 |
Overview |
| Today's very small organizations, or micro businesses, often require many of the same IT resources as their larger counterparts but on a smaller scale. A micro business with 15 or fewer employees may have outgrown its peer-to-peer network, and now needs a central repository for shared files along with the ability to share printers, scanners, faxes, internet access and more. |
|
| Windows Server 2008 R2 Foundation (or Windows Foundation Server for short) is designed specifically for these micro environments. It offers file and printer sharing, business application hosting, web hosting, remote access and security. This guide covers the essentials of planning appropriate uses of a server running Windows Server 2008 R2 Foundation and then setting up the server following best practices. You'll also learn how to enable server roles, create users and groups and configure security once the server is up and running. |
|
| The sections of the guide include: |
|
| Understand it: Explore the benefits and limitations of Windows Server 2008 R2 Foundation to determine whether it's the right fit for your organization. |
|
| Plan it: Plan which role(s) the server will perform, the level of security and access control you need and the users and groups you need to create. |
|
| Do it: Install the server in your workplace and perform initial configuration tasks. |
|
| Use it: Customize the server for your organization by creating user accounts, enabling file and print sharing and configuring security. |
|
Understand it |
| A server running Windows Server 2008 R2 Foundation can boost productivity for a micro business. This section explores server options for small environments, and why Windows Server 2008 R2 Foundation is the right fit. |
|
| How a server benefits a peer-to-peer networking environment |
|
| In a peer-to-peer environment, each computer user may access files on the hard drives of other computers on the network, which means your important business data may be scattered across several computers. There's also no easy way to ensure version control of documents. In addition, someone must configure settings such as shares, permissions, passwords and updates on each computer manually. Ensuring security is time–intensive, and each computer's data must be backed up regularly. |
|
| You should consider a server if your employees routinely have difficulty finding the files they need on their co–workers' computers or if you feel that you would like to have greater security around sensitive files or information in your organization. Another important consideration is if individual computers are not being backed up regularly—your organization is at risk of losing valuable data to mishaps or hardware malfunctions. |
|
| A server will help you accomplish your goals, and then some. A server can provide: |
|
|
• |
An easy-to-access central repository for data files |
|
• |
The ability to share printers, scanners and other peripherals |
|
• |
The ability to host business applications |
|
• |
Greater security from unauthorized viewing of sensitive documents |
|
• |
More secure storage |
|
• |
An automated data backup method |
|
• |
The ability to access documents from a remote location |
|
| Windows Server 2008 R2 Foundation benefits and limitations |
|
| Windows Server 2008 R2 Foundation is designed with the micro business's first server in mind. It's a general-purpose server system that enables file and printer sharing, runs most business applications and even provides remote access services for employees who aren't always in the office. |
|
| You can run Windows Server 2008 R2 Foundation in a workgroup environment (the default) or in Active Directory®, depending on your needs. Active Directory permits individual users or groups to access data on the server on a need-to-know basis, and makes complex management tasks much easier for the administrator than in a workgroup setting. For example, using Active Directory, you can create roaming profiles for users, so they have access to their files and the same desktop settings regardless of which computer they use to log on to the server. In addition, Active Directory allows you to prevent users from accessing the registry for installed software (for security purposes), and enforce password policies for all computers in the domain and for individual users. |
|
| With Windows Server 2008 R2 Foundation, you don't have to purchase client access licenses (CALs). However, you're limited to a maximum of 15 user accounts, and the operating system will notify you if you attempt to exceed the limit. |
|
| As your business grows, you may need the additional features found in a more advanced version of Windows Server. For example, you've hired additional employees and are bumping up against or exceeding the 15–user limit, or you've decided to virtualize parts of your IT environment. At this point, you should consider Windows Server 2008 R2 Standard Edition. |
|
|
| The following table compares some key features of Windows Server 2008 R2 Foundation with the Standard edition. |
|
Feature |
Windows Server 2008 R2 Foundation |
Windows Server 2008 R2 Standard |
|
|
0 |
4 |
|
|
1 |
4 |
| Random access memory (RAM) limit |
|
8 gigabytes (GB) |
32 GB |
|
|
Up to 15 |
Unlimited |
| Routing and Remote Access service (RRAS) connections |
|
50 |
250 |
| Runs in a virtual environment |
|
Not licensed |
Licensed |
|
| Table 1: Comparing some features of Windows Server 2008 R2 Foundation to Windows Server 2008 R2 Standard Edition. |
|
| You can purchase Windows Server 2008 R2 Standard Edition and perform an in-place upgrade from Windows Server 2008 R2 Foundation. That means you don't have to replace the server hardware you already own. |
|
| How to acquire Windows Server 2008 R2 Foundation |
|
| Unlike other Window Server operating systems, Windows Server 2008 R2 Foundation is available only on specific servers through original equipment manufacturers (OEMs). The Buy it section in this How-To Guide provides detailed information on acquiring a server with Windows Server 2008 R2 Foundation pre-installed. |
|
Plan it |
| A primary consideration for any server is what role(s) the server will fill. In addition, you need to plan for security, access control and users roles. |
|
| Determine how you will use the server |
| Many organizations that run Windows Server 2008 R2 Foundation use it to share files and printers. However, the operating system also allows you to do the following: |
|
|
• |
Host business applications, such a Microsoft Office |
|
|
• |
Host email and websites |
|
|
• |
Provide file backup |
|
|
• |
Provide remote access |
|
| Other than file backup, each of the preceding server "uses" requires you to set up a server role, which is a primary function the server performs. After adding a role, the server runs all of the necessary services to support that role. Windows Server 2008 R2 Foundation provides a wizard to help you add server roles in a snap. You can set up one or more roles on a single server. |
|
| Assess your security needs |
|
| If everyone in your organization simply needs to share the same files, you can allow all users access to a shared folder on the server. This is the easiest but least secure method. Alternatively, you can create subfolders and then grant access to each subfolder to specific users or groups, giving them read or read and write permission.
