#SPSJHB 26 February 2011 Building the ‘Perfect’ SharePoint 2010 Farm Best Practices from the Field Presented by: Michael Noel Partner, Convergent Computing www.SharePointSaturday.org/johannesburg Michael Noel • • Author of SAMS Publishing titles “SharePoint 2010 Unleashed,” “SharePoint 2007 Unleashed,” “SharePoint 2003 Unleashed”, “Teach Yourself SharePoint 2003 in 10 Minutes,” “Windows Server 2008 R2 Unleashed,” “Exchange Server 2010 Unleashed”, “ISA Server 2006 Unleashed”, and many other titles . Partner at Convergent Computing (www.cco.com / +1(510)444-5700) – San Francisco Bay Area based Infrastructure/Security specialists for SharePoint, AD, Exchange, Security What we will cover • Examine various SharePoint 2010 farm architecture best practices that have developed over the past year • Examine SharePoint Best Practice Farm Architecture • Understand SharePoint Virtualization Options • Explore SharePoint DR and HA strategies using Database Mirroring • Explore other common best practices (IPv6, SSL, NLB) • Learn how to Enable Kerberos for Best Practice Security • A large amount of best practices covered (i.e. Drinking through a fire hose), expectation is that you can take away 2-3 useful pieces of information that can be used in your environment www.SharePointSaturday.org/johannesburg #SPSJHB Architecting the Farm www.SharePointSaturday.org/johannesburg SharePoint 2010 Architecture Small Farms • ‘All-in-One’ (Avoid) DB and SP Roles Separate www.SharePointSaturday.org/johannesburg SharePoint 2010 Architecture “Smallest Highly Available Farm” • 2 SharePoint Servers running Web and Service Apps • 2 Database Servers (Clustered or Mirrored) • 1 or 2 Index Partitions with equivalent query components • Smallest farm size that is fully highly available www.SharePointSaturday.org/johannesburg SharePoint 2010 Architecture “The Six Server Farm” • 2 Dedicated Web Servers (NLB) • 2 Service Application Servers • 2 Database Servers (Clustered or Mirrored) • 1 or 2 Index Partitions with equivalent query components www.SharePointSaturday.org/johannesburg SharePoint 2010 Architecture Large Farm • • • • • Multiple Dedicated Web Servers Multiple Dedicated Query Servers Multiple Dedicated Crawl Servers, with multiple Crawl DBs to increase parallelization of the crawl process Multiple distributed Index partitions (max of 10 million items per index partition) Two query components for each Index partition, spread among servers www.SharePointSaturday.org/johannesburg #SPSJHB SharePoint 2010 Virtualization Guidelines www.SharePointSaturday.org/johannesburg Virtualized Farm Architecture Cost-effective Virtual Environment / No HA Allows Organizations that wouldn’t normally be able to have a test environment to run one Allows for separation of the database role onto a dedicated server Can be more easily scaled out in the future www.SharePointSaturday.org/johannesburg Virtualized Farm Architecture Highly Available Farm with only Two Servers HighAvailability across Hosts All components Virtualized Uses only two Windows Ent Edition Licenses www.SharePointSaturday.org/johannesburg Virtualized Farm Architecture Best Practice Virtual/Physical with HA/Perf Highest transaction servers are physical Multiple farm support, with DBs for all farms on the SQL cluster www.SharePointSaturday.org/johannesburg Virtualized Farm Architecture Large Virtual Farms www.SharePointSaturday.org/johannesburg #SPSJHB Content Database and Site Collection Architecture www.SharePointSaturday.org/johannesburg Content Database and Site Collection Planning • Start with a distributed architecture of content databases from the beginning, within reason (more than 50 per SQL instance is not recommended) • Distribute content across Site Collections from the beginning as well, it is very difficult to extract content after the face • Allow your environment to scale and your users to ‘grow into’ their SharePoint site collections www.SharePointSaturday.org/johannesburg #SPSJHB SQL Database Mirroring www.SharePointSaturday.org/johannesburg SQL Database Mirroring HA Solutions using Mirrored Copies of SharePoint Databases • New in SQL 2005, available in both Standard and Enterprise editions, improved in SQL 2008 • Works by keeping a mirror copy of a database or databases on two servers • Can be used locally, or the mirror can be remote • Can be set to use a two-phase commit process to ensure integrity of data across both servers • Can be combined with traditional shared storage clustering to further improve redundancy www.SharePointSaturday.org/johannesburg SQL Database Mirroring SQL Mirroring