Mastering Microsoft® Windows® Small Business Server 2008
Mastering Microsoft® Windows® Small Business Server 2008
Steven Johnson
Wiley Publishing, Inc.
Acquisitions Editor: Agatha Kim Development Editors: Toni Ackley; Amy Breguet Technical Editor: Tom Carpenter Production Editor: Dassi Zeidel Copy Editor: Kim Wimpsett Editorial Manager: Pete Gaughan Production Manager: Tim Tate Vice President and Executive Group Publisher: Richard Swadley Vice President and Publisher: Neil Edde Book Designers: Maureen Forys, Happenstance Type-O-Rama; Judy Fung Proofreader: Nancy Bell Indexer: Robert Swanson Project Coordinator, Cover: Lynsey Stanford Cover Designer: Ryan Sneed Cover Image: © Pete Gardner/Digital Vision/Getty Images Copyright © 2010 by Wiley Publishing, Inc., Indianapolis, Indiana Published simultaneously in Canada ISBN: 978-0-470-50372-0 No part of this publication may be reproduced, stored in a retrieval system or transmitted in any form or by any means, electronic, mechanical, photocopying, recording, scanning or otherwise, except as permitted under Sections 107 or 108 of the 1976 United States Copyright Act, without either the prior written permission of the Publisher, or authorization through payment of the appropriate per-copy fee to the Copyright Clearance Center, 222 Rosewood Drive, Danvers, MA 01923, (978) 750-8400, fax (978) 646-8600. Requests to the Publisher for permission should be addressed to the Permissions Department, John Wiley & Sons, Inc., 111 River Street, Hoboken, NJ 07030, (201) 748-6011, fax (201) 748-6008, or online at http://www.wiley.com/go/permissions. Limit of Liability/Disclaimer of Warranty: The publisher and the author make no representations or warranties with respect to the accuracy or completeness of the contents of this work and specifically disclaim all warranties, including without limitation warranties of fitness for a particular purpose. No warranty may be created or extended by sales or promotional materials. The advice and strategies contained herein may not be suitable for every situation. This work is sold with the understanding that the publisher is not engaged in rendering legal, accounting, or other professional services. If professional assistance is required, the services of a competent professional person should be sought. Neither the publisher nor the author shall be liable for damages arising herefrom. The fact that an organization or Web site is referred to in this work as a citation and/or a potential source of further information does not mean that the author or the publisher endorses the information the organization or Web site may provide or recommendations it may make. Further, readers should be aware that Internet Web sites listed in this work may have changed or disappeared between when this work was written and when it is read. For general information on our other products and services or to obtain technical support, please contact our Customer Care Department within the U.S. at (877) 762-2974, outside the U.S. at (317) 572-3993 or fax (317) 572-4002. Wiley also publishes its books in a variety of electronic formats. Some content that appears in print may not be available in electronic books. Library of Congress Cataloging-in-Publication Data is available from the publisher. TRADEMARKS: Wiley, the Wiley logo, and the Sybex logo are trademarks or registered trademarks of John Wiley & Sons, Inc. and/or its affiliates, in the United States and other countries, and may not be used without written permission. Microsoft and Windows are registered trademarks of Microsoft Corporation in the United States and/or other countries. All other trademarks are the property of their respective owners. Wiley Publishing, Inc., is not associated with any product or vendor mentioned in this book. 10 9 8 7 6 5 4 3 2 1
Dear Reader, Thank you for choosing Mastering Microsoft Windows Small Business Server 2008. This book is part of a family of premium-quality Sybex books, all of which are written by outstanding authors who combine practical experience with a gift for teaching. Sybex was founded in 1976. More than 30 years later, we’re still committed to producing consistently exceptional books. With each of our titles, we’re working hard to set a new standard for the industry. From the paper we print on, to the authors we work with, our goal is to bring you the best books available. I hope you see all that reflected in these pages. I’d be very interested to hear your comments and get your feedback on how we’re doing. Feel free to let me know what you think about this or any other Sybex book by sending me an email at
[email protected]. If you think you’ve found a technical error in this book, please visit http://sybex.custhelp.com. Customer feedback is critical to our efforts at Sybex. Best regards,
Neil Edde Vice President and Publisher Sybex, an Imprint of Wiley
Acknowledgments No one deserves more credit for the creation of this book than my acquisitions editor, Agatha Kim, and my development editors, Toni Zuccarini-Ackley and Amy Breguet. In times that I was overly stressed, decidedly uncomfortable, and even a little freaked out, they were solid as rocks. I’d also like to thank my technical editor, Tom Carpenter, and the whole team at Sybex. Their exceptional professionalism and extremely rigid process helps to make a very high-quality product. Additionally, I’d like to thank Acey Bunch for his additions on SQL Server in this book. We all have our weaker areas, and it’s nice to have somebody by our sides to help make some enhancements. On top of that, my family has been a huge supporter in my life. Without them, I couldn’t have gotten as far as I have. I’d also like to send out a special thanks to Mark Hartley. The man taught me more about being an administrator than anybody I’ve ever met in just a few days, making up for a lifetime of poor examples. Thanks, Mark!
About the Author Steven Johnson is a technical writer on concepts including computer programming, Windows, Linux, and network administration. He is a graduate of Texas Tech University, a C++ and DirectX enthusiast, and an avid private pilot. Steven is the author of many technical books, study guides, and certification-based practice exams. He’s worked for IT training companies, for software development companies, and even as a salesperson — although that was a long, long time ago. In addition to geeking out on Windows, Linux, and just about every form of computer, Steve likes to go back to the basics and work on an original 6502 processor, ‘‘just for fun!’’ When we go back to the very beginning, it lets us appreciate how far we’ve really come and understand more about where we really are right now. In his spare time, Steve flies around the country on numerous piloting adventures, including crossing the United States and soon the Atlantic. Sooner rather than later, he’d like to do some commercial work for a little bit of fun, and maybe even a living.
Contents at a Glance Introduction . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . xxi Chapter 1
•
Installing Windows Small Business Server 2008 . . . . . . . . . . . . . . . . . . . . 1
Chapter 2
•
Setting Up and Utilizing an SBS 2008 Network . . . . . . . . . . . . . . . . . . . 25
Chapter 3
•
Migrating and ‘‘Upgrading’’ to Small Business Server 2008 . . . . . . . . . . 53
Chapter 4
•
Implementing a DNS Name Server and File Sharing with SBS 2008 . . . 79
Chapter 5
•
Configuring and Administering Active Directory with SBS 2008 . . . . . 115
Chapter 6
•
Configuring and Managing Groups and User Accounts with SBS 2008 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 143
Chapter 7
•
Managing Group Policy with SBS 2008 . . . . . . . . . . . . . . . . . . . . . . . . . 171
Chapter 8
•
Backing Up and Performing Disaster Recovery . . . . . . . . . . . . . . . . . . 195
Chapter 9
•
Remote Access, Security, and Adding Servers with SBS 2008 . . . . . . . 217
Chapter 10
•
Configuring Exchange Server 2007 for Small Business . . . . . . . . . . . . 245
Chapter 11
•
Managing Clients, Troubleshooting, and Recovering from Disaster with Exchange for SBS . . . . . . . . . . . . . . . . . . . . . . . . . 269
Chapter 12
•
Introducing SQL Server . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 291
Chapter 13
•
Using SharePoint with Your Small Business Server . . . . . . . . . . . . . . 325
Appendix
•
The Bottom Line . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 349
Index . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 363
Contents Introduction . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . xxi
Chapter 1
•
Installing Windows Small Business Server 2008 . . . . . . . . . . . . . 1
Windows Small Business Server 2008 Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1 What’s Included in SBS 2008? . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2 Limitations of Small Business Server 2008 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4 Supported Client Operating Systems . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5 Upgrading to Windows Small Business Server 2008 . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5 Special Installation Types . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6 Windows SBS 2008 Server Core . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6 Windows SBS 2008 Read-Only Domain Controller . . . . . . . . . . . . . . . . . . . . . . . . . . 6 Installing Windows Small Business Server 2008 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6 SBS 2008 Initial Setup . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 9 Time Zone . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 9 Company Information . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 10 Server/Network . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 10 Administrator Setup . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 10 Security Services . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 12 Summary . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 13 The Windows SBS Console . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 15 Addressing Alerts, Warnings, and Concerns . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 16 Updates with the Summary Screen . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 16 Security Concerns . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 18 Backup . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 18 Other Alerts . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 20 Getting Started Tasks . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 20 Reviewing Your Installation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 22 The Bottom Line . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 23
Chapter 2
•
Setting Up and Utilizing an SBS 2008 Network . . . . . . . . . . . . . 25
Understanding SOHO . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Routers . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Switches . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Servers . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Planning an SBS Network . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Addressing Techniques . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Choosing an Address Range . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Anatomy of IPv6 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . IPv6 Address Types . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Dynamic Host Configuration Protocol . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . DHCP Process . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
25 26 27 27 27 27 28 30 31 32 32
xii
CONTENTS
DHCP Elements . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . DHCP Server Conflicts . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Expanding an SBS 2008 Network . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Adding a New User Account . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Adding Computer Accounts . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Manually Joining the SBS Network . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Using the Command Line with Network Administration . . . . . . . . . . . . . . . . . . . . . . IPconfig . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Ping . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Pathping . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . nslookup . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Diagnosing Network Problems . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Connectivity Issues . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Implementing Wireless Networking . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Limitations of Wireless . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Wireless Speeds and Frequencies . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Wireless Security . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . The Bottom Line . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
Chapter 3
•
32 33 34 34 36 44 45 45 45 45 46 46 47 48 48 49 50 52
Migrating and ‘‘Upgrading’’ to Small Business Server 2008 . . . . 53
SBS 2008 Limitations . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Overview of Migrating from SBS 2003 to SBS 2008 . . . . . . . . . . . . . . . . . . . . . . . . . . . . Preparing for Migration by Creating Backups . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Stage 1: Backing Up Critical Files . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Stage 2: Backing Up Exchange Server Data . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Stage 3: Making an Image . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Stage 4: Conducting a Test . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Preparing Your Network for Migration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Reconfiguring DHCP for Shorter Licenses . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Removing the Second Network Card . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Reconfiguring the Network Settings . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Preparing Your Server for Migration to SBS 2008 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Prepping Active Directory . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Preparing Your Users for Migration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . User Logons and Files . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . User Mailboxes . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Checking the Best Practices Analyzer (BPA) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Migrating . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Upgrading Active Directory . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . The Answer File . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Exchange Updates . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . The Migration Process . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Installing SBS 2008 in Migration Mode . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . The Migration Wizard . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . The Bottom Line . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
53 54 55 55 57 59 59 59 61 61 62 64 65 67 67 67 67 68 68 70 72 72 72 76 78
CONTENTS
Chapter 4
•
Implementing a DNS Name Server and File Sharing with SBS 2008 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 79
The Domain Name System . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 79 Anatomy of DNS . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 80 Manual DNS Entries . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 81 DNS Resolution Process . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 82 DNS Queries . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 84 DNS Zones . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 85 DNS Record . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 87 Implementing File Sharing . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 93 Default Shares . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 94 Creating a New Share . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 98 The Distributed File System . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 103 DFS Namespaces . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 104 DFS Replication . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 104 DFS Limitations . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 104 Setting Up DFS . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 105 DFS Management . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 108 DFS Replication Groups . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 108 The File Server Resource Manager . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 110 The Bottom Line . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 113
Chapter 5
•
Configuring and Administering Active Directory with SBS 2008 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 115
Active Directory Structure . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Sites . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Forests . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Domains . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Active Directory Objects . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Organization . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Object Types . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . SBS Business Design Models Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Flexible Single Master Operations . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Domain Operations Masters . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Forest Operations Masters . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Limitations on FSMO Roles . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Organizational Units . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . OU Design . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Creating OUs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Managing OUs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Renaming and Deleting OUs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Understanding Inheritance . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Delegating OUs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . OU Grouping and Subgrouping . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Creating Objects with Active Directory . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
115 116 117 117 118 118 119 119 120 120 121 121 122 123 123 125 127 127 128 131 133
xiii
xiv
CONTENTS
Large Object Actions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . LDIFDE.exe . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . CSVDE.exe . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . The Bottom Line . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
Chapter 6
•
Configuring and Managing Groups and User Accounts with SBS 2008 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 143
Group Structure with SBS 2008 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Security Groups . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Distribution Groups . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Group Scopes . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Group Membership . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Default Groups . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Nesting Groups . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Local Groups . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Creating a Group Strategy . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Planning Group Layouts . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Creating Users and Groups with SBS 2008 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Administering Security Groups with SBS 2008 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Creating Distribution Groups . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Administering Distribution Groups . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Security Permissions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Permissions Lists . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . File and Folder Permissions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Assigning Security Group File Permissions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Folder Sharing . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . The Bottom Line . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
Chapter 7
•
135 136 140 140
143 143 144 145 146 146 150 150 150 151 152 157 160 162 164 164 165 169 170 170
Managing Group Policy with SBS 2008 . . . . . . . . . . . . . . . . . . 171
The History of Group Policy . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Why We Use Group Policy with SBS . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Group Policy Objects . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Group Policy Links . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Administering Group Policy . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Planning . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Design . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Deploy . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Maintain . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Special Uses of Group Policy . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Software Deployment . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Group Policy Preferences . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Group Policy Results . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . The Bottom Line . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
171 172 172 173 173 174 175 179 184 189 189 191 193 193
CONTENTS
Chapter 8
•
Backing Up and Performing Disaster Recovery . . . . . . . . . . . . 195
RAID . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Software RAIDs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Hardware RAIDs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . RAID Configurations . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . RAID 0 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . RAID 1 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . RAID 5 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Hybrid (RAID 01) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Backup Media Types . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . External Disks . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Tape Backup . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . SAN/NAS . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Direct Attached Storage . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Implementing a Backup Strategy . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Windows NT Data . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Exchange/SQL Server Backup . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Noncritical Business Data Backup . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Unsorted/Extra Files . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Restoring SBS 2008 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Simple File Recovery . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Bare-Bones Recovery . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . The Bottom Line . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
Chapter 9
•
195 196 197 198 198 198 199 200 201 201 203 205 208 208 209 211 211 212 212 212 212 216
Remote Access, Security, and Adding Servers with SBS 2008 . . 217
Reasons to Add a Server . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . What Is Clustering? . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Types of Clusters in the ‘‘Full’’ Windows Server 2008 Edition . . . . . . . . . . . . . . . Alternatives to Clustering with SBS . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Adding a Second Server . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Domain Controllers and Their Roles . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Introduction to Remote Access . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Introduction to Encryption . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Basic Ciphers and Encryption/Decryption . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Common Encryptions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Asymmetric and Symmetric Encryption . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Methods of Access . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . VPNs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Types of VPNs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Setting Up a VPN . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Enabling Groups to Use the VPN . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Connecting to the VPN . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Using Remote Desktop Protocol . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
217 218 219 220 222 223 224 224 225 226 228 229 229 229 231 232 232 234
xv
xvi
CONTENTS
Introducing the Remote Web Workplace . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Prerequisites . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Assigning Users . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Setting Up Access . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Accessing Remote Web Workplace . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Using the Remote Web Workplace . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Terminal Services Gateway . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . The Remote Web Workplace Gadget . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Customizing Remote Web Workplace . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . The Bottom Line . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
Chapter 10
•
Configuring Exchange Server 2007 for Small Business . . . . . . 245
Limitations of Exchange Server for Small Business . . . . . . . . . . . . . . . . . . . . . . . . . . . SMTP . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . The Hub Transport Server Role . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Mail Flow . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Categorization . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Routing . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Delivery . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Transport Rules Agent . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Journaling Agent . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . The Mailbox Server Role . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . MAPI . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . The Client Access Server Role . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . POP3 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . IMAP4 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Outlook Web Access . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . ActiveSync . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . The Unified Messaging Server Role . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . The Edge Transport Server Role . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Journaling . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Common Regulations . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . The Journaling Process . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . The Exchange Management Console . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . The Toolbox . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Mailbox Tasks with the EMC . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Client Access Tasks with the EMC . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . The Exchange Management Shell . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . EMS Features . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . EMS Commands . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . The Bottom Line . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
Chapter 11
•
236 237 237 237 238 239 240 241 241 243
245 246 248 248 248 249 249 250 250 250 251 252 252 252 252 253 253 255 255 255 256 256 259 262 263 265 265 266 268
Managing Clients, Troubleshooting, and Recovering from Disaster with Exchange for SBS . . . . . . . . . . . . . . . . . . 269
Exchange Server Clients . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 269 Outlook 2007 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 270
CONTENTS
Entourage . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 270 Alternatives . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 270 External Access to Email . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 271 Outlook Anywhere . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 271 Outlook Web Access . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 273 ActiveSync . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 274 New Features in ActiveSync for Exchange Server 2007 . . . . . . . . . . . . . . . . . . . . . 274 Using ActiveSync . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 275 ActiveSync Security . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 275 Database Structure and Recovery . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 276 File Structure of the Exchange Store . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 276 Exchange Server Transaction Logging . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 277 Backing Up Exchange Server Completely . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 280 Restoring Exchange Server from Full Backup . . . . . . . . . . . . . . . . . . . . . . . . . . . . 281 Creating a ‘‘Recovery’’ for Backup . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 281 Creating a Recovery Storage Group . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 282 Mounting the Recovered Database for Merging . . . . . . . . . . . . . . . . . . . . . . . . . . . 283 Recovering Corrupted Databases . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 284 Merging the Mailboxes . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 284 Troubleshooting Mailflow . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 285 Overview of Mailflow . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 285 SMTP Connectors . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 286 Message Transportation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 286 Submission Queue . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 286 Store Driver . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 287 Microsoft Exchange Mail Submission Service . . . . . . . . . . . . . . . . . . . . . . . . . . . . 287 Pickup Directory . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 287 Categorizer . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 287 SMTP Errors . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 287 SMTP Error 450: Requested Mail Action Not Taken: Mailbox Unavailable . . . . . . 288 SMTP Error 553: Requested Action Not Taken: Mailbox Name Not Allowed . . . . 289 Error 452: Requested Action Not Taken: Insufficient System Storage . . . . . . . . . . 289 Error 512: The Host Server for the Recipient’s Domain Name Cannot Be Found (DNS Error) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 289 The Bottom Line . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 289
Chapter 12
•
Introducing SQL Server . . . . . . . . . . . . . . . . . . . . . . . . . . . . 291
What Is SQL Server? . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . SQL Server Editions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . SQL Server Features . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . How Does SQL Server Fit in with Small Business Server? . . . . . . . . . . . . . . . . . . . . . Installing and Configuring SQL Server . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Installation and Licensing Requirements . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Installing SQL Server . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Using SQL Server . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Logging into SQL Server . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
291 292 294 295 296 296 297 306 306
xvii
xviii CONTENTS
Using SQL Server Management Studio . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Creating a Database . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Creating Tables in a Database . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Inserting Data into a Database . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Viewing Data in a Database . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Administering SQL Server . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Managing SQL Server Services . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Backing Up a SQL Server Database . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Moving SQL Server Databases . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . The Bottom Line . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . •
Chapter 13
Using SharePoint with Your Small Business Server . . . . . . . . 325
Overview of SharePoint Usage . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . SharePoint Components . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Network Components of SharePoint . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Initially Configuring SharePoint . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Companyweb . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Initial Setup . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Moving SharePoint Data to Another Location . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Checking the Configuration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Performing SharePoint Administration Tasks . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Creating a New SharePoint Website . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Configuring Settings . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . IIS Web Site . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Security Configuration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Load Balanced URL . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Application Pools . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Reset Internet Information Services . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Database Name and Authentication . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Search Server . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Creating the Site . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Server Operations . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Configuring Workflow Settings . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Setting Up Web Applications . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Setting Up User-Defined Workflows . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Setting Up Workflow Task Notifications . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Enabling Antivirus . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Configuring Backup and Restore . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Restoring from Backup . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Troubleshooting Backup and Restore . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Setting Up SharePoint Jobs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Editing Your SharePoint Site . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . The Bottom Line . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
Appendix
•
307 310 312 315 316 317 317 318 321 323
326 326 328 329 329 329 330 331 332 333 333 334 335 335 335 336 336 336 336 337 337 338 338 338 338 338 340 341 343 345 347
The Bottom Line . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 349
Chapter 1: Installing Windows Small Business Server 2008 . . . . . . . . . . . . . . . . . . . . 349
CONTENTS
Chapter 2: Setting Up and Utilizing an SBS 2008 Network . . . . . . . . . . . . . . . . . . . . . 349 Chapter 3: Migrating and ‘‘Upgrading’’ to Small Business Server 2008 . . . . . . . . . . . 351 Chapter 4: Implementing a DNS Name Server and File Sharing with SBS 2008 . . . . . 352 Chapter 5: Configuring and Administering Active Directory with SBS 2008 . . . . . . . 353 Chapter 6: Configuring and Managing Groups and User Accounts with SBS 2008 . . 354 Chapter 7: Managing Group Policy with SBS 2008 . . . . . . . . . . . . . . . . . . . . . . . . . . . 354 Chapter 8: Backing Up and Performing Disaster Recovery . . . . . . . . . . . . . . . . . . . . 355 Chapter 9: Remote Access, Security, and Adding Servers with SBS 2008 . . . . . . . . . . 356 Chapter 10: Configuring Exchange Server 2007 for Small Business . . . . . . . . . . . . . . 357 Chapter 11: Managing Clients, Troubleshooting, and Recovering from Disaster with Exchange for SBS . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 358 Chapter 12: Introducing SQL Server . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 360 Chapter 13: Using SharePoint with Your Small Business Server . . . . . . . . . . . . . . . . 361 Index . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 363
xix
Introduction The book you have in your possession is the culmination of a lot of work from thousands of people, from the original programmers at Microsoft to the team at Sybex that helped put it together. From the first days of Windows, Microsoft strived to create an easy-to-use and helpful program that would be available and accessible to anyone who wanted to use and own a computer. Today, the person Microsoft is focusing upon is the small-business owner. For the small-business owner or the information technology consultant, Small Business Server 2008 provides an easy-to-use and exceptionally powerful platform that can do just about anything of which a large business is capable. If you’ve wanted to learn more about Active Directory, Exchange for Small Business, SharePoint, or SQL, then this is the book for you. This book has been designed from the ground up to provide thorough coverage of Small Business Server’s many features and technologies so that you can easily use it in a small-business environment. The approach this book takes is to analyze each of the full-bodied features of Small Business Server and discuss how they’re implemented, as well as how they differ from the full editions of Windows Server 2008. Instead of focusing on a medium or large enterprise, this book is entirely focused upon the small business’s goal of ‘‘getting the job done’’ in the fastest and most elegant way possible. Throughout this book, I’ve assumed that you are either a small-business owner or an IT professional consulting with a small business. In other words, the book is written from that perspective. It doesn’t spend a lot of time describing the intricacies of every system, but it does cover all the aspects of Windows Small Business Server in a method that will allow you to administer it easily.
Who Should Read This Book This book is designed for anyone who wants to learn more about Microsoft Windows Small Business Server or Microsoft products in general. Specifically, you should read this book if you are any of the following: ◆
An IT professional who wants to know what is new to Small Business Server 2008 and the technologies it brings to the Microsoft Windows Server family of operating systems
◆
A small-business owner who likes to do your own administration and IT work
◆
An end user who wants to move from the desktop administration side of IT to the server side
xxii
INTRODUCTION
Overall, this book is designed for just about anyone. If you have an interest in Small Business Server, you’d do well to read this book. It will further your knowledge of the product and help you become a more informed information technology professional.
What You Will Learn In this book you’ll learn about the following: ◆
Microsoft Exchange
◆
Active Directory
◆
SQL Server 2008
◆
SharePoint Server
◆
Internet Information Services
What You Need To properly use both this book and the software that is described and utilized in this book, you will need to have a server or virtual machine that meets the operating system requirements for Windows Small Business Server 2008. These requirements include the following: ◆
A 64-bit processor of at least 2GHz (1.5GHz for multicore)
◆
At least 4GB of RAM (preferably more)
◆
60GB of hard disk space
◆
A fax modem (optional)
You do not need to own a licensed copy of Small Business Server 2008 to test everything in this server, but to use it in a production environment you will need to use a licensed server in order to be legally compliant.
The Mastering Series The Mastering series from Sybex provides outstanding instruction for readers with intermediate and advanced skills, in the form of top-notch training and development for those already working in their field and clear, serious education for those aspiring to become pros. Every Mastering book features the following: ◆ The Sybex ‘‘by professionals for professionals’’ commitment. Mastering authors are themselves practitioners, with plenty of credentials in their areas of specialty. ◆
A practical perspective for a reader who already knows the basics — someone who needs solutions, not a primer.
◆
Real-world scenarios, ranging from case studies to interviews, that show how to apply the tool, technique, or knowledge presented in actual practice.
◆
Skill-based instruction, with chapters organized around real tasks rather than abstract concepts or subjects.
◆
Self-review ‘‘Master It’’ problems and questions, so you can be certain you’re equipped to do the job right.
INTRODUCTION xxiii
What Is Covered in This Book Mastering Microsoft Windows Small Business Server 2008 includes the following chapters: Chapter 1, ‘‘Installing Windows Small Business Server 2008,’’ takes you through the steps of installing Windows Small Business Server 2008 and all that’s required to do so. Chapter 2, ‘‘Setting Up and Utilizing an SBS 2008 Network,’’ takes you all the way through setting up a Small Business Server 2008 network, including DHCP. Chapter 3, ‘‘Migrating and ‘Upgrading’ to Small Business Server 2008,’’ will teach you how to move from your old version of Microsoft Windows Server to SBS 2008, including how to migrate your Active Directory objects. Chapter 4, ‘‘Implementing a DNS Name Server and File Sharing with SBS 2008,’’ will show you how to set up DNS and shared folders for your small-business server in order to support shared files for your users. Chapter 5, ‘‘Configuring and Administering Active Directory with SBS 2008,’’ will take you through the process of administering and managing Active Directory objects, including users, computers, and printers. Chapter 6, ‘‘Configuring and Managing Groups and User Accounts with SBS 2008,’’ teaches you how to manage Active Directory security groups and create a proper group topology for your end users. Chapter 7, ‘‘Managing Group Policy with SBS 2008,’’ shows you how to create GPO objects and link it to your Active Directory infrastructure in order to control user behavior. Chapter 8, ‘‘Backing Up and Performing Disaster Recovery,’’ show you how to protect your data and quickly recover from any unfortunate circumstances that might strike your small business. Chapter 9, ‘‘Remote Access, Security, and Adding Servers with SBS 2008,’’ shows you how to set up SBS 2008 to allow remote access from multiple users across the world with transparent functionality. Chapter 10, ‘‘Configuring Exchange Server 2007 for Small Business,’’ nents of Exchange as they function within SBS 2008.
explains the compo-
Chapter 11, ‘‘Managing Clients, Troubleshooting, and Recovering from Disaster with Exchange for SBS,’’ shows you how to properly administer your Windows server. Chapter 12, ‘‘Introducing SQL Server,’’ provides a general overview of SQL Server and explains how it fits in with the SBS environment, how to install it, and how to use and administer it. Chapter 13, ‘‘Using SharePoint with Your Small Business Server,’’ allows you to utilize SharePoint features with SBS 2008, including how to manage your web portal.
How to Contact the Author I welcome feedback from you about this book or about books you’d like to see from me in the future. You can reach me by writing to
[email protected]. Sybex strives to keep you supplied with the latest tools and information you need for your work. Please check its website at www.sybex.com, where we’ll post additional content and updates that supplement this book if the need arises. Enter small business server in the Search box (or type the book’s ISBN — 9780470503720), and click the link to get to the book’s update page.
Mastering Microsoft® Windows® Small Business Server 2008
Chapter 1
Installing Windows Small Business Server 2008 Hello and welcome to Mastering Windows Small Business Server 2008. Chances are if you’ve picked up this book, you fall into one of two very distinct groups. If you’re in the first group, you’re a Windows or network administrator, and you’re looking to expand your horizons into the realm of Windows Small Business Server. The second group is the majority of Windows Small Business Server users, which includes junior admins, help-desk support personnel, and the occasional ambitious small-business owner who would like to expand their knowledge of Windows Small Business Server and understand the piece of information technology that will run the majority of their business. Regardless of which group you fall into, this chapter will familiarize you with Windows Small Business Server 2008’s basic requirements and its installation procedures. In this chapter, you will learn to ◆ Identify the requirements of Windows Small Business Server 2008 ◆ Install Windows Small Business Server 2008
Windows Small Business Server 2008 Overview The most beautiful part of Windows Small Business Server 2008 is that, on the surface, when you first start to use it, it’s very difficult to tell apart from Windows Server (other than the huge splash screen identifying it as Windows Small Business Server 2008 when you start it). Most of the icons, tabs, start buttons, and everything else you’ve become familiar with are still right where you left them. This is done intentionally. In Microsoft’s opinion (and in mine), it’s a good idea to get small businesses running on Windows Small Business Server so they will be ready to upgrade and expand to the full catalog of Windows Server products when they’re ready to do so. To make this easier, Microsoft starts the customer with a full catalog of products, easily rolled into one server. Unlike many other server products, Windows Small Business Server 2008 isn’t just an operating system. Instead, it’s an entire productivity suite. In the next section,
2
CHAPTER 1 INSTALLING WINDOWS SMALL BUSINESS SERVER 2008
I’ll carefully examine the products available with Windows Small Business Server (SBS) 2008 and Microsoft’s comparative products offered with Windows Server 2008 Standard, Enterprise, Datacenter, and Web edition.
What’s Included in SBS 2008? Windows Small Business Server 2008 comes with a whole lot of toys, bells, and whistles. In fact, so many features are available that Windows Small Business Server has been broken up into two editions: Small Business Server 2008 Standard and Small Business Server 2008 Premium. Let’s review the differences now: Windows Small Business Server 2008 Standard ◆
Windows Server 2008 Standard Technologies
◆
Microsoft Exchange 2007 Standard Edition
◆
Windows SharePoint Services 3.0
◆
PowerShell
◆
Windows Server Update Services 3.0
◆
Microsoft Forefront Security for Exchange Server
◆
Integration with Office Live Small Business
Windows Small Business Server 2008 Premium ◆
All of the above, plus Microsoft SQL Server 2008 Standard for Small Business
Let’s talk about all the major aspects of Windows Small Business Server 2008 first, line by line. I’ll save a discussion of Server Update Services, Microsoft Forefront Security for Exchange Server, and Integration with Office Live Small Business for later in this chapter.
Windows Server 2008 Standard Technologies What Microsoft means by ‘‘Standard’’ is that every edition of Windows Small Business Server 2008 comes with the ability to create, administer, and utilize the basic aspects of Windows Server such as creating accounts, adding computers, and organizing Active Directory for your business. This is really important to note, because a recurring theme with Windows Small Business Server 2008 is that it really is quite similar to the full-blown version of the Windows Server 2008 suite.
Microsoft Exchange 2007 Standard Edition Quite possibly the biggest feather in Small Business Server’s cap is that it contains a live and fully integrated version of Microsoft Exchange Server 2007. And that’s because Exchange Server is a really, really big deal. Microsoft Exchange is the server technology that Microsoft-based businesses use to send and receive email. Using Exchange, businesses have instant access to email through a robust and efficient platform that supports the exchange of emails through the enterprise. If purchased separately, Exchange 2007 can be quite expensive. But with SBS 2008, business owners can set up a simple ‘‘one-stop shop’’ for their entire organization’s email. It even includes a web client!
WINDOWS SMALL BUSINESS SERVER 2008 OVERVIEW
Windows SharePoint Services 3.0 In 2008 and 2009, Windows administrators have been raving nonstop about SharePoint. But that’s because it actually is really useful for any given business. Boiled down, SharePoint gives a business the ability to launch a simple and fully functioning web portal that can be used to exchange Office files, set up blogs, support intranet websites, and just generally serve as a point of reference for multiple employees.
PowerShell One of the best new features of SBS 2008 is the incorporation of the Windows PowerShell using cmdlets (pronounced ‘‘commandlets’’). These cmdlets enable administrators to quickly execute multiple commands in a lightweight command interface. However, most SBS 2008 users don’t use scripting, so in this book, I will only briefly touch on a few commands throughout the remaining chapters.
Microsoft SQL Server 2008 Standard for Small Business If you cut through a lot of the marketing associated with SBS 2008, you’ll find that the real advantage of SBS 2008 over competing platforms is that it contains a ton of very useful and very powerful features. Additionally, it contains what is arguably the most versatile database solution possible — that is, if you purchase the Premium edition. This powerful feature included with SBS 2008 Premium is Windows SQL Server 2008 for Small Business. Structured Query Language (SQL) is a language reserved for retrieving, inserting, and manipulating data in a database. With SQL, businesses can launch multiple applications and lines-of-business solutions that use a large amount of data. I’ll go into more depth on SQL Server 2008 in Chapter 11, but for right now, I’ll go over a simple example of how you might use SQL Server 2008 for Small Business. Say you wanted to make a site called RosesAndGardens.com. With SBS, you could launch this site through Small Business Server and then begin serving users through it. But, without a way to store data on that website, you’d have no way to collect customer information, store various products, or sell anything. And that’s where SQL Server 2008 comes in. Using that, a small business can create a simple ecommerce store, begin to collect data, and run the entire operation through their one server. With SQL Server 2008, SBS 2008 becomes a complete line-of-business (which is just a fancy term for ‘‘required to do business’’) platform that can, by itself, serve as an entire business. Pretty neat, eh?
Free Trial of SBS 2008 If you are interested in learning more about SBS 2008 through this book but you don’t necessarily want to purchase a license for it through Microsoft (or just can’t afford it quite yet with your small-business budget), you can download a free trial of SBS 2008 through Microsoft.com. As of this book’s publication, it’s available in the Small Business Server area of its website. Just remember the following: ◆
The trial lasts 120 days.
◆
You can upgrade the trial edition to the full edition without reinstalling.
◆
No features are turned off during the trial.
3
4
CHAPTER 1 INSTALLING WINDOWS SMALL BUSINESS SERVER 2008
Limitations of Small Business Server 2008 Now that you know about the advantages and power of Small Business Server 2008, it’s time to talk about the limitations. After all, Microsoft can’t give away everything with a small-business product. So, without further ado, here are the limitations specified by Microsoft TechNet: ◆
Small Business Server 2008 doesn’t support more than 75 users or devices. Unless you upgrade from Small Business Server, this number is an absolute. But keep in mind, 75 employees is a lot of employees! A ‘‘medium-sized’’ business is a business that has more than 50 employees, according to the Microsoft mind-set.
◆
The SBS 2008 Standard edition server must be the root domain controller of the forest. This isn’t necessarily a big deal, but it means you can’t join an SBS 2008 Standard server to a complex Enterprise edition environment and thus correspondingly benefit from all the contained features. Microsoft disallows this because it suspects if you’re doing this, you are probably just trying to get out of paying for the entire the product line.
◆
The SBS 2008 Standard edition server must hold the flexible single master operations (FSMO) roles. This is another hard-lined rule, but it effectively means that the Small Business Server must be ‘‘in charge’’ of its network.
◆
The SBS 2008 Standard edition server must be a global catalog: Similar to FSMO, the Small Business Server needs to be the main global catalog for the enterprise.
◆
There can be no interforest trusts or child domains. The real restriction here is that this means Small Business Server 2008 can’t be joined or attached to extra forests or child domains, and thus it can’t be used for large-scale expansion.
◆
Terminal Services Application Mode is disabled on SBS 2008 Standard edition server. This is a real limitation compared to Windows Server 2008 Standard or Enterprise edition. The use of Terminal Services has become popular of late, and removing these features is a real inhibitor. However, not all Terminal Services features are unavailable. For one, users can still utilize Remote Desktop.
◆
The Premium edition server must be a member server or an additional domain controller of an SBS 2008 network. This is not really an inhibitor, but this does mean that the Premium server requires a bit more licensing.
If you remember from a bit earlier, I mentioned that Windows Small Business Server 2008 comes with Forefront Security and Windows Live OneCare. Well, that’s true. It does come with
UPGRADING TO WINDOWS SMALL BUSINESS SERVER 2008
versions of them. Unfortunately, the ‘‘gotcha’’ is that they are only 120-day trials. It’s a little misleading, but these components don’t come ‘‘off the shelf’’ with Small Business Server 2008. Additionally, there are a few other hardware and SBS 2008–specific limitations, discussed in the following sections.
Network Cards On the books, both the Premium and Standard editions of SBS 2008 are designed to use only one network card. If you are using more than one network card, Microsoft recommends that you install the Premium edition of SBS 2008. A second network card isn’t necessarily unsupported, but it’s not recommended. This is a pretty big change from SBS 2003, and not necessarily a positive one. Several common installations of SBS include attaching network attached storage, which may require multiple network interface cards (NICs). Additionally, using DHCP is fairly difficult to do without having multiple NICs, though it is possible.
Proxy Servers Although most small businesses don’t use them, it’s important to note that SBS 2008 doesn’t support Microsoft Internet Security and Acceleration Server (ISA). However, you can place an ISA server in the perimeter network and connect the separate server (running its own ISA server licenses) to the SBS 2008 server so that the SBS 2008 server can use the ISA server as a proxy.
Removal of the MMC This is the one limitation that irks most administrators. With SBS 2008, there is no longer any sort of Microsoft Management Console. Instead, SBS 2008 relies on a ‘‘task-based’’ system that is designed to be as quick and easy as possible for novice users. However, this can create some small problems for administrators who aren’t familiar with some of the decisions that SBS 2008 decides to make during its task process.
Supported Client Operating Systems If you’re working by the book, to connect to a SBS 2008 domain controller, you must be running Microsoft Vista or Windows XP. However, installs with Windows Server operating systems (such as Windows 2000 Server, Windows Server 2003, and Windows Server 2008) are possible, so long as these installs are just joining the domain controller as individual machines and not acting as central parts of the domain or forest. Later, in Chapter 4 on Active Directory, I’ll go over the process of joining clients to the domain controller and how that’s achieved with Windows Small Business Server 2008.
Upgrading to Windows Small Business Server 2008 One of the major limitations of Windows Small Business Server 2008 is that you can’t just upgrade from one version to another. Instead, to upgrade to SBS 2008, you have to migrate user accounts from one Windows version (that is, SBS 2003 or Windows Server 2003) to another.
5
6
CHAPTER 1 INSTALLING WINDOWS SMALL BUSINESS SERVER 2008
This can prove to be a bit tedious, but it’s set up this way because there are some very dramatic differences between SBS 2008 and SBS 2003 — or any other given edition of Windows, for that matter. No other edition has quite held the range and scope of applications and features, so it doesn’t exactly ‘‘play well with others.’’ (I’ll cover upgrading in more detail in Chapter 3.)
Special Installation Types SBS 2008 includes several special types of installations with Premium edition, including Server Core and a Read-Only Domain Controller.
Windows SBS 2008 Server Core It may come as a surprise, but SBS 2008 supports Server Core — that is, of course, if you purchase the Premium edition. Just in case you’re unfamiliar with it (since Server Core is new to Windows Server 2008), Server Core represents a lightweight, command-line-only server installation that is used to provide a fairly quick and stable installation of Windows Server. You might be wondering why you would want a Server Core installation of SBS 2008. The answer is that, unless you’re using Premium edition, you probably wouldn’t. But, if you are, there are some advantages to running a Premium edition server without a GUI. In the long run, administrators of smaller networks don’t tend to mess around much with command-line installations because the overhead involved with it is drastically more time-consuming than using the GUI. In case you’re wondering what Server Core mode looks like, check out Figure 1.1.
Figure 1.1 Windows Server Core installation
Windows SBS 2008 Read-Only Domain Controller Another fancy feature from Windows Server 2008 Standard edition that is transferred over to the new SBS 2008 is the ability to use SBS 2008 as a Read-Only Domain Controller. This is really convenient for users looking to deploy a Premium edition copy of SBS 2008 in an exposed area. It allows users to look at, but not alter, Active Directory and use its features.
Installing Windows Small Business Server 2008 Upon purchase or receipt of Windows Small Business Server 2008, you will receive a DVD that contains the master installation DVD files. This DVD is bootable and usually contains a
INSTALLING WINDOWS SMALL BUSINESS SERVER 2008
hologram from Microsoft to signify its authenticity. To install SBS 2008, you have to insert this DVD into a DVD-ROM drive, select the DVD-ROM drive as a priority bootable device in the device selection menu of your computer’s BIOS, restart your server, and then boot from the DVD at the prompt ‘‘Press any key to boot from CD or DVD.’’ At this point, you’ll be able to begin the installation. Keep in mind that Windows SBS 2008 has the installation requirements shown in Table 1.1
Table 1.1:
SBS 2008 Requirements
Component
Requirement
Processor
2GHz x64 or faster
Memory
4GB minimum, 32GB maximum
Disk space
60GB minimum
For any additional Premium servers, there is a supported 32-bit version, but it’s recommended that you just install the 64-bit version. Additionally, keep in mind that if you’re an advanced IT user and you’re just testing SBS 2008 to keep up your knowledge base, the 64-bit installation of SBS requires a 64-bit processor with virtualization technology in order to be installed on VMware installs. (I’ll cover virtualization in Chapter 9.) For your reference, you can find a list of Intel’s supported processor list on Intel.com, and you can find AMD’s processor list on AMD.com. When you begin installing SBS 2008, you’ll first be greeted with the initial installation screen, as shown in Figure 1.2.
Figure 1.2 SBS 2008 initial install screen
7
8
CHAPTER 1 INSTALLING WINDOWS SMALL BUSINESS SERVER 2008
As you go through the installation, the progress bar will continue to move along in amounts corresponding to how far you’ve gotten. Along the way, you may see a few completely black screens or pauses. You will become intimately familiar with this screen throughout your course of interacting with SBS 2008. Keep in mind that SBS 2008, like any other version of Windows, requires a great deal of interaction (and reboots) in order to function properly. Chances are that if you’re an attentive administrator, you’ll sit through many a reboot. You should also note that the first time you install Windows there will be one last screen that might strike you as unfamiliar. Well, at least it surprised me to see it the first time. For lack of a better term, I’ll call it the ‘‘setting up screen.’’ You can see it in Figure 1.3.
Figure 1.3 The setting up screen
This screen can take several minutes, so don’t be alarmed if SBS 2008 pauses here for a long period of time. After this initial and relatively painless install, SBS 2008 begins the user-specific setup process. What’s really nice about this process, as opposed to previous iterations of Windows SBS, is that SBS 2008 asks you questions only after the installation is complete. This is a big change from Windows XP, where you had to occasionally click installations over and over again. Personally, I can’t even imagine how many times I’ve clicked Next during Windows installs knowing full well that I’d have to click Next again in another 10 minutes.
Manufacturer Installations A good share of Windows SBS 2008 servers are bought straight from the manufacturer with SBS 2008 preinstalled. In this case, most manufacturers will install SBS 2008 to this point and then leave the remainder of the installation up to the user, because it is, for the most part,
SBS 2008 INITIAL SETUP
self-explanatory. As a system administrator, you can sometimes choose to set up a server in this very same manner and then leave the rest to the business owner. Alternatively, as a business owner, you can for the most part disregard the essentials of the installation process up until this point. However, if you ever have to reinstall, you may want to familiarize yourself with it.
SBS 2008 Initial Setup Once the official installation process has completed, SBS 2008 will take you through seven screens that allow you to customize your installation: ◆
Time zone
◆
Company information
◆
Server/network
◆
Administrator setup
◆
Security services
◆
Summary
For the most part they’re self-explanatory, but because each of them has a few hidden warnings behind them, I’ll go through each menu one at a time.
Time Zone OK, I know what you’re thinking: ‘‘This guy included an entire section on the time zone?’’ And the answer is yes, but for good reason. There really isn’t a single greater nightmare to the mindful administrator than a change in the time. A change in time can impact the following: ◆
Email synchronization
◆
Email blasts/sent items
◆
Websites/ecommerce
◆
User login times
◆
Group Policy
◆
Application filters
◆
About 100 other administrator nightmares
When you get to the screen you see in Figure 1.4, you’ll be able to click the blue text that says Open Date And Time To Verify The Clock And Time Zone Settings. By clicking this, you’ll be able to set up the time zone and also make sure Windows is set up to synchronize itself with the master clock. This is really useful in case something happens to the time that you’re not aware of, like the President changing the rules regarding when daylight saving time happens. Other than that, all you have to do is set the time zone and then click Next.
9
10
CHAPTER 1 INSTALLING WINDOWS SMALL BUSINESS SERVER 2008
Figure 1.4 Time zone settings
Company Information On the Company Information screen, shown in Figure 1.5, an administrator can specify the company name and address, which is used in various places throughout the system settings. Unlike the time zone settings, there are no real cautions or warnings expressed or implied here.
Server/Network This is where the fun begins! When the screen in Figure 1.6 appears, you assign your local server a server name and then your local domain a name. As it says on the screen, a local domain is not an Internet domain name. However, normally they are quite similar. For example, I may own the domain intellicorp.com, but I will also use the intellicorp local domain for my user’s logon. It’s not only easy to remember but also convenient. I’ll talk more about Windows local domains when we get to Chapter 5 on Active Directory, but for now just choose a name. Further, it’s a good idea to name your server something that can be incremented. I like the convention of OfficeSvr1, OfficeSvr2, and so on, because it leaves room for expansion.
Administrator Setup On the next screen, you create a network administrator account. The network administrator account is really one of the most powerful accounts in the whole server. It has the ability to administer the server as well as create user accounts and add computers. When creating your user account, make sure the name of the account is easy to remember (I use sjohnson, for example), and then choose your password. Unfortunately, passwords are more difficult and should not necessarily be easy to remember. A good trick to use is to pick a common word and then substitute numbers and special characters for vowels. Here’s an example:
SBS 2008 INITIAL SETUP
Provinces Pr0v!nc3s
Figure 1.5 Company Information screen
Figure 1.6 Server and network assignment screen
11
12
CHAPTER 1 INSTALLING WINDOWS SMALL BUSINESS SERVER 2008
This allows you to remember relatively easily what the password is and to just use some simple substitution that you can think of in your head. Keep in mind that Windows SBS 2008 likes you to use more than seven letters, as well as a number and at least one special character. If you don’t, Windows will give you a warning message, which you can see at the bottom of the user account creation page in Figure 1.7. Notice at the bottom it asks for ‘‘3 of the following 4 types of characters: A–Z, a–z, 0–9, and symbols.’’ But just about any good password will contain those items.
Figure 1.7 Network administrator account creation page
Security Services Security, security, security. If there’s one major change that’s been made in all the editions of Windows Server 2008, it’s the addition of major security features. And SBS 2008 is no exception. Windows Small Business Server 2008 comes with two specific security features: ◆
Windows Live OneCare for Server
◆
Microsoft Forefront Security for Exchange Server
In Chapter 12 I’ll go over both of these security features in more detail, so for now I’ll give you just a basic overview of the features you’ll install on the screen shown in Figure 1.8.
SBS 2008 INITIAL SETUP
Figure 1.8 Security services installation screen
Windows Live OneCare for Servers Windows Live OneCare for Servers is effectively a firewall, antivirus, antispyware, and overall monitoring program for Windows Server. Through its use, Windows administrators are relieved of some of the burden involved with the upkeep of a server. Microsoft Forefront Security for Exchange Server This program, utilized with Microsoft Exchange Server for SBS 2008, monitors email for known viruses, file attachments, and other malicious software. Through its use, SBS looks after your network to make sure no unauthorized material can enter your network.
Summary Once you’ve gone through all the main installation screens, a summary screen, as shown in Figure 1.9, will appear and confirm the changes you are making. Keep in mind, you will not be able to change the server name or the internal domain name once you pass this screen! Once you click Next, Windows will begin the final installation process and start to extract files to complete its final installation steps. This can take a long time, sometimes as long as 30 minutes to an hour. Of course, the faster your computer is, the faster the installation is going to complete. But during the process, you’ll see a progress monitor bar. Assuming everything proceeded correctly, once you’ve completed your installation, you should see a login screen that looks like Figure 1.10.
13
14
CHAPTER 1 INSTALLING WINDOWS SMALL BUSINESS SERVER 2008
Figure 1.9 Installation summary screen
Figure 1.10 Initial logon screen
THE WINDOWS SBS CONSOLE
Ctrl+Alt+Delete As most people know, the old-fashioned way that people used to make Windows reboot when it stopped working was to hit Ctrl+Alt+Delete. It was actually a back door left by a programmer in case he needed to reboot the machine from an error. Unfortunately, it became common knowledge and part of the service manual. With Windows 95, Bill Gates decided he didn’t like the association of his software not working properly and made Ctrl+Alt+Delete the Windows logon and the process by which the Task Manager opened.
If everything was done properly, you’ll be requested to enter your network administrator password. However, if something didn’t go right, you may have to log on to your local administrator account and configure your network settings. In fact, chances are that you may have to do this anyway if your company uses static networking.
The Windows SBS Console Once you’ve logged in for the first time, you’ll be greeted with the Windows SBS Console, as shown in Figure 1.11. The Windows SBS Console is the central command point of SBS 2008, and it can be used to configure just about every aspect of Windows SBS 2008. In effect, it is a very, very useful administration tool.
Figure 1.11 The Windows SBS console
15
16
CHAPTER 1 INSTALLING WINDOWS SMALL BUSINESS SERVER 2008
For those of you who are already Windows administrators, keep in mind that the standard Server Manager is not available with SBS 2008. Instead, you use the SBS command console for just about everything, as you’ll see throughout the rest of this book. The reasons behind the decision to remove the Server Manager are pretty easy to understand. If you think about it, the Server Manager isn’t exactly the most user-friendly tool on the planet. It’s a little bulky and not very pleasant to look at. The SBS 2008 console, on the other hand, is simply awesome looking and very easy to use. No thought required. Now, let’s get started using it.
Addressing Alerts, Warnings, and Concerns With SBS 2008, Microsoft tried to take the thinking out of a lot of major concerns with the simple summary screen shown in Figure 1.12. There, you can see four major concerns: Security, Updates, Backup, and Other (general) alerts. Let’s start with the easiest thing first — updates.
Figure 1.12 Networking Essentials Summary screen
Updates with the Summary Screen Thankfully, the days of manual updating are long gone. Now it’s simple! To install updates with the Windows SBS Console, click the Updates picture, and then click Go To Updates. This will bring you to the general Updates tab, shown in Figure 1.13. The good news is that updates are exceedingly simple now. So, if you’re ready for it, the steps for updating are as follows: You’re done. That’s right! Windows SBS 2008 updates automatically with all the critical updates. As you can see from Figure 1.13, the updates are automatically updating under the Updates In Progress section. However, you can choose whether to approve or deny updates listed under Optional Updates. If you highlight one of these updates, say Update For Windows Server 2008 x64 Edition (KB955839), you will see the image in Figure 1.14 on the right of your screen. This section is called the Tasks menu. There, you can click the Deploy The Update button or the Decline The Update button. Rocket science, right?
ADDRESSING ALERTS, WARNINGS, AND CONCERNS
Figure 1.13 Updates tab
Figure 1.14 The Tasks menu
17
18
CHAPTER 1 INSTALLING WINDOWS SMALL BUSINESS SERVER 2008
Clicking the Deployment Update button will display a warning or message regarding the update, making you aware of what’s happening. For example, on the update I just selected, I received the message shown in Figure 1.15. This is really handy, because it lets you know that all computers that require this update will now receive it. Next, once you click OK, it will tell you that it will take 4 to 24 hours to deploy the update without bringing your system down. Brilliant! Go ahead and deploy your updates now.
Figure 1.15 Update warning
Security Concerns Next, you need to address any potential security concerns. If you click Security and then go to the Security tab, you will see a summary of your security settings, as shown in Figure 1.16. As you can see, this security center has a problem because my Live OneCare files are out-of-date. So, I can select that problem and then click the Open Windows Live OneCare For Server button on the right, bringing up the screen shown in Figure 1.17. To appease the security center, I need to update Live OneCare and then address the concerns in red — the virus and spyware definitions are not current, and a full OneCare functionality update is needed. Doing this is especially hard — you have to click the Update OneCare button. Tough, eh? This will open the update center for Live OneCare. Once you get to this screen, you have to click Next and then accept the license agreement. Then the server will begin the update process. Believe it or not, this can actually take quite a long time — but there’s a good reason behind that. Namely, Windows Live OneCare is a very advanced firewall system that incorporates antivirus features, spyware controls, and a myriad of other things. Therefore, the definition files are really big. Thankfully, as you’ll see, it’s quite painless, and you can continue doing other administration tasks as you proceed.
Backup To access the backup information, click Backup and then Go To Backup. This will take you to the main Backup tab, which should look something like Figure 1.18. Just as with the other menus, you can configure it by clicking the Configure Server Backup button on the right. This might take a little time to start up, but once it’s done loading data, you will be greeted with a screen where you can select a device to set up your backup choices. Since this varies from computer to computer, I won’t show it here, but once you are there, the process is fairly self-explanatory.
ADDRESSING ALERTS, WARNINGS, AND CONCERNS
Figure 1.16 Security tab
Figure 1.17 Windows Live OneCare information
Figure 1.18 Backup tab
19
20
CHAPTER 1 INSTALLING WINDOWS SMALL BUSINESS SERVER 2008
Other Alerts The last main setup task is to address any extra alerts. By going to the Other Alerts section, as you did with the previous sections, you can observe your server and see its status, as shown in Figure 1.19. As you can see, there is a Critical status flag on OFFICESVR. When this happens, you can click the server and then click the View Computer Alerts button on the right (not visible in the figure). This opens the general alerts window shown in Figure 1.20.
Figure 1.19 Alert status
Figure 1.20 Computer alerts
By selecting each of these alerts, you can diagnose the reason behind them. In my case, I’ve stopped the Dynamic Host Configuration Protocol (DHCP) service and Windows Live OneCare because of updates and networking choices I made behind the scene. I will turn these back on later; therefore, I can dismiss these updates and consider my server initial setup phase complete.
Getting Started Tasks Now, the elephant in the room that you’ve undoubtedly noticed is the Getting Started Tasks screen shown in Figure 1.21. Various chapters in this book will address each of these tasks, but
GETTING STARTED TASKS
let’s start with a general description of how this screen works. First, the Windows SBS Console, as I’ve said before, is the central command center of SBS 2008. Thus, the tasks that it is outlining for you to do here are tasks recommended or required by Microsoft in order to maintain a functioning computer.
Figure 1.21 Getting Started Tasks screen
To use this menu system, you click each of these tasks to open an agenda list, along with the recommended procedures for each task. Because it involves installation, let’s take a look at the Finish Installation tasks. If you followed my path step-by-step, you should see the screen in Figure 1.22 once you start your server. The Installation Issues tasks at hand are creating the network administrator account (which you should not have) and the updates installation (which you may have if you were not connected to the Internet at the time). Regardless, you can see in the figure that there are easy buttons to address the issues, such as How Do I Fix This Issue?
21
22
CHAPTER 1 INSTALLING WINDOWS SMALL BUSINESS SERVER 2008
Figure 1.22 Installation issues
Now, since you’ve already addressed these concerns, you can click the Completed check box next to the View Installation Issues item.
Reviewing Your Installation Once you’ve completed your final installation of SBS 2008, it’s a good idea to go over what you’ve accomplished and check to see whether things are ‘‘in the green.’’ Ideally, on your server you should see your networking essentials summary showing Security, Updates, Backup, and Other Alerts as green.
Installing Twice Believe it or not, whenever I’m faced with a new operating system that I’m unfamiliar with, I plan on installing it twice. I do this because sometimes I’m just not familiar with the process and I make some decisions I regret later. Take, for example, the installation you just did. In this install, you may decide later that you don’t like the naming scheme you chose or that some part of the installation wasn’t exactly what you liked. In the real world, I’ve installed versions of SBS and Standard server alike where I got through the process and said, ‘‘You know, I could have designed this better.’’ And usually, the best bet is to go back to what you did in the beginning, analyze what you did and did not like about it, consider what made you make that decision, and finally see whether you can improve it or want to maintain it.
THE BOTTOM LINE
The Bottom Line Identify the requirements of Windows Small Business Server 2008 Review and memorize the server requirements for SBS 2008. Master It What types of processors can be used to virtualize an install of SBS 2008? Install Windows Small Business Server 2008 Set up and completely install SBS 2008 on a partition of your creation and choosing. Master It Install Windows Small Business Server 2008 so the server can access the Internet, download updates, and show all networking essentials as ‘‘in the green.’’
23
Chapter 2
Setting Up and Utilizing an SBS 2008 Network For seasoned IT professionals and novice computer users alike, the small office network has gone from a once fabled invention of the 1980s to a completely commonplace, if not mandatory, feature of any stable business. Accordingly, Microsoft has taken account of this and implemented many new and advanced networking features in Windows SBS 2008. Namely, Microsoft has tried to make SBS 2008 a central focal point of the entire network, like it should arguably already be. In this chapter, you will learn to ◆ Plan an SBS 2008 network installation ◆ Configure SBS 2008 client computers for networking ◆ Use command-line networking commands ◆ Diagnose small network problems ◆ Implement wireless networking
Understanding SOHO SOHO stands for ‘‘small office/home office,’’ and it’s the primary term used when administrators are discussing small offices or home offices, as well as the primary target market of SBS 2008. However, the term has a few caveats: ◆
The typical SOHO has fewer than 15 members.
◆
SOHOs do not usually include more than one server.
◆
SOHOs do not typically run websites or other servers.
But with that said, it’s important to remember that SBS 2008 isn’t targeted just to the SOHO, but also to medium-sized businesses. A SOHO is usually fewer than 15 people, and SBS supports up to 75 accounts. And with the informal standardization of a ‘‘medium-sized’’ business being any business with more than 50 employees, you can see how the SOHO isn’t a complete picture of what SBS 2008 is capable of. However, it’s certainly a great starting point for the purpose of explaining how SBS 2008 works.
26
CHAPTER 2 SETTING UP AND UTILIZING AN SBS 2008 NETWORK
In Figure 2.1 you can see a simple example of a typical SOHO network. As you can see, from the firewall the traffic on the network is fed to a router, which sends out traffic through a switch. There, behind those three devices, an SBS server sits with PCs in a protected area of the network. In this type of an environment, an SBS server is protected and able to distributed resources to an entire network. More importantly, it can host important features for an SBS 2008 network, such as a DHCP server. But before I discuss that, let’s briefly discuss the components that make up a SOHO network that could be used with SBS 2008.
Figure 2.1 Typical SOHO environment
Firewall
Router
Switch
PC1
PC2
SBS 2008
Routers Routers are devices used to transmit logical packets of information from one Internet Protocol (IP) address to another. Routers by nature are designed to segment networks into logical barriers called subnets. Routers pass information back and forth between each of these subnets. In a constructive diagram called the TCP/IP model, routers fall into the third layer of this diagram, called the Network layer. This is because in the Network layer, all segmentation is done logically through specialized hardware and processors designed to process traffic. Behind each router in a network, other network devices are connected through other network devices, such as switches and hubs, which are discussed in the next section. But once a
PLANNING AN SBS NETWORK
router is put in place, these switches and hubs are collected into a network convention called a broadcast domain, or an area where IP traffic can be sent and received at the Data-Link layer. In effect, traffic within a broadcast domain is transported from Media Access Control (MAC) address to MAC address within a physical connection. But to get outside this small boundary of connected network devices, a router is required. That’s because a router can collect one broadcast domain and connect to another.
Switches Switches are hardware devices that physically segment networks into different collision domains that protect traffic from colliding because of transmissions along the same network path. What actually happens along a network path is that one device with a network interface card (NIC) can connect to another by transmitting a signal. Unfortunately, NICs are actually fairly dumb. They just transmit information and don’t really care about what happens after the process. But unbeknownst to the NIC, the signals it sends out may bump into another signal if they are within the same collision domain. Collision domains are just network areas that share the same signals without a device to break them up. And that’s where switches show up. Simply put, switches are devices that separate traffic.
Servers Although routers and switches are important to a SOHO or medium-sized business network, this book concentrates on server implementation, not network administration. Accordingly, you need to understand the roles that servers play in the network. Within a network, servers can be routers themselves, assign addresses, and administer network resources such as printers and fax machines. But before getting into the specific roles they govern, you need to understand a little bit about how to plan for a network as a whole.
Planning an SBS Network SBS 2008 has two different types of network addresses available to system administrators: IPv4 and IPv6. As of the publication of this book, IPv4 is still the uniform standard of the Internet as a whole; IPv6 has only begun to be implemented by governmental organizations, such as the Department of Defense. Thus, this book will mostly concentrate on IPv4 and its conventions. In particular, IPv4 has three different methods of being addressed using known addressing techniques.
Addressing Techniques IPv4 uses three types of IP addressing techniques: APIPA, static, and dynamic (DHCP). With Server 2008 (and especially Small Business Server 2008), 99.9 percent of the time you’ll be dealing with dynamic addressing, and thus I’ll spend most of this section and the ‘‘Dynamic Host Configuration Protocol’’ section discussing dynamic addressing; however, I’ll briefly cover static addressing and APIPA as well.
APIPA Automatic Private IP Addressing (APIPA) is a Windows default mechanism for assigning IP addresses when a DHCP server is unreachable. This means, no matter what the situation,
27
28
CHAPTER 2 SETTING UP AND UTILIZING AN SBS 2008 NETWORK
machines running Windows will always have a logical address available to them within the 169.254.X.X range. If you ever see an IP address like this within your SBS 2008 network, it usually means that either there is a problem reaching the server or the network card is not properly set up. Normally, when you’re running some of the more well-known Windows configuration commands (which you’ll learn more about in the ‘‘Using the Command Line with Network Administration’’ section), you’ll often see an IP address like 169.254.0.1. This means that the computer is unable to communicate with a DHCP server or has not had an address assigned. In this case, you would either try to get the client with the APIPA address to refresh its dynamically assigned address through the use of command-line utilities or GUI interfaces associated with the drivers for the network card or manually assign it an address that is not an APIPA or reserved address. Nine times out of ten, this means opening the network card configuration in SBS 2008 (or whichever machine, normally something like a client, has the APIPA address) and then resolving the issue by running through some simple configuration to make sure the card is set up properly. Now, if the computers using APIPA are all client computers that communicate only with each other within the same broadcast domain, you can use APIPA for peer-to-peer communications without any problems. If the clients must talk to servers on different subnets or the Internet, a static or DHCP assignment will be required.
Static Static, or manual, addressing is the process of manually assigning an IP address to a machine based on a design created by an individual engineer or administrator. If network engineers could have their way, chances are that all IP addresses would be static. Unfortunately, in the modern day, that simply isn’t practical because of the sheer number of addresses that have to be assigned.
Dynamic Dynamic addressing is a technique that takes advantage of the Dynamic Host Control Protocol (DHCP) role that can be added to SBS Server 2008. DHCP automatically assigns addresses to requesting client machines through a predetermined pool within your DHCP server defined by the administrator. At the enterprise level, this is normally the most heavily used and implemented standard because of the ease, flexibility, and relatively equal efficiency of its addressing methods. Later in this chapter, in the section ‘‘Dynamic Host Configuration Protocol,’’ I will discuss how to set up DHCP pools.
Choosing an Address Range When designing a network, the first step is to establish precisely how big the network will be. This can vary wildly based on budget, number of users, addressing conventions (IPv4 or IPv6), and expectations of growth. With SBS 2008, chances are that the network will not grow beyond 75 users, so that makes the process much easier.
IPv4 Address Ranges IPv4 uses a set of four octets to create an individual, but not necessarily unique, logical address that can be used for the purposes of routing packets across networks. This configuration is then further defined by a subnet mask, which partitions the address into different subnets for the
PLANNING AN SBS NETWORK
purpose of sending and receiving broadcast traffic. At the top level, IP addresses are divided into five different classes that use a certain amount of bits in the subnet mask for the network portion of the network, and a certain amount of bits for the various hosts. It’s rare to discover a network administrator who uses all five classes of IPv4 addresses, however. For the most part, you’ll be concerned with three class levels of IP addresses: Class A, Class B, and Class C, as described in Table 2.1. Each of these addressing classes has its own strengths and weaknesses, in that they can assign only a certain number of IP addresses based on the number of available host bits in the subnet mask. For the purpose of SBS 2008, I won’t be diving too deeply into network design, but it’s important to understand the number of addresses that a network class can support. However, because of the limited number of users supported by SBS 2008, this chapter will be covering only Class C addresses.
Table 2.1:
Available IPv4 Addresses
Address Classes
Number of Network Bits
Number of Available Host Bits
Maximum Number of Hosts
Class A
8
24
16,777,215
Class B
16
16
65,534
Class C
24
8
254
Each of these classes of networks is assigned certain ranges that will be predefined for your network design. Your address class will fall into one of the ranges shown in Table 2.2. That is, unless it falls into a list of ‘‘reserved addresses’’ that are reserved for special purposes, such as the localhost address, which is responsible for identifying the computer as itself. Telling a computer to go to localhost basically means ‘‘go to yourself.’’ Table 2.3 summarizes these reserved addresses.
Table 2.2:
IPv4 Class Ranges
Address Class
Network Range
A
1.0.0.0 to 126.255.255.255
B
128.0.0.0 to 191.255.255.255
C
192.0.0.0 to 223.255.255.255
IPv6 Address Ranges Unlike its younger brother, IPv4, IPv6 no longer uses address classes. Instead, it uses prefixes that are subdivided by geographic locations around the world. Within those regions, the addresses are then subdivided more and more until they get down to the individual level. In effect, this removes the need for the old fallout of the IPv4 addressing system, Network Address Translation (NAT). By design, IPv6 allows for every individual computer to
29
30
CHAPTER 2 SETTING UP AND UTILIZING AN SBS 2008 NETWORK
theoretically have both a unique MAC address and a unique logical IP address, simply because so many addresses are available. Unlike IPv4, IPv6 uses eight quartets, making for a total of 128 bits worth of available addressing space.
Table 2.3:
IPv4 Reserved Addresses
Address Class
Network Range
Localhost
127.0.0.1
Reserved private address
10.0.0.0 to 255.255.0.0
Public data networks
14.0.0.0 to 255.255.0.0
Private network
172.16.0.0 to 255.128.0.0
Private network
192.168.0.0 to 255.255.0.0
IPv6 to IPv4 relay
192.168.0.0 to 255.255.0.0
Broadcast
255.255.255.255
Link-local (APIPA)
169.254.0.0 to 255.255.0.0
Anatomy of IPv6 Believe it or not, IPv6 addresses are beautiful because of their absolute simplicity. When dealing with an IPv4 address, there can be a lot of confusion. What part of the address belongs to the Internet service provider? Where is the subnet portion of the address? Better yet, where is the host? In IPv6, these are no longer concerns. All IPv6 addresses can be broken down into two distinct portions, which can further be subdivided to a point that just about every portion of the address is accounted for. On the base level, IPv6 addresses are broken into two 64-bit portions, the network portion and the host portion, or the interface ID. Visually, the address looks like this:
Network Portion
Host Portion
It’s easy to explain the second portion of the address. It’s just the host portion of the network. In more technical terms, the 65th to the 128th bit of the address is completely dedicated to assigning the address to your hosts. That’s a lot of hosts! It’s more, in fact, than even some of the largest enterprises on the planet would ever use. However, when the IEEE engineers designed IPv6, they didn’t want to run into a situation where anyone would ever have to worry about having ‘‘enough’’ host addresses again. I think it’s safe to say they’ve succeeded. In fact, 264 is such a large number that if you were to take that many pennies and stack them up one after another, you’d be able to reach Mars more than 300,000 times. Or, if
PLANNING AN SBS NETWORK
you’d like to think of it more in Microsoft terms, you’d be able to have 230,584,300 times the amount of money of Bill Gates (when he was worth $80 billion). The first portion of an IPv6 address, called the address prefix, is a little bit more complicated, but not too much so. To begin, one of the real issues that IPv6 was meant to fix was to give service providers their own reserved section of the IP address that would identify whatever service provider was issuing the address. Accordingly, the IEEE engineers assigned the first 48 bits of the prefix portion of the address to the service provider. Then, with the remaining 16 bits, they allocated a portion to be used for subnet addressing. You can see another visual interpretation of this here:
48 bit ISP Portion
16 bit Subnet Portion
64 bit Host Portion
The main reason that only 16 bits have been assigned to the subnet portion is actually pretty reasonable. After all, how often do you run across an organization that will need more than 65,536 subnets? The answer is not very often. And thus, only a small portion of the overall 128 bits is assigned. In just a moment, I’ll go over how subnetting this portion of the address is slightly different than it was with IPv4. But for the moment, let’s take a step back and talk about those first 48 bits before the 16 bits of the subnet portion. Three organizations take a bite out of the first 48 bits of an IPv6 address: ◆
Internet Corporation for Assigned Names and Numbers (ICANN)
◆
Regional Internet Registry (RIR)
◆
Your Internet service provider (ISP)
Thankfully, the exact scope of the importance of these organizations is outside the objectives of this book. Suffice to say, the Internet address prefix goes through three filters — from ICANN to RIR to ISP — that more and more uniquely define the coverage area of these addresses.
IPv6 Address Types Another big change that comes with IPv6 is the complete and total removal of the concept of a broadcast address. And if you ask most busy administrators, that’s a good thing. Instead, IPv6 has replaced the need for broadcast addresses with the concept of multicast addressing. The word multicast is getting a little ahead of myself, but I’ll start by defining the three different types of addresses that are available in IPv6: Unicast A unicast address is assigned to a particular host so that host, and only that one particular host, can send and receive data. It’s equivalent to saying ‘‘you and only you are identified as this.’’ Multicast A multicast address is effectively a grouping of addresses for sending and receiving information to that group. So, if you wanted to send a broadcast of information, you could send it to a particular multicast group. Anycast The name is a bit confusing, but an anycast address is similar to a multicast address in that the anycast address isn’t sent to a particular group of addresses, but only the address
31
32
CHAPTER 2 SETTING UP AND UTILIZING AN SBS 2008 NETWORK
‘‘nearest’’ to it. So, instead of sending it to every member of the group, it sends it to a particularly near member of that group.
Dynamic Host Configuration Protocol Earlier, in the ‘‘Addressing Techniques’’ section, one of the methods of addressing a given network was listed as dynamic. In computer science, the word dynamic has a very specific definition that applies through all computing, including small network design. When I say a piece of data is dynamic, this inherently means that it isn’t defined to a set allocation of data. In other words, the given variable of data can switch values all the time. In the case of SBS networking, this is of concern when you use a technique called Dynamic Host Configuration Protocol (DHCP). DHCP is a method of automatically addressing networks on the fly through a set of predefined definitions on either a server or a router. This saves time for the administrator, because instead of having to manually assign addresses one at a time, the administrator can instead just implement DHCP. But of course, this requires a little prerequisite knowledge. Namely, you need to understand the DHCP process and how it’s implemented within SBS 2008.
DHCP Process A handy method for remembering how the DHCP process works is to remember the acronym DORA. This stands for ‘‘discover, offer, request, and acknowledge’’ and happens to be the method used by DHCP to create a new IP address. Let’s go over those steps now:
1. Discover. During this process, a user connects a device capable of receiving an IP address, and the device sends out a broadcast called DHCPDISCOVER. This broadcast is sent to any local computers and is recognized by the DHCP server.
2. Offer. After the DHCP receives the DHCPDISCOVER packet, it responds with an offer of an IP address, called a DHCPOFFER.
3. Request. The client device then requests the IP address it desires (usually the offered IP address) with a DHCPREQUEST.
4. Acknowledge. The client acknowledges the receipt of an IP address with a DHCPACK (acknowledge) or DHCPNAK (not acknowledged), which starts the process over again. The process is fairly simple to understand and makes a lot of sense when you think about it. Of course, when you look into anything with computers, it can get a lot more complicated. But thankfully, for the purposes of a small business, it’s not really necessary to understand every aspect of DHCP servers; however, I will review some key elements of them in the following section.
DHCP Elements Although you don’t need to understand every single part of DHCP, you do want to be familiar with three very important points to be an effective SBS 2008 administrator: scopes, pools, and leases.
DYNAMIC HOST CONFIGURATION PROTOCOL
Scopes A DHCP scope is a range of IP addresses available for assignment. Although it’s not really required to be an effective SBS administrator, you should know that Windows SBS 2008 usually assigns the scope of a Class C address range, such as 192.168.1.1 to 192.168.1.254. But what you should take to the bank and keep in your memory is that a DHCP scope is a range of contiguous IP addresses available to a DHCP server. However, it doesn’t necessarily mean they are available to be addressed. You can think of it like a landlord in an apartment community. She may own only a block of the houses, but she lives within the scope of the entire complex.
Pools A pool, on the other hand, is a true list of available addresses. For instance, your scope may be 192.168.1.3 to 192.168.1.254, but you may have only three IP addresses available: ◆
192.168.1.5
◆
192.168.1.203
◆
192.168.1.205
Accordingly, whenever a client asks for an address, the DHCP server will consult its pool and issue addresses only from its remaining resources — in this case, either .5, .203, or .205. Eventually, when a DHCP server runs out of addresses in its DHCP pool, it will display a message saying it is out of DHCP addresses and then refuse to give any more addresses to connecting clients.
Leases A DHCP lease is pretty easy to explain because it’s just the length of time a device is given an IP address. Once a machine is issued an IP address from the DHCP pool, that address is removed from the pool and then ‘‘leased’’ to a network device for a period of time set in the server. DHCP clients will automatically attempt to renew leases before they expire.
DHCP Server Conflicts One somewhat humorous situation we deal with at the small-to-medium business level is that sometimes there are just too many darn DHCP servers! In case you weren’t aware of it, most SOHO routers like to be their own DHCP server, and in a Windows network, that really isn’t such a good idea. In fact, Windows SBS 2008 almost demands to be the DHCP server. If it’s not, strange issues can arise, such as whether a computer has access to log on to the server or whether the SBS realizes that a computer even exists.
Simplifying the User Experience A near guarantee for business owners and administrators of SBS 2008 is that you are probably going to run into what we in the industry refer to as DOs, or dumb operators. Although the name is more mean than it is funny, DOs can be very frustrating and quite true. When it comes to technology, users want the experience to be as painless as possible. For us IT people, we can usually think of it like you treat your car. At the end of the day, you just want your car to get you to work and operate the way you want. Anything else is just a serious pain.
33
34
CHAPTER 2 SETTING UP AND UTILIZING AN SBS 2008 NETWORK
Accordingly, when you’re designing your network and implementing your DHCP server, try to keep in mind that the simplest solution for the user is usually the best solution, even if it isn’t the most elegant. This applies to IP addressing conventions, wireless decisions, and security policies. For instance, on network policies, your goal should be the following: ◆
Get the user online.
◆
Make it easy for a user to understand how to navigate to resources.
When I work for small businesses, they usually don’t want to go through the effort of making DNS entries for all their network devices, such as a printer, a server, or an individual computer. So, I make the addresses easy to remember. For instance, if you’re using a 10.0.1.X convention in your addressing scheme, make 10.0.1.100 your server. This way, it’s easy to remember. Although you’re at it, you can make 10.0.1.200 your main printer. Even the least technical user can remember that. This is a lot less technical than it is practical, but sometimes that’s harder for business owners or IT personnel to understand. The ‘‘best’’ solution often isn’t the easiest solution for the user. And although it might be best to have all addresses be static, all permissions be explicit, and so forth, more often than not it’s a good idea in a small business to just make the most simple solution the right solution. Just something you can take to heart.
Expanding an SBS 2008 Network Believe it or not, the moment you install SBS 2008, you have begun to grow your SBS 2008 network. And that’s because, if you reference Figure 2.1, SBS 2008 serves as the pinnacle point of focus for all your network resources, such as printers, computer, and user accounts. But at the end of the day, what really makes an SBS 2008 network grow is the addition of the most important element of any network — computers! To add a computer to your server in SBS, you first need to click the Network tab in the Windows SBS Console and then click the button on the right that says Connect Computers To Your Network, as shown in Figure 2.2. Once you do this, the SBS 2008 Console Wizard will open with a screen telling you that you have to add users to your account before you add computers for the respective users. That seems a little backward, doesn’t it? Well, yes, it is backward in a way. But in another way it makes complete sense. Consider for a moment that in order to use a computer, there has to be a user who does so, right? With SBS 2008, Windows likes for you to first make a user account and then have this account be assigned a computer. The concept is that an individual user needs to be bound to a machine. This alleviates a lot of the burden of users roaming about the network and logging on from one machine to another. So, before I talk about how to add a computer, I’ll talk a little bit about how to add a user account.
Adding a New User Account Later, in Chapter 6 on Active Directory users and security groups, I’ll dive a lot more deeply into user accounts and their respective properties. But for the moment, I’m going to show you how to add a simple user account so you can add a computer. First, you’ll need to click the Users And Groups tab in the Windows SBS Console. Then, you need to hit the Add A New User Account button in the box on the right of the console.
EXPANDING AN SBS 2008 NETWORK
Figure 2.2 Network tab
Once you click that button, SBS will open the Add A New User Account screen. For the most part, this screen is fairly simple. You can add users’ first and last names and assign them specific email addresses. In Figure 2.3 I’ve filled out that screen, as well as added a special comment to describe the user. This description of the user can be referenced when digging through Active Directory and trying to figure out account-specific data, such as why the account was created in the first place or whether there is anything noteworthy about the user.
Figure 2.3 Adding a new user with comments
35
36
CHAPTER 2 SETTING UP AND UTILIZING AN SBS 2008 NETWORK
Most notably during the new user account creation, you will be able to choose a role for your new user. By default, you can create a standard user or even a network administrator. And since you need to create a network administrator for this account anyway, you can go ahead and do so by selecting the User Role drop-down list in Figure 2.3 and selecting Network Administrator. The network administrator has the ability to log on to any computer on the network, as well as the ability to make changes to the server or to Active Directory. You should be very careful about whom you give this privilege, because it is capable of doing a lot of damage if its powers fall into the wrong hands. Next you can enter a password, as shown in Figure 2.4. With SBS 2008, passwords must contain eight characters by default and include at least three uppercase or lowercase letters, numbers, or symbols. Additionally, the password cannot contain part of the user’s name.
Figure 2.4 Assigning a password
Again, in Chapter 5 I will go over the process of changing user password policies and even the process of how to use fine-grained password policies so that certain users can be assigned different password strength requirements than others. Once you click the Add User Account button, the account will be created, and a summary progress screen will pass by. Finally, you will see the screen in Figure 2.5, informing you that you have successfully created a user account.
Adding Computer Accounts So, you’ve made a user account, and now you need to add a computer to it. In the old days (or at least the ‘‘older’’ days), what we used to do is create an individual computer account and then assign a user account to that computer. Now, it’s a little bit different. With SBS 2008, a computer joins SBS 2008 with a user in one of two ways: web activation or portable content.
EXPANDING AN SBS 2008 NETWORK
Figure 2.5 User account created screen
Web Activation When a computer is added to the same subnet as an SBS 2008 computer (such as a computer behind a router with an SBS 2008 computer), those computers can access the web server through the following URL: http://connect. This command opens the screen you see in Figure 2.6. Note that if you do not have the .NET Framework installed, you will see the image in Figure 2.7 in your web browser. If this happens, just download the .NET framework from Microsoft.
Figure 2.6 Starting the Connect Computer program
You can proceed from Figure 2.6 by clicking the Start Connect Computer Program button. This will open a security warning, where you will need to click the Run button. Unfortunately, this will open a second security warning. If you do not have the .NET Framework 2.0 installed, you’ll see a warning (Figure 2.7) informing you that your computer doesn’t meet the system requirements. You will need to click Run again. You will then see a dialog box asking you to wait as two folders are transferred from one folder to another. Eventually, you will see the Connect Computer screen shown in Figure 2.8.
37
38
CHAPTER 2 SETTING UP AND UTILIZING AN SBS 2008 NETWORK
Figure 2.7 .NET error
Figure 2.8 Connect Computer screen
The two options allow you to set up a computer either as a user or as an administrator. If you select the top choice, Set Up This Computer For Myself, you will be able to set up the computer for your own user account, assuming a computer has been assigned to you through group policy or through permission allowances. The second option, Set Up This Computer For Other Users, allows an administrator to set up a computer for a user. Since this is a mastering-level book, I will assume you are an administrator, so select the second option. At this point, the utility will run a configuration tool. Usually, you will see the verification screen shown in Figure 2.9. If you don’t see this, there will be an error screen that informs you of any problems that may exist in the network. Regardless, you will have to click Next.
