APPENDIX D Default Settings
Platí pro: Windows SBS 2003
Microsoft® Windows® Small Business Server 2003 is designed specifically for the needs of small businesses. As such, Setup provides default settings specifically designed for a small business network. For more information, see the section "Server Installation and Configuration."
Windows Small Business Server 2003 also provides tools for automatically configuring client computers running Microsoft® Windows® XP Professional or Windows 2000 Professional based on best practices for your small business network. For more information, see "Client Configuration," later in this appendix.
Server Installation and Configuration
This section outlines the configurations performed by Setup based on best practices for a small business network.
Several of the settings configured by Setup require that you complete the Connect to the Internet task on the To Do List, which appears at the end of Setup. This task opens the Configure E-mail and Internet Connection Wizard.
Local Network Adapter
During the operating system installation, detected network adapters are enabled and configured to use Transmission Control Protocol/Internet Protocol (TCP/IP). As part of configuring the operating system, you will select the network adapter used to connect to your local network (also called your private or internal network) and then enter a static IP address (Setup provides a default value of 192.168.16.2). A static IP address for your server's local network adapter is necessary because the server performs network services that require the IP address to stay the same.
During Setup, all network adapters on the server except the one you selected to access your local network are disabled. Your settings on the disabled adapters are preserved.
NTFS Formatted System Drive
Windows Small Business Server 2003 requires that the system drive be formatted as the NTFS file system. An NTFS partition is required for components, including Active Directory® and Microsoft® Exchange Server 2003. It is also recommended that all drives and partitions be formatted as NTFS.
During Setup, disk quotas are enabled so that you can monitor and control the amount of disk space used by individual users. Each user is allowed 1 gigabyte (GB) of space. Administrators are not assigned a disk quota limit. For more information on changing disk quotas, see Help and Support after Setup is complete.
Use an NTFS drive provides additional benefits, including:
Better scalability to large drives. The maximum partition or volume size for NTFS is much greater than that for file allocation table (FAT), and as volume or partition sizes increase, performance with NTFS does not degrade as it does with FAT.
The ability to set permissions on individual files rather than just folders.
File encryption, which you can enable to greatly enhance network security.
Recovery logging of disk activities, which allows NTFS to restore information in the event of power failure or other system problems.
Sparse files, which are very large files created by applications in such a way that only limited disk space is needed. NTFS allocates disk space only to the written portions of a file.
As part of configuring the operating system, Setup installs Active Directory and promotes the computer to a domain controller. This creates your Windows Small Business Server domain.
Active Directory is a directory service that catalogs information about all the objects (such as users, groups, and client computers) on a network and distributes that information throughout the network. Active Directory gives network users access to permitted resources anywhere on the network using a single logon process. It also provides a consistent way to name, describe, locate, access, manage, and secure information about these individual resources. Additionally, it assists administrators with management tasks by providing a unified, logical view of the network organization and its resources.
Active Directory is a requirement for installing several server applications. When Setup installs and configures Active Directory, the following changes are made:
The internal (local) domain is created using the default value of organization_name.local. Spaces or nonstandard characters in your organization name are excluded. If your organization name contains all nonstandard characters, the default DNS name for the internal domain is smallbusiness.local.
The default settings for your internal domain are designed to separate your local (or internal) network from the Internet (or external network). Using the .local label for the full DNS name for the internal domain is a more secure configuration because the .local label is not registered for use on the Internet. This separates your internal domain from your public Internet domain name. Additionally, using the extension of your registered Internet domain name (for example, .com, .net, and .biz) can result in name resolution issues.
The Directory Services Restore Mode password is synchronized with the built-in Administrator account password so that you do not have to manage two passwords. If the Administrator account password is modified, the Directory Services Restore Mode password is updated with the change.
The Directory Services Restore Mode password is used to log on to a domain controller when the computer is started in Directory Services Restore Mode. Directory Services Restore Mode is a safe mode that allows you to start a domain controller in order to complete a system restore in the case of entire system loss.
The domain is set to Windows 2000 native functional level (in Windows 2000, this was known as native mode) to support the tools provided with Windows Small Business Server, as this enables Active Directory features such as universal groups and nested group membership. This functional level requires that all domain controllers in the domain be running Windows® 2000 Server or Windows Server™ 2003.