Modes • High Performance (Enterprise Edition only) – Asynchronous Mirroring – Safety level = OFF – Failure of principal server may result in data loss • High Availability – – – – Synchronous Mirroring Safety level = ON Dual-commit process ensures no data loss Third witness server required • High Protection – Synchronous Mirroring – Safety level = ON – Manual failover, no witness server www.SharePointSaturday.org/johannesburg SQL Mirroring Designs Various SharePoint Mirrored DB Options • Single Site HA Mirrored Farm – Synchronous Replication – All Servers in one Physical Location • Cross Site Mirrored HA Farm – Synchronous Replication – Servers split across highly connected physical sites • Two Farm / Mirrored Content DBs – Asynchronous Replication – Content Databases Mirrored Only – Manual Failover Process www.SharePointSaturday.org/johannesburg Single Site HA Mirrored Farm • Single Site • Synchronous Replication • Uses a SQL Witness Server to Failover Automatically • Mirror all SharePoint DBs in the Farm • Use a SQL Alias to switch to Mirror Instance www.SharePointSaturday.org/johannesburg Cross-Site Mirrored HA Farm • Two Sites • 1 ms Latency • 1GB Bandwidth • Farm Servers in each location • Auto Failover www.SharePointSaturday.org/johannesburg Two Farm / Mirrored Content DBs • Two Sites • Two Farms • Mirror only Content DBs • Failover is Manual • Must Reindex www.SharePointSaturday.org/johannesburg #SPSJHB Hardware/Software www.SharePointSaturday.org/johannesburg Hardware Planning Considerations Disk, Memory, and Processor • SQL Database role requires a great deal of space, especially if versioning is turned on in Document Libraries. Don’t underestimate! • Servers running the Search Service Application Index or Query need hard drive space to store the Index files, which can be 5%-30% of the size of the items being indexed. • The more memory and processor cores that can be given to SharePoint the better, in the following priority: – – – – Database Role Search Service Application Role Other Service Application Roles Web Role www.SharePointSaturday.org/johannesburg Operating System Best practices Versions • Highly recommended: Windows Server 2008 R2 for security, performance (client/server traffic improvements), and ease of setup. • Windows Server 2008 SP1 is also possible, but requires some custom configuration (Kerberos, etc.) • Enterprise Edition of Windows only required for very large SQL instances (More than two cluster nodes, high transaction volume, etc.) Standard edition of Windows is adequate in nearly all other cases. www.SharePointSaturday.org/johannesburg Operating System Best practices SQL Server • SQL Server 2008 R2 Recommended, particularly if you have high security requirements, as it allows for transparent encryption of databases and PowerPivot (R2 only) • SQL Server 2005 x64 also supported • Enterprise edition of SQL only required for more than two nodes in a cluster, Asynchronous database mirror replication, and/or greater than 32GB RAM • Separate Reporting Services server may be required for intensive reporting • Separate Analysis Services server may be required for PowerPivot • Create exception in Windows Firewall policy for port 1433 www.SharePointSaturday.org/johannesburg Operating System Best practices IPv6 for SharePoint Servers • Yes, it is a good idea. • IPv4 range has just recently been exhausted on the Internet (but ISPs will still give out addresses for a while) • Enabled by Default with Windows 2008/2008 R2 • Prepare for the future. • Consider DHCP Reservations of IPv6 addresses for the Primary IP of the SharePoint servers…technical reasons for it are many. www.SharePointSaturday.org/johannesburg #SPSJHB SharePoint Installation www.SharePointSaturday.org/johannesburg SharePoint Installation Sample Service Accounts Service Account Name Role of Service Account Special Permissions COMPANYABC\SRV-SP-Setup SharePoint Installation Account COMPANYABC\SRV-SP-SQL SQL Service Account Local Admin on all SharePoint servers Local Admin on Database Serverr(s) COMPANYABC\SRV-SP-Farm SharePoint Farm Account; Application Pool Identity account for the Central Admin App Pool Managed Services Account Search Account Default Content Access Account COMPANYABC\SRV-SP-Services COMPANYABC\SRV-SP-Search COMPANYABC\SRV-SP-Content COMPANYABC\SRV-SP-Prof COMPANYABC\SRV-SP-MySite COMPANYABC\SRV-SP-Home N/A N/A N/A Read rights to any external data sources to be crawled Default Profiles Content Account Member of Domain Users (to be able to read attributes from users in domain. Application Pool Identity account for N/A