EXPANDING AN SBS 2008 NETWORK
Figure 2.9 Connect Computer requirements screen
On the next screen, the Connect Computer program will ask for the network administrator account and password, and you’ll need to enter them. On the next screen, you’ll have to name your computer. In my case, as you can see in Figure 2.10, I’ve named the computer Desktop_1. You can then click Next.
Figure 2.10 Connect Computer name screen
39
40
CHAPTER 2 SETTING UP AND UTILIZING AN SBS 2008 NETWORK
Next, you’ll be able to assign users in the Assign Users To This Computer section. Click the users you’d like to add on the left, and then click the Add button. It should look like what you see in Figure 2.11. You can then click Next.
Figure 2.11 Assigning users to computers
The next screen you’ll see is the optional existing data screen shown in Figure 2.12. The purpose of this screen is to allow administrators an easy way to transition previously existing computers with user data and accounts onto a server. This screen allows you to match the SBS user account with a local user account and copy all the data to the new SBS user settings. It’s really handy if you have a computer with a lot of preexisting user data and preferences. However, you can just click Next to skip it and leave None selected if you’d like. On the Assign Level Of Computer Access For Users Of Windows SBS screen, you can assign permission levels for users on the local account. In my experience, it’s handy to keep them as local administrators (so they can install programs and add features). I’ve done this in Figure 2.13. You can click Next after you’ve made the decision. Last, you’ll need to confirm your settings on the Confirm User Data And Settings Selection screen you see in Figure 2.14. Then, you’ll click Next, and the computer will be assigned. On the next screen, click Restart. This will then open the progress bar screen, which will go through several steps as the machine is attached. If there is an error, the check marks will turn a very distinct red. Once this is completed, you’ll see a simple ‘‘complete’’ notification. The computer is now connected to the domain controller.
Portable Content Alternatively, SBS 2008 can create a deployment package that can be dispersed by a USB drive, CD, or mapped network drive (if the network has been predefined). Using this method, users take the deployment package for the server and bring it to the individual computer to be added.
EXPANDING AN SBS 2008 NETWORK
Figure 2.12 Moving existing user data
Figure 2.13 Assigning access levels
41
42
CHAPTER 2 SETTING UP AND UTILIZING AN SBS 2008 NETWORK
Figure 2.14 Summary screen
In Figure 2.15, you can see how SBS 2008 tells you how to use either of these methods. Should you decide to click Access The Program Through A Web Browser (Recommended), SBS 2008 will open the instructions to do so, as shown in Figure 2.16.
Figure 2.15 Computer account activation methods
EXPANDING AN SBS 2008 NETWORK
Figure 2.16 Web browser activation method
Alternatively, you can choose the portable content method, which will ask for a location somewhere on the server. Keep in mind that the portable content method uses the Windows standard architectural method to choose a location. This means that, in effect, the deployment package is just an executable file that can be placed anywhere a server would like. You can decide where you want by clicking the Browse button in Figure 2.17.
Figure 2.17 Location-based deployment Browse button
43
44
CHAPTER 2 SETTING UP AND UTILIZING AN SBS 2008 NETWORK
The obvious advantage of the web deployment method is that it is very easy, quick, and efficient to implement. However, the portable deployment method has its own advantage in that you can deploy this software to a computer that hasn’t yet been connected to the Internet. Granted, you’d want a computer to be connected to the subnet and theoretically attached to the Internet so you can actually, well, connect to the server. But sometimes network issues or other security concerns make you want to use some type of portable media. It’s ultimately up to your personal preferences or that of your business.
Manually Joining the SBS Network More often than not, I sometimes like to join a Windows XP, Vista, or 7 computer to a domain controller or SBS the old-fashioned way. This is done by right-clicking Computer or My Computer (depending on your version of Windows), going to Properties, and then navigating to the computer name. On Windows Vista/7, you will have to first click the Advanced System Settings button, but this is automatically done for you with Windows XP. Regardless of which version of Windows you use, once you click the Change button on the Computer Name tab, you’ll see a configuration similar to what you see in Figure 2.18. Type the name of your domain, and click OK. Afterward, it will ask you for a name and password. Since SBS 2008 we’ve moved past this method a bit, but it still works, even if it’s the way that old-timers do it. And it’s always nice to know the old tricks.
Figure 2.18 Computer name/domain changes
DNS Logins and Associated Problems To properly use SBS 2008 as a domain controller, you need to make sure that your computers have the domain controller set as their primary DNS. If this is not set, it can cause strange connectivity issues that can cause connections of up to one hour on logons (as hard as that may be to believe). If you ever see strange logon issues after first joining a computer to the domain controller, make sure and look for that before anything else.
USING THE COMMAND LINE WITH NETWORK ADMINISTRATION
Using the Command Line with Network Administration Arguably the handiest tool in the network administrator or server administrator’s pocket is the Windows command line. Originating in the early editions of the Microsoft Disk Operating System (DOS), the command line can be a quick and powerful way to administer your network. Specifically, for SBS 2008, you need to be familiar with four command-line tools: ◆
IPconfig
◆
Ping
◆
Pathping
◆
nslookup
In this section of the chapter, I’ll review each of these tools one at a time.
IPconfig IPconfig (short for Internet Protocol configuration) is a command-line tool that outputs the current Transmission Control Protocol/Internet Protocol (TCP/IP) information for your network interface. Using IPconfig, an administrator can easily see whether a client has obtained an IP address, whether they have a default gateway, and more advanced information, such as what server they’re using for their DNS. Table 2.4, which is available in a longer format at technet.microsoft.com, lists some of the more common switches associated with IPconfig.
Table 2.4:
Common IPconfig Switches
Switch
Result
/all
Shows all available TCP/IP information
/renew
Renews a DHCP address
/release
Releases a DHCP address
/flushdns
Clears DNS information
Ping Ping is a command that uses the Internet Control Message Protocol (ICMP) to send a packet of information that can be received by another computer and then returned with certain information, such as the length of time it took to be received and returned. Because Ping is fairly self-explanatory and most of you are already administrators, I’ve just included a screenshot of Ping in Figure 2.19. You’ll find it a really useful tool for determining whether computers and devices are attached to an SBS device.
Pathping Pathping is another command that uses ICMP to send out a packet of information that can be received by another computer. The difference is that Pathping provides you the router
45
46
CHAPTER 2 SETTING UP AND UTILIZING AN SBS 2008 NETWORK
information associated with the ping that was sent. This is very useful for determining connectivity between two devices and figuring out how ICMP gets to its destination.
Figure 2.19 Ping
nslookup Quite possibly my favorite tool, nslookup is a diagnostic command you can use to look up the IP address of a website (such as www.google.com). Using nslookup, you can simply type nslookup and then the name of an IP address you desire, and it will tell you its numeric IP address. Figure 2.20 shows the output for nslookup. It can be a little more complicated in that there are authoritative and nonauthoritative responses, but in general at this level it’s a handy tool because it lets you know where something ‘‘really is’’ on the Internet. In essence, an authoritative response is a response given from an authorized DNS server recognized by either your ISP or your computer. A nonauthoritative response is from any server running DNS services for one reason or another.
Figure 2.20 nslookup
Diagnosing Network Problems You can almost be guaranteed that, for the majority of your time as a system administrator of an SBS network, there are going to be some pretty commonly recurring problems, including connectivity, dropped connections, and server availability. Thus, I’ll cover some of the
DIAGNOSING NETWORK PROBLEMS
most common issues you’ll see as an SBS administrator and describe what you can do to troubleshoot them.
Connectivity Issues In case you’re new to IT, get used to hearing the following words: ‘‘I can’t connect to the Internet!’’ I think in my life I’ve probably heard those words 10,000 times. Perhaps more. But in any event, network connectivity issues usually boil down to three issues: ◆
The physical connection
◆
A network device issue
◆
The ISP
Physical Connections Physical connectivity problems exist when a user is having trouble connecting to devices across the network because of problems directly involved with hardware. Some of the common causes of this are network cables being improperly plugged in, network cards that have slipped out of their slots, bad cables, faulty network connections such as a bad switch or router, or something affecting the path of the physical electricity being sent out of the two computers, conflicting along the way. Most of the time, a physical problem can be diagnosed by tracing the connective lines of a user’s network connection and determining whether they’re up and running. Is the network cable plugged in? Are there any obvious errors? Some of the more common signs of a physical connection problems include, but aren’t limited to, the following: ◆
The network adapter warning that a cable is unplugged
◆
A device not showing up in the Hardware Manager (accessed in Windows XP by right-clicking My Computer, selecting Properties, and then clicking Hardware; in Windows Vista/7 it’s accessed by right-clicking Computer, selecting Properties, and then selecting Device Manager)
◆
The link lights on the back of computers not lighting up when a network cable is plugged in
In reality, these sorts of connection problems are pretty easy to diagnose. But they play a big factor in small businesses. This is because most small businesses aren’t perfectly wired, nor do they spend a lot of time and money to make sure that they use the best cable types or the recommended specification. That is because small businesses aren’t trying to stay small businesses. They’re trying to grow! So, as a small business owner or IT consultant/administrator, you’re going to run into this problem a lot.
Network Devices In a way, this goes back to the lack of availability of extremely high-performance hardware, but a good share of the reason that SBS users experience periodic outages is because of less than professional hardware. Most, if not nearly all, small businesses operate on something like a Linksys or Netgear router. And although they’re perfectly good devices, they simply aren’t designed to handle constant traffic from up to 75 users.
47
48
CHAPTER 2 SETTING UP AND UTILIZING AN SBS 2008 NETWORK
When I first started in IT, I was working for a small company that went through a move. This was a really good thing, because we were moving up in the world and to a larger business. But the problem was that when the move occurred, we didn’t plan our IT infrastructure thoroughly, and no one was able to access the Internet, simply because we weren’t using high-end network hardware. So, if a network problem exists throughout the entirety of your infrastructure, follow the most basic procedures first:
1. Check to see whether the ISP is working (reference the next section, ‘‘ISP Issues’’). 2. Check whether all your network devices are operating. 3. Ensure proper connections. 4. Begin using command-line tools to observe the problem.
ISP Issues Unlike medium to large-scale businesses, a lot of small businesses rely on technologies such as these: ◆
Asynchronous digital subscriber line (ADSL)
◆
Cable modems
◆
Satellite
◆
Fiber connections (Verizon FIOS)
Although these are strong connections, they are not backed up by the same guaranteed uptime connections as higher-end bandwidth devices, such as a T subscriber line or an optical carrier. Accordingly, you should always check with your Internet service provider when working in a small business to see whether there are any issues on their end.
Implementing Wireless Networking It has been more than 10 years, and wireless is still a buzzword within IT. No matter what field or industry you’re in within IT, just about everybody wants to see a new computer detached from wires and operating at the amazing speeds to which we have become accustomed. And the truth is, we’re starting to get close. As of 2009, the 802.11n draft of wireless networking provides home router speeds of up to 600Mbps between the device and a router, which is blazingly fast by any standard. And apart from 802.11n, we have access to several other IEEE communication technologies. But before I get to all that, I need to lay down some ground rules for wireless networks so you can understand the limitations they have in terms of SBS 2008 and general Windows servers.
Limitations of Wireless It goes without saying that wireless is and will always be inherently slower than a wire. And that’s mostly because it’s just easier to transmit over a physical wire than it is over radio waves. But other than the obvious, you need to understand the following: Client computers cannot connect to a domain controller over wireless without extensive modification to Group Policy Unfortunately, this is a real drag. No matter what, unless you
IMPLEMENTING WIRELESS NETWORKING
have an intimate understanding of Group Policy, you cannot connect to a Windows domain controller. The reason for this is a little unclear, but it’s probably because wireless is inherently less secure than a wire. Furthermore, a domain controller also requires an incredibly clear signal to connect. Little to the user’s knowledge, behind the scenes, when a user joins a domain controller, there is a ton going on. Wireless networks are designed to be supplemental network access Don’t plan on a wireless network as your central point of Internet access. Not only is it inherently insecure, but it’s also just a plain bad idea. Wireless signals can become lost, latency can become a concern, and the administrative overhead of dealing with all of your users’ problems can become quite taxing. SBS 2008 resources can be compromised over a wireless network if careful attention to security is not met Unfortunately, this is quite true. As much as it may sound convenient to attach a wireless network, you have to keep in mind that attaching a wireless network inherently creates a security concern for your SBS 2008 server if you don’t pay careful attention to the security implementation. You must have a wireless router This sounds obvious, but just to be clear, SBS 2008 can’t do wireless routing by itself. You must have a supported wireless device from a manufacturer such as Linksys, D-Link, Cisco, or another vendor. Wireless networks are subject to interference Handsets, baby monitors, cordless phones, and other devices are the bane of wireless networks. Unlike other wireless technologies such as Bluetooth, Wi-Fi doesn’t have quite the flexibility to ‘‘hop’’ around frequencies. This means that you have to be prepared for wireless issues.
Wireless Speeds and Frequencies The standards of wireless speeds are controlled through the IEEE by the 802.11 standard. As of now, this standard breaks down to parts a, b, g, and n. Each of the wireless standards then breaks down into different supported speeds and different associated frequencies, summarized in Table 2.5.
Table 2.5:
Wireless Speeds and Frequencies
Wireless Specification
Frequency
Modulation
Transfer Rate
Range
802.11b
2.4GHz
CCK, DSSS
Up to 11Mbps
Up to 100m
802.11g
2.4GHz
OFDM
Up to 54Mbps
Up to 100m
802.11a
5GHz
OFDM
Up to 54Mbps
Up to 100m
802.11n (draft)
2.4GHz/5GHz
MIMO
Up to 100Mbps
Up to 200m
To most SBS users, what’s important is the information in the first and fourth columns, the specification and the transfer rate. But in addition to that, I’ve also included the type of frequency modulation the technology uses, as well as the range of frequencies. On top of frequencies, wireless networks are also subject to transmission channels. Since this book is for SBS administrators, not network administrators, I’ll keep the discussion of the
49
50
CHAPTER 2 SETTING UP AND UTILIZING AN SBS 2008 NETWORK
subject brief. Wireless routers can broadcast upon 11 channels in the United States within the frequency spectrum they use, in the 2.4GHz range. And in order to maintain separation from other wireless networks, you need to be separated from those networks by at least six channels. With Windows clients, such as Windows XP, Windows Vista, and Windows 7, you can look around your local network and see the channel that nearby wireless networks from other homes and businesses are transmitting upon. You can then separate from these by selecting a transmission channel apart from theirs. Figure 2.21 should explain this further.
Figure 2.21
Signal Level
“Normal” Power and Antenna Placement
Transmission channels Channel 1
Channel 6
Channel Overlap
Channel 11 Overpower or Improper Antenna Placement
Frequency 2412 2417 2422 2427 2432 2437 2442 2447 2452 2457 2462 2467 2472 2477 Megahertz 2400 1 2 3 4 5 6 7 8 9 10 11 12 13 Usable in the United States Usable in Most Other Countries
Wireless Security In case you hadn’t picked up on it in the previous sections, nothing is more important in a wireless network than these three words: security, security, security! A wireless network without security is just asking for trouble. Certain features that you may set up with SBS 2008, such as an FTP server, mapped drives, or other neat tools I will discuss in later chapters, practically issue a written invitation for a malicious hacker to sign on to your network and steal your critical business data. Accordingly, you need to be familiar with the types of security available to you.
WEP Wired Equivalent Privacy (WEP) is the ‘‘bottom rung’’ of security choices for a wireless network. Normally WEP wouldn’t even be considered, but I include it here because sometimes the unknowing administrator may choose to add WEP and think their network is secure. However, it is most certainly not! WEP uses a 64- or 128-bit hexadecimal shared key that I could crack in about a minute on a bad day. This said, WEP is better than nothing. So, if you have absolutely no other option, it’s still a semi-viable form of encryption but a very easily compromised one.
WPA-Personal and WPA2-Personal The two big kids on the block with wireless security are WPA-Personal and WPA2-Personal. WPA uses the RC4 encryption algorithm to create an extremely strong encryption that is very difficult to hack. Additionally, it uses the Temporal Key Integrity Protocol (TKIP) to fix the inherent security problems with a standardized key, which WEP does not. The main difference between the two is that WPA uses a weaker encryption than WPA2; however, not all devices support WPA2 because it is much more taxing.
IMPLEMENTING WIRELESS NETWORKING
Oh, How Easy It Is to Be Wicked In case you aren’t convinced of how easy it is to compromise an unsecured network, the following is a real-life scenario that actually happened to me, along with another author (who shall remain nameless, and is not discussed in this scenario). On two separate sides of the nation, both I and the fellow author were logging into our respective Facebook accounts from a local unsecured Starbucks wireless network. Little did we know, but for each of us there was a user logged onto the wireless network and ‘‘sniffing’’ passwords using a wireless packet sniffer. There, in plain text, were our harmless Facebook passwords for the user to compromise. The two of us, thinking nothing really harmful could come of that, moved on with our lives and didn’t think anything of it — that is, until one morning I was greeted by nine of my friends, asking me if I’d arrived safely from my accident in London. It turned out that, since I’d transmitted a password on a wireless network, the hacker had gotten a hold of it, logged onto Facebook, pretended to be me, and then proceeded to tell friends of mine that I’d been in an accident in London and that I was deathly injured and without money and needed their assistance. Thankfully, for both my friend and me, nothing came of this. But it showed us just how easy it is. On any given unsecured wireless network, when passwords are transmitted, they are transmitted just as you see here:
Password
User
Hacker
51
52
CHAPTER 2 SETTING UP AND UTILIZING AN SBS 2008 NETWORK
They transmit openly and can be received by any user. For a small business, this can be devastating and should be avoided. Any web, FTP, or unsecured password can be picked up instantaneously and then exploited.
The Bottom Line Plan an SBS 2008 network installation Planning an SBS 2008 installation includes the process of deciding upon a subnet, preparing hardware network devices, and planning for expandability. Master It Create a usable Class C subnet with more than 200 available addresses. Configure SBS 2008 client computers for networking Planning an SBS 2008 installation includes the process of deciding upon a subnet, preparing hardware network devices, and planning for expandability. Master It Establish a connection with SBS 2008, and ensure that computers can be added to the network with corresponding user accounts. This means that your network is ready to expand, along with the small business. Use command-line networking commands Using the command line greatly enhances your ability to quickly diagnose technical network issues and expedite your process of troubleshooting network issues. To become an effective administrator, you need to be familiar with these commands. Master It Use network commands to determine your DNS server, ping your DNS server, and trace the route to your server. Diagnose small network problems Even for the most seasoned administrator, small network problems can be a tremendous headache. Knowing how to quickly and easily solve these problems is key to saving you and your company time and effort. Master It Set up a small business network with four different computers, each connected to your network through a switch. Then, take a spare Ethernet cable, cut five of the eight internal wires, and connect one of the computers to it — but don’t pay attention to the IP address or name of the computer. Go back to your SBS server, and determine which computer has been compromised. Implement wireless networking Setting up a wireless network allows you to access network resources from anywhere in your SOHO environment. This is critical to maintaining a readily available and effective small business. Master It Implement WPA2 security on the network with MAC filtering, if it is available. Then go by each of your computers, determine their MAC addresses, and add them to the access list.
Chapter 3
Migrating and ‘‘Upgrading’’ to Small Business Server 2008 As of the publication of this book, less than 5 percent of the small-business world has upgraded from Microsoft Small Business Server 2003 to Microsoft Small Business Server 2008. There are many reasons for this: SBS 2003 still works perfectly well; certain businesses do not need all the features and functions of SBS 2008; and, based on the age-old adage that serves nearly all of systems administration, if not information technology, ‘‘If it ain’t broke, don’t fix it.’’ But if you’ve purchased this book, there is a strong chance either you are a small business looking to upgrade from your current infrastructure or you are an information technology professional interested in understanding how to migrate from one SBS infrastructure to another. The key concept in that sentence is the word migrate. There is no direct way to upgrade from SBS 2003 to SBS 2008, mainly because SBS 2008 uses a 64-bit architecture, rather than a 32-bit infrastructure. Moreover, the Active Directory infrastructure has changed a lot since Windows Server 2003, so overall, the idea of simply migrating to a new server, rather than upgrading, is a sound concept. This way, you won’t have to deal with the annoyance of upgrading to a new version of the operating system and having legacy aspects of the old system bog down the new system. Just imagine what used to happen when people upgraded from Windows 98 and 2000 to Windows XP Professional but on a server level! In this chapter, you will learn to ◆ Set up and plan migration ◆ Create an answer file ◆ Migrate objects
SBS 2008 Limitations Windows Small Business Server 2008 has some fairly significant limitations compared to SBS 2003 that administrators must be aware of before they make the decision to migrate. Some of these limitations can impact an entire network design. Migrating requires a server name change and different IP address This is an unfortunate side effect, but to migrate from SBS 2003 to SBS 2008, your new server must be at a different IP
54
CHAPTER 3 MIGRATING AND ‘‘UPGRADING’’ TO SMALL BUSINESS SERVER 2008
address to communicate with your original server. Additionally, the server has to be given a different server name than the original server. ISA is not supported unless you have SBS 2008 Premium SBS 2003 Premium came with an ISA firewall, so you have to make sure you purchase SBS 2008 Premium to support the ISA firewall. SBS 2008 can support only one network card This is a dramatic change from SBS 2003, where the recommended installation was a design with two network interface cards (NICs), one for the WAN and one for the LAN. If your infrastructure relies upon multiple NICs, SBS 2008 may not be an advisable migration for your company. Migration cannot be undone Once migration is complete, the accounts will truly be migrated from one server to another. This means that if you’re planning on migrating, you need to ‘‘migrate with a purpose.’’ If you haven’t planned carefully, your old organization will be undone, and your new organization will be mostly helpless.
Overview of Migrating from SBS 2003 to SBS 2008 Switching from SBS 2003 to SBS 2008 isn’t a one-step process. It’s actually quite involved. This is so much the case that Microsoft has released a series of articles on how to migrate to SBS 2008 on Microsoft TechNet. You can find them at this location: http://technet.microsoft.com/en-us/library/cc546034.aspx In the articles, Microsoft describes the steps very well:
1. Prepare your source server for migration. 2. Create a migration answer file. 3. Install Windows Small Business Server 2008 in migration mode. 4. Migrate settings and data to the destination server. 5. Delete the old folder redirection Group Policy object. 6. Perform optional post-migration tasks. 7. Run the Windows Small Business Server 2008 Best Practices Analyzer. I’ll go over each of these steps in an abstract way over the next few sections, but keep in mind that you can always reference the Knowledge Base article for the official Microsoft documentation. It’s especially useful because there are so many different server versions that can be migrated to SBS 2008: ◆
Windows Server 2003 Standard
◆
Windows Server 2008 Standard
◆
Windows Small Business Server 2003
◆
Windows Small Business Server 2008 (hardware upgrades)
PREPARING FOR MIGRATION BY CREATING BACKUPS
Preparing for Migration by Creating Backups Since migration with SBS 2008 essentially means removing all Active Directory objects from your previously existing installation of SBS 2003, the process of preparing for migration is as follows:
1. Create a full backup of your current server settings and files. 2. Back up your Exchange Server data. 3. Consider making a ghost image of the current server install. 4. Conduct a test of the installation. There is no way to undo the process of migration once it’s complete, so it goes without saying that the most important thing you can do when preparing for migration is to back up, back up, back up. You can do this using an application such as NTBACKUP, and you can also use third-party applications, such as Norton Ghost. Whenever I’m personally making a backup, I make sure to back up at the following four critical stages.
Stage 1: Backing Up Critical Files Before I begin backing up Windows-specific information, I look through the server to find critical files that are stored on the server. Is there a shared folder I will need to recover? Are there accounting documents stored here? These should all be backed up. At this point in a backup process, I run NTBACKUP to back up NT-specific and Windowsspecific files. This way, I know that at the end of the day, the ‘‘important stuff’’ as far as Active Directory is concerned is backed up. NTBACKUP is pretty easy to use, but just in case you’re unfamiliar with it, you can access NTBACKUP on Windows Small Business Server 2003 by navigating to Start Run and typing ntbackup. This launches the NTBACKUP utility you see in Figure 3.1. You can initially choose to back up or restore files in the wizard mode, and then you can specifically choose what to back up.
Figure 3.1 NTBACKUP
55
56
CHAPTER 3 MIGRATING AND ‘‘UPGRADING’’ TO SMALL BUSINESS SERVER 2008
For this portion of the backup stage with SBS 2003, you should run the Backup utility from Server Management. You can access this tool by navigating to Backup after opening the Server Management console. After the backup agent loads, it should look like you see in Figure 3.2.
Figure 3.2 Backup utility
From this menu, you really only have one option: Configure Backup. Obviously there are a couple other options, like Configure My Documents Redirection and Restore Individual Files, but these are less important than the big green button you can click. Clicking that green Configure Backup button opens a menu that asks where you’d like to back up your local data. The menu system is fairly self-explanatory, but if you look at Figure 3.3, you can see that there is an Exclude Folders button. Pay careful attention to this button. With this button, you can choose to exclude data from a backup. This is really useful if you have a large external or internal array that is multiple terabytes. All you have to do is click the button, then click the Add Folder button, choose either the drive or the folder you’d like to exclude, and finally click OK.
Figure 3.3 Excluding folders
Once this wizard runs, it will back up all your important NT data (such as NTDS.dit and your Active Directory information) and all your server data. Note that unless you click the Backup Now button that appears after you set up the job, the job will not run until the time you set. But clicking this button will open the full-blown Backup Utility window you see
PREPARING FOR MIGRATION BY CREATING BACKUPS
in Figure 3.4. There, you can manually launch the Backup utility and back up all your data immediately.
Figure 3.4 Backup Utility window
Depending on how much data you select and the method you choose in which to store it, the data may take several minutes to several hours to transfer as the Backup tool transfers it from one media to another. But once this is completed, you’ll have some of your most important data backed up into an easily recoverable media format. Next on your list of items to back up is any Microsoft Exchange Server data from your previous server.
Stage 2: Backing Up Exchange Server Data Microsoft Exchange Server gets its own custom step in the process because Exchange Server data is critical to any enterprise, and the loss of it can be devastating. Given that Exchange Server data is usually smaller than the rest of your remaining NT data (if you aren’t in an extremely large infrastructure), you can usually back this data up to a small hard drive or tape backup drive that can be placed off-site. With Small Business Server 2003, Exchange Server data is stored at a custom location based on each install. Most administrators pick an area to store their Exchange Server data that is separate from the rest of the infrastructure. When I do Exchange Server installs, I usually choose to make a folder called Production Exchange where I store two important folders: ◆
Priv
◆
Pub
These two folders contain the Exchange Server public and private databases. In some cases, these folders can get rather large because they contain .edb (Exchange database) files. These Exchange database files, when combined with a few HTML files and other critical components of the Exchange database, can recover Exchange Server in the case of a disaster.
57
58
CHAPTER 3 MIGRATING AND ‘‘UPGRADING’’ TO SMALL BUSINESS SERVER 2008
The way you choose to back up your Exchange Server data is up to you; you have three options: Copying manually Dragging and dropping the Exchange Server Priv and Pub files to an external location. Using NTBACKUP/Backup utility Running the Backup utility again and extracting the data to another location. Running a third-party Exchange Server backup tool I’ve never had any success with third-party Exchange Server backup tools, but some of my colleagues swear that there are some absolutely fantastic system administrator backup tools available for purchase. Keep in mind, however, that these programs tend to be quite expensive (and usually a little difficult to work with). Recovery from Exchange Server usually isn’t that painful if the proper plans have been made. But there is something you need to keep in mind: to import an Exchange database, it must be exactly the same as the Exchange database from the original organization! If the database isn’t named the same, the recovery process will fail. As you can see in Figure 3.5, the default organizational name for Small Business Server 2003 is First Organization.
Figure 3.5 Organizational name
Recovering from Exchange During one of the darkest periods of SuperTeach, its Small Business Server machine experienced a SCSI plane failure that resulted in the loss of the operating system volume, its custom software, and the ability for all users to log in to the server to access shared files. And more important than anything else, the company lost its ability to send and receive emails. For most businesses, sending and receiving emails is the way they make money. Numerous sales, negotiations, and backdoor deals have been sealed through the use of this simple but vital tool. In larger companies, a single hour of lost email connectivity can result in an absolutely devastating loss of productivity. As a case in point, a colleague told me once that he worked for a company that decided to deploy a beta patch to its environment, only to have that beta patch cause a massive failure that resulted in the Exchange Server machines not working for more than two hours. The estimated loss of revenue to the company was more than $200,000 in loss of labor and potentially millions of dollars in loss of receivables, sales, and other revenue. Thus, it behooves us as administrators to have a simple and effective plan of action in place for the loss of an Exchange Server machine.
PREPARING YOUR NETWORK FOR MIGRATION
The process in itself is fairly straightforward:
1. Have a plan of action. 2. Ensure that the plan adheres to the limits of Exchange Server. The plan of action includes the proper maintenance of Exchange Server backups and the careful consideration of data needed in the case of a failure. The limitations include verifying the organizational name in the system manager and understanding the limits of the hardware.
Stage 3: Making an Image Whenever you have the option, it’s always a fantastic decision to create a complete image backup of your current server. In a nutshell, a server image is just an exact bit-by-bit copy of your current installation, placed in the form of a file. Using third-party software, such as Norton Ghost, Acronis, Paragon, or any of the major brands of software, you can make a recoverable installation of your server so that if the migration process doesn’t work, you can easily revert to the way things used to be and not have any unnecessary downtime. When given the choice of whether you should complete this process, the answer should almost always be yes. In the rare cases that the answer is no, one of the following conditions should exist: ◆
You do not have enough space for the image.
◆
The budget for the software is not available.
◆
The data on the server is not critical.
Otherwise, an image creates a simple and stable recovery point that you can refer to in the future, even after a migration.
Stage 4: Conducting a Test This point of the process is much more nebulous and undefined, but suffice to say that whenever you’re able, you should do your best to test the recovery process. If you have made a tape backup, you should try to recover some of the data from the tape. If you’ve copied the data to a hard drive, make sure the data is the same size as the originating data, and so forth. It never hurts to double-check, and if you’re careful, it very well may save you a lot of pain and anguish later as you ask yourself, ‘‘Why didn’t I test this to make sure it works?’’
Preparing Your Network for Migration As you can see from the previous section, preparing your server for migration basically means making sure all your data is backed up, backed up, and, in case you didn’t test it, backed up again. Preparing the network for the change, however, is quite a bit more involved. For one thing, if the SBS 2003 server is set up correctly, the entire topology of the network has to be altered! This is because SBS 2003, in a proper setup, functions as a pass-through for LAN and WAN traffic, whereas SBS 2008 is designed to sit behind a firewall. To get a clearer picture, take a look at Figure 3.6. There, you’ll see that the router connects directly to the SBS 2003 server, where the server functions as a firewall, DHCP server, and
59
60
CHAPTER 3 MIGRATING AND ‘‘UPGRADING’’ TO SMALL BUSINESS SERVER 2008
various other network roles. And it’s only after the server has been exposed to the unfiltered traffic that the data is passed on to the rest of the network.
Figure 3.6
Client PC
SBS 2003 network configuration
Router
Server
Firewall
Printer
Switch
Client PC
With SBS 2008, the SBS server exists on the network, but only behind a firewall and a switch. From a networking perspective, the server exists behind the firewall like any other given client computer. This is a much more secure way of administering your network, because the network is protected by a hardware firewall that is impervious to viruses or corruption. Thankfully, this is convenient, but at the same time, this network topology change is necessary because SBS 2008 supports only one network card. This means that you can’t possibly support the ‘‘old-style’’ infrastructure. You can see a sample of the SBS 2008 network topology style in Figure 3.7.
Figure 3.7
Client PC
SBS 2008 network configuration
Router
Firewall
Server
Switch
Client PC
Printer
PREPARING YOUR NETWORK FOR MIGRATION
So, although the changeover from the old network infrastructure to the new infrastructure may be nice, the process of switching back and forth is actually quite complicated. Thankfully, Microsoft has a very straightforward path that it recommends:
1. Reconfigure DHCP for shorter licenses. 2. Remove the second network card. 3. Reconfigure the network settings. 4. Make any required network hardware changes. 5. Reconfigure remote access. 6. Verify connectivity and DHCP.
Reconfiguring DHCP for Shorter Licenses Assuming your SBS 2003 server is configured as a DHCP server (which is part of the recommended practices), one of the first steps you’ll take when you are rearranging your network topology is to shorten the DHCP lease that SBS 2003 gives to the rest of the network. The main reason for this is that if you are rearranging the network and providing client machines with a new DHCP server, new DNS server, and new default gateway, you’ll need to make sure they receive the proper IP address as soon as possible. Thereafter, once 24 hours have passed and all the machines have the proper IP addresses, you can lengthen the time once again to a longer period. By default, SBS 2003 sets its lease time to eight days — which is quite a long time. For the sake of completeness, set it to eight hours instead. You can accomplish this through the DHCP Management Console in SBS 2003, which you can access by selecting Start Administrative Tools DHCP. Under the Properties menu, you can adjust the Lease Duration setting of your clients to eight hours.
Removing the Second Network Card Since SBS 2008 supports only one NIC, it’s necessary to remove or disable the second NIC. You can do either, and there is a pretty constant debate as to whether it’s a good practice to remove the second NIC or just disable it. Arguments for removing it are that the server can’t use it anyway and that it’s cleaner. Arguments for keeping the NIC are that you won’t have to install it again later if you switch to an operating system that supports multiple NICs and that removing it can sometimes violate server warranties.
Disabling a NIC Disabling a NIC is fairly simple. All you have to do is navigate to Start Control Panel Network Connections, right-click the NIC you’d like to shut down, and select Disable. The network connection will then become gray, and the network connection will be unusable. Note that this does not disable the NIC in hardware. There, it will still be a fully functioning connection that you can bring back to life in the case of a reinstall.
Removing a NIC Removing a NIC is an involved but fairly easy process:
1. Shut down the server. 2. Remove the panel attached to the side of the server.
61
62
CHAPTER 3 MIGRATING AND ‘‘UPGRADING’’ TO SMALL BUSINESS SERVER 2008
3. Navigate to the network card if it is removable. Note that if it is not removable, you will need to either disable the NIC in the BIOS or contact the manufacturer of your server for further instructions.
4. Reboot the computer. 5. Log on with Administrator credentials — you may see an error from the missing network card.
6. Either run the Configure Email And Internet Connection Wizard or manually assign the
computer an IP address through the Network Connections menu (Start Control Panel Network Connections).
In any event, when you remove your NIC, you want your server to be set up in such a way that your computer will be able to use a router as its central gateway and so that it is configured to receive email and web requests at the proper addresses.
Reconfiguring the Network Settings With Windows Server 2008, there are two areas where you need to adjust the network settings so you’ll have a robust and well-designed network that can support expansion, remote access, network ranges for virtual private networks, and access to various network resources from the Internet. The two points where you need to adjust these settings are the firewall and the network range configuration. First you need to examine your firewall.
Firewall Settings To provide external access to SBS 2003 and 2008 resources, you need to open a series of TCP/IP ports to forward over services. Namely, these services are SMTP, HTTP, HTTPS, SharePoint, and optionally Remote Desktop, Remote Web Workplace, File Transfer Protocol, and SSH. On your network firewall, you need to make sure to open the following ports: 21: FTP File Transfer Protocol is used by Windows Server to export and import large files across the network. This is useful for transferring files that cannot fit into a single email, which has limited attachment capabilities. 22: SFTP Secure File Transfer Protocol is similar to FTP, except that it uses RSA encryption to secure the password exchange, which is sent as plain text with traditional FTP. SFTP should not be used in addition to FTP but rather instead of it. 25: SMTP Simple Mail Transfer Protocol is used by Windows Exchange Server to send out and receive email. Without this, external clients won’t be able to send in email. 80: HTTP website.
Hypertext Transfer Protocol is used to allow access through the Internet to your
443: HTTPS Hypertext Transfer Protocol Secure is used for websites combined with Secure Sockets Layer encryption. 444: SharePoint The SharePoint Companyweb intranet site uses this port for external clients to access collaborative work processes. 3389: Remote Desktop Remote Desktop is used to remotely access the server to administer it and fix issues that may occur from a distance.
PREPARING YOUR NETWORK FOR MIGRATION
4125: Remote Web Workplace desktop from the Internet.
Although not required, this allows users to connect to their
Depending on your specific installation, you may want to open or close ports to support your services. In all circumstances, you want to make sure that you only have ports open for the services that you need. The more ports that are open on a server, the more vulnerable that service is. Thankfully, these most common ports are well secured. Also note that these firewall settings are based on you having a hardware firewall, not the Windows software firewall. More often than not, you can open hardware firewall ports and still see these services blocked. One of the most infamous of these services is SQL Server, which is blocked by default in Windows Firewall and requires an exception.
Deciding What Type of Firewall to Put in Place With a Small Business Server environment, the type of hardware firewall that you put in place is very important. In a small business, you usually have a limited budget for information technology, and this mandates that both the server and the firewall have to serve a lot of roles. Usually, firewalls serve three distinct purposes: Firewall They act as a front-facing security device that blocks outside network intrusion. Router Most firewalls come with an internal router placed inside the device, although it’s not usually mentioned in the device information. Switch To this day, I haven’t seen a small-business firewall that didn’t have a switch placed into it. To get just a pure firewall that has one port in and one port out, you usually have to jump up to medium- and large-business hardware. Since the firewall is going to support so many different roles, you need to make sure you choose the right type of firewall. Various brands, such as WatchGuard and Cisco, have several limitations based upon what type of licensing you purchase. High-end firewalls limit the following: Throughput They limit the amount of bandwidth that can pass through the firewall (10/100/1000 speeds). VPN Users hardware.
They limit the number of clients that can authenticate through the firewall in
NAT Some only support one-to-one network address translation (one address in, one address out), and some support one-to-one and dynamic NAT, which allows the forwarding of ports and the actual use of the built-in router. Antivirus/Anti-intrusion Higher-end hardware firewalls can stop intrusions, viruses, and malicious software before it even gets access to your network. This is valuable, because it takes away load from your server. Balancing Some of the most expensive firewalls can support WAN balancing so that two Internet connections can be used in case one goes down. For small businesses using cable, DSL, or fiber, this is an excellent solution.
63
64
CHAPTER 3 MIGRATING AND ‘‘UPGRADING’’ TO SMALL BUSINESS SERVER 2008
Various firewalls at the small-business level can cost between $100 and $10,000, depending on your needs. Usually, a well-equipped firewall will cost somewhere in the $1,500 to $2,000 range. Don’t be fooled into saving money on this aspect of your network. The SBS 2008 software firewall is not sufficient.
Network Addressing Scheme When using SBS 2003, most administrators kept using the default 192.168.1.X networking scheme because it was convenient, easy, and mostly effective. However, by default, SBS 2008 now uses the 192.168.16.X naming convention. This is because the SBS crew figured that most experienced hackers might typically try to connect to the .0, .1, or even .2 subnet. Still, even as an experienced administrator, I was a little confused by this decision, but there are actually two very good reasons for it: ◆
Migrating from SBS 2003 to 2008 requires a different IP address and name on each server. Since you have to move from one IP address to another, it makes sense to change your address range. This means that your former server, which probably used a significant address on your .1 network, such as .1.1 or .1.100, probably occupies a significant digit in the last octet you’d like to keep. Thus, if you change the range your server is in, chances are there won’t be any network conflicts.
◆
Using VPNs can cause problems with the default .1 range. At my local office, we use the 10.0.1.0/255 range. And, unfortunately, we also use same addresses for our VPN users. I say ‘‘unfortunately’’ because these conflict, so I have to restrict the number of DHCP users to 200 so that they use .1 to .200, and then I subnet the rest of the addresses so they can still access all the 10.0.1.0/255 addresses. This is really overcomplicated. Instead, you can use a unique local address range so that VPN clients will be on a complete different subnetwork.
Network and Client Preparation Before you begin the server migration, it’s advisable (if possible) to shut down all client workstations. Doing this ensures that users will be forced to log on once again after the server has rebooted, which serves as a nice litmus test once the server settings have been migrated. Furthermore, on the firewall network, clients, servers, and any external access programs or virtual private networks should be shut down so there are no issues with address reassignment. In an ideal world, just about everything is shut down. Obviously, for some environments this is not possible or practical. Thus, Microsoft recommends that VPNs be shut down as a mandatory action when migrating. As a side note, there are many advantages to using a remote web workplace instead of a VPN. They do not require an additional network connection or additional IP addresses, and they’re actually easier to set up than a traditional VPN.
Preparing Your Server for Migration to SBS 2008 To properly migrate your server, you have to complete a several-step process that involves configuring Active Directory, confirming that your server is prepared to migrate, and creating an answer file. After you’ve completed these steps, you’ll be able to begin installing Windows Small Business Server 2008 and eventually transfer the Active Directory data from the SBS 2003
PREPARING YOUR SERVER FOR MIGRATION TO SBS 2008
server to the SBS 2008 server. First, before you create the answer file or confirm your server is ready to migrate, you have to prepare Active Directory.
Prepping Active Directory By default, SBS 2003 activates at the Windows 2000 Server forest functional level and Windows 2000 domain functional level. With the original incarnation of Windows Server 2003, there were several forest functional levels that you could establish: ◆
Windows 2000 Mixed
◆
Windows 2003 Interim
◆
Windows Server 2003
as well as the following domain functional levels: ◆
Windows 2000 Mixed
◆
Windows 2000 Native
◆
Windows 2003 Interim
◆
Windows Server 2003
Thankfully, your job is pretty easy here. All you have to do is raise your SBS 2003 server to the Windows Server 2003 functional level on both the domain and forest levels. This can be pretty easily accomplished through the Active Directory Domains And Trust snap-in.
Be Careful When Raising Functional Levels With the advent of Windows Server 2008, the issues that could arise with raising functional levels are slowly beginning to fade, but it’s important to note that it’s easy to raise functional levels of domains and forest, but it’s impossible to lower them again. Once, in another life and another era, a young administrator installed a new Windows Server 2003 server in an environment, promoted it to a domain controller, and raised the domain and forest functional levels to Windows Server 2003 — to disastrous effects. Unfortunately, this young administrator didn’t realize that the Windows 2000 domain controller would no longer be supported. And consequently, an entire domain went down. With SBS 2003 to 2008 migration, this shouldn’t be an issue. However, keep in mind that although this process will be very easy for you, raising a functional level is something that should be done only with a great deal of planning and preparation. Otherwise, disaster can result. Also, just in case you do somehow have Windows 2000 domain controllers in your environment, you will need to demote these domain controllers from their current roles. This way, they’ll keep functioning, and you won’t notice a difference when you upgrade to SBS 2008.
65
66
CHAPTER 3 MIGRATING AND ‘‘UPGRADING’’ TO SMALL BUSINESS SERVER 2008
Raising the Functional Level As a first step in migrating from SBS 2003 to SBS 2008, you’ll need to upgrade the functional level of your infrastructure to Windows Server 2003. This activity will show how to complete that process.
1. First, log on to your SBS 2003 computer as an enterprise administrator account with domain privileges.
2. Select Start Administrative Tools Active Directory Domains And Trusts. This opens the window shown here.
3. Right-click the domain, and choose Raise Domain Functional Level. 4. This opens the functional level menu where you can choose your functional level. If you are not running at Windows Server 2003, you will be able to select Windows Server 2003 and click Raise.
5. There will be a warning that you cannot undo this change; click OK. Once the process completes, you’ll see a dialog box indicating that the functional level has now been raised on the domain. Note that sometimes this can take quite a while to complete. If your domain functional level is already SBS 2003, a dialog box will tell you that your domain functional level is Windows Server 2003.
CHECKING THE BEST PRACTICES ANALYZER (BPA)
Preparing Your Users for Migration Contrary to a large-business environment, in the small-business environment, it’s a very good practice to keep your users informed of any drastic change that may occur. After all, if the migration fails or there is a problem along the way, this can result in a great deal of downtime. Thus, when you’re migrating, you should prep users by having them log out and prep their mailboxes.
User Logons and Files If you can do so without compromising your standard business practices, have users back up any shared files or folders they have on the server to their personal desktops. With the advent of external hard drives ranging in the 2TB range, it may be a wise investment to give one to each user to store their files for an easily deployable rapid-restore process.
User Mailboxes It goes without saying that there are some pretty major changes from SBS 2003 to SBS 2008, but this isn’t necessarily true when you shift from Exchange 2003 for SBS to Exchange 2007 for SBS. For one thing, the entire database is designed slightly differently. Thus, it’s a good idea to do two things:
1. Have your users back up their important emails to their dedicated backup areas, which should be separate from your migration server. You can also consider creating archives for each of your users and placing these archive folders on external hard drives.
2. Make sure they get rid of any excess data, including junk email, unnecessary sent mail, deleted items, and the like.
Checking the Best Practices Analyzer (BPA) Although it isn’t a required step for migration from SBS 2003 to SBS 2008, Microsoft strongly recommends using the Best Practices Analyzer (BPA) to examine your current environment. Should you be interested, you can find the Best Practices Analyzer on Microsoft’s website. It’s downloadable for free and is well documented in KB article 940439 in the Microsoft Knowledge Base. Installing the BPA is very easy, and running it is even more so. All you really have to do is install the tool and run a scan. After you’ve run the scan, Microsoft’s tool will look through your entire environment and find any errors that may exist. Note that this is a good practice in the first place, but before a migration, it’s even more strongly recommended, because you may be unaware of some of the potential snags that may occur during a migration. Also note that if you are not running SBS 2003 but are instead running the full versions of Windows Server 2003, you cannot run the BPA; instead, you can run the Windows networking tools summarized in Table 3.1.
67
68
CHAPTER 3 MIGRATING AND ‘‘UPGRADING’’ TO SMALL BUSINESS SERVER 2008
Table 3.1:
Windows Networking Tools
Windows Networking Tool
Description
Netdiag.exe
Helps isolate networking and connectivity issues
Dcdiag.exe
Analyzes the state of domain controllers in a forest or enterprise and reports issues to assist you in troubleshooting
Repadmin.exe
Assists you in diagnosing replication issues between domain controllers
Source: Microsoft Migration Guide
Migrating Now that you’ve completed the initial migration preparation steps, you can begin the process of truly migrating from SBS 2003 to SBS 2008. This process comes in several distinct stages:
1. Upgrading Active Directory to Server 2008 2. Creating an answer file 3. Prepping Exchange 4. Migrating settings and data
Upgrading Active Directory The process up upgrading Active Directory is actually fairly simple in concept but a little more complicated in implementation. Effectively, upgrading Active Directory requires three stages:
1. Updating the schema 2. Migrating objects 3. Completing your transition from SBS 2003 to SBS 2008 The trouble is that, unless you have an SBS 2008 server, you can’t exactly upgrade the server to SBS 2008 without knowing the SBS 2008 schema because, obviously, SBS 2003 doesn’t understand SBS 2008 yet. To update your SBS 2003 server to SBS 2008, you need to be logged on as an enterprise administrator account — or any account that has both domain and forest privileges to change the schema. By default, the SBS 2003 administrator account should have both of these, but best security practices says that you should change the name from your default Administrator account to something other than Administrator, so it will ultimately depend on how your network is set up. Regardless, at this point, you are only going to complete the schema update. The remaining portions of this process will be completed throughout the rest of the SBS 2008 upgrade. The schema update process consists of two portions. The first portion is to insert the Windows SBS 2008 DVD and complete the schema update process; then you will need
MIGRATING
to set the sync clock. To update the schema, you will first need to make sure of a couple things:
1. Make sure Windows Server is updated. 2. Make sure Windows Server is running Service Pack 2. To upgrade the schema, you will use the ADPREp.exe tools. Directly from Microsoft, the adprep tool extends the schema for SBS 2008 to include the Windows Server 2008 style schema. Note that this is not the same as Windows 2003 or SBS 2003. To successfully migrate, you have to update the AD DS schema on the source server before migration. To run this tool, you must be an enterprise administrator with full rights. The default Administrator account should do just fine. You can find the tool on the DVD in the \\tools \SourceTool.exe folder. Double-click it, and you’ll see a screen pop up like in Figure 3.8. Note that you must select the check box to proceed! Also note that running adprep manually will fail.
Figure 3.8 Preparing your source server for migration
The tools will run through a small wizard that does the following: ◆
Updates the schema
◆
Provides licensing support
◆
Configures Exchange to support migration
In reality, this tool runs adprep, installs an update that allows the time limit for migration to be extended for 21 days, and prepares the server for Exchange Server. It’s actually quite a nice feature set, but it takes a few minutes to run. This is another one of those examples where you can click it and just go grab a cup of coffee.
69
70
CHAPTER 3 MIGRATING AND ‘‘UPGRADING’’ TO SMALL BUSINESS SERVER 2008
If you want to skip ahead to the next step, once the source server is prepared, you can create the answer file. Additionally, you can review the migration guide from a hotlink in the wizard. Either way, when you click Finish, you will need to reboot your server.
The Answer File Now that you’ve updated the server schema to SBS 2008, you need to complete another step along this process: creating an answer file. With SBS 2008, an answer file does the following: ◆
Starts the migration process during the installation of Windows SBS 2008
◆
Provides information that is automatically entered into the Windows SBS 2008 installation pages
◆
Allows consultants to prepare servers for installation before they even arrive at client locations
The answer file for SBS contains three specific types of information: ◆
Clock and time zone settings
◆
Company information
◆
Source server
Table 3.2 summarizes the subfields that these accounts contain. The SBS 2008 DVD contains a tool called the SBS Answer File Generator. With the Answer File Generator, you can automate a fresh install of SBS. This is normally used for unattended or automated installations, but with a migration, the answer file is required.
Table 3.2:
Answer File Information
Category
Information
Clock and Time Zone Settings
Sync time information
Company Information
Name of business, address
Source Server
Domain administrator account name Password Source server name Source domain name Source server IP address Default gateway Whether or not DHCP is running
Destination Server
Destination server name Destination server IP address
Source: Microsoft
MIGRATING
To access the Answer File Generator, you can locate the file SBSAfg.exe on the SBS 2008 DVD. Before you start, you of course need to make sure you are familiar with all the aspects of your business and that the whole installation is ready to go. In the ‘‘Generating an Answer File’’ sidebar, I show how to use the Answer File Generator to create an answer file.
Generating an Answer File To create an answer file that you can use to migrate your settings from your original server, do the following:
1. Double-click SBSAfg.exe on the DVD. (It will be in the Tools directory.) 2. Select Migration From Existing Server (Join Existing Domain). 3. Fill in the required information, making sure to not forget anything. 4. You have the option of printing a copy for yourself, but it’s not required. You can also save a copy to your local hard disk, which is what you’ll do here.
5. Save the file locally to your hard drive where you can access it easily for the next step. 6. Close the Answer File Generator (clicking Cancel works as well). 7. Copy the XML file you saved to your hard disk to a removable form of media, such as a CD or a flash drive.
8. Open the XML file in Notepad to verify its contents. It should appear as you see here.
71
72
CHAPTER 3 MIGRATING AND ‘‘UPGRADING’’ TO SMALL BUSINESS SERVER 2008
Exchange Updates From the default installation of SBS 2003, you have to perform several steps to move to SBS 2008. Most likely, if you’ve been using this server for a while, you’ll be able to skip some of these. But if you’re doing this as an exercise, installing Exchange Server and updating it will require you to make Exchange Server go through three steps:
1. Forest preparation 2. Domain preparation 3. Messaging services installation The easiest way to accomplish these and complete the preparation process is to download the Exchange Service Pack 2 for Exchange 2003. This lets you prepare all the Exchange files for the migration process, which will convert all your previous installation’s Exchange Server information into usable Exchange 2007 data.
The Migration Process Once you have completed the initial installation process, the migration process can finally begin with the migration tool. During this process, SBS 2008 is going to migrate the following from your server: ◆
Network settings
◆
Exchange Server mailbox settings
◆
Group Policy settings
◆
Group Policy objects
◆
Legacy Group Policy objects
◆
Users’ shared data
◆
Internal website
◆
Fax data
◆
User accounts and groups
◆
Folder redirection
◆
SQL Server data
◆
Terminal Services licensing
Installing SBS 2008 in Migration Mode The installation process in migration mode is similar to the clean installation you did in Chapter 1, ‘‘Introducing Windows Small Business Server 2008,’’ but there are a few main differences. First, you’ll complete similar steps in that you’ll need to take your Windows Small Business Server 2008 and place it into your server. Second, you’ll need to also place your removable media in an accessible location. Note that if you chose a CD as your medium, you can insert this later.
INSTALLING SBS 2008 IN MIGRATION MODE
There are a few things you will need: ◆
Small Business Server 2003 Standard key
◆
Small Business Server 2003 Premium key (if applicable)
◆
A partition with 60GB minimum, preferably more
When you begin the initial install process after placing the DVD in the computer and rebooting, you’ll need to answer the initial questions and then make sure your unattended.xml file is accessible to that computer. Once it is, the installation can begin. Most notably during the install, you’ll need to keep the Unattended Install box selected. This tells the server to look for the answer file. If you leave it deselected, the server will expect manual input. As usual, this process can take several minutes to a couple hours and require a lot of reboots. The ‘‘Installing SBS 2008 in Migration Mode’’ sidebar goes through the process step-by-step.
Installing SBS 2008 in Migration Mode To complete this activity, it’s assumed that you’ve already installed SBS 2008 and that you’re familiar with the involved steps. I also assume that you’ve inserted the DVD, done the basic installation, and stopped before the regional and language settings you see on the screen shown here during the initial startup.
73
74
CHAPTER 3 MIGRATING AND ‘‘UPGRADING’’ TO SMALL BUSINESS SERVER 2008
1. At the screen shown here, insert your CD or USB drive. 2. Click Install Now. 3. Type your product key, and then click Next. 4. Agree to the license agreement. 5. Click Custom on the screen shown here.
6. At the next screen, you’ll need to choose where you want to install Windows. Assuming SBS 2008 sees your drives, you can just select the location you’d like. Note: If you are using RAID, a SCSI controller, or a special type of hardware, you may have to load some drivers for your specific hardware, but the process is relatively simple. You can insert the required media, click the Browse button, and load the driver from your media.
7. The operating system will begin installation. 8. If the XML file is read correctly, the installation process will begin once the operating system is installed. You should see the screen shown here, or one of the main screens, depending on whether you chose an attended or unattended installation. Note that the Microsoft installation utility will scan every drive available and see whether the XML file is in the root directory of each drive. The system is fairly smart, so it can be a CD-ROM, USB drive, or generally any attached media, but it will need to be in the root directory and not in a folder.
INSTALLING SBS 2008 IN MIGRATION MODE
9. The Connecting To Your Server screen may appear on your desktop for several minutes or maybe even several hours, depending on how much information you have on each of your servers. The best thing you can do right now is go take a break.
10. If you have done something incorrectly during the installation, you will probably see something like the screen shown here.
75
76
CHAPTER 3 MIGRATING AND ‘‘UPGRADING’’ TO SMALL BUSINESS SERVER 2008
11. Otherwise, you’ll be presented with a screen that will ask you if you have a current backup. Click the ‘‘I have a current backup’’ check box and the other ‘‘I have read the most recent version of the Migration Guide’’ — but only if you’ve done so. Then, click Next.
12. If all has gone well, you can sit back and relax as the nearly two-hour-long process of expanding and installing the files takes place. Just for fun, Windows Server will reboot a few times during the process. Other than that, you’re done!
The Migration Wizard After completing the process of setting up your network, servers, users, and essentially your entire infrastructure for the big change to SBS 2008, you can begin using the tool that will make the actual migration process easier — the Migration Wizard. The SBS 2008 Migration Wizard is capable of migrating the following aspects of Windows Server: ◆
Network settings
◆
Exchange settings
◆
Group Policy/logon settings
◆
Users’ data
◆
Companyweb intranet site
◆
Fax info (I will not cover this)
◆
Users and groups
All in all, it’s almost a little dissatisfying to spend all that time setting things up, messing around with the server, creating an unattended file, and then going through all that rigmarole to just have to go through a series of wizards — but that’s the way it’s done. Oh, and that’s not all! One of the big caveats you need to remember about migration is that migration must be completed within 21 days of installation. Who knows where Microsoft came up with that number, but that’s how long you have to complete it. In this section, I’ll cover the process of migrating using each part of the wizard. Once the expanding and installing section completes, a Start The Migration link will appear. Click it, and the wizard will take you through the following sections of the migration process: ◆
Data Stores: The Data Store Wizard will find your stored data with Exchange Server, WSS, and Windows Update.
◆
Network Configuration: This will set up your Internet connection and web access, as well as configure your custom DNS settings and any remote access or SSL configurations you may have stored on your server.
◆
Migrate Mail Settings: This allows you to migrate all mail settings.
◆
Remove Legacy Group Policy: ◆
The modified logon scripts should be renamed.
◆
The logon scripts only apply to accounts added by the Add User Wizard.
◆
Delete all Small Business Server GPOs.s
◆
Remove the WMI filters.
INSTALLING SBS 2008 IN MIGRATION MODE
◆
Migrate User Shared Folders and Redirects: ◆
Move shared folders.
◆
Alter share permissions on the source server.
◆
Create new shares.
◆
Configure security settings for folders.
◆
The Internal Website (companyweb): You can migrate the entire website, including its data directory.
◆
Fax Data
◆
Group Data
To complete these wizards, you’ll need to be logged into the SBS 2008 machine as an administrator. By default, the Windows SBS Console should open automatically, and you should be able to choose the Migrate To Windows Small Business Server 2008 option, which will start the wizard process. This brings up a series of tasks, such as the following: ◆
Changing the Exchange Server data location
◆
Changing the Windows SharePoint services data location
◆
Changing the users’ shared data location
◆
Changing the users’ redirected documents data location
◆
Changing the Windows Update Repository data location
The process of completing this series of tasks is fairly straightforward. You essentially just have to click Next and then provide the required information as you progress through each step of the migration wizard. But ultimately, if you’ve installed Windows even once before (especially if that Windows version happened to be SBS 2008), you should find the process quick and painless. Now, a couple things to note. First, during the migration process, Exchange Server may delete ‘‘dangerous’’ attachments. What it defines as dangerous usually includes anything that isn’t a standard commonly recognized format, like .doc, .xls, or .mp3. Because of this, it’s a good idea to have users back up attachments before you import these settings. Actually, in reality, it’s a good idea to have your users do this anyway. It can really reduce the size of your Exchange Server mailboxes (which is always a good thing) if you have users remove attachments as soon as they get them. Next, you need to be aware that some legacy Group Policy objects may throw an exception or not transfer properly. If you have any that you think might be really important, you may want to be prepared to hand make the GPO yourself. You can learn more about this in Chapter 5, ‘‘Configuring and Administering Active Directory with SBS 2008.’’ Otherwise, the install is fairly straightforward. At the end of the process, you’ll see the Migration Home Wizard complete and the tasks it requires checked off one at a time. And then you can start to do the optional tasks if you so choose, although that’s not required. But in any event, you’ll finally be greeted with a Finish Migration Wizard. Lastly, you’ll need to use the DCPROMO tool that you’ve used in other installations. You can access it by clicking Start Dcpromo. You’ll need to elevate the SBS server to a domain controller and complete your installation.
77
78
CHAPTER 3 MIGRATING AND ‘‘UPGRADING’’ TO SMALL BUSINESS SERVER 2008
Seamless Migration When the engineers at Microsoft first designed the migration process of SBS 2008, they created it in such a way that the migration process could be completed without the need to stop any user services and so the process would be relatively transparent to end users. In practice, the project leads of Microsoft were able to take a sample setup with SBS 2003 and migrate it to SBS 2008 with all users logged on, working, and operating uninterrupted. Many administrators, including those who were in the alpha process, were able to take their users through the process and move their SBS server from one server to another without the users knowing. In this book, however, I don’t recommend this process unless it’s necessary. This is because it can be problematic to move Exchange Server public folders and Active Directory information during a live site. The bottom line is that it’s certainly well designed and well supported. But just because you can do something doesn’t mean you should. Always consider whether your process is going to be good for the users or good for the business.
The Bottom Line Set up and plan migration One of the oldest phrases in IT is referred to as the five Ps: proper planning prevents poor performance. It’s not only a little funny; it’s true. The first step of any planned migration is to plan. When you create your plan, you can break it down into areas involving your server, network, and objects. Furthermore, you can consider hardware purchases that will be required, implementation times and deployment periods that will be the most beneficial, and what would make your migration process the easiest. Master It Develop a plan for a small business of 30 employees that requires the migration process to be done during business hours. The current network is running SBS 2003 and uses SBS 2003 as an ISA server. However, the ISA server is being replaced with a hardware firewall without proxy. Define any bottlenecks and potentially troubling concerns. Create an answer file Answer files are XML documents designed to massively import settings from a source server to a destination server. Answer files can be generated from the source server by using the Windows Server toolkit. Master It Create an unattended answer file that requires no user input until the migration process has been completed. Click the Install Now button at the Windows Server introduction, and see whether your installation is paused. Migrate objects Once the migration process has begun, the automated process will bring you to a wizard that allows you to complete the migration. This process is what actually migrates your settings and allows you to complete the wizard. Master It Create an installation of SBS 2008, and compare the originating server to the destination server. Ensure that the destination server has the appropriate objects.
Chapter 4
Implementing a DNS Name Server and File Sharing with SBS 2008 Windows has come a really long way since the days of Windows 3.1 and the Disk Operating System (DOS). Twenty years ago, we had no option but to input commands in text-only format, repeating ourselves if we made a mistake with a single letter. It makes you appreciate exactly how far we’ve come. Today, tasks that used to take hours can take minutes, even seconds, to complete. With Windows Small Business Server 2008, administrators can create a server naming convention system that can request names, pass it on to other naming convention systems, and resolve hosts in a matter of about 10 minutes. Furthermore, administrators can create a central repository that can share folders and data across a network with ease. In the early days of computers, even a simple connection was barely possible. But nostalgia aside, the latest iteration of the Small Business Server platform contains a number of dramatic new improvements since the previous version, including Certificate Services that allow us to more easily share and exchange security encryptions through a business, Exchange upgrades to more easily send email, and a few new roles that will be covered in various chapters throughout the rest of this book. With all of these strides forward in not only computing but Small Business Server, you’ll need to know how to implement the important roles and special features of SBS 2008. In this chapter, you’ll learn how to ◆ Set up the Domain Name System ◆ Set up file sharing ◆ Use the File Server Resource Manager
The Domain Name System The Domain Name System (DNS) is a convention for converting IP addresses (discussed in Chapter 2) to traditional Internet naming conventions, such as www.google.com. In the modern day, the DNS process occurs from the front end without any end user knowledge necessary. From the perspective of a user accessed the Google search engine, the website and server being accessed is simply an unknown entity called google.com. Chances are, they don’t know that .com is actually a portion of the DNS naming convention, nor do they understand that google.com is just an alias associated with an actual IP address.
80
CHAPTER 4 IMPLEMENTING A DNS NAME SERVER AND FILE SHARING WITH SBS 2008
DNS in a modern small-business server environment plays a critical role. It allows small-business owners to host machines under aliases that can be accessed by people in the small business. As an example, when you set up Windows Small Business Server 2008 for a web installation through DHCP, you can simply enter an aliased name into a web browser and then easily access your server. Without DNS, this wouldn’t be possible. With Small Business Server, DNS is normally just a handy tool that goes on in the background without anyone really knowing the inner parts of what’s happening. However, administrators using DNS in a larger environment have to pay careful attention to the Domain Name System in order to provide a careful method of checks and balances. If proper attention isn’t given to the name resolution structure, there can be instances where servers and users can’t properly reach the clients they’re supposed to, simply because they don’t know the right name to look for. With SBS 2008, the process is usually much less arduous because the average business owner will start SBS 2008 with DNS automatically functioning and be unaware of what’s happening under the hood. In this section, I hope to expand on that knowledge and show you the vital role DNS can play in any configuration, large or small. The reason this is important for SBS users to know is that, although most DNS functions in a small environment occur automatically and without administrator or user knowledge, if you understand how to utilize DNS manually, you can drastically improve your overall administration tasks.
Anatomy of DNS The easiest way to understand the Domain Name System is to understand that DNS functions through a system of tiers called domain namespaces. Each of these tiers of domain namespaces are divided by a dot (.) that separates the levels under which they operate. In the real world, administrators have begun to use dot separations for host and domain names as a logical way of separating a URL. For example, if you want users to access the fourth accounting server in a business, you could easily use the convention fourthserver.accounting.mybusiness.com. This makes four different levels of separation: fourthserver accounting mybusiness com Breaking this down further, a website such as www.intellicorp.com has three specific namespaces: www, intellicorp, and com. Together, they form a complete domain reference to a specific location. To understand how that reference is created, it’s best to read the DNS entry in reverse order. Surprisingly, at the beginning of the address is the com portion. This section is called a top-level domain and defines the maximum level under which these references refer. It also describes the type of organization using the domain. Table 4.1 provides a full list of these top-level domains. Top-level domains on the Internet are used to specify the overall region and purpose of an Internet domain. The most common type of domain, a .com domain, is a commercial business in the United States. When a DNS server receives the request for a .com host, it knows at the very beginning to look for a geographic region and to look for a specific type of account. Beyond the top level, DNS entries are then broken up into domains that contain various zones, which I’ll discuss in the ‘‘DNS Zones’’ section a little later in the chapter. In the address www.intellicorp.com, the intellicorp portion is a domain that contains a zone. Across the Internet, standard Windows zones are broken down with resource records that indicate
THE DOMAIN NAME SYSTEM
individual IP addresses, such as www, which may correspond to a server at 10.0.0.1. This will all begin to make sense as I continue this explanation.
Table 4.1:
Top-Level Domains
Top-Level Domain Name
Organization Type
.com
Commercial business
.gov
Governmental organization
.net
Network
.org
Organization
.info
Informational site
.us
United States
.edu
Educational
.int
International organization
.uk
United Kingdom
.jp
Japan
Source: Wikipedia
At the small-business level, you don’t have control over top-level domain changes, or sometimes you’re even restricted to just one domain, as opposed to a large environment, which may have several domains. In this chapter, you’ll see how to manage the domain you have access to. For the moment, let’s start to enter DNS entries by hand.
Manual DNS Entries One of the best ways to start understanding DNS is to just use it. Accordingly, in this section I’ll show you the value of adding your own custom DNS entries to the Windows HOSTS file. The HOSTS file is a single file that contains network names and IP addresses, which are manually entered by an administrator. If you reference Figure 4.1, you can see a HOSTS file with a very simple configuration. Some comments are listed in the HOSTS file (these are preceded by the # symbol), and then there are two hosts, the local host (127.0.0.1) and the local host for IPv6 (::1). Here, in this location, you could specify an IP address you commonly use, such as one of the oldest DNS servers on the planet, which is located at IP address 4.2.2.2. This address is useful for small-business owners, because it’s one of the most reliable addresses in the entire Internet. You can use it to determine stability, as a last resort DNS server, or even as your primary server — it’s nearly guaranteed to always work. To show you how to create a DNS entry manually, I’ll use one of the most common practices in a small office/home office (SOHO) environment: making sure that the Internet is running. From experience, I know that the level-3 DNS server (4.2.2.2) never goes down. I’ll place it into my sample HOSTS file (so I can reference it later) and make an entry like this: 4.2.2.2
online
81
82
CHAPTER 4 IMPLEMENTING A DNS NAME SERVER AND FILE SHARING WITH SBS 2008
Figure 4.1 Sample HOSTS file
From now on, if I type the word online in my URL bar, the command window, or any other common location, Windows will instantly know that I’m referencing a predetermined host: 4.2.2.2. Thus, instead of referencing the address, I can just type the hostname whenever I need it. Static host entries, such as the one we just created, are the most efficient type of DNS entry possible because the local host is not required to go through the process of contacting a server. Instead, it can immediately send its request to the network and begin accessing more information. In your own business, you can use static host entries to improve efficiency. By placing a static host entry into the HOSTS file of an individual computer, you remove the need to bother any servers with a DNS lookup request and instead can just send your request straight to a router, which will eventually route your request to your intended destination. This is not only a good business practice but also a good security practice. By manually installing hostnames, you limit the amount of shared information passed through a network in an insecure manner. Often in security-critical environments, you may not want the address of something classified like supersecretserver.topsecret.gov to even be passed around. After all, once someone knows where a server is located, it exposes it to attack. Having something exist only at the local level reduces this possibility, because a DNS query isn’t sent to anything but the local host. If this isn’t done, the DNS hostname has to be resolved, which I discuss in the next section.
DNS Resolution Process With a simple DNS entry, like the manual entry just discussed, the process of resolving a DNS entry is pretty easy. Effectively, the resolution process begins when the server receives a request for an individual host, such as a user requesting to go to Google.com. The server then queries itself and says, ‘‘Do I know who this entry is?’’ It then looks into its own HOSTS file and says, ‘‘Yep, I sure do’’ (or correspondingly ‘‘No, I do not’’ in the case of an undefined entry). What makes things complicated is that just about 99.9 percent of DNS requests are unknown. The reason for this is that if a local host had every single DNS entry in its own local hosts file, the file would be so massive that it would bog down the entire server. Can you imagine how unnecessary and inefficient it would be to have a server used for business know the name and IP address of every adult website and illegal file–sharing hosting company on the Internet? It’d be a nightmare. Accordingly, it’s best to understand exactly what happens in the case of an undefined entry, because the process sure doesn’t end there. This all comes down to DNS queries, which I go into in the ‘‘DNS Queries’’ section a little later in this chapter. In fact, the DNS process breaks down into three separate processes: ◆
DNS server
◆
DNS client
◆
DNS resolver
THE DOMAIN NAME SYSTEM
DNS Server A DNS server is a server running Domain Name Services. They’re generally used either in a branch or datacenter or by an Internet service provider to translate its named requests into IP addresses. As an example, if Intellicorp is an ebusiness based in Chicago, there may be five or six computers running different services somewhere in a datacenter. These servers would probably all be in the intellicorp.com domain. However, they may carry a lot of different names, such as serverone.intellicorp.com, servertwo.intellicorp.com, and so forth. Accordingly, Intellicorp would need to use a DNS server to identify the names of these servers to the rest of the Internet. This means the server is running a process that accepts queries from clients for IP addresses based on domain names and then returns the IP address. Usually in a business that involves a datacenter or a branch office, the DNS servers respond to a DNS server at a higher level. For instance, if I purchase the domain name intellicorp.com from a domain registrar like GoDaddy.com, I could easily enter the DNS information for my intellicorp domain. It’s usually a pretty simple process, such as logging onto the website that registered your domain name and saying ‘‘My DNS server is at this IP address.’’ This means that all requests heading for a server within the intellicorp domain would be told by the GoDaddy DNS servers that my DNS server is where I specified it with their tools.
DNS Client A DNS client, on the other hand, is any machine that’s requesting a DNS response from a given server running DNS services. And since anything running the TCP/IP protocol must use a DNS query process, you can safely say that all Windows machines are running this. In a SOHO environment with SBS 2008, chances are that most of the computers connected to the SBS 2008 will function as clients to the SBS 2008 server, which will serve as their primary DNS server. And as discussed, that DNS server will probably respond to requests that are handed down from a higher-level DNS server, such as one operated by an ISP or a higher-level DNS server.
DNS Resolvers A resolver can be either a server or a software process that actually figures out the correct name address. You can think of it this way: a server serves the information, the client wants it, and the resolver bridges the gap between the two via either a software service on a DNS server or a third-party application. With Windows, it’s almost always built into the DNS server.
The Importance of DNS Even in the smallest environment, setting up DNS properly is critical. The difference between logging in with DNS set up correctly vs. incorrectly can mean the difference between seconds and hours, because the Windows logon system uses DNS to resolve the authentication process. DNS is used throughout Windows Server 2008 in many roles that are unapparent to the administrator. By not having your server function with DNS, you can cause programs to cease working properly, as well as categorical errors with applications, including line-of-business applications.
83
84
CHAPTER 4 IMPLEMENTING A DNS NAME SERVER AND FILE SHARING WITH SBS 2008
As a case in point, a young administrator (who shall remain nameless) once decided to have a router function instead of a server as a DNS provider. Shortly thereafter, the entirety of the branch office was unable to access any part of the Internet, and business came to a complete halt, resulting in the loss of thousands of dollars worth of productivity. Do not let this happen to you.
DNS Queries You may have noticed that one of the key words thrown out occasionally in the previous two sections was query, or, specifically, a DNS query. Throughout IT, this word is used to signify a notification that requires a response. In the case of database administration, programmers will use queries to receive a certain amount of data. And with DNS, clients will ask servers to use resolvers to find the answers to questions. These questions, or queries, come in three separate types: iterative, recursive, and inverse.
Iterative Query The first type of query a server can issue is an iterative query. An iterative query is a query iteration that starts at one server and then is added and passed on to another server if the server that receives the first iteration is unfamiliar with the address. Simply put, a client asks a server whether the server is familiar with the hostname. If not, the server passes it on to the next iteration of its DNS, or the next stop on the list of DNS servers that it knows of. It’s sort of like saying ‘‘Yes, I’ve heard of that’’ and ending the process or saying ‘‘Never heard of it — ask this server’’ if it hasn’t.
Recursive Query Unlike iterative queries, recursive queries do not allow the proverbial buck to be passed, or just dropped off and never returned. This is because reverse DNS queries absolutely require an answer. In effect, a recursive query asks a DNS server whether it has the domain and expects one of three responses: the proper name and IP address resolution, a ‘‘does not exist’’ message, or a temporary ‘‘waiting for response’’ message. Technically, the response it’s looking for is either yes, along with an IP address; no, with a response that the domain does not exist; or ‘‘Hold on, I’m looking for it.’’ Usually, recursive queries are used by Internet service providers (ISPs) that are trying to reduce their overall bandwidth. Unlike iterative queries, recursive queries use a very definable amount of bandwidth, because if the server does not know the answer, it can ask another server. As an example of what might happen with a DNS query in a small-business server environment, the following process may occur:
1. A host queries, ‘‘What is the cool.snarfmagnet.com IP address?’’ 2. The SBS DNS server looks up cool.snarfmagnet.com in local tables and either responds with the right IP address or responds that the host was not found.
3. If not found, the SBS DNS sends a query to a root server for the IP of cool.snarfmagnet.com, usually your ISP’s DNS server.
4. The ISP DNS server replies with a referral through reverse DNS to the top-level domain for a cool.snarfmagnet.com lookup.
THE DOMAIN NAME SYSTEM
5. The SBS DNS server sends the query ‘‘What is the cool.snarfmagnet.com IP address?’’ to one of the .com top-level domain servers.
6. The top-level domain refers to the snarfmagnet.com DNS server. 7. The snarfmagnet.com DNS server sends a query to itself with ‘‘What is the cool.snarfmagnet.com IP address?’’
8. It discovers the address and sends it back to the first host.
Inverse Query Inverse queries are when things start to really become interesting. This is because, up until now, the only way to achieve a DNS resolution was through the process of asking a DNS server if it had ever heard of a particular name and then asking it for the IP address associated with that name. However, this isn’t the only way the domain name system can resolve. In fact, it can do it the opposite way — by resolving names to IP addresses. The feat of mapping an IP address to a domain name is accomplished by using pointer (PTR) records. PTR records contain reverse information that binds this name to an IP address by using the in-addr.arpa convention. This convention uses an octet system that maps IP addresses from their least to most specific portions. For example, an address such as 10.0.1.5 goes from the least specific portion to the most specific: 10: The category A subnet that implies hundreds of millions of addresses 0: The category B subnet that could contains hundreds of thousands of addresses 1: The category C subnet that could in and of itself hold thousands of addresses 5: The most specific address that can be mapped to only one logical device Thus, when using PTR records, the DNS server would create a PTR record of 5.1.0.10.in-addr.arpa for this host. PTR records may seem a little confusing, and for the most part they are out of the range of knowledge required to operate SBS 2008 effectively. However, PTR records do usually show up in the small-to-medium business market when an administrator is setting up email. This is because a large share of Internet service providers that provide email, such as AT&T and Google, require that there be a known PTR record for any addresses functioning as a mail delivery system. Without a PTR, these ISPs have no way to ensure that these servers are not just random bots or malicious users seeking to crash their mail systems with unnecessary email.
DNS Zones With SBS 2008 and all versions of Windows Server 2008, DNS records are placed into collections of records called DNS zones. For those new to DNS, it can be a little confusing, but the easiest way to think about DNS zones are that they are similar to ‘‘folders’’ of DNS records that contain various host types, which I will discuss in more detail in the next section. Within DNS, you need to be familiar with four types of zones: primary, secondary, stub, and GlobalNames. I’ll discuss each of these briefly and then discuss how each of these zone types can be broken down into two categories: forward lookup zones and reverse lookup zones.
Primary Zones As the name implies, a primary zone is the primary collection of all host records for a DNS server. With Windows, these primary zones can be either integrated or not integrated into
85
86
CHAPTER 4 IMPLEMENTING A DNS NAME SERVER AND FILE SHARING WITH SBS 2008
Active Directory. The advantage of having these zones integrated with Active Directory is that your Windows server will include these hosts’ records, aliases, and other DNS records throughout the entirety of its Active Directory database so they will be passed on to other users who are connected to the server. This greatly reduces network traffic and enhances network security. So, because of this nifty feature, most administrators almost always make their primary zones Active Directory integrated. However, there are some reasons you might choose not to do so. For whatever reason, a user may have specific local hosts that they may not want to know all of the primary zone information. In a small office, for example, there could be a situation where there are multiple joined host computers, one of which is owned by the small-business owner. And he just may not like the idea of using all the servers’ DNS information. It’s rare, but sometimes it happens.
Secondary Zones If there are primary zones, there just have to be secondary zones, doesn’t there? Well, of course! And that’s because they’re quite useful. Granted, with SBS 2008 they aren’t quite as popular as primary zones, but that’s because SBS 2008 is essentially a one-stop shop for all Windows features — it usually consists of only one server, two at the max. Secondary zones do, however, exist throughout the rest of the Internet. In Windows, secondary zones are exact replications of primary zones that are designed to serve as points of fault tolerance, as well as replications of primary zones to ease the burden on primary DNS providers. You see, unlike Active Directory–integrated primary DNS zones, secondary zones do not need to be added to a domain controller and can instead be placed on any member server — which can really ease the burden on your domain controller. Another tidbit of information you need to know about secondary zones is that the information they contain cannot be edited or updated. This is mostly for security reasons, but it makes sense when you think about it. Primary zones are integrated into your domain controller and can be updated based on administrator settings, whether that means whenever the server learns something or just when an administrator decides to update. Secondary zones, on the other hand, always contain the same information, so administrators don’t have to worry about them being compromised.
Stub Zones Stub zones are like light secondary zones. They are secondary zones that can contain only name server, host, and alias record types. I’ll go into these record types more in depth in the next section, but for right now keep in mind that stub zones are just like secondary zones, except that they can contain only three record types — a lighter, meaner, and even more efficient version of an already efficient concept.
GlobalNames Zones Secondary zones aren’t used too much with small businesses, but GlobalNames zones are rarely used indeed. But, for the sake of thoroughness, I’ll briefly discuss them. A GlobalNames zone is a modern convention to adapt to the old NetBIOS convention of using Windows Internet Name Service (WINS) to resolve names. I’m not going to go into a huge discussion of WINS, but I will go so far as to say that WINS used a series of CNAME record types to map locations. However, the implementation proved to be inefficient on the high end and was therefore replaced. For more about WINS, see http://technet.microsoft.com/en-us/library/cc784180.aspx.
THE DOMAIN NAME SYSTEM
Forward and Reverse Lookup Zones Thinking back to the previous section on inverse queries will help you a lot in understanding forward and reverse lookup zones. This is because DNS with Windows SBS 2008 and all other versions of Windows Server 2008 are divided into two different types of zones: those that resolve DNS inquiries ‘‘forwardly’’ or by resolving names to IP addresses and those that resolve names in reverse by using PTR records to resolve IP addresses to host names. It really isn’t all that hard to understand, but unless you remember that, the zones discussed in the previous sections can get a little confusing. Just keep in mind that all zone types are classified into either forward or reverse and then subcategorized into the categories of primary, secondary, stub, and GlobalNames.