A new Group Policy object is created to disable password policies. An administrator can then choose to configure password policies if they want to require strong passwords for their users by running the Configure Password Policies task, which is available from Server Management.
The operating system has the following requirements:
The computer running Windows Small Business Server must be at the root of the forest. A forest is a grouping or hierarchical arrangement of one or more active directory trees. A tree is a grouping or hierarchical arrangement of one or more domains, as shown in Figure D.1. Your Windows Small Business Server domain cannot be created as a child domain of an existing domain. The Windows Small Business Server domain is a single tree in a single forest.
There can only be one computer running Windows Small Business Server 2003 in the Windows Small Business Server domain. If you are migrating from a previous version of Small Business Server, you are allowed two computers running versions of Small Business Server during the server migration process. Within 7 days, you must verify that the new server is running properly, and then remove the original server. However, you can have additional domain controllers running Windows 2000 Server or Windows Server 2003.
You cannot establish any type of trust between the Windows Small Business Server domain and any other domain. A trust is a logical relationship established between domains to allow user accounts and global groups defined in one domain to be given rights and permissions in another domain. The double-arrows in Figure D.1 show trust relationships.
Figure D.1 Active Directory forest and Windows Small Business Server domain
To learn more about Active Directory, see Help for Windows Server 2003, Standard Edition, at http://go.microsoft.com/fwlink/?LinkId=16783.
In Help, double-click Active Directory, and then double-click Concepts.
To support the Active Directory® directory service and to resolve Domain Name System (DNS) queries for local network resources, the DNS Server service is installed and configured. A local DNS server improves performance of the queries for local network resources as it does not require an external query to the DNS servers at your Internet service provider (ISP). To resolve queries for Internet resources, your DNS server is configured to forward the queries to the DNS servers at your ISP. By using the DNS servers at your ISP for name resolution, you do not have to manage DNS resource records for Internet resources.
As part of the DNS configuration of the server, the following changes are made by running Setup:
To prevent your DNS server from resolving queries for resources on the Internet, the root zone that is automatically created when DNS is installed is deleted and DNS is configured to listen only for DNS queries from the local network.
So that your internal DNS records are not available on the Internet, the DNS server is unbound from the external network adapter.
To allow your DNS server to resolve your local client computer's reverse queries, a reverse lookup zone for the local subnet is created. A reverse query resolves the IP address to the fully qualified host name of your server.
So that name resolution requests intended for the Internet are forwarded to the DNS servers at your ISP, the Configure E-mail and Internet Connection Wizard sets the DNS server addresses for your external network adapter to the IP address of your local network adapter. Additionally, forwarders are created so that internal name resolution is more efficient and your internal host information is not broadcasted over the Internet.
If you do not want to use the DNS servers provided by your ISP, DNS requests must instead use root hints. It is recommended that you use DNS server information if it is available from your ISP. For more information about root hints, see click Start, and then click Help and Support after Setup is complete.
A local DNS server does not limit your ability to host Web sites available to the Internet on the server. For more information, click Start, click Help and Support, and then search for "Hosting an Internet Web Site" after Setup is complete.
If you host your own Web site on the server and your ISP requires you to maintain your own DNS server on the Internet, it is recommended that you install a second Windows server. Using Windows Small Business Server 2003 to host a DNS server published to the Internet results in a security risk for your local network. For more information, search for article 254680 in the Knowledge Base at http://go.microsoft.com/fwlink/?LinkID=4441.
Dynamic Host Configuration Protocol (DHCP) is a TCP/IP service protocol that dynamically leases IP addresses and distributes other configuration parameters to client computers. The DHCP server provides a standard for managing the process by which DHCP-enabled client computers obtain an IP address.
During Setup, if an existing DHCP Server service is detected on the network, you are prompted to decide if you want to use the existing device or have Setup install and configure the DHCP Server service provided with Windows Small Business Server 2003.
When prompted, disable the existing device and use the DHCP Server service provided with Windows Small Business Server 2003. This ensures that Setup is able to properly configure the DHCP Server service for your network. Although Setup is able to configure DHCP server settings on devices that support the UPnP™ architecture, not all DHCP server devices support all of the DHCP settings that Setup configures for your network. Additionally, if your existing DHCP server does not support the UPnP architecture, you must manually configure the DHCP scope options as specified in Appendix C, "Network Configuration Settings."
If you have an existing device that is running a DHCP Server service that you want to continue using, ensure that the device is turned on and connected to the network before running Setup.