the MySite App Pool Application Pool Identity account for N/A the Home App Pool SharePoint Installation Installation Process • For most flexibility, choose ‘Complete’ Installation, even if not installing all of the roles on the server. This will allow for the addition of roles in the future as needed. • Be sure not to select ‘Stand-Alone’, unless you plan on having a very small farm with a limited database (SQL Server Express) www.SharePointSaturday.org/johannesburg SharePoint Installation Installation Process • Highly recommended to choose the final destination for the Index/Query to live (i.e. if it’s on a different drive, enter that during installation). It’s difficult to change index location later. • Remember, after installing the binaries, the server is not a farm member yet…it can be added to any farm. Good concept to use to prestage servers. www.SharePointSaturday.org/johannesburg SharePoint Installation Command-line Installation of SharePoint • Good to understand how to install SharePoint from the command-line, especially if setting up multiple servers. • Allows for options not available in the GUI, such as the option to rename databases to something easier to understand. • Use PowerShell www.SharePointSaturday.org/johannesburg Script: http://tinyurl.com/SPFarm-Config Function Configure-SPSearch { PARAM($AppPool, $FarmName, $SearchServiceAccount) $searchServiceInstance = Get-SPEnterpriseSearchServiceInstance -local Start-SPEnterpriseSearchServiceInstance -Identity $searchServiceInstance $dbName = $FarmName + "_SearchServiceApplication" $searchApplication = New-SPEnterpriseSearchServiceApplication -Name "$FarmName Search Service Application" -ApplicationPool $AppPool -DatabaseName $dbName $searchApplicationProxy = New-SPEnterpriseSearchServiceApplicationProxy -name "$FarmName Search Service Application Proxy" -SearchApplication $searchApplication Set-SPEnterpriseSearchAdministrationComponent -SearchApplication $searchApplication -SearchServiceInstance $searchServiceInstance $crawlTopology = New-SPEnterpriseSearchCrawlTopology -SearchApplication $searchApplication $crawlDatabase = Get-SPEnterpriseSearchCrawlDatabase -SearchApplication $searchApplication New-SPEnterpriseSearchCrawlComponent -CrawlTopology $crawlTopology -CrawlDatabase $crawlDatabase -SearchServiceInstance $searchServiceInstance while($crawlTopology.State -ne "Active") { $crawlTopology | Set-SPEnterpriseSearchCrawlTopology -Active -ErrorAction SilentlyContinue if ($crawlTopology.State -ne "Active") { Start-Sleep -Seconds 10 } } $queryTopology = New-SPenterpriseSEarchQueryTopology -SearchApplication $searchApplication -partitions 1 $searchIndexPartition = Get-SPEnterpriseSearchIndexPartition -QueryTopology $queryTopology New-SPEnterpriseSearchQueryComponent -indexpartition $searchIndexPartition -QueryTopology $queryTopology -SearchServiceInstance $searchServiceInstance $propertyDB = Get-SPEnterpriseSearchPropertyDatabase -SearchApplication $searchApplication Set-SPEnterpriseSearchIndexPartition $searchIndexPartition -PropertyDatabase $propertyDB while ($queryTopology.State -ne "Active") { $queryTopology | Set-SPEnterpriseSearchQueryTopology -Active -ErrorAction SilentlyContinue if ($queryTopology.State -ne "Active") { Start-Sleep -Seconds 10 } www.SharePointSaturday.org/johannesburg SharePoint Installation Some Manual Service Apps Still Required • Due to bugs in SharePoint, certain Service Apps will need to be manually configured, they won’t work in PowerShell yet, hopefully fixed in later versions • This includes the following: – PerformancePoint Service Application – User Profile Service Application – Web Analytics Service Application www.SharePointSaturday.org/johannesburg #SPSJHB Configuring the Farm www.SharePointSaturday.org/johannesburg Configuring the Farm Running the Config Wizard to Install Servers (If used) • Consider using an easy to remember port for the Central Admin service (i.e. 8888). Change to 443 later. • You are welcome to change the Config Database name to match a common naming convention • Your database access account is the SP Service account, which only needs DBCreator and Security Admin rights on SQL. Don’t give it more! • Run the wizard on additional servers as necessary www.SharePointSaturday.org/johannesburg Configuring the Farm SQL Alias • A SQL Alias will help you if you need to change your DB location. For example, if your SQL server name is ‘SQL1’, use something like ‘SPSQL’ to connect, and have DNS point to the proper server location. This makes it MUCH more flexible. • Use the SQL Native Client 10.0 Configuration (32bit) node to create the alias www.SharePointSaturday.org/johannesburg Configuring the Farm SQL Alias • Install SQL Client Tools, including the Backwards Compatibility Client Tools. • Launch the SQL Server Configuration Manager and create three SQL aliases using the 32bit Alias section: – spdbcontent.companyabc.com – spdbfarm.companyabc.com – spdbservices.companyabc.com • Point all to the SQL server name, port 1433. • Launch the SQL Server Client Network Utility (\System32\cliconfg.exe) and create the same 3 aliases as above using TCP/IP and port 1433. Make sure to map the alias to the SQL netbios name (or cluster netbios name) as above www.SharePointSaturday.org/johannesburg Configuring the Farm Network Load Balancing • Hardware Based Load Balancing (F5, Cisco, Citrix NetScaler – Best performance and scalability • Software Windows Network Load Balancing fully supported • If using Unicast, use two NICs on the server, one for communications between nodes. • If using Multicast, be sure to configure routers appropriately • Set Affinity to Single (Sticky Sessions) www.SharePointSaturday.org/johannesburg Configuring the Farm Network Load Balancing • Best Practice – Create Multiple Web Apps with Loadbalanced VIPs (Sample below) – Web Role Servers • sp1.companyabc.com (10.0.0.101) – Web Role Server #1 • sp2.companyabc.com (10.0.0.102) – Web Role Server #2 – Clustered VIPs shared between SP1 and SP2 (Create A records in DNS) • • • • spnlb.companyabc.com (10.0.0.103) - Cluster spca.companyabc.com (10.0.0.104) – SP Central Admin spsmtp.companyabc.com (10.0.0.105) – Inbound Email VIP home.companyabc.com (10.0.0.106) – Main SP Web App (can be multiple) • mysite.companyabc.com (10.0.0.107) – Main MySites Web App www.SharePointSaturday.org/johannesburg Configuring the Farm Security Considerations • Infrastructure Security and Best Practices – Best Practice Service Account Setup – Kerberos Authentication • Data Security – SharePoint Security ACLs and Role Based Access Control (RBAC) – Transparent Data Encryption (TDE) of SQL Databases • Transport Security – Secure Sockets Layer (SSL) from Server to Client – IPSec from Client to Server – Inbound Internet Security (Forefront UAG/TMG) / Certs • Rights Management www.SharePointSaturday.org/johannesburg Configuring the Farm SSL Certificates • External or Internal Certs highly recommended • Protects Transport of content • 20% overhead on Web Servers • Can be offloaded via SSL offloaders if needed • Don’t forget for SPCA as well! www.SharePointSaturday.org/johannesburg Configuring the Farm User Profile Sync (UPS) Setup • Most complex part of a SharePoint installation • Uses the Forefront Identity Manager (FIM) subcomponent on the server to synch My Site Profiles with external directory source such Active Directory • Would take an entire session to describe the process, but best blog on the topic is SharePoint MVP Spencer Harbar’s (harbar.net) www.SharePointSaturday.org/johannesburg • To configure diagnostic logging – On the Central Administration Home page, click Monitoring. – In the Reporting section, click Configure diagnostic logging. – On the Diagnostic Logging page, verify that Enable Event Log Flood Protection is selected. If not, click the corresponding check box to enable this feature. – Leave default values for other items – Click OK to save your changes. • To configure usage and health data collection: – On the Central Administration Monitoring page, click Configure usage and health data collection. – Click the check box to Enable Usage Data Collection. – Click the check box to Enable Health Data Collection. – Name database – Leave all other settings at default – Click OK. www.SharePointSaturday.org/johannesburg Configuring the Farm Best Practices • For Email enabled content, create a dedicated OU for Email enabled contacts and distribution lists and give the SP Admin account rights to create and modify contacts and groups in that OU. • Don’t forget Alternate Access Mappings if connecting to the content in more than one way (i.e. https://home.companyabc.com vs. just http://home) • If using SSL on a web app, it must have a dedicated IP address, not just a host header • Don’t forget to install Antivirus (MS Forefront Protection for SharePoint recommended) • Don’t forget a comprehensive backup solution (MS System Center Data Protection Manager (DPM) 2010 recommended) www.SharePointSaturday.org/johannesburg #SPSJHB Kerberos www.SharePointSaturday.org/johannesburg Kerberos Best practice: Enable Kerberos! • When creating any Web Applications for Content, USE KERBEROS. It is much more