Microsoft SharePoint Online Dedicated Custom Solution Policies and Process Published: April 2010 For the latest information, please see http://microsoft.com/online. The information contained in this document represents the current view of Microsoft Corporation on the issues discussed as of the date of publication. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information presented after the date of publication. This document is for informational purposes only. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS DOCUMENT. Complying with all applicable copyright laws is the responsibility of the user. Without limiting the rights under copyright, no part of this document may be reproduced, stored in or introduced into a retrieval system, or transmitted in any form or by any means (electronic, mechanical, photocopying, recording, or otherwise), or for any purpose, without the express written permission of Microsoft Corporation. Microsoft may have patents, patent applications, trademarks, copyrights, or other intellectual property rights covering subject matter in this document. Except as expressly provided in any written license agreement from Microsoft, the furnishing of this document does not give you any license to these patents, trademarks, copyrights, or other intellectual property. ©2010 Microsoft Corporation. All rights reserved. Microsoft, Access, Active Directory, Excel, Forefront, InfoPath, Internet Explorer, Outlook, PowerPoint, SharePoint, Silverlight, SQL Server, Visual Studio, Win32, Windows, Windows PowerShell, and Windows Server are trademarks of the Microsoft group of companies. All other trademarks are property of their respective owners. Microsoft SharePoint Online Dedicated Custom Solution Policies and Process 2 Contents Introduction ................................................................................................................................................. 6 What Developers Should Know ................................................................................................................ 6 What Is New in the April 2010 Release .................................................................................................... 6 How Online Services Can Help ................................................................................................................ 7 Potential Impact of Deploying Custom Solutions ...................................................................................... 7 Deployed Custom Solutions ..................................................................................................................... 7 Use of Third-Party Solutions and Products .............................................................................................. 7 Third-Party Solution Licensing ............................................................................................................... 8 Open Source Project Support ................................................................................................................ 8 Customization Process .............................................................................................................................. 9 Timeline Overview of Customization Process ........................................................................................ 10 Key Milestones ..................................................................................................................................... 11 Requirements Gathering .......................................................................................................................... 12 High Level Design Review........................................................................................................................ 13 Scope of Customization .......................................................................................................................... 13 Hardware Evaluation .............................................................................................................................. 14 Customization Development .................................................................................................................... 16 Customization Testing.............................................................................................................................. 17 Using the Code Analysis Framework Tool ............................................................................................. 18 Customization Packaging ........................................................................................................................ 19 Package Requirements .......................................................................................................................... 19 Components............................................................................................................................................ 19 Customization Package Structure .......................................................................................................... 20 Solution Package Creation ..................................................................................................................... 22 Customization Package Submission ...................................................................................................... 22 Updating Existing Custom Code ............................................................................................................. 23 Online Services Testing, Validation, and Deployment .......................................................................... 24 Timeline for Online Services Review ...................................................................................................... 24 Online Services Operations Team Testing ............................................................................................. 25 Pre-Production Environment Validation .................................................................................................. 26 Change Advisory Board (CAB) Production Review ................................................................................ 27 Production Environment Deployment ..................................................................................................... 28 Re-Drop Policy for the Customization Package ..................................................................................... 29 Microsoft Engineering Policies for Custom Solutions .......................................................................... 31 System Monitoring .................................................................................................................................. 31 Patching Impacts .................................................................................................................................... 32 Updating a Customization ....................................................................................................................... 32 Break-Fix Remediation ........................................................................................................................... 33 Emergency Change Remediation ........................................................................................................... 33 Microsoft SharePoint Online Dedicated Custom Solution Policies and Process 3 Impact of SharePoint Online Upgrade on Customizations ..................................................................... 34 Service Policies ......................................................................................................................................... 37 Supported Customizations Policy ........................................................................................................... 38 Appendix A: SharePoint Developer Resources ..................................................................................... 42 Getting Started ........................................................................................................................................ 42 Webcasts ................................................................................................................................................ 42 More Development Resources ............................................................................................................... 43 E-Learning Resources ............................................................................................................................ 43 Best Practices for SharePoint Developers ............................................................................................. 43 Best Practices for Development Environments ................................................................................... 43 Development Environment Software Best Practices ........................................................................... 44 Automate Source Control and Build Process ...................................................................................... 45 Do Not Attempt Solution Versioning .................................................................................................... 45 Use Proper Namespaces for Customizations ...................................................................................... 45 Avoid Feature Versioning .................................................................................................................... 45 Use as Little Code as Possible in Application Development ............................................................... 45 Plan Carefully when Installing Dependencies ..................................................................................... 46 Limit the Number of Solution Packages in a Customization ................................................................ 46 Do Not Use ADO.NET to Connect to Databases ................................................................................ 47 Best Practices for Developing Code that Connects to an Internet Address ........................................ 47 Best Practices for Increasing SharePoint Site Performance ............................................................... 47 Configuring Caching ............................................................................................................................... 47 Using Content by Query Web Part Objects ............................................................................................ 47 Removing Unused Web Parts from SharePoint Pages .......................................................................... 48 Configuration Management .................................................................................................................... 48 Appendix B: Testing Resources .............................................................................................................. 49 Online Resources ................................................................................................................................... 49 Load Testing and Performance Resources ............................................................................................ 49 Best Practices for Testing ....................................................................................................................... 49 Scope of Testing .................................................................................................................................. 50 Microsoft Testing of Custom Solutions ................................................................................................ 50 Test Environments ............................................................................................................................... 51 Failure Points ....................................................................................................................................... 52 Appendix C: Solution Packaging Resources ......................................................................................... 53 Appendix D: Customization Package Checklist .................................................................................... 54 General Instructions ................................................................................................................................ 54 Scheduling Information ........................................................................................................................... 54 Deployment Guide (Installation Instructions) .......................................................................................... 54 Rollback Plan .......................................................................................................................................... 55 Solution Packages .................................................................................................................................. 55 Test Documents and Results.................................................................................................................. 55 Dependencies List .................................................................................................................................. 55 Event Log ................................................................................................................................................ 55 Microsoft SharePoint Online Dedicated Custom Solution Policies and Process 4 Client Troubleshooting Documentation .................................................................................................. 56 Source Code ........................................................................................................................................... 56 Third-Party Licensing Document ............................................................................................................ 56 Customer's Security and Compliance Review Document ...................................................................... 56 Monitoring Document .............................................................................................................................. 56 Update or Revision to an Existing Customization ................................................................................... 57 Appendix E: Building a Mirror Production Environment ...................................................................... 58 Test Machines......................................................................................................................................... 58 Appendix F: Implementing Master Pages ............................................................................................... 61 Prerequisites ........................................................................................................................................... 61 Introduction ............................................................................................................................................. 61 Sample Master Page Using Clarity Master Page Sample ...................................................................... 61 Appendix G: Troubleshooting Guide Templates ................................................................................... 67 Monitoring Troubleshooting Guide ......................................................................................................... 67 Support Troubleshooting Guide .............................................................................................................. 69 Appendix H: Approved Third-Party Solutions ....................................................................................... 70 Appendix I: Building Custom Solutions with Web Parts ...................................................................... 72 Appendix J: Code Development and Deployment Responsibilities .................................................... 75 Appendix K: Custom Solutions Using External Databases .................................................................. 77 Non-Supported SQL Server Features .................................................................................................... 78 Terms and Conditions ............................................................................................................................. 79 Database Configuration ....................................................................................................................... 79 Security Model ..................................................................................................................................... 80 Database Maintenance ........................................................................................................................ 80 High Availability Protection .................................................................................................................. 80 Connectivity and Access ...................................................................................................................... 80 Support ................................................................................................................................................ 80 Appendix L: Process to Escalate Customization Post-Deployment Issues ....................................... 82 Microsoft SharePoint Online Dedicated Custom Solution Policies and Process 5 Introduction This document provides a description of Microsoft® Online Services (Online Services) support for customization development and deployment to the Microsoft SharePoint® Online Dedicated environment. There are three different types of customization available to the SharePoint Online customer: 1. End-user customization. Customizations that are performed through a Web-based mechanism (for example, style sheets and out-of-the-box Web Part and page templates). 2. Authored site customization. Customizations that are performed by Web designers using HTML editors such as Microsoft Office SharePoint Designer. These customizations apply, for example, to master pages, page layouts, and data view Web Parts. 3. Developed site customization. Customizations that are created by developers using the development of Microsoft .NET–based code and dependent files that must be deployed on SharePoint servers by the Online Services operations team. This document applies only to the third type—customizations that require deployment by the Online Services operations team—and that are installed and run on the SharePoint servers that are hosted by Microsoft. These customizations include solutions or products that are developed by third parties, and code developed in house by a customer development team. Custom solutions can be developed for internal customer sites and for customer sites that are exposed to external users. The custom solution development process that is outlined in this document can help ensure that code deployed to the Online Services production environment is more secure, and that it is developed according to established best practices. To that end, the Online Services engineering team reviews proposed customizations, determines whether an out-of-the-box or existing solution can accomplish the same goals, and then guides the process to ensure that the customization is deployable, supportable, and sustainable by Microsoft support teams. What Developers Should Know It is assumed that the readers of this document are familiar with SharePoint development and Internet Information Services (IIS), and know life-cycle–based development and testing of .NET-based code. Resources for getting started with SharePoint development are included in "Appendix A: SharePoint Developer Resources" later in this document. The availability of the features described in this document is based on the Online Services release process. Time to deployment varies from customer to customer. Customers should contact their service delivery manager to discuss these features in relation to their organization. Although SharePoint Online does not offer customers a hosted development or testing environment, we do host a preproduction environment (PPE) for customers to validate customizations prior to production deployment. see "Appendix E: Building a Mirror Production Environment" later in this document. What Is New in the April 2010 Release Previously, Microsoft SharePoint Online custom code development required that the customer create a customization, test it, and then hand it off to Microsoft to validate the code. Now, most of the validation is done automatically using a tool called the Microsoft SharePoint Online Code Analysis Framework (CAF). The tool validates the solution code to ensure that it is built using most of the known best practices. It also checks the solution for security flaws and for memory leaks. Note that the tool only performs code validation of the solution, so functional and stress testing must still be done by the customer's development team. Microsoft SharePoint Online Dedicated Custom Solution Policies and Process 6 How Online Services Can Help Customers who want to develop and deploy custom SharePoint solutions benefit from Microsoft Online Services involvement in the following ways: Structured process. SharePoint Online uses a structured review process that pairs Microsoft partners or employees with customers to help mitigate the risk of falling outside of the established goals for solution performance, scalability, availability, and upgrade. Experience deploying custom-built solutions. SharePoint Online has extensive experience with deployment of customer solutions as well as purchased and custom-written third-party solutions. Capacity planning experience. SharePoint Online has experience evaluating the impact of custom code and the necessary changes that are required to scale hardware and logical infrastructure design to meet customer needs. Potential Impact of Deploying Custom Solutions Custom code has the potential to significantly impact the SharePoint Online environment—especially when the code generates a high load, requires significant resources, or doesn't scale to the current environment. To address these issues, it may be necessary to purchase additional hardware, upgrade existing hardware components, scale back custom solution deployment by deploying to fewer sites or pages, or revoke the solution entirely. During the review phases, the Online Services engineering team identifies the need for additional hardware or upgraded components to support the customizations that are provided by customers. In cases where supporting the customizations would require additional hardware, Microsoft reserves the right to reject the customization or to charge for the additional hardware required. Adding additional hardware could delay the deployment of the customization. Important Because SharePoint Online does not offer a hosted development or testing environment, all development and testing must take place on an environment that is hosted by the customer or a partner. PPE is not a substitute for a customer-hosted or partner-hosted test environment, and it does not become available to the customer until after the customization package has been submitted to the Online Services engineering team for review. Deployed Custom Solutions Deployed customizations are monitored by the Online Services operations team, based on the necessary monitoring rules that are provided by the customer. If custom code has an adverse impact on the Online Services customer experience, or if it affects the ability of Microsoft to meet the customer's service level agreement (SLA), the Online Services operations team takes immediate action. This may include debugging the application and optimizing it for current load and stress conditions, or removing of the code to return the environment to a stable state. If this occurs, an emergency Change Advisory Board (CAB) meeting is called and the customer is consulted to make the best decision possible. For more information about post-deployment issues, see "Appendix L: Process to Escalate Post-Deployment Issues Related to Customizations" later in this document. Monitoring of customizations is effective only if customers provide complete and usable troubleshooting guides, as well as instrument custom event codes. In addition, the customizations must implement the proper instrumentation to support monitoring. Use of Third-Party Solutions and Products Third-party solutions and products are available from both developers and vendors for installation in the Online Services environment. In most cases, these products are eligible for installation if they qualify as an allowed customization as described in "Permitted Customizations Policy" later in this document. Microsoft SharePoint Online Dedicated Custom Solution Policies and Process 7 SharePoint Online has evaluated only a limited number of third-party solutions at this time. A full list of the approved third-party standalone solutions can be found in "Appendix H: Approved Third-Party Solutions." As more standalone solutions are evaluated and approved, they get added to the list of prequalified solutions and products that are eligible for installation without the need to go through the evaluation process. Microsoft’s service manager or solution architect assigned to each customer has access to an up-to-date list of all preapproved third-party solutions and products. Some prequalified customizations may also require changes to the hardware resources or support resources associated with a customer's deployment. Third-Party Solution Licensing The customer is responsible for obtaining the licensing for any third-party solution or product, and must provide proof of this licensing (often a key or certificate) as a part of a customization package. Depending on the third-party solution, a second set of licenses may also be needed for the disaster recovery server farm as the first set of licenses may only apply to the production server farm. Open Source Project Support SharePoint Online supports open source code if the customer first takes responsibility in writing for the ownership of the code, and ensures that such code has been tested for performance, scalability, stability, data integrity, and sustainability. The customer is also responsible for end-to-end support of open source code. When deployed to the production environment, if Microsoft encounters any issues that are related to such open source software, it transfers to the customer any issues for further root cause analysis and triage. Microsoft SharePoint Online Dedicated Custom Solution Policies and Process 8 Customization Process Introducing custom code within the SharePoint Online production environment—or revising existing code—requires following a development and deployment process that has been established by Microsoft. This process is based on best practices developed by Microsoft through its work with the hosted SharePoint Online Dedicated service. It is also closely aligned with the processes described in the Microsoft Solutions Framework and the Microsoft Operations Framework. For more information about the Microsoft Solutions Framework, download Microsoft Solutions Framework version 3 white papers. For more information about the Microsoft Operations Framework, see Microsoft Operations Framework 4.0 in Microsoft TechNet. The development and deployment process for custom code is outlined in this section. The process applies to the development of new or updated code that is intended to be installed and run on production environment servers. The core deliverables of this process are the High Level Design (HLD) document and the Customization Package which contains the Deployment Guide. The HLD document is the high level technical explanation of the customization. The Deployment guide is contained within the customization package and includes the detailed technical explanation of the customization, deployment and verification steps and other important information. The Customization Package also includes the solution packages (final tested code, install and uninstall scripts), the source code, and all related documents, such test documentation. An overview of the customization process is shown in Figure 1. * Business days ** Customers must submit HLD and code drops along with updated versions of the Change Request templates. Figure 1. Overview of SharePoint Online customization process Microsoft SharePoint Online Dedicated Custom Solution Policies and Process 9 Timeline Overview of Customization Process This section presents an overview of the time and resources that are generally involved in the custom solution development and deployment process, using a sample timeline and process for the deployment of custom code. Steps 2 through 6 are detailed in later sections of this document. As shown in Figure 1, a typical timeline proceeds as follows: 1. Requirements gathering. Depending on the complexity of the customization, the customer's development team may require up to four weeks (20 business days) 'to gather requirements and buyoff from the project sponsor and stakeholders. 