If you want to use the DHCP Server service provided with Windows Small Business Server 2003, do not disable the existing DHCP server until prompted by Setup. Otherwise, Setup cannot detect the IP address range currently in use in the local network.
If DHCP is configured on the server, it is configured by Setup as follows:
To prevent your DHCP server from responding to IP address requests from clients on the Internet, the DHCP Server service is bound only to the internal network adapter.
The DHCP scope is configured for the DHCP server provided with the server or a DHCP device that supports the UPnP architecture as follows:
To define the default gateway used by client computers, the router option is set to the IP address of the server's local network adapter. However, if you have only one network adapter on the server and you are using a router device to connect to the Internet, the default gateway is set to the IP address of the router's internal interface.
To provide client computers with name resolution services for the local network, the DNS server option of client computers is set to the IP address of the server's local network adapter.
To provide client computers with the fully qualified domain name (FQDN) for the local network, the DNS domain name option is set to the full DNS name for internal domain (for example, smallbusiness.local).
The following settings are only configured for the DHCP server scope on the computer running Windows Small Business Server 2003:
To provide name resolution services for the local network to client computers running Microsoft® Windows® 98 and earlier or Windows NT® 4.0 and earlier, the Windows Internet Name Service (WINS) server option is set to the IP address of the server's local network adapter. Additionally, the WINS node type option is set to hybrid (h-node), which prevents unnecessary broadcast traffic.
To leave available IP addresses for printers and other servers that require a static address, the scope excludes the first 10 IP addresses in the address pool from distribution by the DHCP server.
Because client computers running Microsoft® Windows® 2000 Professional and Windows XP Professional automatically register and dynamically update their DNS names with the DNS server, and because WINS is installed for client computers running Microsoft® Windows® 98 and earlier, DHCP is not enabled for dynamic updates.
Although you can statically assign IP address settings to your client computers rather than use a DHCP service, it is not recommended. Assigning static IP address settings can result in more network administration time. Additionally, you will not be able to automatically configure client computers running Windows 2000 Professional or Windows XP Professional using the network Setup provided with the server tools.
Internet Information Services
Microsoft® Internet Information Services (IIS) is installed to support Web-based services, including Microsoft® Windows® SharePoint® Services (your intranet), Outlook® Web Access (Web-based e-mail access), Outlook® Mobile Access (Web-based e-mail access for mobile devices), and the Remote Web Workplace.
The following changes are made to IIS by Setup:
A new virtual server named "companyweb" is created for Windows SharePoint Services. Anonymous access to the site is disabled.
Secure Sockets Layer (SSL) is configured to secure communications between your Web server and Web browsers.
The default Web site for IIS is configured to only respond to requests from the local network.
By running the Configure E-mail and Internet Connection Wizard, the following changes are made:
The maximum number of incoming Web request connections allowed to the default Web site or the companyweb site for Windows SharePoint Services is set to 500. This improves system availability and reliability by mitigating denial-of-service attacks against your Web site.
You can also allow access from authorized users on the Internet to Web services on the server, such as Outlook Web Access.
Because several Web services are automatically configured to require users to connect using SSL, the Sbsflt.dll ISAPI filter is installed. An ISAPI filter is an application programming interface that resides on a server for initiating software services tuned for Windows operating systems. The filter automatically redirect users who connect to the Web server by typing http:// (a non-secure connection) to be using https:// (a secure connection) for services that require https://.
If you decide to use ISA Server 2004 as your firewall, the following changes are also made to IIS:
Socket pooling is disabled. This enables ISA Server to use port 80 so ISA Server can monitor incoming Web requests.
The http.sys driver is configured to only bind to the local network adapter and the loopback adapter. By doing this, IIS will only listen to Web requests from the local network adapter. This allows ISA Server to monitor incoming Web requests from the Internet.
RPC over HTTP Proxy
Setup installs this component to allow users to remotely access their e-mail from a client computer on the Internet using Outlook 2003, without creating a virtual private network (VPN) connection.
RPC over HTTP Proxy is configured as follows:
A new virtual directory named "rpc" is created for the RPC over HTTP Proxy service. Anonymous access to the site is disabled.
By running the Configure E-mail and Internet Connection Wizard, you can enable the service by selecting Outlook via the Internet when you enable access to your Web server from the Internet.
