Building the Perfect SharePoint 2010 Farm

26 February 2011
Building the ‘Perfect’
SharePoint 2010 Farm
Best Practices from the Field
Presented by: Michael Noel
Partner, Convergent Computing
Michael Noel
Author of SAMS Publishing titles “SharePoint 2010 Unleashed,” “SharePoint 2007 Unleashed,” “SharePoint 2003 Unleashed,” “Teach Yourself SharePoint 2003 in 10 Minutes,” “Windows Server 2008 R2 Unleashed,” “Exchange Server 2010 Unleashed,” “ISA Server 2006 Unleashed,” and many other titles.
Partner at Convergent Computing ( / +1(510)444-5700) – San Francisco
Bay Area based Infrastructure/Security specialists for SharePoint, AD, Exchange,
What we will cover
• Examine various SharePoint 2010 farm architecture best
practices that have developed over the past year
• Examine SharePoint Best Practice Farm Architecture
• Understand SharePoint Virtualization Options
• Explore SharePoint DR and HA strategies using Database
• Explore other common best practices (IPv6, SSL, NLB)
• Learn how to Enable Kerberos for Best Practice Security
• A large number of best practices are covered (i.e. drinking through a fire hose); the expectation is that you can take away 2-3 useful pieces of information that can be used in your environment
Architecting the Farm
SharePoint 2010 Architecture
Small Farms
• ‘All-in-One’ (Avoid)
• DB and SP Roles Separate
SharePoint 2010 Architecture
“Smallest Highly Available Farm”
• 2 SharePoint Servers running
Web and Service Apps
• 2 Database Servers
(Clustered or Mirrored)
• 1 or 2 Index Partitions with
equivalent query
• Smallest farm size that is
fully highly available
SharePoint 2010 Architecture
“The Six Server Farm”
• 2 Dedicated Web Servers
• 2 Service Application Servers
• 2 Database Servers
(Clustered or Mirrored)
• 1 or 2 Index Partitions with
equivalent query
SharePoint 2010 Architecture
Large Farm
• Multiple Dedicated Web Servers
• Multiple Dedicated Query Servers
• Multiple Dedicated Crawl Servers, with multiple Crawl DBs to increase parallelization of the crawl process
• Multiple distributed Index partitions (max of 10 million items per index partition)
• Two query components for each Index partition, spread among servers
SharePoint 2010
Virtualization Guidelines
Virtualized Farm Architecture
Cost-effective Virtual Environment / No HA
• Allows Organizations that wouldn’t normally be able to have a test environment to run one
• Allows for separation of the database role onto a dedicated server
• Can be more easily scaled out in the future
Virtualized Farm Architecture
Highly Available Farm with only Two Servers across Hosts
• Uses only Ent Edition
Virtualized Farm Architecture
Best Practice Virtual/Physical with HA/Perf
Virtualized Farm Architecture
Large Virtual Farms
Content Database and Site
Collection Architecture
Content Database and Site Collection
• Start with a distributed architecture of content
databases from the beginning, within reason (more
than 50 per SQL instance is not recommended)
• Distribute content across Site Collections from the beginning as well; it is very difficult to extract content after the fact
• Allow your environment to scale and your users to
‘grow into’ their SharePoint site collections
SQL Database Mirroring
SQL Database Mirroring
HA Solutions using Mirrored Copies of SharePoint Databases
• New in SQL 2005, available in both Standard and
Enterprise editions, improved in SQL 2008
• Works by keeping a mirror copy of a database or
databases on two servers
• Can be used locally, or the mirror can be remote
• Can be set to use a two-phase commit process to ensure
integrity of data across both servers
• Can be combined with traditional shared storage
clustering to further improve redundancy
SQL Database Mirroring
SQL Mirroring Modes
• High Performance (Enterprise Edition only)
– Asynchronous Mirroring
– Safety level = OFF
– Failure of principal server may result in data loss
• High Availability
– Synchronous Mirroring
– Safety level = ON
– Dual-commit process ensures no data loss
– Third witness server required
• High Protection
– Synchronous Mirroring
– Safety level = ON
– Manual failover, no witness server
SQL Mirroring Designs
Various SharePoint Mirrored DB Options
• Single Site HA Mirrored Farm
– Synchronous Replication
– All Servers in one Physical Location
• Cross Site Mirrored HA Farm
– Synchronous Replication
– Servers split across highly connected physical sites
• Two Farm / Mirrored Content DBs
– Asynchronous Replication
– Content Databases Mirrored Only
– Manual Failover Process
Single Site HA Mirrored Farm
• Single Site
• Synchronous
• Uses a SQL Witness Server to Failover
• Mirror all SharePoint DBs in the Farm
• Use a SQL Alias to switch to Mirror Instance
Cross-Site Mirrored HA Farm
• Two Sites
• 1 ms
• 1GB
• Farm Servers in
• Auto
Two Farm / Mirrored Content DBs
• Two Sites
• Two Farms
• Mirror only
• Failover is
• Must Reindex
Hardware Planning Considerations
Disk, Memory, and Processor
• SQL Database role requires a great deal of space,
especially if versioning is turned on in Document
Libraries. Don’t underestimate!
• Servers running the Search Service Application Index or
Query need hard drive space to store the Index files,
which can be 5%-30% of the size of the items being
• The more memory and processor cores that can be given to SharePoint the better, in the following priority:
– Database Role
– Search Service Application Role
– Other Service Application Roles
– Web Role
Operating System Best practices
• Highly recommended: Windows Server 2008 R2 for
security, performance (client/server traffic
improvements), and ease of setup.
• Windows Server 2008 SP1 is also possible, but
requires some custom configuration (Kerberos, etc.)
• Enterprise Edition of Windows only required for very
large SQL instances (More than two cluster nodes,
high transaction volume, etc.) Standard edition of
Windows is adequate in nearly all other cases.
Operating System Best practices
SQL Server
• SQL Server 2008 R2 Recommended, particularly if you have
high security requirements, as it allows for transparent
encryption of databases and PowerPivot (R2 only)
• SQL Server 2005 x64 also supported
• Enterprise edition of SQL only required for more than two
nodes in a cluster, Asynchronous database mirror replication,
and/or greater than 32GB RAM
• Separate Reporting Services server may be required for
intensive reporting
• Separate Analysis Services server may be required for
• Create exception in Windows Firewall policy for port 1433
Operating System Best practices
IPv6 for SharePoint Servers
• Yes, it is a good idea.
• IPv4 range has just recently been exhausted on
the Internet (but ISPs will still give out addresses
for a while)
• Enabled by Default with Windows 2008/2008 R2
• Prepare for the future.
• Consider DHCP Reservations of IPv6 addresses for the Primary IP of the SharePoint servers… technical reasons for it are many.
SharePoint Installation
SharePoint Installation
Sample Service Accounts

Service Account Name | Role of Service Account | Special Permissions
 | SharePoint Installation Account | Local Admin on all SharePoint
 | SQL Service Account | Local Admin on Database
 | SharePoint Farm Account; Application Pool Identity account for the Central Admin App Pool |
 | Managed Services Account |
 | Search Account |
 | Default Content Access Account | Read rights to any external data sources to be crawled
 | Default Profiles Content Account | Member of Domain Users (to be able to read attributes from users in domain)
 | Application Pool Identity account for the MySite App Pool | N/A
 | Application Pool Identity account for the Home App Pool | N/A
SharePoint Installation
Installation Process
• For most flexibility, choose
‘Complete’ Installation,
even if not installing all of
the roles on the server.
This will allow for the
addition of roles in the
future as needed.
• Be sure not to select
‘Stand-Alone’, unless you
plan on having a very small
farm with a limited
database (SQL Server
SharePoint Installation
Installation Process
• Highly recommended to
choose the final destination
for the Index/Query to live
(i.e. if it’s on a different
drive, enter that during
installation). It’s difficult to
change index location later.
• Remember, after installing
the binaries, the server is
not a farm member yet…it
can be added to any farm.
Good concept to use to prestage servers.
SharePoint Installation
Command-line Installation of SharePoint
• Good to understand how to install SharePoint from
the command-line, especially if setting up multiple
• Allows for options not available in the GUI, such as
the option to rename databases to something
easier to understand.
• Use PowerShell
# Load the SharePoint cmdlets when the script is run from a plain PowerShell console
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

Function Configure-SPSearch {
    PARAM($AppPool, $FarmName, $SearchServiceAccount)
    # Start the local search service instance so topology components can be bound to it
    $searchServiceInstance = Get-SPEnterpriseSearchServiceInstance -Local
    Start-SPEnterpriseSearchServiceInstance -Identity $searchServiceInstance
    # Database name chosen here instead of the GUID-suffixed default the GUI would create
    $dbName = $FarmName + "_SearchServiceApplication"
    $searchApplication = New-SPEnterpriseSearchServiceApplication -Name "$FarmName Search Service Application" -ApplicationPool $AppPool -DatabaseName $dbName
    $searchApplicationProxy = New-SPEnterpriseSearchServiceApplicationProxy -Name "$FarmName Search Service Application Proxy" -SearchApplication $searchApplication
    Set-SPEnterpriseSearchAdministrationComponent -SearchApplication $searchApplication -SearchServiceInstance $searchServiceInstance
    # Crawl topology: one crawl component on this server, using the default crawl database
    $crawlTopology = New-SPEnterpriseSearchCrawlTopology -SearchApplication $searchApplication
    $crawlDatabase = Get-SPEnterpriseSearchCrawlDatabase -SearchApplication $searchApplication
    New-SPEnterpriseSearchCrawlComponent -CrawlTopology $crawlTopology -CrawlDatabase $crawlDatabase -SearchServiceInstance $searchServiceInstance
    # Activation is asynchronous; keep requesting it and poll until the topology reports Active
    while ($crawlTopology.State -ne "Active") {
        $crawlTopology | Set-SPEnterpriseSearchCrawlTopology -Active -ErrorAction SilentlyContinue
        if ($crawlTopology.State -ne "Active") {
            Start-Sleep -Seconds 10
        }
    }
    # Query topology: one index partition with one query component, bound to the property database
    $queryTopology = New-SPEnterpriseSearchQueryTopology -SearchApplication $searchApplication -Partitions 1
    $searchIndexPartition = Get-SPEnterpriseSearchIndexPartition -QueryTopology $queryTopology
    New-SPEnterpriseSearchQueryComponent -IndexPartition $searchIndexPartition -QueryTopology $queryTopology -SearchServiceInstance $searchServiceInstance
    $propertyDB = Get-SPEnterpriseSearchPropertyDatabase -SearchApplication $searchApplication
    Set-SPEnterpriseSearchIndexPartition $searchIndexPartition -PropertyDatabase $propertyDB
    while ($queryTopology.State -ne "Active") {
        $queryTopology | Set-SPEnterpriseSearchQueryTopology -Active -ErrorAction SilentlyContinue
        if ($queryTopology.State -ne "Active") {
            Start-Sleep -Seconds 10
        }
    }
}
SharePoint Installation
Some Manual Service Apps Still Required
• Due to bugs in SharePoint, certain Service Apps
will need to be manually configured, they won’t
work in PowerShell yet, hopefully fixed in later
• This includes the following:
– PerformancePoint Service Application
– User Profile Service Application
– Web Analytics Service Application
Configuring the Farm
Configuring the Farm
Running the Config Wizard to Install Servers (If used)
• Consider using an easy to
remember port for the Central
Admin service (i.e. 8888). Change
to 443 later.
• You are welcome to change the
Config Database name to match a
common naming convention
• Your database access account is
the SP Service account, which
only needs DBCreator and
Security Admin rights on SQL.
Don’t give it more!
• Run the wizard on additional
servers as necessary
Configuring the Farm
SQL Alias
• A SQL Alias will help you if you need to change your DB location. For example, if your SQL server name is ‘SQL1’, use something like ‘SPSQL’ to connect, and have DNS point to the proper server location. This makes it MUCH more flexible.
• Use the SQL Native Client 10.0 Configuration (32bit) node to create the alias
Configuring the Farm
SQL Alias
• Install SQL Client Tools, including the Backwards
Compatibility Client Tools.
• Launch the SQL Server Configuration Manager and create
three SQL aliases using the 32bit Alias section:
• Point all to the SQL server name, port 1433.
• Launch the SQL Server Client Network Utility
(\System32\cliconfg.exe) and create the same 3 aliases as
above using TCP/IP and port 1433. Make sure to map the
alias to the SQL netbios name (or cluster netbios name) as
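The two alias steps above (SQL Server Configuration Manager and cliconfg.exe) write to two different registry hives, and a farm where they disagree will have 64-bit and 32-bit clients talking to different servers. The following script is an added example, not part of the presentation; it creates the three aliases in both hives and checks that they match. The server name, port and alias names are constructed values.

```powershell
# Added example: create the three SQL aliases in both client hives and verify them.
# Assumed/constructed values: SQL host 'SQL1', port 1433, the three alias names.
$SqlServer = 'SQL1'                                   # real SQL NetBIOS or cluster name
$Port      = 1433
$Aliases   = 'spdbcontent', 'spdbservices', 'spdbsearch'

# 64-bit SQL Native Client and 32-bit clients (cliconfg.exe) read different keys.
$Hives = @(
    'HKLM:\SOFTWARE\Microsoft\MSSQLServer\Client\ConnectTo',
    'HKLM:\SOFTWARE\Wow6432Node\Microsoft\MSSQLServer\Client\ConnectTo'
)

function Set-SqlAlias {
    param([string]$Alias, [string]$Server, [int]$TcpPort)
    # DBMSSOCN selects the TCP/IP network library, the same choice as the GUI alias dialog.
    $data = "DBMSSOCN,$Server,$TcpPort"
    foreach ($hive in $Hives) {
        if (-not (Test-Path $hive)) { New-Item -Path $hive -Force | Out-Null }
        New-ItemProperty -Path $hive -Name $Alias -PropertyType String -Value $data -Force | Out-Null
    }
}

function Test-SqlAlias {
    param([string]$Alias)
    # Read the alias back from both hives; a mismatch means some clients bypass the alias.
    $values = foreach ($hive in $Hives) {
        (Get-ItemProperty -Path $hive -Name $Alias -ErrorAction SilentlyContinue).$Alias
    }
    $ok = ($values.Count -eq 2) -and ($values[0] -eq $values[1]) -and ($values[0] -like 'DBMSSOCN,*')
    New-Object PSObject -Property @{
        Alias      = $Alias
        Consistent = $ok
        Target     = ($values | Select-Object -First 1)
    }
}

foreach ($a in $Aliases) { Set-SqlAlias -Alias $a -Server $SqlServer -TcpPort $Port }
$Aliases | ForEach-Object { Test-SqlAlias -Alias $_ } | Format-Table Alias, Consistent, Target -AutoSize
```

Run it elevated on every SharePoint server; if Kerberos is used to SQL, remember that the SPN must carry the alias name, not the real server name (see the Kerberos steps later in this deck).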
Configuring the Farm
Network Load Balancing
• Hardware Based Load Balancing (F5, Cisco, Citrix NetScaler) – Best performance and scalability
• Software Windows Network Load Balancing fully
• If using Unicast, use two NICs on the server, one
for communications between nodes.
• If using Multicast, be sure to configure routers
• Set Affinity to Single (Sticky Sessions)
Configuring the Farm
Network Load Balancing
• Best Practice – Create Multiple Web Apps with Load-balanced VIPs (Sample below)
– Web Role Servers
• Web Role Server #1
• Web Role Server #2
– Clustered VIPs shared between SP1 and SP2 (Create A records in DNS)
• Cluster
• SP Central Admin
• Inbound Email VIP
• Main SP Web App (can be
• Main MySites Web App
Configuring the Farm
Security Considerations
• Infrastructure Security and Best Practices
– Best Practice Service Account Setup
– Kerberos Authentication
• Data Security
– SharePoint Security ACLs and Role Based Access
Control (RBAC)
– Transparent Data Encryption (TDE) of SQL Databases
• Transport Security
– Secure Sockets Layer (SSL) from Server to Client
– IPSec from Client to Server
– Inbound Internet Security (Forefront UAG/TMG) / Certs
• Rights Management
Configuring the Farm
SSL Certificates
• External or Internal Certs highly
• Protects Transport of content
• 20% overhead on Web Servers
• Can be offloaded via SSL offloaders if
• Don’t forget for SPCA as well!
Configuring the Farm
User Profile Sync (UPS) Setup
• Most complex part of a SharePoint installation
• Uses the Forefront Identity Manager (FIM)
subcomponent on the server to synch My Site
Profiles with external directory source such Active
• Would take an entire session to describe the
process, but best blog on the topic is SharePoint
MVP Spencer Harbar’s (
• To configure diagnostic logging
– On the Central Administration Home page, click Monitoring.
– In the Reporting section, click Configure diagnostic logging.
– On the Diagnostic Logging page, verify that Enable Event Log Flood Protection
is selected. If not, click the corresponding check box to enable this feature.
– Leave default values for other items
– Click OK to save your changes.
• To configure usage and health data collection:
– On the Central Administration Monitoring page, click Configure usage and
health data collection.
– Click the check box to Enable Usage Data Collection.
– Click the check box to Enable Health Data Collection.
– Name database
– Leave all other settings at default
– Click OK.
Configuring the Farm
Best Practices
• For Email enabled content, create a dedicated OU for Email
enabled contacts and distribution lists and give the SP Admin
account rights to create and modify contacts and groups in
that OU.
• Don’t forget Alternate Access Mappings if connecting to the
content in more than one way (i.e. vs. just http://home)
• If using SSL on a web app, it must have a dedicated IP address,
not just a host header
• Don’t forget to install Antivirus (MS Forefront Protection for
SharePoint recommended)
• Don’t forget a comprehensive backup solution (MS System
Center Data Protection Manager (DPM) 2010 recommended)
Best practice: Enable Kerberos!
• When creating any Web Applications for Content, USE
KERBEROS. It is much more secure and also faster with heavy
loads as the SP server doesn’t have to keep asking for auth
requests from AD.
• Kerberos auth does require extra steps, which makes people
shy away from it, but once configured, it improves security
considerably and can improve performance on high-load sites.
Step 1: Create the Service Principal Names
• Use the setspn utility to create Service Principal Names in AD, using syntax like the following:
– Setspn.exe -A HTTP/
– Setspn.exe -A HTTP/mysite DOMAINNAME\MYSITEAppAccount
– Setspn.exe -A HTTP/
– Setspn.exe -A HTTP/sp DOMAINNAME\HOMEAppAccount
Step 2: Enable Kerberos from SP Servers to SQL
• Use setspn to create SPNs for SQL Service Account
• SPNs need to match the name that SharePoint uses
to connect to SQL (Ideally SQL Alias, more on this
• Syntax similar to following:
– Setspn.exe -A MSSQLSvc/spsql:1433 COMPANYABC\SRV-SQL-DB
– Setspn.exe -A MSSQLSvc/
• MSSQLSvc = Default instance, if named instance, specify the
name instead
• In this example, SRV-SQL-DB is the SQL Admin account
Step 3: Allow User and Computer Accounts to Delegate (Optional)
• Required for Excel Services
and other impersonation
• On all SP Computer accounts
and on the Application
Identity accounts, check the
box in ADUC to allow for
– In ADUC, navigate to the
computer or user account,
right-click and choose
– Go to the Delegation tab
– Choose Trust this
user/computer for delegation
to any service (Kerberos)
Step 4: Enable Kerberos on Web Application
• Go to Application Management – Authentication Providers
• Choose the appropriate Web Application
• Click on the link for ‘Default’ under Zone
• Change to Integrated Windows Authentication - Kerberos
• Run iisreset /noforce from the command prompt
• If creating Web App from scratch, this step may be unnecessary if you choose Negotiate from the beginning
Step 5: Validate Kerberos Functionality
• Logon to SharePoint Web Front-End as the setup account
• Launch the SQL Management Studio
• At the Connect to Server screen, connect to one of the alias names (spdbcontent, spdbservices, spdbsearch)
• Make sure you are able to connect to the SQL server
• Login to the SQL server as SQL Admin account
• Launch Server Manager
• View Security event log under Diagnostics
• Look for Event ID 4624/Logon
• Open the event and look under the Detailed Authentication Information section, which should read Kerberos for both Logon Process and Authentication Package for the Setup account
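Steps 1 to 5 can be checked in one pass instead of by hand. The script below is an added example, not part of the presentation: it queries AD for each SPN (including duplicates, which silently break Kerberos), asks SQL Server which scheme actually authenticated the connection made through the alias, and summarises the Authentication Package of 4624 logons for the setup account. The SPN list, account names, alias and the setspn -Q output format are assumptions taken from the steps above, not verified against a live farm.

```powershell
# Added example: verify Kerberos end to end. Constructed/assumed values below.
$ExpectedSpns = @{                                  # SPN -> account that should own it
    'HTTP/mysite'         = 'DOMAINNAME\MYSITEAppAccount'   # Step 1
    'HTTP/sp'             = 'DOMAINNAME\HOMEAppAccount'     # Step 1
    'MSSQLSvc/spsql:1433' = 'COMPANYABC\SRV-SQL-DB'         # Step 2 (SQL alias name, not server name)
}

function Test-Spn {
    # setspn -Q lists every AD object holding the SPN; more than one "CN=" line is a
    # duplicate SPN, and the KDC then cannot issue a usable ticket for that service.
    param([string]$Spn)
    $out    = & setspn.exe -Q $Spn 2>&1
    $owners = @($out | Where-Object { $_ -match '^CN=' })
    New-Object PSObject -Property @{
        Spn       = $Spn
        Expected  = $ExpectedSpns[$Spn]
        Found     = [bool]($out -match 'Existing SPN found')
        Duplicate = ($owners.Count -gt 1)
        Owner     = ($owners -join '; ')
    }
}

function Get-SqlAuthScheme {
    # Ask SQL how it authenticated THIS connection. 'NTLM' means the connection worked
    # but the SPN for the alias name is missing or wrong, so Kerberos silently fell back.
    param([string]$Server)
    $cn = New-Object System.Data.SqlClient.SqlConnection("Server=$Server;Integrated Security=SSPI;Database=master")
    try {
        $cn.Open()
        $cmd = $cn.CreateCommand()
        $cmd.CommandText = 'SELECT auth_scheme FROM sys.dm_exec_connections WHERE session_id = @@SPID'
        [string]$cmd.ExecuteScalar()
    } finally { $cn.Close() }
}

function Get-LogonAuthPackages {
    # Same check as Step 5, read from the Security log: count 4624 logons for the
    # account by Authentication Package (Kerberos vs NTLM). Run on the SQL server.
    param([string]$Account, [int]$MaxEvents = 500)
    Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4624 } -MaxEvents $MaxEvents |
        ForEach-Object {
            $data = @{}
            foreach ($d in ([xml]$_.ToXml()).Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
            if ($data['TargetUserName'] -eq $Account) { $data['AuthenticationPackageName'] }
        } | Group-Object | Select-Object Name, Count
}

$ExpectedSpns.Keys | ForEach-Object { Test-Spn $_ } | Format-Table Spn, Found, Duplicate, Owner, Expected -AutoSize
"SQL auth scheme via alias spsql: " + (Get-SqlAuthScheme -Server 'spsql')
Get-LogonAuthPackages -Account 'SetupAccount' | Format-Table -AutoSize   # 'SetupAccount' is a placeholder
```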
Bonuses for SPCA – Kerberos, NLB, SSL, and Default Port
• Bonus #1: Enable Kerberos
– Add the SPNs for SPCA: HTTP/, HTTP/spca (Add to App Pool Identity Account for SPCA)
– Configure Kerberos as defined in this presentation
• Bonus #2: Configure for SSL
– Encrypts traffic and Admin passwords
– Create and install Web certs for
• Bonus #3: Load Balance SPCA
– Install SPCA on multiple web role servers
– Enable either Hardware NLB or Software Windows Network Load Balancing
– Requires DNS A record (, registry key and AAM modification (below)
• Bonus #4: Setup SPCA on port 443/80
– Delete default IIS Web Site
– Assign dedicated IP (VIP if load balancing) to SPCA Web App
– Run STSADM to change the port(s):
  stsadm -o setadminport -port 80
  stsadm -o setadminport -ssl -port 443
– Change Port to 80 and 443 in IIS, Assign Cert (if using SSL)
– Modify SPCA URL on SP Servers - “HKLM\SOFTWARE\Microsoft\Shared Tools\Web Server Extensions\14.0\WSS\CentralAdministrationURL” (REG_SZ) =
– Change your default AAM to
Session Takeaways
• Use multiple service accounts, definitely don’t
mix Application Pool identity accounts with the
farm admin accounts
• Use Kerberos when at all possible
• Use a SQL DB Alias for greatest flexibility with a
SP Farm
• Consider DB Mirroring as a DR option
• A five server farm is the smallest that is highly
• One last best practice – Don’t forget Antivirus
and Backup
Michael Noel
Twitter: @MichaelTNoel