2 Use a Windows Small Business Server product
Using the Windows SBS Console
For administrators working with Windows SBS for the first time, it is a goodidea to become familiar with the management tools supplied with Windows SBS2011, especially the Windows SBS Console. Clicking the Using the Windows SBSconsole link on the Home page opens a Help window that describes the basiccapabilities of the Windows SBS and provides links to more detailed help pageson specific subjects.Some of the other entries in the Getting started tasks list link to help filesas well, including How can users access computers on the network? and How canI add a shared printer to the network? For more information on these subjects,see Chapter 6, “Working with Users, Computers, and Groups” and Chapter 10,“Sharing Printers.”
Connecting to the Internet
The Connect To The Internet Wizard is an important part of the Windows SBS2011 setup process; many of the other wizards in the Getting started taskslist cannot run until you complete it. If you installed your server runningWindows SBS 2011 before setting up an Internet access router on your network,this wizard detects the router and configures the server to use it forInternet access. The wizard also configures the DHCP Server service on thecomputer to supply Internet Protocol (IP) addresses and other TransmissionControl Protocol/Internet Protocol (TCP/IP) configuration settings to theclient workstations that you will be connecting to the network.To complete the Connect To The Internet Wizard, set up your router on thenetwork according to the manufacturer’s instructions and then use thefollowing procedure: 1. Log on to your server running Windows SBS 2011 using an account with network Administrator privileges. The Windows SBS Console appears. 2. On the Home page of the Windows SBS Console, click Connect to the Internet. The Connect To The Internet Wizard appears, displaying the Before You Begin page.As noted on the Before You Begin page, you should locate the IP address ofyour router’s internal interface before you proceed with the wizard.Standalone router devices usually have a web-based administration interfaceand a factory-configured IP address that is specified in the productdocumentation. To access the administration interface, you type that IPaddress in a web browser and log in using the access password, also specifiedin the product documentation. 3. Click Next. The Detecting The Existing Network page appears.The wizard attempts to detect a router on the network and access its settings.If the attempt is successful, the Detecting The Router And Configuring YourNetwork page appears. This page specifies the IP address of the router’sinternal interface, which becomes the Default Gateway address for all yournetwork computers, and the IP address that the wizard configures your serverto use.If there is a router on your network, and the wizard fails to detect it, thewizard leaves the Router IP address and server IP address text boxes blank.Click Cancel to exit the wizard, troubleshoot your router, and restart thewizard. 4. If the Router IP address and Server IP address values that appear on the page are correct, click Next. If the Router IP address and Server IP address fields are incorrect or blank, then troubleshoot your router (if necessary), supply the correct values, and click Next. The wizard configures your server, and the Your Network Is Now Connected To The Internet! page appears. 5. Click Finish. The wizard closes.The basic function of the Connect To The Internet Wizard is to configure yourserver with an IP address on the same network as your router, and a DefaultGateway address that is the same as the router’s IP address. This enables theserver to access the Internet through the router. In addition, the wizardconfigures the DHCP Server service on the computer running Windows SBS.The Windows SBS 2011 setup program installs the DHCP Server role during theserver installation whether a router is present on the network or not, leavingthe DHCP Server unconfigured and the service stopped. The wizard configuresthe DHCP Server by starting the service and creating a scope. In DHCPparlance, a scope is a range of IP addresses that the server can allocatedynamically to clients on the network as needed.As you can see in the DHCP Console, shown in Figure 4-4, the wizard hascreated a scope consisting of the IP addresses from x.x.x.1 to x.x.x.254 onthe network it detected from the router. The wizard has also created anaddress exclusion for the scope, which prevents the service from allocatingthe IP addresses from x.x.x.1 to x.x.x.10. This exclusion range includes theaddress of the router, the Windows SBS server address, and additionaladdresses for any other servers that you might want to install on the networkat a later time.Figure 4-4 The DHCP Console, showing the scope that the Connect To TheInternet Wizard created.In addition to the range of IP addresses and the exclusion range, the wizardalso configures the DHCP scope with scope options, as shown in Figure 4-5.Scope options are additional TCP/IP configuration settings that the DHCPserver delivers to clients along with an IP address.Figure 4-5 The DHCP Console, showing the scope options that the Connect To TheInternet Wizard created.The scope options that the wizard configures are as follows: * 003 Router Specifies the IP address of the router, which the client should use for its Default Gateway address * 006 DNS servers Specifies the IP address of the server running Windows SBS 2011, which functions as a DNS server and which the client should use for its Preferred DNS Server address * 015 DNS Domain name Specifies the name of the internal domain that you created during the Windows SBS 2011 installationIf the wizard fails to detect a router on the network, you can still specifyvalues for the Router IP address and Server IP address fields. After youconfirm that you want the server configuration process to continue, the wizardconfigures the TCP/IP and DHCP Server settings just as if a router werepresent and then displays pages that help you to configure your router forInternet access.The Configure Your Router page, shown in Figure 4-6, enables you to connect toyour router’s administration console so that you can manually configure it andthen test its Internet connectivity. This function assumes that the routeruses web-based configuration and the standard port number (80) for itsinterface. If the router is configured to use a nonstandard port number forthe administrative interface, you can connect to it with a web browser using auniform resource locator (URL) that specifies both an IP address and a portnumber, as in the following example: http://10.0.0.1:4096. If the router usesa different type of administrative interface, consult the routermanufacturer’s documentation to determine how to access it.Figure 4-6 The Configure Your Router page of the Connect To The InternetWizard.Before you proceed with the other wizards in the Getting started tasks list,you must complete this wizard successfully by connecting to the Internetthrough a router on your network. The Windows SBS Console does not permit theother wizards requiring Internet access to launch until the Connect To TheInternet Wizard succeeds.