To secure your local network from unauthorized Internet access, firewall, network address translation (NAT), and routing services must be configured. A firewall protects your local network from unauthorized Internet access by permitting only the network traffic that you specify to reach the local network. Since it is recommended that you use private (non-routable) IP addresses for your local network, the NAT service is required to translate the private IP addresses to public IP addresses when client computers on the local network access the Internet. The routing service forwards requests for the Internet to and from the local network. In this way, the device performing NAT provides address filtering capability, which improves network security. For more information, see Appendix B, "Understanding Your Network."
To provide these services for your local network, Setup will automatically install the Routing and Remote Access service. Then, by running the Configure E-mail and Internet Connection Wizard, the Routing and Remote Access service is configured to meet the needs of your small business. Or, if the wizard detects that you have an existing firewall device on the network that supports the UPnP architecture, it will configure the settings on the device that are necessary for your local network. If the device does not support the UPnP architecture or the standard used by the UPnP certified device is not supported by the wizard, you must manually configure the firewall settings. For more information, see the section "Configuration Settings for an Existing Firewall Device" in Appendix C.
The Routing and Remote Access service or a UPnP certified firewall is configured when you run the Configure E-mail and Internet Connection Wizard as follows:
A standard set of services necessary to ensure your Internet connectivity are automatically allowed through the firewall. For more information about the standard set of services, after Setup is complete, click Start, click Help and Support, and the search for "Firewall settings for your Windows Small Business Server."
If you allow access to your Web server's default Web site or specified services from authorized users on the Internet, the firewall is configured to forward the port numbers used by the specified service to pass through. You can also specify additional services that you want to allow through the firewall.
ISA Server 2004
Internet Security and Acceleration (ISA) Server 2004, which ships with Windows Small Business Server 2003 Service Pack 1 Premium Edition, contains a full-featured, application-layer-aware firewall that helps protect your network from attack by both external and internal threats.
You can install ISA Server 2004 as the firewall for your local network. You install ISA Server from the Premium Technologies CD Setup page by clicking the ISA Server installation link on that page. After the installation is complete, the Configure E-mail and Internet Connection Wizard runs to help you configure your firewall settings.
To view a detailed list of information about the settings that the Configure E-mail and Internet Connection Wizard configures, open a Web browser, and in the Address box type %SBSProgramDir%\Networking\ICW\Icwdetails.htm. This file shows you the settings for your network, firewall, secure Web site, and e-mail.
Microsoft® Exchange Server 2003 provides messaging for Internet and intranet e-mail. Exchange also integrates with Microsoft® Office Outlook® 2003 for scheduling meetings and sharing contacts. In addition, Exchange provides users with remote Web access to e-mail, scheduling, and contacts through Outlook Web Access or Outlook Mobile Access.
As part of Setup and by running the Configure E-mail and Internet Connection Wizard, the following configurations are made for Exchange:
The deleted items retention is set to 30 days. However, by running the Backup Configuration Wizard, you can turn the value on/off or change the value.
Circular logging is enabled to reduce drive storage space requirements. This is the recommended configuration if a backup solution is not configured. When you run the Backup Configuration Wizard, circular logging is disabled since the Exchange logs are deleted after each backup.
The time-out interval is set to 10 minutes to disconnect idle user sessions, unless you previously configured this setting.
The mailbox quota for each user is set to block at 200 megabytes (MB) to control the amount of disk space used by individual user mailboxes. A warning is sent to the user when the amount of disk space used by an individual user reaches 175 MB.
The Microsoft Connector for POP3 Mailboxes is installed. Using the Configure E-mail and Internet Connection Wizard or the POP3 Connector Manager, you can define POP3 mailboxes that will be downloaded to Exchange mailbox(es).
The following changes are only made by running the Configure E-mail and Internet Connection Wizard:
Only clients computers with an IP address within the range of IP addresses for the local network, or authenticated users, are allowed to relay mail through the SMTP virtual server. This is to allow internal mail clients that do not authenticate to be able to send mail.
Specified attachments to e-mail received from the Internet can be removed. You can also specify a folder where the removed e-mail attachments are then saved.
The number of outbound connections is limited to 10. This prevents Exchange from using excessive amounts of network bandwidth.
The maximum number of concurrent connections for incoming message delivery is set to 500. This improves server availability and reliability.
