The Premium Edition of SBS 2008 includes a second Windows Server 2008 Standard server license. This is a full Windows Server 2008 Standard license governed by the rights of the license agreement under which the server license is supplied (OEM, retail, MOLP, MOVL).

Apart from obtaining a second server license by purchasing SBS 2008 Premium, you can also purchase separate Windows Server 2008 licenses under any of Microsoft’s licensing programs. There is no functional difference between the second server license provided with SBS 2008 Premium or a separately purchased server license.

For networks where there is more than a single location, the additional server can be installed as a domain controller (DC) for a remote site. The domain controller role allows the server to authenticate user login requests, check permissions to network objects, facilitate user password changes, and so on. Having an additional domain controller at a site where users are remote to the main SBS 2008 server can improve WAN performance, and it enables users logging into the network to successfully authenticate in the event of a WAN link failure between the sites.

Windows Server 2008 includes the ability for a domain controller to be deployed in a read-only configuration, also called a Read-Only Domain Controller (RODC). The RODC is just like a global catalog server in Active Directory, which can be deployed at a remote site to enable users at this site a better network authentication response time, as well as act as a resource against which users can look up objects in Active Directory. The key difference, however, is as the name implies—the domain controller is read only. Although changes cannot be written to it, it can forward change requests to a non-read-only domain controller. The RODC also maintains a read-only copy of the SYSVOL share.

The RODC is an ideal solution for several reasons, including the following:

You can read more about planning and deploying RODCs at http://go.microsoft.com/fwlink/?LinkID=122172.

Windows Server 2008 Terminal Services enables users to run Windows-based programs, or a full Windows desktop, which can access LAN-connected resources, from a multitude of devices and locations.

Many readers are familiar with Microsoft Terminal Services technology and how it can be used to benefit an organization’s operations. Windows Server 2008 builds on the functionality available in Windows Server 2003 Terminal Services, giving both users and administrators greater functionality, performance and security.

Terminal Services is a Windows Server role and is best implemented as the sole task of a Windows server.

More detailed and in-depth information regarding Microsoft’s Windows Server 2008 Terminal Services technology can be found at http://go.microsoft.com/fwlink/?LinkId=48555.

Another function for the second server is to support a line of business (LOB) application or database. In the case of SBS 2008 Premium, where a license for Microsoft SQL 2008 Standard is included, this can be installed onto the second server in order to host a business database, thereby freeing up the SBS 2008 server to look after the network.

The process for setting up the second server to host the LOB is dependent on the particular requirements of the database or application itself, and the application vendor should be consulted for their system requirements before committing to a hardware purchase.

Virtualization is one of the hottest topics around for multiple reasons, including the fact that it offers the following: better overall utilization from your server hardware investment; lower power consumption, less physical space consumed, and less heat emissions due to fewer physical servers; easier management of multiple servers; simplified backup and disaster recovery; and more efficiency in building and using development and test environments.

Windows Server 2008 now includes out-of-the-box virtualization support through the use of Microsoft’s new Hyper-V product. Hyper-V provides the ability to install, host, and manage multiple operating system instances on a single server chassis in a virtualized environment.

Change the server time zone to match the time zone of the SBS 2008 server (assuming it has been correctly set) by following these steps:

A server should always have a static IP address on the network. This address can either be manually entered into the network configuration settings for the network card or can be assigned to the server as a DHCP reservation from the SBS 2008 server. Both methods are generally acceptable; however, it is generally best practice to manually set the IP details for the server to avoid potential connectivity problems if the DHCP service becomes unavailable for an extended period of time.

The process for setting a static address for the server is very similar to that used for Windows Server 2003 and Windows 2000 Server, as follows:

1. From the Initial Configuration Tasks screen, select the Configure networking link. This opens the Network Connections screen.

2. Right-click the network adapter for the server and select Properties from the drop-down menu.

3. Select Internet Protocol Version 4 (TCP/IPv4) and then click Properties.

4. Enter the appropriate IP address, subnet mask, and gateway addresses.

5. The DNS server address entered should be the address of the SBS 2008 server; for this example, it is 192.168.16.2 (see Figure 14.2).

FIGURE 14.2. IP address, subnet mask, gateway, and DNS server entries.

6. Click the OK and Close buttons to save your changes.

It is also a good idea to change the server name at this stage, to match the name it will have on the domain. Changing the server name is a very simple process, but it requires a restart of the server:

1. In the Initial Configuration Tasks screen, select the Provide computer name and domain link.

2. The System Properties dialog box is displayed. Click the Change button.

3. Enter the server name in the top text box; spaces and special characters are not permitted for the name, so use letters and numbers only. If you enter an invalid name, you receive the warning shown in Figure 14.3.