Set Up Your Internet Address
For your users to send and receive Internet email or access your networkservices from a remote location, you must establish a presence on theInternet. This is different from simply accessing the Internet, which youconfigured the server to do when you ran the Connect To The Internet Wizard.Establishing a presence on the Internet enables users on the Internet toaccess your network’s resources. To receive email from users outside yourorganization, for example, their messages must be able to reach the MicrosoftExchange Server application running on your server.By default, Windows SBS 2011 configures your server to use a private IPaddress and a domain name with a local suffix (both of which are inaccessiblefrom the Internet by design). To establish an Internet presence, you mustregister a domain name with an Internet domain registrar and configure yourrouter to admit Internet traffic addressed to your server. The domain nameenables Internet users to locate your network, and the router configurationlets the packets coming from those users pass through your firewall. Both ofthese tasks can be relatively complicated, but fortunately, Windows SBS 2011includes an Internet Address Management Wizard that helps you to completethem.The Internet Address Management Wizard prompts you to select a domain namethat is accessible from the Internet, as opposed to the local name youspecified for your Active Directory Domain Services (AD DS) domain during theWindows SBS 2011 installation. The most common practice is to use the samesecond-level domain name, but with a different top-level domain. For example,if you use adatum.local for your internal domain, you might choose adatum.comfor your Internet domain. You don’t have to use the same second-level domain,however; you can use any domain name that is available for registration.If the Internet domain name you select is available, the wizard enables you toregister it with one of several commercial domain registrars. If you alreadyhave a registered domain name, the wizard lets you use that instead. Once youhave a registered domain name, the wizard then configures your server, yourrouter, and the Domain Name System records for the new domain.
Using an Existing Domain
If you already have a registered domain on the Internet, you can still use theInternet Address Management Wizard to configure your network to use it. Whenyou select the I already have a domain name that I want to use option on theDo You Want To Register A New Domain Name? page and click Next, a How Do YouWant To Manage Your Domain Name? page appears, as shown in Figure 4-7.Figure 4-7 The How Do You Want To Manage Your Domain Name? page in theInternet Address Management Wizard.This page provides the following two options: * I want the server to manage the domain name for me To use this option, your domain name must be registered with one of the registrars supported by the wizard. If you have registered your domain with another registrar, the wizard gives you the opportunity to transfer the domain to one of the supported registrars, a process that can take several days. Once you have completed the transfer, the wizard proceeds as with a newly registered domain. * I want to manage the domain name myself If you decide to leave your domain name with another registrar, the wizard configures your server and your router, but it cannot create the new resource records your network needs on your registrar’s DNS servers. In this case, you must create those resource records yourself, using the interface supplied by the registrar and the information in the next section.
Understanding the Wizard’s Configurations
During the configuration phase, the Internet Address Management Wizard makes avariety of changes to the various components involved in your presence on theInternet. First, on your server running Windows SBS 2011, the wizardconfigures the following services: * Certification Authority (CA) The wizard has the CA on the server issue a certificate for the Remote Web Workplace website, as shown in Figure 4-8. This certificate enables users on the Internet to confirm that the RWW that they are connecting to is authentic.Figure 4-8 The certificate for the RWW site, issued by the CA. * Domain Name System (DNS) On the server’s DNS server, the wizard creates a zone for the remote third-level domain beneath the Internet domain that you registered, as shown in Figure 4-9. This makes the DNS server the authoritative source for information about this third-level domain.Figure 4-9 The DNS Manager Console, showing the third-level domain created bythe Internet Address Management Wizard. * Internet Information Services (IIS) The wizard configures IIS on the server to recognize incoming web traffic addressed to the remote domain and forward it to the Remote Web Workplace site. * Simple Mail Transfer Protocol (SMTP) The wizard configures Exchange Server 2010 to process incoming SMTP traffic addressed to the domain you registered.Next, the wizard uses the credentials you supplied to connect to yourregistrar’s website and configure DNS records for your newly registereddomain. What you are actually paying for when you register a domain is spaceon the registrar’s DNS servers, in which you can create resource records inthat domain.Using the interface provided by the registrar, the wizard automaticallycreates the resource records listed in Table 4-1.