secure and also faster with heavy loads as the SP server doesn’t have to keep asking for auth requests from AD. • Kerberos auth does require extra steps, which makes people shy away from it, but once configured, it improves security considerably and can improve performance on high-load sites. www.SharePointSaturday.org/johannesburg Kerberos Step 1: Create the Service Principal Names • Use the setspn utility to create Service Principle Names in AD, the following syntax for example: – Setspn.exe -A HTTP/mysite.companyabc.com DOMAINNAME\MYSiteAppAccount – Setspn.exe -A HTTP/mysite DOMAINNAME\MYSITEAppAccount – Setspn.exe -A HTTP/home.companyabc.com DOMAINNAME\HOMEAppAccount – Setspn.exe -A HTTP/sp DOMAINNAME\HOMEAppAccount www.SharePointSaturday.org/johannesburg Kerberos Step 2: Enable Kerberos from SP Servers to SQL • Use setspn to create SPNs for SQL Service Account • SPNs need to match the name that SharePoint uses to connect to SQL (Ideally SQL Alias, more on this later) • Syntax similar to following: – Setspn.exe -A MSSQLSvc/spsql:1433 COMPANYABC\SRV-SQL-DB – Setspn.exe –A MSSQLSvc/spsql.companyabc.com:1433 COMPANYABC\SRV-SQL-DB • MSSQLSvc = Default instance, if named instance, specify the name instead • In this example, SRV-SQL-DB is the SQL Admin account www.SharePointSaturday.org/johannesburg Kerberos Step 3: Allow User and Computer Accounts to Delegate (Optional) • Required for Excel Services and other impersonation applications. • On all SP Computer accounts and on the Application Identity accounts, check the box in ADUC to allow for delegation. – In ADUC, navigate to the computer or user account, right-click and choose Properties. – Go to the Delegation tab – Choose Trust this user/computer for delegation to any service (Kerberos) www.SharePointSaturday.org/johannesburg Kerberos Step 4: Enable Kerberos on Web Application • • • • Go to Application Management – Authentication Providers Choose the appropriate Web Application Click on the link for ‘Default’ under Zone Change to Integrated Windows Authentication - Kerberos (Negotiate) • Run iisreset /noforce from the command prompt • If creating Web App from scratch, this step may be unnecessary if you choose Negotiate from the beginning www.SharePointSaturday.org/johannesburg Kerberos Step 5: Validate Kerberos Functionality • Logon to SharePoint Web Front-End as the setup account • Launch the SQL Management Studio • At the Connect to Server screen, connect to one of the alias names (spdbcontent, sbdbservices, spdbsearch) • Make sure you are able to connect to the SQL server instance • Login to the SQL server as SQL Admin account – – – – Launch Server Manager View Security event log under Diagnostics Look for Event ID 4624/Logon Open the event and look under the Detailed Authentication Information section which should read Kerberos for both Logon Process and Authentication Package for the Setup account www.SharePointSaturday.org/johannesburg Kerberos Bonuses for SPCA – Kerberos, NLB, SSL, and Default Port • Bonus #1: Enable Kerberos – Add the SPNs for SPCA • HTTP/spca.companyabc.com, HTTP/spca (Add to App Pool Identity Account for SPCA) Configure Kerberos as defined in this presentation • Bonus #2: Configure for SSL – – Encrypts traffic and Admin passwords Create and install Web certs for spca.companyabc.com • Bonus #3: Load Balance SPCA – – – Install SPCA on multiple web role servers Enable either Hardware NLB or Software Windows Network Load Balancing Requires DNS A record (spca.companyabc.com), registry key and AAM modification (below) • Bonus #4: Setup SPCA on port 443/80 – – – Delete default IIS Web Site Assign dedicated IP (VIP if load balancing) to SPCA Web App Run STSADM to change the port(s) • • – – stsadm –o setadminport –port 80 stsadm –o setadminport –ssl –port 443 Change Port to 80 and 443 in IIS, Assign Cert (if using SSL) Modify SPCA URL on SP Servers - “HKLM\SOFTWARE\Microsoft\Shared Tools\Web Server Extensions\14.0\WSS\CentralAdministrationURL” (REG_SZ) = https://spca.companyabc.com/ – Change your default AAM to https://spca.companyabc.com www.SharePointSaturday.org/johannesburg Session Takeaways • Use multiple service accounts, definitely don’t mix Application Pool identity accounts with the farm admin accounts • Use Kerberos when at all possible • Use a SQL DB Alias for greatest flexibility with a SP Farm • Consider DB Mirroring as a DR option • A five server farm is the smallest that is highly available • One last best practice – Don’t forget Antivirus and Backup www.SharePointSaturday.org/johannesburg Michael Noel Twitter: @MichaelTNoel www.cco.com