SBS 2011 Post-Setup Manual Steps
Microsoft Windows Small Business Server (SBS) 2011 usually requires some post-setup steps which are not covered by the setup wizards in the Windows SBS Console.
Domains, IP Address & Certificates
The use of a registered domain, static IP address and a certificate from a trusted certificate authority is highly recommended, and should be considered mandatory. Using dynamic IP addresses with a dynamic DNS service, and self-issued certificates is possible, but both configurations require much more manual attention, initially and over the life of the server. Additionally, having your own domain name is virtually mandatory with SBS.
- If using an external name server provider for your domain, configure the “remote” alias as an A record, pointing to your site's IP address.
- Configure the Autodiscover records.
- Configure the MX with an A record. Don't configure the MX with a CNAME.
- Ensure the certificate you obtain contains the name remote.<domain>.
- If using a static IP address, ask your ISP to set up a reverse DNS pointer for remote.<domain>† to your IP. (This step is not necessary if you are using an upstream smart host to route outbound email, but it's a good practice anyway in case you switch the configuration later.)
† Substitute for the alias you choose if not the default.
Updates & Software Installation
- Refer to the Exchange Server Supportability Matrix for information on supported versions of .NET Framework. Do not install any full packages of .NET Framework offered via Windows Update yet.
Block unsupported versions with the following:
reg add "HKLM\SOFTWARE\Microsoft\NET Framework Setup\NDP\WU" /v BlockNetFramework46 /t REG_DWORD /d 1 /f
reg add "HKLM\SOFTWARE\Microsoft\NET Framework Setup\NDP\WU" /v BlockNetFramework461 /t REG_DWORD /d 1 /f
reg add "HKLM\SOFTWARE\Microsoft\NET Framework Setup\NDP\WU" /v BlockNetFramework462 /t REG_DWORD /d 1 /f
reg add "HKLM\SOFTWARE\Microsoft\NET Framework Setup\NDP\WU" /v BlockNetFramework47 /t REG_DWORD /d 1 /f
reg add "HKLM\SOFTWARE\Microsoft\NET Framework Setup\NDP\WU" /v BlockNetFramework471 /t REG_DWORD /d 1 /f
reg add "HKLM\SOFTWARE\Microsoft\NET Framework Setup\NDP\WU" /v BlockNetFramework472 /t REG_DWORD /d 1 /f
- Don't install Internet Explorer 10 or later yet. IE10 deprecates some group policy objects on the server which means you won't be able to edit the default policies SBS applies to Internet Explorer.
- Apply Exchange Server 2010 Service Pack 3. (You may need to manually stop some services first.) Post-service pack Exchange Server rollups will be offered via Windows Update.
- Apply KB2401588.
- After applying the Sharepoint 2010 updates via Windows Update, manual intervention is required. Open an elevated command-prompt and enter:
cd /d "C:\Program Files\Common Files\Microsoft Shared\Web Server Extensions\14\BIN"
PSConfig.exe -cmd upgrade -inplace b2b -force -cmd applicationcontent -install -cmd installfeatures
Until this is done, the SBS 2011 Backup may fail with a Volume Shadow Copy Service 0x800423f0 error.
One-Off Post Installation Tasks
- Add backup drives. If possible, set up all removable drives for backups at the same time. Otherwise, you may need to use a manual workaround. See Error message when you try to add an additional disk to a scheduled backup.
- Set up forwarders in the DNS console. Specify your ISP or third party's DNS resolvers. (If not using third-party resolvers, it may be necessary to edit the registry as per KB968372.)
- DHCP: Enable DNS Dynamic Updates & Extend Lease Time. Suggested settings as follows, but alter as required:
Extend the lease time to avoid a DCOM Error 10009 error and other IP address confusion as devices exit and re-enter the network.
- Reset Internet Explorer policy settings. SBS 2011 imposes policies on Internet Explorer, which, amongst other things, overrides users' homepages with http://companyweb. However, these policies are deprecated in Internet Explorer 10 and above so they should be removed prior to installing IE 10 or above on the server. The default policies will still be applied to any clients using Internet Explorer 9 or below, but the policies won't be able to be edited. Open Group Policy Management on the server, right-click Windows SBS User Policy under Forest: [Your Domain] → Domains → [Your Domain] and choose Edit. Then navigate to User Configuration → Policies → Windows Settings → Internet Explorer Maintenance.
- Reserve TCP/IP Ports. By default, SBS 2011 has a lesser need to reserve listening ports to prevent them from being used as ephemeral (outbound) ports than earlier versions of Windows, but it is good practice to reserve some specific critical system ports, plus any additional ports required by your applications, to prevent connectivity problems that may arise later if the ephemeral port range is changed/expanded.
- Check Server's Gateway Setting. If you alter the server's IP address after the initial setup, the Gateway address may show as blank after each reboot. In turn this causes some services to not function properly, such as Terminal Services and DNS. To resolve, remove the blank line from the key DefaultGateway under HKLM\System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\[SID] (where [SID] is the identifier of the network adaptor).
- Enable Ampersands in IIS7. The default setting prevents opening the opening of any attachment with an ampersand (&) in the title in Outlook Web Access. This will need to be disabled if such documents need to be accessed.
- SSL Tweaks. See Improving Encryption Quality on Windows-Based Webservers.