DNS Record At last, what you’re really interested in with SBS — DNS records! As I stated earlier, DNS zones are essentially just collections of DNS records. This makes it kind of hard to understand what a DNS zone is without understanding DNS records to begin with. This section should alleviate that. Simply put, a DNS record is an assigned location for a specific type of host. These hosts can be normal hosts, aliases, mail exchangers, or various other types of records that I’ll explain a little later. When a user sends a query to a DNS server, the DNS server looks into one of its zones and sees whether it has a record that matches that query. For example, a user may issue a query that in pseudo-code looks something like this: ‘‘I’m looking for mail.intellicorp.com.’’ The DNS server would then check its primary zone at intellicorp (within the .com domain) and then look to see whether it has a host called mail. If it did, it would respond with an affirmative response. Take a look at Figure 4.2. In that figure, I’ve captured the default setting of the DNS service that comes with SBS 2008. You can access your own similar server’s DNS Manager by selecting Start Administrative Tools DNS.
Figure 4.2 DNS Manager
As you can see, a whole lot of hosts already exist! By default, SBS tries to remove a lot of the burden of manually adding DNS host records by autocreating some of them for
87
88
CHAPTER 4 IMPLEMENTING A DNS NAME SERVER AND FILE SHARING WITH SBS 2008
you. There is already a record for officesvr1, as well as other records such as Sites and SharepointSMTPServer. What this all means will become clear in a moment, but it’s good to take a look at the big picture before you get too far along the path. But now, you need to start understanding DNS records. This is because SBS Server, more so than just about any Windows Server product, really relies on DNS records. Small offices sometimes know of a few computers only or are actually part of a larger organization that just needs a centrally located server to take care of all its business needs. With SBS 2008, you can use the DNS Manager to outline the network in a very efficient fashion. You can tell it where all of the hosts are or set it up to define them automatically — as it does by default.
DNS Record Types With SBS 2008, you need to be familiar with these five record types: ◆
Hosts
◆
Name servers
◆
Aliases
◆
Pointers
◆
Mail exchanger
I’ll discuss each of these record types one at a time, with an example of each.
Host Records A host address record, or A record, signifies the existence of a single, solitary host that contains an IP address. An example of a host address record is something like this: www
IN
A
63.146.189.101
With this record, the categories are as follows: HostName | Time_to_Live | Record_Type | IP_Address The hostname is www, the time to live is optional (and shows for how long the record is valid), the record type is an A record, and the IP address is 63.146.189.101. The A records are used for individual machines, web boxes, SMTP servers, and just about any machine that doesn’t contain one of the other known record types. If you’re like just about every other SBS 2008 administrator, you’ll end up with a whole lot of A records in your DNS database.
Name Servers If a machine is running DNS, it’s good to have a name server record associated with it. For example, the following NS record actually shows that there is a name server in this DNS database: Cramsession.com.
IN
NS cramsession.com
Unlike a host record, an IP address isn’t specified (because it’s just a name server record, not a host record), and thus this breaks down as follows: Name | Address Class | Record Type | NameServerName ◆
The name is cramsession.com.
THE DOMAIN NAME SYSTEM
◆
The address class is IN: Internet.
◆
The record type is NS: name server.
◆
The name server name is the fully qualified domain name of the responsible server: cramsession.com
This means that users looking for the name server cramsession.com will query their own DNS server for the name cramsession.com. With SBS 2008, these records become vitally important if you need to set up another optional name server for your small-business server. Say, for example, you work in a larger environment or are a small company owned by a larger one. The larger company may have another name server that contains hundreds of thousands of host records. This way, SBS can specify a name server and have the name server on record if it needs to access it. In the cramsession example, it may know tons of names you’ve never heard of at the SBS level but that it may need if for some reason they’re requested by the larger company. In fact, the name server you specify for the larger company may have hosts you would have never heard of unless you told SBS to specifically look for the name server. The name niceexample.cramsession.com may not even be publicly accessible, for example, unless you know about the cramsession.com name server.
Aliases An alias record is used if you already have an A record for a host and you’d like to have another name for that host. So, for example, if you already have a www record for intellicorp.com (www.intellicorp.com on the Internet), you could create an alias called neat.intellicorp.com that would actually point to the same place. This is accomplished by creating an alias or canonical name (CNAME) that references the previously existing host. So, for example, earlier the hostname was www.intellicorp.com at 63.146.189.101. To make an alias for this host, called supercool, you could create an alias record that looks like this: supercool.intellicorp.com IN CNAME www.intellicorp.com
This makes supercool.intellicorp.com report to the alias of www.intellicorp.com.
Pointers Pointers, or PTR records (discussed earlier), are reverse records that translate IP addresses to hostnames. In DNS, these records look like this: Reversed Address.in-addr.arpa | TTL | IN | Target Domain
Earlier, in the simple hosts, a PTR record for that associated query would associate the www.intellicorp.com host with its given IP address. This would look like this: 101.189.146.63.in-addr.arpa
IN
PTR
www.intellicorp.com
This now makes any user who tries to resolve the IP address of 63.146.189.101 automatically resolve to www.intellicorp.com.
Mail Exchangers A mail exchanger record is used to let external SMTP mail servers and various hosts know the location of your company’s (or, more specifically, your DNS zone’s) mail exchanger location.
89
90
CHAPTER 4 IMPLEMENTING A DNS NAME SERVER AND FILE SHARING WITH SBS 2008
This type of record, called an MX record, is stored similarly to other records you’ve seen. It uses this format: Domain | Class | Type | Host If you had an Exchange mail server at, say, 10.0.1.100, you could make an entry that looks like this: Intellicorp.com IN MX 0 mail.intellicorp.com
This makes the intellicorp.com mail exchanger look for the host at mail.intellicorp.com, which would need its own respective host record.
Creating Records Now that you have an idea of how DNS records work and understand the zones that contain them, it’s time to create and use some simple records that will familiarize you with how to administer the SBS 2008 DNS Manager. In this exercise, you will create and add a standard host record new forward lookup zone called intellicorp.com. For your own purposes, you can name the zone anything you like, but you will need to keep track of any changes you make that differ from these exact exercises. Otherwise, future exercises that reference this material will seem unfamiliar.
1. Open the DNS Manager by navigating to Start Administrative Tools DNS. 2. Expand your server by clicking the minus symbol, then right-click Forward Lookup Zones, and finally select New Zone, as shown here:
THE DOMAIN NAME SYSTEM
3. This opens the New Zone Wizard. Click Next after it appears. 4. As shown here, select Primary Zone, and then click Next. Make sure the check box in the Store The Zone In Active Directory section is selected.
5. Click Next. 6. On the next screen, you can choose whether you want this zone to be replicated to just this domain or to the entire forest. Since you are using only a single domain environment, limit this to the domain, and click Next.
7. On the New Zone Wizard screen shown here, name your zone intellicorp.com.
91
92
CHAPTER 4 IMPLEMENTING A DNS NAME SERVER AND FILE SHARING WITH SBS 2008
8. Click Next. 9. You want to allow only secure dynamic updates, so leave the Dynamic Update selection screen as the default, and click Next.
10. Finish the zone wizard by clicking Finish. 11. Once the wizard is complete, you will see intellicorp.com added to your list of forward lookup zones. Highlight intellicorp.com by selecting it.
12. In the area to the right of the gray bar separating the locations from the records, right-click any empty white space area, and select New Host.
13. In the New Host box, enter the name test for the name and an IP address in your subnet, such as 192.168.0.240.
14. Select Add Host. 15. A message box will appear saying you have completed adding a host file. Once this is complete, you can click OK and see that a host file called test is now in the intellicorp.com lookup zone.
Configure MX Records Now that you’ve created a DNS zone and added a host, you will configure a mail exchanger record for SBS 2008 so that you can understand how this process works. In future installations, you may do in your business or with your respective clients, you will probably have to conduct this exercise often.
1. Open the DNS Manager by navigating to Start Administrative Tools DNS. 2. Expand your server by clicking the minus symbol, then right-click Forward Lookup Zones, and finally select the intellicorp.com zone you just created.
3. Create another host record called mail by repeating the steps you completed in the ‘‘Creating Records’’ exercise, except this time name the host mail and give the IP address of your SBS 2008 computer.
4. Now, right-click any whitespace available, and select the New Mail Exchanger (MX) record. You will see an image like the one shown here:
5. You will see an area in which to place a host or child domain name. As the box says, most of the time this is left blank. However, in this case, you’ve actually created a host called mail for the purpose of illustrating a point. With this host created, you can choose it as your mail server. However, many administrators choose to leave their domain mail server the same as their domain name by default. The decision you make is up to you.
6. Next, in the Mail Server Priority section of the screen, you’ll want to leave the default of 10 in the box. Windows evaluates servers by choosing the server with the lowest mail server priority. This is because a lower number indicates a more preferred server.
IMPLEMENTING FILE SHARING
7. Click OK.
The mail server will appear as shown here:
Implementing File Sharing As an administrator, whether you run a small or large business, file sharing is often your best friend. Through the effective use of file sharing, users can swap files, provide a central repository for collective work, give administrators control over where files are stored, and just generally provide a lot of worry- and hassle-free control of file management. In previous versions of Windows, file sharing was a little onerous to administer because of the various levels of protection associated with each of the files, along with the processes of mapping drives and other little complications that arose along the way. But with SBS 2008, this has been made much easier. You can access shared folders through the Windows SBS Console, as shown in Figure 4.3. This is a dramatic change from SBS 2003, in which shared folders were still controlled the ‘‘old-fashioned way’’ — with Windows permissions. The SBS 2008 method makes it a lot easier
93
94
CHAPTER 4 IMPLEMENTING A DNS NAME SERVER AND FILE SHARING WITH SBS 2008
for administrators new to Windows permissions to make changes quickly and effectively, which allows you to let users access files with ease throughout your environment.
Figure 4.3 Windows SBS Console shared folders
Default Shares By default, SBS 2008 creates three separate shares that you need to pay attention to: ◆
A public share
◆
Redirected folders
◆
User shares
Before I talk about how to add new shares and specify them to your business’s needs, I’ll explore the shares that SBS 2008 has already created. First, one of the most useful folders that SBS creates is the public share folder, which appears in the */Users/Public location of your system drive. If you navigate to that folder, you’ll see that Public contains five separate subfolders for public documents, downloads, music, pictures, and video, as shown in Figure 4.4.
Figure 4.4 Public folder contents
The main purpose behind the Public share folder is pretty simple. Effectively, it’s a file that can be accessed by everyone and gives full read and write privileges. This allows employees or users accessing the folder to download items from this folder, place music or media in this folder, and just generally put whatever they would like within it. So, you can see that the Public folder can be accessed by anyone. Just look at the permissions on the folder by double-clicking the Public share. You’ll see it displayed as shown in Figure 4.5. In general, this is a good practice because it gives a secured area of the server where users can download virtually anything. However, you should keep in mind that the Public folder is not foolproof. Users can still download viruses to this location and wreak havoc if they place malicious files there. However, it is considered a good business practice to have a share that can
IMPLEMENTING FILE SHARING
be accessed by everyone. This way, you don’t need to have as much administrative overhead as you would with specific shares.
Figure 4.5 Public share default permissions
Another shared folder that you need to pay attention to with SBS 2008 is the RedirectedFolders default share. Personally, this is my favorite feature of the shared folder improvements of SBS 2008. Explaining the RedirectedFolders share when going over basic Windows share permissions is a bit like putting the cart before the horse, because I haven’t yet discussed some of the consequences associated with file and folder permissions, but I’m going to go ahead and do it anyway, just because it’s so darn easy. Take another look at Figure 4.3, and you’ll see that the second folder on the list is the RedirectedFolders share. This folder is designed to serve as a repository of ‘‘redirected’’ user account folders that are actually on the server and not the local machines. These folders include My Documents, Desktop, and anything else a user may specify. If you double-click RedirectedFolders, you’ll see that the share is set by default to Everyone. That’s a little deceiving, because the share is set to be accessible by everyone, but it’s set up internally within SBS 2008 Group Policy to be able to be specified to individual users. You can do so by clicking the Redirect Folders for User Account To The Server link, as shown in Figure 4.6. Clicking this link will open the dialog box shown in Figure 4.7, wherein you can choose the folder names and user accounts that you want to see redirected. Personally, I’ve gone ahead and decided that I’d like just my documents to be reassigned. I’ve then also checked for my own user account to be the user account that is redirected. It’s pretty amazing, but just by clicking OK after doing this, Windows SBS 2008 will change the default policy of all connected user accounts that are specified in this policy to store their
95
96
CHAPTER 4 IMPLEMENTING A DNS NAME SERVER AND FILE SHARING WITH SBS 2008
folders within this shared redirected folder, rather than within their default local disk folder on their own computer. If you’d like to see it in action, create a user account for yourself, and then log out and log in with your computer. You will notice that your Documents folder will originally be stored on your local computer, and then when you log in again, it will be automatically stored on the server.
Figure 4.6 Folder redirection
Figure 4.7 Folder redirection properties
This is not only exceptionally neat but also exceptionally powerful. Having users store their documents on your server is an extremely good business practice because your server most likely has redundant technologies such as RAID and server software that is designed to be more reliable than client software. Additionally, should an employee have to be terminated or released, having these folders stored on a server gives the small-business owner the assurance that the data is safe with them vs. being embedded within a computer that an angry ex-employee can easily tamper with out of retaliation or spite. Now, just for bonus points, let’s look at what’s going on behind the scenes here. Once you’ve done this in the shared folders SBS console utility, a group policy object (GPO) is altered and applied to your server. You can access this GPO if you’re interested in the Group Policy Management Editor by going to Administrative Tools and then Group Policy
IMPLEMENTING FILE SHARING
Management. If you expand your forest, then your domains, and then your .local domain, you will see the policy under Group Policy Objects — it’s called Small Business Server Folder Redirection Policy, as shown in Figure 4.8.
Figure 4.8 Small Business Server Folder Redirection Policy location
If you right-click this policy and select Edit, you will open the policy. You can then expand User Configuration Policies Window Settings Folder Redirection and then right-click Documents and select Properties, resulting in the box shown in Figure 4.9.
Figure 4.9 Folder redirection properties
Here, you can see that users have been granted exclusive rights to their documents so other users cannot modify them, the SBS server moves the contents to their new location automatically, and it retroactively applies this policy to older versions of Windows. And to boot, it is set
97
98
CHAPTER 4 IMPLEMENTING A DNS NAME SERVER AND FILE SHARING WITH SBS 2008
to redirect if you as the administrator decide to alter the policy. But of course, you can change that. However, it’s not really a great idea to do so, because you most likely won’t remove the policy. Finally, the last folder available by default through SBS 2008 is the UserShares folder. This folder, similar to RedirectedFolders, is designed to serve as a shared folder that users can place publicly. This might be useful in an enterprise situation where an individual wants to make a few users aware of a file but share with the entire organization in the Public folder. By default, users joined to SBS 2008 will be given a user share where they can store and share data with the rest of the organization.
Creating a New Share If you’re like just about any other business in the world, you’re going to need more shares than those listed by default. Accordingly, you need to understand a little bit more about file permissions, sharing, and the dangers involved with making information publicly available on a share. This section is going to help solve those concerns by explaining how to make a share, how to assign permissions, and how to stop and start sharing a folder based on an immediate need or emergency. So, let’s start with the easy stuff — making the share. The sheer art of it is mind boggling in its conception. You hit the Add A New Shared Folder button. This opens the Shared Folder Location Wizard, which will help you create new shares for your business. You can see this wizard in Figure 4.10.
Figure 4.10 Shared Folder Location Wizard
To specify a new location, you can click the Browse button and then specify a previously existing location, or just make a new one with the New Folder button. I’m going to make a new shared folder called Accounting on my server’s C drive. Once I’ve done this, I’ll go ahead and click Next. Since I’m going to worry about folder permissions later, I leave the
IMPLEMENTING FILE SHARING
next screen blank and make sure No, Do Not Change NTFS Permissions is selected. Then I click Next. I can then choose whether I’d like to use Server Message Block (SMB) or Network File System (NFS). SMB is the default available method and really the preferred method for Windows. Usually NFS is used for Linux or Unix servers and not for Windows. So, since this is set by default, I can just click Next again. The screen shown in Figure 4.11 is where things start to get interesting because you begin to enter into SMB permissions.
Figure 4.11 SMB Permissions screen
By default, SBS 2008 comes with three instant settings: ◆
All users and groups have only read access.
◆
Administrators have Full Control; all other users and groups have only read access.
◆
Administrators have Full Control; all other users and groups have only read access and write access.
These settings are fairly self-defined. With the first setting, everyone can only ‘‘read’’ the files in the folder and not write anything to it. Note that this includes accounts with administrator access. With the other two settings, administrators are given full control, and the other users are allowed to read or also to read and write to the given folders. The second option is useful if you’d like to make a document accessible to all users but do not want them to be able to alter the contents of the folder. The last option is handy if you just want to make a simple folder share that anyone can add files to. However, these three are not the only settings available. There is also an optional User And Groups Have Custom Share Permissions radio button. For learning purposes, let’s select it and then hit the Permissions button.
99
100
CHAPTER 4 IMPLEMENTING A DNS NAME SERVER AND FILE SHARING WITH SBS 2008
In this location, you can specify individual users and groups from Active Directory to be added into your folder. You can then grant them one of three permissions: ◆
Read
◆
Change
◆
Full Control
The Read permission gives users the ability to read from the folder but not write to it. Change gives users the permission to not only read but to also change filenames and add and remove folders. The Full Control permission allows users to do all of the above, as well as to override other users’ decisions. For my purpose, I’m going to select the second radio button in Figure 4.11, Administrators Have Full Control; All Other Users and Groups Have Only Read Access. This is because I want only administrators to control what’s put into the Accounting folder, but I want all my users to be able to read it. Clicking Next opens the quota policy you see in Figure 4.12. The quota policy allows you to limit the amount of data accessed by the folder share in one of six template methods, summarized in Table 4.2.
Figure 4.12 Quota Policy screen
Because I’m just making a simple Accounting folder, I’m going to select only a 100MB limit. You can then click Next if you’re following along. The next page, in Figure 4.13, allows you to allow a file-screening option. This is an extremely useful feature if you want to specifically prohibit certain file types from being added. A good example of this is if you have a lot of users who are adding pictures, music, or videos that you may not want added.
IMPLEMENTING FILE SHARING
Table 4.2:
Quota Templates
Template
Description
100 MB Limit
Places a hard limit of 100MB on the shared folder
200 MB Limit Reports to User
Places a hard limit of 200MB on the share and notifies the user if it reaches within 10 percent of that threshold (180MB)
200 MB Limit with 50 MB extension
Creates a 200MB share with a 50MB extended threshold for data overflow
250 MB Extended Limit
Creates a soft limit of 250MB that can be overridden
Monitor 200 GB Volume Usage
Monitors a folder and shows whether it has used more than 200GB of total input/output
Monitor 500 MB Share
Monitors a 500MB share
Figure 4.13 File Screen Policy screen
On this screen, you can apply a policy and select any of the templates listed in Table 4.3. Because I am going to be the only one adding files, I’m not going to add on a filter. However, if you’d like, you can feel free to do so on your own share. After all, it’s your share! After you make your decision, click Next. The next section, on DFS namespace publishing, allows you to place a shared folder in a distributed file sharing location. For the moment, I’m going to ignore this section because I will cover it later in this chapter. Go ahead and click Next.
101
102
CHAPTER 4 IMPLEMENTING A DNS NAME SERVER AND FILE SHARING WITH SBS 2008
Table 4.3:
File Screening Policy Templates
Template
Description
Block Audio and Video Files
Prohibits audio and video files, such as MP3s of MPEGs, from being stored on the file share.
Block E-mail Files
Prohibits email messages and archived email files from being stored on the share.
Block Executable Files
Prohibits executable files.
Block Image Files
Blocks JPGs, PNGs, GIFs, TIFs, or other image files from the server. Keep in mind that there are a few odd image types that may pass through.
Monitor Executable and System Files
Monitors whether executable or system files have been placed on the share and sends a notification to the administrator. This is mostly a secure measure against viruses and malicious outbreaks.
On the next screen, you’ll see that all the permissions you’ve set are summarized in an easy-to-read format, as shown in Figure 4.14. At this point, you can review what you’ve created, and if it’s to your liking, you simply hit Create. If it’s successful, you should see the green check mark shown in Figure 4.15, and you can select Close.
Figure 4.14 Review Settings and Create Share screen
Now, when you go back to the Shared Folders screen, you’ll see the Accounting folder added, complete with its 100MB quota.
THE DISTRIBUTED FILE SYSTEM
Figure 4.15 Confirmation screen
The Distributed File System In addition to shared folders, one of the other folder sharing options available to Windows Server 2008 administrators with any version of Windows Server 2008 is the distributed file system (DFS). The distributed file system works on the basis that disk space is ultimately limited, and one individual computer may not have enough disk space to accommodate the needs of the entire user base. Furthermore, DFS also takes into consideration that it may be a good operating practice for an organization to spread its files through multiple operating systems to enhance reliability. In a small-business environment, this is especially important because of the (usually) small number of computers and lack of space available. With DFS, you can spread shared folders and their space requirements among many different machines and save a great deal of space in your environment. DFS accomplishes this by using a decentralized store concept that is fairly straightforward. Effectively, DFS creates a shared folder–like share that is spread throughout multiple computers through the use of Remote Differential Compression (RDC). Through RDC, Windows Server detects changes in the file structure and replicates these changes throughout the rest of the server system. These folders are collectively placed into a tree-like structure called a DFS namespace that appears to the user as a centralized collection of folders, with the actual backend procedures completely obscured from sight. Figure 4.16, copyright of Microsoft, illustrates the concept extremely effectively.
Figure 4.16 The Distributed File System
Access Server in Tampa
User in Tampa
Referral DFS replication
Referral
Namespace
Access User in Houston
Server in Houston
The DFS system takes advantage of two important technologies that I mentioned in passing earlier in this chapter but didn’t completely describe: ◆
DFS namespaces
◆
DFS replication
103
104
CHAPTER 4 IMPLEMENTING A DNS NAME SERVER AND FILE SHARING WITH SBS 2008
DFS Namespaces DFS namespaces are collective ‘‘virtual’’ trees of shared folders that are stored in a central location that appears to the user as a simple folder structure. In reality, these folders are spread throughout multiple locations, across either LAN or WAN links. DFS namespaces are often used when companies are expanding to branch-office locations and need to find a way to easily share their data through multiple offices. DFS namespaces are divided into two types: domain-based and stand-alone namespaces. Domain-based namespace A domain-based namespace is stored in Active Directory domain services. This means it’s accessible by multiple servers within the domain and supports increased scalability because it’s accessible throughout the domain. Usually with SBS, this is the only type of DFS namespace you use. Stand-Alone Namespace A stand-alone namespace is isolated to a single server to isolate it from the rest of the environment. Keep in mind, however, that a stand-alone namespace can be replicated to a failover cluster for reliability. Usually, most organizations don’t choose to do this because it defeats the purpose a little bit. In a small business, you usually don’t get involved with stand-alone namespaces.
DFS Replication DFS replication is the technology that fuels the distributed file system. It supports scheduling, bandwidth throttling or limitations, and compression through the use of remote differential compression. DFS replication keeps folder properties synchronized through multiple-user environments in various ‘‘states’’ that are tracked continuously by Windows Server 2008 through the use of replication groups. These are groups that are set up by an administrator to replicate the settings of folders among multiple servers either for the purpose of content sharing or to connect through a hub-and-spoke model where one server functions as a central hub and another server is set as a spoke in another branch office.
Systems That Support DFS Note that Windows Server 2008 DFS is supported on Windows Server 2003 SP1, Windows Server 2003 R2, and Windows Server 2008.
DFS Limitations Keep in mind that Microsoft notes a few limitations in its DFS documentation: ◆
Each server can be a member of up to 256 replication groups, and each replication group can contain up to 256 replicated folders.
◆
Each server can have up to 256 connections (this includes both incoming and outgoing) and can contain up to 1 terabyte of replicated files.
◆
A replication group also can contain only up to 256 members.
◆
A volume can contain up to 8 million replicated files.
◆
On each server, the number of replication groups is restricted. But thankfully, with SBS 2008 and a small environment, it is highly unlikely that you will ever reach this limitation. And if you did? Well, then you should probably be running the full version of Windows Server 2008.
THE DISTRIBUTED FILE SYSTEM
Setting Up DFS Unlike a lot of the features of SBS 2008, DFS cannot be enabled from the console. Instead, SBS has to be installed as it would be on other Windows Server 2008 operating systems. You can do so by first clicking the Server Manager button in the lower-left portion of your screen, next to the Start menu, shown in Figure 4.17. This will open the Server Manager menu, shown in Figure 4.18.
Figure 4.17 Server Manager Start menu
Figure 4.18 Server Manager
On other versions of Windows Server 2008, the Server Manager is the central point of operation for the management of your Windows server. With SBS 2008, since you have the console, it is a little bit less so. However, you can still accomplish a great deal through the use of the Server Manager, including, of course, the installation of DFS. To install DFS, you will need to select the Roles section on the left of the Server Manager screen and then scroll down on the right until you see File Services, as shown in Figure 4.19. Once you’re there, click Add Role Services to open the Select Role Services screen that you see in Figure 4.20. From here, select Distributed File System, which will automatically select DFS Namespaces and DFS Replication. You can then click Next. This will open the namespace wizard screen dubbed Create A DFS Namespace. In the box shown in Figure 4.21, you’ll need to enter the name for your namespace. I usually choose something like SharedFiles. Click Next to open the namespace type selection screen. You’ll see that you can select the two different types of namespace, domain-based or stand-alone. Go ahead and choose Domain-Based Namespace, as shown in Figure 4.22, and click Next. This will open the namespace configuration screen shown in Figure 4.23.
105
106
CHAPTER 4 IMPLEMENTING A DNS NAME SERVER AND FILE SHARING WITH SBS 2008
Figure 4.19 Roles management
Figure 4.20 Select Role Services screen
THE DISTRIBUTED FILE SYSTEM
Figure 4.21 Create A DFS Namespace screen
Figure 4.22 Namespace type selection
107
108
CHAPTER 4 IMPLEMENTING A DNS NAME SERVER AND FILE SHARING WITH SBS 2008
Figure 4.23 Configure Namespace screen
On this screen, you can choose virtual folders that you want to add to your namespace. Normally at this point, administrators will go throughout their organization and pick shared folders, server folders, and other information to add to the namespace by using the Add button and choosing them. If you’d like, you can go ahead and pick a few. But since this is just a demonstration, I’ll just click Next and assume I would have added folders later. Finally, click Install. It should take only a few minutes; when it completes, you can click Close.
DFS Management DFS comes with a series of nifty tools that you can access once it is installed. To view and use them, you can navigate to Start Administrative Tools DFS Management. This will open the DFS Management tool you see in Figure 4.24. Here, you can expand the namespaces that you have created, select them, and do some useful administrative tasks such as adding new folders, delegating them to other administrators, and then adding them to a replication group, which I will explore now.
DFS Replication Groups Earlier I discussed how DFS uses RDC to replicate information between servers. Unfortunately, it doesn’t just miraculously do this out of the box. Instead, you have to set it up, which you can do by opening the DFS Management tool and then clicking Replication. Once there, you can select New Replication Group. This will open the New Replication Group Wizard shown in Figure 4.25. In this wizard, you can choose two types of groups, one for replication and one for data collection. Go ahead and choose a multipurpose group, and click Next. The next screen you’ll see will allow you to choose the name of a replication group. Here again, I try to stick to simple naming conventions like DFSrep, just so I remember what it is. In the box below your replication group name, you can choose an optional description of this group. Normally I choose to leave this blank, but you are the administrator in charge, so you can fill it in if you’d like. Either way, when you’re done, you can click Next.
THE DISTRIBUTED FILE SYSTEM
Figure 4.24 DFS Management
Figure 4.25 New Replication Group Wizard
At the screen shown in Figure 4.26, you can choose servers to add to your replication group. In a large environment, this ends up growing at a pretty rapid rate, but for the moment you have only one server. So, you can just click the Add button and then type the name of your server in the pop-up box; then click OK. Because you’re dealing only with a small office and you haven’t added a great deal of servers and members and so forth, I’m not going to show all of the steps involved with setting up DFS, but you can find a lot of documentation on Microsoft’s website.
109
110
CHAPTER 4 IMPLEMENTING A DNS NAME SERVER AND FILE SHARING WITH SBS 2008
Figure 4.26 Replication Group Members screen
The File Server Resource Manager With SBS 2008, Microsoft has included the File Server Resource Manager (FSRM) as another tool that administrators can use to keep control of the files and shared folders that are contained within their server. Using FSRM, administrators can easily create quotas for folders, as well as file screens. Earlier, when you used the SBS 2008 console to enable file sharing, you effectively did this. The FSRM is just a more advanced method of doing so. You can access the FSRM by navigating to Start Administrative Tools File Server Resource Manager. Once there, you can access the quota management or file screening management selections on the left. If you expand Quota Management and then select Quotas, you will see the folders you created earlier, along with their rules, as depicted in Figure 4.27. Double-clicking any of these folders will open the administrative quota template you see in Figure 4.28. There, you can make any adjustments you’d like. And similarly, you can add a new quota by clicking the Create Quota button on the right. Both quotas and file screens were already covered briefly in the section on shared folders, but it’s important that you see them both in action now. Effectively, each of these systems works by first creating a quota or file screen and then applying a preexisting template to the screen. This then applies the predefined template to the files or folders specified and cuts your work in half. It’s really quite easy, and a little fun. The only thing that’s really different about FSRM from what you used in shared folders is the File Groups section you see in Figure 4.29. The File Groups section is a collection of group types. As an administrator, you can create your own group types to use as filters. For instance, if you’re a programmer, you may have a customer file type called WAD and want only WAD files to be placed inside a particular folder. With file groups, you can create a file group and select WAD.
THE FILE SERVER RESOURCE MANAGER
Figure 4.27 Quotas with File Server Resource Manager
Figure 4.28 Quota template
111
112
CHAPTER 4 IMPLEMENTING A DNS NAME SERVER AND FILE SHARING WITH SBS 2008
Figure 4.29 File groups
Creating a file group is pretty darn easy. You just click the Create File Group link, which opens the screen in Figure 4.30, and then you can name the file group and select the file type by typing a * in front of the name. In Figure 4.30, I’ve named the file DOOM FILES in commemoration of the game DOOM and then used *.WAD as the file type I’d like to add. Selecting OK adds the DOOM FILES template to my selectable templates. It’s just that easy.
Figure 4.30 File group properties
THE BOTTOM LINE
The Bottom Line Set up the Domain Name System The Domain Name System is a critical role in any Windows Server environment. Through proper use, it allows for user authentication, Internet name resolution, and critical server roles to function. Improperly operating DNS will result in slow, inefficient server operation and possibly authentication failure. Master It Install DNS with static entries to four different servers or known Internet hostnames. Make two of these Internet hostnames resolve to correct addresses that will respond to pings, such as google.com, and make two of these addresses resolve to improper, uncommon names, such as Funny.TheDomainYouChose.com. Set up file sharing DFS allocation can create a central repository for users to share folders. To set up DFS, you will need to set up servers at multiple locations. Master It Install DFS by sharing at least two folders through two different computers, and place them inside a namespace. Access this namespace through a client computer. Use the File Services Resource Manager The File Services Resource Manager is a new tool from Microsoft that enables you to select quotas and allocate filters to system resources. It allows you to carefully administer your file system without being concerned with whether the templates or restrictions you place on the server are working. Master It Use the File Services Resource Manager to create a 250MB extended quota on your inetpub folder.
113
Chapter 5
Configuring and Administering Active Directory with SBS 2008 The central focus point of all Windows Server products since Windows 2000 has been the administration and implementation of Microsoft Windows Active Directory technology. Active Directory (AD) is a system of network resource management that controls the use of all objects within a Microsoft Windows network, including users, computers, servers, printers, and any major resource in a Windows network. Within a Windows network, any change to a Microsoft-centric resource is made through Active Directory and replicated to different parts of the Microsoft environment. In this chapter, you’ll learn to administer Active Directory through the use of organizational units. You’ll also learn the different parts of Active Directory, where they are stored, and the server roles involved with the use of Active Directory. By the end of this chapter, you should easily be able to segment different portions of your server environment through Active Directory and logically structure your organization in an easily understood manner. In this chapter, you will learn to ◆ Create organizational units ◆ Understand FSMO roles ◆ Create, delete, and manage objects
Active Directory Structure Within SBS, it’s a little easy to lose scope of the overall structure of Active Directory. This is because SBS does its best to contain the entirety of Active Directory in one centralized location. This way, SBS makes the overall architecture of the network pretty easy to understand, because it’s all in one place. However, in reality, Active Directory is far more complex. And as an administrator, you need to understand the overall design of Active Directory and the role that design plays in a business, from the smallest of small businesses to the greatest of enterprises. Active Directory contains three levels of infrastructure: ◆
Sites
◆
Forests
◆
Domains
116
CHAPTER 5 CONFIGURING AND ADMINISTERING ACTIVE DIRECTORY WITH SBS 2008
To effectively administer SBS, you need to understand the difference between these three Active Directory levels.
Sites In the Microsoft system administration world, the words site and area are used almost synonymously because an Active Directory site is designed to identify the physical location and overall network segmentation of an area within Active Directory. For example, Figure 5.1 shows two locations, New York City and Tokyo.
Figure 5.1
New York City
Tokyo
15.1.1.0/24
15.1.2.0/24
Two geographic sites
As you can see from the figure, which uses the standard ‘‘/24’’ convention to indicate a 255.255.255.0 subnet mask for each, each of these different sites holds two completely separate subnets. To most network administrators, this would mean two completely different ‘‘sites’’; however, with Microsoft technology, this isn’t necessarily the case because sites can contain different subnets through WAN links. For example, say that you work for the Floor1-to-Floor2 exchange company. You have offices on the first floor and an office on the second. With Windows Server, you can represent this by connecting these two locations with a WAN link and making these two different locations part of one larger ‘‘site.’’ As shown in Figure 5.2, Active Directory sites are reflected in topological diagrams by shaded circles. These are usually then labeled with corresponding names, such as ‘‘Site1.’’ In this figure, both the Floor1 and Floor2 sites are placed into one location.
Figure 5.2
Floor1
Floor2
15.1.1.0/24
15.1.2.0/24
One Active Directory site
Although this makes a great illustration and learning tool, in reality this isn’t very practical. One of the disadvantages of creating sites that are connected through different subnets is that in order to communicate the Active Directory data through them, they have to transmit their information across a very slow WAN link, which could result in poor communication. So, when you are creating sites, you need to keep in mind that these locations are areas where Active Directory information is replicated. If the links between these areas are not quick, it can result in poor performance. Another point to keep in mind is that on the SBS level you usually don’t deal with multiple subnets. Therefore, I only need to go as far as to explain that a site is a physical location that contains the Active Directory logical structure, including domains and forests — which I’ll discuss now.
ACTIVE DIRECTORY STRUCTURE
Forests The best way to think of an Active Directory forest is to take a step back from the terms forest, site, and domain. Once you’ve cleared your mind of those concepts, you can separate the terms using two distinct classifications. First, forests and domains are logical separations, whereas sites are physical separations. At the top of the ‘‘logical separations’’ division of Windows Server is the Windows Active Directory forest. Simply put, an Active Directory forest is a lot like a container. It holds Active Directory domains and all their respective objects, such as printers, users, and computers. These domains are linked through a series of trusts, which are beyond the scope of this book, that turn additional domains into Active Directory trees, which together form the forest. Visually, it looks like Figure 5.3.
Figure 5.3 Active Directory forest
intellicorp.com
sales.intellicorp.com
sybex.com
engineering.intellicorp.com
sales.sybex.com
engineering.sybex.com
A forest can consist of one or multiple trees. In Figure 5.3, there are actually two trees. You can tell this is because there are two different naming conventions that you should recognize from Chapter 2. The tree on the left uses the intellicorp.com domain as its root domain, and the tree on the right uses sybex.com as its domain. These naming conventions are referred to as a domain namespace. Namespaces define the realm to which a domain tree isolates calls to a specific area of the Active Directory infrastructure. A domain that is part of a tree is said to be a child of a parent domain. Domains that are bonded by parent-child relationships form an automatic security boundary that allows resources to be passed up and down between them. Keep in mind that, by default, SBS 2008 has both a domain and a forest. Furthermore, a single-domain organization has both a domain and a forest. Whether there are additional domains or trees is irrelevant. Additionally, in order to create a new tree, you need to make sure that there is a domain controller attached to that tree that can manage the new domain.
Domains The next rung on the Active Directory logical hierarchy is an Active Directory domain. Domains in Active Directory are collections of another structure, called organizational units, which I’ll speak about in the following few sections. In a logical topology, domains are separated by a dot (.) within their own namespace. In Figure 5.4, you can see a domain tree with a root domain called ‘‘intellicorp.com’’ and two subdomains, sales.intellicorp.com and engineering.intellicorp.com. Earlier, in Chapter 4, you got to experience installing and administering the Active Directory Domain Name System (DNS). Just doing that should give you a good idea of exactly what a
117
118
CHAPTER 5 CONFIGURING AND ADMINISTERING ACTIVE DIRECTORY WITH SBS 2008
Figure 5.4 Domain tree
intellicorp.com
sales.intellicorp.com
engineering.intellicorp.com
domain is, at least on the host level. Domains, like forests, are collective structures. They contain host information and objects. Furthermore, domains contain Active Directory master roles that you need to be aware of — you can review these in the ‘‘Flexible Single Master Operations’’ section.
Active Directory Objects Active Directory contains many types of group objects that you need to pay careful attention to so you understand how to administer them. Active Directory is organized into associated sectional groups and then into respective object types.
Organization By default, Active Directory comes with the following organizations associated with SBS 2008: Built-In
Contains default groups
Computers
Client computers
Contact A contact card that can be accessed throughout Active Directory by various applications Group
Containers of Active Directory objects
Organizational Units infrastructure
Small containers used to apply group policies and organize an
Through the use of the three levels of the Active Directory infrastructure, these objects can be then applied throughout your SBS server at different locations. Usually, a domain controller is the device responsible for logging and cataloging these objects. Ultimately, however, the true responsibility of organizing these objects rests with the roles shared through flexible single master operations.
SBS BUSINESS DESIGN MODELS OVERVIEW
Object Types To properly administer SBS, you must understand the following object types and their purpose within Active Directory: Computer Computer objects are client workstations associated within an Active Directory forest or domain. These computers share the same security database. Contact Contact objects are used to specify contact information regarding individuals within Active Directory. Normally, they’re associated with organizational units. Group Group objects are collections of objects that are primarily designed for security permissions. Groups can consist of collections of printers, computers, users, and servers as well as a few specialty type objects. Organizational unit Organizational units are the smallest objects that can have group policies placed upon them. They’re used as a collective structure for administration. Printer Printer objects are printers visible to Active Directory that can be accessed by other Active Directory objects. Shared folder Shared folders, like in Chapter 2, are used to create central repositories of data that can be shared to other users. User User objects contain an individual’s name, address, email address, and other associated data representative of that individual user. InetOrgPerson
These are used with LDAP and X.500.
MSMQ Queue Alias
This is a custom object for the MSMQ-Custom-Recipient class.
Within Active Directory, administrators can also create custom object types, and some additional object types are not listed here. However, these nine objects are the most common objects you’ll see in a Windows infrastructure.
SBS Business Design Models Overview Small Business Server administration models inherit a lot from large administration models that concentrate on divvying up roles based off of various factors like where an office is located, what departments are contained in the office, and other factors, like who the managers in the department are, which individuals are related to another, and so forth. In a large office, there are three models that define overall methods for organizing and infrastructure. They can either use a model that is centrally administered, where all resources are located in one area and branched out form that; decentralized, where resources are split up into various locations and managed independently; or hybrid, where the resources are divvied up and the management of them is concentrated in one central location. With a small business, there obviously isn’t a need for such a tremendous amount of organizational configuration. After all, we’re usually only dealing with a single office. And for that manner, there’s only one domain and one forest and one site! So, on the surface, this may not seem as useful to know. However, this is actually not quite the case. The reason for this is that once you understand the concept of divvying up infrastructure, it really helps to lay down solid foundations for organizing your organizational units and the infrastructure overall. Let’s consider why this is. For one thing, we know the type of administrative structure that SBS 2008 uses — it’s centralized. All our resources concerning Active Directory are in one basket. Even if you decided
119
120
CHAPTER 5 CONFIGURING AND ADMINISTERING ACTIVE DIRECTORY WITH SBS 2008
to add another server or offload application-based concerns to another machine, the server will still house and contain all of your Active Directory information. This lets us further know that we can treat everything conceptually as if it’s in one location. So, let’s think about that. If everything is in one location there are going to have to be different criteria we use to control how we access the data that is contained there. For example, say we have various departments. We could use these departments to organize how the information is laid out. Or, we could always arrange it by something geographic, like the floors of a building we occupy. Let’s give two examples of a centralized administration method with SBS 2008, one based on departments and one based on floors. If we had an engineering department and a sales department, we could think of our server in this manner: ◆
SBS Server’s Central Domain and Forest ◆
Engineering Department
◆
Sales Department
And if we had three floors in our office, we could think of it like this: ◆
SBS Server’s Central Domain and Forest ◆
Floor 1
◆
Floor 2
◆
Floor 3
This concept really allows us to understand that we should view our Active Directory design as a model for how we run our business. Because, really, that’s all a design model is. It’s a model that reflects how your business infrastructure really works. If you understand that, you’ll be well on your way to not just being a good SBS designer, but a good large business infrastructure designer as well.
Flexible Single Master Operations Within a domain controller, certain tasks are performed by domain controllers that can only be fulfilled by certain servers at certain times. These roles, collectively known as flexible single master operations (FSMO) roles, take advantage of the Active Directory database to do activities on both the domain level and the forest level. I’ll break these down one at a time and then summarize them in a table for your reference.
Domain Operations Masters Within every Windows Server domain, including SBS 2008 domains, there are three main domain ‘‘master roles’’ that are performed by a server in that domain. In the case of SBS 2008, SBS performs all of these roles, but you need to be familiar with their purpose. Relative ID master (RID master) A relative ID master is a server that contains the unique identifier of every object in Active Directory. It essentially makes sure that even if two things are named the same in Active Directory (like two OUs named Sales), they are separated by a hexadecimal identifier that ensures these objects are quite unique in memory.
FLEXIBLE SINGLE MASTER OPERATIONS
PDC emulator master Within SBS 2008, the PDC emulator is responsible for making sure that earlier versions of Windows are supported. On more robust versions of Windows Server 2008 (such as Standard, Enterprise, and Datacenter edition), the PDC emulator ensures that servers running previous versions of Windows Server are able to communicate with the current version of Windows Server through their own native processes. The PDC also caches passwords to ease the network load of traversing passwords across a network. The PDC is still run, even in native mode. Infrastructure master Intimidating name aside, the infrastructure master is the machine that ensures Active Directory data involving objects is replicated throughout the forest through a series of synchronizations.
Forest Operations Masters On the forest level, there are two master roles you must become familiar with: Schema master The schema master is responsible for keeping track of all servers in the forest and managing its overall structure. With SBS 2008, this is always contained on the SBS 2008 server and is usually not a very complex setup. However, in cases where SBS 2008 has been joined to a larger environment for some reason, it can be quite a bit more complicated. Domain naming master The domain naming master keeps track of (you guessed it) domain names in the forest and is responsible for adding new domains to the forest. Unfortunately, with SBS 2008, you can have only one domain, so this is now as robust as it could be.
Limitations on FSMO Roles The full version of Windows Server, and correspondingly Small Business Server 2008, supports a maximum number of FSMO servers on each level. Table 5.1 makes this much clearer.
Table 5.1:
Maximum Number of FSMO Servers
Role Name
Scope
Description
Schema master
1 per forest
Controls and handles updates/modifications to the Active Directory schema.
Domain naming master
1 per forest
Controls the addition and removal of domains from the forest if present in root domain.
PDC emulator
1 per domain
Provides backward compatibility for NT 4 clients for PDC operations (such as password changes). The PDCs also run domain-specific processes such as the Security Descriptor Propagator (SDPROP) and are the master time servers within the domain.
RID master
1 per domain
Allocates pools of unique identifiers to domain controllers for use when creating objects.
Infrastructure master
1 per domain
Synchronizes cross-domain group membership changes. The infrastructure master cannot run on a global catalog server (GCS), unless all DCs are also GCs.
121
122
CHAPTER 5 CONFIGURING AND ADMINISTERING ACTIVE DIRECTORY WITH SBS 2008
Organizational Units At last — the interesting stuff. Organizational units (OUs) are one of the fundamental containers and structural units used in Active Directory for Windows Server, and they comprise the basis for administering all the objects within Windows Server. An OU is a container for all types of Active Directory objects, including users, servers, groups, computers, and other organizational units within its own domain. The primary purposes of organizational units are twofold. First, OUs are designed to segment Active Directory into a more manageable structure for administrative purposes. Second, OUs are the primary application point for Group Policy. As you can see in Figure 5.5, the organization of OUs is designed such that larger Active Directory objects should be placed into OUs. Effectively, this means that groups and collective objects should be placed in OUs instead of individual user or computer accounts.
Figure 5.5 Organizational unit User
Group
Organizational unit
With the full edition of Windows Server, administrators usually organize an OU structure to model a business, dividing that business into different sectors based on department or on the business’s needs. With SBS 2008, SBS places all Active Directory objects within the default OU called MyBusiness. Within MyBusiness are four directories called Computers, Distribution Groups, Security Groups, and Users. Within Users there is a sub-OU called SBSUsers, as shown in Figure 5.6. There you can see the small amount of user objects that I’ve created in my SBS server.
Figure 5.6 SBSUsers
ORGANIZATIONAL UNITS
For most businesses, this layout is actually fairly intuitive. Although there may be a few departments at the SBS level, usually small businesses aren’t formal (or perhaps pretentious) enough to divide up their Active Directory into numerous organizational groups to track their few members. That’s usually reserved for large organizations where the bloat of Active Directory objects can become a serious problem. However, businesses often do create OUs for their own purposes, because these can serve to simply contain and group all objects of a certain type — for example, your Terminated container.
OU Design When designing OUs, as mentioned in the previous section, it’s best to pick a pattern that mirrors your business. But like I also said earlier, in SBS this pattern is usually already predefined by the starting OU structure SBS provides. However, should you want to expand on SBS’s default choices, you should keep in mind some of the design decisions laid out in MCTS Windows Server 2008 Active Directory Configuration Study Guide by Will Panek and James Chellis (which is a handy book for any administrator, by the way). That book recommends the following three OU design decisions: ◆
Keep the names and descriptions simple.
◆
Pay attention to the limitations.
◆
Pay attention to the hierarchical consistency.
The authors go on to explain in more detail with what they mean by these, but I think they’re pretty self-explanatory. Keeping the names simple helps reduce congestion caused by excessively long names. As for limitations, you need to keep in mind that OUs have a maximum length of 64 characters, which further emphasizes the first point. On the last point, this means you need to make sure to not have overlapping names or an OU placed in an area where it doesn’t belong. This can cause a lot of administrative headache as you look around to find any given OU that isn’t where it is supposed to be.
Creating OUs The process of making an organizational unit with SBS is fairly simple. First, you can access the OU infrastructure by selecting Start Administrative Tools Active Directory Users And Computers. This will open the administrative tool that contains all your user and computer objects that are inherently placed within organizational units. Once you’ve opened that tool, expand the Active Directory OU structure on the left until it mirrors what you see in Figure 5.6. Then, right-click Users, and select New Organizational Unit, as you see in Figure 5.7. Once you’ve done this, the New Object – Organizational Unit Wizard will open, as you see in Figure 5.8. Two points in this wizard are key. First, you’ll see that the wizard will show you where the OU is being placed in the Active Directory infrastructure. Second, you’ll see that there is a Protect Container From Accidental Deletion check box. Pay careful attention to that. This check box creates an OU that cannot be deleted without a great deal of extreme effort. Personally, I don’t like to use this feature, so I deselect it. However, if you are creating a container that you know you will never delete, it’s good to keep this box selected. Regardless of whether you decide you want to use the check box, enter Managers for the OU name, and then click OK.
123
124
CHAPTER 5 CONFIGURING AND ADMINISTERING ACTIVE DIRECTORY WITH SBS 2008
You’ll notice that the Managers OU will now appear in addition to your SBSUsers OU. The process is really as simple as that. But just as a side note, if you keep the Protect Container From Accidental Deletion box selected, you can change your mind later by selecting View Advanced Features from the Active Directory Users And Computers screen. This will open a lot of OUs you don’t recognize, as shown in Figure 5.9. You can then right-click any OU and select Properties. There, on the Object tab you see in Figure 5.10, you can select or deselect the Protect Object From Accidental Deletion box.
Figure 5.7 Creating a new organizational unit
Figure 5.8 New Object – Organizational Unit Wizard
ORGANIZATIONAL UNITS
Figure 5.9 Advanced Features OU selection
Figure 5.10 Advanced properties
Managing OUs Once OUs have been created, it’s natural that at some point or another you will need to add objects to them or move them around in order to facilitate your needs as an administrator. With SBS, this is fairly easy to do, but you need to exercise caution. This is mainly because there’s really nothing to creating objects in an OU. All you have to do is right-click the OU in question, select New, and then choose your desired object type. Creating a new user, for example, brings up the New Object – User Wizard. I’ve filled in the required information for my new object, as you see in Figure 5.11.
125
126
CHAPTER 5 CONFIGURING AND ADMINISTERING ACTIVE DIRECTORY WITH SBS 2008
Figure 5.11 New Object – User Wizard
Once you fill in the same information to create an object, clicking the Next button prompts you for a password that has to meet your domain requirements, but other than that, the process is relatively painless. Once you’ve done that, you’ll see that the John Q. Manager object I just created has been placed inside my Managers OU, as shown in Figure 5.12.
Figure 5.12 Manager object
It’s pretty self-explanatory and pretty darn neat. What’s even more interesting is that if you open the SBS console, you won’t see this user account because the Windows SBS Console is only aware of its default user groups. This behooves administrators to stay within the confines of the SBS OU infrastructure. So, let’s perform an experiment. So, now you’ve created the Managers OU under the Users OU and not the SBSUsers OU. To move it there, you could move the entire OU. Note, however, that if you try to drag an OU from one place to another, you will receive a warning message. This is because dragging an OU is a bad idea. It can cause invalid replication, and it can also fail to copy over all your
ORGANIZATIONAL UNITS
objects! Furthermore, it actually just changes a couple directory locations and doesn’t alter the infrastructure. Instead, you can right-click the Managers OU and select Move. This will open the Move dialog box you see in Figure 5.13.
Figure 5.13 Move dialog box
Once there, you can navigate to the SBSUsers OU, select it, and then hit OK. Notice that the OU is still not in the SBS console. This brings up a truly important point. The Windows SBS Console is not all-knowing, and it is actually quite limited. It is designed to be a simple, easy-to-use tool that administrators can use to implement complicated administrative practices. However, the console is only aware of what the console does in the console’s own manner. Changes made using the standard methods of user account creation and OU management very well may not be recognized by the console.
Renaming and Deleting OUs Although moving OUs can be a little tricky, renaming and deleting an organizational unit is just about the easiest thing to do in all administration. All you have to do is right-click the OU and select Rename. Beyond this, you don’t have to do anything. Additionally, to delete a nonprotected OU, all you have to do is right-click and select Delete. The reason this isn’t complicated is that OUs are containers that are linked to policies. Deleting a container is pretty easy from an administrative level, because everything associated with that container is then removed. Additionally, renaming is much easier because ‘‘names’’ in Active Directory are really nothing more than aliases. At the end of the day, Microsoft either has security identifiers (SIDs) or memory addresses for every aspect of its administration. Changing a name doesn’t affect performance or linked policies in the slightest.
Understanding Inheritance By default, Windows Server arranges for OUs to inherent the permissions of parent OUs. This means that whenever you move or copy OUs to locations that are embedded within other OUs, the child OU will inherit the parent’s properties. This will become particularly important when I begin discussing Group Policy, but for the moment, remember that group policies will by default be inherited through child objects.
127
128
CHAPTER 5 CONFIGURING AND ADMINISTERING ACTIVE DIRECTORY WITH SBS 2008
Delegating OUs Because of the complexity that can arise with OU infrastructures in both larger and smaller environments, Windows Server supports the ability to delegate administrative control to other users and security groups for the purpose of applying Group Policy and performing general administrative tasks. Because OUs are such small containers in terms of Group Policy, this is commonly done so that various administrators at different levels of the company can administer their own versions of Group Policy for their users. For example, in a small business, the head of sales may not want sales users to be able to access the Control Panel, or even access the Internet, but instead to be bound only to their computer for the sole purpose of using Excel and taking orders. Delegation allows for an administrator to easily break up the common tasks associated with administration by placing them in the hands of others. On the SBS level, this isn’t done as frequently, but it may be done two or three times in the course of the business and therefore deserves your attention. To delegate an OU, you simply have to right-click the OU in question within the Active Directory Users And Computers MMC and choose Delegate Control. This will open the Delegation Of Control Wizard. Click Next to open the Users Or Groups page of the wizard that you see in Figure 5.14. There, you can choose users or groups that will be delegated control of the OU in question. Keep in mind that choosing a security group will allow all members of that security group to apply group policies to that OU, so it behooves administrators to make sure they have chosen the right group at this screen. You can add a group by clicking the Add button and choosing a user.
Figure 5.14 Adding users or groups
Personally, I’m going to be adding my John Q. Manager user I created earlier. I can do so by just typing john and then clicking the Check Names button (see Figure 5.15). His name will then appear there as Active Directory looks for any names logically associated with John. You can then click OK. The user will then be added into your Delegation Of Control Wizard; you can click Next once you’ve added all the users or groups you desire. This opens the delegation task list you see in Figure 5.16.
ORGANIZATIONAL UNITS
Figure 5.15 Adding a user
Figure 5.16 Tasks to delegate
Windows SBS 2008 contains 11 tasks that can be delegated to individual users, each of which is fairly self-explanatory: ◆
Create, Delete, And Manage User Accounts
◆
Reset User Passwords And Force Password Change At Next Logon
◆
Read All User Information
◆
Create, Delete, And Manage Groups
◆
Modify The Membership Of A Group
◆
Manage Group Policy Links
◆
Generate Resultant Set Of Policy (Planning)
◆
Generate Resultant Set Of Policy (Logging)
◆
Create, Delete, And Manage inetOrgPerson Accounts
◆
Reset inetOrgPerson Passwords And Force Password Change At Next Logon
◆
Read All inetOrgPerson Information
129
130
CHAPTER 5 CONFIGURING AND ADMINISTERING ACTIVE DIRECTORY WITH SBS 2008
Figure 5.17 Active Directory Object Type selection page
The only thing that may strike you as a bit out of place is the inetOrgPerson definition. This is a class of user that’s defined within the Lightweight Directory Access Protocol (LDAP) that was initially created with RFC 2798 from the Internet Engineering Task Force (IETF). An inetOrgPerson account was designed to retrieve data from LDAP and X.500 protocols. These types of accounts are almost exclusively used in a heterogeneous environment running Linux or some other brand of Unix. Thankfully, on the SBS end, you normally will not have a heterogeneous environment, so you can willfully and gleefully ignore inetOrgPerson accounts for the moment. However, should you want to learn more about them, you can read Scott Fulton’s informIT article available at www.informit.com/guides/content.aspx?g=windowsserver&seqNum=44. Moving on, the Delegation Of Control Wizard also allows you to define a custom task that limits the scope of the operations the delegated users can perform. If you look at Figure 5.17, you’ll see that you can restrict it to an individual folder, or you can go so far as to define numerous object types that can be delegated. For our purposes, we’re just going to do some simple delegation; therefore, at the screen in Figure 5.16, select Create, Delete, And Manage User Accounts, and then click Next. You will then be greeted with a summary screen showing what you’ve done and asking you to finish your task (Figure 5.17). Once you hit Finish, from now on John Q. Manager will be able to create and manage user accounts within that OU. While you are delegating OUs, you should be aware of three important considerations: ◆
Parent-child relationships will be propagated during delegation, and all corresponding authorities will transfer.
◆
Entire security groups will receive delegation.
◆
Group Policy Link applications must be specified as a delegation control authority in order to give delegates the associated permission.
ORGANIZATIONAL UNITS
Dividing for Power Within a small business, the president of the company decided that he wanted to use SBS and transition from being the sole operator and administrator of the server to just being the overseeing manager of the server. Accordingly, inside his business he developed several OUs to manage his employees. These OUs included OUs for the following: ◆
Engineers
◆
Editors
◆
Sales professionals
◆
Accountants
Once he’d created these OUs, he applied different levels of Group Policy to each. He gave the engineers access to new programs and development tools. For the accountants and sales professionals, he added policies that accounting and financial folders required. And for the editors, he gave open access to the use of Internet Explorer and the Internet so they could perform the intensive research they needed to conduct. Separating these various departments into OUs also provided the president with the ability to have his respective employees placed together in a logical way within Active Directory; therefore, he could make actions and implement policies for the entire department instead of one or two individuals.
OU Grouping and Subgrouping With organizational units, it makes sense to group your OUs according to some type of organizational model and then design that model in such a way that contained OU structures can appear very similar throughout the rest of your design. For example, say you have a business with seven departments: ◆
Engineering
◆
Sales
◆
Management
◆
Accounting
◆
Editorial
◆
Production
◆
Graphics
131
132
CHAPTER 5 CONFIGURING AND ADMINISTERING ACTIVE DIRECTORY WITH SBS 2008
You could have subgroups in this design for each level of employees that designate the amount of authority they have in the company. For example, you could have the following: ◆
Managers
◆
Employees
◆
Assistants
This makes the organization of your Active Directory infrastructure much easier to navigate and to understand when you take a few steps back and examine it from a distance. In Figure 5.18, you can see how the Intellicorp infrastructure has been broken down. Active Directory diagrams such as this one allow you to plan your infrastructure very effectively. This way, you get a chance to look at the overall structure and decide whether there is a way you can improve it. You can apply this same concept to all levels of Active Directory, including users and groups, computers and servers, and other object levels.
Figure 5.18 Organizational breakdown
Production Managers
Employees
Sales Managers
Employees
Engineering Managers
Employees
Thus, when you first start to administer Windows Server technology for any business, including SBS 2008, you should take the time to carefully plan the organizational structure of
CREATING OBJECTS WITH ACTIVE DIRECTORY
your business and develop both an overarching model design for that business and a diagram to help you cross-reference your design ideas with your practical application of that design in your chosen environment.
Creating Objects with Active Directory As I’ve tried to show throughout the course of this chapter, since you’re using Windows Server 2008, you are not solely limited to the use of the Windows SBS Console. In fact, an ambitious SBS administrator can use Windows SBS 2008 exclusively without the console. Thus, in this section, you’ll perform a few hands-on exercises that show you how to create different Active Directory objects.
Creating Objects 1. Open the Active Directory Users And Computers tool, and expand your local infrastructure until you see this screen.
15.1.1.0/24 Floor1
Site link
15.1.2.0/24 Floor2
2. Right-click the subgroup you created earlier, and select New Computer. This will open the dialog box shown here.
133
134
CHAPTER 5 CONFIGURING AND ADMINISTERING ACTIVE DIRECTORY WITH SBS 2008
3. In the dialog box, specify the following: Computer Name: Comp1 Computer Name (Pre–Windows 2000): COMP1
4. In the User Or Group box, you can choose to place the user or group in an area other than the default domain. For now, leave this at the default. You can also choose to assign this computer as a pre–Windows 2000 computer, which you will not do either, because these have become quite rare now.
5. Click OK. This will create the computer object shown here. This object has now been entered into Active Directory.
6. Right-click your subgroup, and select New Contact. This will open the dialog box shown here.
LARGE OBJECT ACTIONS
7. Specify the following information in the fields (you can, of course, change the name to your own): First Name: Steve Initials: A Last Name: Johnson Full Name: Steve A. Johnson Display Name: sjohnson
8. Click OK. This will create an Active Directory contact that will now be housed in the Active Directory database.
9. If you do not have a printer installed on your server or network, you are done. 10. If you do have a printer, right-click your subgroup, and select New Printer. This will open the dialog box shown here.
11. Enter a network location of a printer in your Active Directory, and click OK. SBS 2008 will then locate your printer and list it in the subgroup OU.
Large Object Actions As you’ve probably noticed from the previous exercise and information, creating objects can be a little tedious at times. Say, for example, you had to create more than 100 objects for your employees — one for each of their computers, their user accounts, their printers, and so forth. Unless you had a lot of spare time on your hands, this would take you a very, very long time. Happily, Windows Server contains a few tools that can make this process a whole lot easier. Windows SBS 2008 and Windows Server full edition support two very powerful executable files: ◆
LDIFDE.exe
◆
CSVDE.exe
135
136
CHAPTER 5 CONFIGURING AND ADMINISTERING ACTIVE DIRECTORY WITH SBS 2008
Using these tools, administrators can do the following: ◆
Bulk import objects
◆
Modify objects
◆
Export objects
These tools are a lot more advanced than dealing with simple graphical user interfaces and require knowledge of the command line. But since this is a mastering-level book, we’ll jump into it in full force.
LDIFDE.exe LDIFDE.exe is an abbreviation for LDAP Data Interchange Format Directory Exchange, which is actually an abbreviation for Lightweight Directory Access Protocol Data Interchange Format Directory Exchange. What a mouthful! In short, LDIFDE is a plain-text standard for translating LDAP directories into easily readable text formats, capable of being understood by humans as well as computers. Using LDIFDE.exe is a little tricky and can get confusing. For starters, you can find a nice resource for the complete usage of LDIFDE.exe at http://support.microsoft.com/kb/237677. But just as an introduction, I’ll include a couple simple exercises you can do to familiarize you with how powerful the tool is.
Exporting Organizational Units 1. Start the command prompt by selecting Start Administrative Tools Accessories Command Prompt or by typing cmd in the Windows Start menu’s search box.
2. At the command prompt, enter the following command (all in one line): ldifde -f exportOu.ldf -s Officesvr1 -d "dc=intellicorp,dc=local" -p subtree -r "(objectCategory=organizationalUnit)" -l "cn,objectclass,ou"
Notice that the server name is Officesvr1 and the domain name is intellicorp, my domain name. And the branch I’m looking at is local. If the command is entered correctly, you will see output similar to that shown here.
This will create an .ldf file in your default user directory called exportOu.ldf. For my default account, it was created in c:\users\steve.
LARGE OBJECT ACTIONS
3. Navigate to your .ldf file, and open it with Notepad by right-clicking the OU and selecting Open With. Note: You may receive a warning message — this is normal. Opening this file with Notepad will not affect your system.
4. In Notepad, you should see output similar to the following: changetype: add objectClass: top objectClass: organizationalUnit dn: OU=MyBusiness,DC=intellicorp,DC=local changetype: add objectClass: top objectClass: organizationalUnit dn: OU=Distribution Groups,OU=MyBusiness,DC=intellicorp,DC=local changetype: add objectClass: top objectClass: organizationalUnit dn: OU=Security Groups,OU=MyBusiness,DC=intellicorp,DC=local changetype: add objectClass: top objectClass: organizationalUnit dn: OU=Users,OU=MyBusiness,DC=intellicorp,DC=local changetype: add objectClass: top objectClass: organizationalUnit dn: OU=SBSUsers,OU=Users,OU=MyBusiness,DC=intellicorp,DC=local changetype: add objectClass: top objectClass: organizationalUnit dn: OU=Computers,OU=MyBusiness,DC=intellicorp,DC=local changetype: add objectClass: top objectClass: organizationalUnit dn: OU=SBSComputers,OU=Computers,OU=MyBusiness,DC=intellicorp,DC=local changetype: add objectClass: top objectClass: organizationalUnit dn: OU=SBSServers,OU=Computers,OU=MyBusiness,DC=intellicorp,DC=local changetype: add
137
138
CHAPTER 5 CONFIGURING AND ADMINISTERING ACTIVE DIRECTORY WITH SBS 2008
objectClass: top objectClass: organizationalUnit dn: OU=Microsoft Exchange Security Groups,DC=intellicorp,DC=local changetype: add objectClass: top objectClass: organizationalUnit dn: OU=SubGroup,OU=SBSUsers,OU=Users,OU=MyBusiness,DC=intellicorp,DC=local changetype: add objectClass: top objectClass: organizationalUnit
5. This indicates the command was successful. However, organizational units alone won’t suffice. You also need to have user accounts. This will be discussed in the next project.
Exporting User Accounts 1. Navigate to the command prompt (or simply type cls and press Enter if you’re already there). 2. Enter the following command: ldifde -f Exportuser.ldf -s OfficeSvr1 -d "dc= intellicorp,dc=local" -p subtree -r "(&(objectCategory=person)(objectClass=User)(givenname=*))" -l "cn,givenName,objectclass,samAccountName"
3. If the command completed successfully, you will see output similar to that shown here.
Like the OU exportation, this will create another file in the default directory called exportuser.ldf. Note: As you may have guessed, you can change the filename in the beginning by changing the command from exportuser.ldf to whatever you’d like.
4. Navigate to the file, and open it with Notepad.
LARGE OBJECT ACTIONS
5. When you open it, you should see output like the following: dn: CN=Steve Johnson,OU=SBSUsers,OU=Users,OU=MyBusiness,DC=intellicorp,DC=local changetype: add objectClass: top objectClass: person objectClass: organizationalPerson objectClass: user cn: Steve Johnson givenName: Steve sAMAccountName: Steve dn: CN=John Q. Manager,OU=SubGroup,OU=SBSUsers,OU=Users,OU=MyBusiness, DC=intellicorp,DC=local changetype: add objectClass: top objectClass: person objectClass: organizationalPerson objectClass: user cn: John Q. Manager givenName: John sAMAccountName: jmanager
Note that I’ve included only two of my three users for the sake of conciseness.
Importing User Accounts 1. If you followed the previous exercises, you will now have a handy file with your usernames available. You can now use this file to import new user accounts. Note: You must be logged on as administrator for this activity to work.
2. In Notepad, eliminate all but one user entry field, as shown here: dn: CN=Steve Johnson,OU=SBSUsers,OU=Users,OU=MyBusiness,DC=intellicorp,DC=local changetype: add objectClass: top objectClass: person objectClass: organizationalPerson objectClass: user cn: Steve Johnson givenName: Steve sAMAccountName: Steve
3. In these user fields, change this information to the new user information, as shown here: dn: CN=Mary Johnson,OU=SBSUsers,OU=Users,OU=MyBusiness,DC=intellicorp,DC=local changetype: add objectClass: top objectClass: person
139
140
CHAPTER 5 CONFIGURING AND ADMINISTERING ACTIVE DIRECTORY WITH SBS 2008
objectClass: organizationalPerson objectClass: user cn: Mary Johnson givenName: Mary sAMAccountName: Mary
4. Once you’ve done this, save the file as type All Files, and call it importuser.ldf. 5. Back at the command prompt, enter the following: ldifde -i -f importuser.ldf -s officesvr1
6. Press Enter. If the command completes successfully, you’ll see output like that shown here.
If you close and reopen the editor, you will see that Mary has now been added.
CSVDE.exe CSVDE.exe is very similar to LDIFDE.exe; it stands for ‘‘comma-separated value directory exchange.’’ The only real difference is that CSVDE.exe requires the use of a comma-separated value (.csv) file. Really, it’s so similar that I won’t go over its complete usage. The following is an example command provided by Microsoft: csvde -i -f c:\filename.csv
This will import information from the given file. Administrators sometimes use CSVDE.exe for specific CSV spreadsheets (which can be made easily in Microsoft Excel) that require users to be added.
The Bottom Line Create organizational units Creating an organized OU infrastructure makes the experience of administering a server easier on administrator and user alike. With SBS 2008, this process has become easier than ever.
THE BOTTOM LINE
Master It Create a centralized hierarchy with two subtiers. This hierarchy should include departmental and role-based separation (Production/Managers). It should be robust enough that the structure could be replicated for all departments and subdepartments. Understand FSMO roles FSMO roles are roles within SBS 2008 that allow you to specify administrative tasks throughout your business. These tasks include determining what server is allowed to control the schema of the forest (the schema master) and selecting the domain naming master. Through proper use, you can eventually upgrade your SBS environment to an even more complex environment. Master It Suppose you have two servers in your environment that could each share FSMO roles. Decide which server would hold the schema master and why. Could you have two? Create, delete, and manage objects Creating objects in Active Directory allows you to truly make an organization. Without objects, the process of having a server is pointless. You need to be able to easily create objects and place them within Active Directory. Master It Create one user account and one computer account using the server graphical user interface. Then, create 10 user accounts and 10 computer accounts using the LDIFE.exe import tool. Once you’ve done this, import these user accounts to one of the lowest tiers of your infrastructure.
141
Chapter 6
Configuring and Managing Groups and User Accounts with SBS 2008 Without users, groups, and permissions, there wouldn’t be a lot to Windows SBS 2008. In fact, there wouldn’t be a lot to servers in general. Users and groups within SBS 2008 are the main object upon which permissions are placed. Within Windows, they’re also associated with Active Directory, Microsoft Exchange, and even SQL Server. The Microsoft Active Directory structure has been designed from the ground up to make user and group accounts very powerful and the administration of them as painless as possible. However, there are a lot of different group types that have special types of associations that you need to understand in order to master SBS 2008. In this chapter, you will learn to ◆ Create users and security groups ◆ Create distribution groups ◆ Create a permissions list for a group
Group Structure with SBS 2008 With Windows Server 2008, you can use groups for many purposes, including setting permissions, sending messages, or doing other assorted tasks. Accordingly, Windows Server 2008 divides groups into two distinct types: security groups and distribution groups. Security groups and distribution groups can be tailored toward the individual needs of your organization. They’re designed to be able to house any members that you would like to add, including various Active Directory objects that run the gamut of those available (including computers, users, other security groups, and so forth). Each of these group types are described in the following sections.
Security Groups The most common type of groups, security groups, are collections of Active Directory objects that are placed together for the purpose of assigning permissions. Most commonly in SBS 2008, security groups are used to assign file and folder permissions or to restrict access to certain material throughout an infrastructure. As a good security practice, most organizations use a
144
CHAPTER 6 CONFIGURING AND MANAGING GROUPS AND USER ACCOUNTS WITH SBS 2008
common naming convention for the security groups. For instance, at Intellicorp, we use the convention ‘‘PRM_.’’ So, in our organization, we have group names like these: ◆
PRM_CustomerService
◆
PRM_Engineering
◆
PRM_Products
◆
PRM_Accounting
◆
PRM_Sales
A good reason for choosing a naming convention with something prepended to the object name is that when they display in Active Directory, they’ll all appear grouped together. For example, in Figure 6.1, you can see that all my groups are in one spot. This makes it easy for me to find them when I’m applying permissions.
Figure 6.1 Security groups in Active Directory
Distribution Groups Distribution groups, the other type of group in Active Directory, are used for non-security-based functions such as messaging, including email. Distribution groups are tools that can easily group together Active Directory objects that can be sent messages at the same time. An example of when you might use something like this is when you’d like to send an email to a group of people. For example, at Intellicorp, we have a Sales distribution group, where I’ve placed all the sales department’s users. Then, if someone wants to email all the members of that department, they can address the email to the Sales distribution group. Additionally, distribution groups consume less space in the Active Directory database than a security group. For this reason, they are useful any time the group will not be used to assign permissions or to authenticate logons. And just like with security groups, it’s a good idea to have a naming convention for distribution groups, as you can see in Figure 6.2. Having all these names grouped together makes it really easy to administer them without a lot of chasing around in the Active Directory database by alphabetical order.
Figure 6.2 Distribution groups in Active Directory
Although there are only two types of groups in Active Directory, it’s important to remember that there are a lot of applications for these two groups. And it isn’t quite as easy as just
GROUP STRUCTURE WITH SBS 2008
creating a group and moving on. In fact, groups have multiple levels at which they can permeate through Active Directory and assign permissions. These levels of exposure are referred to as group scope.
Group Scopes Whenever a group is created in Active Directory, you can assign a certain level of permissions to it. With standard Windows Server 2008, this has a great deal more importance than with SBS 2008 because there are more levels. In a large environment, for example, you may have multiple domains and multiple forests to contend with. With SBS, you’re limited to the target domain of your choice and only one forest. However, behind the scenes, a lot of this group’s membership operations still goes on. Thus, you need to at least be familiar with group scopes because, whether you like it or not, membership is still being done the good old-fashioned way, as you can see in Figure 6.3, which is a standard user group in SBS 2008 Active Directory.
Figure 6.3 SBS group scope in Active Directory
In Windows Server 2008, there are three scope levels: universal, global, and domain local. By default, all user groups created in the Windows SBS Console are created as universal groups, but each of the groups has specific levels of permission that can be assigned.
Universal Groups The simplest of the group types, universal groups, are groups that can be assigned permissions from any domain in the forest within which they reside. This means that, for example, if you had two domains, domain1.intellicorp.com and domain2.intellicorp.com, a universal group created in either domain would be able to be assigned permissions from both domains and be able to contain members from both domains. This is an important difference between universal groups and global groups.
145
146
CHAPTER 6 CONFIGURING AND MANAGING GROUPS AND USER ACCOUNTS WITH SBS 2008
Another important difference regarding universal groups is that, unlike the rest of the group types, universal groups are stored in the global catalog, and they are replicated throughout the entire forest. In a way, this is convenient, because every server is aware of the universal groups. But in a larger-scale environment, this can be a bit of a pain because the group membership has to be replicated throughout the whole enterprise. The rule of thumb most administrators use when it comes to group scope is to first create global groups and then create universal groups only when needed. For example, if you have a small business that has four employees who will most likely be gone in the next few years or if you have an entire department that has a lot of turnover, you’ll probably want to create them in a global group, discussed in the ‘‘Global Groups’’ section next. On the other hand, executives who will be around for a while, and who will probably want to access resources outside of their own domain, will need a universal group because they have room for expansion.
Global Groups Global groups are groups that can contain members only from their own domain, but they can access resources in any domain. It’s a little confusing, but it makes sense. You’d use a global group if you ever wanted to have a group exist on only one domain but have it access resources on a lot of other domains.
Domain Local Groups In my opinion, domain local is probably the most utterly confusing name in all information technology. This is because it implies two basically foreign concepts in one spot. The word domain inherently implies a large area, and local implies a relatively small area. Regardless, domain local groups are groups that can only access resources from the domain that contains the group. However, it can contain members from any domain. Think of it like this: domain local means that everything has to be accessed from the local domain. In fact, the name local domain would probably make a bit more sense. Typically administrators will create a domain local group when they want to ensure that the users and computers (or other Active Directory objects) they create are refined to one specific domain. This way, they don’t have to worry about scope membership — because they’ll always know that the objects they create in that domain will stay in that domain.
Group Membership Another important factor concerning all groups is what type of members they can have. In the previous section, you saw that there are restrictions regarding where groups can have members originate from, but there are also a couple concerns regarding what types of other groups and members each group type can contain. Table 6.1 describes what type of memberships each group can contain.
Default Groups Out of the box, SBS 2008 comes with several groups. These groups are divided into four sections: user groups, special identity groups, built-in groups, and default local groups. These groups are created by default to fulfill roles that will be used by all SBS servers. Inherently, each of these groups is a security group and not a distribution group.
GROUP STRUCTURE WITH SBS 2008
Table 6.1:
Group Scope Membership
Group Scope
Allowed Membership
Universal
Any group type, any user, any computer
Domain local
User accounts, computer accounts, global groups, universal groups, domain local groups
Global
Global groups from the same domain, user accounts and computer accounts from the same domain
User Groups User groups are collections of users placed into a default group. One of the most commonly referenced groups in the autodefined user groups is the domain users group, which contains every user in the domain. User groups that are built in are designed to give administrators an easy way of referencing every user in their domain by just selecting one group. You’d want to access this one group when using Group Policy or when installing a third-party application that needed to give permissions to everyone in a domain.
Special Identity Groups Special identity groups are used to refine users to one specific ‘‘type’’ of group. These groups are designed so administrators don’t really have to think about what security group would be appropriate when they want to choose who to add based on ‘‘concept,’’ rather than on explicit casting. These groups include the following: ◆
Everyone
◆
Network Users
◆
Interactive Users
◆
Authenticated Users
◆
Services
◆
Creator/Owner
As you can see, these built-in special identity groups are pretty descriptive. If you want to add Everyone to a file share, literally everyone in the domain will be able to see it. If you want only authenticated users to see it, then you can set only Authenticated Users to see it, and so forth.
Built-in Groups Within SBS 2008, there are several built-in groups placed within the Builtin OU container for the purpose of general assignment. These groups are summarized in Table 6.2, taken from the description of the groups provided in SBS 2008.
147
148
CHAPTER 6 CONFIGURING AND MANAGING GROUPS AND USER ACCOUNTS WITH SBS 2008
Table 6.2:
Built-in SBS 2008 Groups
Group Name
SBS 2008 Description
Account Operators
Members can administer domain user and group accounts.
Administrators
Administrators have complete and unrestricted access to the computer/domain.
Backup Operators
Backup Operators can override security restrictions for the sole purpose of backing up or restoring files.
Certificate Service DCOM Access
Members of this group are allowed to connect to certification authorities in the enterprise.
Cryptographic Operators
Members are authorized to perform cryptographic operations.
Distributed COM Users
Members are allowed to launch, activate, and use Distributed COM objects on this machine.
Event Log Readers
Members of this group can read event logs from the local machine.
Guests
Guests have the same access as members of the Users group by default, except for the Guest account, which is further restricted.
IIS_IUSRS
This is a built-in group used by Internet Information Services.
Incoming Forest Trust Builders
Members of this group can create incoming, one-way trusts to this forest.
Network Configuration Operators
Members in this group can have some administrative privileges to manage the configuration of networking features.
Performance Log Users
Members of this group can schedule the logging of performance counters, enable trace providers, and collect event traces both locally and via remote access to this computer.
Performance Monitor Users
Members of this group can access performance counter data locally and remotely.
Pre-Windows 2000 Compatible Access
This is a backward-compatibility group that allows read access on all users and groups in the domain.
Print Operators
Members can administer domain printers.
Remote Desktop Users
Members in this group are granted the right to log on remotely.
Replicator
This group supports file replication in a domain.
Server Operators
Members can administer domain servers.
GROUP STRUCTURE WITH SBS 2008
Table 6.2:
Built-in SBS 2008 Groups (CONTINUED)
Group Name
SBS 2008 Description
Terminal Server License Servers
Members of this group can update user accounts in Active Directory with information about license issuance for the purpose of tracking and reporting TS Per User CAL usage.
Users
Users are prevented from making accidental or intentional system-wide changes and can run most applications.
Windows Authorization Access Group
Members of this group have access to the computed tokenGroupsGlobalAndUniversal attribute on User objects.
Source: SBS 2008
Default Security Groups When you first open either the Windows SBS Console or the Active Directory Users and Computers MMC, you’ll be able to see a list of predefined security groups. Each of these default security groups is used to provide permissions for basic uses in SBS 2008. These uses are summarized in Table 6.3, which shows the default SBS groups and the description provided in the Windows SBS Console.
