the ultimate sharepoint-michael nole
DESCRIPTION
Guide to using SharepointTRANSCRIPT
Windows Server 2008 R2 SP1 or Windows Server 2012
(Preferred)
SQL Server 2008 R2 w/SP1 or SQL Server 2012
(Preferred)
Type Memory Processor
Dev/Stage/Test server 8GB RAM 4 CPU
‘All-in-one’ DB/Web/SA 24GB RAM 4 CPU
Web/SA Server 12GB RAM 4 CPU
DB Server (medium environments) 16GB RAM 8 CPU
DB Server (small environments) 8GB RAM 4 CPU
Software/Hardware Requirements
Office Web Apps is no longer a service application
Web Analytics is no longer service application, it’s part of search
New service applications available and improvements on existing ones App Management Service – Used to manage the new SharePoint
app store from the Office Marketplace or the Application Catalog
SharePoint Translation Services – provides for language translation of Word, XLIFF, and PPT files to HTML
Work Management Service – manages tasks across SharePoint, MS Exchange and Project.
Access Services App (2013) – Replaces 2010 version of Access Services
Changes in Service Applications and New Service Applications
A new Windows service – the Distributed
Cache Service – is installed on each server in
the farm when SharePoint is installed
It is managed via the Services on Server page
in central admin as the Distributed Cache
service
The config DB keeps track of
which machines in the farm
are running the cache service
Distributed Cache Service
The purpose of the Request Management feature is to
give SharePoint knowledge of and more control over
incoming requests
Having knowledge over the nature of incoming requests
– for example, the user agent, requested URL, or source
IP – allows SharePoint to customize the response to
each request
RM is applied per web app, just like throttling is done in
SharePoint 2010
Request Management (RM)
Option 1: Simple one-way Sync (a la SharePoint
2007)
Option 2: Two-way, possible write-back to AD
options using small FIM service on UPA server (a la
2010)
Option 3: Full Forefront Identity Manager (FIM)
Synchronization, allows for complex scenarios –
Larger clients will appreciate this
User Profile Sync – Three Options for Deployment
SharePoint 2013 continues to offer support for both claims and classic authentication modes
However claims authentication is THE default authentication option now Classic authentication mode is still there, but can only
be managed in PowerShell – it’s gone from the UI
Support for classic mode is deprecated and will go away in a future release
There also a new process to migrate accounts from Windows classic to Windows claims – the Convert-SPWebApplication cmdlet
Claims-based Authentication - Default
Stores new versions of documents as ‘shredded
BLOBs that are deltas of the changes
Promises to reduce storage size significantly
Shredded Storage
Documents are stored in SharePoint
Emails are stored in Exchange
Team Folders can receive emails and have their own email address
Easy access to both from Outlook and SharePoint
Unified compliance policy applies to both
Team Mailboxes – Exchange 2013 Integration
New Search
architecture (FAST
based) with one
unified search
Personalized search
results based on
search history
Rich contextual
previews
Search – FAST Search now included
Classic and Contemporary views for mobile browsers
Automatic Mobile Browser Redirection
Target different designs based on user agent string
Office Mobile Web Apps
Excel
PowerPoint
Word
Push notifications
Mobile Device Improvements
2 SharePoint Servers running
Web and Service Apps
2 Database Servers
(AlwaysOn FCI or AlwaysOn
Availability Groups)
1 or 2 Index Partitions with
equivalent query components
Smallest farm size that is fully
highly available
Smallest Highly Available Farm
2 Dedicated Web Servers (NLB)
2 Service Application Servers
2 Database Servers (Clustered or Mirrored)
1 or 2 Index Partitions with equivalent query components
Best Practice ‘Six Server Farm’
• Separate farm for Service Applications
• One or more farms dedicated to content
• Service Apps are consumed cross-farm
• Isolates ‘cranky’ service apps like User Profile Sync and allows for patching in isolation
Ideal – Separate Service App Farm + Content Farm(s)
• Multiple Dedicated Web Servers
• Multiple Dedicated Service App Servers
• Multiple Dedicated Query Servers
• Multiple Dedicated Crawl Servers, with multiple Crawl DBs to increase parallelization of the crawl process
• Multiple distributed Index partitions (max of 10 million items per index partition)
• Two query components for each Index partition, spread among servers
Large SharePoint Farms
Allows organizations that wouldn’t normally be able to have a test environment to run one
Allows for separation of the database role onto a dedicated server
Can be more easily scaled out in the future
Sample 1: Single Server Environment
High-Availability across Hosts
All components Virtualized
Uses only two Windows Ent Edition Licenses
Sample 2: Two Server Highly Available Farm