FIGURE 14.3. Invalid computer name warning.

4. Click the OK button to save the new server name. You are prompted to restart the server for the changes to apply.

5. Click OK and then Close, and restart the server.

TIP

Another way to change the server name is to use the netdom command prompt utility. The syntax for this is as follows:

netdom renamecomputer %computername% /newname:<NewComputerName>

where <NewComputerName> is the new name for the server. If you append the /Reboot switch, the server is also automatically restarted after 30 seconds. Note that the command prompt needs to be set to “run as administrator.”

Now that your server has the correct time zone, IP address, and name, it can be added to the SBS 2008 domain.

In SBS 2003, the process for adding a server to the network was relatively similar to adding client computers to the domain—a server computer account was created, and the server was then added to the domain using the Connect Computer Wizard. With SBS 2008, you no longer use this wizard for servers.

If you try to add the server to the domain using the http://connect site, you receive the error message shown in Figure 14.4.

FIGURE 14.4. Operating System warning message.

Complete the following steps to correctly join your server to the SBS 2008 domain:

After the server has restarted and you login, make sure you change from the local server account to the domain account. The initial login screen will look like the one shown in Figure 14.5.

FIGURE 14.5. Initial login screen.

Click the Switch User button to see the screen shown in Figure 14.6.

FIGURE 14.6. Change username login screen.

Select Other User to see the screen shown in Figure 14.7.

FIGURE 14.7. SBS 2008 domain login screen.

You see that you are being prompted to log into the domain. Enter the administrator username and password and click the login arrow, or press the Enter key to complete the login process.

The Server Manager console is displayed with the Full Computer Name showing that the server has been successfully joined to the domain (see Figure 14.8).

FIGURE 14.8. Server Manager console on second server.

You can also verify that the server has been successfully added to the domain by referring to the Network tab on the SBS Console (see Figure 14.9).

FIGURE 14.9. Server Manager console on SBS 2008.

Figure 14.8 shows the main screen from which server roles and features are installed.

In instances where the second domain controller is to be located at a remote site, the IP address of the server needs to be changed to one in the subnet for this site.

These deployments would typically use a VPN connection between the sites managed by either the hardware routers for each site or some software-based firewall/VPN solution. See Figure 14.15 for an example network.

FIGURE 14.15. Example network.

Assuming the VPN connection is operational, the change to the second server is simply changing the IP address and gateway address. The DNS server address on the server should stay set to the SBS 2008 server address.

The IP address change is best performed as the last step before shutting down and relocating the server. This is to allow the server to start correctly, being able to communicate with the SBS 2008 server as services start.

If this server is going to be a DHCP server to the client machines on the remote network, it should provide its address as their DNS server (see the following section).

The SBS 2008 server will be providing DHCP services to the main office; however, this is not suitable for remote sites. The additional domain controller can be configured to provide DHCP-assigned addresses to the client computers at the remote site by installing the DHCP Server role and creating the appropriate DHCP scope.

Before installing the DHCP Server role, you need to know the DHCP scope details that will be configured as part of the service setup process. Using the example network shown previously, Table 14.1 provides the information needed for the installation wizard.

TABLE 14.1. DHCP Server Information

Note that the WINS service is not installed by default on the SBS 2008 server and is not required for most networks today.

Once you have determined the DHCP scope information for the remote site, install the DHCP role onto the domain controller, as follows:

1. Open the Server Manager console.

2. Click on the Roles branch on the left side of the console.

3. Click on the Add Roles link on the right side of the console to start the Add Roles Wizard.

4. If the Before You Begin page appears, click Next to move to the Select Server Roles screen.

5. Select the DHCP Server role by clicking the checkbox next to its name and clicking Next.

6. Read the introduction screen; then click Next.

7. The Network Connection Bindings screen enables you to confirm the network connection to which the DHCP service will be bound. Where the server has only one network card, there will only be a single connection shown. Click Next.

8. Enter the IP address of the DNS server the clients use to resolve network resources (see Figure 14.16). This should be the IP address of the domain controller at the remote site. Click Next.

FIGURE 14.16. IPv4 DNS server settings.

9. If you are not using the WINS service on your network, leave the WINS Server Settings option at its default of not required; otherwise, enter the IP address of the WINS server on your network and then click Next.

10. Click the Add button and enter the information prepared earlier regarding the DHCP scope as per Table 14.1 (see Figure 14.17). When the information has been entered, click the OK button and then click Next.

FIGURE 14.17. New scope settings.

11. If you are not using IPv6, select the Disable DHCPv6 option for the DHCPv6 Stateless Mode option; then click Next.

12. Authorize the DHCP Server service on the domain using the credentials supplied, which will be the domain administrator account with which you are currently logged in. If you do not authorize the DHCP Server, the DHCP Server service will not be able to start. Click Next.

