====== Setting up Microsoft Small Business Server 2011 in 2025 ======

This is a guide for everyone who wants to experience the best, and most complete, operating system and software ever produced to run a small business. I truly believe that SBS 2011, as it was usually called online, is the best OS for a small business or homelab; it's sad that Microsoft killed it in its next iteration (no Exchange, no bueno).

===== Prerequisites =====

A couple of things that you should keep in mind before you go down this road, or that you will probably need to keep in mind while you're on this amazing adventure through the golden age of server operating systems.

==== Acquiring the Install Media ====

Microsoft supported Small Business Server 2011 for 10 years, meaning it only recently went out of support, so you may still encounter it in the wild (I was still administering one for a client until 2024). This doesn't mean you can't treat it as abandonware: at this point Microsoft hasn't sold it for many years and won't supply any updates to it, no matter how severe a security flaw is found. All of this is to say that it's not a problem if you want to use it for educational purposes.

The install media has been [[https://archive.org/details/windows_small_business_server_2011_standard_x64|uploaded to the Internet Archive]] and can be legally downloaded from there, or if you need a faster download in 2025 Microsoft [[http://care.dlservice.microsoft.com/dl/release/0/6/E/06E3E501-F3F8-409E-B152-E43A82E60956/EN-US_SBS_STD_InstallDVD.iso|still hosts the direct link to the ISO]]. For the activation you can purchase a secondhand license from eBay or use [[https://forums.mydigitallife.net/threads/windows-loader-download.58464/|Daz Loader v2.2.2]]. If you go down the not-so-legitimate route, check the SHA-1 of the files you download from the internet against this one: ''0efc35935957c25193bbe9a83ab6caa25a487ada''.
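As an added example (not part of the original guide), here is how to check that SHA-1 from PowerShell. ''Get-FileHash'' only appeared in PowerShell 4.0, so the check uses the .NET hashing classes directly and therefore also runs on the PowerShell 2.0 that ships with SBS 2011 itself. The ISO path is an assumption; the hash is the one listed above.

```powershell
# Added example, not from the original guide: compare a downloaded file's SHA-1 with
# the hash listed above. Uses .NET directly so it also works on PowerShell 2.0.
function Get-FileSha1 {
    param([string]$Path)
    $sha1   = New-Object System.Security.Cryptography.SHA1CryptoServiceProvider
    $stream = [System.IO.File]::OpenRead($Path)   # streamed, so a multi-GB ISO is not read into memory
    try {
        $bytes = $sha1.ComputeHash($stream)
    } finally {
        $stream.Close()
    }
    # BitConverter gives "0E-FC-35-..."; strip the dashes and lower-case it
    return ([System.BitConverter]::ToString($bytes)).Replace("-", "").ToLower()
}

function Test-FileSha1 {
    param([string]$Path, [string]$Expected)
    $actual = Get-FileSha1 -Path $Path
    Write-Host ("expected: {0}`nactual:   {1}" -f $Expected.ToLower(), $actual)
    return ($actual -eq $Expected.ToLower())
}

# The hash the guide lists for the install media; the path is an assumption.
$expectedSha1 = "0efc35935957c25193bbe9a83ab6caa25a487ada"
$isoPath      = "C:\Downloads\EN-US_SBS_STD_InstallDVD.iso"

if (Test-FileSha1 -Path $isoPath -Expected $expectedSha1) {
    Write-Host "SHA-1 matches."
} else {
    Write-Host "SHA-1 MISMATCH: do not use this file."
    exit 1
}
```

Run it on the machine you downloaded the ISO to; a mismatch means a corrupted or tampered download, and the file should be thrown away rather than mounted.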
==== Virtual machines ====

You're most likely going to install this into a virtual machine, which means you will also be installing the appropriate hypervisor guest tools. It's important to note that the version of Server 2008 R2 that comes in the SBS 2011 install media is the original RTM release of 2008 R2, so most likely any VM guest tools that you try to install will fail, as they expect a newer system. **You should first update to SP1 and install all the basic cumulative updates before you install any guest tools.**

===== Post-Installation =====

After you've installed your brand new copy of this glorious server operating system, a couple of tasks have to be taken care of before we can start playing around with everything else.

==== Time Servers ====

For some reason SBS 2011 doesn't get its time from an [[https://www.ntppool.org/en/|NTP time server]], so we have to set this up manually. You should choose a server pool that's close to your geographic region. In this example I'll use ''pt.pool.ntp.org'' to use Portugal time servers. Open an elevated command prompt and execute the following commands to set up network time synchronization:

<code>
w32tm /config /manualpeerlist:pt.pool.ntp.org /syncfromflags:manual /reliable:yes /update
w32tm /resync /force
</code>

==== Installing Modern Root Certificates ====

To properly import the certificates, open the ''mmc'' console and add a **Certificates** snap-in. When asked which account the snap-in will manage certificates for, select **Computer account** and in the next screen select **Local computer**. Now you should have a system-level certificate management console that exposes the certificates to all users on the server. With the proper management console, proceed to import the certificates into the appropriate locations: "Trusted Root Certification Authorities" for WindowsRoot.sst and "Intermediate Certification Authorities" for WindowsIntermediate.sst.
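The same imports can be done without the snap-in. The following is an added example, not code from the original guide: ''Import-Certificate'' and ''Import-PfxCertificate'' do not exist on Server 2008 R2, so it uses the .NET X509 classes that PowerShell 2.0 can reach. One helper loads an ''.sst'' (or ''.cer''/''.p7b'') into a machine store, which covers the two files named in this section; the other imports a ''.p12'' with its private key marked exportable, which is the manual step described in the SSL certificate section further down. File paths are assumptions, and it has to run from an elevated prompt.

```powershell
# Added example, not from the original guide: import certificates into the
# LocalMachine stores without the mmc snap-in, using the .NET X509 classes that
# are available on PowerShell 2.0 / Server 2008 R2. Run elevated.

# Import every certificate in a .sst / .cer / .p7b file into a machine store.
# $StoreName is the internal store name: "Root" = Trusted Root Certification
# Authorities, "CA" = Intermediate Certification Authorities, "My" = Personal.
function Import-StoreCertificates {
    param([string]$Path, [string]$StoreName)
    $collection = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2Collection
    $collection.Import($Path)
    $store = New-Object System.Security.Cryptography.X509Certificates.X509Store($StoreName, "LocalMachine")
    $store.Open("ReadWrite")
    try {
        foreach ($cert in $collection) { $store.Add($cert) }   # Add skips certificates already present
    } finally {
        $store.Close()
    }
    return $collection.Count
}

# Import a .p12/.pfx with its private key into the machine Personal store.
# MachineKeySet stores the key where services such as IIS can reach it, Exportable
# is the "Mark this key as exportable" checkbox, PersistKeySet keeps the key on
# disk after this process exits.
function Import-PrivateKeyCertificate {
    param([string]$Path, [System.Security.SecureString]$Password)
    $flags = [System.Security.Cryptography.X509Certificates.X509KeyStorageFlags]"MachineKeySet, Exportable, PersistKeySet"
    $cert  = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($Path, $Password, $flags)
    if (-not $cert.HasPrivateKey) { throw "No private key found in $Path" }
    $store = New-Object System.Security.Cryptography.X509Certificates.X509Store("My", "LocalMachine")
    $store.Open("ReadWrite")
    try { $store.Add($cert) } finally { $store.Close() }
    return $cert.Thumbprint
}

# Paths are assumptions; the .sst file names are the ones this section uses.
$rootCount = Import-StoreCertificates -Path "C:\Certs\WindowsRoot.sst" -StoreName "Root"
$caCount   = Import-StoreCertificates -Path "C:\Certs\WindowsIntermediate.sst" -StoreName "CA"
Write-Host "Imported $rootCount root and $caCount intermediate certificates."

# Server certificate for the SSL section further down (assumed path; password
# is prompted for rather than written into the script).
$p12Password = Read-Host -Prompt "PKCS#12 password" -AsSecureString
$thumb = Import-PrivateKeyCertificate -Path "C:\Certs\server.p12" -Password $p12Password
Write-Host "Server certificate imported, thumbprint $thumb"
```

The store-only imports can equally be done with ''certutil -addstore Root WindowsRoot.sst'' (and ''CA'' for the intermediate file); the .NET route is shown because it also handles the private-key case with the exact storage flags IIS needs. A current ''.sst'' of Microsoft's root program can be produced on any modern Windows machine with ''certutil -generateSSTFromWU roots.sst''.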
==== Updating to the Latest Patches ====

This is a very old operating system, but it was supported and updated for 10 years, meaning it went through a lot of iteration and incorporated technologies that weren't even available when it was first released. All of this is to say that a fully patched version of SBS 2011 may behave very differently from one that was just installed or that has had SP1 installed.

The first thing you should do right away is install the [[https://www.catalog.update.microsoft.com/Search.aspx?q=KB976932|Service Pack 1 for Windows Server 2008 R2]]. This will bring much of the system to a semi-modern state, allowing you to install newer applications and giving you a bit more compatibility in terms of drivers (especially for virtual machines).

Next up you need a couple of updates to be installed in series to enable the usage of another tool that gets you access to the latest Windows Updates. I know, it's a long way to get this ancient beast to a fully patched state. There is [[https://www.youtube.com/watch?v=06UoqwfZss0|this great video covering the process]], and the files needed for the updates can be found [[https://archive.org/details/sbs2011-windows-update-fix|in this Internet Archive item]] that I've compiled.

===== Setting up an SSL certificate =====

It's important to have a proper SSL certificate since everything these days sadly requires proper encryption.

==== Importing the certificate ====

For some reason Windows Server is incapable of properly importing a private key in a way that all its applications can use it, leading to many permission issues and troubles. The correct way of importing the certificate is using the good old manual ''mmc'' method.

To properly import the certificate, open the ''mmc'' console and add a **Certificates** snap-in. When asked which account the snap-in will manage certificates for, select **Computer account** and in the next screen select **Local computer**.
Now you should have a system-level certificate management console that exposes the certificate to all users on the server. From here go to ''Personal | Certificates'' and import the private key using the sidebar. After selecting the *.p12 file, when asked for the password for the private key, ensure that you select the "Mark this key as exportable" checkbox, since this will allow IIS to actually use it for its SSL shenanigans.

==== Adding the SSL Certificate to IIS ====

To use the recently imported SSL certificate inside IIS, all that you have to do is select the ''Default Web Site'', click on ''Bindings...'' in the sidebar, remove the HTTPS binding that's currently there (since it may produce a weird logon error if you just try to modify the certificate associated with it), add a new binding for HTTPS and select the appropriate certificate. Now you should have all Exchange and SharePoint endpoints using your certificate. You can test this by going to the OWA portal using HTTPS on your local machine.

If you get any errors when adding the binding related to a lack of a trusted intermediate certification chain, it means that you forgot to import the public root certificate for your self-signed certification authority. To do so, follow the same certificate instructions as before, except you should import your *.cer file into the Trusted Root Certification Authorities store.

===== Setting up Exchange Server 2010 =====

This is the best part of SBS 2011: with it you get a well set up Exchange server right out of the box, although it still needs a couple of tweaks to be useful and be brought up to speed with modern times.

==== Send Connector ====

**TODO: Set up an SMTP or Send Connector to * so you can email anyone.**

==== Accepted Domains ====

You want to be able to receive email for your proper domain name, not only the AD domain, so go to ''Organization Configuration | Hub Transport | Accepted Domains''.
You should see your AD domain listed; now simply add your own external/local domain to the list as an Authoritative domain.

==== Mailbox Addresses ====

By default, if you try to connect to the Exchange server using Outlook it will fail and complain that "An encrypted connection to your mail services is not available". This is most likely due to the fact that you used your nice domain name instead of the ''domain.local'' that SBS 2011 generated for you. To fix this go into the Exchange Management Console and into ''Recipient Configuration | Mailbox''. Double-click your username there and jump to the ''E-Mail Addresses'' tab. In this tab simply add your ''username@domain.tld'' address to the list, and if your SSL certificate is properly set up in IIS everything should just work from now on.

==== Connecting Clients ====

Connecting clients to an Exchange server has always been a super simple task: since every OS expected you to connect to one, there should be an automated wizard to guide you through the process. The only problem is that you are most likely to hit a bunch of errors with no proper explanation or ability to troubleshoot (all error messages are generic and provide no way to debug), although there are a couple of things to remember when you encounter any errors.

=== Autodiscovery Service ===

Exchange has a service to allow clients to automatically configure themselves. All you have to do to enable this feature is open the DNS server and add a new ''A Record'' for ''autodiscover.domain.tld'' that points to the IP address of your Exchange server, and everything should work itself out from there.

=== Login Username ===

On clients you should specify your Exchange email, but the username for authentication should be either ''DOMAIN\username'' or ''username''. Different clients require different usernames; trying all possible combinations until it works has been my default approach.
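Everything the Exchange sections above do in the Management Console (accepted domain, mailbox address, autodiscover record), together with the OWA/ECP authentication change described further down, can also be done from the Exchange Management Shell. The script below is an added example and not part of the original guide; it uses the Exchange 2010 cmdlets and ''dnscmd'', and the domain name, username and IP address in it are placeholders. Basic and Digest authentication only make sense behind the HTTPS binding set up earlier, since both send credentials the web server can read.

```powershell
# Added example, not from the original guide: the Exchange and DNS changes from the
# "Accepted Domains", "Mailbox Addresses" and "Autodiscovery Service" sections and
# the "Standard Authentication for OWA" section, as one script for an elevated
# Exchange Management Shell on the SBS server. Replace the placeholders.
$externalDomain = "domain.tld"      # public mail domain (placeholder)
$user           = "username"        # mailbox alias to add the address to (placeholder)
$exchangeIp     = "192.0.2.10"      # LAN address of the SBS server (placeholder)

# Load the Exchange 2010 cmdlets when run from a plain PowerShell window.
if (-not (Get-PSSnapin -Name Microsoft.Exchange.Management.PowerShell.E2010 -ErrorAction SilentlyContinue)) {
    Add-PSSnapin Microsoft.Exchange.Management.PowerShell.E2010
}

# 1. Accepted domain: Exchange becomes authoritative for the public domain.
if (-not (Get-AcceptedDomain | Where-Object { $_.DomainName.ToString() -eq $externalDomain })) {
    New-AcceptedDomain -Name $externalDomain -DomainName $externalDomain -DomainType Authoritative | Out-Null
}

# 2. Mailbox address: add username@domain.tld as a secondary SMTP address
#    (lower-case "smtp:" keeps the existing primary address; "SMTP:" would replace it).
$newAddress = "smtp:{0}@{1}" -f $user, $externalDomain
$mailbox    = Get-Mailbox -Identity $user
$current    = @($mailbox.EmailAddresses | ForEach-Object { $_.ProxyAddressString })
if (-not ($current -contains $newAddress)) {
    # A mailbox that follows the default e-mail address policy keeps the policy's
    # addresses alongside this one; the policy does not remove manually added ones.
    Set-Mailbox -Identity $user -EmailAddresses ($current + $newAddress)
}

# 3. Autodiscover: an A record for autodiscover.domain.tld on the SBS DNS server.
#    A zone for the public domain must exist there. Creating one makes the internal
#    DNS authoritative for that name on the LAN, so every public host (www, MX
#    targets, ...) must also be added to it or LAN clients will not resolve them.
& dnscmd.exe /ZoneInfo $externalDomain | Out-Null
if ($LASTEXITCODE -ne 0) { & dnscmd.exe /ZoneAdd $externalDomain /DsPrimary | Out-Null }
& dnscmd.exe /RecordAdd $externalDomain autodiscover A $exchangeIp

# 4. OWA and ECP: replace forms-based authentication with the standard methods.
#    Exchange requires both virtual directories to agree, and IIS needs a restart.
$authSettings = @{ FormsAuthentication = $false; BasicAuthentication = $true;
                   WindowsAuthentication = $true; DigestAuthentication = $true }
Get-OwaVirtualDirectory -Server $env:COMPUTERNAME | Set-OwaVirtualDirectory @authSettings
Get-EcpVirtualDirectory -Server $env:COMPUTERNAME | Set-EcpVirtualDirectory @authSettings
& iisreset.exe /noforce
```

After it runs, ''Get-AcceptedDomain'' and ''Get-Mailbox username | Select-Object -ExpandProperty EmailAddresses'' show the new state, and ''nslookup autodiscover.domain.tld'' from a domain-joined client confirms the record before you start fighting the client-side wizards.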
==== Updating to the Latest Version ====

Exchange is a massive project and needs a lot of updates to keep everything working smoothly and with modern clients, especially given that to support TLS 1.2 you need Service Pack 3, so it's extremely important to update to the last Cumulative Update that Microsoft provided if you intend on actually using the server. I was going to say updates are also important for security, but you should know that using such an old and unsupported version of a piece of software is a security nightmare, so never expose it to the internet and you should be fine.

To get your install fully updated you should download and install the following packages:

  * [[https://www.microsoft.com/en-us/download/details.aspx?id=36768|Microsoft Exchange Server 2010 Service Pack 3]]
  * [[https://www.microsoft.com/en-us/download/details.aspx?id=102774|Update Rollup 32 For Exchange 2010 SP3 (KB5000978)]]

For some bizarre reason, if you try to install the Update Rollup by double-clicking it as with every update, it'll randomly fail in the middle of the installation because of [[https://www.msdigest.net/2014/03/setup-wizard-for-exchange-update-rollup-ended-prematurely/|some conflict with UAC]] (User Account Control). To work around this issue jump to an elevated command prompt (Run as administrator) and install using the following command:

<code>
msiexec.exe /update Exchange2010-KB5000978-x64-en.msp
</code>

Before installing these updates ensure that you have the latest version of the .NET Framework and of the Visual C++ redistributables. Also, if you need a list of all the update rollups available for Exchange 2010 and other versions, it can be [[https://learn.microsoft.com/en-us/exchange/new-features/build-numbers-and-release-dates|found here]].

==== Standard Authentication for OWA ====

For some reason the default in Exchange 2010 of using forms-based authentication for Outlook Web App causes authentication issues on modern web browsers outside of Windows, so it's good to disable it.
To do this we need to go to the Exchange Management Console and navigate to ''Server Configuration | Client Access'', and **in both the Outlook Web App AND the Exchange Control Panel** go to the Authentication tab and select the usage of standard authentication methods (including Digest Authentication).

===== Enabling Modern TLS =====

Sadly the world moves on and people decide that we need more sophisticated encryption algorithms for serving plain-text pages with no user input or sensitive information. Even worse, these people decide that they are going to force everyone to upgrade while they are at it. This brings us to the fact that if we want to interact with our server from a modern browser, or a pedantic mail client, we need at least to have TLS 1.2 enabled and working.

To enable such modern encryption algorithms for these pedantic people we could go down the [[https://tecadmin.net/enable-tls-on-windows-server-and-iis/|manual route]], or we can use the amazing [[https://www.nartac.com/Products/IISCrypto/|IISCrypto]] tool provided by Nartac, which is a lot better and is the proper way of doing it. Here's [[https://box.innove.link/u/IISCrypto-v3.3.exe|a link to an archive of version 3.3]], which is the version needed for SBS 2011.

===== Disabling IPv6 =====

No one needs IPv6; it's a complete mess and has never helped anyone. When you finish setting up SBS 2011 it will automatically have IPv6 enabled, meaning it will resolve IPv6 DNS addresses and possibly allow clients to get allocations via DHCP, so we must disable this abomination, although [[https://web.archive.org/web/20150217022430/http://blogs.technet.com/b/sbs/archive/2011/02/18/small-business-server-2011-slow-to-boot-and-several-services-fail-to-start.aspx|even Microsoft will warn you against it]].
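Both the "manual route" to TLS 1.2 above and the IPv6 procedure below come down to registry edits, and the IPv6 one explicitly requires an export before a delete. The script that follows is an added example, not part of the original guide or of IISCrypto: it backs up each key with ''reg.exe'' before touching it, writes the ''DisabledComponents'' value and removes the ''RouterManagers\Ipv6'' key exactly as the IPv6 steps describe, and then sets the SCHANNEL protocol keys so that TLS 1.1/1.2 are on and SSL 2.0/3.0 are off. It only handles protocols, not cipher suites, which is the part IISCrypto adds on top; it leaves TLS 1.0 alone (turn that off only after you have verified Exchange and every client on the network still connect); and the network adapter checkbox stays a GUI step. The backup folder is an assumption.

```powershell
# Added example, not from the original guide: the registry half of the IPv6 steps
# plus the SCHANNEL protocol keys that the "manual route" to TLS 1.2 edits.
# Run from an elevated PowerShell. Every key is exported with reg.exe first so the
# change can be undone by importing the .reg file. C:\RegBackup is an assumption.
$backupDir = "C:\RegBackup"
New-Item -ItemType Directory -Path $backupDir -Force | Out-Null

# Keys are written in reg.exe form (HKLM\...); this turns them into provider paths.
function ConvertTo-PSRegPath { param([string]$RegExePath) return ($RegExePath -replace '^HKLM\\', 'HKLM:\') }

function Backup-RegistryKey {
    param([string]$KeyPath, [string]$Label)
    $file = Join-Path $backupDir ("{0}-{1:yyyyMMdd-HHmmss}.reg" -f $Label, (Get-Date))
    & reg.exe export $KeyPath $file /y | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "Export of $KeyPath failed; not touching it" }
    return $file
}

# ---- IPv6 (registry steps of the list below; the adapter checkbox stays a GUI step) ----
$tcpip6Reg = "HKLM\SYSTEM\CurrentControlSet\Services\Tcpip6\Parameters"
$routerReg = "HKLM\SYSTEM\CurrentControlSet\Services\RemoteAccess\RouterManagers\Ipv6"

Backup-RegistryKey -KeyPath $tcpip6Reg -Label "Tcpip6-Parameters" | Out-Null
# The guide uses ffffffff. Parsed as a signed Int32 this is -1, which the registry
# provider stores as REG_DWORD 0xFFFFFFFF. (Microsoft's own article on
# DisabledComponents documents 0xff and notes the all-ones value adds a startup delay.)
$allOnes = [int]::Parse("ffffffff", [System.Globalization.NumberStyles]::HexNumber)
New-ItemProperty -Path (ConvertTo-PSRegPath $tcpip6Reg) -Name DisabledComponents `
    -PropertyType DWord -Value $allOnes -Force | Out-Null

if (Test-Path (ConvertTo-PSRegPath $routerReg)) {
    Backup-RegistryKey -KeyPath $routerReg -Label "RouterManagers-Ipv6" | Out-Null   # the "export" step
    Remove-Item -Path (ConvertTo-PSRegPath $routerReg) -Recurse                     # the "delete" step
}

# ---- SCHANNEL protocols (TLS section above) ----
$schannelReg = "HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL"
Backup-RegistryKey -KeyPath $schannelReg -Label "SCHANNEL" | Out-Null

function Set-SchannelProtocol {
    param([string]$Protocol, [bool]$Enabled)
    foreach ($side in "Server", "Client") {
        $key = (ConvertTo-PSRegPath $schannelReg) + "\Protocols\$Protocol\$side"
        New-Item -Path $key -Force | Out-Null
        $enabledValue  = $(if ($Enabled) { 1 } else { 0 })
        $disabledValue = $(if ($Enabled) { 0 } else { 1 })
        New-ItemProperty -Path $key -Name Enabled -PropertyType DWord -Value $enabledValue -Force | Out-Null
        New-ItemProperty -Path $key -Name DisabledByDefault -PropertyType DWord -Value $disabledValue -Force | Out-Null
    }
}

Set-SchannelProtocol -Protocol "TLS 1.2" -Enabled $true
Set-SchannelProtocol -Protocol "TLS 1.1" -Enabled $true
Set-SchannelProtocol -Protocol "SSL 3.0" -Enabled $false
Set-SchannelProtocol -Protocol "SSL 2.0" -Enabled $false
# TLS 1.0 is deliberately left alone: disable it only after checking that Exchange
# and the clients on your network still connect.
Write-Host "Registry updated; backups are in $backupDir. Reboot to apply."
```

The SCHANNEL changes need a reboot, which the IPv6 procedure requires anyway. A quick check afterwards from a modern machine is ''openssl s_client -connect server:443 -tls1_2'', which should now complete a handshake, while ''-ssl3'' should be refused.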
Apparently full network connectivity is needed for some of the early system initialization, and if you just disable the protocol from the network adapter settings a lot of services, such as Exchange, will break, and whenever you reboot you will be stuck in the "Applying system configuration" phase of the system boot.

Since Microsoft has already taken the page with the instructions to disable IPv6 offline, here is a copy of what you should do:

  - Uncheck Internet Protocol Version 6 (TCP/IPv6) on your Network Card.
  - In Registry Editor, locate and then click the following registry subkey: ''HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip6\Parameters\''
  - Double-click ''DisabledComponents'' to modify the entry, or if it's unavailable, create it as a "DWORD (32-bit) Value".
  - Enter ''ffffffff'' (eight f's), and then click OK.
  - Because of the VPN service you **MUST also export and then delete** the following registry key: ''HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\RemoteAccess\RouterManagers\Ipv6''
  - Reboot the SBS 2011 server.

===== Disabling Windows Server Update Services =====

Windows Server Update Services (WSUS) is a really nice piece of software that Microsoft developed so that system administrators could centrally manage the Windows Updates of an entire business. It is quite a lot of fun to play around with and enables you to update older machines, since it creates a cache of Microsoft's updates, but it's a massive resource hog, and given that most of our old machines can be updated using things like [[https://download.wsusoffline.net/|WSUS Offline]] or [[http://legacyupdate.net/|Legacy Update]], it's a waste of resources to keep such a service running.

The problem with disabling or removing core services like this is that it may break the amazing SBS Console, which really makes managing SBS 2011 such a joy, so we must tread carefully if we want to disable this resource hog without breaking useful functionality.
The information contained in this section is a mixture of [[http://sangnak.com/disable-wsus-on-sbs-2008-or-2011/|a tutorial by Sangnak]] and [[https://notes.ponderworthy.com/disable-wsus-in-sbs-2011|another one by PonderWorthy]], both on the same subject. My goal is to reduce resource usage while ensuring we can still revert our changes in the future if we want.

==== WSUS Services ====

The first part of the process is to disable the service itself and ensure that our change propagates to the client machines connected to our server. For this we need to do the following:

  - Open ''services.msc'' and locate the "Update Services" service.
  - Stop the service. Go into its properties and change its startup type to "Disabled" so it won't be restarted.
  - Open ''gpmc.msc''.
  - Navigate to ''Forest | Domains | domain.local | Group Policy Objects''.
  - Select the ''Update Services Client Computers Policy'' policy and go into the Details tab.
  - Change its GPO Status to "All settings disabled".
  - Repeat the same operation for the ''Update Services Common Settings Policy'' and ''Update Services Server Computers Policy'' policies.
  - Open a command prompt on the server and run ''gpupdate /force''.
  - Open the Registry Editor with ''regedit''.
  - Navigate to the ''HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\WindowsUpdate\AU'' key, creating any missing keys along the way.
  - Create a new DWORD (32-bit) Value called ''UseWUServer'' and set its value to ''0''.
  - Open the Windows Update application and set its update settings according to your preferences.

==== IIS ====

Afterwards we need to disable the WSUS entries in IIS so that the service is no longer advertised:

  - Open the IIS Manager application.
  - Select ''Application Pools'' and stop the ''WsusPool'' application pool.
  - Expand the ''Sites'' folder and select the ''WSUS Administration'' site.
  - Stop the ''WSUS Administration'' site from the Actions panel.
==== SQL Server ====

Now it's time for the biggest resource hog of them all, SQL Server. This is a tricky one, and it's the one that's consuming most of the resources in your system.

  - Open the SQL Server 2008 R2 ''SQL Server Management Studio'' as Administrator (right-click and select Run as Administrator).
  - Connect to a Database Engine with the name ''\\.\pipe\mssql$microsoft##ssee\sql\query''.
  - Right-click the root node ''\\.\pipe\mssql$microsoft##ssee\sql\query'' and select Properties.
  - Go to the Memory tab and change the maximum server memory to something more reasonable, such as 512 MB.

You should now have a much lighter server with all useful services still available. Since Windows Server is still Windows, I would advise a restart just to be sure.
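The three WSUS subsections above (service and policy, IIS, SQL Server) can be run as a single script from an elevated PowerShell on the server. This is an added example and not code from the original guide or from the two tutorials it draws on. It assumes the ''GroupPolicy'' module that comes with GPMC on Server 2008 R2 is available and that ''sqlcmd.exe'' (installed with SQL Server Management Studio) is on the PATH; the service is looked up by its display name rather than an assumed internal name. In keeping with the section's goal, nothing is uninstalled: every step is a stop, a disable or a cap, so the ''.reg'' value, the GPO status and the app pool can all be turned back on later.

```powershell
# Added example, not from the original guide: the WSUS, IIS and SQL steps above as
# one script. Run from an elevated PowerShell on the SBS server. Nothing is removed,
# only stopped, disabled or capped, so each step can be reverted.

# 1. Stop and disable the "Update Services" service, found by display name so the
#    internal service name does not have to be assumed.
$wsus = Get-Service -DisplayName "Update Services"
if ($wsus.Status -ne "Stopped") { Stop-Service -Name $wsus.Name -Force }
Set-Service -Name $wsus.Name -StartupType Disabled

# 2. Switch the three SBS update policies to "All settings disabled". Assumes the
#    GroupPolicy module installed with GPMC on Server 2008 R2.
Import-Module GroupPolicy
$policies = "Update Services Client Computers Policy",
            "Update Services Common Settings Policy",
            "Update Services Server Computers Policy"
foreach ($name in $policies) {
    $gpo = Get-GPO -Name $name
    $gpo.GpoStatus = "AllSettingsDisabled"   # assigning the property writes it back to AD
}
& gpupdate.exe /force | Out-Null

# 3. Tell the local Windows Update agent to stop using the WSUS server.
$au = "HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU"
New-Item -Path $au -Force | Out-Null
New-ItemProperty -Path $au -Name UseWUServer -PropertyType DWord -Value 0 -Force | Out-Null

# 4. Stop the WSUS application pool and site in IIS 7.5 with appcmd.
$appcmd = Join-Path $env:windir "System32\inetsrv\appcmd.exe"
& $appcmd stop apppool /apppool.name:WsusPool
& $appcmd stop site /site.name:"WSUS Administration"

# 5. Cap the SQL instance the guide points SSMS at. sqlcmd.exe is assumed to be on
#    PATH, "np:" selects the named-pipe connection, and single quotes stop
#    PowerShell from trying to expand "$microsoft" in the pipe name.
$instance = 'np:\\.\pipe\mssql$microsoft##ssee\sql\query'
$tsql = "EXEC sp_configure 'show advanced options', 1; RECONFIGURE; " +
        "EXEC sp_configure 'max server memory (MB)', 512; RECONFIGURE;"
& sqlcmd.exe -S $instance -E -Q $tsql

# Quick sanity check of what is left.
Get-Service -DisplayName "Update Services" | Format-Table Name, Status -AutoSize
```

''max server memory'' is an advanced option, which is why ''show advanced options'' has to be switched on first; the value takes effect immediately without restarting the instance. After the reboot the guide recommends, confirm that the SBS Console still opens before calling it done, since that is the functionality the section is trying not to break.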