Highest transaction servers are physical
Multiple farm support, with DBs for all farms on the SQL cluster
Sample 3: Mix of Physical and Virtual Servers
Processor (Host Only)
<60% Utilization = Good
60%-90% = Caution
>90% = Trouble
Available Memory
50% and above = Good
10%-50% = OK
<10% = Trouble
Disk – Avg. Disk sec/Read or Avg. Disk
sec/Write
Up to 15ms = fine
15ms-25ms = Caution
>25ms = Trouble
• Network Bandwidth – Bytes
Total/sec
– <40% Utilization = Good
– 41%-64% = Caution
– >65% = Trouble
• Network Latency - Output
Queue Length
– 0 = Good
– 1-2= OK
– >2 = Trouble
Virtualization of SharePoint Servers Virtualization Performance Monitoring
Can reduce dramatically the size of Content DBs, as upwards of 80%-90% of space in content DBs is composed of BLOBs
Can move BLOB storage to more efficient/cheaper storage
Improve performance and scalability of your SharePoint deployment – But highly recommended to use third party
Remote BLOB Storage (RBS)
DB-A
File 1
DB-B
File 1
Volume #1
DB-A
File 2
DB-B
File 2
Volume #2
DB-A
File 3
DB-B
File 3
Volume #3
DB-A
File 4
DB-B
File 4
Volume #4
Tempdb File 1 Tempdb File 2 Tempdb File 3 Tempdb File 4
Multiple Files for SharePoint Databases
• Break Content Databases and TempDB into multiple files (MDF, NDF), total should equal number of physical processors (not cores) on SQL server.
• Pre-size Content DBs and TempDB to avoid fragmentation
• Separate files onto different drive spindles for best IO perf.
• Example: 50GB total Content DB on Two-way SQL Server would have two database files distributed across two sets of drive spindles = 25GB pre-sized for each file.
Multiple Files for SharePoint Databases
• Implement SQL Maintenance Plans!
• Include DBCC (Check Consistency) and either Reorganize Indexes or Rebuild Indexes, but not both!
SQL Database Optimization SQL Maintenance Plans
• Add backups into the maintenance plan if they don’t exist already
• Be sure to truncate transaction logs with a T-SQL Script (after full backups have run…)
High Availability and Disaster Recovery
SQL Server Solution
Potential
Data Loss
(RPO)
Potential
Recovery Time
(RTO)
Automatic
Failover
Additional
Readable Copies
AlwaysOn Availability Groups – Synchronous (Dual-phase
commit, no data loss, can’t operate across WAN)
None 5-7 Seconds Yes 0 - 2
AlwaysOn Availability Groups – Asynchronous (Latency
tolerant, cross WAN option, potential for data loss)
Seconds Minutes No 0 - 4
AlwaysOn Failover Cluster Instance (FCI) – Traditional
shared storage clustering
NA 30 Seconds to
several minutes
(depending on
disk failover)
Yes N/A
Database Mirroring - High-safety (Synchronous)
Zero 5-10 seconds Yes N/A
Database Mirroring - High-performance (Asynchronous)
Seconds Manually
initiated, can be
a few minutes if
automated
No N/A
SQL Log Shipping Minutes Manually
initated, can be
a few minutes if
automated, by
typically hours
No Not during
a restore
Traditional Backup and Restore Hours to
Days
Typically
multiple hours,
days, or weeks
No Not during
a restore
Comparison of High Availability and Disaster Recovery Options
Hardware Based Load Balancing (F5, Cisco, Citrix NetScaler – Best performance and scalability
Software Windows Network Load Balancing fully supported by MS, but requires Layer 2 VLAN (all packets must reach all hosts.) Layer 3 Switches must be configured to allow Layer 2 to the specific VLAN.
If using Unicast, use two NICs on the server, one for communications between nodes.
If using Multicast, be sure to configure routers appropriately
Set Affinity to Single (Sticky Sessions)
If using VMware, note fix to NLB RARP issue (http://tinyurl.com/vmwarenlbfix)
Network Load Balancing
Best Practice – Create Multiple Web Apps with Load-balanced VIPs (Sample below) Web Role Servers
sp1.companyabc.com (10.0.0.101) – Web Role Server #1 sp2.companyabc.com (10.0.0.102) – Web Role Server #2
Clustered VIPs shared between SP1 and SP2 (Create A records in DNS) spnlb.companyabc.com (10.0.0.103) - Cluster spca.companyabc.com (10.0.0.104) – SP Central Admin spsmtp.companyabc.com (10.0.0.105) – Inbound Email VIP home.companyabc.com (10.0.0.106) – Main SP Web App (can
be multiple) mysite.companyabc.com (10.0.0.107) – Main MySites Web
App
Network Load Balancing
• Infrastructure Security and Best practices
Physical Security
Best Practice Service Account Setup
Kerberos Authentication
• Data Security
Role Based Access Control (RBAC)
Transparent Data Encryption (TDE) of SQL Databases
• Transport Security
Secure Sockets Layer (SSL) from Server to Client
IPSec from Server to Server
• Edge Security
Inbound Internet Security (Forefront UAG/TMG)
• Rights Management
Five Layers of SharePoint Security
Service Account Name Role of Service Account Special Permissions
COMPANYABC\SRV-SP-Setup SharePoint Installation Account Local Admin on all SP Servers (for installs)
COMPANYABC\SRV-SP-SQL SQL Service Account(s) – Should be separate
admin accounts from SP accounts.