NOTE

The Windows Server 2008 DHCP Server service is integrated with Active Directory in order to ensure it starts only if authorized to do so. As the DHCP Server service starts, it sends a DHCPInform message, which requests information about the root Active Directory from other DHCP Servers on the network. A DHCPAck message is then sent back to this server by other DHCP Servers on the domain, informing the DHCP Server where to locate the Active Directory root domain.

The DHCP Server then queries the Active Directory to ensure that its address is listed as an authorized DHCP Server; if its address is found in the list, the DHCP Server service will start. If it does not find its address in the list, the service will shut down.

In an Active Directory domain, all DHCP Servers must be either domain controllers or member servers before they can be authorized to provide DHCP Server services to the computers on the network.

In the case where the DHCP Server is also a domain controller, it simply refers to its copy of the list of authorized DHCP Servers.

13. Confirm the DHCP Server service setup summary and, if correct, click the Install button to start the installation process.

14. On completion of the installation process, the wizard presents a completion dialog box. Simply click the Close button to exit the wizard.

If the DHCP Server service has installed and started successfully, the server is ready to assign IP addresses to the computers on the network. Any existing computers with addresses assigned by the router (if previously providing addresses) should have their IP address released and then renewed in order to be assigned an address by the Windows Server.

By default, Active Directory replication is set to occur once per hour between domain controllers. This schedule should be adequate for most implementations but can most certainly be changed to be either more or less frequent.

To change the replication of AD information, open the Active Directory Sites and Services branch under Roles in the Server Manager console, from either domain controller (unless the second server is an RODC, in which case you can only do this from the SBS 2008 server). Continue to expand the console and select the NTDS Settings node under the secondary domain controller to see something similar to Figure 14.18.

FIGURE 14.18. NTDS settings.

Right-click the RODC Connection (FRS) in the middle pane and select Properties (see Figure 14.19).

FIGURE 14.19. RODC Connection (FRS) properties.

Select the View Schedule button to view the replication schedule (see Figure 14.20).

FIGURE 14.20. RODC connection schedule.

The dialog box indicates the days of the week, together with every half-hour increment throughout each day.

By default, the entire week is selected; however, you can change this to select only particular days and times by dragging the mouse over a rectangle of days and times you want to change. Alternatively, you can select individual times.

Change the replication schedule for the selected time(s) by choosing from the radio buttons on the right side of the dialog box: none, once per hour, twice per hour, or four times per hour.

Click the OK button twice to save your changes.

You can also perform a manual replication of the Active Directory from the RODC, as follows:

This process is useful when you may have turned off replication between the sites during the work day but want to perform an update (for example, due to a user password being reset or group membership changes) without waiting for the next scheduled synchronization.

Perform the following steps to install Terminal Services onto the second server:

In order to use Terminal Services (TS) on your network, you need to have a TS licensing server set up and configured. The licensing server is used to install, issue, and manage device and user Terminal Services licenses.

Running in Grace Mode

If you’re not ready to set up your TS licenses when your server is being deployed, don’t panic. Microsoft understands that when given the choice between rolling out a new server or setting up a licensing service, the server is the much more exciting choice.

With this in mind, the terminal server will operate properly without TS licensing set up for a grace period of 120 days. You can monitor the number of grace period days you have left when logging into the server with a local administrator account—a message will appear in the lower-right corner of the screen to advise the number of days you have remaining before the grace period expires. After this time, if no TS licensing server has been set up, the TS server will not accept any further connections to it.

Prior to the grace period expiring, you need to have set up the TS licensing service (ideally on the SBS 2008 server), purchased the appropriate number of licenses, and entered the license details into the TS License Manager console (see link in Figure 14.21).

FIGURE 14.21. TS Licensing Manager under Advanced Tools.

The grace period ends when either the number of grace period days is exceeded or a permanent TS CAL is issued by the TS licensing server to a client connecting to the TS server.

Since the introduction of Windows Server 2003, the ability to have licenses based on users or devices accessing the TS server has been available. Typically, one type of license is used for the server—a license is issued for each named user that logs in, or for each client device that is used to access the TS server. This is called “Per User” and “Per Device” licensing mode, respectively.

When Per Device licensing is used, and a client device connects to the TS for the first time, a temporary license is issued to the device by the TS licensing server. Where this is a Windows-based device, an entry is made into the registry for this license—this is in addition to the temporary license information stored on the TS licensing server. If this device should connect to the TS a second time, the temporary license is converted to a permanent TS Per Device license.

