Navigation
Install the app
How to install the app on iOS
Follow along with the video below to see how to install our site as a web app on your home screen.
Note: This feature may not be available in some browsers.
More options
-
Congratulations SkipVought on being selected by the Tek-Tips community for having the most helpful posts in the forums last week. Way to Go!
You are using an out of date browser. It may not display this or other websites correctly.
You should upgrade or use an alternative browser.
You should upgrade or use an alternative browser.
Initial Setup
Installation
Initial Setup
by
markdmac
Posted
(Edited
)
[blue]MARKDMACÆs SBS 2011 Extra Configuration Steps[/blue]
This FAQ provides guidance on extra steps you should take when setting up SBS 2011. Some sections should be evaluated while other should be done on all installs. Those items I consider mandatory are listed as All Installs.
A. Check Old Database Size and Set Registry on New Server: All Installs
http://technet.microsoft.com/en-us/library/bb232092.aspx
B. Enable DHCP Conflict Detection: All Installs
A. Open DHCP, right click the IPv4 protocol.
B. Choose properties.
C. Click the Advanced tab.
D. Change the number of conflict checks from zero to one.
C. Discuss what computers belong to what users for RWW: All Installs
Gather workstation list and setup RWW defaults.
D. Discuss Implementing Restricted Groups With Customer: All Installs
Enabling restricted groups allows us to restrict who is a local admin and prevents users from creating backdoor admin accounts. Any account added to a PC will be automatically deleted if it is not part of the Restricted Groups list.
To enable restricted groups:
1. Open GPMC and create and link a new GPO at the top level of the domain.
2. Edit the GPO.
3. Right click the top most link in the GPO and choose Properties.
4. Click the Security tab.
5. Remove all entries related to users. Leave Domain Admins in place.
6. Add Domain Computers and check the box for Apply policy.
7. In the list, select Domain Controllers and check the box for Deny policy.
8. Click OK
9. Right-click Restricted Groups (under Computer Configuration\Windows Settings\Security Settings\Restricted Groups), and then click Add Group.
10. Click Browse. Focused on the local computer, click the "Administrators" group, click ADD, and then click OK. You are returned to the group policy and you see the administrators group listed in the Restricted Groups window.
11. Right-click the group, and then click Security.
12. To the right side of the Members of this Group box, click ADD, and then click Browse.
13. Add the appropriate users to the group. For domain accounts use the browse button to ensure the domain name is included. For the local Administrator ID, type Administrator. Add:
ò UserDomain\Domain Admins
ò UserDomain\Domain Users (if appropriate)
ò Administrator
E. Install Specops GPUpdate utility: All Installs
This free utility lets you reboot computers and remotely push a GPUpdate from ADUC.
http://www.specopssoft.com/products/specops-gpupdate/specops-gpupdate-download
F. Remove Quota Limits on Public and Private Stores: All Installs
Discuss with client and remove or adjust quota limits on databases.
Recommendation: Remove on public folders.
Use PowerShell to remove quotas for users before the move:
get-mailbox | Set-Mailbox -UseDatabaseQuotaDefaults:$False -issuewarningQuota ôUNLIMITEDö -ProhibitSendQuota ôUNLIMITEDö -ProhibitSendReceive ôUNLIMITEDö
G. Moving public folders and System Mailboxes
1) Assign Rights To Public Folders:
Get-PublicFolder -Recurse -Server SBS7 -Identity "\" | Get-PublicFolderClientPermission -Server 'servername.companyname.local' -User 'Companyname.local/Users/Administrator' | Remove-PublicFolderClientPermission -Server 'servername.companyname.local'
Get-PublicFolder -Recurse -Server SBS7 -Identity "\"| Add-PublicFolderClientPermission -Server 'servername.companyname.local' -User 'Companyname.local/Users/Administrator' -AccessRights 'Owner'
2) Manage Replicas:
.\AddReplicaToPFRecursive.ps1 -Server OLDSERVERNAME -TopPublicFolder "\" -ServerToAdd NEWSERVERNAME
.\RemoveReplicaFromPFRecursive.ps1 -Server NEWSERVERNAME -TopPublicFolder "\" -ServerToRemove OLDSERVERNAME
3) Move the arbitration mailboxes:
Get-MoveRequest -MoveStatus Completed | Remove-MoveRequest
Get-Mailbox -Database 'Old Database' -arbitration | New-MoveRequest -TargetDatabase 'NewDatabase'
Get-MoveRequest|Select Identity, Status|FL
H. Verify client IP has RDNS and SPF records: All Installs
Verify client IP has RDNS and SPF records.