|
|
| For example, let's say you have a primary folder named FileShare with two subfolders: Financials and Personnel. You also have two groups: Accounting and HR. Three users are part of the Accounting group, which have read and write permissions in the Financials folder. One accountant, Arnie, handles payroll and other personnel-related tasks. You could give him read-only access to the Personnel folder, or make him a part of the HR group, giving him read and write permissions to Financials. Other users in the Accounting group may see the HR folder in the folder list, but they receive an error message when they try to click into the folder. This method offers higher security but is more time-intensive to manage. |
|
| In the preceding scenario, all users are in a workgroup. As the number of users, groups and folders increases, assigning and maintaining permissions can become a complex task. Consider using the Active Directory service to more easily maintain and monitor security. Active Directory uses domains rather than workgroups. Using Group Policy along with Active Directory, each domain has a database that tracks user accounts, passwords, permissions and other details, and management is highly centralized. You can more easily manage permissions and group memberships in Active Directory than you can using workgroups; however, Active Directory takes significant effort to set up and configure. |
|
| Note: Setting up Active Directory is beyond the scope of this guide. However, you can learn how to use Active Directory by using the Help system in Windows Server 2008 R2 Foundation. |
|
| Plan groups |
|
| Do you need to group some users by job role, such as executives in one group, accounting users in another and sales users in a third group? If so, create a "road map" of users and the roles they fill. Determine which subfolders they need access to and the actions they may take on the content of those folders. Determine which users require the same access to the same folders and plan to create groups accordingly. |
|
| For example, you may want to create an Executives group that has read permission in all shared folders. The Accounting group should have read and write permissions to a Financials folder, and the Sales group should have read and write permissions to a Sales folder. Accounting group members should not have any access to Sales, and Sales members should have no access to Financials. |
|
 |
|
| Today's servers and Windows Server 2008 R2 Foundation in particular are designed for simple installation and ease of use. However, following best practices ensures a successful installation the first time. |
|
| Set up the server hardware and make connections |
|
| Unpack the server hardware and locate it in a protected area, such as a well-ventilated server closet with restricted access. Connect one end of the power cord to the server and the other end to an uninterruptible power supply (UPS). |
|
| Assuming you already have the necessary network wiring or wireless infrastructure in place, make the wired or wireless connection between the server and the networking equipment, such as a patch panel or router/firewall. If you plan to share peripherals, such as a printer and scanner, from the server, read the user manuals to find out if you should connect them now or after you configure the operating system and install device drivers. |
|
| Start the server and log on as the Administrator. The first time you log on you're prompted to change the Administrator password. Use strong password best practices for the new password. To ensure you don't lose the password, click the Create a password reset disk link and follow the instructions. |
|
| Perform initial configuration tasks |
|
| When Windows Server 2008 R2 Foundation starts, the Initial Configuration Tasks window appears automatically (Figure 1). From this window you should do the following: |
|
|
• |
Activate the operating system software |
|
• |
Set the appropriate time zone |
|
• |
Configure networking |
|
• |
Provide a computer name and domain (if necessary) |
|
• |
Enable automatic updates |
|
• |
Download and install updates |
|
• |
Ensure Windows Firewall is turned on |
|
| You also need to add roles and features, which you'll learn about in the Use it section of this guide. |
|
 |
| Figure 1: The Initial Configuration Tasks window. |
|
| For example, to rename the server to something more meaningful than the default, click the Provide computer name and domain link. In the System Properties dialog box, shown in Figure 2, enter a server name in the Computer description text box. If you want to use Active Directory and join a domain, click the Change button. In the dialog box that appears, select the Domain option, type the name of the domain you want to join as a member server and then click OK. |
|
 |
| Figure 2: The System Properties dialog box. |
|
| Next, check network connectivity: |
|
|
1. |
Click the Configure networking link. |
|
2. |
Double-click the Local Area Connection Network icon. The Local Area Connection Status dialog box appears (Figure 3), which should indicate whether you're using IPv4 or IPv6 and if connectivity is enabled. |
|
3. |
If you have a static Internet Protocol (IP) address from your internet service provider, click the Properties button. |
|
4. |
Click the Internet Protocol Version 4 (TCP/IPv4) or Internet Protocol Version 6 (TCP/IPv6) option, depending on which protocol you're using on your network, and then click Properties. |