2. Create HLD document. At least five days prior to submission of the HLD document for review, the customer must notify the SharePoint Online service management team via the customer's technical account manager (TAM) about its intent to submit the HLD document. Note: Throughout the entire customization process, all communication with SharePoint Online, including the delivery of the customization package to the Online Services engineering team, is handled by the customer's TAM. 3. Review HLD document. The development team submits the HLD document to the Online Services engineering team for review and approval prior to code development. Microsoft has five business days to respond to the HLD after submission by the development team. We recommend that no development work be done until the HLD has been reviewed, to allow any feedback to be incorporated into the development. Until the Online Services engineering team formally accepts the HLD, Microsoft does not accept any customized code for review and testing. 4. Customization development. After the Online Services engineering team approves the HLD, the customer's development team starts customization code development. 5. Customization testing, CAF validation, and packaging. The customer provisions a team to test the customization internally, validate the solution, document the testing and other aspects of the solution process, and build customization packages. Testing. The customer's development team must include tests for scale and performance. Because the current release of the Microsoft SharePoint Online Code Access Framework (CAF) application does not integrate with CAT.NET, the customer must run CAT.NET to analyze their customization code. For more information about CAT.NET testing, see "Best Practices for Testing" later in this document. Validation. The customer's development team uses the CAF application provided by SharePoint Online to validate the code of the customization. Also, manual test cases not included in CAF should be validated by the customer (if applicable to the customization) and submitted using the Test Results document. Packaging. The customer's development team begins preparing the customization package, which consists of all solution documentation, all code components, and the CAT.NET report. This typically takes about 10 business days, but depends on the complexity of the customization. Five business days prior to the intended code drop date, the customer must notify the SharePoint Online service management team through the customer's TAM that a customization package, with final documentation and source code, is being provided for review. The customer submits the customization package to the Online Services engineering team at least 16 business days prior to the change window in which the customer wants to deploy the customization. 6. Online Services testing, validation, and deployment. The Online Services engineering team typically takes 10 business days to review and validate the customization, and to test the code in an Online Services internal lab environment. Deployment occurs first in the PPE environment, and then in the production environment. Microsoft SharePoint Online Dedicated Custom Solution Policies and Process 10 Validation. The validation is intended to confirm that the solution is supportable and matches the details of the HLD document. SharePoint Online uses the CAF application, as well as manual tests, to validate the customization. Testing. The choice of manual tests depends on the customization type. For example, if the customization is a master page then there is a test that validates that the sites will have the correct look and feel when the feature is enabled. There are tests to verify that when a feature is disabled, the look and feel reverts to the previous version. The Online Services operations team also tests that the Web.config files are correctly updated when the customization is activated, and that the changes are reverted when the customization is deactivated. PPE deployment. The deployment request is reviewed in a Change Advisory Board (CAB) meeting at Microsoft (one business day). After approval by the CAB and a successful initial review, the Online Services operations team deploys the solution to the PPE if it is available, and performs customer-provided validation steps. Production deployment. In parallel with the PPE review by Microsoft, the customer development team also has five business days to review the customization in the PPE and sign off for deployment to the production environment. When the customization receives validation from both the Online Services engineering team and the customer development team, the production deployment request is submitted to the CAB. When approved by the CAB, the Online Services operations team prepares for production deployment (four days). Deployment occurs at the next scheduled change window, usually on a Friday. The Online Services operations team performs the validation steps provided by the customer and then contacts the customer development team to perform any post-deployment actions. For more information about the deployment window, see Production Environment Deployment. Key Milestones Table 1 shows key milestones that the customer must understand to ensure a successful deployment of a customization to their SharePoint Online PPE and Production environment. Table 1. Timeline for Deployment Action Duration Customer notification to Online Services operations team before submitting HLD. 5 business days Turnaround time for Online Services operations to complete HLD review. 5 business days* Notification by customer to Online Services operations before submitting customization package. 5 business days Turnaround time for Online Services operations to complete customization package review. 10 business days* * Assumes that Online Services operations team requires no additional information from the customer to process the review. Microsoft SharePoint Online Dedicated Custom Solution Policies and Process 11 Requirements Gathering As a formal part of any development, requirements should be gathered from all stakeholders: developers, support personnel, end users, and testers. When factoring in all of the requirements, it is important to consider scale (for example, multiple Web front-end servers) and performance (such as page load time and latency). Customer requirements influence both how the code is developed and how it is tested. For a customer with multilingual requirements, unit testing requirements should specify that testing is performed in each localized language. SharePoint Online uses language packs, master pages, page layouts, resource files, and administrator interface that are specific to a locale. In some cases, the customer must ensure that the custom application renders correctly when the page is read right to left or if the language contains doublebyte characters. The customer does not need to submit a formal statement of requirements to Microsoft. However, specific constraints related to such factors as performance, scale, and language should be noted both in the HLD document and later in the test plan. Microsoft SharePoint Online Dedicated Custom Solution Policies and Process 12 High Level Design Review The HLD review is the process that helps SharePoint Online, or its designated partner, to work with the customer in providing an initial evaluation of the customer's proposed customization. To start the process, SharePoint Online requires the customer to gather and present information about the proposed customization using the HLD document. We recommend that the customer request the template for the HLD document, which is available from the customer's TAM or solution architect. The completed HLD document is submitted to the Online Services engineering team for review and approval prior to code development. The HLD review has the following goals: Provide SharePoint Online the opportunity to suggest an out-of-the-box solution or a previously evaluated third-party solution instead of custom development. Provide feedback to ensure that the design implementation follows established best practices and receives guidance from experienced SharePoint developers. Evaluate the design to determine whether it is supportable within the Online Services hosted environment, and if it poses any risk to the existing environment or the SLA. Minimize the likelihood of having to rewrite or change the solution when service packs and future versions of the product are released. Determine whether additional hardware is needed to support the customization. Capture potential performance issues early, rather than during testing or after production deployment. The following information helps with submission of the HLD document: The Online Services engineering team must receive notification five business days in advance that the HLD document will be submitted. If usage patterns, audience, hours of usage, or similar characteristics are likely to change as a result of a new customization, that information should be included in the HLD document so that resource considerations can be taken into account early. The Online Services engineering team has five business days to respond to the HLD document. During the HLD review, Microsoft or a designated partner notifies the customer if the solution packages will require a longer validation and review period than the standard 10 business days allocated for this phase. In this case, the Online Services engineering team provides an estimate of the amount of time that will be required to review the customization. Scope of Customization The HLD review provides the Online Services engineering team with an opportunity to review the scope of the planned solution and determine whether it is a small, medium, or large customization based on the amount of code and number of Windows® SharePoint Services solution package (WSP) files that will be included in the customization package. (For more about solution packages, see "Customization Packaging" later in this document.) Table 2 shows how customization sizes are determined. Microsoft SharePoint Online Dedicated Custom Solution Policies and Process 13 Table 2. Customization Sizes Solution Size Lines of Code Number of WSP Files Small 0 to 1000 1 to 2 Medium 1000 to 3000 1 to 4 Large 3001 or more 1 to 10 Important Customizations that are determined to be extremely large and complex (requiring the full time period to review) will not be eligible for a re-drop (a resubmission by the customer of any part of the customization package) during the evaluation and production deployment phase of the customization review process. We recommend that the customer development team consider breaking up a large project into multiple phases that are evaluated and deployed at different times. In general, the development team can anticipate the solution type based on its size, as indicated by the criteria in Table 2. However, a solution that is more complex than normal, has dependencies on a significant number of external systems, or processes a large amount of user-provided content may be classified differently despite a small amount of code or number of WSP files. Upon submission of such complex customizations, Microsoft notifies the customer if additional time is necessary to complete the review. If the development team is designing a solution that will require more than 10 WSP files, the team should reconsider its architecture. It is difficult to manage and deploy so many solution files within a single deployment window, and the solution risks rejection because of the complexity for the Online Services operations team of managing it. Hardware Evaluation The HLD review is performed based on the customer's current load and hardware configuration. In some cases, an HLD review may reveal the need for a new hardware component; for example, a multipart customization may require deployment of additional servers, or upgrades to existing servers, to meet performance expectations and SLA requirements. In certain cases, additional resources and operational support may be necessary. The Online Services engineering team reserves the right to reject any customization that requires the addition of hardware or resources above and beyond what is already provisioned for the customer. Microsoft Responsibilities Return an evaluation of the HLD document within five business days of receiving the document from the customer, or immediately notify the customer if more than five days will be needed for review. Evaluate the HLD document against the existing infrastructure and resources, and notify the customer if the customization requires changes. Evaluate whether the standard 10-business-day evaluation period will be adequate to validate the customization when complete. Contact the customer immediately if problems are discovered during the review process. Evaluate whether an HLD reveals a small, medium, or large customization. Large customizations are not eligible for a re-drop during the evaluation phase. Customer Responsibilities Complete the HLD document before any coding takes place. Notify the Online Services engineering team at least five business days before the HLD document is submitted, to ensure that SharePoint Online possesses the necessary resources to evaluate it. Microsoft SharePoint Online Dedicated Custom Solution Policies and Process 14 Provide a developer resource to respond to questions or concerns in order to achieve signoff within the window of five business days. Microsoft SharePoint Online Dedicated Custom Solution Policies and Process 15 Customization Development Following approval of the HLD, the development team can begin code development. The customer is responsible for developing or purchasing the customization and operating its own development environment. The customization should be developed in an environment that matches the SharePoint Online production environment. For details about how to build an environment that matches the SharePoint Online production environment, see "Appendix E: Building a Mirror Production Environment" later in this document. For customers who are new to development for SharePoint Online, we highly recommend that a customer team perform the following actions: Plan a proof-of-concept before doing a full-scale production development. Use a source control system for storing and tracking customization code. Furthermore, we strongly discourage running code with full administrative privileges. In addition, the customer development team should ensure that any dependencies of the customization should rely only on the custom code itself. Any configuration changes should be implemented in a way that minimizes the need for manual steps by the operations personnel who deploy the solution. Information and resources about development in the SharePoint environment are available in "Appendix A: SharePoint Developer Resources" later in this document. Microsoft SharePoint Online Dedicated Custom Solution Policies and Process 16 Customization Testing As with development, testing is a customer responsibility. SharePoint Online does not offer a customeraccessible testing environment, so testing code and maintaining a test environment is the responsibility of the customer. Note: The customer is solely responsible for the testing of the solution. The customer must test all components of the solution, whether developed by the internal customer development team or purchased from a third-party vendor, before sending it for evaluation and deployment by the Online Services engineering team. These tests should include, but may not be limited to, functionality, performance, stability, scale, and full unit testing. Insufficiently tested code represents a risk to the entire Online Services environment. If the Online Services engineering team has sufficient concern that a customer has not adequately tested the code, the code is rejected during the review process. If a customization is depending on integration or communication with services, data, or systems that are unique to the customer's corporate environment, then the Online Services operations team will be unable to reproduce this within its own testing environment. However, when evaluating code in the PPE, the customer can test whether these forms of integration are working as expected. When performing these types of integration tests, we recommend that the customer provides and uses connections to a user acceptance test (UAT) version of the customer's service, data, or system to avoid negative impact to the production environment. However the customer chooses to handle this aspect, testing must be performed adequately within the customer's environment and then later documented in the customization package. Important It is important to recognize that the PPE is not a substitute for a test environment; it is simply a validation environment. It is very important that the customer provision a dedicated test team that is familiar with the customer's production version of Microsoft Office SharePoint Server. The test team should be able to distinguish the difference between defects in a customization versus an out-of-the-box solution that is working but is not behaving as desired. Testing must cover the entire solution life cycle (for example, installation, activation, creation of content, editing of content, and finally expiry or deletion of content). We recommend that the development team have a full formal test pass before handoff to the customer's own test team, to minimize the number of defects. Important Development and testing should be done with the same Microsoft Office SharePoint Server version, including the patch levels, that is installed on the customer's hosted environment. Prior to development, the customer should check with Microsoft to determine whether any patches are scheduled to be installed prior to deployment of the customization solution. It is the customer's responsibility to ensure that development and testing has been done using the appropriate version of Office SharePoint Server. Office SharePoint Server 2007 patches are cumulative; as a general rule, they 'cannot be rolled back in a production environment after being deployed. To learn from Microsoft experience with internal testing of the customer environment and internal testing of custom-developed code for SharePoint Online, see "Best Practices for Testing" later in this document. Microsoft SharePoint Online Dedicated Custom Solution Policies and Process 17 Using the Code Analysis Framework Tool The customer must use the Microsoft SharePoint Online Code Analysis Framework (CAF) tool to validate the customization prior to submission to the Online Services engineering team. The CAF application includes a user's guide in a compiled help file. The CAF tool may be downloaded from the Microsoft Online Services customer knowledge base site. The CAF tool performs a rules-based code analysis of the solution to establish whether it is built using known best practices. The report generated by the CAF tool instructs developers on the parts of the solution that need changing in order to meet the validation criteria. SharePoint Online reserves the right to add new rules to the CAF engine; however, new rules are not retroactive. They will only apply to new customizations or to updates of existing customization. Code analysis focuses on areas like memory management, security vulnerabilities, exception management, object model usage, quality gates for unsupported features, and reporting. The framework uses existing tools like FxCop and SPDisposeCheck for analyzing the customizations. The elementary unit of execution for the CAF tool is a check for best practices or for recommended guidelines as prescribed by the Online Services operations team. Rules of similar category are grouped together while creating a test case. These test cases are then run during the analysis of the solution packages. SharePoint Online also provides a document of manual test cases, outside the scope of the CAF tool, that Microsoft uses to validate customer solutions. The Test Cases document is available for all existing SharePoint Online Dedicated customers at the Microsoft Online Services customer knowledge base site. The customer is must run these manual tests on the customization prior to submission. Microsoft Responsibilities Provide guidance about all installed builds and patches within the SharePoint Online environment. Provide guidance about how the production environment is built so the customer can create test environments that adequately mimic the production environment. Customer Responsibilities Build and maintain development and test environments. Adequately test all custom code before submitting it to the Online Services engineering team for validation. Outline and test any requirements concerning performance, scale, and language. Microsoft SharePoint Online Dedicated Custom Solution Policies and Process 18 Customization Packaging When custom code development and testing are finished, the customer development team must create and present a customization package—including adequate documentation—to the Online Services engineering team for testing and analysis prior to deployment in the production environment. Testing by Microsoft does not begin until all documentation and final code are delivered. Package Requirements The following are requirements for submitting customizations: Documentation is required, whether submitting a new customization or an update to an existing customization. Several types of documents must be created; for a summary see Table 3. The solution itself, and the customization package as a whole, should have meaningful titles. (The two can have the same name.) For example, "Jan_26_customization" is too general to be an appropriate title. The customization package should be titled in this form: "CustomerName_CustomizationTitle_Version". For multiple solution packages, each can have this form: "CustomerName_CustomizationTitle_Solution-SolutionName". When packaging code and documentation into the customization package, the