WELCOME
SHAREPOINT SATURDAY OTTAWA
December 3rd, 2016
SharePoint On-Premises Nirvana
TIPS AND TRICKS FOR INSTALLING, CONFIGURING, AND OPERATING A SHAREPOINT FARM: LARGE OR SMALL
SPS Ottawa is made possible by our Sponsors!
Platinum
Gold
Silver
Bronze
Summerhays Grill
5:30 pm
1971 Baseline Road (corner of Woodroffe)
Please drink responsibly. We will be happy to call a cab for you
Agenda: SharePoint Nirvana
SharePoint
◦ Prepare
◦ Install
◦ Configure
◦ Operate
◦ Tune
SQL
IIS
Windows Server
Who Am I: John Calvert?
SharePoint / .NET solution and technical architect
Over 18 years' experience developing business solutions for private industry & government
Recent clients include StatCan, HoC, Justice Canada, NRC, NSERC, DFAIT, CFPSA, MCC, OSFI
Specialize in Microsoft technologies
Speaker at user groups and conferences
Who Am I: Brian-Paul Carline?
Senior Infrastructure and SharePoint Administrator
CloudShare: What We Do
Specialized turnkey solutions for
specialized cloud-based IT lab applications:
Sales Enablement, Dev & Test, Training
Ease of Use
Spin up a fully-configured and customized environment in minutes. A web browser is all you need!
Extensive Template Library
Individual SharePoint VMs or pre-configured, multi-server SharePoint farms – we have what you need
Licensing Included
Our SharePoint templates have licensing built-in. One less expense. One less thing to worry about.
Quick Environment Cloning
Copy your whole environment with a single click – even its current memory state. Return to a clean image in minutes.
Sharing & Collaboration
Invite your colleagues to collaborate on your environment – across the office or across the world
Resource Management
Fully configurable policies – including activity sensing and auto-suspend – to save your resources and money
CloudShare allows SharePoint professionals to build single server or multi-server SharePoint farms in minutes, at a fraction of the time and expense of traditional setup.
◦ No need for expensive on-premise infrastructure. No IT experience required.
CloudShare’s SharePoint Solution
CloudShare: About Us
• Over 500 customers in 100+ countries
• Patented cloud computing technology developed with over 200 man-years of top R&D talent
• Privately held with HQ in San Francisco and R&D in Tel Aviv
With CloudShare, we have scaled the business without having to give another thought to the platform we’re running on.
– Kevin Streater, Director of Global Training –
Wait: Go Cloud or Hosted!
Office 365 / SharePoint Online:
◦ Optimized topology and config
◦ Highly available, geo-replicated, and scalable
◦ Always patched / always current & cloud-only features
◦ No need for separate Office Online Server (OOS) farm
◦ Highly secure, latest encryption and configuration, BYO encryption keys
◦ Expert behind-the-scenes support team
Requires 3rd party backup & restore / DR solution
◦ Multiple Office 365 services will make this complicated
Initial Planning
Workloads: Intranet/Internet WCM, Collaboration, Search, BI, etc?
Third-party components: Office Store vs farm solutions
Small vs large farm
Load balancing
High availability
Disaster recovery
Security
Operations
Small Farm Topology
Topology is determined by:
• Budget
• Availability reqs
• Disaster recovery reqs
• Operations capacity
Requires Feature Pack 1 (Shared Roles)
Ignores Office Web Apps Farm
Medium/Large Farm Topology
Topology is determined by:
• Budget
• Feature reqs
• Availability reqs
• Disaster recovery reqs
• Operations capacity
Requires Feature Pack 1 (Shared Roles)
Ignores Office Web Apps Farm
Search Topology
Topology is determined by:
• Budget
• Feature reqs
• Availability reqs
• Disaster recovery reqs
• Operations capacity
Farm Topology: Workloads
Topology is determined by:
• Feature reqs
• Availability reqs
• Disaster recovery reqs
Prepare
Pre-reqs: AutoSPSourceBuilder
Farm and service accounts:
◦ Catrinescu model
◦ SharePoint 2013 Service Account Creator
◦ Place in custom dedicated AD OU
Separate drives for indexing, logs, and data
◦ SharePoint
◦ SQL
SP16 requires a separate install of SQL Server
◦ Can be on the same server for a small farm or Dev/Test
DNS, Virtual IPs
AutoSPSourceBuilder
SharePoint Admin and Service Accounts
Catrinescu Medium Security Model
Active Directory
Use a dedicated OU
Makes it easy to find and manage SharePoint users, groups and machines
Windows Server
Separate drive(s) for indexing, logs, and data
• Avoid inadvertently filling the OS drive
• Both SharePoint and SQL Server
RAID 10
• Better write performance and data integrity
Install
Use AutoSPInstaller and AutoSPInstaller Online!
SP16 Feature Pack 1
◦ MinRole for small farms: Shared roles; requires only 2 server nodes, not 4!
◦ Auditing of changes made in Central Admin
◦ Simply the Nov/2016 Public Update; AutoSPInstaller handles it
SP16 Distributed Cache service is a memory hog; 40% of total RAM
Multiple servers in farm?
◦ Windows sysprep and/or two-phase AutoSPInstaller
AutoSPInstaller Online
Prepares an XML config file to define the detailed config of SharePoint farm including topology, and service / web apps
Supports host-named site collection
Wizard-like hierarchy of options with extensive help comments and guidance
MinRole Shared Roles
AutoSPInstaller Online
MinRole Shared Roles
PSConfig
Multi-Server Farm with AutoSPInstaller
System Preparation Tool: Sysprep
Configure I
Host-named site collections
Claims authentication mode (default in CA; not in PowerShell)
Fully qualified domain names (FQDN)
Portal Reader / User service accounts
Health Analyzer rules
Set default quota templates on all web applications
Host-Named Site Collections
Single web app can host all your unique host name sites
Super Reader / Super User Service accounts
Content caching for publishing sites
Configure II
Disable Certificate Revocation List
Wake-up script first thing once per day
Use Alternate Access Mappings (AAM); work for HNSC too!
Avoid extending your web apps, except for different authentication protocols
AAM for HNSC
Large Farm Config
Multiple HNSC web app containers on port 80
◦ HNSC Group TEST
◦ HNSC Group QA
◦ Separate app pools for security
Simple
◦ One IP per web app
Less simple
◦ Single IP for all web apps
◦ Manual IIS bindings for each HNSC
Operate I
Use named personal AD accounts and groups
Avoid built-in Administrator account and generic / shared AD accounts
Use web app User Policy to grant global permissions, eg for admin / bulk operations
Operate II
Don’t RDP to server / Use remote tools from workstation
◦ Central Admin via browser
◦ Remote PowerShell
◦ Remote IIS Manager (requires specific features enabled on remote server and local install)
Learn and use PowerShell
Add-SPShellAdmin + AD groups = ?
Operate III
Patching has changed in SP16 – Everything is a “Public Update”
Auditing of changes in Central Admin (Feature Pack 1)
Use SharePoint-specific SQL database roles when appropriate
Customizations
◦ Encourage Apps / Add-Ins and client-side API integration
◦ SharePoint Framework (SPFx) is new pure web-dev approach, but not yet RTM
◦ Discourage farm solutions and code-based sandbox solutions
Use SharePoint-specific database roles
Add-SPShellAdmin should take care of this
But if ever you need to assign manually
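To tie the Operate slides together (named personal accounts, Add-SPShellAdmin, SharePoint-specific database roles), the following read-only audit is an added example and not part of the original deck. It lists who holds shell access per database and flags account names that look built-in, generic or shared; the name patterns are assumptions to replace with your own convention.

```powershell
# Added example, not part of the original deck. Read-only: changes nothing.
# Run in the SharePoint Management Shell or a remote PowerShell session to a
# farm server, using an account that is itself a shell admin.
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

# Assumption: name patterns that mark built-in, generic or shared accounts.
# Service and setup accounts will match on purpose so that they get reviewed.
$GenericAccountPatterns = @('\\Administrator$', '\\sp_', '\\svc[_-]')

function Test-GenericAccount {
    param(
        [Parameter(Mandatory)] [string] $UserName,
        [string[]] $Patterns = $GenericAccountPatterns
    )
    foreach ($pattern in $Patterns) {
        # -match is case-insensitive, so DOMAIN\SP_Farm and domain\sp_farm both hit.
        if ($UserName -match $pattern) { return $true }
    }
    return $false
}

function Get-ShellAdminReport {
    $rows = @()

    # Without -database, Get-SPShellAdmin reports on the farm configuration database.
    foreach ($admin in Get-SPShellAdmin) {
        $rows += [pscustomobject]@{
            Database = '(farm configuration database)'
            UserName = $admin.UserName
        }
    }

    # Shell access is granted per database, so walk every content database too.
    foreach ($db in Get-SPContentDatabase) {
        foreach ($admin in Get-SPShellAdmin -database $db) {
            $rows += [pscustomobject]@{
                Database = $db.Name
                UserName = $admin.UserName
            }
        }
    }

    $rows | Select-Object Database, UserName,
        @{ Name = 'ReviewAsGeneric'; Expression = { Test-GenericAccount -UserName $_.UserName } }
}

# Flagged accounts first, then grouped by database.
Get-ShellAdminReport |
    Sort-Object @{ Expression = 'ReviewAsGeneric'; Descending = $true }, Database, UserName |
    Format-Table -AutoSize
```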
SQL I
SharePoint (SQL) DBA is not the same as regular SQL DBA!
Read Edwin Sarmiento’s blog… All of it!
NTFS allocation unit size 64K, same for RAID stripe size
Default collation order: Latin1_General_CI_AS_KS_WS (KB2008668)
Use client alias not instance name
SQL Server
NTFS Allocation unit size: 64KB
Default collation order: Latin1_General_CI_AS_KS_WS
Client Alias
SQL II
Physically separate MDF and LDF files
Don’t shrink databases
Backup compression
IIS
Use fully qualified domain names, portal.softwarecraft.ca
Redirect non-FQDN to FQDN
TLS 1.2 / SSL
Redirect HTTP to HTTPS;
Cross origin iFrame is a mess
◦ HTTP Module / Content-Security-Policy / X-Frame-Options
Cross-origin iFrame
SharePoint injects X-FRAME-OPTIONS: SAMEORIGIN
Webpart used to turn this off
Not flexible or modern, eg Content-Security-Policy
Windows Server
Performance Options > Adjust for best performance
Power Options: High performance
Page file: 1.5 times RAM
Minimal / No desktop
Turn off deprecated protocols and cipher suites
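As an added example (not from the original deck), this read-only PowerShell audit shows how to check the last bullet on a farm or SQL server by reading the SCHANNEL protocol keys and the enabled cipher suites. The list of deprecated protocols and the weak-cipher pattern are assumptions, since the deck names neither.

```powershell
# Added example, not part of the original deck. Read-only: changes nothing.
$SchannelRoot = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols'

# Assumptions: the deck names neither the protocols nor the ciphers.
# Adjust both lists to your own policy before acting on the findings.
$DeprecatedProtocols = @('SSL 2.0', 'SSL 3.0', 'TLS 1.0', 'TLS 1.1')
$RequiredProtocols   = @('TLS 1.2')
$WeakCipherPattern   = 'RC4|3DES|_DES_|NULL|EXPORT|MD5'

function Get-SchannelProtocolState {
    param(
        [Parameter(Mandatory)] [string] $Protocol,
        [ValidateSet('Server', 'Client')] [string] $Role = 'Server'
    )
    $path  = "$SchannelRoot\$Protocol\$Role"
    $props = Get-ItemProperty -Path $path -ErrorAction SilentlyContinue

    if ($null -eq $props -or $null -eq $props.Enabled) {
        # No explicit value: the effective setting depends on the Windows version.
        $state = 'OS default'
    }
    elseif ($props.Enabled -eq 0) {
        $state = 'Disabled'
    }
    else {
        $state = 'Enabled'
    }

    $finding = 'OK'
    if ($DeprecatedProtocols -contains $Protocol -and $state -ne 'Disabled') {
        $finding = 'Review: deprecated protocol not explicitly disabled'
    }
    if ($RequiredProtocols -contains $Protocol -and $state -eq 'Disabled') {
        $finding = 'Problem: required protocol is disabled'
    }

    [pscustomobject]@{
        Protocol = $Protocol
        Role     = $Role
        State    = $state
        Finding  = $finding
    }
}

function Get-WeakCipherSuite {
    # Get-TlsCipherSuite is not present on older Windows Server versions.
    if (-not (Get-Command Get-TlsCipherSuite -ErrorAction SilentlyContinue)) {
        Write-Warning 'Get-TlsCipherSuite is not available on this server.'
        return
    }
    Get-TlsCipherSuite |
        Where-Object { $_.Name -match $WeakCipherPattern } |
        Select-Object -ExpandProperty Name
}

# Check both roles: the server side covers IIS, the client side covers
# outbound calls made from this machine.
$report = foreach ($protocol in $DeprecatedProtocols + $RequiredProtocols) {
    foreach ($role in 'Server', 'Client') {
        Get-SchannelProtocolState -Protocol $protocol -Role $role
    }
}
$report | Format-Table -AutoSize

# Any name printed here is an enabled suite that matches the weak-cipher pattern.
Get-WeakCipherSuite
```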
Windows Server
“Maximize” performance
Tools, part I
Notepad++
ULS Viewer
Sysinternals Suite
PowerShell ISE / PowerGUI / Visual Studio PowerShell Extension
Remote Desktop Connection Manager v2.7 or BP’s favourite tool
SharePoint Manager 2013
Tools, part II
Farm solutions:
◦ Lapointe SharePoint PowerShell cmdlets
◦ Catrinescu Host-Named Site Collection Creator
◦ Havivi SharePoint Property Bag Settings
Specialized:
◦ Claims to Windows NT Token Tester (C2WTS)
Lapointe PowerShell cmdlets
And more than shown, eg Export-SPTerms, Import-SPTerms, etc
Host-Named Site Collection Creator tool
Does not handle alternate access mappings for HNSC
Use PowerShell cmdlet Set-SPSiteUrl for that
Property Bag Settings
Only string data type
Open source, improve it yourself!
Claims to Windows NT Token Tester
Verify that the Claims to Windows Token Service (C2WTS) is working correctly
Summary
Core config and common workloads
Did not discuss advanced workloads, eg BI, eDiscovery
Automate, simplify, and standardize your farm config and operations with
community tools
Other Links
Vlad Catrinescu Pluralsight courses on SharePoint 2016 architecture and deployment
Gokan Ozcifci presentations on SharePoint architecture and performance tuning
Edwin Sarmiento blogging on SQL architecture and high availability for SharePoint
Serge Luca presentation on SharePoint high availability and disaster recovery
Stefan Goßner blog on patching and operations
Contact Us
John Calvert, Chief Architect, Software Craft, Inc.
john at softwarecraft dot ca
softwarecraft dot ca
at softwarecraft99
Brian-Paul Carline
bpcarline at outlook dot com
CloudShare: Our Technology
• Virtual environments that capture everything in the modern IT workspace:
• Software, servers, memory, and storage state
• Networking, appliances, and on-premise tools
• Complex networking support that allows networks to work on-cloud exactly as they do on-prem
• Environment access technologies designed to eliminate IT complexity:
• Full environment clones with no performance degradation
• Live sensing at user and network level
• Firewall-friendly access in-browser/using all protocols
• Robust RESTful API covering all application capabilities
• Hypervisor and hardware agnostic

Editor's Notes

  • #12:
    ◦ Don’t attempt on-premises if you have no / too few dedicated SharePoint IT Pro(s) for operations and support
    ◦ O365 & SPO are more robust and secure than any on-premises farm and IT Pros you can afford!
    ◦ Hybrid has certain complexities, especially with single sign-on and hybrid search, not a lower cost / effort option
    ◦ If Cloud / Hosted pricing appears too expensive, either you have the wrong supplier or you massively underestimate the effort for on-premises
    ◦ On-premises is not an install & forget about it business service; SharePoint farm and related systems, eg SQL, need constant care and attention
  • #13:
    ◦ It is very likely you will want at least these workloads: SharePoint is the top WCM platform for corporate Intranets, per Nielsen group (9 or 10 top sites in their survey)
    ◦ Small vs large: number of SharePoint capabilities deployed (eg BI-related and search are both heavyweight); collaboration sites corpus (how many, how big); search corpus (how many documents)
    ◦ Security isolation means multiple site collections (preferred) or breaking inheritance (OK but has other limitations)
    ◦ SharePoint is a platform / framework, not a turnkey solution; you will want / need third-party components to fill out the capabilities; Office Store is one way to achieve this
  • #14: Feature Pack 1 is required for MinRole with shared roles Office Web Apps Farm is required for (i) document previews in search results hover panel, (ii) co-authoring of Excel Technical diagrams for SharePoint 2016, https://technet.microsoft.com/en-us/library/cc263199(v=office.16).aspx Announcing Feature Pack 1 for SharePoint Server 2016—cloud-born and future-proof, https://blogs.office.com/2016/09/26/announcing-feature-pack-1-for-sharepoint-server-2016-cloud-born-and-future-proof/
  • #15: Feature Pack 1 is required for MinRole with shared roles Office Web Apps Farm is required for (i) document previews in search results hover panel, (ii) co-authoring of Excel Technical diagrams for SharePoint 2016, https://technet.microsoft.com/en-us/library/cc263199(v=office.16).aspx Announcing Feature Pack 1 for SharePoint Server 2016—cloud-born and future-proof, https://blogs.office.com/2016/09/26/announcing-feature-pack-1-for-sharepoint-server-2016-cloud-born-and-future-proof/
  • #16: Technical diagrams for SharePoint 2016, https://technet.microsoft.com/en-us/library/cc263199(v=office.16).aspx
  • #17: Workloads include: Collaboration Intranet / Internet WCM Search Business Intelligence Etc Technical diagrams for SharePoint 2016, https://technet.microsoft.com/en-us/library/cc263199(v=office.16).aspx
  • #18: AutoSPSourceBuilder, https://github.com/brianlala/AutoSPSourceBuilder SharePoint 2013 Service Accounts Best Practices Explained, https://absolute-sharepoint.com/2013/01/sharepoint-2013-service-accounts-best-practices-explained.html Catrinescu model: SP_Admin is a user account, not a service account; it is responsible to “Configure and manage the server farm”. Lapointe service account guidance, http://blog.falchionconsulting.com/index.php/2010/10/service-accounts-and-managed-service-accounts-in-sharepoint-2010/ Lapointe: Do not use the AD group _Managed Service Accounts. Don’t use SP_Farm account as service / web app application pool identity, except in low security option. SharePoint 2013 Service Account Creator, https://sp2013serviceaccount.codeplex.com/ Demo: Show Computer Explorer Drives
  • #19: Offline installs, eg VM / server is behind a firewall or proxy and cannot reach the Internet for direct download. Standardized installs, eg ensure every VM / server gets the exact same binaries.
  • #20: SharePoint 2013 Service Accounts Best Practices Explained, https://absolute-sharepoint.com/2013/01/sharepoint-2013-service-accounts-best-practices-explained.html Note: There is an error on the Catrinescu website: “Configure and manage the server farm” is listed under SP_Farm but it should be under SP_Admin; confirmed verbally with Vlad Nov/2016
  • #23: AutoSPInstaller handles RTM binaries, PU/CU updates, and language packs. Use AutoSPInstaller Online to prep / validate the XML config input file. DEMO: AutoSPInstaller config online tool. Pause After Install under Installation Options in AutoSPInstaller Online.
  • #24: AutoSPInstaller Online, https://autospinstaller.com/
  • #29: Don’t create a host header web application for each division / business unit; either put them all in one with path-based site structure, or use host named site collections. If you have an Intranet / Internet site collection for web content management, be sure to configure a web application user policy for the portal reader and full accounts. Health Analyzer rules for disk free space will likely need tweaking to avoid false positives for too little space.
  • #32: Disable CRL checking: an unnecessary time delay for servers with no outbound access to the Internet. Extending increases resource demands on servers; it may require a new application pool, which negatively impacts server performance. Same reasons we use HNSC and avoid multiple host header web apps.
  • #34: Mark Arend, https://blogs.msdn.microsoft.com/markarend/2012/05/30/host-named-site-collections-hnsc-for-sharepoint-2010-architects/
  • #35: AD group, eg SP_Admins. Assign site collection primary administrator to SP_Admin account; no need to assign primary / secondary administrator permissions to personal AD user unless you are a very large business with dedicated site collection administrators and specific training. DEMO: Remote PowerShell and IIS Manager. DEMO: Auditing of changes in Central Admin. TODO: Link to Stefan Gossner blog posts (Sept & Oct 2016)
  • #36: DEMO: Remote PowerShell and IIS Manager. DEMO: Auditing of changes in Central Admin. Add-SPShellAdmin may not work properly with AD groups, but you can manually configure missing SQL permissions; use custom PowerShell cmdlet Test-SPSite for farm admin health check of site collections, or web app user policy and /_layouts/sitehealthcheck.aspx; no need to assign site collection primary / secondary administrator permissions.
  • #37: Server Updates / Uber Updates, https://blogs.technet.microsoft.com/stefan_gossner/2016/09/13/september-2016-cu-for-sharepoint-server-2016-is-available-for-download/ Security Updates / Public Updates / Cumulative Updates, https://blogs.technet.microsoft.com/stefan_gossner/2016/10/11/october-2016-cu-for-sharepoint-server-2016-is-available-for-download/ SharePoint-specific SQL database roles: Don’t create your own or try to replicate them if they don’t exist; figure out why they are missing and use PowerShell cmdlets that cause them to be created, eg Add-SPShellAdmin for SP_DataAccess etc. Web-dev skills are portable (good for dev) and standard (good for business): HTML5 and popular tools such as Yeoman for scaffolding and Gulp for packaging.
  • #39: Certain standard SQL config are no-no for SharePoint SQL Server; eg disable auto-create/update statistics, http://www.edwinmsarmiento.com/database-configuration-for-maximum-sharepoint-performance-video-powershell-script/ NTFS allocation unit size cannot be changed after disk is formatted, only option is to re-format; relatively easy to move files to another disk and then back after re-format. Default collation order cannot be changed after SQL Server is installed, only option is to rebuild SQL Server; major effort, avoid. Supportability regarding SQL collation for SharePoint Databases and TempDB, https://support.microsoft.com/en-ca/kb/2008668 Client alias makes it much easier to repoint SharePoint to another SQL Server, eg for disaster recovery or maintenance.
  • #41: MDF is random-access read/write; LDF is sequential-access write-only. Put them on separate drives / spindles. Shrinking databases causes extra processing and index fragmentation, and then the database just grows again.
  • #42: Use IIS HTTP Rewrite module for redirects; note that SharePoint does not support rewrite module for clean URLs, use Managed Navigation termset for that
  • #43: https://softwarecraft.ca/2016/10/24/aye-aye-iframe-quest-for-the-origin-of-a-mystery-response-header/
  • #44: Windows leaves deprecated protocols and ciphers enabled by default. Credit: Gokan Ozcifci presentation @ ESPC16
  • #46: https://notepad-plus-plus.org/ https://blogs.technet.microsoft.com/wbaer/2014/08/22/uls-viewing-like-a-boss-uls-viewer-is-now-available/ Windows Sysinternals, https://technet.microsoft.com/en-ca/bb545021 PowerShell ISE is a Windows native tool https://marketplace.visualstudio.com/items?itemName=AdamRDriscoll.PowerShellToolsforVisualStudio2015 https://blogs.technet.microsoft.com/rmilne/2014/11/19/remote-desktop-connection-manager-download-rdcman-2-7/ SharePoint Manager 2013 https://spm.codeplex.com/
  • #47: Lapointe’s SharePoint PowerShell cmdlets, http://www.falchionconsulting.com/PowerShellViewer/Default.aspx Catrinescu’s SharePoint Host Named Site Collection Creator, https://hnsc.codeplex.com/ Haviv’s SharePoint Property Bag Settings 2013, https://pbs2013.codeplex.com/ https://blogs.msdn.microsoft.com/rodneyviana/2011/07/19/troubleshooting-claims-to-windows-nt-token-service-c2wts-in-sharepoint-2010-may-be-difficult-if-you-dont-know-where-to-start/
  • #49: DEMO
  • #51: https://blogs.msdn.microsoft.com/rodneyviana/2011/07/19/troubleshooting-claims-to-windows-nt-token-service-c2wts-in-sharepoint-2010-may-be-difficult-if-you-dont-know-where-to-start/ http://rodneyviana.codeplex.com/releases/view/19103
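
Notes #18 and #35 advise against running service or web application pools under the farm account. The PowerShell below is an added example, not code from the deck, that lists every pool using that identity; the function name and the two built-in pool names it treats as expected are assumptions to verify on your own farm.

```powershell
# Added example: find application pools that run as the SharePoint farm account.
# Run in an elevated SharePoint Management Shell on a farm server.
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

function Get-FarmAccountPoolUsage {
    # The farm account is the identity of the timer service and Central Administration.
    $farmAccount = (Get-SPFarm).DefaultServiceAccount.Name

    # Assumption: built-in pools that run as the farm account on a default farm.
    $builtIn = 'SecurityTokenServiceApplicationPool', 'SharePoint Web Services System'

    # Web application pools; Central Administration is included so the report is complete.
    foreach ($wa in Get-SPWebApplication -IncludeCentralAdministration) {
        if ($wa.ApplicationPool.Username -eq $farmAccount) {
            [pscustomobject]@{
                Kind     = 'WebApplication'
                Name     = $wa.DisplayName
                Pool     = $wa.ApplicationPool.Name
                Account  = $farmAccount
                # Central Administration is expected to run as the farm account.
                Expected = [bool]$wa.IsAdministrationWebApplication
            }
        }
    }

    # Service application pools.
    foreach ($pool in Get-SPServiceApplicationPool) {
        if ($pool.ProcessAccountName -eq $farmAccount) {
            [pscustomobject]@{
                Kind     = 'ServiceApplicationPool'
                Name     = $pool.Name
                Pool     = $pool.Name
                Account  = $farmAccount
                Expected = ($builtIn -contains $pool.Name)
            }
        }
    }
}

# Report only the pools that should be moved to a dedicated managed account.
$findings = @(Get-FarmAccountPoolUsage | Where-Object { -not $_.Expected })
if ($findings.Count -eq 0) {
    'No content or service application pool runs as the farm account.'
} else {
    $findings | Format-Table Kind, Name, Pool, Account -AutoSize
}
```

Each row in the output is a pool whose compromise would expose farm-level credentials; reassign it to its own managed account rather than granting the farm account more rights.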
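
Note #44 says Windows leaves deprecated protocols enabled by default. The following added example, not part of the deck, reads the SCHANNEL registry settings and reports which legacy protocols are not explicitly disabled for the server role; the list of protocols treated as legacy and the function name are assumptions made here, and cipher suites are not covered.

```powershell
# Added example: audit SCHANNEL protocol settings on the local Windows server.
function Get-SchannelProtocolState {
    param(
        [string[]]$Protocol = @('SSL 2.0', 'SSL 3.0', 'TLS 1.0', 'TLS 1.1', 'TLS 1.2'),
        [string]$Root = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols'
    )
    foreach ($p in $Protocol) {
        foreach ($role in 'Server', 'Client') {
            $key   = Join-Path (Join-Path $Root $p) $role
            $props = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue

            # A missing key or value means nobody configured it: the OS default applies.
            $state = if ($null -eq $props -or $null -eq $props.Enabled) {
                'NotConfigured'
            } elseif ($props.Enabled -eq 0) {
                'Disabled'
            } else {
                'Enabled'
            }

            [pscustomobject]@{
                Protocol          = $p
                Role              = $role
                State             = $state
                DisabledByDefault = $props.DisabledByDefault
            }
        }
    }
}

# Assumption: the protocols this audit treats as legacy.
$legacy = 'SSL 2.0', 'SSL 3.0', 'TLS 1.0', 'TLS 1.1'

# Anything legacy that is not explicitly disabled for inbound connections needs review.
$review = @(Get-SchannelProtocolState |
    Where-Object { $legacy -contains $_.Protocol -and $_.Role -eq 'Server' -and $_.State -ne 'Disabled' })

if ($review.Count -eq 0) {
    'All legacy protocols are explicitly disabled for the server role.'
} else {
    $review | Format-Table Protocol, Role, State, DisabledByDefault -AutoSize
}
```

Before disabling a protocol on a farm server, confirm in a non-production farm that SharePoint, SQL Server, and any Office Web Apps connections still negotiate successfully.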