Performing Post-Installation Tasks
As soon as possible after you install Windows SBS 2011 on your server, you should begin addressing the items in the Getting started tasks list on the Home page of the Windows SBS Console. Some of these tasks link to wizards that help you to configure various server functions, while others display help files that provide useful information about administering your server and your network.
The following sections describe the functions of the various tasks in the list. As you finish each task, select its Completed check box to keep track of your progress.
Using the Windows SBS Console
For administrators working with Windows SBS for the first time, it is a good idea to become familiar with the management tools supplied with Windows SBS 2011, especially the Windows SBS Console. Clicking the Using the Windows SBS console link on the Home page opens a Help window that describes the basic capabilities of the Windows SBS and provides links to more detailed help pages on specific subjects.
Some of the other entries in the Getting started tasks list link to help files as well, including How can users access computers on the network? and How can I add a shared printer to the network? For more information on these subjects, see Chapter 6, “Working with Users, Computers, and Groups” and Chapter 10, “Sharing Printers.”
Connecting to the Internet
The Connect To The Internet Wizard is an important part of the Windows SBS 2011 setup process; many of the other wizards in the Getting started tasks list cannot run until you complete it. If you installed your server running Windows SBS 2011 before setting up an Internet access router on your network, this wizard detects the router and configures the server to use it for Internet access. The wizard also configures the DHCP Server service on the computer to supply Internet Protocol (IP) addresses and other Transmission Control Protocol/Internet Protocol (TCP/IP) configuration settings to the client workstations that you will be connecting to the network.
To complete the Connect To The Internet Wizard, set up your router on the network according to the manufacturer’s instructions and then use the following procedure:
Log on to your server running Windows SBS 2011 using an account with network Administrator privileges. The Windows SBS Console appears.
On the Home page of the Windows SBS Console, click Connect to the Internet. The Connect To The Internet Wizard appears, displaying the Before You Begin page.
As noted on the Before You Begin page, you should locate the IP address of your router’s internal interface before you proceed with the wizard. Standalone router devices usually have a web-based administration interface and a factory-configured IP address that is specified in the product documentation. To access the administration interface, you type that IP address in a web browser and log in using the access password, also specified in the product documentation.
Click Next. The Detecting The Existing Network page appears.
The wizard attempts to detect a router on the network and access its settings. If the attempt is successful, the Detecting The Router And Configuring Your Network page appears. This page specifies the IP address of the router’s internal interface, which becomes the Default Gateway address for all your network computers, and the IP address that the wizard configures your server to use.
If there is a router on your network, and the wizard fails to detect it, the wizard leaves the Router IP address and server IP address text boxes blank. Click Cancel to exit the wizard, troubleshoot your router, and restart the wizard.
If the Router IP address and Server IP address values that appear on the page are correct, click Next. If the Router IP address and Server IP address fields are incorrect or blank, then troubleshoot your router (if necessary), supply the correct values, and click Next. The wizard configures your server, and the Your Network Is Now Connected To The Internet! page appears.
Click Finish. The wizard closes.
The basic function of the Connect To The Internet Wizard is to configure your server with an IP address on the same network as your router, and a Default Gateway address that is the same as the router’s IP address. This enables the server to access the Internet through the router. In addition, the wizard configures the DHCP Server service on the computer running Windows SBS.
The Windows SBS 2011 setup program installs the DHCP Server role during the server installation whether a router is present on the network or not, leaving the DHCP Server unconfigured and the service stopped. The wizard configures the DHCP Server by starting the service and creating a scope. In DHCP parlance, a scope is a range of IP addresses that the server can allocate dynamically to clients on the network as needed.
As you can see in the DHCP Console, shown in Figure 4-4, the wizard has created a scope consisting of the IP addresses from x.x.x.1 to x.x.x.254 on the network it detected from the router. The wizard has also created an address exclusion for the scope, which prevents the service from allocating the IP addresses from x.x.x.1 to x.x.x.10. This exclusion range includes the address of the router, the Windows SBS server address, and additional addresses for any other servers that you might want to install on the network at a later time.
Figure 4-4 The DHCP Console, showing the scope that the Connect To The Internet Wizard created.
In addition to the range of IP addresses and the exclusion range, the wizard also configures the DHCP scope with scope options, as shown in Figure 4-5. Scope options are additional TCP/IP configuration settings that the DHCP server delivers to clients along with an IP address.
Figure 4-5 The DHCP Console, showing the scope options that the Connect To The Internet Wizard created.