customer must compress the entire package using the .zip file format. Other third-party compression tools are not permitted for installation on host data center computers, and SharePoint Online does not repackage the customization package if the incorrect compression tool is used. The customization package should be submitted through the TAM by creating a change request. When preparing the solution packages and the documentation for the customization package, it is important to know that all customization packages are deployed to both a primary and a secondary data center; the secondary data center is maintained for disaster recovery. Deployment instructions should note which package components must be run, installed, and deployed in which data center. For example, scripts to create a custom database only run once, and only on the primary data center, but SharePoint Online solution packages must be deployed to both data centers. Microsoft Responsibility Provide guidance on the structure of the customization package. Customer Responsibilities Package all of the final tested customization code as WSP files. (This step is required for all inhouse development.) Include detailed validation steps in the deployment guide so that MSO can verify that the solution is working as expected post-deployment. Components The customization package should be organized in an easy-to-follow file system. For example, folders should be used to separate source code, final tested code, and release documentation. The Deployment guide specifies the folder structure that should be followed when submitting a customization. The components of the submission should be organized according to the following guidelines: The customization package must have a folder called "Release Documents" that contains all the relevant documents related to the release. The test documentation must be in a folder called "Test Documents". The solution packages, including final tested code, must be in a folder called "Solution Packages," although this is not required for submission. The CAF uses this directory to create a CAB file which should be placed in the root directory. Microsoft SharePoint Online Dedicated Custom Solution Policies and Process 19 If there are any scripts that must be run as part of the installation, they must be in a folder called "Installation Scripts". The source code must be in a folder called "Source Code". Table 3 presents an overview of what must be included in the customization package. Complete details are included in "Appendix D: Customization Package Checklist" later in this document. Customization Package Structure One of the elements that the CAF tool checks is the customization package structure. The customization package that is sent to SharePoint Online must adhere to the directory structure shown in Table 3. For more information on CAF, see "Using the Code Analysis Framework Tool" earlier in this document. Table 3. Customization Package Components Package Component Directory Description Scheduling information Release Documents State the expected date for code-drop submission and deployment. Also include the expected duration of downtimes for deployment configuration and post-deployment configuration. Deployment guide Release Documents Online Services operations team provides a deployment guide template for customers to submit as part of the customization package. The deployment guide includes details about how to install all of the customization package components, any architecture diagrams that are related to the installation of the custom code, and procedures for how to test that the solution packages and the solution as a whole have been properly deployed. It also includes a list of prerequisite software and any open source software used in the customization. (The installation and uninstall scripts are handled in a separate section of the customization package, below.) Include detailed verification steps (in the deployment guide so that Online Services operations can verify that the solution is working as expected post-deployment, including any telltale signs, GAC versions, or even screen shots of the environment that indicate successful deployment. The deployment guide must be completely self-contained. Do not include references to e-mail threads or other documentation, or else the customization package will be rejected. For customers who are using third-party solutions, pointers to the vendor's installation documentation are not suitable documentation. Open/shared source code waiver Release Documents If any open source or shared source code or components are used in the solution, the customer is required to provide a waiver in writing stating that the customer will be responsible for supporting any issues that arise from the use of open source software. CAF report Release Documents Include the CAF report on the final code drop. Also include all the exception comments from the exceptions found by the CAF tool as part of the report. Rollback plan Release Documents Provide a rollback plan, in case the customization must be removed. Include screen shots of how the environment must look after a successful rollback. Note: If it is not possible to roll back a solution, this must be called out in the deployment guide so that the risks can be discussed between SharePoint Online and the customer development team and any preparations for a system recovery can be planned by both teams. Microsoft SharePoint Online Dedicated Custom Solution Policies and Process 20 Package Component Directory Description Solution packages Solution Package Include the final versions of all the solution packages, including final tested code and the CAF report, in this folder. Installation scripts Installation Scripts Store all installation and un-installation scripts (such as Windows PowerShell™ scripts and batch files) in this folder, including a tailored set for the secondary data center, if warranted. Test documents and results Test Documents For testing and validation purposes, it's extremely important to supply a copy of the solution test plan, test scenarios, unit test results, and all performance and scale testing that has been performed related to the code. This is even more important if the code has a dependency (Web service, data, or system) that cannot be tested during SharePoint Online acceptance testing. Include details about all elements of the customization that the customer wants deployed, including any third-party components and other solutions that the customer has purchased. Dependencies list Release Documents Submit a list of all dependencies for the code. This can include an account and password, Web services, databases, other solutions, features, patches, tool sets, and libraries. Event log Release Documents Provide a list of all event entries generated by the customization, and the troubleshooting actions to take for them. The list commonly takes the form of a table of error codes, the corresponding severity, and root cause. Client troubleshooting documentation Release Documents Submit end-user troubleshooting guidance for the Online Services Operations team and one or two test accounts, if appropriate, to diagnose problems that are related to the customer's dependencies. If an account is provided, it should be set up with low privilege and used for no other purpose. A template is provided in "Appendix G: Troubleshooting Guide Templates," later in this document, to show the correct format for the client-facing Troubleshooting Guide. Source code Source Code Include the project files and source code (validated through the CAF tool), where developed in-house. All source code is treated with utmost confidentiality by Microsoft. Details about the treatment of customer source code can be found in the customer's contract, in the section "Pre-Existing Work". Note: If the solution is a third party off-the-shelf application, no source code is needed for submission. Public debug symbols Source Code To aid in the possible troubleshooting scenarios, include the public debug symbols for all custom code. This symbol file is automatically created by Microsoft Visual Studio® as long as either "pdb only" or "full" is selected from the Debug Info setting, which can be accessed via the Advanced settings on the Build page in Visual Studio. For more information, see the article "PDB Files (C# and Visual Basic)" in the Visual Studio Developer Center. Third-party licensing document Release Documents Provide the licensing details and, if necessary, keys or certificates for installation, if using a third-party component or solution. Include all details about the testing that has been done against the third-party component or solution. Note: Remember to purchase licenses for both the primary and secondary data center computers. Microsoft SharePoint Online Dedicated Custom Solution Policies and Process 21 Package Component Directory Description Customer's security and compliance review document Release Documents We recommend that customers have their own security and compliance team review and approve all customizations that are being presented to Online Services for deployment. Include the customer's Security and Compliance Review approval of the design, and all test details from this review process. Monitoring document Release Documents Provide all details related to monitoring the customization, including logging details and documentation about all instrumentation. Solution Package Creation SharePoint Online requires the use of Windows Solution Package (WSP) files to deploy customizations to the SharePoint Online environment. A solution package is a compressed .wsp file—Windows Solution Package file— that consists of the various resources necessary for deploying the solution. A custom solution may include several solution packages to contain all the components of the solution. There are several advantages of deploying with solution packages : The packages are stored on a SharePoint Server, and can be redeployed to existing or new servers as they are brought online. The packages are completely self-contained and do not generally require tracking of a specific installation order. The packages can be deployed very quickly to a new server farm for disaster recovery of the SharePoint Online environment. Components that can be packaged in a solution package .wsp file include: Microsoft .NET Framework assemblies. Deployment files such as .aspx files, master pages, and page layouts. New templates and definitions for such components as lists, libraries, fields, and content types. Configurations that must be carried out at the Web-server level (for example, the Web.config files for the registration of Web Part assemblies). These solution packages can be built within the Visual Studio development system or manually. Each solution package is stored as a WSP file, and a custom solution sometimes requires numerous WSP files. If the development team is designing a solution that requires more than 10 WSP files, the team should reconsider its architecture. It is difficult to manage and deploy so many WSP files within a single deployment window, and the solution risks rejection because of the complexity for SharePoint Online of managing it. Some solutions that are developed by third parties might not use solution packages, and yet might be acceptable to the Online Services operations team that is reviewing the package. However, all custom solutions that are developed by an in-house customer development team must use the WSP packaging technology. For further details about solution packaging and WSP files, see "Appendix C: Solution Packaging Resources" later in this document. Customization Package Submission The delivery of the customization package to the Online Services engineering team is handled by the customer's TAM. The customization package must be delivered at least 16 business days before a scheduled change window, to ensure that the deployment can be implemented in a timely manner in the production environment. Microsoft SharePoint Online Dedicated Custom Solution Policies and Process 22 Custom solution deployments are implemented during Microsoft-defined change windows. The customer should be aware of the scheduled change windows when submitting the customization package for review. Each customer receives a change window calendar that contains the available windows during which customizations can be deployed. The 16-day lead time enables SharePoint Online to schedule resources, build a lab environment in preparation for testing, and perform testing. It also provides time to obtain approvals from the Change Advisory Board (CAB), and to ensure that SharePoint Online has adequate staffing on hand to ensure a successful deployment. For more information about designated change windows, see the SharePoint Online Change Calendar documentation, which is available from the customer's TAM or the SharePoint Online customer knowledge base site. Updating Existing Custom Code When updating an existing customization and therefore existing documentation, the following should be provided in addition to the components detailed in Table 3: A summary of what has changed from the previous version. This summary must include what has changed (for example, "Master page layout changed, referenced a new CSS file, and updated the underlying JavaScript."). Design changes. If the design has changed and now requires a feature enhancement or other change to functionality, customers must submit an HLD document. If existing custom code is being updated only to address bugs, with no fundamental design changes, no HLD document is necessary. The customer can provide a heads-up five business days prior to the designated code drop window, through the TAM, and submit the customization package (including updates to the source code, deployment guide, and any other component from the package as needed) for Online Services operations team to review. The review process takes up to ten business days. The original solution source code. As a part of solution analysis, the new source code is validated against this original source code to ensure that no issues were introduced with the planned change. Anticipated problems during upgrade. Submit details about any errors, rendering issues, or other problems that might be expected when upgrading the customization. Updated support documentation. Include updates for the end-user troubleshooting guide and other documents. Describe anything that has changed and any new features that could potentially require support or monitoring. Rollback steps. The rollback steps must include the necessary scripts for retracting the solution and adding the previous version of the solution. Any change to a custom solution requires that the customer submit a complete new package for review that covers the updated solution. Microsoft SharePoint Online Dedicated Custom Solution Policies and Process 23 Online Services Testing, Validation, and Deployment After the customization package is delivered to SharePoint Online, the Online Services engineering team reviews and validates the customization to ensure that the solution is supportable, and that it matches the details of the HLD document. The engineering team may also perform tests in an Online Services internal lab environment. During that time, the customer may also have the opportunity to test the customization in a pre-production environment (PPE). Preparation for deploying to the production environment is the final step in the process. Important If it is necessary for the customer to deliver a new version of the code after validation begins, SharePoint Online must reset the validation process, and the original deployment window is placed at risk. Timeline for Online Services Review SharePoint Online begins analysis and pre-production testing after the customization package is delivered. Here is an example of the timing of a typical customization package handoff and review: Package delivery notification. Five business days prior to the intended code drop date, the customer must notify the Online Services engineering team, through the TAM, that a customization package, including final documentation and source code, is being provided for review. Package delivery. The customer submits the customization package to SharePoint Online at least 16 business days prior to the change window in which the customer wants to deploy the customization. Engineering team review: testing and validation. The Online Services engineering team begins reviewing the submitted customization package; this takes 10 business days. This step includes testing the code in an Online Services internal lab environment and validating the customization. Initial CAB review. If the PPE is available, the Change Advisory Board (CAB) spends one day reviewing the solution prior to PPE deployment. (For more information about the PPE, see "Error! Reference source not found." later in this section.) Engineering team deployment decision. Based on the review of the deployment package, the Online Services engineering team approves or rejects deployment of the customization package to the PPE. If a deployment is rejected, in some cases a resubmission is possible within the same deployment window. See "Re-Drop Policy for the Customization Package" later in this section for details. PPE solution deployment. The approved customization package is deployed to the PPE environment, if the PPE is enabled for that customer. Otherwise, it is pushed to the production environment. Customer PPE review. The customer team reviews the solution in the PPE for five days. The customer team then approves or rejects deployment to the SharePoint Online production environment. Final CAB review. The CAB reviews the testing and validation results after both the Online Services engineering team and the customer team have approved production deployment. Operational deployment preparation. SharePoint Online spends four days preparing for production deployment and waiting for the change window. The standard deployment windows are scheduled for Fridays. Figure 2 is an example of the customization package review and testing schedule. Microsoft SharePoint Online Dedicated Custom Solution Policies and Process 24 Figure 1. Customization package review and testing schedule Customer Responsibilities Notify SharePoint Online at least 21 business days before the scheduled Microsoft change window. Provide a complete customization package to Microsoft at least 16 business days before the scheduled change window. Online Services Operations Team Testing In parallel with customer testing of the deployment in the PPE, the Online Services operations team may perform the following tests in an Online Services internal lab environment separate from the PPE: Run the CAF application and manual test cases to analyze the solution packages. Evaluate solution packages and installation/uninstall scripts. Check for memory leaks. Determine whether error handling and exception handling are sufficient. Ensure that the code falls within the customization policy. Make sure that elevated privileges follow best practices. Determine that all code is fully trusted. Ensure that unmanaged code is properly handled. Check compatibility with current production version of Office SharePoint Server. Test for security vulnerabilities. Microsoft SharePoint Online Dedicated Custom Solution Policies and Process 25 Follow development best practices. This testing and analysis attempts to evaluate the following: Supportability of the code on the customer's architecture within the Online Services hosted environment. Dependencies that may pose conflicts or risks. Quality of error handling when dependent components are not available to the code. Adequacy of the documentation: that it describes the custom code that has been provided, details all dependencies, and demonstrates that the customer has done adequate functional unit testing. Core functionality is occasionally tested, including the deployment footprint on the installation, to ensure that the application does not make an unnecessary or potentially harmful change to the service. Aesthetic aspects of the solution code for those solutions—the user interface, for example—are disregarded. It is the customer's responsibility to ensure that the customization meets its own requirements and fulfills the anticipated need. The code is not formally unit tested. In some cases, if the dependencies (Web services, data, or systems) are not available in the Microsoft Online Services internal lab environment, the code can't be tested. In these cases, Microsoft does review the code, and tries to establish that adequate testing has been performed by the customer, based on the documentation provided. Customers are encouraged to test dependencies within the PPE prior to the production deployment. Pre-Production Environment Validation Microsoft provides a pre-production environment (PPE) so that customer development teams can validate customizations before moving on to the production environment. The PPE is a scaled-down replica of the production environment that matches production configuration. This enables validation of custom solutions prior to deployment in a production environment, and validation of existing production custom solutions against a new version of Office SharePoint Server (patch, service pack, major release). The PPE is not subject to an SLA or availability KPI. For more information about the PPE environment, review the "SharePoint Online Customer Handbook" located at the Microsoft Online Services customer knowledge base site. The virtualized PPE environment is designed to have the same logical architecture as the production environment, with the following restrictions: The total volume of content does not exceed 150 gigabytes (GB). The total number of content databases per Web application does not exceed 2. Up to 250 concurrent users can access the PPE at the same time. The PPE is not configured to send mail. The PPE validation process begins with the customer submitting a new or updated customization package to Microsoft. Microsoft reviews the design and documentation at the weekly CAB meeting. Only after approval from the CAB can the solution be implemented in the PPE for validation. Deployment to the PPE usually occurs approximately one week after the package is submitted to Microsoft, and following CAB approval. Note: The PPE environment is not intended for scale and performance testing—it is intended only for performing the UAT/smoke testing of the customization. After the solution is installed in the PPE, the customer can access the solution to do the following: Validate the solution in a user acceptance test (UAT) environment before production deployment. Provide designated users access to the solution prior to going live in production. Microsoft SharePoint Online Dedicated Custom Solution Policies and Process 26 Validate existing custom solutions (solutions that are currently in production) with SharePoint Online upgrades or updated custom solutions. Microsoft Responsibilities Provide a dedicated, hosted PPE to validate the customer solutions. Deploy the custom solution following the customer's installation guide. Test that the customization is successfully deployed using the test process provided by the customer. Provide data connections to existing data connections, systems, or services within a UAT scenario. Maintain the environment to ensure that it replicates the current settings and configurations in production. Customer Responsibilities Verify that the solution is working as expected according to the customization project schedule. Provide details about what has changed, in the case of an update to an existing solution or new package. Submit details on rolling back or installing the previous version of the customization. Provide details about any problems that should be expected while the update is run. Note: There is no separate section of the PPE that is reserved for validating solutions destined for just the partner-accessed environment. From a customization validation perspective, a partner access solution can be validated against the standard PPE environment. Developers may encounter an issue if they directly parse the user identity (user@UPN.com versus domain/user). However, if SPUser objects are used, testing can be completed within the existing PPE environment. After the customization has been fully validated in PPE, the customer must sign off via e-mail to the TAM and Microsoft service manager so that Microsoft operations can proceed to deploy the customization in the production environment according to the change window calendar. Change Advisory Board (CAB) Production Review If the Microsoft engineering team and the customer development team approve the customization deployment for production, the Microsoft engineering team prepares supporting documentation for submission to the next CAB meeting for production deployment approval. If the CAB rejects the deployment, deployment is canceled for that change window. Details of the failure are provided to the customer's development team, and the customer is contacted to begin remediation—first by e-mail and if necessary with follow-up meetings. After remediation, testing is rescheduled for the next available change window. More details about the CAB process are available in the Microsoft Online Services Change Management Service Description document. Microsoft Responsibilities Test the deployment process and evaluate installation, rollback, and test documentation. As far as possible, validate the basic functionality of the new customization via the smoke test (validation test) that is provided by the customer. This may not be possible if a dependency (Web service, data, or system) is unavailable in the Online Services lab environment. Review the security of the application for protection against SQL injection, impersonation, and cross-site scripting. Microsoft SharePoint Online Dedicated Custom Solution Policies and Process 27 Important This review does not constitute the following: Full security review (which the customer should perform at the design phase). Handling, transport, or dissemination of any confidential information. Evaluation of the quality of the error handling and exception handling. Production Environment Deployment After the custom solution is approved by the CAB, Microsoft prepares to deploy the solution to the production environment. This happens during an upcoming change window in the Online Services production environment. These windows are dedicated deployment windows for tested and approved customizations, and are usually scheduled for Friday evenings. All customers receive a change window schedule from their TAM to calculate the work-back dates for developing a solution, submitting a customization package, and moving the customization package through the test and review process. The production environment deployment includes the following: Installation of the solution packages to the SharePoint Online environment as outlined in the deployment guide. Testing the deployment based on the customer-specified validation instructions, to ensure that the solution successfully deployed. Important Deployment does not include any further activities by the Microsoft operations team. Microsoft does not do any performance or functional testing in the production environment. If the nature of the customization requires extensive testing after deployment, it is the customer's responsibility to make resources available to perform this work. If negotiated in advance, a Microsoft operations team member can be available for the duration of the window to help make minor adjustments to the deployment. When the deployment window expires, all further updates to the customization that require operational deployment must be approved through the CAB process. Microsoft Responsibilities Deploy the customization following the customer's installation guidance in the deployment guide. Test to ensure that the customization is successfully deployed, using the smoke test process that is provided by the customer. If the deployment is unsuccessful, roll back the customization following the rollback plan provided by the customer. Respond immediately to any customer notification of corruption or problems with a customization. In the event of a serious problem, during business hours, initiate an emergency CAB meeting if criteria are met to roll back to the most current version available. If the customer requires a customization to be rolled back after business hours, a service request must be opened via the customer's help desk and escalated to the Online Services support team. Important There is a risk of loss of content or information if a rollback is required. The customer must notify Microsoft as quickly as possible, to minimize the loss of content. Customer Responsibilities Make resources available if necessary during the deployment window to test the functionality and confirm the performance of the customization. Microsoft SharePoint Online Dedicated Custom Solution Policies and Process 28 Notify Microsoft as soon as possible about any corruption or problems with the customization. Re-Drop Policy for the Customization Package A re-drop is a resubmission by the customer of any part of the customization package that might be able to keep the same change (deployment) window. The following re-drop policy outlines what is eligible for a re-drop and under what circumstances a re-drop can occur. The timeframe references are based on the testing schedule shown in Figure 2. Re-drop for the same change window will not be possible if the solution is considered so large that review by day three after the customization package was submitted is not feasible. The Online Services engineering team provides an assessment of the project size during the HLD review process. For small and medium solutions, the Online Services engineering team completes the initial engineering review by day three after the customization package was submitted. This initial review includes only the re-drop–eligible testing, as outlined in Table 4 below and in the installation/uninstall script. If the deployment fails and is delayed, Microsoft does not guarantee that the initial review will be completed by day three after the customization package was submitted. Some test steps cannot be performed until the solution successfully deploys. Only one deployment re-drop is permitted per change window. If the re-drop fails during the Microsoft engineering team review, deployment of the customization package is postponed until the next available change window. Re-dropped code must be delivered to Microsoft by the end of day five after the customization package was initially submitted and must be validated by CAF again prior to re-drop. If code was submitted on a Thursday, this is the next Thursday (unless a holiday intervenes). If deployment, installation, or configuration of the solution fails due to a customer code failure, Microsoft does not allow a re-drop for the same change window. If the failure is a problem with the installation script or deployment documents and the affected documents can be corrected before day five after the customization package was submitted, Microsoft does permit a re-drop. When submitting a re-drop, the customer must carefully document the changes that have been made after the initial drop, and must provide a traceability matrix and a statement of the impact of the change. The re-drop is a new deployment package validated by the CAF tool, and must include the entire deployment package with the changes and fixes. If the customer fails to provide this information, the submission regrettably must be rejected, and deployment is moved to the next change window. Microsoft reserves the right to reject a delivery if the design deviates fundamentally from the approved HLD. An updated HLD document must be submitted to reflect the design change, if the re-drop modification constitutes a design change. Table 4 provides additional details about the re-drop policy. Microsoft SharePoint Online Dedicated Custom Solution Policies and Process 29 Table 4. Re-Drop Policy by Test Step Microsoft Test Step Failed Test Step Eligible for Re-Drop Evaluate deployment Evaluate installation/uninstall script. Yes Evaluate deployment guide. Yes Determine whether deployment overwrites system files. Yes Check for memory leaks Check object disposal, file handles, connections. Yes All code fully trusted Ensure that all code is listed as fully trusted in Web.config. Yes Evaluate cross-site scripting vulnerabilities Confirm that all input is properly encoded and code is not vulnerable to cross-site scripting (XSS). Yes Test for SQL injection Confirm that the input used for SQL queries is not vulnerable to SQL injection. Yes Confirm that CSS/JavaScript/Images/Styles are on hard disk. Yes Confirm that caching is used as appropriate, and cache invalidated as appropriate. Yes Inherit from System.Web.Webpart rather than from Microsoft.SharePoint.Webpart. Yes Verify SQL queries for Enterprise Search. Yes All protected methods handle exceptions and log exceptions to event viewers. No Determine whether error handling and exception handling are sufficient Exception handling in Feature receivers is rethrown. Application writes to custom Event Node <Customer codename_log>. Events have unique IDs and specify source, category, type, and description. Code falls within customization policy Confirm that all customizations are supported within the customization policy. No Elevated privileges Ensure that best practices are followed for all cases where elevated privileges are used. No Unmanaged code Ensure that unmanaged code is properly handled. No Compatibility with current version of Office SharePoint Server Check to ensure execution within the current production version of Office SharePoint Server. No Best practices Ensure that code is thread safe. No Microsoft SharePoint Online Dedicated Custom Solution Policies and Process 30 Online Services Engineering Policies for Custom Solutions This section describes Microsoft Online Services engineering policies for SharePoint Online Dedicated custom code deployments. System Monitoring Where possible, Microsoft requires that all customizations write to the event log and, if possible, also to the Unified Logging Service (ULS) log for SharePoint Server. A customization that cannot be monitored may be deemed unsupportable. The current version of CAF does not validate whether the customization writes to the event log; however this action is validated via the manual test cases. If the customization contains the ability to write to the event log to report errors or problems, Microsoft may configure Microsoft Operations Manager or Microsoft System Center Operations Manager to record and respond accordingly to the events using alerts. Monitoring configuration occurs during the same change window as the deployment. If the customization has no ability to write to the event log, this step is skipped. However, it is critical that the customization provide a means to monitor its health. Without one, Microsoft is dependent on users reporting problems with the customization, and has no means to assess or measure the health of the customization. If Microsoft finds that a customization feature is adversely impacting a core service or service stability, Microsoft reserves the right to disable the customization, and provide notification to the customer immediately after stability has been achieved or the core service is back online. All custom applications from the customer development team must use a custom event node of the form <customer codename_Log>. In the monitoring section of the deployment guide, provide instructions for actions that must be taken in the event of errors. Proactive operational monitoring is critical and any customization-related errors that must be monitored are logged into the event log. Third-party solutions can log on to the application event logs, but must have unique IDs, and must specify the source, category, type, and description of the event. Within the customization package, the deployment guide must include the following information for all events: Event type Event source Event category Event ID Error string Description of error Impact of error In addition, each event must have a troubleshooting article associated with it. For a troubleshooting article template, see "Appendix G: Troubleshooting Guide Template" later in this document. Microsoft Responsibilities Evaluate the event log that is provided in the customization package, and determine whether monitoring is possible and necessary. If a customization adversely affects a core service, disable the customization and notify the customer. Customer Responsibilities Ensure that the customization writes information to the event log, which will assist with assessing the health of the customization. Microsoft SharePoint Online Dedicated Custom Solution Policies and Process 31 Act quickly when notified that a customization must be disabled or removed due to adverse impact to a core service or service stability. Patching Impacts To ensure the stability and security of Microsoft Online Services, it may be necessary to patch customer environments. Some updates are both critical and time-sensitive, others are not. Microsoft performs besteffort testing of patches (hotfixes and cumulative updates) or service packs to ensure a smooth deployment. However, Microsoft does not test patches or service packs against deployed customizations. Note: It is the customer's responsibility to perform any pre-deployment testing of patches or service packs against their customizations. Customers can reference the customer-facing build guides or contact their TAM for the latest patch levels and planned patching for their environment. Microsoft deploys patches (and service packs to the customer's PPE a minimum of six weeks before the deployment of the patches or service packs to the production environment. Security patch releases, such as the monthly security patches, are applied to the PPE and production environment on a shorter release schedule due to the critical and time-sensitive nature of the patches. When best practices are followed, customizations rarely need to be modified or touched because of a patch or service pack. Microsoft Responsibilities Test patches and service packs against the standard hosted environment to confirm that no problems arise and that the deployment process is successful. If the update is not critical or time-sensitive, notify the customer at least ten days before the deployment of any patches or service packs. If the patch is not publicly available, provide a copy of the patch on demand if the patch is released and being distributed externally. If an update is critical and time-sensitive, notify the customer as soon as possible before deployment of the patch. Customer Responsibilities Test customizations against the patch or service pack in the test environments (optional). Contact Microsoft as soon as possible if any problems related to patches are found. Except when the problem requires an emergency CAB update sooner than the negotiated deployment window, provide Microsoft with the necessary update and documentation to mitigate or prevent the problem when the patch or service pack is applied. To view the criteria for an emergency CAB meeting, see "Break-Fix Remediation" later in this section. Updating a Customization When a customer provides an update to a customization that is deployed in the production environment, the customer should follow the steps described in "Timeline Overview of Customization Process" earlier in this document. Some steps are completed more quickly when minimal code changes have been made. When the customer submits an update to a customization or its documentation, it is very important to highlight in the deployment guide what is changed and to provide details about the uninstall or rollback process to the previous version. It is also important to call out any problems that might be expected with the update. Microsoft Responsibility Determine whether the validation process can be completed more quickly than the normal 10 days. Microsoft SharePoint Online Dedicated Custom Solution Policies and Process 32 Customer Responsibilities Provide complete documentation, as specified in "Updating Existing Custom Code" earlier in this document. Understand that the Microsoft engineering team will take the update through the entire validation process, although that process may be a bit shorter for an update than for a new customization. Break-Fix Remediation Break-fix remediation addresses what happens if a critical problem is found with a customization that is deployed within the production environment—whether the problem occurs immediately after deploying the customization, or some time later. These are the immediate options that are available to customers: Retract the solution. Roll the solution back to the previous production version. Wait until a custom code fix can be deployed. Microsoft makes every effort to accelerate the testing of the fix, but does not provide a specific shortened SLA. If remediation of the issue is required, it is generally handled in the same manner as other changes made to the production environment, as directed by the change management process. All efforts are made to perform remediation as quickly as possible, but the change cannot be made until the first available negotiated change (deployment) window that occurs after the break-fix solution remediation is complete. Important No changes will be accepted to the deployment documentation after the customer has signed off on PPE validation. The customer will need to reschedule the deployment date to the following change window, if any further changes to the customization are identified. For a detailed description of the process to escalate post-deployment issues that are related to customizations, see "Appendix L: Process to Escalate Customization Post-Deployment Issues" later in this document. Emergency Change Remediation If a critical problem meets the Microsoft emergency change criteria, the remediation is accelerated by Microsoft to address the situation as quickly as possible. Emergency deployments are not restricted to a scheduled window, and all effort is made to negotiate the window between Microsoft and the customer. Emergency change criteria for a broken customization are defined as follows for a break-fix situation. One or more of the following criteria must be met: Causes a significant and quantifiable business impact. Impacts availability or system stability. Puts information or the security of content at risk. Microsoft SharePoint Online Dedicated Custom Solution Policies and Process 33 Important The following are not emergency change criteria: o Errors that affect the visual presentation of data. o Errors that affect the display of content from a third-party solution. o A customization that doesn't work as expected but doesn't meet the emergency change criteria. If the problem does not meet the emergency change criteria, the change must be submitted like any other update through the regular customization process. Within 24 hours of receipt of the emergency customization package, Microsoft responds with the time required to deploy the code to production. The time that is required depends on both the complexity of the code and the risk to the service. The customer should escalate a service-impacting situation caused by a customization to the Microsoft Online Services support team, with a joint troubleshooting session if the root cause is unknown. A change request (CR) may follow if a code update is required. If the service is not impacted and the solution is known, then customer must fill out a High Priority CR after the solution is fixed and fully tested on premises. If custom code has an adverse impact on the Online Services customer experience, or impacts the ability of Microsoft to meet its SLA for performance, stability, and availability to clients, it will be necessary to take immediate action. This may include debugging the application and optimizing it for current load and stress conditions, or removing the code from the environment to return to a stable state. If one of these situations occurs, an emergency CAB meeting is called, and the customer is consulted to make the best decision possible. Important The SLA is suspended for any downtime that is incurred during emergency change deployment. Microsoft Responsibilities Respond within 24 hours when notified by a customer of a problem within the environment. If the problem meets one of the emergency change criteria, take the request to the emergency CAB. Validate the proposed change as quickly as possible. Customer Responsibilities Notify Microsoft as soon as possible via a service request (SR) when a problem is encountered. If necessary, build an update to address the problem, and provide adequate documentation for Microsoft to install, smoke test, and roll back. Be ready to validate the change immediately after the remediation deployment notification is sent. Impact of SharePoint Online Upgrade on Customizations Microsoft Online Services has committed to providing customers with the most recent version of Office SharePoint Server. This means that at some point, Microsoft will upgrade the current Office SharePoint Server version that is used for SharePoint Online to the next release. The customization upgrade process is the same as the customization validation process, with the exception that in the upgrade process there are no HLD reviews. Customers will receive upgrade guidance documentation regarding specific dates at least four months before their upgrade date. The upgrade process is documented in Figure 3. Note: The upgrade processes documented here may change for future releases. Microsoft SharePoint Online Dedicated Custom Solution Policies and Process 34 Figure 3. Online Services upgrade to new version of Office SharePoint Server Microsoft Online Services will provide customers with access to the upgraded SharePoint Online preproduction environment 11 weeks before the customer's environment will be upgraded. The 11-week timeframe before upgrade consists of two periods: a 9-week validation of the PPE environment and a 2week user acceptance testing of the production environment. During the 9-week PPE validation, the customer will get three code drops. The customer needs to deploy at minimum a third of the upgraded customizations in the first code drop. After the PPE validations, the customer will have a 2-week period to do user acceptance testing against the production farm. Important The PPE is only for user acceptance testing and verification. All customizations must be fully tested in the customer's QA environment prior to PPE deployment. Prior to using the PPR, the customer must document any open known issues in the deployment guide. The upgrade schedule is shown in Table 5, with the Microsoft operations team responsibilities and customer responsibilities clearly defined. Table 5. Schedule for Upgrade to Next Version of Office SharePoint Server Week Activity 16 Generate inventory and CAF reports 16 Upgrade dev and test environments 15 Deliver reports to customer 15-11 Upgrade impacted customizations Microsoft Operations Microsoft SharePoint Online Dedicated Custom Solution Policies and Process Customer 35 Week Activity Microsoft Operations Customer 11 Build PPE 11-10 Validate batch 1 9 PPE installation of batch 1 9 PPE customization validation 9-8 Validate batch 2 7 PPE installation of batch 2 7 PPE customization validation 7-6 Validate batch 3 5 PPE installation of batch 3 5 PPE customization validation 4 Complete verification in PPE 3-2 Production and disaster recovery deployment 1 Final upgrade user acceptance testing 1 New HLD documents accepted 0 Upgrade event Microsoft expects the customer to provide the necessary resources to adequately review the customizations and confirm full functionality. It is the customer's responsibility to make any changes necessary for the code to work after the migration, following the standard Microsoft review and documentation process. This structured approach to SharePoint Online upgrades is designed to provide a seamless migration process. If Microsoft discovers any customization that it feels will be difficult to migrate, this will be called out in a customization inventory report and provided to the customer. Microsoft SharePoint Online Dedicated Custom Solution Policies and Process 36 Service Policies Service policies define the customization types by which SharePoint Online Dedicated can be modified. Supported customization types are shown in Table 6. If a customization type is not listed, it might still be supported; contact the TAM for clarification. Table 6. Supported Customization Types Customization Type Supported Comment Custom-managed path No Microsoft Online Services does not support custom-managed paths used for self-site creation (users creating their own site collections through the SharePoint interface). SharePoint database schema change No Changes directly to the database schema are not supportable. SharePoint database data access No No access is provisioned directly to the SharePoint databases. All access to the databases is via the object model (OM) or Web services. Modify built-in SharePoint files No Online Services does not support any changes to the SharePoint files on the file system. This includes shipped site definitions. Web services access Yes All Web services that ship with Office SharePoint Server are exposed. Office SharePoint Designer editing Yes Any changes that can be made with Office SharePoint Designer are supported. Change mapped host name after deployment No Online Services does not support the changing of the hosted domain name—for example, sharepoint.contoso.com—after the environment has been deployed. The customer should carefully choose the host name of its environment before service adoption. Visual Studio installed on deployment No Online Services does not allow Visual Studio to be installed on a Web front-end (WFE) server for troubleshooting. Install Microsoft Office client on server No Online Services does not allow Microsoft Office clients to be installed on a WFE server. Microsoft SharePoint Online Dedicated Custom Solution Policies and Process 37 Supported Customizations Policy Table 7 describes the various types of SharePoint customizations that are possible and which are supported within the Microsoft Online Services environment. Non-supported types are either planned for a later release of Online Services solutions or have been determined at this time to pose a risk to the environment, add additional operational overhead, or be potentially difficult to upgrade to future versions of SharePoint Online Dedicated. Table 7. Supported Customization Types Customization Type Supported Comment SharePoint Features Yes Office SharePoint Server Features are server-side customizations at the file system level. They can contain modular items that can be installed and activated in a SharePoint Online environment. Feature stapling Yes Feature stapling, also known as Feature site template associations, is the