I. Discuss ActiveSync password policies with customer: All Installs
Discuss enabling passwords on cell phones. Determine if passwords will be used and modify or create new policies accordingly.
J. Assign certificate to RWW sessions: All Installs
A. From Administratove Tools\Remote Desktop Services select Remote Desktop Session Host Configuration.
B. Right click RDP-Tcp choose Properties.
C. On the General tab, click Select.
D. Select the public certificate and click OK two times.
E. If prompted with a notice about existing connections, click OK.
[red]
If you do not do this, RWW may not be able to remote control computers from inside the domain.[/red]
K. Set max message size
Discuss with client, ask what the max size they want to allow should be. Change the values in red.
Set-TransportConfig -MaxRecipientEnvelopeLimit [red]75[/red]MB -MaxReceiveSize [red]75[/red]MB -MaxSendSize [red]75[/red]MB
L. Set the SCL level to configure Junk Mail threshold
A message with SCL of 9 is likely spam
A message with SCL of 0 is not spam
The default is 2. That means that anything above 2 and lower than the rejection settings (Org Config/Hub Transport/Content Filtering/Action tab) which default to 7 will be sent to the Outlook Junk Mail folder.
Use the following PowerShell command in the Exchange Management Shell.
Set-OrganizationConfig -SCLJunkThreshold 6
M. Enable Powershell Scripts: All Installs
Open PowerShell.
Run the following command:
Set-ExecutionPolicy Unrestricted
Note: This is a security risk. Only run scripts from sources you trust.
N. Create internal Autodiscover in DNS: All Installs
In the MS DNS console add a new SRV record with the following:
Name: _autodiscover
Protocol: _tcp
Port: 443
Host: remote.clientdomain.com
O. Create Autodiscover in Public DNS: All Installs
1) Log into public DNS.
2) Add a new A record called Autodiscover.
3) Point Autodiscover to the public IP address of the SBS server.
[red]
Note: if DNS contains a zone for the public domain name, you must do this step internally in that zone as well, but point the IP to the internal IP address of the SBS server.[/red]
P. Virtualize Old Media: All Installs
In order to remove Exchange from an SBS 2003 server, you will need to have access to SBS 2003 Disk 2. If working remotely you will need the ability to mount/change media at will. Create ISO images from original media and leave on the old server to be used during the decommission process.
Virtualize the disks with LCISOCreator.
http://www.lucersoft.com/files/free/LCISOCreator.zip
Mount the ISO with Virtual Clone Drive
http://static.slysoft.com/SetupVirtualCloneDrive.exe
The following section is only for Blackberry Enterprise Server Express (BESExpress) Installs
Setup the BESAdmin ID
ò Make an ID called BESADMIN
ò Make BESAdmin a member of Administrators Group
ò Assign the BesAdmin user "log on as a service" rights in the Default Domain Controller Policy
Run the following in Exchange Management Shell
ò Get-MailboxDatabase | Add-ADPermission -User "BesAdmin" ûAccessRights ExtendedRight -ExtendedRights Receive-As, ms-Exch-Store-Admin
ò Add -RoleGroupMember "View-Only Organization Management" -Member "BesAdmin"
ò Add-ADPermission -InheritedObjectType User -InheritanceType Descendents ûExtendedRights Send-As -User "BesAdmin" -Identity "OU=SBSUsers,OU=Users,OU=MyBusiness,DC=COMPANY,DC=local"
ò Get-ThrottlingPolicy | Where-Object {$_.IsDefault -eq "True"}|Set-ThrottlingPolicy -RCAMaxConcurrency $null
Set Send/Receive As Security for Users
ò In ADUC, view Advanced Properties.
ò View properties of the SBS Users OU.
ò Select Security.
ò Add BESAdmin.
ò Click Advanced.
ò Highlight BESAdmin.
ò Click Edit.
ò Select Descendant User Objects in the drop down.
ò Check the boxes for SendAs and ReceiveAs.
ò Click OK 3 times.
Install the Exchange MAPI CDO 1.2.1 package
http://www.microsoft.com/downloads/en/details.aspx?FamilyID=e17e7f31-079a-43a9-bff2-0a110307611e&displaylang=en
Now perform a default installation of the BESExpress Software.
After BESExpress is installed, enable the Hard Deletes Setting:
ò Log into the BlackBerry Administration Service.
ò In the BlackBerry Administration Service, on the Servers and components menu, expand BlackBerry Solution topology > BlackBerry Domain > Component view > Email.
ò Click the instance that you want to change.
ò Click Edit instance.