Table 6.3:
Default Security Groups in SBS 2008
Security Groups
Description
Windows SBS Remote Web Workplace Users
Can access Remote Web Workplace
Windows SBS Fax Users
Can use the Windows SBS Fax service
Windows SBS Fax Administrators
Can manage the Fax service in Windows SBS
Windows SBS Folder Redirection Accounts
Folders redirected to the server
Windows SBS Virtual Private Network Users
Can access network resources remotely
Windows SBS SharePoint_VisitorsGroup
Have read-only access to the internal Web site
Windows SBS SharePoint_Members Group Windows SBS SharePoint_OwnersGroup
Can view, add, update, delete, approve, and customize the content
Windows SBS Link Users
Can access the Link List in Remote Web Workplace
Windows SBS Admin Tools Group
Can access the Administration tools in Remote Web Workplace
Source: SBS 2008
149
150
CHAPTER 6 CONFIGURING AND MANAGING GROUPS AND USER ACCOUNTS WITH SBS 2008
Nesting Groups As an organization grows and more employees, computers, and Active Directory objects are created, inevitably the need for more departments and groups for various projects and special needs will arise during the course of business. Small Business Server, like all the Windows Server 2008 products, supports this business need. Group nesting is a simple and effective method of placing groups within groups to ease the burden of applying permissions over multiple groups. An area where you may want to do this is in a larger department. For example, if you have 20 salespeople in your average-sized small business, there may be multiple sales managers and a couple salespeople who work on corporate sales instead of end user sales. With group nesting, you could create an isolated group for the corporate salespeople and another for the end user salespeople and then create a larger group called MyBusiness_SalesPersons that contains all the various subgroups. From an administrator’s perspective, this is quite convenient. But be warned — you need to follow this guideline: Keep track of your group nesting With system administration, it’s not too common for administrators to create group documentation to keep track of which people are members of various groups, but that is mostly because administrators keep group nesting classified as an ‘‘only if we need it’’ sort of procedure. This isn’t necessarily a good idea. Instead, you should consider keeping user documentation and creating a simple topological map of your users and their respective groups.
Local Groups Because they aren’t as commonly used with SBS 2008 and higher-level server infrastructures, I won’t spend much time on local groups. Just know that local groups are groups that are local only to the computer upon which they reside. Note, however, that a local group is not the same as a domain local group.
Creating a Group Strategy Just like you wouldn’t construct a building or go to war without a lot of planning and care, you’re not going to want to start creating groups on the fly without a lot of forethought. In fact, so much forethought has gone into the creation of groups in larger-scale environments that Microsoft has released an entire knowledge base article on planning and implementing an effective group strategy. Some of it doesn’t apply to SBS, but you can find the article here: http://technet.microsoft.com/en-us/library/cc783634(WS.10).aspx. Figure 6.4 shows that there is a definite flow to the nesting of groups. Small groupings of individuals are placed into larger groupings. This creates a clean and efficient topology that makes your job as an administrator much easier. Just keep in mind as you’re implementing group nesting within your own organization that certain groups do have membership requirements, and you’ll need to adhere to those requirements. With SBS 2008, this should be very easy, but more experienced administrators should do their best to stay up-to-date on good group practices. Some of these practices include the following: ◆
Not placing individual users in global groups to reduce overhead
◆
Altering universal groups as infrequently as you can
PLANNING GROUP LAYOUTS
◆
Placing individual users in domain local accounts
◆
Placing individual users in global groups
◆
Assigning permissions to global groups
Figure 6.4 Nesting implementation Corporate Sales Team User Accounts
Corporate Sales Team Global Group
Sales Department
All Employees
Another common practice that a more experienced administrator taught me in my earlier admin days is to use universal groups for permission statements as little as possible. This makes sense when you think about it. If you don’t use universal groups much, the chances of them taking up processing time on your global catalog is nearly nil. And you don’t want your organization experiencing any slowdowns.
Planning Group Layouts As a small-business owner or as a consultant or employee for a small business, you’re going to be responsible for planning group membership and group strategies. Accordingly, it’s a good idea to make a group layout strategy that plans for group membership and group scope. There is no set method to how this is done, but usually a cautious administrator will use a program such as Microsoft Excel and use rows and columns to separate membership. Table 6.4 shows a sample group layout from a project management perspective.
151
152
CHAPTER 6 CONFIGURING AND MANAGING GROUPS AND USER ACCOUNTS WITH SBS 2008
Table 6.4:
Group Layout
Group Name
Function
CORP_Sales
End user sales
CORP_Accounting
Number of Members
Access Requirements
Notes
20
Sales folder
Lowest-level security
Accounts payable and receivable
3
Accounting folder, Sales folder
No more than five members
CORP_Managers
Management
1
Account folder, Sales folder, Management folder, Engineering folder
Highest-level security
CORP_Engineers
Front and back-end development
10
Sales folder, Engineering folder
Should only access two folders, never more
Creating Users and Groups with SBS 2008 As I’ve both said and hinted at many times throughout this book, the process of creating users and groups with Windows Server is extremely common. This is so much the case that Microsoft incorporated just about every feature into the Windows SBS Console that you need in order to make user accounts and groups. Since it’s a useful tool, administrators with SBS will commonly just use the console to create user accounts. After all, it’s designed to do that. However, as shown in Figure 6.5, when you start the Windows SBS Console in advanced mode and navigate to Administrative Tools SBS Console (Advanced Mode) and then Users And Groups, the console will have the added task of Open Active Directory Users And Computers Snap-In.
Figure 6.5 Open Active Directory Users And Computers Snap-In task in the console
Clicking Open Active Directory Users And Computers Snap-In will, obviously, open that tool, which you’ve seen before. However, up until this point, you’ve only created user accounts and organizational units. Now, I’ll start diving a bit deeper and show how to do some group
CREATING USERS AND GROUPS WITH SBS 2008
creation, along with some group nesting. After all, with this snap-in, you can make all kinds of new objects: ◆
Computer objects
◆
Contact objects
◆
Group objects
◆
InetOrgPerson objects
◆
msExchDynamicDistributionList objects
◆
MSMQ Queue Alias objects
◆
OUs
◆
Printer objects
◆
User objects
◆
Shared folders
In Chapter 5, you created organizational units at this screen, so you’ll probably be familiar with using it. But just in case you’d like a refresher, the ‘‘Creating Groups and Adding Members’’ exercise will take you through the process of creating a user group and adding members. Keep in mind, an organizational unit is not a security group. Think of it like this: groups get permissions, and OUs get policies. Security groups are designed to group users into easily definable permission blocks, and OUs are designed to create ‘‘containers’’ where Group Policy can be applied.
Creating Groups and Adding Members To illustrate how to create a group and add members to it, in this exercise you’ll create a group called Corporate_Sales and then add members to it. This group will help you in other exercises throughout the rest of the chapter.
1. Open the Active Directory Users and Computers snap-in, and expand nodes until you see the OU structure shown here.
153
154
CHAPTER 6 CONFIGURING AND MANAGING GROUPS AND USER ACCOUNTS WITH SBS 2008
2. Select Users, right-click the whitespace on the right, and select New Group. By default, this will open the screen shown here.
3. SBS 2008 will leave the group scope as global and the group type as a security group. 4. Name this group Corporate_Sales, and leave the pre–Windows 2000 name intact. 5. The Corporate_Sales group will appear in the whitespace with the type Security Group. 6. Double-click the Corporate_Sales security group. This will open the group’s properties dialog box, as shown here.
CREATING USERS AND GROUPS WITH SBS 2008
7. Select the Members tab, and click Add. 8. Type the name of a user in your domain, and then click OK. 9. You will see the user, here Mary Johnson, populate into the Members field.
10. Click OK. This will return you to the default snap-in screen. 11. Alternatively, you can right-click the Corporate_Sales group and select Add to Group. 12. You can then type the name of the user and click OK. The user will then be added to the group.
13. Now, click the Security Groups OU in your OU structure. 14. You will notice that the group does not show up here by default. This is because this OU was manually created in the snap-in vs. made with the console, which places security groups here by default. Should you want to place the group here, you can.
Nesting Groups Now that you’ve created a new Corporate_Sales group, you can add a nested group. This is the first step in creating a multiple-tiered group model. Note that you must have completed the previous exercise to complete this exercise.
1. Open Active Directory Users and Computer, and expand the nodes until you arrive at the SBSUsers OU underneath MyBusiness\Users.
2. Using the method you learned earlier, create a group called Nested Group, but do not add any new members. Your snap-in should look like the screen shown here.
155
156
CHAPTER 6 CONFIGURING AND MANAGING GROUPS AND USER ACCOUNTS WITH SBS 2008
3. Right-click NestedGroup, and select Add To A Group. 4. Type Corporate_Sales, and click Check Names. If Active Directory finds it, the name will become underlined, as shown here.
5. Click OK. 6. You will see that the Add To A Group operation was successfully completed in a dialog box. Note that if there is an error or if the group is already included as a member, you will see a dialog box displaying the pertinent error.
7. Verify group membership by right-clicking Corporate_Sales and selecting the Members tab. You will see Nested Group listed, as shown here.
ADMINISTERING SECURITY GROUPS WITH SBS 2008
This group is now nested. At this point, this means you can add any group members to the NestedGroup security group, and these groups will automatically be included in the Corporate_Sales group.
Administering Security Groups with SBS 2008 Once a security group is created, the real administrative work is actually begun. First you’ll need to add and remove members, nest other groups, and remove groups from Active Directory in total. In particular, deleting groups is interesting with Windows Server because every group created has a specific security identifier (SID) associated with it. A Windows SID identifies a group with a unique number that allows you to add special permissions to that, and only that, group. In a way, it’s what makes multiple groups with similar names, group nesting, and other complex group operations possible. The following exercises show how to rename groups, remove user groups, and change group scope.
Renaming User Groups With SBS 2008, you can change group names in both the Active Directory Users and Computers snap-in and the Windows SBS Console. We will begin with the Windows SBS Console.
1. Open the Windows SBS Console, select Users And Groups, and then select the Groups tab. It should appear as shown here.
157
158
CHAPTER 6 CONFIGURING AND MANAGING GROUPS AND USER ACCOUNTS WITH SBS 2008
2. Right-click TestGroup, and select Edit Group Properties. Alternatively, you can select the group and click Edit Group Properties in the upper-right corner.
3. When the properties dialog box appears, you can select the TestGroup name and replace it with a new name, such as Awesome Group.
ADMINISTERING SECURITY GROUPS WITH SBS 2008
4. Click Apply. 5. The group will then appear in the Security Groups section as Awesome Group. Note that Awesome Group, although funny, probably isn’t the best idea for a group name. Thus, you’ll change it now.
6. Navigate to the Security Groups OU in MyBusiness. Note that Awesome Group is there. 7. To change the name of Awesome Group to something more professional, you can right-click it and select Rename.
8. Enter ProfGroup1 as the new name. 9. Another box will open asking you for a group name and for a pre–Windows 2000 group name. Enter ProfGroup1 in both fields. No matter what you name a group, renaming will never affect a group’s SID in Active Directory. As far as Windows is concerned, it’s still the same group. You have changed only one of its properties. Next, I’ll show how to remove a security group that you no longer require.
Removing a Security Group If a security group has outlived its usefulness, you can remove it from Active Directory with either the Windows SBS Console or the Active Directory Users and Computers snap-in. Note that removing a security group does remove the SID associated with that group. To remove the group with the Active Directory Users and Computers snap-in, follow these steps:
1. Select the group. 2. Right-click the group, and select Delete. 3. Click Yes at the prompt. To use the Windows SBS Console, follow these steps:
1. Navigate to the Groups tab of the Users And Groups section. 2. Select ProfGroup1. 3. Click Remove Group in the upper-right corner. 4. Select Yes. Removing a group is relatively easy, but keep in mind that whenever you delete a group, all member associations that are granted access through that group are now deleted. Furthermore, a group deletion does not mean that the members of that group are deleted — just the group structure itself. Changing group scope is another useful skill that can be easily learned and understood. With SBS, you don’t use this very often, but if you ever need to migrate to a large platform, this is a good skill to master.
159
160
CHAPTER 6 CONFIGURING AND MANAGING GROUPS AND USER ACCOUNTS WITH SBS 2008
Changing Group Scope in SBS 2008 Within SBS 2008, you can change group scope only through Active Directory Users and Computers. You must open a security group through that snap-in.
1. Open the OU containing your user group. 2. Right-click the group, and select Properties. The dialog box that opens should appear similar to what you saw in Figure 6.3 earlier in the chapter.
3. Change the Group Type setting from Universal to Global. 4. Click Apply. 5. Click OK.
Creating Distribution Groups To create an effective messaging structure with SBS 2008, you need to implement distribution groups within your small-business server to send and receive email to multiple targets. Distribution groups, similar to security groups, are collections of user accounts that are associated with email addresses, contacts, and other messaging systems within Windows Server. To effectively maintain an SBS server, you need to know how to create distribution groups in both the Windows SBS Console and the Active Directory Users and Computer Snap-in. The following exercise will familiarize you with both methods.
Adding a Distribution Group To add a distribution group using the Windows SBS Console, follow these steps:
1. Open the Windows SBS Console, navigate to Users And Groups, and then select the Groups tab.
2. Select Add A New Group. 3. This will open the Getting Started window. You can select the box to not show this page again (which is recommended). If you already have, skip this step. Otherwise, click Next.
4. Under Group Name, enter insiders. 5. Under Group Type, make sure the Distribution Group: Send An E-mail Message To User Accounts That Belong To This Distribution Group option is selected.
6. Click Next. 7. Keep insiders at the screen shown here. This will create an
[email protected] email address.
CREATING DISTRIBUTION GROUPS
8. Select the option Allow This Group To Receive Emails From People Outside Your Company. This is vital. Without this, the messaging group will be used only for internal emails and will not be able to be accessed from anyone not within your domain.
9. Click Next. 10. On the Users screen, select the users you want to add, and click Add. 11. Click Next. 12. Click Finish. Note that once the wizard completes, it will add the ‘‘insiders’’ group to your email distribution groups list. To add the group in the snap-in, follow these steps:
1. Open the snap-in, and navigate to the SBSUsers OU underneath MyBusiness. 2. Right-Click the whitespace on the right, and select New Group. 3. Under Group Name, enter insider2. 4. Select the Distribution radio button. 5. Click OK. As you can see, it’s relatively easy either way, but it’s especially elegant with the snap-in. However, with the snap-in, you have to manually add users on the properties page.
161
162
CHAPTER 6 CONFIGURING AND MANAGING GROUPS AND USER ACCOUNTS WITH SBS 2008
The process of deleting a distribution group isn’t really worth showing, because it’s almost like creating a security group. Suffice to say that you can simply select a distribution group, right-click, and choose Delete. Note that, just like deleting a security group, this will not delete the members of that group, but it will delete that group and the SID associated with that group. Additionally, groups that are nested within a group that is deleted will not be affected by the deletion of the top-level group. You should also note that you can easily change the internal properties of a distribution list through the Windows SBS Console. Specifically, using the Windows SBS Console, you can change email addresses and the ability to receive external emails through the group’s Properties window on the E-mail tab, as shown in Figure 6.6.
Figure 6.6 Email alteration of distribution group
In Figure 6.6, you can see that the email address of the distribution group has been changed, and this group has been enabled to receive email from external addresses not within the organization’s domain. All you have to do after this is hit Apply. As shown in Figure 6.7, the insiders group now has the same name, but a new email address is associated with it throughout Active Directory.
Figure 6.7 Altered email address
Administering Distribution Groups Usually in most small businesses, the turnover rate can be fairly high as the business expands and employees come and go for various reasons. Accordingly, distribution groups are often altered even more than security groups. Thus, you need to be familiar with some of the most common administrative tasks associated with them. With the Windows SBS Console, you can easily add users and groups by clicking the Change Group Membership button in the Tasks column. This opens the standard Change Group Membership screen you’ve seen before, as shown in Figure 6.8.
ADMINISTERING DISTRIBUTION GROUPS
Figure 6.8 Change Group Membership screen
All you have to do to add new members to this group is to double-click the member, or you can select them and click Add. Then, click OK, and these new members are added. But just like with security groups, you can also nest different levels of distribution groups. For instance, if a small engineering company has four different teams, one for petroleum engineering, one for electrical engineering, one for mechanical engineering, and one for chemical engineering, it may have four distribution groups: ◆
Corp_EE
◆
Corp_ME
◆
Corp_ChE
◆
Corp_PE
And within these groups, there will most likely be users. This is convenient, because instead of having to create a new distribution group if you wanted to send email to, say, all engineers, you could create an Engineers group and just add the four Corp_groups to a new distribution group, instead of manually adding each engineer one at a time. From a design perspective, distribution groups are much easier to deal with than security groups. This is mostly because, at the end of the day, distribution groups only send messages. And although a single email can be pretty damning if it’s received by the wrong person on the subject of something sensitive, such as whether to fire someone, it’s usually not quite as potentially disastrous as an employee opening a secure file that happens to have all the corporate accounting documents, including a list of usernames and passwords for the bank accounts and instructions for how to make a withdrawal. Obviously, any security risk that could potentially cause a serious disaster is unacceptable in any environment. However, as cautious administrators, we need to be prudent in our evaluation of what security risks we allow. This is because there is no such thing as a completely risk-free environment. Unfortunately, there will always be some risks. Some risks just aren’t as great as others.
163
164
CHAPTER 6 CONFIGURING AND MANAGING GROUPS AND USER ACCOUNTS WITH SBS 2008
Using Distribution Groups as a Filter At OmniCorp, a small business specializing in retail sales and customer service, the number of customer service calls and complaints began to rise to a seriously dangerous level. Sales associates, who are primarily associated with sales calls but also respond to customer service calls and emails, began spending most of their days responding to customer service calls, instead of making outbound sales calls or answering sales email. Accordingly, management decided that the number of calls and emails the sales staff was receiving needed to drop dramatically. Thus, management decided to create a separate customer service distribution group. The reason behind this was that the salespeople could then easily set up a rule in their Outlook program that identified the messages that were specifically for them (sent through the sales system) and then identify the messages that were sent to the
[email protected] distribution group. By doing this, management increased the amount of sales dramatically and actually improved customer service by realizing that they needed to hire individual customer service representatives. But regardless of whether they did that, the distribution list served as a nice filter to guard the salespeople’s ‘‘real’’ email addresses from the anonymous customerservice @omnicorp.com email address.
Security Permissions Now you’ve come to the best part of group structure: assigning permissions. Chances are that if your administration experience is anything like mine, you’re going to spend a ton of time working on permissions. This is because permissions in Windows Server are vital to maintaining an effective, job-separated structure that allows users to access the information they need while prohibiting them from accessing the items that aren’t required in their position. In the security field, we refer to this process as the CIA triad: confidentiality, availability, and integrity. Confidentiality Maintaining nondisclosure of information that is considered private Integrity Maintaining the data contained within a structure Availability Determining whether the data is ready and available In the field of systems administration, which is all administering SBS 2008 really is, you are primarily concerned with the availability field: is the data ready to be accessed, and do the right people have access to the right information at the time? The way you do this in the Windows system architecture is through the use of the Windows permissions list.
Permissions Lists In multiple areas of information technology, including routing and switching, SQL Server administration, Unix administration, and especially Windows system administration, permission lists (also known as access control lists) play a huge role. This is because Windows
SECURITY PERMISSIONS
permissions lists specify who has access to files and folders throughout a Windows architectural system. With Windows file sharing, file permission takes place in several stages. First, the folder containing the files is put into a shared or unshared state. Second, security permissions are set upon the file, and finally these permissions run through an access control list that determines whether the files are accessible to individuals’ accounts.
File and Folder Permissions Ever since Windows 2000, the Windows architecture has had a standard set of file permissions published by Microsoft, as summarized in Table 6.5.
Table 6.5:
Microsoft’s File and Folder Permissions
Permission
Meaning for Folders
Meaning for Files
Read
Permits viewing and listing of files and subfolders
Permits viewing or accessing of the file’s contents
Write
Permits adding of files and subfolders
Permits writing to a file
Read & Execute
Permits viewing and listing of files and subfolders as well as executing of files; inherited by files and folders
Permits viewing and accessing of the file’s contents as well as executing of the file
List Folder Contents
Permits viewing and listing of files and subfolders as well as executing of files; inherited by folders only
Modify
Permits reading and writing of files and subfolders; allows deletion of the folder
Permits reading and writing of the file; allows deletion of the file
Full Control
Permits reading, writing, changing, and deleting of files and subfolders
Permits reading, writing, changing, and deleting of the file
Source: Microsoft
As with any Windows user, you have the right to adjust and administer the permissions on folders and file that you control. This is accessible by right-clicking a file or folder, selecting Properties, and then clicking Edit. For example, in Figure 6.9 you can see the standard Windows SBS 2008 permissions placed on a file in a user’s desktop. In my case, it’s off one of my favorite CDs. As you can see, by default the Full Control permission is selected, giving me permission to read and write whatever I want that is contained there. Furthermore, if I click the Advanced button after the Add button, I can open the Advanced Security Settings screen you see in Figure 6.10.
165
166
CHAPTER 6 CONFIGURING AND MANAGING GROUPS AND USER ACCOUNTS WITH SBS 2008
Figure 6.9 Standard folder permissions on the desktop
Figure 6.10 Advanced Security Settings dialog box
From this screen, you can set advanced file permissions, audit the folder, and check to see who the ‘‘owner’’ of a folder is — something I’ll get to in a minute. Furthermore, you can also look at the effective permissions of a folder and see who has access to what in that file. By clicking the Edit button at this screen, you can also access a whole other level of ‘‘special’’ folder permissions that you couldn’t see in the standard permissions menu. This is shown in Figure 6.11 and summarized in Table 6.6, along with the abilities that each of these permission settings grants you.
SECURITY PERMISSIONS
Figure 6.11 Special file permissions
Table 6.6:
Microsoft’s Special Folder Permissions
Control
Full Modify
Execute
Read & Read
Traverse Folder/Execute File
X
X
X
List Folder/Read Data
X
X
X
X
Read Attributes
X
X
X
X
Read Extended Attributes
X
X
X
X
Create Files/Write Data
X
X
X
Create Folders/Append Data
X
X
X
Write Attributes
X
X
X
Write Extended Attributes
X
X
X
Delete Subfolders and Files
X
Delete
X
X
Read Permissions
X
X
Change Permissions
X
Take Ownership
X
X
Write
X
Special Permissions
X
167
168
CHAPTER 6 CONFIGURING AND MANAGING GROUPS AND USER ACCOUNTS WITH SBS 2008
From the Advanced permissions menu, you can click Edit yet again and set a specific security entry on the folder. As an example, in Figure 6.10, you can see the permissions entries for the folder. But if you click Edit for Steven Johnson, this will open the screen in Figure 6.12. On this screen, you can specifically edit the user’s access to the folder and the specific permissions pertaining to that user. In Figure 6.12, I can adjust each of my permissions individually and then click the OK button.
Figure 6.12 Advanced security settings
It’s also important to note that you’ll see two important check boxes in Figure 6.12: ◆
Include Inheritable Permissions From This Object’s Parent
◆
Replace All Existing Inheritable Permissions On All Descendants With Inheritable Permission From This Object
These two check boxes are very important but easily explained. With Windows Server, subfolders inherit their permissions from their parent folders by default. This means that if you assign permissions to a folder, all subfolders within that folder will receive those permissions. However, you can easily undo this by deselecting the first box: Include Inheritable Permissions From This Object’s Parent. This means the folder ignores all permissions it once received from its parent. The second box, Replace All Existing Inheritable Permissions On All Descendants With Inheritable Permission From This Object, forces the permissions for this specific folder to be propagated throughout the rest of the child folders. So, through the use of these two check boxes, you can stop permissions and force them to the rest of your objects. Effectively, through the use of all these tools, you can do just about anything you’d like throughout your file infrastructure.
ASSIGNING SECURITY GROUP FILE PERMISSIONS
Assigning Security Group File Permissions As a general rule of thumb, Microsoft recommends that security permission for file and folder structures should be granted to security groups and not to individual user accounts. The reasons behind this are a little complex, but suffice to say that assigning individual user accounts permissions to folders can cause a lot of headache, especially if that user account is deleted in the future and you suddenly have a folder hanging out with no permissions on it or irrelevant permissions. In the following activity, you’ll add a security group to a folder and give the account specific permissions.
Assigning a Security Group to a Folder To complete this exercise, you will need to create a folder somewhere within your directory structure and be able to access that directory as an administrator.
1. Right-click your folder, and select Properties. 2. Click the Security tab. 3. Click the Edit button. 4. Click Add. 5. At the Select Users, Computers, Or Groups screen, add a security group you have created. 6. Click OK. 7. The security structure should appear as shown here.
169
170
CHAPTER 6 CONFIGURING AND MANAGING GROUPS AND USER ACCOUNTS WITH SBS 2008
8. Under the security group’s permissions that you’ve added, select the Full Control permission. This will allow the security group to take ownership of the file and alter the file as if it was its own.
9. Click Apply and then OK. 10. Click OK.
Folder Sharing Another common task with folder and group permissions is to make a folder available throughout your business. This is referred to as folder sharing. With Windows SBS, folder sharing is easily accomplished through several wizards, as was done in Chapter 2. What’s important to realize is that, unless a folder has been granted access to a user or another security group, a shared folder either will not be shared or will be accessible by everyone. With Windows file and folder permissions, you can share a folder and then determine who can access the files and folders.
The Bottom Line Create users and security groups Creating users and security groups is the central focus point of an IT infrastructure. By creating users and groups, an entire business is virtually created through Windows Server. Security groups allow you to assign permissions and associate users with similar job roles. Master It Create a nested group structure that contains an All Users group with four internal groups for the engineering, accounting, sales, and customer service departments. Place at least 20 users in all these groups, and attempt to ‘‘double nest’’ a user in the Sales and Engineering groups. Create distribution groups Distribution groups are used to distribute email and messages. Through a distribution group, you can receive external email and send internal messages. Master It Create a distribution group for your infrastructure with a different email address than the name of the group. Attempt to send an email to this group. Create a permissions list for a group Permissions lists and access controls are the primary methods you use to affect the access of files throughout your infrastructure. They control the availability of files throughout the infrastructure and, if not done correctly, can compromise the entire infrastructure. Master It Create a folder and assign permissions to only one security group, and then try to access this group from another account.
Chapter 7
Managing Group Policy with SBS 2008 Microsoft Windows Server Group Policy is the system of software management used by Active Directory to control the behavior and access associated with user and computer accounts on a Microsoft network. By utilizing Group Policy through Active Directory, administrators can prohibit or grant access to portions of Microsoft and Group Policy–compatible software, install or remove software throughout the infrastructure, and publish updates to users and computers based on an administratively defined set of rules. Within the modern small-business network, Group Policy is becoming more and more common. In the older days of system administration, Group Policy was usually seen only in large-scale implementations because it used to be a lot more difficult to manage. Group Policy objects and links were a mystery to most system administrators, but now they’ve become almost as common as a simple user account — well, perhaps not that common, but they’re inching ever closer. What’s certain is that to be an effective administrator with Small Business Server, you need to learn how to use all the tools that SBS makes available to you. Otherwise, a lot of the real advantages of using SBS, such as the ability to deploy software to your users and set up limited access to potentially unproductive software like Internet Explorer, will be unavailable. In this chapter, you’ll learn about all of these topics and more. In this chapter, you will learn to ◆ Create Group Policy objects ◆ Link a Group Policy object to an Active Directory object ◆ Edit a Group Policy object ◆ Delete a Group Policy object
The History of Group Policy Windows Group Policy came onto the scene 10 years ago with Windows 2000. Before Windows 200, with Windows NT, system policies were limited to domains and could not permeate to forests; they could not be secured; they could apply only to users, groups of users, and computers; and they were just generally buggy overall. Worse than that, the few administrators
172
CHAPTER 7 MANAGING GROUP POLICY WITH SBS 2008
who could actually use the Windows NT system usually managed to mess it up somehow with a crazy system policy that would do something fun and convenient like forbid anyone from installing a program within the enterprise. Thankfully, this all changed with the use of Group Policy. Contrary to system policies, Group Policy is stable, is secure, and can be applied at any level. The main difference between Group Policy and the old method of implementing system policies is that Group Policy takes advantage of policy links that connect one Group Policy object to another.
Why We Use Group Policy with SBS Small companies usually come in two flavors — those that are extremely relaxed and understanding with their security and those that are stricter in their policies. Because of the nature of small businesses, it’s pretty rare that you find anything in between. Usually owners will either have a great deal of trust in their employees or will be very restrictive. Both types of approaches need specific settings and options to implement such decisions and policies. With SBS 2008, you’re enabled to make a vast amount of changes to user and computer configuration settings with Group Policy. Some of these changes include the following: ◆
User and group configurations
◆
Registry settings
◆
Software installation
◆
Scripts
◆
Folder redirection
◆
Remote installation services (rarely used in SBS)
◆
Internet Explorer restrictions
◆
Security policies
You can manipulate these settings by understanding how to use the Group Policy snap-in and understanding the elements of Group Policy.
Group Policy Objects As you may remember from earlier chapters in this book, Active Directory is fairly uniform in that at the end of the day it all comes down to objects. Objects of all types are what compose the core of Active Directory and Windows system administration. Group Policy is no exception to this rule. In fact, group policies are one of the few types of objects in Active Directory that are actually referred to as Group Policy objects. This is because a single group policy is actually an entity within Windows Server. You can think of it in terms of building blocks. Users, computers, groups, and other objects like organizational units are all like the small Lego blocks with four round knobs on the top you used when you were a kid. Group Policy objects, on the other hand, are like the long rectangular Lego blocks that can stretch across the small square blocks. Group Policy objects are the essential component of Active Directory. They’re created within the normal version of Windows Server 2008 in the Group Policy Management Console. In
ADMINISTERING GROUP POLICY
SBS 2008, this is . . . just the same! Well, almost. Technically there are no consoles in SBS, other than the Windows SBS Console. Instead, with SBS 2008 you use the Group Policy snap-in, which used to be attached to the Group Policy Management Console, so not much is changed. This means that if you’ve already had a lot of experience with Windows Server 2008 Group Policy, the transition to SBS should be very easy for you. Count yourself lucky. If not, I’ll go through the process of creating a GPO one step at a time.
Group Policy Links Unlike other Active Directory objects, such as users or groups, Group Policy objects are not enforced until they are linked to another point in the Active Directory infrastructure. This is a pretty major difference from standard Active Directory objects because when you create any other object in Active Directory, that object is in the system — and accessible. For instance, when you create an Active Directory user account, that user account exists on the system, and users can log onto the domain they were assigned (unless, of course, their account is disabled). Conversely, a Group Policy object is made through the Group Policy Management Console and then linked to a particular location in Active Directory. But until it’s linked, the Group Policy object effectively accomplishes nothing. It’s just another object that floats around within Active Directory. You can link objects in any Windows Server platform (post–Windows 2000) at one of four locations: ◆
Site
◆
Domain
◆
OU
◆
Local
Obviously, with SBS, you don’t have to care about this quite as much, because it’s all associated to one small-business domain, but it’s important to understand that SBS does technically have the ability to apply Group Policy at all these levels. That said, most of the time you will deploy Group Policy only at the domain level, because SBS environments will have one domain to which users can log on.
Administering Group Policy Now you know that Group Policy is divided into two distinct elements: Group Policy objects (GPOs) and Group Policy links. But the process of implementing Group Policy isn’t quite as simple as designing a Group Policy object and then linking it to various points in the Active Directory infrastructure. Applying Group Policy can have a lot of unexpected results. For instance, say you want to apply Group Policy to the OU group Special_Users. Special_Users, as the name implies, is a special user container that has a few particular rules that need to be applied. Let’s say that you don’t want Special_Users to be able to access the Control Panel, but you want Special_Users to be able to access the Internet whenever the members of that group would like. On the surface, this seems simple enough. The problem occurs when you have multiple Group Policy links in place. Consider, for example, what would happen if the Special_Users OU was a child OU of the standard SBSUsers OU. Were that the case, you could have an issue if the SBSUsers OU prohibits access to Internet Explorer from one point in time to another.
173
174
CHAPTER 7 MANAGING GROUP POLICY WITH SBS 2008
Because of this, you might have a Group Policy conflict. One policy says one thing, and another policy says another. You need to know which OU will take precedence, and why. It’s much more efficient and effective to avoid such conflicts from the outset, rather than trying to solve them when they turn up. So, plan your rollout to anticipate these problems! According to Microsoft, Group Policy should be rolled out in four stages: ◆
Planning
◆
Designing
◆
Deploying
◆
Maintaining
Planning When planning for Group Policy, you first have to consider the objectives you need to accomplish. What is the policy going to do? Who is it going to affect? Why does it need to be in place? This initial process is called a policy definition. You define a policy by its purpose and its objectives: ◆
Purpose: The reason the policy is put in place
◆
Objective: What the policy aims to accomplish
As an example, a policy to restrict Internet Explorer should be planned as follows: ◆
Purpose: To remove the temptation to surf the Internet during business hours
◆
Objective: To restrict Internet Explorer from 8 a.m. to 5 p.m. Monday through Friday
This is an essential step in Group Policy, because it provides a point you can reference after you’ve put several group policies in place. More often than not, administrators like to create a ton of policies and then sometimes forget what they actually do. In fact, I remember one time looking at a server I had placed a great deal of GPOs in and saying, ‘‘You know . . . I don’t exactly remember what most of these do.’’ That’s a bad thing. Documentation and accountability are key to a successfully running environment. Without documentation, you can potentially cause hazards for your users. There’s nothing quite like being a user and suddenly realizing you can’t access a vital tool for your job. Technically, what I just gave you was a very boiled-down version of how to plan policies. According to Microsoft, the actual objectives should be to determine the following: ◆
Purpose of each GPO
◆
Owner of each GPO (the person who requested the policy and who is responsible for it)
◆
Number of GPOs to use
◆
Appropriate container to link each GPO (site, domain, or OU)
◆
Types of policy settings contained in each GPO and appropriate policy settings for users and computers
◆
When to set exceptions to the default processing order for Group Policy
◆
When to set filtering options for Group Policy
◆
The software applications to install and their locations
ADMINISTERING GROUP POLICY
◆
What network shares to use for redirecting folders
◆
The location of logon, logoff, startup, and shutdown scripts to execute
And, although these objectives (which you can find at http://technet.microsoft.com/ en-us/library/cc786212(WS.10).aspx) are important, at the SBS level you can really just boil it down to a simpler question: ‘‘What does this policy hope to accomplish?’’ The next step in planning once you’ve completed your purpose and objective is to design the policy. At this point, you ask the following: ◆
Where will this policy go?
◆
Who will this policy affect?
Here’s an example: ◆
The policy will be placed on the Special_Users OU.
◆
The policy will affect all user groups placed in Special_Users OU.
After you’ve done this, you need to determine whether there are any conflicts in the policy. Is there another overlapping policy? Is there a contradictory policy? These issues are referred to as interoperability issues.
OU Structure During your planning phase, you need to think really carefully about how your OU infrastructure is maintained. In the full-blown version of Windows Server, this is more important, because there are usually a lot more OUs to worry about. With SBS 2008, your OUs are usually limited to two or three, but these two or three may be layered in what’s called a tier hierarchy. In Figure 7.1, you can see a simple SBS tiered hierarchy. As you can see, a Sales and Marketing generalized OU is at the top, and the Sales Users and Marketing OUs are tiered beneath. Within Sales Users and the Marketing OU there are Managers named specifically for their department, a generalized user group (Salespersons and Marketers) and coordinators. This lets you apply individual policies to that particular OU, instead of having to apply them to all users throughout the infrastructure.
Other Design Factors At the small-business level, you need to consider a few design factors you may not have initially thought about. These include possible internal documents that define security requirements and operational guidelines that require more careful attention to Group Policy implementation. At the medium and enterprise-scale business level, you can easily implement staging grounds for GPO implementations. This is not so much the case with SBS. More often than not, just one server runs the whole office. Thus, you need to make sure that implementation and adherence to any predefined business requirements is maintained. This way, you don’t run the risk of creating major server conflicts.
Design Once you’ve planned ahead for your Group Policy implementation, you need to begin the next step of drafting your design. When designing Group Policy, you need to keep in mind four important design elements: ◆
Inheritance
◆
Scope
175
176
CHAPTER 7 MANAGING GROUP POLICY WITH SBS 2008
◆
Objectives
◆
Delegation
I’ll go over each of these topics one at a time.
Figure 7.1 Tiered OU hierarchy Sales and Marketing
Sales Users
Sales Managers
Salespersons
Sales Coordinators
Marketing
Marketing Managers
Marketers
Marketing Coordinators
Inheritance Inheritance is the process of child containers taking linked policies from their parent containers. As an example, consider Figure 7.1 again, with its multiple tiers of infrastructure. With inheritance, if a GPO is linked to the top container, it will permeate to the remaining containers.
ADMINISTERING GROUP POLICY
Thus, if you linked a GPO to the SBSUsers container that restricted access to the Control Panel, that policy would be inherited by all other OUs within that container. Conversely, although inheritance does pass from parent to child, a child will obey any rules specifically given to it. Using the previous example, with the accounting OU, you could easily apply a GPO just to that OU to allow access to the Control Panel. And, because it has been applied directly to that child OU, it would override any inherited GPOs.
Scope Microsoft explained it best in its technical documentation: to define the scope of application of Group Policy objects, consider these main questions: ◆
Where will your GPOs be linked?
◆
What security filtering on the GPOs will you use?
◆
What WMI filters will be applied?
There really isn’t a better way to define scope than just like this. The word scope in IT essentially refers to the area in which something has control. For Group Policy, this effectively means, ‘‘Where is it linked?’’ The scope of a GPO can be extremely broad or extremely narrow, depending upon your needs. Scope with Group Policy can be a little confusing, because higher-level OUs can have policies applied to them that permeate to children — who can themselves override parentally linked GPOs. That’s a lot to swallow. Effectively, children can tell the parents they want to behave differently than the parent. But let me ask you a question. When you were a kid, who was ultimately in charge — the parent or the child? You guessed it, the parent. With Group Policy and scope, this is particularly true because parents can enforce policies on their child objects regardless of the child object’s desires. This is called the no override feature, and it can be set in a Group Policy link. A WMI filter is a Group Policy mechanism that is used to provide granular application techniques to a GPO. Typically, people use WMI filters to ‘‘filter out’’ exceptions to general rules. Say, for example, you have a rule that removes the Control Panel for all computers. However, new computers for the executives will not need to have this rule applied. Thus, you could make a WMI filter to exclude these machines from the GPO. Now, every time Group Policy refreshes, a new filter is applied.
Objectives Group Policy objectives define the exact goals you want to accomplish with your GPO implementation. In some cases, that means limiting control, and in some cases that means expanding the software and capabilities of multiple users. To define a proper Group Policy objective infrastructure, you need to make some very important objective decisions: ◆
The purpose of the GPO ◆
◆
Why are we implementing this policy? Is there an alternative? If the policy is put in place, what do you hope it accomplishes?
The owner of the GPO ◆
Is someone, other than the default administrator, responsible for the GPO? If so, why?
177
178
CHAPTER 7 MANAGING GROUP POLICY WITH SBS 2008
◆
Where the GPO is applied ◆
◆
This comes back to scope. Is the scope properly considered?
Exceptions for the GPO ◆
Are there any users of containers in any of the GPOs who need to be exceptions to that Group Policy object? If so, is there an alternative method of implementation?
Delegation One of the abilities you’re granted with the Windows Server platform is the ability to delegate Group Policy to other users and groups. Through delegation, you can add a user or group to the Group Policy Creator Owners (GPCO) or explicitly grant users permission to create GPOs. Delegation is useful in small, medium, and large businesses because it allows heads of departments, team leaders, or junior administrators to create and implement Group Policy objects on specific containers. Through Windows Server 2008 (and technically Windows NT), you can assign five permissions through the Group Policy Management Console (GPMC) snap-in, as summarized in Table 7.1. Delegation can also be granted on higher levels. Technically, you can delegate Group Policy–related decisions to users and groups on the site, domain, and OU levels. With SBS 2008, this is something you may want to use if you have a business owner or junior administrator within a small business who needs to implement group policies throughout the business at whim.
Table 7.1:
GPMC Options and Permissions in Access Lists
Option in GPMC User Interface
Corresponding NT Permission in ACL Editor
Read
Read access granted on the GPO
Edit Settings
Read, Write, Create Child Objects, and Delete Child Objects granted on the GPO
Edit, Delete, And Modify Security
Read, Write, Create Child Objects, Delete Child Objects, Delete, Modify Permissions, and Modify Owner granted on the GPO
Read (from Security Filtering)
Technically cannot be set by an administrators, but appears on the Delegation tab if a delegate has Read and Apply Group Policy permissions
Custom
A custom set of permissions
Since SBS 2008 disables these default administrator accounts by default as a security best practice, it’s really worth it to consider not just making the network administrator default account but also making an individual user account that has delegated permissions for the business owner or junior administrator. Then, the administrator or business owner can link GPOs and create GPOs at whim. Furthermore, to keep yourself safe, you can also grant individual users permission to generate Resultant Set of Policy (RSoP) permission on the site, domain, or OU level. This permission allows individual user accounts beyond the network
ADMINISTERING GROUP POLICY
administrator account to generate GPOs and simulate what it would be like to link those policies and put them in place. Overall, through delegation, administrators can save a lot of overhead. On the small-business level, various managers or small-department heads will want to implement restrictions and permissions for individuals frequently. Generally, a lot is going on in a small business, and lots of people share responsibilities. This is a pretty big contrast to a large enterprise, where users are very segmented in their responsibilities.
The Five Ps A common phrase in the IT industry that nags us all is what’s called the five Ps: proper planning prevents poor performance. As you can imagine, with all aspects of IT this is true, but in no area more so than Group Policy planning. At the small-business level, the hardware is generally so capable that it can accommodate most inefficient deployments of Group Policy. However, consider what happens as time moves on and you switch from one Group Policy deployment to another. If you’ve migrated from SBS 2003 to SBS 2008, you’ve already done this once. But the same thing can happen as you get more users and switch from a small deployment to a large one. Once I administered a small business using SBS 2003 that had to switch to the full version of Windows Server 2003. Unfortunately, the owner of the business was rather sensitive about who had access to what, so he layered multiple group policies at the site level over what became multiple machines. Eventually, things got bogged down as these policies had to be replicated to different servers and sent to the entire site. If the owner had been smart (and if his younger and more foolish administrator would have advised him), he would have taken these policies and applied them to the OU level. That way, the policies wouldn’t be placed throughout the entire site, because the scope would be more refined. Lesson learned, but it sure did take us a long time to fix it once it became a serious problem.
Deploy Once you’ve carefully considered the planning and design of your Group Policy, you can finally deploy it. At the deployment stage, you link the Group Policy object to its proper container and put it into action. Usually before this stage administrators have done their best to test the GPO in a test environment or have chosen to deploy it at a small level. With SBS 2008, this unfortunately isn’t really much of an option, because the deployment is so small already. But, with proper planning, any damage you create through improper planning should be minor. Additionally, if you’re on a budget and you’d like to be safe, you could easily implement a desktop with Microsoft Virtual PC, which is available for free. With Virtual PC, you can install the software on your server and then attempt to virtually deploy your workstation to your server to test Internet connectivity. It’s actually not that hard to set up. You just have to install Microsoft Virtual PC 2007, set up a client, and then connect that client to your SBS 2008 server.
179
180
CHAPTER 7 MANAGING GROUP POLICY WITH SBS 2008
Be Careful with Deployment You may or may not have noticed, but I tend to use ‘‘removing access to the Control Panel’’ in a lot of my examples of what can happen when you make a mistake with Group Policy. Well, there’s a reason for this. One time, a younger and more foolish Steven Johnson decided to implement a GPO that removed access to the Control Panel for all users. I had thought I’d made exceptions to the policy in the right places, but I accidentally removed it from my own user account — and the Administrator user account. Before I knew it, I had linked the GPO to the entire domain, and no one in the entire business could access the Control Panel. I didn’t know it at the time, but it was an easy fix. Regardless, I had placed myself in a position where I didn’t know what I had done and didn’t know how to fix it. And this is a place you never want to be. Generally, mistakes that we make in life come in two flavors: small mistakes and big mistakes. With Group Policy deployment, small mistakes rarely happen. (If you’ve ever used a concept called recursion in computer programming, you’ll understand what I mean.) If not, a computer science professor told me once that there are a couple things in computing that wouldn’t harm you in the least if you did them right, but if you got them wrong, they wouldn’t just blow off your foot, they’d blow off the whole leg. I’m betting a lot of you veterans out there saying, ‘‘Wow, talk about being a bit dramatic,’’ but I guarantee you that there are just as many administrators saying, ‘‘Yep. Done that before!’’ As you mess with Group Policy, strive to be the former and not the latter. One thing that makes IT miserable is war stories. They’re never pleasant to endure . . . or to retell.
At the enterprise level, Group Policy is generally deployed through several stages. If you want to know how it’s done, you can check out the ‘‘Staging Group Policy Deployments’’ article on Microsoft’s website (http://technet.microsoft.com/en-us/library/ cc787823(WS.10).aspx). But for our purposes in small business, it will not be necessary. In the following sections, I will go over two important parts of Group Policy: ◆
Creating GPOs
◆
Understanding starter GPOs
Creating GPOs You create GPOs through the Group Policy Management Console, which you can access through the Administrative Tools menu. To create a GPO, select Start Administrative Tools Group Policy Management, and select Continue at the User Account Control prompt. This will open the Group Policy Management Console that you see in Figure 7.2. On the left in the GPMC window, you’ll see a breakdown of your infrastructure from the forest and domain levels. In Figure 7.2, the top level forest is showing, followed by lots of subcontainers. Of particular interest here is the Group Policy Objects container and the Domain Controllers container. The Group Policy Objects container holds all the Group Policy objects for your enterprise. The Domain Controllers container is of interest because in larger environments
ADMINISTERING GROUP POLICY
the default domain controllers policy can control the effect of implementing Group Policy on your domain controllers, which manage all your logons.
Figure 7.2 Group Policy Management Console
On the right side, you can select a single policy and see the scope, details, settings, and delegation of each Group Policy. In this example, I’ve selected Windows SBS Client – Windows XP Policy. You can see that the location where this is applied is the SBSComputers OU. This means that all objects contained within the SBSContainers OU will have this policy linked to them. The Details tab will give you a lot of information, including the following: ◆
The domain where your GPO resides
◆
The owner of the GPO
◆
The date created
◆
The date modified
◆
The user version
◆
The computer version
◆
The unique ID of the GPO
◆
The status of whether it is enabled or disabled
The Settings tab, shown in Figure 7.3, will display an output of the administrative templates, computer configuration, and user configuration of your GPO. It’s a useful tool for seeing a quick report of how the GPO works and what it’s doing. Last, the Delegation tab, shown in Figure 7.4, will show you the user-specified permission for the GPO. In the case of the Windows XP policy, only Domain Admins and Enterprise Admins are allowed to edit or delete the policy settings. You’ll see all these factors come into play when you start to edit and manipulate Group Policy later in this chapter. But for now, you just need to create a new one. Let’s create a policy
181
182
CHAPTER 7 MANAGING GROUP POLICY WITH SBS 2008
that removes access to the Control Panel for users. In the ‘‘Creating a GPO’’ exercise, I’ll go through this step-by-step.
Figure 7.3 GPO Settings tab
Creating a GPO To complete this exercise, you must be logged on as a domain or enterprise administrator.
1. 2. 3. 4.
Open the GPMC through Administrative Tools. Right-click Group Policy Objects, and select New. In the New GPO box, name the GPO Remove_ControlPanel. The Remove_ControlPanel GPO will appear in the Group Policy Objects list. Right-click this policy, and select Edit. This will open the Group Policy Management Editor shown here.
ADMINISTERING GROUP POLICY
5. Under User Configuration, expand Policies, and then expand the Administrative Templates: Policy Definitions (ADMX files) retrieved from the local machine.
6. Select the Control Panel folder. 7. On the right, select Prohibit Access To The Control Panel, and double-click. This will open the dialog box shown here.
8. At this screen, you’re presented with three options: Not Configured, Enabled, and Disabled. When Not Configured is selected, the policy is blank and has no settings. Enabled means it has settings and is in effect; Disabled means it has settings and is not in effect. Select Enabled. Note that if you’re curious about what an individual policy does, you can select the Explain tab and see a detailed explanation of the policy. In this example, the Explain tab of this policy says the following: ‘‘Disables all Control Panel programs. ‘‘This setting prevents Control.exe, the program file for Control Panel, from starting. As a result, users cannot start Control Panel or run any Control Panel items. ‘‘This setting also removes Control Panel from the Start menu. This setting also removes the Control Panel folder from Windows Explorer. ‘‘If users try to select a Control Panel item from the Properties item on a context menu, a message appears explaining that a setting prevents the action.’’ At this point, you have the option of getting a bit more customized. Say you’d like to actually allow users to control the sound settings on their computers. This requires a little more effort.
9. Click Next Setting. 10. Select Enabled. 11. Select Show.
183
184
CHAPTER 7 MANAGING GROUP POLICY WITH SBS 2008
12. In the list of allowed Control Panel items, type Sound. Then click OK. 13. Click Apply. 14. Click OK. 15. Navigate to the GPMC. Here, right-click an OU (don’t do the whole domain — you want to test this policy first), and select Link An Existing GPO.
16. Select Remove_Control Panel. Click OK.
Figure 7.4 GPO Delegation tab
Starter GPOs If you completed the ‘‘Creating a GPO’’ exercise, you may have noticed that when you created the GPO, you had the option to choose a starter GPO as the base for your new Group Policy object. Starter GPOs are collections of ADMX templates with certain policy settings that allow you to create a new GPO based on a set of predefined GPO settings. They’re really convenient, because with starter GPOs, a lot of the work you’d have to do to make a more complicated policy is already done for you.
Maintain Once you have completed the process of planning, designing, and finally creating your GPOs, you get to go through the process of maintaining them. Maintaining Group Policy in Windows usually involves the processes of editing GPOs, changing link locations and scope, and backing up and restoring GPOs.
ADMINISTERING GROUP POLICY
Editing GPOs and GPO Links I’ve already discussed the primary tool you use to edit Group Policy, the Group Policy Management Console. This snap-in is designed to allow you to set Group Policy settings and preferences. However, the GPMC does not allow you to delete a policy or to manage a Group Policy link. This is done using an alternative method described in the following sections.
Deleting a GPO Removing a GPO from Active Directory is a relatively simple process. To delete a GPO, you only need to select the GPO and either hit the Delete key on your keyboard or right-click and select Delete. Additionally, if this GPO is linked in other locations, the GPO links will be destroyed.
Editing GPO Links To edit a GPO link, you can navigate to the GPMC, right-click your local domain, and select Search. As an example, navigate to the Group Policy object search box that you see in Figure 7.5 and select All Domains Shown In This Forest in the drop-down box. Below that are three drop-down boxes: ◆
Search Item
◆
Condition
◆
Value
Search Item allows you to specify what type of Group Policy–related function you’re looking for. This includes the following: ◆
GPO name
◆
GPO links
◆
Security groups
◆
User configuration
◆
Computer configuration
◆
GUIDs
If you put GPO links in that field, you can jump to the next field, Condition. Usually, Condition autofills to Exist In, but you can also choose Do Not Exist In. Leaving it as the default lets you choose the last field, the value. The Value field allows you to search by Active Directory site to see where you’d like to search in your infrastructure. As an efficiency buff, I usually try to refine my searches by the most local method possible, unless I’m working with a really big enterprise, in which case it can take an extremely long time and be quite confusing. Once the three fields have been filled in, you can click the Add button. This adds the three subfields you just populated to one true search criteria field. Note that you can also add another field if you want by filling out the subfields again. Then, when you search, you’ll be able to see the results all at once. But in any event, hitting the Search button will begin the search. Double-clicking any of the search results will bring you back to the Group Policy Management Console, where you can review any links present. The Group Policy search function is
185
186
CHAPTER 7 MANAGING GROUP POLICY WITH SBS 2008
very useful if you end up with a lot of Group Policy objects and a lot of Group Policy links. But if you have only a few, you might as well just alter them in the GPMC directly.
Figure 7.5 Searching for Group Policy objects
Altering Scope By default, GPOs apply to all authenticated users in an Active Directory infrastructure. However, sometimes you may want GPOs to apply only to certain users in the environment, like if you had some executives you wanted to exclude from a restrictive policy. You can alter this by selecting the Scope tab in the GPMC and clicking Add. There, you can choose a specific user or security group, add it, and then remove the default Authenticated Users group. This makes the GPO only affect the groups you’ve specified. This is the process of group filtering.
Using Loopback Processing Covering this topic is probably a little overboard for this book, because I can’t recall a single instance where I’ve used loopback processing with an SBS environment. But I thought I’d explain what it is for the sake of thoroughness. Loopback processing is using computer policy settings over user policy settings. Effectively what happens is that a user can log on to the machine from any location, and if they do, from that machine the Group Policy options for the user account aren’t deployed; the computer settings are enabled instead. A good example of where this might be useful is a computer dedicated to browsing the Internet. Lots of small businesses have a break room or somewhere that they’ll set up a computer that employees can use to surf the Web, check their personal email, chat, and so on. If you have a Group Policy that disables all these features for a user account but want someone to be able to use them while on that machine, loopback processing is for you.
ADMINISTERING GROUP POLICY
Loopback processing is available in SBS 2008 in the Group Policy Editor snap-in. There are two options with loopback processing: Merge mode In merge mode, all GPOs are placed together in one spot. This means that you can specify computer settings and user settings. Examples of where you might want to use something like this are if you have a machine that you want to be especially restrictive. This way, you could enforce all the general user restrictions and beef them up with the computer’s own restrictions. Replace mode Replace mode is the more commonly used method. With replace mode, user information is completely overridden by machine settings. Replace mode is what you’d like to use for the earlier break-room example, with a machine that needs specific privileges outside the normal user account privileges.
Group Policy Propagation With every version of Windows Server since Group Policy was first implemented, Group Policy has automatically refreshed every 90 minutes as these policies are replicated. This means that whenever you place a new Group Policy setting, this policy won’t be enforced unless a major system event happens, such as the computer starting or a user logging out and logging in. If you’ve ever implemented a Group Policy setting and want it to be propagated immediately, you can use the gpupdate command. This command allows you target a specific computer or user and force them to update their policy. For example, the following command: gpupdate /target:Computer1 /force
would force computer1 to update its policy immediately.
Backing Up GPOs If you ask me, or just about any other administrator, Group Policy can be hard work. And if you have any skill with system administration, you should have already learned that any administrator worth his or her salt tries to do as little real honest-to-God hard work as possible. Just kidding. Well, maybe. Regardless, because so much goes into creating Group Policy, it’s important that you back it up so you don’t have to do it again. Microsoft SBS 2008 has an easy convention for backing up all the GPOs in your infrastructure. From the GPMC, select the Group Policy object, right-click it, and select Backup All. This opens the dialog box you see in Figure 7.6. Note that the Backup Object box does not back up IPsec or WMI filters. To back up your files, you’ll need to click Browse and select a location within your directory structure to store the backup files. Note that you can add a description to the backup. Personally, I find it useful to include a date. For example, 6_09_2013 would show a backup for June 9, 2013. Once you click Back Up, the process begins. Sometimes it can take a little while. But at the end of it, you should see something like this: GPO: Default Domain Controllers Policy...Succeeded ----------------------------------------------------------------------------GPO: Default Domain Policy...Succeeded -----------------------------------------------------------------------------
187
188
CHAPTER 7 MANAGING GROUP POLICY WITH SBS 2008
GPO: Remove_ControlPanel...Succeeded ----------------------------------------------------------------------------GPO: Small Business Server Folder Redirection Policy...Succeeded ----------------------------------------------------------------------------GPO: Update Services Client Computers Policy...Succeeded ----------------------------------------------------------------------------GPO: Update Services Common Settings Policy...Succeeded ----------------------------------------------------------------------------GPO: Update Services Server Computers Policy...Succeeded ----------------------------------------------------------------------------GPO: Windows SBS Client - Windows Vista Policy...Succeeded ----------------------------------------------------------------------------GPO: Windows SBS Client - Windows XP Policy...Succeeded ----------------------------------------------------------------------------GPO: Windows SBS Client Policy...Succeeded ----------------------------------------------------------------------------GPO: Windows SBS CSE Policy...Succeeded ----------------------------------------------------------------------------GPO: Windows SBS User Policy...Succeeded ----------------------------------------------------------------------------12 GPOs were successfully backed up. 0 GPOs were not backed up.
Figure 7.6 Backing up a Group Policy object
If a GPO isn’t backed up for whatever reason, it will be displayed. This can happen sometimes if a GPO is linked to multiple different areas and it throws an exception. I’ve seen this maybe twice, though, so it’s rare. To restore the backup, you can just right-click the GPO and select Manage Backups. Then choose the GPO you want to restore from the backup.
SPECIAL USES OF GROUP POLICY
Special Uses of Group Policy Beyond simple restrictions and permissions, Group Policy has several other special applications you need to be familiar with to properly administer it. These features include the ability to deploy software, redirect user folders, publish applications, and control user profiles. As a small-business administrator, you really need to be familiar with how to use Group Policy to accomplish these applications so that you can remove the need for users to request software, files, folders, or information necessary to do their job. Instead, it’s all automated through a simple application of Group Policy.
Software Deployment The grand prize of administration (or certainly the door prize) is the ability to watch your users log on, retrieve software they need to do their job, and not bother you one little bit. Through Windows Server Group Policy, you can choose where to apply your Group Policy, whether it’s on users, groups, or even computers. Group Policy allows you to be very specific with where the applications or software is deployed and who has access to it. In this section, I’ll go through several exercises that will take you through this step-by-step.
Prerequisites for Deployment Group Policy software deployment requires three essential elements to be completed successfully: Licenses for the appropriate software Not all software can be deployed at whim. In the case of programs like Microsoft Office, you need to make sure that you have the proper licenses to deploy the software how you would like. A distributed file system share or shared folder At some point in your infrastructure, you need a publicly accessible folder that contains the software installation files necessary to complete your software. Specifically, this DFS or file share folder should contain the permissions shown in Table 7.2. Your software should be placed within this folder.
Table 7.2:
DFS/File Share Settings
Account
Permission
Authenticated Users
Read and Execute
Domain Computers
Read and Execute
Administrators
Full Control
Appropriate Group Policy settings the GPMC.
These are set up in your GPO, and the link is created in
Preparing Your Software for Deployment Preparing your software for deployment is a prerequisite, so you should have created a shared folder or DFS where you have either installed your software or placed your setup files. The easiest way to do this is to create a shared folder, share it, and then place all the required files
189
190
CHAPTER 7 MANAGING GROUP POLICY WITH SBS 2008
in that location. By making a shared folder, you allow Active Directory to access the folder and share all the setup information contained within it.
Creating Software Deployment Policies To create a software deployment point, you first have to create a Group Policy object in your domain like you did earlier in the chapter. Then, in the Group Policy Management Console, you’ll need to define your software deployment policies for the new GPO you’ve just created. You can do this by expanding Computer Configuration Policies Software Settings and then right-clicking Software Settings and choosing Properties. This will open the Software Installation Properties dialog box you see in Figure 7.7.
Figure 7.7 Software Installation Properties dialog box
In the Default Package Location text box on the General tab, you can either manually enter the directory of your software or click the Browse button to find it. Then, you can choose from two different sets of settings — one for determining the new package addition settings and the other for installing user interface options. There are four options contained within the New Packages area: Display
Displays a dialog box to the user that asks if they’d like to install software
Publish
Publishes the application with default settings
Assign
Automatically assigns the application with default settings
Advanced
Offers customized settings with two options:
Basic The user has limited perception of the installation taking place. Maximum The user can see everything happening during the installation.
GROUP POLICY PREFERENCES
On the Advanced tab of the Software Installation Properties dialog box, you can choose to uninstall the application when it falls out of scope management, and you can also specify the types of applications that can be installed on 64-bit machines (since they natively support x64 and not x86). The File Extensions tab allows certain types of files to take priority, but it will be blank the first time you create a software installation object. Later, it will be populated with known and associated software packages. Lastly, the Categories tab allows you to create categories of software for user browsing. For example, you could create a category called Office Software, which could contain Microsoft Office or Microsoft Works. Once you’ve made your software installation decisions, you can assign a software package to your Software Installation folder. You can do this by right-clicking the Software Installation GPO in the Group Policy Management Console and selecting New Package. You’ll then need to browse to the folder or DFS where you’ve shared your packages (MSI or ZAP files) and click Open. After answering a few self-explanatory questions, the policy will complete.
Group Policy Preferences New to Windows Server 2008, Group Policy preferences allow administrators to implement preferences on existing GPO links. This is a really impressive new feature, because Group Policy preferences have really changed a lot of the available features and settings you can use with Windows Active Directory. This includes the ability to map drives, create logon scripts, and administer settings. Overall, there are some very major differences between Group Policy preferences and Group Policy settings that you need to be familiar with, as summarized in Table 7.3.
Table 7.3:
Group Policy Preferences vs. Settings
Group Policy Preferences
Group Policy Settings
Not enforced
Enforced
Can affect individual files
Cannot affect individual files
Cannot be used at a local level
Can be used at a local level
Supports non–Group Policy applications
Can be used only with Group-Policy-aware applications
Overrides settings
Does not change settings
Very specific
Very general
Easy to use
Fairly complicated
Microsoft has published an informative white paper on Group Policy preferences for the full version of Windows Server 2008. If you’re interested, you can find it in the Microsoft White Paper Downloads section. Microsoft gives a detailed explanation of Group Policy preferences, as well as a decision tree of whether you should used Group Policy preferences. Effectively, you should use Group Policy preferences if any of the following apply to you:
191
192
CHAPTER 7 MANAGING GROUP POLICY WITH SBS 2008
◆
Your application does not understand Group Policy.
◆
The user needs to be able to change the settings in the policy.
◆
You require more finite control of a Group Policy setting.
Group Policy preferences generally tend to take one of four forms: Create Creates a new Group Policy preference Replace Replaces another Group Policy preference Update
Updates a Group Policy preference with another setting
Delete Deletes a Group Policy preference Group Policy preferences are divided in two different areas: Windows Settings and Control Panel Settings. In Windows Settings, you can control the following: ◆
Applications
◆
Drive maps
◆
Environment settings
◆
Files
◆
Folders
◆
INI files
◆
Registry settings
◆
Shortcuts
In Control Panel Settings, you can control the following: ◆
Data sources
◆
Devices
◆
Folder options
◆
Internet settings
◆
Local users and groups
◆
Network options
◆
Power options
◆
Printers
◆
Regional options
◆
Scheduled tasks
◆
Start menu
Let’s take a look at an example of applying a Group Policy preference in the following exercise.
THE BOTTOM LINE
Applying Group Policy Preferences: Mapping a Drive To complete this exercise, you will need to be logged on as a domain or enterprise administrator.
1. Open the Group Policy Management Console by selecting Start Administrative Tools Group Policy Management.
2. Either create a new GPO for your setting or right-click an existing GPO and select Edit. 3. In the Group Policy Management Console, expand User Configuration\Preferences\Windows Settings, and select Drive Maps.
4. In the whitespace, right-click and select New Mapped Drive. 5. Select Create as your action. 6. Select the location of your mapped drive by clicking the ellipsis ( . . . ) button by the Location button.
7. Click Find Now at the Active Directory search location. 8. Select your map drive. 9. Click OK.
Group Policy Results One of the last features you need to understand about Group Policy management with Windows Small Business Server 2008 is the Group Policy Results Wizard. The Group Policy Results Wizard is the primary tool you can use to view group policies and see which policies are applied first and where they are applied. Like most wizards, the Group Policy Results Wizard is fairly easy to understand and use. Using the Group Policy Results Wizard is as simple as opening the GPMC, right-clicking Group Policy Results, and navigating through the wizard. There are a couple options, such as who is going to be generating the results and which computer the wizard is being run upon. Once the wizard completes, the results will be displayed underneath the Group Policy Results folder. There, you can view reports of the policy by selecting the report, and you can even rerun the query. This is a very nifty feature if you ever want to check to see how your policies are applying across the network.
The Bottom Line Create Group Policy objects Group Policy objects in Active Directory allow you to create a policy and link it to a location somewhere in Active Directory. GPOs are Active Directory objects and do not take effect unless they are linked; otherwise, they are just static objects. Master It Create a Group Policy object that turns off crash detection for Internet Explorer.
193
194
CHAPTER 7 MANAGING GROUP POLICY WITH SBS 2008
Link a Group Policy object to an Active Directory object Group Policy objects do not have any effect until they are linked. With Windows Server, you need to link an existing GPO to an area within Active Directory. Master It Create a new GPO called Test, and leave it unlinked. Then, manually link Test to an OU in your directory infrastructure. Edit a Group Policy object Group Policy usually requires a great deal of maintenance. This is usually conducted through the Group Policy Management Console. Master It Edit the Internet Explorer Crash Detection object to allow crash detection, and then enforce full-screen mode. Delete a Group Policy object Removing a Group Policy object involves deleting the object and any links associated with that object. Otherwise, there can be unresolved components of your Active Directory infrastructure. Master It Remove the Test GPO link, and delete the Test GPO with no conflicts.
Chapter 8
Backing Up and Performing Disaster Recovery If you can find an administrator who’s never had to restore from some sort of disaster, failure, or act of nature, I’ll give you a prize. More so than any other problem, failure to establish a safe and thorough backup in a small, medium, or large enterprise can result in the loss of tens of thousands, if not millions, of dollars in lost productivity, information, and potential revenue. Furthermore, in the past decade, technology has evolved so fast that we upgrade, change, or evolve our network at a never before seen pace. With these changes there is often a difference in the way we do business, but there’s very rarely a change in the data that we use. At the end of the day, we always seem to keep hold of the same old data. Therefore, it has become important over the past few years to be exceedingly diligent and attentive with your backup strategy. Without a strong backup plan, you could potentially lose financial information, sales figures, documentation, websites, programming files, and a cornucopia of other precious information. In this chapter, I’ll discuss the myriad of backup opportunities available with Small Business Server 2008. In some cases, this method is Windows, but this chapter will also extend to general backup strategies and third-party tools and tool types you can use to ensure your company is properly backed up. I’ll start this discussion by covering one of the most important concepts in all of information technology: RAID. In this chapter, you will learn how to ◆ Understand RAID ◆ Recognize different backup media types ◆ Implement a backup strategy ◆ Recover data
RAID In the world of making backups, the often-used ‘‘first line of defense’’ against a potential problem is the use of a Redundant Array of Independent (or Inexpensive) Disks (RAID). At this
196
CHAPTER 8 BACKING UP AND PERFORMING DISASTER RECOVERY
point in your career, you have probably set up or used machines that have been RAID capable, or you have set up RAID yourself. And if not, RAID isn’t such a bad thing. RAID is just what it sounds like: Redundant Array
An organized collection
Independent Disks
Meaning more than one
In and of itself, belonging to only one portion of the organization
A hard disk drive
RAID is used in businesses to collect large amounts of data into one place for the purpose of being distributed in different ways throughout your business. For example, say your business needs 4TB of hard disk space on a shared drive that users in your small business use for storing video and music (for business purposes, of course). Well, that’s all fine and dandy, but what happens if you only have four 1TB drives? You’re out of luck, right? Wrong. With RAID, you can combine these four independent disks into one very large array. Specifically, as an administrator, you can collect these four disks together via RAID and make them one giant collection of data. Effectively, they’re one giant hard drive. RAID can be achieved in one of two fashions (or types) that each support multiple different types of RAID implementations. The first type of RAID is called software RAID. This is when a piece of software, usually an operating system, collects disk data and uses its own knowledge of the existing hardware to make another piece of software see these disks as a large volume. It’s a handy trick, and if you don’t care about a couple of limitations — such as that this drive won’t be able to be booted from, and there are little to no backup measures besides the operating system’s own software configuration — it’s a very handy method. The second type of RAID is called hardware RAID. This is when a piece of hardware (usually a RAID configuration card) configures the RAID in such a way that the hardware collects the data of these drives together through the use of the hardware’s onboard software. I’ll now go into both of these RAID types in more detail.
Software RAIDs The simplest form of RAID is configured in software. With this type of configuration, the administrator uses multiple available drives and storage devices to combine available space into one (or multiple) logical drive for the purpose of storing large amounts of data over several volumes. Normally, software RAID is used in situations where there is a large amount of non-mission-critical data space accessible over several drives that are not linked together in hardware. Using Windows Small Business Server 2008, administrators can easily span a RAID together through the use of Windows Disk utilities. However, each disk used in the RAID must be configured as a dynamic disk. Let’s talk about what that means. In Windows, there are two types of disks, simple and dynamic. A simple disk is, well, simple! It’s just a disk that isn’t going to do anything special. It’s going to sit there, say ‘‘I’m a hard drive,’’ and spit out data all day long. A dynamic disk, on the other hand, is a disk that has been configured by the operating system to take place in logical partitioning. If you remember from your early computing years, a hard drive partition is a logical separation of a hard drive into multiple parts. A logical partition is the logical separation of an already logically partitioned drive. Makes perfect sense, right? Well, maybe not. What it really means is that a hard drive, which contains a certain amount of data, was separated when it was first created into
RAID
different portions or parts called partitions. Then, each of these partitions has been further separated into even further ‘‘logical’’ partitions that are taken advantage of in software. Once a disk is made dynamic, disk utilities can store the software ‘‘RAIDed’’ data in either RAID 0, RAID 1, or RAID 5, all of which will be discussed in the ‘‘RAID Configurations’’ section, after I go over hardware RAID.
Hardware RAIDs A hardware RAID is a RAID in which individual drives have been partitioned and segmented through the use of a hardware device, such as a RAID card, in such a way that the operating system or software recognizes them as one independent device or a custom number of independent devices as determined by the administrator during setup. Some advantages of hardware RAID are that it is faster, is more efficient, and involves less burden on the server to set up than software RAID. However, it is also much more expensive because it requires you to purchase dedicated hardware. One of the biggest advantages to hardware RAID is that it doesn’t rely upon something as fickle as an operating system (not that all operating systems are that bad — some are friendlier than others). Hardware RAID takes the decision of what a hard drive actually is, whether simple or dynamic, away from the operating system and instead tells the operating system through hardware that ‘‘these drives are actually one disk.’’ The operating system then just accepts this, because operating systems are software and can complete tasks only so long as the pieces of hardware allow them. If a piece of hardware says ‘‘I am a 4TB disk’’ to the operating system, the operating system will just say ‘‘OK, got it’’ and move on with its life, treating that disk as a 4TB device. Once you’ve decided whether to use hardware or software RAID, you then have to decide which of the multiple RAID types you’ll use to set up your RAID. I’ll talk about these RAID types in the next section, ‘‘RAID Configurations.’’
RAID for Speed! It’s often surprising that many administrators don’t realize there are other benefits to RAID beyond maximizing space and reliability. RAIDs can actually make your applications and operating system blazingly fast! This is because when you spread data across multiple volumes in an array (like in RAID 0 or RAID 5), multiple hard drives can be working at the same time. So, for example, say you had four drives all arrayed into one large collection. If you tried to retrieve part of the data from one drive, you would have four different volumes all trying to churn out any piece of that data they had. In other words, if you have a 1GB file, such as an operating system installation, and you wanted to retrieve that file, approximately 250MB of that file would be placed on four different volumes. Thus, when you try to retrieve that data, the drives all work together with each one only having to put out their portion. This means that instead of shooting out 1,000MB for one drive, you only have to shoot out 250MB, just four volumes at a time. This concept is critical for installations on I/O-intensive applications like SQL Server. If SQL Server is placed on a server with an array spanned across multiple drives, the speed is going to be greatly enhanced. Of course, when you spread out data onto multiple drives, you face a problem: what happens if one of those drives fail? There are ways to recover, as you’ll learn about in the ‘‘RAID 1’’ and ‘‘RAID 5’’ configuration sections, but it’s still a risk.
197
198
CHAPTER 8 BACKING UP AND PERFORMING DISASTER RECOVERY
RAID Configurations Administrators can use RAID in several ways to place data across multiple volumes and create redundancy and fault tolerance. These different methods exist because every project and every server has its own purpose. Does it need to be up all the time? Is the data vital to the completion of business? Is it wise to have this data spanned across multiple drives for the sake of speed at the risk of drive volatility? All these questions have to be asked and solutions provided for them. With most operating systems or RAID cards, there are three RAID types, as well as a hybrid of those types. These RAID types are as follows: ◆
RAID 0
◆
RAID 1
◆
RAID 5
◆
Hybrid [Raid 01]
RAID 0 RAID 0, or striping, is the process of taking several disks and combining them into one large, maximum-speed disk. In the industry, RAID 0 is often referred to as a span. RAID 0 provides no fault tolerance, and thus it’s used only for data that is not mission critical and can be easily recovered. However, RAID 0 does have several important benefits. First, it is the fastest of all RAID types. Using RAID 0, you can achieve speeds of data input and output far greater than any other RAID configuration. Furthermore, RAID 0 is also the easiest to set up. A lot of organizations use RAID 0 on a server that is critical to business when on a limited budget. This is because RAID 0, in combination with another technology such as tape backup, can provide an excellent means of cost-effective storage. Obviously, RAID 0 is supported in both hardware and software configurations. However, RAID 0 cannot be booted from in software configuration. This is because the operating system as it boots has no idea where to find the drive with the existing NT loader. Thus, in order to trick the operating system into understanding RAID 0, a hardware device is required.
When to Use RAID 0 RAID 0 is an incredibly useful feature for small businesses that deal mainly with a large amount of data that doesn’t need backup protection. A great example of a company that might use RAID 0 is a graphic design firm, which may use a large scrap volume for their images. They could use RAID 0 to collect the volume and place it on the disk and not have to worry about losing the scraps if a drive goes bad.
RAID 1 RAID 1 is referred to as mirroring. In RAID 1, a bit-for-bit copy is exchanged from one drive to another. If a change is made to one drive, the change is matched to another drive that is a mirror image of it. This way, if one drive ever goes bad, you instantly have access to a direct copy of that drive to pick up where you last left off and recover to your full operating potential.
RAID CONFIGURATIONS
The disadvantages of RAID 1 are that it’s slow and provides no methods for data efficiency but, more important, that it provides less access to space than you would normally have with two separate drives. When using RAID 0, you would have access to twice the amount of data than you would with RAID 1, because for each individual drive that is used, there is a completely separate drive that remains relatively inactive because it just copies data.
When to Use RAID 1 For your small business, RAID 1 is useful in situations that require a drive’s data to be completely and reliably backed up. This configuration allows not only for critical data backup but also provides the means to restore that data in nearly no time.
RAID 5 When RAID 5 was first introduced, a lot of administrators called it ‘‘black magic.’’ That’s because they just couldn’t figure out how it worked! Most administrators, including me, just looked at RAID 5 and knew the following: ‘‘It provides speed increases and redundancy.’’ The truth is, RAID 5 is actually fairly easy to explain — though I imagine it wasn’t quite as easy to engineer. RAID 5 makes use of a parity bit. A parity bit is just a 1 or 0 that is placed on a drive dedicated to storing parity bits. What a parity bit is responsible for is answering the question, ‘‘Is this data different?’’ RAID 5 uses a minimum of three drives — two that store data and one that stores the parity bits. The way the parity bit comes about is by taking data on the first drive, comparing it with data on the second drive, and saying ‘‘Is this different?’’ So, for example, say you have three drives like in Figure 8.1.
Figure 8.1 Parity bits
1 0 1 0 1 0 1 1
0 1 0 0 1 1 0 1
1 1 1 0 0 1 1 0
In row A, Drive1 has a 1 in its first bit, and Drive2 has a 0 in its first bit. Well, those two numbers are different. Thus, the parity bit is set to 1. On row B, Drive1 has a 1 in its second bit, and Drive2 also has a 1. Since these are the same, the parity bit has been set to 0 and basically says, ‘‘False. These are not different.’’ Let’s see what this accomplishes. Say I lose one drive, like Drive1 in Figure 8.2. Well, my data is gone, right? Wrong. I have a parity drive! By looking at this, I can do as you see in Figure 8.3 to compare this data and say, ‘‘Well, if the parity bit is a 0, I can assume this data is the same. If it’s a 1, I can place the opposite data from what’s contained in the working drive.’’ Thus, you can see how if you lose one drive with your data on it, the parity bit can help you rebuild the data. Now, of course, if you lose the parity drive, you’ll be perfectly fine because
199
200
CHAPTER 8 BACKING UP AND PERFORMING DISASTER RECOVERY
this drive is used to store only parity information, not actual data like the main drives. In this case, you could replace the failed parity drive with a new drive that would rebuild its parity information by comparing the two existing drives bit by bit.
Figure 8.2
1 0 1 0 1 0 1 1
Failed drive
Figure 8.3 Drive rebuild
1 0 1 0 1 0 1 1
× × × × × × × ×
× × × × × × × ×
1 1 1 0 0 1 1 0
1 1 1 0 0 1 1 0
= = = = = = = =
0 1 0 0 1 1 0 1
As you can see, there is a huge advantage to RAID 5. It’s both fast and offers redundancy. But there are also some major downsides. For one thing, it’s expensive and requires at least three drives. Also, RAID 5 cannot be booted from unless you have a hardware RAID card, just like RAID 0. However, for a high-budget enterprise solution, RAID 5 is priceless.
When to Use RAID 5 RAID 5 is the de facto standard of RAID configurations. Unless another configuration offers clear, specific benefits for your situation, use this as your default RAID configuration and the normalized method of RAID (if your budget allows).
Hybrid (RAID 01) RAID 01, also called RAID 0+1, is the first of several ‘‘mixed RAID’’ modes that are available on the high end of storage solutions. In the enterprise, you’ll often run into situations where a simple storage solution utilizing one of the three main RAID types (0, 1, 5) will not be enough, and so you’ll need the advantage of another type of RAID. This type of situation most commonly occurs when an organization demands the speed and accessibility of RAID 0 but also desires the reliability that only RAID 1 can bring. RAID 5 can provide some of these features, in that it can both provide redundancy and improve speeds, but on its own RAID 5 cannot completely stripe together several volumes and then completely mirror them. Using RAID 01, an entire stripe is mirrored onto a completely different stripe. This means there are effectively two complete RAIDs, each of which contains mirror-like setups of their
BACKUP MEDIA TYPES
disk configuration. And these RAIDs have been set up to mirror each other’s data. In other words, you’re mirroring an entire RAID, not just a drive. As mentioned earlier, this is very useful for high-end, demanding environments, but it’s not good for all users. First, RAID 01 is probably the single most expensive implementation of RAID because it requires multiple drives with an exact mirror of the same multiple drives. Thus, you can’t really have RAID 01 without a minimum of four hard drives (two for the stripe and two for the second mirrored stripe). In the real world, you should use this when the organization can afford it and when both speed and reliability are absolutely essential.
When to Use a Hybrid RAID The main point of using a hybrid RAID is to create a situation where we achieve both speed and redundancy in the same location. Because of this, you should consider implementing a hybrid RAID in a spot where you need the advantages of one type of raid, say the speed of ‘‘0’’ and the redundancy of ‘‘1’’ in one place.
Backup Media Types With Small Business Server, you have only one central point of access for your infrastructure’s data. This means you need to make sure this central point of possible failure has its information offloaded onto different backup types on a frequent basis. Notably, with SBS 2008 you usually take advantage of one of three backup media types: ◆
External disks
◆
Tape backup
◆
SAN/NAS
The type of implementation you use depends a lot on your organizational needs and your company budget. Since you’re using SBS, chances are your budget is relatively small, and some of the more elaborate backup options will not be available to you. But in the following sections, I’ll go over each of these backup media types and a typical scenario where these are commonly used.
External Disks External disk drives are hard drives that are connected externally to a computer through various media attachment methods, such as FireWire (IEEE 1394) and Universal Serial Bus (USB). USB and FireWire technology have several notably different speeds.
FireWire FireWire typically comes in two major varieties — FireWire 400 and FireWire 800. FireWire 400 is, as of the printing of this book, the most common implementation of FireWire. It supports the following speeds: ◆
100Mb per second
◆
200Mb per second
◆
400Mb per second
201
202
CHAPTER 8 BACKING UP AND PERFORMING DISASTER RECOVERY
Although technically the rates of these transfer are 98.304, 196.608, and 393.216Mb per second, the numbers are so relatively close that it’s easier to just condense them to these three speeds. Small businesses usually use FireWire 400 for single-disk external drives that don’t support any form of redundancy. FireWire 400 is an excellent choice for these types of implementations because FireWire’s speed of 400Mb per second roughly translates to 50MB per second, which is very close to the maximum transfer rate of a single hard drive. However, some new hard drives have been measured to output up to astonishingly high numbers, including 80MB per second. Thus, in the future, FireWire 800 may be the more popular solution. FireWire 800 supports the same speeds as its predecessor, FireWire 400, along with an even higher speed of 800Mb per second (although this is technically 786.432Mb per second). In the small-business environment, FireWire 800 is used to transfer data to external hard drives that either are high performance or have some form of redundancy built in through the enclosure. The only noticeable physical difference between FireWire 800 and FireWire 400 is that FireWire 800 has a different connection device attached to the end of it that is much more distinctly square. Some modern hard drives will actually contain both. However, the conundrum that can pop up is that FireWire supports massively high transfer rates, but most hard drives are usually peaked in the range of 50MB–100MB/sec, depending on how fast the particular drive is. But (at least for the foreseeable future), there are no hard drives that can peak out up to the rate of FireWire. Of course, the exception to this is if you have a hard raided device that contains multiple hard drives that can put all their data out together in one very fast stream. At the small-business level, FireWire is especially useful because FireWire, unlike USB (discussed in the next section), requires very little processing power to both attach devices and transfer data. If you’re operating a Small Business Server that’s under a pretty heavy load, it’s probably a good idea to consider using FireWire attachments, because they can be easily added and not tax your server.