The default recipient policy is set to your e-mail domain name for SMTP e-mail addresses. The e-mail domain is used as the e-mail address for users who send e-mail to the Internet. For example, if your e-mail domain name is wingtiptoys.com, an e-mail address could be Chris@wingtiptoys.com.
An SMTP connector is created to send and receive Internet e-mail based on the selections you made in the wizard.
Windows SharePoint Services
Windows Small Business Server 2003 provides your company with a preconfigured intranet using Microsoft® Windows® SharePoint™ Services.
As part of Setup, Windows SharePoint Services is configured as follows:
A custom Web site for your company's intranet is created at http://companyweb. Additionally, to provide examples for how the intranet site can be used, Setup will populate the site with additional sample content such as lists, document libraries, and documents. A new virtual server, bound to a host header of http://companyweb and port 80 is created. A DNS cname resource record is created for http://companyweb.
When you create a user with the Add User Wizard, that user receives a SharePoint site group membership, which defines access to the intranet site. These site group memberships are inherited from the template the user was modeled after. Administrators and power users are made members of the Administrators site group, which allows them unrestricted access to the Web site. All other users are made members of the Web Designers site group, which allows them to read, add, modify documents, and change the layout of the site.
If Fax Service is installed, the Incoming Faxes document library is created. You can then select to route incoming faxes to this document library as part of configuring the Shared Fax Service. Users can then subscribe to the Incoming Faxes document library, and receive e-mail notification when faxes arrive.
If Exchange is installed, the alerts service is configured. This allows users to subscribe to document libraries and then receive e-mail notification if a document in the library is added or modified.
An instance of Microsoft SQL Server™ 2000 Desktop Engine (Windows) (WMSDE) is installed as the database used by Windows SharePoint Services. WMSDE is a protected system database that only Windows components can use. No other applications can use it. Also, it has no size limit.
The central administration for the SharePoint site is set to port 8081. For example, administrators can connect by typing http://localhost:8081.
The site owner is set to the account used while installing Setup. Generally, this is the Administrator account.
Setup installs an instance of Microsoft SQL Server 2000 Desktop Engine (MSDE 2000) as the monitoring database. Other applications can use the MSDE 2000 database, and the database has a size limit of 2 gigabytes (GB).
The following section outlines the automatic configurations performed as part of client Setup for client computers running Windows XP Professional and Windows 2000 Professional, based on best practice implementations.
To connect client computers to the network, use DHCP to automatically assign IP addresses.
Client Networking Configuration
Once you have added users and computers using the To Do List, go to the client computer, open Internet Explorer, and type http:// ServerName /connectcomputer (where ServerName is the name of the computer running Windows Small Business Server). Click Connect to the network now, and follow the instructions in the Small Business Server Network Configuration Wizard to configure networking settings for your client computers. The wizard requires the following:
You must be logged on as a member of the Local Admins security group on the client computer.
Only one network adapter can be enabled and configured to connect to the local network.
TCP/IP, Client for Microsoft Networks, and File and Printer Sharing for Microsoft Networks must be installed and bound to the network adapter. TCP/IP is configured to automatically obtain an IP address and DNS server addresses.
Client Application Configuration
After the applications that have been deployed by the Set Up Computer Wizard are installed, they are configured for each user and for the local network. The following settings are configured:
Microsoft Internet Explorer 6 Service Pack 1
Internet Explorer 6 provides the Web browser for client computers. Client Setup Configuration configures Internet Explorer 6 as follows:
The Home Page is configured to point to "My Company" (http://companyweb).
The following internal Web site links are added to the Favorites list Web site:
Web site Address
Microsoft Windows Small Business Server Web site
Information and Answers
Small Business Server Administration
Microsoft Office Outlook 2003
Outlook 2003 provides a single location for organizing and managing daily information, from e-mail and calendars to contacts and task lists. Client Setup Configuration configures Outlook 2003 as follows:
A user profile is created and configured to use Exchange Server 2003. The profile specifies Exchange connections and defines account information.
If the client computer contains existing profiles, the option for using Exchange is added and a new profile is created as the default. The old profile is backed up.
If you specify that the client computer will be used remotely, Outlook 2003 is configured to run in Cached Exchange Mode.
Fax Client enables users to send faxes directly from their desktops. Depending on the users permissions, users can view the status of faxes in the queue or cancel faxes. Client Setup Configuration configures Fax Client as follows:
- Outlook is configured with faxing capability.