ò On the Messaging tab, in the Messaging options section, in the Hard deletes reconciliation drop-down list, click True.
ò Click Save all.
ò On the computer that hosts the BlackBerry Dispatcher, restart BlackBerry Dispatcher service.
This FAQ provides guidance on extra steps you should take when setting up SBS 2011. Some sections should be evaluated while other should be done on all installs. Those items I consider mandatory are listed as All Installs.
A. Check Old Database Size and Set Registry on New Server: All Installs
http://technet.microsoft.com/en-us/library/bb232092.aspx
B. Enable DHCP Conflict Detection: All Installs
A. Open DHCP, right click the IPv4 protocol.
B. Choose properties.
C. Click the Advanced tab.
D. Change the number of conflict checks from zero to one.
C. Discuss what computers belong to what users for RWW: All Installs
Gather workstation list and setup RWW defaults.
D. Discuss Implementing Restricted Groups With Customer: All Installs
Enabling restricted groups allows us to restrict who is a local admin and prevents users from creating backdoor admin accounts. Any account added to a PC will be automatically deleted if it is not part of the Restricted Groups list.
To enable restricted groups:
1. Open GPMC and create and link a new GPO at the top level of the domain.
2. Edit the GPO.
3. Right click the top most link in the GPO and choose Properties.
4. Click the Security tab.
5. Remove all entries related to users. Leave Domain Admins in place.
6. Add Domain Computers and check the box for Apply policy.
7. In the list, select Domain Controllers and check the box for Deny policy.
8. Click OK
9. Right-click Restricted Groups (under Computer Configuration\Windows Settings\Security Settings\Restricted Groups), and then click Add Group.
10. Click Browse. Focused on the local computer, click the "Administrators" group, click ADD, and then click OK. You are returned to the group policy and you see the administrators group listed in the Restricted Groups window.
11. Right-click the group, and then click Security.
12. To the right side of the Members of this Group box, click ADD, and then click Browse.
13. Add the appropriate users to the group. For domain accounts use the browse button to ensure the domain name is included. For the local Administrator ID, type Administrator. Add:
ò UserDomain\Domain Admins
ò UserDomain\Domain Users (if appropriate)
ò Administrator
E. Install Specops GPUpdate utility: All Installs
This free utility lets you reboot computers and remotely push a GPUpdate from ADUC.
http://www.specopssoft.com/products/specops-gpupdate/specops-gpupdate-download
F. Remove Quota Limits on Public and Private Stores: All Installs
Discuss with client and remove or adjust quota limits on databases.
Recommendation: Remove on public folders.
Use PowerShell to remove quotas for users before the move:
get-mailbox | Set-Mailbox -UseDatabaseQuotaDefaults:$False -issuewarningQuota ôUNLIMITEDö -ProhibitSendQuota ôUNLIMITEDö -ProhibitSendReceive ôUNLIMITEDö
G. Moving public folders and System Mailboxes
1) Assign Rights To Public Folders:
Get-PublicFolder -Recurse -Server SBS7 -Identity "\" | Get-PublicFolderClientPermission -Server 'servername.companyname.local' -User 'Companyname.local/Users/Administrator' | Remove-PublicFolderClientPermission -Server 'servername.companyname.local'
Get-PublicFolder -Recurse -Server SBS7 -Identity "\"| Add-PublicFolderClientPermission -Server 'servername.companyname.local' -User 'Companyname.local/Users/Administrator' -AccessRights 'Owner'
2) Manage Replicas:
.\AddReplicaToPFRecursive.ps1 -Server OLDSERVERNAME -TopPublicFolder "\" -ServerToAdd NEWSERVERNAME
.\RemoveReplicaFromPFRecursive.ps1 -Server NEWSERVERNAME -TopPublicFolder "\" -ServerToRemove OLDSERVERNAME
3) Move the arbitration mailboxes:
Get-MoveRequest -MoveStatus Completed | Remove-MoveRequest
Get-Mailbox -Database 'Old Database' -arbitration | New-MoveRequest -TargetDatabase 'NewDatabase'
Get-MoveRequest|Select Identity, Status|FL
H. Verify client IP has RDNS and SPF records: All Installs
Verify client IP has RDNS and SPF records.
I. Discuss ActiveSync password policies with customer: All Installs
Discuss enabling passwords on cell phones. Determine if passwords will be used and modify or create new policies accordingly.