USB USB is the second of two types of external connection methods I’ll discuss. Far more common than FireWire, USB is used to attach hard drives, keyboards, mice, and various external devices to computers. At the small-business level, USB is used for many different purposes, including backup. Technically, using USB, Small Business Server can connect up to 127 external devices, which will communicate at potentially extremely fast speeds. USB comes in two different flavors used with Small Business Server: ◆
USB 1.1
◆
USB 2.0
However, USB 1.1 is nearly obsolete. It’s only important to mention because certain devices, such as mice and keyboards, connect at USB 1.1 instead of 2.0. Also, USB 1.1 is easier on the CPU, because it requires less of a transfer rate. It’s important to note that, unless a USB external disk is connected at a speed of USB 2.0, the hard drive will run extremely slow. The difference between these two types of USB connections are dramatic: ◆
USB 1.1 transfers at a rate of 12Mb per second.
◆
USB 2.0 transfers at a rate of 480Mb per second.
Using USB 2.0, you can transfer data at an extremely fast rate and connect multiple devices easily. The only downside to USB is that it requires processing power to transfer data across it, and USB-bootable devices can cause potential problems within the server’s BIOS because USB has a bad habit of placing itself as a priority boot device. If this happens to you for
BACKUP MEDIA TYPES
some reason, you’ll know it because after you’ve attached a bootable USB device (including a CD/DVD-ROM), the machine will boot into a black screen and either not progress or show that the system disk is invalid. You can easily solve this by just unplugging the USB device and rebooting your server — although it’s a bit of a pain sometimes.
Using External Drives with Small Business Server When I do work with small businesses, I frequently use external drives as an off-site storage method. Currently, external hard drives are available in multiple terabyte formats and can contain a vast amount of data. This means there are many occasions where an entire server’s data can be transferred to an external hard drive. The only downside to this is that USB or FireWire hard drives are often slow and a little unreliable, because they’re usually just IDE or SATA drives attached to an (often even more unreliable) enclosure. But if you’re willing to look past that they’re a little unreliable, they can be a real lifesaver. More often than not, I use an external hard drive when I just need to know I have a quickly accessible backup in case of a failure. However, I don’t plan on using these hard drives as a critical point of recovery but instead more as a quickly and easily accessible backup medium that may at one time become needed.
Tape Backup Quite possibly the most common and reliable type of critical recovery backup media is the tried-and-true form of tape backup. Tape backup has been used in the information technology industry for more than 20 years. Unlike other older technologies that no longer have their place in a modern world, tape seems to continue being a valuable technology. However, in the coming years up to 2020, this will probably begin to change. With solid state drives becoming larger and larger and with hard drives as a backup form becoming more and more reliable, the need for slow and perishable tape will most likely fall into the annals of IT history. For the moment, however, you need to keep it in mind, because it’s still the king of a critical and reliable backup strategy because of its easy implementation, widespread support, and low cost. Modern tape backup systems come in two different flavors: DAT and LTO.
DAT The oldest and least common of the tape backup types is digital audio tape (DAT). DAT (as the name implies) was originally used for recording digital audio onto tape. Originally developed by Sony in the 1980s, DAT has become less common because it has now been relatively replaced by LTO technology, which I’ll discuss in the next section. However, in some circumstances, there may be an occasion where you do some consulting and run into a legacy DAT drive that a company may keep around to store small amounts of data (typically less than 50GB). But, in general, newer businesses will frequently use LTO.
LTO By far the most common type of backup tape system, linear tape open (LTO) is a tape backup convention created by Hewlett-Packard in the 1990s. LTO currently comes in four different varieties: ◆
LTO-1
◆
LTO-2
203
204
CHAPTER 8 BACKING UP AND PERFORMING DISASTER RECOVERY
◆
LTO-3
◆
LTO-4
Additionally, there are two newly planned implementations: ◆
LTO-5
◆
LTO-6
Using LTO, administrators can store up to 800GB per tape, depending on which of the LTO standards are used. Each of the numbers attached to the LTO standards (1, 2, 3, 4, 5*, 6* [Note that five and six are not yet released]) indicates the generation of LTO that the tape and drive are. LTO-1 came out in 2000, then LTO-2 in 2003, LTO-3 in 2004, and LTO-4 in 2007. If you’re interested in seeing all the differences among the LTO generations, through LTO-6, you can check out Table 8.1.
Table 8.1:
LTO Speeds
Specification
LTO-1
LTO-2
LTO-3
LTO-4
Capacity
100 GB
200 GB
400 GB
800 GB
Throughput
15 MB/s
40 MB/s
80 MB/s
120 MB/s
Source: ‘‘Linear Tape-Open,’’ Wikipedia. http://en.wikipedia.org/w/index.php? title=Linear Tape-Open&oldid=319439289 (accessed October 14, 2009).
Note that LTO-4, unlike LTO-1 through LTO-3, supports encryption of its tapes through AES encryption. When you look at an LTO tape cartridge, like the one in Figure 8.4, you can see that it’s a plastic container that has a red switch on the back of the tape. This switch indicates whether the tape is write-protected at a hardware level. When businesses are using LTO tapes, they commonly use an initial pass to back up their data and then mark the tape as write-protected; therefore, the data will never be overwritten and, theoretically, will be accessible for as long as the tape’s usable life is maintained. This brings us to an unfortunate downside of LTO tapes: LTO tapes have a usable life span that can be finitely measured in several categories: Time LTO tapes have a cartridge life span of somewhere between 15 and 30 years if they are archived and not accessed or written to. Writing to these tapes, loading them, or otherwise altering them will shorten their life span. Cartridge loads Every time a cartridge loads or unloads, it shortens the life span. Cartridges can usually be loaded 5,000 times (with no other wear and tear) before expending their useful life. Passes When a tape is written to or read from, it passes the tape through the container, causing the tape to wear down. The number of times a tape can go through the container varies, depending on the tape length and generation.
BACKUP MEDIA TYPES
Figure 8.4 LTO tape
Tape life can actually be broken down a lot further in an almost mathematical method. See ‘‘Linear Tape-Open,’’ on Wikipedia (http://en.wikipedia.org/w/index.php?title=Linear Tape-Open&oldid=319439289, accessed October 14, 2009), which shows how the tape atrophy breakdown works for the currently existing generations of LTO. Overall, tape provides a quick and easy method of critical backup recovery. Using tape, you can perform full or partial backups using differential, incremental, and other backup methods. All you need to keep in mind is that tape devices have different capacities, speeds, and levels of atrophy. By default, some Windows backup methods can detect a tape backup device, but it’s best to use third-party software from vendors such as Symantec and other backup providers. In my experience with small businesses using SBS 2008, tape backups provide an excellent backup method that can be used to both initially back up software and then provide differential backup points. Typically with small businesses, you’d set up an initial backup to back up primary and critical points of the infrastructure that are likely never to change. Then, you’d set up a daily backup on a rotating tape that would keep track of the day-to-day changes and then a monthly backup that would keep track of the major progression changes that occur month to month.
SAN/NAS Storage area networks (SANs) and network attached storage (NAS) are two types of storage architectural methods to attach storage to a server in an attempt to create available storage on decentralized locations somewhere in an infrastructure. SAN and NAS use different methods of organization to create a labeled volume that’s accessible throughout the entire infrastructure. At the small-business level, you use SAN and NAS to provide a backup location and also to expand the amount of storage that’s accessible to Small Business Server. In the following sections, I’ll cover these two types of attached storage and then go over the methods used to attach them in a small business.
SAN Just about every small business could use a SAN. This is because SANs are a fast and efficient means of storing data throughout any business. A SAN is a system of network-style storage that is (in reality) just a computer dedicated to sharing files across the network. A SAN is usually a server that’s been lying around the closet for a while in a small business, but it can be a
205
206
CHAPTER 8 BACKING UP AND PERFORMING DISASTER RECOVERY
full-blown dedicated appliance, like one of Dell’s PowerVault machines. Basically, that machine is a bunch of disk storage with a lightweight operating system. Most companies use SANs when they have a limited budget and would like to find a solution that will collect a lot of data in one place and yet not drastically lower their throughput speeds. SAN provides an easy way to take several disks and place them on one single volume.
NAS In effect, NAS is a self-contained computer connected to a network that supplies data throughout the rest of the network. This data is accessed through an operating system that’s accessing the formatted data through one of several protocols. The unit itself is not designed to house program files or to be used for general computing tasks but instead to only contain files. NAS are controlled and configured over the network, often through TCP/IP over a web browser on either port 80 or 8080 or through HTTPS on 443 (but this is rare). In effect, a NAS device is almost the same thing as having a computer that has file sharing enabled. The computer is a self-contained unit that can share files throughout a network, but it is a completely separate entity. In much the same way as SAN, NAS can be accessed throughout an enterprise. NAS allows multiple computers to access data contained in the self-sufficient unit. At the small-business level, you normally use NAS as a separate point of access for general data, other than the Small Business Server itself. NAS can use several formatting styles, including FAT32, NTFS4, and NTFS5. However, with Small Business Server, you’re normally only accustomed to NTFS files, unless for some reason you need to support Linux devices on your network. NAS devices are usually accessed by computers throughout your network through one of three major network file systems: ◆
Andrew File System (AFS)
◆
Network File System (NFS)
◆
Small Message Block (SMB)
These file systems allow multiple computers to access the data at any given time. Without these network file systems, you’d be restricted by the number of computers that could access the data. Each of these network file systems is available to you as a Windows System administrator, and each of these has its own strengths and weaknesses. At the small-business level, which one to actually implement in your environment depends a lot upon the type of business your small business was doing, along with how much security you require. I’ll go through each of these file systems one at a time.
AFS The first of these file systems is the Andrew File System. In small businesses, this is the least commonly used; basically, the AFS file system takes advantage of extreme security methods through access control lists and quotas. AFS is not very common in the small business environment because AFS can take advantage of multiple computers by spreading data throughout various locations. There usually aren’t enough computers in small businesses to make this endeavor worthwhile. That said, AFS is extremely advanced and very fast. Larger networks can use this multiple-location-based system for a fast network access system. However, files that are changed frequently are probably not the best application of it, because it has to distribute data across multiple locations. This said, if you just need to read data, you really can’t beat the speed. Tons of machines send you data all at once!
BACKUP MEDIA TYPES
NFS A second NFS system available to you with Small Business Server is NFS. NFS is a system of network sharing used with Unix and Linux computers. In most environments, NFS is the de facto standard, and SBS 2008 can understand, read, and write to it. However, it’s not SBS’s preferred method, because Microsoft developed its own method: SMB. Small businesses tend to use NFS when they are supporting Linux clients. Linux (like all forms of Unix) understands NFS very well, and Windows Server 2008 supports the ability to implement an NFS share on the server itself. This means that, for the monetarily savvy consumer, they can download free copies of Linux distributions and then point them toward an NFS share. Not only is it easy to set up, but it’s cheap, too.
SMB Other than being an acronym for ‘‘small to medium business,’’ SMB also stands for Server Message Block system, and it is the preferred NFS method used by Microsoft. SMB was originally developed by Microsoft in conjunction with IBM to form a network file system that could be used with Microsoft networks (preferably) but still be accessible to Unix and Linux machines. Because SBS is a Microsoft standard, it is the preferred network file system method. Technically, the preferred method is actually SMB2 — a new implementation of SMB that’s available with Windows Vista, Windows 7, and all forms of Windows Server 2008. Using SMB, you can easily attach network shares. With NAS, the process is completely simple and often goes on without you knowing it. For example, if you have a NAS drive, you can use the web interface to attach the NAS to your Windows Server and share the folder. Afterward, you can access it by going to your client machine (or your server) and entering the path of the file into the Explorer window. As an example, you could attach a client to your SBS computer and type the following: \\MyServer\MyShare
where MyServer is the name of your SBS computer, and MyShare is the name of your shared folder. Without the user knowing, Small Business Server would use SMB to transport that name and access files across the network. This is important to point out because Windows Small Business Server makes this operation easy (and it does it straight out of the box), but it isn’t the only method available. You can use NFS and AFS in a similar manner. In fact, if you’re interested, you could probably play around a little bit with your Small Business Server and get SMB to go over NFS — but that’s beyond the scope of this section. Suffice to say, you need to know that SMB is the method used by your Windows Server to access network shares, just in case you have Linux, Macintosh, or Unix machines that have trouble accessing the data on your network file shares. These machines have to physically be told to use the SMB protocol. For example, on a Macintosh, you’d need to navigate to the Finder Connect area and then tell it to point to a virtual network path of SMB://MyServer/MyShare. Without this, the Macintosh would spend all day wondering where the NFS share of \MyServer\MyShare was, because that’s what it uses by default, since it’s a Unix system.
Differences Between NAS and SAN To clarify, there are two primary differences between NAS and SAN. First, SAN and NAS are physically accessed through different types of connection devices. Second, SAN and NAS logically separate their data differently. NAS uses one of the three NFS methods, as well as the possibility of the TCP/IP protocol. You can think of it this way — a SAN is a nearly or completely physical connection that’s attached to the server, and a NAS is attached logically across your network.
207
208
CHAPTER 8 BACKING UP AND PERFORMING DISASTER RECOVERY
To give you a little history, NAS was with Novell’s NetWare file-sharing server software with something called the NCP protocol. For the most part, NCP is almost completely obsolete, because Unix came out with NFS only a year later. But it’s only in the past few years that NAS has become exceedingly popular because of the extremely fast access speeds of gigabit and higher-speed networks. Now, in the small business, you can use both SAN and NAS depending on which flavor suits you. And the best part? They both work really well!
Direct Attached Storage Another type of storage strategy available to you, and one that is quite attractive to most administrators, is directly attached storage. Directly attached storage is an array system that’s been placed directly onto a server through either a Fibre Channel, iSCSI, or other high-speed connection method and accessed through a RAID card — just like internal RAID drives. Small businesses can use DAS to provide speedy and redundant array access. This would be a good technique for something under a lot of read/write demand, like a SQL Server database.
Implementing a Backup Strategy Now that you understand the types of media you can use to create backup methods, you can finally begin to implement a true Windows Small Business Server 2008 backup strategy. Backup is more important at the small business level than for any other business size. Because of the small amount of data and the relatively few number of computers, a single server failure can result in a disaster. Thus, any mindful administrator of a small business will put together a well-thought-out and well-planned disaster recovery or backup strategy that consists of five distinct parts: Windows NT data This comprises Active Directory and all its components, including user profiles, computer names, and all accounts throughout your business. Exchange/SQL data This is your database and mail server data (I have not yet discussed this, but it’s still part of your backup strategy). Critical business data This is the data that, if lost, would make it difficult if not impossible to continue to operate. Noncritical business data This is data that is essential but not completely required for business functions. Unsorted files This is non-mission-critical and more easily replaceable data that can be considered an acceptable loss in the case of a disaster. Backup is divided into multiple parts at any business level for a simple reason: you don’t want to put all your eggs in one basket! In the case of a disaster, you want to have your data divided into several sections. And in small businesses, you want to have the data divided into several sections and then, if possible, combined into one central point for ease of restoration. In effect, say you have the following amounts of data to back up: ◆
Windows NT data: 50GB
◆
Exchange/SQL data: 3GB
IMPLEMENTING A BACKUP STRATEGY
◆
Critical business data: 100GB
◆
Noncritical business data: 200GB
◆
Unsorted files: 1TB
All said and done, this is only 1.353TB. If you would have told me ‘‘only 1.3TB’’ 10 years ago, I think I would have had a heart attack. Anyway, today all this data can be contained in one single external hard drive, which can be accessed by NAS as you learned earlier in the chapter. It’s certainly different than the way it used to be. But that said, there are some old-school practices that still serve us well, because as you learned, NAS is for the most part unreliable. Accordingly, you need to treat each of your sections of backup with a different level of concern. I’ll talk about these sections one at a time, and I’ll also discuss how they can be treated in a small business and the best way to store each kind.
Windows NT Data The first on the list of suspects with Windows backup is your Windows NT data. With Windows Server 2008, this process has gone from fairly complex and tedious to nearly simplistic. To back up Windows NT data, you can start from the SBS Console that you’ve become familiar with from the other chapters. Just click the backup. There, you see a distinct button that allows you to choose to configure backup on Windows Server. However, note that this button will result in an error unless you have a removable drive attached with at least 2.5 times the capacity of your main Windows drive containing your NT data! After clicking Next at the wizard that will pop up (assuming you have a storage drive attached), select the drive you want to store the backup on. You can back up your data to any external storage drive that supports USB 2.0 or IEEE 1394 (FireWire). Currently, these drives are available with capacities of more than 1.5TB and should hold plenty of data. If you need to back up to an internal hard drive, you can select the Show All Valid Internal And External Backup Destinations check box. This way, all drives will show up, so long as they don’t have any system information on them (Linux counts!). Windows Small Business Server can actually support multiple drives. In fact, if you do not attach a USB/FireWire drive, Windows Small Business Server will actually recommend that you attach two external drives to provide an effective backup strategy. Justin Crosby and Damian Leibaschoff, noted Microsoft employees and excellent writers on the subject, wrote in a post on their blog on SBS 2008 backup that when you’re choosing an external storage drive for a server backup, you should consider using a drive that is going to be used for backup only. That way, it won’t (ideally) be used very often, because it will only be written to based on scheduling and perhaps a system restore.
Incremental and Differential Backup Before Windows Small Business Server 2008, Windows Server supported many different types of backup: Full
A complete and total backup
Partial A backup that backs up all data since the last full backup to supplement the backup Differential A supplemental backup that measures the differences in backup since the last full backup Incremental A supplemental backup that takes all data ‘‘added on’’ since the last full backup and records them into a supplemental container
209
210
CHAPTER 8 BACKING UP AND PERFORMING DISASTER RECOVERY
With Windows Small Business Server 2008, this tried-and-true notion has changed. This is because every backup with Small Business Server 2008 effectively always creates a full and differential backup with each backup. Justin Crosby and Damian Leibaschoff, the same two employees of Microsoft credited with many of the changes in Small Business Server that make it what we know today, wrote an article (http://blogs.technet.com/sbs/archive/2008/11/03/introducing-sbs-2008backup.aspx) that gave this example (roughly paraphrased): Consider you have a file on your Small Business Server made up of four blocks: A, B, C, and D. This means that on the first backup conducted by SBS, the blocks (hereby referred to as ABCD) would transfer something like this: ABCD (Source) ---> ABCD (Destination) This means they’re copied from one place in a file structure, directly to another. In the next backup cycle, let’s say the block A changed to A’. So, this time the file is A’BCD. Therefore, only A’ will be moved to the destination like this, and the block A will be saved in a separate location: A’ (Source) ---->
----> Resolves to A’BCD (Destination) In the metadata for the backup, the data of the change to A is then recorded. In the next backup let’s say again A’ changed to A’’, so the file is now A’’BCD: A’’ (Source) ----> ----> A’’BCD (Destination) A’ (Stored in Metadata) A (Stored in Metadata) Through this method, there is only ever one ‘‘backup’’ area with Small Business Server, along with some metadata. This is a really handy feature, because with the full versions of Windows Server 2008, you are really only left with the old tried-and-true conventions, and thus you end up having to make a lot of full, partial, and differential backups, which isn’t a whole lot of fun. SBS just makes everything so darn convenient! In their article, Justin and Damian also note that Windows Small Business Server 2008 will transfer the blocks only since the last rotation. If you wanted to restore to a particular backup version, the backup logic would go through the steps described earlier in reverse order and restore the specific blocks associated with the particular file and version.
Rotation for Reliability If your small business has a lot of data that, if lost, would result in catastrophic fiscal loss, you’ll want to use an SBS 2008 method that will result in a reliable and simple backup method. And of course, rather than rely on some of the ‘‘tried-and-true’’ methods described in this chapter, you probably want it to be quick and easy! As a best practice, once you’ve set up a Small Business Server, you can set up SBS to transfer your backup data to one drive and then another. You can do this in the Windows Backup schedule Wizard, although you can also do this by just physically disconnecting one drive and then connecting another. This makes sure that the most recent backup is on an external drive, and if it isn’t available for some reason, the other drive can usually be restored with minimal loss.
IMPLEMENTING A BACKUP STRATEGY
Performing Backup To actually perform the backup, you will need to launch Windows Server Backup from the Start menu by typing backup. Through the wizard, you can set up a backup schedule, back up once, or recover from a backup. If you want to schedule a backup, you can select Action Schedule Backup. This will open the Backup Schedule Wizard, where you can select Backup Configuration, the time it should be run, and the label of the disk. The wizard is fairly self-explanatory. This method is really good in a small business if you need to suddenly back up a lot of data. You can launch it easily and just tell it to ‘‘back up’’ and be done — a very nifty feature.
After the Backup Is Complete Once your backup is complete, the Windows Small Business Console’s Backup And Recovery section will change and show you a few new options: Add Or Remove Backup Destinations it’s backed up.
This will let you change what is backed up and where
Add Or Remove Backup Items You can remove backed-up data that you no longer require. Change Backup Schedule View Backup History Backup Now
You can alter the schedule of your backup setup.
You can see when backups completed and what they backed up.
You can immediately run a backup job.
Pause Backup Schedule Disable Backup
This stops all backups until you click Resume.
This undoes any configuration established for a backup that you configured.
Exchange/SQL Server Backup In a large business, nearly all productivity will stop at the loss of an email infrastructure. At the small business level, it’s almost exactly the same. But at the small business level, we have a lot less room for error (and usually a lot less limited budget for it). Thus, it behooves us to know how to quickly back up and recover Exchange and SQL. With Windows Small Business Server, Exchange is included in the backup default action. However, for the sake of completeness and because of its aforesaid importance in the small business environment, I prefer to use a more tried-and-true method to make sure all data is completely backed up. Specifically, I prefer use a third-party backup software to move these files. As part of your backup strategy, you should plan on keeping your Exchange data on a shared folder in your network, preferably on a computer that’s known to be stable. When combined with the standard backup method, this will provide a nice redundant path. Just in case you’re interested in earning extra credit on your ‘‘great administrator’’ score card, you can look up this article on TechNet: http://technet.microsoft.com/en-us/library/ms191253.aspx It details how to back up SQL Server 2008.
Noncritical Business Data Backup This is a job for . . . external hard drives! Small businesses use external hard drives to back up noncritical business data. Additionally, if it’s available, you can take advantage of a spare internal hard drive or one that contains enough space for some data that is important but not
211
212
CHAPTER 8 BACKING UP AND PERFORMING DISASTER RECOVERY
important enough to stake the future of the company on. With a small business, this type of data can just be transferred from one place to another. Keep in mind, when you’re backing up data by just dragging it from one place to another, a few issues may pop up. For instance, a user might be accessing the data from some location that may cause a critical fault as Windows attempts to drag the data from one location to another. This is why if you have to move data, you may consider using the NTBACKUP tool to avoid situations like this. NTBACKUP has the ability to select certain folders and move them to another location without involving Windows permissions. Windows itself will move the files.
Unsorted/Extra Files The last rung on the totem pole of Small Business Server is any unsorted or extra files. This may include things such as users’ music files that are stored in a central location, downloads that have never been purged, and other files that aren’t really useful for doing business. With these files you have two choices: ◆
Back them up just like noncritical business data if the space is available.
◆
Disregard them.
You have to remember that, at least on the small business level, there are going to be a lot of occasions where you have data that is relatively unimportant to your business and can be easily purged. However, this doesn’t mean that all data in a small business is unimportant, just that a lot of data will most likely be able to be disregarded without the need for lost sleep at night when you have to do a disaster recovery implementation and realize that you may have not restored several gigabytes of files.
Restoring SBS 2008 After you’ve implemented an effective backup strategy, you can sleep well at night. You have a plan. The server is probably already backed up, and just in case anything should go wrong, you can restore it — right? Well . . . what happens when you have to do that? Restoring SBS 2008 is never a fun process. There’s always part of you that asks, ‘‘Will the backup work?’’ And more important, there’s another part of you that says, ‘‘Well, I know I prepared for a backup. But do I really know how to do it?’’ With Small Business Server, there are two different types of backups you need to know how to perform, simple file recovery and bare-bones recovery.
Simple File Recovery First things first — simple file recovery. Truth be told, it’s simple enough. Simple file recovery is done just like simple file backup, either through NTBACKUP or Windows Explorer. Windows NT Backup (NTBACKUP) allows you to take a backed-up BKF file created through the NTBACKUP tool and convert it back to standard files. This is easily accomplished through the GUI and a selection of Restore. Alternatively, if you’ve just dropped files from one place to another, you can use Windows Explorer to transfer the files from one location to another. You’ve probably done it a thousand times before — you just drag from one location to another.
Bare-Bones Recovery If the worst has happened and you’ve lost all your data, you can always recover from the ground up in what I call a ‘‘bare-bones’’ recovery. This means you have no operating system left and no accessible hard drive. It’s not fun, but fear not — all is not lost.
RESTORING SBS 2008
To recover from a bare-bones situation, you will need to boot from the SBS 2008 disk and load into the SBS 2008 installation menu. Then, once at the screen you see in Figure 8.5, you’ll need to click the Repair Your Computer button at the bottom of the installation window.
Figure 8.5 Repair option
Once you click this, Windows SBS 2008 will scan your local hard drives to find whether any part of your installation still remains. And, unless you’ve totally and completely destroyed your installation, there will be something left there. Keep in mind, though, that there are a few occasions where everything really will be gone, and you’ll have to install from scratch. Regardless, once you click Repair Your Computer, the screen in Figure 8.6 will appear. You can select the hard drive you want to restore, and then you can click Next. This will bring you up to the next, very important, screen that you see in Figure 8.7. Here you’ll see three options: ◆
Windows Complete PC Restore
◆
Windows Memory Diagnostic Tool
◆
Command Prompt
Figure 8.6 System Recovery Options
213
214
CHAPTER 8 BACKING UP AND PERFORMING DISASTER RECOVERY
Figure 8.7 Choosing a recovery tool
Each of these options is important, but I bet you can guess which one we’re going to use in this case. The Windows Memory Diagnostic Tool is used to determine whether there is a problem with either the CPU or the physical memory of the computer, and the command prompt is used to run command-line utilities, such as chkdsk, that could be used to restore your computer. Therefore, at this screen, you’ll need to click Windows Complete PC Restore. After you’ve done this, you’ll see Figure 8.8 if all has gone well. This means that Windows SBS 2008 sees the latest backup done by the SBS 2008 backup and restore utility.
Figure 8.8 Backup detection
Clicking Next will bring up what is, in my opinion, a really cool feature. In Figure 8.9, you’ll see only one SBS backup, but you can, in reality, click the Advanced button and choose from any SBS backup that has been completed and still remembered by the disk. Say, for example, you wanted to do a complete system restore because of a virus that you got five days ago. Selecting the backup from five days ago, rather than the most recent, may be a lot safer. In any event, you can just select the one you’d like and then click Next.
RESTORING SBS 2008
Figure 8.9 Choosing a backup point
The screen in Figure 8.10 is really important because formatting and repartitioning with a bare-bones install is completely optional. You do not have to complete it! However, in my opinion, if you’re going to restore, you might as well format and repartition. So, go ahead and select the check box (or not if you’d rather not), and then click Next.
Figure 8.10 Format and Repartition Disks option
After clicking Next, you’ll be asked to confirm your installation, and then you may get a warning that you’re going to reformat the partition if you chose to do that. But in any event, once you’ve completed this process, the restoration will begin. And, boy, will it take a while. Don’t be alarmed if you see Figure 8.11 for a very, very long time. It’s normal, albeit a little tedious.
215
216
CHAPTER 8 BACKING UP AND PERFORMING DISASTER RECOVERY
Figure 8.11 Restore progress bar
The Bottom Line Understand RAID RAID is used at the Small Business Server level to create a partitioned and redundant system in SBS 2008 that provides for backup in the case of a single or multiple hard drive failure. Through RAID, you can theoretically remove the need for any form of backup, but you do not remove backup methodologies because they’re necessary in the slight chance of an unrecoverable array failure. Master It Choose a RAID installation method with Small Business Server that will provide for six disks, with a complete mirror of the array and each side of the mirror containing a parity bit. Recognize different backup media types Various types of backup media exist in the modern workplace, and choosing the right one for your situation is often a tough decision. There are network file shares, tape backup, network attached storage, and external disks, just to name a few. The right one depends on the application being used and the right time to use it. Master It Choose a backup solution that is allowed to be degradable but is easy and cost effective to implement. Moreover, this backup solution has to be able to easily supply extra media, because of the need to have many different points of recovery, all for a low cost. Implement a backup strategy With SBS 2008, it’s easy and effective to create a backup strategy that not only works but is easily recoverable. Master It Create a minimum requirement backup installation with SBS 2008, and implement it. This backup solution should enable you to recover in the case of a corrupted hard drive or the loss of a drive in a system array. Recover data After you’ve set up a backup system, as in the previous ‘‘Master It,’’ you will need to know that the data can be recovered. All the backups in the world will do you no good if you don’t know how to take advantage of them in a small-business environment. Master It Use the Windows SBS 2008 installation disk utility to completely recover with a bare-bones installation.
Chapter 9
Remote Access, Security, and Adding Servers with SBS 2008 If you ask any given administrator when it is that they actually get to start having ‘‘fun’’ with their servers, they’ll say it’s when they finally start to get fancy with their deployment. And that’s what this chapter is entirely about. Once you’ve gotten an SBS 2008 server set up, installed, and running Group Policy, it’s time to start thinking about how you’re going to access that server — and whether you need to consider adding more servers to the environment to support all of your users and your infrastructure as a whole. The reason I’m covering this now in the book is that all too often in small businesses this stuff is done after an entire deployment scenario has already been implemented — in other words, the small-business owner already has their server set up, policies in place, and user accounts made. That’s also when people stop and think, ‘‘Hmm, you know, I didn’t actually consider the fact that I need to support my remote users, my database users, and possibly my users from this other small business that I own.’’ So, with that in mind, you should approach this entire chapter as if you’re working for a company (or own a company) that already has a full deployment established. In the chapter’s examples, it will be the familiar Intellicorp. In this chapter, you will learn to ◆ Deploy a second server to your environment ◆ Set up Remote Web Workplace access
Reasons to Add a Server Small businesses decide to add servers for one of two reasons. First, they add them because they need the extra processing power, and second, they add them because they need to host an entirely different domain from which their users can log in and log out. Keep in mind that an Active Directory infrastructure has certain physical limits regarding which users can log in and log out (as well as rules on where this can happen). One of these strict rules is that a box running Windows Server 2008 (any edition) can’t host more than one domain as a domain controller. This means that an SBS 2008 server can’t have users logging in to access system resources with user accounts like [email protected] and [email protected].
218
CHAPTER 9 REMOTE ACCESS, SECURITY, AND ADDING SERVERS WITH SBS 2008
Users can pick one only. But with that said, administrators can easily fix this by adding a server and making that server its own domain controller, but I’ll get to that in a minute. For the moment, just keep in mind that SBS 2008 cannot, by default, accept user accounts for another domain. And, just to make sure you don’t get confused, don’t forget that just because users can’t ‘‘log in’’ from a different domain account does not mean they cannot receive email from a different domain. Email domains are entirely different from Windows NT domains. Through Exchange Server (see Chapter 10, ‘‘Configuring Exchange Server 2007 for Small Business’’), you can add an extra recipient domain to do this nicely. But can you really add a server with SBS? Yes, you just need clustering.
What Is Clustering? Dating back to almost the same era as that of the ENIAC and the first computer, the concept of clustering has existed throughout computer infrastructure history. Early computer scientists realized that sometimes one computer just wasn’t enough to get the job done and they were going to need more power to accomplish the job in front of them. However, there is one problem with getting a more powerful computer to accomplish a task. It’s a lot more difficult to design a single computer to be more powerful than it is to simply take an existing design, manufacture several computers from that design, and then find an easy way to have them accomplish the same goal all at once. In its simplest form, all clustering really comprises is the idea that you can have a set number of tasks that need to be accomplished, and these tasks can be divided among multiple computers in a cluster. For example, say you had an application that needed to count to ‘‘eleventybillion,’’ a fictitious but incredibly amusing number made up by the comedy lords of Saturday Night Live. Well, counting to eleventybillion is probably quite a task. So, you could divide that task into two portions: the first portion could count to half of eleventybillion, and the second portion could count from half of eleventybillion all the way to eleventybillion. Assuming that each time a computer completes an iteration, it simply iterates the integer it’s working on by one, eventually the two computers will accomplish the task of counting all the way up to this number — and making sure that every single number along the way has been accounted for in some fashion. This may seem like a rather nonsensical exercise, but it proves a very important point. All tasks can, in some way, be broken down into smaller forms, and then these tasks can be divided among multiple computers and accomplished in a more granular format. The person who actually invented the formal engineering (read: math!) of computing parallel processes (doing multiple processes along the same path at the same time) was Gene Amdahl. Gene worked for IBM in 1967 as an essential uber-genius who was able to mathematically quantify a law, now called Amdahl’s law, that broke down the parallelization of otherwise serial tasks. The only basis for his mathematics was the idea that clustering (parallelization) would need to be defined in a form where computers were connecting through interoperable links, or acting on their own through something called a commodity network. Today, the links used to connect clusters vary. Some clusters use high-speed infiniband or other supercomputing links to connect computer nodes from one to another. But in the Windows world (and, therefore, most of the ‘‘real’’ world), we use the TCP/IP infrastructure to communicate. If you think about it naturally, what easier way could there be to communicate between two machines than by a protocol that was already developed purely to communicate between two machines in a low-overhead, fast, and effective manner? It’s quite logical when you break it down to brass tacks.
REASONS TO ADD A SERVER
When you think about arranging clusters now in a modern Windows infrastructure, you probably think about the full-blown editions of Windows Server 2008. This is because Windows Small Business Server 2008 does not ship with the ability to take place in a cluster. However, SBS 2008 does have the ability to add a server to an existing server infrastructure. And although the collection of computers this forms may not facilitate the exact definition of a modern parallel cluster, it certainly defines the traditional definition of a ‘‘bunch of computers’’ participating in a single task. Your task, in this case, is the responsibility of maintaining multiple points of infrastructure through backup, multipoint failover, or other highly available system models.
Types of Clusters in the ‘‘Full’’ Windows Server 2008 Edition I’m probably digging a bit too far into the clustering topic for a small-business environment. However, just for the sake of informing you how it really works, in the full-blown Windows Server 2008 infrastructure, there are two types of clusters: ◆
Network load balancing (NLB)
◆
Failover
Having an NLB cluster allows you to greatly enhance the ability of your server’s application platform, while making the front-end portion of it transparent to your end users. The simplest example is a web pool. In a web pool, multiple servers run Internet Information Services (IIS) and host websites. These sites can feed the same information to clients, who are consistently accessing these web pages from remote locations, but the trick is that Windows Server may not be letting two different users host the same server. It’s sort of like if you take two host servers and say, ‘‘OK, you two start hosting information,’’ and then tell a second service that runs on each machine to load-balance the incoming traffic between the two servers. This way, neither will be completely overloaded by the work. In the ‘‘old days,’’ load balancing was used so much that large datacenters would actually buy NLB appliances that did nothing but track incoming packets and then feed them from one computer and then the next. Things were just so cool back in the 1990s. Anyway, adding a load-balanced cluster gives you a lot of benefits, including the following: Improved availability If one node goes down, the cluster doesn’t completely stop; one server just absorbs all the load. IP scalability You can divvy up the amount of IP addresses and the way you use network performance pretty easily. Now, you may wonder why I described all this stuff about the full edition of Windows Server. The reason is twofold. First, this information allows you to see the complete package that clustering can introduce to your infrastructure, and second, understanding what the full edition does enables you to comprehend the small-business edition better. Now, with the next section, you really need to pay attention. That’s because that section — on failover — is something that you can sort of pseudo-implement with Small Business Server 2008.
The Concept of Failover Somewhere around the third or fourth day of actual computer usage (you know, about the time that someone first flipped the ‘‘on’’ switch), a bunch of professionals in the industry realized that there needed to be a way to switch rapidly from one working system to another in the
219
220
CHAPTER 9 REMOTE ACCESS, SECURITY, AND ADDING SERVERS WITH SBS 2008
case of a failure. In the earliest of early days, this wasn’t possible because of the extreme costs associated with computers, not to mention the vast amount of space they would occupy in any given building. Now, computer costs have gone down so drastically that a simple server can cost less than $1,000. And once room-sized machines shrunk down to the point that a single 1U server (a measurement used to indicate space used in a rackmount environment) could contain dozens of virtual servers, the effective computing-to-space ration of these devices becomes drastically lower than anything we’ve ever experienced. Accordingly, this means you can now afford to have full and completely reliable backup computers in place in the unlikely (or perhaps likely) event that your server experiences a failure. The name failover implies that as soon as a single server experiences a failure, a perfectly good and working copy of that server will come online and start operating in its place. Failover is used in both large and small businesses to provide a method for the business to continue while administrative repairs are conducted on the machine that experienced the failure. The most classic example of failover with SBS is a backed-up machine that contains the exact data of the previous machine, through software such as Double-Take. In a large business, you can set up a machine to completely take over in a cluster. But since that is beyond the scope of this book, suffice to say that failover clustering is something you can look into as an administrator if you find that the need arises in your organization.
Alternatives to Clustering with SBS Although SBS cannot provide true clustering, with failover and automatic load balancing, it can provide benefits similar to those provided by clustering. For example, you can implement multiple servers to spread file access across more than one machine providing pseudo–load balancing. You can implement a second SBS server to act as a redundant domain controller, thereby providing fault tolerance. No, these solutions are not the same as a clustering solution in the full Microsoft servers. Yes, they do provide similar benefits. So, what can you do with SBS 2008? That’s a great question. The answer is surprising to most administrators, because the answer is, actually, quite a lot! With SBS you can do the following: ◆
Add member servers.
◆
Implement a second server in your SBS network.
◆
Use Hyper-V to virtualize extra servers.
Adding Member Servers Member servers in Windows forests are servers that don’t serve any real ‘‘server’’ function as far as Microsoft is concerned but still run server hardware and a server operating system. These are some classic examples of why you might add a member server: ◆
For a customer third-party application
◆
To be a dedicated file server
◆
To be a dedicated printing server
REASONS TO ADD A SERVER
These tasks aren’t exclusive to Windows, and server-level operating systems can’t help them become much more efficient. So long as you possess the appropriate licenses from Microsoft, you can add member servers to your heart’s content.
Reasons for Implementing a Second Server The flagship feature of SBS 2008 Premium is that it supports the ability to add a second dedicated server to your existing SBS 2008 environment. For many administrators, this is a very valuable feature that allows you to greatly expand the usability of your network. There are many other reasons you’d probably want to add a second server: Separation of duties If you have some duties handled on one server and some handled on another, you don’t have to worry about everything stopping if one server goes down. Adding a second domain controller This allows you to expand your ability to easily log on to the Windows domain and access logon features, without overburdening your SBS server. SQL Server Running a dedicated SQL Server machine is always a good practice! Applications Some applications really need to have their own server, or else they can take a lot of memory and bog down the system with excess calls to the CPU or memory that could be used for server-grade threads and processes. Effectively, as you can see, a second server is mostly used for application-based programs. Things like SQL Server, any application using LDAP, or other such methods will benefit greatly from being placed on their own server because they’re separated entirely from the costly overhead of Active Directory, resource management, SharePoint, and the other fun but costly programs associated with Small Business Server. I’ll discuss the actual process of adding a second server a little later in the chapter in the section ‘‘Adding member servers.’’
Using a Second Server StoopidCorp runs a poorly written application that takes a large amount of memory — sometimes up to 8GB. Because StoopidCorp is not run by effective admins, the company decided to place all its applications on one SBS 2008 server. Now, whenever the application is run for excessively long periods, the entire server shuts down because the system runs out of memory and causes all programs to have to run off excessive file paging. Eventually, StoopidCorp got tired of dealing with the consistent slowdown and decided to hire SmartCorp, a consulting company, to fix the situation. SmartCorp’s solution was to create an extra server that ran SQL Server and the application alone. Now, the SQL Server instance and the application are the only thing running on that computer, and the app isn’t burdening the rest of the infrastructure. This way, users do not notice it when the machine runs slower or requires maintenance. Additionally, because SmartCorp is full of smart people, SmartCorp decided that the best way to access the information available on StoopidCorp’s server was through LDAP. SmartCorp installed LDAP onto the server and pointed it toward the domain controller. Now, if the application requires authentication from users, the main domain controller will be queried but in a very efficient and noninvasive fashion.
221
222
CHAPTER 9 REMOTE ACCESS, SECURITY, AND ADDING SERVERS WITH SBS 2008
Virtualizing Your Servers Microsoft Windows Hyper-V is a hypervisor program that is available for all 64-bit editions of Windows Server 2008. Hyper-V is an extremely advanced virtualizer that allows multiple operating systems to be installed through the Microsoft platform. Using Hyper-V, you can virtualize the following: ◆
Windows Server 2008 R2
◆
Windows Server 2008
◆
Windows Server 2003
◆
Windows Server 2003 R2
◆
Windows Vista
◆
Windows 7
◆
Windows XP
◆
Linux (Redhat)
◆
All of these in 64-bit editions too
There are, of course, many alternatives to Hyper-V. Some alternative companies are VMware and Citrix. The advantages of Hyper-V are that it is completely free with your SBS 2008 license and extremely easy to use. However, it does have some licensing limitations that you should be aware of. Most notably, you can only install operating systems that you have licensed in addition to your SBS 2008 server. So, in other words, you can’t just install Windows at whim and then instantly have a bunch of extra Windows Servers. Unfortunately, you do have to pay for them!
Adding a Second Server The process of adding a server to your SBS 2008 environment may seem a little complicated, but like all aspects of SBS 2008, it’s not all that complicated once you understand it. First, you need to install the external server on a location separate from the SBS Server, or virtualized within it. And then, you need to join that server to the domain as a computer. At this point, you can view second server in the Windows SBS Console by clicking the Network tab and then clicking Computers. The second server is listed under Client Computers. At this point, all group policy settings are applied for the client computer, except for the Small Business Server Updates Services Client Group Policy Settings. If you’d like to apply those, you must manually move the second server to the original SBS server’s organizational unit to apply the appropriate GPOs. This means that you need to drag the computer into the correct OU and make it a server:
1. On the server that is running Windows SBS 2008, click Start Administrative Tools, and then click Active Directory Users And Computers.
2. At the User Account Control prompt, click Continue. 3. In the console tree, expand until you find your domain. 4. Expand MyBusiness, expand Computers, and then click SBSComputers. 5. Right-click the name of the server, and select Move. 6. Place the computer in SBS Server, and click OK.
DOMAIN CONTROLLERS AND THEIR ROLES
Hyper-V and SBS As mentioned, Microsoft Hyper-V is a hypervisor-based virtualization solution that is available for all 64-bit editions of Windows Server 2008. There are two Hyper-V products: ◆
A full version included with your SBS 2008 license used on top of Windows Server 2008 and Windows Server 2008 R2
◆
A free, stand-alone version called Microsoft Hyper-V Server
As I mentioned, SBS 2008 Premium gives you the ability to add a server. And therefore, you can use Hyper-V to add a ‘‘1+1 rights’’ server as a guest of the child member server. Typically, people use this for an implementation of SQL Server 2008. With SBS 2008 Standard, you can virtualize another Windows instance for domain replication, but technically not as a member server (although you should consult a Microsoft licensing expert or a lawyer to find out the exact limitations of your license). Contrary to what you might think, Hyper-V Server is actually a slimmed-down version of the non-stand-alone version. Specifically, it is effectively a Server Core installation of Server 2008 with Hyper-V preloaded. Don’t get confused by this description, because the parent partition in Hyper-V Server 2008 still cannot run enhanced Microsoft services such as IIS or IAS server. Also, Hyper-V Server is different from the full version in that you do not get the GUI management tools on the server. Instead, you manage Hyper-V Server from the command line. You will need to license each server you run as a virtual server on Hyper-V Server, but here’s the benefit: with a single hardware base, you can run several virtual machines. Ultimately, many small businesses can reduce their hardware costs by 40 to 70 percent. One company in central Ohio was able to implement two Hyper-V Server 2008 servers, each running three virtual Windows Server 2008 servers, instead of six physical servers. The hardware costs were reduced by more than $7,400. Additionally, power consumption was reduced by more than 60 percent. For installing the second server using Hyper-V technology, you can find information on the Microsoft TechNet website at http://technet.microsoft.com/en-us/ library/dd239202(WS.10).aspx.
Domain Controllers and Their Roles In Active Directory, a domain controller is any machine that has the domain controller role installed and can accept logon requests for a domain. With SBS 2008, you may want to do this to give the SBS server another server to assist in the burden caused by running a domain controller. This can be fairly easily accomplished.
Promoting a Domain Controller 1. Go to the Windows Start bar, type dcpromo, and then press Enter. 2. The binaries will install, and then the Active Directory Domain Services Installation Wizard opens.
3. Click Next.
223
224
CHAPTER 9 REMOTE ACCESS, SECURITY, AND ADDING SERVERS WITH SBS 2008
4. On the Choose A Deployment Configuration page, select Existing Forest And Add A Domain Controller To An Existing Domain, and then click Next.
5. On the Network Credentials page, type the domain name, and then click Set To Open The Windows Credentials Dialog Box.
6. In the Windows Credentials dialog box, type your credentials. 7. On the Select A Domain page, select the Active Directory domain, and then click Next. 8. On the Select A Site page, select the default site Default-First-Site-Name, and then click Next. 9. On the Additional Domain Controller Options page, make the following selections: DNS Server and Global Catalog.
10. On the Location For Database, Log Files, And SYSVOL page, if desired, choose a folder that’s easily memorable, and then click Next.
11. On the Directory Service Restore Mode Administrator Password page, set a password for the Directory Service Restore Mode administrator account, and then click Next.
12. On the Summary page, click Next. 13. On the completion page, click Finish. 14. Restart the server.
Introduction to Remote Access When remote access first began to be introduced in the first editions of Windows Server, the concept was not hip, and not everybody knew what it was, much less how to accomplish it. Today, remote access has become the norm, rather than the exception. Using today’s technology infrastructure, even the smallest business can support a vast amount of remote users from all over the world. The overall design purpose of remote access is to allow all users from a remote location to access the resources they would normally be able to access in the workplace. Secured infrastructure-based resources, such as file shares, intranet web portals, secure networks, and other important pieces of the infrastructure often can’t be exposed to the outside world, because the exposure of that material could be potentially dangerous to the company and result in a loss of valuable data. To implement this balancing act of weighing the security risk with the ultimate profitability of allowing users to be productive from home, the solution that is often reached is to use secure methods of data access, powered by encryption technologies designed to encapsulate the data from external access. Let’s talk about that concept for a moment: encryption.
Introduction to Encryption Encryption has existed in some form or another for thousands of years, dating back to the time of ancient Egypt. Before computers, encryption was used to conceal important governmental, financial, or otherwise personal information from external sources. Basic encryption involves
INTRODUCTION TO ENCRYPTION
the use of a cipher, or algorithm, that translates plain text or verbiage from one form to another. And, unless you know that cipher, you’re unable to translate the information. Encryption has become a hot topic in the security world for the past 20 years because of the double-edged sword it carries. On one hand, encryption can be used to support the encapsulation of data to secure it from potentially harmful sources. But on the other, encryption can be used to conceal nefarious activities. As an example, the criminal prison gang dubbed the Aryan Brotherhood achieved some level of fame for using an algorithm derived by the famous scientist and philosopher Francis Bacon. To the educated, but not necessarily cryptographically inclined, prison system, the activities of the gang could be communicated in what appeared to be useless babble. Here is a classic example of Bacon’s cipher: a
AAAAA
g
AABBA
n
ABBAA
t
BAABA
b
AAAAB
h
AABBB
o
ABBAB
u-v
BAABB
c
AAABA
i-j
ABAAA
p
ABBBA
w
BABAA
d
AAABB
k
ABAAB
q
ABBBB
x
BABAB
e
AABAA
l
ABABA
r
BAAAA
y
BABBA
f
AABAB
m
ABABB
s
BAAAB
z
BABBB
And here’s an example of some text you might see, using this cipher: AAABBAAAAAAAABBAAABBBABBA Reading this example, you’d have utterly no idea that someone was actually concealing a rather malicious message. If you had the cipher for the message, you’d see that it actually says this: Daddy Quite creepy, eh? Well, thankfully, we’re not hardened criminals. So, let’s take a look at some simple encryption that can be used with computers.
Basic Ciphers and Encryption/Decryption One of the simplest ciphers that has ever been written is a cipher called ROT13. In the early days of software design, a lot of people used ROT13 to store serial keys and other information they wanted hidden, because it was so simple that even the most novice computer users could understand it. Now, obviously, we’re not complete novices, but it serves as a good overview for people who may not be security gurus but would like to learn a little bit about it. ROT13 is short for ‘‘rotate by 13 places.’’ And the cipher, as you can probably guess, works by rotating the numerical or letter-based key by 13 places for each character. Take a look at an example: FuzzyKitties FuzzyKitties has 12 characters: F, U, Z, Z, Y, K, I, T, T, I, E, S. If you were to encrypt these letters using ROT13, you would move each letter correspondingly 13 letters in the alphabet.
225
226
CHAPTER 9 REMOTE ACCESS, SECURITY, AND ADDING SERVERS WITH SBS 2008
If you reach the letter Z, you start over with A. So, as you begin with the letter F, you go 13 letters further in the alphabet: G=1 H=2 I=3 J=4 K=5 L=6 M=7 N=8 O=9 P = 10 Q = 11 R = 12 S = 13 Thus, an S would replace the first character in FuzzyKitties, making it SuzzyKitties. And, if you were to apply the encryption to the rest of the word, you would achieve the following encrypted word: ShmmnXvggvrf This, obviously, does not look anything at all like the word FuzzyKitties. The trouble is, for a computer, that word is very easily ‘‘cracked.’’ Or, that is, it’s very easy for a computer to figure out that cipher. Because, although I did that cipher by hand when writing this book, it took me about five minutes as my slow brain counted up all the letters (I could have been smart and used a tool on the Internet). A computer could do it in about a quarter of a millisecond. And thus, this means that the ROT13 encryption, although easy to learn and use, is ultimately useless for practical applications. Instead, you need to take advantage of more complex encryption systems that rely on very large mathematical algorithms using prime numbers.
Common Encryptions The following are some of the modern encryptions used today.
PGP Pretty Good Privacy (PGP) is an encryption method that uses a combination of hashing, compression, and symmetric keys to encrypt data. It is widely viewed as a very effective means of encryption.
AES Advanced Encryption Standard (AES) is an encryption method commonly used by the U.S. government. AES comes in three standards: AES-128, AES-192, and AES-256. AES is an adaptation of the encryption originally developed by Rijndael. As of 2009, AES is the most popular algorithm used on the IT world today.
INTRODUCTION TO ENCRYPTION
TKIP Temporal Key Integrity Protocol (TKIP) is a security protocol that isn’t necessarily used with access but is instead used with IEEE 802.11 for wireless access. Normally, it’s used with WPA.
DES Data Encryption Standard (DES) is a standardized encryption algorithm developed in 1976. DES is also referred to as Data Encryption Algorithm (DEA). The DES algorithm finds its roots in Horst Feistel’s Lucifer cipher. DES is a block cipher, which means it works on a fixed block of plain text and then converts it into cipher text. The block size of DES is 64 bits. The key used in the algorithm is of 64 bits, but 8 of those bits are used for parity purposes; thus, the effective key length becomes 56 bits. The basic structure of the algorithm is the Feistel structure, which involves swapping, permutations, and XOR operations done over multiple rounds to increase security. DES is not considered secure anymore. Because of an increase in processing power and a decrease in hardware costs, it is now possible to implement a successful brute-force attack on DES. The primary reason for this is the key size (56 bits), which is relatively short compared to modern standards.
Triple DES Triple DES is a high-security block cipher derived from DES. It was developed by Walter Tuchman at IBM and was first published in 1978. Like DES, the block size here is 64 bits, and it is based upon the Feistel structure, but its key size is 168 bits, which happens to be equal to three 56-bit keys used in DES. The three steps used in implementing Triple DES are DES encryption, followed by a DES decryption, followed by a DES encryption again.
IDEA International Data Encryption Algorithm (IDEA) was developed by Xuejia Lai and James L. Massey in 1991. It was originally named Improved Proposed Encryption Standard (IPES) because it was meant as a replacement for DES. IDEA is also a block cipher like DES. Its block size is also 64 bits, but the key size here is 128 bits. The algorithm has been used in PGP 2.0 and is also an option in OpenPGP.
Blowfish Blowfish is a symmetric block cipher designed in 1993. It was designed by Bruce Schiener as a replacement for DES. The developer has also stated that the algorithm will always remain free for use by anyone. The underlying structure of the algorithm is Feistel structure, and it divides the plain text into 64-bit blocks. The unique thing about the algorithm is that it has a variable key size ranging from 32 to 448 bits.
RC5 RC5 is a block symmetric key cipher designed in 1994 by Ron Rivest (of RSA Labs). The block size in RC5 varies. It can be 32, 64, or 128 bits. The key itself is of variable size and can range up to 2,040 bits. This algorithm is also based upon the Feistel structure and has 12 rounds to make cryptanalysis difficult.RC6, one of the candidates of the AES challenge, was based upon RC5.
227
228
CHAPTER 9 REMOTE ACCESS, SECURITY, AND ADDING SERVERS WITH SBS 2008
Asymmetric and Symmetric Encryption Completing the short discussion of encryption as a preamble for the discussion of remote workplace access, I’ll now cover the difference between asymmetric and symmetric encryption.
Symmetric Symmetric encryption is a simple form of encryption in which a secret code or key is shared between two different sources. The cipher is known by the sender as well as the recipient. And, using this cipher, the two parties can each look at their respective data and decode it using that cipher. It’s by far the oldest method of encryption and is a little insecure. This is because if a third party knows the key, that person can decrypt the data easily.
Asymmetric The more secure form of encryption is asymmetric. This form of encryption uses a public key and a private key to encrypt and decrypt the message. The public key is available to all users, while the private key is known only to certain users. The public key is used to encrypt, but it can be decrypted only by a private key. Figure 9.1 illustrates how the system works.
Figure 9.1 Private key encryption
Public Key Encrypts
“Hello, I am a message!”
Public Key Decrypts
“Hello, I am a message!”
@#$!@$#LKJIP@ !O#!FS–
VPNs
Methods of Access With Small Business Server, remote workers can use three methods to gain access to information stored on a remote server. These methods are a virtual private network, Remote Desktop Protocol, and the Remote Web Workplace. ◆
A VPN is the most common method of access, and it involves the placement of a computer within a virtual network created by either a server or a hardware device. Through a virtual network, a computer can act like it’s on the local area network through security mechanisms that are discussed in the next section, ‘‘VPNs.’’
◆
Remote Desktop Protocol (RDP) involves the access of your desktop over a TCP connection. Through a simple Internet connection, you can view the contents of a server or workstation without being physically present at the workstation. This is covered in the ‘‘Using Remote Desktop Protocol’’ section.
◆
The last method of access is called Remote Web Workplace (RWW). In the ‘‘Introducing Remote Web Workplace’’ and ‘‘Using Remote Web Workplace’’ sections, I’ll discuss this method and its uses within SBS 2008 and Essential Business Server 2008. Effectively, for this short summary, Remote Web Workplace is a web-based consolidation of all the aspects of remote access in one area.
VPNs A virtual private network is a logical extension to a physical network that is conducted over a wide area network link via TCP. In simple terms, all a VPN really does is simulate a person’s network location over a secure connection, no matter where they physically are. Commonly, virtual private networks are used by companies to give employees the ability to access secure information from home or from remote locations. Using a VPN, to the server, is just like being directly connected across a local area network. College campuses often use VPNs. For example, both the University of Texas and Texas Tech use multiple virtual private networks for their students and for the faculty who want to access the resources they keep inside their network. This is because it doesn’t make a lot of sense for just ‘‘anyone’’ on the Internet to have access to campus supercomputing resources or campus file servers containing information such as student records, student resources, and the like. Figure 9.2 shows a sample virtual private network that would work in almost any size business, large or small. The diagram shows local area network resources and additional clients connected through the Internet via WAN links. Here, the personal data assistants, laptops, and other computers can access the resources contained behind the firewall.
Types of VPNs With Small Business Server 2008, the typical virtual private network looks very much the same as what you see in Figure 9.2 from a topological standpoint. Machines that exist outside the network will be able to access resources from the inside the network across WAN links. The only difference is that with most small-business networks, the firewall or a dedicated SSL client normally doesn’t exist. Instead, the burden of authenticating the remote clients is laid at the feet of Small Business Server. To further explain, virtual private networks typically come in two forms: hardware based and software based.
229
230
CHAPTER 9 REMOTE ACCESS, SECURITY, AND ADDING SERVERS WITH SBS 2008
Hardware-Based VPNs With a hardware-based VPN, the authentication to a VPN via Secure Sockets Layer or some other form of encryption is executed by a dedicated hardware device, such as a WatchGuard firewall or a Cisco ASA device. These devices carry their own operating system (of sorts) and hardware dedicated to authenticating clients and remotely connecting them through some form of encryption. The advantage of hardware firewalls is that they are typically more secure and additionally relieve the burden of authentication from a server. The disadvantages of hardware firewalls are that they are expensive, require more setup, and can be somewhat more complicated to install on a small-business level, because you have to make sure that the hardware firewall can connect to all the small-business resources, which are typically controlled almost completely by one server (or at a maximum two servers).
Figure 9.2
LAN (Trusted Network)
Virtual private network L2TP VPN Microsoft Windows
VPN-1 Pro
IPsec VPN
Palm OS
Internet
Microsoft Pocket PC
IPsec VPN Clientless VPN via SSL
Microsoft Handheld PC Apple Macintosh Microsoft Windows
Additionally, most hardware firewalls come with their own VPN software. As a case in point, WatchGuard firewalls come with a special (and extremely secure) type of encryption called SSL remote authentication. Instead of using typical authentication, WatchGuard firewalls use a very complex certificate-based private key encryption that authenticates to the WatchGuard server and then allows external clients to connect. Many small businesses choose to implement a hardware firewall because of their need for enhanced security. Small businesses that may need this include law firms, banks, and financial institutions with sensitive data. However, the implementation of this is separate from SBS 2008, because SBS 2008 doesn’t actually communicate with a hardware firewall (although there are a few exceptions, such as firewalls that use LDAP to access Active Directory information); thus, you do not have the burden of setting a hardware firewall up.
VPNs
The lowest possible level of firewall you can attain is actually a simple router, such as a Linksys or D-Link router. You can pick one of these up at your local Best Buy or other major retail outlet. However, the tricky part is that you usually won’t see the word firewall anywhere on the device. And the reason for that is that a firewall is technically, well, just a router! Any router running Network Address Translation is technically a firewall because it blocks packets from being forwarded onto devices without specific entries into the NAT table to forward a packet from one server to another. The only real downsides to consumer-grade products are that they are slow, they don’t support a lot of features when compared to business-grade products, and some administrators think that they provide less security than a high-level firewall, which is fundamentally untrue. If you think a consumer firewall will do the job, pick one up!
Software-Based VPNs A software-based VPN implementation is where SBS 2008 comes into play. Using SBS, you can use an external authentication method over Active Directory that takes advantage of SBS’s internal ability to create a VPN connection and authenticate it using its own certificates, credentials, and security information. When budget is a concern (or you just want to get the job done quickly and easily), this is the option you will choose. And since I’m dealing with small businesses (read: frugal businesses), I’ll cover how to set up a small-business VPN with software firewalls.
When a VPN Is Really, Really Needed A small social network- and commerce-based company I consulted with once was developing a high-end application that was designed to take advantage of the plethora of information available via the Internet by allowing prices to be compared using its application. To develop it, the company sought to lower costs by consulting with programmers from India, who would work for dramatically lower rates than United States–based programmers, who often wanted wages in excess of $90,000 a year. Accordingly, the company needed to set up a system in which the programmers could access the local resources from the opposite end of the earth. And thus, the company decided to create a test network for the programmers who could accept VPN connections from the programmers. These programmers, using their own credentials, could log in to the server, work locally, and then choose to move the data securely from one location to another without compromising any security standards whatsoever!
Setting Up a VPN And now, the fun part: setting up the VPN! Just as a warning: port 1723 needs to be open on your firewall (both Windows Server and hardware) to allow clients into your VPN in order to authenticate. Once you’ve done that, the steps to set up the VPN are straightforward:
1. Launch Windows SBS Console. 2. Select the Network tab. 3. Select the Connectivity tab.
231
232
CHAPTER 9 REMOTE ACCESS, SECURITY, AND ADDING SERVERS WITH SBS 2008
4. In the main section, you will see the list of statuses. 5. In the right pane, under Tasks, select Configure A Virtual Private Network. This will launch the Setup Virtual Private Networking Wizard.
6. Select ‘‘Allow Users To Connect To The Server By Using A VPN,’’ and then click Next. 7. The system will configure virtual private networking on the server and configure your router as well. Note that your firewall or router must have PnP configuration enabled for SBS to configure it.
8. The Setup Virtual Private Networking Wizard will now start and attempt to configure your router/firewall. If the wizard completes successfully, a confirmation is displayed. If not, it will display a warning error. At which point, you’d need to make sure that the firewall/router was properly configured. Note that if there are any issues or failures in configuring the VPN or the firewall/router, details on the failures will be linked in the screen that pops up.
9. Once complete, you’ll need to enable the proper users and groups to utilize the VPN by adding them to the ‘‘Remote users’’ group in SBS 2008, as discussed in the next section. As you can probably tell, the Wizard has done a whole lot of actions here. It has enabled the VPN, created a packet filter through PPTP configured DHCP, and even set up remote access.
Enabling Groups to Use the VPN Once you’ve managed to set up the VPN using the SBS console, you’ll need to step into the world of Active Directory and configure your VPN. Because software VPNs are inherently a slight security risk (because you are, after all, opening a port on your firewall), Windows locks down the security mechanism used by the VPN by requiring it to authenticate to Active Directory. Thus, you need to make sure that Active Directory is ready to accept your clients. You can do this by following these steps:
1. Launch the SBS console. 2. Select Users And Groups, and then select the Users tab. 3. Select the user you wish to allow access rights to the VPN. 4. Open the Properties dialog box for the user, select Remote Access, and then click OK. Once you’ve completed these steps, your users will now be able to authenticate via the Windows SBS VPN. All in all, like most things in SBS, the process is pretty painless!
Connecting to the VPN Once you’ve set up your firewall and established your VPN setup connection for your clients to connect, you should be able to connect your clients to the server via VPN. SBS 2008 supports many different clients, including other server operating systems and Windows operating systems. Only legacy operating systems (such as Windows 95) will have difficulty connecting to SBS 2008 networking protocols; they may in fact work, but I haven’t tested that.
VPNs
On the client side, connecting to a VPN setup is fairly easy, but I’ll talk you through it via a sample Windows XP client. On a Windows XP workstation located in a remote location, complete the following steps:
1. Navigate to Control Panel. 2. Double-click Network Connections. 3. Click Create A New Connection in the top left. 4. Click Next at the Welcome To The New Connection Wizard screen. 5. Select the Connect To The Network At My Workplace radio button. 6. Select the Virtual Private Network Connection radio button. 7. Click Next. 8. Enter the name of your company (this is actually the name of the VPN connection, but the name of the company is generally a good convention).
9. Click Next. 10. Enter the WAN IP of your SBS 2008 server that has the firewall set to allow VPN connections.
11. Click Next. 12. Select My Use Only, and click Next. 13. Click Finish. The network will now show up in your network connections area. To connect to it, double-click it.
14. Enter your username and password on the SBS 2008 domain, and click Connect. The client will establish and then slowly connect. When you connect, several things occur: ◆
A DHCP address is assigned to be used by the SBS 2008 server (or other hardware device running DHCP).
◆
A remote gateway is established to route the traffic on the external WAN through the VPN. This allows you to navigate to the Internet as if you were connected locally.
What’s interesting about connecting via VPN to an SBS 2008 server is that the SBS DHCP service is designed to disable when another DHCP server device is detected on the network. This is a handy feature in some ways, because it prevents different DHCP servers from contesting agents attached to subnets within their scope. But it can be a little frustrating if you’ve added a client and the DHCP server isn’t running on your server, because the hardware device may not recognize it. Because of this, I strongly recommend enabling the DHCP server on SBS 2008 instead of your hardware device. When SBS 2008 is properly configured, the process of remoting into an SBS 2008 VPN is simple and completely transparent to the end user. If you don’t do this, you have to basically do all the DHCP, tunneling, and other connections yourself through external hardware and software, which is quite a pain.
233
234
CHAPTER 9 REMOTE ACCESS, SECURITY, AND ADDING SERVERS WITH SBS 2008
If you’ve set up everything properly on your network, your IPconfig output should look similar to this on your client side: PPP adapter Intellicorp: Connection-specific DNS Suffix Description . . . . . . . . . . Physical Address. . . . . . . . DHCP Enabled. . . . . . . . . . Autoconfiguration Enabled . . . IPv4 Address. . . . . . . . . . Subnet Mask . . . . . . . . . . Default Gateway . . . . . . . . DNS Servers . . . . . . . . . . NetBIOS over Tcpip. . . . . . .
. . . . . . . . . .
: : : : : : : : : :
Intellicorp No Yes 192.168.16.129(Preferred) 255.255.255.255 0.0.0.0 192.168.16.1 Enabled
Ethernet adapter Local Area Connection: Connection-specific DNS Suffix Description . . . . . . . . . . Physical Address. . . . . . . . DHCP Enabled. . . . . . . . . . Autoconfiguration Enabled . . . IPv4 Address. . . . . . . . . . Subnet Mask . . . . . . . . . . Lease Obtained. . . . . . . . . Lease Expires . . . . . . . . . Default Gateway . . . . . . . . DHCP Server . . . . . . . . . . DNS Servers . . . . . . . . . .
. . . . . . . . . . . .
: : : : : : : : : : : :
Intellicorp NVIDIA nForce Networking Controller 00-22-15-A1-CA-E9 Yes Yes 192.168.0.197(Preferred) 255.255.255.0 Monday, November 16, 2009 9:21:57 PM Thursday, November 19, 2009 9:21:55 AM 192.168.0.1 192.168.0.1 192.168.0.175 192.168.0.1 NetBIOS over Tcpip. . . . . . . . : Enabled
NOTE Note that there are two IP addresses now, instead of just one. This is because you have a dedicated IP address on your network card and on the virtual network.
Using Remote Desktop Protocol Remote Desktop Protocol is simultaneously the easiest way to access a remote machine and any decent administrator’s best friend. RDP is a TCP protocol that uses port 3389 to transport a user’s desktop from the physical computer across a network connection to another location. While using Remote Desktop, the physical desktop of the remote machine appears within a contained window of the desktop where the user is executing the program. Remote Desktop has been installed by default on all versions of Windows since Windows 2000. It’s relatively easy to use, and you can connect to the server relatively easily. To access your server via Remote Desktop, you need to navigate on the SBS server to Start, right-click Computer, and go to Properties. From there you can select Advanced System
USING REMOTE DESKTOP PROTOCOL
Settings. Of course, if you’re an advanced user, you can always do the really complicated thing — type Advanced System Settings in the Start bar. Isn’t Windows cool? In Figure 9.3, you can see the System Properties dialog box. On the Remote tab, you’ll have three options:
Figure 9.3 System Properties dialog box
Don’t Allow Connections To The Computer This will not allow any computer to connect to the SBS server. Allow Connections From Computers Running Any Version Of Remote Desktop (Less Secure) This will allow just about any version of Remote Desktop to connect to the computer. It’s ‘‘less’’ secure technically but secure enough for government work — literally. The only disadvantage is that you can’t use the encryption methods of higher versions of Remote Desktop. Allow Connections Only From Computers Running Remote Desktop With Network Level Authentication (More Secure) This allows a connection to the server using a secure network-level authentication method. This is the most secure method, but only a few versions of Windows support this.
Connecting to a Remote Desktop This exercise will show you a simple example of connecting with Remote Desktop. To connect via Remote Desktop, you will need to type Remote Desktop in Vista or Windows 7. This will bring up the screen shown here. Afterward, you can type the name of the server if you are on your local network or the IP address or FQDN of the server.
235
236
CHAPTER 9 REMOTE ACCESS, SECURITY, AND ADDING SERVERS WITH SBS 2008
This will open the authentication screen. Once you’ve authenticated, you will see the remote desktop you would normally see otherwise, as shown here. You can work within it as normal.
Introducing the Remote Web Workplace One of the new features implemented on Windows Small Business Server 2008 and Essential Business Server 2008 is the Remote Web Workplace. This feature comes by default with Small Business Server because it’s designed to alleviate a lot of the pain associated with accessing central information from locations a great distance. Using the Remote Web Workplace, users can access integrated features of the server, including the following: ◆
SharePoint
◆
Outlook Web Access
INTRODUCING THE REMOTE WEB WORKPLACE
◆
Server desktops
◆
Client desktops
Prerequisites To use the Remote Web Workplace, you need several prerequisites, most (but not all) of which are fairly common and set up by default. The prerequisites come in two forms: network and Active Directory. Network Requirements ◆
To access the Remote Web Workplace, you must forward the following ports: 80, 443, 987, and 3389.
◆
The browser must support and accept cookies.
Active Directory Requirements ◆
Users must be members of the Web Workplace Users group, or they must be Domain Admins.
Assigning Users Just like other aspects of access I’ll cover in this chapter, to access Small Business Server, you need to assign users to the appropriate group. In this case, it’s the Remote Web Workplace users. To do this, you can either use the SBS console or the Active Directory Users and Computers snap-in. Users may have to log in and log out to access these features.
Assign Users Access to Remote Web Workplace To add users to the group associated with the Remote Web Workplace, you can follow these steps:
1. 2. 3. 4.
Open the Windows SBS Console. On the navigation bar, click Shared Folders And Web Sites. Right-click Remote Web Workplace, and then click Manage Permissions. Click Modify.
5. In Users And Groups, select the user or group to whom you want to grant access. 6. Click OK.
Setting Up Access Setting up access for the Remote Web Workplace is relatively easy. First you have to enable the Remote Web Workplace, and then you have to navigate to it.
How to Enable Remote Web Workplace You can enable remote web workplace by following these steps:
1. Open the Windows SBS Console. 2. On the navigation bar, click Shared Folders And Web Sites.
237
238
CHAPTER 9 REMOTE ACCESS, SECURITY, AND ADDING SERVERS WITH SBS 2008
3. Click the Web Sites tab. 4. Right-click Remote Web Workplace, and then do one of the following: ◆
To enable the Remote Web Workplace so that users can remotely access network features, click Enable This Site.
◆
To prevent users from accessing the Remote Web Workplace, click Disable This Site.
Accessing Remote Web Workplace To complete the setup of the Remote Web Workplace, you need to make sure that port 80 on your router points toward the SBS server and that the Remote Web Workplace pool in IIS is functional. Once you’ve confirmed this, you will need to access the Remote Web Workplace through this URL: https:///remote This will open the Remote Web Workplace login, as you can see in Figure 9.4.
Figure 9.4 Intellicorp login
From there, you can access the Remote Web Workplace and all its features. Should you want to change the port through which SBS 2008 accesses it, you can change it by doing the following:
1. In the registry, navigate to HKLM/Software/Microsoft/Small Business Server/ RemoteUserPort.
2. Change the port value from 4125 to 4150.
USING THE REMOTE WEB WORKPLACE
Customize the Appearance of Remote Web Workplace Small Business Server 2008 allows you to customize the appearance of the Remote Web Workplace. If you’d like to do this, follow these steps:
1. Open the Windows SBS Console. 2. Click Shared Folders And Web Sites at the top. 3. Right-click Remote Web Workplace, and then click View Site Properties. 4. Click the Customization tab. 5. Do any of the following: ◆
To record the name of your organization, type the name in the Organization Name text box.
◆
To choose a custom background image, select an image in the list, and then click OK.
◆
To display your organization’s logo on the Remote Web Workplace home page, click Choose in the Home page dialog box, select an image in the list, and then click OK.
◆
Click Apply.
Enable or Disable the Remote Web Workplace Links List The Remote Web Workplace allows you to create a centralized link list. You can add this from the console by following these instructions:
1. Open the Windows SBS Console. 2. On the navigation bar, click Shared Folders And Web Sites. 3. Right-click Remote Web Workplace, and then click View Site Properties. The Remote Web Workplace Properties page appears.
4. Click Home Page Links, and then click Manage Links. The Remote Web Workplace Links List Properties page appears.
5. If it is not selected already, select the Enable The Remote Web Workplace Links List check box. In the Link sections, follow these steps:
1. Select the check box for each list section that you want to appear on the Remote Web Workplace home page.
2. Clear the check box for each list section that you do not want to appear on the Remote Web Workplace home page.
3. Click OK.
Using the Remote Web Workplace Now that you’ve set up the Remote Web Workplace and configured it how you’d like, you can start using it! Once you’ve accessed the Remote Web Workplace site, enter the username and credentials for an administrator account. Once you enter your credentials, you’ll be greeted
239
240
CHAPTER 9 REMOTE ACCESS, SECURITY, AND ADDING SERVERS WITH SBS 2008
with the Remote Web Workplace main screen. From here, you can access all your server’s services, as well as services relevant to your user account. You can see the main login in Figure 9.5.
Figure 9.5 Remote Web Workplace main login
In Figure 9.5, you can clearly see two buttons, one for checking email and one for accessing the internal website. If the user account you were logging into had a computer assigned to it, you would be able to access the computers via Remote Desktop with another button labeled Connect To Computer. So, the three buttons, in summary, do the following: Check Email Opens Outlook web access with single sign-on authentication Internal Web Site Opens the company website Connect To Computer
Starts the terminal services gateway server
Terminal Services Gateway I think I’ve probably used the phrase ‘‘one of the most powerful features of SBS 2008’’ at least 100 times, so I’ll spare you the use of that expression. Instead, I will say that my single favorite feature in SBS 2008 is that it integrates features from Windows Server 2008 into your small business that otherwise aren’t used by any but the largest organizations. This feature is the terminal services gateway. Remote Desktop Protocol actually takes advantage of the terminal services components of Windows Server 2008. A terminal service is just a service that enables you to remotely access portions of the computer from another computer (the terminal) and view them as if they were on your own desktop. An example of a terminal services connection is Remote Desktop. Through your remote computer, you can access a computer from far away as if it were right in front of you. On the large, corporate level, terminal services gateways are used to connect to different computers running terminal services from a far distance. For example, you could use a terminal services gateway to serve as a focal point to access your whole organization. Instead of having to remember 100 different server names an IP addresses, you can instead just connect to the terminal services gateway and then choose the computer that you need to access. With SBS 2008, this feature is implemented in the Remote Web Workplace. Using the Remote Web Workplace, you can click the Connect To Computer button and access any computer within your small business that you assign access to.
CUSTOMIZING REMOTE WEB WORKPLACE
The Remote Web Workplace Gadget When you connect a Windows Vista or Windows 7 computer to a SBS 2008 computer, SBS 2008 will install a nifty gadget into the desktop by default. This is the SBS 2008 Remote Web Workplace Gadget. This gadget, shown in Figure 9.6, allows you to access areas of the Remote Web Workplace with just a simple click. One touch, and you’re at Outlook Web Access or connecting to a computer.
Figure 9.6 SBS 2008 Remote Web Workplace Gadget for Vista/Windows 7
Additionally, as you can see from the figure, there is an administrator-only section of the gadget that will connect you to SBS 2008’s administrator area for Small Business Server.
Customizing Remote Web Workplace From within the SBS console, you can select Shared Folders And Web Sites and then select Remote Web Workplace by double-clicking it on the Web Sites tab. This will bring up what you see in Figure 9.7, which gives you several options to choose from: ◆
General
◆
Permissions
◆
Home Page Links
◆
Customization
◆
Advanced Settings
In particular, under Home Page Links, you’re presented with a lot of options, as you can see in Figure 9.8. Here, you can decide whether you want the following links to appear: ◆
Check E-Mail (whether or not OWA opens)
◆
Connect To Computer (Remote Desktop Access)
◆
Internal Website (which is a SharePoint Services website)
◆
Change Password (which is useful if you’re remote)
◆
Connect To Server
◆
Help
◆
Remote Web Workplace Link List
241
242
CHAPTER 9 REMOTE ACCESS, SECURITY, AND ADDING SERVERS WITH SBS 2008
Figure 9.7 Remote Web Workplace Properties dialog box
Figure 9.8 Remote Web Workplace home page links
THE BOTTOM LINE
The Bottom Line Deploy a second server to your environment A second server in your environment allows you to offset common tasks, such as adding SQL Server to a dedicated environment. Master It Set up a second server to offset a dedicated application from your SBS 2008 server. Set up Remote Web Workplace access Remote access, in all its forms, is a critical part of your infrastructure. Through it, you can enable your employees to access the system resources from a distance. The Microsoft-recommended method is to set up the Remote Web Workplace, a website that consolidates all the remote components of Windows access. Master It Set up the Remote Web Workplace, and add a computer to the access pool that you can access via the Remote Web Workplace site. Set up a VPN connection Virtual private networks allow you to connect to your SBS server through a secure channel that allows you to communicate with your network resources as if they were locally available. Using a VPN allows to be safe, secure, and efficient. You should know how to enable this for your users. Master It Set up a simple PPP VPN network connection and nest one of your security groups (Ex. the Sales security group) inside the remote access users. Attempt to connect.
243
Chapter 10
Configuring Exchange Server 2007 for Small Business Microsoft has included with Small Business Server (SBS) 2008 what many consider to be its flagship product: Microsoft Exchange Server 2007. The version that is included with SBS 2008 is called Microsoft Exchange 2007 for Small Business. It is a lighter-weight but still extraordinarily powerful messaging system that — like its bigger brother, the full-blown edition of Exchange Server 2007 — provides a messaging system for your environment that sends email, filters spam, allows the creation and propagation of contacts, and integrates directly into Active Directory to provide an elegant email solution for your environment that uses preexisting accounts to send and receive email to/from external or internal locations. Microsoft Exchange Server is a messaging service that takes advantage of the Simple Mail Transfer Protocol (SMTP) to send messages back and forth across the Internet and within intranets. A properly functioning Exchange Server can process millions of emails and other message types per day, as well as keep track of calendars, tasks, and other critical office roles that are used by every business on a day-to-day basis. Of all the Microsoft products, Exchange Server is considered by many to be the most complicated and most troublesome to maintain. This is because Exchange Server has many different components, and each of these components needs to be functioning properly in order to send, receive, and store email within your small business. In this chapter, you will learn to ◆ Understand the components of Exchange Server ◆ Understand Exchange Server roles
Limitations of Exchange Server for Small Business According to Microsoft, ‘‘Essentially there are no limits to the Exchange Server 2007 Standard Edition database size. By default, Exchange 2007 SP1 sets a limit of 250GB that can be changed if needed.’’ It’s also important to note that you can have up to five storage groups with a maximum of one database per group, meaning that you can have up to five databases. And in normal small-business operations, this is more than enough. In fact, most standard small-business Exchange installations use two at the most. This is because in a standard SBS 2008 installation,
246
CHAPTER 10 CONFIGURING EXCHANGE SERVER 2007 FOR SMALL BUSINESS
two storage groups (two databases) are used by default. As with all aspects of computing, the exact speed and performance of your database depends upon your central processing unit, the amount of memory, the disk I/O, and a number of other components.