The registry key for the license is HKEY_LOCAL_MACHINESOFTWAREMicrosoftMSLicensingStoreLICENSExxx, where “xxx” is a number starting from 000 and incrementing by 1, depending on the number of TS servers this device has connected to.

Per User CALs are handled somewhat differently than Per Device CALs. The Per User CAL gives a single user the right to connect to a domain-joined TS from an unlimited number of devices. Note that the user should only access the server from one device at a time in order to remain licensing compliant. Another point to note is Per User CALs are not enforced by TS licensing, so client connections can be made with the server regardless of the number of Per User licenses entered into the licensing management console. This means your organization needs to ensure it has purchased sufficient licenses in order to avoid violation of the license agreement accepted when the server was installed.

Identifying the right license for your environment can be as complex or as simple as you make it. For most SBS environments, user-based licenses are the best option to choose because they give users the flexibility to access the TS from any computer on the LAN, a thin client device, from a notebook computer, a Windows Mobile device, or a computer at the user’s home (for example).

Device-based licenses are ideal for environments where there are typically more users than devices accessing the server—for example, a factory where there are multiple shifts of workers sharing computers. If there were three shifts of 30 workers and only 30 computers, and users do not need to access the TS from outside the workplace, it makes good economic sense to use Per Device licenses such that only 30 need to be purchased instead of 90 user CALs.

Keep in mind the TS Licensing mode is either Device or User; you should not try to use both types of licenses on the same server.

More detailed information about Terminal Services licensing can be found on the Microsoft TechNet web site at http://go.microsoft.com/fwlink/?LinkID=85873

TS licensing is a server role service that is best installed onto the SBS 2008 server. This role should be deployed after the TS server itself has been set up and installed on the network and is running in the licensing grace period.

By default, the Terminal Services role is installed onto the SBS 2008 server, so adding the TS Licensing role service is done from within the Terminal Services branch of the Server Manager console.

Install TS licensing by following these steps after you have determined the type of TS CALs you are going to use:

Now that TS licensing is installed, scroll to the bottom of the Terminal Services management console to Advanced Tools and select TS Licensing Manager (see Figure 14.21).

Prior to using the TS Licensing console, the license server must be activated with the Microsoft Clearing House, which installs a digital certificate onto the server that validates the server ownership and identity. Once this certificate is installed, the server will accept the installation of TS licenses.

Terminal Services RemoteApp (TS RemoteApp) is a part of the Terminal Services role that enables you to make applications, or a complete desktop, hosted by the TS easily deployed across a network.

TS RemoteApp enables you to create .RDP files that can be supplied pre-configured to users, which they simply double-click to access the application or desktop. You also can distribute a .MSI file using group policy, which installs a link onto the desktop of the user’s computer, and into the Start menu if desired, such that it looks like a locally installed application!

This process can reduce complexity and confusion for users in instances where they lose track of where they are actually running an application—on their local desktop or on a remote server. Programs accessed through TS RemoteApp can look and operate like a locally running application; they can be minimized and allow cut and paste between other applications, and their windows can be resized.

This can be especially useful when deploying a new version of an application, and you want to perform testing parallel to an existing program installed on the users’ computers, or a different terminal server.

Let’s assume you have a new application installed on the TS, called WordPad, which you want to make available to users without their needing to access a full desktop on the server. Perform the following steps to make this application available through TS RemoteApp:

1. Open the Server Manager console on the TS server.

2. Expand the Roles branch on the left side; then expand the Terminal Services role and click on the TS RemoteApp Manager link, as shown in Figure 14.22.

FIGURE 14.22. TS RemoteApp Manager console.

3. Click the Add RemoteApp Programs in the top-right corner of the Server Manager console.

4. Click the Next button to show the list of registered applications on the server. If the actual application you want to add is not listed, click the Browse button; otherwise, select the checkbox next to the application you want to make available (see Figure 14.23).

FIGURE 14.23. RemoteApp Wizard application selection.

5. If you click the Properties button, you are able to verify the path to the application executable, the alias of the program, whether or not the user can pass command-line arguments to the application (including any particular command-line arguments you want to enforce), and also change the icon, as shown in Figure 14.24.

FIGURE 14.24. RemoteApp properties.

6. Click Next and then Finish to complete the RemoteApp Wizard.

The application will now appear under the RemoteApp Programs section in the Server Manager console, as shown in Figure 14.25.

FIGURE 14.25. RemoteApp Programs listing.

You are now able to create either a .RDP file or a .MSI file, or both, which can be deployed to client computers on the network.

To create a .RDP file, perform the following steps:

Similarly, you can create the .MSI file, which has the added advantage of creating shortcuts to the application in the user’s Start menu, as well as on the desktop, if desired:

If you decide to make changes to the .RDP or .MSI file, you can simply re-run the wizard and recreate the file.