The scope options that the wizard configures are as follows:
003 Router Specifies the IP address of the router, which the client should use for its Default Gateway address
006 DNS servers Specifies the IP address of the server running Windows SBS 2011, which functions as a DNS server and which the client should use for its Preferred DNS Server address
015 DNS Domain name Specifies the name of the internal domain that you created during the Windows SBS 2011 installation
If the wizard fails to detect a router on the network, you can still specify values for the Router IP address and Server IP address fields. After you confirm that you want the server configuration process to continue, the wizard configures the TCP/IP and DHCP Server settings just as if a router were present and then displays pages that help you to configure your router for Internet access.
The Configure Your Router page, shown in Figure 4-6, enables you to connect to your router’s administration console so that you can manually configure it and then test its Internet connectivity. This function assumes that the router uses web-based configuration and the standard port number (80) for its interface. If the router is configured to use a nonstandard port number for the administrative interface, you can connect to it with a web browser using a uniform resource locator (URL) that specifies both an IP address and a port number, as in the following example: http://10.0.0.1:4096. If the router uses a different type of administrative interface, consult the router manufacturer’s documentation to determine how to access it.
Figure 4-6 The Configure Your Router page of the Connect To The Internet Wizard.
Before you proceed with the other wizards in the Getting started tasks list, you must complete this wizard successfully by connecting to the Internet through a router on your network. The Windows SBS Console does not permit the other wizards requiring Internet access to launch until the Connect To The Internet Wizard succeeds.
Customer Feedback Options
Selecting the Customer feedback options link causes a Customer Experience Improvement Program dialog box to appear, which asks if you want to allow Windows SBS to send information about your system hardware and usage trends anonymously to Microsoft for analysis.
Set Up Your Internet Address
For your users to send and receive Internet email or access your network services from a remote location, you must establish a presence on the Internet. This is different from simply accessing the Internet, which you configured the server to do when you ran the Connect To The Internet Wizard. Establishing a presence on the Internet enables users on the Internet to access your network’s resources. To receive email from users outside your organization, for example, their messages must be able to reach the Microsoft Exchange Server application running on your server.
By default, Windows SBS 2011 configures your server to use a private IP address and a domain name with a local suffix (both of which are inaccessible from the Internet by design). To establish an Internet presence, you must register a domain name with an Internet domain registrar and configure your router to admit Internet traffic addressed to your server. The domain name enables Internet users to locate your network, and the router configuration lets the packets coming from those users pass through your firewall. Both of these tasks can be relatively complicated, but fortunately, Windows SBS 2011 includes an Internet Address Management Wizard that helps you to complete them.
The Internet Address Management Wizard prompts you to select a domain name that is accessible from the Internet, as opposed to the local name you specified for your Active Directory Domain Services (AD DS) domain during the Windows SBS 2011 installation. The most common practice is to use the same second-level domain name, but with a different top-level domain. For example, if you use adatum.local for your internal domain, you might choose adatum.com for your Internet domain. You don’t have to use the same second-level domain, however; you can use any domain name that is available for registration.
If the Internet domain name you select is available, the wizard enables you to register it with one of several commercial domain registrars. If you already have a registered domain name, the wizard lets you use that instead. Once you have a registered domain name, the wizard then configures your server, your router, and the Domain Name System records for the new domain.
Registering a New Domain
The Internet Address Management Wizard requires access to the Internet, so you must complete the Connect To The Internet Wizard first. Then, to run the wizard and register a new domain name, use the following procedure:
Log on to your Windows SBS 2011 primary server using an account with network Administrator privileges. The Windows SBS Console appears.
On the Home page of the Windows SBS Console, click Set up your Internet address. The Internet Address Management Wizard appears, displaying the Before You Begin page.
The Before You Begin page lists the resources that you need to complete the wizard, which vary, depending on whether you are registering a new domain name or using an existing one. To register a new name, you must have some idea what name you want to use and a credit card to pay the registration fee.
If your company name is already taken in the com, net, and org domains, you must either choose a variation on the company name, or select a different gTLD. For example, if you are the owner of an eponymously named company that manufactures kilts, and your surname is the same as that of a well-known fast food restaurant chain, you will probably not be able to register your company name in the com domain. Your alternatives are to either vary the name, such as by adding the word “kilts” to your surname, or register your surname in a less popular gTLD, such as biz.
To check on the availability of specific domain names before you run the Internet Address Management Wizard, you can use the WHOIS service provided by the Internet Corporation for Assigned Names and Numbers (ICANN), available at http://www.internic.net/whois.html.