Local Admin on Database Server(s)
(Generally, some exceptions apply)
COMPANYABC\SRV-SP-Farm SharePoint Farm Account(s) – Can also be
standard admin accounts. RBAC principles
apply ideally.
N/A
COMPANYABC\SRV-SP-Search Search Account N/A
COMPANYABC\SRV-SP-Content Default Content Access Account Read rights to any external data sources to
be crawled
COMPANYABC\SRV-SP-Prof Default Profiles Access Account Member of Domain Users (to be able to
read attributes from users in domain) and
‘Replicate Directory Changes’ rights in AD.
COMPANYABC\SRV-SP-AP-SPCA Application Pool Identity account for SharePoint
Central Admin.
DBCreator and Security Admin on SQL. Create
and Modify contacts rights in OU used for mail.
COMPANYABC\SRV-SP-AP-Data Application Pool Identity account for the
Content related App Pool (Portal, MySites, etc.)
Additional as needed for security.
N/A
When creating any Web Applications, USE KERBEROS. It is much more secure and also faster with heavy loads as the SP server doesn’t have to keep asking for auth requests from AD.
Kerberos auth does require extra steps, which makes people shy away from it, but once configured, it improves security considerably and can improve performance on high-load sites.
Should also be configured on SPCA Site! (Best Practice = Configure SPCA for NLB, SSL, and Kerberos (i.e. https://spca.companyabc.com)
Role Groups defined within Active Directory (Universal Groups) – i.e. ‘Marketing,’ ‘Sales,’ ‘IT,’ etc.
Role Groups added directly into SharePoint ‘Access Groups’ such as ‘Contributors,’ ‘Authors,’ etc.
Simply by adding a user account into the associated Role Group, they gain access to whatever rights their role requires.
User1
User2
Role
Group SharePoint
Group
SQL Server 2008, 2008 R2, 2012 Enterprise Edition
Feature
Encrypts SQL Databases Transparently, SharePoint is
unaware of the encryption and does not need a key
Encrypts the backups of the database as well
External or Internal Certs highly recommended
Protects Transport of content
20% overhead on Web Servers
Can be offloaded via SSL offloaders if needed
Don’t forget for SPCA as well!
By default, traffic between SharePoint Servers (i.e.
Web and SQL) is unencrypted
IPSec encrypts all packets sent between servers in
a farm
For very high security scenarios when all possible
data breaches must be addressed
Capability
TMG 2010
UAG
2010
Publish Web applications using HTTPS X X
Publish internal mobile applications to roaming mobile devices X X
Layer 3 firewall X X*
Outbound scenarios support X X*
Array support X X
Globalization and administration console localization X X
Wizards and predefined settings to publish SharePoint sites and Exchange X X
Wizards and predefined settings to publish various applications X
Active Directory Federation Services (ADFS) support X
Rich authentication (for example, one-time password, forms-based, smart card) X X
Application protection (Web application firewall) Basic Full
Endpoint health detection X
Information leakage prevention X
Granular access policy X
Unified Portal X
AD RMS is a form of Digital Rights Management (DRM)
technology, used in various forms to protect content
Used to restrict activities on files AFTER they have been
accessed:
Cut/Paste
Save As…
Directly integrates with SharePoint DocLibs
• Document all key settings in IIS, SharePoint, after
installation
• Consider monitoring for changes after installation
for Config Mgmt.
• Fantastic tool for this is the SPDocKit - can be found
at http://tinyurl.com/spdockit
SPDocKit
SharePoint 2013 Unleashed from SAMS Publishing (http://tinyurl.com/sp2013unleashed)
Microsoft ‘Virtualizing SharePoint Infrastructure’ Whitepaper (http://tinyurl.com/virtualsp)
Microsoft SQL Mirroring Case Study (http://tinyurl.com/mirrorsp )
SharePoint Kerberos Guidance (http://tinyurl.com/kerbsp)
SharePoint Installation Scripts (http://tinyurl.com/SPFarm-Config)
SharePoint Documentation Toolkit
(http://tinyurl.com/SPDocKit)
Contact us at CCO.com
Michael Noel
Twitter: @MichaelTNoel
www.cco.com
Slides: slideshare.net/michaeltnoel
Travel blog: sharingtheglobe.com