2012-07-23

This list is the guide that we use to set up our SBS 2011 boxes or VMs in a consistent manner. As with earlier versions of SBS, this version too will require a number of post OS install tweaks and configuration steps.

TechNet: SBS 2011 Release Notes
Microsoft Support: KB2483007 Windows SBS 2011 Standard Known Post Installation Event Log Errors and Warnings

The following assumes that the server manufacturer’s prep disk was used to update the BIOS, motherboard firmware, RAID controller firmware, backplane firmware, and any other device’s onboard firmware prior to installing the SBS 2008 OS. The firmware update step is an absolutely critical one for the stability of the server.

Note that we do not input the Product Key into the OS until we are ready to put the server into production or are on the edge of finishing up a migration.

The SBS 2011 Setup Steps

When installing into a VM set the time.

MPECS Inc. Blog: Hyper-V- Preparing A High Load VM For Time Skew
Standalone: When virtualizing SBS on a standalone server set the host to poll pool.ntp.org for the correct time. Configure the host’s firewall to allow NTP polling on the local subnet. Then set the SBS VM to poll the host’s IP or hostname for time using the above settings.
Clustered: Have the standalone DC polling pool.ntp.org and set as the authoritative time source for the domain. Have SBS and other VMs poll the standalone DC for their time using the above settings.

Install the manufacturer’s drivers.

RAID including RAID monitoring/status software.
Chipset.
Video.
NIC (Do not team). Unplug or disable any extra NICs for now.
Management suites from the hardware manufacturers will be installed later on in this process.
We do not install System Center Essentials that is provided by Intel on our Intel based SBS 2008 servers.

Desktop

Set the desktop resolution for the monitor attached.

Keep in mind that some remote management modules such as Dell’s DRAC may not work if the monitor’s resolution is set too high.

Enable desktop icons:

Click Start –> type: Desktop Icons [Enter].



GUI Customization

Windows Explorer.

Extensions, Show hidden . . .



Start Menu.
Notification Area.

 
Remove the Speaker from the System Tray.

Add a Desktop Toolbar to the Task Bar.

Internet Explorer.

Add http://download.microsoft.com to Trusted Sites.

Task Manager Process Column Customization.

PID, memory usage, maximum memory usage, I/O Bytes (3)

Partitioning

NEW: RAID 5 with 4x 15K SAS Spindles (four drives) is now our default RAID setup for small clients.

For our 8-15 seat clients we will configure 5 15K SAS spindles in RAID 5 plus a hot spare depending on their I/O requirements.
With the advent of the 300GB and 600GB Intel 320 Series SSDs we are looking to SSD going forward for those clients that require ultra-high performing storage systems.
For clients with around 15 seats or more we are starting to configure a standalone 1U server for virtualization or Hyper-V Cluster directly attached to a Promise VTrak RAID Subsystem (VTE310sD or VTE610sD) for maximum storage flexibility.

Name after the amount of storage is the drive label.

~900GB Usable (4x 300GB 15K SAS)
C: 150GB SS-SBS (Rename to SBS server name)
S: 1.5x RAM xxGB SwapFile (Min. 10GB RAM * 1.5 with wiggle room)

32GB SwapFile
SBS 2011 swap file configuration out of the box:

 

L: 718GB WorkingStorage

Note: Exchange 2010 has been designed from the ground up to utilize more RAM. Adding more RAM for Exchange performance would be our priority before adding more spindles to the RAID 10 set.
Also, we do not install SATA hard drives of any kind into server settings anymore. In our experience they are too problematic in RAID arrays no matter which manufacturer made them. 
MPECS Inc. Blog: SAS versus SATA and Hardware RAID versus Software RAID.

Move the optical drive letter to Z:.
Move the Swap File (Reboot).

SBS 2011: Do _not_ Copy and paste this services shutdown batch file onto the desktop (previous blog post).

The Exchange 2010 team has addressed the issues of having Exchange installed on a DC with this version. Exchange 2007 had shutdown timing issues thus the long shutdown times.

Install and configure Print Services Role: SBS 2008 Terminal Services and HP Printer Drivers (previous blog post).

Windows Native Tools Management Console modifications

Add the Group Policy Management Console
Add the Print Management snap-In (after adding the Print Server Role).
Add the Share and Storage Management snap-in.
Add the File Server Resource Manager snap-in.
Add the Remote Desktop Services Manager snap-in.
Add the Windows Server Backup snap-in.

Configure an authoritative time source for the SBS OS.

Blog Post: Hyper-V- Preparing A High Load VM For Time Skew

This is the best methodology to date for setting up a VM’s Windows Time Service.

Blog Post: SBS 2008 Physical And Hyper-V – Set Up the Domain Time Structure.

The default time.windows.com is not a reliable source.

TechNet: Synchronize the Source Server time with an external time source for Windows SBS 2008 migration.
Once the commands have run, an error message or two may show in the Event Logs soon to be replaced by a successful connection to the authoritative time source.
Note Oliver Sommer’s comments in the above article.

Enable ShadowCopies on the WorkingStorage partition and set a schedule. We use before hours, coffee, lunch, coffee, and after hours for the schedule.

DHCP IPv4 Properties (DNS updates & credentials)

Enable Name Protection and set the credentials.

DHCP additional exclusions for printers (x.1-10 if not present) and servers (x.250-254).
DNS Settings for Scavenging at 7 days and AD integrated zones.
Verify NIC Binding Order Settings: Blog Post: Slow Network Speeds with SBS 2008 and 2011: NIC Binding Order
Create a 10GB Soft Quota (File Server Resource Manager).
Enable firewall logging and pop-ups: SBS 2008 Windows Firewall with Advanced Security troubleshooting (previous blog post).

Customize the firewall setup for QuickBooks.

QuickBooks Connection Diagnostic Tool Post (Previous blog post).

Customize the firewall setup for Simply Accounting (Previous blog post).

Create the default Company Shared Folder with required NTFS and share permissions on the L: WorkingStorage partition.

Share Name: Company.
Quota: 10GB Soft.
Enable Access-based Enumeration.
NTFS Permissions:

Domain Admins = FULL.
Domain Users = Modify.
Leave default machine based permissions.

Share Permissions:

Everyone = FULL.

Create the ClientApps (previous blog post on GP and the ClientApps folder) on the L: WorkingStorage partition.

Share Name: ClientApps.
Quota: None.
Enable Access-based Enumeration. Subfolders can be given custom permissions at a later date to exclude users or groups and thus hide those subfolders from them.
NTFS Permissions:

Domain Admins = FULL
Domain Users = FULL
Domain Controllers = FULL
Domain Computers = FULL

Share Permissions:

Everyone = FULL

Make changes to the WSUS Setup:

WSUS Classifications: Enable all.
WSUS Sync Schedule: Increase synchronization frequency schedule depending on what products are installed on the server.

Getting Started Tasks – Out of Order

Configure and take a backup now.
Times: 12:30, 17:30, 23:30.

Make sure that the backup times and the Volume Shadow Copy snapshots do not happen at the same time.

Backup Now by right clicking on the configured backup and running it.

Backup in between each batch of updates.

Windows Server 2008 R2 Service Packs

Download and install the latest Windows Server 2008 R2 Service Pack (Bing Search)

Be aware that the install process may take a while.

Exchange 2010 Updates

Out of the box SBS 2011 has Exchange 2010 SP1 installed.

Exchange Update Rollup Search on Microsoft Downloads
Exchange Service Pack Search on Microsoft Downloads

Server Updates via WSUS/MU.

Update to the latest SBS Update Rollup first.
Run updates according to the following product groups:
Windows Server 2008 Standard R2

Run OS Updates at around 10-15 per reboot cycle.
Run OS Security Updates at around 5-10 per reboot cycle.

Exchange SP1/2/3 or Exchange Rollup RU1/2/3/etc 
.NET

If .NET v1 is present update first.
Do .NET v2 and v2.x updates one at a time.
Do .NET v3 and v3.x updates one at a time.
Do .NET v4 and v4.x updates one at a time.
Reboot between each cycle as requested.

SQL

Start with 2005 versions.
Next to 2008 versions.
Next to 2008 R2 versions.

WSUS, and others.
SharePoint Foundation Updates should be run separately.

Back Up Before SharePoint Updates!
NOTE: Official SBS Blog: You Must Manually Run PSCONFIG after Installing SharePoint 2010 Patches

Create a new User Role in the SBS Console.

Name: Standard User – Restricted.
Remove all Group Memberships.
Add the Domain Users security group only.
Remove OWA permission.
No RWW or VPN.
Verify permissions in the User Role after it is created.
This role is used for the local admin account deployed via Group Policy later in this guide.

Create and configure the Group Policy Central Store (Previous blog post).

OPTION: Raise both Domain and Forest Functional level to 2008 R2

This is accomplished in AD Domains and Trusts.

Group Policy Configurations (previous blog post):

Windows Computer Policy:

Firewall Exceptions:

Enable Remote Event Log Management (previous blog post).
Remote Volume Management
Remote Desktop Protocol and RemoteFX Protocol

Set limits to the RDP setup on the server and clients (previous blog post).
Local Policies: User Rights Assignment.
Local Policies: Security Options.

Enable UAC by default in Group Policy (previous blog post).
NOTE: The UAC structure can be split up between Computers, SBSComputers, and SBSServers GPOs so that domain/local admin accounts only get prompted on servers.

Remote Connectivity: Restrict certain RDP related settings (previous blog post).

Windows SBSUsers Policy:

Configure Screensaver Management. Our default is 45 minutes with logon.scr as the default SS. Password is always required.

2010-10-18: For Windows 7 we now use scrnsave.scr as the basis for all screensavers which is a blank screen.

Mapped Network Drive (M: = \\SS-SBS\Company) via Group Policy Preferences
Set the Companyweb as the default site in IE.
Add the RWW and OWA URLs to IE’s Favourites.

Windows SBSComputers Policy:

Deploy a restricted domain user to _all_ systems’ Local Admin Group.

Create a new user using the Standard User – Restricted Role.
Deploy to workstations’ Local Admin Group via Group Policy Preferences.
Remove the user’s mailbox (previous blog post).

Windows Printer Deployment Policy:

Deploy printers to XP Professional x86 (previous blog post).
Deploy printers to Windows Vista using the Printer Management snap-in.

Windows SBSComputers XP Pro Policy:

Deploy Windows Defender to Windows XP Professional (Optional).

Install the server hardware manufacturer’s management software suite.
Set the SBS Domain Password Policies (60-75 days, 10-12 characters minimum with complexity).

Note that all users’ passwords will reset to request a new password!

Enable Folder Redirection to SBS.

Changing the security settings in the default GPO for redirection will show FR as not enabled in the SBS Console.
We remove the Exclusive Access setting on any folders redirected to remove complications when it comes time to migrate the client to a new server.

OR: Enable Folder Redirection to a separate server (previous blog post).
Remove the Public share in the SBS Console.
Self-issued certificate: copy the package to the Network Admin\SBS folder in the Company shared drive. (We create a Network Admin folder in the Company Shared Folder at all client sites).
If using a GoDaddy certificate, make sure to install the GoDaddy Intermediate certificates (download page) into the Intermediate Certification Authorities store individually to avoid any issues later.

Install the gd_cross_intermediate.crt first
Install the gd_intermediate.crt second
Disable All Uses for GoDaddy Class 2 root certificate in Trusted Root Certification Authorities if present.

Check for this one after installing the actual certificate at step 5.

Restart the IISAdmin service.
Install the GoDaddy certificate using the wizard.

Move the relevant data folders to the L: partition. We move all but the Exchange databases.

WSS (SharePoint) Data.
Users’ Shared Folders.

Re-enable Access-based Enumeration

Users’ Redirected Folders Data.

Re-enable Access-based Enumeration

WSUS Update Repository Data.

SBS Console Getting Started Tasks.

Connect to the Internet.
Customer Feedback options.
Set up your Internet address.
Configure a Smart Host for Internet e-mail.
Add a trusted certificate.
Configure server backup: Earlier in this checklist.
Add new users (use the multiple wizard under users if there are a lot of users to add).
Connect computers: http://connect.
Share Printers via Group Policy for Windows Vista and PushPrinterConnections.exe for Windows XP Pro SP3 (both links are previous blog posts).

Configure the Reports e-mail addresses.
Configure Workstations on the domain.
Official SBS Blog: How to Configure SBS 2011 Standard to Accept E-mail for Multiple Authoritative Domains
E-mail Enable the SharePoint Foundation Companyweb site (Official SBS Blog Post).  Then:
Enable an MFP or Copier to Scan To E-mail Destined To A Companyweb SharePoint Library (previous blog post).

Run the following in an elevated Exchange Management Shell to increase the allowed attachment size (100MB is our default):

Set-ReceiveConnector "Copier Send to E-mail" -MaxMessageSize 100MB

Make sure to verify the largest file size setting in SharePoint.

Aimless Ramblings: Large Files in SBS 2008’s Companyweb

OPTION: If using Exchange 2010 AntiSpam set up a library on Companyweb called Spam.

E-mail enable the library with spam@companyweb
Set Exchange AntiSpam to REDIRECT instead of DELETE to spam@companyweb

Change the Default Message Size Limits for outgoing and inbound messages in the Exchange Management Shell:

Set-TransportConfig -MaxSendSize 25MB -MaxReceiveSize 25MB
Set-ReceiveConnector "Windows SBS Internet Receive ServerName" -MaxMessageSize 25MB
Set-SendConnector "Windows SBS Internet Send ServerName" -MaxMessageSize 25MB
Check the status for each connector:

Get-TransportConfig | ft name, MaxSendSize, MaxReceiveSize
Get-ReceiveConnector | ft name, MaxMessageSize
Get-SendConnector | ft name, MaxMessageSize
Get-Mailbox | ft name, MaxSendSize, MaxReceiveSize

Hat Tip: LAN-Tech: Quickie: changing message size limits on SBS STD 2008 and 2011

Enable Single Item Recovery in Exchange Server 2010 – Exchange Team Blog.
Enable and configure Windows Search Services on SBS 2008 or a Windows Server 2008 RTM/R2 file server and Libraries on Windows 7 (Official SBS Blog post).

Install the Search Service (On SBS 2011 it may already be installed).

If so: Click Start –> type Search.
Click Indexing Options in the results.

Verify that all company shared folders are being indexed.

Add the Company folder share (or Public folder share) to Windows 7 Libraries.
Click start and start typing and watch those network files results flow!

Fix the networking settings for Add-On Congestion Control Provider, Receive Window Auto-Tuning Level, Receive-Side Scaling State, Task Offload (previous blog post).

SBS 2008 related … tentative at this point.

Download, install, and run the SBS 2011 Best Practices Analyzer.

The BPA will pick up a lot of the little things that need to be configured such as advanced OS networking features that should be disabled and others.
The SBS 2011 BPA requires the Microsoft Baseline Configuration Analyzer 2.0.

Change the initial domain administrator’s password if using an Answer File (remember to reset the DHCP credentials, and any Event Log event fired Task too).

Note that if the admin account has not been logged off since changing the Password Policies, a log off and log on again will require a password change anyway.

Input the PID and Activate.

Control the Microsoft##SSEE WSUS Database’s Memory Usage

SBS 2011 – WSUS SQL Memory Usage Is Very High – How To Reduce It

Configure Custom Views and e-mail Task triggers for Event IDs (SBS Native Tools Management):

E-mail on Event IDs for low disk space (previous blog post).
E-mail on Event ID for Failed Logon Attempts (previous blog post). SBS Console flag also in this post.
E-mail on Event ID for Failed Backup.
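
An e-mail per failed logon says that something happened; a summary by account and source address shows whether it is one mistyped password or a sustained run against one account. The following is an added example, not code from the original post or the linked CodePlex filter. It assumes Security log Event ID 4625 (failed logon on Server 2008 R2) and that event's TargetUserName and IpAddress data fields; the function name, the threshold of 3 and the sample events are constructed for illustration.

```powershell
# Added example, not part of the original checklist. Runs on PowerShell 2.0 (Server 2008 R2).
# Groups failed logons (Security log Event ID 4625) by target account and source address.
function Get-FailedLogonSummary {
    param(
        [Parameter(Mandatory = $true)][string[]]$EventXml,  # one XML document per event
        [int]$Threshold = 3                                  # assumed alert threshold
    )
    $rows = foreach ($x in $EventXml) {
        $evt  = ([xml]$x).Event
        $data = @{}
        # EventData holds <Data Name="...">value</Data> pairs; index them by name.
        foreach ($d in $evt.EventData.Data) { $data[$d.Name] = $d.'#text' }
        New-Object PSObject -Property @{
            Time    = $evt.System.TimeCreated.SystemTime
            Account = $data['TargetUserName']
            Source  = $data['IpAddress']
        }
    }
    $rows | Group-Object Account, Source | ForEach-Object {
        # ISO 8601 UTC timestamps sort correctly as plain strings.
        $times = @($_.Group | ForEach-Object { $_.Time } | Sort-Object)
        New-Object PSObject -Property @{
            Account  = $_.Group[0].Account
            Source   = $_.Group[0].Source
            Failures = $_.Count
            First    = $times[0]
            Last     = $times[-1]
            Alert    = ($_.Count -ge $Threshold)
        }
    } | Sort-Object Failures -Descending
}

# Constructed sample events (not real log data), reduced to the fields used above.
$template = '<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">' +
            '<System><EventID>4625</EventID><TimeCreated SystemTime="{0}"/></System>' +
            '<EventData><Data Name="TargetUserName">{1}</Data>' +
            '<Data Name="IpAddress">{2}</Data></EventData></Event>'
$sample = @(
    ($template -f '2012-07-23T08:15:02Z', 'jsmith',        '192.0.2.10'),
    ($template -f '2012-07-23T09:01:10Z', 'Administrator', '198.51.100.7'),
    ($template -f '2012-07-23T09:01:12Z', 'Administrator', '198.51.100.7'),
    ($template -f '2012-07-23T09:01:15Z', 'Administrator', '198.51.100.7'),
    ($template -f '2012-07-23T09:01:19Z', 'Administrator', '198.51.100.7')
)

Get-FailedLogonSummary -EventXml $sample |
    Format-Table Account, Source, Failures, First, Last, Alert -AutoSize

# Against the live Security log (elevated prompt on the server):
# $xml = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4625 } -MaxEvents 500 |
#        ForEach-Object { $_.ToXml() }
# Get-FailedLogonSummary -EventXml $xml -Threshold 5
```

Rows with Alert set to True are the ones worth reviewing first; the per-event e-mail trigger stays in place for immediate notification.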

OPTIONS:

Configure a mapped network drive for the Companyweb SharePoint site (previous blog post).
Configure TS to allow two concurrent connections to the server (useful for training or working with someone on a problem).
Configure BGInfo to publish on all desktops (previous blog post).
Configure a GPO setting with an XP WMI filter and deliver WindowsDefender to all XP Pro workstations via GP.
Copy Logon Failure XML code (CodePlex site) into a new Event ID Filter and set an e-mail to fire when a failed logon occurs.

Customize the SBS Console Reports.

SBS Console XML Customizations on CodePlex.
SBSDeveloper.com: SBS Reporting Plugins XML.

Run a backup. Crash the server. Restore the Backup. Deliver.

One thing to keep in mind when it comes to checklists is that they are never meant to be a replacement for the materials they summarize!

It is very important to understand why the various steps need to be accomplished, how those steps can change over time due to changes in the operating system, the hardware configurations underneath the OS, and the technician’s own growth in experience and understanding.

The “why” leads to an ability to understand how things are going wrong when they do. Note that we are saying, “when” and not “if” things go wrong.

Troubleshooting

Post OS Setup

Microsoft Indicated

The Official SBS Blog: The Ultimate Guide to SBS 2008 Setup Failures

A huge list of the various things that can impact a good install of SBS 2008/2011 Standard.

Microsoft KB 2483007: Windows SBS 2011 Standard Known Post Installation Event Log Errors and Warnings

EventID 6772 SharePoint timer
DCom 10016 spfarm
EventID 6 SBS datacollectorservice
EventID 8230 on VSS status 1376

SBS 2011 OS related

SBS VM time keeps losing synchronization with the correct time.

Blog Post: Hyper-V- Preparing A High Load VM For Time Skew

Blog Post: SBS 2011 Error – WBCommandletInBuiltTracing failed to start 0xC0000035

This condition exists in the RTM/Gold build. It is not a show stopper.

Blog Post: SBS 2011 Standard Setup Crashes Unexpectedly- Error- Cannot commit configuration changes because

Exchange 2010 Related

Blog Post: SBS 2011 – Exchange Services Do Not Start

SharePoint Foundation Related

Blog Post: SBS 2011 – SharePoint Foundation Event ID 6398 – Access Denied Every 30 Minutes

Microsoft Knowledgebase Articles and Hotfixes

Trend Micro and other AntiVirus vendors that still use TDI.SYS

Microsoft Support: KB2493361: Slow Network Performance on SBS 2011

Microsoft KB 2489744: Windows SBS 2011 Standard Certificate may fail to install on a Vista or Windows 7 Client

Philip Elder
MPECS Inc.
Microsoft Small Business Specialists
Co-Author: SBS 2008 Blueprint Book

*Our original iMac was stolen (previous blog post). We now have a new MacBook Pro courtesy of Vlad Mazek, owner of OWN.