SMTP To understand how Exchange works, you need to learn how Exchange factors into SMTP and the roles that make Exchange work. First I’ll talk about SMTP. SMTP is an Internet standard that is used to send email across IP networks. Originally, SMTP was defined in RFC 821 and was used in conjunction with the Post Office Protocol (POP) or the Internet Message Access Protocol (IMAP). Later in this chapter, I will discuss both of these protocols in much more detail. For now, I’ll just say that SMTP is a text-based protocol that transmits over a TCP connection. It’s initiated by a series of four processes: Opening During this phase, the email message is opened and verified to be placed into the proper SMTP format. Operating parameters exchanged The SMTP message is opened and analyzed, and its parameters are exchanged with a server. Recipients specified The location of the recipient of the email is verified, usually through a DNS query for a mail exchanger (MX) record. Transferred
The message is transferred via an email-relay server.
In almost all implementations, SMTP uses TCP port 25 to make a connection. Usually, this means that offices have an inbound policy and an outbound policy on port 25 to their Exchange Server. At the small-business level, this means you should add an exception to your firewall that allows traffic into and out of port 25 so that mail can flow properly. If mail is set up properly, SMTP will allow mail to be transported between two mailboxes. On some occasions, SMTP will not even have to use an external port, because mail is often transferred within the same domain. As an example, consider the following line-by-line example of the communication between a client in the intellicorp.com domain and the SMTP server in the intellicorp.com domain: Server: Client: Server: Client: Server: Client: Server: Client: Server: Client: Server: Client: Client: Client: Client: Client:
220 smtp.intellicorp.com ESMTP Postfix HELO smtp.intellicorp.com 250 Hello relay.intellicorp.com, I am glad to meet you MAIL FROM:<[email protected]> 250 Ok RCPT TO: 250 Ok RCPT TO: 250 Ok DATA 354 End data with . From: "Steve Johnson" <[email protected]> To: Tom Carpenter Cc: [email protected] Date: Mon, 21 July 2009 12:00:00 -0500 Subject: Mastering Small Business Server SMTP example
SMTP
Client: Client: Hello Tom, Client: This is a test message I am sending for all the people that are reading this book and loving it! Client: Thanks, Client: Steve Client: . Server: 250 Ok: queued as 12345 Client: QUIT Server: 221 Bye {Close Connection}
In this line-by-line example, a server receives a request from a client identifying itself as [email protected] via the relay.intellicorp.com relay agent. (Once we get into relay agents, transport roles, and so forth, later in the chapter, this will begin to make a bit more sense. But for now, try to follow along line by line.) In this example, an email message is requested to be sent to Tom Carpenter at the address [email protected]. The client then transmits all the data. This includes the To field, Cc field, date, subject, and body. Once the client sends all the data, the server then tells the clients, ‘‘OK, I’ve queued the message to send out. Goodbye.’’ And this, in a nutshell, is how SMTP works. It sends email through relays, which get sent to servers, which queue the message to be sent. When you boil it down to those few steps, it’s fairly simple. At the small-business level, you sometimes run into problems with SMTP because it is too simple. Let me explain what I mean with a real-life example. Say you’re a small-business owner for intellicorp.com. You rent a small facility in the middle of Arkansas, and you have five employees who you know and trust. You and your five employees spend most of your day creating quotes and sending proposals to prospective clients in the hope that you can generate business. And since you use Microsoft Exchange, when you email these messages, Exchange sends them through SMTP to your recipients. As you’ve seen, the process is fairly simple. But what may very well happen is that you might receive a message from an email provider that says something like this: The IP you’re using to send mail is not authorized 550-5.7.1 to send email directly to our servers. Please use the SMTP 550-5.7.1 relay at your service provider instead. Learn more at 550 5.7.1
In other words, you receive an error that looks rather unfriendly and reads a lot like stereo instructions. Situations like this happen at the small-business level because SMTP is so simple that spammers often use it to send out mass emails from numerous IP addresses. Think about it. Say you’re a major email provider such as Google, Yahoo!, or MSN. You send and receive billions of emails through thousands of servers. What would happen if you allowed anyone to send emails to your servers? You’d probably quintuple the amount of emails you send. With the ease of deploying an SMTP server through something like Exchange or Linux, large email providers have gotten to the point that they usually require any server running SMTP to use reverse DNS. Reverse DNS is a method used by IPv4 and IPv6 to map an Internet address to a known domain. Say, for example, the IP address for my SMTP server is 10.0.0.1 on my LAN but 34.96.230.111 on the Internet. If I knew my WAN address was 34.96.230.111 on the Internet, I would have to register this IP address with my Internet service provider, which would make a notation in its tables that this IP address is a known IP address for the
247
248
CHAPTER 10 CONFIGURING EXCHANGE SERVER 2007 FOR SMALL BUSINESS
intellicorp.com mail server. And thus, the major clients like Gmail and MSN would know that I’m not just some spammer who set up an SMTP server to send email ad nauseam but that I am instead a legitimate business. This small problem with SMTP is a very minute example of what can go wrong with an Exchange Server setup. It can be rather complicated. Today, so much email is sent out containing viruses and spam that businesses have to be especially careful. Otherwise, they can either inadvertently list themselves as a spammer or stop receiving email altogether. Now that you understand how SMTP works, you can dive into the actual roles that Exchange plays. In the following discussion, I’ll refer to each role’s general function, as well as its functions in both Small Business Server 2008 and in a full-blown Exchange Server environment, because the two are so closely related. The five roles of Exchange Server 2007 are Hub Transport, Mailbox, Client Access, Unified Messaging, and Edge Transport. I’ll discuss each of these now.
The Hub Transport Server Role The first role I’ll discuss is the Hub Transport server role because this role is required in every single installation of Exchange Server 2007 and plays one of the most critical roles in the environment. Within Exchange Server, the Hub Transport role is responsible for mail flow, categorization, routing, and the delivery of email messages. In effect, you can think of the Hub Transport role in much the same way as its name implies. It serves as a hub, because all messages are sent through it, and it is a transport, because it categorizes, routes, and delivers the email associated with it. The Hub Transport server role also contains two monitoring agents that you need to be familiar with to understand how the Hub Transport server processes mail flow. These two agents are the Transport Rules agent and the Journaling agent.
Mail Flow Before a message is sent inside or outside an organization, it passes through the Hub Transport server role and is routed to the right place. In effect, this means that if the Hub Transport server role is broken, your users will not be able to send or receive email at all — and that is really bad. This serves as a good troubleshooting point for your organization. If you’re experiencing problems with your mail flow, chances are that the issues lie within your Hub Transport server. This is sometimes hard to detect at the small-business level. Small Business Server will not suddenly send out a screaming error message if mail flow stops. Instead, you have to troubleshoot the problem as it occurs. On the other end of the mail flow spectrum, when a message is received by Exchange Server, the Hub Transport server role is called on to analyze the message and categorize it.
Categorization Categorization in mail flow refers to the process of performing recipient resolution, routing resolution, and content conversion on all messages that are sent through Exchange Server. The portion of the Hub Transport server that does this operation is called the categorizer. The categorizer determines what to do with a message based on its recipients. For example, say an email is received for the [email protected] address, which points to a distribution list that includes all the users of the domain. The categorizer would query the full information of the recipients and use it to apply policies, route the message, convert the content to a format that can be understood by Exchange Server, and place the email
THE HUB TRANSPORT SERVER ROLE
in the appropriate mailboxes. As you might imagine, the categorizer can start to get a little busy. For example, if your Exchange Server receives all emails to a distribution list that contains 50 people, this means it has to perform 50 actions for each email sent. And if you receive a couple thousand emails a day to that list, it adds up to a pretty good amount of work. Some of this work is alleviated by the fact that the Hub Transport server is attached to an Exchange Server store that is attached to a mailbox. This means that, most of the time, Exchange can receive a message sent to a distribution list and then place the message into the recipient’s mailbox store. Or, if it needs to, it can use SMTP to send messages to another transport server that contains the store of the user. This leads to a process in email called routing.
Routing Routing with email is not the same as routing with IP packets. IP packets in IPv4 and IPv6 are passed through a series of routers that use various routing protocols to pass the packets around to their ultimate destination. With email, messages are routed but through different Hub Transport servers and relays to reach their ultimate destinations. The Hub Transport server looks at the message, determines where it should go, and places it in an outbound queue to be delivered to the specified location. This applies whether an email is being sent internally or externally. This means that if any of your clients in a small business send an email, they’ll technically talk to their Outlook client, which is connected to their Exchange Server, which will talk to the Hub Transport role, which will queue the message to be sent. At the end of the day, all that matters is that they’re sent, period. Delivery, however, is a bit more of an involved process.
Delivery The final purpose of the Hub Transport server role is the delivery of email within your Active Directory forest. Within your small business, your clients will be connected to your Exchange Server through an Outlook client. This Outlook client will have two important boxes: ◆
Inbox
◆
Outbox
The inbox will connect to the recipient’s mailbox store on your Exchange Server. The outbox will be picked up by the store driver on the Exchange Server and put into the submission queue by the Hub Transport server. The Hub Transport server will also apply any transport rules, journaling policies, or communication with an Edge Transport server (although you would not have one of these in a small-business environment). Since you won’t have an Edge Transport server, the Hub Transport server will relay Internet messages directly. Additionally, the Hub Transport server will provide antispam and antivirus protection for an organization, though not as effectively as a full-blown program such as Ninja Blade or Barracuda. The choice of whether to implement a hardware mail filter is a tough one, and it depends a lot on the kind of work that your company is doing and how exposed the company is to spam. The amount of spam you receive and how that spam is filtered is based partially on how large your organization is and partially on how easily spammers can ‘‘see it.’’ The latter is much more important. As a case in point, a law firm will usually receive 20 to 200 times as much spam per employee as a carpentry store. This is because lawyers’ email addresses are exposed in numerous areas, including on websites, in newsletters, and, in the case of cheesy personal injury lawyers, on the sides of buses. This means that the address is more exposed and thus receives a lot more bulk mail.
249
250
CHAPTER 10 CONFIGURING EXCHANGE SERVER 2007 FOR SMALL BUSINESS
You will know it’s time to implement a hardware filter either when you simply receive too much spam for your hub transport or software-based filter to block or when the amount of email you’re receiving is bogging down Exchange Server. Moving on, messages within an organization are sent in one of three ways: ◆
SMTP
◆
The store driver connected to Exchange Server
◆
The Pickup directory
I’ve already discussed how SMTP works, as well as the store driver that contains the Exchange Server store, which contains mailboxes. The Pickup directory is used in Microsoft environments to test mail flow. Using the Pickup directory, you can use the Set-TransportServer cmdlet (pronounced ‘‘commandlet’’ — a feature that users can take advantage of with PowerShell) to make several configuration changes, including the following: ◆
Enabling/disabling the Pickup directory
◆
Specifying the location of the Pickup directory
◆
Placing a cap on the maximum header size
◆
Specifying a maximum number of recipients accepted by the Pickup directory
◆
Specifying a maximum file processing rate
Transport Rules Agent This agent runs on the Hub Transport server and allows you to set rules, conditions, and actions for your hub transport. This lets you specify users, distributionlists, and specific connectors that define what happens if a predefined setting occurs. For example, if you set up the Transport Rules agent to use a specific SMTP relay to send to the [email protected] email address, you could set a transport rule to offset the burden of sending email to [email protected] to that relay agent, instead of your server.
Journaling Agent The Journaling agent provides your organization with the ability to record email messages sent to or received by your organization. With the new government regulations in place for email that is sent or received across various networks, journaling has become much more common. I discuss the Journaling agent in more detail later in this chapter, and I cover how to set up journaling in the next chapter.
The Mailbox Server Role Within any Exchange network, servers that contain the Mailbox server role are responsible for holding the user mailboxes in your environment, which contain mail, public folders, calendar dates, and tasks related to your users in Active Directory. In addition, the Mailbox server contains the offline address book. The Mailbox server communicates directly with Active Directory on many levels. Specifically, the Mailbox server role communicates with the following: ◆
The Hub Transport server
◆
Active Directory
THE MAILBOX SERVER ROLE
◆
The Client Access server
◆
The Unified Messaging server
◆
Outlook (on the client side only)
Don’t be alarmed that I haven’t yet covered these topics. Chances are that you’ve used Outlook before. But, just in case you’re not familiar with it, Outlook is a client-side email program that is used to send and receive email. Small Business Server comes with a license for Outlook that enables you to install it on your client machines to receive email. You can learn more about Outlook by visiting Microsoft.com or just by installing it on your own machine. It doesn’t require Exchange Server — you can use it with almost any email provider. I’ll discuss the servers mentioned in the previous list later in this chapter. How the Client Access and Unified Message servers fit into the Mailbox server is important, but I won’t go over their roles in the organization until you’re good and ready and, more importantly, after I’ve explained everything about the Mailbox server. Just like any part of Exchange Server, the Mailbox server integrates with Active Directory directly. This comes in really handy with Small Business Server, because whenever you create a user account, a mailbox is automatically created in your Mailbox server for that user. This means that for every account you have in your business, the Mailbox server is already prepared to receive, alter, and delete email for the account. What’s interesting about having Exchange roles in SBS 2008 all on one server is that the Exchange Server roles still communicate to each other as if they were separate entities. Surprisingly, they still communicate using the protocols that they would use if they were installed in different locations on the network. However, the Mailbox server almost always uses the Messaging Application Programming Interface (MAPI) to communicate.
MAPI MAPI is a messaging architecture and component object model API that enables messaging. Exchange Server 2007 uses MAPI in combination with Remote Procedure Call (RPC) to establish connections between Exchange Server and Microsoft Outlook. Technically, MAPI completely controls the messaging system on a client computer. When coupled with Exchange Server, MAPI forms a proprietary connection that almost instantly processes mail back and forth between client and server. Technically, using MAPI, a Mailbox server processes mail and communicates with the rest of your Exchange Server architecture by doing the following:
1. MAPI queries Active Directory. 2. The Mailbox server transfers the outbox message from the Mailbox server to the Hub Transport server.
3. The Client Access server sends a request to the Mailbox server and returns data from the Mailbox server to clients.
4. The Unified Messaging server retrieves the information for the client. At the small-business level, the Mailbox server is the portion of the Exchange Server architecture that you use to store all of your emails and the actual data associated with your messaging infrastructure. If you ever find that you’re having issues with actual email data or with retrieving said data from points in your environment, you can look toward the Exchange Server mailbox store to troubleshoot these issues. However, for access issues, you might look toward the next point in the infrastructure — the Client Access server role.
251
252
CHAPTER 10 CONFIGURING EXCHANGE SERVER 2007 FOR SMALL BUSINESS
The Client Access Server Role Now a required feature in the Exchange Server infrastructure, the Client Access server role is designed to allow your Exchange Server to be highly accessible by multiple clients through various connection methods, including the following: ◆
Outlook Web Access
◆
Exchange ActiveSync
◆
POP3/IMAP4
By default, whenever you install SBS 2008 and include Exchange Server, Exchange Server 2007 for Small Business will automatically provide your user accounts with Outlook Web Access, the ability to hook up mobile devices through ActiveSync, and alternative connection methods like POP3 and IMAP. I’ll first go over POP3 and IMAP4, and then I’ll talk a little bit about Outlook Web Access and Exchange ActiveSync.
POP3 POP3 stands for Post Office Protocol version 3, and it is an application layer protocol to retrieve email via the Internet. Using POP3, clients can query a server for new email, which will be retrieved but not sent via the TCP/IP protocol. An advantage of POP3 is that it has been around for a long time; an disadvantage is that, by default, POP3 will completely remove email that it has accessed before by deleting it, or it will skip it and most likely never download it again. At the small-business level, you may use POP3 for clients that do not support Exchange MAPI protocols natively. This includes Linux or Unix machines that do not ‘‘speak Microsoft’’ with complete fluency. In case you have to support them, you can enable POP3 access to email and provide them with a known method to access their messages.
IMAP4 One of those acronyms that never seems to be written out, IMAP stands for Internet Message Access Protocol. It is the second of the two email access protocols frequently used by system and network administrators. IMAP is a more complicated, and generally more advantageous, method of email access that allows multiple users to be connected to the same web email account at the same time. In most multiplatform environments, the administrator will choose to enable IMAP instead of POP3, because it’s a little more powerful and has a lot of advantages, such as server-side searches and the ‘‘copy’’ email function. However, since this chapter is mostly about Exchange Server and not alternative protocols, I will conclude this discussion of it to simply say that IMAP is a nice alternative for clients that either do not support Outlook or would like to use an alternative email access client.
Outlook Web Access In my humble opinion, Outlook Web Access (OWA), which is one of the major components of the Client Access server, is basically the neatest thing since sliced bread. Included with Small Business Server 2008, Outlook Web Access allows your clients to gain direct access to their mailbox store via a web application that looks, acts, and feels just like Outlook through the Web.
THE UNIFIED MESSAGING SERVER ROLE
Accessed through the HTTPS protocol, Outlook Web Access is a graphically enabled web portal through which users in your organization can access their email when not on a familiar computer. Using their standard credentials that are issued through Active Directory, a user can log in through the Outlook Web Access program and feel just like they’re on their home computer. One advantage of the newest version of Outlook Web Access with Small Business Server 2008 is that Microsoft Windows SharePoint Services and the universal naming convention (UNC) share integration. Furthermore, OWA has been slimmed down enough to where it is extremely fast — so fast, in fact, that it can load on mobile devices at almost-instant speeds. And if that isn’t enough, mobile devices can use ActiveSync.
ActiveSync Simply put, ActiveSync is the syncing technology that allows mobile devices to connect to desktop computers and retrieve information from their mailbox stores. This includes email, contacts, calendar information, and tasks. ActiveSync needs to be installed on the mobile device and the client syncing the device. By default, Group Policy will allow devices to sync, but you can turn this feature off.
Standardization With client access, many different users can access the server in many different ways. Thus, it’s important to pick a standard that all your users can use throughout different points of your organization. For instance, internally, you could have all clients only use Outlook with MAPI. This allows you to make sure that no clients are using a less common email retrieval format such as POP3 that will delete their inbox. This way, if you have any trouble with mail flow, you should be able to troubleshoot it a lot easier, because you’ll know what your clients are using to access their email.
The Unified Messaging Server Role The last major portion of the Exchange infrastructure is the Unified Messaging server role. This portion of Exchange allows your Small Business Server to be integrated with the following: ◆
Voice over IP (VoIP): Making phone calls or using voice communication over the Internet Protocol
◆
Visual Voicemail with Outlook: Receiving voice mails through Outlook by clicking them like in Windows Media Player
The Unified Messaging server isn’t commonly used at the small-business level because setting it up requires a lot of familiarity with high-level (in other words, enterprise-level) messaging architectures. However, with the Unified Messaging server properly set up, you can see voicemails in Outlook and manage a VoIP gateway directly with your Small Business Server.
253
254
CHAPTER 10 CONFIGURING EXCHANGE SERVER 2007 FOR SMALL BUSINESS
Access vs. Security The amount of security a small business chooses to implement depends a lot upon the nature of the business and the people who own it. Some small-business owners are especially cautious of their security, because they’re the sole proprietor of their operation, while others are more carefree. Regardless, as a system administrator, consultant, or business owner, you have to decide how much access mandates the need for security. Say, for example, you want to leave the default settings on your SBS for client access. This allows the following: ◆
Outlook Web Access
◆
Exchange ActiveSync
◆
POP3/IMAP4 (although you must start the services)
Let’s take a look at these one at a time. You’ll find that, surprisingly, each of these default options leaves a security risk. Outlook Web Access Quite possibly the most convenient feature on the list, Outlook Web Access allows the veritable ‘‘front door’’ to be open to your small business. Granted, you still need a username and password, but the exposure of easy access to your Exchange Server’s mail store data allows your business to now be consistently exposed to random password guessing and other attempts of fraudulent access. And this can be very bad. Say, for example, a user had a password like simple1!. It wouldn’t take long for someone truly malicious to guess this password. Or, god forbid, if you had a password policy that actually allowed the word password to be used for a password, that wouldn’t take long to guess at all! Exchange ActiveSync ActiveSync allows users to possibly possess emails, even after termination, that could promote risk and exposure to the company. But even worse than that, having ActiveSync enabled with the default settings means that PDAs can not only sync for email but also transfer files from any shared folders on their server or the local computer to their mobile device. This is very dangerous. In fact, the risks involved have even been shown in movies — unbeknownst to the protagonist, a secret spy in an organization attaches a thumb drive to the local server and downloads all the precious data used to bring down the United States in the latest terror attack. Obviously, at the small-business level, you don’t deal with anything quite that extreme (which is a relief), but this PDA problem still applies. Enabling ActiveSync and leaving all the settings on by default also enables removable devices to receive a ‘‘write’’ policy. When this is active, they can copy anything they can access! POP3/IMAP4 By default, Microsoft Exchange comes with IMAP4 and POP3 installed. However, the services for each have to be manually started by an admin. If you choose to start these, you have to be aware that this allows a couple different ports to be opened on your firewall and allows other types of clients to try to listen in on those ports and intercept mail messages. It’s a small risk but still a risk.
JOURNALING
The Edge Transport Server Role In a large environment, Exchange Server 2007 will implement an Edge Transport server. With Small Business Server, you can’t set up this role because it involves the use of multiple servers (usually more than three to do it efficiently). Edge Transport servers sit in front of the firewall in a perimeter network and transfer mail requests from the outside world to the Hub Transport server. Because it’s a critical role of Exchange and it’s built into Exchange Server 2007 on any given install, this role does occur in SBS, but it’s transparent and not visible to the end user. Thus, with SBS, you can’t set up an Edge Transport server role. However, you still need to know that this process is ongoing.
Journaling With all versions of Exchange Server 2007, including the small-business version, Exchange Server supports the ability to journal email messages. Journaling is, in Microsoft’s words, ‘‘the ability to record all communications, including e-mail communications, in an organization for use in the organization’s e-mail retention or archival strategy.’’ A closely related function to this is this email archiving, which is the process of storing Exchange data somewhere in a backup location. The two are related, but the only one specifically supported by Microsoft Exchange Server is the process of journaling, or keeping a record of all messages processed by Exchange Server in some manner. Whether a business implements journaling is entirely up to the business in question. It is not enabled by default in Exchange Server, and the setup menu is not readily apparent during your initial install. Journaling is normally implemented by businesses in industries that are regulated, such as the financial industry, insurance, health care, commodities and exchange trading, or another industry that requires government or third-party oversight. In some cases, organizations are required to keep every email sent to or from a company for up to seven years. Imagine, just for a moment, the amount of email and records that could be. Even in small businesses, we sometimes see clients easily sending up to 10,000 messages per day, perhaps even more. That can add up to more than 2 million email messages that have to be recorded.
Common Regulations Throughout a business, different levels of regulations apply at different levels. For example, although the accountants and lawyers in a small CPA firm may have to keep the full seven years of email required by the government, the IT guru who installs and uninstalls their network may not have to apply the same rigorous standards to the rest of the company. Really, it all comes down to what specific regulation applies. The following are a few common regulations that Microsoft recognizes in its documentation on journaling: Sarbanes-Oxley Act of 2002 (SOX) This is a U.S. federal law that requires the preservation of records by certain exchange members, brokers, and dealers. Security Exchange Commission Rule 17a-4 (SEC Rule 17 A-4) This provides rules regarding the retention of electronic correspondence and records. National Association of Securities Dealers 3010 and 3110 (NASD 3010 and 3110) The NASD requires that member firms establish and maintain a system to ‘‘supervise’’ the activities of
255
256
CHAPTER 10 CONFIGURING EXCHANGE SERVER 2007 FOR SMALL BUSINESS
each registered representative, including transactions and correspondence with the public. Also, NASD 3110 requires that member firms implement a retention program for all correspondence that involves registered representatives. These regulations affect primarily brokers/dealers, registered representatives, and individuals who trade securities or act as brokers for traders who are subject to the regulations. Gramm-Leach-Bliley Act (Financial Modernization Act) This is a U.S. federal law that protects consumers’ personal financial information held by financial institutions. Financial Institution Privacy Protection Acts of 2001 and 2003 These laws amend the Gramm-Leach-Bliley Act to provide enhanced protection of nonpublic personal information. Health Insurance Portability and Accountability Act of 1996 (HIPAA) This is a U.S. federal law that provides rights and protections for participants and beneficiaries in group health plans. Uniting and Strengthening America by Providing Appropriate Tools Required to Intercept and Obstruct Terrorism Act of 2001 (Patriot Act) This is a U.S. federal law that expands the authority of U.S. law enforcement for the stated purpose of fighting terrorist acts in the United States and abroad. There are actually many more regulations than these. Also, this brief summary should in no way be considered legal advice on securing your network. The only person who can tell you how to lock down the journaling and archival strategy for your small business is a lawyer.
The Journaling Process In Exchange Server 2007, the journaling process is accomplished using the Journaling agent, a process that runs on your Hub Transport server in one of two modes: Standard journaling When standard journaling is enabled, the Exchange small-business server records all messages passed through a particular mailbox in the mailbox store that you as the administrator have chosen. By default, standard journaling operates only on the mailboxes you choose and won’t just archive the entire mailbox store. Instead, it’s based on the recipient, and it can’t be replicated throughout your server, because it’s defined by what the Journaling agent calls a journal rule scope, in other words, what the journaling agent is assigned to cover. Premium journaling Premium journaling requires an Exchange Enterprise license and thus can’t be completed with Small Business Server 2008. However, for the sake of completeness, Journaling agents with Exchange Server 2007 that run premium services allow users to create journal rules for a single mailbox or for groups that behave based on finite rule sets. When you enable standard journaling on a mailbox store, this information is saved in Active Directory and is read by the Journaling agent. Journal rules configured with premium journaling are saved in a similar manner.
The Exchange Management Console With SBS 2008, the Exchange Management Console (EMC) is your central administrative focus point for the control of the Organizational Configuration, Server Configuration, and Recipient Configuration areas of your Exchange Server. To access the EMC, you can type Exchange Management Console in the server Start bar. This will load the MMC you see in Figure 10.1.
THE EXCHANGE MANAGEMENT CONSOLE
Figure 10.1 The Exchange Management Console
As you can see from Figure 10.1, the EMC has several distinct sections, all of which have names. The first of these sections, shown in Figure 10.2, is the console tree. The console tree is the area where you can select the portion of the Exchange Server that you want to administer. By expanding the Organizational Configuration area, you’ll have access to the Mailbox, Client Access, Hub Transport, and Unified Messaging components as they apply to your organization (based on what you’re using). By expanding Server Configuration, you’ll have access to the components that are installed on your Exchange Server, which in Figure 10.1 is all of them — Mailbox, Client Access, Hub Transport, and Unified Messaging. Lastly, under Recipient Configuration, the console will show recipient mailboxes, distribution groups known to the Exchange Server, a mail contact list, and any known disconnected mailboxes. The Actions pane, shown in Figure 10.3, directly relates to the console pane; anything selected within the console pane will immediately change the options in the Actions pane. If you pick something in your section in the console pane, the Actions pane will adjust the result pane to show you the options available (see Figure 10.4). The result pane also displays results based upon which of the options you pick in the console pane. You can also filter results that you receive by using the Create Filter button — which is handy if you receive a ton of results when selecting a populated area (an area with a great deal of messages) of your Exchange Server. The last pane in the EMC is the work pane, where all the work takes place! The work pane is below the result pane and is where you can refresh any decisions you’ve made, as well as choose to alter the objects you’ve selected in the work pane. There is almost always a Properties button, as well as a list of key modifications you might like to make regarding the server and its components.
257
258
CHAPTER 10 CONFIGURING EXCHANGE SERVER 2007 FOR SMALL BUSINESS
Figure 10.2 The console tree
Figure 10.3 The Actions pane
Figure 10.4 The result pane
Learning to use the EMC is a bit of a fine art. It takes a little time and some practice, but it’s not that bad. On the high end, many administrators make their entire livings administering just Exchange Server and no other portions of Active Directory. The EMC is a power tool, and over the next few exercises and sections of this chapter, you’ll learn a lot more about it. First I’ll talk about one of the features you won’t use much in this chapter, just to get it out of the way: the Toolbox.
THE EXCHANGE MANAGEMENT CONSOLE
The Toolbox In Exchange Server 2007, the Toolbox provides diagnostic and troubleshooting tools to troubleshoot Exchange. This includes tools like the Queue Viewer (used to see messages that need to be processed), as well as other independent tools. By default, these tools are organized into three distinct sections: ◆
Disaster Recovery
◆
Mail Flow
◆
Performance
Disaster Recovery The Disaster Recovery section of the Toolbox comes with two form-based database recovery tools — the Database Recovery Manager and the Database Troubleshooter. Each of these tools is fairly easy to use, because you just have to answer a couple questions, but they’re very important if something happens to your database. They contain a lot of automated tools to fix common occurrences within your database, even recovering from a complete disaster. All you have to do is double-click, answer the questions, and move on with your administrative life.
Mail Flow Mail flow analysis is probably the single most important part of the Toolbox. It includes four tools: MailFlow Troubleshooter, Message Tracking, Queue Viewing, and the Routing Log Viewer. MailFlow Troubleshooter and Message Tracking Like the Disaster Recovery and Performance sections of the Toolbox, the Mail Flow section of the Toolbox includes two form-based tools to analyze mail flow problems and track messages. And just like the other two, all you have to do is answer a few questions. You’d want to use the MailFlow Troubleshooter and Message Tracking tools if you have a problem with mail either not being sent out or not being received by the correct recipient. Queue Viewer The Queue Viewer is a graphical tool that allows you to see the number of messages being sent by the server and that are queued up to do so. In some cases with SBS, many users will attempt to send messages from their outboxes that get stuck. If the messages have made it to the server, you’ll be able to see the outbound messages here and determine whether they are in the queue, have been attempted to be sent, and when the machine will try again. Normally, you use the Queue Viewer to determine whether the problem with mail flow is on the client or the server. If it’s on the client, you wouldn’t see a queue. If it’s on the server, you’d see either a high total queue count or several messages with retry attempts. Routing Log Viewer The Routing Log Viewer is a detailed custom program designed to let you open the custom logs that Exchange keeps for the inbound and outbound email it processes and to see, in detail, the processes applied to each of your messages. The Routing Log Viewer has four tabs, shown in Figure 10.5, each of which can show you the details involved with their respective tab names:
259
260
CHAPTER 10 CONFIGURING EXCHANGE SERVER 2007 FOR SMALL BUSINESS
Active Directory Sites & Routing Groups routed
Where the objects are and how they’re being
Servers The servers used in your environment Send Connectors Address Spaces
The outbound send connectors used to send email The SMTP connectors established at some point in your infrastructure
Figure 10.5 Router Log Viewer
Performance This section of the Toolbox is designed to help you figure out whether there are any bottlenecks with your messaging system, as well as see the amount of dedicated hardware the Exchange Server is utilizing while it performs its daily tasks. The tools here include the Performance Monitor and the Performance Troubleshooter. Performance Monitor The Performance Monitor is dedicated to evaluating your Exchange Server’s hardware utilization. It’s graphical in nature and very intuitive. As you can see from Figure 10.6, the Performance Monitor is a line graph with check boxes on the bottom. These boxes allow to see your CPU utilization, disk writes, and other important information. Using the Performance Monitor, you can evaluate your messages sent over time and the amount of hardware it takes to send them. If your machine is running slow, you can see where the bottleneck is and where to replace it. Performance Troubleshooter A form-based tool, the Performance Troubleshooter is designed to analyze where a performance problem might be based on your performance logs and advise you how to correct it. To utilize this tool, you only have to open the tool from the Toolbox and answer a few questions.
THE EXCHANGE MANAGEMENT CONSOLE
Figure 10.6 The Performance Monitor
Adding an Exchange Administrator with the EMC You can use the EMC to change permissions on accounts to allow users to view, modify, or administer mailboxes, as well as perform many other Exchange tasks. As an example, let’s create an Exchange administrator that will be able to modify accounts in Exchange Server.
1. Open the Exchange Management Console by typing Exchange Management Console in the Windows Start bar.
2. Expand Organizational Configuration. 3. Select the Exchange Administrators tab. 4. Click Add Exchange Administrator in the Actions pane. This will open the Add Exchange Administrator Wizard. There will be five radio buttons: ◆
Exchange Organization Administrator Role
◆
Exchange Public Folder Administrator Role
◆
Exchange Recipient Administrator Role
◆
Exchange View-Only Administrator Role
◆
Exchange Server Administrator Role
5. Leave the default selection (Exchange Organization Administrator Role), and click Browse. 6. Choose either an AD account or a mailbox type to become an administrator. Note that you can also choose groups. This is perfectly acceptable, but you should keep the group nesting cautionary tales in mind — sometimes you can make big mistakes!
261
262
CHAPTER 10 CONFIGURING EXCHANGE SERVER 2007 FOR SMALL BUSINESS
7. Click Add. The EMC should go through a process with a countdown timer that will only take a second if you selected one user account, and possibly a few more if you chose several. In some large organizations, it can take hours to add numerous accounts. The Exchange administrator will show up with its complete LDAP name. Note that this will, of course, show the OU that the user is contained within. Keep in mind that sometimes this can be a little difficult to find, because it doesn’t show the user’s name; it shows the complete extension. Thus, if you’re adding an administrator, you shouldn’t add one that you may take away in the future, because they’re a little hard to find.
Mailbox Tasks with the EMC Using the EMC, you can do a whole lot with the three different mailbox areas in your Organizational Configuration, Server Configuration, and Recipient Configuration areas. I’ll cover this in the next few sections so you can be familiar with how to administer the rest of your Exchange Server environment.
_Organizational Configuration Mailbox Under the Organizational Configuration section’s Mailbox area, you can conduct five common tasks that I’ll summarize here briefly. You can implement each of these by firing up the EMC and going through the very intuitive GUIs associated with each object: Create a new address list Address lists in the EMC are predefined lists of email addresses that will be published to your Exchange Server based on your administrative desires. For example, you may have a support department that you want all employees to have access to. Thus, you can add the email addresses to the address list and publish the list to the Exchange Server. Create a new managed default folder You can create default folders to appear in Exchange users’ mailboxes. An example of something like that would be a conversation history folder that appears by default for your whole organization. Create a new managed custom folder Custom folders in the EMC allow administrators to define folders that have custom content contained within them. Additionally, you can place comments on these messages or allow only certain types of emails to go in them. Create a new managed folder mailbox A managed folder mailbox policy is sort of like a group. It collects a bunch of other managed folders and places them within one linked area. This allows you to add multiple folders at the same time. Create a new offline address book Offline address books are published to users whether or not they are online. This is very useful in the case of contacts that always need to be reached, even if by phone. Through the EMC, you can publish offline contacts to make sure your users always have access to the people they need to be able to access.
_Server Configuration Mailbox The second area where you can affect mailboxes is Server Configuration. Here, you can create, delete, and manage your storage groups. You can think of a storage group as a collection of stores, which is really just a collection of mailboxes. Mailboxes go into stores, and stores go into
THE EXCHANGE MANAGEMENT CONSOLE
storage groups. Additionally, storage groups can contain public folders. You can put just about anything involving Exchange Server into a storage group in one way or another. However, you don’t want to make a storage group unless you have to because they use a lot of memory and can cause problems if you have too many. Some versions of Windows only support four, for example. Stores, however, are pretty useful. You can use additional stores for different sets of users. Scott Lowe’s article in Tech Republic on June 28, 2006, used this example: ‘‘You may have one set of users for which you want to limit their total mailbox size. For other users, you may want to provide an unlimited mailbox size. One easy way to accomplish this is to use separate mailbox stores and place each user’s mailbox into the appropriate store.’’ A big advantage of SBS 2008 vs. SBS 2003 is that information stores now have no size limitation. SBS 2003 was limited to 18GB, which meant you frequently ran into annoying issues. Thankfully, that has changed, although it is worth noting that SBS 2008 does have a default 250GB limit on its stores. You can change that, but you really shouldn’t. If your stores on your server get really large, you can run into issues where you can’t defragment these files very well, and if they get corrupt, you lose just about everything, instead of just one or two stores.
_Recipient Configuration Mailbox The last area where you can modify mailboxes is Recipient Configuration. Here, you can adjust user mailboxes, assign them permissions to other mailboxes, and create new mailboxes. You can actually create four different mailbox types: User mailbox A user-owned mailbox that sends and receives messages Room mailbox A scheduling mailbox not used by an owner; associated with resources Equipment mailbox A mailbox used for equipment scheduling and not used by a user; user accounts associated with it will be disabled Linked mailbox
A mailbox that links to a mailbox by a separate, trusted forest
Client Access Tasks with the EMC The Client Access portion of the EMC is found within two areas: Organizational Configuration and Server Configuration. The Client Access section of the EMC can manage the following: ◆
Outlook Web Access
◆
Exchange ActiveSync
◆
Offline address book distribution
◆
POP/IMAP4
You can adjust your client access ActiveSync mailboxes policies in the Organization Configuration section; the remainder of these items are under Server Configuration. In Exchange Server 2007, Client Access is a separate role because of the heavy burden that clients can place upon a server. With SBS, this role is forced to consolidate to a small server, but with larger implementations of Exchange, it makes sense to dedicate a server just to Client Access so the remaining portions of Exchange aren’t burdened with having to send emails back and forth and then send them out to the user in some manner. With the EMC, you can select the client access portion of the server and then see the corresponding selections based on the server you pick in the view pane. (In the case of SBS, there’s
263
264
CHAPTER 10 CONFIGURING EXCHANGE SERVER 2007 FOR SMALL BUSINESS
only one.) Through this pane, you can right-click and examine the properties of any object. As an example, I opened up the properties of Outlook Web Access. Here, I can see the internal and external address of my server. If I wanted, I could change this to an external URL so that I could always access my Outlook mail at https://intellicorp.com/exchange, for example.
Unified Messaging with the EMC The Unified Messaging portion of Exchange Server, like the Client Access portion, is accessed only via the Organizational Configuration and Server Configuration areas. This portion of Exchange Server is involved with setting up voice mail, phone systems, and VoIP in a Windows environment. Although I’d really like to get into the process of what it takes to set up unified messaging with SBS, it’s beyond the scope of most small businesses. Unified messaging requires a lot of extra portions of Microsoft enterprise-level software that don’t come with SBS 2008 (which means extra costs). Accordingly, most small businesses aren’t going to use it. Another thing to keep in mind is that Small Business Server, by default, uses a ton of memory. Unified messaging, on top of all the other functions that Exchange does, can use even more. And there reaches a certain limit that the ‘‘old-school’’ business practices of one server not being able to do every possible task in the organization tend to keeps ringing in the head of most administrators. They keep thinking, ‘‘If I add too much to one server, it’s going to explode!’’ When, now, that’s not really the case. And thankfully, that mind-set is quickly fading — if not completely gone already with the advent of virtualization.
Adding a Mailbox Database and Setting Up Journaling Just for fun, let’s say you wanted to set up journaling on a particular user and you wanted that user to be contained within his or her own dedicated mail store (mailbox database). Let’s do that now:
1. Open the EMC by typing Exchange Management Console in the Windows Start bar. 2. Expand Server Configuration, and select Mailbox. 3. Select your server. 4. Expand the first storage group. 5. Right-click the first storage group, and select New Mailbox Database. This will open the screen shown here.
6. Name the database journaling, and click New. 7. The server will think for a bit, test the mounted server, and say that it has completed or throw an error with possible reasons. Click Finish.
8. On the Database Management tab, right-click Journaling, and select Properties. 9. Select the Journal Recipient box, and click the Browse button next to it. 10. Select the mailbox where you would like to journal, and then click OK. 11. Click Apply and then OK. From now on, journaling messages will be sent to that mailbox.
THE EXCHANGE MANAGEMENT SHELL
The Exchange Management Shell Another powerful feature that comes with Exchange Server in SBS 2008 is the Exchange Management Shell (EMS). With Small Business Server, you can use this tool to execute commands and scripts to modify portions of Exchange Server through a command interface. The EMS is a Visual Basic–enabled .NET application that allows you to interact with all Exchange Server objects and issue commands on them.
EMS Features According to Microsoft, the key features of the EMS are as follows: Command-line interface The EMS offers the ability to issue multiple commands through a command-line interface that allows more robust application of complicated commands affecting multiple user groups, mail stores, or other Exchange objects. Piping of data between commands Piping in the EMS allows you to input a command, receive output from that command, and use that output as the input for another command. A layman’s example of how this works would be something like this: ‘‘Tell me the number of ducks in a row, and then use that number to pay the farmer in increments of $100.’’ If there were four ducks, our command would count the number of ducks, receive the number four, and then give the farmer $400. Structured data support This one is best explained by Microsoft. It defines structured data support as the ability to use ‘‘output from the commands’’ that ‘‘can be acted on and processed
265
266
CHAPTER 10 CONFIGURING EXCHANGE SERVER 2007 FOR SMALL BUSINESS
by other commands by using little or no manipulation. Commands in a particular feature set accept output from other commands in that same feature set, without manipulation.’’ Extensive support for scripting With the EMC, you can script just about anything involving Exchange. Want to add a thousand email addresses to one user account? No problem. Just write a script! Visual Basic with .NET is the most readily accepted standard. Safe scripting Safe scripting allows you to execute a script and see that it does exactly what you want. This is helpful if you’re executing a script that could cause a lot of harm to your environment. Access cmd.exe commands from the EMS.
You can now use command prompt commands like ipconfig
Trusted scripts Microsoft designed trusted scripts with security in mind. Trusted scripts are used to improve security. ‘‘The Exchange Management Shell requires that all scripts are digitally signed before they are allowed to run. This requirement prevents malicious parties from inserting a harmful script in the Exchange Management Shell. Only scripts that you specifically trust are allowed to run. This precaution helps protect you and your organization.’’ Profile customization Based on your own profile, you can adjust the way the EMS appears. This is kind of handy if you have a particular configuration you’d like to use. Extensible shell support According to Microsoft, ‘‘The Exchange Management Shell uses XML to let you modify many aspects of its behavior. Developers can create new commands to integrate with the built-in Exchange Management Shell commands. This extensibility gives you more control over your Exchange 2007 organization and helps you streamline business processes.’’
EMS Commands The full range of available EMS commands is quite extensive. In fact, since the EMS takes advantage of PowerShell, the range of commands could quite easily encompass an entire book. In fact, getting a PowerShell book is probably a really good investment, because with the advent of the EMS, several of the main tools used to modify Exchange Server in the past are no longer in the GUI and must instead be done through PowerShell. However, there are two main tasks that you’ll do quite often with SBS — modify permissions and retrieve mailbox information/set quotas.
Adding an Account or Modifying Permissions Let’s take a look at how easy it is to use the EMS to do what you just did earlier in the EMC — create an Exchange account administrator. Let’s do it again with the EMS. This time, just fire up the EMS by typing Exchange Management Shell in the Start bar, and then enter the following line: Add-ExchangeAdministrator -Role OrgAdmin -Identity intellicorp\steve
This does the same thing as the steps you performed in the EMC, with the elegance of just a single command! Most administrators use commands like this in lieu of using the GUI, which
THE EXCHANGE MANAGEMENT SHELL
can take a lot of time to navigate. The downside, of course, is that you have to get used to using PowerShell, which can have a learning curve.
Using EMS and PowerShell More often than not, you may have a few users who end up with really big Exchange mailboxes. You may decide to set quotas for them, which is pretty easy. You can also even list the Exchange Server 2007roles. Here are a few PowerShell examples of how you would do that.
Retrieving a Mailbox Retrieving a mailbox will allow you to see a user’s mailbox and the data involved with it. Use the following command: get-Mailbox Domain\User
replacing Domain and User with the correct names. Here’s an example: get-Mailbox intellicorp\steve
Setting a Quota With this command, you can set quotas on various parts of a user’s mailbox. Use the following command: get-Mailbox "Domain\User" | set-Mailbox -ProhibitSendQuota 100MB
Listing Roles in Exchange Server 2007 You can display the roles of your Exchange Server to show what it holds. This is often more useful in larger environments, but it can help you debug your SBS server if you have a mail flow problem. Use the following command: get-ExchangeServer
This will display all your Exchange Server data; for example, check out Figure 10.7. The figure shows just a simple example of powering up PowerShell with Exchange and running a simple command. If you’re interested in learning more about PowerShell, you can read about it in several books dedicated to PowerShell. Upon mastering it, you can display the contents of the previous command more clearly, run scripts to display only portions that you want to see, and generally become a much more versatile administrator without the need to learn a drastic deal more about your server. PowerShell takes advantage of VBScript, the language that runs its scripting. Mastery of Exchange Server doesn’t necessarily require knowledge of VBScript, but it certainly separates you from the pack.
267
268
CHAPTER 10 CONFIGURING EXCHANGE SERVER 2007 FOR SMALL BUSINESS
Figure 10.7 Exchange shell command output
The Bottom Line Understand the components of Exchange Server To properly administer Exchange Server for a small business, you need to know what controls Exchange Server and how to use it. With Exchange Server, you can control an entire messaging architecture that is rather complex. Master It One of the components of the Exchange Server infrastructure is PowerShell. How can you use PowerShell to set a quota of 100MB on a mailbox? Understand Exchange Server roles To properly administer Exchange Server for a small business, Exchange Server 2007 has implemented new roles and functions. These five roles are Client Access, Hub Transport, Mailbox, Unified Messaging, and Edge Transport. Before Exchange Server 2007, these roles either did not exist or were named differently. Master It Create or draw a picture that illustrates what the server placement would look like for a company using the full version of Exchange Server 2007 in a LAN environment, with each server holding a role. Show where each server would be placed in reference to the firewall.
Chapter 11
Managing Clients, Troubleshooting, and Recovering from Disaster with Exchange for SBS In the previous chapter, I focused on the components of Exchange Server 2007, how they differ from Exchange Server 2003, and what you need to know about them to effectively manage your small-business infrastructure. Both an advantage and a disadvantage of SBS 2008 is the incredible set of tools and features it has access to that are available through enterprise-level licensing agreements. Accordingly, this means that not only will you have to understand a lot about the Windows infrastructure to properly manage your SBS server, but you’ll also need to know a lot about the Exchange Server infrastructure and how the components are accessed by your clients, along with what you should do if things go wrong. This chapter will focus on accessing Exchange Server through various clients, as well as how to troubleshoot mailflow problems. I’ll also spend a couple sections describing how you can back up Exchange Server and recover from disaster if it strikes your organization. So, the chapter will effectively be broken down into two parts — how to access Exchange Server and how to handle it when something goes wrong. In this chapter, you will learn to ◆ Set up Exchange Server clients ◆ Diagnose mailflow issues ◆ Back up Exchange Server 2007
Exchange Server Clients Exchange Server, like any other mail server, is not necessarily picky about the types of client software programs that access it, but it is picky about how clients access it. If you think about the way email is accessed throughout the entire world — whether it’s through Exchange Server, POP/SMTP, or any of the other mailing systems — it’s all based around the idea of protocols. If you request information in a certain method, the server will respond with the requested information based on that protocol.
270
CHAPTER 11 MANAGING CLIENTS, TROUBLESHOOTING, AND RECOVERING FROM DISASTER WITH EXCHANGE FOR SBS
Here are some of the many choices of email clients you can use to access email: ◆
Outlook 2000/2003/2007
◆
Barca
◆
Calypso
◆
Entourage
◆
Eudora
◆
Lotus Notes
◆
Mozilla Thunderbird
◆
Pegasus
◆
Pine
◆
The Bat
Some support direct connections with Exchange Server and some don’t, but nearly all of them support standard POP/SMTP connections to retrieve email, which is supported by Exchange Server. Typically, clients connecting to a small-business server are using either Microsoft Outlook, Entourage for the Macintosh, or a popular alternate like Mozilla Thunderbird.
Outlook 2007 Microsoft Small Business Server 2008 ships with client licenses for Microsoft Outlook 2007 for your clients, because it is the preferred client for SBS 2008. Outlook is a messaging tool that can be used to send email and handle contacts, tasks, voice mails, and other communication formats from a client to a server. In and of itself, Outlook can do nothing. It’s only when it’s attached to a server that it will actually become a functioning tool. Part of your responsibility as an SBS administrator is to know how to set up Outlook 2007 for your clients. You can do this in many ways, including using security and mail services other than Exchange Server.
Entourage Entourage is the Macintosh alternative for Microsoft Outlook. It is similar to Outlook in its procedures and protocols, but it is available only on Macs. Usually users with Entourage are graphic designers or users who, for whatever reason, need access to a Macintosh computer.
Alternatives Other than the Microsoft-supported mail clients, users can choose to use any of the competing mail browsers. However, Microsoft does not support or recommend using third-party products — so, in short, you can use these types of products, but if something breaks, you’re on your own. Or, you can always contact the vendor that produced the third-party software (assuming it’s available) and see what happens. I haven’t heard of a lot of people having success with this, however.
EXTERNAL ACCESS TO EMAIL
A Multiplatform Environment During my consulting days in IT support, I often worked for businesses that ran multiplatform operations to either cut costs or support specific programs that were available only on certain platforms. One example was a small business with five employees. Two of these employees used Windows XP workstations, one used Ubuntu Linux, and two used Macintosh. It was almost stereotypical in that the two XP users were businesspeople in marketing and accounting, the Linux user was a programmer, and the Macintosh user was the graphic designer. The president of the company, who used Vista, wanted an email solution that conveyed to the rest of the world that his company was legitimate, in that they had their own domain name, but he didn’t care at all about logging employee traffic, chronicling email, or setting up any type of journaling archive. Instead, he just wanted to make sure that email was sent and delivered. So, I set up a Small Business Server environment that had IMAP enabled. This allowed the three Outlook-based workstations (two XP, one Vista) to connect to the server, and it also allowed the Linux and Macintosh clients, which were both technically Unix machines, to connect to the email server with ease and retrieve email that would be stored on the server but still accessible to the client through a copy — even if they accessed it through IMAP. When implementing email solutions for a small business, you have to keep in mind that many of them just don’t need the massive amount of archiving and extra storage or transport rules associated with a large business. All you’ll really need to do is set up a simple email solution that follows the KISS rule: keep it simple, stupid! If a client asks you to make it easy for their clients to access the server and doesn’t want anything fancy, just give them what they want. It will make both of you happy.
External Access to Email More than just having an Exchange Server enabled only for your network and the users directly attached to it, modern workers need to be able to access their email through their favorite web client from just about anywhere. And with laptops becoming more and more ubiquitous in small, medium, and large businesses, the inability for users to access their email from locations other than their office has become simply intolerable. With SBS 2008, users are provided with two easy and effective means to access their email remotely: Outlook Anywhere and Outlook Web Access. The following sections discuss what each is and how to enable them.
Outlook Anywhere Outlook clients use Remote Procedure Call (RPC) to connect to a server and retrieve email. The upside to this is that RPC works very well, and when it’s connected to a LAN, it has very few problems. The downside is that RPC doesn’t support transmission over a wide area network for several reasons. First, it’s insecure, and second, the protocol sends a lot of data that can become jumbled fairly easily. This made RPC very impractical for remote users until Microsoft came up with a very elegant solution.
271
272
CHAPTER 11 MANAGING CLIENTS, TROUBLESHOOTING, AND RECOVERING FROM DISASTER WITH EXCHANGE FOR SBS
The solution Microsoft came up with was to use the Hypertext Transfer Protocol (HTTP), a protocol that basically helped defined the Internet as we know it today. This allowed the following: ◆
Remote access to Exchange Server from the Internet via HTTP
◆
Full integration with Outlook Web Access (discussed in the next section)
◆
Secure Sockets Layer (SSL) incorporation for HTTPS
◆
Security from unauthenticated users
◆
Incorporation with known certificate authorities
◆
Elimination of the requirement for virtual private networks (VPNs)
All in all, the feature set that it allows is very impressive. In particular, the ability to use HTTP with SSL (HTTPS) is particularly brilliant in that it allows you to authenticate to the correct server without the possibility of its identity being compromised. Another key feature is that with RPC over HTTP, you do not have to use a virtual private network. This is very important, because before RPC over HTTP, any user authenticating from anywhere across the globe had to set up a VPN connection, which was taxing on your server, firewall/router, and Internet connection. Now, it’s processed just like web traffic.
Setting Up RPC over HTTP This section explains how to set up RPC over HTTP using SBS 2008. You can complete this exercise without a certificate, but if you are going to use this server in a live business environment, it’s highly suggested that you purchase one. This will help eliminate the possibility of your users connecting to a spoofed email server. To install the RPC over HTTP Windows Networking component in Windows Server 2008, do the following:
1. Open Server Manager. 2. Select Features on the left. 3. Check to see whether the RPC Over HTTP Proxy feature is installed. It should be by default. If not, in the right pane, click Add Features.
4. Select the RPC Over HTTP Proxy check box. 5. If the Add Role Services Required For HTTP Proxy dialog box appears, click Add Required Role Services.
6. Click Next twice. 7. On the Select Role Services page, click Next. 8. On the Confirm Installation Selections page, click Install. 9. When the features are installed, click Close. To use the Exchange Management Console to enable Outlook Anywhere, follow these steps:
1. In the console tree, expand Server Configuration, and then click Client Access.
EXTERNAL ACCESS TO EMAIL
2. In the action pane, click Enable Outlook Anywhere. 3. In the Enable Outlook Anywhere Wizard, type the external hostname for your organization in the External Host Name box. I will use intellicorp.com.
4. Select an available external authentication method. You can select Basic authentication or NTLM authentication.
5. Select the Allow Secure Channel (SSL) Offloading check box, if you want to do SSL offloading. 6. Click Next. 7. Click Finish at the summary screen.
Outlook Web Access The next form of external access available to businesses utilizing Exchange Server for Small Business Server 2008 is Outlook Web Access (OWA). OWA provides direct web integration with the Exchange Server mail store through the Client Access server. It allows a user to manage email over the Web as if they were directly attached to the mail store through an Outlook client. You enable OWA through the Exchange Management Console, under Server Configuration. Since it comes enabled by default with Small Business Server, you should know how to do two things: ◆
Turn it off if it proposes a security risk.
◆
Change the URL for easier user access.
Turning Off OWA More often than not, organizations concerned with the possibility of email exposure to the public have begun turning off Outlook Web Access. Follow these steps:
1. Open the Exchange Management Console by typing Exchange Management Console in the Start menu.
2. Select Client Access under Server Configuration. 3. Select the Outlook Web Access tab. 4. Right-click owa (SBS Web Applications), and select Properties. 5. Ensure the external URL is blank. 6. Open IIS by selecting Administrative Tools IIS Manager. 7. Select Application Pools underneath your server. 8. Stop the MSExchangeOWAAppPool pool by selecting it and then hitting the Stop button in the action pane. This will stop the OWA pool and not interfere with the other aspects of IIS or Exchange Server. Note that this will just stop the application; it will not necessarily stop the web pool. Should you want to start the application again in the future, you can easily navigate to the application pool and then start the application.
273
274
CHAPTER 11 MANAGING CLIENTS, TROUBLESHOOTING, AND RECOVERING FROM DISASTER WITH EXCHANGE FOR SBS
Changing the OWA Access Address The default yoursite.com/owa is sometimes a little inconvenient to type, and if you’re a company that doesn’t require a web presence, you might want to change it to something as simple as yoursite.com. You can do this by following these steps:
1. Start IIS Manager by accessing it through Administrative Tools. 2. Right-click Default Web Site, and choose Properties. 3. Click the Home Directory tab. 4. Change the first option to A Redirection To A URL. 5. Enter /owa in the box. 6. Change the entry below to A Directory Below URL Entered. 7. Click Apply and then OK. This simple method redirects the traffic from the default /owa to the option you’d like. This is a simple, easy, and elegant way to redirect your traffic.
ActiveSync Exchange ActiveSync is a low-bandwidth synchronization platform designed to work with any size network. The ActiveSync protocol was originally based on XML and HTTP to provide a connection-oriented system that could transmit forms through XML while using HTTP to transmit across a network of any speed range. Through ActiveSync, mobile devices can access email, calendars, contacts, and tasks. However, ActiveSync will not synchronize Outlook notes, which is a little bit of a downside but not a deal breaker. That’s really the only feature out of many that doesn’t work. Whenever the Client Access server role with Exchange Server is installed, ActiveSync is automatically installed as well on the Exchange Server. Since you’re dealing with SBS and the Client Access server role will always be installed, it’s a fair statement to say that ActiveSync will always be installed, and accordingly you will need to know how to set it up, as well as what it can do.
New Features in ActiveSync for Exchange Server 2007 The official list of Microsoft features, available at: http://technet.microsoft.com/en-us/ library/aa998357.aspx, is: ◆
Support for HTML messages
◆
Support for follow-up flags
◆
Support for fast message retrieval
◆
Meeting attendee information
◆
Enhanced Exchange search
◆
Windows SharePoint Services and UNC document access
ACTIVESYNC
◆
PIN reset
◆
Enhanced device security through password policies
◆
Autodiscover for over-the-air provisioning
◆
Support for Out of Office configuration
◆
Support for tasks synchronization
◆
DirectPush
Using ActiveSync Since ActiveSync is enabled by default, using it is fairly easy. ActiveSync uses the Autodiscover protocol to detect devices, assuming the device supports it. Autodiscover works a lot like the Dynamic Host Configuration Protocol (DHCP) in that it’s relatively transparent to the end user. A user plugs in a device, and it automatically works. Assuming the device uses Windows Mobile, it should just work. Other devices, like Palms and iPhones, can sometimes experience conflict errors, but most vendors that work with ActiveSync post troubleshooting and diagnostic guides for their devices.
ActiveSync Security Exchange ActiveSync uses SSL to communicate between mobile devices and your Exchange Server in Small Business Server 2008. This is done so that data transmitted back and forth between mobile devices and the Exchange Server is authenticated and secured. Once authenticated, the certificate is stored into the device’s memory. ActiveSync also supports RSA SecurID two-factor authentication for the particularly security-conscious administrator. As part of the public key infrastructure (though the Windows Small Business Server 2008 PKI is pretty darn easy), you can authenticate a device to know that it’s dealing with a trusted authority through Exchange Server. This is particularly useful for large organizations, but for the extra-paranoid SBS administrator, this is available for kicks. You can enable this in the console. Additionally, you can also set the security features defined by Microsoft in the earlier referenced ActiveSync article: Remote wipe If a device is ever lost or stolen, you can issue a command to immediately purge the device of all data, adding an extra layer of security in case you have an employee who, when terminated, could turn malicious. Password policies Exchange Server 2007 allows a lot of different password options. Some of these include the following: Minimum password length (characters) The default length for ActiveSync passwords is four, but it can go up to eighteen characters. Require alphanumeric password both numbers and letters. Inactivity time (seconds) ically locks.
This allows you to include a password that requires
This set how long the device can stay inactive before it automat-
Wipe device after failed (attempts) Deletes the device after a certain number of attempts at logging in. This is very useful for PDAs that may contain sensitive data.
275
276
CHAPTER 11 MANAGING CLIENTS, TROUBLESHOOTING, AND RECOVERING FROM DISASTER WITH EXCHANGE FOR SBS
Database Structure and Recovery I’ve already gone over how devastating a disaster can really be on at least three different occasions in this book, so I’ll spare you the lecture. In this section, I will go into how to back up your Exchange Server data separately and restore it in case the worst happens. More than one small-business administrator has been stuck in a situation where they had properly backed up their server but hadn’t considered their email as a completely separate entity and therefore lost data. Those of us who use servers to do business on a daily basis know how much of a pain it can be to lose something like that, and thus we back up accordingly. I’ll start by spending some time talking about the design of the Exchange database and how it’s recovered. The Exchange database is the most important part of your information system, and you need to know what to do in case it fails with SBS 2008.
File Structure of the Exchange Store The main component of any disaster recovery is the Exchange store and the mail contained within. Without the Exchange store, even if every other aspect of your Exchange Server infrastructure were up and running, you really couldn’t do much without the actual emails themselves, which are stored in your email store. This is why the most important part of any Exchange Server restore is the Exchange store. The Exchange store in Small Business Server is broken into a specialized set of data files, including Exchange database (.edb) files, transaction logging (.log) files, and checkpoint (.chk) files. These files, for the most part, sit back and collect data with zero user interaction. Together, these files form a storage group that contains the data for your Exchange Server to do business. Let’s go over what each of these files do, one at a time.
Database Files Exchange database (.edb) files are the repository for mailbox data. They are accessed by the Extensible Storage Engine (a .dll that allows the application to store records and create indexes) directly and have a B-tree structure (a computer science binary search tree that allows for quick data insertion) that is designed for quick access. When running properly, the system can access data in as little as four I/O cycles.
Log Files Before any other file operations are done, when Exchange Server handles any messages, it records these changes to a log file with the (.log) file format. This is done so that, no matter what Exchange Server tries to do, it records a log of what occurred so a user can look through it. For the especially ambitious administrator, the Exchange Server logs can provide a wealth of information. However, over time, the Exchange Server logs can expand greatly in size. Thus, it’s a good idea to occasionally delete or replace these with fresh files. You can remove these logs by stopping a storage group in a clean state and then verifying the state in the logs by what is currently being accessed. Then, you can remove the log files if they are no longer in use.
Checkpoint Files Similar to log files, checkpoint (.cdk) files in Exchange Server indicate whenever a database transaction has successfully taken place, rather than when one is just attempted. In combination
DATABASE STRUCTURE AND RECOVERY
with log files, checkpoint files can help restore a database based on transaction logs of what was attempted vs. what was actually recorded to the database.
Exchange Server Transaction Logging Because Exchange Server 2007 manages so much data, the process of logging has become quite important, and therefore it has become very streamlined. Because there is so much data, Exchange Server breaks log files down into individual 1MB files (1024KB) that are sequentially numbered in an incremental fashion (for example, Enn00000001.log, Enn00000002.log, Enn00000003.log, and so on). The nn number in the naming convention is a prefix that’s appended to each of the log files. Just like the trailing number, it increments by one for each new file. For example, an extraordinarily large email server may have an E23099991.log file, which would represent the 23rd prefixed group of files, file number 99991. But there’s just one trick — the files are numbered in hexadecimal. This means that, instead base 10 numbers like you’re used to (0 through 10), the hexadecimal system runs from 0 through F. So, eventually, instead of going from . . . 009 to . . . 10, the file number would flip to . . . 00A. If you’re interested, you can learn to count in hexadecimal by reading any entry-level mathematics book, or you could also just follow Microsoft recommendation: You can convert log file sequence numbers to their decimal values by using the Windows Calculator (Calc.exe) application in Scientific mode. To do this, run Calc.exe, and then, from the View menu, click Scientific. Source: Microsoft TechNet But, just in case you don’t want to go through all that effort, you can refer to Table 11.1, which lists the basic sequence of hexadecimal numbers. As you can see, the file structure is designed to be so large that a database of practically any size could be logged. I don’t have the number in base 10 offhand, but can you imagine how bit EFFFFFFFFFF.log must be? That’s why you use checkpoint files to sort of stream together these log files. Viewing a specific log file is pretty easy. All you have to do is use the Exchange Server Database Utilities (eseutil.exe). The information regarding the decimal number of the log is contained there, along with the log information. If you want to see the header information, however, you’ll need to use the /ml switch with the eseutil command. On TechNet, Microsoft cautions the following: You cannot view the header of a database while it is mounted. You also cannot view the header of the current log file (Enn.log) while any database in the storage group is mounted. Exchange holds the current log file open as long as one database is using it. You can, however, view the checkpoint file header while databases are mounted. Exchange updates the checkpoint file every thirty seconds, and its header is viewable except during the moment when an update is occurring. Source: Microsoft TechNet It’s therefore vital that you understand the Exchange Server header files, because with these files alone, you can determine the order in which the Exchange Server data should be placed and what you’ll need to do in order to properly recover from disaster, because not everything may be required.
277
278
CHAPTER 11 MANAGING CLIENTS, TROUBLESHOOTING, AND RECOVERING FROM DISASTER WITH EXCHANGE FOR SBS
Table 11.1: Base 10
Converting Base 10 to Base 16 Base 16
0
0
1
1
2
2
3
3
4
4
5
5
6
6
7
7
8
8
9
9
10
A
11
B
12
C
13
D
14
E
15
F
Take a look at the following header file: Initiating FILE DUMP mode... Base name: e00 Log file: e00000005BF.log lGeneration: 1471 (0x5BF) Checkpoint: (0x2C66,8,0) creation time: 09/12/2009 18:54:06 prev gen time: 09/12/2009 18:54:04
This log file indicates that it starts at the base e00, which means that it doesn’t have a sequence to come after. Instead, the log file will begin at e00 and start its log name as e00.log. The lGeneration information then indicates how much the log file is filled and where it ends. The number 11 corresponds to the 5BF in the (0x5BF) address. This means that, since the log file goes from e00 to e0B, the log file’s name will be E000000005BF.log.
DATABASE STRUCTURE AND RECOVERY
The Checkpoint information indicates where the checkpoint file is located and how far apart the log is from that checkpoint. In my work as an administrator, I’ve never seen anyone use this, so I’m not going to discuss it. However, if you’re really into studying logs, you can look it up on Microsoft’s website. However, what you should know is that even if the checkpoint file is completely and utterly destroyed, life isn’t over. Exchange Server can scan the log files and begin with the oldest file available. This normally just takes longer, because it has to access the old database. On a normal log file, it takes only a couple seconds to scan whether it’s already been applied to the database. If not, it can take a few minutes, so it’s not the end of the world at the small-business level. It only starts to become a nightmare when the databases get tremendous, like they do in large enterprises. To delete log files, the Exchange database needs to be in a ‘‘clean shutdown’’ position, which means that Exchange Server needs to be shut down in the proper manner. You can see whether this has occurred by using the eseutil /mh command to examine the file headers. This doesn’t cause any harm, except that your ability to restore older backups has probably been compromised because the earlier log files aren’t available. Please note that, in general, you shouldn’t delete Exchange Server logs unless you have to do so. Every log that you delete could potentially be a log that you desperately need in case of a disaster. It’s never fun to be in a situation where you have to say ‘‘Logs? Logs!?’’ And beyond that, note that you need to shut down your database in a clean state. If you don’t, you’ll need to have every database log from the checkpoint forward before you can mount it. And if you don’t have them, you have to launch the eseutil command and repair the database.
Circular Logging It’s not a recommended practice, but you can configure Exchange Server 2007 to save space by using circular logging. Circular logging enables the Exchange Server to reach a certain point of log file extension and then circle back to the beginning of where it initiated the logs and record over the data it’s already processed. On the rarest of circumstances, if you have an organization that has very little space on the system drive that is running Exchange Server, you can enable circular logging to save a great deal of disk space. However, you will never be able to recover from any data that you write over. Thus, it’s generally not a good idea, unless you accompany your circular logging with another form of backup — or generally don’t care as much about the backup that you’re doing. To enable (or disable) circular logging, follow these steps:
1. Start the Exchange Management Console. 2. Expand Server Configuration, and then select Mailbox. 3. Right-click the storage group you desire, and then click Properties. 4. Select (or clear) Enable Circular Logging. 5. Click OK. On more than one occasion, I’ve worked for an organization running SBS that decided to install SBS 2008 on the system drive, which places Exchange Server there by default. And in some of those occasions, the system drive was too small to support the installation of both Small Business Server and Exchange Server 2007. Thus, after a short period of time, mailflow
279
280
CHAPTER 11 MANAGING CLIENTS, TROUBLESHOOTING, AND RECOVERING FROM DISASTER WITH EXCHANGE FOR SBS
ceased because the system drive had become bogged down with logs. If you’re ever in a situation where a customer is operating with a single volume, make sure to check the size of the Exchange Server logs. If they’re too large, try to purge as many as you can afford to without compromising Exchange Server.
Continuous Replication and Continuous Replication Circular Logging The type of logging you implement is completely up to you, depending on exactly how you would like to view your logs. Exchange Server 2007 (which you use in SBS 2008) supports two types of continuous logging: continuous replication and continuous replication with circular logging. (The ‘‘with’’ is not technically part of the name; it just helps with the ease of explanation.) Continuous replication circular logging is run by the Exchange Server replication servers. Effectively, it runs by not creating an addition file, but it writes on top of the old file. This has some upsides, because it keeps logging to a minimum, but it doesn’t allow you to keep as much data, because the logs are constantly overridden. Most administrators either use this to save space or use it when they need to do a giant operation on a server, such as moving mailboxes or migrating from one server to another. This way, they don’t have to worry about mailbox logs growing and causing replication nightmares.
Backing Up Exchange Server Completely Just like nearly every other aspect of SBS 2008, Exchange Server can be backed up with the SBS console both with the traditional backup method and in a special manner in addition to the standard system backup. Note, however, that only one backup of Exchange Server is needed. Since SBS 2008 has simplified the process of backing up Windows so much, thankfully you don’t have to worry about the mess that the full-blown versions of Exchange Server 2007 have to deal with. That is, in the full version, Exchange Server 2007 is not incorporated with Windows Backup. In the old days, you could use NTBACKUP to copy your system store and go on with your merry life, content that your backup would both be reliable and work. Now, life isn’t quite as easy on the high end. You actually have to use a third-party tool. The SBS console standard system, however, will back up Exchange Server data in a full system backup. But because Exchange Server data is so important, you might want to consider backing it up with the additional method provided solely for Exchange Server by the console. The method to back up the console is as follows:
1. Open the Windows SBS Console. 2. Click the Backup And Server Storage tab on the navigation bar, and then click the Server Storage tab.
3. Click the Server Storage tab, and then click Move Exchange Server Data. 4. Click Next at the intro screen. 5. If you haven’t configured Backup, it will present you with a message prompting you to do so. Either way, do one of the following: ◆
If you do not want to configure Backup, click OK.
◆
If you want to configure Backup and back up the data before continuing, click Cancel. Then configure Backup with the method discussed in Chapter 8, ‘‘Backing Up and Performing Disaster Recovery.’’
DATABASE STRUCTURE AND RECOVERY
6. On the Choose A New Location For The Data page, click the drive or partition where you want to move, and then click Move.
7. When the move finishes, click Close. The Exchange Server data is now backed up.
Restoring Exchange Server from Full Backup The restoration process from an Exchange Server backup is so easy, I almost don’t want to discuss it. But for the sake of thoroughness, if you lose your Exchange Server data, you can easily recover your backup by navigating to the Backup And Server Storage menu from the SBS console and then selecting Restore Server Data From A Backup in the Tasks pane. Once you click that, you’ll be presented with all the backups you’ve made server-wide. You can select the one that recovers the Exchange Server data you’d like to see.
Creating a ‘‘Recovery’’ for Backup One of the features available with Exchange Server 2007 is to use an Exchange restore to provide a ‘‘syncable’’ backup that you can use to manage a feature called a recovery storage group, which is discussed in the next section. This backup is an exact copy of your Exchange Server data, located in another place on your system — preferably on another drive, but that’s not required. To create a storage backup, select Start Administrative Tools Windows Server Backup, and click Recover. This will start the Recovery Wizard. On the first screen, choose your server, and click Next. You’ll then want to choose the backup date to recover from on the next screen, similar to what you did in Chapter 8. Click Next again, and then do the important part: choose Applications as the type of recovery, since Exchange Server 2007 is an application. This tells Windows Backup, in effect, that the type of backup you’re doing is a file-only backup and that it shouldn’t try to restore any Windows features on the files it’s recovering. At the next screen, shown in Figure 11.1, you’ll get to choose the type of application. Choose Exchange.
Figure 11.1 Exchange recovery
281
282
CHAPTER 11 MANAGING CLIENTS, TROUBLESHOOTING, AND RECOVERING FROM DISASTER WITH EXCHANGE FOR SBS
After that, you can click Next and proceed to the next screen. Here, you will choose to recover to a different location than you can use to separate your ‘‘real’’ Exchange Server from your recovery database. A \restore definition does nicely. After you click Next, the wizard will complete, and you can move on.
Creating a Recovery Storage Group In Exchange Server 2003, Microsoft created a simple way for administrators to recover lost emails or mailboxes from a database, without the need to restore from a complete backup or, really, from any form of formal backup media whatsoever — at least as far as the traditional definition of backup media is concerned. Instead, you can just restore from a backup storage group. To create a storage recovery group, you can use the Exchange Toolbox. First, open the Exchange Management Console, and select the Toolbox. Select the Database Recovery Management toolbox, shown in Figure 11.2. This will open the tool set that will allow you to use Exchange Server’s backup methods.
Figure 11.2 Database recovery management
At the welcome screen, you’ll need to enter your Exchange Server name, your domain controller name (which should autofill), and a label to associate with the action that you’re doing. I recommend just labeling it recovery storage group. Once you’ve labeled it and entered the right information, you can click Next. Click Create A Recovery Storage Group, as shown in Figure 11.3. This will open the storage group options.
Figure 11.3 Creating a recovery storage group
At the next screen, shown in Figure 11.4, you’ll be able to select the storage group that you’d like to associate with your recovery storage group. This group will then ultimately be merged with the recovery group you’re making, so be sure to pick the one with your user accounts and not a backup group of some sort.
Figure 11.4 Storage group selection
At the next screen, you’ll be able to set your log, system, and database folders location. (These are left to the default values in Figure 11.5.) The first, or the ‘‘original,’’ storage group
DATABASE STRUCTURE AND RECOVERY
should be left to the default, and the recovery storage group should be located wherever you’ve created your backup. This lets you place the files in different locations, making the process smoother when they ultimately merge.
Figure 11.5 File locations
If everything went OK, you’ll see a summary screen with results similar to Figure 11.6. This means that your group is set up and working.
Figure 11.6 Results screen
Mounting the Recovered Database for Merging At this point, you want to take the database that you created through your system restore and mount it to your Exchange Server systems so it can be used. This lets Exchange Server use this
283
284
CHAPTER 11 MANAGING CLIENTS, TROUBLESHOOTING, AND RECOVERING FROM DISASTER WITH EXCHANGE FOR SBS
database to create an incredibly efficient merged database that allows for failover in the case of lost messages. Assuming you followed the previous steps, you can click the Go Back To The Task Center button and then click Mount Or Dismount Databases In The Recovery Storage Group. If you exited, you can access it again by accessing the Database Recovery Management toolbox and then filling in your server/label information. Using either method, once you’re at the main action screen, you can click the button you see in Figure 11.7.
Figure 11.7 Mounting or dismounting databases in the recovery storage group
This will open the Mount Or Dismount Database page. Here, select the mailbox database you created, and click the Mount Selected Database option, as shown in Figure 11.8.
Figure 11.8 Mounting the database
Recovering Corrupted Databases Exchange databases, like almost all databases, can become corrupted. This is especially true if they are merged, because the Exchange databases are consistently swapping back and forth between Exchange Server storage groups. The end result of this swapping can be an inconsistent database. Furthermore, this can happen when you try to mount a database for the purpose of merging. If it does happen, you can go back to the task center and click Repair Database. The GUI is fairly simple to use, and it does a really good job of repairing a database. You can also use eseutil.exe to help recover the database.
Merging the Mailboxes Finally, now that you’ve created the restore, mounted the database, and recovered it if it’s corrupted, you can merge all the mailboxes that you’re trying to back up!
OVERVIEW OF MAILFLOW
You can merge mailboxes in the Exchange Server console by going to the task center and clicking the Merge Or Copy Mailbox Contents button shown in Figure 11.9.
Figure 11.9 Merge or Copy Mailbox Contents button
On the next screen, select Gather Merge Information. This will start a look through your recovery storage group and your first storage group. Then, you can click the Perform Pre-merge Tasks button. To you as a user, the process will almost seem like a ‘‘next, next, next’’ sequence. Eventually, you’ll need to select the mailboxes you would like to merge. Most administrators just choose all their mailboxes and continue. And at that point, you’re done! The last thing you have to do is to dismount the remote storage group. You can do that in the tasks pane by clicking Remove The Recovery Storage Group.
Troubleshooting Mailflow The number-one IT concern for just about any business operating with more than five employees can be summarized in one word: mailflow. The process of mailflow is the sending and receiving of messages across Exchange Server and other mail servers throughout the Internet, intranet, and various connectors that are established through Exchange Server 2007. As an IT technician or network administrator, you should be particularly concerned with mailflow issues because if there’s a problem with it, someone will most likely end up in front of your desk, complaining that their mail isn’t flowing. And that ultimately means your day is going to get a lot worse — very quickly. To troubleshoot Exchange Server mailflow issues, you first need to understand how the mailflow system works in Exchange Server 2007 and what the stoppages you experience indicate in terms of where the problem may lie. Generally, mailflow issues come in two forms: Exchange Server mailflow problems and SMTP mailflow problems. More often than not these are related, but I’ll cover troubleshooting these as separate issues for the sake of clarity. First let’s talk about mailflow in general.
Overview of Mailflow When Microsoft released Exchange Server 2007, it made a dramatic move by completely replacing the tried-and-true system that Exchange Server 2003 used to route messages with a new system designed to more easily divvy up the roles process in Exchange Server 2007. In effect, there is now a server role for all the major portions involved with Exchange Server 2007. However, what’s ironic is that a majority of mailflow problems occur with one portion of Exchange Server — the Hub Transport. The Hub Transport, which is responsible for routing external and internal emails, runs on the Microsoft Exchange Transport service. You can find it in services.msc by typing services.msc in the Windows SBS Start menu. This will launch all Windows services. The Hub Transport is the service that’s going to handle most of the traffic, including inbound email, outbound email, and local email. Inbound email Inbound email is sent from outside the server (usually the Internet) to the Exchange Server through the hub transport. Eventually it is fed to the mail store, if it is allowed.
285
286
CHAPTER 11 MANAGING CLIENTS, TROUBLESHOOTING, AND RECOVERING FROM DISASTER WITH EXCHANGE FOR SBS
Outbound email Outbound email is sent from the SBS server to an area outside of its local or recipient domains, usually to the Internet. For a message to be outbound, it cannot be destined for any local recipients or users behind the firewall. Local email Local mail flow refers to messages that are processed by a Hub Transport server in an Exchange Server 2007 organization and delivered to a mailbox on the same Active Directory site.
SMTP Connectors SMTP connectors in Exchange Server 2007 are links between the Exchange Server and the Internet that are established in one-way communication lines. Two types of connectors can exist on your Exchange Server: ◆
SMTP receive connectors
◆
SMTP send connectors
An SMTP receive connector is required to receive email from another SMTP connection. Typically on Exchange Server 2007 there is only one SMTP receive connector; however, Exchange Server 2007 can accept multiple connections to a single server if an administrator wants the server to receive email from multiple connections. The SMTP connector is connected to both the Hub Transport and Edge Transport portions of the Exchange Server, because both need to receive email. SMTP send connectors are designed to send outbound email from the Exchange Server across the Internet and are connected to the Hub Transport portion of the Exchange Server. Generally, there is only one SMTP outbound connection from the Exchange Server to the Internet. However, you can manage each of them using the Exchange Management Console or Exchange Management Shell.
Message Transportation As messages are passed from the Exchange Server to the outside world, they go through a series of delivery mechanisms that are established through Exchange Server. These mechanisms are called messaging components. There are five messaging components involved with sending a message: ◆
Submission queue
◆
Store driver
◆
Microsoft Exchange Mail Submission Service
◆
Pickup directory
◆
Categorizer
Messages from outside your Exchange Server organization enter the transport pipeline through an SMTP receive connector. Messages inside enter the pipeline through the Hub Transport server role.
Submission Queue Whenever a message needs to be delivered on an Exchange Server, it’s delivered to the submission queue. This queue is a list of messages needing to be processed by the Exchange Server,
SMTP ERRORS
and it can sometimes get rather large. For example, some organizations will send mass emails to customers in the form of newsletters or email marketing advertisements. Each of these email addresses is a different message that has to be sent from the message queue. Thus, if you have about 100,000 customers (which is not all that many), you will probably send about 80,000 messages, all which must be processed by the queue.
Store Driver Whenever a user sends a message in Outlook, that message is placed initially into an outbox. This outbox is a temporary location that transfers the data from the outbox to (eventually) the submission queue. However, Exchange Server first places it in the outbox and uses the store driver to transfer the message from the outbox to the submission queue. This is because messages are first stored in MAPI format and then converted into Summary Transport Neural Encapsulation Format (S/TNEF) before they’re placed into queue; the store driver is the engine that makes this change.
