Select "allow users to connect to the server by using a VPN," and then click Next.

5. Allow the wizard to configure your firewall.

6. Add your security group to the Remote Users group.

Chapter 10: Configuring Exchange Server 2007 for Small Business

Understand the components of Exchange Server To properly administer Exchange Server for a small business, you need to know what controls Exchange Server and how to use it. With Exchange Server, you can control an entire messaging architecture that is rather complex.

Master It One of the components of the Exchange Server infrastructure is PowerShell. How can you use PowerShell to set a quota of 100MB on a mailbox?

Solution PowerShell is a component of Exchange Server that is used to manually execute commands and scripts through a command-like infrastructure. To retrieve a mailbox and set a quota, you would execute the following command:

Get-Mailbox "Domain\User" | Set-Mailbox -ProhibitSendQuota 100MB

Understand Exchange Server roles To properly administer Exchange Server for a small business, Exchange Server 2007 has implemented new roles and functions. These five roles are Client Access, Hub Transport, Mailbox, Unified Messaging, and Edge Transport. Before Exchange Server 2007, these roles either did not exist or were named differently.

Master It Create or draw a picture that illustrates what the server placement would look like for a company using the full version of Exchange Server 2007 in a LAN environment, with each server holding a role. Show where each server would be placed in reference to the firewall.

Solution Your system should look similar to the graphic shown here.

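[Figure: Exchange Server 2007 role placement relative to the firewall. Labels in the graphic: Internet, Firewall, Edge Transport Component, Hub Transport Component, Unified Messaging Component, Mailbox Component, Client Access Component, Mailbox Store, Outlook Web Access Clients, Outlook Clients.]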

Chapter 11: Managing Clients, Troubleshooting, and Recovering from Disaster with Exchange for SBS

Set up Exchange Server clients You need to learn how to set up Exchange Server clients in order to properly administer your SBS 2008 server. You can do this by creating mailbox and user accounts.

Master It Use the Exchange Management Console to add a mailbox user and an account in Active Directory for John Smalls.

Solution Here are the steps:

1. Open the EMC.

2. Expand Recipient Configuration.

3. Select Mailbox.

4. Click New Mailbox.

5. Select User Mailbox. Click Next.

6. Click Next.

7. Enter the username and logon.

8. Enter the user storage group.

Diagnose mailflow issues Diagnosing a mailflow issue is a major component of becoming an administrator with Exchange Server. Through this, business owners can count on you being able to fix any issue at any time that may arise.

Master It A mail server has stopped mailflow, and the hard drive shows zero space. What should you do?

Solution Here are the steps:

1. Check to see whether the log files have become too large in Exchange Server’s Program Files menu.

2. If the log files are too large, purge them.

3. If the log files are not too large, check the size of the information store.

4. If the store is too large, convert some data to PSTs or reduce user mailbox sizes.

Back up Exchange Server 2007 You need to be able to restore Exchange Server 2007 at a whim, regardless of what may occur in your organization. Otherwise, disaster could strike at any time, and you would be without any way to compensate for it.

Master It Create an Exchange Server recovery group to restore from.

Solution Here are the steps:

1. Start the Exchange Database Recovery Management tool from the EMC Toolbox.

2. Enter your server name, and label it as a recovery group.

3. Click Next.

4. Click Create A Recovery Storage Group.

5. Select your first storage group (or the primary storage group you’re operating with).

6. Click Next, give the group an alternative name if you’d like, and then click Create The Recovery Group.

7. Go back to the task center.

Chapter 12: Introducing SQL Server

Install and configure SQL Server To use SQL Server, you must first install it. But installing SQL Server is not simply a matter of inserting the installation disc and clicking through the installation routine; it involves making decisions about which features of SQL Server to install, what accounts you want it to run under, and where it should be installed.

Master It What are the minimum SQL Server features you should choose to install?

Solution Database Engine Services, SQL Server Books Online, and Management Tools. At a minimum, you’ll need to install Database Engine Services and the management tools. You can verify that everything is installed by launching SSMS and connecting to the instance of the server that you just installed.

Use SQL Server The first step in using a SQL Server database is to create it, and you can do this easily with the SSMS or with Transact-SQL.

Master It Using SSMS, create a new database, named Accounts, that includes a table named Locations.

Solution Here are the steps:

1. In the Object Explorer, right-click Databases, and choose New Database.

2. In the Database name field, enter Accounts, and then click OK.

3. In the Object Explorer, right-click Tables, and choose New Table.

4. Create at least one table column, and then click Close. This will open a window where you can name your table.

Administer SQL Server The most basic and perhaps most important of SQL Server administrative tasks is to create an effective and robust backup and restore routine. As with most things in SQL Server, you can do this using SSMS or Transact-SQL.

Master It Back up a SQL Server database using SSMS.

Solution Here are the steps:

1. Expand the Databases item in the Object Explorer.

2. Right-click the database that you want to back up.

3. In the context menu that appears, select Tasks and then Back Up.

4. Set the destination path that your backup will use. The destination is set to back up to disk in the following default path: C:\Program Files\Microsoft SQL Server\MSSQL10.MSSQLSERVER\MSSQL\Backup\.

5. Click OK to start the backup.

After running your backup, verify that the backup was made by viewing the backup files created at the destination path that you specified.

Chapter 13: Using SharePoint with Your Small Business Server

Set up SharePoint/Companyweb Setting up SharePoint with Small Business Server enables you to take full advantage of your server. Without it, the server is nowhere near as powerful or versatile as it could be.

Master It To secure your SharePoint web portal, you should enable your server to publicly identify itself. How can you do this?

Solution Enable your SharePoint server to utilize a security certificate. A security certificate both encrypts data and allows your server to publicly identify itself with a unique certificate.

Administer SharePoint Administering SharePoint is the primary goal of this chapter and the primary goal of you as an administrator. From what you’ve learned, you should be able to enable SharePoint and back up your data appropriately. You should also be able to easily perform basic timer jobs and administer your jobs for your own purposes.

Master It Change the name of your Recycle Bin timer job definition to "Bin."

Solution

1. Navigate to your SharePoint server central administration page.

2. Select Operations.

3. Select Timer Job Definitions.

4. Click Recycle Bin.

5. Change the name of the job title to "Bin."

6. Press OK.

This will change the name of your timer job.

Back up and restore SharePoint SharePoint backups allow you to specifically back up SharePoint data for later restorations.

Master It A SharePoint Server backup process fails with an error, and you have to troubleshoot it. How do you do that?

Solution Here are the steps:

1. Open the logs.

2. Search the logs for errors.

3. See whether the error was based upon communication or security.

4. Fix the communication or security error.

5. Retry the backup.

Index

A
A records (host records), 85, 87, 88, 89, 90, 92
ABCD blocks, 210
access
  control panel, 173, 177, 180, 182, 183, 184
  security v., 254
access control lists. See permission lists
Account Operators group, 148
Acknowledge process (DHCP), 32
Active Directory, 115–141. See also Group Policy objects; groups
  GPOs and, 172
  Group Policy and, 171
  MCTS Windows Server 2008 Active Directory Configuration Study Guide, 123
  objects
    computer, 119, 153
    contact, 119, 153
    creating, 133–140
    group, 119, 153
    InetOrgPerson, 119, 153
    large object actions, 135–140
    msExchDynamicDistributionList, 153
    MSMQ Queue Alias, 119, 153
    printer, 119, 153
    types, 118–119
    user, 153
  Open Active Directory Users And Computers Snap-In, 152–153, 155, 157, 159, 160, 161
  organizational units, 117, 118, 119, 122–133
    creating, 123–125, 140–141
    delegating, 128–130
    deleting, 127
    design, 123
    dividing for power (example) and, 131
    grouping/subgrouping, 131–133
    inheritance and, 127
    managing, 125–127
    renaming, 127
    security groups v., 153
  SBS migration and, 65, 68–70
  sites, 116
Active Directory Domain Services Installation Wizard, 223
Active Directory Domains And Trust Snap-in, 65, 66
ActiveSync, 252, 253, 254, 263, 274–275
Add A New Site Wizard, 335
Add Exchange Administrator Wizard, 261
Add Role Services Required For HTTP Proxy dialog box, 272
addresses. See IP addresses
AddUserWizard, 76
Admin Tools Group, 149
administration models (SMB), 119–120
Administrators group, 148
ADMX templates, 183, 184
ADPREp.exe tools, 69
ADSL (asynchronous digital subscriber line), 48
Advanced Encryption Standard (AES), 226
Advanced Security Settings dialog box, 166
AES (Advanced Encryption Standard), 226
AFS (Andrew File System), 206
alerts, 20
alias records, 86, 89
/all, 45
ALTER, 310
Amdahl, Gene, 218
Amdahl’s law, 218
Analysis Services (SSAS), 295
Andrew File System (AFS), 206
answer files, 70–71, 78
antivirus protection
  Barracuda and, 249
  email and, 248
  firewalls and, 60, 63
  Forefront Security for Exchange Server and, 13
  Hub Transport server and, 249
  Live OneCare for Servers and, 4, 12, 13, 18, 19, 20
  Monitor Executable and System Files template and, 102
  Ninja Blade and, 249
  Public folder and, 94
  Security Configuration and, 335, 337
  settings (Central Administration), 338
anycast address, 31
APIPA (Automatic Private IP Addressing), 27–28, 30
Application Created screen, 336
application filters, 9
Application Management, 333
Application Mode (Terminal Services), 4
application pools, 273, 335, 340, 341
archived data, 326
areas, 116. See also sites
asymmetric encryption, 228
asynchronous digital subscriber line (ADSL), 48
Authenticated Users (special identity group), 147
authentication
  ActiveSync Security and, 275
  DNS and, 83, 113
  NTLM, 273, 335
  RDP and, 234–236
  remote, 230
  RPC over HTTP and, 273
  RWW and, 240
  second server and, 221
  SharePoint and, 328, 335
  SQL Server and, 302, 307
  VPNs and, 230, 231
  Windows, 307, 336
Automatic Private IP Addressing (APIPA), 27–28, 30
availability, 46, 47, 164, 170, 219

B
Back up Group Policy object dialog box, 187, 188
Backup and Restore, 338–343, 347–348
Backup Operators group, 148
Backup Schedule Wizard, 210, 211
backups, 195–216. See also recovery
  databases, 318–321
  differential, 209–210, 318
  Exchange Server, 208, 211, 280–285, 290
  full, 209, 318
  GPOs, 187–188
  incremental, 209–210
  media types, 201–208, 216
    direct attached storage, 208
    external disks, 201–203
    FireWire, 201–202
    NAS, 5, 205, 206–208, 216
    SANs, 205–206, 207–208
    tape backup systems, 201, 203–205
    USB, 202–203
  Networking Essentials Summary screen and, 18–19
  NTBACKUP utility and, 55, 58, 212, 280
  RAID and, 195–201
  rotation and, 210
  SBS migration and
    critical files, 55–57
    Exchange Server data, 57–58
  SharePoint Server, 330–331, 338–343
  SQL Server database, 318–321
  strategies, 195, 208–212, 216
    critical business data, 208
    Exchange Server/SQL, 208, 211
    unsorted files, 208, 212
    Windows NT data, 208, 209
  transaction log, 318, 319
Bacon, Francis, 225
Barca, 270
bare-bones recovery, 212–216
Barracuda, 249
Bat, 270
Best Practices Analyzer (BPA), 67
blocks, ABCD, 210
blowfish, 227
Books Online (SQL Server), 295, 300, 304, 310
BPA (Best Practices Analyzer), 67
broadcast domain, 27, 28
built-in groups, 147–149
bulk-logged recovery, 318

Ccable modems, 48, 63Calypso, 270categorization, 248–249

Page 393: Mastering Microsoft Windows Small Business Server 2008

CATEGORIZER • CREATOR/OWNER (SPECIAL IDENTITY GROUP) 365

categorizer, 248, 249, 286, 287
Central Administration (SharePoint), 332–334
    Application Management, 333
    Home, 332
    Server Operations, 332, 337
centralized administration method, 119–120
Certificate Service DCOM Access group, 148
Certificate Services, 79, 148
certificate-based private key encryption, 230
Change Group Membership screen, 163
checkpoint files, 276–277
Chellis, James, 123
child domains, 4, 92
chkdsk, 214
CIA (confidentiality, integrity, availability), 164
ciphers, 225–226. See also encryptions
    Bacon’s, 225
    encryptions and, 225–226
    Lucifer, 227
    ROT13, 225–226
circular logging, 279–280
Client Access (EMC)
    server role, 252–253
    tasks, 263–264
client operating systems, 5
clients (Exchange Server clients), 269–270
clusters, 218–222
    alternatives to, 220–222
    failover, 219–220
    member servers and, 220–221
    NLB, 219
cmd.exe commands, 266
cmdlets, 3, 250
CNAME record types, 86, 89
collaboration, 326
collision domains, 27
command-line
    interface (EMS), 265
    tools, 45–46, 52
commands. See also specific commands
    chkdsk, 214
    cmd.exe, 266
    cmdlets and, 3, 250
    CSVDE.exe, 140
    Ctrl+Alt+Delete, 15
    Dcdiag.exe, 68
    EMS, 266–268
    Get-ExchangeServer, 267
    Get-Mailbox Domain/User, 267
    ipconfig, 45, 234, 266
    LDIFDE.exe, 136–140
    nslookup, 45, 46
    Pathping, 45–46
    ping, 45, 46, 52
    Repadmin.exe, 68
    services.msc, 285, 328, 337
commodity network, 218
Compact edition (SQL Server), 292
Company Information screen, 10, 11
Companyweb, 62, 76, 77, 326, 328, 329–330, 347
component object model API, 251. See also MAPI
computer accounts (SBS networks), 36–44
    manual joining of, 44
    portable content, 40–44
    web activation, 37–40
computer objects (Active Directory), 119, 153
confidentiality, integrity, availability (CIA), 164
configuration
    SharePoint Server, 329–332
    SQL Server, 296–306, 323
Configuration Manager (SQL Server), 317, 318
Configure Email And Internet Connection Wizard, 62
Connect Computer program, 34, 37, 38, 39
connectivity issues, 47–48
Console Wizard, 34
contact objects (Active Directory), 119, 153
continuous replication, 280
continuous replication circular logging, 280
control panel access/removal, 173, 177, 180, 182, 183, 184
Corporate_Sales group
    creating, 153–155
    nested group in, 155–157
corrupted database recovery, 284
CREATE, 310, 312
Create New Web Application action button, 334
CREATE TABLE, 312
Creator/Owner (special identity group), 147
critical business data (backup strategy), 208
Crosby, Justin, 209, 210
cryptographic operations, 148, 225. See also encryptions
Cryptographic Operators group, 148
CSVDE.exe, 140
Ctrl+Alt+Delete, 15
customer tracking, 326
Customers (database)
    backing up, 318–321
    creating, 310–312
    moving, 321–323
    tables
        creating, 312–315
        data insertion, 315–316
        data viewing, 316–317

D

DAT (digital audio tape), 203
data archival, 326
Data Definition Language (DDL) statements, 310
Data Encryption Standard (DES), 227
Data Manipulation Language (DML) statements, 310
data types, 312–313
database administration (SQL Server), 294
database engine, 292, 294
Database Engine Services, 300, 301, 302, 307, 317
database (.edb) files, 276
database mail (SQL Server), 294
Database Maintenance Plan Wizard, 320
database management (SQL Server), 294
Database Troubleshooter, 259
databases (relational databases). See also Customers; tables
    backing up, 318–321
    corrupted, recovery of, 284
    creation
        with SQL Server, 310–312
        with SQL Server Express, 293–294
    defined, 291
    moving, 321–323
    OLAP, 295
    recovery. See recovery
Data-Link layer, 27
Dcdiag.exe, 68
DCPROMO tool, 77, 223
DDL (Data Definition Language) statements, 310
decentralized administration method, 119
decentralized locations (SANs/NAS), 205
decentralized store concept (DFS), 103
decryption, 225, 227. See also encryptions
default groups, 146–150
default security groups, 149
default shares, 94–98
Delegation Of Control Wizard, 128, 130
DELETE, 310
delivery (Hub Transport server role), 249–250
deployment
    deployment phase (Group Policy), 179–180
    software deployment (Group Policy), 189–191
DES (Data Encryption Standard), 227
design models (SMB), 119–120
design stage (Group Policy), 175–179
DFS (distributed file system), 103–110, 113, 189, 191
    Group Policy software deployment and, 189
    limitations, 104
    management, 108, 109
    namespaces, 101, 103, 104, 105, 107
    replication groups, 104, 108–110
    setting up, 105–108
    supported systems for, 104
DHCP (Dynamic Host Configuration Protocol), 32–34
    pools, 28, 32, 33
    shorter licenses for, 61
diagnosing network problems, 46–48, 52
dialog boxes
    Add Role Services Required For HTTP Proxy, 272
    Advanced Security Settings, 166
    Back up Group Policy object, 187, 188
    Extract Compressed (Zipped) Folders, 330
    Folder redirection properties, 95, 96
    functional level, 66
    Home Page, 239
    Move, 127
    New Object–Computer, 133, 134
    New Object–Printer, 135
    Prohibit Access To The Control Panel, 183
    Properties, 154, 156, 158, 160, 232, 235
    Remote Web Workplace Properties, 242
    Site Bindings, 328
    Software Installation Properties, 190, 191
    System Properties, 235
    Windows Credentials, 224
differential backups, 209–210, 318
digital audio tape (DAT), 203
direct attached storage, 208
disasters. See also recovery
    Exchange Server backups and, 57, 290
    functional levels and, 65
    security risks and, 163
    SQL Server database backups and, 318
discover, offer, request, acknowledge (DORA), 32
Discover process (DHCP), 32
Disk Operating System (DOS), 45, 79
disks
    dynamic, 196
    external, 201–203
    simple, 196
Distributed COM group, 148
distributed file system. See DFS
distribution groups
    administering, 162–163
    creating, 160–162, 170
    as filter, 164
    naming convention, 144
DML (Data Manipulation Language) statements, 310
DNS (Domain Name System), 79–93, 113
    anatomy of, 80–81
    importance of, 83–84
    login problems, 44
    manual entries, 81–82
    queries, 84–85
    records, 85, 87–93
        alias, 86, 89
        CNAME, 86, 89
        creation, 90–92
        host (A), 85, 87, 88, 89, 90, 92
        MX, 89–90, 92–93, 246
        name server, 88–89
        PTR, 85, 88, 89
    resolution process, 82–83
    zones, 80, 85–87
DNS client, 83
DNS resolvers, 83
DNS server, 83
document collaboration, 326
document services, 326
Domain Controller, Read-Only, 6
domain controllers, 223–224
Domain Controllers container, 180–181
domain functional levels, 65
domain local groups, 145, 146, 147, 150, 151
Domain Name System. See DNS
domain namespaces, 80, 117
domain naming master, 121
domain operations masters, 120–121
domain-based namespaces, 104, 105
domains (Active Directory), 117–118
DORA (discover, offer, request, acknowledge), 32
DOS (Disk Operating System), 45, 79
DOs (dumb operators), 33–34
drives, mapped, 40, 50, 93, 193
DROP, 310
DSL, 63
dumb operators (DOs), 33–34
dynamic, 32
dynamic addressing, 28
dynamic disks (RAID), 196
Dynamic Host Configuration Protocol. See DHCP

E

Edge Transport server role, 255
80 port (HTTP traffic), 62, 206, 237, 238, 328
802.11 standard, 49
8080 port, 206
email. See also Exchange Server 2007
    external access to, 271–273
    migration, to Exchange Server 2007, 67
    remote access to, 271–273
    routing with, 249
    viruses and, 248
EMC. See Exchange Management Console
employee performance reports, 326
EMS (Exchange Management Shell), 265–268
Enable Outlook Anywhere Wizard, 273
encryptions, 224–228
    AES, 226
    asymmetric, 228
    blowfish, 227
    ciphers and, 225–226
    DES, 227
    IDEA, 227
    PGP, 226
    private key, 228, 230, 235
    public key, 228, 275
    RC4, 50
    RC5, 27
    RSA, 62, 227, 275
    symmetric, 228
    TKIP, 50, 227
    triple DES, 227
ENIAC, 218
Enterprise edition (SQL Server), 293
Entourage, 270
errors, SMTP, 287–289
Eudora, 270
Event Log Readers group, 148
Everyone group (special identity group), 147
Exchange Management Console (EMC), 256–265
    Exchange administrator added with, 261–262
    mailbox tasks, 262–263
    Toolbox
        disaster recovery section, 259
        mail flow analysis section, 259–260
        performance section, 260–261
Exchange Management Shell (EMS), 265–268
Exchange Server 2007 (Microsoft), 2, 245–290
    backups, 208, 211, 280–285, 290
    clients, 269–270
    components, 245–268
    limitations, 245–246
    migration (Exchange Server 2003 to 2007)
        updates/preparation process, 72
        user email, 67
    server roles, 248–255, 268
        Client Access, 252–253
        Edge Transport, 255
        Hub Transport, 248–250
        Mailbox, 250–251
        Unified Messaging, 253
    storage recovery group, 282–283
Express edition (SQL Server), 292, 293–294
extensible shell support (EMS), 266
external access, to email, 271–273
external disks, 201–203
Extract Compressed (Zipped) Folders dialog box, 330

F

failover clusters, 219–220
farms, 332, 333, 337, 338, 339
Fax Administrators (security group), 149
Fax Users (security group), 149
Feistel structure, 227
fiber connections, 48, 63
file permissions, 165–170
file recovery, 212
File Screen Policy screen, 101
file screening policy templates, 102
File Server Resource Manager (FSRM), 110–113
file sharing, 93–102, 113
File Transfer Protocol (FTP), 50, 52, 62
filters
    distribution groups as, 164
    time zone and, 9
Financial Institution Privacy Protection Acts, 256
Financial Modernization Act (Gramm-Leach-Bliley Act), 256
firewalls
    high-end, 63–64
    Live OneCare for Servers, 4, 12, 13, 18, 19, 20
    migration and, 62–63
    routers and, 26–27, 63
    selecting, 63–64
    switches and, 27, 63
    WatchGuard, 63, 230
FireWire, 201–202
5 Ps (proper planning prevents poor performance), 78, 179
flexible single master operations (FSMO) roles, 4, 115, 120–121, 141
/flushdns, 45
folder redirection (default share), 95–98
Folder Redirection Accounts (security group), 149
Folder redirection properties dialog box, 95, 96
folder sharing, 170. See also DFS; shares
folders
    permissions, 165–168
    security group added to, 169–170
    sharing, 170
Forefront Security for Exchange Server (Microsoft), 2, 4, 12, 13
forest functional levels, 65
forest operations masters, 121
forests (Active Directory), 117
48 bit ISP Portion, 31
forward lookup zones, 87
443 port (HTTPS traffic), 62, 206, 237, 328
444 port (SharePoint Companyweb), 62
4125 port (Remote Web Workplace), 63, 238
4150 port, 238
4721 port, 332
free trials, 3, 5
frequencies/speeds (wireless networking), 49–50
FSMO (flexible single master operations) roles, 4, 115, 120–121, 141
FSRM (File Server Resource Manager), 110–113
FTP (File Transfer Protocol), 50, 52, 62
full backups, 209, 318
Full Control (permission), 165
full recovery, 318
Full-Text Search (SQL Server), 292, 295
functional levels, 65–66
FuzzyKitties, 225, 226

G

Gadget (RWW), 241
get-ExchangeServer, 267
get-Mailbox Domain/User, 267
Getting Started Tasks, 20–22
global groups, 146
GlobalNames zones, 86
GPMC. See Group Policy Management Console
GPOs. See Group Policy objects
gpupdate command, 187
Gramm-Leach-Bliley Act (Financial Modernization Act), 256
green alerts, 22, 23
group filtering, 186
group layouts, 151–152
group objects (Active Directory), 119, 153
Group Policy, 171–194
    Active Directory and, 171
    administering, 173–188
    deployment stage, 179–180
    design stage, 175–179
    history of, 171–172
    links, 172, 173, 185–186, 194
    objectives, 174, 177–178
    planning stage, 174–175
    preferences, 191–193
    propagation, 187
    purpose and, 174
    reasons for usage, 172
    results, 193
    Results Wizard, 193
    roll out stages for, 174
    settings, 72, 185, 187, 189, 191, 192, 222
    snap-in, 172, 173
    software deployment, 189–191
    special uses of, 189–191
    system policies v., 171–172
Group Policy Management Console (GPMC), 172–173, 178
    folder redirection and, 96–97
    GPO creation with, 180–184, 193
    Group Policy snap-in and, 173
Group Policy objects (GPOs), 172–173
    backing up, 187–188
    creating, 180–184, 193
    deleting, 185, 194
    editing, 185–186, 194
    links, 172, 173, 185–186, 194
    loopback processing, 186–187
    maintaining, 184–188
    scope, 177, 186
    starter, 184
Group Policy Objects container, 180
group scopes, 145–146, 159–160
group strategy, 150–151
grouping/subgrouping OUs, 131–133
groups. See also specific groups
    built-in, 147–149
    Corporate_Sales
        creating, 153–155
        nested group in, 155–157
    creating, 152–157
    distribution groups
        administering, 162–163
        creating, 160–162, 170
        as filter, 164
        naming convention, 144
    domain local, 145, 146, 147, 150, 151
    enabled, for VPNs, 232
    global, 146
    local, 150
    memberships, 146, 147
    nesting, 150
    security groups, 143–144
        added to folder, 169–170
        administering, 157–160
        default, 149
        file permissions, 169–170
        naming convention, 144
        OUs v., 153
        removing, 159
    special identity, 147
    strategy, 150–151
    structure of, 143–150
    universal, 145–146
    user
        creating, 170
        defined, 147
        renaming, 157–159
Guests group, 148

H

hardware RAIDs, 196, 197
Health Insurance Portability and Accountability Act of 1996 (HIPAA), 256
HIPAA (Health Insurance Portability and Accountability Act of 1996), 256
Home (Central Administration), 332
Home Page dialog box, 239
host records (A records), 85, 87, 88, 89, 90, 92
HOSTS file, 81–82
HTTP (Hypertext Transfer Protocol), 272
    port 80 and, 62, 206, 237, 238, 328
    RPC and, 271–273
HTTPS
    port 443 and, 62, 206, 237, 328
    SSL and, 272
Hub Transport server, 249
Hub Transport server role, 248–250
hybrid administration method, 119
hybrid RAID, 198, 200–201
Hypertext Transfer Protocol. See HTTP
Hyper-V, 222–223

I

ICANN (Internet Corporation for Assigned Names and Numbers), 31
ICMP (Internet Control Message Protocol), 45, 46
IDEA (International Data Encryption Algorithm), 227
IIS (Internet Information Services)
    OWA and, 273, 274
    Remote Web Workplace pool, 238
    Reset Internet Information Services setting, 336
    SharePoint Server and, 326–327
    web pool, 219, 273
    Web Site, 334–335
IIS reset, 336
IIS_IUSRS group, 148
images, 59
IMAP4 (Internet Message Access Protocol), 246, 252, 254, 263, 271
Improved Proposed Encryption Standard (IPES), 227
“in the green,” 22, 23
Incoming Forest Trust Builders group, 148
incremental backups, 209–210
InetOrgPerson, 119, 153
infrastructure master, 121
inheritance
    GPOs and, 176–177
    OUs and, 127
INSERT, 310, 315
installation
    SBS 2008, 6–9
        customization, 9–14
        in migration mode, 72–78
        Server Core, 6, 223
        twice, 22
        types, 6
    SQL Server, 296–306, 323
    SQL Server service pack, 304–306
Integration Services. See SSIS
integrity, 164
Interactive Users (special identity group), 147
interforest trusts, 4
International Data Encryption Algorithm (IDEA), 227
Internet Control Message Protocol (ICMP), 45, 46
Internet Corporation for Assigned Names and Numbers (ICANN), 31
Internet Information Services. See IIS
Internet Message Access Protocol. See IMAP4
Internet Security and Acceleration (ISA) server, 5, 54, 78
Internet service providers. See ISPs
interoperability, 175, 218
inverse queries, 85
IP addresses
    addressing techniques (IPv4), 27–34
    APIPA, 27–28, 30
    dynamic, 28
    IPv6 ranges, 29–30
    IPv6 types, 31–32
    manual, 28
    mapping, to domain name, 85
    multicast, 31
    prefixes, 31
    ranges, 28–29
    reserved, 29, 30
    scheme, migration and, 64
    static, 28
    unicast, 31
ipconfig, 45, 234, 266
IPES (Improved Proposed Encryption Standard), 227
IPv4, 27
    address ranges, 28–29
    addressing techniques, 27–34
IPv6, 27
    address ranges, 29–30
    address types, 31–32
    anatomy, 30–31
ISA (Internet Security and Acceleration) server, 5, 54, 78
ISPs (Internet service providers)
    connectivity issues, 48
    48 bit ISP Portion (IPv6), 31
    inverse queries and, 85
    recursive queries and, 84
iterative queries, 84

J

jobs. See timer jobs
journal rule scope, 256
journaling, 255–256
    agents, 248, 250, 255, 256
    mailbox database and, 264–265

K

keep it simple, stupid (KISS rule), 271
Kerberos, 335
KISS rule (keep it simple, stupid), 271

L

Lai, Xuejia, 227
large object actions (Active Directory), 135–140
layouts, group, 151–152
LDIFDE.exe, 136–140
leases (DHCP), 33
Leibaschoff, Damian, 209, 210
licenses/licensing
    DHCP, 61
    Group Policy software deployment and, 189
    SBS Premium and, 4
    SQL Server, 296
    Terminal Services, 72
linear tape open (LTO), 203–205
Link Users (security group), 149
links (Group Policy), 172, 173, 185–186, 194
links list (RWW), 239
List Folder Contents (permission), 165
Live OneCare for Servers, 4, 12, 13, 18, 19, 20
Load Balanced URL setting, 335
load balancing, 219, 220
local domain. See domain local groups
local groups, 150
logging
    bulk-logged recovery, 318
    circular, 279–280
    log files, 276
    transaction log backups, 318, 319
    transaction logging, 277–279
logical partitions, 196
loopback processing, 186–187
Lowe, Scott, 263
LTO (linear tape open), 203–205
Lucifer cipher, 227

M

MAC (Media Access Control), 27, 30, 52
mail exchanger (MX) records, 89–90, 92–93, 246
Mailbox (EMC)
    server role, 250–251
    tasks, 262–263
mailbox database/journaling, 264–265
mailflow
    Hub Transport server role and, 248–249
    issues, 285
    overview of, 285–286
MailFlow Troubleshooter tool, 259
Maintenance Plan Wizard, 321
Management Console. See Exchange Management Console; Group Policy Management Console; MMC
Management Studio. See SSMS
manual addressing, 28
manual DNS entries, 81–82
MAPI (Messaging Application Programming Interface), 251, 252, 253, 287
mapping
    drives, 40, 50, 93, 193
    IP address, to domain name, 85
Massey, James L., 227
Mastering SQL Server 2008 (Sybex), 304
MCTS Windows Server 2008 Active Directory Configuration Study Guide (Panek & Chellis), 123
Media Access Control (MAC), 27, 30, 52
media types (for backups), 201–208, 216. See also backups
    direct attached storage, 208
    external disks, 201–203
    FireWire, 201–202
    NAS, 5, 205, 206–208, 216
    SANs, 205–206, 207–208
    tape backup systems, 201, 203–205
    USB, 202–203
member servers, 220–221
Memory Diagnostic Tool (Windows), 213, 214
merge mode (loopback processing), 187
Message Tracking tool, 259
Messaging Application Programming Interface (MAPI), 251, 252, 253, 287
messaging components, 286–287
    categorizer, 248, 287
    Microsoft Exchange Mail Submission Service, 287
    Pickup directory, 287
    store driver, 287
    submission queue, 286–287
Microsoft Entourage, 270
Microsoft Exchange Mail Submission Service, 287
Microsoft Forefront Security for Exchange Server, 2, 4, 12, 13
Microsoft Management Console. See MMC
Microsoft Office SharePoint Server. See SharePoint Server
Microsoft Outlook 2007, 270. See also Outlook Web Access
Microsoft SQL Server 2008 Standard for Small Business. See SQL Server
Microsoft Windows Active Directory. See Active Directory
migration (SBS 2003 to SBS 2008), 53–78
    backups
        critical files, 55–57
        Exchange Server data, 57–58
    Exchange Server updates and, 72
    overview, 54
    preparation
        BPA and, 67–68
        firewall settings, 62–63
        network, 59–64
        server, 64–66
        steps, 55–68
        user preparation, 67
    process overview, 72–73
    seamless, 78
    server image and, 59
    testing recovery process, 59
    upgrading v., 5–6, 53
Migration Home Wizard, 77
Migration Wizard, 76–77
mirroring, 198
mixed RAID modes, 200
MMC (Microsoft Management Console), 5, 317
Modify (permission), 165
mounting recovered database, 283–284
Move dialog box, 127
Move Windows SharePoint Services Data (link), 331
moving
    databases (SQL), 321–323
    SharePoint data, 330–331
Mozilla Thunderbird, 270
MSExchangeOWAAppPool pool, 273
msExchDynamicDistributionList objects, 153
MSMQ Queue Alias objects, 119, 153
multicast address, 31
multiplatform environment, 271
MX (mail exchanger) records, 89–90, 92–93, 246

N

name server records, 88–89
namespace wizard screen, 105
namespaces
    DFS, 101, 103, 104, 105, 107
    domain, 80, 117
    domain-based, 104, 105
    stand-alone, 104, 105
naming conventions. See also DNS
    DFS Replication Groups, 108
    distribution groups, 144
    DNS, 79, 117
    192.168.16.X, 64
    security groups, 144
    server naming convention system, 79
    UNC, 253
NAS (network attached storage), 5, 205, 206–208, 216
NASD 3010 and 3110 (National Association of Securities Dealers 3010 and 3110), 255–256
NAT (Network Address Translation), 29, 63, 231
National Association of Securities Dealers 3010 and 3110 (NASD 3010 and 3110), 255–256
nesting groups, 150
.NET application, Visual Basic-enabled, 265–268
NetBIOS convention, 86
Netdiag.exe, 68
Network Address Translation (NAT), 29, 63, 231
network administrator account (SBS installation), 10, 12
network attached storage (NAS), 5, 205, 206–208, 216
Network Configuration Operators group, 148
network device connectivity issues, 47–48
Network File System (NFS), 99, 207, 208
network interface cards. See NICs
network layer, 26
network load balancing (NLB) clusters, 219
Network Users (special identity group), 147
Networking Essentials Summary screen, 16–22, 23
networks
    commodity, 218
    SBS 2003
        configuration, 60
        migration, 59–64
    SBS 2008, 25–52
        command-line tools, 45–46
        computer accounts added to, 36–37
        configuration, 60
        connectivity issues, 47–48
        diagnosing problems, 46–48, 52
        expanding, 34–44
        manual joining, 44
        migration preparation, 59–64
        planning, 27–32
        problems, 46–48
        servers in, 27
        user accounts added to, 34–36
        wireless, 48–52
    VPNs, 143, 229–234
    wireless, 48–52
New Object–Computer, 133, 134
New Object – Organizational Unit Wizard, 123, 124
New Object–Printer, 135
New Object – User Wizard, 125, 126
New Replication Group Wizard, 108, 109
New Zone Wizard, 91
NFS (Network File System), 99, 207, 208
NICs (network interface cards)
    disabling, 61
    removing, 61–62
    support for, 5, 61
987 port (HTTPS traffic), 237, 328
Ninja Blade, 249
NLB (network load balancing) clusters, 219
noncritical business data (backup strategy), 208, 211–212
nslookup, 45, 46
NT LAN Manager (NTLM), 273, 335
NTBACKUP utility, 55, 58, 212, 280
NTLM (NT LAN Manager), 273, 335

O

Object Browser, 320
Object Explorer, 307–309, 310, 311, 315, 316, 318, 320, 321, 322, 323
objectives (Group Policy), 174, 177–178
objects (Active Directory). See also Group Policy objects
    computer, 119, 153
    contact, 119, 153
    creating, 133–140
    group, 119, 153
    InetOrgPerson, 119, 153
    large object actions, 135–140
    msExchDynamicDistributionList, 153
    MSMQ Queue Alias, 119, 153
    printer, 119, 153
    types, 118–119
    user, 153
Offer process (DHCP), 32
OLAP (online analytical processing) databases, 295
OmniCorp, 164
192.168.16.X naming convention, 64
1723 port, 231
online analytical processing (OLAP) databases, 295
Open Active Directory Users And Computers Snap-In, 152–153, 155, 157, 159, 160, 161
OpenPGP, 227
Operations (Server Operations), 332, 337
Organizational Configuration Mailbox, 262
organizational units (OUs), 117, 118, 119, 122–133
    creating, 123–125, 140–141
    delegating, 128–130
    deleting, 127
    design, 123
    dividing for power (example) and, 131
    grouping/subgrouping, 131–133
    inheritance and, 127
    managing, 125–127
    renaming, 127
    security groups v., 153
OUs. See organizational units
Outlook 2007, 270
Outlook Anywhere, 271–273
Outlook Web Access (OWA), 241, 251, 252, 253, 273, 274
OWA. See Outlook Web Access
OWA pool, 273
Owner/Creator (special identity group), 147

P

Panek, Will, 123
parallelization, 218
parity bit, 199
partial backups, 209
partitions, 197
passwords
    ActiveSync, 275
    sniffing, 51–52
    user account, 36
    wireless networks (unsecured) and, 51–52
Pathping, 45–46
PATRIOT Act, 256
PDC emulator master, 121
Pegasus, 270
Performance Log Users group, 148
Performance Monitor, 260, 261
Performance Monitor Users group, 148
performance reports, 326
Performance Troubleshooter, 260
permission lists (access control lists), 164–165, 170, 206
permissions, 164–170
    default security groups and, 149
    file/folder, 165–170
    groups and, 153
    modifying, EMS and, 266–267
    special folder, 167
PGP (Pretty Good Privacy), 226
physical connectivity issues, 47
Pickup directory, 287
Pine, 270
ping, 45, 46, 52
pipeline, transport, 286
piping (EMS), 265
planning stage (Group Policy), 174–175
pointer (PTR) records, 85, 88, 89
policy definitions, 174. See also Group Policy
Policy Definitions (ADMX files), 183
pools
    application pools, 273, 335, 340, 341
    DHCP pools, 28, 32, 33
    MSExchangeOWAAppPool pool, 273
    OWA pool, 273
    web pool, 219, 273
POP3 (Post Office Protocol), 246, 252, 253, 254, 263, 269, 270
portable content, 40–44
ports
    8080, 206
    firewall settings and, 62–63
    port 21 (FTP), 62
    port 22 (SFTP), 62
    port 25 (SMTP), 62, 246
    port 80 (HTTP traffic), 62, 206, 237, 238, 328
    port 443 (HTTPS traffic), 62, 206, 237, 328
    port 444 (SharePoint Companyweb), 62
    port 987 (HTTPS traffic), 237, 328
    port 1723, 231
    port 3389 (Remote Desktop), 62, 234, 237
    port 4125 (Remote Web Workplace), 63, 238
    port 4150, 238
    port 4721, 332
    random, 334, 335
Post Office Protocol. See POP3
PowerShell, 2, 3, 267–268
premium journaling, 256
Pretty Good Privacy (PGP), 226
Pre-Windows 2000 Compatible Access group, 148
primary key, 312, 313, 314
primary zones, 85–86
Print Operators group, 148
printer objects (Active Directory), 119, 153
private keys, 228, 230, 235
processing notification screen, 336
Products and Technologies Wizard (SharePoint), 331–332
Prohibit Access To The Control Panel dialog box, 183
proper planning prevents poor performance (5 Ps), 78, 179
Properties dialog box, 154, 156, 158, 160, 232, 235
protocols. See also IP addresses
    ActiveSync, 252, 253, 254, 263, 274–275
    DHCP, 32–34
        pools, 28, 32, 33
        shorter licenses for, 61
    FTP, 50, 52, 62
    HTTP, 272
        port 80 and, 62, 206, 237, 238, 328
        RPC and, 271–273
    HTTPS
        port 443 and, 62, 206, 237, 328
        SSL and, 272
    ICMP, 45, 46
    IMAP4, 246, 252, 254, 263, 271
    POP3, 246, 252, 253, 254, 263, 269, 270
    RDP, 229, 234–236, 243
    SFTP, 62
    SMTP, 245, 246–248
        errors, 287–289
        receive connectors, 286
        send connectors, 286
    TCP/IP, 26, 45, 62, 83, 206, 207, 218, 252
    TKIP, 50, 227
proxy servers, 5
PTR (pointer) records, 85, 88, 89
public keys, 228, 275
public shares, 94–95
publisher, 295
purpose (Group Policy), 174

Q

queries, DNS, 84–85
Query window, 309, 310, 315, 316, 317
Queue Viewer, 259
quota policy, 100
Quota Policy screen, 100
quota templates, 101, 110, 111
quotas, with FSRM, 110, 111

R

RAID (Redundant Array of Independent Disks), 195–201
    configurations, 198
    hybrid, 198, 200–201
    speed and, 197
RAID 0, 198
RAID 0+1, 198, 200–201
RAID 1, 198–199
RAID 5, 199–200
raising functional levels, 65–66
random ports, 334, 335
RC4, 50
RC4 encryption algorithm, 50
RC5, 27
RDC (Remote Differential Compression), 103, 104, 108
RDP (Remote Desktop Protocol), 229, 234–236, 243
Read (permission), 165
Read & Execute, 165
Read-Only Domain Controller, 6
read-only domain controller, 6
real world scenarios
    access v. security, 254
    answer file, 71
    database creation with SQL Server Express, 293–294
    distribution groups as filters, 164
    Exchange Server loss/recovery plan, 58–59
    firewall selection, 63–64
    5 Ps and, 78, 179
    functional levels, 65–66
    Group Policy deployment, 180
    multiplatform environment, 271
    OUs and dividing for power, 131
    records (DNS)
        creating, 90–92
        MX configuration, 92–93
    SBS 2008 installation in migration mode, 73–76
    second server, 221
    unsecured wireless network passwords, 51–52
    VPNs, 231
receive connectors (SMTP), 286
Recipient Configuration Mailbox, 263
records (DNS records), 85, 87–93
    alias, 86, 89
    CNAME, 86, 89
    creation, 90–92
    host (A), 85, 87, 88, 89, 90, 92
    MX, 89–90, 92–93, 246
    name server, 88–89
    PTR, 85, 88, 89
recovery, 212–216. See also backups
    bare-bones, 212–216
    bulk-logged, 318
    Exchange Server 2007 and, 276–286
    file, 212
    full, 318
    simple, 318
Recovery Wizard, 281
recursion, 180
recursive queries, 84–85
Recycle Bin timer job, 345, 347
redirected folders (default share), 95–98
Redundant Array of Independent (or Inexpensive) Disks. See RAID
Regional Internet Registry (RIR), 31
regulations, 255–256
relational databases. See databases
relative ID master (RID master), 120, 121
/release, 45
remote access
    email and, 271–273
    encryptions, 224–228
        AES, 226
        asymmetric, 228
        blowfish, 227
        ciphers and, 225–226
        DES, 227
        IDEA, 227
        PGP, 226
        RC4, 50
        RC5, 27
        symmetric, 228
        TKIP, 50, 227
        triple DES, 227
    introduction, 224
    RDP and, 229, 234–236, 243
    RWW and, 229, 236–243
    VPNs and, 143, 229–234
remote authentication, 230
Remote Desktop Protocol (RDP), 229, 234–236, 243
Remote Desktop Users group, 148
remote desktops
    connecting to, 235–236
    port 3389 and, 62, 234, 237
Remote Differential Compression (RDC), 103, 104, 108
Remote Procedure Call (RPC), 251, 271–273
Remote Web Workplace (RWW), 229, 236–243
    customization, 239, 241–242
    Gadget, 241
    links list, 239
    pool, 238
    prerequisites, 237
    Properties dialog box, 242
    terminal services gateways and, 240
    user access setup, 237–238
    Users (security group), 149
    using, 239–240
Remove_ControlPanel, 182, 184, 188
removing control panel, 173, 177, 180, 182, 183, 184
/renew, 45
Repadmin.exe, 68
replace mode (loopback processing), 187
replication
    continuous, 280
    DFS, 103, 104, 105, 108–110
    groups, 104, 108–110
    SQL Server and, 294–295
Replicator group, 148
Reporting Services (SSRS), 292, 295
Request process (DHCP), 32
reserved addresses, 29, 30
Reset Internet Information Services setting, 336
resolution process, DNS, 82–83
resolvers (DNS), 83
restoration. See Backup and Restore
Restore Database window, 320
reverse lookup zones, 87
RID (relative ID) master, 120, 121
Rijndael, 226
RIR (Regional Internet Registry), 31
Rivest, Ron, 227
roles. See server roles
ROT13 cipher, 225–226
rotation (backup data), 210
routers, 26–27, 63
routing (Hub Transport server role), 249
Routing Log Viewer, 259–260
RPC (Remote Procedure Call), 251, 271–273
RSA encryption, 62, 227, 275
RWW. See Remote Web Workplace

S

safe scripting, 266
SANs (storage area networks), 205–206, 207–208
Sarbanes-Oxley Act of 2002 (SOX), 255
satellite technology, 48
SBS 2003. See Small Business Server 2003
SBS 2008. See Small Business Server 2008
SBS Console (Windows SBS Console), 15–22
SBS default security groups, 149
scheduled jobs, 294
schema master, 121
Schneier, Bruce, 227
scopes
    Delegation Of Control Wizard and, 130
    DHCP, 33
    domain local groups, 145, 146, 147, 150, 151
    FSMO Servers, 121
    global groups, 146
    GPOs, 177, 186
    group, 145–146, 159–160
    journal rule scope, 256
    universal groups, 145–146
scripting (EMS), 266
seamless migration, 78
Search Server, 336
second server, 217–224, 243
    clustering and, 218–222
    reasons for, 217–218, 221
secondary zones, 86
Secure File Transfer Protocol (SFTP), 62
Secure Sockets Layer (SSL), 76, 229, 230, 272, 273, 275, 335
security
    access v., 254
    ActiveSync, 275
    certificate, 329, 330, 335, 347
    Networking Essentials Summary screen and, 18
    SharePoint Server and, 325
    wireless networking, 50–52
Security Configuration area, 335, 337
Security Exchange Commission Rule 17a-4, 255
security groups, 143–144
    added to folder, 169–170
    administering, 157–160
    default, 149
    file permissions, 169–170
    naming convention, 144
    OUs v., 153
    removing, 159
security identifiers (SIDs), 157
security permissions. See permissions
security services screen (SBS installation), 12–13. See also Forefront Security for Exchange Server; Live OneCare for Servers
SELECT, 310, 317
send connectors (SMTP), 286
Server Configuration Mailbox, 262–263
Server Core installation, 6, 223
Server Manager, 16, 105, 272
Server Message Block (SMB), 99, 207, 335
Server Operations, 332, 337
Server Operators group, 148
server roles (Exchange Server 2007), 248–255, 268
    Client Access, 252–253
    Edge Transport, 255
    Hub Transport, 248–250
    Mailbox, 250–251
    Unified Messaging, 253
servers
    adding, 217–224, 243
    conflicts (DHCP), 33
    farms, 332, 333, 337, 338, 339
    images, 59
    member servers, 220–221
    naming convention system, 79
    in network, 27
    second, 217–224, 243
        clustering and, 218–222
        reasons for, 217–218, 221
    server/network screen (SBS installation), 10, 11
    virtualizing, 222–223
services
    document, 326
    special identity group, 147
    SQL Server, 317–318
    terminal, 240
services.msc, 285, 328, 337
Setup Virtual Private Networking Wizard, 232
SFTP (Secure File Transfer Protocol), 62
Shared Folder Location Wizard, 98
shared folders (Active Directory), 119, 153
Shared Folders And Web Sites, 237, 239, 241, 326
SharePoint Products and Technologies Wizard, 331–332
SharePoint Server, 325–348
    administration tasks, 332–333
    Backup and Restore, 338–343, 347–348
    backups, 330–331, 338–343
    Companyweb, 62, 76, 77, 326, 328, 329–330, 347
    components, 326–328
    configuration, 329–332
    IIS and, 326–327
    moving data, 330–331
    network components, 328–329
    overview, 326
    Products and Technologies Wizard, 331–332
    timer jobs, 343–345, 347
    usages for, 326
    website
        creating, 333–337
        editing, 345–347
    website creation with, 333–337
SharePoint Services 3.0, 3, 326
SharePoint_Members Group, 149
SharePoint_OwnersGroup, 149
SharePoint_VisitorsGroup, 149
shares
    creating, 98–102
    default, 94–98
    public, 94–95
    redirected folders, 95–98
    user, 98
sharing files, 93–102, 113
sharing folders, 170
SIDs. See security identifiers
simple disks (RAID), 196
simple recovery, 318
simplicity
    KISS rule, 271
    user experience, 33–34
Site Bindings dialog box, 328
sites (Active Directory), 116
64-bit processors (virtualization), 7, 23
Small Business Server (SBS) 2003. See also migration
    administration models, 119–120
    design models, 119–120
    network configuration, 60
Small Business Server (SBS) 2008
    default security groups, 149
    installation, 6–9
        customization, 9–14
        in migration mode, 72–78
        Server Core, 6, 223
        twice, 22
        types, 6
    limitations, 4–6, 53–54
    migrating to, 5–6, 53–78
    MMC and, 5
    network, 25–52
    network configuration, 60
    overview, 1–5
    Premium version features, 2
    read-only domain controller, 6
    requirements, 1–6
    SQL Server and, 295–296
    Standard version features, 2
    support
        client operating systems, 5
        NICs, 5
        proxy servers, 5
    trial, 3
small office/home office. See SOHO
SmartCorp, 221
SMB (Server Message Block), 99, 207, 335
SMTP (Simple Mail Transfer Protocol), 245, 246–248
    errors, 287–289
    receive connectors, 286
    send connectors, 286
snap-ins
    Active Directory Domains And Trust, 65, 66
    Group Policy, 172, 173
    Open Active Directory Users And Computers, 152–153, 155, 157, 159, 160, 161
sniffing passwords, 51–52
software deployment (Group Policy), 189–191
Software Installation Properties dialog box, 190, 191
software RAIDs, 196–197
SOHO (small office/home office), 25–27. See also networks
SOX (Sarbanes-Oxley Act of 2002), 255
span, 198
special identity groups, 147
Special_Users, 173, 175
speed
    RAID and, 197
    wireless networking and, 49–50
SQL (Structured Query Language), 3
SQL Server (SQL Server 2008 Standard for Small Business), 3, 291–323. See also databases
    administering, 317–323
    backup, 318–321

  Books Online, 295, 300, 304, 310
  configuration, 296–306, 323
  data (backup strategy), 208, 211
  database administration, 294
  database mail, 294
  database management, 294
  defined, 291–292
  editions, 292–293
  features, 294–295
  Full-Text Search, 292, 295
  installation, 296–306, 323
  licensing requirements, 296
  logging into, 306–307
  Mastering SQL Server 2008 (Sybex), 304
  online information, 318
  replication and, 294–295
  SBS environment and, 295–296
  service pack installation, 304–306
  using, 306–317, 323
SQL Server Analysis Services (SSAS), 295
SQL Server Configuration Manager, 317, 318
SQL Server Integration Services (SSIS), 292, 293, 294, 295, 316
SQL Server Management Studio. See SSMS
SQL Server Reporting Services (SSRS), 292, 295
SQL Server services, 317–318
SSAS (SQL Server Analysis Services), 295
SSIS (SQL Server Integration Services), 292, 293, 294, 295, 316
SSL (Secure Sockets Layer), 76, 229, 230, 272, 273, 275, 335
SSL remote authentication, 230
SSMS (SQL Server Management Studio), 291, 307–310
SSMS Import Wizard, 316
SSRS (SQL Server Reporting Services), 292, 295
stand-alone namespaces, 104, 105
Standard edition (SQL Server), 293
standard journaling, 256
starter GPOs, 184
static addressing, 28
S/TNEF (Summary Transport Neural Encapsulation Format), 287
StoopidCorp, 221
storage area networks (SANs), 205–206, 207–208
storage recovery group (Exchange Server), 282–283
store driver, 287
striping, 198
structured data support (EMS), 265–266
Structured Query Language. See SQL
stub zones, 86
subgrouping/grouping OUs, 131–133
submission queue, 286–287
subnets, 26
subscriber, 295
Summary screen (SBS installation), 13–14
Summary Transport Neural Encapsulation Format (S/TNEF), 287
switches (IPconfig tool), 45
switches (network hardware device), 27, 63
Sybex, Mastering SQL Server 2008 and, 304
symmetric encryption, 228
syncing technology. See ActiveSync
system policies, 171–172. See also Group Policy
System Properties dialog box, 235

T
Table Designer, 312, 313, 314, 315
tables (database tables)
  creating, 312–315
  data
    inserting, 315–316
    viewing, 316–317
tape backup systems, 201, 203–205
  DAT, 203
  LTO, 203–205
task-based system, MMC and, 5
TCP/IP, 26, 45, 62, 83, 206, 207, 218, 252
Tech Republic, 263
Temporal Key Integrity Protocol (TKIP), 50, 227
Terminal Server License Servers group, 149
Terminal Services, 240
  Application Mode, 4
  gateways, 240
  licensing, 72
terminal services, 240
3389 port (Remote Desktop), 62, 234, 237
throughput, 63


Thunderbird, 270
time zone, 9–10, 70
timer jobs, 343–345, 347
TKIP (Temporal Key Integrity Protocol), 50, 227
Toolbox (EMC)
  disaster recovery section, 259
  mail flow analysis section, 259–260
  performance section, 260–261
top-level domains, 80, 81
tracking customers, 326
Transact SQL (T-SQL), 310, 318, 321, 323
transaction log backups, 318, 319
transaction logging, 277–279
transmission channels, 50
transport pipeline, 286
Transport Rules agent, 250
trials, 3, 5
triple DES, 227
troubleshooting
  Backup and Restore, 341–343, 348–349
  Database Troubleshooter tool, 259
  mailflow, 285
  MailFlow Troubleshooter tool, 259
  Performance Troubleshooter, 260
  SMTP errors, 287–289
trusted scripts, 266
trusts, 4, 117, 148
T-SQL (Transact SQL), 310, 318, 321, 323
Tuchman, Walter, 227
25 port (SMTP), 62, 246
21 port (FTP), 62
22 port (SFTP), 62

U
unicast address, 31
Unified Messaging
  EMC and, 264
  server role, 253
universal groups, 145–146
Universal Serial Bus. See USB
unsorted files (backup strategy), 208, 212
UPDATE, 310
Update Services 3.0, Windows Server, 2
Updates (Networking Essentials Summary screen), 16–18
Updates tab, 16, 17
upgrading. See also migration
  Active Directory, 68–70
  migration v., 5–6, 53
USB (Universal Serial Bus), 202–203
user accounts, 34–36
  creating, 152–157
  LDIFDE.exe and, 139–140
user experience, simplifying, 33–34
user groups
  creating, 170
  defined, 147
  renaming, 157–159
user objects, 153
user shares, 98
Users group, 149

V
Verizon FIOS, 48
Virtual Private Network Users (security group), 149
virtual private networks (VPNs), 143, 229–234
virtual trees (DFS namespaces), 104
virtualization, 222–223
  Hyper-V and, 222–223
  64-bit processors and, 7, 23
  unified messaging and, 264
viruses. See antivirus protection
Visual Basic-enabled .NET application (EMS), 265–268
VPNs (virtual private networks), 143, 229–234
  connecting to, 232–234
  groups enabled for, 232
  hardware-based, 230–231
  setting up, 231–232
  software-based, 231

W
WAN balancing, 63
WatchGuard, 63, 230
web activation, 37–40
web applications
  application pools, 273, 335, 340, 341
  creating, 333–337
  editing, 345–347


Web Applications area, 273, 338
web parts, 345–346
web pool, 219, 273
website (SharePoint website)
  creating, 333–337
  editing, 345–347
WEP (Wired Equivalent Privacy), 50
Windows authentication, 307, 336
Windows Authorization Access Group, 149
Windows Credentials dialog box, 224
Windows Internet Name Service (WINS), 86
Windows Live OneCare for Servers, 4, 12, 13, 18, 19, 20
Windows Memory Diagnostic Tool, 213, 214
Windows NT data (backup strategy), 208, 209
Windows SBS Client - Windows XP Policy, 181–184
Windows SBS Console. See SBS Console
Windows Server 2008 Standard Technologies, 2
Windows Server Group Policy. See Group Policy
Windows Server Update Services 3.0, 2
Windows Small Business Server 2008. See Small Business Server 2008
Windows XP
  Hyper-V and, 222
  Windows SBS Client - Windows XP Policy, 181–184
WINS (Windows Internet Name Service), 86
Wired Equivalent Privacy (WEP), 50
wireless networking, 48–52
  limitations, 48–49
  security, 50–52
  speeds/frequencies, 49–50
wireless packet sniffer, 51–52
wizard mode, 55. See also NTBACKUP utility
wizards
  Active Directory Domain Services Installation Wizard, 223
  Add A New Site Wizard, 335
  Add Exchange Administrator Wizard, 261
  AddUserWizard, 76
  ADPREp.exe tools and, 69
  Backup Schedule Wizard, 210, 211
  Configure Email And Internet Connection Wizard, 62
  Console Wizard, 34
  Database Maintenance Plan Wizard, 320
  Delegation Of Control Wizard, 128, 130
  Enable Outlook Anywhere Wizard, 273
  folder sharing and, 170
  Group Policy Results Wizard, 193
  Maintenance Plan Wizard, 321
  Migration Home Wizard, 77
  Migration Wizard, 76–77
  namespace wizard screen, 105
  New Object - Organizational Unit Wizard, 123, 124
  New Object - User Wizard, 125, 126
  New Replication Group Wizard, 108, 109
  New Zone Wizard, 91
  Products and Technologies Wizard, 331–332
  Recovery Wizard, 281
  Setup Virtual Private Networking Wizard, 232
  Shared Folder Location Wizard, 98
  SSMS Import Wizard, 316
workflow settings, 337–338
WPA2-Personal, 50
WPA-Personal, 50
Write (permission), 165

X
XML
  ActiveSync protocol and, 274
  answer file and, 71
  backup directory and, 342, 343
  EMS and, 266
  value range, 313
  web part, 346

Z
zones (DNS), 80, 85–87


Run Your Small Business Network Without a Giant IT Department

If you run a small business, you need a network infrastructure fit especially for one. With its rich collection of server and management technologies such as Exchange Server 2007 and SharePoint Services 3.0, Windows SBS 2008 fills this niche perfectly. Master all SBS components, then see how to set up, deploy, and administer SBS 2008 successfully in your organization with the step-by-step instructions in this comprehensive guide.

COVERAGE INCLUDES:

• Planning a Windows Small Business Server 2008 network
• Installing, configuring, or upgrading SBS 2008 for the first time
• Using the command line for network administration tasks
• Configuring and using Active Directory®, Group Policy, and SQL Server®
• Creating and controlling users, printers, and groups
• Setting up Exchange with your network and configuring email and webmail accounts
• Handling disaster recovery, backup, and disk management

Master All the Technologies and Components in Windows SBS 2008

Set Up, Deploy, and Administer SBS 2008 in Your Small Business

Create an Enterprise-Class Network at a Lower Cost

Integrate with Windows Server® 2008, SQL Server® 2008, Exchange Server 2007, Windows® SharePoint® Services 3.0, and More

Reinforce Your Skills with Real-World Examples

ABOUT THE AUTHOR

Steven Johnson is a technical writer and IT consultant who specializes in Windows System Administration, Cisco Networking, and Microsoft Exchange. He holds many certifications and is the author of several books, including MCITP: Windows Server 2008 Enterprise Administrator Study Guide (Exam 70-647). Steven is also a frequent speaker at technology events, including CompTIA tradeshows.

CATEGORY

COMPUTERS/Operating Systems/Windows Server & NT

$49.99 US
$59.99 CAN

SERIOUS SKILLS.


Understand SBS and Its Role in a Small Business Environment

Administer a Small Business Network Infrastructure

ISBN 978-0-470-50372-0
www.sybex.com