Click Next. The Do You Want To Register A New Domain Name? page appears.
Select the I want to purchase a new domain name option and click Next. The Type The Domain Name That You Want To Register page appears.
In the Domain name text box, type the second-level domain name that you want to register. Then, from the Extension drop-down list, select the top-level domain that you want to use and click Next. The Choose A Domain Name Provider page appears.
The wizard displays a list of domain name registrars, based on the domain name that you entered and the location that you specified during the Windows SBS 2011 installation.
Select the domain registrar that you want to use and click Next. The wizard sends the name you specified to the selected registrar.
If the name you specified is not available for registration, the Choose A Different Domain Name page appears, offering variations on the name that are available. Type an alternative name in the fields provided and click Search.
If the name you specified is available for registration, the Register And Purchase The Domain Name page appears. Click Register now to open Internet Explorer and connect to the registrar’s website.
Use the form on the registrar’s website to register your selected domain name. You have to supply, at minimum, your name, mailing address, telephone number, and credit card information to complete the registration process.
Once you have completed the registration process on the website, return to the wizard and click Next. The Store Your Domain Name Information page appears.
In the Domain name and extension text box, type your full domain name, with the suffix.
In the User name and password text boxes, type the credentials that provide access to your account on the registrar’s website.
By default, the wizard uses the name remote for the Windows SBS 2011 Remote Web Workplace site, so that the Internet URL for the domain adatum.info would be http://remote.adatum.info. If you want to use a different name, click Advanced settings to display the Advanced Settings dialog box, shown in the following illustration, in which you can specify an alternative.
Click Configure. The Configuring Your Server page appears, displaying the wizard’s progress as it configures the server, the router, and the DNS resource records for the domain.
When the configuration process finishes, the Congratulations! page appears, summarizing the wizard’s results and displaying any warnings that might have occurred.
Click Finish. The wizard closes.
Using an Existing Domain
If you already have a registered domain on the Internet, you can still use the Internet Address Management Wizard to configure your network to use it. When you select the I already have a domain name that I want to use option on the Do You Want To Register A New Domain Name? page and click Next, a How Do You Want To Manage Your Domain Name? page appears, as shown in Figure 4-7.
Figure 4-7 The How Do You Want To Manage Your Domain Name? page in the Internet Address Management Wizard.
This page provides the following two options:
I want the server to manage the domain name for me To use this option, your domain name must be registered with one of the registrars supported by the wizard. If you have registered your domain with another registrar, the wizard gives you the opportunity to transfer the domain to one of the supported registrars, a process that can take several days. Once you have completed the transfer, the wizard proceeds as with a newly registered domain.
I want to manage the domain name myself If you decide to leave your domain name with another registrar, the wizard configures your server and your router, but it cannot create the new resource records your network needs on your registrar’s DNS servers. In this case, you must create those resource records yourself, using the interface supplied by the registrar and the information in the next section.
Understanding the Wizard’s Configurations
During the configuration phase, the Internet Address Management Wizard makes a variety of changes to the various components involved in your presence on the Internet. First, on your server running Windows SBS 2011, the wizard configures the following services:
Certification Authority (CA) The wizard has the CA on the server issue a certificate for the Remote Web Workplace website, as shown in Figure 4-8. This certificate enables users on the Internet to confirm that the RWW that they are connecting to is authentic.
Figure 4-8 The certificate for the RWW site, issued by the CA.
Domain Name System (DNS) On the server’s DNS server, the wizard creates a zone for the remote third-level domain beneath the Internet domain that you registered, as shown in Figure 4-9. This makes the DNS server the authoritative source for information about this third-level domain.
Figure 4-9 The DNS Manager Console, showing the third-level domain created by the Internet Address Management Wizard.
Internet Information Services (IIS) The wizard configures IIS on the server to recognize incoming web traffic addressed to the remote domain and forward it to the Remote Web Workplace site.
Simple Mail Transfer Protocol (SMTP) The wizard configures Exchange Server 2010 to process incoming SMTP traffic addressed to the domain you registered.
Next, the wizard uses the credentials you supplied to connect to your registrar’s website and configure DNS records for your newly registered domain. What you are actually paying for when you register a domain is space on the registrar’s DNS servers, in which you can create resource records in that domain.
Using the interface provided by the registrar, the wizard automatically creates the resource records listed in Table 4-1.
