The "Right Way" to Install SBS 2003

Myron Johnson - RTA Information Technology
SBS is an excellent choice for the vast majority of small businesses. It gives the owner and the employees the tools they need to actually run a small business.
In my opinion, any company with fewer than fifty employees that is not using SBS 2003 as its main business server should think SERIOUSLY about whether it's being properly served by its IT staff. There. I said it.
SBS's features:
* Full remote access via computer, laptop, PDA or SmartPhone
* "Get your email and appointments anywhere" Exchange Server
* That wonderful, pre-configured SharePoint site
* Its automated backups and monitoring
make SBS 2003 a no-brainer. If your IT staff or your IT consultant haven't told you about SBS, then they aren't doing their job.
Although I call this the "Right Way" to install Microsoft Windows Small Business Server 2003, there are obviously other ways to do it. And not all of them are "Wrong". But unless you ALREADY have hands-on experience installing and maintaining SBS 2003, please consider these suggestions. This is how I, and many other Microsoft Small Business Specialists, install SBS. It works, and it's supported by Microsoft.
[Opinion Mode On] First, although SBS 2003 has wizards for setup and installation, there are some "gotchas" that can cause problems. If you aren't an IT professional who specializes in SBS, you should consider hiring an outside SBS Specialist for the initial setup. You'll save lots of time, money, and frustration by doing so. You'll minimize any disruption to your business. And a consultant will show you how to take full advantage of what you've purchased. There are dozens of hidden features that could be valuable to your office that you may miss, otherwise.
If you are intent on doing your own installation, a common recommendation is to do TWO (or more) SBS installs:
1) Do a practice install and make the mistakes that you will surely make. Add a client PC that you don't care about. Doing the Client PC join to the Domain is the hardest part of installing SBS.
2) Wipe the box and do a second, REAL install.
Frankly, having played computer games and having built a couple of home PCs is NOT enough experience to install and manage an Active Directory Domain Controller and Email Server. Yes, SBS 2003 IS simple to install. Yes, it has great Wizards. Yes, it is reliable and trouble-free. But if you start messing with it and don't know what you are doing, you can easily end up with a mess that somebody else is going to have to come in and fix for you. [Opinion Mode Off]
The "Standard" SBS 2003 Setup:
1) Install the Server in a secured area. One of the points of a Server is to have security. Leaving your Server and your Company's data in an open area is not a good idea.
2) Use two NICs on the SBS Server. That way, SBS can serve as a Firewall for all the internal computers. Use a Static IP address on the "External (Internet)" NIC and hook it to your Router. Hook the second NIC to your switch. Hook the client computers to the switch.
3) Have the Router forward ports 25, 80, 443, 444, 3389, and 4125 to the SBS Server's IP address. These are for your email, web, secure email, remote access, and Remote Web Workplace servers. Forward 1723 if you want to VPN into your network. Be sure to turn on Protocol 47 (GRE) forwarding if you are using the PPTP VPN protocol.
4) Be sure to name your Domain with a NON-INTERNET name, like the suggested "XXXX.LOCAL". Naming your domain with the same name as your Internet Domain Name will cause problems. I recommend using a ".LAN" extension, to avoid an issue with older Macintosh clients.
Also, keep your internal Domain name and server name SHORT AND SIMPLE! "AAA.LAN" works great as a Domain name, as does "Server1" for the server name. A simple, non-specific Domain name will avoid a very-expensive Domain name change if your business grows and changes names or merges with another business.
5) After running through the Setup and the "To Do" checklist, you should have a working server, with email, internal SharePoint site, and full Remote Access.
6) Add User Accounts and Computer Accounts to the SBS Server.
7) Join all your (Windows XP Professional and 2000 computers only!) clients to the Domain using the "ConnectComputer" Wizard. Make sure you understand how to do this properly or you will lose users' profiles on their PCs and will have to search for their old data and desktop files. You want to migrate their profiles over to their new Domain Profile on their PC.
8) SBS will automatically install Outlook 2003 on each computer and automatically create new Domain Email profiles for each user. You'll have to migrate old emails from their old email program to their new Exchange mailbox (using .PST migration if they already use Outlook).
9) Set up desired Security Groups to easily set up who can access what on the Server.
10) Set up required shared folders (for secure sharing of files) on the Server and set the desired sharing and security permissions, using the Security Groups you've created.
11) Implement and TEST your backup system. Hard drives fail all the time and people make mistakes. SBS makes it REALLY EASY to have reliable, automated backups of your Server and all your Office's important data. Don't ignore this capability. And be sure to make offsite storage of backups part of your backup process.
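A check for step 3, added here as an example and not part of the original checklist: it compares a router's port-forward table against the ports that step lists and reports anything missing, anything extra, and a PPTP forward without GRE. The server address, the `Forward` record and the sample table are constructed for illustration.

```python
from dataclasses import dataclass

REQUIRED_TCP = {25, 80, 443, 444, 3389, 4125}  # ports listed in step 3
PPTP_TCP = 1723                                # optional, only for PPTP VPN
SBS_IP = "192.168.1.2"                         # constructed address for the SBS external NIC


@dataclass(frozen=True)
class Forward:
    proto: str   # "tcp", "udp" or "gre" (IP protocol 47, which has no port)
    port: int    # 0 for GRE
    target: str  # internal address the router forwards to


def audit(forwards, sbs_ip, want_vpn=False):
    """Return a list of findings; an empty list means the table matches step 3."""
    findings = []
    allowed_tcp = REQUIRED_TCP | ({PPTP_TCP} if want_vpn else set())
    tcp_to_sbs = {f.port for f in forwards if f.proto == "tcp" and f.target == sbs_ip}
    gre_to_sbs = any(f.proto == "gre" and f.target == sbs_ip for f in forwards)

    for port in sorted(REQUIRED_TCP - tcp_to_sbs):
        findings.append(f"missing: tcp/{port} is not forwarded to {sbs_ip}")
    for f in forwards:
        if f.target != sbs_ip:
            findings.append(f"wrong-target: {f.proto}/{f.port} goes to {f.target}, not the SBS server")
        elif f.proto == "gre":
            if not want_vpn:
                findings.append("unexpected: GRE is forwarded but no PPTP VPN is wanted")
        elif f.proto != "tcp" or f.port not in allowed_tcp:
            findings.append(f"unexpected: {f.proto}/{f.port} is exposed but not in the checklist")
    if want_vpn:
        if PPTP_TCP not in tcp_to_sbs:
            findings.append(f"missing: tcp/{PPTP_TCP} is not forwarded to {sbs_ip}")
        if not gre_to_sbs:
            findings.append("missing: GRE (protocol 47) is not forwarded; PPTP needs it alongside tcp/1723")
    return findings


# Constructed sample table: 444 forgotten, a stray VNC forward, FTP to a workstation,
# and 1723 opened without GRE.
SAMPLE = [Forward("tcp", p, SBS_IP) for p in (25, 80, 443, 3389, 4125, 1723, 5900)]
SAMPLE.append(Forward("tcp", 21, "192.168.1.50"))

if __name__ == "__main__":
    for line in audit(SAMPLE, SBS_IP, want_vpn=True):
        print(line)
```

Re-run the check whenever the router configuration changes, so a forward added for a one-off job does not stay open.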
I STRONGLY recommend that you host your own email. This requires a business-level Internet connection, which doesn't block the required Server ports. Continuing to use the common POP-3 email accounts that many people use is a constant source of complication to email flow. You'll need to register a Domain Name ($10 per year) and set the public DNS settings to point to your new Server.
Each user will now have his/her own mailbox on the Exchange Server, and can read that mailbox from virtually anywhere, using Outlook, OWA, SmartPhone, PDA, etc. This includes personal mailboxes and contacts, as well as shared contacts. To create a shared contact list, you can create it in a Public Folder in Exchange. After giving each User Account access to the Public Folder, they'll all be able to see and modify (if you allow it) the common office contact list.
You can also use Microsoft's Business Contact Manager (Version 2) to create shared contacts. BCM is a free add-in to Outlook 2003. Sending email, both inside and outside of the Office, to each person will be automatically handled by Exchange and Outlook.
There are a couple of books on how to configure SBS. Harry Brelsford's two SBS 2003 books are popular. Microsoft has one, too. There's also a three-day Microsoft course and certification on SBS installation and management.
Security-related recommendations:
1) Install SBS SP1. Install Exchange SP2 and configure the IMF (Spam Filter).
2) Allow SBS to update all XP Professional clients to SP2.
3) Use third-party IP-based Spam Server block lists for Exchange.
4) Insist on (and enforce through SBS) LONG passphrases.
5) Insist that everyone use their own account/password for logons. Medical practices have HIPAA compliance to worry about. Financial groups have SOX.
6) Perform monthly patching of the Server and all clients.
7) Don't allow Windows 95, 98, or ME clients on your network. They are NOT secure.
8) Install both Server-based and client-based Antivirus products. Get an email-server-aware antivirus for the Server, that will catch viruses BEFORE they enter your email system.
9) Do monthly tests of your backup integrity. Do monthly security and patch scanning, using MBSA.