ability for a Feature to be attached to all new instances of sites that use a given site definition, without modifying the site definition or creating code routines to activate the feature on each site. Feature event receiver Yes A Feature event receiver, or Feature receiver, is a server-side code routine that is called as part of certain key events in the lifetime of a Feature, such as installation, activation, deactivation, or removal. Windows Server® service No The Windows Server service is installed on the server to perform major actions. It runs in a separate process space from the Office SharePoint Server instance. A service has a relatively high cost for deployment and manageability. Timer job Yes A timer job is a built-in Office SharePoint Server object structure that can perform various tasks within the SharePoint Online environment on a scheduled or one-time event basis. Timer jobs pose a risk for system performance and stability. Scheduled task Yes A scheduled task permits the running of code on the Windows-based server on a defined schedule. On event occurrence, the code is run. Scheduled tasks run outside of Office SharePoint Server. There is no trigger from within Office SharePoint Server. Web application No A Web application is code or content installed in a new Web application directory, or as a subdirectory under an existing Web application. It provides functionality that SharePoint does not. Additional Web applications pose an additional support burden on the Microsoft operations team. Web service Yes A Web service is server-side code that exposes code routines to be called from remote systems. Site definition No A site definition is a server-side collection of files that defines the structure of one or more site templates. When a site is created with a custom site definition, it is dependent on that site definition in the future, including when upgrading to a new version of Office SharePoint Server. List definition Yes A list definition provides the schema for an Office SharePoint Server list. Site template Yes A site template is a package that contains a customized site design based on an existing site definition. List template Yes A list template is a package that contains a set of customizations from a base list structure. A list template should not be confused with a list definition. Microsoft SharePoint Online Dedicated Custom Solution Policies and Process 38 Customization Type Supported Comment Field type Yes A field type is an extensible method for allowing new common data structures within Office SharePoint Server for use in lists or other locations that can use SPField objects. Content type Yes A content type is a reusable collection of settings that can be applied to a certain category of content. Content types enable the management of metadata and behaviors of a document, item, or folder type in a centralized, reusable way. Column template (column definition) Yes A site column, also known as a field, is a reusable column definition, or template, that can be assigned to multiple lists across multiple SharePoint sites. Site columns decrease duplication of work and help ensure consistency of metadata across sites and lists. Delegate control Yes Delegate controls allow certain predefined elements pieces of the SharePoint environment to be replaced (like a field control) by other controls through Office SharePoint Server Features. Form template Yes Form templates are user-control–based (ASCX-based) control templates that bring together multiple controls into a nested structure, where each control consists of templates and can be used to richly extend list item forms. Custom action Yes Custom actions are items (commands) that are added to menus or toolbars through the use of Features. _layouts page Yes A _layouts page is any page stored in the _layouts virtual directory within Office SharePoint Server. Event handler Yes An event handler is a server-side code routine that is called when registered events occur within the SharePoint environment. Custom event handlers can be attached to and have a scope of Web application, site collection, Web, list, or document library. Backward-compatible event handler Yes A backward-compatible event handler is a server-side code routine that is called when a registered event occurs within an Office SharePoint Server document library. Backward-compatible event handlers can be attached to and have a scope of a document library only. Coded workflow Yes Coded workflows are Windows Workflow Foundation workflows that reference an assembly for the workflow pipeline. No-code workflow (declarative workflow) Yes No-code workflows, also known as declarative workflows, are sequential workflow pipelines that are configured on a list or document library. They require no installation of server-side code. Workflow activity Yes Workflow activities are compiled classes that are used as a part of the modular steps in a workflow. An activity is used as part of a workflow action that will be run. Workflow activities run as server-side code when used as activities within the SharePoint environment. Solutions that customize or change the Central Administration Web application No Central Administration (CA) is currently not provisioned on all farm Web front-end (WFE) servers as a best practice. In case a customer custom solution is deployed to CA, it is deployed only to the machines where CA is provisioned. This results in a situation where, if there is the need to provision a new CA on a different server on the farm, the custom solution is not deployed to the new server. This causes the features using the solution to malfunction. Microsoft SharePoint Online Dedicated Custom Solution Policies and Process 39 Customization Type Supported Comment Workflow condition Yes Workflow conditions are compiled classes that are used as a part of the modular steps in a workflow. A condition is used to determine when a workflow action will be run. Workflow conditions run as server-side code when used as conditions within the SharePoint environment. Web Part Yes A Web Part is a modular component that is used within the SharePoint environment to perform activities or display information. SharePoint theme Yes Office SharePoint Server themes are collections of graphics and cascading style sheets that can modify how a Web site looks. Document icon Yes Document icons are the graphical items that are used to represent documents that are exposed within document libraries. Each preconfigured document type in SharePoint has a corresponding document icon entry in a server configuration file, but other file formats may lack appropriate icons. iFilter or protocol handler Yes An iFilter is a server-side component that is used by the indexing system to index documents that are identified as having a file format that is associated with the iFilter. Custom iFilters require deployment to all servers in the environment that do indexing; they also require changes to mapped properties for search. A protocol handler enables indexing applications like Office SharePoint Server to systematically crawl the nodes of a data store to extract relevant information to include in the index. Each protocol handler is used to index a specific type of data store. Document converter No A document converter is a custom executable file that takes a document of one file type, and generates a copy of that file in another file type. Information management policy Yes An information management policy is a set of rules for a certain type of important content. Policy enables administrators to control and evaluate who can access the information, how long to retain information, and how effectively people are complying with the policy itself. Business Data Catalog (BDC) definition Yes A BDC definition is an XML file that defines the structures used by the BDC. BDC (GenericInvoker) Yes Customers can use the GenericInvoker property of a BDC entity definition to write back to a data source. BDC-based search crawl No Search crawls based on a BDC definition are not supported. Properties associated with a user profile will be indexable and displayed within People Search. Excel user-defined function (UDF) Yes User-defined functions (UDFs) are server-side managed code, run by Microsoft Office Excel® Calculation Services to provide capabilities not included in the base product. These include: Functions that are not built into Office Excel. Custom implementations to built-in functions. Custom data feeds for legacy or unsupported data sources. Application-specific data flows. InfoPath Forms Services custom code Yes Microsoft Office InfoPath® Forms Services custom code is uploaded and hosted by the server-side Office InfoPath Forms Services. Microsoft SharePoint Online Dedicated Custom Solution Policies and Process 40 Customization Type Supported Comment InfoPath form view control Yes An Office InfoPath form view control is a server-side Office InfoPath Forms Services viewer control can display a Web browser view of an Office InfoPath form. HTTP handler No HTTP handlers are used to handle file requests within the ASP.NET 2.0 framework. For example, within ASP. NET 2.0 and Office SharePoint Server 2007, ASPX page requests and ASMX Web service requests are served by HTTP handlers. HTTP module Yes HTTP modules are classes that handle runtime events in ASP.NET 2.0 and Office SharePoint Server 2007. Pluggable authentication provider No A pluggable authentication provider is a module used by ASP.NET 2.0 and Office SharePoint Server to replace the built-in authentication providers. Custom modules require a high level of testing to help ensure security. Pluggable single signon provider No A pluggable single sign-on provider is a modular component that can be used to handle the storage and mapping of credentials for use in connecting with third-party or back-end systems. This customization type requires a high level of security review and scrutiny. STSADM command extension Yes A custom STSADM command extension is server-side code that allows the Stsadm utility to have new commands available to run from the command line. Inline code No Inline code is server-side code that is directly embedded into a Web page. Inline code has a high level of risk compared to compiled assemblies. Web.config settings change Yes The Web.config file controls most settings for the ASP.NET environment that Office SharePoint Server 2007 is built on. Typically these controls are modified as a part of a solution. Changes must be implemented using a Feature receiver so that they will be automatically populated on all the WFE servers. Manual modification of the Web.config settings is not supported. Security policy Yes A custom security policy grants code access security (CAS) rights to certain server-side code components that run under a specific Web application context. COM server No A Component Object Model (COM) server is an unmanaged library that typically runs on a server with full permissions. COM objects typically perform poorly when interops are set up between the COM object and .NET code. Microsoft SharePoint Online Dedicated Custom Solution Policies and Process 41 Appendix A: SharePoint Developer Resources This appendix offers links to content that may be useful to developers of custom code for SharePoint Online Dedicated. It also presents a discussion of best practices for developers. Getting Started SharePoint Developer Center Primary MSDN site for SharePoint developers. Office SharePoint Server - TechNet site Articles and blogs about Office SharePoint Server that are submitted and rated by the general community. Best Practices Resource Center for Office SharePoint Server 2007 - TechNet site Best practices as outlined by the Office SharePoint Server product team and Microsoft Consulting Services. Finding Developer Help for SharePoint Products and Technologies - MSDN article An introduction to where to find SDKs, peer-to-peer forums, MSDN developer centers, and Microsoft TechNet resources that can be helpful for developing with Office SharePoint Server products and technologies. "Development Tools and Techniques for Working with Code in Windows SharePoint Services 3.0" An MSDN article that discusses the differences between Windows SharePoint Services and traditional ASP.NET development (in two parts). o Part 1 of 2 o Part 2 of 2 Working with ASP.NET 2.0 Web Parts and Windows SharePoint Services 3.0 - MSDN article Best practices for deploying custom Web Parts to SharePoint sites. An In-Depth Look at Windows SharePoint Services and Office SharePoint Server 2007 (Level 200) A TechNet webcast by Arpan Shah (91 minutes). Getting Started with SharePoint Development - MSDN blog Helpful information and blog discussions by a Microsoft technical product manager for the Office SharePoint Server Developer Platform. Writing to the Trace Log - MSDN reference Sample code that demonstrates how to write to the trace log, including calls to unmanaged code. If writing to the trace logs, ensure that it adheres to this publicly available documentation. Webcasts The Microsoft Events and Webcasts site offers a series of useful SharePoint webcasts created for MSDN about development on Office SharePoint Server: o Application Development o Collaborative Solutions o Content Management Microsoft SharePoint Online Dedicated Custom Solution Policies and Process 42 o Overview o Portals and Search o SharePoint Internet Business o Workflow More Development Resources Best Practices: Common Coding Issues When Using the SharePoint Object Model - MSDN article Common issues encountered by developers who write custom code by using the Office SharePoint Server object model (updated April 2009). Best Practices: Using Disposable Windows SharePoint Services Objects - MSDN article Appropriate ways to write code using Windows SharePoint Services objects to avoid retaining objects in memory. There is also a section near the end of this article that talks more about disposing objects. The article was recently refreshed to reference the SPDisposeCheck tool. Common Page and Site Customization Tasks - MSDN reference Step-by-step procedures for common page and site customization tasks from SDK. Silverlight Blueprint for SharePoint - MSDN Channel9 Guidance about how to use Microsoft Silverlight™ 2 with Office SharePoint Server. Microsoft Office Interactive Developer Map Version 2 - Office Developer Center download Introduction to interactive mapping of development features to resource material. SharePoint Guidance - MSDN Patterns and Practices A demo and guidance for common topics such as unit testing, debugging, packaging and deployment, setting up a team development environment, solution maintenance and upgrade, and how and when to use Office SharePoint Designer. Approaches to Creating Master Pages and Page Layouts in Office SharePoint Server 2007 - MSDN article Two ways to create ASP.NET 2.0 master pages that define a site's global appearance, and how to create page layouts that define the rendering of specific content pages. E-Learning Resources Microsoft Office SharePoint Server 2007 Training Portal The main portal for all SharePoint related e-learning materials published by Microsoft. Best Practices for SharePoint Developers The following are best practices that have been developed by Microsoft for custom SharePoint solution development. Best Practices for Development Environments Replicate the SharePoint Online environment. The SharePoint Online team creates SQL and SharePoint build guides that describe the build settings and product versions used in the SharePoint Online Production environment, and help customers build their local lab and test environments. Customers can request the build guides from their TAMs. By using these guides the customers can create development and test environments that mimic the actual SharePoint Online environment. Microsoft SharePoint Online Dedicated Custom Solution Policies and Process 43 Configure development environment as a one-way trust. Note that the SharePoint Online environment is configured to use Secure Sockets Layer (SSL), and that the SharePoint Online service is accessed using a fully qualified domain name (FQDN). In addition to this, the Active Directory® service is implemented to use a one-way trust. To validate the customizations—especially the line-of-business systems—be sure to configure the development environment so that a one-way trust is in place. Development Environment Software Best Practices Ensure a complete software installation. In the case where a development environment will have everything installed on the same server, Table 8 shows the software that is typically installed. Table 8: Developer Server Software Software Requirements Windows components IIS, SMTP Microsoft .NET Framework Version 3.5 SP1 Source control client Team Foundation Server (recommended) Visual Studio 2008 Visual Studio 2008 extensions for Windows SharePoint Services 3.0 Microsoft Office system Office SharePoint Designer Microsoft Office Word, Office Outlook®, Office Excel, Office PowerPoint®, Office Access® Software development kits (SDKs) Office SharePoint Server 2007 SDK Office SharePoint Server 2007 Standard or Enterprise Microsoft SQL Server® 2005 or SQL Server 2008 With latest service pack Browsers Windows Internet Explorer® 7.0 or Internet Explorer 8.0 Windows SharePoint Services 3.0 SDK Mozilla Firefox Opera Apple Safari – Windows Version Assemble appropriate aids. Developers should also have the following development aids available: Microsoft Internet Explorer Developer Toolbar Team Foundation Server for source control and build automation .NET Reflector for analyzing .NET assemblies Fiddler Web debugging proxy WSPBuilder SharePoint solution package (WSP) creation tool STSDEV development tools U2U CAML Query Builder SPDisposeCheck SharePoint Dispose Checker Tool Integrate FxCop into the build process. Even though the CAF application validates solutions using FxCop and other tools, it can be beneficial to integrate these tools as a part of the actual build Microsoft SharePoint Online Dedicated Custom Solution Policies and Process 44 process. For more information, see FAQ: How do I run FxCop during a post-build event? from the Visual Studio Code Analysis team blog. Integrate each developer's environment. Developers work within their own environment and use source control to share and integrate their work. Keep in mind that each developer on a team needs an environment similar to the configuration outlined in Table 7. A separate integration environment should also be maintained for formal daily builds. With a product like Visual Studio Team Foundation Server, an automated build process can be established where the checked-in code is compiled and deployed (usually scripted) to the central development server. For additional best practices in this area, see Team-Based Development in Microsoft Office SharePoint Server 2007. Automate Source Control and Build Process Whether a project includes one or many developers, source control is very important for Office SharePoint Server. Office SharePoint Server doesn't support version control or "versioning", so management of the source and build process is vital for a successful project. Microsoft recommends Team Foundation Server for source control and build automation. Tools like WSPBuilder can greatly assist in the build process for the customer's solutions. Do Not Attempt Solution Versioning Versioning custom solutions—that is, maintaining version control over them—is not realistic. Each solution must have a unique name. It is possible to create a unique name for each new version of a solution as it is deployed. However, the contents of the solution can easily overwrite data from a previous version. When there is an overlap in data (DLL, for example), removing the solution causes the data to be removed from the system. All solutions with those common elements then fail to work. Any versioning effort results in a much more complicated support path. Use Proper Namespaces for Customizations Each feature of a SharePoint customization is deployed to the Web front-end (WFE) servers file system, into a folder corresponding to the feature name. In order to minimize the risk of having two features overwriting each other's files, we recommend that the features be named with a proper namespace. For instance, instead of calling the feature Contract, call it HR.Contract. Avoid Feature Versioning Although features can be deployed on specific site collections on a SharePoint Online farm, as with solution versioning, the only way that a development team can version features is to name each feature differently—even features with the same code base. There will seldom be a need to install multiple versions of a feature within the same solution. It's much more likely that newer versions of a solution will contain newly added features―and this doesn't require versioning. It's best not to attempt to have multiple versions on the same farm, primarily because of support issues. Use as Little Code as Possible in Application Development . The less code that the development team needs to write, the fewer bugs are introduced into the system. Also the quicker an application can be fixed and re-installed, the less downtime a system will experience. Sharing common code is conducive to this goal. Common code reduces the code footprint. Each solution should have as little code as possible. Having several solutions per "application" makes for better and safer rapid deployment scenarios. Web sites are active, constantly evolving environments. There is a certain amount of risk with deploying an application, but if the application has many installable components, it becomes safer to test and install one of the components, instead of having all of the components packaged as a single solution. This means breaking down the installation of an application into smaller pieces, and the administrator who runs the installation must make decisions about which specific pieces to update. Internally at Microsoft, a simplified installation process is used to install a single batch file--), which includes all the solutions and applications dependencies with each deployment folder--so that the Microsoft operations team can open up and examine to see what will be happening.. The batch file is very Microsoft SharePoint Online Dedicated Custom Solution Policies and Process 45 configurable and allows for specifying which components to install, in keeping with the strategy highlighted above. When developing an online solution, Microsoft uses Visual Studio Team Foundation Server for building the solution. The solution that is created is simply a series of batch files. Both 32-bit and 64-bit copies of each solution are built. The Office SharePoint Server binaries have the same references, regardless of whether it's 32 or 64-bit, so building a copy directly on a 64-bit machine is not necessary. Plan Carefully when Installing Dependencies Solutions have configuration and application dependencies. Dependencies are not always straightforward, nor are they static over the course of development or even over the life cycle of the code in production. Some dependencies are used by multiple applications. This is where the discussion of "versioning" becomes important. Because versioning is not encouraged, it's important to keep as little code as possible on the system. Almost every application that is deployed will have at least some commonality with other applications. Breaking the solution into smaller deployable units is preferred, so this means that there are many more solutions that have dependencies on one another. Driven by a build environment, all dependencies are kept within an output folder for each application project. This is the only guaranteed way to know the dependences for each project. For testing, this is the difference between being 100-percent certain that the latest binaries were installed and being 90-percent sure. When the dependencies are not included in the output folder, this becomes a tedious manual step: to first install dependencies (from some build number, typically communicated in an e-mail message), and then to install the applications. The customer test team should deploy their solutions in the same manner that the Online Services operations team would deploy the application. Because the test team also wants to be 100-percent certain that all of the latest dependencies on each deployment are included, it's best not to allow anything to change, and to eliminate manual steps. Again, if the dependencies are not kept together in a separate folder, there is not a 100-percent certainty that the version will be correct during installation. It's very easy to grab a mismatched solution, and then have it take hours or even days to realize the mistake. Many product groups handle common dependencies by building and dropping all applications into one folder structure. SharePoint Online development teams for Microsoft use a very iterative deployment cycle, and build only the specific feature being worked on. With this common code the same type of risk exists, but on a less significant scale. It is possible for common code to break dependent solutions that are not in the current build. The test team must identify and verify these issues. One negative aspect of having dependencies in the application output folder instead of a common folder is that it becomes harder for the Microsoft operations team to manage that dependency. However, having a common output folder for commonly used dependencies provides a false sense of security, because actually any solution or feature can modify attributes and assemblies in any other