|
5. |
Enter the IP address information from your provider and click OK. |
|
 |
| Figure 3: The Local Area Connection Status dialog box. |
|
| Note: For details on configuring IPv4 and IPv6 networking, see the Configuring TCP/IP networking article in Microsoft TechNet. |
|
| Another important step is to enable automatic updates and install the latest updates through Windows Update. In the Update This Server section of the Initial Configuration Tasks window, click the Download and install updates link. In the dialog box that appears, click Turn on automatic updates. Windows Update checks for updates and then prompts you to install them. |
|
| Restart the server, and then follow instructions in the Use it section to create users and groups, set up file and print sharing and configure security. |
|
| After you've performed many of the initial tasks, you want to customize the server for your organization. This section walks you through the steps for creating users and groups, enabling file and print sharing and configuring security. |
|
| Create user accounts and groups |
|
| To set up a user account: |
|
|
1. |
click Start, click Administrative Tools and then click Computer Management. |
|
2. |
Expand the Local Users and Groups option in the left pane, then click the Users item. |
|
3. |
In the middle pane, right-click a blank area and select New User from the shortcut menu. |
|
4. |
Enter a user name, the user's full name, a description (optional), a password, and confirm the password. A completed New User dialog box is shown in Figure 4. Click Create. The New User dialog box appears with blank fields. |
|
5. |
Enter information for another new user, and repeat until all new users are created. |
|
6. |
Click Close. |
|
 |
| Figure 4: The New User dialog box. |
|
| To work with groups, in Computer Management, click the Groups item in the left pane. A list of pre-configured groups appears along with their descriptions (Figure 5). You can double-click an existing group and add users to it, or you can create a new group. |
|
 |
| Figure 5: Pre-configured groups in Windows Server 2008 R2 Foundation. |
|
| To create a new group, such as for accounting personnel: |
|
|
1. |
Right-click an empty area of the middle pane and select New Group from the shortcut menu. |
|
2. |
Enter a name for the group and a brief description (optional). |
|
3. |
Click the Add button and enter a user name in the text box. |
|
4. |
Click the Check Names button. The complete user name appears in the text box. |
|
5. |
Click Add and repeat the instructions for each user you want to add to the new group. |
|
6. |
Click OK when you're finished adding users. |
|
7. |
Click Create and then click Close. |
|
| Set up file and print sharing |
|
| If you haven't already, connect and install any peripheral devices you want to share, such as a printer. |
|
|
1 |
In the Customize This Server section of the Initial Configuration Tasks window, click Add roles. |
|
2. |
When the Add Roles Wizard starts, click Next. |
|
3. |
Select the checkbox of each role you want to add, as shown in Figure 6. For this example, check the File Services and the Print and Document Services checkboxes and click Next. |
|
4. |
The wizard walks you through configuration of file and print sharing; just follow the prompts to complete the setup and click Install. |
|
5. |
Restart the server for the changes to take effect. |
|
 |
| Figure 6: The Add Roles Wizard. |
|
| Tip: Don't forget to visit the server and peripheral hardware manufacturers' websites to download and install the latest device drivers. This will ensure all hardware works as expected. |
|
| Configure security and access controls |
|
| To maintain file and folder organization, and apply access controls, it's a best practice to create a main folder on a server drive. You can share the main folder and give all users and groups access, or create subfolders and share them with users and groups, selecting permissions for each user and group. |
|
|
1. |
For example, open Computer, double-click the C: drive, create a new folder for sharing and then create a subfolder, such as Accounting. |
|
2. |
Right-click the Accounting folder and then select Share with > Specific people. |
|
3. |
In the File Sharing window, type a user or group name in the Add text box or open the drop-down list, select a user or group that should have access to the Accounting folder (see Figure 7) and click Add. |
|
4. |
For each user, select Read or Read/Write in the Permission Level column. |
|
5. |
When you're done adding users or groups, click Share. |
|
| Note: The Read permission allows users to open and view files but not make changes or delete them. The Read/Write permission allows users to open, modify, and delete files. |
|
 |
| Figure 7: The File Sharing window. |
|
| In addition to permissions, Windows provides the Security Configuration Wizard (SCW) to help you create a security policy based on the server's role(s). To help lock down your server, SCW enables functionality required by a server role and disables functionality that's not required. |
|
| To run SCW, click Start, click Administrative Tools and then click Security Configuration Wizard. Just follow the prompts throughout the wizard to establish a security policy for your server's current configuration. |
|