Table 4-1 DNS Resource Records for Your Internet Domain
RECORD TYPE|NAME|RECORD SETTINGS|RECORD FUNCTION —|—|—|— Host (A)|remote|IP address of your router’s external interface|Maps the remote name in your domain to your router’s Internet IP address Mail Exchanger (MX)|domain.com|remote.domain.com|Directs SMTP mail traffic to your server running Windows SBS 2011 Text (TXT)|domain.com|v=spf1 a mx ~all|Prevents email sent by your internal users from being flagged as spam Service (SRV)|_autodiscover|Protocol = _tcpPriority = 0Weight = 0Port = 443Target = remote.domain.com Finally, if your router conforms to the Universal Plug and Play (UPnP)standard, the wizard configures your router by opening ports 25, 80, 443, and987, so that traffic arriving from the Internet using those ports can passthrough the firewall to your server running Windows SBS 2011.If your router does not support UpnP, you must configure it yourself to admittraffic through those ports and forward it to the server’s IP address. Arouter’s configuration site typically provides an interface for this like theone shown in Figure 4-10.Figure 4-10 A typical port-forwarding interface in a router’s configurationsite.
Configure a Smart Host for Internet Email
A smart host is an external email server, typically operated by an ISP, whichyou can use as an intermediate stop for your users’ outgoing email. For moreinformation on configuring a smart host, see Chapter 15, “AdministeringEmail.”
Configure Server Backup
The Getting started tasks list contains a link to the Configure Server BackupWizard, which you can also access from the Backup And Server Storage page ofthe Windows SBS Console. For information on performing backups and restores onyour server running Windows SBS 2011, see Chapter 12, “Backing Up andRestoring.”
2 Use a Windows Small Business Server product
If you own Microsoft Small Business Server (SBS) versions 2008 or 2011, youhave an automated backup management feature available already. Windows ServerBackup is an integral part of the SBS management solution. The assured backupof Exchange 2010 in SBS 2011 is a high-value feature to the small business.Emailed daily summary reports and weekly detailed reports make it easy to spotproblems with your backups; seeFigure Afor an actual SBS report email detailing a recent backup failure.
4: IP addressing deserves attention
Just as a network’s topology deserves attention and planning, so too does anetwork’s IP addressing scheme. The popularity of universal threat management(UTM) appliances and proprietary router and firewall operating systems, suchas those found in Cisco, SonicWALL, and other companies’ devices, oftenintroduces a variety of operating subnets.As a result, troubleshooting connection failures, performance issues, andother problems is made exponentially more difficult. Instead of maintainingthree different subnets, or worse, encountering multiple DHCP devices servingup the same IP addresses within the same ranges (don’t laugh, it happens),always plot network topologies and the corresponding IP subnets on paper. Aworld of mistakes (and hurt) can be easily avoided, as discrepancies areeasily spotted when a network is properly documented on paper or within Visio.Multiple subnets aren’t always bad, of course. Occasionally, a small businessmay require two subnets. When security is of particular concern, maintainingsensitive data on a secondary subnet available only to limited personnel (andtypically removed from wireless connectivity) may prove best. Such secondarysubnets also prove helpful when you want to limit VPN or remote traffic tospecific network segments.
7: Wireless technologies are problematic
Although they’re full of promise, wireless networks frequently provefrustrating, introducing problems like security vulnerabilities and flakynetwork connections. From relatively weak WPA keys to easily defeated MACfiltering, wireless security (or the lack thereof) is infamous. Tack onreduced throughput, the need to position antenna and access points carefully,and the potential for introducing yet another routing device servingpotentially conflicting IP addresses, and you may be prompted to rethinkwhether wireless access is really required on a network.Certainly, occasions will arrive in which an organization’s users require themobility wireless networking provides. Or a business may occupy a facility inwhich running required Ethernet cables simply isn’t viable. When designing orplanning such networks, be sure to seek routing equipment that also includeswireless service. By combining routing/firewall/VPN features and wirelessconnectivity in a single device, some of the routing issues that arise whenadding multiple devices to a network can be eliminated (although you’re stillstuck with many of wireless’ security headaches).
9: Terminal Services changed in SBS 2003
Terminal Services licensing changed with the introduction of SBS 2003. SmallBusiness Server 2000 supported Terminal Services running in Application Mode,but SBS 2003 does not. What’s that mean?If users must access network applications powered by the server, organizationsshould design their small business network to use Windows Server 2003 instead.Only users possessing administrator rights can log on remotely to a WindowsSBS 2003 desktop and even then, SBS 2003 supports a limit of two suchconcurrent sessions.Microsoft claims Terminal Services in Application Mode was disabled in SBS2003 as a security precaution. As mentioned previously, however, the featureis still available in Windows Server 2003.Ultimately, your best bet when designing a small business network is to limitas many remote connections as possible. But should your organization requiresuch connectivity, be aware that SBS 2003 may not meet your requirements.