feature without warning. The Microsoft operations team must rely on the customer’s development team's naming convention to know what is happening. It's possible that the development team could accidentally install a feature over another feature of the same name, but that's what the customer test team should be catching. The test team has validated the solution by the time it gets to production, so the expectation is that no errors will be found in the mirror and production environments. Limit the Number of Solution Packages in a Customization When a Microsoft operations team is managing the deployment of a solution to SharePoint Online, having a large number of solution packages that need to be tracked and managed poses a challenge. The more solution packages in a customization, the greater the possibility that something will not be installed correctly, the longer the solution will take to deploy, and the easier it is to mix incompatible versions of solution packages. Microsoft recommends that customers scrutinize their deployment plans and keep the number of solution packages to the minimum number possible needed for the project. Keep in mind that a solution package can contain several features, so there is no necessity to have one solution package for each feature. Microsoft SharePoint Online Dedicated Custom Solution Policies and Process 46 Do Not Use ADO.NET to Connect to Databases SharePoint Online does not support the use of ADO.NET to connect to databases that are not hosted by Microsoft Online Services. Microsoft supports connectivity via service-oriented architecture (Web services). We recommend that, where possible, developers consider using a Windows Communication Foundation (WCF) application instead of just a SOAP-based service. For more information, see the following references: Guidelines and Best Practices for creating Communication Foundation applications (MSDN article) Walkthrough: Creating a Custom Web Service (MSDN article) Creating a Custom Web Service for SharePoint ("Toolbox for IT" blog) Best Practices for Developing Code that Connects to an Internet Address Microsoft Online Services has observed slow crawl times for customer development teams that are writing code or using components that connect to Internet URLs. Examples are stock feeds, RSS feeds, or JavaScript elements from remote services like Google Analytics. The Office SharePoint Server index server that performs search crawling does not have Internet connectivity outbound from the Microsoft data center. This lack of Internet connectivity impacts page rendering because the page waits for the connection request to time out before finishing. We recommend that developers write their code using an asynchronous call system such as AJAX. AJAX is JavaScript that is downloaded by the index server but is not run. It is also best if the index server does not attempt to connect to the Internet. These steps ensure that crawl times are not impacted by the customer's customization. Best Practices for Increasing SharePoint Site Performance Performance is usually a high priority for any Web site deployment, including SharePoint site deployments. Developers who are writing code and deploying code for SharePoint sites with even moderate traffic should consider using the PortalSiteMapProvider for increased performance. The following Microsoft developer blog provides guidance on how to use it: Increased Performance for MOSS Apps Using the PortalSiteMapProvider (in the Microsoft Enterprise Content Management (ECM) team blog) Another useful resource on the use of the CrossListQueryCache object, which is built on top of the object cache / PortalSiteMapProvider: CrossListQueryCache Class (MSDN reference) Configuring Caching All customizations should leverage the appropriate caching mechanisms. For example, the home pages of any portals or other frequently read sites must be configured to use output caching. The Output caching feature can be used on a site (or site collection) only if the Office SharePoint Server Publishing feature is activated for the site. For more information, see the Microsoft TechNet article Caching in Office SharePoint Server 2007. Using Content by Query Web Part Objects Whenever using Content by Query Web Part objects, ensure that they are scoped properly. For example, if the customer must retrieve information from just one site, or from one list in a site collection, it is much less resource-intensive to configure the Web Part to read only that site or list instead of having it enumerate through the entire site collection. Microsoft SharePoint Online Dedicated Custom Solution Policies and Process 47 Customers should archive content that is not necessary and may be inadvertently considered in the scope of Content by Query Web Part. For more information, see the Microsoft TechNet article Additional performance and capacity planning factors (Office SharePoint Server). Removing Unused Web Parts from SharePoint Pages If the customer does not need a Web Part to be present on a Web page, the customer should remove it from the page rather than closing it. Closed Web Parts are still part of the page rendering process, although they will not show anything. The customer should also check the Advanced Web Part gallery and options link to verify whether the customer has any parts in the Closed Web Parts collection. Configuration Management Two mechanisms can be used when changing SharePoint configuration information: Web.config modifications and SharePoint configuration modifications. Web.config modifications are any changes to this file. SharePoint configuration modification includes changes to search settings (scopes, managed properties), audience information, and other settings that are typically accessed via either the Central Administration or the SSP management pages. Customizations that must change these settings must be implemented using Feature receivers. The Feature receivers can use the appropriate SharePoint APIs to update both Web.config and the SharePoint settings. Microsoft reserves the right to reject any customizations that are implemented as applications that need to be manually run by the Microsoft operations team. Microsoft SharePoint Online Dedicated Custom Solution Policies and Process 48 Appendix B: Testing Resources SharePoint Online testing resources and testing best practices are identified in this appendix. It also presents a discussion of best practices for testers. Online Resources Checklist for Testing SharePoint Web Parts 2003 checklist that largely still applies. Testing Your Web Applications for Cross-Site Scripting Vulnerabilities Recommendations on how to handle testing XSS vulnerabilities. Load Testing and Performance Resources Load-Testing Web Applications (MSDN Patterns and Practices) General introduction about how to load-test a Web application. SharePoint Test Data Load Tool Details about the WSSDW.exe test data load tool. Tools for performance and capacity planning (Office SharePoint Server) Details about the WSSDW.exe test data load tool. Load Testing SharePoint 2007 Sites and Applications using Visual Studio 2008 Tester Edition Webcast about using Visual Studio 2008 Tester Edition to scale Office SharePoint Server 2007 sites and applications. Effective Web and Load Testing in Visual Studio Team System (Level 200) Webcast developer session about using Visual Studio Team System to load-test Web applications. Performance and Capacity Planning Resource Center for SharePoint Server 2007 Published resources about performance and capacity planning for SharePoint Online. Caching in Office SharePoint Server 2007 Information about output caching, object caching, and caching for binary large objects (BLOBs). Estimate performance and capacity requirements for portal collaboration environments A usage profile example for load testing purposes. Working with Large Lists in Office SharePoint Server 2007 (white paper) Guidance about strategies for working with large lists hosted within SharePoint Online. Note: The customer will be prompted to download a Word document. How to integrate SP Dispose Check into Visual Studio Solutions A blog entry that outlines the steps necessary to integrate SP Dispose Check into the integrated Visual Studio runtime environment. Best Practices for Testing The following best practices for the testing process are used by the Microsoft Online Services internal development teams. Microsoft SharePoint Online Dedicated Custom Solution Policies and Process 49 Scope of Testing Do not limit testing to just what has changed. Regressions in the code can impact seemingly unrelated portions of the customization. We recommend full test passes, even for small updates. Ultimately, the extent of testing is at the customer's discretion. The secret to success with testing against Office SharePoint Server is to adhere to a process and stay with an agile methodology as closely as possible. (For an overview of agile methodology, see the Agile Modeling site at www.agilemodeling.com/.) Microsoft Testing of Custom Solutions When presented with code from customers, Microsoft performs the following tests: 64 bit machines are required for appropriate testing of all customizations. Check for memory leaks. o Check for object disposal. o Avoid making use of Microsoft Win32® application programming interfaces (unmanaged code). o Verify that file handles are closed. o Verify that connections are closed. o Tool: CAF o Tool: .NET Reflector Determine whether the error and exception handling have been sufficiently done. o Verify that all the protected methods can handle exceptions, and log exceptions to event viewer. o Verify that exception handling in the Feature receivers is rethrown; if not, the Feature is only partially activated. o Verify that all custom applications from the customer use a custom event node, of the form <Customer codename_Log>. o Verify that any generated application event logs (in-house code or third-party) have unique IDs and include source, category, type, and description. Walk through the code to determine whether all customizations fall within the scope of the customization policy presented in this document. Evaluate all cases where elevated privileges are requested by the code. o Reference: Running Commands with Elevated Privileges in Windows SharePoint Services 3.0 o Reference: Best Practices for Using Elevated Privileges and Impersonation in SharePoint Services (Note: This is Mindsharp premium content: the customer must register at the Mindsharp login page to gain access.) Verify that all code is fully trusted. o Confirm that all code is registered within Web.config as fully trusted. Verify that unmanaged code is handled properly. o Verify a smart location of the interop boundary to promote performance. o Verify the use of abstraction or batching layers as appropriate. Microsoft SharePoint Online Dedicated Custom Solution Policies and Process 50 Use of an interoperability technology (P\Invoke, C++/CLI, COM) that matches the code. o Reference: Managed and Native Code Interoperability: Best Practices (Note: This may take some time to load.) o Reference: CLR Inside Out: Introduction to COM Interop o Reference: CLR Inside Out: Marshalling between Managed and Unmanaged Code Evaluate deployment. o Determine whether the deployment overwrites any system files (pre-existing Office SharePoint Server 2007 files on the file system). o Verify that every release has an installation script. o Verify that the solution can be removed, added to, or upgraded when it is run multiple times. o Verify that uninstall scripts are provided to roll back to previous version. Verify that the code runs correctly against the current production version of SharePoint Online. Evaluate cross-site scripting vulnerabilities for all data input. o Make sure to use Server.HtmlEncode. o Test using scripts provided at the MSDN reference site Testing Your Web Applications for Cross-Site Scripting Vulnerabilities. o Reference: How To: Protect from Injection Attacks in ASP.NET Test for SQL injection, especially if a custom database is used. o Test for security vulnerabilities. o Reference: How To: Protect from SQL Injection in ASP.NET. Microsoft Code Analysis Tool .NET (CAT.NET) is a binary code analysis tool that helps identify common variants of prevailing vulnerabilities that can give rise to common attack vectors like cross-site scripting (XSS), SQL injection, and XPath injection. Best practices (recommended, but not a basis for solution rejection): o CSS, JavaScript, images, and styles should be on the hard disk, to use IIS compression (GZip). o Caching should be used appropriately, invalidating the cache as appropriate. o Inherit from System.Web.Webpart rather than from Microsoft.SharePoint.Webpart unless required for Windows SharePoint Services-specific Features, as described in this reference article: Reference: Best Practices: Common Coding Issues When Using the SharePoint Object Model o Verify that code is thread safe. o Verify SQL queries for Enterprise Search, as described in this reference article: Reference: Best Practices: Writing SQL Syntax Queries for Relevant Results in Enterprise Search o Reference: Checklist for Creating SharePoint Web Parts Test Environments Test environments are different from development environments in several ways: Microsoft SharePoint Online Dedicated Custom Solution Policies and Process 51 Neither Visual Studio nor Microsoft SQL Server® database software should be installed. Test environments should be attached to a copy of one or many content databases. Virtual machines (VMs) should be limited to 1.5 GB of memory. The goal in testing the custom applications is to find any failure points (see next section) and test them. Speed is not important; in fact, for testing purposes memory should be limited, to see what happens. If an application passes in this type of environment, it probably doesn't have large memory requirements. Failure Points The following are failure points—actions that are likely to cause failure at some time in the life of the solution—and are considered by the Online Services engineering team to be the most common ones: Altered computer configurations. The developer configures his own computer, and then writes a solution to mimic those (altered) settings. Then the solution is installed in a clean environment where the developer has access. The failure point comes when the developer "fixes" an issue on his own computer, but the problem can't be duplicated in the clean environment. Solution not named with GUID. The administrator installs the solution using a standard name rather than a globally unique identifier (GUID). One result of this action is that there is now no way to version the solution. For example, if the new solution contains a DLL that was installed by a previous (unrelated) solution, the new instance of the DLL overrides the previous instance. Another result is that if the Microsoft operations team removes the first solution, the DLL that both applications are using is removed. The human element: general. There are numerous ways to deploy solutions, but the best course of action is to adhere to a process and deploy the same way every single time, eliminating as far as possible any human variables. For example, needing to assign the same tasks to different individuals is a failure point. Even the requirement for any documentation at all could be considered a failure point. The human element: rushing. Simple changes can be more complicated than they look. For example, a developer may make a very minor change, such as changing the name of a Web Part. However, due to time constraints this "minor text change" is not properly understood by the tester. Consequently, no testing is done, and the install fails. Why? The developer did remember to change the manifest to point to the new Web Part name, but forgot to change the name in the Feature receiver. That's just one scenario; a million similar things could occur. Solution files are fragile. A change in the code or even a change to the structure of the Web site can keep a solution from deploying properly. There is no developer tool that can show everything that the solution is going to do. The only thing developers can do is test out each change. It can be very tough to know whether the latest version of the solution is working or not, especially because developers rarely wipe their computers clean after each install. It is really the customer test team's responsibility to verify that the solution works—in an upgrade situation, for a fresh install, or in the production environment as it is configured today. Multiple Web front-end (WFE) servers. The environment hosted by Microsoft Online Services contains multiple WFE servers. It is not uncommon that the code or deployment process will fail when multiple WFE servers are in a server farm. Make at least one pass against a farm configuration with two WFE servers. Incomplete removal of previous solutions. A previous solution may not be completely removed from development integration or a test environment, causing a number of false positives to be returned because the wrong version of a solution is still deployed. Clean-up prior to the installation of a new build is critical to successful development on SharePoint Online. Also, a detailed list of steps for a complete retraction is necessary in the event of a failed install or failed smoke test. Microsoft SharePoint Online Dedicated Custom Solution Policies and Process 52 Appendix C: Solution Packaging Resources The following links offer information about SharePoint Online solution packaging: Creating a Solution Definition, creation procedure, and code sample of a solution package. Creating a Solution Package in Windows SharePoint Services 3.0 Overview of the packaging process. Solutions and Web Part Packages Solution links in SDK documentation to the Windows SharePoint Services solution framework. Working with Features SDK article about working with Features in Windows SharePoint Services. Understanding Solution Packages in Microsoft Office SharePoint Server 2007/Windows SharePoint Services 3.0 Bill Baer's blog. Building and deploying SharePoint Solution packages Chris O'Brien's blog. WSPBuilder A CodePlex tool for automating the creation of Office SharePoint Server solution files. Microsoft SharePoint Online Dedicated Custom Solution Policies and Process 53 Appendix D: Customization Package Checklist Customers can use this checklist to make sure they have proper documentation ready for the Microsoft Online Services customization package review when delivering custom SharePoint Online Dedicated solutions. This documentation is required for Microsoft analysis and testing of the customization. If any component is missing from the customization package, the entire package is rejected. General Instructions Use the SharePoint Online deployment guide template provided by the customer's TAM or solution architect to indicate the requirements, planned design, and implementation details for the customization. Prior to submission, ensure that all documents (including embedded documents, if any) open without errors. Outline what the customer plans to test and validate (including memory usage, scale, and functionality). It is important that the customer has validated the third-party product prior to providing the deployment guide to Microsoft. Scheduling Information The scheduling information document must include: The expected deployment date for this customization. (If applicable) The expected duration of downtimes for deployment configuration and postdeployment configuration of this customization. If no downtime, indicate 0 minutes. The estimated date for code-drop submission, based on the customer's development calendar. Deployment Guide (Installation Instructions) The deployment guide must include: Instructions for installing all the customization package components. Note: For third-party products, do not point to the vendor's documentation. The customer must provide Microsoft with the necessary documentation in this deliverable. Instructions for conducting the smoke test (validation testing), which confirms that the package was properly installed and the custom solution works correctly. Any architecture diagrams, such as illustrations of dependencies and data flow. List of all prerequisite software. Notation of the presence of open source code, if any open source code is used in the customization. Note: As a part of the deployment guide, the customer is required to provide a waiver in writing that the customer will be responsible for supporting any issues that arise from the open source software. A list of all design changes, if this design is not the original HLD for this customization. Notation of whether the post-deployment validation testing of the configuration must be performed by Microsoft. If so, provide thorough validation steps for the Microsoft operations teams to perform post-deployment. Microsoft SharePoint Online Dedicated Custom Solution Policies and Process 54 Rollback Plan The rollback plan must include the following procedures: Procedures such as uninstall and clean-up for a situation in which the customization must be removed. Note: If it is not possible to roll back a solution, this must be called out in the deployment guide. Solution Packages Each solution package must include: Final tested code for deployment by Online Services. This needs to have been validated with CAF. CAF report, including explanations of all detected rule exceptions. Install and uninstall scripts for the customization package in the Microsoft primary data center. Install and uninstall scripts for the customization package in the secondary data center (if warranted). Note: Ensure that the .zip file format is used for file compression. Test Documents and Results Include details about all elements of the customization that the customer wants deployed, including any third-party components and other solutions that the customer has purchased. This section must include the following test documents: Test plan that describes what was tested, why it was tested, how it was tested, and whether multiple WFE servers were tested. This should include details about what assumptions were made, and a usage profile or any data points that describe the test environment. Test scenarios that were tested, and what devices, browsers, latency, or permissions were used in testing. Describe the variations based on audience and presentation requirements. Unit test results that describe what unit tests were run for feature or functionality testing. This should include which clients were used, what the results were, what dependencies were tested, and what failure situations were tested. Performance and scale test results that describe what performance or scale tests were run against the customization. This should include which usage profile was used and what assumptions were made. Dependencies List List of all dependencies for the code, such as a particular Web service, account, database, solution, feature, patch, tool set, or library. Event Log The event log must include the following components: Table of all event entries that are generated by the customization, with event IDs. Table headings typically include error code, severity, and root cause. Microsoft SharePoint Online Dedicated Custom Solution Policies and Process 55 Troubleshooting instructions for all event entries. Client Troubleshooting Documentation The troubleshooting information must include these two documents: Troubleshooting guidance for client-facing problems. Note: For a template that shows the correct format for the client-facing troubleshooting document, see Appendix G: Troubleshooting Guide Template. One or two test accounts for diagnosing problems with related dependencies, if appropriate. The account should be a low-privilege account that is used for no other purpose. Source Code All source code is treated with utmost confidentiality by Microsoft. Details about the treatment of customer source code can be found in the customer's contract, in the section "Pre-Existing Work." If the solution is a third party off-the-shelf application, no source code is needed for submission. The source code section must include the following: Project files (where available) Source code, validated through the CAF tool Public debug symbols for all custom code Note: Ensure that the .zip file format is used for file compression. Third-Party Licensing Document The licensing document must include: Any third-party licensing keys or certificates for deployment to the environment. Note: Be sure to purchase licenses for both the primary and secondary data center computers. All details about the testing that has been done against the third-party component or solution. Customer's Security and Compliance Review Document We recommend that customers have their own security and compliance team review and approve all customizations that are being presented to Microsoft Online Services for deployment. This review document must include: The customer's Security and Compliance Review approval of the design. All test details from this review process. Monitoring Document The monitoring document must include: All monitoring guidance and details, which must include all information about logging and instrumentation for the custom solution. Microsoft SharePoint Online Dedicated Custom Solution Policies and Process 56 Update or Revision to an Existing Customization When updating an existing customization and therefore existing documentation, any change to the solution requires submission of a complete new package for review that covers the updated solution. Provide