Friday 24 May 2013

Scripted Installation of SharePoint 2013 and Office Web Apps Server – From the Field (Part 3)

This is the third post in the Scripted Installation of SharePoint 2013 and Office Web Apps Server blog series. It covers the deployment of the following service applications:
  • User Profile
  • Search
  • Distributed Cache
For the farm topology, installation and provisioning of the basic service applications, see parts one and two of this series.
  1. Farm Topology and Prerequisites
  2. SharePoint Installation, Configuration and Basic Service Applications Deployment
  3. User Profile, Search and Distributed Cache Service Applications Deployment
  4. Office Web Apps Server farm Implementation and Configuration

Prerequisites and Assumptions

  • Please download and extract the attached files onto a local directory on each SharePoint server. For the purposes of this blog the suggested directory is E:\Scripts\Install.
  • From the downloaded files, update the SPUserProfile.xml file with environment-specific information such as the SQL Server alias name, service account details, database name and service application name. The file is self-explanatory once opened.
  • Also update the SPSearchService.xml file with environment-specific information such as the SQL Server alias name, service account name and password, database name, service application name and index location. Because this file holds a service account password in clear text, restrict its NTFS permissions to the install account and delete it from the servers once the search topology has been deployed.

Configure Distributed Cache

The Distributed Cache service can be deployed in one of two modes: dedicated or collocated. In dedicated mode, all services other than the Distributed Cache service are stopped on the server that runs it. In collocated mode, the Distributed Cache service runs alongside other services on the application server. Dedicated mode is the recommended mode when the total number of users exceeds 10,000.
When more than one server is used for Distributed Cache, all the servers must have the same cache size configured.
Please see Planning for Distributed Cache service in SharePoint Server 2013 for more information.
Provision the Distributed Cache service in dedicated mode:
Launch the SharePoint Management Shell as administrator and run the following PowerShell on every application, search and web server (all servers apart from the Distributed Cache servers SPDCache01 and SPDCache02) to shut the local cache instance down gracefully, unprovision it and remove the server from the cache cluster. The graceful stop comes first so that any cached data is handed to the remaining hosts before the instance is taken offline:
 $instanceName ="SPDistributedCacheService Name=AppFabricCachingService" 
 $serviceInstance = Get-SPServiceInstance | ? {($_.service.tostring()) -eq $instanceName -and ($_.server.name) -eq $env:computername} 
 Stop-SPDistributedCacheServiceInstance -Graceful 
 $serviceInstance.Unprovision() 
 Remove-SPDistributedCacheServiceInstance 
Change the Memory Allocation of the Distributed Cache Service
When SharePoint Server 2013 is installed, it assigns the Distributed Cache service 10 percent of the total memory on the server. It is recommended to allocate sufficient amount of memory on each Distributed Cache server. Please see Change the memory allocation of the Distributed Cache service to calculate how much memory can be assigned to the Distributed Cache service. It is important to note that the allocated memory on each server should not exceed 16 GB.
Use the following procedure to update the memory allocation accordingly:
Launch SharePoint Management Shell as Administrator on SPDCache01 and SPDCache02 and run the following scripts:
Stop the Distributed Cache service:
 $instanceName ="SPDistributedCacheService Name=AppFabricCachingService" 
 $serviceInstance = Get-SPServiceInstance | ? {($_.service.tostring()) -eq $instanceName -and ($_.server.name) -eq $env:computername} 
 $serviceInstance.Unprovision() 
Reconfigure the cache size of the Distributed Cache service:
 Update-SPDistributedCacheSize -CacheSizeInMB 7168 
Restart the Distributed Cache service:
 $instanceName ="SPDistributedCacheService Name=AppFabricCachingService" 
 $serviceInstance = Get-SPServiceInstance | ? {($_.service.tostring()) -eq $instanceName -and ($_.server.name) -eq $env:computername} 
 $serviceInstance.Provision() 
Change Service Account
When the server farm is first configured, the server farm account is set as the service account of the AppFabric Caching service, on which the Distributed Cache service depends. The farm account holds elevated rights across the farm and its databases, so it should not also be the identity of the cache process; change the service account to the dedicated managed account registered for this purpose (SVC_SPFabric in part one). To do this, set the managed account as the service account of the AppFabric Caching service.
At the Windows PowerShell command prompt, run the following command:
 $farm = Get-SPFarm 
 $cacheService = $farm.Services | where {$_.Name -eq "AppFabricCachingService"} 
 $accnt = Get-SPManagedAccount -Identity DomainName\SVC_SPFabric 
 $cacheService.ProcessIdentity.CurrentIdentityType = "SpecificUser" 
 $cacheService.ProcessIdentity.ManagedAccount = $accnt 
 $cacheService.ProcessIdentity.Update() 
Where the ‘DomainName’ is the NetBIOS domain name.
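The three Distributed Cache steps above (dedicated hosts only, equal cache size on every host, cache service no longer running as the farm account) are easy to get half right, so the following script checks all three after the fact. It is an added example and not part of the original post. It assumes the cache hosts are SPDCache01 and SPDCache02, the cache size is 7168 MB and the cache identity is DomainName\SVC_SPFabric, as in this series, and it relies on the AppFabric 1.1 cmdlets (Use-CacheCluster, Get-CacheHost, Get-AFCacheHostConfiguration) that are available on a cache host. Run it in the SharePoint Management Shell on one of the cache hosts.

```powershell
# Added verification script for the Distributed Cache steps; not from the original post.
param(
    [string[]]$CacheHosts   = @("SPDCache01", "SPDCache02"),   # assumption: dedicated cache hosts from this series
    [int]     $CacheSizeMB  = 7168,                             # assumption: value used in the post
    [string]  $CacheAccount = "DomainName\SVC_SPFabric"         # assumption: managed account from part one
)
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue
$findings = New-Object System.Collections.ArrayList

# 1. Only the dedicated hosts should still carry a Distributed Cache service instance.
$instanceName = "SPDistributedCacheService Name=AppFabricCachingService"
Get-SPServiceInstance |
    Where-Object { $_.Service.ToString() -eq $instanceName } |
    ForEach-Object {
        $server = $_.Server.Name
        if ($CacheHosts -notcontains $server) {
            [void]$findings.Add("$server still has a Distributed Cache instance (status $($_.Status)); remove it")
        } elseif ($_.Status -ne "Online") {
            [void]$findings.Add("$server is a cache host but its instance is $($_.Status)")
        }
    }

# 2. Every cache host must be up and use the same cache size (AppFabric cmdlets).
Use-CacheCluster
foreach ($h in Get-CacheHost) {
    $cfg = Get-AFCacheHostConfiguration -ComputerName $h.HostName -CachePort $h.PortNo
    # Size may display as "7168 MB"; keep only the digits before comparing.
    $sizeMB = [int]("$($cfg.Size)" -replace '[^\d]', '')
    if ($sizeMB -ne $CacheSizeMB) {
        [void]$findings.Add("$($h.HostName) cache size is $sizeMB MB, expected $CacheSizeMB MB")
    }
    if ($h.Status -ne "Up") {
        [void]$findings.Add("$($h.HostName) cache host status is $($h.Status)")
    }
}

# 3. The AppFabric Caching service must no longer run as the farm account.
$farm         = Get-SPFarm
$cacheService = $farm.Services | Where-Object { $_.Name -eq "AppFabricCachingService" }
$identity     = $cacheService.ProcessIdentity.Username
$farmAccount  = $farm.DefaultServiceAccount.Name
if ($identity -eq $farmAccount) {
    [void]$findings.Add("AppFabric Caching service still runs as the farm account $farmAccount")
} elseif ($identity -ne $CacheAccount) {
    [void]$findings.Add("AppFabric Caching service runs as $identity, expected $CacheAccount")
}

if ($findings.Count -eq 0) { "Distributed Cache configuration matches the expected state" }
else { $findings | ForEach-Object { "FINDING: $_" } }
```

Any FINDING line points back at one of the three procedures above; a cache size mismatch between hosts is the one that silently degrades the cluster, so it is worth re-running this check after every cache host is rebuilt or re-joined.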

Configure User Profile Services

Log in to SPAPP01 (the application server hosting the Central Administration site) and launch the SharePoint Management Shell as administrator. Execute the following command to start and configure the User Profile Service:
 E:\Scripts\Install\SPUserProfile.ps1 -configLocation E:\Scripts\Install\SPUserProfile.xml 
When prompted, provide the My Site application pool account (the "$MySiteAppPool" variable).

Start User Profile Synchronisation

  1. Ensure that the farm account (SVC_SPFarm) is a member of the local Administrators group on SPAPP01.
    Strictly, this is only required while configuring User Profile Synchronization. However, when a backup of the User Profile Service Application is initiated, the synchronization service provisions the application again, and during provisioning the farm account must stop and start the synchronization service, which again requires membership of the local Administrators group on the server running it. For that reason you may decide to leave the farm account in the Administrators group on SPAPP01; if you do, treat it as a standing privilege on that server and monitor it accordingly.
  2. Ensure that the farm account can log on locally on both SPAPP01 and SPAPP02 (see http://technet.microsoft.com/en-us/library/ff182925(v=office.15).aspx#permission).
  3. Reboot SPAPP01 after granting the above permissions.
  4. Starting the User Profile Synchronization Service presents the same challenge as in SharePoint 2010: it must be started under the farm account. There are a number of options:
    1. Log in to SPAPP01 as the farm account (SVC_SPFarm), navigate to Central Administration, click Services on Server and start the User Profile Synchronization Service.
    2. Launch the SharePoint Management Shell as SVC_SPFarm and use the New-SPProfileServiceApplication cmdlet.
    3. Use the third option described in Avoiding the Default Schema issue when creating the User Profile Service Application using Windows PowerShell by Spencer Harbar.
  5. Perform an IIS reset on SPAPP01 after the service has been started.
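The start-up procedure above is the one step in the series that has to run under the farm account and that depends on a temporary local-admin grant, so it is worth scripting the checks around it. The following is an added example, not part of the original post and not one of the three options it lists: it uses the "set the synchronization machine, then start the instance" approach from a SharePoint Management Shell that is already running as the farm account, polls until the instance is Online and can then drop the farm account from local Administrators. It assumes the account name DomainName\SVC_SPFarm and a service application named "User Profile Service Application" (created by SPUserProfile.ps1); both are stand-ins.

```powershell
# Added example; not part of the original post. Run as the farm account on SPAPP01.
param(
    [string]$FarmAccount = "DomainName\SVC_SPFarm",              # assumption
    [string]$UpaName     = "User Profile Service Application",   # assumption
    [switch]$RemoveLocalAdminWhenDone
)
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

# The service only provisions cleanly when the farm account itself starts it,
# so refuse to run under any other identity.
$current = [System.Security.Principal.WindowsIdentity]::GetCurrent().Name
if ($current -ne $FarmAccount) { throw "Run this shell as $FarmAccount (current identity: $current)" }

# Prerequisite from step 1: farm account in the local Administrators group.
$members = net localgroup Administrators
if ($members -notcontains $FarmAccount) { throw "$FarmAccount is not a member of local Administrators on $env:COMPUTERNAME" }

$upa = Get-SPServiceApplication | Where-Object { $_.TypeName -eq "User Profile Service Application" -and $_.DisplayName -eq $UpaName }
if (-not $upa) { throw "Service application '$UpaName' not found; run SPUserProfile.ps1 first" }

$sync = Get-SPServiceInstance | Where-Object { $_.TypeName -eq "User Profile Synchronization Service" -and $_.Server.Name -eq $env:COMPUTERNAME }
if (-not $sync) { throw "No User Profile Synchronization Service instance on $env:COMPUTERNAME" }

if ($sync.Status -ne "Online") {
    # The sync service (FIM) runs as the farm account and needs its password once;
    # prompt for it rather than storing it in the script.
    $secure = Read-Host -AsSecureString "Password for $FarmAccount"
    $bstr   = [Runtime.InteropServices.Marshal]::SecureStringToBSTR($secure)
    $plain  = [Runtime.InteropServices.Marshal]::PtrToStringBSTR($bstr)
    [Runtime.InteropServices.Marshal]::ZeroFreeBSTR($bstr)

    $upa.SetSynchronizationMachine($sync.Server, $sync.Id, $FarmAccount, $plain)
    $plain = $null
    Start-SPServiceInstance -Identity $sync.Id | Out-Null

    # Provisioning takes several minutes: poll the status instead of assuming.
    $deadline = (Get-Date).AddMinutes(20)
    do {
        Start-Sleep -Seconds 15
        $sync = Get-SPServiceInstance -Identity $sync.Id
        Write-Host ("{0:HH:mm:ss} status: {1}" -f (Get-Date), $sync.Status)
    } until ($sync.Status -eq "Online" -or (Get-Date) -gt $deadline)
}
if ($sync.Status -ne "Online") { throw "Synchronization service did not reach Online (status: $($sync.Status)); check the ULS log and the Forefront Identity Manager services" }

if ($RemoveLocalAdminWhenDone) {
    # Step 1 above explains why you may prefer to leave this membership in place.
    net localgroup Administrators $FarmAccount /delete | Out-Null
    Write-Host "Removed $FarmAccount from local Administrators; re-add it before the service application is re-provisioned (for example after a backup)."
}
iisreset | Out-Null
"User Profile Synchronization Service is Online on $env:COMPUTERNAME"
```

Run it without -RemoveLocalAdminWhenDone if you have decided to keep the farm account in the local Administrators group, as discussed in step 1; with the switch, the grant lasts only for the duration of the provisioning.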
The following activities are recommended however are out of scope of this blog post:
  1. Add a new synchronisation connection
  2. Define exclusion filters for a synchronisation connection
  3. Map user profile properties
  4. Start profile synchronization and configure Import Schedules

Configure Search Service

Log in to SPAPP01 (the application server hosting the Central Administration site) and launch the SharePoint Management Shell as administrator. Execute the following command to start the Search services and configure the search topology:

 E:\Scripts\Install\SPSearchService.ps1 -configLocation E:\Scripts\Install\SPSearchService.xml 
Please note the following Search post configuration steps are required to be carried out; however, are out of scope of this blog post:
  1. Provide the location of the global Search Centre
  2. Setup People Search
  3. Configure result sources
  4. Configure Search Result Exclusions
  5. Configure Search Alert Settings
  6. Configure Search Crawling Schedule
Look out for the next blog post, where we implement the Office Web Apps Server components and their integration with SharePoint.

Monday 18 March 2013

Scripted Installation of SharePoint 2013 and Office Web Apps Server – From the Field (Part 2)

This is the second post in the Scripted Installation of SharePoint 2013 and Office Web Apps Server series. If you have not already done so, please see part one of this blog series: Farm Topology and Prerequisites.
  1. Farm Topology and Prerequisites
  2. SharePoint Installation, Configuration and Basic Service Applications Deployment
  3. User Profile, Search and Distributed Cache Service Applications Deployment
  4. Office Web Apps Server farm Implementation and Configuration
This blog post will cover:
  • Installation of SharePoint 2013
  • Farm creation and configuration
  • Implementation of:
    • Excel Services
    • Secure Store
    • Usage and Health Data Collection
    • Managed Metadata Services
    • State Services
  • Configuration of services on servers
  • Configuration of usage and health data collection
  • Configuration of state service
  • Configuration of diagnostic logging

Servers in Farm

The following table illustrates the server names and associated server roles for each server:
 Server Name  Server Role
 SPWEB01  SharePoint 2013 Web Server 1
 SPWEB02  SharePoint 2013 Web Server 2
 SPDCache01  SharePoint 2013 Distributed Cache Server 1
 SPDCache02  SharePoint 2013 Distributed Cache Server 2
 SPAPP01  SharePoint 2013 Application Server 1 (CA)
 SPAPP02  SharePoint 2013 Application Server 2 (CA)
 SPQuery01  SharePoint 2013 Query Processing and Index Server 1
 SPQuery02  SharePoint 2013 Query Processing and Index Server 2
 SPCrawl01  SharePoint 2013 Admin, Crawl, Content Processing, Analytics Processing Server 1
 SPCrawl02  SharePoint 2013 Admin, Crawl, Content Processing, Analytics Processing Server 2

Installation Prerequisites and Assumptions

  • Please download and extract the attached files onto a local directory. It is assumed that this directory is the local folder E:\Scripts\Install on all SharePoint servers.
  • It is assumed that the SharePoint installation directory is D:\
  • Update the SilentConfig.xml file with the SharePoint product key. See the Config.xml reference on TechNet for more information.
  • Update the Config.xml file with environment-specific information such as the SQL Server alias name (to ease maintenance and make it simpler to relocate the databases later, create DNS aliases that point to the IP address of each SQL Server instance and reference the aliases rather than the server names), farm account details, admin database and configuration database.
  • Update the SPCredentials.xml file with the service account names and passwords. This file contains clear-text passwords: keep its NTFS permissions restricted to the install account and remove it from the servers once the managed accounts have been registered.
  • Update the SPServices.xml file with the Usage and Health data collection log file location and maximum file size, the SQL Server name, the service application names and their related database names.

Install SharePoint

  1. The Microsoft SQL Server 2008 R2 Native Client is installed by the SharePoint 2013 prerequisites installer; however, if SQL Server 2012 hosts the SharePoint databases, install the Microsoft SQL Server 2012 Native Client (64-bit edition) on all SharePoint servers.
  2. Install SharePoint prerequisites and SharePoint binaries by executing the following script on all servers listed above (launch SharePoint Management Shell as administrator): 
Set-ExecutionPolicy Unrestricted -Force 
E:\Scripts\Install\SPInstaller.ps1 -installPath D:\ -offline "n"
Please note: Windows PowerShell execution policies determine the conditions under which Windows PowerShell loads configuration files and runs scripts. The execution policy is not a security boundary that restricts what a user can do; it only helps users set basic rules for themselves and stops them from violating those rules unintentionally, and it will not stop an attacker who already runs code on the server. See the About Execution Policies TechNet article. Once the build is complete, consider returning the policy to RemoteSigned (Set-ExecutionPolicy RemoteSigned) so that scripts copied to the servers later are not run by accident.
This script restarts servers automatically as required. Do not run the configuration wizard until installation has completed on all servers.
The following steps are performed on individual servers specified in each step:

Create the Farm

Log in to SPAPP01 (the application server hosting the Central Administration site) using the installer account and launch the SharePoint Management Shell as administrator. Execute the following command to create the farm:
E:\Scripts\Install\SPConfig.ps1 -configLocation E:\Scripts\Install\Config.xml -createJoin create -isCA "y"

Join Servers to the Farm

Log in to SPAPP02 (the second application server hosting the Central Administration site) and launch the SharePoint Management Shell as administrator. Execute the following PowerShell script:
E:\Scripts\Install\SPConfig.ps1 -configLocation E:\Scripts\Install\Config.xml -createJoin join -isCA "y"
Run the following script on the below SharePoint servers:
E:\Scripts\Install\SPConfig.ps1 -configLocation E:\Scripts\Install\Config.xml -createJoin join -isCA "n"

 Server Name  Server Role
 SPWEB01  SharePoint 2013 Web Server 1
 SPWEB02  SharePoint 2013 Web Server 2
 SPDCache01  SharePoint 2013 Distributed Cache Server 1
 SPDCache02  SharePoint 2013 Distributed Cache Server 2
 SPQuery01  SharePoint 2013 Query Processing and Index Server 1
 SPQuery02  SharePoint 2013 Query Processing and Index Server 2
 SPCrawl01  SharePoint 2013 Admin, Crawl, Content Processing, Analytics Processing Server 1
 SPCrawl02  SharePoint 2013 Admin, Crawl, Content Processing, Analytics Processing Server 2

Register Managed Accounts

Log in to SPAPP01 (the application server hosting the Central Administration site) using the installer account and launch the SharePoint Management Shell as administrator. Execute the following command to register the managed accounts in the farm:
E:\Scripts\Install\SPCredentials.ps1 -configLocation E:\Scripts\Install\SPCredentials.xml

Configure Basic Services

Log in to SPAPP01 (the application server hosting the Central Administration site) using the installer account and launch the SharePoint Management Shell as administrator. Execute the following command to start the required services and stop the unwanted ones:
E:\Scripts\Install\SPServices.ps1 -configLocation E:\Scripts\Install\SPServices.xml
The above script stops unnecessary services on the servers and starts the following services:
  • Excel Services
  • Secure Store
  • Usage and Health Data Collection
  • Managed Metadata Services
  • State Services

Configure Usage and Health Data Collection

Log in to SPAPP01 (the application server hosting the Central Administration site) using the installer account and launch the SharePoint Management Shell as administrator. Execute the following command to start and configure the Usage Service:
E:\Scripts\Install\SPUsage.ps1 -configLocation E:\Scripts\Install\SPServices.xml

Configure State Service

Log in to SPAPP01 (the application server hosting the Central Administration site) using the installer account and launch the SharePoint Management Shell as administrator. Execute the following command to start and configure the State Service:
E:\Scripts\Install\SPStateService.ps1 -configLocation E:\Scripts\Install\SPServices.xml

You should now have basic services started on all servers in the farm. It is recommended to check Servers in Farm page from Central administrations site to ensure that the correct services are started.
By the end of this blog series the expected farm topology will be as illustrated below:
 Server Name  Server Role  Services
 SPWEB01  Web Server
   • Microsoft SharePoint Foundation Web Application
   • Microsoft SharePoint Foundation Workflow Timer Service
   • Managed Metadata Web Service
 SPWEB02  Web Server
   • Microsoft SharePoint Foundation Web Application
   • Microsoft SharePoint Foundation Workflow Timer Service
   • Managed Metadata Web Service
 SPDCache01  Distributed Cache
   • Distributed Cache
   • Microsoft SharePoint Foundation Workflow Timer Service
   • Microsoft SharePoint Foundation Web Application
 SPDCache02  Distributed Cache
   • Distributed Cache
   • Microsoft SharePoint Foundation Workflow Timer Service
   • Microsoft SharePoint Foundation Web Application
 SPAPP01  Application Server
   • Central Administration
   • Excel Calculation Services
   • Microsoft SharePoint Foundation Workflow Timer Service
   • Secure Store Service
   • User Profile Service
   • User Profile Synchronization Service
 SPAPP02  Application Server
   • Central Administration
   • Excel Calculation Services
   • Microsoft SharePoint Foundation Workflow Timer Service
   • Secure Store Service
   • User Profile Service
 SPQuery01  Search - Query Processing and Index
   • Microsoft SharePoint Foundation Workflow Timer Service
   • Search Host Controller Service
   • Search Query and Site Settings Service
   • SharePoint Server Search
 SPQuery02  Search - Query Processing and Index
   • Microsoft SharePoint Foundation Workflow Timer Service
   • Search Host Controller Service
   • Search Query and Site Settings Service
   • SharePoint Server Search
 SPCrawl01  Search - Admin, Crawl, Content Processing, Analytics Processing
   • Microsoft SharePoint Foundation Workflow Timer Service
   • Search Host Controller Service
   • Search Query and Site Settings Service
   • SharePoint Server Search
 SPCrawl02  Search - Admin, Crawl, Content Processing, Analytics Processing
   • Microsoft SharePoint Foundation Workflow Timer Service
   • Search Host Controller Service
   • Search Query and Site Settings Service
   • SharePoint Server Search
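The recommendation above is to check the Servers in Farm page by eye. The following script, an added example that is not part of the original post, turns the target topology table into data and reports every server whose Online service instances differ from it, so the check can be repeated after each part of the series and after any later change. A service that is Online where the topology does not call for it (a web application role on an application server, Distributed Cache left on a search server) is unnecessary attack surface as well as a performance problem. Server and service names are the ones used in this series; the list of infrastructure instances that SharePoint keeps Online everywhere is an assumption to be extended for your build.

```powershell
# Added example; not part of the original post. Run in the SharePoint Management Shell.
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

$timer  = "Microsoft SharePoint Foundation Workflow Timer Service"
$webApp = "Microsoft SharePoint Foundation Web Application"
$search = @("Search Host Controller Service", "Search Query and Site Settings Service", "SharePoint Server Search")
$appSvc = @("Central Administration", "Excel Calculation Services", $timer, "Secure Store Service", "User Profile Service")

# Target topology, transcribed from the table above.
$expected = @{
    "SPWEB01"    = @($webApp, $timer, "Managed Metadata Web Service")
    "SPWEB02"    = @($webApp, $timer, "Managed Metadata Web Service")
    "SPDCache01" = @("Distributed Cache", $timer, $webApp)
    "SPDCache02" = @("Distributed Cache", $timer, $webApp)
    "SPAPP01"    = $appSvc + "User Profile Synchronization Service"
    "SPAPP02"    = $appSvc
    "SPQuery01"  = @($timer) + $search
    "SPQuery02"  = @($timer) + $search
    "SPCrawl01"  = @($timer) + $search
    "SPCrawl02"  = @($timer) + $search
}

# Infrastructure instances that SharePoint keeps Online on every server and the
# table does not list (assumption; extend for your build).
$alwaysOn = @(
    "Microsoft SharePoint Foundation Administration",
    "Microsoft SharePoint Foundation Timer",
    "Microsoft SharePoint Foundation Tracing",
    "Microsoft SharePoint Foundation Usage",
    "Microsoft SharePoint Foundation Incoming E-Mail"
)

$report = @()
# SPServer.Role is Invalid for the SQL Server entry, which has no instances to check.
foreach ($server in Get-SPServer | Where-Object { $_.Role -ne "Invalid" }) {
    $name = $server.Name.ToUpper()
    if (-not $expected.ContainsKey($name)) {
        $report += "$name : server is not in the topology table"
        continue
    }
    $online = @($server.ServiceInstances | Where-Object { $_.Status -eq "Online" } | ForEach-Object { $_.TypeName })
    foreach ($svc in $expected[$name]) {
        if ($online -notcontains $svc) { $report += "$name : MISSING '$svc' is not Online" }
    }
    foreach ($svc in $online) {
        if (($expected[$name] -notcontains $svc) -and ($alwaysOn -notcontains $svc)) {
            $report += "$name : EXTRA   '$svc' is Online but not in the topology"
        }
    }
}
if ($report.Count -eq 0) { "All servers match the target topology" } else { $report }
```

Until parts three and four have been applied, the MISSING lines for search, User Profile and Distributed Cache are expected; the EXTRA lines are the ones to act on immediately.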

Look out for the next blog post, where we complete the farm configuration by provisioning the Search, User Profile and Distributed Cache services.

Monday 18 February 2013

Scripted Installation of SharePoint 2013 and Office Web Apps Server – From the Field (Part 1)


This is the first in a series of posts where I will talk about my involvement in the TAP (Technology Adoption Program) and more specifically a project I was involved in to implement the SharePoint 2013 platform and Office Web Apps Server farm. I will be sharing my findings and experience that will hopefully help you to:
  • Create a reusable SharePoint 2013 build and configuration guide
  • Implement SharePoint and Office Web Apps Server in a consistent manner using the scripts I will provide throughout this blog post series.
The series is broken down into the following articles that I will write:
  1. Farm Topology and Prerequisites (This article)
  2. SharePoint Installation, Configuration and Basic Service Applications Deployment
  3. User Profile, Search and Distributed Cache Service Applications Deployment
  4. Office Web Apps Server farm Implementation and Configuration

Introduction

This post will focus on providing an overview of the overall farm topology, the end to end build sequence from preparation to testing, recommended service accounts and the prerequisites.

Build Sequence

The following diagram illustrates the high level overview of the steps required to implement and configure the SharePoint and Office Web Apps Server farms. The Office Web Apps server farm requires dedicated hardware and is no longer implemented as a SharePoint service application.

Farm Topology

The server farm topology has multiple tiers, and each tier has redundant server instances. This is the most common topology: it provides an efficient physical and logical layout that supports scaling out or scaling up, and distributes services across the member servers.

It is important to adopt an iterative design approach to analyse the architecture model, to verify that the model identifies all the elements that are required for the farm solution. 
The Plan for monitoring in SharePoint 2013 TechNet article provides great introduction on tools and scenarios on how to best use them. 
Redundant member servers are hosted on different Hyper-V hosts, and anti-affinity rules help to eliminate single points of failure. It is worth noting that the Deployment guide for SharePoint 2013 eBook provides detailed guidance on recommended practices when implementing SharePoint 2013 on a virtualised platform, such as:
  • Leave adequate memory for the Hyper-V partitions - For SharePoint products virtual machines, we recommend 4 GB of RAM or more for host computer operations.
  • Use a minimum of two physical network adapters - For better network management and performance, dedicate one adapter to virtual machine network traffic and use the other adapter for virtualization host network traffic.
  • Do not oversubscribe the CPU on the virtualization host computer - Review the supported ratio of virtual processors per logical processor and avoid oversubscribing the host computer CPU. The optimum virtual processor:logical processor ratio is 1:1. For more information, see Configure the processors for the virtual machines in Deployment guide for SharePoint 2013 eBook.
  • Do not cross Non-uniform memory access (NUMA) boundaries - Hyper-V spans NUMA nodes to assign physical memory to a virtual machine; however, this does reduce performance on the virtual machine. For more information, see Configure the memory for the virtual machines in Deployment guide for SharePoint 2013 eBook.
  • Do not use snapshots in a production environment - Do not use snapshots for the virtual machines in a SharePoint products production environment. When you create a snapshot, Hyper-V creates a new secondary drive for the virtual machine. Write operations occur on the new drive and read operations occur on both drives, which has the same net effect as a differencing disk. Every snapshot that you add reduces disk performance further.
  • Do not use dynamic memory - The reason is that this implementation of dynamic memory does not work with every SharePoint feature. For example, Distributed Cache and Search do not resize their caches when the allocated memory for a virtual machine is dynamically changed. This can cause performance degradation, especially when assigned memory is reduced.

Service Accounts

The following service accounts are the ones I used to create the farm. The list may vary for your implementation depending on how you trade server resource management against least-privilege recommendations, on the service applications you require, and in general on what works for your implementation under the organisation's security guidelines and policies.

 Account  Purpose  Requirements
 SVC_SPInst: Setup user account (Install Account). Used to run Setup and the SharePoint Products Configuration Wizard.
   • Domain user account.
   • Member of the Administrators group on each server on which Setup is run.
   • SQL Server login on the computer that runs SQL Server.
   • Member of the dbcreator and securityadmin fixed server roles.
   • Member of the db_owner fixed database role for the content databases.
 SVC_SPFarm: The server farm account is used to configure and manage the server farm, act as the application pool identity for the SharePoint Central Administration web site, and run the Microsoft SharePoint Foundation Workflow Timer Service.
   • Domain user account.
   • Additional permissions are automatically granted for the server farm account on web servers and application servers that are joined to a server farm.
   • The server farm account is automatically added as a SQL Server login on the computer that runs SQL Server and placed in the dbcreator and securityadmin fixed server roles and in the db_owner fixed database role for all SharePoint databases in the server farm.
 SVC_SPSvc: A generic services account for grouped service applications.
   • Domain user account
 SVC_SPSvcPool: Application pool identity for the SharePoint Web Services Default application pool.
   • Domain user account
 SVC_SPWeb: Application pool identity for the main web application.
   • Domain user account
 SVC_SPUPA: The User Profile Service account, used for User Profile Synchronisation with AD.
   • Domain user account
   • AD delegated right: Replicating Directory Changes
 SVC_SPSearch: The Windows service account for the SharePoint Server Search service. This setting affects all Search Service Applications in the farm.
   • Domain user account
 SVC_SPSrchPl: Identity for the Search Admin Web Service application pool and the Search Query and Site Settings Web Service application pool.
   • Domain user account
 SVC_SPSrchCrl: Windows user credentials the Search service application uses to access content when crawling (the default content access account). SharePoint grants this account Full Read on the farm's web applications automatically, so it should never double as an interactive or administrative account.
   • Domain user account
 SVC_SPFabric: AppFabric Caching service identity.
   • Domain user account
 SVC_SPOWAPool: Office Web Apps application pool account.
   • Domain user account
 SVC_SPOWASvc: Office Web Apps services pool account.
   • Domain user account
 SVC_SPSecStr: Secure Store application pool account.
   • Domain user account

Prerequisites

  1. All SharePoint servers require an additional drive to host the data, log and index files:
    1. Add an additional VHD to the virtual machine
    2. Bring the disk online
    3. Format the drive as NTFS, label: Data
  2. Ensure that the following are implemented:
    1. Remote Registry service started (or set to Automatic - Trigger Start) on all servers
    2. Inbound firewall rules enabled on all SharePoint servers (see SharePoint 2013 Ports, Proxies and Protocols - An Overview of Farm Communications for more information):
      1. ICMP v4
      2. ICMP v6
      3. The Central Administration port on the servers hosting the Central Administration site only. It is recommended to use SSL for the Central Administration site.
      4. The Distributed Cache ports on the Distributed Cache servers only: 22233 (cache port), plus 22234, 22235 and 22236 (cluster, arbitration and replication ports) which the cache hosts use among themselves. Scope these rules to the addresses of the farm servers rather than to any source.
  3. Ensure that the install account holds the SQL Server securityadmin and dbcreator roles and is a member of the local Administrators group on all SharePoint servers.
  4. Ensure that the farm account is a member of the local Administrators group on the server hosting the User Profile Synchronization Service. This is only required during the User Profile Synchronization configuration described in post #3, User Profile, Search and Distributed Cache Service Applications Deployment. However, when a backup of the User Profile Service Application is initiated, the synchronization service provisions the application again, and during provisioning the farm account must stop and start the synchronization service, which requires membership of the Administrators group on the computer running it.
  5. Ensure that the farm account is able to log on locally on the server hosting the User Profile Synchronization Service (see Plan account permissions).
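The Remote Registry and firewall prerequisites above are the kind of settings that drift between ten servers when applied by hand. The following script applies them on the server it runs on, as an added example that is not part of the original post. It uses netsh so that it works on Windows Server 2008 R2 and 2012 alike, and it scopes every rule to the farm's own addresses and the domain profile rather than opening the ports to any source. The Central Administration port (9999), the address range 10.0.0.11-10.0.0.20 and the host lists are stand-in assumptions; the post does not state a port.

```powershell
# Added example; not part of the original post. Run elevated on each SharePoint server.
param(
    [string[]]$FarmAddresses     = @("10.0.0.11-10.0.0.20"),          # assumption: farm server range
    [int]     $CentralAdminPort  = 9999,                             # assumption: not stated in the post
    [string[]]$CentralAdminHosts = @("SPAPP01", "SPAPP02"),          # from the topology in this series
    [string[]]$CacheHosts        = @("SPDCache01", "SPDCache02")     # from the topology in this series
)
$remote = $FarmAddresses -join ","
$me     = $env:COMPUTERNAME

# 1. Remote Registry is used while servers are joined to and configured in the farm.
Set-Service -Name RemoteRegistry -StartupType Automatic
Start-Service -Name RemoteRegistry

function Add-FarmRule {
    param([string]$Name, [string]$Protocol, [string]$LocalPort)
    # Delete any earlier copy so re-running the script does not stack duplicate rules.
    netsh advfirewall firewall delete rule name="$Name" | Out-Null
    $netshArgs = @("advfirewall", "firewall", "add", "rule", "name=$Name", "dir=in",
                   "action=allow", "profile=domain", "protocol=$Protocol", "remoteip=$remote")
    if ($LocalPort) { $netshArgs += "localport=$LocalPort" }
    & netsh @netshArgs | Out-Null
}

# 2. ICMP echo requests from the farm addresses only (type 8 for v4, 128 for v6).
Add-FarmRule -Name "SharePoint - ICMPv4 Echo" -Protocol "icmpv4:8,any"
Add-FarmRule -Name "SharePoint - ICMPv6 Echo" -Protocol "icmpv6:128,any"

# 3. Central Administration only on the servers that host it.
if ($CentralAdminHosts -contains $me) {
    Add-FarmRule -Name "SharePoint - Central Administration" -Protocol "TCP" -LocalPort $CentralAdminPort
}

# 4. Distributed Cache: cache, cluster, arbitration and replication ports, cache hosts only.
if ($CacheHosts -contains $me) {
    Add-FarmRule -Name "SharePoint - Distributed Cache" -Protocol "TCP" -LocalPort "22233-22236"
}

# Show what was applied on this server.
netsh advfirewall firewall show rule name=all | Select-String "SharePoint - "
```

Because every rule is named with the "SharePoint - " prefix, the same Select-String line can be run on any server afterwards to confirm that only the rules appropriate to its role exist.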
Now we are ready to implement SharePoint and configure the basic services. Look out for part two for a detailed step-by-step scripted deployment and configuration of the farm.

Friday 11 May 2012

The experiences of a new starter at Microsoft Services

My career life has always been focused on Microsoft products and services. Working for a Microsoft gold partner for almost 8 years, had given me an inkling of what life at Microsoft might be like. However once I moved to Microsoft in November 2011, it didn’t take me long to truly realise, the benefits of working at such an influential organisation.

Investment in people

From the very first day it was very clear to me how much people are valued as individuals and "Putting People First" is not just an advertising campaign.
I was given enough time to familiarise myself with the Microsoft way of consulting. This included a one week new hire onboarding programme in Redmond at Microsoft Services University. It was an incredible experience that definitely helped me with my soft skills and familiarised me with the resources and toolset available to do my day to day job more effectively and efficiently. I also had the opportunity to network with amazing people from around the globe. I made some great friends from all over the world which I'm still in touch with today.

Personal development

I can honestly say that Microsoft is a sea of opportunity and development. Not only that, you are in fact encouraged and expected to take advantage of such opportunities. These include an onsite library with access to the vast number of technical and non-technical materials, free access to online materials and Microsoft courses, free exams, free MSDN subscription, regular opportunity to attend events such as TechReady (which is like TechEd for Microsoft field staff covering all the Enterprise products and technologies) and most of all, 'the time' that you would need to do all these.
My manager works directly with me on regular basis to review my career development progress and provide support where necessary in order to help achieve my targets.

Empowered

At Microsoft the emphasis is on the quality of work produced and the client satisfaction. We are empowered to manage our own schedules working within the needs of our customer commitments on projects. This allows me to plan the necessary development activities into my schedule to enable me to grow whilst still delivering high quality to our customers and the business.

Making a difference

Not only am I encouraged to get involved and make a difference, but I am expected as part of my commitments to contribute to my team, community, partners, processes and the practice. The opportunity to influence the development of new processes, or to better current processes is an invaluable experience that not many organisations have in place.

The team

I definitely feel like I am part of a team. People are extremely passionate, talented, experienced and go above and beyond their duty to help.  The standard and reputation of the people at Microsoft was one of the primary reasons for me wanting to join. There is a diverse background of people at Microsoft but the one thing they all have in common is that they are leading individuals in their field of expertise and they are all more than willing to share their wisdom and experience.

Friday 8 October 2010

SharePoint Solution Generator is dead (for good) - Part 1

SharePoint Solution Generator, part of Visual Studio 2008 extensions for Windows SharePoint Services has been a fantastic tool in SharePoint 2007 development when I needed to create a list definition and list instance quickly.

All you had to do was create your content types, site columns and list using the SharePoint UI, apply the content types and site columns to your list, customise the list and create views, then finally point Solution Generator at your list and create your solution package.


The combination of the new features of SharePoint 2010 and Visual Studio 2010 means no more messing around with add-ons….

SharePoint 2010 allows you to save your site as a wsp package and Visual studio allows you to import the wsp package and select the required elements to include in your solution package! sounds easy? it is :)


…so first you need to create your list as before with all required components and customisations:

1) Create your Site Content Type


2) Create your Site Columns


3) Assign your site columns to your content type


4) Create your list/library and assign your content type to your list

To be able to do this you need to ensure you have selected “allow management of content types” from the list advanced settings


5) Save your site as WSP package

Site Action –> Site Settings –> “Save site as template”


provide a file name and a template name for your template


Download the WSP file and save locally


6) Import the WSP package into Visual Studio 2010

Create a Visual Studio SharePoint project and select “Import SharePoint Solution Package”

Import the WSP file

Specify the project elements required; in this case, the list template.

The easiest way to do this is to highlight all items (Ctrl + A) and deselect one item. This will uncheck all boxes.

Then select the “List instance” and “Content type” items and click Finish (you do not need to include the columns).

Say No to including all dependent items.

Now you have all the required components for your solution.

There are a number of considerations which I will try to cover in the next posts, such as including Lookup and Managed Metadata field types in your solution.

Automated SharePoint 2010 AD service accounts creation using PowerShell

As I don’t really enjoy repetitive tasks, I decided to put a quick PowerShell script together to create the AD service accounts required for SharePoint 2010.
The required accounts are:
  • svc_spFarm (Server farm account or database access account)
  • svc_spAdmin (Setup user account Install Account)
  • svc_caAppPool (Application Pool Identity for Central Administration web application)
  • svc_portalAppPool (Application Pool Identity for Portal web application)
  • svc_myAppPool (Application pool Identity for my sites host web application)
  • svc_spUPS (User Profile Synchronisation with AD)
  • svc_spUPAPool (User Profile Services Application Pool account)
  • svc_spSearch (This is the Windows Service account for the SharePoint Server Search Service. This setting affects all Search Service Applications in the farm)
  • svc_spCrawl (Content Access account)
  • svc_spSearchAP (Enterprise Search Application Pool Identity)
  • svc_spSearchAdmAP (Enterprise Search Admin component Application Pool Identity)
  • svc_fsSearch (Foundation server search account)
  • svc_fsCrawl (Foundation server crawl account)
  • svc_spSandbox (Sandbox service service account)
  • svc_WebAnalytics (SharePoint Web Analytics service account)
  • svc_SecureStore (Secure Store Application Pool service account)
  • svc_spSTSAcct (Security Token Service Application)
  • svc_spMetadata (Managed Metadata Service Account)
(Other accounts may be required depending on services running on the farm such as InfoPath services, Visio, etc…)
Please note that the following additional domain, local and SQL permissions / roles are required:
svc_spAdmin:
Member of the Local Administrators group.
SQL Server login on the computer that runs SQL Server.
Member of the following SQL Server security roles:
    · securityadmin fixed server role
    · dbcreator fixed server role
    · sysadmin fixed server role (during installation using PowerShell only)
svc_spFarm:
Member of the Local Administrators group during the user profile services configuration only.
svc_spUPS:
AD Delegate rights for Replication Directory Changes permissions
The PowerShell command takes a csv file containing the following headings:
  • samAccountName   
  • userPrincipalName
  • cn
  • givenName
  • Password
  • description
Copy and paste the following into a csv file called acc.csv (ideally this needs to be an XML):
samAccountName,userPrincipalName,cn,Password,description
svc_spAdmin,svc_spAdmin@domainName.FQDN,svc_spAdmin,accountPassword,The Setup user account is used to Setup SharePoint Products Configuration
svc_spFarm,svc_spFarm@domainName.FQDN,svc_spFarm,accountPassword,The server farm account is used to run the Microsoft SharePoint Foundation and Workflow Timer Service
svc_caAppPool,svc_caAppPool@domainName.FQDN,svc_caAppPool,accountPassword,Application Pool Identity for Central Administration web application
svc_portalAppPool,svc_portalAppPool@domainName.FQDN,svc_portalAppPool,accountPassword,Application Pool Identity for Portal web application
svc_myAppPool,svc_myAppPool@domainName.FQDN,svc_myAppPool,accountPassword,Application pool Identity for my sites host web application
svc_spUPS,svc_spUPS@domainName.FQDN,svc_spUPS,accountPassword,User Profile Synchronisation with AD
svc_spUPAPool,svc_spUPAPool@domainName.FQDN,svc_spUPAPool,accountPassword,User Profile Services Application Pool account
svc_spSearch,svc_spSearch@domainName.FQDN,svc_spSearch,accountPassword,This is the Windows Service account for the SharePoint Server Search Service. This setting affects all Search Service Applications in the farm
svc_spCrawl,svc_spCrawl@domainName.FQDN,svc_spCrawl,accountPassword,Content Access account
svc_spSearchAP,svc_spSearchAP@domainName.FQDN,svc_spSearchAP,accountPassword,Enterprise Search Application Pool Identity
svc_spSearchAdmAP,svc_spSearchAdmAP@domainName.FQDN,svc_spSearchAdmAP,accountPassword,Enterprise Search Admin component Application Pool Identity
svc_fsSearch,svc_fsSearch@domainName.FQDN,svc_fsSearch,accountPassword,Foundation server search account
svc_fsCrawl,svc_fsCrawl@domainName.FQDN,svc_fsCrawl,accountPassword,Foundation server crawl account
svc_spSandbox,svc_spSandbox@domainName.FQDN,svc_spSandbox,accountPassword,Sandbox service application service account
svc_WebAnalytics,svc_WebAnalytics@domainName.FQDN,svc_WebAnalytics,accountPassword,SharePoint Web Analytics service account
svc_SecureStore,svc_SecureStore@domainName.FQDN,svc_SecureStore,accountPassword,Secure Store Application Pool service account
svc_spSTSAcct,svc_spSTSAcct@domainName.FQDN,svc_spSTSAcct,accountPassword,Security Token Service Application
svc_spMetadata,svc_spMetadata@domainName.FQDN,svc_spMetadata,accountPassword,Managed Metadata Service Account
…and now the magical one-line PowerShell command; this needs to run in the Active Directory module for Windows PowerShell.
The Active Directory module for Windows PowerShell in Windows Server® 2008 R2 is a Windows PowerShell module (named ActiveDirectory) that consolidates a group of cmdlets. You can use these cmdlets to manage your Active Directory® domains, Active Directory Lightweight Directory Services (AD LDS) configuration sets, and Active Directory Database Mounting Tool instances in a single, self-contained package.
You can install the Active Directory module by using any of the following methods:
  • By default, on a Windows Server 2008 R2 server when you install the AD DS or AD LDS server roles
  • By default, when you make a Windows Server 2008 R2 server a domain controller by running Dcpromo.exe
  • As part of the Remote Server Administration Tools (RSAT) feature on a Windows Server 2008 R2 server
  • As part of the RSAT feature on a Windows 7 computer
Start Active Directory module for Windows PowerShell and type the following:
Import-Csv acc.csv | ForEach-Object { New-ADuser -Path 'OU=Service Accounts,DC=dev,DC=local' -Name $_.samAccountName -samAccountName $_.samAccountName -userPrincipalName $_.userPrincipalName -GivenName $_.cn -description $_.description -PasswordNeverExpires $True -CannotChangePassword $True -Enabled $true -AccountPassword (ConvertTo-SecureString $_.Password -AsPlainText -force)}
In the above script I have an OU called “Service Accounts” and my domain name is “dev.local”.
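The one-liner above does exactly what it says, but it trusts the CSV completely: a stray space after a comma ends up inside the UPN, and a copy/paste slip can give one account another account's logon name. The script below is an added example that is not part of the original post: it validates acc.csv first, creates nothing if any row is wrong, and then verifies what it created. It assumes the same column layout as the CSV above, a hypothetical script name of New-SPServiceAccounts.ps1, and the same example OU and dev.local domain as the one-liner (change them to match your environment).

```powershell
# New-SPServiceAccounts.ps1 (hypothetical name) - added example, not the post's own script.
# Assumes the ActiveDirectory module is available and the CSV has the columns
# samAccountName,userPrincipalName,cn,Password,description as shown above.
param(
    [string]$CsvPath  = '.\acc.csv',
    [string]$TargetOU = 'OU=Service Accounts,DC=dev,DC=local',   # example OU from the post
    [switch]$DryRun                                              # pass through to -WhatIf
)

Import-Module ActiveDirectory

$rows     = Import-Csv -Path $CsvPath
$problems = @()
$seen     = @{}

foreach ($r in $rows) {
    # Import-Csv keeps leading spaces, so trim before using the values as names
    $sam = $r.samAccountName.Trim()
    $upn = $r.userPrincipalName.Trim()

    # sAMAccountName is limited to 20 characters for user objects
    if ($sam.Length -gt 20) { $problems += "${sam}: sAMAccountName is longer than 20 characters" }

    # The UPN prefix should match the sAMAccountName; a mismatch is almost always a copy/paste error
    if (($upn -split '@')[0] -ne $sam) { $problems += "${sam}: UPN '$upn' does not match the sAMAccountName" }

    if ($seen.ContainsKey($sam)) { $problems += "${sam}: duplicate row" } else { $seen[$sam] = $true }

    if (-not $r.Password -or -not $r.Password.Trim()) { $problems += "${sam}: empty password" }

    # Fail before touching AD rather than erroring halfway through the file
    if (Get-ADUser -Filter "sAMAccountName -eq '$sam'" -ErrorAction SilentlyContinue) {
        $problems += "${sam}: account already exists"
    }
}

if ($problems) {
    $problems | ForEach-Object { Write-Warning $_ }
    throw 'CSV validation failed; no accounts were created.'
}

foreach ($r in $rows) {
    $sam    = $r.samAccountName.Trim()
    $secure = ConvertTo-SecureString $r.Password -AsPlainText -Force
    New-ADUser -Path $TargetOU `
        -Name $sam -SamAccountName $sam -UserPrincipalName $r.userPrincipalName.Trim() `
        -DisplayName $sam -Description $r.description `
        -AccountPassword $secure -Enabled $true `
        -PasswordNeverExpires $true -CannotChangePassword $true `
        -WhatIf:$DryRun
}

# Verify the result: every account should be enabled and sitting in the target OU
if (-not $DryRun) {
    foreach ($r in $rows) {
        $u = Get-ADUser -Identity $r.samAccountName.Trim()
        if (-not $u.Enabled -or $u.DistinguishedName -notlike "*,$TargetOU") {
            Write-Warning "$($u.SamAccountName) exists but is not an enabled account in $TargetOU"
        }
    }
    # The CSV holds plaintext passwords; it should not outlive the accounts it created
    Write-Host "Created $($rows.Count) accounts. Delete $CsvPath or move it somewhere protected."
}
```

Run it once with -DryRun to see the validation warnings and the New-ADUser -WhatIf output, then again without it. The validation step would have caught the mismatched UPNs that are easy to introduce when editing a CSV by hand, which matters because a service account with the wrong UPN will fail interactive and Kerberos logons in confusing ways later.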

Thursday 23 September 2010

Security Advisory 2416728 (Vulnerability in ASP.NET) and SharePoint

** Updated 24/09/2010 4:30PM ** – Updated with additional defensive workaround published by the ASP.NET team valid for ALL affected versions of SharePoint listed below.

Microsoft has recently blogged that the vulnerability in ASP.NET affects SharePoint and that the workaround should be applied ASAP on every single SharePoint WFE server: http://blogs.msdn.com/b/sharepoint/archive/2010/09/21/security-advisory-2416728-vulnerability-in-asp-net-and-sharepoint.aspx

Microsoft has recently released a Microsoft Security Advisory for a vulnerability affecting ASP.NET.  This post documents recommended workarounds for the following SharePoint products:

  • SharePoint 2010
  • SharePoint Foundation 2010
  • Microsoft Office SharePoint Server 2007
  • Windows SharePoint Services 3.0
  • Windows SharePoint Services 2.0

Sunday 13 December 2009

ISA 2006, Forms, SharePoint 2007 Extranet and Client Integration

Anyone who has worked on a SharePoint 2007 extranet project with ISA 2006 used as a reverse proxy to publish the SharePoint farm knows about the client integration challenges…

When users try to edit a document, they are challenged and required to authenticate, and even after a successful authentication it is not possible to check the document back in to SharePoint.

This is because, despite the existing session, the Office client initiates another session and ISA treats this as a new session.

The short answer to this problem is to configure a persistent cookie on the ISA web listener (under Forms –> Advanced).

BUT there are several security issues that are highlighted by Microsoft and need to be considered:

  • A malicious attacker who obtains a persistent cookie may be able to perform a brute force attack to obtain user credentials from the cookie.
  • On a public computer, if the user does not log off, the session cookie can be used by the next user to access published sites. This threat can be mitigated by not enabling persistent cookies for public computers.
  • Spyware may be able to access the cookie.

The important point to consider here is that the client needs to make the trade-off between security and user experience / functionality.

In a recent project I spent some time identifying a few factors that the client needed to take into consideration when making this decision:

| | This is a public or shared computer | This is a private computer |
|---|---|---|
| Persistent cookie file on logout | Deleted | Not deleted, but the user is required to authenticate (domain name and user name are saved) |
| Persistent cookie file when the user closes the browser | Not deleted; session is available before cookie timeout | Not deleted; session is available before cookie timeout |
| Temporary Internet Files | Enabling the persistent cookie has no effect | Enabling the persistent cookie has no effect |
| Temporary draft files | Enabling the persistent cookie has no effect | Enabling the persistent cookie has no effect |
| Ability to open documents on SharePoint within session time (browser closed) | Yes | Yes |

FAQ:
Q) Is the cookie hashed e.g. using Hashed MACs (HMACs)?
A) Yes

Q) Are server tokens erased after session end?
A) Yes

Q) Is the cookie transmitted via SSL?
A) It is highly recommended

Q) Are Temporary Internet Files deleted when the session ends?
A) No, but this is not caused by the persistent cookie

Q) Are copies of the draft documents deleted if the user fails to check in / overwrite the checkout?
A) No, but this is not caused by the persistent cookie

Q) Are there any extra considerations when accessing the site through kiosk stations when using persistent cookies?
A) Yes, the following should be considered:

  • Do not select “This is a private computer”.
  • Perform logoff on published applications.

Additional considerations when accessing the site through kiosk stations (regardless of the usage of persistent cookies):

  • Delete cookies after you finish using published applications.
  • Delete temporary Internet files.
  • Delete temporary files that Office created when working with Microsoft Office SharePoint® Portal Server.
  • Delete any files that were manually downloaded to the kiosk.
  • Close all browser windows.
  • Log off from Windows, if possible.

Windows 7: Boot from VHD

Recently I have been forced to look into available options to best utilise the amount of memory available on my laptop to be able to run SharePoint 2010 VMs. There are a number of options available to do this, but I have tried to simplify this as much as possible to speed up the VHD file creation and imaging process.
1) Create a partition to store the VHD; optional (I had to do this since my primary partition is BitLocker encrypted)
2) Download the VHD tool box from http://cid-1dc3b1edb30aea44.skydrive.live.com/self.aspx/.Public/VHDToolBox.zip
This tool box includes:
  • WIM2VHD.wsf – WIM to VHD Converter
  • ImageX.exe 64-bit (32-bit available from http://depositfiles.com/files/4563922)
  • Bcdedit.exe- Command-line tool for managing BCD stores
  • intlcfg.exe - The International Settings and Configuration tool (Intlcfg.exe) is used to configure the language and locale settings in a Windows image
3) Copy the Install.Wim from the OS media to the VHDToolBox folder
4) Now you are ready to create your VHD. Start a command prompt, navigate to the VHDToolBox folder and run the script.
There are a number of switches you will need to know:
/wim: specifies the path to the WIM file
/sku: OS version (ServerStandard, Ultimate, etc.)
/vhd: specifies the path and the name of the VHD to be created
/size: specifies the size of the VHD in MB
/disktype: specifies the type of disk, Dynamic or Fixed
For example, to create a Windows Server 2008 R2 Enterprise VHD on a 40GB fixed disk we would use the following command (no space after /wim:, and a single value for /disktype):
cscript wim2vhd.wsf /wim:C:\VHDToolBox\install.wim /sku:SERVERENTERPRISE /vhd:F:\2K8_R2_SP2010_01.vhd /size:40960 /disktype:Fixed
Note: to find the sku you could run the following imagex command on your install.wim file:
imagex /info "<install.wim location>"
5) Next you need to use bcdedit.exe to add an entry to the boot menu:
  • bcdedit /copy {current} /d "My New VHD Description" (this will return the GUID of the loader object that you will use to replace <guid> below)
  • bcdedit /set <guid> device vhd=[driveletter:]\<directory>\<vhd filename>
  • bcdedit /set <guid> osdevice vhd=[driveletter:]\<directory>\<vhd filename>
  • bcdedit /set <guid> detecthal on
That’s it, enjoy!
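The four bcdedit commands in step 5 are easy to get wrong by hand (the GUID has to be copied exactly, and a half-configured entry leaves a boot menu item that does not boot). The script below is an added example, not part of the original post: it runs the same bcdedit sequence from an elevated PowerShell prompt, parses the new GUID out of the /copy output, and deletes the entry again if any later step fails. The VHD path and description are hypothetical parameters; the boot entry it creates is the same as the manual steps produce.

```powershell
# Add-VhdBootEntry.ps1 (hypothetical name) - added example, not the post's own steps.
# Assumes an elevated prompt (bcdedit needs it) and that the VHD already exists.
param(
    [Parameter(Mandatory = $true)][string]$VhdPath,     # e.g. F:\2K8_R2_SP2010_01.vhd (constructed example)
    [string]$Description = 'My New VHD Description'
)

if (-not (Test-Path -LiteralPath $VhdPath)) {
    throw "VHD not found: $VhdPath"
}

# bcdedit expects the drive letter in square brackets: vhd=[F:]\dir\file.vhd
$drive   = [System.IO.Path]::GetPathRoot($VhdPath).TrimEnd('\')   # "F:"
$rest    = $VhdPath.Substring($drive.Length)                       # "\2K8_R2_SP2010_01.vhd"
$bcdPath = "vhd=[$drive]$rest"

# Step 1: copy the current loader entry; bcdedit prints the GUID of the new entry
$copyOutput = & bcdedit /copy '{current}' /d $Description
if ($LASTEXITCODE -ne 0) { throw "bcdedit /copy failed: $copyOutput" }

$guid = [regex]::Match(($copyOutput -join ' '), '\{[0-9a-fA-F-]{36}\}').Value
if (-not $guid) { throw "Could not find the new entry GUID in: $copyOutput" }

# Steps 2-4: point the entry at the VHD and let Windows redetect the HAL on boot
$steps = @(
    @('/set', $guid, 'device',    $bcdPath),
    @('/set', $guid, 'osdevice',  $bcdPath),
    @('/set', $guid, 'detecthal', 'on')
)

foreach ($cmdArgs in $steps) {
    & bcdedit @cmdArgs | Out-Null
    if ($LASTEXITCODE -ne 0) {
        # Roll back so we do not leave an unbootable entry in the boot menu
        & bcdedit /delete $guid /f | Out-Null
        throw "bcdedit $($cmdArgs -join ' ') failed; removed entry $guid"
    }
}

Write-Host "Added boot entry $guid -> $bcdPath"
& bcdedit /enum $guid   # show the finished entry for a quick visual check
```

Run it as .\Add-VhdBootEntry.ps1 -VhdPath F:\2K8_R2_SP2010_01.vhd -Description "SP2010 lab". If you ever need to remove the entry, bcdedit /delete <guid> /f is the same command the rollback uses.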

Tuesday 24 November 2009

Get Ready for Microsoft SharePoint 2010

Certification Path for IT professionals

  • 70-667 TS: Microsoft SharePoint 2010, Configuring
    Microsoft Official Curriculum: Will cover configuration of SharePoint 2010 including deployment, upgrade, management and operation on a server farm.

  • 70-668 PRO: SharePoint 2010, Administrator
    Microsoft Official Curriculum: Will cover advanced SharePoint 2010 topics including capacity planning, topology designing and performance tuning.

Certification Path for Developers

  • 70-573 TS: Microsoft SharePoint 2010, Application Development
    Microsoft Official Curriculum: Five-day instructor-led course designed for developers with six months or more of .NET development experience. The course covers what you need to know to be an effective member of a SharePoint development team using Visual Studio 2010.

  • 70-576 PRO: Designing and Developing Microsoft SharePoint 2010 Applications
    Microsoft Official Curriculum: Five-day instructor-led training course designed for development team leads who have already passed the Developing on SharePoint 2010 technical specialist exam. The course covers choosing technologies for and scoping a SharePoint project, best practices for SharePoint development, configuring a SharePoint development environment, advanced use of SharePoint developer features and debugging of code in a SharePoint project.

https://partner.microsoft.com/40121316?msp_id=sharepoint2010ready