Chapter 2: Planning for the SBS 2008 Deployment

Sams

Page 2 of 4

For a Terminal Server based on Windows Server 2008, two types of CALs are supported for providing access to the Terminal Server—User and Device. As with the SBS CAL, the Terminal Server User CAL will likely be the most commonly chosen CAL type for the majority of Terminal Server implementations. As with the SBS User CAL, the Terminal Server User CAL enables a user to access the Terminal Server from any device. A Terminal Server Device CAL allows only that specific device to access the Terminal Server. As with earlier versions of Terminal Server implementations, Device CALs are tracked in the Terminal Server Licensing Server, but User CALs are not.

The bottom line for anyone wanting to add a Terminal Server to the SBS 2008 network is that you need to purchase and install appropriate Terminal Server CALs in order to meet Microsoft licensing requirements.

Planning the Hardware

Once you have an understanding of how the server will be used in the environment, you can begin determining the specifications for the hardware that will be used in the box. As mentioned earlier, the requirements of any third-party applications that might be installed and run from the server are beyond the scope of what can be addressed in this book. However, the following sections discuss the limitations of the hardware that can be used in the server and provide some guidance as to the minimum specifications needed in general cases.

Processor

SBS 2008 is built on Windows Server 2008 Standard Edition, and inherits the hardware requirements for that OS. Server 2008 can run on one to four processors. With current processors having one to four cores, you could build a server with up to 16 cores, as long as you are comfortable with the pricing. Server 2008 requires a minimum 1.4GHz processor speed for 64-bit processors, but a minimum 2GHz processor is recommended.

The second server license that comes with SBS 2008 Premium can be installed as the 32-bit or 64-bit version of Windows Server 2008. The only difference between the two is that the minimum listed CPU speed for the 32-bit version of Server 2008 is 1GHz. Still, a minimum of 2GHz for the 32-bit version of Server 2008 is recommended.

Memory

The SBS 2008 server can use between 3 and 32GB of RAM. The recommended minimum RAM for the SBS 2008 server is 4GB, and if any third-party applications will be installed on the box, installing more than 4GB of RAM on the SBS server is highly recommended.

If the second server license from the Premium Edition is used, both the 32-bit and the 64-bit versions of Server 2008 require a minimum of 512MB of RAM, but 2GB of RAM is the minimum recommended amount for the second server. Again, the actual use of the second server license determines how much RAM will really be needed on the system.

Related Hardware

Because the SBS 2008 installation media (both Standard and Premium Editions) are on DVD discs, all servers in the network need a DVD reader to be able to install the software. Having a writeable removable media drive is not required, and if you choose to try to use a writeable drive in the system, make sure any writing software you install is compatible with Server 2008.

A video card and monitor capable of displaying an 800x600 resolution is required. Most of the software tools in SBS 2008 can be run in this resolution, but a 1024x768 resolution or higher is recommended. You could also select a video card that is capable of handling the Aero interface, but that is not required.

At least one USB 2.0 interface is needed on the server. This is to connect the external disk drive for backup, if the built-in backup utility will be used on the server. Additionally, a FireWire (IEEE1394) interface could be used to connect an external hard drive for backup as well.

Planning the Network

After you have the licensing counts established, you can focus on the network implementation. This aspect of the installation covers a number of networking issues, from connecting to the Internet to internal IP address schemes to internal and external domain names. Each piece of this puzzle has a significant impact on the way the server is set up, and because some network settings are difficult or impossible to change down the line, it's best to spend some quality time in this area to make sure that you can get it right the first time.

Changes in Network Options from Previous Versions

All previous versions of SBS supported the ability to use the SBS server as an edge device and a network router, but that is no longer the case with SBS 2008. Due to changes in the underlying network architecture with Server 2008, SBS 2008 can no longer be used in a two-NIC configuration where the SBS server sits between the internal network and the external network.

This change has caused a bit of an uproar in the SBS community because of the related changes. For the first time in any release of SBS, ISA is no longer included with the product. The previous best practice of using SBS as a router between the internal and external networks, even if it was not an edge device, no longer applies. Consultants who had built their practice on the security provided by using the SBS server in this way have to rework their own approach to network security.

This change simplifies the network layout in many ways, but it also makes it more complex in others. The following sections outline the standard network configuration for the SBS 2008 network, as well as the best practice recommendations for network implementation.

Connection to the Internet

SBS 2008, in its single-NIC configuration, expects that it will access the Internet in the same way that the other workstations on the network will—through a firewall/router at the edge of the network. Historically, this has often been through a consumer-class DSL or cable modem or other consumer-class router device. And for those who used the SBS server as a router (with or without ISA), this might have been a reasonable approach. But now that SBS 2008 is a node on the network just like any other workstation, those who are implementing SBS 2008 networks should give serious consideration to a business-class device at the edge, especially one that can control outbound traffic as well as inbound traffic.

There are a number of business-class firewall devices on the market as standalone hardware devices. Those who are comfortable with ISA as a solution can still implement an ISA solution, but it must be on a separate computer. Regardless of which approach is chosen, be sure to budget appropriately for the edge device, as a business-class firewall is not going to be found in the sub-$100 range of consumer-class devices. There are a number of business-class devices ranging in price from $300–$1000, with some devices having basic inbound firewall features and others offering Active Directory–integrated outbound filtering, for example. The choice of which firewall to use will likely be heavily based on personal preference or brand loyalty, but the general consensus is that a consumer-class device does not provide the level of protection most businesses want or need.


USING ISA IN THE SBS 2008 NETWORK

At the time of publication, the ability to run ISA on an edge device in the SBS 2008 network has some key limitations. The current version of ISA, ISA 2006, cannot be run on Windows Server 2008. That means that the second server license included in SBS 2008 Premium cannot be used as the OS for the computer running ISA. A separate Windows Server 2003 license would be needed to run on the ISA device.

Microsoft will have a whitepaper (http://go.microsoft.com/fwlink/?LinkID=122167) on configuring ISA on a separate server as an edge device for the SBS 2008 network. Because there will be no wizard integration for the configuration of ISA, the ISA configuration must be performed manually. For those who want to use ISA as the edge device, refer to the Microsoft whitepaper on the topic.


IP Address Ranges

SBS 2008 expects the network to use a private, non-routable IP address range. During installation, SBS 2008 will look in several 192.168.x.x subnet locations (based on common defaults) for the firewall device and configure the network accordingly. However, this does not limit the SBS 2008 network to only use the 192.168.x.x address ranges for the local network. If other private address ranges are used, they must be configured manually. See Chapter 3, "Installing and Configuring SBS 2008," for more information about configuring the network settings on the server.


BEST PRACTICE—SELECTING THE INTERNAL NETWORK ADDRESS RANGE

If you have the option and the ability to adjust the internal network address range when installing SBS 2008, you should select an address range that is not a "default" address range. Many recent firewall devices use a 192.168.0.x or 192.168.1.x address range for the internal network connection. If a user wants to connect into the network via VPN, and his or her home router also has the same internal subnet, the VPN connection will not work correctly (for more information about setting up a VPN connection using SBS 2008 tools, see Chapter 6, "Remote Web Workplace and Other Remote Access Tools"). Moving the internal subnet away from these router defaults will help avoid VPN access problems down the road.

VPN access can also be an issue for the IT consultant who has many different networks that he or she supports. Even if the consultant has a different internal network range than a client site, if he or she needs to connect to more than one client site at a time, and those two client sites have the same IP network address range, communicating with the client sites will be problematic.

To avoid these issues, select a unique internal network address range for each SBS 2008 installation, where possible. When installing into an existing peer-to-peer network, or when setting up a network for a new business, this can be done when first setting up the firewall. When installing into an existing network, especially one with an existing server, the change may be more difficult to make. If there are a large number of devices with static IP addresses, you might opt not to make the change for that site.
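
The range check described in this best practice, as an added example that is not from the book: it flags a candidate internal range that falls outside private address space, overlaps the 192.168.0.x or 192.168.1.x router defaults named above, or collides with another site the consultant supports, and it suggests a free /24. The site inventory and the function names are constructed for illustration.

```python
import ipaddress

# RFC 1918 private ranges: the address space an internal LAN should come from.
RFC1918 = [ipaddress.ip_network(n) for n in
           ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# The two firewall/router defaults named in the text.
ROUTER_DEFAULTS = [ipaddress.ip_network(n) for n in
                   ("192.168.0.0/24", "192.168.1.0/24")]


def check_candidate(candidate, other_sites):
    """Return a list of reasons the candidate LAN range is a poor choice."""
    net = ipaddress.ip_network(candidate, strict=True)
    problems = []
    if not any(net.subnet_of(r) for r in RFC1918):
        problems.append("not inside an RFC 1918 private range")
    for default in ROUTER_DEFAULTS:
        if net.overlaps(default):
            problems.append(f"overlaps router default {default}")
    for name, site in other_sites.items():
        if net.overlaps(ipaddress.ip_network(site)):
            problems.append(f"overlaps site {name} ({site})")
    return problems


def suggest_subnet(pool, other_sites, prefix=24):
    """Return the first /prefix in pool that passes check_candidate, or None."""
    for sub in ipaddress.ip_network(pool).subnets(new_prefix=prefix):
        if not check_candidate(str(sub), other_sites):
            return str(sub)
    return None


# Constructed inventory of client sites a consultant already supports.
SITES = {"client-a": "192.168.16.0/24", "client-b": "10.10.0.0/16"}

if __name__ == "__main__":
    for cand in ("192.168.1.0/24", "10.10.5.0/24", "192.168.37.0/24"):
        print(cand, check_candidate(cand, SITES) or "ok")
    print("suggested:", suggest_subnet("192.168.16.0/20", SITES))
```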


DHCP Configuration

Many small networks use DHCP to allocate IP addresses to network resources, and this is the expected practice with SBS 2008 as well. SBS 2008 wants to install a DHCP server as part of the Windows services, but the DHCP service will shut itself down if it detects another DHCP server (provided by the firewall, for example) on the network to avoid DHCP confusion and the possibility of assigning duplicate IP addresses to network devices.


BEST PRACTICE—USE SBS AS THE DHCP SERVER FOR THE NETWORK

In cases where an SBS 2008 server is being introduced to an existing network, there might already be a functioning DHCP server on the LAN. Any devices that are providing DHCP services should have the DHCP function disabled so that the SBS 2008 server is the only device that provides dynamic network configuration information to the workstations.

The reasoning behind this is simple. When the SBS 2008 server is configured using the setup wizards, the proper network configuration information is put into the DHCP server settings and provided to the clients. When the SBS 2008 server is not allowed to serve DHCP, it falls on the network administrator to manually configure the DHCP server settings on the device. Chapter 4, "DNS, DHCP, and Active Directory Integration," covers the default DHCP settings for an SBS 2008 network in greater detail. However, when planning a new SBS 2008 implementation, the plan should include making use of the SBS 2008 server's DHCP services in place of any other DHCP services on the internal network.
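
One way to confirm that the SBS 2008 server is the only DHCP responder on the LAN, as an added example that is not from the book: it parses raw DHCP payloads, such as those taken from a packet capture on a workstation, and lists any server other than the SBS box that sent an offer. The addresses and sample packets are constructed, and the function names are hypothetical.

```python
import socket

MAGIC = b"\x63\x82\x53\x63"  # DHCP magic cookie that follows the 236-byte BOOTP header
OPT_PAD, OPT_MSG_TYPE, OPT_SERVER_ID, OPT_END = 0, 53, 54, 255
DHCPOFFER = 2


def parse_options(packet):
    """Return {option_code: value_bytes} from a raw BOOTP/DHCP payload."""
    if len(packet) < 240 or packet[236:240] != MAGIC:
        raise ValueError("not a DHCP packet")
    opts, i = {}, 240
    while i < len(packet) and packet[i] != OPT_END:
        code = packet[i]
        if code == OPT_PAD:          # single-byte padding, no length field
            i += 1
            continue
        if i + 1 >= len(packet) or i + 2 + packet[i + 1] > len(packet):
            raise ValueError("truncated option")
        length = packet[i + 1]
        opts[code] = packet[i + 2:i + 2 + length]
        i += 2 + length
    return opts


def unexpected_servers(packets, sbs_ip):
    """Return server identifiers (option 54) of DHCPOFFERs not sent by the SBS server."""
    found = set()
    for pkt in packets:
        opts = parse_options(pkt)
        sid = opts.get(OPT_SERVER_ID, b"")
        if opts.get(OPT_MSG_TYPE) == bytes([DHCPOFFER]) and len(sid) == 4:
            found.add(socket.inet_ntoa(sid))
    return sorted(found - {sbs_ip})


def make_packet(msg_type, server_ip):
    """Build a minimal constructed DHCP reply for the demo (not captured traffic)."""
    header = bytes([2, 1, 6, 0]) + bytes(232)  # BOOTREPLY, Ethernet, 6-byte MAC
    options = bytes([OPT_MSG_TYPE, 1, msg_type, OPT_SERVER_ID, 4]) + socket.inet_aton(server_ip)
    return header + MAGIC + options + bytes([OPT_END])

# Constructed sample replies; 192.168.37.2 is assumed to be the SBS server.
SAMPLE = [make_packet(DHCPOFFER, "192.168.37.2"),   # the SBS server
          make_packet(DHCPOFFER, "192.168.37.1"),   # firewall with DHCP left on
          make_packet(5, "192.168.37.9")]           # DHCPACK, not an offer

if __name__ == "__main__":
    print(unexpected_servers(SAMPLE, "192.168.37.2"))
```

An empty result means only the SBS server answered; any address listed is a device whose DHCP function still needs to be disabled.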


DHCP can also be used to assign "static" IP addresses for network devices that need to have a consistent IP address, such as a network printer. The DHCP service on the SBS 2008 server can be used to create IP address reservations for these devices to ensure that they receive the same IP address every time they are restarted. Again, more information about this process can be found in Chapter 4.

Public and Private Domain Names

The argument over whether to use a public domain name (for example, smallbizco.net) as the internal network name for an Active Directory network is a passionate one for most parties. Those who believe a public name should not be used internally will generally not be swayed to think otherwise. Those who believe that the public name should be used internally will generally not budge from their position, either.

Microsoft's recommendation, and the way the wizards are built, is to use a private, non-routable domain name for the internal network, and once again Microsoft has chosen the .local namespace as the default for SBS 2008. The installation process does have options for choosing a different internal domain name (see Chapter 21, "Advanced Installation Options"), which can be a public domain name or a different private domain name. There is not any reason that one has to be chosen over the other, but those who go with a standard installation end up with a .local internal domain name.

The only caveat to using a public domain name for the internal domain name is that the DNS records for any public services, such as the company's web site, have to be manually maintained in the SBS 2008 DNS configuration. If the web host changes to a different public IP address, someone has to update the DNS records for the www site in the SBS 2008 DNS configuration to match the new IP address. For those who do not want to manage DNS at this level, or who are unsure how to do so, a private domain name should be used internally.