the following components to Microsoft: Updated versions of all support documents that are detailed earlier in this checklist, such as an update for the end-user troubleshooting guide. Include descriptions of anything that has changed and any new features that could potentially require support or monitoring. Summary of changes between current version and previous version, in adequate detail to describe clearly what has changed. (Use the "Changes in This Release" section of the HLD template.) The original solution source code, for validating against the new source code. If appropriate, uninstall (rollback) information for the previous customization, along with a test that can be run to confirm that the customization has been removed. Details about any problems that are expected to be encountered during the upgrade: any errors, rendering issues, or other problems that might be expected when upgrading the customization. Microsoft SharePoint Online Dedicated Custom Solution Policies and Process 57 Appendix E: Building a Mirror Production Environment There are several ways to build a mirror production environment. This section details how Microsoft internal development teams approach mirror environments before they deploy customizations to production. For detailed build documents that are customer-ready for the SharePoint and SQL roles, contact the customer's TAM. A new build document is produced with each release of SharePoint Online. Typically, a Microsoft Online Services development machine is configured as an unmodified SharePoint Online environment using Office SharePoint Server 2007 Standard or Enterprise, and having all necessary services enabled and running as appropriate to the current development. Everything runs as an administrator because the developer is either physically on the machine or using Terminal Services. We recommend testing the code on a lower-permission account (or several accounts, if there is a series of actions that can be done with different levels of rights in the system). Test Machines Having two sets of test machines is optimal. One machine should be configured as an integration environment where the code is brought in for the first time with a pseudo-copy of the production environment. This environment is for finding deployment, installation, and functionality issues. It is not suitable for scale testing or load testing, nor should it be used for user acceptance testing, because performance is a key concern for that audience. The second environment should more closely mimic the production environment: it should contain at least two Web front-end (WFE) servers, use SSL certificates (HTTPS), and have Web URLs that are fully qualified, such as https://portal.contoso.com. It is not important to mimic the disaster recovery (DR) portion of the environment, nor is it important to equal the number of WFE servers. However, it is important to consider DR in the deployment guide and installation/uninstall scripts, because both the primary and secondary data centers must be configured. Generally assume a linear unit of scale unless network bandwidth, SQL Server throughput, or SQL Server storage I/O are constraints. The WFE servers above have both the Office SharePoint Server Web and Query services running on the servers. The index server has only the Index service running, and in most cases hosts the SSP Web application. The application server hosts Excel Services in Office SharePoint Server 2007. Finally, expect to have a minimum of two machines running SQL Server, although for testing only one will be necessary. Figure 4 illustrates the deployment of production environment hardware without the introduction of heavy loads or heavy customization. Microsoft SharePoint Online Dedicated Custom Solution Policies and Process 58 Figure 4. Sample SharePoint Online topology Table 9 shows the current hardware configuration for production environment servers. Table 9. Production Server Specifications Specification WFE, Index, and Application Servers Machine Running SQL Server Model HP DL380 G5 HP DL380 G5 CPU 2x4 Intel Xeon 2.33-GHz Quad Core 2x4 Intel Xeon 2.33-GHz Quad Core RAM 16 GB 32 GB Hard Disk 550.4 GB 9894.0 GB If planning a complete production mirror environment, contact Microsoft Online Services for more details about hardware configuration. The above machines would be necessary for heavy load and scale testing; lesser machines or virtual machines (VMs) are generally suitable for all other testing. For integration environments, Microsoft generally recommends virtual machines, which can be constrained as follows: Windows Server 2008, Windows Server 2008 R2, or Windows Server 2003 SP2 SQL Server 2005 - on separate hardware Office SharePoint Server 2007 SP2 with February 2010 Cumulative Update 32-bit,1.5-GB RAM (32-bit VM fine for integration testing, but a pass on 64-bit hardware should also be done) For the production mirror environment, we recommend the following: Physical 64-bit–compatible hardware; we recommend Intel-based hardware to match production Microsoft SharePoint Online Dedicated Custom Solution Policies and Process 59 Windows Server 2008, Windows Server 2008 R2, or Windows Server 2003 SP2 4 GB of RAM minimum, 8 or 16 GB of RAM if load testing will be done 2 to 4 cores, 2-GHz minimum CPU 2 WFE servers and 1 index/application server Dedicated SQL Server environment, SQL Server 2005 with latest service pack Microsoft Forefront® Security for SharePoint Online with SP1 Recommended settings for environments: Disable automatic updates for Windows Server. Verify that the page file for virtual memory is on the C: drive only. Stop and disable the Windows Firewall service. Add service accounts to the Local Administrators group. Ensure that NT Authority/Authenticated Users and NT Authority/Interactive are a part of the Local Users group. Configure the server to not use the Recycle Bin and configure setup to not move files to the Recycle Bin. If desktop antivirus software is installed, configure the antivirus solution to scan files on upload only. Copy the Office SharePoint Server 2007 (Standard or Enterprise) installation bits locally. Install Internet Information Services (IIS) and both ASP.NET 2 and ASP.NET 3. If the site will contain Asian language sites, go to Control Panel and set the Regional and Language options (on the Language tab) to install files for East Asian languages. For IIS, verify that ASP.NET v1.1.4322 and ASP.NET v2.0.50727 are set to allowed status for the machine's Web Server Extensions. Uninstall Internet Explorer Enhanced Security through Add/Remove Programs. Install Office SharePoint Server 2007, and choose Advanced and Complete to install all components. When testing indexing, change the default indexing location to a dedicated drive. After the installation wizard has completed, install the language packs. Install all QFEs or service packs. Verify the correct installation and use of appropriate SSL certificates. Use only fully qualified URLs such as https://portal.contoso.com. Microsoft SharePoint Online Dedicated Custom Solution Policies and Process 60 Appendix F: Implementing Master Pages The Microsoft Online Services Platform Architecture group has prepared the following guidance for implementing master pages. Prerequisites Office SharePoint Server 2007 Office SharePoint Server Publishing Infrastructure Introduction Master pages are a feature of ASP.NET 2.0 and share the common functionality in Windows SharePoint Services 3.0 and Office SharePoint Server 2007. Master pages provide a template that can be applied across a collection of pages to enable the application of a predesigned style and layout to Windows SharePoint Services 3.0 site collections and subsites (Web). In most scenarios, master pages are applied manually after site creation through an Office SharePoint– compatible editor such as Office SharePoint Designer 2007 or through the Office SharePoint Server 2007 user interface. This requires the Office SharePoint Server Publishing Infrastructure feature; however, in some scenarios an organization may want to apply a specific master page when a site collection or Web site is created to complement a governance plan or maintain a consistent visual layout across the platform. Sample Master Page Using Clarity Master Page Sample In Windows SharePoint Services 3.0, when a new site is created it uses the default master page that is located on the file system. The default master page is referenced as default.master in %commonprogramfiles%\Microsoft Shared\Web Server Extensions\12\TEMPLATE\GLOBAL. Windows SharePoint Services 3.0 provides four tokens to reference the master page—two dynamic tokens: ~masterurl/default.master and ~masterurl\custom.master, and two static tokens: ~site/default.master and ~sitecollection/default.master. (Tokens are specific to Windows SharePoint Services and are not applicable to ASP.NET 2.0.) For additional information, see Customizing Master Pages in Windows SharePoint Services in MSDN. Windows SharePoint Services 3.0 provides classes for responding to Feature events, which allows trapping and responding to an event that fires when a Feature is installed in the server farm, when a feature is added to a new virtual server, or when a Feature is removed. Feature provisioning callouts allow specific code to be written to handle various events that transpire in the life cycle of a Feature. To develop a server-level Master Page Feature: 1. Create a directory to store all of the necessary resource files required to build the Windows SharePoint Services 3.0 solution package. In this document, C:\Temp is used. 2. Create a TEMPLATE directory in C:\Temp to store the solution Features and supplemental resources. 3. Create a FEATURES directory in C:\Temp\TEMPLATE to store the Features used in the solution. 4. Create optional IMAGES and LAYOUTS directories in C:\Temp\TEMPLATE to store resource files used by the master page. Note: The directories created in the previous steps are relative to %commonprogramfiles%\Microsoft Shared\Web Server Extensions\12\BIN. 5. Create a DLL directory in C:\Temp\. This directory will store the Windows assembly (Feature receiver) used by the Features. Microsoft SharePoint Online Dedicated Custom Solution Policies and Process 61 Master Page Feature Use the following steps to create a Feature that applies the custom master page to site collections when created either through the Office SharePoint Server user interface or the SharePoint Administration Toolkit. Features are filing-system–level customizations that contain items that can be installed and activated in an Office SharePoint Server environment. To create the site collection Master Page Feature 1. Create a Sample.MasterPage directory in C:\Temp\TEMPLATE\FEATURES. 2. Create Feature.xml in the Sample.MasterPage directory created in the previous step with the following content which uses the Feature element to register the Feature. <!-- _lcid="1033" _version="12.0.4518" _dal="1" --> <!-- _LocalBinding --> <FeatureId="<00000000-0000-0000-0000-000000000000>" Title="Sample Site Collection Master Page" Description="The sample master page provides an instant style ready to be applied to your SharePoint site." Version="1.0.0.0" Scope="Site" Hidden="False" DefaultResourceFile="core" xmlns="http://schemas.microsoft.com/sharepoint/"> <ElementManifests> <ElementManifestLocation="ProvisionedFiles.xml"/> </ElementManifests> </Feature> Feature.xml defines the Feature properties, to include the GUID, title, description, and other information to identify the Feature. The <Feature> element defines the Feature and specifies the location of assemblies, files, dependencies, and additional properties that support the Feature. In Feature.xml the Title attribute specifies the name of the Feature as it appears in the Office SharePoint Server user interface, and is supported by the Description attribute, which can be used to specify additional descriptive text to identify the Feature. It is best to provide a clear description of the Feature, its purpose, and its scope in the Description attribute, to easily identify the Feature in the Office SharePoint Server user interface. The Scope attribute specifies the scope at which the Feature applies itself. In this example, the scope is at the Site level. The Hidden attribute specifies whether the Feature is visible in the Office SharePoint Server user interface, and the DefaultResourceFile specifies the default resource file to be used by the Feature. The <ElementManifests> element specifies references to element manifests and element files that contain definitions for the Feature elements. See Feature Element (Feature) for additional information about the Feature element and attributes. 3. Replace the GUID in the sample code above with a new GUID using %programfiles%\Microsoft Visual Studio 8\Common7\Tools\guidgen.exe. 4. Create a MasterPages directory in %commonprogramfiles%\Microsoft Shared\web server extensions\12\TEMPLATE\FEATURES\Sample.MasterPage. This directory will be used to host the master page applied to sites by this Feature. 5. Create a ProvisionedFiles.xml in the Sample MasterPage directory with the following content, which specifies details specific to the master page applied by the Feature. <!-- _lcid="1033" _version="12.0.4518" _dal="1" --> <!-- _LocalBinding --> <Elementsxmlns="http://schemas.microsoft.com/sharepoint/"> Microsoft SharePoint Online Dedicated Custom Solution Policies and Process 62 <ModuleName="OSGMasterPages"Url="_catalogs/masterpage"Path="MasterPages"RootWeb Only="TRUE"> <FileUrl="Sample.master"Type="GhostableInLibrary"> <PropertyName="ContentType"Value="$Resources:cmscore,contenttype_masterpage_nam e;" /> <PropertyName="PublishingPreviewImage"Value="/_layouts/images/clarity/clarity.g if" /> <PropertyName="MasterPageDescription"Value="Sample Master Page" /> </File> </Module> </Elements> ProvisionedFiles.xml defines the resources that are provisioned on the Web server as a component of the underlying associated Feature. Feature Stapling Feature stapling is a method by which developers can apply or attach a Feature to all new instances of sites using a given site definition and preserving the site definition integrity without the complexity and overhead of code routines that activate a Feature on a site or collection of sites. Feature stapling is implemented through a Feature that is specifically designed to apply other Features to one or more site definitions in addition to making that Feature available to any new sites created from any site definition. For more information, review the MSDN article Feature Stapling. To create a feature that uses Feature stapling 1. Create a Sample.Stapler directory in C:\Temp\TEMPLATE\FEATURES. 2. Create an ElementsManifest.xml in the Sample.Stapler directory with the following content, which specifies the site definitions to which the Feature created in the previous steps applies. ElementsManifests.xml contains definitions for the Feature elements. <!-- _lcid="1033" _version="12.0.4518" _dal="1" --> <!-- _LocalBinding --> <Elementsxmlns="http://schemas.microsoft.com/sharepoint/"> <!--Clarity.MasterPage Feature--> <!--Team Site--> <FeatureSiteTemplateAssociationId="A89F34C5-66C6-41d4-8CCC362892BBAD42"TemplateName="STS#0" /> <!--Consoto.Web.Master Feature--> <!--Team Site--> <FeatureSiteTemplateAssociationId="7E573FEB-418F-4a02-B5432169212B0477"TemplateName="STS#0" /> </Elements> The <FeatureSiteTemplateAssociation> element specifies the site templates to which the Feature should be associated. In ElementManifest.xml the Id attribute specifies the GUID for the site template that the Feature should be associated to, and the TemplateName attribute specifies the friendly name of the template that is associated with the GUID in the Id attribute. In this example, the Feature is associated with an example collection of the pre-existing site definitions for both sites and Webs. Use additional site templates as needed, by adding the identification values in the <Elements> element. This uses the Feature element to register the Feature. <!-- _lcid="1033" _version="12.0.4518" _dal="1" --> <!-- _LocalBinding --> <FeatureId="00000000-0000-0000-0000-000000000000" Title="Clarity Stapler" Microsoft SharePoint Online Dedicated Custom Solution Policies and Process 63 Description="Clarity Stapler Feature" Version="1.0.0.0" Scope="Farm" Hidden="False" DefaultResourceFile="core" xmlns="http://schemas.microsoft.com/sharepoint/"> <ElementManifests> <ElementManifestLocation="ElementManifest.xml"/> </ElementManifests> </Feature> To create the Web-Scoped Master Page Feature, create a Sample.Web.Master directory in %commonprogramfiles%\Microsoft Shared\web server extensions\12\TEMPLATE\FEATURES. Create Feature.xml in the Sample.Web.Master directory with the following content, which uses the Feature element to register the Feature. <!-- _lcid="1033" _version="12.0.4518" _dal="1" --> <!-- _LocalBinding --> <FeatureId="00000000-0000-0000-0000-000000000000" Title="Sample Web Master Page" Description="The sample master page provides an instant style ready to be applied to your SharePoint site." Version="1.0.0.0" ReceiverAssembly="SampleReceiver, Version=1.0.0.0, Culture=neutral,PublicKeyToken=2f0124eb80d993f2" ReceiverClass="SampleReceiver.FeatureReciever" Scope="Web" Hidden="False" DefaultResourceFile="core" xmlns="http://schemas.microsoft.com/sharepoint/"> <ElementManifests> <ElementManifestLocation="ProvisionedFiles.xml"/> </ElementManifests> <Properties> <PropertyKey="MasterName"Value="Sample.master"/> </Properties> </Feature> Create a ProvisionedFiles.xml in C:\SampleMasterPage\TEMPLATES. <!-- _lcid="1033" _version="12.0.4518" _dal="1" --> <!-- _LocalBinding --> <Elementsxmlns="http://schemas.microsoft.com/sharepoint/"> </Elements> ProvisionedFiles.xml defines the resources that are provisioned on the Web server as a component of the underlying associated Feature. Master Page Feature Receiver Sample Code (C#) The Feature receiver provides the ability to respond to Feature events that permit trapping and responding to an event that fires when a Feature is installed in the Web farm or is added to a Web application, or when a Feature is removed. For additional information about Feature events, see msdn2.microsoft.com/en-us/library/ms469501.aspx.Or, for additional information about using Feature receivers to modify master page properties and application on an SPWeb object, see blogs.msdn.com /bgeoffro/archive/tags/branding/default.aspx. The Feature receiver is the core of the master page solution. It enables a method by which an event is acted on when the Feature function or functions are called. The Feature receiver used in this example is Microsoft SharePoint Online Dedicated Custom Solution Policies and Process 64 called by the Clarity.Web.Master Feature. Event handlers within the Feature Receiver class are fired when the Feature is installed, activated, uninstalled, or deactivated. To instruct the SPWeb object to use the new master page, supply the necessary code inside the FeatureActivated event handler. In the sample Feature receiver, the master page URL used by the site is set to the custom master page on FeatureActivated. Sample Feature Receiver for Server-Level Master Pages using using using using using using System; System.Runtime.InteropServices; System.Web.UI; System.Xml.Serialization; Microsoft.SharePoint; Microsoft.SharePoint.WebControls; namespace SampleReceiver { publicclassFeatureReciever : SPFeatureReceiver { publicoverridevoid FeatureActivated(SPFeatureReceiverProperties properties) { <try { SPWeb curWeb = (SPWeb)properties.Feature.Parent { //code } string strMaster = string.Empty; strMaster = properties.Feature.Properties["MasterName"].Value; if ((strMaster != null) && (strMaster != string.Empty)) { using (SPSite curSite = curWeb.Site) { SPList oMasterList = curSite.GetCatalog(SPListTemplateType.MasterPageCatalog); SPQuery oQuery = newSPQuery(); oQuery.Query = "<Where><Eq><FieldRef Name=\"FileLeafRef\" />" + "<Value Type=\"File\">" + strMaster + "</Value>" + "</Eq></Where>"; SPListItemCollection oItems = oMasterList.GetItems(oQuery); if (oItems.Count > 0) { string strSiteURL = string.Empty; // Get the server-relative URL of the root Web site in the Site Collection. strSiteURL = curSite.ServerRelativeUrl.ToString(); if (!strSiteURL.Equals("/")) strSiteURL += "/"; strMaster = strSiteURL + oItems[0].Url.ToString(); // Set the URL of the master page used for the Web site to the custom master page. curWeb.MasterUrl = strMaster; curWeb.CustomMasterUrl = strMaster; curWeb.Update(); } } } } } catch (Exception ex) { throw new Exception("Failed to update the master page.<br>" + ex.Message.ToString()); } } // Feature provisioning callouts allow you to write specific code to handle various events that transpire in the lifecycle of a Feature. publicoverridevoid FeatureDeactivating(SPFeatureReceiverProperties properties) Microsoft SharePoint Online Dedicated Custom Solution Policies and Process 65 { //Restore the default values SPWeb curWeb = (SPWeb)properties.Feature.Parent; curWeb.MasterUrl = "default.master"; curWeb.CustomMasterUrl = "default.master"; curWeb.Update(); } publicoverridevoid FeatureInstalled(SPFeatureReceiverProperties properties) { } publicoverridevoid FeatureUninstalling(SPFeatureReceiverProperties properties) { } } } Code Licensing The code presented in this appendix has been released in accordance with the Microsoft Public License (Ms-PL). To use the provided sample code, create a new Windows Assembly in Visual Studio 2005 or Visual Studio 2008, and add a reference to Microsoft.SharePoint.dll. Note:The Feature receiver is installed in the global assembly cache, which requires the assembly to be digitally signed. Microsoft SharePoint Online Dedicated Custom Solution Policies and Process 66 Appendix G: Troubleshooting Guide Templates This section presents a sample outline for a Microsoft Troubleshooting Guide (TSG) that is used by the Microsoft operational support team. The same document can be used by the customer service desk, and Online Services support team and Online Services operations team. Any event that is raised in the customer's application must have an associated TSG article, or the event is ignored. Monitoring Troubleshooting Guide Use the following TSG for monitoring issues. The customer can copy and paste this into a document. Monitoring Troubleshooting Guide SME: [name] Customization Version: Updated: [date] Document Tracking Tested By Reviewers Group Owner [Document Title] This document is a troubleshooting guide for the following issue: [Issue to be listed here] Contents Support Tier Level of Action Priority Overview Instructions Escalation Related Documents Document History Support Tier Level of Action [Which support tier should take this action? Help Desk, Second Tier, Server Support, etc.] Priority [Initial priority] [Possible change in priority] Microsoft SharePoint Online Dedicated Custom Solution Policies and Process 67 Overview [Background about what applicable scenarios cause this alert to fire] Instructions 1. What activities should the analyst take? 2. If this TSG is for a monitoring event, be sure to include the following information: o Event type o Event source o Event category o Event ID o Error string o Description of error o Impact of error Escalation [Relevant escalation contacts for TSG] Related Documentation [All related documents] Last Updated By: Last Saved: Microsoft SharePoint Online Dedicated Custom Solution Policies and Process 68 Support Troubleshooting Guide Use the following TSG for support issues. The customer may copy and paste this into a document. Support Troubleshooting Guide SME: [name] Customization Version: Updated: [date] Document Tracking Tested By Reviewers Group Owner [Document Title] This document is a troubleshooting guide for the following issue: [Issue to be listed here] 1. Symptoms: 2. Cause: 3. Resolution: 4. More information: 5. Microsoft internal support information: 6. Steps to reproduce: 7. Author ID (e-mail alias): 8. Writer ID(e-mail alias): 9. Tags (keywords): Microsoft SharePoint Online Dedicated Custom Solution Policies and Process 69 Appendix H: Approved Third-Party Solutions Table 10 shows all third-party solutions that have been evaluated and approved for hosting by Microsoft SharePoint Online. Customers that purchase these third-party solutions should reference the table to determine whether the solution can be deployed without an HLD review. Please note the approved version number; requests for different versions will require a review by SharePoint Online. If a third party application, or a Microsoft-created application that is not a part of SharePoint Online, is not included in this list, it has not been pre-approved by SharePoint Online. Thus, it must follow the regular customization process in order to be deployed to a customer's SharePoint Production environment. Table 10. Approved Third-Party Solutions Third Party Tool/Solution Approved Version Requires HLD Review to Deploy Mindjet MindManager 7 No AutoCAD utilities (DFW Viewer) 1.0 No Telerik RadEditor1 5.4.1 Yes Telerik RadEditor Lite N/A No Telerik RadMenu 4.4.5 No KWizCom SharePoint Forum Web Part 1.1.00 No KWizCom SharePoint Survey Plus 2.2 No Infragistics Ultra Web Navigator (Ultra Web tree) 8.1.20081.1000 No BrightWork pmPoint 8.0 No MicroLink Fetch Framework 2.1 No KwizCom SharePoint Remote List Viewer 2.3.04 No Kwizcom List Chart 1.1.01 No KwizCom SharePoint Media Plus 1.1.01 KWizCom SharePoint Picture Library Plus 1.5.01 No KWizCom SharePoint Image Rotator 1.3.00 No KWizCom SharePoint Unique Field Feature 1.1.00 No Metalogix SharePoint Site Migration Manager3 3.6.20 No Metalogix Extensions Web Service for SharePoint3 4.0.73 Yes Quest Web Parts 5.1 Yes Bamboo World Clock 1.0 (HW17) No Smiling Goat FeedReader N/A No NewsGator Social Sites2 2.7.277 No 1Telerik RadEditor does not have its own installation or WSP solution package. This solution is integrated by the customer into the customer's custom code, and must be reviewed as a part of the HLD customization review process. Microsoft SharePoint Online Dedicated Custom Solution Policies and Process 70 2Microsoft Online Services is working to create an ecosystem of independent software vendor (ISV) solutions that work with SharePoint Online. NewsGator Social Sites is the first such solution to be pre-approved for use with SharePoint Online. NewsGator Social Sites is an application that provides enhanced social computing for SharePoint Online. Fully integrated with the SharePoint environment, NewsGator Social Sites features include social networking, online communities, enriched user profiles, and enterprise RSS. NewsGator Social Sites helps businesses to better collaborate, share content, expand employee knowledge, and improve productivity. The pre-approved design is built on a federated services model, in which the NewsGator Social Sites software is installed on SharePoint Online frontend servers in Microsoft data centers and configured to communicate with NewsGator Enterprise Servers (NGES) located on the customer's premises or at other providers' sites. This model provides flexibility and agility for customers who request integration of NGES functionality into their managed SharePoint Online investment. Microsoft hosts the NewsGator Social Sites software, and will collaborate with the customer to troubleshoot NewsGator-related issues. The customer is responsible for purchasing NewsGator licenses and configuring the NewsGator Social Sites software. 