J. Assign certificate to RWW sessions: All Installs
A. From Administratove Tools\Remote Desktop Services select Remote Desktop Session Host Configuration.
B. Right click RDP-Tcp choose Properties.
C. On the General tab, click Select.
D. Select the public certificate and click OK two times.
E. If prompted with a notice about existing connections, click OK.
[red]
If you do not do this, RWW may not be able to remote control computers from inside the domain.[/red]
K. Set max message size
Discuss with client, ask what the max size they want to allow should be. Change the values in red.
Set-TransportConfig -MaxRecipientEnvelopeLimit [red]75[/red]MB -MaxReceiveSize [red]75[/red]MB -MaxSendSize [red]75[/red]MB
L. Set the SCL level to configure Junk Mail threshold
A message with SCL of 9 is likely spam
A message with SCL of 0 is not spam
The default is 2. That means that anything above 2 and lower than the rejection settings (Org Config/Hub Transport/Content Filtering/Action tab) which default to 7 will be sent to the Outlook Junk Mail folder.
Use the following PowerShell command in the Exchange Management Shell.
Set-OrganizationConfig -SCLJunkThreshold 6
M. Enable Powershell Scripts: All Installs
Open PowerShell.
Run the following command:
Set-ExecutionPolicy Unrestricted
Note: This is a security risk. Only run scripts from sources you trust.
N. Create internal Autodiscover in DNS: All Installs
In the MS DNS console add a new SRV record with the following:
Name: _autodiscover
Protocol: _tcp
Port: 443
Host: remote.clientdomain.com
O. Create Autodiscover in Public DNS: All Installs
1) Log into public DNS.
2) Add a new A record called Autodiscover.
3) Point Autodiscover to the public IP address of the SBS server.
[red]
Note: if DNS contains a zone for the public domain name, you must do this step internally in that zone as well, but point the IP to the internal IP address of the SBS server.[/red]
P. Virtualize Old Media: All Installs
In order to remove Exchange from an SBS 2003 server, you will need to have access to SBS 2003 Disk 2. If working remotely you will need the ability to mount/change media at will. Create ISO images from original media and leave on the old server to be used during the decommission process.
Virtualize the disks with LCISOCreator.
http://www.lucersoft.com/files/free/LCISOCreator.zip
Mount the ISO with Virtual Clone Drive
http://static.slysoft.com/SetupVirtualCloneDrive.exe
The following section is only for Blackberry Enterprise Server Express (BESExpress) Installs
Setup the BESAdmin ID
ò Make an ID called BESADMIN
ò Make BESAdmin a member of Administrators Group
ò Assign the BesAdmin user "log on as a service" rights in the Default Domain Controller Policy
Run the following in Exchange Management Shell
ò Get-MailboxDatabase | Add-ADPermission -User "BesAdmin" ûAccessRights ExtendedRight -ExtendedRights Receive-As, ms-Exch-Store-Admin
ò Add -RoleGroupMember "View-Only Organization Management" -Member "BesAdmin"
ò Add-ADPermission -InheritedObjectType User -InheritanceType Descendents ûExtendedRights Send-As -User "BesAdmin" -Identity "OU=SBSUsers,OU=Users,OU=MyBusiness,DC=COMPANY,DC=local"
ò Get-ThrottlingPolicy | Where-Object {$_.IsDefault -eq "True"}|Set-ThrottlingPolicy -RCAMaxConcurrency $null
Set Send/Receive As Security for Users
ò In ADUC, view Advanced Properties.
ò View properties of the SBS Users OU.
ò Select Security.
ò Add BESAdmin.
ò Click Advanced.
ò Highlight BESAdmin.
ò Click Edit.
ò Select Descendant User Objects in the drop down.
ò Check the boxes for SendAs and ReceiveAs.
ò Click OK 3 times.
Install the Exchange MAPI CDO 1.2.1 package
http://www.microsoft.com/downloads/en/details.aspx?FamilyID=e17e7f31-079a-43a9-bff2-0a110307611e&displaylang=en
Now perform a default installation of the BESExpress Software.
After BESExpress is installed, enable the Hard Deletes Setting:
ò Log into the BlackBerry Administration Service.
ò In the BlackBerry Administration Service, on the Servers and components menu, expand BlackBerry Solution topology > BlackBerry Domain > Component view > Email.
ò Click the instance that you want to change.
ò Click Edit instance.
ò On the Messaging tab, in the Messaging options section, in the Hard deletes reconciliation drop-down list, click True.
ò Click Save all.
ò On the computer that hosts the BlackBerry Dispatcher, restart BlackBerry Dispatcher service.
Please Note: 1 is Bad, 10 is Good :-)
Part and Inventory Search
-
This site uses cookies to help personalise content, tailor your experience and to keep you logged in if you register.
By continuing to use this site, you are consenting to our use of cookies.