- Increase Exchange 2010 Message Size Limits. Open the Exchange Management Shell and issue the following commands (assuming default SBS connectors and server name of <SERVER>):
Check and adjust global limits
Get-TransportConfig | ft MaxSendSize, MaxReceiveSize
Set-TransportConfig -MaxSendSize 100MB -MaxReceiveSize 100MB
For sending messages
Get-SendConnector | ft name, MaxMessageSize
Set-SendConnector "Windows SBS Internet Send <SERVER>" -MaxMessageSize 100MB
For receiving messages
Get-ReceiveConnector | ft name, MaxMessageSize
Set-ReceiveConnector "Windows SBS Internet Receive <SERVER>" -MaxMessageSize 100MB
Set-ReceiveConnector "Windows SBS Fax Sharepoint Receive <SERVER>" -MaxMessageSize 100MB
Set-ReceiveConnector "<SERVER>\Default <SERVER>" -MaxMessageSize 100MB
To check limits on individual mailboxes
Get-mailbox | ft Name, MaxSendSize, MaxReceiveSize, ProhibitSendQuota
- Configure other domains. If the server needs to handle email for domains other than the default domain entered during setup, they must be configured under Exchange Management Console → Organization Configuration → Hub Transport → Accepted Domains.
- Configure non-local mailboxes. If the organisation has some mailboxes on the same domain as the default domain, but which are hosted elsewhere (such as POP account), change the properties of the domain under Exchange Management Console, Organization Configuration → Hub Transport → Accepted Domains from Authoritative Domain to Internal Relay Domain. This ensures that any Exchange users who email to a recipient with the same email domain which are not recognised by the server will be forwarded to the external smart SMTP host.
- Adjust Internal Databases. There are three SQL Server instances running in SBS 2011 by default: .\MICROSOFT##SSEE, .\SBSMONITORING and .\SHAREPOINT. Servers with relatively little memory could have the memory usage of these instances constrained where necessary.
Also, some of the databases may not be accessible through Management Studio because an Owner ID is missing. This can be corrected by running the following query against each database:
EXEC sp_changedbowner 'sa'
- Configure Windows 7/8 Workstations. Using Internet Explorer 10 on Windows 7/8 systems to access the Remote Web Workplace will not work due to a compatibility problem (“The wizard cannot configure Remote Desktop Connection Settings. Make sure that the client version of Remote Desktop Protocol (RDP) 6.0 or later is installed on this computer”). To resolve, add the domain of the server to Tools → Compatibility View Settings and the Trusted Sites zone.
Because Internet Explorer adds compatible sites information to the browser History list, this information is lost every time the browser history is cleared. So you may wish to switch this off by adding the following command to the login script:
reg add "HKCU\Software\Microsoft\Internet Explorer\Privacy" /v CleanHistory /t REG_DWORD /d 0 /f
- Add Windows 10 Support. See http://blogs.technet.com/b/sbs/archive/2015/07/23/client-connector-availability-with-windows-home-server-small-business-server-and-windows-server-essentials-for-supported-client-os.aspx.
- Add certificate to non-domain joined machines. If using self-signed certificates, any systems which require access to Remote Web Workplace must have the server's certificate installed. If the certificate is from a trusted authority, this is not necessary.
- Check Email Configuration. Use the service at https://www.mail-tester.com to test how your outbound email is treated by the outside world.
- Configure L2TP. If users with iOS 10 or later versions of OS X need to connect to the server via VPN, configure L2TP.
Regular Maintenance Tasks
- Best Practices Analyser. Regularly run the Windows Server Solutions Best Practices Analyzer. It may pick up small issues which are causing larger problems which are otherwise hard to pinpoint.
- Fix Backup Errors. Some servers need manual intervention to resolve backup problems. See SBS 2008 Backup Issues. Also see Backup Version and Space Management in Windows Server Backup.
- Run WSUS Cleanup Wizard. Open Windows Server Update Services, then <Server> → Options → Server Cleanup Wizard. This clears out superceded update files. If not run regularly, the WSUS system ends up with gigabytes of obsolete update binaries.
Note this process will not substantially reduce the size of the WSUS database itself.
- Back up CompanyWeb. The SBS backup will backup Companyweb as part of the whole server backup, but if more control or granularity is required, the database can be backed up with the following commands:
cd /d "%ProgramFiles%\Common Files\Microsoft Shared\Web Server Extensions\12\BIN"
STSADM -o backup -url http://companyweb -filename "c:\backup\companyweb.bak" -overwrite
- Clear SBS logs. Over a period of time the internal logs collected by SBS can grow to several gigabytes. If the server is running well, these can be cleared from time to time:
net stop DataCollectorSvc
cd /d "C:\Program Files\Windows Small Business Server\Logs"
del MonitoringServiceLogs\*.* /s /q
net start DataCollectorSvc
del "C:\Program Files\Microsoft\Exchange Server\V14\Logging\lodctr_backups\*.*" /s /q
- Monitor system database sizes. Check the database and transaction log sizes at the following locations:
C:\Program Files\Microsoft SQL Server\MSSQL10_50.SHAREPOINT\MSSQL\DATA
C:\Program Files\Microsoft SQL Server\MSSQL10_50.SBSMONITORING\MSSQL\DATA
- Check & Renew Expired Certificates. See Outlook: Expired Security Certificate.
- Consider Windows 10 servicing. See http://blogs.technet.com/b/wsus/archive/2016/01/22/what-to-do-if-you-re-on-wsus-3-0-sp2-or-sbs-2011.aspx.