3Metalogix SharePoint Site Migration Manager has both a server and client component. Customers are responsible for the distribution of the client component. SMMM is the second solution to be pre-approved for use with SharePoint Online. SMMM helps user migrate content between site collections remotely preserving key metadata and data integrity. Microsoft SharePoint Online Dedicated Custom Solution Policies and Process 71 Appendix I: Building Custom Solutions with Web Parts Web Parts can serve as "building blocks" for custom Web applications and pages. Solutions that include Web Parts may be written and deployed by either the administrator of a Web site or the individual users of the Web site to provide easy functional customization. However, to ensure proper integration and support of custom solutions for SharePoint Online Dedicated, refer to Table 11. It is not an exhaustive list of best practices for Web Part development and, if a best practice is not listed, do not assume that it is allowed. Questions regarding use of Web Parts should be directed to the customer's service manager or solution architect. The MSDN article Introducing the ASP.NET 2.0 Web Parts Framework provides an overview of developing safe ASP.NET 2.0 Web Parts. When creating new Web Parts, start by using the Visual Studio Extension for Windows SharePoint Services 3.0 Web Parts (see Creating a Windows SharePoint Services 3.0 Web Part Using Visual Studio 2005 Extensions). The template contains references to necessary dynamic link libraries (DLLs) and helps the customer package the Web Part as an Office SharePoint Server solution. Table 11. Best Practices for Using Web Parts Guideline Description Use of Office SharePoint Server architecture The SharePoint Online architecture provides several frameworks for functionality, such as feature deployment. All custom Web Parts should use the Microsoft Office SharePoint Server architecture to ensure consistent behavior across the application. Dependence on downlevel legacy .NET Framework versions Microsoft Online Services hosted customizations standardize on the .NET Framework 2.0, .NET Framework 3.0, or .NET Framework 3.5 for multiple reasons. .NET Framework 2.0 provides additional security features, improved memory management, garbage collection, scalability, and stability. The Online Services environment strongly discourages dependencies on older versions of .NET Framework. In addition, Online Services discourages concurrent operation under multiple .NET Framework versions. 64-bit compatibility All third-party code deployed to the SharePoint Online Dedicated service must be 64bit compatible. This ensures proper use of memory management and scalable capacity planning in the deployed design. Modular deployable Feature solutions Custom Web Parts (including resource files) must be contained within a SharePoint Office Server Feature and packaged as an Office SharePoint Server solution in order to be deployed. The Office SharePoint Server Feature framework enables the customer to package sets of interrelated customizations as a single Feature, while also permitting inclusion of multiple Features in a solution package. Solution packages are the recommended form of deployment for customizations into a managed SharePoint Online environment, because solution packages can be deployed, upgraded, and even uninstalled gracefully. No direct database access attempts Customizations should make no attempts to directly access any of the SharePoint Online databases. Data stores in SharePoint Online should only be updated using the Office SharePoint Server object model. All database reads or writes should be made through the services that are provides by the Office SharePoint Server object model, with no routines attempting direct access to the SQL Server data structures. This protects the Online Service for upgrades as well as for data integrity. Referencing SPWeb or SPSite objects When referencing the SPWeb or SPSite objects, a "using" statement should be employed, or alternatively an explicit call of the .Dispose method, to ensure proper use and disposal of the memory objects. Reduce unnecessary round trips Use caching as appropriate to reduce unnecessary round trips. Improper management of the number of round trips required for interactions with Web Parts can be exacerbated by latency conditions. This results in a poor end-user experience, while potentially affecting back-end service performance. The customer should expose the cache expiration (duration) as a Web Part property. Microsoft SharePoint Online Dedicated Custom Solution Policies and Process 72 Guideline Description Minimized attack surface Input surfaces in Web Parts and other customizations must include boundary checks, input data integrity checks, and appropriate exception handling to prevent the potential for cross-site scripting and SQL injection. Specify Code Access Security (CAS) policy & safe controls When packaging a solution, include a CAS policy for that solution, and if necessary include the customer's assembly in the safe controls list through the solution. Requiring Code Access Security and registering safe controls allows Online Services to maintain a secure environment while allowing customizations. Error handling & logging When writing error handling code, inherit from the SPException class to ensure that the errors are consistent in appearance with any errors from Office SharePoint Server. Also trap errors at all possible entry points, including constructors. Use logging where appropriate to help troubleshoot errors. When writing logging code, use the Portal Log class to log the SharePoint Unified Logging Service (ULS) logs. Also be sure to use the Page Error event to handle all errors on .aspx and Web Part pages. Configuration of Web Parts The configuration of the Web Parts being deployed should allow the flexibility of deploying to the Web application level or lower. This improves supportability and maintenance. Developers are encouraged to include configuration data with the Web Part itself as metadata. Web Part connections The SharePoint Web Part infrastructure provides a standardized set of connection interfaces that allow Web Parts to exchange information with each other at run time. The customer should use these when it is necessary to pass data between Web Parts and, when appropriate, between a list and a Web Part. There are a number of Office SharePoint Server filter Web Parts that already emit data. The customer's Web Part should be able to receive that data if connection with those Web Parts is desired. User interface (UI) & presentation layer When possible, abstract the presentation layer from the logic code by using either user controls (ASCX) or XSL. If the Web Part requires form input, the customer should utilize user controls; otherwise, the Web Part should output raw XML and apply an XSLT to format the output. When using an XSL, store the XSLT as a Web Part property, allowing for modification from the tool pane. Avoid using a data tables/dataset approach and HTML formatting in the Web Part. Delegate controls Determine whether the functionality or customization to be developed needs to be done as a Web Part or if it can be done using delegate controls. By using delegate controls, the customer can easily replace existing controls that are already in the page using less custom code. Localization Avoid hard coding strings and labels; use resources or language files instead. This allows for easier localization of the Web Part if or when the time comes. XML mapping Use the AppSettings object to implement the XML mapping. This can be provided outof-the-box using the existing Settings framework in .NET Framework 2.0. Avoid creating custom XML files and a strongly typed object for this purpose. Unsafe updates Avoid using AllowUnsafeUpdates. Use ValidateFormDigest() and, if necessary, interact with Office SharePoint Server objects using elevated privileges. In cases where AllowUnsafeUpdates must be used, set AllowUnsafeUpdates to False in the try-catch finally block, or a Dispose() method as required by the IDisposable interface to avoid security holes. Deployment logging Installation and deployment logging should be included the event logs to enable appropriate operational troubleshooting during installation and un-installation. Querying large lists When querying large lists, use the RowLimit property in the SPQuery class if all the results do not need to be returned. Make the limit as small as possible while using <OrderBy> to ensure the most relevant results. Microsoft SharePoint Online Dedicated Custom Solution Policies and Process 73 Guideline Description Updating large lists Use the Web service to update multiple list items if needed. If the customer needs to update more than one item at a time, avoid using SPListItem.Update() in the code. When using the Count property of a SPListItemCollection, the property should only be called once and then stored in a variable where it can be referred to when looping instead of calling it inside the loop. Providing source code and documentation to Online Services Source code for third-party Web Parts solutions, whenever possible, should be provided with good documentation to ensure good support. Licensing disclosure for third-party Web Parts Full disclosure must be provided to Microsoft for licensed Web Parts that are to be deployed to the Online Services environment. This will be provided as part of the customization package. Microsoft SharePoint Online Dedicated Custom Solution Policies and Process 74 Appendix J: Code Development and Deployment Responsibilities Designing and building secure applications is a collaborative effort involving multiple roles. The RACI chart in Table 12 shows Microsoft and customer responsibilities for deploying custom code in a SharePoint Online environment. RACI is an acronym for the following: Responsible (the role responsible for performing the task) Accountable (the role with overall responsibility for the task) Consulted (people who provide input to help perform the task) Informed (people with a vested interest who should be kept informed) Table 12. RACI Chart for Custom Code Development Task Customer/ Partner Microsoft Operations Microsoft Engineering Project Management Initiate and plan project RA Gather requirements RA Use cases and constraints RA Development Prepare high level design document RA I Review high level design document C RA Build custom solutions RA Perform developer and user acceptance testing RA Package custom solutions RA Write documentation RA Run CAF RA I Prepare documentation (deployment, rollback, test, event log, client troubleshooting, third-party licensing, security and compliance, monitoring, CAF report , and dependencies) RA I Review documentation I RA Validate solution I RA Deploy production build CI RA Test post-deployment RA I RA I Documentation Deployment System Monitoring Provide monitoring hooks in code Microsoft SharePoint Online Dedicated Custom Solution Policies and Process I 75 Task Customer/ Partner Monitor code with System Center Operations Manager Microsoft Operations Microsoft Engineering RA Patching Test patching against SharePoint Online environment I RA RA Deploy to PPE environment I RA Test customizations against patches RA I Deploy patches to production I RA Author fix/change to customization RA I Review and test changes I Deploy changes to Production I RA Upgrade PPE environment I RA Validate customizations in a timely manner RA I Author fix/change to customization RA CI Review and test changes I RA Upgrade production environment and deploy changes I Break-Fix Remediation C RA Upgrade Microsoft SharePoint Online Dedicated Custom Solution Policies and Process RA 76 Appendix K: Custom Solutions Using External Databases When developing solutions, customers may need to have SQL Server database software hosted for their custom code. Microsoft Online Services supports the use of SQL Server databases following the guidelines described in Table13. If a database customization item is not listed in the table, do not assume that it is therefore allowed. Contact the service manager for further information. Online Services supports only one database for each custom solution that is deployed by a customer. Notes: Databases that are resource-intensive—that have high storage, CPU, connections, and memory requirements—cannot be hosted. A customer has the option to host a resource-intensive SQL Server database on its own servers in its own data centers. Microsoft Online Services is planning to support more than one customer database in the future. Microsoft will notify customers if and when multiple database support becomes available. Table 13. SQL Server Support Guidelines Database Customization Supported Comment SQL Server database Yes The Microsoft Online Services infrastructure uses SQL Server hosted on the existing SharePoint Online Dedicated infrastructure. Microsoft supports only one version of SQL Server. The current version supported by Online Services is SQL Server 2005 SP2 build 9.00.3215. Custom non-SQL Server database No Microsoft does not support database servers other than SQL Server. Customers can choose to host such databases on their own premises and integrate them with Online Services using the Windows Communication Foundation (WCF) interface with a Web service. More than one custom SQL Server database No Online Services hosts a single SQL Server database for customers on the shared SQL Server infrastructure. Database data access No When developing the code, direct access to the SQL Server database via technologies such as ADO.NET is permitted only if the database is hosted by Online Services. All access to the databases on the customer's premises by custom code must be through a middle tier developed with a WCF/Web service interface. There can be no other direct access, such as SQL Server Integration Services (SSIS), Data Transformation Services (DTS), or Bulk Copy Program (BCP). Custom-developed Web Parts/SharePoint Online pages with custom database integration Yes Custom applications must be isolated from out-of-the-box features, and should be running as an independent entity. Failure of the custom database access should not cause the entire farm to fail. No standard existing functionality (for example, search and workflows) should fail due to a failure on a custom database. Ajax UI implementation is recommended when connecting to a custom database to minimize page load impact if the custom database connection becomes slow. Custom database as an authentication or credential store No The database cannot be used as an authentication store. No credentials are allowed to be stored. Access to SQL Server No Customer access to the SQL Server database using the SQL Server client tools is not permitted under any circumstances, even during troubleshooting. Microsoft SharePoint Online Dedicated Custom Solution Policies and Process 77 Database Customization Supported Comment Backups of the custom SQL Server database Yes Customers may request a copy of their custom SQL Server database through their service manager up to once per month. Depending on the size of the custom database, the logistics of providing a copy may be challenging. The customer should be prepared to cover any costs required in transferring a copy of the database. Installation of a copy of a SQL Server database or scripting the creation of a custom SQL Server database Yes The creation of the custom SQL Server database within the hosted Online Services environment can be done by providing Microsoft a copy of the SQL Server database (not populated) or through the use of scripting to create the database and associated schema. Upgrade path Yes All databases hosted by Online Services are subject to the same upgrade strategy as the SQL Server product offering. Customers will be notified of plans to upgrade the SQL Server build or version in advance (with six weeks' notice) of the actual exercise and are responsible for testing that their custom database and the functionality they are using will work with the new build or version. As of the writing of this document, Online Services supports only the SQL Server 2005 SP2 build 9.00.3215. SQL Server Reporting Services Web Parts (Restricted to pre-SP2 SQL Server 2005 version) Yes The SQL Server team has released Web Parts to display data within a Reporting Services system. However, only pre-SP2 versions of SQL Server 2000 and SQL Server 2005 Reporting Services Web Parts can work within a hosted environment. The current design of the Reporting Services Web Parts requires the Reporting Services server to be hosted within the same domain as the SharePoint Online environment. Customers who want to use the shipped Reporting Services Web Parts should know that Online Services supports only the pre-SP2 version of SQL Server 2005. Non-Supported SQL Server Features Microsoft Online Services supports any standard SQL Server features that are used in development practices on SQL Server, except the following: Integration Services (or any SSIS packages, DTS, BCP) Reporting Services Analysis Services Notification Services Replication All SQL Server features that are required by the custom design should be detailed in the HLD document for review and approval by Online Services. Microsoft provides feedback if a feature that the customer plans to use is not supportable. Features that are not enabled by default and are not supported are: SQL Server 2005 data encryption Linked server configuration Cross-database chaining C2 audit tracing Microsoft SharePoint Online Dedicated Custom Solution Policies and Process 78 Common criteria compliance Server proxy account Database Mail or SQL Mail Extended stored procedures (XPs) Common language runtime (CLR) integration Ad hoc remote queries (OPENROWSET AND OPENDATASOURCE support) Native XML Web service (HTTP endpoints) Custom OLE automation Service broker or message queuing Web Assistant (as deprecated in SQL 2005) xp_cmdshell Custom SQL Server Agent jobs (maintenance jobs already inclusive of the hosting system) Trace flags Lightweight pooling Terms and Conditions The terms and conditions for hosting a single database for a custom solution are described in this section. If a condition is not listed, this does not mean it is automatically allowed. Customers should contact their service manager for further information. Database Configuration Microsoft Online Services enforces restrictions on each database. The database cannot grow above 100 GB. The database is set up with the following configuration: Full recovery model Compatibility mode: 90 (SQL Server 2005) Database ownership set to sa Database access level for application is set to read/write only A single MDF file and a single LDF file MDF and LDF data files are located in dedicated Data and Log locations respectively. For example, data files (.mdf) should be placed on H:\MSSQL\Data and log files (.ldf) on O:\MSSQL\DATA. Data files are initialized at 20 GB for MDF and 5 GB for LDF, with auto-growth set for 200 MB for both file types; the data files are set for Restricted to a maximum size of 80 GB for MDF and 20 GB for LDF Remote query timeout set to 600 seconds Not provided: Full-text search is not enabled, and not allowed when co-hosted on the SharePoint Online back end Do not use: SQL Server 2000 backwards compatibility components Microsoft SharePoint Online Dedicated Custom Solution Policies and Process 79 Security Model Integrated Windows Authentication only Not allowed: SQL Server standard logons Not provided: SQL Server manages the sa password, which will not be provided (disabled) Database Maintenance All custom databases will have a maintenance window that is similar to that for SharePoint Online databases: Weekly full backup (using SQLLitespeed compression) Daily diff backup (using SQLLitespeed compression) 15-minute transaction log backup, with file retention of 21 days Weekly index rebuild with a default 80-percent FillFactor Daily index defrag Daily update of statistics (with sp_updatestats) Weekly calls to DBCC CheckDatabase High Availability Protection Database is mirrored (high-protection mode) within local data center Database is log-shipped to remote data center for disaster recovery Database backup files are copied to tape as follows: o Weekly full o Daily diff o Monthly offsite o 90-day offsite retention Connectivity and Access SQL Server connectivity using TCP/IP protocol only Access to database via ADO.NET only; no direct access to server or database via SQL Server Management Studio or OSQL Database access level for application is set to Read/Write only Not provided: View server state Not allowed: the commands create, delete, detach, attach, backup database Support Database backup file can be provided via FTP download or courier of a DVD Custom databases must meet acceptable levels of performance that do not impact SharePoint operations Transaction per second < 100 Reads per transaction (one RPC call) < 100,000 Not provided: Archive data to tape for long-term retention Microsoft SharePoint Online Dedicated Custom Solution Policies and Process 80 Note: Microsoft reserves the right to implement indexes to improve performance of the database if server performance is impacted by the hosted database. Microsoft SharePoint Online Dedicated Custom Solution Policies and Process 81 Appendix L: Process to Escalate Customization PostDeployment Issues Table 14 outlines the events involved in escalating a custom solution issue after the solution has been deployed. Table 14: Escalation Process for Custom Solution Issue Escalation Events How Communicated Responsibility 1. Microsoft Online Services successfully verifies post-deployment steps provided by the customer in deployment guide. After completion of the custom solution deployment, Microsoft e-mails the customer-designated distribution list of the successful deployment. SharePoint Online change management team 2. Customer identifies issues with deployed changes. After internal triage, the customer submits a service request to Microsoft Online Services support service desk (mossup@microsoft.com) by providing completed escalation template and severity level. Customer The detailed escalation process can be found in the Customer Run state Handbook in the Online Services Customer Knowledge base site. 3. Microsoft Online Services support team triages the submitted service request and evaluates the incident based on the severity level. Refer to the Customer Run State Handbook for more information about assigning severity levels to service requests. 4. If after completion of triage through the regular service request process Microsoft Online Services determines that the customer issue is due to the deployed customization and/or configuration, Microsoft Online Services follows rollback instructions provided in the deployment guide to uninstall deployed code and/or configuration. Rollback scheduling is based on the assigned severity level of the incident, Severity A: Rollback is performed immediately for the customization in question. Microsoft Online Services support team will communicate status of the service request based on the severity level assigned. Microsoft Online Services support team Communication to customer via service request e-mail notifications. Microsoft Online Services support team and SharePoint Online change management team Severity B: Rollback of the customization can be scheduled at an agreed-upon time with the customer, and can be done outside a change window with written approval from customer. Note: Standard support process, as with any outage or service degradation incident, applies if root cause analysis indicates that issue is due to out-of-the-box functionality. Microsoft SharePoint Online Dedicated Custom Solution Policies and Process 82