Table 4-1 DNS Resource Records for Your Internet Domain
IP address of your router’s external interface
Maps the remote name in your domain to your router’s Internet IP address
Mail Exchanger (MX)
Directs SMTP mail traffic to your server running Windows SBS 2011
v=spf1 a mx ~all
Prevents email sent by your internal users from being flagged as spam
Protocol = _tcp
Priority = 0
Weight = 0
Port = 443
Target = remote.
Finally, if your router conforms to the Universal Plug and Play (UPnP) standard, the wizard configures your router by opening ports 25, 80, 443, and 987, so that traffic arriving from the Internet using those ports can pass through the firewall to your server running Windows SBS 2011.
If your router does not support UpnP, you must configure it yourself to admit traffic through those ports and forward it to the server’s IP address. A router’s configuration site typically provides an interface for this like the one shown in Figure 4-10.
Figure 4-10 A typical port-forwarding interface in a router’s configuration site.
Configure a Smart Host for Internet Email
A smart host is an external email server, typically operated by an ISP, which you can use as an intermediate stop for your users’ outgoing email. For more information on configuring a smart host, see Chapter 15, “Administering Email.”
Add a Trusted Certificate
Digital certificates are electronic documents that verify the identity of a computer or a user. By default, a server running Windows SBS 2011 creates self-signed certificates for the intranet websites it hosts and for its domain controller functions. Self-signed certificates are sufficient for internal functions because users on the network can trust the authority of their local server.
When a client computer first uses one of these internal functions, it automatically applies for and receives a certificate from the server, a process called autoenrollment. The process is invisible to the users on the network, but they can open the Certificates snap-in on their computers and look at the certificates they have received.
However, Internet users are not logged on to the AD DS domain, so they cannot obtain certificates using autoenrollment. When a remote user on the Internet connects to a Windows SBS 2011 resource on your network, such as the RWW website, the browser displays an error message, as shown in Figure 4-11. This message appears because the web server has generated its own certificate, and on the Internet, a computer that verifies its own identity is not trustworthy.
Figure 4-11 A certificate error in a web browser.
For users conscious of this situation, clicking the Continue to this website (not recommended) link presents no danger, but to eliminate the error message, the server must have a certificate issued by a third party that both the clients and the server trust. The third party is typically a commercial CA that is in the business of confirming the identities of clients and issuing certificates attesting to that identity.
The Getting Started Tasks page provides an Add A Trusted Certificate Wizard that simplifies the process of enrolling for and installing a third-party certificate. To run the wizard, use the following procedure:
Log on to your Windows SBS 2011 primary server, using an account with network Administrator privileges. The Windows SBS Console window appears.
On the Home page of the Windows SBS Console, click Add a trusted certificate. The Add A Trusted Certificate Wizard appears, displaying the Before You Begin page.
Click Next. The Get The Certificate page appears.
Select the I want to buy a certificate from a certificate provider option and click Next. The Verify The Information For Your Trusted Certificate page appears, containing the name of your remote site and the company and address information you supplied during the Windows SBS 2011 installation.
Modify the company and address information, if necessary, and click Next. The Generate A Certificate Request page appears.
Click Copy to copy the certificate request to the clipboard or click Save to file to save the request as a file on your local drive.
Click Next. The A Request Is In Progress page appears.
Open the website of the certificate provider that you want to use and submit your request by pasting the contents of the Clipboard into the appropriate form or uploading the request file that you saved. After you pay a fee and supply the correct information, the provider issues a certificate, either as text you can copy to the Clipboard or as a file you can download.
Return to the Add A Trusted Certificate Wizard, make sure that the I have a certificate from my certificate provider option is selected, and click Next. The Import The Trusted Certificate page appears.
In the Trusted certificate box, either paste the text that you copied from the certificate provider’s site or click Browse to select the file that you downloaded, and then click Next. A The Trusted Certificate Is Imported Successfully page appears.
Click Finish. The wizard closes.
Configure Server Backup
The Getting started tasks list contains a link to the Configure Server Backup Wizard, which you can also access from the Backup And Server Storage page of the Windows SBS Console. For information on performing backups and restores on your server running Windows SBS 2011, see Chapter 12, “Backing Up and Restoring.”
Adding Users and Computers
To connect workstations to your network, you must create user accounts and join the computers to your AD DS domain. The Add A New User Account Wizard in the Getting started tasks list is also accessible from the Users And Groups page in the Windows SBS Console. The Connect Computers To Your Network Wizard is also accessible from the Network page. For information on using these wizards, see Chapter 6.