Microsoft Exchange Mail Submission Service The Microsoft Exchange Mail Submission Service runs on Exchange Server and lets the store driver know to activate and submit the message to the queue. Like many services, it runs on the Hub Transport service and is used to make sure that the messages are moved to the queue.
Pickup Directory Once messages have been placed into the queue, they’re then ready to be delivered by the Hub Transport service. Messages are placed in the Pickup directory until they are processed by the Hub Transport service. This directory is designed to store messages until the Hub Transport service can process them.
Categorizer The categorizer takes the first message received (the oldest message) from the Pickup directory and decides whether it needs to be routed internally and then passes it on. Additionally, the categorizer performs the following tasks: ◆
Identifying and verifying recipients
◆
Expanding distribution lists
◆
Determining routing paths
◆
Converting content formats
◆
Applying message policies
SMTP Errors In cases where the server is either partially or fully running and there’s still an error involved with delivering the message, you can learn a great deal from the messages that Outlook or another mail client server provides through SMTP status codes. SMTP status codes are messages sent by an SMTP-capable server that convey information regarding errors that occur behind the scenes when an email is sent. Through these error codes, you can often troubleshoot the problems associated with email messages.
287
288
CHAPTER 11 MANAGING CLIENTS, TROUBLESHOOTING, AND RECOVERING FROM DISASTER WITH EXCHANGE FOR SBS
Table 11.2 presents a handy reference of Exchange Server error codes. I discuss some of the more commonly experienced errors, along with what can cause them, in the following sections.
Table 11.2: Code
SMTP Error Codes What the Message Means
200
Nonstandard message format
250
Completed mail-sending operation
251
Forwarding to another server
450
Mailbox unavailable
451
Processing error
452
Insufficient storage
500
Unrecognized command
501
Syntax error
503
Unrecognized command sequence
510
Bad email address
511
Bad email address format
512
Domain not found
521
Domain refused mail message
SMTP Error 450: Requested Mail Action Not Taken: Mailbox Unavailable In no particular order, I’m starting with this error because it’s the error I think I’ve seen more than any other in small businesses. And that’s because there are a lot of reasons that this error could display in an email client: The mailbox is busy Sometimes the Exchange store is occupied or overburdened and can’t write to the mailbox. If this happens, this error can appear. You can fix it by seeing why the mailbox is busy. Perhaps there are a ton of messages waiting to be processed, or maybe the user has synced a lot of messages recently. The mailbox is disabled/not allowed/does not exist Technically, this ‘‘shouldn’t’’ happen, but experience has taught me that it does. Sometimes disabled user accounts in Active Directory can cause this very strange, and highly annoying, problem. If this issue comes up and the mailbox isn’t overburdened, check to see whether that mailbox either is disabled, is not allowed to receive email, or does not exist; then try to resolve the problem.
THE BOTTOM LINE
SMTP Error 553: Requested Action Not Taken: Mailbox Name Not Allowed SMTP error 553 is an unusual error that can take many forms. Namely, error 553 can happen on the mailbox, domain, or even server level. For example, error 553 may show up as this: Error 553: Sorry, that domain is not in my list of allowed rcpthosts This specific error shows either that your host is not on the allowed list of email senders to that domain or that your host IP is on a DNS blacklist. Obviously, this error is something that could be solved only by the server that hosts this blacklist/restriction method. But that’s not the only form that this error can come in. Whenever you receive a 553 error, you need to look at the error itself and find out why the mailbox is not allowing mail to be sent to it. Nine times out of ten, it’s a rule like the domain not being allowed or the host origin IP not being allowed, but it is greatly dependent upon the way you have Exchange Server set up in your organization.
Error 452: Requested Action Not Taken: Insufficient System Storage This error is pretty obvious, but it can happen a lot. If your mail system becomes too full and the mail server doesn’t have any space to save an email, well, it won’t! If this happens, try reducing disk space or see whether there is a data quota set somewhere in your server. But whatever you do, do it right away. It’d be a little embarrassing for a company you do business with to hear that you simply ‘‘don’t have room’’ for their important emails.
Error 512: The Host Server for the Recipient’s Domain Name Cannot Be Found (DNS Error) If you see this error, it means that somewhere along the way of sending your error, an email server checked its DNS records for the corresponding IP address to the domain it was sending email to and didn’t find one. It usually means there is a DNS issue on either the other email server or your server. For example, Suzy at the email address [email protected] tries to send an email to [email protected]. As she sends it out, it is rejected because Suzy’s mycorp DNS server and the associated DNS servers can’t find the intellicorp.com mail server IP address.
The Bottom Line Set up Exchange Server clients You need to learn how to set up Exchange Server clients in order to properly administer your SBS 2008 server. You can do this by creating mailbox and user accounts. Master It Use the Exchange Management Console to add a mailbox user and an account in Active Directory for John Smalls. Diagnose mailflow issues Diagnosing a mailflow issue is a major component of becoming an administrator with Exchange Server. Through this, business owners can count on you being able to fix any issue at any time that may arise.
289
290
CHAPTER 11 MANAGING CLIENTS, TROUBLESHOOTING, AND RECOVERING FROM DISASTER WITH EXCHANGE FOR SBS
Master It A mail server has stopped mailflow, and the hard drive shows zero space. What should you do? Back up Exchange Server 2007 You need to be able to restore Exchange Server 2007 at a whim, regardless of what may occur in your organization. Otherwise, disaster could strike at any time, and you would be without any way to compensate for it. Master It Create an Exchange Server recovery group to restore from.
Chapter 12
Introducing SQL Server If you purchased the Premium edition of Small Business Server, you also got a copy of Microsoft’s flagship database management product called SQL Server. If you aren’t familiar with SQL Server, it is an industrial-strength platform for storing, manipulating, and retrieving data. If you are familiar with SQL Server, then you probably already know how powerful it is. But just because it’s powerful, don’t let it intimidate you. SQL Server comes with a very robust user interface called SQL Server Management Studio (SSMS) that does an excellent job of simplifying the tasks of creating and managing databases. In this chapter, I’ll review how SQL Server fits into the SBS environment, how to install it, and then how to use and administer it. In this chapter, you will learn to ◆ Install and configure SQL Server ◆ Use SQL Server ◆ Administer SQL Server
What Is SQL Server? As mentioned in the introduction to this chapter, SQL Server is a database management application (or platform) that is used to store and manipulate data. For example, suppose you need to track your customers and their orders for the products that your company creates and sells. You previously may have been using some type of paper-based system or maybe you have already gone electronic and use some combination of programs such as Microsoft Word or Excel, but you now realize you need to store all that customer data in a centralized location that is readily available and easy to maintain. Using SQL Server, you can create what is known as a relational database (which is basically a set of interrelated tables), define the data that is to be contained in those tables, and then populate those tables with your data. Once you have the tables in your database populated with data, you can then read, update, slice, dice, and process that data in any way you see fit. You can create a Windows application for managing the data, create a web application for viewing reports based on the data, or even pull the data directly into an Excel spreadsheet or some other data-aware application. The point is that once you have your data centralized and organized into a SQL Server database, you can pretty much do anything you want with it. However, SQL Server isn’t just a bucket for storing data; it comes with a slew of tools and features that allow you to define the data, restrict who has access to the data, manage the users who are using the data, integrate the data with external applications, back up the data . . . the
292
CHAPTER 12 INTRODUCING SQL SERVER
list goes on and on. I’ll cover many of those tools and features in this chapter and provide you with some pointers for learning about many of the other areas. In addition to SQL Server, Microsoft sells a few other database products such as Access (part of the Office suite of applications) and Visual FoxPro, and it can get confusing as to which one you should use and when. If you need a simple database application that will be used by only one or a handful of users, then either Access or Visual FoxPro will work just fine. However, if you think that your database will need to grow to support many different users, then SQL Server is definitely your best choice: although it’s easy enough to use to create smaller databases, it has the power and robustness to handle any amount of data and users you may require.
SQL Server Editions Like many other Microsoft products, SQL Server comes in a variety of flavors, or editions. The edition that comes with the Premium version of SBS is called Microsoft SQL Server Standard Edition for Small Business, and it is basically the Standard edition of SQL Server with a few extra licensing restrictions, but more on that later. For now, I’ll review the core SQL Server editions and the requirements and limitations of each.
SQL Server Compact This edition of SQL Server comes at my favorite price — free! However, this edition is actually not built on the same code base as SQL Server. Instead, it is a greatly simplified, file-based, embedded database targeted for single-user use. It is useful on handheld devices that do not need multiuser access, and it can also be used on desktops and in websites for very small and compact databases.
SQL Server Express This edition of SQL Server is also free but is built on the same code base as the rest of the SQL Server editions, and it is therefore fully compatible with those editions. Let me say that again — this free version of SQL Server is fully compatible with the other SQL Server versions, including the small-business version that you got with SBS Premium. I’ve provided an example of why this is important in the ‘‘Building Databases with SQL Server Express’’ case study later in this chapter. Although SQL Server Express is fully compatible with other versions of SQL Server, it does come with some limitations on the features that it exposes, the hardware that it supports, and the sizes of databases that it can handle. In terms of features, SQL Server Express contains the database engine, SSMS, full-text searching, and a limited set of reporting services. It does not contain some of the more upscale features such as full replication, database mail, data warehousing, and integration services. Don’t worry if you aren’t sure what all of that means; I’ll go over these and other features later in the chapter. In terms of hardware, SQL Server Express can use only one CPU, it can use only 1GB of memory, and the database size cannot exceed 4GB. To download and try SQL Server Express for yourself, visit the SQL Server Express page on the Microsoft website at www.microsoft.com/express/sql/default.aspx. Note that if you do decide to try SQL Server Express, make sure that at the very least you get the one with the runtime and management tools. This will ensure that you get the SSMS application that is used to create and manage databases.
WHAT IS SQL SERVER?
SQL Server Standard This edition of SQL Server is a big step up from the Express version and is in fact the very version that you get with SBS Premium. In this version, you get the ability to do full replication, send database emails, create data warehouses, and use data integration services, among other really cool features. In terms of hardware, SQL Server Standard can use up to four CPUs, with no limit on the amount of memory and no limit on the size of databases. Although the version of SQL Server that you get with SBS is the Standard version, there are some special licensing requirements for using it within a SBS environment. I’ll cover these special licensing requirements in the section ‘‘Installing and Configuring SQL Server’’ later in the chapter.
SQL Server Enterprise This edition of SQL Server is the top-of-line version with all the bells and whistles. In addition to all the features that you get with the lesser versions, you also get advanced features such as mirrored backups, database snapshots, and data mining. In terms of hardware, SQL Server Enterprise is supported on machines with no limit on the number of CPUs, no limit on the amount of memory, and no limit on the size of databases. In addition to the versions of SQL Server discussed earlier, there are also specialized versions of SQL Server targeted to small businesses and developers. These versions include Workgroup, Web, and Developer. The differences between these versions are basically their licensing restrictions in terms of where they can be installed and the features and types of hardware configurations that they support. For more information about the various editions of SQL Server, you can visit the SQL Server editions page on the Microsoft website at www.microsoft.com/sqlserver/2008/en/us/ editions.aspx.
Building Databases with SQL Server Express I once had a client who needed a pretty simple inventory-tracking database, but she expected it to grow exponentially over time and was worried about making sure that she bought the right database product to do the job. In addition, like many small businesses, she was strapped for cash and didn’t really want to spend thousands or even hundreds of dollars on something that didn’t fit her needs. Enter SQL Server Express. Because SQL Server Express is simply a stripped-down version of SQL Server Standard and Enterprise, I was able to build and deploy her database with that. Then, once she was convinced that it would do the job and when she had the money to do so, she a bought a license for SQL Server Standard, and I moved the database over to that edition of SQL Server in a matter of minutes; no harm, no foul. The 4GB limit imposed by SQL Server Express was removed and now had a robust database for storing all her data that would serve her well for many years to come.
293
294
CHAPTER 12 INTRODUCING SQL SERVER
So, the moral of this story is that even though you have a license to use SQL Server Standard within your SBS environment, you can still install and use SQL Server Express on other machines in your environment to create databases. Then, when you’re ready to go ‘‘live’’ with the databases and make them available for your entire organization to use, move them to the Standard version. I’ll show you how to move databases between servers in the ‘‘Moving SQL Server Databases’’ section.
SQL Server Features There is no doubt about it, SQL Server is a very robust and complex product, and there is simply no way to cover everything that it is capable of doing in a single chapter. However, I do want to give you an overview of some of its key features, and that is what this section is all about. Database management The key feature of SQL Server is its ability to create and manage databases. This is done through what is known as the database engine (or runtime) in conjunction with SQL Server Management Studio, which is the graphical user interface for SQL Server. With the database management features of SQL Server, you can create not only databases but also the database objects that they contain, including tables, triggers, stored procedures, and views. User management In addition to database management, SQL Server also provides the ability to control the access that users have to the databases that it manages. This control is managed through the use of user accounts and roles and can be managed at the server, database, and database object levels. Database administration Although the line between database management and database administration can get a bit blurry, SQL Server supports many different database administration tasks such as backing up and restoring databases, doing database maintenance, and customizing many different options for server and database configurations. Scheduled jobs Scheduled jobs in SQL Server allow you set up a series of tasks to be completed automatically by SQL Server on a scheduled basis. For example, you can use scheduled jobs to perform routine database maintenance, run scripts, execute integration services packages, or send alerts when specified actions occur. Database mail Database mail is a SQL Server feature that allows you to configure SQL Server to generate and send emails. This can be useful for alerting you or your users to problems occurring in the database or to notify users when there have been changes within the data in the database. For example, suppose that you run a fairly open database environment and allow some users to create database objects directly such as tables. However, you want to be notified of any such change when it occurs. Using database mail and another SQL Server feature called alerts, you can set up SQL Server so that when a database object change is made in your database, you will be automatically notified of that change via email, generated directly from SQL Server. Replication Replication is a feature of SQL Server that gives you the ability to copy and synchronize data between databases. This can be useful for scenarios involving data that is spread across physical locations — for example, a server in one city that needs to be synchronized with a server in a different city.
HOW DOES SQL SERVER FIT IN WITH SMALL BUSINESS SERVER?
Suppose you have two sales offices, one in Atlanta for the East Coast and one in Seattle for the West Coast, and you need them both to work from the same set of customer-tracking data. However, you want the database centralized in one location. Using replication, you could set up the database located in Atlanta as the primary database (known as the publisher) and the one in Seattle as the secondary database (known as the subscriber). Once you’ve set up the replication, the Atlanta site would act as the central data repository for all sites, and the data between all sites would stay in sync. Reporting Services SQL Server Reporting Services (SSRS) is a relatively new feature of SQL Server that gives you the ability to create, distribute, manage, and use reports. Reports built using SSRS can be viewed through a Windows application, website, or SharePoint site. Integration Services SQL Server Integration Services (SSIS) is an updated version of Data Transformation Services (DTS) that was available in older versions of SQL Server. Using SSIS, you can retrieve, transform, and load data from a wide range of sources. Analysis Services SQL Server Analysis Services (SSAS) allows you to create and mine data from online analytical processing (OLAP) databases. OLAP databases contain data that is organized in a multidimensional (or ‘‘cube’’) structure, which provides many different ways of analyzing data. Full-Text Search SQL Server Full-Text Search is a feature of SQL Server that can be used to find character-based data in a database using techniques that are more robust than standard SQL language keywords. Using Full-Text Search, you can find words or phrases contained in a text-based column of data within a table. This list of features of course only scratches the surface in terms of all that SQL Server can do, but I do hope that it at least gives you an idea of some of things that SQL Server is capable of doing. There is one very important aspect of SQL Server that I want to mention, although it is debatable if it can be considered a feature, and that is the SQL Server help system known as SQL Server Books Online. No matter whether you love help systems or hate them, SQL Server Books Online is a comprehensive and important resource that you would be well served to become familiar with. With this resource you can find pretty much anything and everything that you might need to know about SQL Server and how to use it. You can install SQL Server Books Online when you install SQL Server, but it is also (surprisingly enough considering its name) available online at the Microsoft website at http://msdn.microsoft.com/en-us/ library/ms130214.aspx. For the remainder of this chapter, I will focus on the features included with the Standard version of SQL Server because that is the version that comes with SBS Premium. Note, however, that much of what I will cover applies also to the Express and Enterprise versions.
How Does SQL Server Fit in with Small Business Server? Now that you know what SQL Server is, what its different versions are, and some of the features that it contains, it will be useful to discuss how it fits in with a SBS environment and your business in general. As with any business, small businesses need to store useful information, keep it organized, and make it readily available. In addition, they need to be able keep that data secure and accessible for many different users, whether it is Amy in accounting, John in sales, or Steve the company owner who needs to know how his business is performing.
295
296
CHAPTER 12 INTRODUCING SQL SERVER
A common problem that all businesses face is how to take the many different types of information that they have and transform them into a centralized format. This is exactly what SQL Server was designed to do. With SQL Server and the many tools and features that it provides, you can organize your data into a centralized database, thereby providing a common repository for the many different forms of data that your company uses. But what about SBS specifically? How does SQL Server fit within a SBS environment? You may be surprised to learn that when you build a SBS server, you installed a few versions of SQL Server by default. SBS uses SQL Server Express Edition for SBS monitoring, and Windows Update and Windows SharePoint Services use SQL Server Compact Edition. Even though SBS itself makes use of SQL Server, you’ll still want to take advantage of the Standard version of SQL Server that you got with your SBS Premium purchase. By putting in place your own SQL Server, you’ll be able to create and use databases specific to your organization and do so in a manner that is separate from the primary Small Business Server that is used to manage other aspects of your environment. So, that’s it for the conceptual overview of SQL Server, what it is, and what you can use it for. Now let’s get down to business so you can get your hands dirty with it. The first step is to get it up and running, and you’ll do that next.
Installing and Configuring SQL Server Although installing SQL Server is a bit time-consuming, I think you’ll find it to be a fairly painless process, and I will walk through that process step-by-step in just a bit. However, before actually installing SQL Server, you should take the time to understand the licensing restrictions that come with SQL Server in an SBS environment.
Installation and Licensing Requirements Although the version of SQL Server that you get with SBS Premium is essentially the Standard version, it comes with a few installation and licensing requirements: ◆
It can be installed only within an SBS network.
◆
You’ll need a client access license (CAL) for any user or device that accesses it.
◆
Although you can install SQL Server on the SBS domain controller, it is recommended that you install it on a separate server.
◆
You should not attempt to migrate the SQL Server databases used by SBS to your separate SQL Server installation. This is an unsupported scenario.
◆
You can move the Windows SharePoint Services content database to your separate SQL Server if you want or need. You can learn all about this at http://technet.microsoft .com/en-us/library/cc794697(WS.10).aspx#BKMK SharePoint.
◆
To install SQL Server, you need to be logged in as a domain administrator, with the server joined to the SBS domain.
That’s pretty much it for the installation and licensing requirements. If you want to get a more thorough overview of these requirements, you may do so online at http://technet .microsoft.com/en-us/library/cc794697(WS.10).aspx.
INSTALLING AND CONFIGURING SQL SERVER
Installing SQL Server Before you get started installing SQL Server, I’ll cover a few ground rules and decisions that you need to make. The first thing that you’ll need to decide is whether you want to install SQL Server as a default or named instance. SQL Server allows you to install multiple instances of the runtime engine so that you effectively have multiple SQL Servers running on one machine. For the purposes of this chapter, I will show how to install the default, single instance. The second decision that you’ll need to make is the Windows accounts that you want SQL Server to run under. In general, it’s a good idea to create accounts specifically for SQL Server to use, but you can configure SQL Server to run under standard system accounts, which is what I’ll show how to do. Note, however, that in a production server environment, you should not run SQL Server using the standard system accounts but should instead configure your own specific accounts because it will provide you with a more secure environment. Another decision to make is where you want to install SQL Server. Some organizations prefer to install SQL Server on a partition separate from the primary operating system partition. However, installing SQL Server on the primary partition will work just fine, so that is what I will show you how to do. The final decision to make is which SQL Server features you want to install, but this decision is not as critical, because you can always go back and add features to an existing installation. In the following exercise, you’ll install a fairly minimal set of features. You’re now ready to begin the installation of SQL Server, so grab your installation disc and proceed to Exercise 12.1.
Exercise 12.1: Installing SQL Server In this exercise, you will install SQL Server as a default instance using a basic set of SQL Server features. To begin the process of installing SQL Server, make sure that you are logged into the server as a domain administrator. Then, perform the following steps:
1. Insert the SQL Server 2008 installation disc into the server’s CD or DVD drive. 2. When the AutoPlay feature activates, you should see a screen similar to the one shown here.
297
298
CHAPTER 12 INTRODUCING SQL SERVER
3. Click Run SETUP.EXE. After a few moments, the SQL Server Installation Center will appear as shown here.
4. On the SQL Server Installation Center screen, click the Installation link in the left-side list. This will cause the SQL Server Installation Center screen to change to a list of installation options, as shown here.
5. Since this is a new installation of SQL Server, click New SQL Server Stand-Alone Installation Or Add Features To An Existing Installation. This will start the Setup Support Rules process that
INSTALLING AND CONFIGURING SQL SERVER
checks your server for issues that may prevent you from successfully installing SQL Server. You can see the rules that were checked by clicking the Show Details button, as shown here.
6. Click OK to move on to the Product Key screen. If your product key has not already been prepopulated, select Enter The Product Key, and enter the product key that came with your SQL Server license. When done, click Next.
7. The next screen that you will see (not shown) is the License Terms screen. Read and accept the license terms, and click Next.
299
300
CHAPTER 12 INTRODUCING SQL SERVER
8. The next screen that you will see is the Setup Support Files screen. Click Install to install the files that are needed for the installation process. Once the setup files are installed, you’ll see the Setup Support Files screen again with a list of rules that were checked, similar to the screen shown here.
9. Click Next to continue to the Feature Selection screen. This is the screen that you use to select the SQL Server features that you want to install. At a minimum, you should select Database Engine Services, SQL Server Books Online, and Management Tools; then click Next.
INSTALLING AND CONFIGURING SQL SERVER
10. You’ll next see the Instance Configuration screen, which is where you can specify the type of instance that you want to install, the name that you want to use for the instance, and the root directory that you want the instance installed in. Select Default Instance, and leave everything else set to the default values; then click Next.
11. The next screen is the Disk Space Requirements screen (not shown) that summarizes the disk space need for the features that you selected to install. Assuming that you don’t have any issues with the required disk space, click Next.
12. On the Server Configuration screen that next appears, you can set the accounts that the SQL Server services will use to access system resources. Although it is recommended that you use different accounts for each service, for purposes of this exercise, use the NT AUTHORITY \SYSTEM account for the SQL Server Agent and SQL Server Database Engine services, and leave the defaults for everything else, as shown here; then click Next.
301
302
CHAPTER 12 INTRODUCING SQL SERVER
13. On the Database Engine Configuration screen that appears next, you can select the authentication mode that you want to use, the accounts that you want to have administrator access to SQL Server, and the data directories and filestream settings. For this exercise, click the Add Current User button to add the account that you are currently logged in as, and leave the default values for everything else, as shown here; then click Next.
14. The next screen that appears is the Error And Usage Reporting screen (not shown) that allows you to optionally send Microsoft information about your SQL Server usage. Make your selections, and then click Next.
15. On the Installation Rules screen that appears next, you’ll see a list of setup rules for the installation. Assuming that you have passed all the rules, click Next.
INSTALLING AND CONFIGURING SQL SERVER
16. You’re almost there. On the Ready To Install screen that appears next, you’ll see a summary of all the installation choices that you have made up to this point. Click Install to start the installation of SQL Server, as shown here.
17. The installation will take a while to run, but once it is complete, you’ll see the Complete screen, which will indicate whether the installation was successful, as shown here. To finish the installation process, click Close, and then close the SQL Server Installation Center screen as well.
303
304
CHAPTER 12 INTRODUCING SQL SERVER
That’s it for installing SQL Server. Note that in this exercise, you took the path of least resistance and installed SQL Server using pretty much all of the default configurations, but your environment and business needs may require different configurations. For more detailed coverage of the different configurations that you can make when installing SQL Server, check out some of the SQL Server administration books offered by Sybex (such as Mastering SQL Server 2008) or SQL Server Books Online. Now that you have completed the initial installation of SQL Server, it’s a good idea to make sure that you also install the most recent service pack that Microsoft has made available for SQL Server. You can do this in a few different ways. One is to run the SQL Server setup program again and then on the Installation page of the SQL Server Installation Center screen select Search for product updates. Another is to simply run the Windows Update utility that comes with Windows. However, you may want to have more control over how SQL Server service packs are installed and do so manually. Exercise 12.2 will walk you through the process of installing a SQL Server service pack manually.
Exercise 12.2: Installing a SQL Server Service Pack In this exercise, you will install the latest SQL Server service pack. To begin the process of installing the service pack, make sure you are logged into the server as a domain administrator, and then perform these steps:
1. Open your favorite web browser, and navigate to the SQL Server 2008 Downloads page, which at the time this chapter was written was at http://msdn.microsoft.com/en-us/ sqlserver/bb671149.aspx. If that URL doesn’t work, go to the main Microsoft SQL Server page at http://www.microsoft.com/sql and look for a SQL Server Downloads link. Once you get to the service pack page, click the link to download the service pack to a directory of your choosing.
2. Open Windows Explorer, and navigate to the directory where you downloaded the service pack file to; then double-click the service pack file to begin the installation process.
3. As the service pack installation process begins, you’ll see a dialog box indicating that the service pack files are being extracted to a temporary directory. When the extraction completes, you’ll see the Welcome screen that looks similar to the Setup Rules screen that you saw during the SQL Server installation process, as outlined in Exercise 12.1.
INSTALLING AND CONFIGURING SQL SERVER
4. Click Next to continue to the License Terms screen (not shown). As before, read and accept the license terms, and click Next.
5. You’ll next see the Select Features screen with the features automatically selected for you, as shown here. Click Next.
305
306
CHAPTER 12 INTRODUCING SQL SERVER
6. The next screen that appears is the Check Files In Use screen. This screen indicates any services that you may need to stop for the installation to proceed. If there are services listed in this screen, stop them, and then click Next.
7. On the Ready To Update screen that appears next, you’ll see a summary of the SQL Server features that will be updated with the service pack. Click Update to begin the installation of the service pack.
8. Once the install of the service pack is completed, you’ll see the Update Progress screen, which will indicate the success or failure of the installation; then click Next.
9. The final screen that you’ll see is the Complete screen (not shown). Click Close to end the installation of the service pack. At this point, SQL Server should now be installed, up-to-date, and ready for use. In the next section, I’ll cover some of the core features of SQL Server and show you how to use them, and I’ll even give you a few tricks that you can use as you learn to create and use databases.
Using SQL Server Now that you have SQL Server installed and ready to go, let’s jump right in and learn the environment that you’ll be using to work with it. As mentioned earlier, the primary user interface that you’ll use to work with SQL Server is called SQL Server Management Studio. But to get to SSMS, you first have to log into SQL Server, so let’s take a look at how to do that.
Logging into SQL Server Logging into SQL Server is simply a matter of launching SSMS, selecting the SQL Server instance that you want to connect to, and entering a username and password with the
USING SQL SERVER
authority to access it. Since you installed SQL Server earlier in the chapter using Windows authentication, SQL Server will automatically use the username and password associated with your Windows domain account when you choose Windows Authentication as the authentication type. To launch SSMS, open the Windows Start menu, and then select All Programs Microsoft SQL Server 2008 SQL Server Management Studio. You’ll then see the Connect To Server screen, as shown in Figure 12.1.
Figure 12.1 SQL Server’s Connect To Server screen
The Server Type option should be Database Engine, the Server Name option should be the computer name of your server (you can alternatively use ‘‘(local)’’ or ‘‘.’’), and Authentication should be set to Windows Authentication. Click Connect to connect to your instance of SQL Server.
Using SQL Server Management Studio Once you’ve successfully connected to your instance of SQL Server, you’ll see the SSMS environment as depicted in Figure 12.2. Like most Windows applications, SSMS has a menu bar across the top and a toolbar beneath it. The most important aspect of SSMS, and the one that you will spend the most time using, is the Object Explorer that is docked by default to the left of the SSMS screen and is shown expanded in Figure 12.2. Using the Object Explorer, you can access all the database objects contained in SQL Server and perform many tasks associated with those objects. The tasks that you can perform on the database objects are listed in a context menu that you can reach by right-clicking an item in the Object Explorer. For example, if you right-click the server name, which is the first item listed in the Object Explorer, you’ll see the server context menu, as shown in Figure 12.3. You can use the server context menu to perform tasks on the server such as connecting and disconnecting a server, starting and stopping the database engine service, generating server reports, and configuring the server. For example, if you select Properties from the server context menu, you’ll open the Server Properties window, as shown in Figure 12.4. You can use the Server Properties window to configure and tweak SQL Server above and beyond what you did during the installation process. The main point is that the Object Explorer is the place to go to manage SQL Server and the many database objects that it contains, and you do so by right-clicking a node within the Object Explorer to access the tasks associated with the selected object.
307
308
CHAPTER 12 INTRODUCING SQL SERVER
Figure 12.2 SSMS Object Explorer
Figure 12.3 Server context menu
USING SQL SERVER
Figure 12.4 Server Properties
One last feature of SSMS that I will cover, and one that you will use as much if not more than the Object Explorer, is the Query window, as shown in Figure 12.5, which you can open by clicking the New Query button in the SSMS toolbar.
Figure 12.5 Query window
You can use the Query window to enter and execute Structured Query Language (SQL) statements against both the server and the databases that it manages. In Figure 12.5, you can see that I executed the following SQL statement: SELECT @@VERSION;
309
310
CHAPTER 12 INTRODUCING SQL SERVER
This SQL statement simply returns information about the version of SQL Server that you are using. After typing the SQL statement into the Query window, I clicked the Execute button on the SSMS toolbar. Note that as an alternative to the Execute button, you can press the F5 key on your keyboard to execute a SQL statement in the Query window. The subject of SQL statements is far too broad to even try to attempt to cover in a single chapter, but there are a few keys points that you should understand. First is that SQL is a standardized language, and most if not all database vendors follow it to some degree. In the case of SQL Server, the SQL implementation that is used is called Transact SQL (T-SQL). In addition, SQL statements can be broken into two general categories. One is Data Manipulation Language (DML) statements, which involve working with the actual data that a database contains. Examples of these types of statements include SELECT, INSERT, UPDATE, and DELETE. The second category of SQL statements are Data Definition Language (DDL) statements. These are used to work with database objects, such as tables. Examples are CREATE, ALTER, and DROP statements. I will be using some of the DML SQL statements throughout the rest of the chapter, but to get more information about the types of SQL statements supported by SQL Server, see SQL Books Online.
Creating a Database For SQL Server to be of any real use, you’ll need to create a database for it to manage. Fortunately, creating a database in SQL Server is easy. To create a new database, right-click the Databases item in the Object Explorer, and select New Database; this will open the New Database window, as shown in Figure 12.6.
Figure 12.6 New Database window
USING SQL SERVER
Using the New Database window, you can name your database, set its owner, set a wide range of options, and even specify which files the database should be created in. In Exercise 12.3, you’ll create a database named Customers that you’ll be using throughout the rest of this chapter.
Exercise 12.3: Creating a Database In this exercise, you will create a SQL Server database using the default settings that SQL Server provides. To begin the process of creating the database, make sure that you’ve logged into SQL Server and the SSMS environment is open, and then perform the following steps:
1. Right-click the Databases item in the Object Explorer to open the Databases context menu.
2. In the Databases context menu, select New Database to open the New Database window (previously shown in Figure 12.6).
3. In the Database Name field of the New Database window, enter Customers, and then click OK.
Once you’ve created a database in SQL Server, the Object Explorer will list the database under the Databases item, as shown in Figure 12.7.
Figure 12.7 New database in the Object Explorer
311
312
CHAPTER 12 INTRODUCING SQL SERVER
If you expand the Customers database that you created in Exercise 12.3, you’ll see subitems for the database such as Database Diagrams, Tables, Views, and so on. As you may have already guessed, each of these database items come with their own set of tasks that can be accessed from their respective context menus.
Creating Tables in a Database The basic building block of any relational database is the table, because it is the table that contains the data that is useful to your users. Within SQL Server, you can create tables either using a graphical user interface called the Table Designer or using the CREATE TABLE SQL statement. In this section, I’ll show you how to create a table using the Table Designer. Getting to the Table Designer is simple. While SSMS is open, expand the Databases item, and then expand the database that you want to create the table in. Next, right-click the Tables item to bring up the Tables context menu, and then select New Table. This will open the Table Designer, as shown in Figure 12.8.
Figure 12.8 Table Designer
Using the Table Designer, you can create the columns for your table, specify the types of data that the columns will contain, and set the columns properties if needed. In addition, you can also use the Table Designer to set the table’s primary key, establish relationships between multiple tables, create indexes, and create additional constraints. Fundamental to understanding how to create tables is the concept of a data type, which defines the type of data that will be contained in a column of the table. SQL Server supports the following types of data: ◆
Numerics
◆
Date and time
◆
Character and Unicode character strings
USING SQL SERVER
◆
Binary strings
◆
Special data types
Table 12.1 describes some of the more common data types and what they can contain.
Table 12.1:
Common Data Types
Data Type
Value Ranges
Int
−2,147,483,648 to 2,147,483,647
Decimal
−1038 + 1 to 1038 – 1
Money
−922,337,203,685,477.5808 to 922,337,203,685,477.5807
Char
From 0 to 8,000 characters
Varchar
From 0 to 8,000 characters
Varchar(max)
From 0 to 2 billion characters
Binary
From 0 to 8,000 bytes
Varbinary(max)
From 0 to 2 billion bytes
Date
0001-01-01 to 9999-12-31
Datetime
1753-01-01 to 9999-12-31
Timestamp
Used for automatic timestamp generation in a database
Uniqueidentifier
A globally unique identifier (GUID) that may be generated or manually created
XML
For storage of XML data up to 2GB in size
Finally, one aspect of table creation that I would be remiss if I didn’t cover is that of establishing what’s known as a primary key. A primary key for a table is that columns or group of columns that are used to uniquely identify a row within a table, which is important to have because it will allow you to easily identify and work with a row of data. Creating a primary key for a table in SQL Server involves selecting the row or rows that you want to set as the primary key and then choosing to set them as the primary key using either the SSMS menu, the toolbar, or the column’s context menu. You’ll see how to do this in Exercise 12.4.
Exercise 12.4: Creating a Table In this exercise, you will create a simple table using the Table Designer. To begin the process of creating the table, make sure that you’ve logged into SQL Server and the SSMS environment is open, and then perform the following steps:
1. Expand the Databases item in the Object Explorer. 2. Expand the database named Customers, which you created in Exercise 12.3.
313
314
CHAPTER 12 INTRODUCING SQL SERVER
3. Expand the Tables item in the Customers database. 4. Right-click the Tables item, and select New Table. 5. In the Table Design window, enter the column information shown here.
6. In the Table Designer window, click the CUSTID column, and then in the column properties for that column, change the (Is Identity) subproperty of the Identity Specification property to Yes. This sets the column as an identity column, which is basically a numerical column that has its value automatically incremented by SQL Server.
7. In the Table Designer window, right-click the CUSTID column definition, and select Set Primary Key.
USING SQL SERVER
8. Click the Close button in the upper-right area of the Table Designer window, which will open the Choose Name window that you can use to name your table.
9. Enter Customers for the table name, and then click OK to save the table.
Notice that if you now expand the Tables item in the Object Explorer, you will see your newly created table listed. If you need to make changes to an existing table, you can right-click the table name in the Object Explorer and select Design from the context menu.
Inserting Data into a Database Once you have a table created, the next step is to get some data in it, and you can do that in a number of ways. One way is to open the table for editing directly in SSMS. You can do this by right-clicking the table in the Object Explorer and then selecting Edit Top 200 Rows. Once the table is open for editing, you can enter directly in the table. Another way to enter data into a table is by using the INSERT SQL statement, and I’ll show you how to do that in Exercise 12.5.
Exercise 12.5: Entering Data in a Table In this exercise, you will enter data in a table using the INSERT SQL statement. To begin the process of entering data in a table, make sure that you’ve logged into SQL Server and the SSMS environment is open, and then perform the following steps:
1. Click the New Query button on the SSMS toolbar to open the Query window. 2. In the Query window, enter the following SQL statements: USE Customers; INSERT INTO Customers
315
316
CHAPTER 12 INTRODUCING SQL SERVER
VALUES (‘Joe’, ‘A.’, ‘Smith’, ‘123 Main Street’, ‘Atlanta’, ‘GA’, ‘30075’, ‘555-555-5555’, ‘[email protected]’); INSERT INTO Customers VALUES (‘Susan’, ‘L.’, ‘Johnson’, ‘456 Main Road’, ‘Charlotte’, ‘NC’, ‘28173’, ‘555-555-5555’, ‘[email protected]’); INSERT INTO Customers VALUES (‘Bill’, ‘H.’, ‘Jones’, ‘789 Main Avenue’, ‘Seattle’, ‘WA’, ‘98205’, ‘555-555-5555’, ‘[email protected]’);
3. Press F5 on your keyboard to execute the SQL statements.
In addition to entering data directly into a table using either the SSMS edit table feature or a SQL statement, you can also import data into the table using the SSMS Import Wizard (available as a task on the database context menu) or SQL Server Integration Services. In the next section, I’ll show a few different ways that you can view the data that you just entered into the Customers table.
Viewing Data in a Database Now that you have some data populated in the Customers table, you’ll learn how to view that data, which you can do in a couple of ways within SSMS. A quick way to do this is to right-click the table in the Object Explorer and, then in the table’s context menu, choose Select Top 1000 Rows. This will open the Query window with a prebuilt SQL statement, with the results of executing that statement shown just below the SQL statement, as shown in Figure 12.9.
Figure 12.9 Viewing data in SSMS
Another approach would be to build and execute your own SQL statement, and you’ll do that in Exercise 12.6.
ADMINISTERING SQL SERVER
Exercise 12.6: Viewing Data in a Table In this exercise, you will view data in a table using the SELECT SQL statement. To begin the process of viewing data in a table, make sure that you’ve logged into SQL Server and the SSMS environment is open, and then perform the following steps:
1. Click the New Query button on the SSMS toolbar to open the Query window. 2. In the Query window, enter the following SQL statements: USE Customers; SELECT * FROM Customers;
3. Press F5 on your keyboard to execute the SQL statements.
That ends the discussion of how to use SQL Server for creating and using databases. Some other aspects of SQL Server usage in terms of database creation that you may want to explore include views, stored procedures, triggers, relationships, and indexes. These advanced concepts can be found in any good book on SQL programming or administration, but you can also find resources on SQL programming through the MSDN library. You can find a huge list of free SQL programming books available online at: http://technet.microsoft.com/en-us/ library/ms130214.aspx.
Administering SQL Server Now that you have a basic understanding of how you can use SQL Server to create and use databases, you’ll learn a few of the things that you can do to administer both the server and the databases that you use the server to manage. In this part of the chapter, I’ll review some of the core aspects of SQL Server administration, starting with managing and configuring the SQL Server services.
Managing SQL Server Services One aspect of SQL Server administration is managing and configuring SQL Server services, which are the SQL Server applications that run in the background on the server. In fact, the SQL Server database engine, which is the core program that is SQL Server, runs as a service called — you guessed it — the SQL Server Service. To do anything with SQL Server, the SQL Server Service must be started, and you can use a program called the SQL Service Configuration Manager to start and stop the SQL Server Service, along with all the other services that are part of SQL Server such as the SQL Server Agent and the SQL Server Browser. The SQL Server Configuration Manager is a Microsoft Management Console (MMC) snap-in, and you can launch it from the All Programs menu by selecting Microsoft SQL Server 2008 Configuration Tools SQL Server Configuration Manager. If you select the SQL Server Services item along the left side of the SQL Server Configuration Manager interface, you’ll see the currently installed SQL Server services on the right, along with information about their states, as shown in Figure 12.10.
317
318
CHAPTER 12 INTRODUCING SQL SERVER
Figure 12.10 SQL Server Services in the SQL Server Configuration Manager
If you right-click any of the services listed, you can use the context menu that appears to start, stop, pause, or resume the service; and if you select Properties from the context menu, you can also change the system account that the service uses, change its start mode, or even change a few advanced properties of the service. Note that in addition to the properties associated with the SQL Server services, you can also use the SQL Server Configuration Manager to enable, disable, and set the properties for the network protocols that SQL Server uses.
Backing Up a SQL Server Database Another key aspect of the SQL Server administration is the all-important task of backing up databases. Many things can go wrong with a database, from basic hardware failures to natural disasters to employee tampering. Whatever the case may be, you would be well advised to put in place a solid backup and recovery plan just in case the unforeseen happens. With a solid plan for backing up and restoring the databases that your organization or clients use, you will be able to quickly and easily get them up and running again with minimal, if any, data loss. As with most things in SQL Server, database backups can be performed using SSMS or Transact-SQL, but I’ll show you how to perform a quick database backup using SSMS. To access the user interface that is used for database backups, all you have to do is right-click the database in the Object Explorer, and then in the context menu that appears select Tasks and then Back Up. The Back Up Database window will appear, as shown in Figure 12.11. On the Back Up Database window, the name of the database to back up is automatically selected for you; all you really need to do is select the location (destination) of the backup, and that too is automatically set to the default database backup location, if you want to simply use that. You can set many other options for the database backup including the backup type, the backup component, and the days before the backup will expire. A quick note about the backup type: backup types include full, differential, and transaction log. A full backup makes a complete copy of the database, a differential backup stores only the data that has changed since the last backup, and a transaction log backup stores only the transactions that have occurred in the database since the last backup. For smaller databases, the Full backup type is the best option, because you will always get a full copy of the database. For larger databases that may take many hours to back up, you may want to use the differential backup. In terms of recovery models, SQL Server supports three types: simple, full, and bulk-logged. Which one you choose affects the type of backup that you can do, and the general consideration to make when choosing a recovery model is how timely you need the backup and restore to be and how it will affect performance of your server. For example, if you choose the full recovery model, you’ll be able to back up and restore the database and its transaction logs, which will allow you to restore the database to the point of failure or a point in time, but it may take much longer to restore. Alternatively, you can use the simple recovery model, which
ADMINISTERING SQL SERVER
makes minimal use of the transaction log and provides for a much quicker backup and restore. Note that the simple recovery model should not be used on production system; it is best suited for development systems or databases that are read-only and do not change much.
Figure 12.11 Back Up Database window
In Exercise 12.7, I’ll walk through how to take a quick backup of the Customers database that you created earlier in the chapter.
Exercise 12.7: Backing Up a Database In this exercise, you will back up the Customers database using SQL Server Management Studio. To begin the process of backing up the database, make sure that you’ve logged into SQL Server and the SSMS environment is open, and then perform the following steps:
1. Expand the Databases item in the Object Explorer. 2. Right-click the Customers database that you created earlier in the chapter. 3. In the context menu that appears, select Tasks and then Back Up. 4. Ensure that the selected database is Customers and that the destination is set to back up to disk in the following default path: C:\Program Files\Microsoft SQL Server\MSSQL10.MSSQLSERVER\MSSQL\Backup \Cusomters.bak
319
320
CHAPTER 12 INTRODUCING SQL SERVER
5. Click OK to start the backup. 6. When complete, SQL Server will display a message indicating that the backup was completed successfully, and the Back Up Database window will automatically close.
7. You can verify that the backup was made by opening Windows Explorer and navigating to the destination path indicated in step 4. There you should see a file named Customers.bak.
It goes without saying that if you back up a database, you also need a way to restore that database should something go wrong, and restoring a database in SQL Server is an even easier process than backing it up. To restore a database in SQL Server, open SSMS, and then right-click the Databases item in the Object Explorer. In the context menu that appears, select Restore Database, which will open the Restore Database window, as shown in Figure 12.12.
Figure 12.12 Restore Database window
Using the Restore Database window, you can select the database that you want to restore to (the destination) and then the backup database that you want to restore from (the source). If you are restoring a database from a database backup, select the From Device option, and then browse to the file that contains the backup. Once you have the database destination and source set, click OK. After a few minutes, the restored database will appear in the Object Browser, just as you would expect. Finally, SQL Server provides a wizard for setting up and scheduling a backup called the Database Maintenance Plan Wizard. Using this wizard, you can set up a maintenance plan for your database that includes performing automated backups. You can access the wizard in the
ADMINISTERING SQL SERVER
Object Explorer by selecting Management Maintenance Plans; then right-click Maintenance Plans, and in the context menu that appears, select Maintenance Plan Wizard.
Moving SQL Server Databases Although you could use the backup and restore method to move a database from one server to another, a simpler approach is to use the ‘‘detach and attach’’ method. This approach involves detaching a database from SQL Server, moving it to another instance, and then reattaching it. As mentioned in the case study earlier in the chapter, this approach can be very effective when you need to move a database from a SQL Server Express instance to your SQL Server Standard instance. The processing of detaching and attaching a database is similar to the process of backing up and restoring a database, and it can be done using either SSMS or Transact-SQL. In SSMS, you detach a database by right-clicking the database in Object Explorer, and then in the context menu that appears, selecting Tasks and then Detach. This will open the Detach Database window, as shown in Figure 12.13.
Figure 12.13 Detach Database window
Once you have detached a database from SQL Server, you can then move the database files to a different folder location and then attach the database to SQL Server by right-clicking the Databases item in Object Explorer and then selecting Attach from the context menu. This will display the Attach Databases window, as shown in Figure 12.14. While in the Attach Databases window, you can select the database to attach by clicking the Add button in the middle of the window to locate the database files that contain the database that you want to attach.
321
322
CHAPTER 12 INTRODUCING SQL SERVER
Figure 12.14 Attach Databases window
In Exercise 12.8, I’ll walk you through how to detach a database from SQL Server, move it to a different folder, and then attach it. You will of course be using the Customers database that you have been using throughout the chapter.
Exercise 12.8: Moving a Database In this exercise, you will detach and then attach a database in SQL Server. To begin the process of detaching and attaching a database, make sure that you’ve logged into SQL Server and the SSMS environment is open, and then perform the following steps:
1. Open Windows Explorer, and create a new folder on the C drive named Databases. This will be the destination for the copied database files. Be sure to leave Windows Explorer open because you will use it in a later step.
2. Switch to SSMS, and expand the Databases item; then right-click the Customers database. 3. In the context menu that appears, select Tasks and then Detach. 4. Click OK in the Detach Database window. Notice that the Customers database no longer appears in the Object Explorer.
5. Switch to Windows Explorer, and locate the Customers database files in the following folder: C:\Program Files\Microsoft SQL Server\MSSQL10.MSSQLSERVER\MSSQL\DATA
6. Select both the Cusomters.mdf file and the Customers_log.ldf file, and then drag them to the C:\Databases folder that you created in step 1.
THE BOTTOM LINE
7. Switch to SSMS, right-click the Databases item in the Object Explorer, and then select Attach. 8. On the Attach Databases screen, click the Add button. Then using the Locate Database Files screen, navigate to the C:\Databases folder, select the Customers.ldf file, and then click OK.
9. Notice that in the Attach Databases window that the Databases To Attach and Customers Database details sections have been filled out. Click OK to attach the database.
10. Notice that the Customers database now appears in the Object Explorer.
As an alternative to the manual detach and attach process, SQL Server provides a wizard that walks you step-by-step through the same process. You can access the wizard in the Object Explorer by right-clicking a database; then in the database context menu, select Tasks and then Copy Database. Well, that’s it for the fast and furious overview of SQL Server. I hope it will help you feel comfortable installing and using some of the more basic features of SQL Server. I encourage you to dig even deeper into all of the robust and powerful features that SQL Server supports.
The Bottom Line Install and configure SQL Server To use SQL Server, you must first install it. But installing SQL Server is not simply a matter of inserting the installation disc and clicking though the installation routine; it involves making decisions about which features of SQL Server to install, what accounts you want it to run under, and where it should be installed. Master It What are the minimum SQL Server features you should choose to install? Use SQL Server The first step in using a SQL Server database is to create it, and you can do this easily with the SSMS or with Transact-SQL. Master It Using SSMS, create a new database, named Accounts, that includes a table named Locations. Administer SQL Server The most basic and perhaps most important of SQL Server administrative tasks is to create an effective and robust backup and restore routine. As with most things in SQL Server, you can do this using SSMS or Transact-SQL. Master It Back up a SQL Server database using SSMS.
323
Chapter 13
Using SharePoint with Your Small Business Server Microsoft SharePoint Server has been around for the past several years, but it only began to gain traction around 2006. That’s when businesses discovered that the SharePoint services enabled them to have a central, easily manageable web portal where they could store all information pertinent to their business and their business associates. Broadly defined, SharePoint is a suite of tools used to share business processes, information, managerial duties, and communication data. Additionally, SharePoint can be used to manage business content, sales, and account data, as well as track the growth and expansion of business processes (such as a sales process) over time. The way SharePoint is used with Small Business Server 2008 shares a lot of similarities with the full version of Microsoft Office SharePoint Server in that there are four distinct viewpoints associated with SBS 2008 and its usage: ◆ Manager ◆ IT Administrator ◆ Developer ◆ End User
SharePoint, unlike a lot of the other features of Small Business Server 2008, is a utility that can be accessed by anyone in your organization. Of course, you can implement security so some users don’t have access to it, but most companies just freely implement SharePoint. In this chapter, you’ll learn how to set up SharePoint, perform some common administrative tasks, go through the various ‘‘points’’ of SharePoint, and perform a backup and restoration of the SharePoint services. In this chapter, you will learn to ◆ Set up SharePoint/Companyweb ◆ Administer SharePoint ◆ Back up and restore SharePoint
326
CHAPTER 13 USING SHAREPOINT WITH YOUR SMALL BUSINESS SERVER
Overview of SharePoint Usage SharePoint Server is a collaborative platform that builds upon many technologies, including Windows SharePoint Services 3.0 and Microsoft SQL Server. It’s actually an integrated suite of multiple technologies, placed into one location. Effectively, ‘‘SharePoint’’ is only an application-like layer on top of preexisting Microsoft technologies. Typical usages for SharePoint include the following: Document collaboration SharePoint integrates all Microsoft Office documents, such as Word, Excel, and other document types. With SharePoint, these files can all be centrally accessed through SharePoint Server. Document services SharePoint includes the ability to implement document services, which is a technology that allows multiple users to access documents in document collaboration from a website. Furthermore, services allow potentially sensitive data, such as Excel spreadsheets, to be locked down through security. Customer tracking SharePoint allows you to track individual companies and keep hold of all data associated with a customer account. As an example, a salesperson could log into SharePoint and see a customer’s phone number, address, sales performance, and other data. Employee performance reports With SharePoint, since all data is located in one location, managers or business owners can track business data easily through the SharePoint graphical user interface over the Web. You can quickly and easily create performance graphs and evaluations. Data archival Because of legal constraints that mandate certain businesses to keep track of business data, SharePoint integrates the ability to set up a repository with data expiration dates to keep data stored from the date it was first created to the date of the archival expiration. This makes it easy for sales associates to simply add a file with legally sensitive information to their repository for later access.
SharePoint Components SharePoint Server actually integrates into two points of Small Business Server. First, it plugs into SQL Server, and second, it plugs into IIS. From the SBS console, you can see this by going to the Shared Folders and then the Web Sites tab and selecting Internal Web Site, as shown in Figure 13.1.
Figure 13.1 Companyweb site
If you open the full version of IIS Manager, you can expand the SBS SharePoint menu and see all of the data associated with the website, as shown in Figure 13.2.
OVERVIEW OF SHAREPOINT USAGE
Figure 13.2 SharePoint in IIS
Additionally, you can view the SQL Server databases associated with SharePoint by navigating to this location: C:\Windows\SYSMSI\SSEE\MSSQL.2005\MSSQL\Data
There, you’ll see the databases shown in Figure 13.3.
Figure 13.3 SQL databases
Every database starting with the word SharePoint houses the SQL Server data associated with SharePoint. This includes a lot of information, including user login information, layout,
327
328
CHAPTER 13 USING SHAREPOINT WITH YOUR SMALL BUSINESS SERVER
skins, designs, and other data associated with your web page. For SharePoint to work, both the SQL Server database service and the IIS service have to be running properly. If you experience an error when accessing your SharePoint Companyweb home page, you can always try to alter it by navigating to services.msc and restarting either service.
Network Components of SharePoint SharePoint requires several ports to be opened externally (and internally) on the firewalls running on your server. First, and less obviously, the internal firewall of the SBS 2008 server needs to be adjusted to allow HTTP and HTTPS traffic to the SharePoint site. Thankfully, this is done by default. Next, to externally access the SharePoint server, you need to forward these ports to the SharePoint server: ◆
80: HTTP traffic
◆
443 and 987: HTTPS traffic
Note that it is very important that you do not forward SQL Server traffic to your SharePoint Server instance. Doing this can have catastrophic effects, including SQL injecting, unauthorized access to your SQL databases, and network-based attacks onto your data! Additionally, you can make your life a little easier by setting up SharePoint as your default website. To do so, you can navigate to IIS Manager and disable the Default Website item by setting it to Stop. Then, you can expand your SBS SharePoint server and select Bindings in the right column. This will open the dialog box shown in Figure 13.4.
Figure 13.4 Site Bindings dialog box
The difference between Figure 13.4 and what you’ll see is that the IP addresses bound on your server will be * by default. This is so that associated clients can just type companyweb in their DNS settings and navigate to SharePoint straightaway. This is convenient, but more often than not, you’ll want SharePoint to be accessible to external users. This means you’ll need to set the SharePoint Site to an actual IP address. In this case, I’ve set mine to 192.168.0.4. You can change this by clicking Edit and then selecting the IP address you’d like to assign from the drop-down, as shown in Figure 13.5. Something you will notice here is that the SharePoint server is actually assigned to both port 80 and port 987. This is done for security reasons, but the concept is that SharePoint will accept authentication credentials on port 80 and then securely pass this data to port 987. Unless you bind both, you’ll experience network errors. In fact, once you’ve clicked OK and changed the bindings, you might want to navigate to your server and try to just go to the IP address. Companyweb should still work when you access it through a web browser.
INITIALLY CONFIGURING SHAREPOINT
Figure 13.5 IP address assignment
Initially Configuring SharePoint SharePoint configuration is a subject that can take just a few minutes to discuss or several months (and books), depending on just how deep you want to get into it. The bottom line with SharePoint Server is that just about everything is customizable. SharePoint supports the ability to do the following: ◆
Add wikis.
◆
Create customer searches.
◆
Create a business data catalog.
◆
Create audit policies.
◆
Define a custom web portal for each user.
◆
Check designs.
And much, much more. Just how much you want to add into it depends on how much time you want to spend configuring your company home page, Companyweb.
Companyweb When you first log into your SBS 2008 server after any given installation, you can access the Companyweb Internet web portal by going to a web browser and navigating to http://companyweb. After you’ve done so, you will see the Companyweb home screen, as shown in Figure 13.6. At this point, you’ll need to go through the initial setup portions that you see on the home web page. This includes installing the server security certificate and initial configuration.
Initial Setup The first item listed on the SharePoint website is the Welcome To Your Internal Web Site welcome message. If you click the link, you’ll be prompted to enter new information that can be shared with the rest of your users. This is really just designed to let you distribute an initial file across your website, or really to just ‘‘get things going,’’ for lack of a better phrase. My recommendation is to ignore this and go to the next, more important section — installing a security certificate.
329
330
CHAPTER 13 USING SHAREPOINT WITH YOUR SMALL BUSINESS SERVER
Figure 13.6 SBS 2008 web portal
If you click Install The Server’s Security Certificate On Your Remote Computer link, a set of instructions will appear. Following the instructions there will allow remote computers to always trust Small Business Server. If you don’t want to do this before you navigate to the Companyweb home page, you can install the server’s security certificate on your remote computer by doing the following:
1. From a computer that is in the Windows SBS network, open a web browser, and type the following address into the address bar: \\INTELLICOSERVER\public\downloads.
2. Copy the file Install Certificate Package.zip to portable storage media, such as a floppy disk or a USB drive.
3. Insert the floppy disk or USB drive into the computer that is not joined to the Windows SBS domain and from which you want to access the Remote Web Workplace.
4. In Windows Explorer, navigate to the location where you copied the ZIP file. 5. Right-click the ZIP file, and choose Extract All. 6. In the Extract Compressed (Zipped) Folders dialog box, type a folder location to which you want to extract the files, and then click Extract.
7. Open the folder where the extracted files are located, and then double-click Install Certificate.
8. Select Install The Certificate On My Computer, and then click Install. 9. Browse to the Remote Web Workplace website.
Moving SharePoint Data to Another Location Just like most things in SBS 2008, moving SharePoint data to a dedicated hard drive is pretty easy, but it’s a little obfuscated unless you know exactly where to look. To back up SharePoint data, you can navigate to the SBS console and select Backup And Server Storage. Then, you
CHECKING THE CONFIGURATION
can select the Server Storage tab shown in Figure 13.7 and select the backup link called Move Windows SharePoint Services Data.
Figure 13.7 Move Windows SharePoint Services Data link
You need to have an extra hard drive attached with enough space to contain all the data located on your main hard drive; otherwise, the backup routine will fail. Once the wizard begins, you’ll need to click Next two times so the server can read the configuration and prepare for the backup. Then, once this is complete, you will be presented with the screen shown in Figure 13.8.
Figure 13.8 Moving data
There, you can see the amount of data your SharePoint services are using (in my case, a paltry 86.3MB) and the amount of space available on your backup drive. All you have to do at this point is click Move.
Checking the Configuration One of the tools that comes with SharePoint on SBS 2008 is the SharePoint Products and Technologies Wizard. You can use this wizard to repair portions of SharePoint that come installed with SBS 2008. If you ever experience problems with SharePoint Services (IIS permissions errors
331
332
CHAPTER 13 USING SHAREPOINT WITH YOUR SMALL BUSINESS SERVER
or SQL Server problems, for example), you can run this tool, which will check the configuration of SharePoint. You can run this tool by selecting Start Administrative Tools SharePoint Products And Technologies Configuration Wizard. This will launch the tool and give you a warning. Clicking Next will walk you through a series of 10 steps, each of which will look like the screen shown in Figure 13.9. If there are any issues along the way, the wizard will alert you of a problem and say what needs to be done to correct it.
Figure 13.9 Products and Technologies Configuration Wizard
Once the wizard completes, it will bring you to the SharePoint home page and allow you to check the integrity of your site. It’s a good idea to run this wizard if you’ve done a backup and restore.
Performing SharePoint Administration Tasks Administration with SharePoint Server is all done through a centralized web-based console that is accessible through port 4721 on your SBS server. You can access this either by navigating to :4721 or by selecting Administrative Tools SharePoint Administration. This will open the main console, which you can see in Figure 13.10. The administrative area has three important areas: Home
This is the central location, where you can access all other areas.
Operations This page contains links to pages that help you manage your server or server farm, such as changing the server farm topology, specifying which services are running on each server, and changing settings that affect multiple servers or applications.
CREATING A NEW SHAREPOINT WEBSITE
Application Management This page contains links to pages that help you configure settings for applications and components that are installed on the server or server farm.
Figure 13.10 SharePoint Central Administration
When you first access this home page, there will be eight administrative tasks that you’ll need to configure. Some of these will be done with default settings, and some will be set to blank. In the next few sections, you’ll learn how to configure SharePoint Server. One of the initial settings you have to set up for SharePoint to work properly is email. You need to set both the incoming and outgoing email alerts to be configured according to your settings. To do this, simply click the Incoming E-Mail Settings item, and then click Configure Incoming Email Settings. Do the same for the Outgoing E-Mail Settings item.
Creating a New SharePoint Website SharePoint Server gives you the ability to administer multiple SharePoint web portals for your users. In terms of a small business, this may be useful for a business that functions under multiple names or in fact is actually multiple parts. More often than not, Microsoft has found that a small business may have more than one name under which it operates. And if they don’t do that, business owners very well may operate more than one company. After all, if one company has become successful, you might as well start a second!
Configuring Settings To create a new website with SharePoint, you need to access the Central Administration site for SharePoint and select Create SharePoint Sites. This will open the menu shown in Figure 13.11. With SharePoint, all tasks can be centrally managed through the administrator console, and you can choose who else has the ability to both access the console and perform various tasks.
333
334
CHAPTER 13 USING SHAREPOINT WITH YOUR SMALL BUSINESS SERVER
I’ll go over that in the ‘‘Adding and Editing Items’’ section, so for now you’ll just add a SharePoint site. You can do this by clicking the Create New Web Application action button. This will open the page partially shown in Figure 13.12.
Figure 13.11 Administrator task: Creating the Site
Figure 13.12 Creating a web application
IIS Web Site In the IIS Web Site area, you can decide to use an existing website or create a new one. Usually, you’ll want to create a new website, unless you’d like to write SharePoint over a website you’ve already created. Almost always you will want to change the default name. In this example, I’m going to change it to ‘‘example.’’ Next, you can set the port that it is hosted upon. I almost always leave this blank, because SharePoint is pretty good at picking random ports that the server is not already using. As you
CREATING A NEW SHAREPOINT WEBSITE
can see in Figure 13.12, in this case it picked port 27466. Talk about a random port — I think that takes the cake. You’ll probably want to leave the host header blank unless you have specific requirements for your host header in your website. If you have a custom host header, you’ll want to place it here. But, for the path, you’ll want to place this in a location that is both logical and easily accessible. The default inetpub\wwwroot is almost always a good choice. But any directory that you choose will suffice.
Security Configuration In the Security Configuration area of SharePoint, you can choose to use Kerberos or NTLM authentication: Kerberos Kerberos is a network authentication protocol that was developed at the Massachusetts Institute of Technology. It is an incredibly secure and very reliable private-key encryption method that is virtually immune to compromise. As a rule of thumb, if you can implement Kerberos, you should. However, as you can note in the text next to the SharePoint site in the Add A New Site Wizard, ‘‘Kerberos requires the application pool account to be Network Service or special configuration by the domain administrator.’’ This is a little troublesome for most small businesses and a little bit outside the scope of this book. However, I must mention that if you want to set up the most secure method of accessing your site, you should choose this. NTLM NTLM stands for NT LAN Manager; it’s a Microsoft authentication protocol. It’s very similar to MS-CHAP, which is fairly secure, but it’s specified for the SMB network sharing protocol. You should implement NTLM if you would like quick and easy security, such as a connection between two machines that are housed behind a firewall and are already relatively secure. However, it is not as highly specialized (or secure) as Kerberos. SSL By now, you should be familiar with SSL. Secure Sockets Layer determines whether your server will use a security certificate to authenticate to the web portal. Usually this is a little unnecessary for SharePoint, but there’s a chance that you might be housing some incredibly sensitive data or require that your passwords be obfuscated. If this is the case, you should use SSL.
Load Balanced URL The Load Balanced URL setting is the fully qualified URL that users will use to access the SharePoint site. It’s set to the server name by default, but you can easily change it to the name of a domain you either own or administer.
Application Pools Application pools in IIS are collections of web applications that are placed into pools so that they can be distributed across multiple servers. In the case of Small Business Server, you will almost never use them. Thus, you should not try to make a new pool for yourself. This is the default setting. Also, if you’d like to set specific configuration credentials for the pool, you can enter your username and password in the radio box or a username and password that is custom to that application pool. But, as a friendly tip from one administrator to another: unless you’re an IIS guru, ‘‘If it ain’t broke, don’t fix it.’’ The default is usually just fine.
335
336
CHAPTER 13 USING SHAREPOINT WITH YOUR SMALL BUSINESS SERVER
Reset Internet Information Services The Reset Internet Information Services setting should be grayed out and left to manual. Having IIS reset automatically can be problematic, especially if it tends to try to do it again and again and consistently fails — consequently jamming up your server!
Database Name and Authentication Here, you can specify your local SQL Server embedded instance, or you can point to an SQL Server member server. If you do this, you should probably set up a custom SQL Server login authentication account or use Windows authentication. Note that the servers are entered in this format: <Server Name> \ < SQL Instance Name>
Search Server If you want to set up Windows SharePoint Search Server, you can select your server in the drop-down box. However, this is not necessarily a good idea on SBS, because it takes up a lot of processing power.
Creating the Site Once you’ve entered all your information, click the OK button. If SharePoint has a problem with anything you’ve entered, it will display red text to let you know what you’ve done incorrectly. Now, normally, I don’t show loading screens, but in this case, don’t be surprised if you see the loading screen in Figure 13.13 for several minutes or several hours. SharePoint can take its sweet time, and it’s best to not interrupt it.
Figure 13.13 The agonizing processing notification screen
Once SharePoint is complete, it will show the Application Created screen. At this point, you’ll want to do an IIS reset. You can do this by typing the following command in your command prompt utility: IISreset /noforce
Assuming the process succeeded, you will see the following message: Attempting stop... Internet services successfully stopped Attempting start... Internet services successfully restarted
CONFIGURING WORKFLOW SETTINGS
Just as a note, sometimes IIS might hang. If this happens, IIS will tell you that it failed to restart and display various errors. Just open the Windows Start menu, and type services.msc. This will open the Windows Services menu. From there, you should stop and restart the IIS Admin service. Now, if you open IIS Manager, you will see your new site listed, as shown in Figure 13.14.
Figure 13.14 Viewing the new site in IIS Manager
From here, you can easily browse to your new site by clicking the Browse button.
Server Operations Operations is one of the main menus in the Central Administration and part of the heart of SharePoint administration. Server Operations breaks down into six distinct categories: Topology and Services The number of servers in your farm, what services they’re running, and how they’re configured Security Configuration The services accounts, antivirus setup, file type setups, and Administrators group Logging and Reporting
Diagnostics logging and analysis processing
Global Configuration Time syncs and global configurations Backup And Restore Data Configuration
SharePoint manual backups and restoration Database servers and retrieval services
In the next few sections, I’ll run through some of the more common administrative tasks associated with SharePoint and essentially give you a guided tour of what you can do with it. At the small-business level, you aren’t necessarily a SharePoint administrator, but you’ll want to know enough to be able to expand SharePoint’s functionality and, if needed, make basic repairs.
Configuring Workflow Settings Once you’ve set up a site, you can specify the following: ◆
Whether users are allowed to assemble new workflows out of building blocks deployed to the site
◆
Whether participants without access should be sent a copy of the document as an email attachment so they can participate in a workflow
337
338
CHAPTER 13 USING SHAREPOINT WITH YOUR SMALL BUSINESS SERVER
You can also accomplish this task from the SBS 2008 SharePoint home page, just like what you did when you created a website. When you configure workflow settings, you can set the following: ◆
Web applications
◆
User-defined workflows
◆
Workflow task notifications
Setting Up Web Applications In the Web Applications area, you can set the web application that your SharePoint server will utilize. This is all fed from the available web applications seen by your IIS server. Any available web applications will be displayed in the drop-down box.
Setting Up User-Defined Workflows User-defined workflows allow SharePoint developers to specify whether their users are able to use administrator-developed applications. With this radio button, you can determine whether they have access to code developed by your administrators. Typically, you will leave this button set to Yes, which is the default.
Setting Up Workflow Task Notifications This last area is pretty simply defined. It allows you to alert users who do not have site access when they are assigned a workflow task and to alert external users to participate in a workflow by sending them a copy of a document. Usually these options are set to Yes for workflow alerts and No for copies of the document. But you can always change this second option to Yes if you’d like external options. And, of course, if you don’t want to receive updates, you can leave this option set to No.
Enabling Antivirus This is a very useful yet often overlooked function. If you navigate to Central Administration Operations Antivirus, you can turn the Antivirus settings in SharePoint off or on based on your specifications. You can choose whether documents are scanned on upload or download, whether users are able to download infected documents, the number of threads to dedicate to your antivirus software, and how long your antivirus software takes to time out.
Configuring Backup and Restore The Backup And Restore area located inside the operations area of your site content enables you to back up SharePoint-specific data. Unlike general Windows Server backup, SharePoint backups are highly specialized and allow you to custom-configure each aspect of SharePoint, along with exactly what is backed up. As you can see from the following table, you have a lot of options to choose from in the basic menu. (Note: Farm is a term in SharePoint to describe all the servers that are connected that run the SharePoint services.)
CONFIGURING BACKUP AND RESTORE
Farm
Farm
Content and configuration data for the entire server farm
SharePoint_Config_29c26fca17b8-48c1-9704-b869932abcb6
Configuration Database
Configuration data for the entire server farm
Windows SharePoint Services Web Application
Windows SharePoint Services Web Application
Collection of web applications
Example
Web Application
Content and configuration data for this web application
WSS_Content_f70d83581a 3946c59e29ee1b1c4da433
Content Database
Content for the web application
SBS SharePoint
Web Application
Content and configuration data for this web application
ShareWebDb
Content Database
Content for the web application
WSS_Administration
Central Administration
Collection of web application
Web Application
Web Application
Content and configuration data for this web application
SharePoint_AdminContent _d4e397f2-a27a-48a0-a628d25db6672bab
Content Database
Content for the web application
Windows SharePoint Services Search
Index files and Databases
Searches instances for Windows SharePoint Services
Search instance
Index files on INTELLICOSERVER
Searches index files on the search server
WSS_Search_WINEUGSO7LO7PY
Search database for INTELLICOSERVER
Searches database for the search server
On the left side of the page, there are check boxes that allow you to decide exactly how much you want to back up. Just as a test, try selecting all the check boxes and then clicking Continue To Backup Options. You should be able to do this by just selecting Farm. Once you click Next, you’ll be presented with three submenus: Backup Content This allows you to pick the content you want to back up and should be what you selected from the previous menu. Type Of Backup You can choose either full or differential backups. A full backup backs up everything with associated history, and a differential copies just what has changed since your last full backup.
339
340
CHAPTER 13 USING SHAREPOINT WITH YOUR SMALL BUSINESS SERVER
Backup Files Location You can set where the backup should go with a UNC path, such as \\intellicoservers\Backup. Note that the SQL Service account will need to be able to read this directory path. Click OK will queue the backup. You can view the backup process by clicking the Refresh button. Check out Figure 13.15 to see what it should look like.
Figure 13.15 Backup and Restore Status
Restoring from Backup The restoration process of restoring from a preexisting backup of SharePoint is a fairly straightforward process that has four steps:
1. Choosing the backup file location 2. Choosing the backup ‘‘point’’ 3. Choosing the components to restore 4. Entering the restoration options You can access the Restore option under the Backup And Restore area of the Central Administration portion of SharePoint. Choosing to restore is fairly self-explanatory for the first three steps. First, you choose your backup location; second, you choose which of the backups you’ve made that you’d like to restore. Third, you choose which components of the backups you’ve selected that you’d like to implement. But, the last screen is a little trickier. The last screen allows you to apply new settings to your preexisting installation, including new SQL logins, new names for web content, new databases, and even new application pools. The reason that this exists at all is that there are some occasions where a small business might have to change some configuration data after having completed a server recovery process that changed some of the data of their preexisting configuration. Say, for example, Intellicorp experienced a server crash because of a failed SATA array and had to restore from backup. If you didn’t have your full Windows Small Business Server
CONFIGURING BACKUP AND RESTORE
backup image, you’d want to restore from the small SharePoint backup that you made earlier. The trouble is, during the restoration process, say you forgot what SharePoint application pool name was, along with the service name, site name, database name, and even database password. This happens a lot more often than most administrators would care to admit. And because of that, this screen exists. Here you can override all the settings that were contained in your previous installation. You can reinstall Windows, set it up how you would like (which, given the fact that hindsight is usually 20/20, may be different), and then import your SharePoint data with no fear of compatibility problems that result from the loss of important passwords or server settings. Ultimately, regardless of whether you decide to change these settings, upon choosing to restore, SharePoint will begin the restoration process. It will update you periodically on the process and alert you of any errors that occur along the way. If you take a look at Figure 13.16, you can see what happened when I chose to restore and experienced an error.
Figure 13.16 Restore error
The Restoration information box indicates that I can find more details about the restoration process and the errors associated with it by navigating to the event log. Let’s explore that in the next section.
Troubleshooting Backup and Restore SharePoint Server is designed to service both the largest and smallest organizations. And accordingly, SharePoint gives very detailed records on both the backup and restore process. These details are contained in the SharePoint backup and restore logging files in the backup and restoration directory. Whenever a user chooses to create a backup directory, SharePoint Backup Services will automatically create a file infrastructure within that directory to support its backup file configuration. If you look at Figure 13.17, you’ll see that SharePoint has created a directory called spbr0000. Within this directory, SharePoint has placed all the associated backup data for the first backup created with SharePoint.
Figure 13.17 Backups points created
341
342
CHAPTER 13 USING SHAREPOINT WITH YOUR SMALL BUSINESS SERVER
Of course, if I had done more backups, the number of folders would increase. First there would be an spbr0001, then an spbr0002, and so forth. And in case you hadn’t guessed, spbr stands for SharePoint backup and recovery. Notice in this home directory there is also an XML document. Because it’s important for your understanding, let’s examine it now: <SPBackupRestoreHistory> <SPHistoryObject> <SPId>3ec1cd5b-c29c-496c-93c7-25a633b2603c <SPRestoreId>30c2cc29-15c7-4a91-9bda-e15bfd00af76 <SPRequestedBy>INTELLICORP\steve <SPBackupMethod>Full <SPRestoreMethod>New <SPStartTime>10/22/2009 20:24:00 <SPFinishTime>10/22/2009 20:25:52 <SPIsBackup>False <SPBackupDirectory>c:\backup\spbr0000\ <SPDirectoryName /> <SPFailure>Object WSS_Search_WIN-EUGSO7LO7PY failed in event OnRestore. For more information, see the error log located in the backup directory. <SPTopComponent>Farm <SPTopComponentId>12c4078d-47c5-472e-abdf-ea237c8b8f50 <SPWarningCount>0 <SPErrorCount>4 <SPHistoryObject> <SPId>3ec1cd5b-c29c-496c-93c7-25a633b2603c <SPRequestedBy>INTELLICORP\steve <SPBackupMethod>Full <SPRestoreMethod>None <SPStartTime>10/21/2009 01:42:32 <SPFinishTime>10/21/2009 01:44:22 <SPIsBackup>True <SPBackupDirectory>c:\backup\spbr0000\ <SPDirectoryName>spbr0000 <SPDirectoryNumber>0 <SPTopComponent>Farm <SPTopComponentId>12c4078d-47c5-472e-abdf-ea237c8b8f50 <SPWarningCount>0 <SPErrorCount>0
This XML contains the entire history of your backup attempts. This includes the last backup you’ve attempted, the errors associated with it, the directory, and the components upon which association was attempted. You can also see the start time and finish time of the backup in the SPStartTime and SPFinishTime elements.
SETTING UP SHAREPOINT JOBS
Now, if you explore the directory spbr0000, you can find these log files. In fact, there are two — each available in either TXT or XML format. There is one backup for the Backup log and another for the Restore log. If you open the Restore log (sprestore.txt), you can see that it has a lot of information, including some random logs like what data it has added and the directory it’s using, as shown here: [10/22/2009 4:15:24 PM]: Verbose: Adding WSS_Content_f70d83581a3946c59e29ee1b1c4da433 to Restore list. [10/22/2009 4:15:24 PM]: Verbose: Adding SBS SharePoint to Restore list. [10/22/2009 4:15:24 PM]: Verbose: Adding ShareWebDb to Restore list. [10/22/2009 4:15:24 PM]: Verbose: Adding WSS_Administration to Restore list. [10/22/2009 4:15:25 PM]: Verbose: Adding Web Application to Restore list. [10/22/2009 4:15:25 PM]: Verbose: Adding SharePoint_AdminContent_d4e397f2-a27a-48a0-a628-d25db6672bab to Restore list. [10/22/2009 4:15:25 PM]: Verbose: Adding Windows SharePoint Services Search to Restore list. [10/22/2009 4:15:25 PM]: Verbose: Adding Search instance to Restore list. [10/22/2009 4:15:25 PM]: Verbose: Adding WSS_Search_WIN-EUGSO7LO7PY to Restore list. [10/22/2009 4:23:31 PM]: Verbose: Using directory: c:\backup\spbr0000\.
Additionally, you can find errors in these logs by browsing down until you see the word Error. At this point, you’ll see something like this: [10/22/2009 4:24:08 PM]: Error: Object WSS_Content_f70d83581a3946c59e29ee1b1c4da433 failed in event OnRestore. For more information, see the error log located in the backup directory. SPException: The specified component exists. You must specify a name that does not exist.
Here, it says you received an error because the component already exists. Thus, you can’t create a new component on a preexisting name (although that would be a neat trick). The log files in Backup and Restore are almost always very revealing. Even the best and most seasoned of techs and administrators will use the phrase ‘‘When all else fails, look at the logs.’’ Chances are, the logs will give you tremendous insight into what is happening on both the server and the backup utility that is being processed.
Setting Up SharePoint Jobs If you use SharePoint a lot in your organization, you’ll probably find that you’re consistently having to complete the same task over and over again. Some of these tasks include purging unused sites from site collections and creating backups. SharePoint Server allows you to schedule the many different tasks that you do on frequent occasions through timer jobs. You can find a complete list of these jobs by going to the Timer Jobs area of the gui of your SharePoint server, but Table 13.1 provides a partial list. Note that in this table there are two tasks for each pool. Because I created a site earlier, the associated jobs for each site come up.
343
344
CHAPTER 13 USING SHAREPOINT WITH YOUR SMALL BUSINESS SERVER
Table 13.1:
SharePoint Jobs
Job
Pool
Schedule
Backup/Restore
N/A
One-Time
CEIP Data Collection
N/A
Daily
Change Log
Example
Daily
Change Log
SBS SharePoint
Daily
Config Refresh
N/A
Database Statistics
Example
Weekly
Database Statistics
SBS SharePoint
Weekly
Dead Site Delete
Example
Disabled
Dead Site Delete
SBS SharePoint
Disabled
Disk Quota Warning
Example
Daily
Disk Quota Warning
SBS SharePoint
Daily
Immediate Alerts
Example
Minutes
Immediate Alerts
SBS SharePoint
Minutes
Recycle Bin
Example
Daily
Recycle Bin
SBS SharePoint
Daily
SharePoint Services Search Refresh
N/A
Minutes
Usage Analysis
Example
Daily
Usage Analysis
SBS SharePoint
Daily
Windows SharePoint Services Incoming E-Mail
N/A
Minutes
Windows SharePoint Services Update Distribution List Status
N/A
Minutes
Windows SharePoint Services Watson Policy Update
N/A
One-time
Workflow
Example
Minutes
Workflow
SBS SharePoint
Minutes
Workflow Auto Cleanup
Example
Daily
Workflow Auto Cleanup
SBS SharePoint
Daily
Workflow Failover
Example
Minutes
Workflow Failover
SBS SharePoint
Minutes
EDITING YOUR SHAREPOINT SITE
Most of these tasks are fairly straightforward by name (such as Disk Quota Warnings), but through the console you can navigate into each one and get a full description if you need it. As an example, the Recycle Bin name is rather nondescript, but with a little investigation, you can see that there is actually a Recycle Bin link in the Central Administration page, as shown in Figure 13.18. All this task does is empty the Recycle Bin for your applications.
Figure 13.18 Recycle Bin emptier
Editing Your SharePoint Site Since no discussion of SharePoint Server would be complete without including some basic use of SharePoint, in this section I’ll walk you through some basic SharePoint usage that you might encounter in a small-business environment. I’ll discuss how to add links to the home page, customize the appearance of the site, and add new public documents for distribution across your enterprise. Obviously, one of the first things you will want to do with any business, large or small, is to customize the appearance of your SharePoint web portal. To do this, you can click the Site Actions button in the upper-right corner of the screen, and then from the main menu select Edit Mode, as shown in Figure 13.19.
Figure 13.19 Site Actions menu
Once you’ve selected Edit Mode, it will load the Edit Mode screen modifiers; this allows you to add web parts, which are internal resources that can be added to your site’s web access area. If you click any of the two areas that will allow you to add a web part (the left and right areas), it will bring up a list that will allow you to add the following: ◆
Announcements: Messages on the home page
◆
Calendar: Calendars for group meetings
◆
Fax Center : A document library for managing and sending faxes
◆
Links: Links to web pages
◆
Pictures: Pictures
◆
Shared documents: Shared documents from the document library
◆
Tasks: Tasks lists
◆
Team discussions: Microblog-like newsroom discussions
345
346
CHAPTER 13 USING SHAREPOINT WITH YOUR SMALL BUSINESS SERVER
Additionally, you can add miscellaneous web parts, like the following: ◆
Content Editors
◆
Forms
◆
Images
◆
Page Viewers
◆
Relevant Docs
◆
Site Users
◆
User Tasks
◆
XML
As an example, select Tasks and click Add. This will allow you to add new items to the newly appeared tasks area, as shown in Figure 13.20.
Figure 13.20 Tasks
Clicking Add New Item will let you fill in the fields shown in Figure 13.21 and add that web part to the home page.
Figure 13.21 Task fields
Notice that in Figure 13.21 there is an Address Book button that appears next to the Assigned To line. This integrates directly with Exchange Server and allows you to synchronize your whole organization! All you have to do is fill out the rest of the fields and click OK.
THE BOTTOM LINE
Overall, you can add a lot of customizability to your SharePoint Server site. It’s easy — and a little fun. Around the world, businesses use SharePoint as a collaborative portal to their internal information. In your own business or your consulting, you can use SharePoint to post company policies and increase workflow. When you combine this feature with the many other features of Microsoft Small Business Server, you can see why SBS is truly one of the most powerful business tools available. Ultimately, both SharePoint and SBS can facilitate almost every business need . . . and do it exceedingly well.
The Bottom Line Set up SharePoint/Companyweb Setting up SharePoint with Small Business Server enables you to take full advantage of your server. Without it, the server is nowhere near as powerful or versatile as it could be. Master It To secure your SharePoint web portal, you should enable your server to publicly identify itself. How can you do this? Administer SharePoint Administering SharePoint is the primary goal of this chapter and the primary goal of you as an administrator. From what you’ve learned, you should be enable to enable SharePoint and backup your data appropriate. You should also be able to easily perform basic timer jobs and administer your jobs for your own purposes. Master It Change the name of your Recycle Bin timer job definition to ‘‘Bin.’’ Back up and restore SharePoint Point data for later restorations.
SharePoint backups allow you to specifically back up Share-
Master It A SharePoint Server backup process fails with an error, and you have to troubleshoot it. How do you do that?
347
Appendix
The Bottom Line Each of The Bottom Line sections in the chapters suggest exercises to deepen skills and understanding. Sometimes there is only one possible solution, but often you are encouraged to use your skills and creativity to create something that builds on what you know and lets you explore one of many possible solutions.
Chapter 1: Installing Windows Small Business Server 2008 Identify the requirements of Windows Small Business Server 2008 Review and memorize the server requirements for SBS 2008. Master It What types of processors can be used to virtualize an install of SBS 2008? Solution The basic processor requirements for Windows Small Business Server 2008 are as follows: Processor
2GHz x64 or faster
Memory
4GB minimum, 32GB maximum
Disk space
60GB minimum
Install Windows Small Business Server 2008 Set up and completely install SBS 2008 on a partition of your creation and choosing. Master It Install Windows Small Business Server 2008 so the server can access the Internet, download updates, and show all networking essentials as ‘‘in the green.’’ Solution Upon completion, you will see all settings as ‘‘in the green.’’ Keep in mind that this may take up to 24 hours, because of updates being downloaded.
Chapter 2: Setting Up and Utilizing an SBS 2008 Network Plan an SBS 2008 network installation Planning an SBS 2008 installation includes the process of deciding upon a subnet, preparing hardware network devices, and planning for expandability. Master It Create a usable Class C subnet with more than 200 available addresses. Solution Because of its ease of use, you can use the 192.168.0.X subnet or any derivative of the 192.168.X first three octet ranges. This is because any network with a 255.255.255.0 subnet will contain 252 usable addresses.
350
APPENDIX
THE BOTTOM LINE
Configure SBS 2008 client computers for networking Planning an SBS 2008 installation includes the process of deciding upon a subnet, preparing hardware network devices, and planning for expandability. Master It Establish a connection with SBS 2008, and ensure that computers can be added to the network with corresponding user accounts. This means that your network is ready to expand, along with the small business. Solution Use the http://connect method to attach a computer to your server. This will bring up the Run The Connect Computer Program screen, which allows you to add a computer to the domain controller across the Internet. Alternatively, you can also use something like a jump drive to do this easily and without a lot of administrative overhead. Use command-line networking commands Using the command line greatly enhances your ability to quickly diagnose technical network issues and expedite your process of troubleshooting network issues. To become an effective administrator, you need to be familiar with these commands. Master It Use network commands to determine your DNS server, ping your DNS server, and trace the route to your server. Solution If you are connected to an SBS server, your DNS server should be the address of the SBS server, your default gateway should be the address of your router, and the race to it should be one hop. For example, on the default SBS installation, your DNS server should be 192.168.16.1, your gateway should be a random address like 192.168.16.10, and the route should be one hop. Diagnose small network problems Even for the most seasoned administrator, small network problems can be a tremendous headache. Knowing how to quickly and easily solve these problems is key to saving you and your company time and effort. Master It Set up a small business network with four different computers, each connected to your network through a switch. Then, take a spare Ethernet cable, cut five of the eight internal wires, and connect one of the computers to it — but don’t pay attention to the IP address or name of the computer. Go back to your SBS server, and determine which computer has been compromised. Solution Back at your server computer, look at the list of authenticated computers in your SBS console. Then, use the Ping command to ping the name of each of these computers. See which one of these fails, and determine from that which of the computers is experiencing a network problem. Simulate resolving the problem by attempting to complete a file transfer, replacing your network cable, and trying it again. Implement wireless networking Setting up a wireless network allows you to access network resources from anywhere in your SOHO environment. This is critical to maintaining a readily available and effective small business. Master It Implement WPA2 security on the network with MAC filtering, if it is available. Then go by each of your computers, determine their MAC addresses, and add them to the access list. Solution Conduct the same networking essentials from the ‘‘Use command-line networking commands’’ scenario without having your wired connection attached. Execute the Ping,
CHAPTER 3: MIGRATING AND ‘‘UPGRADING’’ TO SMALL BUSINESS SERVER 2008
Pathping, and Traceroute commands to see whether you are able to authenticate to the router without the proper MAC address and then with the MAC address. By doing this, you test the security of your network to see whether you can join the WPA2 connection with the standard user and password or whether you have to use the exact MAC address. If for some reason you are unable to connect using either method, there is a chance that you may have written down the MAC address of the WPA key incorrectly. In that case, you can reattach the network cable, log in to the router, and check the information.
Chapter 3: Migrating and ‘‘Upgrading’’ to Small Business Server 2008 Set up and plan migration One of the oldest phrases in IT is referred to as the five Ps: proper planning prevents poor performance. It’s not only a little funny; it’s true. The first step of any planned migration is to plan. When you create your plan, you can break it down into areas involving your server, network, and objects. Furthermore, you can consider hardware purchases that will be required, implementation times and deployment periods that will be the most beneficial, and what would make your migration process the easiest. Master It Develop a plan for a small business of 30 employees that requires the migration process to be done during business hours. The current network is running SBS 2003 and uses SBS 2003 as an ISA server. However, the ISA server is being replaced with a hardware firewall without proxy. Define any bottlenecks and potentially troubling concerns. Solution There will most likely need to be some downtime because the server cannot be deployed with the same topology as an SBS 2003 network. You will need to arrange some slight downtime after you have migrated the information. However, the SBS 2003 server will not need to go down (optionally) until you have migrated the settings. Eliminating the ISA server is relatively easy. You are not required to migrate the ISA settings. Create an answer file Answer files are XML documents designed to massively import settings from a source server to a destination server. Answer files can be generated from the source server by using the Windows Server toolkit. Master It Create an unattended answer file that requires no user input until the migration process has been completed. Click the Install Now button at the Windows Server introduction, and see whether your installation is paused. Solution Unattended installations can be performed through the SBS 2008 toolkit and selecting the Unattended Installation Process check box. Below, when the menu extends, the server’s DHCP, business information, and other important business information will need to be entered in order to proceed. Once complete, the XML file will be placed at a location of your choosing and can be exported to a USB flash drive. Migrate objects Once the migration process has begun, the automated process will bring you to a wizard that allows you to complete the migration. This process is what actually migrates your settings and allows you to complete the wizard. Master It Create an installation of SBS 2008, and compare the originating server to the destination server. Ensure that the destination server has the appropriate objects.
351
352
APPENDIX
THE BOTTOM LINE
Solution Once the server has been migrated completely, the objects from the originating server will be identical to the objects in the second server. Each of the wizards will allow you to choose which objects you would like to migrate and which objects you would like not to migrate.
Chapter 4: Implementing a DNS Name Server and File Sharing with SBS 2008 Set up the Domain Name System The Domain Name System is a critical role in any Windows Server environment. Through proper use, it allows for user authentication, Internet name resolution, and critical server roles to function. Improperly operating DNS will result in slow, inefficient server operation and possibly authentication failure. Master It Install DNS with static entries to four different servers or known Internet hostnames. Make two of these Internet hostnames resolve to correct addresses that will respond to pings, such as google.com, and make two of these addresses resolve to improper, uncommon names, such as Funny.TheDomainYouChose.com. Solution You will need to open DNS Manager in SBS 2008 and create four static entries in your primary zone. Two of these entries should be to known sites, such as oldestdnsserver at 4.2.2.2 and google.com at 74.125.45.200. The other two should be made up entries, such as funnyhahaha.com at 10.2.3.4. When you attempt to ping or traceroute to any of these entries with the command line after creating them in the primary zone, the first two names should receive replies from ping by the name you chose, and the second two should not respond at all. Set up file sharing DFS allocation can create a central repository for users to share folders. To set up DFS, you will need to set up servers at multiple locations. Master It Install DFS by sharing at least two folders through two different computers, and place them inside a namespace. Access this namespace through a client computer. Solution First, you will need to install two different servers on two machines running a version of Windows Server 2003 or newer. Then, you will need to go to Administrative Tools Distributed File System on your SBS 2008 server and run through the ‘‘new DFS root’’ system. The wizard will guide you through the steps necessary. Afterward, you should be able to access the shared folders from one location and not realize that they are contained on different computers. You will be able to access the share by entering the name of the DFS share in the Windows Explorer menu (with the name you set up in the DFS wizard). Use the File Services Resource Manager The File Services Resource Manager is a new tool from Microsoft that enables you to select quotas and allocate filters to system resources. It allows you to carefully administer your file system without being concerned with whether the templates or restrictions you place on the server are working. Master It Use the File Services Resource Manager to create a 250MB extended quota on your inetpub folder.
CHAPTER 5: CONFIGURING AND ADMINISTERING ACTIVE DIRECTORY WITH SBS 2008
Solution Start the File Services Resource Manager by clicking the Start button and typing file services. Expand the Quotas Management area if it’s covered up, right-click the Quotas section on the left, and select Create Quota. Click the Browse button, navigate to your main drive, and select the inetpub folder. Then, from the drop-down menu, click 250 extended. Click OK.
Chapter 5: Configuring and Administering Active Directory with SBS 2008 Create organizational units Creating an organized OU infrastructure makes the experience of administering a server easier on administrator and user alike. With SBS 2008, this process has become easier than ever. Master It Create a centralized hierarchy with two subtiers. This hierarchy should include departmental and role-based separation (Production/Managers). It should be robust enough that the structure could be replicated for all departments and subdepartments. Solution Your structure should mirror a three-tier Active Directory structure and be ready to accept user accounts. You will need to create these OUs in the Active Directory Users And Computers tool, creating OUs within OUs without dragging. If you need to move an OU, you should right-click and select Move. Understand FSMO roles FSMO roles are roles within SBS 2008 that allow you to specify administrative tasks throughout your business. These tasks include determining what server is allowed to control the schema of the forest (the schema master) and selecting the domain naming master. Through proper use, you can eventually upgrade your SBS environment to an even more complex environment. Master It Suppose you have two servers in your environment that could each share FSMO roles. Decide which server would hold the schema master and why. Could you have two? Solution You cannot have two schema masters because the FSMO rules dictate only one per forest, unless you have two forests. The schema master should be the server that is able to communicate most easily with new servers or clients that would be frequently added to the infrastructure. Faster switches and added visibility are important factors. Create, delete, and manage objects Creating objects in Active Directory allows you to truly make an organization. Without objects, the process of having a server is pointless. You need to be able to easily create objects and place them within Active Directory. Master It Create one user account and one computer account using the server graphical user interface. Then, create 10 user accounts and 10 computer accounts using the LDIFE.exe import tool. Once you’ve done this, import these user accounts to one of the lowest tiers of your infrastructure. Solution You will need to open Notepad, examine the user account syntax, and then specify the target OU. Then, you will have to run the tool successfully and examine your Active Directory user database to make sure the accounts have been imported.
353
354
APPENDIX
THE BOTTOM LINE
Chapter 6: Configuring and Managing Groups and User Accounts with SBS 2008 Create users and security groups Creating users and security groups is the central focus point of an IT infrastructure. By creating users and groups, an entire business is virtually created through Windows Server. Security groups allow you to assign permissions and associate users with similar job roles. Master It Create a nested group structure that contains an All Users group with four internal groups for the engineering, accounting, sales, and customer service departments. Place at least 20 users in all these groups, and attempt to ‘‘double nest’’ a user in the Sales and Engineering groups. Solution You should have 20 users nested within four security groups, plus an All Users group. Create distribution groups Distribution groups are used to distribute email and messages. Through a distribution group, you can receive external email and send internal messages. Master It Create a distribution group for your infrastructure with a different email address than the name of the group. Attempt to send an email to this group. Solution After you’ve created the security group, attempt to send an email to the security group, for example to [email protected]. Once this fails, create a distribution group, and send it an email (make sure that you set the group to receive email). Then, once you’ve confirmed that, create another email address in the distribution list. A user account in the distribution group should receive an email. Create a permissions list for a group Permissions lists and access controls are the primary methods you use to affect the access of files throughout your infrastructure. They control the availability of files throughout the infrastructure and, if not done correctly, can compromise the entire infrastructure. Master It Create a folder and assign permissions to only one security group, and then try to access this group from another account. Solution Only one security group should be able to access the folder. Try to log on as a user from a different security group and attempt to access the folder. If you can’t, try another and verify that only this group can access it. If you can, recheck your permissions and try again.
Chapter 7: Managing Group Policy with SBS 2008 Create Group Policy objects Group Policy objects in Active Directory allow you to create a policy and link it to a location somewhere in Active Directory. GPOs are Active Directory objects and do not take effect unless they are linked; otherwise, they are just static objects. Master It Create a Group Policy object that turns off crash detection for Internet Explorer. Solution Open the Group Policy Management Console, right-click your domain, and select Create A New GPO And Link It Here. Name the GPO, right-click it, and select Edit. In the Group Policy Management Console, expand Computer Configuration, and then
CHAPTER 8: BACKING UP AND PERFORMING DISASTER RECOVERY
expand Administrative Templates\Windows Components\Internet Explorer. Double-click Turn Off Crash Detection, and select Enabled. Click Apply and then OK. Link a Group Policy object to an Active Directory object Group Policy objects do not have any effect until they are linked. With Windows Server, you need to link an existing GPO to an area within Active Directory. Master It Create a new GPO called Test, and leave it unlinked. Then, manually link Test to an OU in your directory infrastructure. Solution Open the Group Policy Management Console, right-click Group Policy Objects, and select New. Name the object Test. Right-click an OU, and select Link An Existing GPO. Select your GPO, and then click OK. Edit a Group Policy object Group Policy usually requires a great deal of maintenance. This is usually conducted through the Group Policy Management Console. Master It Edit the Internet Explorer Crash Detection object to allow crash detection, and then enforce full-screen mode. Solution Open the Group Policy Management Console, and right-click your Internet Explorer policy. Expand your Windows Components folder, and double-click Turn Off Crash Detection. Disable it, then double-click Enforce Full Screen Mode, and finally select Enabled. Delete a Group Policy object Removing a Group Policy object involves deleting the object and any links associated with that object. Otherwise, there can be unresolved components of your Active Directory infrastructure. Master It Remove the Test GPO link, and delete the Test GPO with no conflicts. Solution Open the Group Policy Management Console, and expand your local domain (intellicorp.local or whatever you’ve chosen). There, select the Test GPO, press the Delete key, and click OK. Then, expand the Group Policy Objects folder, select the Test GPO, and press the Delete key. Click OK in the dialog box, and select Yes.
Chapter 8: Backing Up and Performing Disaster Recovery Understand RAID RAID is used at the Small Business Server level to create a partitioned and redundant system in SBS 2008 that provides for backup in the case of a single or multiple hard drive failure. Through RAID, you can theoretically remove the need for any form of backup, but you do not remove backup methodologies because they’re necessary in the slight chance of an unrecoverable array failure. Master It Choose a RAID installation method with Small Business Server that will provide for six disks, with a complete mirror of the array and each side of the mirror containing a parity bit. Solution Remember, sometimes a combination of two different configurations is actually your best bet. Implement a RAID 5+1 system. With RAID 5 you will provide for a parity bit, and with RAID 1 you will provide a mirror. You can do this by either going to Disk Management and arranging your disks into two separate RAID 5 disks that are mirrored or using a hardware RAID device, but the important thing you take away from this chapter is the exact process involved with setting it up.
355
356
APPENDIX
THE BOTTOM LINE
Recognize different backup media types Various types of backup media exist in the modern workplace, and choosing the right one for your situation is often a tough decision. There are network file shares, tape backup, network attached storage, and external disks, just to name a few. The right one depends on the application being used and the right time to use it. Master It Choose a backup solution that is allowed to be degradable but is easy and cost effective to implement. Moreover, this backup solution has to be able to easily supply extra media, because of the need to have many different points of recovery, all for a low cost. Solution Implement a tape backup solution using LTO. This method allows you to choose a backup implementation that is easy to implement and doesn’t cost too much. This way, you can easily swap out tapes based on your need and create extra points of backup. Implement a backup strategy With SBS 2008, it’s easy and effective to create a backup strategy that not only works but is easily recoverable. Master It Create a minimum requirement backup installation with SBS 2008, and implement it. This backup solution should enable you to recover in the case of a corrupted hard drive or the loss of a drive in a system array. Solution Through the SBS Console, choose Backup And Recovery. Once you’ve done this, choose Configure Backup. With an attached USB drive, allow your main hard drive to complete a scheduled backup. After a few hours, the drive will be completely backed up. Recover data After you’ve set up a backup system, as in the previous ‘‘Master It,’’ you will need to know that the data can be recovered. All the backups in the world will do you no good if you don’t know how to take advantage of them in a small-business environment. Master It Use the Windows SBS 2008 installation disk utility to completely recover with a bare-bones installation. Solution Insert the SBS 2008 disk into the machine, and attempt to boot up. From the menu on the disk, choose Repair Computer. Follow the steps in the wizard, and choose the backup that you made. Once you’ve chosen the backup, choose to format the installation and restore the server from the ground up. Once you’re done, you’ll be sure that you know how to back up your server, even if the absolute worst should happen.
Chapter 9: Remote Access, Security, and Adding Servers with SBS 2008 Deploy a second server to your environment A second server in your environment allows you to offset common tasks, such as adding SQL Server to a dedicated environment. Master It Set up a second server to offset a dedicated application from your SBS 2008 server. Solution Here are the steps:
1. Install a Windows Server 2003 or Windows Server 2008 server. 2. Join the Windows Server to the SBS server using http://connect. 3. Move the new server to the SBS Server’s OU.
CHAPTER 10: CONFIGURING EXCHANGE SERVER 2007 FOR SMALL BUSINESS
Set up Remote Web Workplace access Remote access, in all its forms, is a critical part of your infrastructure. Through it, you can enable your employees to access the system resources from a distance. The Microsoft-recommended method is to set up the Remote Web Workplace, a website that consolidates all the remote components of Windows access. Master It Set up the Remote Web Workplace, and add a computer to the access pool that you can access via the Remote Web Workplace site. Solution Here are the steps:
1. Install a new version of Windows on a client computer. 2. Use http://connect to connect the computer to the SBS 2008 domain. 3. Set up the Remote Web Workplace in the console by selecting the Websites tab. 4. Ensure the firewall allows remote web access for the Remote Web Workplace. 5. Access the Remote Web Workplace site. 6. Enter your credentials, and then click Remote Access. Set up a VPN connection Virtual private networks allow you to connect to your SBS server through a secure channel that allows you to communicate with your network resources as if they were locally available. Using a VPN allows to be safe, secure, and efficient. You should know how to enable this for your users. Master It Set up a simple PPP VPN network connection and nest one of your security groups (Ex. the Sales security group) inside the remote access users. Attempt to connect. Solution Here are the steps:
1. Launch the SBS console. 2. Select the network tab, then the connectivity tab. 3. Select configure Virtual Private Network from the tasks menu. 4. Select ‘‘allow users to connect to the server by using a VPN,’’ and then click Next. 5. Allow the wizard to configure your firewall. 6. Add your security group to the Remote Users group.
Chapter 10: Configuring Exchange Server 2007 for Small Business Understand the components of Exchange Server To properly administer Exchange Server for a small business, you need to know what controls Exchange Server and how to use it. With Exchange Server, you can control an entire messaging architecture that is rather complex. Master It One of the components of the Exchange Server infrastructure is PowerShell. How can you use PowerShell to set a quota of 100MB on a mailbox?
357
358
APPENDIX
THE BOTTOM LINE
Solution PowerShell is a component of Exchange Server that is used to manually execute commands and scripts through a command-like infrastructure. To retrieve a mailbox and set a quota, you would execute the following command: get-Mailbox "Domain\User" | set-Mailbox-ProhibitSendQuota 100MB
Understand Exchange Server roles To properly administer Exchange Server for a small business, Exchange Server 2007 has implemented new roles and functions. These five roles are Client Access, Hub Transport, Mailbox, Unified Messaging, and Edge Transport. Before Exchange Server 2007, these roles either did not exist or were named differently. Master It Create or draw a picture that illustrates what the server placement would look like for a company using the full version of Exchange Server 2007 in a LAN environment, with each server holding a role. Show where each server would be placed in reference to the firewall. Solution Your system should look similar to the graphic shown here.
Outlook Clients
Mailbox Component
Unified Messaging Component
Mailbox Store
Hub Transport Component
Client Access Component
Firewall
Edge Transport Component
Internet
Outlook Web Access Clients
Chapter 11: Managing Clients, Troubleshooting, and Recovering from Disaster with Exchange for SBS Set up Exchange Server clients You need to learn how to set up Exchange Server clients in order to properly administer your SBS 2008 server. You can do this by creating mailbox and user accounts. Master It Use the Exchange Management Console to add a mailbox user and an account in Active Directory for John Smalls.
CHAPTER 11: MANAGING CLIENTS, TROUBLESHOOTING, AND RECOVERING FROM DISASTER
Solution Here are the steps:
1. Open the EMC. 2. Expand Recipient Configuration. 3. Select Mailbox. 4. Click New Mailbox. 5. Select User Mailbox. Click Next. 6. Click Next. 7. Enter the username and logon. 8. Enter the user storage group. Diagnose mailflow issues Diagnosing a mailflow issue is a major component of becoming an administrator with Exchange Server. Through this, business owners can count on you being able to fix any issue at any time that may arise. Master It A mail server has stopped mailflow, and the hard drive shows zero space. What should you do? Solution Here are the steps:
1. Check to see whether the log files have become too large in Exchange Server’s Program Files menu.
2. If the log files are too large, purge them. 3. If the log files are not too large, check the size of the information store. 4. If the store is too large, convert some data to PSTs or reduce user mailbox sizes. Back up Exchange Server 2007 You need to be able to restore Exchange Server 2007 at a whim, regardless of what may occur in your organization. Otherwise, disaster could strike at any time, and you would be without any way to compensate for it. Master It Create an Exchange Server recovery group to restore from. Solution Here are the steps:
1. Start the Exchange Database Recovery Management tool from the EMC Toolbox. 2. Enter your server name, and label it as a recovery group. 3. Click Next. 4. Click Create A Recovery Storage Group. 5. Select your first storage group (or the primary storage group you’re operating with). 6. Click Next, give the group an alternative name if you’d like, and then click Create The Recovery Group.
7. Go back to the task center.
359
360
APPENDIX
THE BOTTOM LINE
Chapter 12: Introducing SQL Server Install and configure SQL Server To use SQL Server, you must first install it. But installing SQL Server is not simply a matter of inserting the installation disc and clicking though the installation routine; it involves making decisions about which features of SQL Server to install, what accounts you want it to run under, and where it should be installed. Master It What are the minimum SQL Server features you should choose to install? Solution Database Engine Services, SQL Server Books Online, and Management Tools. At a minimum, you’ll need to install Database Engine Services and the management tools. You can verify that everything is installed by launching SSMS and connecting to the instance of the server that you just installed. Use SQL Server The first step in using a SQL Server database is to create it, and you can do this easily with the SSMS or with Transact-SQL. Master It Using SSMS, create a new database, named Accounts, that includes a table named Locations. Solution Here are the steps:
1. In the Object Explorer, right-click Databases, and choose New Database. 2. In the Database name field, enter Accounts, and then click OK. 3. In the Object Explorer, right-click Tables, and choose New Table. 4. Create at least one table column, and then click Close. This will open a window where you can name your table. Administer SQL Server The most basic and perhaps most important of SQL Server administrative tasks is to create an effective and robust backup and restore routine. As with most things in SQL Server, you can do this using SSMS or Transact-SQL. Master It Back up a SQL Server database using SSMS. Solution Here are the steps:
1. Expand the Databases item in the Object Explorer. 2. Right-click the database that you want to back up. 3. In the context menu that appears, select Tasks and then Back Up. 4. Set the destination path that your backup will use. The destination is set to back up to disk in the following default path: C:\Program Files\Microsoft SQL Server\MSSQL10.MSSQLSERVER\MSSQL\Backup\.
5. Click OK to start the backup. After running your backup, verify that the backup was made by viewing the backup files created at the destination path that you specified.
CHAPTER 13: USING SHAREPOINT WITH YOUR SMALL BUSINESS SERVER
Chapter 13: Using SharePoint with Your Small Business Server Set up SharePoint/Companyweb Setting up SharePoint with Small Business Server enables you to take full advantage of your server. Without it, the server is nowhere near as powerful or versatile as it could be. Master It To secure your SharePoint web portal, you should enable your server to publicly identify itself. How can you do this? Solution Enable your SharePoint server to utilize a security certificate. A security certificate both encrypts data and allows your server to publicly identify itself with a unique certificate. Administer SharePoint Administering SharePoint is the primary goal of this chapter and the primary goal of you as an administrator. From what you’ve learned, you should be enable to enable SharePoint and backup your data appropriate. You should also be able to easily perform basic timer jobs and administer your jobs for your own purposes. Master It Change the name of your Recycle Bin timer job definition to ‘‘Bin.’’ Solution
1. Navigate to your SharePoint server central administration page. 2. Select Operations. 3. Select Timer Job Definitions. 4. Click Recycle Bin. 5. Change the name of the job title to ‘‘Bin.’’ 6. Press OK. This will change the name of your timer job. Back up and restore SharePoint Point data for later restorations.
SharePoint backups allow you to specifically back up Share-
Master It A SharePoint Server backup process fails with an error, and you have to troubleshoot it. How do you do that? Solution Here are the steps:
1. Open the logs. 2. Search the logs for errors. 3. See whether the error was based upon communication or security. 4. Fix the communication or security error. 5. Retry the backup.
361
Index A A records (host records), 85, 87, 88, 89, 90, 92 ABCD blocks, 210 access control panel, 173, 177, 180, 182, 183, 184 security v., 254 access control lists. See permission lists Account Operators group, 148 Acknowledge process (DHCP), 32 Active Directory, 115–141. See also Group Policy objects; groups GPOs and, 172 Group Policy and, 171 MCTS Windows Server 2008 Active Directory Configuration Study Guide, 123 objects computer, 119, 153 contact, 119, 153 creating, 133–140 group, 119, 153 InetOrgPerson, 119, 153 large object actions, 135–140 msExchDynamicDistributionList, 153 MSMQ Queue Alias, 119, 153 printer, 119, 153 types, 118–119 user, 153 Open Active Directory Users And Computers Snap-In, 152–153, 155, 157, 159, 160, 161 organizational units, 117, 118, 119, 122–133 creating, 123–125, 140–141 delegating, 128–130 deleting, 127 design, 123 dividing for power (example) and, 131 grouping/subgrouping, 131–133 inheritance and, 127 managing, 125–127 renaming, 127 security groups v., 153
SBS migration and, 65, 68–70 sites, 116 Active Directory Domain Services Installation Wizard, 223 Active Directory Domains And Trust Snap-in, 65, 66 ActiveSync, 252, 253, 254, 263, 274–275 Add A New Site Wizard, 335 Add Exchange Administrator Wizard, 261 Add Role Services Required For HTTP Proxy dialog box, 272 addresses. See IP addresses AddUserWizard, 76 Admin Tools Group, 149 administration models (SMB), 119–120 Administrators group, 148 ADMX templates, 183, 184 ADPREp.exe tools, 69 ADSL (asynchronous digital subscriber line), 48 Advanced Encryption Standard (AES), 226 Advanced Security Settings dialog box, 166 AES (Advanced Encryption Standard), 226 AFS (Andrew File System), 206 alerts, 20 alias records, 86, 89 /all, 45 ALTER, 310 Amdahl, Gene, 218 Amdahl’s law, 218 Analysis Services (SSAS), 295 Andrew File System (AFS), 206 answer files, 70–71, 78 antivirus protection Barracuda and, 249 email and, 248 firewalls and, 60, 63 Forefront Security for Exchange Server and, 13 Hub Transport server and, 249 Live OneCare for Servers and, 4, 12, 13, 18, 19, 20
364
ANYCAST ADDRESS
•
CATEGORIZATION
Monitor Executable and System Files template and, 102 Ninja Blade and, 249 Public folder and, 94 Security Configuration and, 335, 337 settings (Central Administration), 338 anycast address, 31 APIPA (Automatic Private IP Addressing), 27–28, 30 Application Created screen, 336 application filters, 9 Application Management, 333 Application Mode (Terminal Services), 4 application pools, 273, 335, 340, 341 archived data, 326 areas, 116. See also sites asymmetric encryption, 228 asynchronous digital subscriber line (ADSL), 48 Authenticated Users (special identity group), 147 authentication ActiveSync Security and, 275 DNS and, 83, 113 NTLM, 273, 335 RDP and, 234–236 remote, 230 RPC over HTTP and, 273 RWW and, 240 second server and, 221 SharePoint and, 328, 335 SQL Server and, 302, 307 VPNs and, 230, 231 Windows, 307, 336 Automatic Private IP Addressing (APIPA), 27–28, 30 availability, 46, 47, 164, 170, 219
B Back up Group Policy object dialog box, 187, 188 Backup and Restore, 338–343, 347–348 Backup Operators group, 148 Backup Schedule Wizard, 210, 211 backups, 195–216. See also recovery databases, 318–321 differential, 209–210, 318 Exchange Server, 208, 211, 280–285, 290
full, 209, 318 GPOs, 187–188 incremental, 209–210 media types, 201–208, 216 direct attached storage, 208 external disks, 201–203 FireWire, 201–202 NAS, 5, 205, 206–208, 216 SANs, 205–206, 207–208 tape backup systems, 201, 203–205 USB, 202–203 Networking Essentials Summary screen and, 18–19 NTBACKUP utility and, 55, 58, 212, 280 RAID and, 195–201 rotation and, 210 SBS migration and critical files, 55–57 Exchange Server data, 57–58 SharePoint Server, 330–331, 338–343 SQL Server database, 318–321 strategies, 195, 208–212, 216 critical business data, 208 Exchange Server/SQL, 208, 211 unsorted files, 208, 212 Windows NT data, 208, 209 transaction log, 318, 319 Bacon, Francis, 225 Barca, 270 bare–bones recovery, 212–216 Barracuda, 249 Bat, 270 Best Practices Analyzer (BPA), 67 blocks, ABCD, 210 blowfish, 227 Books Online (SQL Server), 295, 300, 304, 310 BPA (Best Practices Analyzer), 67 broadcast domain, 27, 28 built–in groups, 147–149 bulk–logged recovery, 318
C cable modems, 48, 63 Calypso, 270 categorization, 248–249
CATEGORIZER
categorizer, 248, 249, 286, 287 Central Administration (SharePoint), 332–334 Application Management, 333 Home, 332 Server Operations, 332, 337 centralized administration method, 119–120 Certificate Service DCOM Access group, 148 Certificate Services, 79, 148 certificate–based private key encryption, 230 Change Group Membership screen, 163 checkpoint files, 276–277 Chellis, James, 123 child domains, 4, 92 chkdsk, 214 CIA (confidentiality, integrity, availability), 164 ciphers, 225–226. See also encryptions Bacon’s, 225 encryptions and, 225–226 Lucifer, 227 ROT13, 225–226 circular logging, 279–280 Client Access (EMC) server role, 252–253 tasks, 263–264 client operating systems, 5 clients (Exchange Server clients), 269–270 clusters, 218–222 alternatives to, 220–222 failover, 219–220 member servers and, 220–221 NLB, 219 cmd.exe commands, 266 cmdlets, 3, 250 CNAME record types, 86, 89 collaboration, 326 collision domains, 27 command–line interface (EMS), 265 tools, 45–46, 52 commands. See also specific commands chkdsk, 214 cmd.exe, 266 cmdlets and, 3, 250 CSVDE.exe, 140 Ctrl+Alt+Delete, 15
•
CREATOR/OWNER (SPECIAL IDENTITY GROUP)
Dcdiag.exe, 68 EMS, 266–268 Get-ExchangeServer, 267 Get-Mailbox Domain/User, 267 ipconfig, 45, 234, 266 LDIFDE.exe, 136–140 nslookup, 45, 46 Pathping, 45–46 ping, 45, 46, 52 Repadmin.exe, 68 services.msc, 285, 328, 337 commodity network, 218 Compact edition (SQL Server), 292 Company Information screen, 10, 11 Companyweb, 62, 76, 77, 326, 328, 329–330, 347 component object model API, 251. See also MAPI computer accounts (SBS networks), 36–44 manual joining of, 44 portable content, 40–44 web activation, 37–40 computer objects (Active Directory), 119, 153 confidentiality, integrity, availability (CIA), 164 configuration SharePoint Server, 329–332 SQL Server, 296–306, 323 Configuration Manager (SQL Server), 317, 318 Configure Email And Internet Connection Wizard, 62 Connect Computer program, 34, 37, 38, 39 connectivity issues, 47–48 Console Wizard, 34 contact objects (Active Directory), 119, 153 continuous replication, 280 continuous replication circular logging, 280 control panel access/removal, 173, 177, 180, 182, 183, 184 Corporate_Sales group creating, 153–155 nested group in, 155–157 corrupted database recovery, 284 CREATE, 310, 312 Create New Web Application action button, 334 CREATE TABLE, 312 Creator/Owner (special identity group), 147
365
366
CRITICAL BUSINESS DATA (BACKUP STRATEGY)
•
DIALOG BOXES
critical business data (backup strategy), 208 Crosby, Justin, 209, 210 cryptographic operations, 148, 225. See also encryptions Cryptographic Operators group, 148 CSVDE.exe, 140 Ctrl+Alt+Delete, 15 customer tracking, 326 Customers (database) backing up, 318–321 creating, 310–312 moving, 321–323 tables creating, 312–315 data insertion, 315–316 data viewing, 316–317
D DAT (digital audio tape), 203 data archival, 326 Data Definition Language (DDL) statements, 310 Data Encryption Standard (DES), 227 Data Manipulation Language (DML) statements, 310 data types, 312–313 database administration (SQL Server), 294 database engine, 292, 294 Database Engine Services, 300, 301, 302, 307, 317 database (.edb) files, 276 database mail (SQL Server), 294 Database Maintenance Plan Wizard, 320 database management (SQL Server), 294 Database Troubleshooter, 259 databases (relational databases). See also Customers; tables backing up, 318–321 corrupted, recovery of, 284 creation with SQL Server, 310–312 with SQL Server Express, 293–294 defined, 291 moving, 321–323 OLAP, 295 recovery. See recovery Data-Link layer, 27
Dcdiag.exe, 68 DCPROMO tool, 77, 223 DDL (Data Definition Language) statements, 310 decentralized administration method, 119 decentralized locations (SANs/NAS), 205 decentralized store concept (DFS), 103 decryption, 225, 227. See also encryptions default groups, 146–150 default security groups, 149 default shares, 94–98 Delegation Of Control Wizard, 128, 130 DELETE, 310 delivery (Hub Transport server role), 249–250 deployment deployment phase (Group Policy), 179–180 software deployment (Group Policy), 189–191 DES (Data Encryption Standard), 227 design models (SMB), 119–120 design stage (Group Policy), 175–179 DFS (distributed file system), 103–110, 113, 189, 191 Group Policy software deployment and, 189 limitations, 104 management, 108, 109 namespaces, 101, 103, 104, 105, 107 replication groups, 104, 108–110 setting up, 105–108 supported systems for, 104 DHCP (Dynamic Host Configuration Protocol), 32–34 pools, 28, 32, 33 shorter licenses for, 61 diagnosing network problems, 46–48, 52 dialog boxes Add Role Services Required For HTTP Proxy, 272 Advanced Security Settings, 166 Back up Group Policy object, 187, 188 Extract Compressed (Zipped) Folders, 330 Folder redirection properties, 95, 96 functional level, 66 Home Page, 239 Move, 127 New Object–Computer, 133, 134 New Object–Printer, 135
DIFFERENTIAL BACKUPS
Prohibit Access To The Control Panel, 183 Properties, 154, 156, 158, 160, 232, 235 Remote Web Workplace Properties, 242 Site Bindings, 328 Software Installation Properties, 190, 191 System Properties, 235 Windows Credentials, 224 differential backups, 209–210, 318 digital audio tape (DAT), 203 direct attached storage, 208 disasters. See also recovery Exchange Server backups and, 57, 290 functional levels and, 65 security risks and, 163 SQL Server database backups and, 318 discover, offer, request, acknowledge (DORA), 32 Discover process (DHCP), 32 Disk Operating System (DOS), 45, 79 disks dynamic, 196 external, 201–203 simple, 196 Distributed COM group, 148 distributed file system. See DFS distribution groups administering, 162–163 creating, 160–162, 170 as filter, 164 naming convention, 144 DML (Data Manipulation Language) statements, 310 DNS (Domain Name System), 79–93, 113 anatomy of, 80–81 importance of, 83–84 login problems, 44 manual entries, 81–82 queries, 84–85 records, 85, 87–93 alias, 86, 89 CNAME, 86, 89 creation, 90–92 host (A), 85, 87, 88, 89, 90, 92 MX, 89–90, 92–93, 246 name server, 88–89 PTR, 85, 88, 89
•
ENABLE OUTLOOK ANYWHERE WIZARD
resolution process, 82–83 zones, 80, 85–87 DNS client, 83 DNS resolvers, 83 DNS server, 83 document collaboration, 326 document services, 326 Domain Controller, Read-Only, 6 domain controllers, 223–224 Domain Controllers container, 180–181 domain functional levels, 65 domain local groups, 145, 146, 147, 150, 151 Domain Name System. See DNS domain namespaces, 80, 117 domain naming master, 121 domain operations masters, 120–121 domain-based namespaces, 104, 105 domains (Active Directory), 117–118 DORA (discover, offer, request, acknowledge), 32 DOS (Disk Operating System), 45, 79 DOs (dumb operators), 33–34 drives, mapped, 40, 50, 93, 193 DROP, 310 DSL, 63 dumb operators (DOs), 33–34 dynamic, 32 dynamic addressing, 28 dynamic disks (RAID), 196 Dynamic Host Configuration Protocol. See DHCP
E Edge Transport server role, 255 80 port (HTTP traffic), 62, 206, 237, 238, 328 802.11 standard, 49 8080 port, 206 email. See also Exchange Server 2007 external access to, 271–273 migration, to Exchange Server 2007, 67 remote access to, 271–273 routing with, 249 viruses and, 248 EMC. See Exchange Management Console employee performance reports, 326 EMS (Exchange Management Shell), 265–268 Enable Outlook Anywhere Wizard, 273
367
368
ENCRYPTIONS
•
FOLDER REDIRECTION (DEFAULT SHARE)
encryptions, 224–228 AES, 226 asymmetric, 228 blowfish, 227 ciphers and, 225–226 DES, 227 IDEA, 227 PGP, 226 private key, 228, 230, 235 public key, 228, 275 RC4, 50 RC5, 27 RSA, 62, 227, 275 symmetric, 228 TKIP, 50, 227 triple DES, 227 ENIAC, 218 Enterprise edition (SQL Server), 293 Entourage, 270 errors, SMTP, 287–289 Eudora, 270 Event Log Readers group, 148 Everyone group (special identity group), 147 Exchange Management Console (EMC), 256–265 Exchange administrator added with, 261–262 mailbox tasks, 262–263 Toolbox disaster recovery section, 259 mail flow analysis section, 259–260 performance section, 260–261 Exchange Management Shell (EMS), 265–268 Exchange Server 2007 (Microsoft), 2, 245–290 backups, 208, 211, 280–285, 290 clients, 269–270 components, 245–268 limitations, 245–246 migration (Exchange Server 2003 to 2007) updates/preparation process, 72 user email, 67 server roles, 248–255, 268 Client Access, 252–253 Edge Transport, 255 Hub Transport, 248–250
Mailbox, 250–251 Unified Messaging, 253 storage recovery group, 282–283 Express edition (SQL Server), 292, 293–294 extensible shell support (EMS), 266 external access, to email, 271–273 external disks, 201–203 Extract Compressed (Zipped) Folders dialog box, 330
F failover clusters, 219–220 farms, 332, 333, 337, 338, 339 Fax Administrators (security group), 149 Fax Users (security group), 149 Feistel structure, 227 fiber connections, 48, 63 file permissions, 165–170 file recovery, 212 File Screen Policy screen, 101 file screening policy templates, 102 File Server Resource Manager (FSRM), 110–113 file sharing, 93–102, 113 File Transfer Protocol (FTP), 50, 52, 62 filters distribution groups as, 164 time zone and, 9 Financial Institution Privacy Protection Acts, 256 Financial Modernization Act (Gramm–Leach–Bliley Act), 256 firewalls high-end, 63–64 Live OneCare for Servers, 4, 12, 13, 18, 19, 20 migration and, 62–63 routers and, 26–27, 63 selecting, 63–64 switches and, 27, 63 WatchGuard, 63, 230 FireWire, 201–202 5 Ps (proper planning prevents poor performance), 78, 179 flexible single master operations (FSMO) roles, 4, 115, 120–121, 141 /flushdns, 45 folder redirection (default share), 95–98
FOLDER REDIRECTION ACCOUNTS (SECURITY GROUP)
Folder Redirection Accounts (security group), 149 Folder redirection properties dialog box, 95, 96 folder sharing, 170. See also DFS; shares folders permissions, 165–168 security group added to, 169–170 sharing, 170 Forefront Security for Exchange Server (Microsoft), 2, 4, 12, 13 forest functional levels, 65 forest operations masters, 121 forests (Active Directory), 117 48 bit ISP Portion, 31 forward lookup zones, 87 443 port (HTTPS traffic), 62, 206, 237, 328 444 port (SharePoint Companyweb), 62 4125 port (Remote Web Workplace), 63, 238 4150 port, 238 4721 port, 332 free trials, 3, 5 frequencies/speeds (wireless networking), 49–50 FSMO (flexible single master operations) roles, 4, 115, 120–121, 141 FSRM (File Server Resource Manager), 110–113 FTP (File Transfer Protocol), 50, 52, 62 full backups, 209, 318 Full Control (permission), 165 full recovery, 318 Full–Text Search (SQL Server), 292, 295 functional levels, 65–66 FuzzyKitties, 225, 226
G Gadget (RWW), 241 get-ExchangeServer, 267 get-Mailbox Domain/User, 267 Getting Started Tasks, 20–22 global groups, 146 GlobalNames zones, 86 GPMC. See Group Policy Management Console GPOs. See Group Policy objects gpupdate command, 187
•
GROUP STRATEGY
Gramm-Leach-Bliley Act (Financial Modernization Act), 256 green alerts, 22, 23 group filtering, 186 group layouts, 151–152 group objects (Active Directory), 119, 153 Group Policy, 171–194 Active Directory and, 171 administering, 173–188 deployment stage, 179–180 design stage, 175–179 history of, 171–172 links, 172, 173, 185–186, 194 objectives, 174, 177–178 planning stage, 174–175 preferences, 191–193 propagation, 187 purpose and, 174 reasons for usage, 172 results, 193 Results Wizard, 193 roll out stages for, 174 settings, 72, 185, 187, 189, 191, 192, 222 snap-in, 172, 173 software deployment, 189–191 special uses of, 189–191 system policies v., 171–172 Group Policy Management Console (GPMC), 172–173, 178 folder redirection and, 96–97 GPO creation with, 180–184, 193 Group Policy snap-in and, 173 Group Policy objects (GPOs), 172–173 backing up, 187–188 creating, 180–184, 193 deleting, 185, 194 editing, 185–186, 194 links, 172, 173, 185–186, 194 loopback processing, 186–187 maintaining, 184–188 scope, 177, 186 starter, 184 Group Policy Objects container, 180 group scopes, 145–146, 159–160 group strategy, 150–151
369
370
GROUPING/SUBGROUPING OUs
•
INSERT
grouping/subgrouping OUs, 131–133 groups. See also specific groups built–in, 147–149 Corporate_Sales creating, 153–155 nested group in, 155–157 creating, 152–157 distribution groups administering, 162–163 creating, 160–162, 170 as filter, 164 naming convention, 144 domain local, 145, 146, 147, 150, 151 enabled, for VPNs, 232 global, 146 local, 150 memberships, 146, 147 nesting, 150 security groups, 143–144 added to folder, 169–170 administering, 157–160 default, 149 file permissions, 169–170 naming convention, 144 OUs v., 153 removing, 159 special identity, 147 strategy, 150–151 structure of, 143–150 universal, 145–146 user creating, 170 defined, 147 renaming, 157–159 Guests group, 148
H hardware RAIDs, 196, 197 Health Insurance Portability and Accountability Act of 1996 (HIPAA), 256 HIPAA (Health Insurance Portability and Accountability Act of 1996), 256 Home (Central Administration), 332 Home Page dialog box, 239 host records (A records), 85, 87, 88, 89, 90, 92
HOSTS file, 81–82 HTTP (Hypertext Transfer Protocol), 272 port 80 and, 62, 206, 237, 238, 328 RPC and, 271–273 HTTPS port 443 and, 62, 206, 237, 328 SSL and, 272 Hub Transport server, 249 Hub Transport server role, 248–250 hybrid administration method, 119 hybrid RAID, 198, 200–201 Hypertext Transfer Protocol. See HTTP Hyper-V, 222–223
I ICANN (Internet Corporation for Assigned Names and Numbers), 31 ICMP (Internet Control Message Protocol), 45, 46 IDEA (International Data Encryption Algorithm), 227 IIS (Internet Information Services) OWA and, 273, 274 Remote Web Workplace pool, 238 Reset Internet Information Services setting, 336 SharePoint Server and, 326–327 web pool, 219, 273 Web Site, 334–335 IIS reset, 336 IIS_IUSRS group, 148 images, 59 IMAP4 (Internet Message Access Protocol), 246, 252, 254, 263, 271 Improved Proposed Encryption Standard (IPES), 227 ‘‘in the green,’’ 22, 23 Incoming Forest Trust Builders group, 148 incremental backups, 209–210 InetOrgPerson, 119, 153 infrastructure master, 121 inheritance GPOs and, 176–177 OUs and, 127 INSERT, 310, 315
INSTALLATION
installation SBS 2008, 6–9 customization, 9–14 in migration mode, 72–78 Server Core, 6, 223 twice, 22 types, 6 SQL Server, 296–306, 323 SQL Server service pack, 304–306 Integration Services. See SSIS integrity, 164 Interactive Users (special identity group), 147 interforest trusts, 4 International Data Encryption Algorithm (IDEA), 227 Internet Control Message Protocol (ICMP), 45, 46 Internet Corporation for Assigned Names and Numbers (ICANN), 31 Internet Information Services. See IIS Internet Message Access Protocol. See IMAP4 Internet Security and Acceleration (ISA) server, 5, 54, 78 Internet service providers. See ISPs interoperability, 175, 218 inverse queries, 85 IP addresses addressing techniques (IPv4), 27–34 APIPA, 27–28, 30 dynamic, 28 IPv6 ranges, 29–30 IPv6 types, 31–32 manual, 28 mapping, to domain name, 85 multicast, 31 prefixes, 31 ranges, 28–29 reserved, 29, 30 scheme, migration and, 64 static, 28 unicast, 31 ipconfig, 45, 234, 266 IPES (Improved Proposed Encryption Standard), 227
•
LINKS (GROUP POLICY)
IPv4, 27 address ranges, 28–29 addressing techniques, 27–34 IPv6, 27 address ranges, 29–30 address types, 31–32 anatomy, 30–31 ISA (Internet Security and Acceleration) server, 5, 54, 78 ISPs (Internet service providers) connectivity issues, 48 48 bit ISP Portion (IPv6), 31 inverse queries and, 85 recursive queries and, 84 iterative queries, 84
J jobs. See timer jobs journal rule scope, 256 journaling, 255–256 agents, 248, 250, 255, 256 mailbox database and, 264–265
K keep it simple, stupid (KISS rule), 271 Kerberos, 335 KISS rule (keep it simple, stupid), 271
L Lai, Xuejia, 227 large object actions (Active Directory), 135–140 layouts, group, 151–152 LDIFDE.exe, 136–140 leases (DHCP), 33 Leibaschoff, Damian, 209, 210 licenses/licensing DHCP, 61 Group Policy software deployment and, 189 SBS Premium and, 4 SQL Server, 296 Terminal Services, 72 linear tape open (LTO), 203–205 Link Users (security group), 149 links (Group Policy), 172, 173, 185–186, 194
371
372
LINKS LIST (RWW)
•
MIGRATION (SBS 2003 TO SBS 2008)
links list (RWW), 239 List Folder Contents (permission), 165 Live OneCare for Servers, 4, 12, 13, 18, 19, 20 Load Balanced URL setting, 335 load balancing, 219, 220 local domain. See domain local groups local groups, 150 logging bulk-logged recovery, 318 circular, 279–280 log files, 276 transaction log backups, 318, 319 transaction logging, 277–279 logical partitions, 196 loopback processing, 186–187 Lowe, Scott, 263 LTO (linear tape open), 203–205 Lucifer cipher, 227
M MAC (Media Access Control), 27, 30, 52 mail exchanger (MX) records, 89–90, 92–93, 246 Mailbox (EMC) server role, 250–251 tasks, 262–263 mailbox database/journaling, 264–265 mailflow Hub Transport server role and, 248–249 issues, 285 overview of, 285–286 MailFlow Troubleshooter tool, 259 Maintenance Plan Wizard, 321 Management Console. See Exchange Management Console; Group Policy Management Console; MMC Management Studio. See SSMS manual addressing, 28 manual DNS entries, 81–82 MAPI (Messaging Application Programming Interface), 251, 252, 253, 287 mapping drives, 40, 50, 93, 193 IP address, to domain name, 85 Massey, James L., 227
Mastering SQL Server 2008 (Sybex), 304 MCTS Windows Server 2008 Active Directory Configuration Study Guide (Panek & Chellis), 123 Media Access Control (MAC), 27, 30, 52 media types (for backups), 201–208, 216. See also backups direct attached storage, 208 external disks, 201–203 FireWire, 201–202 NAS, 5, 205, 206–208, 216 SANs, 205–206, 207–208 tape backup systems, 201, 203–205 USB, 202–203 member servers, 220–221 Memory Diagnostic Tool (Windows), 213, 214 merge mode (loopback processing), 187 Message Tracking tool, 259 Messaging Application Programming Interface (MAPI), 251, 252, 253, 287 messaging components, 286–287 categorizer, 248, 287 Microsoft Exchange Mail Submission Service, 287 Pickup directory, 287 store driver, 287 submission queue, 286–287 Microsoft Entourage, 270 Microsoft Exchange Mail Submission Service, 287 Microsoft Forefront Security for Exchange Server, 2, 4, 12, 13 Microsoft Management Console. See MMC Microsoft Office SharePoint Server. See SharePoint Server Microsoft Outlook 2007, 270. See also Outlook Web Access Microsoft SQL Server 2008 Standard for Small Business. See SQL Server Microsoft Windows Active Directory. See Active Directory migration (SBS 2003 to SBS 2008), 53–78 backups critical files, 55–57 Exchange Server data, 57–58 Exchange Server updates and, 72
MIGRATION HOME WIZARD
overview, 54 preparation BPA and, 67–68 firewall settings, 62–63 network, 59–64 server, 64–66 steps, 55–68 user preparation, 67 process overview, 72–73 seamless, 78 server image and, 59 testing recovery process, 59 upgrading v., 5–6, 53 Migration Home Wizard, 77 Migration Wizard, 76–77 mirroring, 198 mixed RAID modes, 200 MMC (Microsoft Management Console), 5, 317 Modify (permission), 165 mounting recovered database, 283–284 Move dialog box, 127 Move Windows SharePoint Services Data (link), 331 moving databases (SQL), 321–323 SharePoint data, 330–331 Mozilla Thunderbird, 270 MSExchangeOWAAppPool pool, 273 msExchDynamicDistributionList objects, 153 MSMQ Queue Alias objects, 119, 153 multicast address, 31 multiplatform environment, 271 MX (mail exchanger) records, 89–90, 92–93, 246
N name server records, 88–89 namespace wizard screen, 105 namespaces DFS, 101, 103, 104, 105, 107 domain, 80, 117 domain-based, 104, 105 stand-alone, 104, 105 naming conventions. See also DNS DFS Replication Groups, 108 distribution groups, 144
•
NETWORKS
DNS, 79, 117 192.168.16.X, 64 security groups, 144 server naming convention system, 79 UNC, 253 NAS (network attached storage), 5, 205, 206–208, 216 NASD 3010 and 3110 (National Association of Securities Dealers 3010 and 3110), 255–256 NAT (Network Address Translation), 29, 63, 231 National Association of Securities Dealers 3010 and 3110 (NASD 3010 and 3110), 255–256 nesting groups, 150 .NET application, Visual Basic–enabled, 265–268 NetBIOS convention, 86 Netdiag.exe, 68 Network Address Translation (NAT), 29, 63, 231 network administrator account (SBS installation), 10, 12 network attached storage (NAS), 5, 205, 206–208, 216 Network Configuration Operators group, 148 network device connectivity issues, 47–48 Network File System (NFS), 99, 207, 208 network interface cards. See NICs network layer, 26 network load balancing (NLB) clusters, 219 Network Users (special identity group), 147 Networking Essentials Summary screen, 16–22, 23 networks commodity, 218 SBS 2003 configuration, 60 migration, 59–64 SBS 2008, 25–52 command–line tools, 45–46 computer accounts added to, 36–37 configuration, 60 connectivity issues, 47–48 diagnosing problems, 46–48, 52 expanding, 34–44 manual joining, 44 migration preparation, 59–64 planning, 27–32 problems, 46–48
373
374
NEW OBJECT–COMPUTER
•
PDC EMULATOR MASTER
servers in, 27 user accounts added to, 34–36 wireless, 48–52 VPNs, 143, 229–234 wireless, 48–52 New Object–Computer, 133, 134 New Object – Organizational Unit Wizard, 123, 124 New Object–Printer, 135 New Object – User Wizard, 125, 126 New Replication Group Wizard, 108, 109 New Zone Wizard, 91 NFS (Network File System), 99, 207, 208 NICs (network interface cards) disabling, 61 removing, 61–62 support for, 5, 61 987 port (HTTPS traffic), 237, 328 Ninja Blade, 249 NLB (network load balancing) clusters, 219 noncritical business data (backup strategy), 208, 211–212 nslookup, 45, 46 NT LAN Manager (NTLM), 273, 335 NTBACKUP utility, 55, 58, 212, 280 NTLM (NT LAN Manager), 273, 335
O Object Browser, 320 Object Explorer, 307–309, 310, 311, 315, 316, 318, 320, 321, 322, 323 objectives (Group Policy), 174, 177–178 objects (Active Directory). See also Group Policy objects computer, 119, 153 contact, 119, 153 creating, 133–140 group, 119, 153 InetOrgPerson, 119, 153 large object actions, 135–140 msExchDynamicDistributionList, 153 MSMQ Queue Alias, 119, 153 printer, 119, 153 types, 118–119 user, 153
Offer process (DHCP), 32 OLAP (online analytical processing) databases, 295 OmniCorp, 164 192.168.16.X naming convention, 64 1723 port, 231 online analytical processing (OLAP) databases, 295 Open Active Directory Users And Computers Snap–In, 152–153, 155, 157, 159, 160, 161 OpenPGP, 227 Operations (Server Operations), 332, 337 Organizational Configuration Mailbox, 262 organizational units (OUs), 117, 118, 119, 122–133 creating, 123–125, 140–141 delegating, 128–130 deleting, 127 design, 123 dividing for power (example) and, 131 grouping/subgrouping, 131–133 inheritance and, 127 managing, 125–127 renaming, 127 security groups v., 153 OUs. See organizational units Outlook 2007, 270 Outlook Anywhere, 271–273 Outlook Web Access (OWA), 241, 251, 252, 253, 273, 274 OWA. See Outlook Web Access OWA pool, 273 Owner/Creator (special identity group), 147
P Panek, Will, 123 parallelization, 218 parity bit, 199 partial backups, 209 partitions, 197 passwords ActiveSync, 275 sniffing, 51–52 user account, 36 wireless networks (unsecured) and, 51–52 Pathping, 45–46 PATRIOT Act, 256 PDC emulator master, 121
PEGASUS
Pegasus, 270 Performance Log Users group, 148 Performance Monitor, 260, 261 Performance Monitor Users group, 148 performance reports, 326 Performance Troubleshooter, 260 permission lists (access control lists), 164–165, 170, 206 permissions, 164–170 default security groups and, 149 file/folder, 165–170 groups and, 153 modifying, EMS and, 266–267 special folder, 167 PGP (Pretty Good Privacy), 226 physical connectivity issues, 47 Pickup directory, 287 Pine, 270 ping, 45, 46, 52 pipeline, transport, 286 piping (EMS), 265 planning stage (Group Policy), 174–175 pointer (PTR) records, 85, 88, 89 policy definitions, 174. See also Group Policy Policy Definitions (ADMX files), 183 pools application pools, 273, 335, 340, 341 DHCP pools, 28, 32, 33 MSExchangeOWAAppPool pool, 273 OWA pool, 273 web pool, 219, 273 POP3 (Post Office Protocol), 246, 252, 253, 254, 263, 269, 270 portable content, 40–44 ports 8080, 206 firewall settings and, 62–63 port 21 (FTP), 62 port 22 (SFTP), 62 port 25 (SMTP), 62, 246 port 80 (HTTP traffic), 62, 206, 237, 238, 328 port 443 (HTTPS traffic), 62, 206, 237, 328 port 444 (SharePoint Companyweb), 62 port 987 (HTTPS traffic), 237, 328 port 1723, 231
•
PROTOCOLS
port 3389 (Remote Desktop), 62, 234, 237 port 4125 (Remote Web Workplace), 63, 238 port 4150, 238 port 4721, 332 random, 334, 335 Post Office Protocol. See POP3 PowerShell, 2, 3, 267–268 premium journaling, 256 Pretty Good Privacy (PGP), 226 Pre-Windows 2000 Compatible Access group, 148 primary key, 312, 313, 314 primary zones, 85–86 Print Operators group, 148 printer objects (Active Directory), 119, 153 private keys, 228, 230, 235 processing notification screen, 336 Products and Technologies Wizard (SharePoint), 331–332 Prohibit Access To The Control Panel dialog box, 183 proper planning prevents poor performance (5 Ps), 78, 179 Properties dialog box, 154, 156, 158, 160, 232, 235 protocols. See also IP addresses ActiveSync, 252, 253, 254, 263, 274–275 DHCP, 32–34 pools, 28, 32, 33 shorter licenses for, 61 FTP, 50, 52, 62 HTTP, 272 port 80 and, 62, 206, 237, 238, 328 RPC and, 271–273 HTTPS port 443 and, 62, 206, 237, 328 SSL and, 272 ICMP, 45, 46 IMAP4, 246, 252, 254, 263, 271 POP3, 246, 252, 253, 254, 263, 269, 270 RDP, 229, 234–236, 243 SFTP, 62 SMTP, 245, 246–248 errors, 287–289 receive connectors, 286 send connectors, 286
375
376
PROXY SERVERS
•
/RELEASE
TCP/IP, 26, 45, 62, 83, 206, 207, 218, 252 TKIP, 50, 227 proxy servers, 5 PTR (pointer) records, 85, 88, 89 public keys, 228, 275 public shares, 94–95 publisher, 295 purpose (Group Policy), 174
Q queries, DNS, 84–85 Query window, 309, 310, 315, 316, 317 Queue Viewer, 259 quota policy, 100 Quota Policy screen, 100 quota templates, 101, 110, 111 quotas, with FSRM, 110, 111
R RAID (Redundant Array of Independent Disks), 195–201 configurations, 198 hybrid, 198, 200–201 speed and, 197 RAID 0, 198 RAID 0+1, 198, 200–201 RAID 1, 198–199 RAID 5, 199–200 raising functional levels, 65–66 random ports, 334, 335 RC4, 50 RC4 encryption algorithm, 50 RC5, 27 RDC (Remote Differential Compression), 103, 104, 108 RDP (Remote Desktop Protocol), 229, 234–236, 243 Read (permission), 165 Read & Execute, 165 Read-Only Domain Controller, 6 read-only domain controller, 6 real world scenarios access v. security, 254 answer file, 71 database creation with SQL Server Express, 293–294
distribution groups as filters, 164 Exchange Server loss/recovery plan, 58–59 firewall selection, 63–64 5 Ps and, 78, 179 functional levels, 65–66 Group Policy deployment, 180 multiplatform environment, 271 OUs and dividing for power, 131 records (DNS) creating, 90–92 MX configuration, 92–93 SBS 2008 installation in migration mode, 73–76 second server, 221 unsecured wireless network passwords, 51–52 VPNs, 231 receive connectors (SMTP), 286 Recipient Configuration Mailbox, 263 records (DNS records), 85, 87–93 alias, 86, 89 CNAME, 86, 89 creation, 90–92 host (A), 85, 87, 88, 89, 90, 92 MX, 89–90, 92–93, 246 name server, 88–89 PTR, 85, 88, 89 recovery, 212–216. See also backups bare-bones, 212–216 bulk-logged, 318 Exchange Server 2007 and, 276–286 file, 212 full, 318 simple, 318 Recovery Wizard, 281 recursion, 180 recursive queries, 84–85 Recycle Bin timer job, 345, 347 redirected folders (default share), 95–98 Redundant Array of Independent (or Inexpensive) Disks. See RAID Regional Internet Registry (RIR), 31 regulations, 255–256 relational databases. See databases relative ID master (RID master), 120, 121 /release, 45
REMOTE ACCESS
remote access email and, 271–273 encryptions, 224–228 AES, 226 asymmetric, 228 blowfish, 227 ciphers and, 225–226 DES, 227 IDEA, 227 PGP, 226 RC4, 50 RC5, 27 symmetric, 228 TKIP, 50, 227 triple DES, 227 introduction, 224 RDP and, 229, 234–236, 243 RWW and, 229, 236–243 VPNs and, 143, 229–234 remote authentication, 230 Remote Desktop Protocol (RDP), 229, 234–236, 243 Remote Desktop Users group, 148 remote desktops connecting to, 235–236 port 3389 and, 62, 234, 237 Remote Differential Compression (RDC), 103, 104, 108 Remote Procedure Call (RPC), 251, 271–273 Remote Web Workplace (RWW), 229, 236–243 customization, 239, 241–242 Gadget, 241 links list, 239 pool, 238 prerequisites, 237 Properties dialog box, 242 terminal services gateways and, 240 user access setup, 237–238 Users (security group), 149 using, 239–240 Remove_ControlPanel, 182, 184, 188 removing control panel, 173, 177, 180, 182, 183, 184 /renew, 45 Repadmin.exe, 68 replace mode (loopback processing), 187
•
SCOPES
replication continuous, 280 DFS, 103, 104, 105, 108–110 groups, 104, 108–110 SQL Server and, 294–295 Replicator group, 148 Reporting Services (SSRS), 292, 295 Request process (DHCP), 32 reserved addresses, 29, 30 Reset Internet Information Services setting, 336 resolution process, DNS, 82–83 resolvers (DNS), 83 restoration. See Backup and Restore Restore Database window, 320 reverse lookup zones, 87 RID (relative ID) master, 120, 121 Rijndael, 226 RIR (Regional Internet Registry), 31 Rivest, Ron, 227 roles. See server roles ROT13 cipher, 225–226 rotation (backup data), 210 routers, 26–27, 63 routing (Hub Transport server role), 249 Routing Log Viewer, 259–260 RPC (Remote Procedure Call), 251, 271–273 RSA encryption, 62, 227, 275 RWW. See Remote Web Workplace
S safe scripting, 266 SANs (storage area networks), 205–206, 207–208 Sarbanes-Oxley Act of 2002 (SOX), 255 satellite technology, 48 SBS 2003. See Small Business Server 2003 SBS 2008. See Small Business Server 2008 SBS Console (Windows SBS Console), 15–22 SBS default security groups, 149 scheduled jobs, 294 schema master, 121 Schiener, Bruce, 227 scopes Delegation Of Control Wizard and, 130 DHCP, 33 domain local groups, 145, 146, 147, 150, 151
377
378
SCRIPTING (EMS)
•
SHAREPOINT SERVER
FSMO Servers, 121 global groups, 146 GPOs, 177, 186 group, 145–146, 159–160 journal rule scope, 256 universal groups, 145–146 scripting (EMS), 266 seamless migration, 78 Search Server, 336 second server, 217–224, 243 clustering and, 218–222 reasons for, 217–218, 221 secondary zones, 86 Secure File Transfer Protocol (SFTP), 62 Secure Sockets Layer (SSL), 76, 229, 230, 272, 273, 275, 335 security access v., 254 ActiveSync, 275 certificate, 329, 330, 335, 347 Networking Essentials Summary screen and, 18 SharePoint Server and, 325 wireless networking, 50–52 Security Configuration area, 335, 337 Security Exchange Commission Rule 17a–4, 255 security groups, 143–144 added to folder, 169–170 administering, 157–160 default, 149 file permissions, 169–170 naming convention, 144 OUs v., 153 removing, 159 security identifiers (SIDs), 157 security permissions. See permissions security services screen (SBS installation), 12–13. See also Forefront Security for Exchange Server; Live OneCare for Servers SELECT, 310, 317 send connectors (SMTP), 286 Server Configuration Mailbox, 262–263 Server Core installation, 6, 223 Server Manager, 16, 105, 272 Server Message Block (SMB), 99, 207, 335
Server Operations, 332, 337 Server Operators group, 148 server roles (Exchange Server 2007), 248–255, 268 Client Access, 252–253 Edge Transport, 255 Hub Transport, 248–250 Mailbox, 250–251 Unified Messaging, 253 servers adding, 217–224, 243 conflicts (DHCP), 33 farms, 332, 333, 337, 338, 339 images, 59 member servers, 220–221 naming convention system, 79 in network, 27 second, 217–224, 243 clustering and, 218–222 reasons for, 217–218, 221 server/network screen (SBS installation), 10, 11 virtualizing, 222–223 services document, 326 special identity group, 147 SQL Server, 317–318 terminal, 240 services.msc, 285, 328, 337 Setup Virtual Private Networking Wizard, 232 SFTP (Secure File Transfer Protocol), 62 Shared Folder Location Wizard, 98 shared folders (Active Directory), 119, 153 Shared Folders And Web Sites, 237, 239, 241, 326 SharePoint Products and Technologies Wizard, 331–332 SharePoint Server, 325–348 administration tasks, 332–333 Backup and Restore, 338–343, 347–348 backups, 330–331, 338–343 Companyweb, 62, 76, 77, 326, 328, 329–330, 347 components, 326–328 configuration, 329–332 IIS and, 326–327 moving data, 330–331 network components, 328–329
SHAREPOINT SERVICES
•
overview, 326 Products and Technologies Wizard, 331–332 timer jobs, 343–345, 347 usages for, 326 website creating, 333–337 editing, 345–347 website creation with, 333–337 SharePoint Services 3.0, 3, 326 SharePoint_Members Group, 149 SharePoint_OwnersGroup, 149 SharePoint_VisitorsGroup, 149 shares creating, 98–102 default, 94–98 public, 94–95 redirected folders, 95–98 user, 98 sharing files, 93–102, 113 sharing folders, 170 SIDs. See security identifiers simple disks (RAID), 196 simple recovery, 318 simplicity KISS rule, 271 user experience, 33–34 Site Bindings dialog box, 328 sites (Active Directory), 116 64-bit processors (virtualization), 7, 23 Small Business Server (SBS) 2003. See also migration administration models, 119–120 design models, 119–120 network configuration, 60 Small Business Server (SBS) 2008 default security groups, 149 installation, 6–9 customization, 9–14 in migration mode, 72–78 Server Core, 6, 223 twice, 22 types, 6 limitations, 4–6, 53–54 migrating to, 5–6, 53–78 MMC and, 5
SQL SERVER (SQL SERVER 2008 STANDARD FOR SMALL BUSINESS)
network, 25–52 network configuration, 60 overview, 1–5 Premium version features, 2 read–only domain controller, 6 requirements, 1–6 SQL Server and, 295–296 Standard version features, 2 support client operating systems, 5 NICs, 5 proxy servers, 5 trial, 3 small office/home office. See SOHO SmartCorp, 221 SMB (Server Message Block), 99, 207, 335 SMTP (Simple Mail Transfer Protocol), 245, 246–248 errors, 287–289 receive connectors, 286 send connectors, 286 snap-ins Active Directory Domains And Trust, 65, 66 Group Policy, 172, 173 Open Active Directory Users And Computers, 152–153, 155, 157, 159, 160, 161 sniffing passwords, 51–52 software deployment (Group Policy), 189–191 Software Installation Properties dialog box, 190, 191 software RAIDs, 196–197 SOHO (small office/home office), 25–27. See also networks SOX (Sarbanes-Oxley Act of 2002), 255 span, 198 special identity groups, 147 Special_Users, 173, 175 speed RAID and, 197 wireless networking and, 49–50 SQL (Structured Query Language), 3 SQL Server (SQL Server 2008 Standard for Small Business), 3, 291–323. See also databases administering, 317–323 backup, 318–321
379
380
SQL SERVER ANALYSIS SERVICES (SSAS)
•
THROUGHPUT
Books Online, 295, 300, 304, 310 configuration, 296–306, 323 data (backup strategy), 208, 211 database administration, 294 database mail, 294 database management, 294 defined, 291–292 editions, 292–293 features, 294–295 Full-Text Search, 292, 295 installation, 296–306, 323 licensing requirements, 296 logging into, 306–307 Mastering SQL Server 2008 (Sybex), 304 online information, 318 replication and, 294–295 SBS environment and, 295–296 service pack installation, 304–306 using, 306–317, 323 SQL Server Analysis Services (SSAS), 295 SQL Server Configuration Manager, 317, 318 SQL Server Integration Services (SSIS), 292, 293, 294, 295, 316 SQL Server Management Studio. See SSMS SQL Server Reporting Services (SSRS), 292, 295 SQL Server services, 317–318 SSAS (SQL Server Analysis Services), 295 SSIS (SQL Server Integration Services), 292, 293, 294, 295, 316 SSL (Secure Sockets Layer), 76, 229, 230, 272, 273, 275, 335 SSL remote authentication, 230 SSMS (SQL Server Management Studio), 291, 307–310 SSMS Import Wizard, 316 SSRS (SQL Server Reporting Services), 292, 295 stand-alone namespaces, 104, 105 Standard edition (SQL Server), 293 standard journaling, 256 starter GPOs, 184 static addressing, 28 S/TNEF (Summary Transport Neural Encapsulation Format), 287 StoopidCorp, 221 storage area networks (SANs), 205–206, 207–208
storage recovery group (Exchange Server), 282–283 store driver, 287 striping, 198 structured data support (EMS), 265–266 Structured Query Language. See SQL stub zones, 86 subgrouping/grouping OUs, 131–133 submission queue, 286–287 subnets, 26 subscriber, 295 Summary screen (SBS installation), 13–14 Summary Transport Neural Encapsulation Format (S/TNEF), 287 switches (IPconfig tool), 45 switches (network hardware device), 27, 63 Sybex, Mastering SQL Server 2008 and, 304 symmetric encryption, 228 syncing technology. See ActiveSync system policies, 171–172. See also Group Policy System Properties dialog box, 235
T Table Designer, 312, 313, 314, 315 tables (database tables) creating, 312–315 data inserting, 315–316 viewing, 316–317 tape backup systems, 201, 203–205 DAT, 203 LTO, 203–205 task-based system, MMC and, 5 TCP/IP, 26, 45, 62, 83, 206, 207, 218, 252 Tech Republic, 263 Temporal Key Integrity Protocol (TKIP), 50, 227 Terminal Server License Servers group, 149 Terminal Services, 240 Application Mode, 4 gateways, 240 licensing, 72 terminal services, 240 3389 port (Remote Desktop), 62, 234, 237 throughput, 63
THUNDERBIRD
Thunderbird, 270 time zone, 9–10, 70 timer jobs, 343–345, 347 TKIP (Temporal Key Integrity Protocol), 50, 227 Toolbox (EMC) disaster recovery section, 259 mail flow analysis section, 259–260 performance section, 260–261 top-level domains, 80, 81 tracking customers, 326 Transact SQL (T–SQL), 310, 318, 321, 323 transaction log backups, 318, 319 transaction logging, 277–279 transmission channels, 50 transport pipeline, 286 Transport Rules agent, 250 trials, 3, 5 triple DES, 227 troubleshooting Backup and Restore, 341–343, 348–349 Database Troubleshooter tool, 259 mailflow, 285 MailFlow Troubleshooter tool, 259 Performance Troubleshooter, 260 SMTP errors, 287–289 trusted scripts, 266 trusts, 4, 117, 148 T-SQL (Transact SQL), 310, 318, 321, 323 Tuchman, Walter, 227 25 port (SMTP), 62, 246 21 port (FTP), 62 22 port (SFTP), 62
U unicast address, 31 Unified Messaging EMC and, 264 server role, 253 universal groups, 145–146 Universal Serial Bus. See USB unsorted files (backup strategy), 208, 212 UPDATE, 310 Update Services 3.0, Windows Server, 2 Updates (Networking Essentials Summary screen), 16–18
•
WEB APPLICATIONS
Updates tab, 16, 17 upgrading. See also migration Active Directory, 68–70 migration v., 5–6, 53 USB (Universal Serial Bus), 202–203 user accounts, 34–36 creating, 152–157 LDIFDE.exe and, 139–140 user experience, simplifying, 33–34 user groups creating, 170 defined, 147 renaming, 157–159 user objects, 153 user shares, 98 Users group, 149
V Verizon FIOS, 48 Virtual Private Network Users (security group), 149 virtual private networks (VPNs), 143, 229–234 virtual trees (DFS namespaces), 104 virtualization, 222–223 Hyper–V and, 222–223 64–bit processors and, 7, 23 unified messaging and, 264 viruses. See antivirus protection Visual Basic–enabled .NET application (EMS), 265–268 VPNs (virtual private networks), 143, 229–234 connecting to, 232–234 groups enabled for, 232 hardware–based, 230–231 setting up, 231–232 software–based, 231
W WAN balancing, 63 WatchGuard, 63, 230 web activation, 37–40 web applications application pools, 273, 335, 340, 341 creating, 333–337 editing, 345–347
381
382
WEB APPLICATIONS AREA
•
ZONES (DNS)
Web Applications area, 273, 338 web parts, 345–346 web pool, 219, 273 website (SharePoint website) creating, 333–337 editing, 345–347 WEP (Wired Equivalent Privacy), 50 Windows authentication, 307, 336 Windows Authorization Access Group, 149 Windows Credentials dialog box, 224 Windows Internet Name Service (WINS), 86 Windows Live OneCare for Servers, 4, 12, 13, 18, 19, 20 Windows Memory Diagnostic Tool, 213, 214 Windows NT data (backup strategy), 208, 209 Windows SBS Client –Windows XP Policy, 181–184 Windows SBS Console. See SBS Console Windows Server 2008 Standard Technologies, 2 Windows Server Group Policy. See Group Policy Windows Server Update Services 3.0, 2 Windows Small Business Server 2008. See Small Business Server 2008 Windows XP Hyper-V and, 222 Windows SBS Client - Windows XP Policy, 181–184 WINS (Windows Internet Name Service), 86 Wired Equivalent Privacy (WEP), 50 wireless networking, 48–52 limitations, 48–49 security, 50–52 speeds/frequencies, 49–50 wireless packet sniffer, 51–52 wizard mode, 55. See also NTBACKUP utility wizards Active Directory Domain Services Installation Wizard, 223 Add A New Site Wizard, 335 Add Exchange Administrator Wizard, 261 AddUserWizard, 76
ADPREp.exe tools and, 69 Backup Schedule Wizard, 210, 211 Configure Email And Internet Connection Wizard, 62 Console Wizard, 34 Database Maintenance Plan Wizard, 320 Delegation Of Control Wizard, 128, 130 Enable Outlook Anywhere Wizard, 273 folder sharing and, 170 Group Policy Results Wizard, 193 Maintenance Plan Wizard, 321 Migration Home Wizard, 77 Migration Wizard, 76–77 namespace wizard screen, 105 New Object –Organizational Unit Wizard, 123, 124 New Object –User Wizard, 125, 126 New Replication Group Wizard, 108, 109 New Zone Wizard, 91 Products and Technologies Wizard, 331–332 Recovery Wizard, 281 Setup Virtual Private Networking Wizard, 232 Shared Folder Location Wizard, 98 SSMS Import Wizard, 316 workflow settings, 337–338 WPA2-Personal, 50 WPA-Personal, 50 Write (permission), 165
X XML ActiveSync protocol and, 274 answer file and, 71 backup directory and, 342, 343 EMS and, 266 value range, 313 web part, 346
Z zones (DNS), 80, 85–87
Run Your Small Business Network Without a Giant IT Department
Master All the Technologies and Components in Windows SBS 2008
If you run a small business, you need a network infrastructure fit especially for one. With its rich collection of server and management technologies such as Exchange Server 2007 and SharePoint Services 3.0, Windows SBS 2008 fills this niche perfectly. Master all SBS components, then see how to set up, deploy, and administer SBS 2008 successfully in your organization with the step-by-step instructions in this comprehensive guide.
Set Up, Deploy, and Administer SBS 2008 in Your Small Business Create an Enterprise-Class Network at a Lower Cost
COVERAGE INCLUDES: • Planning a Windows Small Business Server 2008 network • Installing, configuring, or upgrading SBS 2008 for the first time • Using the command line for network administration tasks • Configuring and using Active Directory®, Group Policy, and SQL Server® • Creating and controlling users, printers, and groups • Setting up Exchange with your network and configuring email and webmail accounts • Handling disaster recovery, backup, and disk management
Integrate with Windows Server® 2008, SQL Server® 2008, Exchange Server 2007, Windows® SharePoint® Services 3.0, and More Reinforce Your Skills with Real-World Examples
ABOUT THE AUTHOR Steven Johnson is a technical writer and IT consultant who specializes in Windows System Administration, Cisco Networking, and Microsoft Exchange. He holds many certifications and is the author of several books, including MCITP: Windows Server 2008 Enterprise Administrator Study Guide (Exam 70-647). Steven is also a frequent speaker at technology events, including CompTIA tradeshows.
www.sybex.com
ISBN 978-0-470-50372-0
CATEGORY COMPUTERS/Operating Systems/ Windows Server & NT
$49.99 US $59.99 CAN