Deployment for Office SharePoint Server 2007

Microsoft Corporation

Published: March 2009

Author: Microsoft Office System and Servers Team ([email protected])

Abstract

This book provides deployment instructions for Microsoft Office SharePoint Server 2007. The audiences for this book include application specialists, line-of-business application specialists, and IT administrators who are ready to deploy Office SharePoint Server 2007 and want installation steps. Before using the instructions in this book you should read the Planning and architecture for Office SharePoint Server (http://technet.microsoft.com/en-us/library/cc261834.aspx) and plan your deployment. For a complete list of downloadable books for Office SharePoint Server 2007, see Downloadable books for Office SharePoint Server 2007 (http://technet.microsoft.com/en-us/library/cc262788.aspx).

The content in this book is a copy of selected content in the Office SharePoint Server technical library (http://go.microsoft.com/fwlink/?LinkId=84739) as of the publication date. For the most current content, see the technical library on the Web.




The information contained in this document represents the current view of Microsoft Corporation on the issues discussed as of the date of publication. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information presented after the date of publication.

This White Paper is for informational purposes only. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS DOCUMENT.

Complying with all applicable copyright laws is the responsibility of the user. Without limiting the rights under copyright, no part of this document may be reproduced, stored in or introduced into a retrieval system, or transmitted in any form or by any means (electronic, mechanical, photocopying, recording, or otherwise), or for any purpose, without the express written permission of Microsoft Corporation.

Microsoft may have patents, patent applications, trademarks, copyrights, or other intellectual property rights covering subject matter in this document. Except as expressly provided in any written license agreement from Microsoft, the furnishing of this document does not give you any license to these patents, trademarks, copyrights, or other intellectual property.

Unless otherwise noted, the example companies, organizations, products, domain names, e-mail addresses, logos, people, places and events depicted herein are fictitious, and no association with any real company, organization, product, domain name, email address, logo, person, place or event is intended or should be inferred.

© 2009 Microsoft Corporation. All rights reserved.

Microsoft, Access, Active Directory, Excel, Groove, InfoPath, Internet Explorer, OneNote, Outlook, PowerPoint, SharePoint, SQL Server, Visio, Windows, Windows Server, and Windows Vista are either registered trademarks or trademarks of Microsoft Corporation in the United States and/or other countries.

The names of actual companies and products mentioned herein may be the trademarks of their respective owners.


Contents

Getting Help ............................................................................................................................. xv

Roadmap to Office SharePoint Server 2007 content ................................................................ 1

Office SharePoint Server 2007 content by audience ................................................................ 1

Office SharePoint Server 2007 IT professional content by stage of the IT life cycle ................ 2

Evaluate .............................................................................................................................. 3

Plan ..................................................................................................................................... 3

Deploy ................................................................................................................................. 5

Operate ............................................................................................................................... 6

Security and Protection ....................................................................................................... 7

Technical Reference ........................................................................................................... 7

Deployment worksheets for Office SharePoint Server 2007 ..................................................... 8

Deployment worksheets by task ................................................................................................ 8

Deployment worksheets by title ................................................................................................. 9

I. End-to-end deployment scenarios ........................................................................................ 11

Chapter overview: End-to-end deployment scenarios ............................................................ 12

Install Office SharePoint Server 2007 on a stand-alone computer ......................................... 14

Hardware and software requirements ..................................................................................... 14

Configure the server as a Web server ..................................................................................... 15

Install and configure IIS .................................................................................................... 15

Install the Microsoft .NET Framework version 3.0 ............................................................ 15

Enable ASP.NET 2.0......................................................................................................... 16

Install and configure Office SharePoint Server 2007 with Microsoft SQL Server 2005 Express

Edition .................................................................................................................................. 16

Post-installation steps .............................................................................................................. 18

Deploy in a simple server farm ................................................................................................ 20

Deployment overview .............................................................................................................. 20

Suggested topologies ....................................................................................................... 21

Before you begin deployment ........................................................................................... 21

Overview of the deployment process ................................................................................ 23

Deploy and configure the server infrastructure ....................................................................... 23

Security account requirements ......................................................................................... 23

Prepare the database server ............................................................................................ 24

Verify that servers meet hardware and software requirements ........................................ 26

Run Setup and build the farm ........................................................................................... 28

Run Setup on the first server ............................................................................................ 30

Run the SharePoint Products and Technologies Configuration Wizard ........................... 31

Page 4: AF010163853

iv

Add the SharePoint Central Administration Web site to the list of trusted sites ............... 32

Configure proxy server settings to bypass the proxy server for local addresses ............. 33

Add servers to the farm ..................................................................................................... 33

Run the SharePoint Products and Technologies Configuration Wizard on additional

servers ........................................................................................................................... 35

Start the Windows SharePoint Services Search service (optional) .................................. 35

Stop the Central Administration service on all index servers ............................................ 36

Disable the Windows SharePoint Services Web Application service on all servers not

serving content .............................................................................................................. 36

Create and configure a Shared Services Provider .................................................................. 37

Start the Office SharePoint Server Search service ........................................................... 37

Create a Web application to host the SSP and create the SSP ....................................... 39

Perform additional configuration tasks .................................................................................... 40

Create a site collection and a SharePoint site ......................................................................... 41

Configure the trace log ............................................................................................................ 45

Deploy using DBA-created databases .................................................................................... 47

About deploying by using DBA-created databases ................................................................. 47

Required database hardware and software ............................................................................ 48

Required accounts ................................................................................................................... 48

Create and configure the databases ....................................................................................... 50

Deploy a simple farm on the Windows Server 2008 operating system ................................... 57

Deployment overview .............................................................................................................. 57

Suggested topologies........................................................................................................ 58

Before you begin deployment ........................................................................................... 58

Overview of the deployment process ................................................................................ 59

Deploy and configure the server infrastructure ....................................................................... 60

Prepare the database server ............................................................................................ 60

Verify that servers meet hardware and software requirements ........................................ 62

Run Setup on all servers in the farm ................................................................................. 63

Run the SharePoint Products and Technologies Configuration Wizard.................................. 76

Run the SharePoint Products and Technologies Configuration Wizard on additional

servers ........................................................................................................................... 83

Start the Windows SharePoint Services Search Service .................................................. 83

Configure Windows Firewall with Advance Security ......................................................... 84

Perform additional configuration tasks .................................................................................... 86

Create a site collection and a SharePoint site ......................................................................... 88

Configure the trace log ............................................................................................................ 92

Configure Windows Server Backup .................................................................................. 93

Install Office SharePoint Server 2007 by using the command line ......................................... 95

Install software requirements ................................................................................................... 95

Determine required accounts for installation ........................................................................... 96

Install Microsoft Office SharePoint Server 2007 by running Setup at a command prompt ..... 98

Page 5: AF010163853

v

Configure the server by using the Psconfig command-line tool ............................................ 101

Configure SharePoint Server 2007 on a stand-alone server .......................................... 101

Configure SharePoint Server 2007 on a farm ................................................................. 101

Perform additional configuration tasks .................................................................................. 103

Create a Shared Services Provider (SSP) by using the Stsadm command-line tool ............ 104

Create a site collection by using the Stsadm command-line tool .......................................... 106

Configure the trace log .......................................................................................................... 109

Install Office SharePoint Server 2007 with least privilege administration by using the

command line ..................................................................................................................... 110

Install software requirements................................................................................................. 111

Determine required accounts for least-privilege administration ............................................ 111

Install Microsoft Office SharePoint Server 2007 by using least-privilege administration ...... 114

Configure the server by using the Psconfig command-line tool ............................................ 116

Configure SharePoint Server 2007 on a stand-alone server .......................................... 116

Configure SharePoint Server 2007 on a farm ................................................................. 117

Perform additional configuration tasks .................................................................................. 119

Create a Shared Services Provider by using the Stsadm command-line tool ...................... 119

Create a site collection by using the Stsadm command-line tool .......................................... 122

Configure the trace log .......................................................................................................... 123

Migrate a stand-alone installation to a server farm installation ............................................. 125

Install SharePoint Portal Server 2007 on a new farm ........................................................... 126

Prepare servers for installation ....................................................................................... 126

Install SharePoint Server 2007 and configure the server by using the SharePoint

Products and Technologies configuration wizard ........................................................ 127

Migrate data from the stand-alone server ............................................................................. 127

Stsadm Command-Line Tool .......................................................................................... 130

Create and attach data from the Shared Services Provider (SSP) ....................................... 131

Attach site collection data from content databases ............................................................... 132

Perform a stand-alone installation of Office SharePoint Server 2007 on Windows Server 2008

........................................................................................................................................... 134

Hardware and software requirements ................................................................................... 135

IIS 6.0 Management Compatibility role service .............................................................. 135

Microsoft .NET Framework version 3.0........................................................................... 135

Perform installation steps ...................................................................................................... 136

Configure SharePoint Products and Technologies ......................................................... 137

Perform post-installation steps .............................................................................................. 139

Configure the trace log .......................................................................................................... 140

Configure Windows Server Backup ....................................................................................... 141

II. Install Office SharePoint Server 2007 in a server farm environment ................................ 143

Chapter overview: Install Office SharePoint Server 2007 in a server farm environment ...... 144

Page 6: AF010163853

vi

Suggested topologies ............................................................................................................ 144

Before you begin deployment ................................................................................................ 145

Overview of the deployment process .................................................................................... 146

Phase 1: Deploy and configure the server infrastructure ................................................ 146

Phase 2: Create and configure a Shared Services Provider .......................................... 147

Phase 3: Deploy and configure SharePoint site collections and sites ............................ 147

Prepare the database servers ............................................................................................... 148

SQL Server and database collation ....................................................................................... 148

Required accounts ................................................................................................................. 149

Preinstall databases (optional) .............................................................................................. 149

Prepare the Web and application servers ............................................................................. 150

Install the Microsoft .NET Framework version 3.0 ................................................................. 150

Enable ASP.NET 2.0 ............................................................................................................. 150

Install Office SharePoint Server 2007 and run the SharePoint Products and Technologies

configuration wizard ........................................................................................................... 151

Recommended order of configuration ................................................................................... 151

Add servers to the farm ................................................................................................... 153

Run Setup on the first server ................................................................................................. 153

Run the SharePoint Products and Technologies Configuration Wizard................................ 154

Add the SharePoint Central Administration Web site to the list of trusted sites .................... 156

Configure proxy server settings to bypass the proxy server for local addresses .................. 156

Add servers to the farm ......................................................................................................... 156

Run the SharePoint Products and Technologies Configuration Wizard on additional servers

............................................................................................................................................ 158

Start the Windows SharePoint Services Search service (optional) ....................................... 159

Stop the Central Administration service on all index servers ................................................ 159

Disable the Windows SharePoint Services Web Application service on all servers not serving

content ................................................................................................................................ 160

Deploy language packs ......................................................................................................... 161

About language IDs and language packs .............................................................................. 162

Preparing your front-end Web servers for language packs ................................................... 163

Installing language packs on your front-end Web servers .................................................... 164

III. Create and configure Shared Services Providers ............................................................ 167

Chapter overview: Create and configure Shared Services Providers ................................... 168

Configure the primary Shared Services Provider .................................................................. 169

Create the Shared Services Provider .................................................................................... 169

Create a new SSP ................................................................................................................. 171

Associate an SSP with a Web application ............................................................................. 172

Page 7: AF010163853

vii

Configure the Office SharePoint Server Search service ....................................................... 173

Server-level configuration ...................................................................................................... 173

Install protocol handlers .................................................................................................. 173

Install and register IFilters ............................................................................................... 174

Farm-level configuration ........................................................................................................ 176

Create crawler impact rules ............................................................................................ 176

Configure farm-level search settings .............................................................................. 177

Configure the trace log .................................................................................................... 178

SSP-level configuration ......................................................................................................... 179

Open the administration page for the SSP ..................................................................... 179

Specify the default content access account .................................................................... 179

Create content sources ................................................................................................... 179

Create crawl rules ........................................................................................................... 181

Reorder your crawl rules ................................................................................................. 182

Configure the file type inclusions list ............................................................................... 183

Crawl the content ............................................................................................................ 183

Create managed properties ............................................................................................ 184

Create shared scopes ..................................................................................................... 185

Create scope rules .......................................................................................................... 186

Specify authoritative pages ............................................................................................. 189

Create server name mappings ........................................................................................ 190

Manage search-based alerts .......................................................................................... 190

Site collection–level configuration ......................................................................................... 191

Create scopes at the site collection level ........................................................................ 191

Create scope rules at the site collection level ................................................................. 192

Manage display groups ................................................................................................... 194

Create keywords and Best Bets ...................................................................................... 196

A. Configure personalization ................................................................................................. 198

Chapter overview: Configure personalization ........................................................................ 199

Configure personalization permissions ................................................................................. 199

Configure connections to personalization services ............................................................... 199

Configure targeted content .................................................................................................... 200

Configure personalization sites ............................................................................................. 200

Configure policies for Profile Services ................................................................................... 200

Configure personalization permissions ................................................................................. 201

Configure SSP administrator permissions for Profile Services ............................................. 201

Configure access to the SSP pages ...................................................................................... 202

Configure user permissions for personalization .................................................................... 203

Configure access to trusted My Site host locations............................................................... 204

Configure connections to Profile Services ............................................................................. 206

Configure import settings ....................................................................................................... 206

Page 8: AF010163853

viii

Add import connections ......................................................................................................... 207

Configure user profiles .......................................................................................................... 211

Configure targeted content .................................................................................................... 214

Create and configure audiences ............................................................................................ 214

Configure published links to Office client applications .......................................................... 216

Configure personalization site links ....................................................................................... 216

Configure access to trusted My Site host locations ............................................................... 217

Configure personalization sites ............................................................................................. 219

Create personalization sites .................................................................................................. 219

Design personalization sites .................................................................................................. 220

Target personalization site links ............................................................................................ 220

Configure policies for Profile Services ................................................................................... 222

Configure policies for personalization features ..................................................................... 222

Configure policies for user profiles ........................................................................................ 223

B. Configure business intelligence features .......................................................................... 226

Chapter overview: Configure business intelligence features ................................................ 227

Configure access to business data........................................................................................ 227

Register line-of-business applications in the Business Data Catalog ................................... 227

Customize business data lists, Web Parts, and sites ............................................................ 228

Configure business data search ............................................................................................ 228

Configure access to business data........................................................................................ 229

Configure SSP administrator rights for the Business Data Catalog ...................................... 229

Configure access to the SSP pages ...................................................................................... 230

Configure application definitions and single sign-on for the Business Data Catalog ............ 231

Configure data warehousing .................................................................................................. 232

Configure permissions for business data .............................................................................. 233

Register business applications in the Business Data Catalog .............................................. 235

Create application definitions ................................................................................................ 235

Import application definitions ................................................................................................. 236

Configure enterprise application definitions for single sign-on .............................................. 236

Configure business data types and fields .............................................................................. 238

Manage permissions for an application or entity ............................................................ 238

Add business data actions for an entity .......................................................................... 239

Edit the profile page template ......................................................................................... 240

Customize business data lists, Web Parts, and sites ............................................................ 241

Create business data lists ..................................................................................................... 241

Create KPIs and KPI lists ...................................................................................................... 242

Create and configure reports in the Report Center site......................................................... 243


Create and configure dashboard sites .................................................................................. 243

Create other business data sites ........................................................................................... 244

Configure business data search ............................................................................................ 246

Ensure availability of business data ...................................................................................... 246

Configure and crawl business data content sources ............................................................. 246

Configure and customize query options for business data ................................................... 247

C. Configure Excel Services .................................................................................................. 249

Chapter overview: Configure Excel Services ........................................................................ 250

About Excel Services configuration ....................................................................................... 250

Add a trusted file location ...................................................................................................... 251

About trusted file locations .................................................................................................... 251

Add a trusted file location ...................................................................................................... 251

Start the Single Sign-On service ........................................................................................... 253

About single sign-on authentication ...................................................................................... 253

Start the Single Sign-On service ........................................................................................... 253

Manage settings for single sign-on ........................................................................................ 254

About single sign-on settings................................................................................................. 254

Manage single sign-on settings ............................................................................................. 254

Add a trusted data provider ................................................................................................... 255

About trusted data providers ................................................................................................. 255

Add a trusted data provider ................................................................................................... 255

Add a trusted data connection library .................................................................................... 257

About trusted data connection libraries ................................................................................. 257

Add a trusted data connection library .................................................................................... 257

Enable user-defined functions ............................................................................................... 259

About user-defined functions ................................................................................................. 259

Enable user-defined functions ............................................................................................... 259

Enable user-defined functions for workbooks in a trusted file location ................................. 260

D. Configure InfoPath Forms Services .................................................................................. 261

Configure InfoPath Forms Services for Office SharePoint Server ........................................ 262

Configure InfoPath Forms Services using Central Administration ........................................ 262

Configure session state for InfoPath Forms Services ........................................................... 265

Configure session state for Forms Services .......................................................................... 265

Session state versus Form view ............................................................................................ 265

E. Configure Office Project Server ........................................................................................ 267


Deploy Project Server 2007 with Office SharePoint Server 2007 ......................................... 268

IV. Perform additional configuration tasks ............................................................................. 269

Chapter overview: Additional configuration tasks .................................................................. 270

Configure additional administrative settings .......................................................................... 270

Configure incoming e-mail settings ....................................................................................... 272

Install and configure the SMTP service ................................................................................. 273

Start the Windows SharePoint Services Web Application service ................................. 273

Install the SMTP service ................................................................................................. 273

Configure the SMTP service ........................................................................................... 274

Add an SMTP connector in Exchange Server ................................................................ 275

Configure Active Directory ..................................................................................................... 275

Configure Active Directory under atypical circumstances ............................................... 277

To delegate full control of the organizational unit to the Central Administration application pool account ........................................................................................................................ 277

To add the Delete Subtree permission for the Central Administration application pool account .................................................................................................................................... 278

Configure permissions to the e-mail drop folder .................................................................... 279

Configure e-mail drop folder permissions for the logon account for the Windows SharePoint Services Timer service ......................................................................................................... 279

Configure e-mail drop folder permissions for the application pool account for a Web application ............................................................................................................................ 279

Configure DNS Manager ....................................................................................................... 280

Configure attachments from Outlook 2003 ............................................................................ 281

Configure incoming e-mail settings ....................................................................................... 281

Configuring incoming e-mail on SharePoint sites .................................................................. 283

Configure outgoing e-mail settings ........................................................................................ 284

Install and configure the SMTP service ................................................................................. 284

Install the SMTP service ................................................................................................. 284

Configure the SMTP service ........................................................................................... 285

Configure outgoing e-mail settings ........................................................................................ 286

Configure outgoing e-mail settings for a specific Web application ........................................ 287

Install and configure the SMTP service ................................................................................. 287

Install the SMTP service ................................................................................................. 287

Configure the SMTP service ........................................................................................... 288

Configure outgoing e-mail settings ........................................................................................ 289

Configure workflow settings ................................................................................................... 290

Configuring workflow settings ................................................................................................ 290

Configure diagnostic logging settings .................................................................................... 292

Customer Experience Improvement Program ....................................................................... 292


Error reports........................................................................................................................... 292

Event throttling ....................................................................................................................... 293

Configuring diagnostic logging settings ................................................................................. 294

Configure single sign-on ........................................................................................................ 296

Configure and start the Microsoft Single Sign-On service .................................................... 296

Configure Single Sign-On for Office SharePoint Server 2007 .............................................. 297

Manage the encryption key ................................................................................................... 299

Create a new encryption key .......................................................................................... 299

Back up an encryption key .............................................................................................. 300

Restore an encryption key .............................................................................................. 300

Manage enterprise application definitions ............................................................................. 300

Manage account information for an enterprise application definition .................................... 301

Configure antivirus settings ................................................................................................... 303

Administrative credentials ...................................................................................................... 303

Configure authentication ........................................................................................................ 304

Office SharePoint Server authentication ............................................................................... 304

Windows authentication provider........................................................................................... 305

Forms authentication provider ............................................................................................... 308

Web single sign-on (SSO) authentication provider ............................................................... 308

Configure anonymous access ............................................................................................... 309

About anonymous access ..................................................................................................... 309

Enable anonymous access for a zone .................................................................................. 309

Enable anonymous access for individual sites ...................................................................... 310

Enable anonymous access for individual lists ....................................................................... 311

Configure digest authentication ............................................................................................. 312

About digest authentication ................................................................................................... 312

Enable digest authentication for a zone of a Web application .............................................. 313

Configure IIS to enable digest authentication ........................................................................ 313

Configure forms-based authentication .................................................................................. 315

About forms-based authentication ......................................................................................... 315

Configure forms-based authentication across multiple zones ............................................... 318

Configure forms-based authentication for My Sites Web applications .................................. 319

Configure the SSP for forms-based authentication ............................................................... 322

Configure user profiles and people search ............................................................................ 324

Configure Web SSO authentication by using ADFS ............................................................. 326

About federated authentication systems ............................................................................... 326

Before you begin ................................................................................................................... 326

Configuring your extranet Web application to use Web SSO authentication ........................ 327

Allowing users access to your extranet Web site .................................................................. 329


About using Central Administration ................................................................................. 331

Working with the People Picker ............................................................................................. 332

Working with E-mail and UPN claims .................................................................................... 333

Working with groups and organizational group claims .......................................................... 333

Configure Kerberos authentication ........................................................................................ 336

About Kerberos authentication .............................................................................................. 336

Before you begin.................................................................................................................... 337

Software version requirements ....................................................................................... 338

Known issues .................................................................................................................. 338

Additional background..................................................................................................... 339

Server farm topology ....................................................................................................... 340

Active Directory, computer naming, and NLB conventions ............................................. 341

Active Directory domain account conventions ................................................................ 342

Preliminary configuration requirements .......................................................................... 343

Configure Kerberos authentication for SQL communications ............................................... 343

Create the SPNs for your SQL Server service account .................................................. 344

Confirm Kerberos authentication is used to connect servers running Office SharePoint Server 2007 to SQL Server ....................................................................................................... 344

Configure Internet Explorer to include port numbers in Service Principal Names ................ 346

Create Service Principal Names for your Web applications using Kerberos authentication . 347

Deploy the server farm .......................................................................................................... 348

Install Office SharePoint Server 2007 on all of your servers .......................................... 349

Run the SharePoint Products and Technologies Configuration Wizard and create a new farm .................................................................................................................................... 349

Run the SharePoint Products and Technologies Configuration Wizard and join the other servers to the farm ................................................................................................................ 351

Configure services on servers in your farm ........................................................................... 352

Windows SharePoint Services Search ........................................................................... 352

Index server .................................................................................................................... 352

Query server ................................................................................................................... 353

Create Web applications using Kerberos authentication ...................................................... 353

Create the portal site Web application ............................................................................ 353

Create the My Site Web application ................................................................................ 354

Create the Shared Services Administration site Web application .................................. 354

Create a site collection using the Collaboration Portal template in the portal site Web application ............................................................................................................................ 355

Create a Shared Services Provider for your farm ................................................................. 356

Confirm successful access to the Web applications using Kerberos authentication ............ 356

Confirm correct Search Indexing functionality ....................................................................... 359

Confirm correct Search Query functionality ........................................................................... 359

Configure your SSP infrastructure for Kerberos authentication ............................................ 360

Register new custom-format SPNs for your SSP service account in Active Directory ......... 361


Run the Stsadm command-line tool to set the SSP infrastructure to use Kerberos authentication ....................................................................................................................... 362

Add a new registry key to all of your servers running Office SharePoint Server to enable generation of the new custom-format SPNs ........................................................................ 362

Confirm Kerberos authentication for root-level shared services access ............................... 363

Confirm Kerberos authentication for virtual-directory-level shared services access ............. 364

Configuration limitations ........................................................................................................ 366

Additional resources and troubleshooting guidance.............................................................. 366

Run the Best Practices Analyzer tool .................................................................................... 368

Configure usage reporting ..................................................................................................... 369

About usage reporting ........................................................................................................... 369

Enable Windows SharePoint Services usage logging .......................................................... 370

Enable usage reporting ......................................................................................................... 371

Activate usage reporting ........................................................................................................ 371

Monitor usage reporting ......................................................................................................... 372

V. Deploy and configure SharePoint sites ............................................................................. 373

Chapter overview: Deploy and configure SharePoint sites ................................................... 374

Create or extend Web applications ....................................................................................... 376

Create a new Web application............................................................................................... 376

Extend an existing Web application ...................................................................................... 378

Configure alternate access mapping ..................................................................................... 380

Manage alternate access mappings ...................................................................................... 380

Add an internal URL .............................................................................................................. 380

Edit or delete an internal URL ............................................................................................... 381

Edit public URLs .................................................................................................................... 381

Map to an external resource .................................................................................................. 381

Create zones for Web applications ....................................................................................... 383

Create a new zone ................................................................................................................ 383

View existing zones ............................................................................................................... 383

Create quota templates ......................................................................................................... 384

Create a new quota template ................................................................................................ 384

Edit an existing quota template ............................................................................................. 385

Delete a quota template ........................................................................................................ 385

Create a site collection .......................................................................................................... 386

Create a site collection .......................................................................................................... 386

Create a blank site to migrate content into ............................................................................ 388

Create a site collection .......................................................................................................... 388


Add site content ..................................................................................................................... 390

Use Web site designers to design and add content .............................................................. 390

Migrate content from another site .......................................................................................... 391

Allow users to add content directly ........................................................................................ 391

Enable access for end users ................................................................................................. 392

Add site collection administrators .......................................................................................... 393

Add site owners or other users .............................................................................................. 394


Getting Help

Every effort has been made to ensure the accuracy of this book. This content is also available online in the Office System TechNet Library, so if you run into problems you can check for updates at:

http://technet.microsoft.com/office

If you do not find your answer in our online content, you can send an e-mail message to the Microsoft Office System and Servers content team at:

[email protected]

If your question is about Microsoft Office products, and not about the content of this book, please search the Microsoft Help and Support Center or the Microsoft Knowledge Base at:

http://support.microsoft.com


Roadmap to Office SharePoint Server 2007 content

In this section:

Office SharePoint Server 2007 content by audience

Office SharePoint Server 2007 IT professional content by stage of the IT life cycle

Office SharePoint Server 2007 content by audience

Each audience for Microsoft Office SharePoint Server 2007 can go to a specific Web site for content that is tailored for that audience. The following table lists the audiences and provides links to the content for each audience.

Information Workers (content available on Office Online)

Home page - a central portal for Information Worker resources (http://go.microsoft.com/fwlink/?LinkId=89166&clcid=0x409)

Help and How To - an index for Information Worker content (http://go.microsoft.com/fwlink/?LinkId=89167&clcid=0x409)

IT Professionals (content available on TechNet)

TechCenter - a central portal for IT professional resources (http://go.microsoft.com/fwlink/?LinkID=80125&clcid=0x409)

Technical Library - an index for IT professional content (http://go.microsoft.com/fwlink/?LinkId=89168&clcid=0x409)

Newly published content - an article that lists new or updated content in the Technical Library (http://go.microsoft.com/fwlink/?LinkId=89171&clcid=0x409)

Downloadable books - an article that lists the books available for download (http://go.microsoft.com/fwlink/?LinkId=89172&clcid=0x409)

Developers (content available on MSDN)

Developer Portal - a central portal for developer resources (http://go.microsoft.com/fwlink/?LinkID=88846&clcid=0x409)

MSDN Library - an index for developer content (http://go.microsoft.com/fwlink/?LinkID=88847&clcid=0x409)


Additionally, there is information for all users of SharePoint Products and Technologies at the community and blog sites listed in the following table.

Community content and blogs

SharePoint Products and Technologies community portal — a central place for community information (blogs, newsgroups, and so on) about SharePoint Products and Technologies (http://go.microsoft.com/fwlink/?LinkId=88915&clcid=0x409)

SharePoint Products and Technologies team blog — a group blog from the teams who develop the SharePoint Products and Technologies (http://go.microsoft.com/fwlink/?LinkId=88916&clcid=0x409)

Support Center for Microsoft Office SharePoint Server 2007 — a central place for issues and solutions from Microsoft Help and Support (http://go.microsoft.com/fwlink/?LinkId=89555&clcid=0x409)

Office SharePoint Server 2007 IT professional content by stage of the IT life cycle

IT Professional content for Office SharePoint Server 2007 follows the IT life cycle and includes content appropriate for each stage in that cycle — evaluate, plan, deploy, and operate — plus technical reference content. The following sections describe each stage in the IT life cycle and list the content available to assist IT professionals during that stage. The most up-to-date content is always available on the TechNet Web site.

We also offer downloadable books that cover each stage in the IT life cycle, plus books that cover all stages of the life cycle for a specific solution. For an updated list of all downloadable books available for Office SharePoint Server 2007, see Downloadable books for Office SharePoint Server 2007 (http://go.microsoft.com/fwlink/?LinkID=89172&clcid=0x409).


Evaluate

During the evaluation stage, IT professionals (including decision makers, solution architects, and system architects) focus on understanding a new technology and evaluate how it can help them address their business needs. The following table lists resources that are available to help you evaluate Office SharePoint Server 2007.

Content: Online content
Description: Includes the most up-to-date content. The Technical Library on TechNet is continually refreshed with new and updated content.
Links: Product evaluation for Office SharePoint Server 2007 (http://go.microsoft.com/fwlink/?LinkId=89180&clcid=0x409)

Content: Evaluation Guide
Description: Provides overview, what's new, and conceptual information for understanding Office SharePoint Server 2007.
Links: Evaluation guide for Office SharePoint Server 2007 (http://go.microsoft.com/fwlink/?LinkId=83060&clcid=0x409)

Content: Evaluation Guide for Search
Description: Provides overview, what's new, and conceptual information for understanding how searching works in Office SharePoint Server 2007.
Links: Evaluation guide for search in Office SharePoint Server 2007 (http://go.microsoft.com/fwlink/?LinkID=79614&clcid=0x409)

Plan

During the planning stage, IT professionals have different needs depending on their role within an organization. If you are focused on designing a solution, including determining the structure, capabilities, and information architecture for a site, you might want information that helps you to determine which capabilities of Office SharePoint Server 2007 you want to take advantage of, and that helps you to plan for those capabilities and to tailor the solution to your organization's needs. On the other hand, if you are focused on the hardware and network environment for your solution, you might want information that helps you to structure the server topology, plan authentication methods, and understand system requirements for Office SharePoint Server 2007. We have planning content, including worksheets, to address both of these needs.

The following table lists resources that are available to help you plan for using Office SharePoint Server 2007.

Content | Description | Links
Online content | Includes the most up-to-date content. The Technical Library on TechNet is continually refreshed with new and updated content. | Planning and architecture for Office SharePoint Server 2007 (http://go.microsoft.com/fwlink/?LinkId=89404&clcid=0x409)
Planning Guide, Part 1 | Provides in-depth planning information for application administrators designing a solution based on Office SharePoint Server 2007. | Planning and architecture for Office SharePoint Server, part 1 (http://go.microsoft.com/fwlink/?LinkID=79552)
Planning Guide, Part 2 | Provides in-depth planning information for IT professionals designing the environment to host a solution based on Office SharePoint Server 2007. | Planning and architecture for Office SharePoint Server, part 2 (http://go.microsoft.com/fwlink/?LinkID=85548)

Deploy

During the deployment stage, you configure your environment, install Office SharePoint Server

2007, and then start creating SharePoint sites. Depending on your environment and your

solution, you may have several configuration steps to perform for your servers, for your Shared

Services Providers, and for your sites. Additionally, you may have templates, features, or other

custom elements to deploy into your environment.

The process of upgrading from a previous version product, such as Microsoft Office SharePoint

Portal Server 2003, Microsoft Content Management Server 2002, or Windows SharePoint

Services, is also part of the deployment stage of the IT life cycle, and we have content that

addresses planning for upgrade, performing the upgrade, and performing post-upgrade steps.

The following table lists resources that are available to help you deploy or upgrade to Office

SharePoint Server 2007.

Content | Description | Links
Online content | Includes the most up-to-date content. The Technical Library on TechNet is continually refreshed with new and updated content. | Deployment for Office SharePoint Server 2007 (http://go.microsoft.com/fwlink/?LinkID=76139&clcid=0x409)
Deployment Guide | Provides in-depth deployment information for Office SharePoint Server 2007. | Deployment for Office SharePoint Server 2007 (http://go.microsoft.com/fwlink/?LinkID=79589)
Upgrade Guide | Provides overview and in-depth information for upgrading from a previous version product to Office SharePoint Server 2007. | Upgrading to Office SharePoint Server 2007 (http://go.microsoft.com/fwlink/?LinkId=85556)
Migration and Upgrade for SharePoint Developers | Provides cross-audience (IT and developer) information for migration and upgrade from a previous version product to Office SharePoint Server 2007. | Migration and Upgrade Information for SharePoint Developers (http://go.microsoft.com/fwlink/?LinkId=89129&clcid=0x409)

Operate

After deployment, in which you install and configure your environment, you move to the

operations stage. During this stage, you are focused on the day-to-day monitoring, maintenance

and tuning of your environment.

The following table lists resources that are available to help with day-to-day operations for Office

SharePoint Server 2007.

Content | Description | Links
Online content | Includes the most up-to-date content. The Technical Library on TechNet is continually refreshed with new and updated content. | Operations for Office SharePoint Server 2007 (http://go.microsoft.com/fwlink/?LinkId=89407&clcid=0x409)

Security and Protection

Because security and protection are concerns during all phases of the IT life cycle, appropriate

content for security and protection is included in the content for each life cycle stage. However,

an aggregate view of this content is provided in a Security and Protection section of the

documentation. The following table lists resources that are available to help you understand

security and protection for Office SharePoint Server 2007.

Content | Description | Links
Online content | Includes the most up-to-date content. The Technical Library on TechNet is continually refreshed with new and updated content. | Security and protection for Office SharePoint Server 2007 (http://go.microsoft.com/fwlink/?LinkId=89408&clcid=0x409)

Technical Reference

Technical reference information supports the content for each of the IT life cycle stages by

providing the technical information you need to work with Office SharePoint Server 2007. For

example, the Technical Reference content has information about how permissions work, how to

perform operations from the command line, and how to use Setup.exe from the command line.

The following table lists resources that are available to help you use Office SharePoint Server

2007.

Content | Description | Links
Online content | Includes the most up-to-date content. The Technical Library on TechNet is continually refreshed with new and updated content. | Technical Reference for Office SharePoint Server 2007 (http://go.microsoft.com/fwlink/?LinkId=89445&clcid=0x409)

Deployment worksheets for Office SharePoint Server 2007

In this section:

Deployment worksheets by task

Deployment worksheets by title

This section provides links to worksheets that you can use to record information that you gather

and decisions that you make as you perform your deployment of Microsoft Office SharePoint

Server 2007. Use these worksheets in conjunction with — not as a substitute for — Deployment

for Office SharePoint Server 2007.

Deployment worksheets by task

For this task | Use this worksheet | To do this
Chapter overview: Create and configure Shared Services Providers; Deploy and configure SharePoint sites; Upgrading to Office SharePoint Server 2007 | Custom templates and mapping files worksheet (http://go.microsoft.com/fwlink/?LinkId=73751&clcid=0x409) | Record which custom site definitions and page templates need mapping files, and record file names and paths for mapping files.
Upgrading to Office SharePoint Server 2007 | Estimate database space and time for upgrade worksheet (http://go.microsoft.com/fwlink/?LinkId=73752&clcid=0x409) | Record current database sizes and estimate how much space you need for upgrade.
Upgrading to Office SharePoint Server 2007 | Supported topologies for upgrade worksheet (http://go.microsoft.com/fwlink/?LinkId=73753&clcid=0x409) | Record current topologies and any changes needed before upgrade.
Upgrading to Office SharePoint Server 2007 | Upgrade server requirements worksheet (http://go.microsoft.com/fwlink/?LinkId=73754&clcid=0x409) | List servers in the farm, hardware capacities, and identify requirements before upgrading.

Deployment worksheets by title

Use this worksheet | For this task | To do this
Custom templates and mapping files worksheet (http://go.microsoft.com/fwlink/?LinkId=73751&clcid=0x409) | Upgrading to Office SharePoint Server 2007 | Record which custom site definitions and page templates need mapping files, and record file names and paths for mapping files.
Estimate database space and time for upgrade worksheet (http://go.microsoft.com/fwlink/?LinkId=73752&clcid=0x409) | Upgrading to Office SharePoint Server 2007 | Record current database sizes and estimate how much space you need for upgrade.
Supported topologies for upgrade worksheet (http://go.microsoft.com/fwlink/?LinkId=73753&clcid=0x409) | Upgrading to Office SharePoint Server 2007 | Record current topologies and any changes needed before upgrade.
Upgrade server requirements worksheet (http://go.microsoft.com/fwlink/?LinkId=73754&clcid=0x409) | Upgrading to Office SharePoint Server 2007 | List servers in the farm, hardware capacities, and identify requirements before upgrading.


I. End-to-end deployment scenarios



Chapter overview: End-to-end deployment scenarios

This chapter provides information and directions for deploying Microsoft Office SharePoint Server 2007 as an end-to-end solution, whether on a single computer or on a simple server farm. This chapter does not discuss more complex deployments. If you are deploying Office SharePoint Server 2007 in a larger server farm, start with Deploy in a simple server farm, which describes the farm procedure, and plan the topology by using Planning and architecture for Office SharePoint Server 2007 (http://technet.microsoft.com/en-us/library/cc261834.aspx).

The articles in this chapter include:

- Install Office SharePoint Server 2007 on a stand-alone computer discusses how to install Office SharePoint Server 2007 on a single-server computer running the Windows Server 2003 operating system. A stand-alone configuration is useful if you want to evaluate Office SharePoint Server 2007 features and capabilities, such as collaboration, document management, and search. A stand-alone configuration is also useful if you are deploying a small number of Web sites and you want to minimize administrative overhead.
- Perform a stand-alone installation of Office SharePoint Server 2007 on Windows Server 2008 discusses how to install Office SharePoint Server 2007 on a single-server computer running the Windows Server 2008 operating system. The same evaluation and small-deployment considerations apply as for Windows Server 2003.
- Deploy in a simple server farm discusses how to do a clean installation of Office SharePoint Server 2007 in a server farm environment on the Windows Server 2003 operating system. You can deploy in a server farm environment if you are hosting a large number of sites, if you want the best possible performance, or if you want the scalability of a multi-tier topology. A server farm consists of one or more servers dedicated to running the Office SharePoint Server 2007 applications.
- Deploy a simple farm on the Windows Server 2008 operating system discusses how to do a clean installation of Office SharePoint Server 2007 in a server farm environment on the Windows Server 2008 operating system. The same reasons for choosing a server farm apply as for Windows Server 2003.
- Deploy using DBA-created databases discusses how to deploy Office SharePoint Server 2007 in an environment in which database administrators (DBAs) create and manage databases. This section discusses how DBAs can create these databases and how farm administrators configure them. The deployment includes all the required databases, one portal site, a Shared Services Administration Web site, My Sites, and one Shared Services Provider (SSP).
- Install Office SharePoint Server 2007 by using the command line discusses how to use the command-line tools Setup.exe and Psconfig.exe, together with a Config.xml file, to install and configure Office SharePoint Server 2007 from the command prompt window.
- Install Office SharePoint Server 2007 with least privilege administration by using the command line discusses how to install Office SharePoint Server 2007 from the command prompt window while granting the user the least privileges necessary.
- Migrate a stand-alone installation to a server farm installation discusses the process for moving from a stand-alone installation to a server farm installation. This process consists of creating a new server farm, and then migrating the data from your stand-alone server to the new farm.

Install Office SharePoint Server 2007 on a stand-alone computer

In this section:

Hardware and software requirements

Configure the server as a Web server

Install and configure Office SharePoint Server 2007 with Microsoft SQL Server 2005

Express Edition

Post-installation steps

Important:

This section discusses how to install Microsoft Office SharePoint Server 2007 on a

single computer as a stand-alone installation. It does not cover installing Office

SharePoint Server 2007 in a farm environment, upgrading from previous releases of

Office SharePoint Server 2007, or how to upgrade from SharePoint Portal Server 2003.

For information about how to do this, see the following:

Deploy in a simple server farm

Upgrading to Office SharePoint Server 2007 (http://technet.microsoft.com/en-

us/library/cc303420.aspx)

You can quickly publish a SharePoint site by deploying Office SharePoint Server 2007 on a single

server computer. A stand-alone configuration is useful if you want to evaluate Office SharePoint

Server 2007 features and capabilities, such as collaboration, document management, and

search. A stand-alone configuration is also useful if you are deploying a small number of Web

sites and you want to minimize administrative overhead. When you deploy Office SharePoint

Server 2007 on a single server using the default settings, the Setup program automatically

installs Microsoft SQL Server 2005 Express Edition and uses it to create the configuration

database and content database for your SharePoint sites. In addition, the Setup program creates

a Shared Services Provider (SSP), installs the SharePoint Central Administration Web site and

creates your first SharePoint site collection and site.

Note:

There is no direct upgrade from a stand-alone installation to a farm installation.

Hardware and software requirements

Before you install and configure Office SharePoint Server 2007, be sure that your servers have the required hardware and software. For more information about these requirements, see Determine hardware and software requirements (http://technet.microsoft.com/en-us/library/cc262485.aspx).

Configure the server as a Web server

Before you install and configure Office SharePoint Server 2007, you must install and configure the required software. This includes installing and configuring Internet Information Services (IIS) so your computer acts as a Web server, installing the Microsoft .NET Framework version 3.0, and enabling ASP.NET 2.0.

Install and configure IIS

Internet Information Services (IIS) is not installed or enabled by default in the Microsoft Windows

Server 2003 operating system. To make your server a Web server, you must install and enable

IIS, and you must ensure that IIS is running in IIS 6.0 worker process isolation mode.

Install and configure IIS

1. Click Start, point to All Programs, point to Administrative Tools, and then click

Configure Your Server Wizard.

2. On the Welcome to the Configure Your Server Wizard page, click Next.

3. On the Preliminary Steps page, click Next.

4. On the Server Role page, click Application server (IIS, ASP.NET), and then click Next.

5. On the Application Server Options page, click Next.

6. On the Summary of Selections page, click Next.

7. Click Finish.

8. Click Start, point to All Programs, point to Administrative Tools, and then click

Internet Information Services (IIS) Manager.

9. In the IIS Manager tree, click the plus sign (+) next to the server name, right-click the

Web Sites folder, and then click Properties.

10. In the Web Sites Properties dialog box, click the Service tab.

11. In the Isolation mode section, clear the Run WWW service in IIS 5.0 isolation mode

check box, and then click OK.

Note:
The Run WWW service in IIS 5.0 isolation mode check box is selected only if you have upgraded to IIS 6.0 on Windows Server 2003 from IIS 5.0 on Microsoft Windows 2000. New installations of IIS 6.0 use IIS 6.0 worker process isolation mode by default.

Install the Microsoft .NET Framework version 3.0

Go to the Microsoft Download Center Web site (http://go.microsoft.com/fwlink/?LinkID=72322&clcid=0x409), and on the Microsoft .NET Framework 3.0 Redistributable Package page, follow the instructions for downloading and installing the .NET Framework version 3.0. There are separate downloads for x86-based computers and x64-based computers. Be sure to download and install the appropriate version for your computer. The .NET Framework version 3.0 download contains the Windows Workflow Foundation technology, which is required by workflow features.

Note:
You can also use the Microsoft .NET Framework version 3.5. You can download the .NET Framework version 3.5 from the Microsoft Web site (http://go.microsoft.com/fwlink/?LinkId=110508).

Enable ASP.NET 2.0

ASP.NET 2.0 is required for proper functioning of Web content, the Central Administration Web

Site, and many other features and functions of Office SharePoint Server 2007.

Enable ASP.NET 2.0

1. Click Start, point to All Programs, point to Administrative Tools, and then click

Internet Information Services (IIS) Manager.

2. In the Internet Information Services tree, click the plus sign (+) next to the server name,

and then click the Web Service Extensions folder.

3. In the details pane, right-click ASP.NET v2.0.50727, and then click Allow.
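The three prerequisites in this section (worker process isolation mode, the .NET Framework 3.0, and the ASP.NET 2.0 Web service extension set to Allow) can also be verified and applied from a script, which is useful when you build more than one server. The following Windows PowerShell script is an added example and is not part of the original guide. It assumes Windows PowerShell 2.0 on Windows Server 2003 with IIS 6.0, the IIS ADSI provider and %windir%\system32\iisext.vbs that ship with IIS 6.0, and a session running as a local administrator; the function names are the example's own, and the registry values it reads for the .NET Framework are the ones the 3.0 and 3.5 installers write.

```powershell
# Added example, not from the original guide: check and apply the Web server
# prerequisites for Office SharePoint Server 2007 on Windows Server 2003 / IIS 6.0.
# Assumptions: Windows PowerShell 2.0, IIS 6.0 ADSI provider, iisext.vbs present,
# local administrator session.

$aspnetDir    = Join-Path $env:windir "Microsoft.NET\Framework\v2.0.50727"
$aspnetIsapi  = Join-Path $aspnetDir "aspnet_isapi.dll"
$aspnetRegIis = Join-Path $aspnetDir "aspnet_regiis.exe"
$iisext       = Join-Path $env:windir "system32\iisext.vbs"

function Test-Iis6Installed {
    # The World Wide Web Publishing Service exists only after IIS is installed.
    return [bool](Get-Service -Name W3SVC -ErrorAction SilentlyContinue)
}

function Set-WorkerProcessIsolationMode {
    # IIs5IsolationModeEnabled is the metabase property behind the
    # "Run WWW service in IIS 5.0 isolation mode" check box (true = IIS 5.0 mode).
    $w3svc = [ADSI]"IIS://localhost/W3SVC"
    if ($w3svc.IIs5IsolationModeEnabled -eq $true) {
        $w3svc.IIs5IsolationModeEnabled = $false
        $w3svc.SetInfo()
        Restart-Service -Name W3SVC -Force      # the mode change takes effect on restart
        return "switched to worker process isolation mode"
    }
    return "already in worker process isolation mode"
}

function Test-DotNet30Installed {
    # Registry values written by the .NET 3.0 (InstallSuccess) and 3.5 (Install)
    # installers; 3.5 is accepted because the note above allows it.
    $v30 = Get-ItemProperty "HKLM:\SOFTWARE\Microsoft\NET Framework Setup\NDP\v3.0\Setup" -ErrorAction SilentlyContinue
    $v35 = Get-ItemProperty "HKLM:\SOFTWARE\Microsoft\NET Framework Setup\NDP\v3.5" -ErrorAction SilentlyContinue
    return (($v30 -ne $null -and $v30.InstallSuccess -eq 1) -or ($v35 -ne $null -and $v35.Install -eq 1))
}

function Enable-AspNet20 {
    # Register ASP.NET 2.0 with IIS (-iru: install, leave existing script maps alone),
    # then allow the Web service extension, which is Prohibited by default on
    # Windows Server 2003. This is the command-line form of "Allow" in IIS Manager.
    & $aspnetRegIis -iru | Out-Null
    & cscript.exe //nologo $iisext /EnFile $aspnetIsapi | Out-Null

    # Verify against the metabase: WebSvcExtRestrictionList entries have the form
    # "Permission,Path,Deletable,GroupID,Description"; Permission 1 means Allowed.
    $w3svc = [ADSI]"IIS://localhost/W3SVC"
    foreach ($entry in @($w3svc.WebSvcExtRestrictionList)) {
        $fields = "$entry".Split(',')
        if ($fields.Length -ge 2 -and $fields[1] -eq $aspnetIsapi) { return ($fields[0] -eq "1") }
    }
    return $false
}

if (-not (Test-Iis6Installed)) {
    throw "IIS is not installed. Run the Configure Your Server Wizard (Application server role) first."
}
Write-Host ("IIS isolation mode: " + (Set-WorkerProcessIsolationMode))
if (-not (Test-DotNet30Installed)) {
    Write-Warning ".NET Framework 3.0 (or 3.5) is not installed; workflow features require it."
}
if (Enable-AspNet20) {
    Write-Host "ASP.NET v2.0.50727 is Allowed."
} else {
    Write-Warning "ASP.NET v2.0.50727 is still Prohibited; check the iisext.vbs output."
}
```

Run it once per server after the Configure Your Server Wizard; the isolation-mode change restarts the WWW service, so do it before any sites are in use. The verification step reads the metabase rather than trusting the exit code of iisext.vbs, because the extension list is what IIS actually consults when it decides whether to load aspnet_isapi.dll.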

Install and configure Office SharePoint Server 2007 with Microsoft SQL Server 2005 Express Edition

When you install Office SharePoint Server 2007 on a single server, run the Setup program using the Basic option. This option uses the Setup program's default parameters to install Office SharePoint Server 2007 and SQL Server 2005 Express Edition.

Note:
If you uninstall Office SharePoint Server 2007 and then later install Office SharePoint Server 2007 on the same computer, the Setup program could fail when creating the configuration database, causing the entire installation process to fail. You can prevent this failure either by deleting all the existing Office SharePoint Server 2007 databases on the computer or by creating a new configuration database under a name that has not been used before. You can create a new configuration database by running the following command:

psconfig -cmd configdb -create -database <uniquename>
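As an added example that is not part of the original guide, the script below applies the workaround in the note from a Windows PowerShell prompt: it generates a configuration database name that has not been used before, creates the database with psconfig.exe, and then runs the remaining commands that the SharePoint Products and Technologies Configuration Wizard would otherwise perform. The stand-alone path uses the note's command as written. The -Farm switch, the server name SQL01 and the account CONTOSO\spfarm are placeholders for a farm that uses a separate SQL Server; the Central Administration port 8080 is an arbitrary choice. The helper name Invoke-PsConfig is the example's own.

```powershell
# Added example, not from the original guide. Recreates the configuration database
# under a unique name and finishes the Configuration Wizard's steps with psconfig.exe.
# Placeholders: SQL01 (database server), CONTOSO\spfarm (farm account), port 8080.
# Run from an elevated Windows PowerShell prompt on the SharePoint server after Setup.
param(
    [switch]$Farm,                            # use a separate SQL Server instead of local SQL Express
    [string]$SqlServer   = "SQL01",           # placeholder
    [string]$FarmAccount = "CONTOSO\spfarm"   # placeholder
)

$psconfig = Join-Path $env:CommonProgramFiles "Microsoft Shared\web server extensions\12\BIN\psconfig.exe"
if (-not (Test-Path $psconfig)) { throw "psconfig.exe not found; run Setup for Office SharePoint Server 2007 first." }

$stamp    = Get-Date -Format "yyyyMMddHHmm"
$configDb = "SharePoint_Config_$stamp"          # a name no earlier install used
$adminDb  = "SharePoint_AdminContent_$stamp"

function Invoke-PsConfig([string[]]$Arguments) {
    # Stop at the first failing step instead of running later steps against a half-built farm.
    & $psconfig $Arguments
    if ($LASTEXITCODE -ne 0) { throw "psconfig $($Arguments[1]) failed with exit code $LASTEXITCODE" }
}

if ($Farm) {
    # psconfig takes the farm account password as a plain command-line argument.
    # Prompting for it keeps it out of the script file and out of console history;
    # it is still visible to anyone who can read psconfig's command line while it runs.
    $cred  = Get-Credential -Credential $FarmAccount
    $plain = $cred.GetNetworkCredential().Password
    Invoke-PsConfig @("-cmd", "configdb", "-create", "-server", $SqlServer, "-database", $configDb,
                      "-user", $cred.UserName, "-password", $plain, "-admincontentdatabase", $adminDb)
    Remove-Variable plain
} else {
    # Stand-alone (Basic) install: the command from the note above, with a unique name.
    Invoke-PsConfig @("-cmd", "configdb", "-create", "-database", $configDb)
}

# The remaining wizard steps, in the order the wizard runs them.
Invoke-PsConfig @("-cmd", "helpcollections", "-installall")
Invoke-PsConfig @("-cmd", "secureresources")
Invoke-PsConfig @("-cmd", "services", "-install")
Invoke-PsConfig @("-cmd", "installfeatures")
Invoke-PsConfig @("-cmd", "adminvs", "-provision", "-port", "8080", "-windowsauthprovider", "onlyusentlm")
Invoke-PsConfig @("-cmd", "applicationcontent", "-install")

Write-Host "Configuration database $configDb created; Central Administration is provisioned on port 8080."
```

Each psconfig command is checked for a non-zero exit code because a failed configdb step otherwise leaves later steps to fail in less obvious ways. Use -windowsauthprovider enablekerberos instead of onlyusentlm only after the service principal names for the farm account have been registered.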

Run Setup

1. From the product disc, run Setup.exe, or from the product download, run

Officeserver.exe.

2. On the Enter your Product Key page, enter your product key, and then click Continue.


Note:

Setup automatically verifies the product key, places a green check mark next to

the text box, and enables the Continue button after it validates the key. If the key

is not valid, Setup places a red circle next to the text box and displays a message

that the key is incorrect.

3. On the Read the Microsoft Software License Terms page, review the terms, select the

I accept the terms of this agreement check box, and then click Continue.

4. On the Choose the installation you want page, click Basic to install to the default

location. To install to a different location, click Advanced, and then on the File Location

tab, specify the location you want to install to and finish the installation.

5. When Setup finishes, a dialog box prompts you to complete the configuration of your

server. Be sure that the Run the SharePoint Products and Technologies

Configuration Wizard now check box is selected.

6. Click Close to start the configuration wizard.

Run the SharePoint Products and Technologies Configuration Wizard

1. On the Welcome to SharePoint Products and Technologies page, click Next.

2. In the dialog box that notifies you that some services might need to be restarted or reset

during configuration, click Yes.

3. On the Configuration Successful page, click Finish. Your new SharePoint site opens.

Note:

If you are prompted for your user name and password, you might need to add the

SharePoint site to the list of trusted sites and configure user authentication

settings in Internet Explorer. Instructions for configuring these settings are

provided in the following procedure.

Note:

If you see a proxy server error message, you might need to configure your proxy

server settings so that local addresses bypass the proxy server. Instructions for

configuring proxy server settings are provided later in this section.

Add the SharePoint site to the list of trusted sites

1. In Internet Explorer, on the Tools menu, click Internet Options.
2. On the Security tab, in the Select a Web content zone to specify its security settings box, click Trusted Sites, and then click Sites.
3. Clear the Require server verification (https:) for all sites in this zone check box. This is necessary only because the new site is served over HTTP; once cleared, any site you add to the zone receives the zone's less restrictive settings without a certificate, so add only your SharePoint URLs here.
4. In the Add this Web site to the zone box, type the URL to your site, and then click Add.
5. Click Close to close the Trusted Sites dialog box.
6. Click OK to close the Internet Options dialog box.

If you are using a proxy server in your organization, use the following steps to configure Internet

Explorer to bypass the proxy server for local addresses.

Configure proxy server settings to bypass the proxy server for local addresses

1. In Internet Explorer, on the Tools menu, click Internet Options.

2. On the Connections tab, in the Local Area Network (LAN) settings area, click LAN

Settings.

3. In the Automatic configuration section, clear the Automatically detect settings check

box.

4. In the Proxy Server section, select the Use a proxy server for your LAN check box.

5. Type the address of the proxy server in the Address box.

6. Type the port number of the proxy server in the Port box.

7. Select the Bypass proxy server for local addresses check box.

8. Click OK to close the Local Area Network (LAN) Settings dialog box.

9. Click OK to close the Internet Options dialog box.

Post-installation steps

After Setup finishes, your browser window opens to the home page of your new SharePoint site. Although you can start adding content to the site or you can start customizing the site, we recommend that you perform the following administrative tasks by using the SharePoint Central Administration Web site.

- Configure incoming e-mail settings. You can configure incoming e-mail settings so that SharePoint sites accept and archive incoming e-mail. You can also configure incoming e-mail settings so that SharePoint sites can archive e-mail discussions as they happen, save e-mailed documents, and show e-mailed meetings on site calendars. In addition, you can configure the SharePoint Directory Management Service to provide support for e-mail distribution list creation and management. For more information, see Configure incoming e-mail settings.
- Configure outgoing e-mail settings. You can configure outgoing e-mail settings so that your Simple Mail Transfer Protocol (SMTP) server sends e-mail alerts to site users and notifications to site administrators. You can configure both the "From" e-mail address and the "Reply" e-mail address that appear in outgoing alerts. For more information, see Configure outgoing e-mail settings.
- Create SharePoint sites. When Setup finishes, you have a single Web application that contains a single SharePoint site collection that hosts a SharePoint site. You can create more SharePoint site collections, sites, and Web applications if your site design requires multiple sites or multiple Web applications.
- Configure workflow settings. Specify whether users can assemble new workflows and whether participants without site access should be sent documents as e-mail attachments so they can participate in document workflows. For more information, see Configure workflow settings.
- Configure diagnostic logging settings. You can configure several diagnostic logging settings to help with troubleshooting. This includes enabling and configuring trace logs, event messages, user-mode error messages, and Customer Experience Improvement Program events. For more information, see Configure diagnostic logging settings.
- Configure antivirus protection settings. You can configure several antivirus settings if you have an antivirus program that is designed for Office SharePoint Server 2007. Antivirus settings enable you to control whether documents are scanned on upload or download and whether users can download infected documents. You can also specify how long you want the antivirus program to run before it times out, and you can specify how many execution threads the antivirus program can use on the server. For more information, see Configure antivirus settings.
- Configure search. You can configure several search and index settings to customize how Office SharePoint Server 2007 crawls your site content or external content. For more information, see Configure the Office SharePoint Server Search service (http://technet.microsoft.com/en-us/library/cc262700.aspx).
- Configure Excel Services. Before you can use Excel Services, you must start the service and add at least one trusted location. For more information about doing this, see C. Configure Excel Services.

Perform administrator tasks by using the Central Administration site

1. Click Start, point to All Programs, point to Microsoft Office Server, and then click

SharePoint 3.0 Central Administration.

2. On the Central Administration home page, under Administrator Tasks, click the task

you want to perform.

3. On the Administrator Tasks page, next to Action, click the task.


Deploy in a simple server farm

In this section:

Deployment overview

Deploy and configure the server infrastructure

Create and configure a Shared Services Provider

Perform additional configuration tasks

Create a site collection and a SharePoint site

Configure the trace log

Deployment overview

Important:

This section discusses how to do a clean installation of Microsoft Office SharePoint

Server 2007 in a server farm environment. It does not cover upgrading from previous

releases of Office SharePoint Server 2007 or how to upgrade from Microsoft SharePoint

Portal Server 2003. For more information about upgrading from Microsoft Office

SharePoint Portal Server 2003, see Upgrading to Office SharePoint Server 2007

(http://technet.microsoft.com/en-us/library/cc303420.aspx).

Note:

This section does not cover installing Office SharePoint Server 2007 on a single

computer as a stand-alone installation. For more information, see Install Office

SharePoint Server 2007 on a stand-alone computer.

You can deploy Office SharePoint Server 2007 in a server farm environment if you are hosting a large number of sites, if you want the best possible performance, or if you want the scalability of a multi-tier topology. A server farm consists of one or more servers dedicated to running the Office SharePoint Server 2007 application.

Note:

There is no direct upgrade from a stand-alone installation to a farm installation.

Because a server farm deployment of Office SharePoint Server 2007 is more complex than a

stand-alone deployment, we recommend that you plan your deployment. Planning your

deployment can help you to gather the information you need and to make important decisions

before beginning to deploy. For information about planning, see Planning and architecture for

Office SharePoint Server 2007 (http://technet.microsoft.com/en-us/library/cc261834.aspx).

Deploying Office SharePoint Server 2007 in a DBA environment

In many IT environments, database creation and management are handled by the database administrator (DBA). Security and other policies might require that the DBA create the databases required by Office SharePoint Server 2007. This topic provides details about how the DBA can create these databases before beginning the Office SharePoint Server 2007 installation or creation of a Shared Services Provider (SSP). For more information about deploying using DBA-created databases, including detailed procedures, see Deploy using DBA-created databases.

Suggested topologies

Server farm environments can encompass a wide range of topologies and can include many

servers or as few as two servers.

A small server farm typically consists of a database server running either Microsoft SQL Server

2005 or Microsoft SQL Server 2000 with the most recent service pack, and one or more servers

running Internet Information Services (IIS) and Office SharePoint Server 2007. In this

configuration, the front-end servers are configured as Web servers and application servers. The

Web server role provides Web content to clients. The application server role provides Office

SharePoint Server 2007 services such as servicing search queries, and crawling and indexing

content.

A medium server farm typically consists of a database server, an application server running

Office SharePoint Server 2007, and one or two front-end Web servers running Office SharePoint

Server 2007 and IIS. In this configuration, the application server provides indexing services and

Excel Calculation Services, and the front-end Web servers service search queries and provide

Web content.

A large server farm typically consists of two or more clustered database servers, several load-

balanced front-end Web servers running Office SharePoint Server 2007, and two or more

application servers running Office SharePoint Server 2007. In this configuration, each of the

application servers provides specific Office SharePoint Server 2007 services such as indexing or

Excel Calculation Services, and the front-end servers provide Web content.

Note:

All of the Web servers in your server farm must have the same SharePoint Products and

Technologies installed. For example, if all of the servers in your server farm are running

Office SharePoint Server 2007, you cannot add to your farm a server that is running only

Microsoft Office Project Server 2007. To run Office Project Server 2007 and Office

SharePoint Server 2007 on your server farm, you must install Office Project Server 2007

and Office SharePoint Server 2007 on each of your Web servers. To enhance the

security of your farm and reduce the surface area that is exposed to a potential attack,

you can turn off services on particular servers after you install SharePoint Products and

Technologies.

Before you begin deployment

This section provides information about actions that you must perform before you begin deployment.

Important:
The account that you select for installing Office SharePoint Server 2007 needs to be a member of the Administrators group on every server on which you install Office SharePoint Server 2007. You can, however, remove this account from the Administrators group on the servers after installation.

For information about assigning users to be SSP administrators, see "Shared Services Providers" in Plan for administrative and service accounts (http://technet.microsoft.com/en-us/library/cc263445.aspx).

- To deploy Office SharePoint Server 2007 in a server farm environment, you must provide credentials for several different accounts. For information about these accounts, see "Shared Service Providers" in the Planning and architecture for Office SharePoint Server 2007 (http://technet.microsoft.com/en-us/library/cc261834.aspx) guide.
- You must install Office SharePoint Server 2007 on the same drive on all load-balanced front-end Web servers.
- You must install Office SharePoint Server 2007 on a clean installation of the Microsoft Windows Server 2003 operating system with the most recent service pack. If you uninstall a previous version of Office SharePoint Server 2007, and then install Office SharePoint Server 2007, Setup might fail to create the configuration database and the installation will fail.

  Note:
  We recommend that you read the Known Issues/Readme documentation before you install Office SharePoint Server 2007 on a domain controller. Installing Office SharePoint Server 2007 on a domain controller requires additional configuration steps that are not discussed in this document.

- You must install the same language packs on all servers in the farm. For more information about installing language packs, see Deploy language packs.
- All the instances of Office SharePoint Server 2007 in the farm must be in the same language. For example, you cannot have both an English version of Office SharePoint Server 2007 and a Japanese version of Office SharePoint Server 2007 in the same farm.
- You must use the Complete installation option on all computers you want to be index servers, query servers, or servers that run Excel Calculation Services.
- If you place a query server beyond a firewall from its index server, you must open the NetBIOS ports (TCP/User Datagram Protocol (UDP) ports 137, 138, and 139) on all firewalls that separate these servers. If your environment does not use NetBIOS, you must use direct-hosted server message block (SMB). This requires that you open the TCP/UDP 445 port.
- If you want to have more than one index server in a farm, you must use a different Shared Services Provider (SSP) for each index server.

Overview of the deployment process

The deployment process consists of three phases: deploying and configuring the server infrastructure, creating and configuring one or more Shared Services Providers (SSPs), and deploying and configuring SharePoint sites.

Phase 1: Deploy and configure the server infrastructure

Deploying and configuring the server infrastructure consists of the following steps:
Preparing the database server.
Verifying that the servers meet hardware and software requirements.
Running Setup on each server you want to be in the farm, including running the SharePoint Products and Technologies Configuration Wizard.
If you want to search over the Help content for Office SharePoint Server 2007, starting the Windows SharePoint Services Search service.

Phase 2: Create and configure a Shared Services Provider

Creating and configuring a Shared Services Provider consists of the following steps:
Creating a Web application to host the SSP.
Creating the SSP.
Configuring the Web application and the SSP.
Configuring services on servers.

Phase 3: Create site collections and SharePoint sites

Creating SharePoint site collections and SharePoint sites consists of the following steps:
Creating a Web application to host the site collections and SharePoint sites.
Creating site collections.
Creating SharePoint sites.

Deploy and configure the server infrastructure

Security account requirements

To deploy Office SharePoint Server 2007 in a server farm environment, you must provide credentials for several different accounts. For information about these accounts, see Plan for administrative and service accounts (http://technet.microsoft.com/en-us/library/cc263445.aspx) in the Planning and architecture for Office SharePoint Server 2007 guide.

Prepare the database server

The database server must be running Microsoft SQL Server 2005 or Microsoft SQL Server 2000 with the most recent service pack.

The Office SharePoint Server 2007 Setup program automatically creates the necessary databases when you install and configure Office SharePoint Server 2007. Optionally, you can preinstall the required databases if your IT environment or policies require this.

For more information about prerequisites, see Determine hardware and software requirements (http://technet.microsoft.com/en-us/library/cc262485.aspx).

If you are using SQL Server 2005, you must also change the surface area settings.

Configure surface area settings in SQL Server 2005
1. Click Start, point to All Programs, point to Microsoft SQL Server 2005, point to Configuration Tools, and then click SQL Server Surface Area Configuration.
2. In the SQL Server 2005 Surface Area Configuration dialog box, click Surface Area Configuration for Services and Connections.
3. In the tree view, expand the node for your instance of SQL Server, expand the Database Engine node, and then click Remote Connections.
4. Select Local and Remote Connections, select Using both TCP/IP and named pipes, and then click OK.

SQL Server and database collation

The SQL Server collation must be configured to be case-insensitive. The SQL Server database collation must be configured to be case-insensitive, accent-sensitive, Kana-sensitive, and width-sensitive. This is used to ensure file name uniqueness consistent with the Windows operating system. For more information about collations, see Selecting a SQL Collation (http://go.microsoft.com/fwlink/?LinkId=121667&clcid=0x409) or Collation Settings in Setup (http://go.microsoft.com/fwlink/?LinkId=121669&clcid=0x409) in SQL Server 2005 Books Online.
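The following T-SQL is an added check, not part of the Microsoft guide, that verifies the collation requirements above on a SQL Server instance: it tests the server collation for the CI (case-insensitive) flag and the database collation for the CI_AS_KS_WS flags (case-insensitive, accent-, Kana- and width-sensitive), which is how SQL Server names those properties in Windows collation names such as Latin1_General_CI_AS_KS_WS. SharePoint_Config is the guide's default configuration database name; widen the name filter for your other farm databases.

```sql
-- Added verification script (not from the Microsoft deployment guide).
-- Run on the database server with a login that can read sys.databases.

-- 1. Server-level collation: the guide only requires case-insensitivity (CI).
--    Binary collations (_BIN) are case-sensitive, so they fail this check too.
DECLARE @ServerCollation nvarchar(128);
SET @ServerCollation = CAST(SERVERPROPERTY('Collation') AS nvarchar(128));

SELECT @ServerCollation AS ServerCollation,
       CASE WHEN @ServerCollation LIKE '%[_]CI[_]%'
            THEN 'OK'
            ELSE 'FAIL: server collation must be case-insensitive'
       END AS ServerCollationCheck;

-- 2. Database-level collation: CI, AS, KS and WS are all required.
--    KS and WS appear in the collation name only when the collation is
--    Kana-sensitive and width-sensitive, so a name that lacks them is wrong.
--    [_] escapes the LIKE wildcard so that underscores match literally.
SELECT name           AS DatabaseName,
       collation_name AS DatabaseCollation,
       CASE WHEN collation_name LIKE '%[_]CI[_]AS[_]KS[_]WS'
            THEN 'OK'
            ELSE 'FAIL: expected a CI_AS_KS_WS collation'
       END AS DatabaseCollationCheck
FROM sys.databases
WHERE name = N'SharePoint_Config'   -- the guide's default name; add your content databases here
ORDER BY name;
```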

Required accounts

The following table describes the accounts that are used to configure Microsoft SQL Server and to install Office SharePoint Server 2007. For more information about the required accounts, including specific privileges required for these accounts, see Plan for administrative and service accounts (http://technet.microsoft.com/en-us/library/cc263445.aspx).

Account: SQL Server Service Account
Purpose: This account is used as the service account for the following SQL Server services: MSSQLSERVER and SQLSERVERAGENT. If you are not using the default instance, these services will be shown as MSSQL$InstanceName and SQLAgent$InstanceName.
Requirements: SQL Server prompts for this account during SQL Server Setup. You have two options:
- Assign one of the built-in system accounts (Local System, Network Service, or Local Service) to the logon for the configurable SQL Server services. For more information about these accounts and security considerations, refer to the Setting Up Windows Service Accounts topic (http://go.microsoft.com/fwlink/?LinkId=121664&clcid=0x409) in the SQL Server documentation.
- Assign a domain user account to the logon for the service. However, if you use this option you must take the additional steps required to configure Service Principal Names (SPNs) in Active Directory in order to support Kerberos authentication, which SQL Server uses.

Account: Setup user account
Purpose: The Setup user account is used to run the following: Setup on each server; the SharePoint Products and Technologies Configuration Wizard; the PSConfig command-line tool; the Stsadm command-line tool.
Requirements:
- Domain user account.
- Member of the Administrators group on each server on which Setup is run.
- SQL Server login on the computer running SQL Server.
- Member of the following SQL Server security roles: securityadmin fixed server role; dbcreator fixed server role.
- If you run Stsadm command-line tool commands that read from or write to a database, this account must be a member of the db_owner fixed database role for the database.

Account: Server farm account / Database access account
Purpose: The Server farm account is used to act as the application pool identity for the SharePoint Central Administration application pool, and to run the Windows SharePoint Services Timer service.
Requirements:
- Domain user account.
- If the server farm is a child farm with Web applications that consume shared services from a larger farm, this account must be a member of the db_owner fixed database role on the configuration database of the larger farm.
- Additional permissions are automatically granted for this account on Web servers and application servers that are joined to a server farm.
- This account is automatically added as a SQL Server login on the computer running SQL Server and added to the following SQL Server security roles: dbcreator fixed server role; securityadmin fixed server role; db_owner fixed database role for all databases in the server farm.

Verify that servers meet hardware and software requirements

Before you install and configure Office SharePoint Server 2007, be sure that your servers have the recommended hardware and software. To deploy a server farm, you need at least one server computer acting as a Web server and an application server, and one server computer acting as a database server.

For more information about these requirements, see Determine hardware and software requirements (http://technet.microsoft.com/en-us/library/cc262485.aspx).

Important:
Office SharePoint Server 2007 requires Active Directory directory services for farm deployments. Therefore, Office SharePoint Server 2007 cannot be installed in a farm on a Microsoft Windows NT Server 4.0 domain.

Install and configure IIS

Internet Information Services (IIS) is not installed or enabled by default in the Microsoft Windows Server 2003 operating system. To make your server a Web server, you must install and enable IIS, and you must ensure that IIS is running in IIS 6.0 worker process isolation mode.

Install and configure IIS
1. Click Start, point to All Programs, point to Administrative Tools, and then click Configure Your Server Wizard.
2. On the Welcome to the Configure Your Server Wizard page, click Next.
3. On the Preliminary Steps page, click Next.
4. On the Server Role page, click Application server (IIS, ASP.NET), and then click Next.
5. On the Application Server Options page, click Next.
6. On the Summary of Selections page, click Next.
7. Click Finish.
8. Click Start, point to All Programs, point to Administrative Tools, and then click Internet Information Services (IIS) Manager.
9. In the IIS Manager tree, click the plus sign (+) next to the server name, right-click the Web Sites folder, and then click Properties.
10. In the Web Sites Properties dialog box, click the Service tab.
11. In the Isolation mode section, clear the Run WWW service in IIS 5.0 isolation mode check box, and then click OK.

Note:
The Run WWW service in IIS 5.0 isolation mode check box is only selected if you have upgraded to IIS 6.0 on Windows Server 2003 from IIS 5.0 on Microsoft Windows 2000. New installations of IIS 6.0 use IIS 6.0 worker process isolation mode by default.

Install the Microsoft .NET Framework version 3.0

Go to the Microsoft Download Center Web site (http://go.microsoft.com/fwlink/?LinkID=72322&clcid=0x409). On the Microsoft .NET Framework 3.0 Redistributable Package page, follow the instructions for downloading and installing the Microsoft .NET Framework version 3.0. There are separate downloads for x86-based computers and x64-based computers; be sure to download and install the appropriate version for your computer. The Microsoft .NET Framework version 3.0 download contains the Windows Workflow Foundation technology, which is required by workflow features.

Note:
You can also use the Microsoft .NET Framework version 3.5. You can download the .NET Framework version 3.5 from the Microsoft Web site (http://go.microsoft.com/fwlink/?LinkId=110508).

Enable ASP.NET 2.0

You must enable ASP.NET 2.0 on all Office SharePoint Server 2007 servers.

Enable ASP.NET 2.0
1. Click Start, point to All Programs, point to Administrative Tools, and then click Internet Information Services (IIS) Manager.
2. In the IIS Manager tree, click the plus sign (+) next to the server name, and then click the Web Service Extensions folder.
3. In the details pane, click ASP.NET v2.0.50727, and then click Allow.

Run Setup and build the farm

Run Setup and then the SharePoint Products and Technologies Configuration Wizard on all your farm servers. Do this on all farm servers before going on to create a Shared Services Provider (SSP).

Note:
We recommend that you run Setup on all the servers that will be in the farm before configuring the farm.

You can add servers to the farm at this point, or after you have created and configured an SSP. You can add servers after you have created and configured an SSP to add redundancy, such as additional load-balanced Web servers or additional query servers. It is recommended that you run Setup and the configuration wizard on all your application servers before you create and configure the SSP.

Recommended order of configuration

We recommend that you configure Office SharePoint Server 2007 in the order listed below. This order makes configuration easier and ensures that services and applications are in place before they are required by server types.

Recommended order of installation
1. We recommend that the Central Administration site be installed on an application server. In a server farm that includes more than one application server, install the Central Administration site on the application server with the least overall performance load. If your farm will have an application server, install Office SharePoint Server 2007 on that server first. This also installs the Central Administration site.
2. All your front-end Web servers.
3. The index server (if using a separate server for search queries and indexing).
4. The query servers, if separate from the index server.
   Note:
   To configure more than one query server in your farm, you cannot configure your index server as a query server.
5. Other application servers (optional).

Because the SSP configuration requires an index server, you must start the Office SharePoint Server Search service on the computer that you want to be the index server, and configure it as an index server before you can create an SSP. Because of this, you must deploy and configure an index server before other servers. You can choose any server to be the first server on which you install Office SharePoint Server 2007. However, the Central Administration Web site is automatically installed on the first server on which you install Office SharePoint Server 2007.

You can configure different features on different servers. The following table shows which installation type you should use for each feature set.

Server type                                               Installation type
Central Administration Web application                    Complete or Web Front End
Application server (such as Excel Calculation Services)   Complete
Search index server                                       Complete
Search query server                                       Complete
Web server                                                Web Front End (subsequent servers must join an existing farm) or Complete

Note:
If you choose the Web Front End installation option you will not be able to run additional services, such as search, on the server.

When you install Office SharePoint Server 2007 on the first server, you establish the farm. Any servers that you add will be joined to this farm.

Setting up the first server involves two steps: installing the Office SharePoint Server 2007 components on the server, and configuring the farm. After Setup finishes, you can use the SharePoint Products and Technologies Configuration Wizard to configure Office SharePoint Server 2007. The SharePoint Products and Technologies Configuration Wizard automates several configuration tasks, including: installing and configuring the configuration database, installing Office SharePoint Server 2007 services, and creating the Central Administration Web site.

Add servers to the farm

We recommend that you install and configure Office SharePoint Server 2007 on all of the farm servers before you configure Office SharePoint Server 2007 services and create sites.

Regardless of how many Web servers you have in your server farm, you must have SQL Server running on at least one database server before you install Office SharePoint Server 2007 on your Web servers. By default, when you add servers to the farm and run the SharePoint Products and Technologies Configuration Wizard, the wizard does not create additional Central Administration sites on the servers that you add, nor does it create any databases on your database server. However, you can use the wizard to create additional Central Administration sites on the servers that you add.

Run Setup on the first server

Important:
If you uninstall Office SharePoint Server 2007 from the first server on which you installed it, your farm might experience problems. It is not recommended that you install Office SharePoint Server 2007 on an index server first.

Note:
Setup installs the Central Administration Web site on the first server on which you run Setup. Therefore, we recommend that the first server on which you install Office SharePoint Server 2007 is a server from which you want to run the Central Administration Web site.

Run Setup on the first server
1. From the product disc, run Setup.exe, or from the product download, run Officeserver.exe, on one of your Web server computers.
2. On the Enter your Product Key page, enter your product key, and then click Continue.
   Note:
   Setup automatically verifies the product key, places a green check mark next to the text box, and enables the Continue button after it validates the key. If the key is not valid, Setup displays a red circle next to the text box and prompts you that the key is incorrect.
3. On the Read the Microsoft Software License Terms page, review the terms, select the I accept the terms of this agreement check box, and then click Continue.
4. On the Choose the installation you want page, click Advanced. The Basic option is for stand-alone installations.
5. On the Server Type tab, select Complete.
6. Optionally, to install Office SharePoint Server 2007 at a custom location, select the File Location tab, and then type the location or Browse to the location.
7. Optionally, to participate in the Customer Experience Improvement Program, select the Feedback tab and select the option you want. To learn more about the program, click the link. You must have an Internet connection to view the program information.
8. When you have chosen the correct options, click Install Now.
9. When Setup finishes, a dialog box appears that prompts you to complete the configuration of your server. Be sure that the Run the SharePoint Products and Technologies Configuration Wizard now check box is selected.
10. Click Close to start the configuration wizard. Instructions for completing the wizard are provided in the next set of steps.

Run the SharePoint Products and Technologies Configuration Wizard

After Setup finishes, you can use the SharePoint Products and Technologies Configuration Wizard to configure Office SharePoint Server 2007. The configuration wizard automates several configuration tasks, including: installing and configuring the configuration database, installing Office SharePoint Server 2007 services, and creating the Central Administration Web site. Use the following instructions to run the SharePoint Products and Technologies Configuration Wizard.

Run the SharePoint Products and Technologies Configuration Wizard
1. On the Welcome to SharePoint Products and Technologies page, click Next.
2. Click Yes in the dialog box that notifies you that some services might need to be restarted during configuration.
3. On the Connect to a server farm page, click No, I want to create a new server farm, and then click Next.
4. In the Specify Configuration Database Settings dialog box, in the Database server box, type the name of the computer that is running SQL Server.
5. Type a name for your configuration database in the Database name box, or use the default database name. The default name is "SharePoint_Config".
6. In the User name box, type the user name of the Server farm account. (Be sure to type the user name in the format DOMAIN\username.)
   Important:
   The server farm account is used to access your configuration database. It also acts as the application pool identity for the SharePoint Central Administration application pool, and it is the account under which the Windows SharePoint Services Timer service runs. The SharePoint Products and Technologies Configuration Wizard adds this account to the SQL Server Logins, the SQL Server Database Creator server role, and the SQL Server Security Administrators server role. The user account that you specify as the service account must be a domain user account, but it does not need to be a member of any specific security group on your Web servers or your back-end database servers. We recommend that you follow the principle of least privilege and specify a user account that is not a member of the Administrators group on your Web servers or your back-end servers.
7. In the Password box, type the user's password, and then click Next.
8. On the Configure SharePoint Central Administration Web Application page, select the Specify port number check box and type a port number if you want the SharePoint Central Administration Web application to use a specific port, or leave the Specify port number check box cleared if you do not care which port number the SharePoint Central Administration Web application uses.
9. In the Configure SharePoint Central Administration Web Application dialog box, do one of the following:
   If you want to use NTLM authentication (the default), click Next.
   If you want to use Kerberos authentication, click Negotiate (Kerberos), and then click Next.
   Note:
   In most cases, use the default setting (NTLM). Use Negotiate (Kerberos) only if Kerberos authentication is supported in your environment. Using the Negotiate (Kerberos) option requires you to configure a Service Principal Name (SPN) for the domain user account. To do this, you must be a member of the Domain Admins group. For more information, see How to configure a Windows SharePoint Services virtual server to use Kerberos authentication and how to switch from Kerberos authentication back to NTLM authentication (http://go.microsoft.com/fwlink/?LinkID=76570&clcid=0x409).
10. On the Completing the SharePoint Products and Technologies Configuration Wizard page, click Next.
11. On the Configuration Successful page, click Finish. The SharePoint Central Administration Web site home page opens.

Note:
If you are prompted for your user name and password, you might need to add the SharePoint Central Administration site to the list of trusted sites and configure user authentication settings in Internet Explorer. Instructions for configuring these settings are provided in the next set of steps.

Note:
If a proxy server error message appears, you might need to configure your proxy server settings so that local addresses bypass the proxy server. Instructions for configuring this setting are provided later in this section.
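The Required accounts table and the Important note at step 6 of the configuration wizard above define which SQL Server roles the Setup user account and the Server farm account must hold (securityadmin and dbcreator at the server level, db_owner in the farm databases) and, by the least-privilege recommendation, nothing beyond that. The following T-SQL is an added check, not part of the Microsoft guide, that reports those memberships after the wizard has run; the account names CONTOSO\spsetup and CONTOSO\spfarm are placeholders and SharePoint_Config is the guide's default configuration database name.

```sql
-- Added verification script (not from the Microsoft deployment guide).
-- Run on the database server as a sysadmin so that role membership of other
-- logins is visible. Placeholders: CONTOSO\spsetup = Setup user account,
-- CONTOSO\spfarm = Server farm account, SharePoint_Config = configuration database.
DECLARE @SetupAccount sysname, @FarmAccount sysname, @ConfigDb sysname;
SET @SetupAccount = N'CONTOSO\spsetup';
SET @FarmAccount  = N'CONTOSO\spfarm';
SET @ConfigDb     = N'SharePoint_Config';

-- 1. Server-level roles. Both accounts need securityadmin and dbcreator; neither
--    needs sysadmin, so IsSysAdmin = 1 means the account holds more than the
--    guide requires. IS_SRVROLEMEMBER returns NULL when the login does not exist.
SELECT a.AccountName,
       IS_SRVROLEMEMBER('securityadmin', a.AccountName) AS IsSecurityAdmin,
       IS_SRVROLEMEMBER('dbcreator',     a.AccountName) AS IsDbCreator,
       IS_SRVROLEMEMBER('sysadmin',      a.AccountName) AS IsSysAdmin,
       CASE WHEN IS_SRVROLEMEMBER('dbcreator', a.AccountName) IS NULL
            THEN 'FAIL: login not found on this instance'
            WHEN IS_SRVROLEMEMBER('securityadmin', a.AccountName) = 1
             AND IS_SRVROLEMEMBER('dbcreator',     a.AccountName) = 1
             AND ISNULL(IS_SRVROLEMEMBER('sysadmin', a.AccountName), 0) = 0
            THEN 'OK'
            ELSE 'FAIL: role membership differs from the required set'
       END AS RoleCheck
FROM (SELECT @SetupAccount AS AccountName
      UNION ALL
      SELECT @FarmAccount) AS a;

-- 2. Database-level role. The wizard adds the farm account to db_owner in every
--    farm database; this checks the configuration database. The database name is
--    a variable, so the statement is built as dynamic SQL with QUOTENAME and the
--    account name is passed as a parameter rather than concatenated into the text.
--    No row returned means the login has no database user in that database at all.
DECLARE @sql nvarchar(max);
SET @sql = N'USE ' + QUOTENAME(@ConfigDb) + N';
SELECT DB_NAME() AS DatabaseName,
       sp.name   AS LoginName,
       dp.name   AS DatabaseUser,
       CASE WHEN EXISTS (SELECT 1
                         FROM sys.database_role_members rm
                         JOIN sys.database_principals r
                           ON r.principal_id = rm.role_principal_id
                         WHERE rm.member_principal_id = dp.principal_id
                           AND r.name = N''db_owner'')
            THEN ''OK''
            ELSE ''FAIL: not a member of db_owner''
       END AS DbOwnerCheck
FROM sys.database_principals dp
JOIN sys.server_principals sp ON sp.sid = dp.sid
WHERE sp.name = @Account;';
EXEC sp_executesql @sql, N'@Account sysname', @Account = @FarmAccount;
```

Membership of the local Administrators group on the Web servers, which the least-privilege note also asks you to avoid for the farm account, is a Windows setting and is not visible from SQL Server; check it separately on each server.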

Add the SharePoint Central Administration Web site to the list of trusted sites
1. In Internet Explorer, on the Tools menu, click Internet Options.
2. On the Security tab, in the Select a Web content zone to specify its security settings box, click Trusted sites, and then click Sites.
3. Clear the Require server verification (https:) for all sites in this zone check box.
4. In the Add this Web site to the zone box, type the URL for the SharePoint Central Administration Web site, and then click Add.
5. Click Close to close the Trusted sites dialog box.
6. Click OK to close the Internet Options dialog box.

Configure proxy server settings to bypass the proxy server for local addresses
1. In Internet Explorer, on the Tools menu, click Internet Options.
2. On the Connections tab, in the Local Area Network (LAN) settings area, click LAN Settings.
3. In the Automatic configuration section, clear the Automatically detect settings check box.
4. In the Proxy Server section, select the Use a proxy server for your LAN check box.
5. Type the address of the proxy server in the Address box.
6. Type the port number of the proxy server in the Port box.
7. Select the Bypass proxy server for local addresses check box.
8. Click OK to close the Local Area Network (LAN) Settings dialog box.
9. Click OK to close the Internet Options dialog box.

Add servers to the farm

We recommend that you install and configure Office SharePoint Server 2007 on all of your Web servers and the index server before you configure Office SharePoint Server 2007 services and create sites. If you want to build a minimal server farm configuration, and incrementally add Web servers to expand the farm, you can install and configure Office SharePoint Server 2007 on a single Web server and configure the Web server as both a Web server and an application server. Regardless of how many Web servers you have in your server farm, you must have SQL Server running on at least one back-end database server before you install Office SharePoint Server 2007 on your Web servers.

Important:
If you uninstall Office SharePoint Server 2007 from the first server on which you installed it, your farm might experience problems. It is not recommended that you install Office SharePoint Server 2007 on an index server first.

Run Setup on additional servers — front-end Web servers
1. From the product disc, run Setup.exe, or from the product download, run Officeserver.exe, on one of your Web server computers.
2. On the Enter your Product Key page, enter your product key, and then click Continue.
   Note:
   Setup automatically verifies the product key, places a green check mark next to the text box, and enables the Continue button after it validates the key. If the key is not valid, Setup displays a red circle next to the text box and prompts you that the key is incorrect.
3. On the Read the Microsoft Software License Terms page, review the terms, select the I accept the terms of this agreement check box, and then click Continue.
4. On the Choose the installation you want page, click Advanced.
5. On the Server Type tab, click Web Front End.
6. Optionally, to install Office SharePoint Server 2007 at a custom location, select the File Location tab, and then type the location or Browse to the location.
7. Optionally, to participate in the Customer Experience Improvement Program, select the Feedback tab and select the option you want. To learn more about the program, click the link. You must have an Internet connection to view the program information.
8. When you have chosen the correct options, click Install Now.
9. When Setup finishes, a dialog box appears that prompts you to complete the configuration of your server. Be sure that the Run the SharePoint Products and Technologies Configuration Wizard now check box is selected.
10. Click Close to start the configuration wizard. Instructions for completing the wizard are provided in the following section.

Run Setup on additional servers — index or query server
1. From the product disc, run Setup.exe, or from the product download, run Officeserver.exe, on one of your Web server computers.
2. On the Enter your Product Key page, enter your product key, and then click Continue.
   Note:
   Setup automatically verifies the product key, places a green check mark next to the text box, and enables the Continue button after it validates the key. If the key is not valid, Setup displays a red circle next to the text box and prompts you that the key is incorrect.
3. On the Read the Microsoft Software License Terms page, review the terms, select the I accept the terms of this agreement check box, and then click Continue.
4. On the Choose the installation you want page, click Advanced.
5. On the Server Type tab, click Complete.
6. Optionally, to install Office SharePoint Server 2007 at a custom location, select the File Location tab, and then type the location or Browse to the location.
7. Optionally, to participate in the Customer Experience Improvement Program, select the Feedback tab and select the option you want. To learn more about the program, click the link. You must have an Internet connection to view the program information.
8. When you have chosen the correct options, click Install Now.
9. When Setup finishes, a dialog box appears that prompts you to complete the configuration of your server. Be sure that the Run the SharePoint Products and Technologies Configuration Wizard now check box is selected.
10. Click Close to start the configuration wizard. Instructions for completing the wizard are provided in the next set of steps.

Run the SharePoint Products and Technologies Configuration Wizard on additional servers

After Setup finishes, you can use the SharePoint Products and Technologies Configuration

Wizard to configure Office SharePoint Server 2007. The configuration wizard automates several

configuration tasks, including installing Office SharePoint Server 2007 services. Use the following

instructions to run the SharePoint Products and Technologies Configuration Wizard.

Run the SharePoint Products and Technologies Configuration Wizard on additional servers

1. On the Welcome to SharePoint Products and Technologies page, click Next.

2. Click Yes in the dialog box that notifies you that some services might need to be

restarted during configuration.

3. On the Connect to a server farm page, click Yes, I want to connect to an existing

server farm, and then click Next.

4. In the Specify Configuration Database Settings dialog box, in the Database server

box, type the name of the computer that is running SQL Server.

5. Click Retrieve Database Names, and then from the Database name list, select the

database name that you created when you configured the first server in your server farm.

6. In the User name box, type the user name of the account used to connect to the

computer running SQL Server. (Be sure to type the user name in the format

DOMAIN\username.) This must be the same user account you used when configuring the

first server.

7. In the Password box, type the user's password, and then click Next.

8. On the Completing the SharePoint Products and Technologies Configuration Wizard

page, click Next.

9. On the Configuration Successful page, click Finish.

Start the Windows SharePoint Services Search service (optional)

You must start the Windows SharePoint Services Search service on every computer that you

want to search over Help content. If you do not want users to be able to search over Help

content, you do not need to start this service.

Start the Windows SharePoint Services Search service (optional)

1. On the SharePoint Central Administration home page, click the Operations tab on the

Page 52: AF010163853

36

top link bar.

2. On the Operations page, in the Topology and Services section, click Services on

server.

3. On the Services on Server page, next to Window SharePoint Services Search, click

Start.

4. On the Configure Windows SharePoint Services Search Service Settings page, in the

Service Account section, type the user name and password for the user account under

which the Windows SharePoint Services Search service account will run.

5. In the Content Access Account section, type the user name and password for the user

account that the search service will use to search over content. This account must have

read access to all the content you want it to search over. If you do not specify credentials,

the same account used for the search service will be used.

6. In the Indexing Schedule section, either accept the default settings, or specify the

schedule that you want the search service to use when searching over content.

7. After you have configured all the settings, click Start.

Stop the Central Administration service on all index servers

In farms with more than one index server, you should stop the Central Administration service on

all index servers. This service is used for the Central Administration site and is not required on

index servers. Stopping this service on index servers can help avoid URL resolution problems

with indexing. On the other hand, you must be sure that this service is started on the server that

hosts the Central Administration Web site, even if that server is also an index server. You do not

need to stop this service for installations where the farm has only one index server.

Before stopping the service on an index server, make sure that the service is running on another server.

Stop the Central Administration service on an index server

1. On the Services on Server page, select the index server from the Server drop-down list.

2. Under Select server role to display services you will need to start in the table

below, select the Custom option.

3. In the table of services, next to Central Administration, in the Action column, click

Stop.

Disable the Windows SharePoint Services Web Application service on all servers not serving content

You should disable the Windows SharePoint Service Web Application service on all servers that

are not serving content, especially index servers. On the other hand, you must be sure that this

service is enabled on the servers that are serving content.


Disable the Windows SharePoint Services Web Application service on a server

1. On the SharePoint Central Administration home page, click the Operations tab on the

top link bar.

2. On the Operations page, in the Topology and Services section, click Services on

server.

3. On the Services on Server page, next to Windows SharePoint Services Web

Application, click Stop.
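
The three procedures above work one server at a time through the Services on Server page, and the two cautions they carry (Central Administration must stay online somewhere before it is stopped on an index server; the Web Application service should not run on servers that do not serve content) are easy to lose track of in a larger farm. The following PowerShell script is an added example, not code from the TechNet book, that reads the same information from the Windows SharePoint Services 3.0 object model and reports those conditions for every server. It assumes it runs on a farm server under a farm administrator account (the object model needs access to the configuration database), that the service type names match the labels shown on the Services on Server page, and it treats every server on which Office SharePoint Server Search is online as an index server (the type name alone does not distinguish a query-only server). The -CentralAdminHost parameter is this example's own.

```powershell
# Added example, not part of the TechNet book: list the services online on each farm
# server and flag the topology mistakes this section warns about.
# Assumptions: runs on a farm server as a farm administrator; the service type names
# are the labels shown on the Services on Server page.
param(
    # The server that hosts the Central Administration Web site and must keep the
    # Central Administration service online; defaults to the local computer.
    [string]$CentralAdminHost = $env:COMPUTERNAME
)

[void][System.Reflection.Assembly]::LoadWithPartialName("Microsoft.SharePoint")

$CentralAdmin = "Central Administration"
$WebApp       = "Windows SharePoint Services Web Application"
$OSearch      = "Office SharePoint Server Search"

function Get-FarmServiceMap {
    # Returns a hashtable: server name -> hashtable of service type name -> $true when Online.
    $map  = @{}
    $farm = [Microsoft.SharePoint.Administration.SPFarm]::Local
    foreach ($server in $farm.Servers) {
        # Database servers are listed in the farm but host no service instances.
        if ($server.ServiceInstances.Count -eq 0) { continue }
        $online = @{}
        foreach ($instance in $server.ServiceInstances) {
            $online[$instance.TypeName] = ($instance.Status -eq "Online")
        }
        $map[$server.Name] = $online
    }
    return $map
}

function Test-FarmServiceTopology([hashtable]$map, [string]$caHost) {
    $findings = @()
    $caHosts  = @($map.Keys | Where-Object { $map[$_][$CentralAdmin] })

    foreach ($name in @($map.Keys)) {
        $svc = $map[$name]
        if (-not $svc[$OSearch]) { continue }   # the checks below apply to index servers only
        if ($svc[$CentralAdmin] -and ($name -ne $caHost)) {
            $elsewhere = @($caHosts | Where-Object { $_ -ne $name })
            if ($elsewhere.Count -gt 0) {
                $findings += "${name}: index server still runs Central Administration; stop it here (online on " +
                             [string]::Join(", ", $elsewhere) + ")"
            } else {
                $findings += "${name}: index server is the only server running Central Administration; " +
                             "start it on $caHost before stopping it here"
            }
        }
        if ($svc[$WebApp]) {
            $findings += "${name}: index server runs the Web Application service; stop it unless this server also serves content"
        }
    }
    if ($caHosts.Count -eq 0) {
        $findings += "No server in the farm is running Central Administration"
    } elseif (-not ($caHosts -contains $caHost)) {
        $findings += "${caHost}: Central Administration is not online on the designated host"
    }
    return $findings
}

$map = Get-FarmServiceMap
foreach ($name in @($map.Keys)) {
    $onlineNames = @($map[$name].Keys | Where-Object { $map[$name][$_] } | Sort-Object)
    "{0}: {1}" -f $name, [string]::Join("; ", $onlineNames)
}
$findings = @(Test-FarmServiceTopology $map $CentralAdminHost)
if ($findings.Count -eq 0) { "No topology findings." }
else { $findings | ForEach-Object { "FINDING: $_" } }
```

Run it from a PowerShell prompt on the server that hosts Central Administration before and after changing services, and do not stop Central Administration on an index server until the report shows it online on another server.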

Create and configure a Shared Services Provider

This section covers how to create and configure a single Shared Services Provider (SSP). An

SSP is a logical grouping of shared services and their supporting resources. In Office SharePoint

Server 2007, the SSP enables sharing services across multiple server farms, Web applications,

and site collections. For more information about configuring and using SSPs, see Chapter

overview: Create and configure Shared Services Providers.

In this phase, you create one or more SSPs and configure them to meet the needs of your farm.

Each server farm can host one or more SSPs, or consume services provided by an SSP on

another server farm. Each SSP runs in its own Web application, which contains one or more site

collections. Other Web applications on a server farm can be associated with any of the SSPs on

the farm. Shared services cannot be enabled or disabled separately from other shared services.

Web applications on a farm consume either all of the services of an SSP or none of them. For

more information about SSPs, see Plan Shared Services Providers

(http://technet.microsoft.com/en-us/library/cc263276.aspx).

Start the Office SharePoint Server Search service

You must start the Office SharePoint Server Search service on at least one computer that was

set up by using the Complete option during Setup. This service must be started on the computer

that you want to use as your index server and optionally as a query server before you can create

an SSP.

Start the Office SharePoint Server Search service on the index server

1. On the SharePoint Central Administration home page, click the Operations tab on the

top link bar.

2. On the Operations page, in the Topology and Services section, click Services on

server.

3. In the Server list, select the server that you want to configure as an index server and —

optionally — as a query server.

4. On the Services on Server page, next to Office SharePoint Server Search, click Start.

5. Select the Use this server for indexing content check box. This expands the page and

adds the Index Server Default File Location, Indexer Performance, and Web Front


End and Crawling sections.

6. If you want to use this server to service search queries, select the Use this server for

servicing search queries check box. This expands the page and adds the Query

Server Index File Location section. If not, skip to the next step.

7. In the Contact E-mail Address section, type the e-mail address you want external site

administrators to use to contact your organization if problems arise when their sites are

being crawled by your index server.

8. In the Farm Search Service Account section, specify the User name and Password of

the account under which the search service will run. This domain account should not be a

member of the Farm Administrators group in the Central Administration Web site (the

WSS_ADMIN_WPG Windows security group). For least privilege scenarios, this should

be a separate domain account, used only for this service. For more information about this

account, see Plan for administrative and service accounts

(http://technet.microsoft.com/en-us/library/cc263445.aspx).

9. Optionally, you can also configure other settings or accept the default settings.

10. When you have configured all the settings, click Start.

You can optionally use the following steps to start the Office SharePoint Server Search service on

computers that were set up by using the Complete option during Setup to deploy query servers.

Important:

If you selected the Use this server for servicing search queries option in step 6 of the

previous procedure, you cannot deploy additional query servers unless you first remove

the query server role from the index server.

For information about how to perform this procedure using the Stsadm command-line tool, see

Osearch: Stsadm operation (http://technet.microsoft.com/en-us/library/cc262920.aspx).

Start the Office SharePoint Server Search service on query servers

1. On the SharePoint Central Administration home page, click the Operations tab on the

top link bar.

2. On the Operations page, in the Topology and Services section, click Services on

server.

3. In the Server list, select the server that you want to configure as a query server.

4. On the Services on Server page, next to Office SharePoint Server Search, click Start.

5. Select the Use this server for servicing search queries check box. This expands the

page and adds the Query Server Index File Location section.

6. In the Farm Search Service Account section, specify the User name and Password of

the account under which the search service will run. This domain account should not be a

member of the Farm Administrators group in the Central Administration Web site (the

WSS_ADMIN_WPG Windows security group). For least privilege scenarios, this should

be a separate domain account, used only for this service. For more information about this

account, see Plan for administrative and service accounts


(http://technet.microsoft.com/en-us/library/cc263445.aspx).

7. In the Query Server Index File Location section, in the Query server index file

location box, either type the location on the local drive of the query server on which you

want to store the propagated index, or accept the default path.

8. In the Query Server Index File Location section, select one of the following:

Configure share automatically Select this option to automatically configure the

share on which you want to store the propagated index, and type the user name and

password of the account that you want to use to propagate the index

(recommended).

Important:

This account must be a member of the Administrators group and a member of the WSS_ADMIN_WPG group on the query server before you proceed to the next step, or propagation of the index will fail.

I will configure the share with STSAdm Select this option if you want to use the

Stsadm command-line tool to create this share at a later time.

Do nothing. The share is already configured Select this option if the share

already exists and the permissions to the share are configured as described above.

9. When you have configured all the settings, click Start.

For information about how to perform this procedure using the Stsadm command-line

tool, see Osearch: Stsadm operation (http://technet.microsoft.com/en-

us/library/cc262920.aspx).
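
Both procedures above depend on group memberships that the page leaves to be checked by hand: the Farm Search Service Account must not be a farm administrator (a member of WSS_ADMIN_WPG), and on a query server the account used to propagate the index must be a member of both the local Administrators group and WSS_ADMIN_WPG, or propagation fails. The following PowerShell script is an added example, not code from the TechNet book, that verifies this on the server being configured through the WinNT ADSI provider. The account names CONTOSO\sp_osearch and CONTOSO\sp_propagate are placeholders to replace with your own; the group names are the ones the procedures name.

```powershell
# Added example, not part of the TechNet book: check the account memberships that
# the index-server and query-server procedures above require, on this server.
# Assumptions: account names are placeholders; group names are those the
# procedures name (local Administrators and WSS_ADMIN_WPG, which Setup creates).
param(
    [string]$SearchServiceAccount = "CONTOSO\sp_osearch",    # Farm Search Service Account
    [string]$PropagationAccount   = "CONTOSO\sp_propagate",  # account that propagates the index to this query server
    [switch]$QueryServer                                     # set when this server will service search queries
)

function Get-LocalGroupMembers([string]$GroupName) {
    # Members of a local group as DOMAIN\name strings, via the WinNT ADSI provider.
    # Returns an empty list when the group does not exist on this computer.
    $path = "WinNT://$env:COMPUTERNAME/$GroupName,group"
    if (-not [System.DirectoryServices.DirectoryEntry]::Exists($path)) { return @() }
    $group   = [ADSI]$path
    $members = @()
    foreach ($m in @($group.psbase.Invoke("Members"))) {
        # ADsPath is WinNT://CONTOSO/sp_osearch for a domain account (local accounts
        # carry the computer name as an extra path segment).
        $adsPath  = $m.GetType().InvokeMember("ADsPath", "GetProperty", $null, $m, $null)
        $members += (($adsPath -replace "^WinNT://", "") -replace "/", "\")
    }
    return $members
}

function Test-SearchServiceAccounts {
    $admins   = @(Get-LocalGroupMembers "Administrators")
    $wssAdmin = @(Get-LocalGroupMembers "WSS_ADMIN_WPG")
    $results  = @()

    if ($wssAdmin.Count -eq 0) {
        $results += "WARN: WSS_ADMIN_WPG does not exist on this computer; run Setup here before starting the search service"
    }
    # The Farm Search Service Account must not be a farm administrator.
    if ($wssAdmin -contains $SearchServiceAccount) {
        $results += "FAIL: $SearchServiceAccount is a member of WSS_ADMIN_WPG; the search service must not run as a farm administrator"
    } else {
        $results += "OK: $SearchServiceAccount is not a member of WSS_ADMIN_WPG"
    }
    # Least privilege: the search service account is used for that service only.
    if ($SearchServiceAccount -eq $PropagationAccount) {
        $results += "WARN: the search service account is also the propagation account; use a separate account for each"
    }
    if ($QueryServer) {
        # "Configure share automatically" fails unless the propagation account is in both groups.
        if ($admins -contains $PropagationAccount) {
            $results += "OK: $PropagationAccount is a member of Administrators"
        } else {
            $results += "FAIL: $PropagationAccount is not a member of Administrators; index propagation will fail"
        }
        if ($wssAdmin -contains $PropagationAccount) {
            $results += "OK: $PropagationAccount is a member of WSS_ADMIN_WPG"
        } else {
            $results += "FAIL: $PropagationAccount is not a member of WSS_ADMIN_WPG; index propagation will fail"
        }
    }
    return $results
}

$results = @(Test-SearchServiceAccounts)
$results
# Non-zero exit code when any check failed, so the script can gate a deployment step.
if (@($results | Where-Object { $_ -like "FAIL:*" }).Count -gt 0) { exit 1 }
```

Run it on the index server without -QueryServer, and on each query server with -QueryServer, before clicking Start in the procedures above; a FAIL on the propagation account is the condition the Important note describes.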

Create a Web application to host the SSP and create the SSP

1. On the SharePoint Central Administration home page, click the Application

Management tab on the top link bar.

2. On the Application Management page, in the Office SharePoint Server Shared

Services section, click Create or configure this farm's shared services.

3. On the Manage this Farm's Shared Services page, click New SSP.

4. On the New Shared Services Provider page, in the SSP Name section, click Create a

new Web application.

Note:

If you see any items in the Web application drop-down list, a Web application

has already been created. You can either use this Web application or create

another.

5. On the Create New Web Application page, in the Application Pool section, specify the

User name and Password for the user account that the Web application pool will run

under.


6. You can also configure other settings on this page, or click OK to create the new Web

application.

Note:

By default, the Web application uses the default Web site in IIS and port 80. This

port might be used by other Web applications. Ensure that this port is open for

use, or choose another port before you click OK.

Note:

By default, Restart IIS Manually is selected. If you use this setting, you must restart the default Web site in IIS, or restart the World Wide Web Publishing Service (W3SVC) from the command line (for example, by running iisreset /noforce).

7. On the New Shared Services Provider page, in the SSP Service Credentials section,

type the user name and password for the user account that the SSP service will run

under.

8. Optionally, you can also configure other settings.

9. When you have configured all the settings, click OK.

10. If you used the same Web application for the SSP administration site and the My Sites

site collection, you will be prompted to use separate Web applications for these site

collections. If you want to use the same Web application, click OK. For more information

about site planning, see Plan Web site structure and publishing

(http://technet.microsoft.com/en-us/library/cc262789.aspx).

11. After the SSP has been created, click OK on the confirmation page that appears.

Perform additional configuration tasks

After Setup finishes, your browser window opens to the home page of your new SharePoint site.

Although you can start adding content to the site or customizing the site, we recommend that you

first perform the following administrative tasks by using the SharePoint Central Administration

Web site.

Configure incoming e-mail settings You can configure incoming e-mail settings so that

SharePoint sites accept and archive incoming e-mail. You can also configure incoming e-mail

settings so that SharePoint sites can archive e-mail discussions as they happen, save e-

mailed documents, and show e-mailed meetings on site calendars. In addition, you can

configure the SharePoint Directory Management Service to provide support for e-mail

distribution list creation and management. For more information, see Configure incoming e-

mail settings.

Configure outgoing e-mail settings You can configure outgoing e-mail settings so that

your Simple Mail Transfer Protocol (SMTP) server sends e-mail alerts to site users and

notifications to site administrators. You can configure both the "From" e-mail address and the

"Reply" e-mail address that appear in outgoing alerts. For more information, see Configure

outgoing e-mail settings.


Configure workflow settings Specify whether users can assemble new workflows, and if

participants without site access should be sent documents in e-mail attachments so they can

participate in document workflows. For more information, see Configure workflow settings.

Configure diagnostic logging settings You can configure several diagnostic logging

settings to help with troubleshooting. This includes enabling and configuring trace logs, event

messages, user-mode error messages, and Customer Experience Improvement Program

events. For more information, see Configure diagnostic logging settings.

Configure antivirus protection settings You can configure several antivirus settings if you

have an antivirus program that is designed for Office SharePoint Server 2007. Antivirus

settings enable you to control whether documents are scanned on upload or download, and

whether users can download infected documents. You can also specify how long you want

the antivirus program to run before it times out, and you can specify how many execution

threads the antivirus program can use on the server. For more information, see Configure

antivirus settings.

Configure search Before search queries can be serviced, content must first be crawled.

You can configure several search and index settings to customize how Office SharePoint

Server 2007 crawls your site content or external content. For more information, see Configure

the Office SharePoint Server Search service.

Configure Excel Calculation Services Before you can use Excel Services, you must start

the service and add at least one trusted location. For more information, see C. Configure

Excel Services.

Perform administrator tasks by using the Central Administration site

1. Click Start, point to All Programs, point to Microsoft Office Server, and then click

SharePoint 3.0 Central Administration.

2. On the Central Administration home page, in the Administrator Tasks section, click

the task you want to perform.

3. On the Administrator Tasks page, next to Action, click the task.

Create a site collection and a SharePoint site

This section guides you through the process of creating a single site collection containing a single

SharePoint site. You can create many site collections, and many sites under each site collection.

For more information, see V. Deploy and configure SharePoint sites.

You can create new portal sites or migrate pre-existing sites or content from a previous version of

Windows SharePoint Services. For information about planning SharePoint sites and site

collections, see Plan Web site structure and publishing (http://technet.microsoft.com/en-

us/library/cc262789.aspx). For information about migrating content, see Deploy new server farm

and migrate content (http://technet.microsoft.com/en-us/library/cc303436.aspx).


You can also migrate content from a pre-existing Microsoft Content Management Server 2002

source. For information, see Migrate from Microsoft Content Management Server 2002 to Office

SharePoint Server 2007 (http://technet.microsoft.com/en-us/library/cc261812.aspx).

Before you can create a site collection or a site, you must first create a Web application. A Web application consists of an Internet Information Services (IIS) Web site with its own application pool.

Create a new Web application

1. Click the Start button, point to All Programs, then point to Microsoft Office Server, and

then click SharePoint 3.0 Central Administration.

2. On the Central Administration home page, click Application Management.

3. On the Application Management page, in the SharePoint Web Application

Management section, click Create or extend Web application.

4. On the Create or Extend Web Application page, in the Adding a SharePoint Web

Application section, click Create a new Web application.

5. On the Create New Web Application page, in the IIS Web Site section, you can configure

the settings for your new Web application.

a. To choose to use an existing Web site, select Use an existing Web site, and specify

the Web site on which to install your new Web application by selecting it from the

drop-down menu.

b. To choose to create a new Web site, select Create a new IIS Web site, and type the

name of the Web site in the Description box.

c. In the Port box, type the port number you want to use to access the Web application.

If you are creating a new Web site, this field is populated with a suggested port

number. If you are using an existing Web site, this field is populated with the current

port number.

d. In the Host Header box, type the URL you wish to use to access the Web

application. This is an optional field.

e. In the Path box, type the path to the site directory on the server. If you are creating a

new Web site, this field is populated with a suggested path. If you are using an

existing Web site, this field is populated with the current path.

6. In the Security Configuration section, configure authentication and encryption for your

Web application.

a. In the Authentication Provider section, choose either Negotiate (Kerberos) or

NTLM.

b. In the Allow Anonymous section, choose Yes or No. If you choose to allow

anonymous access, this enables anonymous access to the Web site by using the

computer-specific anonymous access account (that is, IUSR_<computername>).

c. In the Use Secure Sockets Layer (SSL) section, select Yes or No. If you choose to

enable SSL for the Web site, you must configure SSL by requesting and installing an


SSL certificate.

7. In the Load Balanced URL section, type the URL for the domain name for all sites that

users will access in this Web application. This URL domain will be used in all links shown

on pages within the Web application. By default, the box is populated with the current

server name and port.

The Zone box is automatically set to Default for a new Web application and cannot be

changed from this page.

8. In the Application Pool section, choose whether to use an existing application pool or

create a new application pool for this Web application. To use an existing application

pool, select Use existing application pool. Then select the application pool you wish to

use from the drop-down menu.

a. To create a new application pool, select Create a new application pool.

b. In the Application pool name box, type the name of the new application pool, or

keep the default name.

c. In the Select a security account for this application pool section, select

Predefined to use an existing application pool security account, and then select the

security account from the drop-down menu.

d. Select Configurable to use an account that is not currently being used as a security

account for an existing application pool. In the User name box, type the user name

of the account you wish to use, and type the password for the account into the

Password box.

9. In the Reset Internet Information Services section, choose whether to allow Office SharePoint Server 2007 to restart IIS on the other servers in the farm. IIS on the local server must be restarted manually for the process to finish. If this option is not selected and you have more than one server in the farm, you must wait until the IIS Web site is created on all servers and then run iisreset /noforce on each Web server. The new IIS site is not usable until that action is completed. These choices are unavailable if your farm contains only a single server.

10. Under Database Name and Authentication, choose the database server, database

name, and authentication method for your new Web application.

Database Server: Type the name of the database server and SQL Server instance you want to use, in the format <SERVERNAME\instance>. You can also use the default entry.

Database Name: Type the name of the database, or use the default entry.

Database Authentication: Choose whether to use Windows authentication (recommended) or SQL authentication. To use Windows authentication, leave that option selected. To use SQL authentication, select SQL authentication; in the Account box, type the name of the account that the Web application will use to authenticate to the SQL Server database, and then type its password in the Password box.

11. Click OK to create the new Web application, or click Cancel to cancel the process and

return to the Application Management page.

For information about how to perform this procedure using the Stsadm command-line

tool, see Createsiteinnewdb: Stsadm operation (http://technet.microsoft.com/en-

us/library/cc262407.aspx).
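
Steps 6, 8 and 10 of the procedure above each carry a security decision (authentication provider, anonymous access, SSL, application pool identity, database authentication) that is easy to lose track of once a farm has several Web applications and zones. The following PowerShell script is an added example, not code from the TechNet book, that lists those settings for every content Web application in the farm and flags anonymous access, zones without an SSL binding, content databases that use SQL authentication, and application pools that run as the Central Administration (server farm) identity or are shared by more than one Web application, which the least-privilege note later in this chapter advises against. It assumes it runs on a farm server under a farm administrator account, and that the object-model members it uses (SPIisSettings.DisableKerberos, AllowAnonymous and SecureBindings; SPDatabase.Username) behave as the comments describe; the page itself does not document them.

```powershell
# Added example, not part of the TechNet book: audit the security configuration of
# every content Web application in the farm through the WSS 3.0 object model.
# Assumptions: runs on a farm server as a farm administrator; the SPIisSettings and
# SPDatabase members used below behave as described in the comments.
[void][System.Reflection.Assembly]::LoadWithPartialName("Microsoft.SharePoint")

function Get-WebApplicationSecurityAudit {
    $contentService = [Microsoft.SharePoint.Administration.SPWebService]::ContentService
    # Identity of the Central Administration application pool (the server farm account).
    $farmIdentity = [Microsoft.SharePoint.Administration.SPAdministrationWebApplication]::Local.ApplicationPool.Username
    $zones       = [Enum]::GetValues([Microsoft.SharePoint.Administration.SPUrlZone])
    $identityUse = @{}   # application pool identity -> names of the Web applications using it
    $rows        = @()
    $findings    = @()

    foreach ($app in $contentService.WebApplications) {
        $identity = $app.ApplicationPool.Username
        if (-not $identityUse.ContainsKey($identity)) { $identityUse[$identity] = @() }
        $identityUse[$identity] += $app.Name
        if ($identity -eq $farmIdentity) {
            $findings += "$($app.Name): application pool runs as the server farm account ($identity); use a dedicated account"
        }

        foreach ($zone in $zones) {
            if (-not $app.IisSettings.ContainsKey($zone)) { continue }
            $iis = $app.IisSettings[$zone]
            # DisableKerberos is $true when the zone was created with the NTLM provider.
            $auth = if ($iis.DisableKerberos) { "NTLM" } else { "Negotiate (Kerberos)" }
            # An SSL certificate bound to the IIS site shows up as a secure binding.
            $ssl  = ($iis.SecureBindings.Count -gt 0)
            $rows += "{0} [{1}] auth={2} anonymous={3} ssl={4} pool={5}" -f $app.Name, $zone, $auth, $iis.AllowAnonymous, $ssl, $identity
            if ($iis.AllowAnonymous) {
                $findings += "$($app.Name) [$zone]: anonymous access is enabled (the IUSR account can reach the site)"
            }
            if (-not $ssl) {
                $findings += "$($app.Name) [$zone]: no SSL binding; traffic to this zone is not encrypted"
            }
        }

        foreach ($db in $app.ContentDatabases) {
            # SPDatabase.Username is set only when the database connection uses SQL authentication.
            if ($db.Username) {
                $findings += "$($app.Name): content database $($db.Name) uses SQL authentication as $($db.Username); Windows authentication is recommended"
            }
        }
    }

    foreach ($id in @($identityUse.Keys)) {
        if ($identityUse[$id].Count -gt 1) {
            $findings += "${id}: application pool identity shared by " + [string]::Join(", ", $identityUse[$id])
        }
    }
    return @{ Rows = $rows; Findings = $findings }
}

$audit = Get-WebApplicationSecurityAudit
$audit.Rows
if ($audit.Findings.Count -eq 0) { "No findings." }
else { $audit.Findings | ForEach-Object { "FINDING: $_" } }
```

The NTLM-versus-Kerberos column is reported rather than flagged: Kerberos needs Service Principal Names registered for the application pool account, so a zone on NTLM is a planning choice, not necessarily a mistake. Anonymous access, missing SSL and SQL authentication are flagged because the procedure above describes each as the less secure option.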

Create a site collection

1. On the SharePoint Central Administration home page, click the Application

Management tab on the top link bar.

2. On the Application Management page, in the SharePoint Site Management section,

click Create site collection.

3. On the Create Site Collection page, in the Web Application section, either select a Web

application to host the site collection from the Web Application drop-down list, or create

a new Web application to host the site collection.

4. In the Title and Description section, type a title and description for the site collection.

5. In the Web Site Address section, select a URL type, and specify a URL for the site

collection.

6. In the Template Selection section, select a template from the tabbed template control.

7. In the Primary Site Collection Administrator section, type the user account name for

the user you want to be the primary administrator for the site collection. You can also

browse for the user account by clicking the Book icon to the right of the text box. You can

verify the user account by clicking the Check Names icon to the right of the text box.

8. Optionally, in the Secondary Site Collection Administrator section, type the user

account for the user you want to be the secondary administrator for the site collection.

You can also browse for the user account by clicking the Book icon to the right of the text


box. You can verify the user account by clicking the Check Names icon to the right of the

text box.

9. Click Create to create the site collection.

For information about how to perform this procedure using the Stsadm command-line

tool, see Createsite: Stsadm operation (http://technet.microsoft.com/en-

us/library/cc262594.aspx).

Create a SharePoint site

1. On the SharePoint Central Administration home page, click the Application

Management tab on the top link bar.

2. On the Application Management page, in the SharePoint Site Management section,

click Site collection list.

3. On the Site Collection List page, in the URL column, click the URL for the site collection

to which you want to add a site. The full URL path for the site collection appears in the

URL box.

4. Copy and paste the full URL path into your browser, and then, on the home page of the

top-level site for the site collection, on the Site Actions menu, click Create.

5. On the Create page, in the Web Pages section, click Sites and Workspaces.

6. On the New SharePoint Site page, in the Title and Description section, type a title and

description for the site.

7. In the Web Site Address section, specify a URL for the site.

8. In the Template Selection section, select a template from the tabbed template control.

9. Either change other settings, or click Create to create the site.

10. The new site opens.

After creating sites, you might want to configure alternate access mappings. Alternate access

mappings direct users to the correct URLs during their interaction with Office SharePoint Server

2007 (while browsing to the home page of an Office SharePoint Server 2007 Web site, for

example). Alternate access mappings enable Office SharePoint Server 2007 to map Web

requests to the correct Web applications and sites, and they enable Office SharePoint Server

2007 to serve the correct content back to the user. For more information, see Plan alternate

access mappings (http://technet.microsoft.com/en-us/library/cc261814.aspx).

For information about how to perform this procedure using the Stsadm command-line tool, see

Createsite: Stsadm operation (http://technet.microsoft.com/en-us/library/cc262594.aspx).

Configure the trace log

The trace log can be useful for analyzing problems that might occur. You can use events that are

written to the trace log to identify what configuration changes were made in Office SharePoint

Server 2007 before the problem occurred.


By default, Office SharePoint Server 2007 saves two days of events in the trace log files. This

means that trace log files that contain events that are older than two days are deleted. Whether

you are using the Office SharePoint Server Search service or the Windows SharePoint Services

Search service, we recommend that you configure the trace log to save seven days of events.

You can use the Diagnostic Logging page in Central Administration to configure the maximum

number of trace log files to maintain and how long (in minutes) to capture events to each log file.

By default, 96 log files are kept, each one containing 30 minutes of events.

96 log files * 30 minutes of events per file = 2880 minutes or two days of events.

You can also specify the location where the log files are written or accept the default path.

Configure the trace log to save seven days of events

1. In Central Administration, on the Operations tab, in the Logging and Reporting section,

click Diagnostic logging.

2. On the Diagnostic Logging page, in the Trace Log section, do the following:

In the Number of log files box, type 336.

In the Number of minutes to use a log file box, type 30.

Tip:

To save 10,080 minutes (seven days) of events, you can use any combination of number of log files and minutes per log file whose product is 10,080 (for example, 168 log files of 60 minutes each).

3. Ensure that the path specified in the Path box has enough room to store the extra log

files or change the path to another location.

Tip:

We recommend that you store log files on a hard drive partition that is used to

store log files only.

4. Click OK.

Trace log files can help you to troubleshoot issues related to configuration changes of either the

Office SharePoint Server Search service or the Windows SharePoint Services Search service.

Because problems related to configuration changes are not always immediately discovered, we

recommend that you save all trace log files that the system creates on any day that you make any

configuration changes related to either search service. Store these log files for an extended

period of time in a safe location that will not be overwritten. See step 3 in the previous procedure

to determine the location that the system stores trace log files for your system.

For information about how to perform this procedure using the Stsadm command-line tool, see

Logging and events: Stsadm operations (http://technet.microsoft.com/en-

us/library/cc262191.aspx).


Deploy using DBA-created databases

In this topic:

About deploying by using DBA-created databases

Required database hardware and software

Required accounts

Create and configure the databases

About deploying by using DBA-created databases

In many IT environments, database administrators (DBAs) create and manage databases.

Security policies and other policies in your organization might require that DBAs create the

databases required by Microsoft Office SharePoint Server 2007.

This section discusses how DBAs can create these databases and farm administrators configure

them. This section describes how to deploy Office SharePoint Server 2007 in an environment in

which DBAs create and manage databases. The deployment includes all the required databases,

one portal site, a Shared Services Administration Web site, My Sites, and one Shared Services

Provider (SSP). This section only applies to farms that use Microsoft SQL Server 2000 with the

most recent service pack or Microsoft SQL Server 2005 database software.

Some procedures in this section use the Psconfig or Stsadm command-line tools. These tools are

located in the following folder: Program Files\Common Files\Microsoft Shared\web server

extensions\12\BIN.

Note:

This section does not cover using the Office SharePoint Server 2007 graphical user

interface tools to create or configure databases. For information about creating and

configuring databases by using the Office SharePoint Server 2007 graphical user

interface tools, see Deploy in a simple server farm.

Using these procedures, the DBA will create databases and the farm administrator will perform

other configuration actions in the following order:

The configuration database (only one per farm).

The content database for Central Administration (only one per farm).

Central Administration Web application (only one per farm, created by Setup).

The Windows SharePoint Services search database (only one per farm).

Start the Office SharePoint Search service.

For each portal site:

Portal site Web application content database.

For each SSP:


A content database for the My Sites Web application (if the SSP is using its own Web

application).

A content database for the Shared Services Administration Web application (if the SSP is

using its own Web application).

SSP Search database (one per SSP).

SSP Web application (created by Setup if the SSP is using its own Web application).

Note:

As part of the Web site and application pool creation process, a Web application is also

created in Internet Information Services (IIS). Extending a Web application will create an

additional Web site in IIS, but not an additional application pool.

Required database hardware and software

Before you install and configure the databases, be sure that your database servers have the

recommended hardware and software. For more information about these requirements, see

Determine hardware and software requirements (http://technet.microsoft.com/en-

us/library/cc262485.aspx).

There are also requirements specific to the database server, and, if you are using SQL Server

2005 database software, the DBA must configure surface area settings so that local and remote

connections use TCP/IP only.

All of the databases required by Office SharePoint Server 2007 use the

Latin1_General_CI_AS_KS_WS collation. All of the databases require that the Setup user

account be assigned to them as the database owner (dbo, or db_owner).

For more information about the security requirements for these databases, see Plan for

administrative and service accounts (http://technet.microsoft.com/en-us/library/cc263445.aspx).

Required accounts

The DBA needs to create SQL Server logins for the accounts that are used to access the databases for Office SharePoint Server 2007 and add them to the required SQL Server roles.

For more information about the required accounts, including specific permissions and roles

required for these accounts, see Plan for administrative and service accounts

(http://technet.microsoft.com/en-us/library/cc263445.aspx).


The following table describes the accounts that are used to access the databases for Office

SharePoint Server 2007.

SQL Server Service Account

Purpose: This account is used as the service account for the SQL Server services MSSQLSERVER and SQLSERVERAGENT. If you are not using the default instance, these services are shown as MSSQL$InstanceName and SQLAgent$InstanceName.

Requirements: SQL Server prompts for this account during SQL Server Setup. You have two options:

Assign one of the built-in system accounts (Local System, Network Service, or Local Service) to the logon for the configurable SQL Server services. For more information about these accounts and security considerations, see the Setting Up Windows Service Accounts topic (http://go.microsoft.com/fwlink/?LinkId=121664&clcid=0x409) in the SQL Server documentation.

Assign a domain user account to the logon for the service. If you use this option, you must also configure Service Principal Names (SPNs) for that account in Active Directory to support Kerberos authentication, which SQL Server uses.

Setup user account

Purpose: The Setup user account is used to run Setup on each server, the SharePoint Products and Technologies Configuration Wizard, the Psconfig command-line tool, and the Stsadm command-line tool.

Requirements: Domain user account. Member of the Administrators group on each server on which Setup is run. SQL Server login on the computer running SQL Server, and member of the securityadmin and dbcreator fixed server roles. If you run Stsadm commands that read from or write to a database, this account must also be a member of the db_owner fixed database role for that database.

Server farm account / Database access account

Purpose: The Server farm account acts as the application pool identity for the SharePoint Central Administration application pool and runs the Windows SharePoint Services Timer service.

Requirements: Domain user account. If the server farm is a child farm with Web applications that consume shared services from a larger farm, this account must be a member of the db_owner fixed database role on the configuration database of the larger farm. Additional permissions are automatically granted to this account on Web servers and application servers that are joined to a server farm. This account is automatically added as a SQL Server login on the computer running SQL Server and added to the dbcreator fixed server role, the securityadmin fixed server role, and the db_owner fixed database role for all databases in the server farm.

Note:
If you are using the least-privilege principle for added security, use a different account for each service, process, and application pool identity for each Web application. Each SSP will use two accounts, one for the SSP service account and one for the application pool identity for the Shared Services Administration Web application.

Create and configure the databases

Use the procedures in this section to create the required databases and give the accounts membership in the database Users security group and database roles.

The procedures require action by the DBA and the Setup user account. Each step is labeled [DBA] or [Setup] to indicate which role performs the action.

The following procedure will only have to be performed once for the farm, on the server you want to run the Central Administration Web site. The farm only has one configuration database and one content database for Central Administration.

Create and configure the configuration database, the Central Administration content database, and the Central Administration Web application

1. [DBA] Create the configuration database and the Central Administration content database using the LATIN1_General_CI_AS_KS_WS collation sequence and set the database owner (dbo) to be the Setup user account.

2. [Setup] Run Setup on each server computer in the farm. You must run Setup on at least one of these computers by using the Complete installation option.

Note:
The rest of the farm servers will be configured after the procedures in the article are finished and the farm is established. You will run the SharePoint Products and Technologies Configuration Wizard on these servers by selecting the Yes, I want to connect to an existing server farm option, instead of by using the commands used in this procedure.

3. [Setup] On the server on which you used the Complete installation option, do not run the SharePoint Products and Technologies Configuration Wizard after Setup. Instead open the command line, and then run the following command to configure the databases:

   Psconfig -cmd configdb -create -server <SqlServerName> -database <SqlDatabaseName> -user <DomainName\UserName> -password <password> -admincontentdatabase <SqlAdminContentDatabaseName>

Note:
<SqlDatabaseName> is the configuration database. -user is the server farm account. <SqlAdminContentDatabaseName> is the Central Administration content database.

4. [Setup] After the command has completed, run the SharePoint Products and Technologies Configuration Wizard and complete the remainder of the configuration for the server. This creates the Central Administration Web application and performs other setup and configuration tasks.

5. [DBA] After the SharePoint Products and Technologies Configuration Wizard has completed, perform the following actions for both the configuration database and the Central Administration content database:
   - Add the Office SharePoint Server Search account, default content access account, and the SSP service account to the Users group.
   - Add the Office SharePoint Server Search account, default content access account, and the SSP service account to the WSS_Content_Application_Pools role.

6. [Setup] To confirm that the databases were created and correctly configured, verify that the home page of the Central Administration Web site can be accessed. However, do not configure anything by using Central Administration at this time. If the Central Administration page does not render, verify the accounts used in this procedure and ensure that they are properly assigned.
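The [DBA] steps of the procedure above (step 1 and step 5), written out as T-SQL. This is an added example, not part of the Microsoft guide; the database names (SharePoint_Config, SharePoint_AdminContent) and the CONTOSO\... accounts are constructed placeholders, and the role name is a variable so the same loop also serves the later procedures, which grant db_owner instead of WSS_Content_Application_Pools.

```sql
-- Added example (not from the Microsoft guide): [DBA] steps for the
-- configuration database and Central Administration content database.
-- Run as a sysadmin in SQL Server Management Studio or sqlcmd.
-- All names below are constructed placeholders; substitute your own.

-- Step 1 [DBA]: create both databases with the required collation and make
-- the Setup user account the database owner (dbo).
CREATE DATABASE [SharePoint_Config]       COLLATE Latin1_General_CI_AS_KS_WS;
CREATE DATABASE [SharePoint_AdminContent] COLLATE Latin1_General_CI_AS_KS_WS;
GO

-- A principal must be a SQL Server login before it can own a database. The
-- Setup user account also needs securityadmin and dbcreator (see the table).
IF NOT EXISTS (SELECT 1 FROM sys.server_principals WHERE name = N'CONTOSO\sp_setup')
    CREATE LOGIN [CONTOSO\sp_setup] FROM WINDOWS;
EXEC sp_addsrvrolemember N'CONTOSO\sp_setup', N'securityadmin';
EXEC sp_addsrvrolemember N'CONTOSO\sp_setup', N'dbcreator';
ALTER AUTHORIZATION ON DATABASE::[SharePoint_Config]       TO [CONTOSO\sp_setup];
ALTER AUTHORIZATION ON DATABASE::[SharePoint_AdminContent] TO [CONTOSO\sp_setup];
GO

-- Step 5 [DBA]: run only after the SharePoint Products and Technologies
-- Configuration Wizard has finished, because the wizard creates the
-- WSS_Content_Application_Pools role. @role is a variable so the same loop
-- serves the later procedures, which add accounts to db_owner instead.
DECLARE @role sysname;
SET @role = N'WSS_Content_Application_Pools';

DECLARE @dbs TABLE (name sysname);
INSERT INTO @dbs
    SELECT N'SharePoint_Config' UNION ALL SELECT N'SharePoint_AdminContent';

DECLARE @accounts TABLE (name sysname);
INSERT INTO @accounts
    SELECT N'CONTOSO\sp_search'          -- Office SharePoint Server Search account
    UNION ALL SELECT N'CONTOSO\sp_crawl' -- default content access account
    UNION ALL SELECT N'CONTOSO\sp_ssp';  -- SSP service account

DECLARE @db sysname, @acct sysname, @sql nvarchar(max);

-- Every account needs a server-level login before it can become a database user.
DECLARE acct_cur CURSOR LOCAL FAST_FORWARD FOR SELECT name FROM @accounts;
OPEN acct_cur;
FETCH NEXT FROM acct_cur INTO @acct;
WHILE @@FETCH_STATUS = 0
BEGIN
    IF NOT EXISTS (SELECT 1 FROM sys.server_principals WHERE name = @acct)
    BEGIN
        SET @sql = N'CREATE LOGIN ' + QUOTENAME(@acct) + N' FROM WINDOWS;';
        EXEC sp_executesql @sql;
    END
    FETCH NEXT FROM acct_cur INTO @acct;
END
CLOSE acct_cur;
DEALLOCATE acct_cur;

-- For every (database, account) pair: add the account to the database Users
-- (CREATE USER) and then to the role. USE inside the dynamic batch scopes the
-- context change to that batch only.
DECLARE pair_cur CURSOR LOCAL FAST_FORWARD FOR
    SELECT d.name, a.name FROM @dbs AS d CROSS JOIN @accounts AS a;
OPEN pair_cur;
FETCH NEXT FROM pair_cur INTO @db, @acct;
WHILE @@FETCH_STATUS = 0
BEGIN
    SET @sql = N'USE ' + QUOTENAME(@db) + N';
        IF NOT EXISTS (SELECT 1 FROM sys.database_principals WHERE name = @acct)
            CREATE USER ' + QUOTENAME(@acct) + N' FOR LOGIN ' + QUOTENAME(@acct) + N';
        IF NOT EXISTS (SELECT 1 FROM sys.database_principals
                       WHERE name = @role AND type = ''R'')
            RAISERROR(N''Role %s does not exist in %s; run the Configuration Wizard first.'',
                      16, 1, @role, @dbname)
        ELSE
            EXEC sp_addrolemember @role, @acct;';
    EXEC sp_executesql @sql,
         N'@acct sysname, @role sysname, @dbname sysname',
         @acct = @acct, @role = @role, @dbname = @db;
    FETCH NEXT FROM pair_cur INTO @db, @acct;
END
CLOSE pair_cur;
DEALLOCATE pair_cur;
```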

The following procedure will only have to be performed once for the farm. The farm has only one Windows SharePoint Services search database.

Create and configure the Windows SharePoint Services Search database and start the Windows SharePoint Services Search service

1. [DBA] Create the Windows SharePoint Services Search database using the LATIN1_General_CI_AS_KS_WS collation sequence and set the database owner (dbo) to be the Setup user account.

2. [Setup] Open the command line, and then run the following command to configure the database and start the Windows SharePoint Services Search service:

   stsadm -o spsearch -action start -farmserviceaccount <DomainName\UserName> -farmservicepassword <password> -farmcontentaccessaccount <DomainName\UserName> -farmcontentaccesspassword <password> -databaseserver <server\instance> -databasename <DatabaseName>

Note:
-farmserviceaccount is the server farm account. -farmcontentaccessaccount is the Office SharePoint Services Search service account. For -databaseserver, if you are using the default instance of SQL Server, you only have to specify the name of the computer running SQL Server.

The following procedure must be performed once for each server running indexing or search queries in the farm.

Start the Office SharePoint Server Search service on each server that will run search queries or indexing

1. [Setup] Open the command line, and then run the following command:

   stsadm -o osearch -action start -role <OsearchRole> -farmcontactemail <FarmContactEmail> -farmserviceaccount <DomainName\UserName> -farmservicepassword <password>

   For additional information, see Osearch: Stsadm operation (http://technet.microsoft.com/en-us/library/cc262920.aspx).

Note:
farmserviceaccount is the server farm account. role specifies what type of server role the server plays. The values for OsearchRole can be "Index", "Query", or "IndexQuery". For more information about these options, see Add query servers to expand a farm (http://technet.microsoft.com/en-us/library/cc297192.aspx).

The following procedure will only have to be performed once for the farm. The farm only has one My Sites database. The My Sites Web application typically is hosted by its own SSP.

Create and configure the content database and Web application for My Sites

1. [DBA] Create the My Sites content database using the LATIN1_General_CI_AS_KS_WS collation sequence and set the database owner (dbo) to be the Setup user account.

2. [DBA] Add the SSP service account to the db_owner role for the My Sites Web application content database.

3. [Setup] Open the command line, and then run the following command to configure the My Sites content database:

   stsadm.exe -o extendvs -url <url> -donotcreatesite -exclusivelyusentlm -databaseserver <DatabaseServerName> -databasename <DatabaseName> -apidtype configurableid -description <IISWebSiteName> -apidname <AppPoolName> -apidlogin <DomainName\UserName> -apidpwd <password>

   For additional information, see Extendvs: Stsadm operation (http://technet.microsoft.com/en-us/library/cc263040.aspx).

Note:
url is the URL (in the form http://hostname:port) of the My Sites Web application. databasename is the content database for the My Sites Web application. description is the text name you give to the Web site in IIS. apidname is the text name that you give to the Web application pool in IIS. apidlogin is the identity for the application pool in IIS. This is the application pool process account. If you are using Kerberos v5 authentication rather than NTLM authentication, use the negotiate parameter rather than the exclusivelyusentlm parameter.

Important:
This command must be run on the same computer that is indicated in the url parameter. This is the same computer that is running the My Sites Web application. The host name and port combination must not describe a Web application that already exists or an error will result without creating the Web application.

4. [Setup] Open the command line, and then run the following command to restart IIS:

   iisreset /noforce

You must create a Shared Services Administration site Web application for every SSP in the farm.

Create the content database and the Web application for the Shared Services Administration site

1. [DBA] Create the Shared Services Administration site content database using the LATIN1_General_CI_AS_KS_WS collation sequence and set the database owner (dbo) to be the Setup user account.

2. [DBA] Using SQL Server Management Studio, add the SSP service account to the Users group and then to the db_owner role for the Shared Services Administration site content database.

3. [Setup] Open the command line, and then run the following command to create the Shared Services Administration site Web application and configure the content database:

   stsadm.exe -o extendvs -url <url> -donotcreatesite -exclusivelyusentlm -databaseserver <DatabaseServerName> -databasename <DatabaseName> -apidtype configurableid -description <IISWebSiteName> -apidname <AppPoolName> -apidlogin <DomainName\UserName> -apidpwd <password>

   For additional information, see Extendvs: Stsadm operation (http://technet.microsoft.com/en-us/library/cc263040.aspx).

Note:
url is the URL (in the form http://hostname:port) of the Shared Services Administration site Web application. databasename is the content database for the Shared Services Administration site Web application. description is the text name you give to the Web site in IIS. apidname is the text name that you give to the application pool in IIS. apidlogin is the identity for the application pool in IIS. This is the application pool process account. If you are using Kerberos v5 authentication rather than NTLM authentication, use the negotiate parameter rather than the exclusivelyusentlm parameter.

Important:
This command must be run on the same computer that is indicated in the url parameter. This is the same computer that is running the Shared Services Administration Web application. The host name and port combination must not describe a Web application that already exists or an error results and the Web application is not created.

4. [Setup] Open the command line, and then run the following command to restart IIS:

   iisreset /noforce

The following procedure will have to be performed once for each portal site in the farm.

Create and configure the portal site Web application content database

1. [DBA] Create the portal site Web application content database using the LATIN1_General_CI_AS_KS_WS collation sequence and set the database owner (dbo) to be the Setup user account.

2. [DBA] Using Microsoft SQL Server Management Studio, add the SSP Service account to the Users group and then to the db_owner role for the portal site Web application content database.

3. [Setup] Open the command line, and then run the following command to configure the portal site Web application content database:

   stsadm.exe -o extendvs -url <url> -donotcreatesite -exclusivelyusentlm -databaseserver <DatabaseServerName> -databasename <DatabaseName> -apidtype configurableid -description <IISWebSiteName> -apidname <AppPoolName> -apidlogin <DomainName\UserName> -apidpwd <password>

   For additional information, see Extendvs: Stsadm operation (http://technet.microsoft.com/en-us/library/cc263040.aspx).

Note:
url is the URL (in the form http://hostname:port) of the portal site Web application. databasename is the content database for the portal site Web application. description is the text name you give to the Web site in IIS. apidname is the text name that you give to the Web application pool in IIS. apidlogin is the identity for the application pool in IIS. This is the application pool process account. If you are using Kerberos v5 authentication rather than NTLM authentication, use the negotiate parameter rather than the exclusivelyusentlm parameter.

Important:
This command must be run on the same computer that is indicated in the url parameter. This is the same computer that is running the Web application. The host name and port combination must not describe a Web application that already exists or an error results and the Web application is not created.

4. [Setup] Open the command line, and then run the following command to restart IIS:

   iisreset /noforce

The following procedure must be performed once for each SSP in the farm.

Create and configure the SSP content database and SSP Search database, and then create and configure the SSP

1. [DBA] Create the SSP content database and the SSP Search database using the LATIN1_General_CI_AS_KS_WS collation sequence and set the database owner (dbo) to be the Setup user account.

2. [DBA] Using Microsoft SQL Server Management Studio, add the following accounts to the Users group and then to the db_owner role in both databases:
   - Server farm account
   - SSP Service account
   - Windows SharePoint Services Search service account
   - Office SharePoint Server Search service account
   - Application pool process account. This is the Web application pool identity for each Web application associated with the SSP. In this section, these are the Shared Services Administration Web application and the My Sites site Web application.

3. [Setup] Open the command line, and then run the following command to create the SSP (the SSP will use the DBA-created SSP content database and the SSP Search database):

   stsadm -o createssp -title <SSPName> -url <url> -mysiteurl <url> -ssplogin <UserName> -ssppassword <password> -indexserver <IndexServerName> -indexlocation <IndexFilePath> -sspdatabaseserver <SSPDatabaseServerName> -sspdatabasename <SSPDatabaseName> -searchdatabaseserver <SearchDatabaseServer> -searchdatabasename <SearchDatabaseName>

   For additional information, see Createssp: STSadm operation (http://technet.microsoft.com/en-us/library/cc262773.aspx).

Note:
url is the URL (in the format http://hostname:port/ssp/admin) of the Shared Services Administration site. mysiteurl is the URL (in the format http://hostname:port) of the My Sites Web site. ssplogin is the SSP service account in the format domain\username. indexserver is the name of the server that the index is hosted on. indexlocation is the directory on the index server where the farm administrator specified the index to be stored. By default this is SystemDrive:\Program Files\Microsoft Office Servers\12.0\Data\Office Server\Applications.

Important:
This command must be run on the same computer that is indicated in the url parameter. This is the same computer that is running the Web applications. In this section, this is the server where the Shared Services Administration site Web application and the My Sites Web application are running.

Note:
For more information about properly sizing these databases, see Estimate performance and capacity requirements (http://technet.microsoft.com/en-us/library/cc261716.aspx) and Estimate performance and capacity requirements for portal collaboration environments (http://technet.microsoft.com/en-us/library/cc263100.aspx).

Deploy a simple farm on the Windows Server 2008 operating system

In this section:
   - Deployment overview
   - Deploy and configure the server infrastructure
   - Perform additional configuration tasks
   - Create a site collection and a SharePoint site
   - Configure the trace log

As of the release of Microsoft Office SharePoint Server 2007 Service Pack 1 (SP1), you can install Office SharePoint Server 2007 on a server running Windows Server 2008. As with the Windows Server 2003 operating system, you must download and run Setup and the SharePoint Products and Technologies Configuration Wizard. You cannot install Office SharePoint Server 2007 without service packs on Windows Server 2008.

Important:
Office SharePoint Server 2007 requires the following components: the Web Server role, Windows Internal Database, and the Microsoft .NET Framework. Office SharePoint Server 2007 will cease to run if you uninstall these components.

Deployment overview

You can deploy Office SharePoint Server 2007 in a server farm environment if you are hosting a large number of sites, if you want the best possible performance, or if you want the scalability of a multi-tier topology. A server farm consists of one or more servers dedicated to running Office SharePoint Server 2007.

Note:
There is no direct upgrade from a stand-alone installation to a farm installation.

Important:
This section discusses how to perform a clean installation of Office SharePoint Server 2007 with SP1 in a server farm environment on Windows Server 2008. It does not cover upgrading the operating system from Windows Server 2003 to Windows Server 2008.

Note:
This section does not cover installing Office SharePoint Server 2007 on a single computer as a stand-alone installation on Windows Server 2008. For more information, see Perform a stand-alone installation of Office SharePoint Server 2007 on Windows Server 2008.

Because a server farm deployment of Office SharePoint Server 2007 is more complex than a stand-alone deployment, we recommend that you plan your deployment. Planning your deployment can help you to gather the information you need and to make important decisions before beginning to deploy. For information about planning, see Planning and architecture for Office SharePoint Server 2007 (http://technet.microsoft.com/en-us/library/cc261834.aspx).

Deploying Office SharePoint Server 2007 in a DBA environment

In many IT environments, database creation and management are handled by the database administrator (DBA). Security and other policies might require that the DBA create the databases required by Office SharePoint Server 2007. For more information about deploying using DBA-created databases, including detailed procedures that describe how the DBA can create these databases, see Deploy using DBA-created databases.

Suggested topologies

Server farm environments can encompass a wide range of topologies and can include many servers or as few as two servers.

A server farm typically consists of a database server and one or more servers running Internet Information Services (IIS) and Office SharePoint Server 2007. In this configuration, the front-end servers are configured as Web servers. The Web server role provides Web content and services such as search.

A large server farm typically consists of two or more clustered database servers, several load-balanced front-end Web servers running IIS and Office SharePoint Server 2007, and two or more servers providing Search services.

When you install Office SharePoint Server 2007, you can decide if you want to perform a complete installation, which results in an application server, or to install just a front-end Web server. The main difference between an application server installation and a front-end Web server installation is the ability to run services such as the Search service. Since the front-end Web server installation is a subset of the application server installation, if necessary, you can use an application server as a front-end Web server; however, you should note that this configuration increases the attack surface area on the server.

Before you begin deployment

This section provides information about actions that you must perform before you begin deployment.

To deploy Office SharePoint Server 2007 in a server farm environment on computers running Windows Server 2008, you must provide credentials for several different accounts. For information about these accounts, see Plan for administrative and service accounts (http://technet.microsoft.com/en-us/library/cc263445.aspx).

All the Office SharePoint Server 2007 installations in the server farm must be in the same language. For example, you cannot have both an English version of Office SharePoint Server 2007 and a Japanese version of Office SharePoint Server 2007 in the same server farm.

Note:
We recommend that you read the Known Issues and the Readme documentation before you install Office SharePoint Server 2007 on a domain controller. Installing Office SharePoint Server 2007 on a domain controller requires additional configuration steps that are not discussed in this section.

All of the Office SharePoint Server 2007 installations must be running the same software update. For example, if one of the servers is updated to Post Service Pack 1 rollup, you should update all of the Office SharePoint Server 2007 servers in the server farm to that software update.

Overview of the deployment process

The deployment process consists of two phases: deploying and configuring the server infrastructure, and deploying and configuring SharePoint site collections and sites.

Phase 1: Deploy and configure the server infrastructure

Deploying and configuring the server infrastructure consists of the following steps:
   - Preparing the database server.
   - Pre-installing databases (optional).
   - Verifying that the servers meet hardware and software requirements.
   - Running Setup on all servers you want to be in the server farm, installing SP1, and then running the SharePoint Products and Technologies Configuration Wizard.
   - Starting the Windows SharePoint Services Search service. This is an optional step, but we recommend you start the Search service because it is used to search the Office SharePoint Server 2007 Help.

Phase 2: Deploy and configure SharePoint site collections and sites

Deploying and configuring SharePoint site collections and sites consists of the following steps:
   - Creating site collections.
   - Creating SharePoint sites.

Deploy and configure the server infrastructure

Prepare the database server

The Office SharePoint Server 2007 Setup program automatically creates the necessary databases when you install and configure Office SharePoint Server 2007. Optionally, if your IT environment or policies require, you can preinstall the required databases.

For more information about prerequisites, see Determine hardware and software requirements (http://technet.microsoft.com/en-us/library/cc262485.aspx).

We recommend that you run Microsoft SQL Server 2005 on the database server. However, both Microsoft SQL Server 2005 and Microsoft SQL Server 2000 database software with the most recent service pack are supported. If you are using SQL Server 2005, you must also change the surface area settings.

Configure surface area settings in SQL Server 2005

1. Click Start, point to All Programs, point to Microsoft SQL Server 2005, point to Configuration Tools, and then click SQL Server Surface Area Configuration.

2. In the SQL Server 2005 Surface Area Configuration dialog box, click Surface Area Configuration for Services and Connections.

3. In the tree view, expand the node for your instance of SQL Server, expand the Database Engine node, and then click Remote Connections.

4. Select Local and Remote Connections, select Using both TCP/IP and named pipes, and then click OK.

SQL Server and database collation

The SQL Server collation must be configured to be case-insensitive. The SQL Server database collation must be configured to be case-insensitive, accent-sensitive, Kana-sensitive, and width-sensitive. This is used to ensure file name uniqueness consistent with the Windows operating system. For more information about collations, see Selecting a SQL Collation (http://go.microsoft.com/fwlink/?LinkId=121667&clcid=0x409) or Collation Settings in Setup (http://go.microsoft.com/fwlink/?LinkId=121669&clcid=0x409) in SQL Server 2005 Books Online.
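A verification script for these collation requirements, which also reports each farm database's owner (dbo) and the members of db_owner and WSS_Content_Application_Pools so that the "verify the accounts" check in the DBA-created databases procedure earlier in this book can be done from one query. This is an added example, not from the Microsoft guide; the SharePoint[_]% name filter is an assumption about your database naming convention.

```sql
-- Added verification script (not from the Microsoft guide). Run it as a DBA
-- after the farm databases exist. The 'SharePoint[_]%' name filter is an
-- assumption about your naming convention; adjust it to your databases.

-- 1. Server collation must be case-insensitive (a CI token in the name).
SELECT CAST(SERVERPROPERTY('Collation') AS nvarchar(128)) AS server_collation,
       CASE WHEN N'_' + CAST(SERVERPROPERTY('Collation') AS nvarchar(128)) + N'_'
                 LIKE N'%[_]CI[_]%'
            THEN 'OK' ELSE 'FAIL: server collation is not case-insensitive'
       END AS server_collation_check;

-- 2. Each farm database must be CI, AS, KS and WS, and owned (dbo) by the
--    Setup user account. Padding the name with '_' on both ends lets a token at
--    the end of the name (for example a trailing AS) be tested the same way
--    as one in the middle.
SELECT d.name,
       d.collation_name,
       SUSER_SNAME(d.owner_sid) AS database_owner,
       CASE WHEN N'_' + d.collation_name + N'_' LIKE N'%[_]CI[_]%'
             AND N'_' + d.collation_name + N'_' LIKE N'%[_]AS[_]%'
             AND N'_' + d.collation_name + N'_' LIKE N'%[_]KS[_]%'
             AND N'_' + d.collation_name + N'_' LIKE N'%[_]WS[_]%'
            THEN 'OK' ELSE 'FAIL: needs CI, AS, KS and WS'
       END AS collation_check
FROM sys.databases AS d
WHERE d.name LIKE N'SharePoint[_]%'
ORDER BY d.name;

-- 3. Which database users hold db_owner or WSS_Content_Application_Pools in
--    each farm database. sys.database_role_members is per database, so the
--    query runs in each one and the rows are collected in a temporary table.
CREATE TABLE #role_membership (
    database_name sysname, role_name sysname, member_name sysname);

DECLARE @db sysname, @sql nvarchar(max);
DECLARE db_cur CURSOR LOCAL FAST_FORWARD FOR
    SELECT name FROM sys.databases
    WHERE name LIKE N'SharePoint[_]%' AND state_desc = N'ONLINE';
OPEN db_cur;
FETCH NEXT FROM db_cur INTO @db;
WHILE @@FETCH_STATUS = 0
BEGIN
    SET @sql = N'USE ' + QUOTENAME(@db) + N';
        INSERT INTO #role_membership (database_name, role_name, member_name)
        SELECT DB_NAME(), r.name, m.name
        FROM sys.database_role_members AS rm
        JOIN sys.database_principals AS r ON r.principal_id = rm.role_principal_id
        JOIN sys.database_principals AS m ON m.principal_id = rm.member_principal_id
        WHERE r.name IN (N''db_owner'', N''WSS_Content_Application_Pools'');';
    EXEC sp_executesql @sql;
    FETCH NEXT FROM db_cur INTO @db;
END
CLOSE db_cur;
DEALLOCATE db_cur;

SELECT database_name, role_name, member_name
FROM #role_membership
ORDER BY database_name, role_name, member_name;
DROP TABLE #role_membership;
```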

Required accounts

The following table lists the accounts used to configure SQL Server and to install Office SharePoint Server 2007. For detailed information about the required accounts, including specific role memberships and permissions required for these accounts, see Plan for administrative and service accounts (http://technet.microsoft.com/en-us/library/cc263445.aspx).

Account: SQL Server Service Account
Purpose: This account is used as the service account for the following SQL Server services: MSSQLSERVER and SQLSERVERAGENT. If you are not using the default instance, these services will be shown as MSSQL$InstanceName and SQLAgent$InstanceName.
Requirements: SQL Server prompts for this account during SQL Server Setup. You have two options:
   - Assign one of the built-in system accounts (Local System, Network Service, or Local Service) to the logon for the configurable SQL Server services. For more information about these accounts and security considerations, refer to the Setting Up Windows Service Accounts topic (http://go.microsoft.com/fwlink/?LinkId=121664&clcid=0x409) in the SQL Server documentation.
   - Assign a domain user account to the logon for the service. However, if you use this option you must take the additional steps required to configure Service Principal Names (SPNs) in Active Directory in order to support Kerberos authentication, which SQL Server uses.

Account: Setup user account
Purpose: The Setup user account is used to run the following:
   - Setup on each server
   - The SharePoint Products and Technologies Configuration Wizard
   - The PSConfig command-line tool
   - The Stsadm command-line tool
Requirements:
   - Domain user account
   - Member of the Administrators group on each server on which Setup is run
   - SQL Server login on the computer running SQL Server
   - Member of the following SQL Server security roles: securityadmin fixed server role; dbcreator fixed server role
   If you run Stsadm command-line tool commands that read from or write to a database, this account must be a member of the db_owner fixed database role for the database.

Account: Server farm account/Database access account
Purpose: The Server farm account is used to:
   - Act as the application pool identity for the SharePoint Central Administration application pool.
   - Run the Windows SharePoint Services Timer service.
Requirements: Domain user account. If the server farm is a child farm with Web applications that consume shared services from a larger farm, this account must be a member of the db_owner fixed database role on the configuration database of the larger farm. Additional permissions are automatically granted for this account on Web servers and application servers that are joined to a server farm. This account is automatically added as a SQL Server login on the computer running SQL Server and added to the following SQL Server security roles:
   - dbcreator fixed server role
   - securityadmin fixed server role
   - db_owner fixed database role for all databases in the server farm

If you use a domain user account for the SQL Server service account, you must make sure that a valid service principal name (SPN) for that account and instance of SQL Server on the database server exists in your environment. This is the case regardless of whether you use NTLM or Kerberos authentication for Office SharePoint Server 2007.

You must configure the SPN for that account in the domain using the Setspn.exe command-line tool. Setspn.exe is installed by default on computers running Windows Server 2008. Run the following command on a computer that is joined to the same domain as the user/service account.

   setspn -a http/<farmclusterdnsname> <serviceaccountname>

You only have to complete this task once for this account.

Verify that servers meet hardware and software requirements

Before you install and configure Office SharePoint Server 2007, be sure that your servers have the recommended hardware and software. To deploy a server farm, you need at least one server computer acting as a Web server and an application server, and one server computer acting as a database server. For more information about these requirements, see Determine hardware and software requirements (http://technet.microsoft.com/en-us/library/cc262485.aspx). Also, make sure the Management Compatibility role service is added to your server and the .NET Framework is installed, as described below.

Important:
Office SharePoint Server 2007 requires Active Directory Domain Services for farm deployments in a Windows Server 2008 environment.

IIS 6.0 Management Compatibility role service

If you use the Windows Server 2008 Server Manager to perform a default Internet Information Services (IIS) 7.0 installation, the IIS 6.0 Management Compatibility role service is not included. Since this is a required role service, you must use the following procedure.

Add the IIS 6.0 Management Compatibility role service

1. Click Start, point to Administrative Tools, and then click Server Manager.

2. In the left navigation pane, expand Roles, and then right-click Web Server (IIS) and select Add Role Services.

3. In the Add Role Services wizard, in the Role services area, select IIS 6 Management Compatibility.

4. In the Select Role Services pane, click Next, and then in the Confirm Installations Selections pane, click Install.

5. To complete the Add Role Services wizard, click Close.

Install Microsoft .NET Framework

Before you install Office SharePoint Server 2007 on Windows Server 2008, you must install the Microsoft .NET Framework. You do not need to install the Web Server role or the Windows Process Activation Service; these are installed automatically, along with the Windows Internal Database, when you install Office SharePoint Server 2007 SP1. Use the following procedure to install Microsoft .NET Framework version 3.0.

Install Microsoft .NET Framework version 3.0

1. Click Start, point to Administrative Tools, and then click Server Manager.

2. In Server Manager, on the Action menu, click Add features.

3. In the Features list, select the .NET Framework 3.0 Features check box, and then click Next.

4. Follow the wizard steps to install Microsoft .NET Framework version 3.0.

Note:
You can also use the Microsoft .NET Framework version 3.5. You can download the .NET Framework version 3.5 from the Microsoft Web site (http://go.microsoft.com/fwlink/?LinkId=110508).

Run Setup on all servers in the farm

You can only install Office SharePoint Server 2007 with SP1 on Windows Server 2008, so on each server in the server farm you must run the Office SharePoint Server 2007 Setup and then install SP1 before you run the SharePoint Products and Technologies Configuration Wizard. To save time and effort on setup tasks, we recommend that you create a slipstreamed installation source for Office SharePoint Server 2007. This installation source must include the files from both Windows SharePoint Services 3.0 SP1 and Office SharePoint Server 2007 SP1. For more information about using the updates folder to create a slipstreamed source, see the topic Create an installation source that includes software updates (http://technet.microsoft.com/en-us/library/cc261890.aspx).

Note:
If you have not created an updated installation source, you must first install Office SharePoint Server 2007 without any software updates, and then, without running the SharePoint Products and Technologies Configuration Wizard at the end of the installation, install SP1. After the installations are complete, you can run the SharePoint Products and Technologies Configuration Wizard.

The server farm is established when you configure Office SharePoint Server 2007 on the first server. You must join additional servers in the server farm to this farm.

Setting up the first server involves two steps: installing the Office SharePoint Server 2007 and SP1 components on the server, and configuring the farm. After Setup finishes, you can use the SharePoint Products and Technologies Configuration Wizard to configure Office SharePoint Server 2007. The SharePoint Products and Technologies Configuration Wizard automates several configuration tasks, including installing and configuring the configuration database, installing Office SharePoint Server 2007 services, and creating the Central Administration Web site.

The first server

We recommend that you install and configure Office SharePoint Server 2007 and Office SharePoint Server 2007 SP1 on all of the servers in your server farm before you configure Office SharePoint Server 2007 services and create sites. You must have SQL Server database software running on at least one back-end database server before you install Office SharePoint Server 2007 on your farm servers.

Note:
Setup installs the Central Administration Web site on the first server on which you run Setup. Therefore, we recommend that the first server on which you install Office SharePoint Server 2007 be a server on which you want to run the Central Administration Web site.

Page 81: AF010163853

65

Run Setup on the first server

1. From the slipstreamed installation source, run Setup.exe on one of your Web servers. For more information about slipstreaming, see Create an installation source that includes software updates (http://technet.microsoft.com/en-us/library/cc261890.aspx).

2. On the Enter your Product Key page, enter your product key, and then click Continue.

Note:
Setup automatically verifies the product key, places a green check mark next to the text box, and enables the Continue button after it validates the key. If the key is not valid, Setup displays a red circle next to the text box and alerts you that the key is incorrect.

3. On the Read the Microsoft Software License Terms page, review the terms, select the I accept the terms of this agreement check box, and then click Continue.

4. On the Choose the installation you want page, click Advanced. (The Basic option is for stand-alone installations.)

5. On the Server Type tab, select Complete.

6. Optionally, to install Office SharePoint Server 2007 at a custom location, select the File Location tab, and then type the location or browse to the location.

7. Optionally, to participate in the Customer Experience Improvement Program, select the Feedback tab and select the option you want. To learn more about the program, click the link. You must have an Internet connection to view the program information.

8. When you have chosen the correct options, click Install Now.

9. When Setup finishes, a dialog box prompts you to complete the configuration of your server. Be sure that the Run the SharePoint Products and Technologies Configuration Wizard now check box is not selected.

10. Click Close.

Note:
You should wait to run the SharePoint Products and Technologies Configuration Wizard until you have installed Office SharePoint Server 2007 and Office SharePoint Server 2007 SP1 and performed the rest of the procedures in this section on all the servers in the server farm.

Use the following procedure to add the SharePoint Central Administration Web site to the list of trusted sites.

Add the SharePoint Central Administration Web site to the list of trusted sites

1. In Windows Internet Explorer, on the Tools menu, click Internet Options.

2. On the Security tab, in the Select a Web content zone to specify its security settings box, click Trusted sites, and then click Sites.

3. Clear the Require server verification (https:) for all sites in this zone check box.

4. In the Add this Web site to the zone box, type the URL for the SharePoint Central Administration Web site, and then click Add.

5. Click Close to close the Trusted sites dialog box.

6. Click OK to close the Internet Options dialog box.

Use the following procedure to configure proxy server settings to bypass the proxy server for local addresses.

Configure proxy server settings to bypass the proxy server for local addresses

1. In Internet Explorer, on the Tools menu, click Internet Options.

2. On the Connections tab, in the Local Area Network (LAN) settings area, click LAN Settings.

3. In the Automatic configuration section, clear the Automatically detect settings check box.

4. In the Proxy Server section, select the Use a proxy server for your LAN check box.

5. Type the address of the proxy server in the Address box.

6. Type the port number of the proxy server in the Port box.

7. Select the Bypass proxy server for local addresses check box.

8. Click OK to close the Local Area Network (LAN) Settings dialog box.

9. Click OK to close the Internet Options dialog box.

Additional servers

We recommend that you install and configure Office SharePoint Server 2007 on all of your front-end Web servers and the index server before you configure Office SharePoint Server 2007 services and create sites. If you want to build a minimal server farm configuration and incrementally add front-end Web servers to expand the farm, you can install and configure Office SharePoint Server 2007 on a single Web server, and configure the Web server as both a front-end Web server and an application server. Regardless of how many servers you have in your server farm, you must have SQL Server 2005 running on at least one back-end database server before you install Office SharePoint Server 2007 on your front-end Web servers.

Important:
If you uninstall Office SharePoint Server 2007 from the first server on which you installed it, your farm might experience problems. It is not recommended that you install Office SharePoint Server 2007 on an index server first.

Run Setup on additional servers — front-end Web servers

1. From the slipstreamed installation source, run Setup.exe on one of your Web servers.

2. On the Enter your Product Key page, enter your product key, and then click Continue.

Note:
Setup automatically verifies the product key, places a green check mark next to the text box, and enables the Continue button after it validates the key. If the key is not valid, Setup displays a red circle next to the text box and prompts you that the key is incorrect.

3. On the Read the Microsoft Software License Terms page, review the terms, select the I accept the terms of this agreement check box, and then click Continue.

4. On the Choose the installation you want page, click Advanced.

5. On the Server Type tab, click Web Front End.

6. Optionally, to install Office SharePoint Server 2007 at a custom location, select the File Location tab, and then type the location or browse to the location.

7. Optionally, to participate in the Customer Experience Improvement Program, select the Feedback tab and select the option you want. To learn more about the program, click the link. You must have an Internet connection to view the program information.

8. When you have chosen the correct options, click Install Now.

9. When Setup finishes, a dialog box prompts you to complete the configuration of your server. Be sure that the Run the SharePoint Products and Technologies Configuration Wizard now check box is selected.

10. Click Close to start the configuration wizard. Instructions for completing the wizard are provided in the following section.

Use the following procedure to run Setup on additional servers in your server farm.

Run Setup on additional servers — index or query server

1. From the slipstreamed installation source, run Setup.exe on one of your Web servers.

2. On the Enter your Product Key page, enter your product key, and then click Continue.

Note:
Setup automatically verifies the product key, places a green check mark next to the text box, and enables the Continue button after it validates the key. If the key is not valid, Setup displays a red circle next to the text box and prompts you that the key is incorrect.

3. On the Read the Microsoft Software License Terms page, review the terms, select the I accept the terms of this agreement check box, and then click Continue.

4. On the Choose the installation you want page, click Advanced.

5. On the Server Type tab, click Complete.

6. Optionally, to install Office SharePoint Server 2007 at a custom location, select the File Location tab, and then type the location or browse to the location.

7. Optionally, to participate in the Customer Experience Improvement Program, select the Feedback tab and select the option you want. To learn more about the program, click the link. You must have an Internet connection to view the program information.

8. When you have chosen the correct options, click Install Now.

9. When Setup finishes, a dialog box prompts you to complete the configuration of your server. Be sure that the Run the SharePoint Products and Technologies Configuration Wizard now check box is selected.

10. Click Close to start the configuration wizard. Instructions for completing the wizard are provided in the next set of steps.

Run the SharePoint Products and Technologies Configuration Wizard

After you have run Setup and both Office SharePoint Server 2007 and Office SharePoint Server 2007 SP1 are installed on all the servers in your server farm, you can use the SharePoint Products and Technologies Configuration Wizard to configure Office SharePoint Server 2007. The configuration wizard automates several configuration tasks, including installing and configuring the configuration database, installing Office SharePoint Server 2007 services, and creating the Central Administration Web site. Use the following instructions to run the SharePoint Products and Technologies Configuration Wizard.

Run the SharePoint Products and Technologies Configuration Wizard to configure Office SharePoint Server 2007

1. Click Start, point to All Programs, point to Administrative Tools, and then click SharePoint Products and Technologies Configuration Wizard.

2. On the Welcome to SharePoint Products and Technologies page, click Next.

3. In the dialog box that notifies you that some services might need to be restarted during configuration, click Yes.

4. On the Connect to a server farm page, click No, I want to create a new server farm, and then click Next.

5. In the Specify Configuration Database Settings dialog box, in the Database server box, type the name of the computer that is running SQL Server.

6. Type a name for your configuration database in the Database name box, or use the default database name. The default name is SharePoint_Config.

7. In the User name box, type the user name of the server farm account. (Be sure to type the user name in the format <DOMAIN>\<user name>.)

Important:
The server farm account is used to access your configuration database. It also acts as the application pool identity for the SharePoint Central Administration application pool, and it is the account under which the Windows SharePoint Services Timer service runs. The SharePoint Products and Technologies Configuration Wizard adds this account to the SQL Server Logins, the SQL Server Database Creator server role, and the SQL Server Security Administrators server role. The user account that you specify as the service account must be a domain user account, but it does not need to be a member of any specific security group on your Web servers or your back-end database servers. We recommend that you follow the principle of least privilege, and specify a user account that is not a member of the Administrators group on your Web servers or your back-end servers.

8. In the Password box, type the user's password, and then click Next.

9. On the Configure SharePoint Central Administration Web Application page, if you want the SharePoint Central Administration Web application to use a specific port, select the Specify port number check box and type a port number; leave the Specify port number check box cleared if it does not matter which port number the SharePoint Central Administration Web application uses.

10. In the Configure SharePoint Central Administration Web Application dialog box, do one of the following:

- If you want to use NTLM authentication (the default), click Next.

- If you want to use Kerberos authentication, click Negotiate (Kerberos), and then click Next.

Note:
In most cases, use the default setting (NTLM). Use Negotiate (Kerberos) only if Kerberos authentication is supported in your environment. Using the Negotiate (Kerberos) option requires you to configure a service principal name (SPN) for the domain user account. To do this, you must be a member of the Domain Admins group. For more information, see How to configure a Windows SharePoint Services virtual server to use Kerberos authentication and how to switch from Kerberos authentication back to NTLM authentication (http://go.microsoft.com/fwlink/?LinkID=76570&clcid=0x409).

11. On the Completing the SharePoint Products and Technologies Configuration Wizard page, click Next.

12. On the Configuration Successful page, click Finish. The SharePoint Central Administration Web site home page opens.

Notes

- If you are prompted for your user name and password, you might need to add the SharePoint Central Administration Web site to the list of trusted sites, and configure user authentication settings in Internet Explorer. Instructions for configuring these settings are provided in the next set of steps.

- If a proxy server error message appears, you might need to configure your proxy server settings so that local addresses bypass the proxy server. Instructions for configuring this setting are provided later in this section.
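One way to register the SPN that the Kerberos note in step 10 calls for, as an added PowerShell example that is not part of the TechNet book. The farm account and host names are placeholders, and it assumes the setspn.exe shipped with Windows Server 2008 (which has the -S switch); run it as a member of Domain Admins, as the note requires.

```powershell
# Added example, not from the TechNet book: register the HTTP service principal
# names that the Negotiate (Kerberos) option needs for the Central Administration
# application pool account, using setspn.exe.
# PLACEHOLDER values below are assumptions; replace them with your own.
$farmAccount = 'CONTOSO\spfarm'                         # PLACEHOLDER: <DOMAIN>\<user name> of the farm account
$hostNames   = @('spadmin01', 'spadmin01.contoso.com') # PLACEHOLDER: NetBIOS name and FQDN of the Central Administration server

function Get-AccountSpn {
    param([string]$Account)
    # 'setspn -L' lists the SPNs already registered on the account, one per
    # indented line; keep only the lines that look like service/host entries.
    $out = & setspn.exe -L $Account
    if ($LASTEXITCODE -ne 0) { throw "setspn -L failed for $Account" }
    $out | ForEach-Object { $_.Trim() } | Where-Object { $_ -match '^[A-Za-z]+/' }
}

function Register-HttpSpn {
    param([string]$Account, [string[]]$Hosts)
    # Browsers request a Kerberos ticket for HTTP/<host name typed in the URL>,
    # so both the NetBIOS name and the FQDN are registered on the application
    # pool account. Returns the SPNs that were added.
    $existing = @(Get-AccountSpn -Account $Account)
    $added = @()
    foreach ($h in $Hosts) {
        $spn = "HTTP/$h"
        if ($existing -contains $spn) {
            Write-Host "$spn is already registered on $Account"
            continue
        }
        # -S (setspn on Windows Server 2008) refuses to add the SPN if it is
        # already registered on another account; a duplicate SPN breaks Kerberos
        # for both accounts, so a failure here is worth investigating, not forcing.
        & setspn.exe -S $spn $Account | Out-Null
        if ($LASTEXITCODE -ne 0) {
            throw "setspn -S $spn $Account failed (duplicate SPN or insufficient rights)"
        }
        $added += $spn
    }
    return $added
}

Register-HttpSpn -Account $farmAccount -Hosts $hostNames
# Verify: the listing should now include an HTTP/<host> entry for each name.
Get-AccountSpn -Account $farmAccount
```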

Run the SharePoint Products and Technologies Configuration Wizard on additional servers

After Setup finishes, use the SharePoint Products and Technologies Configuration Wizard to configure Windows SharePoint Services 3.0. The configuration wizard automates several configuration tasks, including installing and configuring the configuration database, and installing Windows SharePoint Services 3.0 services. Use the following instructions to run the SharePoint Products and Technologies Configuration Wizard.

Run the SharePoint Products and Technologies Wizard

1. Click Start, point to All Programs, point to Administrative Tools, and then click SharePoint Products and Technologies Configuration Wizard.

2. On the Welcome to SharePoint Products and Technologies page, click Next.

3. Click Yes in the dialog box that notifies you that some services might need to be restarted during configuration.

4. On the Connect to a server farm page, click Yes, I want to connect to an existing server farm, and then click Next.

5. In the Specify Configuration Database Settings dialog box, in the Database server box, type the name of the computer that is running SQL Server.

6. Click Retrieve Database Names, and then from the Database name list, select the database name that you created when you configured the first server in your server farm.

7. In the User name box, type the user name of the account used to connect to the computer running SQL Server. (Be sure to type the user name in the format <DOMAIN>\<user name>.) This must be the same user account you used when configuring the first server.

8. In the Password box, type the user's password, and then click Next.

9. On the Completing the SharePoint Products and Technologies Configuration Wizard page, click Next.

10. On the Configuration Successful page, click Finish.

Start the Windows SharePoint Services Search service

You must start the Windows SharePoint Services Search service on every computer that you want to use to search content. You must start it on at least one of your servers.

Start the Windows SharePoint Services Search service on computers used to search content

1. On the SharePoint Central Administration home page, click the Operations tab on the top link bar.

2. On the Operations page, in the Topology and Services section, click Servers in farm.

3. On the Servers in Farm page, click the server on which you want to start the Windows SharePoint Services Search service.

4. Next to Windows SharePoint Services Search, click Start.

5. On the Configure Windows SharePoint Services Search Service Settings page, in the Service Account section, specify the user name and password for the user account under which the Search service will run.

6. In the Content Access Account section, specify the user name and password for the user account that the Search service will use to search content. This account must have read access to all the content you want it to search. If you do not enter credentials, the same account used for the Search service will be used.

7. In the Indexing Schedule section, either accept the default settings, or specify the schedule that you want the Search service to use when searching content.

8. After you have configured all the settings, click Start.

Configure Windows Firewall with Advanced Security

After you create Web applications in your server farm, you must use Windows Firewall with Advanced Security in Windows Server 2008 to open ports on computers that host Web applications. You only need to open the ports for the SSP on computers that do not host any Web applications.

By default, port 80 is open on Web servers, but to be able to communicate with other computers you must open the port for Central Administration and, for the SSP, you must open ports 56737 and 56738. You must also open the ports for any additional Web applications that you create in your server farm.

The default configuration of the Windows Server 2008 firewall is to deny all connections unless there is an exception. Make sure you create the exceptions for the currently enabled profile (Private, Public, or Domain) when you are making changes to ports. If you create the exceptions in the wrong profile, they will not work.

Note:
If you configure host headers in IIS, the Web applications will be created on port 80 and you might not have to perform the procedures in this section. If, however, you use the host header mode in Windows SharePoint Services 3.0 to create multiple domain-named sites in a single Web application, you will need to perform the procedures in this section to determine which ports the Web applications, including Central Administration, will use in your server farm.

Determine ports used by Web Applications

1. Click Start, point to All Programs, point to Administrative Tools, and then click SharePoint 3.0 Central Administration.

2. On the Central Administration site, click Application Management.

3. On the Application Management Web page, in the SharePoint Web Application Management section, click Web application list.

4. On the Web Application List Web page, in the URL column, the server name with port number is listed for each Web application.

You should use Windows Firewall with Advanced Security to open the ports required for your server farm as identified in the Determine ports used by Web Applications (http://technet.microsoft.com/en-us/library/cc263408.aspx#BKMK_DeterminePortsUsedByWebApplications) procedure.

For ease in managing the rules, we recommend that you create one rule per Web application and one for the two SSP ports. Alternatively, for more centralized rule management, you can create one rule to manage all the ports.

For Web applications you only need to create a rule to open a port for incoming connections; the rule for the two SSP ports must be configured to enable both incoming and outgoing traffic.

Configure Windows Firewall with Advanced Security

1. Click Start, point to All Programs, point to Administrative Tools, and then click Windows Firewall with Advanced Security.

2. In the User Account Control dialog box, click Continue.

3. In the details pane, in the Overview section, verify that the domain profile is active by checking that the domain network location entry displays Domain Profile is Active.

4. In the Domain Profile is Active area, depending on how the inbound connections rule is configured, choose one of these options:

- If it is Inbound connections that do not match a rule are allowed, you do not need to complete this procedure.

- If it is Inbound connections that do not match a rule are blocked, proceed to the next step in this procedure to configure the firewall to allow Office SharePoint Server 2007 traffic.

5. In the console tree, select Inbound Rules, and then in the Actions pane click New Rule.

6. Complete the New Inbound Rule Wizard using the settings from the following table.

Wizard page          Settings
Rule Type            Select Port.
Protocol and Ports   Select TCP. Select Specific local ports. In the Specific local ports text box, type all the port numbers that you need.
Action               Select Allow the connection.
Profile              Enable Domain. Clear Private and Public.
Name                 In the Name and Description text boxes, type information that is both descriptive and meaningful for your network administrators. As a best practice, we recommend that you assign each firewall rule a unique name. When unique names are assigned, it is easier to use Windows Server 2008 Network Shell (Netsh) commands to manage the network.

7. In the console tree, select Outbound Rules, and then in the Actions pane click New Rule.

8. Complete the New Outbound Rule Wizard using the settings from the following table.

Wizard page          Settings
Rule Type            Select Port.
Protocol and Ports   Select TCP. Select Specific local ports. In the Specific local ports text box, type all the port numbers that you need.
Action               Select Allow the connection.
Profile              Enable Domain. Clear Private and Public.
Name                 In the Name and Description text boxes, type information that is both descriptive and meaningful for your network administrators. As a best practice, we recommend that you assign each firewall rule a unique name. When unique names are assigned, it is easier to use Windows Server 2008 Network Shell (Netsh) commands to manage the network.

For more information about Windows Firewall with Advanced Security, see Windows Firewall (http://go.microsoft.com/fwlink/?LinkID=84639).
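The inbound and outbound rules from the two wizard tables above, as an added PowerShell example that is not part of the TechNet book; it wraps the netsh advfirewall commands that the Name row refers to. The port numbers in it are placeholders: take the real ones from the Web Application List page (Determine ports used by Web Applications), and run the script elevated on each server.

```powershell
# Added example, not from the TechNet book: netsh advfirewall equivalent of the
# New Inbound Rule / New Outbound Rule wizard settings in the tables above.
# PLACEHOLDER values below are assumptions; read the real ports from the
# Web Application List page before running this.
$centralAdminPort = 12345            # PLACEHOLDER: port chosen for Central Administration
$webAppPorts      = @(80, 8080)      # PLACEHOLDER: one entry per Web application you created
$sspPorts         = '56737,56738'    # the two SSP ports named in this section

function Get-DomainProfileInboundPolicy {
    # Steps 3 and 4 of the procedure: confirm the Domain profile is the active
    # one and read its inbound policy. 'show currentprofile' prints the active
    # profile with a line such as "Firewall Policy  BlockInbound,AllowOutbound".
    $out = & netsh.exe advfirewall show currentprofile
    if ($LASTEXITCODE -ne 0) { throw 'netsh advfirewall show currentprofile failed' }
    $text = ($out | Out-String)
    if ($text -notmatch 'Domain Profile') {
        # Rules created for the Domain profile would not apply to the active one.
        throw 'Domain profile is not active; create the exceptions for the active profile instead'
    }
    if ($text -match 'BlockInbound') { return 'Block' } else { return 'Allow' }
}

function Add-SharePointPortRule {
    param(
        [string]$Name,
        [string]$Direction,                               # 'in' or 'out'
        [string]$Ports,                                   # e.g. '80' or '56737,56738'
        [string]$Description = 'Office SharePoint Server 2007 traffic'
    )
    if ($Direction -ne 'in' -and $Direction -ne 'out') { throw "Direction must be 'in' or 'out'" }
    # Table settings: Rule Type = Port, Protocol = TCP, Action = Allow the
    # connection, Profile = Domain only (Private and Public cleared).
    # Rule names are unique, so an existing rule with this name is left alone
    # rather than duplicated.
    & netsh.exe advfirewall firewall show rule "name=$Name" | Out-Null
    if ($LASTEXITCODE -eq 0) { Write-Host "Rule '$Name' already exists"; return }
    & netsh.exe advfirewall firewall add rule "name=$Name" "description=$Description" `
        dir=$Direction action=allow protocol=TCP "localport=$Ports" profile=domain | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "Failed to create rule '$Name'" }
    Write-Host "Created $Direction rule '$Name' for TCP $Ports (Domain profile)"
}

# Main flow mirrors step 4: rules are only needed when unmatched inbound
# connections are blocked, which is the Windows Server 2008 default.
if ((Get-DomainProfileInboundPolicy) -eq 'Allow') {
    Write-Host 'Unmatched inbound connections are allowed; no rules needed'
} else {
    # One inbound rule per Web application, Central Administration included.
    Add-SharePointPortRule -Name 'SharePoint Central Administration' -Direction in -Ports "$centralAdminPort"
    foreach ($p in $webAppPorts) {
        Add-SharePointPortRule -Name "SharePoint Web Application TCP $p" -Direction in -Ports "$p"
    }
    # The two SSP ports need both an inbound and an outbound rule.
    Add-SharePointPortRule -Name 'SharePoint SSP (inbound)'  -Direction in  -Ports $sspPorts
    Add-SharePointPortRule -Name 'SharePoint SSP (outbound)' -Direction out -Ports $sspPorts
}
```

After it runs, netsh advfirewall firewall show rule name=all lists every rule, so you can confirm that only the Domain profile and only the expected TCP ports were opened.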

Perform additional configuration tasks

After the initial installation and configuration of Office SharePoint Server 2007, you can configure several additional settings. The configuration of additional settings is optional, but many key features are not available unless these settings are configured.

- Configure incoming e-mail settings: You can configure incoming e-mail settings so that SharePoint sites accept and archive incoming e-mail. You can also configure incoming e-mail settings so that SharePoint sites can archive e-mail discussions as they happen, save documents, and send meeting requests to site calendars. In addition, you can configure the SharePoint Directory Management Service to provide support for e-mail distribution list creation and management. For more information, see Configure incoming e-mail settings.

- Configure outgoing e-mail settings: You can configure outgoing e-mail settings so that your Simple Mail Transfer Protocol (SMTP) server sends e-mail alerts to site users and notifications to site administrators. You can configure both the "From" e-mail address and the "Reply" e-mail address that appear in outgoing alerts. You can also configure outgoing e-mail settings for all Web applications or for only one Web application. For more information, see Configure outgoing e-mail settings and Configure outgoing e-mail settings for a specific Web application.

- Configure workflow settings: You can configure workflow settings to enable end users to create their own workflows by using code pre-generated by administrators. You can also configure whether internal users without site access can receive workflow alerts, and whether external users can participate in workflows by receiving copies of documents by e-mail. For more information, see Configure workflow settings.

- Configure diagnostic logging settings: You can configure several diagnostic logging settings to help with troubleshooting. These include enabling and configuring trace logs, event messages, user-mode error messages, and Customer Experience Improvement Program events. For more information, see Configuring diagnostic logging settings.

- Configure single sign-on: You can configure single sign-on settings in the farm. Single sign-on enables you to connect to external data sources by using Excel Calculation Services or the Business Data Catalog. For more information, see Configure single sign-on.

- Configure antivirus settings: You can configure several antivirus settings if you have an antivirus program that is designed for Office SharePoint Server 2007. Antivirus settings allow you to control whether documents are scanned on upload or on download, and whether users can download infected documents. You can also specify how long you want the antivirus program to run before it times out, and you can specify how many execution threads the antivirus program can use on the server. For more information, see Configure antivirus settings.

You can use the following procedure to configure optional administrative settings using SharePoint Central Administration.

Configure administrative settings using SharePoint Central Administration

1. Click Start, point to All Programs, point to Administrative Tools, and then click SharePoint 3.0 Central Administration.

2. On the SharePoint Central Administration home page, in the Administrator Tasks list, click the administrative task that you want to perform.

3. On the Administrator Tasks page, next to Action, click the task.

Page 104: AF010163853

88

Create a site collection and a SharePoint site This section guides you through the process of creating a single site collection containing a single

SharePoint site. You can create many site collections and many sites under each site collection.

For more information, see Chapter overview: Deploy and configure SharePoint sites. For

information about planning SharePoint sites and site collections, see Plan Web site structure and

publishing (http://technet.microsoft.com/en-us/library/cc262789.aspx).

Before you can create a site or a site collection, you must first create a Web application. A Web

application is composed of an Internet Information Services (IIS) site with a unique application

pool. When you create a new Web application, you also create a new database and define the

authentication method used to connect to the database.

If you are in an extranet environment where you want different users to access content by using

different domains, you might also need to extend a Web application to another IIS Web site. This

action exposes the same content to different sets of users by using an additional IIS Web site to

host the same content.

Create a new Web application

1. Click Start, point to All Programs, then point to Microsoft Office Server, and then click

SharePoint 3.0 Central Administration.

2. On the Central Administration home page, click Application Management.

3. On the Application Management page, in the SharePoint Web Application

Management section, click Create or extend Web application.

4. On the Create or Extend Web Application page, in the Adding a SharePoint Web

Application section, click Create a new Web application.

5. On the Create New Web Application page, in the IIS Web Site section, you can configure

the settings for your new Web application.

a. To choose to use an existing Web site, select Use an existing Web site, and specify

the Web site on which to install your new Web application by selecting it from the

drop-down menu.

b. To create a new Web site, select Create a new IIS Web site, and then type the

name of the Web site in the Description box.

c. In the Port box, type the port number you want to use to access the Web application.

If you are creating a new Web site, this field is populated with a suggested port

number. If you are using an existing Web site, this field is populated with the current

port number.

d. In the Host Header box, type the URL you wish to use to access the Web

application. This is an optional field.

e. In the Path box, type the path to the site directory on the server. If you are creating a

new Web site, this field is populated with a suggested path. If you are using an

existing Web site, this field is populated with the current path.

6. In the Security Configuration section, configure authentication and encryption for your

Page 105: AF010163853

89

Web application.

a. In the Authentication Provider section, choose either Negotiate (Kerberos) or NTLM.

Note:
To enable Kerberos authentication, you must perform additional configuration tasks. For more information about authentication methods, see Plan authentication methods (http://technet.microsoft.com/en-us/library/cc262350.aspx).

b. In the Allow Anonymous section, choose Yes or No. If you choose to allow anonymous access, anonymous users reach the Web site through the computer-specific anonymous access account (that is, IUSR_<computername>).

Note:
If you want users to be able to access any site content anonymously, you must enable anonymous access for the entire Web application. Later, site owners can configure how anonymous access is used within their sites. For more information about anonymous access, see Determine which Windows security groups and accounts to use for granting access to sites.

c. In the Use Secure Sockets Layer (SSL) section, select Yes or No. If you choose to enable SSL for the Web site, you must configure SSL by requesting and installing an SSL certificate.

Important:
If you use SSL, you must add the appropriate certificate on each server by using IIS administration tools. For more information about using SSL, see Plan for secure communication within a server farm (http://technet.microsoft.com/en-us/library/cc263077.aspx).

7. In the Load Balanced URL section, type the URL for the domain name for all sites that users will access in this Web application. This URL domain will be used in all links shown on pages within the Web application. By default, the box is populated with the current server name and port.

The Zone box is automatically set to Default for a new Web application, and cannot be changed from this page. To change the zone for a Web application, see Extend an existing Web application.

8. In the Application Pool section, choose whether to use an existing application pool or create a new application pool for this Web application. To use an existing application pool, select Use existing application pool, and then select the application pool you want to use from the drop-down menu.

a. To create a new application pool, select Create a new application pool.

b. In the Application pool name box, type the name of the new application pool, or keep the default name.

c. In the Select a security account for this application pool section, select Predefined to use an existing application pool security account, and then select the security account from the drop-down menu.

d. Select Configurable to use an account that is not currently being used as a security account for an existing application pool. In the User name box, type the user name of the account you want to use, and then, in the Password box, type the password for the account.

9. In the Reset Internet Information Services section, choose whether to allow Windows SharePoint Services to restart IIS on other farm servers. The local server must be restarted manually for the process to finish. If this option is not selected, and you have more than one server in the farm, you must wait until the IIS Web site is created on all servers and then run iisreset /noforce on each Web server. The new IIS site is not usable until that action is completed. The choices are unavailable if your farm only contains a single server.

10. In the Database Name and Authentication section, choose the database server, database name, and authentication method for your new Web application.

Database Server: Type the name of the database server and SQL Server instance you want to use in the format <SERVERNAME>\<instance>. You may also use the default entry.

Database Name: Type the name of the database, or use the default entry.

Database Authentication: Choose whether to use Windows authentication (recommended) or SQL authentication. If you want to use Windows authentication, leave this option selected. If you want to use SQL authentication, select SQL authentication. In the Account box, type the name of the account you want the Web application to use to authenticate to the SQL Server database, and then type the password in the Password box.

11. Click OK to create the new Web application, or click Cancel to cancel the process and return to the Application Management page.

Use the following procedure to create a site collection.

Create a site collection

1. On the top link bar, click Application Management.

2. On the Application Management page, in the SharePoint Site Management section, click Create site collection.

3. On the Create Site Collection page, in the Web Application section, if the Web application in which you want to create the site collection is not selected, click Change Web Application on the Web Application menu, and then, on the Select Web Application page, click the Web application in which you want to create the site collection.

4. In the Title and Description section, type the title and description for the site collection.

5. In the Web Site Address section, in the URL area, select the path to use for your URL (such as an included path like /sites/ or the root directory, /). If you select a wildcard inclusion path, such as /sites/, you must also type the site name to use in your site's URL.

Note:
The paths available for the URL option are taken from the list of managed paths that have been defined as wildcard inclusions. For more information about managed paths, see "Define managed paths" in the Central Administration Help system (http://technet.microsoft.com/en-us/library/cc263179.aspx).

6. In the Template Selection section, in the Select a template list, select the template that you want to use for the top-level site in the site collection.

7. In the Primary Site Collection Administrator section, enter the user name (in the form DOMAIN\user name) for the user who will be the site collection administrator.

8. If you want to identify a user as the secondary owner of the new top-level Web site (recommended), in the Secondary Site Collection Administrator section, enter the user name for the secondary administrator of the site collection.

9. If you are using quotas to limit resource use for site collections, in the Quota Template section, click a template in the Select a quota template list.

10. Click OK.

Use the following procedure to create a SharePoint site.

Create a SharePoint site

1. On the SharePoint Central Administration home page, click the Application Management tab on the top link bar.

2. On the Application Management page, in the SharePoint Site Management section, click Site collection list.

3. On the Site Collection List page, in the URL column, click the URL for the site collection to which you want to add a site. The full URL path for the site collection appears in the URL box.

4. Copy and paste the full URL path into your browser, and then, on the home page of the top-level site for the site collection, on the Site Actions menu, click Create.

5. On the Create page, in the Web Pages section, click Sites and Workspaces.

6. On the New SharePoint Site page, in the Title and Description section, type a title and description for the site.

7. In the Web Site Address section, type a URL for the site.

8. In the Template Selection section, select a template from the tabbed template control.

9. Either change other settings, or click Create to create the site.

The new site opens.

After creating sites, you might want to configure alternate access mappings. Alternate access mappings direct users to the correct URLs during their interaction with Office SharePoint Server 2007 (while browsing to the home page of an Office SharePoint Server 2007 Web site, for example). Alternate access mappings enable Office SharePoint Server 2007 to map Web requests to the correct Web applications and sites, and they enable Office SharePoint Server 2007 to display the correct site. For more information, see Plan alternate access mappings (http://technet.microsoft.com/en-us/library/cc261814.aspx).

Configure the trace log

Trace log files can help you to troubleshoot issues related to configuration changes of the Windows SharePoint Services Search service. The trace log can also be useful for analyzing problems that might occur. For example, you can use events that are written to the trace log to identify what configuration changes were made in Office SharePoint Server 2007 before the problem occurred.

Because problems related to configuration changes are not always immediately discovered, we recommend that you save all trace log files that the system creates on any day that you make any configuration changes related to the Search service. Store these log files for an extended period of time in a safe location that will not be overwritten.

By default, Office SharePoint Server 2007 saves two days of events in the trace log files; trace log files that contain events older than two days are deleted. When using the Windows SharePoint Services Search service, we recommend that you configure the trace log to save seven days of events.

You can use the Diagnostic Logging page in Central Administration to configure the maximum number of trace log files to maintain and the duration (in minutes) to capture events to each log file. By default, 96 log files are kept, each one containing 30 minutes of events:

96 log files * 30 minutes of events per file = 2880 minutes, or two days of events.

You can also specify where the log files are written or accept the default path. See step 3 in the following procedure to determine where the system stores trace log files for your system.

Configure the trace log to save seven days of events

1. In Central Administration, on the Operations tab, in the Logging and Reporting section, click Diagnostic logging.

2. On the Diagnostic Logging page, in the Trace Log section, do the following:

In the Number of log files box, type 336.

In the Number of minutes to use a log file box, type 30.

Tip:
To save 10,080 minutes (seven days) of events, you can use any combination of number of log files and minutes to store in each log file, as long as the two values multiply to 10,080.

3. Ensure that the path specified in the Path box has enough room to store the extra log files, or change the path to another location.

Tip:
We recommend that you store log files on a hard drive partition that is used to store log files only.

4. Click OK.
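The following PowerShell function is an added example and is not part of this guide. It supports step 3: it works out how many days a given number of log files and minutes per file will retain, estimates the space those files will need from the trace logs already in the folder, and compares that estimate with the free space on the volume. The default path is the 12\Logs folder; the function name, the fallback size per file and the trace-log file name pattern (<server>-<yyyymmdd>-<hhmm>.log) are assumptions.

```powershell
# Added example, not from the Microsoft guide. Checks that the trace log folder can hold
# the retention you are about to set on the Diagnostic Logging page.
# Assumptions: the default trace log path under 12\Logs, trace log files named
# <server>-<yyyymmdd>-<hhmm>.log, and the fallback size below when no logs exist yet.
function Get-TraceLogRetentionPlan {
    param(
        [string]$LogPath = (Join-Path $env:COMMONPROGRAMFILES 'Microsoft shared\Web server extensions\12\Logs'),
        [int]$NumberOfLogFiles = 336,          # value the procedure tells you to type
        [int]$MinutesPerLogFile = 30,          # value the procedure tells you to type
        [long]$FallbackBytesPerFile = 50MB     # assumption, used only when no trace logs exist yet
    )

    # Retention in days: files * minutes per file, divided by the 1440 minutes in a day
    $retainedMinutes = $NumberOfLogFiles * $MinutesPerLogFile
    $retainedDays = [math]::Round($retainedMinutes / 1440, 2)

    # Estimate bytes per file from the trace logs already written. Other logs in the
    # folder (for example PSC*.log) are excluded by the name pattern.
    $existing = Get-ChildItem -Path $LogPath -Filter '*-????????-????.log' -ErrorAction SilentlyContinue
    if ($existing) {
        $bytesPerFile = ($existing | Measure-Object -Property Length -Average).Average
    } else {
        $bytesPerFile = $FallbackBytesPerFile
    }
    $neededBytes = [long]($bytesPerFile * $NumberOfLogFiles)

    # Free space on the volume that holds the log path
    $root = [System.IO.Path]::GetPathRoot($LogPath)
    $freeBytes = (New-Object System.IO.DriveInfo($root)).AvailableFreeSpace

    New-Object PSObject -Property @{
        LogPath         = $LogPath
        RetainedMinutes = $retainedMinutes
        RetainedDays    = $retainedDays
        EstimatedBytes  = $neededBytes
        FreeBytes       = $freeBytes
        FitsOnVolume    = ($freeBytes -gt $neededBytes)
    }
}

# The defaults reproduce the guide's figures: 336 files * 30 minutes = 10,080 minutes = 7 days
Get-TraceLogRetentionPlan | Format-List
```

Run it on the server before you change the values; if FitsOnVolume is False, change the Path box to a volume with more room, as step 3 says, rather than reducing the retention.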

Configure Windows Server Backup

If you want to use Windows Server Backup with Windows SharePoint Services 3.0, you must configure the following registry keys. If you do not configure these registry keys, Windows Server Backup will not work properly with Windows SharePoint Services 3.0.

Important:
You must be logged on as a member of the Administrators group on the local server computer to edit the registry. Incorrectly editing the registry might severely damage your system. Before making changes to the registry, you should back up any valued data on the computer.

Configure registry keys for Windows Server Backup

1. Click Start, click Run, and in the Open box, type regedit, and then click OK.

2. In the User Account Control dialog box, click Continue to open the Registry Editor.

3. In the Registry Editor, locate the following key:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\

4. On the Edit menu, click New, and then click Key.

5. Type WindowsServerBackup, and then press ENTER.

6. Select the WindowsServerBackup key, and then on the Edit menu, click New, and then click Key.

7. Type Application Support, and then press ENTER.

8. Select the Application Support key, and then on the Edit menu, click New, and then click Key.

9. Type {c2f52614-5e53-4858-a589-38eeb25c6184} as the key name, and then press ENTER.
This is the GUID for the WSS Writer.

10. Select the new key, and then on the Edit menu, click New, and then click String Value.

11. Type Application Identifier as the new value, and then press ENTER.

12. Right-click the Application Identifier value, and then click Modify.

13. In the Value Data box, type Windows SharePoint Services, and then click OK.

14. On the Edit menu, click New, and then click DWORD (32-bit) Value.

15. Type UseSameVssContext as the new value name, and then press ENTER.

16. Right-click the UseSameVssContext value, and then click Modify.

17. In the Value Data box, type 00000001, and then click OK.
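The same registry keys and values can be created from an elevated PowerShell prompt. The script below is an added example, not part of this guide: the key path, the WSS Writer GUID and the two values are exactly those the procedure lists; the two function names are ours, and the verification function lets you confirm the result on each server without opening the Registry Editor.

```powershell
# Added example, not from the Microsoft guide. Creates the registry keys and values that the
# "Configure registry keys for Windows Server Backup" procedure sets by hand, then verifies them.
# Run from an elevated PowerShell prompt on the WSS 3.0 server (the procedure's Administrators
# requirement applies here too). Key path, GUID and values come from the procedure.
$wssWriterGuid = '{c2f52614-5e53-4858-a589-38eeb25c6184}'   # GUID for the WSS Writer (step 9)
$basePath  = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\WindowsServerBackup\Application Support'
$writerKey = Join-Path $basePath $wssWriterGuid

function Register-WssWriterForWindowsServerBackup {
    # Steps 3-9: create WindowsServerBackup\Application Support\{GUID}; -Force creates the
    # intermediate keys when they do not exist yet
    if (-not (Test-Path -Path $writerKey)) {
        New-Item -Path $writerKey -Force | Out-Null
    }
    # Steps 10-13: REG_SZ "Application Identifier" = "Windows SharePoint Services"
    New-ItemProperty -Path $writerKey -Name 'Application Identifier' -PropertyType String `
        -Value 'Windows SharePoint Services' -Force | Out-Null
    # Steps 14-17: REG_DWORD "UseSameVssContext" = 1
    New-ItemProperty -Path $writerKey -Name 'UseSameVssContext' -PropertyType DWord `
        -Value 1 -Force | Out-Null
}

function Test-WssWriterRegistration {
    # Returns $true only when the key exists and both values carry the expected data
    if (-not (Test-Path -Path $writerKey)) { return $false }
    $props = Get-ItemProperty -Path $writerKey
    return ($props.'Application Identifier' -eq 'Windows SharePoint Services') -and
           ($props.UseSameVssContext -eq 1)
}

Register-WssWriterForWindowsServerBackup
if (Test-WssWriterRegistration) {
    Write-Host 'WSS Writer is registered for Windows Server Backup.'
} else {
    throw 'Registry check failed: the WSS Writer key or one of its values is missing or wrong.'
}
```

Test-WssWriterRegistration on its own is also a quick post-deployment check that the setting survived later changes to the server.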

Install Office SharePoint Server 2007 by using the command line

In this section:

Install software requirements
Determine required accounts for installation
Install Microsoft Office SharePoint Server 2007 by running Setup at a command prompt
Configure the server by using the Psconfig command-line tool
Perform additional configuration tasks
Create a Shared Services Provider (SSP) by using the Stsadm command-line tool
Create a site collection by using the Stsadm command-line tool
Configure the trace log

This section discusses how to do a clean installation of Microsoft Office SharePoint Server 2007 on a stand-alone server or on a server farm by using command-line tools.

The command-line tools enable you to customize the configuration of Office SharePoint Server 2007. Additionally, you can streamline deployment by using command-line installations in combination with other administrator tools to automate unattended installations.

To install Office SharePoint Server 2007 on a server farm, you have to complete the following steps:

1. Plan the deployment and ensure that you have installed all the software requirements.

2. Determine the required accounts that are used during installation.

3. Install Office SharePoint Server 2007 by running Setup at a command prompt, and specifying a configuration file.

4. Configure the server by using the Psconfig command-line tool with the appropriate options.

5. Create a Shared Services Provider (SSP) by using the Stsadm command-line tool (only applies on server-farm installations).

6. Create a site collection by using the Stsadm command-line tool (only applies on server-farm installations).

Install software requirements

Before you run Setup, you must perform several actions to prepare the deployment. For more information about the complete list of actions you must perform before installation, see Chapter overview: Install Office SharePoint Server 2007 in a server farm environment. Ensure that you have the following software requirements before you run Setup:

Office SharePoint Server 2007 on a clean installation of the Windows Server 2003 operating system with the most recent service pack. To install Office SharePoint Server 2007 on Windows Server 2008, see Installing Microsoft Office SharePoint Server 2007 on Windows Server 2008 (http://go.microsoft.com/fwlink/?LinkId=122586&clcid=0x409).

Note:
All the instances of Office SharePoint Server 2007 in the farm must be in the same language. For example, you cannot have both English and Japanese versions of Office SharePoint Server 2007 in the same farm.

The Microsoft .NET Framework version 3.0. The .NET Framework version 3.0 download contains the Windows Workflow Foundation technology, which is required by workflow features.

Note:
You can also use the Microsoft .NET Framework version 3.5. You can download the .NET Framework version 3.5 from the Microsoft Download Center (http://go.microsoft.com/fwlink/?LinkId=110508).

ASP.NET 2.0 enabled in the Internet Information Services (IIS) Manager on all servers that are running Office SharePoint Server 2007.

Microsoft SQL Server 2000 or Microsoft SQL Server 2005 with the most recent service pack running on at least one database server before you install Office SharePoint Server 2007 on the Web servers.

To deploy a server farm, you must have at least one server computer acting as a Web server and an application server, and one server computer acting as a database server.

Determine required accounts for installation

Before installing Office SharePoint Server 2007 at a command prompt, you should understand the three-tier security model for Office SharePoint Server 2007 and the detailed account permissions that are required for each configuration. For more information, see the following resources:

Plan for security roles (http://technet.microsoft.com/en-us/library/cc262918.aspx)
Plan for administrative and service accounts (http://technet.microsoft.com/en-us/library/cc263445.aspx)
Office SharePoint Server Security Account Requirements (http://go.microsoft.com/fwlink/?LinkID=92883&clcid=0x409)

The following table describes the accounts that are used during installation and configuration of Office SharePoint Server 2007. These accounts must be created and configured before you run Setup.

Account: Setup user account

Purpose: The Setup user account is used to run the following: Setup on each server; the SharePoint Products and Technologies Configuration Wizard; the Psconfig command-line tool; the Stsadm command-line tool.

Requirements: Domain user account. Member of the Administrators group on each server on which Setup is run. SQL Server login on the computer that is running SQL Server. Member of the following SQL Server security roles: securityadmin fixed server role; dbcreator fixed server role. If you run Stsadm command-line tool commands that read from or write to a database, the Setup user account must be a member of the db_owner fixed database role for the database.

Account: Server farm account or database access account

Purpose: The server farm account is used to: configure and manage the server farm; act as the application pool identity for the SharePoint Central Administration application pool; run the Windows SharePoint Services Timer service.

Requirements: Domain user account. If the server farm is a child farm with Web applications that consume shared services from a larger farm, the server farm account must be a member of the db_owner fixed database role on the configuration database of the larger farm. Additional permissions are automatically granted for the server farm account on Web servers and application servers that are joined to a server farm. The server farm account is automatically added as a SQL Server login on the computer that is running SQL Server, and added to the following SQL Server security roles: dbcreator fixed server role; securityadmin fixed server role; db_owner fixed database role for all databases in the server farm.
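Because Setup and Psconfig fail late and unhelpfully when the Setup user account lacks one of the memberships in the table, a pre-flight check is worth running while logged on as that account. The PowerShell function below is an added example, not part of this guide: it checks the three requirements for the Setup user account (domain account, local Administrators membership, and a SQL Server login holding the securityadmin and dbcreator fixed server roles). The SQL Server instance name is a placeholder, the check assumes Windows authentication to SQL Server, and the function name is ours.

```powershell
# Added example, not from the Microsoft guide. Checks the current logon against the
# Setup user account requirements in the table above before you run Setup or Psconfig.
# Assumptions: the SQL Server instance name you pass in, Windows authentication to SQL Server,
# and the function name. Run it while logged on as the intended Setup user account.
function Test-SetupUserAccount {
    param([Parameter(Mandatory = $true)][string]$SqlServerInstance)   # e.g. 'SQL01\SHAREPOINT' (placeholder)

    $result = @{}
    $identity  = [System.Security.Principal.WindowsIdentity]::GetCurrent()
    $principal = New-Object System.Security.Principal.WindowsPrincipal($identity)

    # Requirement: domain user account (a local account carries this computer's name as its prefix)
    $prefix = $identity.Name.Split('\')[0]
    $result.AccountName     = $identity.Name
    $result.IsDomainAccount = ($identity.Name -like '*\*') -and ($prefix -ne $env:COMPUTERNAME)

    # Requirement: member of the local Administrators group. IsInRole reads the logon token, so
    # with UAC enabled run this from an elevated prompt or the check reports $false.
    $result.IsLocalAdmin = $principal.IsInRole([System.Security.Principal.WindowsBuiltInRole]::Administrator)

    # Requirement: SQL Server login that holds the securityadmin and dbcreator fixed server roles.
    # IS_SRVROLEMEMBER returns 1 when the current login is in the role, 0 when not, NULL if unknown.
    $conn = New-Object System.Data.SqlClient.SqlConnection("Server=$SqlServerInstance;Integrated Security=SSPI")
    try {
        $conn.Open()
        $cmd = $conn.CreateCommand()
        $cmd.CommandText = "SELECT IS_SRVROLEMEMBER('securityadmin'), IS_SRVROLEMEMBER('dbcreator')"
        $reader = $cmd.ExecuteReader()
        [void]$reader.Read()
        $result.HasSqlLogin     = $true
        $result.IsSecurityAdmin = ($reader.GetValue(0) -eq 1)
        $result.IsDbCreator     = ($reader.GetValue(1) -eq 1)
        $reader.Close()
    } catch {
        # Login failed or the instance is unreachable: either way Setup cannot create databases
        $result.HasSqlLogin     = $false
        $result.IsSecurityAdmin = $false
        $result.IsDbCreator     = $false
        $result.SqlError        = $_.Exception.Message
    } finally {
        $conn.Dispose()
    }

    $result.MeetsRequirements = $result.IsDomainAccount -and $result.IsLocalAdmin -and
                                $result.HasSqlLogin -and $result.IsSecurityAdmin -and $result.IsDbCreator
    New-Object PSObject -Property $result
}

Test-SetupUserAccount -SqlServerInstance 'SQL01\SHAREPOINT' | Format-List
```

The db_owner requirement for Stsadm operations applies per database and only after the databases exist, so it is not part of this pre-flight check.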

Install Microsoft Office SharePoint Server 2007 by running Setup at a command prompt

After you have determined the required accounts for the installation, you can install Office SharePoint Server 2007. The product DVD contains examples of configuration (Config.xml) files. These example files are stored under the \Files folder in the root directory of the DVD, in folders that correspond to different scenarios. These example files are described in the following table.

Configuration file                  Description
Setup\Config.xml                    Stand-alone server installation, using Microsoft SQL Server 2005 Express Edition
SetupFarm\Config.xml                Server farm installation
SetupFarmSidebySide\Config.xml      Gradual upgrade of an existing farm
SetupFarmSilent\Config.xml          Server farm installation in silent mode
SetupFarmUpgrade\Config.xml         In-place upgrade of an existing farm
SetupSilent\Config.xml              Stand-alone server installation, using SQL Server 2005 Express Edition, in silent mode
SetupSingleUpgrade\Config.xml       In-place upgrade of an existing single-server installation

Important:
The example configuration files that are included with Office SharePoint Server 2007 omit the <Setting Id="SETUP_REBOOT" Value="Never"/> setting. You must include this setting if you want to suppress restarts during a command-line installation.

Example

The following example shows the configuration file for setting up a single server in silent mode (SetupSilent).

<Configuration>
  <Package Id="sts">
    <Setting Id="LAUNCHEDFROMSETUPSTS" Value="Yes"/>
    <Setting Id="REBOOT" Value="ReallySuppress"/>
    <Setting Id="SETUPTYPE" Value="CLEAN_INSTALL"/>
  </Package>
  <Package Id="spswfe">
    <Setting Id="SETUPCALLED" Value="1"/>
    <Setting Id="REBOOT" Value="ReallySuppress"/>
    <Setting Id="OFFICESERVERPREMIUM" Value="1" />
  </Package>
  <Logging Type="verbose" Path="%temp%" Template="Office Server Setup(*).log"/>
  <Display Level="none" CompletionNotice="no" />
  <PIDKEY Value="Enter PID Key Here" />
  <Setting Id="SERVERROLE" Value="SINGLESERVER"/>
  <Setting Id="USINGUIINSTALLMODE" Value="0"/>
</Configuration>

Run Setup with a Config.xml file at a command prompt

1. On the drive on which the Office SharePoint Server 2007 product DVD is located, change to the root directory to locate the setup.exe file.

2. Run Setup with the selected Config.xml file:
setup /config <path and file name>

Note:
You can select one of the example files, or customize your own configuration file.

3. Press ENTER.

Setup is now finished.

Example

To run Setup in silent mode, type one of the following commands at a command prompt, and then press ENTER:

setup /config Files\SetupSilent\config.xml (for a single server deployment)
setup /config Files\SetupFarmSilent\config.xml (for a farm deployment)

You can also customize your own configuration file. To control the installation, first edit the Config.xml file in a text editor to include the elements that you want with the appropriate settings for those elements. Then run setup /config <path and file name> to specify that Setup runs and uses the options that you set in the Config.xml file.

Some typical configuration options include the following:

Bypassing the prompt for the product key by providing the key as a value, <PIDKEY Value="Enter PID Key Here" />, in the Config.xml file.

Adding a location for a log file, <Logging Type="off" | "standard" (default) | "verbose" Path="path" Template="file name.log"/>, which you can view if command-line installation fails.

Important:
Use a text editor, such as Notepad, to edit Config.xml. Do not use a general-purpose XML editor such as Microsoft Office Word 2007.

For more information about the options available for customizing the configuration file, see Config.xml reference (http://technet.microsoft.com/en-us/library/cc261668.aspx).

For more information about the command-line options for Setup, see Setup.exe command-line reference (http://technet.microsoft.com/en-us/library/cc262897.aspx).
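An unattended Setup with Display Level="none" gives no feedback when the Config.xml is wrong, so it pays to check the file before running it. The PowerShell function below is an added example and not part of this guide or of the product: it parses a Config.xml and reports the three problems the text above calls out, a missing or placeholder PIDKEY, the SETUP_REBOOT setting the sample files omit, and a display that is off with no log file to fall back on. The element and setting names are the ones documented above; the function name and the rules are ours.

```powershell
# Added example, not from the Microsoft guide. Checks a Config.xml before an unattended
# "setup /config" run for the three things the text above calls out: a real product key,
# the SETUP_REBOOT setting the sample files omit, and a log file when the display is off.
# The function name and the rules are ours; the element and setting names are the guide's.
function Test-SetupConfigXml {
    param([Parameter(Mandatory = $true)][string]$Path)

    $findings = @()
    $cfg = New-Object System.Xml.XmlDocument
    $cfg.Load((Resolve-Path -Path $Path).ProviderPath)
    $root = $cfg.Configuration

    # A silent Setup cannot prompt for the product key, so a missing or placeholder PIDKEY stops it
    $pidKey = $root.PIDKEY.Value
    if (-not $pidKey -or $pidKey -eq 'Enter PID Key Here') {
        $findings += 'PIDKEY is missing or still the placeholder "Enter PID Key Here".'
    }

    # The sample files omit SETUP_REBOOT; without Value="Never" an unattended run may restart the server
    $reboot = @($root.Setting) | Where-Object { $_.Id -eq 'SETUP_REBOOT' }
    if (-not $reboot -or $reboot.Value -ne 'Never') {
        $findings += 'No <Setting Id="SETUP_REBOOT" Value="Never"/>: restarts are not suppressed.'
    }

    # With Display Level="none" the log file is the only record of a failed install
    $display = $root.Display
    $logging = $root.Logging
    if ($display -and $display.Level -eq 'none' -and (-not $logging -or $logging.Type -eq 'off')) {
        $findings += 'Display Level is "none" but Logging is off or absent: a failed install leaves no log.'
    }

    return ,$findings   # an empty array means nothing to fix
}

# Usage (the path is a placeholder); no output means the file passed all three checks
Test-SetupConfigXml -Path 'D:\Files\SetupSilent\config.xml'
```

Run against the SetupSilent sample shown above, it reports the placeholder product key and the missing SETUP_REBOOT setting, and nothing about logging, because that file sets Logging Type="verbose".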

Configure the server by using the Psconfig command-line tool

You use the Psconfig command-line tool to configure Office SharePoint Server 2007 after Setup has finished. The tool is located at %COMMONPROGRAMFILES%\Microsoft shared\Web Server Extensions\12\bin. The configuration options are different depending on whether you install Office SharePoint Server 2007 on a stand-alone server or on a server farm.

For more information about the Psconfig command-line tool and its operations and parameters, see Command-line reference for the SharePoint Products and Technologies Configuration Wizard (http://technet.microsoft.com/en-us/library/cc263093.aspx). For more information about the services and features that are registered during the configuration, see Using PSConfig.exe command-line options to complete SharePoint Server Configuration (http://go.microsoft.com/fwlink/?LinkId=122627&clcid=0x409).

Configure SharePoint Server 2007 on a stand-alone server

In stand-alone server deployments, you can run the Psconfig command-line tool with the setup command. After you have logged on by using the Setup user account that you previously created and configured, you configure Office SharePoint Server 2007.

Configure SharePoint Server 2007 on a stand-alone server by using the Psconfig command-line tool

1. On the drive on which SharePoint Products and Technologies is installed, change to the following directory: %COMMONPROGRAMFILES%\Microsoft shared\Web server extensions\12\Bin.

2. Type the following command, and then press ENTER:
psconfig -cmd setup

The Psconfig command-line tool describes the configuration steps as they occur, and notes the successful completion of configuration. For a stand-alone server installation, this is the final step in a command-line installation.

Configure SharePoint Server 2007 on a farm

In server farm deployments, you use the Psconfig command-line tool to create a new farm or connect to an existing farm. The Psconfig command-line tool installs the SharePoint Central Administration Web site on the first server in the farm. Therefore, we recommend that the first server on which you install Office SharePoint Server 2007 is a server from which you want to run the Central Administration Web site.

The following procedure describes how to configure the first server in the farm. How to add servers to the farm is described at the end of this procedure.

Note:
Ensure that you follow the procedure in the order that it is written to avoid configuration problems.

Configure SharePoint Server 2007 on a farm by using the Psconfig command-line tool

1. On the drive on which SharePoint Products and Technologies is installed, change to the following directory: %COMMONPROGRAMFILES%\Microsoft shared\Web server extensions\12\Bin.

2. Create the configuration database:
psconfig -cmd configdb -create -server <database server name> -database <database name> [-dbuser <domain\user name> -dbpassword <password>] -user <domain\user name> -password <password> -addomain <domain name> -adorgunit <org unit> -admincontentdatabase <Central Administration Web application content database name>

Note:
The dbuser and dbpassword parameters are only used in deployments that use SQL Server authentication. If you are using Windows authentication, these parameters are not required.

3. Install all Help collections:
psconfig -cmd helpcollections -installall

4. Perform resource security enforcement:
psconfig -cmd secureresources

5. Register services in the server farm:
psconfig -cmd services -install

Note:
After installing services, you must start and configure two services, Windows SharePoint Services Search and Office SharePoint Server Search, by using the Stsadm command-line tool:

a. stsadm -o spsearch -action start -farmserviceaccount <domain\user name> -farmservicepassword <password> [-databasename <content database name>] [-databaseserver <server instance>] [-searchserver <search server name>]
For more information, see Spsearch: Stsadm operation (http://technet.microsoft.com/en-us/library/cc288507.aspx).

b. stsadm -o osearch -action start -role IndexQuery -farmserviceaccount <domain\user name> -farmservicepassword <password> -farmcontactemail <[email protected]>
For more information, see Osearch: Stsadm operation (http://technet.microsoft.com/en-us/library/cc262920.aspx).

c. Provision the services of the farm:
psconfig -cmd services -provision

6. Register all features:
psconfig -cmd installfeatures

7. Provision the SharePoint Central Administration Web application:
psconfig -cmd adminvs -provision -port <port> -windowsauthprovider onlyusentlm

8. Install shared application data:
psconfig -cmd applicationcontent -install

The SharePoint Central Administration Web site has now been created.

We recommend that you install and configure Office SharePoint Server 2007 on all of the farm servers before you create sites.

Note:
If any of these commands fail, look in the post-setup configuration log files. The log files are available at %COMMONPROGRAMFILES%\Microsoft shared\Web server extensions\12\Logs, and can be identified by a file name that begins with "PSC" and the .log file name extension.

To connect to an existing configuration database and join the server to an existing server farm, run the configdb command with the -connect parameter instead of the -create parameter:
psconfig -cmd configdb -connect -server <server name> -database <database name>

Note:
Omit the -admincontentdatabase parameter, because you already supplied it when you created the configuration database.

Use the psconfig -cmd adminvs -provision -port <port> -windowsauthprovider onlyusentlm command if you want to provision the SharePoint Central Administration Web application on additional servers, which reduces the risk if the server that is running the SharePoint Central Administration Web application fails.
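Because the procedure must run in order and each step depends on the previous one succeeding, the steps are better driven by a script that stops at the first non-zero exit code and points at the PSC*.log file the note above mentions. The PowerShell script below is an added example, not part of this guide: it assumes Windows authentication to SQL Server (so it omits -dbuser and -dbpassword), does not use Active Directory account creation mode (so it omits -addomain and -adorgunit), and uses placeholder server, database, account and port values that you must replace. The helper function name is ours.

```powershell
# Added example, not from the Microsoft guide. Runs the farm configuration steps above in the
# order the guide requires and stops at the first failure, naming the newest PSC*.log file.
# Assumptions: Windows authentication to SQL Server (so no -dbuser/-dbpassword), no Active
# Directory account creation mode (so no -addomain/-adorgunit), and the placeholder names below.
$bin      = Join-Path $env:COMMONPROGRAMFILES 'Microsoft shared\Web server extensions\12\Bin'
$logs     = Join-Path $env:COMMONPROGRAMFILES 'Microsoft shared\Web server extensions\12\Logs'
$psconfig = Join-Path $bin 'psconfig.exe'

$dbServer  = 'SQL01'                   # placeholder database server
$configDb  = 'SharePoint_Config'       # placeholder configuration database name
$adminDb   = 'SharePoint_AdminContent' # placeholder Central Administration content database
$farmAcct  = 'CONTOSO\spfarm'          # placeholder server farm account
$adminPort = 9999                      # placeholder Central Administration port
# Psconfig takes the password on its command line, so prompt for it rather than storing it in the script
$farmPwd   = Read-Host -Prompt "Password for $farmAcct"

function Invoke-PsconfigStep {
    param([string]$Description, [string[]]$Arguments)
    Write-Host "==> $Description"
    & $psconfig @Arguments
    if ($LASTEXITCODE -ne 0) {
        # The guide's troubleshooting note: look at the post-setup configuration log (PSC*.log)
        $latest = Get-ChildItem -Path $logs -Filter 'PSC*.log' |
                  Sort-Object LastWriteTime -Descending | Select-Object -First 1
        throw "'$Description' failed with exit code $LASTEXITCODE. Check $($latest.FullName)"
    }
}

# Step 2
Invoke-PsconfigStep 'Create configuration database' @('-cmd', 'configdb', '-create',
    '-server', $dbServer, '-database', $configDb, '-user', $farmAcct, '-password', $farmPwd,
    '-admincontentdatabase', $adminDb)
# Step 3
Invoke-PsconfigStep 'Install Help collections' @('-cmd', 'helpcollections', '-installall')
# Step 4
Invoke-PsconfigStep 'Secure resources' @('-cmd', 'secureresources')
# Step 5
Invoke-PsconfigStep 'Register services' @('-cmd', 'services', '-install')
# Steps 5a and 5b: start the two search services with stsadm here, as the note above
# describes, before the services are provisioned in step 5c.
Invoke-PsconfigStep 'Provision services' @('-cmd', 'services', '-provision')
# Step 6
Invoke-PsconfigStep 'Register features' @('-cmd', 'installfeatures')
# Step 7
Invoke-PsconfigStep 'Provision Central Administration' @('-cmd', 'adminvs', '-provision',
    '-port', "$adminPort", '-windowsauthprovider', 'onlyusentlm')
# Step 8
Invoke-PsconfigStep 'Install application content' @('-cmd', 'applicationcontent', '-install')
```

For additional servers, replace the first step with the configdb -connect form shown above and drop the -admincontentdatabase argument; the remaining steps are the same.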

To successfully complete the command-line installation on a server farm, you must use the Stsadm command-line tool to create the Shared Services Provider (SSP), and then a site collection for the farm. However, before you create the SSP and a site collection, we recommend that you first perform some additional configuration tasks.

Perform additional configuration tasks

After you have installed Office SharePoint Server 2007, we recommend that you perform the following administrative tasks:

Configure incoming e-mail settings.
Configure outgoing e-mail settings.
Configure workflow settings.
Configure diagnostic logging settings.
Configure antivirus settings.

Create a Shared Services Provider (SSP) by using the Stsadm command-line tool

After you create and configure Office SharePoint Server 2007 on a farm, you must use the Stsadm command-line tool to create the SSP for the farm. The Stsadm command-line tool is available on the installation drive for Office SharePoint Server 2007 at %COMMONPROGRAMFILES%\Microsoft shared\Web server extensions\12\Bin.

Important:
To run the Stsadm command-line tool, you must be a member of the Administrators group on the local computer.

The recommended procedure for creating an SSP is to create a Web application for the My Site host location, and a separate Web application for the Shared Services Administration Web site. To create a new Web application, use the following procedure.

Create a Web application by using the Stsadm command-line tool

1. On the drive on which SharePoint Products and Technologies is installed, change to the following directory: %COMMONPROGRAMFILES%\Microsoft shared\Web server extensions\12\Bin.

2. Type the following command, and then press ENTER:

stsadm -o extendvs
    -url <URL name>
    -ownerlogin <domain\user name>
    -owneremail <e-mail address>
    [-exclusivelyusentlm]
    [-ownername <display name>]
    [-databaseuser <database user name>]
    [-databaseserver <database server name>]
    [-databasename <new content database name>]
    [-databasepassword <database password>]
    [-lcid <language>]
    [-sitetemplate <site template>]
    [-donotcreatesite]
    [-description]
    [-sethostheader]
    [-apidname <application pool name>]
    [-apidtype {configurableID | NetworkService}]
    [-apidlogin <domain\user name>]
    [-apidpwd <application pool password>]
    [-allowanonymous]

For more information, see Extendvs: Stsadm operation (http://technet.microsoft.com/en-us/library/cc263040.aspx).

The extendvs operation creates the Web application. The donotcreatesite parameter creates the Web application without creating a site collection on the Web application.

After creating the Web applications for the My Site host location and for the Shared Services Administration Web site, you create the SSP.

Create an SSP by using the Stsadm command-line tool

1. On the drive on which SharePoint Products and Technologies is installed, change to the following directory: %COMMONPROGRAMFILES%\Microsoft shared\Web server extensions\12\Bin.

2. Type the following command, and then press ENTER:

stsadm -o createssp
    -title <SSP name>
    -url <Web application URL>
    -mysiteurl <My Site Web application URL>
    -ssplogin <user name>
    -indexserver <index server name>
    -indexlocation <index file path>
    [-ssppassword <password>]
    [-sspdatabaseserver <SSP database server name>]
    [-sspdatabasename <SSP database name>]
    [-sspsqlauthlogin <SQL user name>]
    [-sspsqlauthpassword <SQL password>]
    [-searchdatabaseserver <search database server name>]
    [-searchdatabasename <search database name>]
    [-searchsqlauthlogin <SQL user name>]
    [-searchsqlauthpassword <SQL password>]
    [-ssl {Yes | No}]

For more information, see Createssp: Stsadm operation (http://technet.microsoft.com/en-us/library/cc262773.aspx).

Example

The following command creates a Web application with the URL http://intranet:8080 that can be used to host the SSP Administration site.

stsadm -o extendvs -url http://intranet:8080 -ownerlogin <domain\user name> -owneremail <[email protected]> -exclusivelyusentlm -databaseserver <database server name> -databasename <SSP content database> -donotcreatesite -apidname <SSP application pool name> -apidtype {configurableID | NetworkService} -apidlogin <domain\user name> -apidpwd <password>

Similarly, you can create another Web application as the My Site host location by using the following command:

stsadm -o extendvs -url http://intranet:8090 -ownerlogin <domain\user name> -owneremail <[email protected]> -exclusivelyusentlm -databaseserver <database server name> -databasename <My Sites content database name> -donotcreatesite -apidname <My Sites application pool name> -apidtype {configurableID | NetworkService} -apidlogin <domain\user name> -apidpwd <password>

Then you create the SSP, named MySSP1, with its database MySSP1_db:

stsadm -o createssp -title MySSP1 -url http://intranet -mysiteurl http://intranet:8090 -ssplogin <domain\user name> -ssppassword <password> -sspdatabaseserver <SSP database server name> -sspdatabasename MySSP1_db -indexserver <index server name> -indexlocation "D:\Program Files\Microsoft Office Servers\12.0\Data\Office Server\Applications" -searchdatabaseserver <search database server name> -searchdatabasename <search database name>

For more information, see Stsadm command-line tool (http://technet.microsoft.com/en-us/library/cc261956.aspx).

Create a site collection by using the Stsadm command-line tool

You create the top-level site collection by using the same extendvs operation that you used to create the Web applications for My Sites and the Shared Services Administration Web site.

Important:

To run the Stsadm command-line tool, you must be a member of the Administrators group on the local computer.

Create a site collection by using the Stsadm command-line tool

1. On the drive on which SharePoint Products and Technologies is installed, change to the following directory: %COMMONPROGRAMFILES%\Microsoft shared\Web server extensions\12\Bin.

2. Type the following command, and then press ENTER:


stsadm -o extendvs
-url <URL name>
-ownerlogin <domain\user name>
-owneremail <e-mail address>
[-exclusivelyusentlm]
[-ownername <display name>]
[-databaseuser <database user name>]
[-databaseserver <database server name>]
[-databasename <new content database name>]
[-databasepassword <database password>]
[-lcid <language>]
[-sitetemplate <site template>]
[-donotcreatesite]
[-description]
[-sethostheader]
[-apidname <application pool name>]
[-apidtype {configurableID | NetworkService}]
[-apidlogin <domain\user name>]
[-apidpwd <application pool password>]
[-allowanonymous]

For more information, see Extendvs: Stsadm operation (http://technet.microsoft.com/en-us/library/cc263040.aspx) and Stsadm command-line tool (http://technet.microsoft.com/en-us/library/cc261956.aspx).

Example

The following command creates a site collection at http://intranet that uses the corporate intranet site template.

stsadm -o extendvs -url http://intranet -ownerlogin <domain\user name> -owneremail <[email protected]> -exclusivelyusentlm -sitetemplate SPSPORTAL -apidname "SharePoint AppPool" -apidtype {configurableID | NetworkService} -apidlogin <domain\user name> -apidpwd <password>

If you do not specify the site template to use, site owners can choose the site template when they first browse to the site.

The following table lists common templates.

Parameter value   Description
STS#0             Team site
STS#1             Blank site
STS#2             Document workspace
MPS#0             Basic meeting workspace
MPS#1             Blank meeting workspace
MPS#2             Decision meeting workspace
MPS#3             Social meeting workspace
MPS#4             Multipage meeting workspace
BLOG#0            Blog
WIKI#0            Wiki site

If you want to create additional Web applications or site collections by using the Stsadm command-line tool, you can use either the extendvs operation or the createsite operation. The extendvs operation extends a Web application and creates a new content database. The createsite operation creates a site collection at a specific URL with a specified user as a site owner.

Note:

The createsite operation does not create a new content database. If you want to create a new content database with the new site, use the createsiteinnewdb operation.

For more information, see Createsite: Stsadm operation (http://technet.microsoft.com/en-us/library/cc262594.aspx) and Createsiteinnewdb: Stsadm operation (http://technet.microsoft.com/en-us/library/cc262407.aspx).

The extendvs operation also enables site collection administrators to specify the language of the site collection by using the Locale ID (LCID) parameter. If you do not specify an LCID, the language of the server is used for the top-level site collection. For more information about the available LCID values, see List of Locale ID (LCID) Values as Assigned by Microsoft (http://go.microsoft.com/fwlink/?LinkId=63028&clcid=0x409).

After creating sites, you might want to configure alternate access mappings. Alternate access mappings direct users to the correct URLs during their interaction with Office SharePoint Server 2007 (while browsing to the home page of an Office SharePoint Server 2007 Web site, for example). Alternate access mappings enable Office SharePoint Server 2007 to map Web requests to the correct Web applications and sites, and they enable Office SharePoint Server 2007 to serve the correct content back to the user. For more information, see Plan alternate access mappings (http://technet.microsoft.com/en-us/library/cc261814.aspx).


Configure the trace log

The trace log can be useful for analyzing problems that might occur. You can use events that are written to the trace log to determine what configuration changes were made in Office SharePoint Server 2007 before the problem occurred.

By default, Office SharePoint Server 2007 saves two days of events in the trace log files. This means that trace log files that contain events that are older than two days are deleted. When you are using the Windows SharePoint Services Search service, we recommend that you configure the trace log to save seven days of events.

You can use the Diagnostic Logging page in Central Administration to configure the maximum number of trace log files to maintain, and how long (in minutes) to capture events to each log file. By default, 96 log files are kept, each one containing 30 minutes of events.

96 log files * 30 minutes of events per file = 2880 minutes, or two days of events.

You can also specify where the log files are written or accept the default path.

Trace log files can help you troubleshoot issues related to configuration changes of the Windows SharePoint Services Search service. Because problems related to configuration changes are not always immediately discovered, we recommend that you save all trace log files that the system creates on any day that you make any configuration changes. Store these log files for some time in a safe location that will not be overwritten. We recommend that you store log files on a hard disk drive partition that is used to store log files only.

See Also

Plan for security roles (http://technet.microsoft.com/en-us/library/cc262918.aspx)

Plan for administrative and service accounts (http://technet.microsoft.com/en-us/library/cc263445.aspx)

Office SharePoint Server Security Account Requirements (http://go.microsoft.com/fwlink/?LinkID=110493&clcid=0x409)


Install Office SharePoint Server 2007 with least privilege administration by using the command line

In this section:

Install software requirements
Determine required accounts for least-privilege administration
Install Microsoft Office SharePoint Server 2007 by using least-privilege administration
Configure the server by using the Psconfig command-line tool
Perform additional configuration tasks
Create a Shared Services Provider by using the Stsadm command-line tool
Create a site collection by using the Stsadm command-line tool
Configure the trace log

This section discusses how to install Microsoft Office SharePoint Server 2007 on a stand-alone server or on a server farm by using least-privilege administration.

The Office SharePoint Server 2007 standard configuration uses a set of user accounts and installation settings for both stand-alone servers and server farms to simplify the installation process. However, enterprises are often required to use least-privilege administration, in which each service or user is provided with only the minimum permissions and group memberships that they need to accomplish the tasks that they are authorized to perform. Installing Office SharePoint Server 2007 with least-privilege administration requires additional preparation and configuration steps. We strongly recommend that you use least-privilege administration.

To install Office SharePoint Server 2007 by using least-privilege administration on either a stand-alone server or a server farm, you complete the following steps:

1. Plan the deployment and ensure that you have installed all the software requirements.

2. Determine the required accounts that are used during installation.

3. Use the least-privilege Setup user account to install Office SharePoint Server 2007 by running Setup at a command prompt and specifying a configuration file.

4. Configure the server by using the Psconfig command-line tool with the appropriate options.

5. Create a Shared Services Provider (SSP) by using the Stsadm command-line tool (applies only to server-farm installations).

6. Create a site collection by using the Stsadm command-line tool (applies only to server-farm installations).


Install software requirements

Before running Setup, you must perform several actions to prepare the deployment. For the complete list of actions you must perform before installation, see Chapter overview: Install Office SharePoint Server 2007 in a server farm environment. Ensure that you have the following software requirements before you run Setup in any deployment:

- Office SharePoint Server 2007 on a clean installation of the Windows Server 2003 operating system with the most recent service pack. To install Office SharePoint Server 2007 on Windows Server 2008, see Installing Microsoft Office SharePoint Server 2007 on Windows Server 2008 (http://go.microsoft.com/fwlink/?LinkID=122586&clcid=0x409).

Note:

All the instances of Office SharePoint Server 2007 in the farm must be in the same language. For example, you cannot have both English versions and Japanese versions of Office SharePoint Server 2007 in the same farm.

- The Microsoft .NET Framework version 3.0. The .NET Framework version 3.0 download contains the Windows Workflow Foundation technology, which is required by workflow features. You can also use the Microsoft .NET Framework version 3.5. You can download the .NET Framework version 3.5 from the Microsoft Download Center (http://go.microsoft.com/fwlink/?LinkId=110508).

- ASP.NET 2.0 enabled in the Internet Information Services (IIS) Manager on all Office SharePoint Server 2007 servers.

- Microsoft SQL Server 2005 or Microsoft SQL Server 2000 with the most recent service pack running on at least one database server before you install Office SharePoint Server 2007 on the Web servers.

Note:

To deploy a server farm, you must have at least one server computer acting as a Web server and an application server, and one server computer acting as a database server.

Determine required accounts for least-privilege administration

Before installing Office SharePoint Server 2007 by using least-privilege administration in any security configuration, you should understand the three-tier security model for Office SharePoint Server 2007 and the detailed account permissions that are required for each configuration. For more information, see the following topics:

Plan for security roles (http://technet.microsoft.com/en-us/library/cc262918.aspx)

Plan for administrative and service accounts (http://technet.microsoft.com/en-us/library/cc263445.aspx)


Office SharePoint Server Security Account Requirements (http://go.microsoft.com/fwlink/?LinkID=92883&clcid=0x409)

Many requirements and configuration steps for installing Office SharePoint Server 2007 by using least-privilege administration resemble the standard farm installation. For more information about the standard farm installation, see Chapter overview: Install Office SharePoint Server 2007 in a server farm environment.

The following table describes the accounts that are used to install Office SharePoint Server 2007 for least-privilege administration compared to the standard account requirements for farm installation.

Account: Setup user account

Purpose: The Setup user account is used to run the following:
- Setup on each server.
- The SharePoint Products and Technologies Configuration Wizard.
- The Psconfig command-line tool.
- The Stsadm command-line tool.

Server farm standard requirement:
- Domain user account.
- Member of the Administrators group on each server on which Setup is run.
- SQL Server login on the computer that is running SQL Server.
- Member of the following SQL Server security roles: securityadmin fixed server role; dbcreator fixed server role.
- If you run Stsadm command-line commands that read from or write to a database, the Setup user account must be a member of the db_owner fixed database role for the database.

Least-privilege administration using domain user accounts requirements: Server farm standard requirements with the following additions or exceptions:
- Use a separate domain user account.
- The Setup user account should not be a member of the Administrators group on the computer that is running SQL Server.

Account: Server farm account or database access account

Purpose: The server farm account is used to:
- Configure and manage the server farm.
- Act as the application pool identity for the SharePoint Central Administration Web site.
- Run the Windows SharePoint Services Timer service.

Server farm standard requirement:
- Domain user account.
- If the server farm is a child farm with Web applications that consume shared services from a larger farm, this account must be a member of the db_owner fixed database role on the configuration database of the larger farm.
- Additional permissions are automatically granted for the server farm account on Web servers and application servers that are joined to a server farm.
- The server farm account is automatically added as a SQL Server login on the computer that is running SQL Server and added to the following SQL Server security roles: dbcreator fixed server role; securityadmin fixed server role; db_owner fixed database role for all databases in the server farm.

Least-privilege administration using domain user accounts requirements: Server farm standard requirements with the following additions or exceptions:
- Use a separate domain user account.
- The server farm account is not a member of the Administrators group on any server in the server farm. This includes the computer that is running SQL Server.
- The server farm account does not require permissions to SQL Server before you create the configuration database.


The minimum requirements to achieve least-privilege administration include the following:

- Separate accounts are used for different services and processes.
- No executing service or process account is running with local administrator permissions.

By using separate service accounts for each service and limiting the permissions assigned to each account, you reduce the opportunity for a malicious user or process to compromise the environment.

Least-privilege administration can be implemented in many ways, depending on the security configuration of each scenario. The configurations for least-privilege administration include:

- Separate domain user accounts
- SQL Server authentication
- Domain user accounts connecting to existing databases
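The two minimum requirements above, together with the per-account exceptions from the table (the Setup user account is a local administrator on the servers where Setup runs but not on the SQL Server computer; the server farm account is a local administrator nowhere), can be checked against a planned account inventory before Setup is run. The following Python script is an added example and is not part of the Microsoft documentation; the Server/Account inventory format, the check logic and the CONTOSO\... names are constructed for illustration.

```python
"""Pre-flight check of a planned account inventory against the least-privilege rules above.

Added example, not part of the Microsoft documentation. The Server/Account inventory
format, the check logic and the CONTOSO\\... names are constructed for illustration.
"""
from dataclasses import dataclass


@dataclass
class Server:
    name: str
    roles: frozenset        # subset of {"web", "app", "sql"}


@dataclass
class Account:
    name: str               # DOMAIN\user
    purpose: str            # "setup", "farm", or the service/app pool it runs
    domain_account: bool = True
    local_admin_on: frozenset = frozenset()   # servers where it is in Administrators


def check_least_privilege(accounts, servers):
    """Return a list of findings; an empty list means the plan meets the rules."""
    findings = []
    # Setup runs (as a local administrator) on every Web and application server, but the
    # Setup user account stays out of Administrators on a dedicated SQL Server computer.
    setup_hosts = {s.name for s in servers if s.roles & {"web", "app"}}
    sql_only_hosts = {s.name for s in servers if s.roles == frozenset({"sql"})}

    # Rule: separate accounts, so one login may not serve two purposes.
    purposes = {}
    for acct in accounts:
        purposes.setdefault(acct.name.lower(), set()).add(acct.purpose)
    for login, used_for in purposes.items():
        if len(used_for) > 1:
            findings.append(f"{login}: one login used for {sorted(used_for)}")

    for acct in accounts:
        if not acct.domain_account:
            findings.append(f"{acct.name}: not a domain user account")
        if acct.purpose == "setup":
            for host in sorted(setup_hosts - acct.local_admin_on):
                findings.append(f"{acct.name}: Setup user account must be in Administrators on {host}")
            for host in sorted(acct.local_admin_on & sql_only_hosts):
                findings.append(f"{acct.name}: Setup user account is in Administrators on SQL Server {host}")
        else:
            # Rule: no service or process account runs with local administrator permissions
            # (the server farm account included, on every server in the farm).
            for host in sorted(acct.local_admin_on):
                findings.append(f"{acct.name} ({acct.purpose}): in Administrators on {host}")
    return findings


# Constructed sample inventory: one Web/application server and one database server.
SERVERS = [Server("WEB01", frozenset({"web", "app"})), Server("SQL01", frozenset({"sql"}))]

GOOD_PLAN = [
    Account("CONTOSO\\spsetup", "setup", local_admin_on=frozenset({"WEB01"})),
    Account("CONTOSO\\spfarm", "farm"),
    Account("CONTOSO\\spapppool", "content app pool"),
    Account("CONTOSO\\spsearch", "search"),
]

BAD_PLAN = [
    Account("CONTOSO\\spsetup", "setup", local_admin_on=frozenset({"WEB01", "SQL01"})),
    Account("CONTOSO\\spfarm", "farm", local_admin_on=frozenset({"WEB01"})),
    Account("CONTOSO\\spfarm", "content app pool"),   # same login reused for a second purpose
]

if __name__ == "__main__":
    for label, plan in (("good", GOOD_PLAN), ("bad", BAD_PLAN)):
        print(label, check_least_privilege(plan, SERVERS) or "OK")
```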

Install Microsoft Office SharePoint Server 2007 by using least-privilege administration

After you have determined the required accounts for the installation, you can install Office SharePoint Server 2007. The product DVD contains examples of configuration (Config.xml) files. These example files are stored under the \Files folder in the root directory of the DVD, in folders that correspond to different scenarios. These example files are described in the following table.

Configuration file                Description
Setup\Config.xml                  Stand-alone server installation, using Microsoft SQL Server 2005 Express Edition
SetupFarm\Config.xml              Server farm installation
SetupFarmSidebySide\Config.xml    Gradual upgrade of an existing farm
SetupFarmSilent\Config.xml        Server farm installation in silent mode
SetupFarmUpgrade\Config.xml       In-place upgrade of an existing farm
SetupSilent\Config.xml            Stand-alone server installation, using SQL Server 2005 Express Edition, in silent mode
SetupSingleUpgrade\Config.xml     In-place upgrade of an existing single-server installation

Important:

The example configuration files that are included with Office SharePoint Server 2007 omit the <Setting Id="SETUP_REBOOT" Value="Never"/> setting. You must include this setting if you want to suppress restarts during a command-line installation.


Example

The following example shows the configuration for setting up a single server in silent mode (SetupSilent).

<Configuration>
  <Package Id="sts">
    <Setting Id="LAUNCHEDFROMSETUPSTS" Value="Yes"/>
    <Setting Id="REBOOT" Value="ReallySuppress"/>
    <Setting Id="SETUPTYPE" Value="CLEAN_INSTALL"/>
  </Package>
  <Package Id="spswfe">
    <Setting Id="SETUPCALLED" Value="1"/>
    <Setting Id="REBOOT" Value="ReallySuppress"/>
    <Setting Id="OFFICESERVERPREMIUM" Value="1" />
  </Package>
  <Logging Type="verbose" Path="%temp%" Template="Office Server Setup(*).log"/>
  <Display Level="none" CompletionNotice="no" />
  <PIDKEY Value="Enter PID Key Here" />
  <Setting Id="SERVERROLE" Value="SINGLESERVER"/>
  <Setting Id="USINGUIINSTALLMODE" Value="0"/>
</Configuration>

Run Setup with a Config.xml file at a command prompt

1. On the drive on which the Office SharePoint Server 2007 product DVD is located, change to the root directory to locate the setup.exe file.

2. Run Setup with the selected Config.xml file:

setup /config <path and file name>

Note:

You can select one of the example files, or customize your own configuration file.

3. Press ENTER.

Setup is now complete.

Example

To run Setup in silent mode, type the following command at a command prompt, and then press ENTER:

setup /config Files\SetupSilent\config.xml (for a single server deployment)

setup /config Files\SetupFarmSilent\config.xml (for a farm deployment)

You can also customize the configuration file. To control the installation, first edit the Config.xml file in a text editor to include the elements that you want with the appropriate settings for those elements. Then run setup /config <path and file name> to specify that Setup runs and uses the options that you set in the Config.xml file.

Some typical configuration options include:

- Bypassing the prompt for the product key by providing the key as a value, <PIDKEY Value="Enter PID Key Here" />, in the Config.xml file.

- Adding a location for a log file, <Logging Type="off" | "standard" (default) | "verbose" Path="path name" Template="file name.log"/>, which you can view if command-line installation fails.

Important:

Use a text editor, such as Notepad, to edit Config.xml. Do not use a general-purpose XML editor such as Microsoft Office Word 2007.

For more information about the options available for customizing the configuration file, see Config.xml reference (http://technet.microsoft.com/en-us/library/cc261668.aspx).

For more information about the command-line options for Setup, see Setup.exe command-line reference (http://technet.microsoft.com/en-us/library/cc262897.aspx).

For more information about command-line installation, see Install Office SharePoint Server 2007 by using the command line.
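As an added example (not part of the documentation or the product DVD), the following Python script audits a Config.xml for the points raised above before it is passed to setup /config: that the file still parses as XML after editing, that the top-level SETUP_REBOOT setting the sample files omit is present, that the PIDKEY placeholder has been replaced, and that logging has not been turned off. SAMPLE_CONFIG is the SetupSilent file shown earlier, with its placeholder product key left in place; the check logic is an assumption made for illustration.

```python
"""Audit a Setup Config.xml before a silent command-line installation.

Added example, not from the Microsoft documentation or the product DVD. The checks encode
the points made in the surrounding text; SAMPLE_CONFIG is the SetupSilent file shown
earlier, with the placeholder product key still in place.
"""
import xml.etree.ElementTree as ET

PID_PLACEHOLDER = "Enter PID Key Here"

SAMPLE_CONFIG = """<Configuration>
  <Package Id="sts">
    <Setting Id="LAUNCHEDFROMSETUPSTS" Value="Yes"/>
    <Setting Id="REBOOT" Value="ReallySuppress"/>
    <Setting Id="SETUPTYPE" Value="CLEAN_INSTALL"/>
  </Package>
  <Package Id="spswfe">
    <Setting Id="SETUPCALLED" Value="1"/>
    <Setting Id="REBOOT" Value="ReallySuppress"/>
    <Setting Id="OFFICESERVERPREMIUM" Value="1" />
  </Package>
  <Logging Type="verbose" Path="%temp%" Template="Office Server Setup(*).log"/>
  <Display Level="none" CompletionNotice="no" />
  <PIDKEY Value="Enter PID Key Here" />
  <Setting Id="SERVERROLE" Value="SINGLESERVER"/>
  <Setting Id="USINGUIINSTALLMODE" Value="0"/>
</Configuration>
"""


def _top_level_setting(root, setting_id):
    """Return the <Setting> directly under <Configuration> with the given Id, or None."""
    for setting in root.findall("Setting"):
        if setting.get("Id") == setting_id:
            return setting
    return None


def audit_config(xml_text):
    """Return a list of problems; an empty list means the file is ready for 'setup /config'."""
    try:
        root = ET.fromstring(xml_text)
    except ET.ParseError as exc:
        # Typical result of saving the file from a word processor instead of a text editor.
        return [f"Config.xml is not well-formed XML: {exc}"]
    if root.tag != "Configuration":
        return ["root element must be <Configuration>"]
    problems = []
    reboot = _top_level_setting(root, "SETUP_REBOOT")
    if reboot is None or reboot.get("Value") != "Never":
        # The sample files on the DVD omit this; it is what suppresses restarts.
        problems.append('missing <Setting Id="SETUP_REBOOT" Value="Never"/>')
    pid = root.find("PIDKEY")
    if pid is None or not pid.get("Value") or pid.get("Value") == PID_PLACEHOLDER:
        problems.append("PIDKEY still holds the placeholder text, so the product key prompt is not bypassed")
    logging = root.find("Logging")
    if logging is None or logging.get("Type") == "off":
        problems.append("Logging is absent or off; there will be no log to inspect if Setup fails")
    return problems


def ensure_setup_reboot_never(xml_text):
    """Return xml_text with a top-level SETUP_REBOOT=Never setting added or corrected."""
    root = ET.fromstring(xml_text)
    reboot = _top_level_setting(root, "SETUP_REBOOT")
    if reboot is None:
        reboot = ET.SubElement(root, "Setting")
        reboot.set("Id", "SETUP_REBOOT")
    reboot.set("Value", "Never")
    return ET.tostring(root, encoding="unicode")


if __name__ == "__main__":
    for problem in audit_config(SAMPLE_CONFIG):
        print("problem:", problem)
    fixed = ensure_setup_reboot_never(SAMPLE_CONFIG)
    print("after adding SETUP_REBOOT:", audit_config(fixed))
```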

Configure the server by using the Psconfig command-line tool

You use the Psconfig command-line tool to configure Office SharePoint Server 2007 after Setup has finished. The tool is located at %COMMONPROGRAMFILES%\Microsoft shared\Web server extensions\12\Bin. The configuration options are different depending on whether you install Office SharePoint Server 2007 on a stand-alone server or on a server farm.

For more information about the Psconfig command-line tool and its operations and parameters, see Command-line reference for the SharePoint Products and Technologies Configuration Wizard (http://technet.microsoft.com/en-us/library/cc263093.aspx). For more information about the services and features that are registered during the configuration, see Using PSConfig.exe command-line options to complete SharePoint Server Configuration (http://go.microsoft.com/fwlink/?LinkId=122627&clcid=0x409).

Configure SharePoint Server 2007 on a stand-alone server

In stand-alone server deployments that use least-privilege administration, you can run the Psconfig command-line tool with the setup command.

After you have logged on by using the Setup user account that you previously created and configured, you configure Office SharePoint Server 2007.

Configure SharePoint Server 2007 by using the Psconfig command-line tool

1. On the drive on which SharePoint Products and Technologies is installed, change to the following directory: %COMMONPROGRAMFILES%\Microsoft shared\Web server extensions\12\Bin.

2. Type the following command, and then press ENTER:

psconfig -cmd

The Psconfig command-line tool describes the configuration steps as they occur, and notes the successful completion of configuration. For a stand-alone-server installation, this is the final step in a command-line installation.

Configure SharePoint Server 2007 on a farm

In server farm deployments that use least-privilege administration, you use the Psconfig command-line tool to create a new farm or connect to an existing farm. The Psconfig command-line tool installs the SharePoint Central Administration Web site on the first server in the farm. Therefore, we recommend that the first server on which you install Office SharePoint Server 2007 is a server from which you want to run the Central Administration Web site.

The following procedure describes how to configure the first server in the farm.

Note:

Ensure that you follow the procedure in the order that it is written to avoid configuration problems.

Configure SharePoint Server 2007 on a farm by using the Psconfig command-line tool

1. Log on by using the Setup user account that you previously created and configured.

2. On the drive on which SharePoint Products and Technologies is installed, change to the following directory: %COMMONPROGRAMFILES%\Microsoft shared\Web server extensions\12\Bin.

3. Create the configuration database:

psconfig -cmd configdb -create -server <database server name> -database <database name> -dbuser <domain\user name> -dbpassword <password> -user <domain\user name> -password <password> -addomain <domain name> -adorgunit <org unit> -admincontentdatabase <Central Administration Web application content database name>

Note:

The dbuser and dbpassword parameters are only used in deployments that use SQL Server authentication. If you are using Windows authentication, these parameters are not required.

4. Install all Help collections:

psconfig -cmd helpcollections -installall


5. Perform resource security enforcement:

psconfig -cmd secureresources

6. Register services in the server farm:

psconfig -cmd services -install

Note:

After installing services, you must start and configure two services, Windows SharePoint Services Search and Office SharePoint Server Search, by using the Stsadm command-line tool:

a. stsadm -o spsearch -action start -farmserviceaccount <domain\user name> -farmservicepassword <password> [-databasename <content database name>] [-databaseserver <server instance>] [-searchserver <search server name>]

For more information, see Spsearch: Stsadm operation (http://technet.microsoft.com/en-us/library/cc288507.aspx).

Note:

Use the domain and user account information for the server farm account that you previously created and configured.

b. stsadm -o osearch -action start -role IndexQuery -farmserviceaccount <domain\user name> -farmservicepassword <password> -farmcontactemail <[email protected]>

For more information, see Osearch: Stsadm operation (http://technet.microsoft.com/en-us/library/cc262920.aspx).

Note:

Use the domain and user account information for the server farm account that you previously created and configured.

c. Provision the services of the farm:

psconfig -cmd services -provision

7. Register all features:

psconfig -cmd installfeatures

8. Provision the SharePoint Central Administration Web application:

psconfig -cmd adminvs -provision -port <port> -windowsauthprovider onlyusentlm

9. Install shared application data:

psconfig -cmd applicationcontent -install

The Central Administration Web site has now been created.

We recommend that you install and configure Office SharePoint Server 2007 on all of the farm servers before you create sites.


Note:

If any of these commands fail, look in the post-Setup configuration log files. The log files are available at %COMMONPROGRAMFILES%\Microsoft shared\Web server extensions\12\Logs. They can be identified by a file name starting with "PSC" and the .log file name extension.

To connect to an existing configuration database and join the server to an existing server farm, you must run the configdb command together with the -connect parameter instead of the -create parameter.

psconfig -cmd configdb -connect -server <server name> -database <database name>

Note:

Omit the -admincontentdatabase parameter because you already included it when you created the configuration database.

Use the psconfig -cmd adminvs -provision -port <port> -windowsauthprovider onlyusentlm command if you want to provision the SharePoint Central Administration Web application on additional servers, which reduces the risk if the server that is running the SharePoint Central Administration Web application fails.

To successfully complete command-line installation on a server farm, you must use the Stsadm command-line tool to create an SSP, and then a site collection for the farm. However, before you create a Shared Services Provider and a site collection, we recommend that you first perform some additional configuration tasks.
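The farm procedure above depends on three things that are easy to get wrong at a command prompt: the steps must run in the documented order, -dbuser/-dbpassword belong only to SQL Server authentication deployments, and a server that joins the farm uses configdb -connect without -admincontentdatabase. The following Python helper assembles those command lines, runs them in order, stops at the first failure and points at the PSC*.log files; it redacts password values from anything it prints, since the documented commands carry credentials on the command line. It is an added example, not Microsoft's tool; the server, database and account names are constructed placeholders, and running the commands for real requires a Windows server where Setup has already completed.

```python
"""Assemble and run the Psconfig/Stsadm steps for the first farm server, in the documented order.

Added example, not Microsoft's tool or script: it only builds the command lines shown above.
Server, database and account names used below are constructed placeholders.
"""
import os
import subprocess

# Tool and log locations from the documentation; the variable expands on Windows at run time.
BIN_DIR = os.path.expandvars(r"%COMMONPROGRAMFILES%\Microsoft shared\Web server extensions\12\Bin")
LOG_DIR = os.path.expandvars(r"%COMMONPROGRAMFILES%\Microsoft shared\Web server extensions\12\Logs")
SECRET_FLAGS = {"-password", "-dbpassword", "-farmservicepassword"}


def first_server_steps(db_server, config_db, admin_content_db, farm_account, farm_password,
                       farm_contact_email, ca_port, sql_login=None, sql_password=None):
    """Steps 3 to 9 above as argv lists. -user/-password is the server farm account."""
    configdb = ["psconfig", "-cmd", "configdb", "-create",
                "-server", db_server, "-database", config_db,
                "-user", farm_account, "-password", farm_password,
                "-admincontentdatabase", admin_content_db]
    if sql_login is not None:
        # -dbuser/-dbpassword apply only to deployments that use SQL Server authentication.
        configdb += ["-dbuser", sql_login, "-dbpassword", sql_password]
    search_creds = ["-farmserviceaccount", farm_account, "-farmservicepassword", farm_password]
    return [
        configdb,
        ["psconfig", "-cmd", "helpcollections", "-installall"],
        ["psconfig", "-cmd", "secureresources"],
        ["psconfig", "-cmd", "services", "-install"],
        # Both search services are started under the server farm account before provisioning.
        ["stsadm", "-o", "spsearch", "-action", "start"] + search_creds,
        ["stsadm", "-o", "osearch", "-action", "start", "-role", "IndexQuery"] + search_creds
        + ["-farmcontactemail", farm_contact_email],
        ["psconfig", "-cmd", "services", "-provision"],
        ["psconfig", "-cmd", "installfeatures"],
        ["psconfig", "-cmd", "adminvs", "-provision", "-port", str(ca_port),
         "-windowsauthprovider", "onlyusentlm"],
        ["psconfig", "-cmd", "applicationcontent", "-install"],
    ]


def join_farm_command(db_server, config_db, sql_login=None, sql_password=None):
    """configdb -connect for an additional server; -admincontentdatabase is deliberately absent."""
    cmd = ["psconfig", "-cmd", "configdb", "-connect", "-server", db_server, "-database", config_db]
    if sql_login is not None:
        cmd += ["-dbuser", sql_login, "-dbpassword", sql_password]
    return cmd


def redact(argv):
    """Copy of argv with every password value replaced; use this for console output and logs."""
    out = list(argv)
    for i in range(len(out) - 1):
        if out[i].lower() in SECRET_FLAGS:
            out[i + 1] = "***"
    return out


def _run_in_bin_dir(argv):
    exe = os.path.join(BIN_DIR, argv[0])      # psconfig.exe and stsadm.exe both live in Bin
    return subprocess.run([exe] + argv[1:]).returncode


def run_steps(steps, runner=_run_in_bin_dir):
    """Run steps in order, stopping at the first non-zero exit.

    Returns (index_of_failed_step, hint) or (None, None) when every step succeeded.
    """
    for i, argv in enumerate(steps):
        print("running:", " ".join(redact(argv)))
        if runner(argv) != 0:
            return i, f"step {i + 1} failed; check the PSC*.log files under {LOG_DIR}"
    return None, None


if __name__ == "__main__":
    steps = first_server_steps("SQL01", "SharePoint_Config", "SharePoint_AdminContent",
                               "CONTOSO\\spfarm", "<password>", "farmadmin@example.com", 8888)
    # Dry run: print the redacted commands without executing anything.
    print(run_steps(steps, runner=lambda argv: 0))
    print(" ".join(join_farm_command("SQL01", "SharePoint_Config")))
```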

Perform additional configuration tasks

After you have installed Office SharePoint Server 2007, we recommend that you perform the following administrative tasks:

Configure incoming e-mail settings
Configure outgoing e-mail settings
Configure workflow settings
Configure diagnostic logging settings
Configure antivirus settings

Create a Shared Services Provider by using the Stsadm command-line tool

After you create and configure Office SharePoint Server 2007 on a farm, you must use the Stsadm command-line tool to create the SSP and site collection for the farm.

Important:

To run the Stsadm command-line tool, you must be a member of the Administrators group on the local computer.


The recommended procedure for creating an SSP is to create a Web application for the My Sites host location, and a separate Web application for the Shared Services Administration Web site.

Create a Web application by using the Stsadm command-line tool

1. On the drive on which SharePoint Products and Technologies is installed, change to the following directory: %COMMONPROGRAMFILES%\Microsoft shared\Web server extensions\12\Bin.

2. Type the following command, and then press ENTER:

stsadm -o extendvs
-url <URL name>
-ownerlogin <domain\user name>
-owneremail <e-mail address>
[-exclusivelyusentlm]
[-ownername <display name>]
[-databaseuser <database user name>]
[-databaseserver <database server name>]
[-databasename <new content database name>]
[-databasepassword <database password>]
[-lcid <language>]
[-sitetemplate <site template>]
[-donotcreatesite]
[-description]
[-sethostheader]
[-apidname <application pool name>]
[-apidtype {configurableID | NetworkService}]
[-apidlogin <domain\user name>]
[-apidpwd <application pool password>]
[-allowanonymous]

For more information, see Stsadm command-line tool (http://technet.microsoft.com/en-us/library/cc261956.aspx).

The extendvs operation creates the Web application. The donotcreatesite parameter creates the Web application without creating a site collection on the Web application.

After creating the Web applications for the My Sites host location and for the Shared Services Administration Web site, you create the SSP.

Create an SSP by using the Stsadm command-line tool

1. On the drive on which SharePoint Products and Technologies is installed, change to the following directory: %COMMONPROGRAMFILES%\Microsoft shared\Web server extensions\12\Bin.

2. Type the following command, and then press ENTER:

stsadm -o createssp
-title <SSP name>
-url <Web application URL>
-mysiteurl <My Sites Web application URL>
-ssplogin <user name>
-indexserver <index server name>
-indexlocation <index file path>
[-ssppassword <SSP password>]
[-sspdatabaseserver <SSP database server name>]
[-sspdatabasename <SSP database name>]
[-sspsqlauthlogin <SQL user name>]
[-sspsqlauthpassword <SQL password>]
[-searchdatabaseserver <search database server name>]
[-searchdatabasename <search database name>]
[-searchsqlauthlogin <SQL user name>]
[-searchsqlauthpassword <SQL password>]
[-ssl {Yes | No}]

Example

The following command creates a Web application with the URL http://intranet:8080 that can be used to host the SSP Administration site.

stsadm -o extendvs -url http://intranet:8080 -ownerlogin <domain\user name> -owneremail <[email protected]> -exclusivelyusentlm -databaseserver <database server name> -databasename <SSP content database name> -donotcreatesite -apidname <SSP application pool> -apidtype configurableID -apidlogin <domain\user name> -apidpwd <password>

Similarly, you can create another Web application as the My Sites host location by using the following command:

stsadm -o extendvs -url http://intranet:8090 -ownerlogin <domain\user name> -owneremail <[email protected]> -exclusivelyusentlm -databaseserver <SQL Server> -databasename <site content database name> -donotcreatesite -apidname <site application pool> -apidtype configurableID -apidlogin <domain\user name> -apidpwd <password>

Then you create the SSP, named MySSP1, with the database MySSP1_db:


stsadm -o createssp -title MySSP1 -url http://intranet -mysiteurl http://intranet:8090 -ssplogin <domain\user name> -ssppassword <password> -sspdatabaseserver <database server name> -sspdatabasename MySSP1_db -indexserver <index server name> -indexlocation "D:\Program Files\Microsoft Office Servers\12.0\Data\Office Server\Applications" -searchdatabaseserver <search database server name> -searchdatabasename <search database name>

For more information, see Extendvs: Stsadm operation (http://technet.microsoft.com/en-us/library/cc263040.aspx) and Createssp: Stsadm operation (http://technet.microsoft.com/en-us/library/cc262773.aspx).

Create a site collection by using the Stsadm command-line tool

You create the top-level site collection by using the same extendvs operation that you used to create the Web applications for My Sites and the Shared Services Administration Web site.

Important:

To run the Stsadm command-line tool, you must be a member of the Administrators group on the local computer.

Create a site collection by using the Stsadm command-line tool

1. On the drive on which SharePoint Products and Technologies is installed, change to the following directory: %COMMONPROGRAMFILES%\Microsoft shared\Web server extensions\12\Bin.

2. Type the following command, and then press ENTER:

stsadm -o extendvs

-url<URL name>

-ownerlogin<domain\user name>

-owneremail<e-mail address>

[-exclusivelyusentlm]

[-ownername<display name>]

[-databaseuser<database user name>]

[-databaseserver<database server name>]

[-databasename<new content database name>]

[-databasepassword<database password>]

[-lcid<language>]

[-sitetemplate<site template>]

[-donotcreatesite]

[-description]

Page 139: AF010163853

123

[-sethostheader]

[-apidname<application pool name>]

[-apidtype {configurableID | NetworkService} ]

[-apidlogin<domain\user name>]

[-apidpwd <application pool password>]

[-allowanonymous]

For more information about how to create a site collection, see Createsite: Stsadm operation (http://technet.microsoft.com/en-us/library/cc262594.aspx).

Example

The following example creates a site collection at http://intranet that uses the corporate intranet site template.

stsadm -o extendvs -url http://intranet -ownerlogin <domain\user name> -owneremail <[email protected]> -exclusivelyusentlm -sitetemplate SPSPORTAL -apidname "SharePoint AppPool" -apidtype configurableID -apidlogin <domain\user name> -apidpwd <password>

This command can also be used to add other site collections and sites.

If you do not specify the site template to use, the site collection administrator can choose the site

template when he or she first browses to the site.

The extendvs operation also enables you to specify the language of the site collection by using

the Locale ID (LCID) parameter. If you do not specify an LCID, the language of the server is used

for the top-level site collection. For more information about the available LCID values, see List of

Locale ID (LCID) Values as Assigned by Microsoft

(http://go.microsoft.com/fwlink/?LinkId=63028&clcid=0x409).

For more information about the Stsadm command-line tool, see Stsadm command-line tool

(http://technet.microsoft.com/en-us/library/cc261956.aspx).

After creating sites, you might want to configure alternate access mappings. Alternate access

mappings direct users to the correct URLs during their interaction with Office SharePoint Server

2007 (while browsing to the home page of an Office SharePoint Server 2007 Web site, for

example). Alternate access mappings enable Office SharePoint Server 2007 to map Web

requests to the correct Web applications and sites, and they enable Office SharePoint Server

2007 to serve the correct content back to the user. For more information, see Plan alternate

access mappings (http://technet.microsoft.com/en-us/library/cc261814.aspx).

Configure the trace log

The trace log can be useful for analyzing problems that might occur. You can use events that are written to the trace log to determine what configuration changes were made in Office SharePoint Server 2007 before the problem occurred.

By default, Office SharePoint Server 2007 saves two days of events in the trace log files. This means that trace log files that contain events that are older than two days are deleted. When you are using the Windows SharePoint Services Search service, we recommend that you configure the trace log to save seven days of events.

You can use the Diagnostic Logging page in Central Administration to configure the maximum

number of trace log files to maintain, and how long (in minutes) to capture events to each log file.

By default, 96 log files are kept, each one containing 30 minutes of events.

96 log files * 30 minutes of events per file = 2880 minutes or two days of events.

You can also specify where the log files are written or accept the default path.

Trace log files can help you troubleshoot issues related to configuration changes of the Windows

SharePoint Services Search service. Because problems related to configuration changes are not

always immediately discovered, we recommend that you save all trace log files that the system

creates on any day that you make any configuration changes. Store these log files for an

extended period of time in a safe location that will not be overwritten. We recommend that you

store log files on a hard disk drive partition that is used to store log files only.
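The retention arithmetic above and the advice to keep the logs from any configuration-change day can be scripted. The following PowerShell functions are an added example, not part of this guide: they compute the retention a given file count and capture interval yield, the file count needed for a target number of days, and copy one day's trace logs to an archive folder without overwriting anything already archived. The default log folder under the 12 hive and the file name pattern <server>-<yyyyMMdd>-<HHmm>.log are assumptions; adjust them if Diagnostic Logging points elsewhere.

```powershell
# Added example, not part of the Microsoft guide. Assumed: trace logs live in the
# default ...\12\LOGS folder and are named <server>-<yyyyMMdd>-<HHmm>.log.

function Get-TraceLogRetentionDays {
    # Days of events kept = files x minutes per file / minutes per day.
    # The guide's default of 96 files at 30 minutes each gives two days.
    param([int]$FileCount = 96, [int]$MinutesPerFile = 30)
    return ($FileCount * $MinutesPerFile) / 1440
}

function Get-TraceLogFileCount {
    # Number of files to set on the Diagnostic Logging page to keep $Days of
    # events; the seven days recommended for WSS Search need 336 files at 30 minutes.
    param([int]$Days, [int]$MinutesPerFile = 30)
    return [int][math]::Ceiling(($Days * 1440) / $MinutesPerFile)
}

function Backup-TraceLogsForDay {
    # Copies every trace log written on $Date (yyyyMMdd) to $ArchiveRoot\$Date.
    # Archived copies are never overwritten, so a later run on the same day
    # only adds files that were written since; returns the number copied.
    param(
        [string]$Date,
        [string]$ArchiveRoot,
        [string]$LogDir = (Join-Path $env:CommonProgramFiles 'Microsoft Shared\Web Server Extensions\12\LOGS')
    )
    if ($Date -notmatch '^\d{8}$') { throw "Date must be yyyyMMdd, got '$Date'" }
    if (-not (Test-Path $LogDir)) { throw "Trace log folder not found: $LogDir" }
    $dest = Join-Path $ArchiveRoot $Date
    if (-not (Test-Path $dest)) { New-Item -ItemType Directory -Path $dest | Out-Null }

    $copied = 0
    foreach ($file in @(Get-ChildItem -Path $LogDir -Filter "*-$Date-*.log")) {
        $target = Join-Path $dest $file.Name
        if (Test-Path $target) {
            Write-Warning "Skipping $($file.Name): already archived"
            continue
        }
        Copy-Item -Path $file.FullName -Destination $target
        $copied++
    }
    return $copied
}

# Usage, with the archive root on a partition reserved for log files as the
# guide recommends (drive letter and date are placeholders):
# Get-TraceLogRetentionDays
# Get-TraceLogFileCount -Days 7
# Backup-TraceLogsForDay -Date '20090301' -ArchiveRoot 'L:\ULSArchive'
```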

See Also

Plan for security roles (http://technet.microsoft.com/en-us/library/cc262918.aspx)

Plan for administrative and service accounts (http://technet.microsoft.com/en-us/library/cc263445.aspx)

Office SharePoint Server Security Account Requirements

(http://go.microsoft.com/fwlink/?LinkId=110493&clcid=0x409)


Migrate a stand-alone installation to a server farm installation

In this section:

Install Office SharePoint Server 2007 on a new farm

Migrate data from the single-server installation

Create and attach data from the Shared Services Provider (SSP)

Attach site collection data from content databases

Installing Microsoft Office SharePoint Server 2007 as a stand-alone installation on a single server

computer simplifies deployment. A stand-alone installation of Microsoft Office SharePoint Server

2007 is a good choice for:

A low-capacity deployment with a small number of Web sites

A small number of concurrent users

The initial evaluation of Office SharePoint Server 2007 before you begin testing and

implementing a more complex deployment.

Many deployments have greater performance and capacity requirements that can only be

achieved with a farm deployment. You can migrate a stand-alone installation of Office SharePoint

Server 2007 to a server farm installation to meet expanded performance, capacity, or scalability

requirements. Migration enables you to meet these requirements while also retaining the data,

content, and sites from your single-server installation. A direct upgrade from a stand-alone server

to a farm is not available.

It is usually easier to expand an existing farm deployment by adding servers to meet

performance, capacity, or scalability requirements than it is to migrate a stand-alone deployment

to a farm deployment. If you know that your organization is going to require a server farm

eventually, it is a better idea to start with a simple farm deployment.

For more information about installing Office SharePoint Server 2007 on a simple server farm, see

Deploy in a simple server farm. For more information about installing Office SharePoint Server

2007 on a stand-alone server, see Install Office SharePoint Server 2007 on a stand-alone

computer.

You have two options for a migration from a stand-alone installation to a farm installation of Office

SharePoint Server 2007:

SQL Backup and Restore, followed by using the Stsadm command-line tool to attach the

databases

Central Administration Backup and Restore

This section describes the first option. For more information about using Central Administration to

migrate from a stand-alone installation to a farm installation, see Migrate to another farm by using

the Central Administration Web site (http://technet.microsoft.com/en-us/library/cc262281.aspx).


To migrate from a stand-alone server to a server farm, you perform the following steps:

1. Install Office SharePoint Server 2007 on a new farm.

2. Migrate data from the stand-alone server to the Microsoft SQL Server 2005 database server

that is part of the new server farm by using SQL Backup and Restore.

3. Create and attach data from the Shared Services Provider (SSP) by using the Stsadm

command-line tool.

4. Attach the restored databases to the new server farm by using the Stsadm command-line

tool.

Install Office SharePoint Server 2007 on a new farm

Before you can migrate data from a single-server to a server farm, you must install Office SharePoint Server 2007 on the farm. A farm installation typically requires the following steps:

1. Prepare the database server and one or more Office SharePoint Server 2007 servers.

2. Install Office SharePoint Server 2007, and configure the server by using the SharePoint

Products and Technologies configuration wizard or the PSConfig.exe command-line tool.

3. Create a Shared Services Provider (SSP).

4. Create a site collection for the top-level site.

When you are installing Office SharePoint Server 2007 on a server farm for the purposes of

migration from a stand-alone server, do not create an SSP or site collection until you have

migrated data from the single-server installation by using SQL Backup and Restore. After

restoring the databases, you create an SSP and attach the new SSP database and the content

database to the new server farm.

For more information about installing Office SharePoint Server 2007 on a server farm, see Chapter overview: Install Office SharePoint Server 2007 in a server farm environment.

Prepare servers for installation

The following software is required before you run Setup:

You must install Office SharePoint Server 2007 on a clean installation of Windows Server

2003 with the most recent service pack.

You must install the Microsoft .NET Framework version 3.0. The .NET Framework version 3.0

download contains the Windows Workflow Foundation technology, which is required by

workflow features.

Note:

You can also use the Microsoft .NET Framework version 3.5. You can download

the .NET Framework version 3.5 from the Microsoft Download Center

(http://go.microsoft.com/fwlink/?LinkId=110508).


You must enable ASP.NET 2.0 in the Internet Information Services (IIS) Manager on all

Office SharePoint Server 2007 servers.

You must have Microsoft SQL Server 2005 or Microsoft SQL Server 2000 with the most

recent service pack running on at least one database server before you install Office

SharePoint Server 2007 on your Web servers.

You must also create and configure the following accounts:

SQL Server service account

Setup user account

Server farm account

It is possible to use the same account for each of these account roles, unless you are using least

privilege administration. For more information about these required accounts and other account

requirements for Office SharePoint Server 2007, see Plan for administrative and service accounts

(http://technet.microsoft.com/en-us/library/cc263445.aspx).

For more information about preparing servers for installation, see the following articles:

Chapter overview: Install Office SharePoint Server 2007 in a server farm environment

Prepare the database servers

Prepare the Web and application servers

Deploy in a simple server farm

Install SharePoint Server 2007 and configure the server by using the SharePoint Products and Technologies configuration wizard

You can install Office SharePoint Server 2007 by using the Setup wizard or running Setup.exe

from a command prompt. After completing Setup, you configure the server by using the

SharePoint Products and Technologies configuration wizard. The SharePoint Products and

Technologies configuration wizard creates the Central Administration site.

When you have completed the wizard, do not create an SSP or other site collection until you have finished migrating data from the stand-alone server and have attached the restored databases to the new server farm.

For more information about installing and configuring SharePoint Server 2007, see the following

articles:

Install Office SharePoint Server 2007 and run the SharePoint Products and Technologies

configuration wizard

Install Office SharePoint Server 2007 by using the command line

Migrate data from the stand-alone server

A single-server installation of Office SharePoint Server 2007 includes Microsoft SQL Server 2005 Express Edition. A server farm installation uses a separate Microsoft SQL Server 2005 database server. To successfully migrate from a stand-alone server to a farm, you must migrate databases from the stand-alone server to the database server in the farm by using SQL Server Management Studio Express and Microsoft SQL Server Management Studio.

SQL Server Management Studio Express is installed on the stand-alone server by running Setup

for SQL Server Express with Advanced Services or SQL Server Express Toolkit. It is used to

enable a connection from the database server that is running SQL Server Management Studio.

SQL Server Management Studio is used to back up databases from the stand-alone server and

restore the databases to the database server in the farm.

For more information about managing SQL Server Express, see Managing SQL Server Express

with SQL Server 2005 Management Studio Express Edition

(http://go.microsoft.com/fwlink/?LinkId=110559&clcid=0x409).

To download SQL Server Management Studio Express, visit the Visual Studio Download Center

(http://go.microsoft.com/fwlink/?LinkId=110560&clcid=0x409).

Migrate data from the stand-alone server to the database server on the farm

1. Set the databases on the stand-alone server to be read-only:

a. In SQL Server Management Studio Express, right-click the name of the database that

you want to set to read-only, and then click Properties.

b. In the Select a page section, click Options.

c. In the Other options section of the right pane, expand State, click the drop-down

arrow for the values of Database Read-Only, and then click True.

2. Connect to the stand-alone server by using SQL Server Management Studio and back up the following databases:

Shared Services DB

Shared Services Search DB

Shared Services Content DB

WSS Content DB

All additional content databases associated with Web applications on the stand-alone server:

a. On your database server, click Start, point to All Programs, point to Microsoft SQL Server 2005, and then click SQL Server Management Studio.

b. In the Connect to Server box, fill in the connection information, and then click Connect.

c. After connecting to the appropriate instance of the SQL Server 2005 Database Engine, in Object Explorer, expand the server tree by clicking the plus sign next to the server name.

Note:

The SQL Server Express instance name that is used to connect to the databases on the stand-alone server is set to OfficeServers by default.

d. Expand Databases, right-click the database that you want to back up, point to Tasks, and then click Back Up. The Back Up Database dialog box appears.

e. In the Source section, in the Database box, verify the database name.

f. In the Backup type box, click the drop-down arrow for the values, and then click Full.

g. Under Backup component, select Database.

h. In the Backup set section, in the Name box, either accept the default value or type a different name.

i. In the Destination section, specify the type of backup destination by selecting Disk or Tape, and then specify a destination. To create a different destination, click Add.

j. Click OK to start the backup process.

3. Restore databases to the database server on the farm by using Microsoft SQL Server Management Studio:

a. After connecting to the appropriate instance of the SQL Server 2005 Express, in

Object Explorer, expand the server tree by clicking the plus sign next to the server

name.

b. Right-click Databases, and then click New Database.

c. In the Database name box, type the name of the database you want to restore.

d. In the Owner box, specify an owner if desired.

e. In the Database files section, in the Logical Name box for the Data file type, verify

that the logical name is the one you want to use.

f. In the Initial Size (MB) box, adjust the size to approximately the size of the database

you want to restore.

g. In the Logical Name box for the Log file type, verify that the logical name is the one

you want to use.

h. In the Initial Size (MB) box, adjust the size to approximately three or four times the

size of the log file for the database you want to restore.

Make the log file large to accommodate entries during the upgrade process. You can

always shrink the transaction log after you have completed the upgrade.

i. In the Autogrowth column for the log file, set the value to By 10 percent,

unrestricted growth.

You can change this setting after you perform the upgrade, but again, you do not

want to have the log file run out of space during the upgrade process.


j. Click OK to create the database.

For more information about migrating databases including different backup and restore options

for different versions of SQL Server, see Migrate databases (http://technet.microsoft.com/en-

us/library/cc263299.aspx).

Stsadm Command-Line Tool

Microsoft Office SharePoint Server 2007 includes the Stsadm command-line tool for

administration of Office SharePoint Server 2007 servers and sites. The Stsadm command-line

tool is located at the following path on the drive where SharePoint Products and Technologies is

installed: %COMMONPROGRAMFILES%\microsoft shared\web server extensions\12\bin. You

must be an administrator on the local computer to use the Stsadm command-line tool.

The Stsadm command-line tool provides a method for performing the Office SharePoint Server

2007 administration tasks at a command prompt or by using batch files or scripts. The Stsadm

command-line tool provides access to operations that are not available by using the Central

Administration site, such as changing the administration port. The command-line tool has a more

streamlined interface than Central Administration, and it allows you to perform the same tasks.

There are certain operations and certain parameters that are only available by using the Stsadm

command-line tool.

The Stsadm command-line tool will be used to attach the restored stand-alone databases to the

SQL Server database on the farm so that the site content (including the Shared Services

Provider) will be available on the new installation on the farm.

To see what actions are available with the tool, you can run stsadm -help, which returns the operations that can be performed, and stsadm -help <operation name> to get detailed documentation about a particular operation.

For more information, see Stsadm command-line tool (http://technet.microsoft.com/en-

us/library/cc261956.aspx).

For more details about Stsadm command-line operations and parameters, see: Index for Stsadm

operations and properties (http://technet.microsoft.com/en-us/library/cc263384.aspx).

To start and configure the required services:

Start the Windows SharePoint Services Search service:

stsadm -o spsearch -action start -farmserviceaccount Redmond\user -farmservicepassword MyPassword

Start the Office SharePoint Server Search service:

stsadm -o osearch -action start -role IndexQuery -farmserviceaccount domain\user -farmservicepassword MyPassword -farmcontactemail [email protected]

For additional information, see Osearch: Stsadm operation (http://technet.microsoft.com/en-

us/library/cc262920.aspx).


Create and attach data from the Shared Services Provider (SSP)

After you migrate data from the stand-alone server to the farm, you must use the Stsadm command-line tool to create the SSP Web application for the farm and attach the restored SSP database to the farm. The Stsadm command-line tool is available on the installation drive for Office SharePoint Server 2007 at %COMMONPROGRAMFILES%\Microsoft Shared\Web Server Extensions\12\bin.

You create the SSP Web application by using the following command:

stsadm -o extendvs
-url <URL>
-ownerlogin <domain\username>
-owneremail <e-mail address>
-exclusivelyusentlm
-databaseserver <DBservername>
-databasename <NewcontentDBname>
-apcreatenew
-apidname <Apppoolname>
-apidtype configurableid
-apidlogin <domain\username>
-apidpwd <Password>

Example

stsadm -o extendvs -url http://intranet:8080 -ownerlogin domain\username -owneremail [email protected] -exclusivelyusentlm -databaseserver SQLServer -databasename SSPContentDB -apcreatenew -apidname SSPAppPool -apidtype configurableid -apidlogin domain\username -apidpwd MyPassword

This command creates a Web application with the URL http://intranet:8080 that can be used to

host the SSP.

Note:

The databasename parameter is the Shared Services content database that was

restored from the stand-alone server.

The stand-alone installation uses the default Web application for the My Site host location. When

you migrate to a farm, we recommend that the My Site host location use a separate Web

application.

Example

stsadm -o extendvs -url http://intranet:8090 -ownerlogin domain\username -owneremail [email protected] -exclusivelyusentlm -databaseserver SQLServer -databasename MySiteContentDB -apcreatenew -apidname MySiteAppPool -apidtype configurableid -apidlogin domain\username -apidpwd MyPassword

After creating both Web applications, you restore the SSP by using the restoressp command.

Specify as sspdatabasename and searchdatabasename the names of the databases that were restored to the farm from the stand-alone server:

stsadm -o restoressp
-title <SSP name>
-url <Web application url>
-mysiteurl <MySite Web application url>
-ssplogin <username>
-ssppassword <password>
-sspdatabaseserver <SSP database server>
-sspdatabasename <SSP database name>
-searchdatabaseserver <Search database server>
-searchdatabasename <Search database name>
-indexserver <index server>
-indexlocation <index file path>

Example

stsadm -o restoressp -title Migrated_SSP1 -url http://intranet:8080 -mysiteurl http://intranet:8090 -ssplogin domain\username -ssppassword MyPassword -sspdatabaseserver SQLServer -sspdatabasename MySSP1_db -searchdatabaseserver SearchServer -searchdatabasename SharedServices1_Search -indexserver MyServer -indexlocation "D:\Program Files\Microsoft Office Servers\12.0\Data\Office Server\Applications"

For more information about the Stsadm command-line tool, see Stsadm command-line tool

(http://technet.microsoft.com/en-us/library/cc261956.aspx).

For additional information about how to perform this procedure using the Stsadm command-line

tool, see Restoressp (http://technet.microsoft.com/en-us/library/cc262163.aspx), Extendvs

(http://technet.microsoft.com/en-us/library/cc263040.aspx), and Createssp

(http://technet.microsoft.com/en-us/library/cc262773.aspx).

Attach site collection data from content databases

The final step of migrating a stand-alone installation to a server farm installation is the migration of content databases for each site collection. For each site collection on the stand-alone server, run the following command by using the Stsadm command-line tool:

stsadm -o extendvs
-url <URL>
-ownerlogin <domain\username>
-owneremail <e-mail address>
-exclusivelyusentlm
-databaseserver <DBservername>
-databasename <NewcontentDBname>
-apcreatenew
-apidname <Apppoolname>
-apidtype configurableid
-apidlogin <domain\username>
-apidpwd <Password>

Example

stsadm -o extendvs -url http://intranet -ownerlogin domain\username -owneremail [email protected] -exclusivelyusentlm -databaseserver intranet -databasename WSSContent -apcreatenew -apidname SharePoint_80_AppPool -apidtype configurableid -apidlogin domain\username -apidpwd MyPassword

This command restores the top-level site collection http://intranet that also contains the My Site

content.

The databasename parameter is the restored database from the stand-alone installation that will

now be attached to the top-level site.

For additional information, see Extendvs: Stsadm operation (http://technet.microsoft.com/en-

us/library/cc263040.aspx).
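The four Stsadm operations of this migration (the two extendvs calls for the SSP and My Site Web applications, restoressp, and the final extendvs for the content database) can be run as one sequence. The following PowerShell script is an added example and not part of this guide: it reuses the guide's example URLs, database and application pool names, asks for the service account credentials once instead of writing MyPassword into a script file, masks the password when it echoes each command, and stops at the first failed operation rather than attaching further databases on top of a broken state. The owner e-mail address is a placeholder, and the content database is attached from the farm database server rather than the stand-alone server.

```powershell
# Added example, not part of the Microsoft guide. Names such as SQLServer,
# SearchServer, MyServer, SSPContentDB and SharePoint_80_AppPool are the
# guide's example values; the owner e-mail is a placeholder. Run as a member of
# the local Administrators group on a farm server.
$ErrorActionPreference = 'Stop'

$stsadm = Join-Path $env:CommonProgramFiles 'Microsoft Shared\Web Server Extensions\12\bin\stsadm.exe'
if (-not (Test-Path $stsadm)) { throw "stsadm.exe not found at $stsadm" }

# Prompt once; the plaintext password exists only in this session, never in the script.
$cred = Get-Credential -Credential 'domain\username'
$svcUser = $cred.UserName
$svcPass = $cred.GetNetworkCredential().Password
$ownerEmail = 'admin@example.com'   # placeholder
$sqlServer = 'SQLServer'

function Invoke-Stsadm {
    param([string[]]$Arguments)
    # Echo the command with the password masked so a transcript is safe to keep.
    $shown = ($Arguments | ForEach-Object { if ($_ -eq $svcPass) { '********' } else { $_ } }) -join ' '
    Write-Host "stsadm $shown"
    & $stsadm $Arguments
    if ($LASTEXITCODE -ne 0) { throw "stsadm failed with exit code $($LASTEXITCODE): $shown" }
}

function New-MigratedWebApp {
    # extendvs on top of a content database that was already restored to the farm.
    param([string]$Url, [string]$Database, [string]$AppPool)
    Invoke-Stsadm @('-o', 'extendvs', '-url', $Url,
        '-ownerlogin', $svcUser, '-owneremail', $ownerEmail, '-exclusivelyusentlm',
        '-databaseserver', $sqlServer, '-databasename', $Database,
        '-apcreatenew', '-apidname', $AppPool, '-apidtype', 'configurableid',
        '-apidlogin', $svcUser, '-apidpwd', $svcPass)
}

# Steps 1 and 2: Web applications for the SSP and for the My Site host, each in
# its own application pool.
New-MigratedWebApp -Url 'http://intranet:8080' -Database 'SSPContentDB'    -AppPool 'SSPAppPool'
New-MigratedWebApp -Url 'http://intranet:8090' -Database 'MySiteContentDB' -AppPool 'MySiteAppPool'

# Step 3: re-create the SSP on the restored SSP and search databases.
Invoke-Stsadm @('-o', 'restoressp', '-title', 'Migrated_SSP1',
    '-url', 'http://intranet:8080', '-mysiteurl', 'http://intranet:8090',
    '-ssplogin', $svcUser, '-ssppassword', $svcPass,
    '-sspdatabaseserver', $sqlServer, '-sspdatabasename', 'MySSP1_db',
    '-searchdatabaseserver', 'SearchServer', '-searchdatabasename', 'SharedServices1_Search',
    '-indexserver', 'MyServer',
    '-indexlocation', 'D:\Program Files\Microsoft Office Servers\12.0\Data\Office Server\Applications')

# Step 4: attach the restored content database to the top-level site collection.
New-MigratedWebApp -Url 'http://intranet' -Database 'WSSContent' -AppPool 'SharePoint_80_AppPool'
```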

See Also

Chapter overview: Install Office SharePoint Server 2007 in a server farm environment

Deploy in a simple server farm

Install Office SharePoint Server 2007 on a stand-alone computer

Migrate to another farm by using the Central Administration Web site

(http://technet.microsoft.com/en-us/library/cc262281.aspx)

Install Office SharePoint Server 2007 by using the command line

Stsadm command-line tool (http://technet.microsoft.com/en-us/library/cc261956.aspx).


Perform a stand-alone installation of Office SharePoint Server 2007 on Windows Server 2008

In this section:

Hardware and software requirements

Perform installation steps

Perform post-installation steps

Configure the trace log

Configure Windows Server Backup

As of the release of Microsoft Office SharePoint Server 2007 Service Pack 1 (SP1), you can

install Office SharePoint Server 2007 on a server running Windows Server 2008. As with the

Windows Server 2003 operating system, you must download and run Setup and the SharePoint

Products and Technologies Configuration Wizard. You cannot install Office SharePoint Server

2007 without service packs on Windows Server 2008.

Important:

This section discusses how to perform a clean installation of Office SharePoint Server

2007 with SP1 in a stand-alone environment on Windows Server 2008. It does not cover

upgrading the operating system from Windows Server 2003 to Windows Server 2008.

Note:

This section does not cover installing Office SharePoint Server 2007 in a server farm on

Windows Server 2008. For more information, see Deploy a simple farm on the Windows

Server 2008 operating system.

Note:

There is no direct upgrade from a stand-alone installation to a farm installation.

You can quickly publish a SharePoint site by deploying Office SharePoint Server 2007 on a single

server computer. A stand-alone configuration is useful if you want to evaluate Office SharePoint

Server 2007 features and capabilities, such as collaboration, document management, and

search. A stand-alone configuration is also useful if you are deploying a small number of Web

sites and you want to minimize administrative overhead. When you deploy Office SharePoint

Server 2007 on a single server using the default settings, the Setup program automatically

installs the Windows Internal Database and uses it to create the configuration database and an

initial content database for your SharePoint sites. In addition, Setup installs the SharePoint

Central Administration Web site and creates your first SharePoint site collection and site.


Important:

Office SharePoint Server 2007 requires the following components: the Web Server role,

Windows Internal Database, and the Microsoft .NET Framework. Office SharePoint

Server 2007 will cease to run if you uninstall these components.

Hardware and software requirements

Before you install and configure Office SharePoint Server 2007, be sure that your server has the required hardware and software. For more information about these requirements, see Determine hardware and software requirements (http://technet.microsoft.com/en-us/library/cc262485.aspx).

Also, make sure the Management Compatibility role service is added to your server and the .NET

Framework is installed, as described below.

Notes

Server Manager is designed to guide server administrators through the process of

installing, configuring, and managing server roles and features that are part of Windows

Server 2008. For more information on using the Server Manager, see the Windows

Server 2008 Server Manager Technical Overview

(http://go.microsoft.com/fwlink/?LinkID=109936&clcid=0x409).

IIS 6.0 Management Compatibility role service

If you use the Server Manager to perform a default Internet Information Services (IIS) 7.0

installation, the IIS 6.0 Management Compatibility role service is not included. Since this is a

required role service, you must use the following procedure.

Add the IIS 6.0 Management Compatibility role service

1. Click Start, point to Administrative Tools, and then click Server Manager.

2. In the left navigation pane, expand Roles, and then right-click Web Server (IIS) and

select Add Role Services.

3. In the Add Role Services wizard, under Role services, select IIS 6 Management

Compatibility.

4. From the Select Role Services pane, click Next, and then at the Confirm Installations

Selections pane, click Install.

5. To complete the Add Role Services wizard, click Close.

Microsoft .NET Framework version 3.0

Before you install Office SharePoint Server 2007 on Windows Server 2008, you must install the

.NET Framework version 3.0. You do not need to install the Web Server role or the Windows

Process Activation Service; these are installed automatically—along with Windows Internal

Database—when you install Office SharePoint Server 2007 SP1. Use the following procedure to

install the .NET Framework version 3.0.


Install Microsoft .NET Framework version 3.0

1. Click Start, point to Administrative Tools, and then click Server Manager.

2. In Server Manager, on the Action menu, click Add features.

3. In the Features list, select the .NET Framework 3.0 Features check box, and then click

Next.

4. Follow the wizard steps to install the.NET Framework version 3.0.

Note:

You can also use the Microsoft .NET Framework version 3.5. You can download the

.NET Framework version 3.5 from the Microsoft Download Center

(http://go.microsoft.com/fwlink/?LinkId=110508).

Perform installation steps

You can only install Office SharePoint Server 2007 with SP1 on Windows Server 2008. We recommend that you create a slipstreamed installation source for Office SharePoint Server 2007. This installation source must include the files from both Windows SharePoint Services 3.0 SP1 and Office SharePoint Server 2007 SP1. For more information on using the updates folder to create a slipstream source, see the topic Create an installation source that includes software updates (http://technet.microsoft.com/en-us/library/cc261890.aspx).

Note:

If you have not created an updated installation source, you must first install Office

SharePoint Server 2007 without any software updates and, without running the

SharePoint Products and Technologies Configuration Wizard at the end of the

installation, install Service Pack 1. After the installations are complete, you can run the

SharePoint Products and Technologies Configuration Wizard.

To install and configure Office SharePoint Server 2007, you must first install Office SharePoint

Server 2007 with SP1 and then run the SharePoint Products and Technologies Configuration

Wizard. When you install Office SharePoint Server 2007 on a single server, run the Setup

program using the Basic option. This option uses the Setup program's default parameters to

install Office SharePoint Server 2007 and Windows Internal Database.

Notes

If you uninstall Office SharePoint Server 2007, and then later reinstall Office SharePoint

Server 2007 on the same computer, the Setup program could fail when creating the

configuration database, causing the entire installation process to fail. You can prevent

this failure by either deleting all the existing Office SharePoint Server 2007 databases on

the computer or by creating a new configuration database. You can create a new

configuration database by running the following command from the directory

%COMMONPROGRAMFILES%\Microsoft shared\Web server extensions\12\Bin:

psconfig -cmd configdb -create -database <unique database name>


Install Office SharePoint Server 2007 with SP1

1. From your slipstreamed installation source, run Setup.exe.

2. On the Enter your Product Key page, enter your product key, and then click Continue.

Note:

Setup automatically verifies the product key, places a green check mark next to

the text box, and enables the Continue button after it validates the key. If the key

is not valid, Setup places a red circle next to the text box and displays a message

that the key is incorrect.

3. On the Read the Microsoft Software License Terms page, review the terms, select the

I accept the terms of this agreement check box, and then click Continue.

4. On the Choose the installation you want page, click Basic to install to the default

location. To install to a different location, click Advanced, and then on the File Location

tab, specify the location you want to install to and finish the installation.

5. When Setup finishes, a dialog box prompts you to complete the configuration of your

server. Make sure that the Run the SharePoint Products and Technologies

Configuration Wizard now check box is selected.

6. Click Close to start the configuration wizard.

The SharePoint Products and Technologies Configuration Wizard starts, and you can go

directly to the procedure "To run the SharePoint Products and Technologies

Configuration Wizard."

Note:

Do not add any server roles in Windows Server 2008 Server Manager before the setup

for Office SharePoint Server 2007 is complete. If you add a server role, the setup process

will fail, and you will need to uninstall and reinstall Office SharePoint Server 2007.

Configure SharePoint Products and Technologies

Once you have finished installing Office SharePoint Server 2007 with SP1, you can run the

SharePoint Products and Technologies Configuration Wizard to configure the installation.

Run the SharePoint Products and Technologies Configuration Wizard

1. On the Welcome to SharePoint Products and Technologies page, click Next.

2. In the dialog box that notifies you that some services might need to be restarted or reset

during configuration, click Yes.

3. On the Configuration Successful page, click Finish. Your new SharePoint site opens.

Note:

If you are prompted for your user name and password, you might need to add the

SharePoint site to the list of trusted sites and configure user authentication

settings in Internet Explorer. Instructions for configuring these settings are

provided in the following procedure.

Note:

If you see a proxy server error message, you might need to configure your proxy

server settings so that local addresses bypass the proxy server. Instructions for

configuring proxy server settings are provided later in this section.

If you want to configure the installation from the command line, use the following procedure.

Run the SharePoint Products and Technologies Configuration Wizard from the command line

Type the following command, and then press ENTER:

psconfig.exe -cmd setup -cmd standaloneconfig -lcid 0 -cmd configdb -create -server <servername>\OfficeServers -cmd helpcollections -installall -cmd secureresources -cmd services -install -provision -cmd installfeatures -cmd adminvs -provision -cmd evalprovision -provision -cmd applicationcontent -install

After you have configured the Office SharePoint Server 2007 installation, you should add the

SharePoint site to the list of trusted sites, using the following steps.

Add the SharePoint site to the list of trusted sites

1. In Internet Explorer, on the Tools menu, click Internet Options.

2. On the Security tab, in the Select a Web content zone to specify its security settings

box, click Trusted Sites, and then click Sites.

3. Clear the Require server verification (https:) for all sites in this zone check box.

4. In the Add this Web site to the zone box, type the URL of your site, and then click Add.

5. Click Close to close the Trusted Sites dialog box.

6. Click OK to close the Internet Options dialog box.

If you are using a proxy server in your organization, use the following steps to configure Internet

Explorer to bypass the proxy server for local addresses.

Configure proxy server settings to bypass the proxy server for local addresses

1. In Internet Explorer, on the Tools menu, click Internet Options.

2. On the Connections tab, in the Local Area Network (LAN) settings area, click LAN

Settings.

3. In the Automatic configuration section, clear the Automatically detect settings check

box.

4. In the Proxy Server section, select the Use a proxy server for your LAN check box.

5. In the Address box, type the address of the proxy server.

6. In the Port box, type the port number of the proxy server.

7. Select the Bypass proxy server for local addresses check box.

8. Click OK to close the Local Area Network (LAN) Settings dialog box.

9. Click OK to close the Internet Options dialog box.

Perform post-installation steps

After Setup finishes, your browser window opens to the home page of your new SharePoint site.

Although you can start adding content to the site, or start customizing the site, we recommend

that you perform the following administrative tasks by using the SharePoint Central Administration

Web site.

Configure incoming e-mail settings You can configure incoming e-mail settings so that

SharePoint sites accept and archive incoming e-mail. You can also configure incoming e-mail

settings so that SharePoint sites can archive e-mail discussions as they happen, save e-

mailed documents, and show e-mailed meetings on site calendars. In addition, you can

configure the SharePoint Directory Management Service to provide support for e-mail

distribution list creation and management. For more information, see Configure incoming e-

mail settings.

Configure outgoing e-mail settings You can configure outgoing e-mail settings so that

your Simple Mail Transfer Protocol (SMTP) server sends e-mail alerts to site users and

notifications to site administrators. You can configure both the "From" e-mail address and the

"Reply" e-mail address that appear in outgoing alerts. For more information, see Configure

outgoing e-mail settings.

Configure diagnostic logging settings You can configure several diagnostic logging

settings to help with troubleshooting. This includes enabling and configuring trace logs, event

messages, user-mode error messages, and Customer Experience Improvement Program

events. For more information, see Configure diagnostic logging settings.

Configure antivirus protection settings You can configure several antivirus settings if you

have an antivirus program that is designed for Office SharePoint Server 2007. Antivirus

settings enable you to control whether documents are scanned on upload or download and

whether users can download infected documents. You can also specify how long you want

the antivirus program to run before it times out, and you can specify how many execution

threads the antivirus program can use on the server. For more information, see Configure

antivirus settings.

Create SharePoint sites When Setup finishes, you have a single Web application that

contains a single SharePoint site collection that hosts a SharePoint site. You can create more

SharePoint site collections, sites, and Web applications if your site design requires multiple

sites or multiple Web applications. For more information, see Chapter overview: Deploy and

configure SharePoint sites.

Note:

If you create additional Web applications to host SharePoint sites, you must also

configure Windows Firewall to allow communication on the ports for those Web

applications. For more information, see Deploy a simple farm on the Windows Server

2008 operating system.

Perform administrator tasks by using the Central Administration site

1. Click Start, point to All Programs, point to Administrative Tools, and then click

SharePoint 3.0 Central Administration.

2. On the Central Administration home page, under Administrator Tasks, click the task

you want to perform.

3. On the Administrator Tasks page, next to Action, click the task.

Configure the trace log

Trace log files can help you to troubleshoot issues related to configuration changes of the

Windows SharePoint Services Search service. The trace log can also be useful for analyzing

problems that might occur. For example, you can use events that are written to the trace log to

identify what configuration changes were made in Office SharePoint Server 2007 before the

problem occurred.

Because problems related to configuration changes are not always immediately discovered, we

recommend that you save all trace log files that the system creates on any day that you make any

configuration changes related to the search service. Store these log files for an extended period

of time in a safe location that will not be overwritten.

By default, Office SharePoint Server 2007 saves two days of events in the trace log files; trace

log files that contain events that are older than two days are deleted. When using the Windows

SharePoint Services Search service, we recommend that you configure the trace log to save

seven days of events.

You can use the Diagnostic Logging page in Central Administration to configure the maximum

number of trace log files to maintain and the duration (in minutes) to capture events to each log

file. By default, 96 log files are kept, each one containing 30 minutes of events.

96 log files * 30 minutes of events per file = 2880 minutes or two days of events.

You can also specify the location where the log files are written or accept the default path. See

step 3 in this procedure to determine the location that the system stores trace log files for your

system.

Configure the trace log to save seven days of events

1. In Central Administration, on the Operations tab, in the Logging and Reporting section,

click Diagnostic logging.

2. On the Diagnostic Logging page, in the Trace Log section, do the following:

In the Number of log files box, type 336.

In the Number of minutes to use a log file box, type 30.

Tip:

To save 10,080 minutes (seven days) of events, you can use any combination of

number of log files and minutes to store in each log file.

3. Ensure that the path specified in the Path box has enough room to store the extra log

files or change the path to another location.

Tip:

We recommend that you store log files on a hard drive partition that is used to

store log files only.

4. Click OK.
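An added example, not part of the guide, that derives the Number of log files value for a retention target and estimates whether the path from step 3 has room for that many files, using the trace logs already on disk as the size estimate. You supply the log path; it assumes a local drive letter rather than a UNC path.

```powershell
# Added example (not from the deployment guide): size the trace log retention before changing it.

function Get-TraceLogFileCount {
    param([int]$RetentionMinutes = 10080, [int]$MinutesPerFile = 30)
    # Same arithmetic as the guide's 96 files x 30 minutes = 2880 minutes, solved for the file count.
    return [int][math]::Ceiling($RetentionMinutes / $MinutesPerFile)
}

function Test-TraceLogCapacity {
    param(
        [Parameter(Mandatory=$true)][string]$LogPath,   # the value shown in the Path box (step 3)
        [int]$FileCount = (Get-TraceLogFileCount)
    )
    # Use the trace logs already on disk as the size estimate for the ones still to be written.
    $files = @(Get-ChildItem -Path $LogPath -Filter '*.log' -ErrorAction SilentlyContinue)
    if ($files.Count -eq 0) { throw "No trace log files found under $LogPath" }
    $avgBytes    = ($files | Measure-Object -Property Length -Average).Average
    $neededBytes = $avgBytes * $FileCount

    # Free space on the local drive that holds the log path (assumes a drive-letter path, not UNC).
    $deviceId  = (Get-Item -LiteralPath $LogPath).PSDrive.Name + ':'
    $freeBytes = (Get-WmiObject -Class Win32_LogicalDisk -Filter "DeviceID='$deviceId'").FreeSpace

    New-Object PSObject -Property @{
        LogPath   = $LogPath
        FileCount = $FileCount
        NeededGB  = [math]::Round($neededBytes / 1GB, 2)
        FreeGB    = [math]::Round($freeBytes / 1GB, 2)
        Fits      = ($neededBytes -lt $freeBytes)
    }
}

# Seven days at 30 minutes per file is the guide's 336 files; the capacity check needs a real log path.
Get-TraceLogFileCount -RetentionMinutes 10080 -MinutesPerFile 30
# Test-TraceLogCapacity -LogPath 'D:\SharePointLogs'   # placeholder path, replace with the Path box value
```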

Configure Windows Server Backup

If you want to use Windows Server Backup with Windows SharePoint Services 3.0, you must

configure the following registry keys. If you do not configure these registry keys, Windows Server

Backup will not work properly with Windows SharePoint Services 3.0.

Important:

You must be logged on as a member of the Administrators group on the local server

computer to edit the registry. Incorrectly editing the registry might severely damage your

system. Before making changes to the registry, you should back up any valued data on

the computer.

Configure registry keys for Windows Server Backup

1. Click Start, click Run, and in the Open box, type regedit, and then click OK.

2. In the User Account Control dialog box, click Continue to open the Registry Editor.

3. In the Registry Editor, locate the following key:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\

4. On the Edit menu, click New, and then click Key.

5. Type WindowsServerBackup and then press ENTER.

6. Select the WindowsServerBackup key, and then on the Edit menu, click New, and then

click Key.

7. Type Application Support, and then press ENTER.

8. Select the Application Support key, and then on the Edit menu, click New, and then

click Key.

9. Type {c2f52614-5e53-4858-a589-38eeb25c6184} as the key name, and then press

ENTER.

This is the GUID for the WSS Writer.

10. Select the new key, and then on the Edit menu, click New, and then click String Value.

11. Type Application Identifier as the new value, and then press ENTER.

12. Right-click the Application Identifier value, and then click Modify.

13. In the Value Data box, type Windows SharePoint Services, and then click OK.

14. On the Edit menu, click New, and then click DWORD (32-bit) Value.

15. Type UseSameVssContext as the new value name, and then press ENTER.

16. Right-click the UseSameVssContext value, and then click Modify.

17. In the Value Data box, type 00000001, and then click OK.
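The same registration as a script, added here as an example and not part of the guide. It writes the keys and values from steps 3 through 17 (the WSS Writer GUID is the one given above) and then reads them back so a typo in the GUID or value name is caught before a backup is attempted.

```powershell
# Added example (not from the deployment guide): register the WSS Writer with Windows Server Backup.
# Run in an elevated PowerShell session on the Windows SharePoint Services 3.0 server.

# Values exactly as given in the procedure; the GUID identifies the WSS Writer.
$basePath   = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\WindowsServerBackup'
$writerGuid = '{c2f52614-5e53-4858-a589-38eeb25c6184}'
$writerPath = Join-Path (Join-Path $basePath 'Application Support') $writerGuid

# Create WindowsServerBackup, Application Support and the {GUID} key, skipping any that already exist.
foreach ($key in @($basePath, (Join-Path $basePath 'Application Support'), $writerPath)) {
    if (-not (Test-Path -LiteralPath $key)) { New-Item -Path $key | Out-Null }
}

# String value "Application Identifier" = "Windows SharePoint Services" (steps 10 to 13)
New-ItemProperty -LiteralPath $writerPath -Name 'Application Identifier' `
    -Value 'Windows SharePoint Services' -PropertyType String -Force | Out-Null

# DWORD (32-bit) value UseSameVssContext = 1 (steps 14 to 17)
New-ItemProperty -LiteralPath $writerPath -Name 'UseSameVssContext' `
    -Value 1 -PropertyType DWord -Force | Out-Null

# Read the values back; if either differs, Windows Server Backup will not drive the WSS Writer.
$props = Get-ItemProperty -LiteralPath $writerPath
$ok = ($props.'Application Identifier' -eq 'Windows SharePoint Services') -and ($props.UseSameVssContext -eq 1)
if ($ok) { "WSS Writer registration present at $writerPath" }
else     { throw "Registry values at $writerPath are not as expected" }
```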

II. Install Office SharePoint Server 2007 in a server farm environment

Chapter overview: Install Office SharePoint Server 2007 in a server farm environment

In this section:

Suggested topologies

Before you begin deployment

Overview of the deployment process

Important:

This section discusses how to do a clean installation of Microsoft Office SharePoint

Server 2007 in a server farm environment. It does not cover upgrading from previous

releases of Office SharePoint Server 2007 or how to upgrade from Microsoft Office

SharePoint Portal Server 2003. For more information about upgrading from

SharePoint Portal Server 2003, see Upgrading to Office SharePoint Server 2007

(http://technet.microsoft.com/en-us/library/cc303420.aspx).

Note:

This section does not cover installing Office SharePoint Server 2007 on a single

computer as a stand-alone installation. For more information, see Install Office

SharePoint Server 2007 on a stand-alone computer.

You can deploy Office SharePoint Server 2007 in a server farm environment if you are hosting a

large number of sites, if you want the best possible performance, or if you want the scalability of a

multi-tier topology. A server farm consists of one or more servers dedicated to running the Office

SharePoint Server 2007 application.

Note:

There is no direct upgrade from a stand-alone installation to a farm installation.

Because a server farm deployment of Office SharePoint Server 2007 is more complex than a

stand-alone deployment, we recommend that you plan your deployment. Planning your

deployment can help you to gather the information you need and to make important decisions

before beginning to deploy. For information about planning, see Planning and architecture for

Office SharePoint Server 2007 (http://technet.microsoft.com/en-us/library/cc261834.aspx).

Suggested topologies

Server farm environments can encompass a wide range of topologies, and can include many

servers or as few as two servers.

A small server farm typically consists of a database server running either Microsoft SQL Server

2005 or Microsoft SQL Server 2000 with the most recent service pack, and one or more servers

running Internet Information Services (IIS) and Office SharePoint Server 2007. In this

configuration, the front-end servers are configured as Web servers and application servers. The

Web server role provides Web content to clients. The application server role provides Office

SharePoint Server 2007 services such as servicing search queries, and crawling and indexing

content.

A medium server farm typically consists of a database server, an application server running

Office SharePoint Server 2007, and one or two front-end Web servers running Office SharePoint

Server 2007 and IIS. In this configuration, the application server provides indexing services and

Excel Calculation Services, and the front-end Web servers service search queries and provide

Web content.

A large server farm typically consists of two or more clustered database servers, several load-

balanced front-end Web servers running Office SharePoint Server 2007, and two or more

application servers running Office SharePoint Server 2007. In this configuration, each of the

application servers provides specific Office SharePoint Server 2007 services such as indexing or

Excel Calculation Services, and the front-end servers provide Web content.

Note:

All of the Web servers in your server farm must have the same SharePoint Products and

Technologies installed. For example, if all of the servers in your server farm are running

Office SharePoint Server 2007, you cannot add to your farm a server that is running only

Microsoft Office Project Server 2007. To run Office Project Server 2007 and Office

SharePoint Server 2007 in your server farm, you must install Office Project Server 2007

and Office SharePoint Server 2007 on each of your Web servers. To enhance the

security of your farm and reduce the surface area that is exposed to a potential attack,

you can turn off services on particular servers after you install SharePoint Products and

Technologies.

Before you begin deployment

This section provides information about actions that you must perform before you begin

deployment.

Important

The account that you select for installing Office SharePoint Server 2007 needs to be a

member of the Administrators group on every server on which you install Office

SharePoint Server 2007. However, you can remove this account from the Administrators

group on the servers after installation.

For information about assigning users to be SSP administrators, see "Shared Services

Providers" in Plan for security roles (http://technet.microsoft.com/en-

us/library/cc262918.aspx).

To deploy Office SharePoint Server 2007 in a server farm environment, you must provide

credentials for several different accounts. For information about these accounts, see "Plan for

administrative and service accounts" in the Planning and architecture for Office SharePoint

Server 2007 (http://technet.microsoft.com/en-us/library/cc261834.aspx) guide.

You must install Office SharePoint Server 2007 on the same drive on all load-balanced front-

end Web servers.

You must install Office SharePoint Server 2007 on a clean installation of the Microsoft

Windows Server 2003 operating system with the most recent service pack. If you uninstall a

previous version of Office SharePoint Server 2007, and then install Office SharePoint Server

2007, Setup might fail to create the configuration database and the installation will fail.

Note:

We recommend that you read the Known Issues/Readme documentation before you

install Office SharePoint Server 2007 on a domain controller. Installing Office

SharePoint Server 2007 on a domain controller requires additional configuration

steps that are not discussed in this section.

You must install the same language packs on all servers in the farm. For more information

about installing language packs, see Deploy language packs.

All the instances of Office SharePoint Server 2007 in the farm must be in the same language.

For example, you cannot have both an English version of Office SharePoint Server 2007 and

a Japanese version of Office SharePoint Server 2007 in the same farm.

You must use the Complete installation option on all computers you want to be index

servers, query servers, or servers that run Excel Calculation Services.

If you place a query server beyond a firewall from its index server, you must open the

NetBIOS ports (TCP/User Datagram Protocol (UDP) ports 137, 138, and 139) on all firewalls

that separate these servers. If your environment does not use NetBIOS, you must use direct-

hosted server message block (SMB); this requires that you open the TCP/UDP 445 port.

If you want to have more than one index server in a farm, you must use a different Shared

Services Provider (SSP) for each index server.

Overview of the deployment process

The deployment process consists of three phases: deploying and configuring the server

infrastructure, creating and configuring one or more Shared Services Providers (SSPs), and

deploying and configuring SharePoint site collections and sites.

Phase 1: Deploy and configure the server infrastructure

Deploying and configuring the server infrastructure consists of the following steps:

Preparing the database server.

Preinstalling the databases (optional).

Verifying that the servers meet hardware and software requirements.

Running Setup on all servers you want to be in the farm.

Installing available language template packs on front-end Web servers (optional). For more

information about installing language template packs, see Deploy language packs.

Running the SharePoint Products and Technologies Configuration Wizard.

If you want to search over the Help content for Office SharePoint Server 2007, starting the

Windows SharePoint Services Search service.

Phase 2: Create and configure a Shared Services Provider

Creating and configuring an SSP consists of the following steps:

Creating a Web application to host the SSP.

Creating the SSP.

Configuring the Web application and the SSP.

Configuring services on the servers.

For more information about creating and configuring SSPs, see III. Create and configure Shared

Services Providers.

Phase 3: Deploy and configure SharePoint site collections and sites

Deploying and configuring SharePoint site collections and sites consists of the following steps:

Creating a Web Application to host the site collections and sites.

Creating the site collections.

Creating the sites.

For more information about creating site collections and sites, see Deploy and configure

SharePoint sites (http://technet.microsoft.com/en-us/library/cc262442.aspx).

Prepare the database servers

In this section:

SQL Server and database collation

Required accounts

Preinstall databases (optional)

Before installing Microsoft Office SharePoint Server 2007, you must prepare the database server.

The database server must be running Microsoft SQL Server 2005 or Microsoft SQL Server 2000

with the most recent service pack.

The Office SharePoint Server 2007 Setup program automatically creates the necessary

databases when you install and configure Office SharePoint Server 2007. Optionally, you can

preinstall the required databases if your IT environment or policies require this.

For more information about prerequisites, see Determine hardware and software requirements

(http://technet.microsoft.com/en-us/library/cc262485.aspx).

If you are using SQL Server 2005, you must also change the surface area settings.

Configure surface area settings in SQL Server 2005

1. Click Start, point to All Programs, point to Microsoft SQL Server 2005, point to

Configuration Tools, and then click SQL Server Surface Area Configuration.

2. In the SQL Server 2005 Surface Area Configuration dialog box, click Surface Area

Configuration for Services and Connections.

3. In the tree view, expand the node for your instance of SQL Server, expand the Database

Engine node, and then click Remote Connections.

4. Select Local and Remote Connections, select Using both TCP/IP and named pipes,

and then click OK.

SQL Server and database collation

The SQL Server collation must be configured to be case-insensitive. The SQL Server database

collation must be configured for case-insensitive, accent-sensitive, Kana-sensitive, and width-

sensitive. This is to ensure file name uniqueness consistent with the Windows operating system.

For more information about collations, see "Selecting a SQL Collation" or "Collation Settings in

Setup" in SQL Server Books Online

(http://www.microsoft.com/downloads/details.aspx?familyid=BE6A2C5D-00DF-4220-B133-

29C1E0B6585F&displaylang=en).
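An added check, not from the guide, that tests a collation name for the four properties above (case-insensitive, accent-sensitive, Kana-sensitive, width-sensitive) and can list the server and database collations of an instance so non-compliant databases are found before Setup creates anything. The instance name is a placeholder; the sample collation names are constructed inputs.

```powershell
# Added example (not from the deployment guide): verify collations against the SharePoint requirement.

function Test-SharePointCollation {
    param([Parameter(Mandatory=$true)][string]$Collation)
    # Binary collations (_BIN, _BIN2) compare case-sensitively, so they fail outright.
    if ($Collation -match '_BIN2?$') { return $false }
    $flags = $Collation.Split('_')
    # A Windows collation name lists each sensitivity flag explicitly. SQL_* collations such as
    # SQL_Latin1_General_CP1_CI_AS omit KS and WS, which means Kana- and width-insensitive.
    return (($flags -contains 'CI') -and ($flags -contains 'AS') -and ($flags -contains 'KS') -and ($flags -contains 'WS'))
}

function Get-SqlCollations {
    param([Parameter(Mandatory=$true)][string]$ServerInstance)  # e.g. 'SQLSERVER01\OfficeServers' (placeholder)
    $conn = New-Object System.Data.SqlClient.SqlConnection
    $conn.ConnectionString = "Server=$ServerInstance;Integrated Security=SSPI;Database=master"
    $conn.Open()
    try {
        $cmd = $conn.CreateCommand()
        # SERVERPROPERTY, DATABASEPROPERTYEX and master..sysdatabases exist on SQL Server 2000 and 2005.
        $cmd.CommandText = "SELECT 'SERVER' AS name, CAST(SERVERPROPERTY('Collation') AS nvarchar(128)) AS collation " +
                           "UNION ALL SELECT name, CAST(DATABASEPROPERTYEX(name, 'Collation') AS nvarchar(128)) " +
                           "FROM master..sysdatabases"
        $reader = $cmd.ExecuteReader()
        while ($reader.Read()) {
            New-Object PSObject -Property @{ Name = $reader['name']; Collation = $reader['collation'] }
        }
        $reader.Close()
    } finally { $conn.Close() }
}

# Constructed sample names exercising the pure check before any server is involved:
Test-SharePointCollation 'Latin1_General_CI_AS_KS_WS'     # Windows collation listing all four flags
Test-SharePointCollation 'SQL_Latin1_General_CP1_CI_AS'   # SQL collation that omits KS and WS
Test-SharePointCollation 'Latin1_General_BIN'             # binary collation

# Against a real instance (placeholder name), report every collation that does not comply:
# Get-SqlCollations -ServerInstance 'SQLSERVER01' | Where-Object { -not (Test-SharePointCollation $_.Collation) }
```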

Required accounts

The following table describes the accounts that are used to configure Microsoft SQL Server and

to install Office SharePoint Server 2007. For more information about the required accounts,

including specific privileges required for these accounts, see Plan for administrative and service

accounts (http://technet.microsoft.com/en-us/library/cc263445.aspx).

Account                     Purpose

SQL Server service account  SQL Server prompts for this account during SQL Server Setup. This
                            account is used as the service account for the following SQL Server
                            services: MSSQLSERVER and SQLSERVERAGENT. If you are not using the
                            default instance, these services are shown as MSSQL$InstanceName and
                            SQLAgent$InstanceName.

Setup user account          The user account that is used to run Setup on each server.

Server farm account         This account is also referred to as the database access account. It
                            is the application pool account for the Central Administration site
                            and the process account for the Windows SharePoint Services Timer
                            (SPAdmin) service.

Preinstall databases (optional)

In many IT environments, database creation and management are handled by the database

administrator (DBA). Security and other policies might require that the DBA create the databases

required by Office SharePoint Server 2007. This topic provides details about how the DBA can

create these databases before beginning the Office SharePoint Server 2007 installation or

creation of a Shared Services Provider (SSP). For more information about preinstalling

databases, including detailed procedures, see Deploy using DBA-created databases.

Prepare the Web and application servers

In this section:

Install the Microsoft .NET Framework version 3.0

Enable ASP.NET 2.0

Before you install and configure Microsoft Office SharePoint Server 2007, be sure that your

servers have the recommended hardware and software. To deploy a server farm, you need at

least one server acting as a Web server and an application server, and one server acting as a

database server.

For more information about these requirements, see Determine hardware and software

requirements (http://technet.microsoft.com/en-us/library/cc262485.aspx).

Install the Microsoft .NET Framework version 3.0

Go to the Microsoft Download Center Web site

(http://go.microsoft.com/fwlink/?LinkID=72322&clcid=0x409), and on the Microsoft .NET

Framework 3.0 Redistributable Package page, follow the instructions for downloading and

installing the .NET Framework version 3.0. There are separate downloads for x86-based

computers and x64-based computers; be sure to download and install the appropriate version for

your computer. The .NET Framework version 3.0 download contains the Windows Workflow

Foundation technology, which is required by workflow features.

Enable ASP.NET 2.0

You must enable ASP.NET 2.0 on all Office SharePoint Server 2007 servers.

Enable ASP.NET 2.0

1. Click Start, point to All Programs, point to Administrative Tools, and then click

Internet Information Services (IIS) Manager.

2. In the IIS Manager tree, click the plus sign (+) next to the server name, and then click the

Web Service Extensions folder.

3. In the details pane, click ASP.NET v2.0.50727, and then click Allow.

Install Office SharePoint Server 2007 and run the SharePoint Products and Technologies configuration wizard

In this section:

Recommended order of configuration

Run Setup on the first server

Run the SharePoint Products and Technologies Configuration Wizard

Add the SharePoint Central Administration Web site to the list of trusted sites

Configure proxy server settings to bypass the proxy server for local addresses

Add servers to the farm

Run the SharePoint Products and Technologies Configuration Wizard on additional servers

Start the Windows SharePoint Services Search service

Stop the Central Administration service on all index servers

Disable the Windows SharePoint Services Web Application service on all servers not serving

content

After preparing your database and the servers in your farm, run Setup and then run the

SharePoint Products and Technologies Configuration Wizard on all your farm servers. Do this on

all farm servers before going on to create a Shared Services Provider (SSP).

Note:

We recommend that you run Setup on all the servers that will be in the farm before you

configure the farm.

You can add servers to the farm at this point, or after you have created and configured an SSP.

You can add servers after you have created and configured an SSP to add redundancy, such as

additional load-balanced Web servers or additional query servers. It is recommended that you run

Setup and the configuration wizard on all your application servers before you create and

configure the SSP.

Recommended order of configuration

We recommend that you configure Microsoft Office SharePoint Server 2007 in the order listed

below. This order makes configuration easier, and ensures that services and applications are in

place before they are required by server types.

1. We recommend that the Central Administration site be installed on an application server. In a

server farm that includes more than one application server, install the Central Administration

site on the application server with the least overall performance load. If your farm will have an

application server, install Office SharePoint Server 2007 on that server first; this also installs

the Central Administration Web site.

2. All your front-end Web servers.

3. The index server (if using a separate server for search queries and indexing).

4. The query servers, if separate from the index server.

Note:

To configure more than one query server in your farm, you cannot configure your

index server as a query server.

5. Other application servers (optional).

Because the SSP configuration requires an index server, you must start the Office SharePoint

Server Search service on the computer that you want to be the index server, and configure it as

an index server before you can create an SSP. Because of this, you must deploy and configure

an index server before other servers. You can choose any server to be the first server on which

you install Office SharePoint Server 2007. However, the Central Administration Web site is

automatically installed on the first server on which you install Office SharePoint Server 2007.

You can configure different features on different servers. The following table shows which

installation type should be used for each feature set.

Server type                                     Installation type

Central Administration Web application          Complete or front-end Web
Application server (such as Excel Calculation   Complete
  Services)
Search index server                             Complete
Search query server                             Complete
Web server                                      Complete or front-end Web (subsequent servers
                                                must join an existing farm)

Note:

If you choose the front-end Web installation option, you will not be able to run additional

services, such as search, on the server.

When you install Office SharePoint Server 2007 on the first server, you establish the farm. Any

servers that you add afterwards join this farm.

Setting up the first server involves two steps: installing the Office SharePoint Server 2007

components on the server, and configuring the farm. After Setup finishes, you can use the

SharePoint Products and Technologies Configuration Wizard to configure Office SharePoint

Server 2007. The SharePoint Products and Technologies Configuration Wizard automates

several configuration tasks, including installing and configuring the configuration database,

installing Office SharePoint Server 2007 services, and creating the Central Administration Web

site.

Add servers to the farm

We recommend that you install and configure Office SharePoint Server 2007 on all of the farm

servers before you configure Office SharePoint Server 2007 services and create sites.

Regardless of how many Web servers you have in your server farm, you must have Microsoft

SQL Server 2005 database software running on at least one database server before you install

Office SharePoint Server 2007 on your Web servers. By default, when you add servers to the

farm and run the SharePoint Products and Technologies Configuration Wizard, the wizard does

not create additional Central Administration Web sites on the servers that you add, nor does it

create any databases on your database server. However, you can use the wizard to create

additional Central Administration Web sites on the servers that you add.

Run Setup on the first server

Important:

If you uninstall Office SharePoint Server 2007 from the first server on which you installed

it, your farm might experience problems. It is not recommended that you install Office

SharePoint Server 2007 on an index server first.

Note:

Setup installs the Central Administration Web site on the first server on which you run

Setup. Therefore, we recommend that the first server on which you install Office

SharePoint Server 2007 be a server from which you want to run the Central

Administration Web site.

Run Setup on the first server

1. From the product disc, run Setup.exe, or from the product download, run

Officeserver.exe, on one of your Web servers.

2. On the Enter your Product Key page, enter your product key, and then click Continue.

Note:

Setup automatically verifies the product key, places a green check mark next to

the text box, and enables the Continue button after it validates the key. If the key

is not valid, Setup displays a red circle next to the text box and prompts you that

the key is incorrect.

3. On the Read the Microsoft Software License Terms page, review the terms, select the I

accept the terms of this agreement check box, and then click Continue.

4. On the Choose the installation you want page, click Advanced. The Basic option is for

stand-alone installations.


5. On the Server Type tab, select Complete.

6. Optionally, to install Office SharePoint Server 2007 at a custom location, select the File

Location tab, and then type the location or Browse to the location.

7. Optionally, to participate in the Customer Experience Improvement Program, select the

Feedback tab and select the option you want. To learn more about the program, click the

link. You must have an Internet connection to view the program information.

8. When you have chosen the correct options, click Install Now.

9. When Setup finishes, a dialog box appears that prompts you to complete the

configuration of your server. Be sure that the Run the SharePoint Products and

Technologies Configuration Wizard now check box is selected.

10. Click Close to start the configuration wizard. Instructions for completing the wizard are

provided in the next set of steps.

Run the SharePoint Products and Technologies Configuration Wizard

After Setup finishes, you can use the SharePoint Products and Technologies Configuration

Wizard to configure Office SharePoint Server 2007. The configuration wizard automates several

configuration tasks, including installing and configuring the configuration database, installing

Office SharePoint Server 2007 services, and creating the Central Administration Web site. Use

the following instructions to run the SharePoint Products and Technologies Configuration Wizard.

Run the SharePoint Products and Technologies Configuration Wizard

1. On the Welcome to SharePoint Products and Technologies page, click Next.

2. In the dialog box that notifies you that some services might need to be restarted during

configuration, click Yes.

3. On the Connect to a server farm page, click No, I want to create a new server farm,

and then click Next.

4. In the Specify Configuration Database Settings dialog box, in the Database server

box, type the name of the computer that is running SQL Server.

5. Type a name for your configuration database in the Database name box, or use the

default database name. The default name is "SharePoint_Config".

6. In the User name box, type the user name of the server farm account. (Be sure to type

the user name in the format DOMAIN\username.)

Important

This account is the server farm account and it is used to access your configuration database.

It also acts as the application pool identity for the SharePoint Central Administration

application pool, and it is the account under which the Windows® SharePoint Services Timer

service runs. The SharePoint Products and Technologies Configuration Wizard adds this

account to the SQL Server Logins, the SQL Server Database Creator server role, and the


SQL Server Security Administrators server role.

The user account that you specify for this service account must be a domain user account.

Because this account does not require a high level of privilege on the servers themselves, follow

the principle of least privilege and specify a user account that is not a member of the

Administrators group on your Web servers or your back-end servers. Note that the SQL Server

roles the wizard grants are not trivial: securityadmin can manage logins and server-level

permissions. Use a dedicated account with a strong password for the farm account, and do not

reuse it for other services or for interactive logon.

7. In the Password box, type the user's password, and then click Next.

8. On the Configure SharePoint Central Administration Web Application page, select the

Specify port number check box; type a port number if you want the SharePoint Central

Administration Web application to use a specific port, or leave the Specify port number

check box cleared if you do not care which port number the SharePoint Central

Administration Web application uses.

9. In the Configure SharePoint Central Administration Web Application dialog box, do

one of the following:

If you want to use NTLM authentication (the default), click Next.

If you want to use Kerberos authentication, click Negotiate (Kerberos), and then

click Next.

Note:

In most cases, use the default setting (NTLM). Use Negotiate (Kerberos)

only if Kerberos authentication is supported in your environment. Using the

Negotiate (Kerberos) option requires you to configure a Service Principal

Name (SPN) for the domain user account. To do this, you must be a member

of the Domain Admins group. For more information, see How to configure a

Windows SharePoint Services virtual server to use Kerberos authentication

and how to switch from Kerberos authentication back to NTLM authentication

(http://go.microsoft.com/fwlink/?LinkID=76570&clcid=0x409).

10. On the Completing the SharePoint Products and Technologies Configuration Wizard

page, click Next.

11. On the Configuration Successful page, click Finish.

The SharePoint Central Administration Web site home page opens.

Notes

If you are prompted for your user name and password, you might need to add the SharePoint

Central Administration Web site to the list of trusted sites, and configure user authentication

settings in Internet Explorer. Instructions for configuring these settings are provided in the

next set of steps.

If a proxy server error message appears, you might need to configure your proxy server

settings so that local addresses bypass the proxy server. Instructions for configuring this

setting are provided later in this section.
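The Important note under step 6 of the wizard describes what the server farm account needs (a domain account, not a local Administrator on any farm server, and only the SQL Server roles the wizard grants). The following script is an added preflight check written for this page; it is not part of the Microsoft deployment book. It assumes PowerShell 2.0 or later, that the account, server and instance names given as defaults are placeholders for your own, that the operator can read local group membership on the farm servers, and that the operator can query sys.server_role_members on the SQL Server instance.

```powershell
# Added preflight check for the server farm account; not from the deployment book.
# Verifies the guidance in the wizard's Important note:
#   - the account is a domain account written as DOMAIN\username
#   - it is not a direct member of local Administrators on any farm server
#   - on SQL Server it has a login and holds dbcreator and securityadmin
#     (what the wizard grants) but nothing broader, such as sysadmin
# The default names below are placeholders (assumed), not values from the book.
param(
    [string]$FarmAccount = 'CONTOSO\svc-spfarm',
    [string[]]$FarmServers = @('WFE01', 'WFE02', 'INDEX01'),
    [string]$SqlInstance = 'SQL01'
)

$expectedRoles = @('dbcreator', 'securityadmin')
$problems = @()

# 1. Domain account in DOMAIN\username form (the wizard requires this format).
if ($FarmAccount -notmatch '^[^\\]+\\[^\\]+$') {
    throw "Farm account '$FarmAccount' is not in DOMAIN\username form."
}
$domain, $user = $FarmAccount.Split('\')

# 2. Direct membership in local Administrators on each farm server.
#    Nested domain groups are not expanded here; review those separately.
foreach ($server in $FarmServers) {
    $group = [ADSI]"WinNT://$server/Administrators,group"
    $members = $group.psbase.Invoke('Members') | ForEach-Object {
        # Each member is a COM object; its ADsPath looks like WinNT://CONTOSO/svc-spfarm
        $_.GetType().InvokeMember('ADsPath', 'GetProperty', $null, $_, $null)
    }
    if (@($members) -contains "WinNT://$domain/$user") {
        $problems += "$FarmAccount is a local Administrator on $server."
    }
}

# 3. SQL Server login and fixed server roles, queried with the operator's
#    Windows credentials (Integrated Security).
$connectionString = "Server=$SqlInstance;Database=master;Integrated Security=SSPI"
$conn = New-Object System.Data.SqlClient.SqlConnection($connectionString)
$conn.Open()
try {
    $cmd = $conn.CreateCommand()
    [void]$cmd.Parameters.AddWithValue('@login', $FarmAccount)

    # SUSER_ID returns NULL when no login with that name exists.
    $cmd.CommandText = 'SELECT SUSER_ID(@login)'
    if ($cmd.ExecuteScalar() -is [DBNull]) {
        $problems += "$FarmAccount has no login on $SqlInstance."
    } else {
        # Fixed server roles the login is a member of.
        $cmd.CommandText = @'
SELECT r.name
FROM sys.server_role_members AS m
JOIN sys.server_principals AS r ON r.principal_id = m.role_principal_id
JOIN sys.server_principals AS p ON p.principal_id = m.member_principal_id
WHERE p.name = @login
'@
        $roles = @()
        $reader = $cmd.ExecuteReader()
        while ($reader.Read()) { $roles += $reader.GetString(0) }
        $reader.Close()

        foreach ($role in $expectedRoles) {
            if ($roles -notcontains $role) {
                $problems += "Missing server role $role on $SqlInstance."
            }
        }
        foreach ($role in $roles) {
            if ($expectedRoles -notcontains $role) {
                $problems += "Unexpected server role $role on $SqlInstance (broader than the wizard grants)."
            }
        }
    }
} finally {
    $conn.Close()
}

if ($problems.Count -eq 0) {
    Write-Host "$FarmAccount satisfies the least-privilege checks."
} else {
    $problems | ForEach-Object { Write-Warning $_ }
}
```

Run it before the wizard (expect a warning that the login is missing, which the wizard will create) and again afterwards, when the only roles reported should be dbcreator and securityadmin. Any extra server role, or a hit in local Administrators, means someone granted more than the deployment needs.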


Add the SharePoint Central Administration Web site to the list of trusted sites

1. In Internet Explorer, on the Tools menu, click Internet Options.

2. On the Security tab, in the Select a Web content zone to specify its security settings

box, click Trusted sites, and then click Sites.

3. Clear the Require server verification (https:) for all sites in this zone check box.

Clearing this check box lets the Trusted sites zone accept http:// addresses, and that zone

runs with lower security settings than the Internet zone. Add only the Central Administration

URL (its exact host name and port) to the zone; do not add whole domains.

4. In the Add this Web site to the zone box, type the URL for the SharePoint Central

Administration Web site, and then click Add.

5. Click Close to close the Trusted sites dialog box.

6. Click OK to close the Internet Options dialog box.

Configure proxy server settings to bypass the proxy server for local addresses

1. In Internet Explorer, on the Tools menu, click Internet Options.

2. On the Connections tab, in the Local Area Network (LAN) settings area, click LAN

Settings.

3. In the Automatic configuration section, clear the Automatically detect settings check

box.

4. In the Proxy Server section, select the Use a proxy server for your LAN check box.

5. Type the address of the proxy server in the Address box.

6. Type the port number of the proxy server in the Port box.

7. Select the Bypass proxy server for local addresses check box.

8. Click OK to close the Local Area Network (LAN) Settings dialog box.

9. Click OK to close the Internet Options dialog box.
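The note under step 9 of the wizard says that Negotiate (Kerberos) requires a Service Principal Name (SPN) for the domain user account and Domain Admins rights; the same applies later to the SSP Web application. The script below is an added example written for this page, not the book's own procedure or a Microsoft tool. It assumes you run it as a member of Domain Admins, that setspn.exe is on the path (it ships in the Windows Server 2003 Support Tools), and that the account and host names given as defaults are placeholders for your farm account and for the host part of the site URL.

```powershell
# Added example; not from the Microsoft deployment book. Registers the HTTP
# service principal names that Negotiate (Kerberos) needs for the Central
# Administration Web application (and, with other host names, for the SSP
# Web application), after checking that no other account already carries
# them. A duplicate SPN breaks Kerberos silently, so the check is the point.
# Assumed placeholders: the account name and host names below.
param(
    [string]$AppPoolAccount = 'CONTOSO\svc-spfarm',
    [string[]]$HostNames = @('spadmin', 'spadmin.contoso.com'),
    [switch]$Register   # without it the script only reports what it would do
)

function Find-SpnOwner {
    param([string]$Spn)
    # Search the current domain for any object that already holds this SPN.
    $searcher = New-Object System.DirectoryServices.DirectorySearcher
    $searcher.Filter = "(servicePrincipalName=$Spn)"
    [void]$searcher.PropertiesToLoad.Add('sAMAccountName')
    $result = $searcher.FindOne()
    if ($result -eq $null) { return $null }
    return [string]$result.Properties['samaccountname'][0]
}

# Internet Explorer builds the SPN from the host name only; the port number of
# the Central Administration site is not part of it, so register HTTP/<host>
# for both the short name and the fully qualified name users type.
$account = $AppPoolAccount.Split('\')[1]
foreach ($hostName in $HostNames) {
    $spn = "HTTP/$hostName"
    $owner = Find-SpnOwner $spn
    if ($owner -eq $null) {
        if ($Register) {
            & setspn -A $spn $AppPoolAccount
        } else {
            Write-Host "Would register $spn on $AppPoolAccount (rerun with -Register)."
        }
    } elseif ($owner -ieq $account) {
        Write-Host "$spn is already registered on $AppPoolAccount."
    } else {
        Write-Warning "$spn is already registered on $owner. Kerberos will fail for this site until the duplicate is removed; do not register it a second time."
    }
}
```

Run it once without -Register to see the current state, then with -Register. The SPNs must be on the account that is the application pool identity of the Web application; for Central Administration that is the server farm account, for the SSP Web application it is whatever account you choose in the Application Pool section.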

Add servers to the farm

We recommend that you install and configure Office SharePoint Server 2007 on all of your Web

servers and the index server before you configure Office SharePoint Server 2007 services and

create sites. If you want to build a minimal server farm configuration, and incrementally add Web

servers to expand the farm, you can install and configure Office SharePoint Server 2007 on a

single Web server, and configure the Web server as both a Web server and an application server.

Regardless of how many Web servers you have in your server farm, you must have SQL Server


2005 running on at least one back-end database server before you install Office SharePoint

Server 2007 on your Web servers.

Important:

If you uninstall Office SharePoint Server 2007 from the first server on which you installed

it, your farm might experience problems. It is not recommended that you install Office

SharePoint Server 2007 on an index server first.

Run Setup on additional servers — front-end Web servers

1. From the product disc, run Setup.exe, or from the product download, run

Officeserver.exe, on one of your Web servers.

2. On the Enter your Product Key page, enter your product key, and then click Continue.

Note:

Setup automatically verifies the product key, places a green check mark next to

the text box, and enables the Continue button after it validates the key. If the key

is not valid, Setup displays a red circle next to the text box and prompts you that

the key is incorrect.

3. On the Read the Microsoft Software License Terms page, review the terms, select the I

accept the terms of this agreement check box, and then click Continue.

4. On the Choose the installation you want page, click Advanced.

5. On the Server Type tab, click Web Front End.

6. Optionally, to install Office SharePoint Server 2007 at a custom location, select the File

Location tab, and then type the location or Browse to the location.

7. Optionally, to participate in the Customer Experience Improvement Program, select the

Feedback tab and select the option you want. To learn more about the program, click the

link. You must have an Internet connection to view the program information.

8. When you have chosen the correct options, click Install Now.

9. When Setup finishes, a dialog box appears that prompts you to complete the

configuration of your server. Be sure that the Run the SharePoint Products and

Technologies Configuration Wizard now check box is selected.

10. Click Close to start the configuration wizard. Instructions for completing the wizard are

provided in the following section.

Run Setup on additional servers — index or query server

1. From the product disc, run Setup.exe, or from the product download, run

Officeserver.exe, on the server that you want to be the index or query server.

2. On the Enter your Product Key page, enter your product key, and then click Continue.

Note:

Setup automatically verifies the product key, places a green check mark next to

the text box, and enables the Continue button after it validates the key. If the key


is not valid, Setup displays a red circle next to the text box and prompts you that

the key is incorrect.

3. On the Read the Microsoft Software License Terms page, review the terms, select the I

accept the terms of this agreement check box, and then click Continue.

4. On the Choose the installation you want page, click Advanced.

5. On the Server Type tab, click Complete.

6. Optionally, to install Office SharePoint Server 2007 at a custom location, select the File

Location tab, and then type the location or Browse to the location.

7. Optionally, to participate in the Customer Experience Improvement Program, select the

Feedback tab and select the option you want. To learn more about the program, click the

link. You must have an Internet connection to view the program information.

8. When you have chosen the correct options, click Install Now.

9. When Setup finishes, a dialog box appears that prompts you to complete the

configuration of your server. Be sure that the Run the SharePoint Products and

Technologies Configuration Wizard now check box is selected.

10. Click Close to start the configuration wizard. Instructions for completing the wizard are

provided in the next set of steps.

Run the SharePoint Products and Technologies Configuration Wizard on additional servers

After Setup finishes, you can use the SharePoint Products and Technologies Configuration

Wizard to configure Office SharePoint Server 2007. The configuration wizard automates several

configuration tasks, including installing Office SharePoint Server 2007 services. Use the following

instructions to run the SharePoint Products and Technologies Configuration Wizard.

Run the SharePoint Products and Technologies Configuration Wizard on additional servers

1. On the Welcome to SharePoint Products and Technologies page, click Next.

2. In the dialog box that notifies you that some services might need to be restarted during

configuration, click Yes.

3. On the Connect to a server farm page, click Yes, I want to connect to an existing

server farm, and then click Next.

4. In the Specify Configuration Database Settings dialog box, in the Database server

box, type the name of the computer that is running SQL Server.

5. Click Retrieve Database Names, and then from the Database name list, select the

database name that you created when you configured the first server in your server farm.

6. In the User name box, type the user name of the account used to connect to the

computer running SQL Server. (Be sure to type the user name in the format

DOMAIN\username.) This must be the same user account you used when you configured


the first server.

7. In the Password box, type the user's password, and then click Next.

8. On the Completing the SharePoint Products and Technologies Configuration Wizard

page, click Next.

9. On the Configuration Successful page, click Finish.

Start the Windows SharePoint Services Search service (optional)

You must start the Windows SharePoint Services Search service on every computer that you

want to search over Help content. If you do not want users to be able to search over Help

content, you do not need to start this service.

Start the Windows SharePoint Services Search service (optional)

1. On the SharePoint Central Administration home page, click the Operations tab on the

top link bar.

2. On the Operations page, in the Topology and Services section, click Services on

server.

3. On the Services on Server page, next to Windows SharePoint Services Search, click

Start.

4. On the Configure Windows SharePoint Services Search Service Settings page, in the

Service Account section, type the user name and password for the user account under

which the Windows SharePoint Services Search service account will run.

5. In the Content Access Account section, type the user name and password for the user

account that the Search service will use to search over content. This account must have

read access to all the content you want it to search over. If you do not specify credentials,

the same account used for the Search service will be used.

6. In the Indexing Schedule section, either accept the default settings, or specify the

schedule that you want the Search service to use when searching over content.

7. After you have configured all the settings, click Start.

Stop the Central Administration service on all index servers

In farms with more than one index server, stop the Central Administration service on all index

servers. This service is used for the Central Administration Web site and is not required on index

servers. Stopping this service on index servers can help avoid URL resolution problems with

indexing. On the other hand, you must be sure that this service is started on the server that hosts

the Central Administration Web site, even if that server is also an index server. You do not need

to stop this service for installations where the farm has only one index server.


Before stopping the service on the index server, make sure that the service is running on another

server.

Stop the Central Administration service on an index server

1. On the Services on Server page, select the index server from the Server drop-down list.

2. Under Select server role to display services you will need to start in the table

below, select the Custom option.

3. In the table of services, next to Central Administration, in the Action column, click

Stop.

Disable the Windows SharePoint Services Web Application service on all servers not serving content

Disable the Windows SharePoint Services Web Application service on all servers that are not

serving content, especially index servers. On the other hand, you must be sure that this service is

enabled on the servers that are serving content.

Disable the Windows SharePoint Services Web Application service on a server

1. On the SharePoint Central Administration home page, click the Operations tab on the

top link bar.

2. On the Operations page, in the Topology and Services section, click Services on

server.

3. On the Services on Server page, next to Windows SharePoint Services Web

Application, click Stop.


Deploy language packs

In this section:

About language IDs and language packs

Preparing your front-end Web servers for language packs

Installing language packs on your front-end Web servers

Language packs enable site owners and site collection administrators to create SharePoint sites

and site collections in multiple languages without requiring separate installations of Microsoft

Office SharePoint Server 2007. You install language packs, which contain language-specific site

templates, on your front-end Web servers. When an administrator creates a site or a site

collection based on a language-specific site template, the text that appears on the site or the site

collection is displayed in the site template's language. Language packs are typically used in

multinational deployments where a single server farm supports people in different locations or in

situations where sites and Web pages must be duplicated in one or more languages. For more

information about language packs, see Plan for multilingual sites (http://technet.microsoft.com/en-

us/library/cc262055.aspx).

Note:

You cannot change an existing site, site collection, or Web page from one language to

another by applying different language-specific site templates; once you choose a

language-specific site template for a site or a site collection, the site or site collection will

always display content in the language of the original site template.

Word breakers and stemmers enable you to efficiently and effectively search across content on

SharePoint sites and site collections in multiple languages without requiring separate installations

of Office SharePoint Server 2007. Word breakers and stemmers are not installed with language

packs. Instead, they are automatically installed on your front-end Web servers by the Setup

wizard. For more information about word breakers and stemmers, see the "Plan word breakers

and stemmers" section in Plan to crawl content (http://technet.microsoft.com/en-

us/library/cc262926.aspx).

You can install language packs for Microsoft Office Server products from the Microsoft Download

site, at 2007 Office System Language Packs

(http://www.microsoft.com/downloads/details.aspx?FamilyId=2447426B-8689-4768-BFF0-

CBB511599A45&displaylang=en).

Important:

If you are uninstalling a Microsoft Office Server product, you must uninstall all language

packs before you uninstall the product.


About language IDs and language packs

When site owners or site collection administrators create sites or site collections, they can choose

a language for each site or site collection.

The language they choose represents the language identifier (ID), and the language ID

determines the language that is used to display text and interpret text that is put on the site or site

collection. For example, when a site administrator chooses to create a site in French, the site's

toolbars, navigation bars, lists, and column headings appear in French. Likewise, if a site

administrator chooses to create a site in Arabic, the site's toolbars, navigation bars, lists, and

column headings appear in Arabic, and the default left-to-right orientation of the site changes to a

right-to-left orientation to properly display Arabic text.

The list of available languages that a site administrator can use to create a site or site collection is

generated by the language packs that are installed on your front-end Web servers. By default,

sites and site collections are created in the language in which Office SharePoint Server 2007 was

installed. For example, if you install the Spanish version of Office SharePoint Server 2007, the

default language for sites, site collections, and Web pages is Spanish. If a site administrator

needs to create sites, site collections or Web pages in a language other than the default Office

SharePoint Server 2007 language, you must install the language pack for that language on your

front-end Web servers. For example, if you are running the French version of Office SharePoint

Server 2007, and a site administrator wants to create sites in French, English, and Spanish, you

must install the English and Spanish language packs on your front-end Web servers.

Note:

By default, when a site administrator creates a new Web page within a site, the Web

page uses the site's language ID to display text.

Language packs for Office SharePoint Server 2007 are not bundled into multilingual installation

packages. You must install a specific language pack for each language that you want to support.

Also, language packs must be installed on each of your front-end Web servers to ensure that

each Web server can render content in the specified language.

The following table lists the language packs that are available for Office SharePoint Server 2007.

Language    Country/Region    Language ID
German      Germany           1031
English     United States     1033
Japanese    Japan             1041

Although a site administrator specifies a language ID for a site, some user interface elements

such as error messages, notifications, and dialog boxes do not display in the language that was

specified. This is because Office SharePoint Server 2007 relies on several supporting

technologies — for example, the Microsoft .NET Framework, Microsoft Windows Workflow

Foundation, Microsoft ASP.NET, and Microsoft SQL Server 2005 — some of which are localized

into only a limited number of languages. If a user interface element is generated by any of the


supporting technologies that is not localized into the language that the site administrator specified

for the site, the user interface element appears in English. For example, if a site administrator

creates a site in Hebrew, and the .NET Framework component displays a notification message,

the notification message will not display in Hebrew because the .NET Framework is not localized

into Hebrew. This situation can occur when sites are created in any language except the

following: Chinese, French, German, Italian, Japanese, Korean, and Spanish.

In some cases, some text might originate from the original installation language, which can create

a mixed-language experience. This type of mixed-language experience is typically seen only by

content creators or site administrators and is not seen by site users.

Preparing your front-end Web servers for language packs

Before you install language packs on your front-end Web servers, you must do the following:

Install the necessary language files on your front-end Web servers.

Install Office SharePoint Server 2007 on each of your front-end Web servers.

Run the SharePoint Products and Technologies Configuration Wizard on each of your front-

end Web servers.

Language files are used by the operating system and provide support for displaying and entering

text in multiple languages. Language files include:

Keyboard files

Input Method Editors (IMEs)

TrueType font files

Bitmap font files

Code page conversion tables

National Language Support (.nls) files

Script engines for rendering complex scripts

Most language files are installed by default on the Microsoft Windows Server 2003 operating

system. However, you must install supplemental language files for East Asian languages and

languages that use complex script or require right-to-left orientations. The East Asian languages

include Chinese, Japanese, and Korean; the complex script and right-to-left oriented languages

include Arabic, Armenian, Georgian, Hebrew, the Indic languages, Thai, and Vietnamese.

Instructions for installing these supplemental language files are provided in the following

procedure.

We recommend that you install these language files only if you need them. The East Asian files

require about 230 megabytes of hard disk space. The complex script and right-to-left languages

do not use much disk space, but installing either set of files might reduce performance when

entering text.


Note:

You must be a member of the Administrators group on the computer to install these

language files. After the language files are installed, the languages are available to all

users of the computer.

Note:

You will need your Windows Server 2003 product disc to perform this procedure, or you

will need to know the location of a shared folder that contains your operating system

installation files.

Note:

You must restart your computer after you install supplemental language files.

Install additional language files

1. On your front-end Web server, click Start, point to Settings and then Control Panel, and

then click Regional and Language Options.

2. In the Regional and Language Options dialog box, on the Languages tab, in the

Supplemental Language Support section, select one or both of the following

checkboxes:

Install files for complex script and right-to-left languages

Install files for East Asian languages

3. Click OK in the dialog box that alerts you that additional disk space is required for the

files.

4. Click OK to install the additional language files.

5. When prompted, insert your Windows Server 2003 product disc or provide the location of

your Windows Server 2003 installation files.

6. When prompted to restart your computer, click Yes.

After you install the necessary language files on your front-end servers, you need to install Office

SharePoint Server 2007 and run the SharePoint Products and Technologies Configuration

Wizard. The wizard creates and configures the configuration database and performs other

configuration tasks that must be done before you install language packs. For more information

about installing Office SharePoint Server 2007 and running the SharePoint Products and

Technologies Configuration Wizard, see Deploy in a simple server farm and Install Office

SharePoint Server 2007 on a stand-alone computer.

Installing language packs on your front-end Web servers

After you install the necessary language files on your front-end servers, you can install your

language packs. Language packs are available as individual downloads (one download for each

supported language). If you have a server farm environment, and you are installing language


packs to support multiple languages, you must install the language packs on each of your front-

end Web servers.

Important:

The language pack installs in its native language, for example the Russian language

pack executable file is localized into Russian. The procedure provided below is for the

English language pack.

Install a language pack

1. Run setup.exe.

2. On the Read the Microsoft Software License Terms page, review the terms, select the I

accept the terms of this agreement check box, and then click Continue.

3. The setup wizard runs and installs the language pack.

4. Rerun the SharePoint Products and Technologies Configuration Wizard, using the default

settings. If you do not run the SharePoint Products and Technologies Configuration

Wizard after you install a language pack, the language pack will not be installed properly.

Rerun the SharePoint Products and Technologies Configuration Wizard

1. Click Start, point to All Programs, point to Administrative Tools, and then click

SharePoint Products and Technologies Configuration Wizard.

2. On the Welcome to SharePoint Products and Technologies page, click Next.

3. Click Yes in the dialog box that alerts you that some services might need to be restarted

during configuration.

4. On the Modify server farm settings page, click Do not disconnect from this server

farm, and then click Next.

5. If the Modify SharePoint Central Administration Web Administration Settings page

appears, do not modify any of the default settings, and then click Next.

6. On the Completing the SharePoint Products and Technologies Configuration Wizard

page, click Next.

7. On the Configuration Successful page, click Finish.

When you install language packs, the language-specific site templates are installed in the

\Program Files\Common Files\Microsoft Shared\web server extensions\12\template\number

directory, where number is the Language ID for the language that you are installing. For example,

the US English language pack installs to the \Program Files\Common Files\Microsoft Shared\web

server extensions\12\template\1033 directory. After you install a language pack, site owners and

site collection administrators can create sites and site collections based on the language-specific

site templates by specifying a language when they are creating a new SharePoint site or site

collection.
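Because a language pack must be present on every front-end Web server and installs its site templates under the TEMPLATE\<Language ID> directory described above, a pack installed on one server but missed on another only shows up when a request for a site in that language lands on the wrong server. The following script is an added consistency check written for this page, not a tool from the book. It assumes the default installation path, that the administrative share (C$) of each front-end Web server is reachable from where you run the script, and that the server names given as defaults are placeholders.

```powershell
# Added example; not from the Microsoft deployment book. Compares the
# language-specific template directories (TEMPLATE\<LCID>) across all
# front-end Web servers so that a language pack installed on some servers
# but not others is caught before users hit it.
# Assumed placeholders: the server names below and the default install path.
param(
    [string[]]$WebServers = @('WFE01', 'WFE02'),
    [string]$TemplateRoot = 'Program Files\Common Files\Microsoft Shared\web server extensions\12\TEMPLATE'
)

function Get-InstalledLcids {
    param([string]$Server)
    # Each language pack creates a four-digit language ID directory
    # (1033, 1031, 1041, ...); other TEMPLATE subdirectories are ignored.
    $path = "\\$Server\C`$\$TemplateRoot"
    Get-ChildItem -Path $path |
        Where-Object { $_.PSIsContainer -and $_.Name -match '^\d{4}$' } |
        ForEach-Object { [int]$_.Name }
}

$perServer = @{}
foreach ($server in $WebServers) {
    $perServer[$server] = @(Get-InstalledLcids $server)
}

# Union of every language ID seen on any server; each server should have all of them.
$allLcids = @()
foreach ($list in $perServer.Values) { $allLcids += $list }
$allLcids = @($allLcids | Sort-Object -Unique)

$consistent = $true
foreach ($server in $WebServers) {
    $missing = @($allLcids | Where-Object { $perServer[$server] -notcontains $_ })
    if ($missing.Count -gt 0) {
        $consistent = $false
        Write-Warning ("{0} lacks language ID(s) {1}; sites in those languages will fail on this server." -f $server, ($missing -join ', '))
    } else {
        Write-Host ("{0}: {1}" -f $server, ($perServer[$server] -join ', '))
    }
}
if ($consistent) {
    Write-Host 'All front-end Web servers have the same language packs installed.'
}
```

Run it after installing a language pack and rerunning the configuration wizard on each server; a server reported as lacking a language ID still needs the pack, or the wizard was not rerun there.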


Uninstalling language packs

If you no longer need to support a language for which you have installed a language pack, you

can remove the language pack by using Add/Remove Programs in Control Panel. Removing a

language pack removes the language-specific site templates from your computer. All sites that

were created with those language-specific site templates will no longer work (the URL will

produce a HTTP 500 - Internal server error page). Reinstalling the language pack will make the

site functional.

Note:

You cannot remove the language pack for the version of Office SharePoint Server 2007

that you have installed on your server. For example, if you are running the Japanese

version of Office SharePoint Server 2007, you cannot uninstall the Japanese language

support for Office SharePoint Server 2007.


III. Create and configure Shared Services Providers


Chapter overview: Create and configure Shared Services Providers

After you have installed Microsoft Office SharePoint Server 2007, you must configure the primary

Shared Services Provider (SSP) that your SharePoint sites will rely on to provide services such

as search, personalization, or business intelligence. This chapter helps you create the primary

Shared Services Provider, and configure settings for the shared services that are hosted by that

SSP.

In this chapter:

Configure the primary Shared Services Provider

Configure the Office SharePoint Server Search service

A. Configure personalization

B. Configure business intelligence features

C. Configure Excel Services

D. Configure InfoPath Forms Services

E. Configure Office Project Server


Configure the primary Shared Services Provider

Create the Shared Services Provider

1. On the SharePoint Central Administration home page, click the Application Management

tab on the top navigation bar.

2. On the Application Management page, in the Office SharePoint Server Shared Services

section, click Create or configure this farm's shared services.

3. On the Manage this Farm's Shared Services page, click New SSP.

Important:

If you have not created a Web application for the SSP administration site, you need

to create one before you create the SSP. If you have already created a Web

application for the SSP administration site, skip to step 14.

4. On the New Shared Services Provider page, click Create a new Web application.

5. On the Create New Web Application page, in the IIS Web Site section, click Create a new

IIS web site, and do not modify the default settings in this section.

6. In the Security Configuration section, under Authentication provider, select the

appropriate option for your environment, and do not modify the default settings in the

remainder of this section.

Note:

By default, the authentication provider is set to NTLM. Use the Negotiate (Kerberos)

setting only if Kerberos is supported in your environment. This option will require

configuring a Service Principal Name for the domain user account, for which you

must have Domain Administrator credentials. For more information about configuring

Kerberos, see Microsoft Knowledge Base article KB 832769: HOW TO: Configure

Windows SharePoint Services to Use Kerberos Authentication

(http://support.microsoft.com/?kbid=832769).

7. In the Load Balanced URL section, do not modify the default settings.

8. In the Application Pool section, click Create new application pool.

9. In Application pool name, enter the name of your application pool or use the default name.

10. Click Configurable, and in User name and Password, type the user name and password for

the user account that you want to act as the application pool identity for your SSP Web

application.

The user account must be a domain user account, but the user account does not have to be

a member of any particular security group. It is recommended that you use the principle of

least privilege and select a unique user account that does not have administrative rights on


your front-end servers or on your back-end database servers. You can use the user account

that you specified as the Microsoft Office SharePoint Server 2007 service account; however,

if that user account is a member of a security group that has administrative rights on your

front-end servers or your back-end database servers, you will not be following the principle of

least privilege. The user name must be in the format DOMAIN\username.

11. In the Database Name and Authentication section, verify the database information and

make sure that Windows Authentication (recommended) is selected.

12. In the Search Server section, do not modify the default settings.

13. Click OK.

Upon successful creation of the Web application, the New Shared Services Provider page

appears.

14. In the SSP Name section, in Web Application, select the Web application that you created

for the SSP, and do not modify any of the default settings in this section.

15. In My Site Location section, choose the correct Web application.

Note:

It is recommended that you run My Sites and the SSP administration site in different

Web applications so that you can back up and restore My Sites separately from the

SSP administration site.

16. In the SSP Service Credentials section, in User name and Password, type the user name

and password for the user account under which you want the SSP to run.

The user account must be a domain user account, but the user account does not have to be

a member of any particular security group. It is recommended that you use the principle of

least privilege and select a unique user account that does not have administrative rights on

your front-end servers or on your back-end database servers. You can use the user account

that you specified as the Office SharePoint Server 2007 service account; however, if that

user account is a member of a security group that has administrative rights on your front-end

servers or your back-end database servers, you will not be following the principle of least

privilege. The user name must be in the format DOMAIN\username.

17. In the SSP Database section, you can either accept the default settings (recommended), or

specify your own settings for the database server, the database name, or the SQL

authentication credentials.

18. In the Search Database section, you can either accept the default settings (recommended),

or specify your own settings for the search database server, the database name, or the SQL

Server authentication credentials.

19. In the Index Server section, in Index Server, click the server on which you configured the

Search service.

If there is no index server listed in the Index Server section, then no server in your farm has

been assigned the index server role. To assign the index server role to a server in your farm,

follow the instructions in Configure a dedicated front-end Web server for crawling

(http://technet.microsoft.com/en-us/library/cc261810.aspx).


20. In the SSL for Web Services section, click No.

21. Click OK.

Upon successful creation of the SSP, the Success page appears.

22. On the Success page, click OK to return to the Manage this Farm's Core Services page.

For information about how to perform this procedure using the Stsadm command-line tool, see

Shared Services Provider: Stsadm operation (http://technet.microsoft.com/en-

us/library/cc262916.aspx).

Create a new SSP

Important:

To configure an SSP, you must have already configured an index server for the farm.

Without an index server, creation of a new SSP will fail. For more information about

configuring an index server, see the topic Configure the primary Shared Services

Provider (http://technet.microsoft.com/en-us/library/cc262649.aspx).

To create and configure a new SSP:

1. In a Web browser, open the Central Administration page for your farm.

2. On the top navigation bar, click Application Management.

3. On the Application Management page, under Office SharePoint Server Shared

Services, click Create or configure this farm's shared services.

4. On the Manage this Farm's Shared Services page, on the top navigation bar, click New

SSP.

5. In the SSP Name section, specify a unique, descriptive name for this SSP. This name will

be used to identify the SSP in administration pages.

6. In the My Site location section, select the Web application for this SSP.

7. In the SSP Service Credentials section, specify the credentials which will be used by

SSP Web services for inter-server communication and for the SSP timer service to run

jobs.

8. In the SSP Database section, specify the database server and database name for storing

session data. Use of the default database server and database name is recommended

for most cases.

9. In the Index Server section, select the index server which will crawl content in all Web

applications associated with this SSP. You may also specify the path on the index server

where the indexes will be located if you do not want to use the default path.

10. In the SSL for Web Services section, choose whether or not to use SSL to protect

communications to and from Web services.

Note:

If you choose to enable SSL for Web services, you must add the certificate on


each server in the farm by using the IIS administration tool. Until this is done, the

Web services will not be available.

11. Click OK to create the SSP.

Associate an SSP with a Web application

A Web application may be associated with only one SSP, but each SSP may be associated with

multiple Web applications.

To associate an SSP with a Web application:

1. On the taskbar, click Start, point to Administrative Tools, and then click SharePoint 3.0

Central Administration.

2. In the Quick Launch, click Shared Services Administration.

3. On the Manage this Farm's Shared Services page, on the top navigation bar, click

Change Associations.

Note:

In the SSP Name column in the SSP list, you will see all the Web applications

with which each SSP is currently associated.

4. On the Change Association between Web Applications and SSPs page, under Shared

Services Provider, select the SSP you want to configure.

5. In the Web applications section, select the Web applications you want to associate with

the SSP.

6. Click OK to associate the SSP with the selected Web applications.


Configure the Office SharePoint Server Search service

In this section:

Server-level configuration

Farm-level configuration

SSP-level configuration

Site collection-level configuration

This section describes the process of deploying the search features for Microsoft Office

SharePoint Server 2007 that are related to crawling content. If you have not already done so, we

highly recommend that you first read the topics described in Plan search

(http://technet.microsoft.com/en-us/library/cc263400.aspx) and fill out the companion Plan to

crawl content worksheet (http://go.microsoft.com/fwlink/?LinkID=73748&clcid=0x409). As you

proceed through this section, refer to this worksheet so that you have the information you need to

configure these search features.

For information about how to perform this procedure using the Stsadm command-line tool, see

Osearch: Stsadm operation (http://technet.microsoft.com/en-us/library/cc262920.aspx).

Server-level configuration

The procedures in this section are performed at the server level. To perform these procedures,

you must be a member of the Administrators group for each server on which you want to perform

them.

Install protocol handlers

The following protocols are supported by the default protocol handlers:

bdc

bdc2

file

http

https

rb

rbs

sps

sps3

sps3s

spsimport


spss

sts

sts2

sts2s

sts3

sts3s

Refer to the Protocol handlers section of the Plan to crawl content worksheet to review your

decisions for installing additional protocol handlers. When installing the protocol handlers on your

index server, follow the appropriate installation instructions provided by the manufacturer of each

protocol handler.

Note:

You must be a member of the Administrators group on each server on which you want to

install an additional protocol handler.

Install and register IFilters

The procedures used to install and register IFilters vary among different IFilters. Refer to the File

type inclusions section of the Plan to crawl content worksheet for the IFilters you decided to

add.

This section includes instructions for installing and registering the following IFilters. If an IFilter

that you need is not listed here, contact the manufacturer for instructions for installing third-party

IFilters. If you do not need to install additional IFilters, skip to the next section.

Note:

You must be a member of the Administrators group on each server on which you want to

install an IFilter.

Install and register the OneNote IFilter

Before Microsoft Office OneNote 2007 files can be crawled and indexed, you must first do the

following:

Install Office OneNote 2007 on the index server. This installs the OneNote IFilter.

Note:

The Office OneNote 2007 IFilter can crawl both OneNote 2003 and Office OneNote

2007 files. The Office OneNote 2003 IFilter can crawl OneNote 2003 files only.

Add the OneNote file extension to the File Types list.

Register the OneNote IFilter.

Note:

You must be a member of the Administrators group on the index server to perform

the following procedures.


Add the OneNote file extension to the File Types list

1. Open the administration page for the Shared Services Provider (SSP).

To open the administration page for the SSP, do the following:

a. In Central Administration, on the top link bar, click Application Management.

b. On the Application Management page, in the Office SharePoint Server Shared

Services section, click Create or configure this farm's shared services.

c. On the Manage this Farm's Shared Services page, click the SSP for which you want

to open the administration page.

2. On the Shared Services Administration page, in the Search section, click Search

settings.

3. On the Configure Search Settings page, in the Crawl Settings section, click File Types.

4. On the Manage File Types page, click New File Type.

5. On the Add File Type page, in the File extension box, type one, and then click OK.

Note:

Do not type the period character "." before the file extension.

Register the OneNote IFilter

1. On the index server, click Start, and then click Run.

2. In the Open box, type notepad, and then click OK.

3. Type or copy the following text into Notepad:

Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Office Server\12.0\Search\Setup\Filters\.one]
"Extension"="one"
"FileTypeBucket"=dword:00000001
"MimeTypes"="application/msonenote"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Office Server\12.0\Search\Setup\ContentIndexCommon\Filters\Extension\.one]
@="{B8D12492-CE0F-40AD-83EA-099A03D493F1}"

4. In Notepad, on the File menu, click Save As.

5. In the Save As dialog box, in the File name box, type onenote.reg, and then click Save.

6. On the index server, double-click the onenote.reg file that you just created.

Note:

This step starts the process of setting the necessary registry keys for registering


the OneNote IFilter.

7. If the Open File - Security Warning dialog box appears, click Run.

8. In the Registry Editor dialog box, click Yes.

9. Click OK to close the Registry Editor box.

10. Restart the index server.

Note:

The index server must be restarted for the IFilter registration to take effect.

After you restart the index server, you must start a full crawl of the locations that contain Office

OneNote 2007 files before they can appear in search queries. If your document libraries require

check-out to edit the files, Office OneNote 2007 files will often be in checked-out state. Any

updates to the checked-out files that are saved to the library will not be crawled until the files are

checked in. In general, we recommend that administrators do not require that files be checked out

before they can be edited for document libraries that are intended for storing OneNote files.
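Because double-clicking a .reg file on the index server imports it with administrative rights, it is worth confirming that the file you built in Notepad writes only the two IFilter registration keys before you run it. The following is an added example, not code from the guide or the product: a small parser for the .reg syntax used above, plus a check that the file registers exactly the extension you intend under the Office Server search setup hive. The first sample is the guide's onenote.reg text; the second is constructed to show a file that is rejected.

```python
"""Parser and pre-import check for the onenote.reg file built in the procedure
above. Added example, not part of the guide or the product: it reads the .reg
text and confirms that it writes only the two IFilter registration keys under
the Office Server search setup hive. ONENOTE_REG is the guide's own text; the
second sample is constructed to show a rejected file."""
import re
from typing import Dict, List, Tuple, Union

RegValue = Union[str, int]
RegFile = Dict[str, Dict[str, RegValue]]

REG_HEADER = "Windows Registry Editor Version 5.00"
SEARCH_SETUP = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Office Server\12.0\Search\Setup"
CLSID_RE = re.compile(r"^\{[0-9A-F]{8}(-[0-9A-F]{4}){3}-[0-9A-F]{12}\}$", re.IGNORECASE)

# The registration file exactly as the guide gives it.
ONENOTE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Office Server\12.0\Search\Setup\Filters\.one]
"Extension"="one"
"FileTypeBucket"=dword:00000001
"MimeTypes"="application/msonenote"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Office Server\12.0\Search\Setup\ContentIndexCommon\Filters\Extension\.one]
@="{B8D12492-CE0F-40AD-83EA-099A03D493F1}"
"""

# Constructed: the same file with a third key that registers an extension the
# administrator did not decide on in the File type inclusions worksheet.
UNEXPECTED_KEY_REG = ONENOTE_REG + r"""
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Office Server\12.0\Search\Setup\Filters\.txt]
"Extension"="txt"
"""


def parse_reg(text: str) -> RegFile:
    """Parse the subset of .reg syntax the guide uses: [key] headers,
    "name"="string", "name"=dword:hex and @= default values. Anything else
    raises, so an unfamiliar construct is never silently accepted."""
    lines = [line.strip() for line in text.splitlines() if line.strip()]
    if not lines or lines[0] != REG_HEADER:
        raise ValueError("not a Registry Editor 5.00 file")
    keys: RegFile = {}
    current = None
    for line in lines[1:]:
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys.setdefault(current, {})
            continue
        if current is None:
            raise ValueError(f"value before any key: {line}")
        name, sep, data = line.partition("=")
        if not sep:
            raise ValueError(f"not a name=value line: {line}")
        name = "@" if name == "@" else name.strip('"')
        if data.startswith("dword:"):
            keys[current][name] = int(data[len("dword:"):], 16)
        elif len(data) >= 2 and data.startswith('"') and data.endswith('"'):
            keys[current][name] = data[1:-1]
        else:
            raise ValueError(f"unsupported value syntax: {line}")
    return keys


def check_ifilter_registration(keys: RegFile, ext: str) -> Tuple[bool, List[str]]:
    """Return (ok, problems) for a file meant to register the IFilter for `ext`."""
    filters_key = f"{SEARCH_SETUP}\\Filters\\.{ext}"
    clsid_key = f"{SEARCH_SETUP}\\ContentIndexCommon\\Filters\\Extension\\.{ext}"
    problems: List[str] = []
    for key in keys:                       # the file must not touch anything else
        if key not in (filters_key, clsid_key):
            problems.append(f"unexpected key: {key}")
    fvals = keys.get(filters_key)
    if fvals is None:
        problems.append(f"missing key: {filters_key}")
    else:
        if fvals.get("Extension") != ext:
            problems.append("Extension does not match the key name")
        if not isinstance(fvals.get("FileTypeBucket"), int):
            problems.append("FileTypeBucket is not a dword")
        if not fvals.get("MimeTypes"):
            problems.append("MimeTypes is missing")
    cvals = keys.get(clsid_key)
    if cvals is None:
        problems.append(f"missing key: {clsid_key}")
    elif not CLSID_RE.match(str(cvals.get("@", ""))):
        problems.append("default value is not a CLSID")
    return (not problems, problems)


if __name__ == "__main__":
    for label, text in (("onenote.reg", ONENOTE_REG), ("constructed", UNEXPECTED_KEY_REG)):
        print(label, check_ifilter_registration(parse_reg(text), "one"))
```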

Farm-level configuration

The procedures in this section are performed at the farm level. To perform these procedures, you

must be a farm administrator.

Create crawler impact rules

Use the following procedure, along with the decisions you recorded in the Crawler impact rules

section of the Plan to crawl content worksheet, to create crawler impact rules.

Create crawler impact rules

1. In Central Administration, on the Application Management tab, in the Search section,

click Manage search service.

2. On the Manage Search Service page, in the Farm-Level Search Settings section, click

Crawler impact rules.

3. On the Crawler Impact Rules page, click Add Rule.

4. On the Add Crawler Impact Rule page, in the Site section, in the Site box, type the site

name that will be associated with this crawler impact rule.

Note:

When typing the URL, you must exclude the protocol. For example, do not

include http:// or file://.

5. In the Request Frequency section, select one of the following options:

Request up to the specified number of documents at a time and do not wait

between requests. If you choose this option, use the Simultaneous requests list to

select how many documents you want the crawler to request at one time when

crawling this URL. You can specify the maximum number of requests that the Office


SharePoint Services Search service can make at one time when crawling this URL.

Request one document at a time and wait the specified time between requests.

You can specify a delay (in seconds) between requests, when crawling this URL.

When this option is selected, the Office SharePoint Services Search service makes

one request per site at one time, and then it waits for the specified amount of time

before making the next request. In the Time to wait (in seconds) box, type the time

to wait (in seconds) between requests. The minimum time to wait between requests

is one second, and the maximum time is 1,000 seconds.

6. Click OK.

Configure farm-level search settings

Use the following procedure, along with the decisions you recorded in the Farm-level search

settings section of the Plan to crawl content worksheet, to configure your farm-level search

settings.

Configure farm-level search settings

1. In Central Administration, on the Application Management tab, in the Search section,

click Manage search service.

2. On the Manage Search Service page, in the Farm-Level Search Settings section, click

Farm-level search settings.

3. On the Manage Farm-Level Search Settings page, in the Contact E-mail Addresses

section, type the e-mail address of the person in your organization whom external site

administrators can contact if problems arise when their site is being crawled.

4. In the Proxy Server Settings section, if you want to use a proxy server when crawling,

select Use the proxy server specified and then do the following:

In the Address box, enter either the NetBIOS name or the IP address of the proxy

server.

In the Port box, type the port to use for this proxy server.

To bypass this proxy server when crawling local addresses, select the Bypass proxy

server for local (intranet) addresses check box.

To specify addresses for which to bypass the proxy server when crawling, enter

those addresses in the Do not use proxy server for addresses beginning with

box.

5. In the Timeout Settings section, do the following:

In the Connection time (in seconds) box, enter the number of seconds you want

the server to wait while connecting to other services.

In the Request acknowledgement time (in seconds) box, enter the number of

seconds you want the server to wait for another service to acknowledge a request to

connect to that service.

6. In the SSL Certificate Warning Configuration section, select the Ignore SSL


certificate name warnings check box if you want to trust that sites are legitimate even if

their certificate names are not exact matches. Otherwise, ensure that this check box is

unselected.

7. Click OK.

Configure the trace log

The trace log can be very useful for analyzing problems that may occur. Events that are written to

the trace log are especially helpful because you can use them to determine what configuration

changes were made in Office SharePoint Server 2007 before the problem occurred.

By default, Office SharePoint Server 2007 saves two days of events in the trace log files. This

means that trace log files that contain events that are older than two days are deleted. When you

are using either the Office SharePoint Server Search service or the Windows SharePoint

Services Search service, we recommend that you configure the trace log to save seven days of

events.

You can use the Diagnostic Logging page in Central Administration to configure the maximum

number of trace log files to maintain and how long (in minutes) to capture events to each log file.

By default, 96 log files are kept, each one containing 30 minutes of events.

96 log files * 30 minutes of events per file = 2880 minutes or two days of events.

You can also specify the location where the log files are written or accept the default path.

Configure the trace log to save seven days of events

1. In Central Administration, on the Operations tab, in the Logging and Reporting section,

click Diagnostic logging.

2. On the Diagnostic Logging page, in the Trace Log section, do the following:

In the Number of log files box, type 336.

In the Number of minutes to use a log file box, type 30.

Tip:

You can use any combination of number of log files and minutes to store in

each log file you want to achieve 10,080 minutes (seven days) of events.

3. Ensure that the path specified in the Path box has enough room to store the extra log

files, or change the path to another location.

Tip:

We recommend that you store log files on a hard drive partition that is used to

store log files only.

4. Click OK.

Trace log files are invaluable for troubleshooting issues related to configuration changes of either

the Office SharePoint Server Search service or the Windows SharePoint Services Search

service. Because problems related to configuration changes are not always discovered right

away, we recommend that you save all trace log files that the system creates on any day that you


make any configuration changes related to either search service. Store these log files for an

extended period of time in a safe location that will not be overwritten. See step 3 in the procedure

above to determine the location where the system stores trace log files for your system.

SSP-level configuration

The procedures in this section are performed at the Shared Services Provider (SSP) level. To

perform these procedures, you must be an SSP administrator for Search.

Open the administration page for the SSP

Use the following procedure to open the administration page for the SSP that you want to

configure.

Open the administration page for the SSP

1. In Central Administration, on the top link bar, click Application Management.

2. On the Application Management page, in the Office SharePoint Server Shared

Services section, click Create or configure this farm's shared services.

3. On the Manage this Farm's Shared Services page, click the SSP for which you want to

open the administration page.

Specify the default content access account

Use the following procedure, along with the decision you recorded in the Default content access

account section of the Plan to crawl content worksheet, to specify the content access account

that the crawler will use, by default, when crawling content.

Specify the default content access account

1. On the Shared Services Administration page, in the Search section, click Search

settings.

2. On the Configure Search Settings page, in the Crawl settings section, click Default

content access account.

3. On the Default Content Access Account page, in the Account box, type the domain and

user name for the account (in the form domain\username).

4. In the Password and Confirm Password boxes, type the password for the account.

5. Click OK.

Create content sources

Use the following procedure, along with the decisions you recorded in the Content sources

section of the Plan to crawl content worksheet, to create your content sources.


Use the following procedure to create a content source of any of the following content source

types:

SharePoint sites

Web sites

File shares

Microsoft Exchange public folders

Create content sources

1. On the Shared Services Administration page, in the Search section, click Search

settings.

2. On the Configure Search Settings page, in the Crawl Settings section, click Content

sources and crawl schedules.

3. On the Manage Content Sources page, click New Content Source.

4. On the Add Content Source page, in the Name section, in the Name box, type a name

for the content source.

Note:

Each content source name must be unique within the SSP in which it is created.

5. In the Content Source Type section, select the type of content you want to crawl by

using this content source.

6. In the Start Addresses section, in the Type start addresses below (one per line) box,

type the URLs from which the search system should start crawling.

Note:

For performance reasons, you cannot add the same start addresses to multiple

content sources.

7. In the Crawl Settings section, select the behavior for the type of content you selected.

8. In the Crawl Schedules section, you can specify when to start full and incremental

crawls.

You can create a full crawl schedule by clicking the Create Schedule link below the

Full Crawl list.

You can create an incremental crawl schedule by clicking the Create Schedule link

below the Incremental Crawl list.

9. Click OK.

10. Repeat steps 4 through 9 for any additional content sources you want to create.

Use the following procedure to create a content source of the business data content source type.

Create content source for business data

1. On the Shared Services Administration page, in the Search section, click Search

settings.


2. On the Configure Search Settings page, in the Crawl Settings section, click Content

sources and crawl schedules.

3. On the Manage Content Sources page, click New Content Source.

4. On the Add Content Source page, in the Name section, in the Name box, type a name

for the content source.

Note:

Each content source name must be unique within the SSP in which it is created.

5. In the Content Source Type section, select Business Data.

6. In the Applications section, select Crawl entire Business Data Catalog to crawl all

applications registered in the Business Data Catalog or select Crawl selected

applications and select the specific applications you want to crawl.

7. In the Crawl Schedules section, you can specify when to start full and incremental

crawls.

You can create a full crawl schedule by clicking the Create Schedule link below the

Full Crawl list.

You can create an incremental crawl schedule by clicking the Create Schedule link

below the Incremental Crawl list.

8. Click OK.

9. Repeat steps 4 through 8 for any additional content sources you want to create.

Create crawl rules

Use the following procedure, along with the decisions you recorded in the Crawl rules section of

the Plan to crawl content worksheet, to create crawl rules.

Create crawl rules

1. On the Shared Services Administration page, in the Search section, click Search

settings.

2. On the Configure Search Settings page, in the Crawl Settings section, click Crawl rules.

3. On the Manage Crawl Rules page, click New Crawl Rule.

4. On the Add Crawl Rule page, in the Path section, in the Path box, type the path affected

by this rule. You can use standard wildcard characters in the path. For example:

http://server1/folder* contains all Web resources with a URL that starts with

http://server1/folder.

*://*.txt includes every document with the txt file extension.

5. In the Crawl Configuration section, select one of the following:

Exclude all items in this path. Select this option if you want all items in the

specified path to be excluded from the crawl.

Include all items in this path. Select this option if you want all items in the path to


be crawled.

6. If you chose to exclude all items in this path, skip to step 8. Otherwise, you can further

refine the inclusion by selecting any combination of the following:

Follow links on the URL without crawling the URL itself. Select this option if you

want to crawl links contained within the URL, but not the URL itself.

Crawl complex URLs (URLs that contain a question mark (?)). Select this option

if you want to crawl URLs that contain parameters that use the question mark (?)

notation.

Crawl SharePoint content as HTTP pages. Normally, SharePoint content is

crawled by using a special protocol. Select this option if you want SharePoint content

to be crawled as HTTP pages instead. When the content is crawled by using the

HTTP protocol, item permissions are not stored.

7. In the Specify Authentication section, do one of the following:

To use the default content access account when crawling URLs affected by this crawl

rule, select Use the default content access account.

If you want to use a different content access account, select Specify a different

content access account, and then do the following:

In the Account box, type the account name that can access the paths defined by this

crawl rule. Examples are user_name and DOMAIN\user_name.

In the Password and Confirm Password boxes, type the password for this account.

If you want to prevent basic authentication from being used, select the Do not allow

Basic Authentication check box.

To use a client certificate for authentication, select Specify client certificate, and

then click a certificate on the Certificate menu.

8. Click OK.

9. Repeat steps 4 through 8 for each new crawl rule you want to create.

Reorder your crawl rules

After you create all your crawl rules, we recommend that you specify the order in which you want

the rules to be applied while content is being crawled. Crawl rules are applied in the order in

which they are listed. Therefore, if two rules cover the same or overlapping content, the first rule

that is listed is applied. Use the following procedure to specify the order of your crawl rules.

Reorder crawl rules

1. On the Shared Services Administration page, in the Search section, click Search

settings.

2. On the Configure Search Settings page, in the Crawl Settings section, click Crawl rules.

3. On the Manage Crawl Rules page, in the Order column in the list of crawl rules, select a

value in the drop-down list that specifies the position you want the rule to occupy. Other


values are shifted accordingly.
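To see why the order in the Order column matters, the following added example (not code from the guide or the product) models the first-match evaluation described above: each rule's Path uses '*' as its only wildcard, rules are tried in list order, and the first one that covers a URL decides whether it is crawled, with which content access account, and whether item permissions are kept. The rule list and URLs are constructed; the example assumes that a URL no rule covers is crawled with the default content access account and that matching is case-insensitive.

```python
"""First-match evaluation of crawl rules, as an added example for the
"Create crawl rules" and "Reorder crawl rules" procedures (not code from the
product or the guide). Assumptions: a URL that no rule covers is crawled with
the default content access account, and path comparison is case-insensitive."""
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class CrawlRule:
    path: str                       # Path box, e.g. "http://server1/folder*" or "*://*.txt"
    include: bool                   # True: Include all items; False: Exclude all items
    crawl_as_http: bool = False     # "Crawl SharePoint content as HTTP pages"
    account: Optional[str] = None   # None: use the default content access account


@dataclass(frozen=True)
class Decision:
    crawl: bool                     # will the item be fetched at all
    matched_by: Optional[str]       # path of the rule that decided; None if no rule matched
    account: Optional[str]          # content access account the crawler authenticates with
    permissions_stored: bool        # False when crawled as plain HTTP (item permissions lost)


def path_to_regex(path: str) -> "re.Pattern[str]":
    """Turn a crawl-rule path into a regex: '*' matches anything, all else is
    literal. Splitting on '*' and escaping the pieces keeps '?' and '.' in
    URLs literal, which a naive glob would not."""
    pieces = [re.escape(piece) for piece in path.split("*")]
    return re.compile("^" + ".*".join(pieces) + "$", re.IGNORECASE)


def first_matching_rule(rules: List[CrawlRule], url: str) -> Optional[CrawlRule]:
    """Crawl rules are applied in the order listed; the first one that covers
    the URL wins, so overlapping rules depend on their position."""
    for rule in rules:
        if path_to_regex(rule.path).match(url):
            return rule
    return None


def decide(rules: List[CrawlRule], url: str,
           default_account: str = "CONTOSO\\svc_crawl") -> Decision:
    """Apply the rule list to one URL and report the crawler's behaviour."""
    rule = first_matching_rule(rules, url)
    if rule is None:
        # Assumption: content no rule covers is crawled with the default account.
        return Decision(True, None, default_account, True)
    if not rule.include:
        return Decision(False, rule.path, None, False)
    return Decision(True, rule.path, rule.account or default_account,
                    not rule.crawl_as_http)


# Constructed rules mirroring the two Path examples in the guide.
EXCLUDE_FOLDER = CrawlRule("http://server1/folder*", include=False)
INCLUDE_TXT = CrawlRule("*://*.txt", include=True)
# A rule that crawls a SharePoint path as plain HTTP: the content is indexed,
# but item permissions are not stored for it (the trade-off noted in step 6).
SITES_AS_HTTP = CrawlRule("http://server1/sites/*", include=True, crawl_as_http=True)


def effect_of_order(url: str) -> Tuple[bool, bool]:
    """Same two rules in both orders: shows why the Order column matters."""
    as_listed = decide([EXCLUDE_FOLDER, INCLUDE_TXT], url).crawl
    reordered = decide([INCLUDE_TXT, EXCLUDE_FOLDER], url).crawl
    return as_listed, reordered


if __name__ == "__main__":
    rules = [EXCLUDE_FOLDER, INCLUDE_TXT, SITES_AS_HTTP]
    for url in ("http://server1/folder/notes.txt", "http://server1/folder/page.aspx",
                "http://server1/other/readme.txt", "http://server2/default.aspx",
                "http://server1/sites/hr/default.aspx"):
        print(url, decide(rules, url))
    print("order matters:", effect_of_order("http://server1/folder/notes.txt"))
```

A .txt file under the excluded folder is skipped when the exclusion is listed first and crawled when the .txt inclusion is moved above it; reordering the rules on the Manage Crawl Rules page has exactly this effect.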

Configure the file type inclusions list

Use the following procedure, along with the decisions that you recorded in the File-type

inclusions section of the Plan to crawl content worksheet, to add file types to the file type

inclusions list.

Add file types

1. On the Shared Services Administration page, in the Search section, click Search

settings.

2. On the Configure Search Settings page, in the Crawl Settings section, click File types.

3. On the Manage File Types page, click New File Type.

4. On the Add File Type page, in the File extension box, type the file name extension for

the file type that you want to add (for example, type doc).

Note:

Do not precede the file type with the period "." character.

5. Click OK.

6. Repeat steps 4 through 5 for any other file types you want to add.

You can also delete from this list any file types that you do not want the crawler to include in

the content index. Use the following procedure, along with the decisions you recorded in the

File-type inclusions section of the Plan to crawl content worksheet, to delete file types from the

file type inclusions list.

Delete file types

1. On the Manage File Types page, position the cursor over the file name extension that

you want to delete, and then click Delete on the menu that appears.

2. In the message box, click OK to confirm that you want to delete the file type.

Crawl the content

Before the content can be indexed, you must first crawl the content. You can either crawl the

content defined in a particular content source individually, or crawl all the content specified by all

content sources at one time.

Crawl content defined in a particular content source

Use the following procedure to crawl content defined in a particular content source.

Crawl content defined in a particular content source

1. On the Shared Services Administration page, in the Search section, click Search


settings.

2. On the Configure Search Settings page, in the Crawl Settings section, click Content

sources and crawl schedules.

3. On the Manage Content Sources page, position the cursor over the content source you

want to crawl, and then click Start full crawl on the menu that appears.

Crawl content specified by all content sources

Use the following procedure to crawl content specified by all content sources.

Crawl content specified by all content sources

1. On the Shared Services Administration page, in the Search section, click Search

settings.

2. On the Configure Search Settings page, in the Crawl Settings section, click Content

sources and crawl schedules.

3. On the Manage Content Sources page, in the Quick Launch, click Start all crawls.

Create managed properties

Use the following procedure, along with the decisions you recorded in the Plan managed

properties section of the Plan the end-user search experience worksheet

(http://go.microsoft.com/fwlink/?LinkId=74967&clcid=0x409), to create managed properties.

Create managed properties

1. On the Shared Services Administration page, in the Search section, click Search

settings.

2. On the Configure Search Settings page, in the Crawl Settings section, click Metadata

property mappings.

3. On the Metadata Property Mappings page, click New Managed Property.

4. On the New Managed Property page, in the Name and type section, in the Property

name box, type the name of the managed property you want to create.

5. In the Description box, type a description for this managed property.

6. Under The type of information in this property, select a property type.

7. In the Mappings to crawled properties section, select one of the following:

Include values from all crawled properties mapped. Select this option if you want

values from all crawled properties to be mapped. A query for a property in a

document in which all crawled properties are mapped returns a result if any of the

crawled properties that are mapped match the query.

Include values from a single crawled property based on the order specified.

Select this option if you want only a single value mapped. When multiple crawled

properties are mapped to a managed property, the one that is chosen will be the first


in the list that has a value for a given document. You can reorder the list by using the

Move up and Move down buttons.

8. If you selected Include values from all crawled properties mapped, skip to step 12.

9. Click Add Mapping to add a mapping to the list.

10. The Crawled property selection dialog box appears. Configure the settings as follows:

a. On the Select a category menu, click either All categories or a specific type of

document category (for example, Office or SharePoint).

b. In Select a crawled property, select a crawled property to map to the managed

property that you are adding.

Because the list of crawled properties is likely to be long, you can type the name (or

the first part of the name) of the property that you are looking for in the Crawled

property name box and then click Find.

c. Click OK.

11. Repeat steps 9 and 10 for each additional crawled property that you want to map to

this managed property.

12. On the New Managed Property page, in the Use in scopes section, select the Allow this

property to be used in scopes check box if you want this managed property to be

available for defining scopes.

13. Click OK.

Note:

Changes to the property mappings take effect on a document-by-document basis

as soon as a document is crawled, regardless of the type of the crawl. A full

crawl ensures that the changes are consistently applied to the entire index.
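The two mapping modes in step 7 decide what a managed property is worth for a given document, and therefore what a property query on it returns. The following model is an added illustration and is not SharePoint code; the crawled property names (Office:Author, ows_Author) and the three documents are made up for the example.

```python
"""Model of how a managed property takes its value(s) from the crawled
properties mapped to it. Added illustration, not SharePoint code; the
crawled property names and the sample documents are made up."""
from dataclasses import dataclass
from typing import Dict, List


@dataclass
class ManagedProperty:
    name: str
    # Crawled property names in the order shown in the mapping list
    # (the Move up / Move down order). The order only matters in "first" mode.
    mappings: List[str]
    # "all":   Include values from all crawled properties mapped
    # "first": Include values from a single crawled property based on the order specified
    mode: str = "all"


def resolve(prop: ManagedProperty, crawled: Dict[str, str]) -> List[str]:
    """Return the value(s) the managed property carries for one document.

    `crawled` holds the crawled properties the indexer found on that document
    (name -> value). Mapped names the document does not have are skipped, so in
    "first" mode the winner is the first mapped name that actually has a value.
    """
    if prop.mode == "all":
        return [crawled[name] for name in prop.mappings if name in crawled]
    if prop.mode == "first":
        for name in prop.mappings:
            if name in crawled:
                return [crawled[name]]
        return []
    raise ValueError(f"unknown mapping mode {prop.mode!r}")


def matches(prop: ManagedProperty, crawled: Dict[str, str], wanted: str) -> bool:
    """A property query such as Author="John Doe" hits a document when any of
    the resolved values matches (compared case-insensitively here)."""
    return any(v.casefold() == wanted.casefold() for v in resolve(prop, crawled))


# Constructed sample documents: an Office file that carries two author-like
# crawled properties, a list item that carries only one, and one with none.
OFFICE_DOC = {"Office:Author": "Jane Roe", "ows_Author": "John Doe", "Title": "Budget"}
LIST_ITEM = {"ows_Author": "John Doe", "Title": "Task 17"}
NO_AUTHOR = {"Title": "Untitled"}

AUTHOR_ALL = ManagedProperty("Author", ["Office:Author", "ows_Author"], mode="all")
AUTHOR_FIRST = ManagedProperty("Author", ["Office:Author", "ows_Author"], mode="first")

if __name__ == "__main__":
    for doc in (OFFICE_DOC, LIST_ITEM, NO_AUTHOR):
        print(doc["Title"], "all:", resolve(AUTHOR_ALL, doc), "first:", resolve(AUTHOR_FIRST, doc))
```

The practical consequence is visible in the Office document: with "all" selected, a query for Author="John Doe" finds it even though the Office author field says Jane Roe; with "first" selected, only the top mapping that has a value counts, so reordering the list changes which documents a property query (and any scope rule built on it) returns.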

Create shared scopes

Use the following procedure, along with the decisions you recorded in the Plan scopes section of

the Plan the end-user search experience worksheet

(http://go.microsoft.com/fwlink/?LinkId=74967&clcid=0x409), to create shared scopes.

Create shared scopes

1. On the Shared Services Administration page, in the Search section, click Search

settings.

2. On the Configure Search Settings page, in the Scopes section, click View scopes.

3. On the View Scopes page, click New Scope.

4. On the Create Scope page, in the Title and Description section, in the Title box, type a

title for the scope.

5. In the Description box, type a description for the scope that informs administrators what

the purpose of the scope is.


Note:

These descriptions are not visible to users.

6. Your credentials are automatically entered in the read-only Last modified by box.

Note:

Last modified by settings are not visible to users.

7. In the Target Results Page section, select one of the following:

Use the default Search Results Page. Select this option if you want search results

from this scope to be presented by using the standard Search Results page.

Specify a different page for searching this scope. Select this option if you want

search results from this scope to be presented on a custom page. If you select this

option, type the URL for the custom Search Results page in the Target results page

box.

8. Click OK.

Create scope rules

Use the following procedure, along with the decisions you recorded in the Plan scopes section of

the Plan the end-user search experience worksheet

(http://go.microsoft.com/fwlink/?LinkId=74967&clcid=0x409), to create scope rules.


The following table describes the four scope rule types that you can choose from when creating a

scope rule. For simplicity, a separate procedure is provided for each scope rule type.

Scope rule type Purpose

Web address Select this option if you want the scope to include or exclude

content from any resource in the search index that can be

identified either by a URL (such as Web sites, file shares, and

Exchange public folders) or by a host name, domain name, or

subdomain name.

Folder. Select this option if you want to include or exclude

items in the folder and subfolders of the indicated URL (for

example, http://site/subsite/folder).

Hostname. Select this option if you want to specify a host

name. All items in the host name will be included or excluded

from the scope (according to the behavior rules).

Domain or subdomain. Select this option if you want to

specify a domain or subdomain (for example,

widgets.contoso.com). All items in the domain or subdomain

will be included in or excluded from the scope.

Property query Select this option if you want the scope to include or exclude

content that has a managed property with a particular value. For

example, Author="John Doe".

Content source Select this option if you want the scope to include or exclude

content that was crawled by using a particular content source.

All content Select this option if the rule should not restrict the scope (the

scope will include or exclude all content in the search index).

Use the following procedure to open the Add Scope Rule page.

Open the Add Scope Rule page

1. On the Shared Services Administration page, in the Search section, click Search

settings.

2. On the Configure Search Settings page, in the Scopes section, click View scopes.

3. On the View Scopes page, position the cursor over the scope that you want to edit, click

the arrow that appears, and then click Edit Properties and Rules on the menu that

appears.

4. On the Scope Properties and Rules page, in the Rules section, click New rule.


Use the following procedure to create scope rules by using the Web address scope rule type.

Create scope rules by using the Web address scope rule type

1. On the Add Scope Rule page, in the Scope Rule Type section, select Web Address.

2. In the Web Address section, select one of the following options and provide the address

you want to associate with this rule:

Folder. Select this option if you want to include or exclude items in the folder and

subfolders of the indicated URL (for example, http://site/subsite/folder).

Hostname. Select this option if you want to specify a host name. All items in the host

name will be included or excluded from the scope (according to the behavior rules).

Domain or subdomain. Select this option if you want to specify a domain or

subdomain (for example, widgets.contoso.com). All items in the domain or

subdomain will be included in or excluded from the scope.

3. In the Behavior section, select one of the following options:

Include. Select this option if you want items that match this rule to be included in the

scope unless another rule excludes them. The Include option is analogous to the logical

operator OR.

Require. Select this option if you want every item in the scope to match this rule,

regardless of the other rules. The Require option is analogous to the logical operator

AND.

Exclude. Select this option if you want items that match this rule to be excluded from

the scope. The Exclude option is analogous to the logical operator AND NOT.

4. Click OK.

Use the following procedure to create scope rules by using the Property query scope rule type.

Create scope rules by using the Property query scope rule type

1. On the Add Scope Rule page, in the Scope Rule Type section, select Property Query.

2. In the Property Query section, select the managed property that you want to use to limit

the scope from the Add property restrictions menu.

3. In the = box, type the string (value) that the managed property needs to match.

4. In the Behavior section, select one of the following options:

Include. Select this option if you want items that match this rule to be included in the

scope unless another rule excludes them. The Include option is analogous to the logical

operator OR.

Require. Select this option if you want every item in the scope to match this rule,

regardless of the other rules. The Require option is analogous to the logical operator

AND.

Exclude. Select this option if you want items that match this rule to be excluded from

the scope. The Exclude option is analogous to the logical operator AND NOT.

5. Click OK.


Use the following procedure to create scope rules by using the Content source scope rule type.

Create scope rules by using the Content source scope rule type

1. On the Add Scope Rule page, in the Scope Rule Type section, select Content source.

2. In the Content Source section, in the corresponding menu, select the content source from

the list that you want to associate with this rule.

3. In the Behavior section, select one of the following options:

Include. Select this option if you want items that match this rule to be included in the

scope unless another rule excludes them. The Include option is analogous to the logical

operator OR.

Require. Select this option if you want every item in the scope to match this rule,

regardless of the other rules. The Require option is analogous to the logical operator

AND.

Exclude. Select this option if you want items that match this rule to be excluded from

the scope. The Exclude option is analogous to the logical operator AND NOT.

4. Click OK.

Use the following procedure to create scope rules by using the All content scope rule type.

Create scope rules by using the All content scope rule type

1. On the Add Scope Rule page, in the Scope Rule Type section, select All Content.

2. Click OK.

Specify authoritative pages

Use the following procedure, along with the decisions you recorded in the Authoritative pages

section of the Plan the end-user search experience worksheet

(http://go.microsoft.com/fwlink/?LinkId=74967&clcid=0x409), to specify authoritative pages.

Specify authoritative pages

1. On the Shared Services Administration page, in the Search section, click Search

settings.

2. On the Configure Search Settings page, in the Authoritative Pages section, click

Specify authoritative pages.

3. On the Specify Authoritative Pages page, in the Authoritative Web Pages section, in the

Most authoritative pages box, list the URLs that are central or authoritative.

Note:

Separate the URLs by hard returns so that you list one full URL per line.

4. In the Second-level authoritative pages box, list the URLs that are secondary.

5. In the Third-level authoritative pages box, list the URLs that are tertiary.

6. In the Non-authoritative Sites section, in the Sites to demote box, list the URLs that


you want to mark as unimportant when search results are returned (for example, URLs of

sites that contain outdated information but are kept for record-keeping).

Note:

Any URL or item whose prefix matches the provided URLs in the Sites to

demote box is demoted.

7. If you want the ranking calculations to begin after you click OK, in the Refresh Now

section, select the Refresh now check box. If the check box is cleared, ranking

calculations occur according to a predetermined schedule.

8. Click OK.

Create server name mappings

Use the following procedure, along with the decisions you recorded in the Server name

mappings section of the Plan the end-user search experience worksheet

(http://go.microsoft.com/fwlink/?LinkId=74967&clcid=0x409), to specify server name mappings.

Specify server name mappings

1. On the Shared Services Administration page, in the Search section, click Search

settings.

2. On the Configure Search Settings page, in the Crawl Settings section, click Server

name mappings.

3. On the Server Name Mappings page, click New Mapping.

4. On the Add Server Name Mapping page, in the Address in index box, type the address

for the crawled content.

5. In the Address in search results box, type the address that you want users to see on

the Search Results page when they receive query results for the address you typed in the

Address in index box.

6. Click OK.
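Both the Sites to demote list above and server name mappings work by URL prefix: a demoted prefix covers everything beneath it, and a mapping replaces the "Address in index" prefix with the "Address in search results" prefix. The following model is an added illustration, not SharePoint code, and the URLs and mappings are constructed. It makes one assumption the page does not state: it matches prefixes on path-segment boundaries, which avoids the over-match that a plain string prefix has (a demote entry of http://site/old would otherwise also demote http://site/oldnews).

```python
"""Added illustration (not SharePoint code) of the two URL-prefix operations
described on the page: demotion via the Sites to demote list and server name
mappings. Assumption: prefixes are matched on path-segment boundaries."""
from typing import List, Optional, Tuple


def _normalize(url: str) -> str:
    # Compare without a trailing slash so "http://a/b" and "http://a/b/" agree.
    return url.rstrip("/")


def prefix_covers(prefix: str, url: str) -> bool:
    """True when `url` is `prefix` itself or lies beneath it on a path-segment
    boundary. A raw str.startswith(prefix) would also match http://site/oldnews
    for the prefix http://site/old, which is rarely what the administrator meant."""
    p, u = _normalize(prefix), _normalize(url)
    return u == p or u.startswith(p + "/")


def is_demoted(url: str, demote_list: List[str]) -> bool:
    """Any item whose URL sits under one of the Sites to demote entries is demoted."""
    return any(prefix_covers(p, url) for p in demote_list)


def map_server_name(url: str, mappings: List[Tuple[str, str]]) -> str:
    """Rewrite the crawled address to the address users should see in results.

    `mappings` is a list of (Address in index, Address in search results). The
    longest matching index prefix wins, so a specific mapping is not shadowed by
    a broader one listed before it. URLs that match nothing are returned unchanged.
    """
    best: Optional[Tuple[str, str]] = None
    for index_addr, results_addr in mappings:
        if prefix_covers(index_addr, url) and (best is None or len(index_addr) > len(best[0])):
            best = (index_addr, results_addr)
    if best is None:
        return url
    index_addr, results_addr = best
    return _normalize(results_addr) + url[len(_normalize(index_addr)):]


# Constructed configuration: one demoted archive and two overlapping mappings
# (a crawl over plain http on the internal name, results shown on the public HTTPS names).
DEMOTE = ["http://portal.contoso.com/old"]
MAPPINGS = [
    ("http://portal", "https://portal.contoso.com"),
    ("http://portal/sites/hr", "https://hr.contoso.com"),
]

if __name__ == "__main__":
    for u in ("http://portal.contoso.com/old/2004/a.aspx", "http://portal.contoso.com/oldnews/a.aspx"):
        print(u, "demoted" if is_demoted(u, DEMOTE) else "not demoted")
    for u in ("http://portal/sites/hr/docs/leave.docx", "http://portal/sites/it/x.aspx", "http://other/x.aspx"):
        print(u, "->", map_server_name(u, MAPPINGS))
```

Mapping an http crawl address to an https results address is the usual reason for the feature: the crawler can use the internal, unencrypted name while users are always sent to the public HTTPS name.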

Manage search-based alerts

Search-based alerts are active by default. However, you can deactivate them. Refer to the

decision you recorded in the Search-based alerts section of the Plan the end-user search

experience worksheet (http://go.microsoft.com/fwlink/?LinkId=74967&clcid=0x409), and do the

following steps if you want to deactivate search-based alerts.

Deactivate search-based alerts

1. On the Shared Services Administration page, in the Search section, click Search

settings.

2. On the Configure Search Settings page, in the Crawl Settings section, click Search-

based alerts.


3. On the Configure Search-based Alerts page, click Deactivate.

Site collection–level configuration

The procedures in this section are performed at the site collection level. To perform these

procedures, you must be a site collection administrator for the site collection on which you want to

perform them.

Create scopes at the site collection level

Site collection administrators can choose to use scopes that were created at the SSP level, copy

scopes that were created at the SSP level and modify them, or create new site collection level

scopes.

Use the following procedure, along with the decisions you recorded in the Site-collection level

scopes section of the Plan the end-user search experience worksheet

(http://go.microsoft.com/fwlink/?LinkId=74967&clcid=0x409), to copy shared scopes at the site

collection level.

Copy shared scopes

1. On the top-level site of the site collection on which you want to create a scope, click Site

actions, point to Site Settings, and then click Modify All Site Settings.

2. On the Site Settings page, in the Site Collection Administration section, click Search

scopes.

3. On the View Scopes page, position the cursor over the name of the shared scope you

want to copy, and then click Make Copy on the menu that appears.

Note:

The copy of the shared scope appears in the Unused Scopes section of the

View Scopes page.

Use the following procedure, along with the decisions you recorded in the Site-collection level

scopes section of the Plan the end-user search experience worksheet

(http://go.microsoft.com/fwlink/?LinkId=74967&clcid=0x409), to create scopes at the site

collection level.

Create scopes at the site collection level

1. On the top-level site of the site collection on which you want to create a scope, click Site

actions, point to Site Settings, and then click Modify All Site Settings.

2. On the Site Settings page, in the Site Collection Administration section, click Search

scopes.

3. On the View Scopes page, click New Scope.

4. On the Create Scope page, in the Title and Description section, type a brief title for the

scope that will best explain it to your users. You can also type a fuller description for


reference by site administrators.

5. Ignore the Display Groups section for now. We will assign display groups to scopes later

in this section.

6. In the Target Results Page section, select one of the following:

Use the default Search Results Page. Select this option if you want search results

from this scope to be presented by using the standard Search Results page.

Specify a different page for searching this scope. Select this option if you want

search results from this scope to be presented on a custom page. If you select this

option, type the URL for the custom Search Results page in the Target results page

box.

7. Click OK.

Create scope rules at the site collection level

Use the following procedure, along with the decisions you recorded in the Site-collection level

scopes section of the Plan the end-user search experience worksheet

(http://go.microsoft.com/fwlink/?LinkId=74967&clcid=0x409), to create scope rules.

The following table describes the scope rule types that you can choose from when creating a site-

collection level scope rule. For simplicity, a separate procedure is provided for each scope rule

type.

Scope rule type Purpose

Web address Select this option if you want the scope to include or exclude

content from any resource in the search index that can be

identified either by a URL (such as Web sites, file shares, and

Exchange public folders) or by a host name, domain name, or

subdomain name.

Folder. Select this option if you want to include or exclude

items in the folder and subfolders of the indicated URL (for

example, http://site/subsite/folder).

Hostname. Select this option if you want to specify a host

name. All items in the host name will be included or excluded

from the scope (according to the behavior rules).

Domain or subdomain. Select this option if you want to

specify a domain or subdomain (for example,

widgets.contoso.com). All items in the domain or subdomain

will be included in or excluded from the scope.

Property query Select this option if you want the scope to include or exclude

content that has a managed property with a particular value. For

example, Author="John Doe".


All content Select this option if the rule should not restrict the scope (the

scope will include or exclude all content in the search index).

Use the following procedure to open the Add Scope Rule page.

Open the Add Scope Rule page

1. On the top-level site of the site collection on which you want to create a scope rule, click

Site actions, point to Site Settings, and then click Modify All Site Settings.

2. On the Site Settings page, in the Site Collection Administration section, click Search

scopes.

3. On the View Scopes page, position the cursor over the scope that you want to edit, click

the arrow that appears, and then click Edit Properties and Rules on the menu that

appears.

Note:

You cannot add scope rules to shared scopes at the site collection level.

4. On the Scope Properties and Rules page, in the Rules section, click New rule.

Use the following procedure to create scope rules by using the Web address scope rule type.

Create scope rules by using the Web address scope rule type

1. On the Add Scope Rule page, in the Scope Rule Type section, select Web Address.

2. In the Web Address section, select one of the following options and provide the address

you want to associate with this rule:

Folder. Select this option if you want to include or exclude items in the folder and

subfolders of the indicated URL (for example, http://site/subsite/folder).

Hostname. Select this option if you want to specify a host name. All items in the host

name will be included or excluded from the scope (according to the behavior rules).

Domain or subdomain. Select this option if you want to specify a domain or

subdomain (for example, widgets.contoso.com). All items in the domain or

subdomain will be included in or excluded from the scope.

3. In the Behavior section, select one of the following options:

Include. Select this option if you want items that match this rule to be included in the

scope unless another rule excludes them. The Include option is analogous to the logical

operator OR.

Require. Select this option if you want every item in the scope to match this rule,

regardless of the other rules. The Require option is analogous to the logical operator

AND.

Exclude. Select this option if you want items that match this rule to be excluded from

the scope. The Exclude option is analogous to the logical operator AND NOT.


4. Click OK.

Use the following procedure to create scope rules by using the Property Query scope rule type.

Create scope rules by using the Property Query scope rule type

1. On the Add Scope Rule page, in the Scope Rule Type section, select Property Query.

2. In the Property Query section, select the managed property that you want to use to limit

the scope from the Add property restrictions list.

3. In the = box, type the string (value) that the managed property needs to match.

4. In the Behavior section, select one of the following options:

Include. Select this option if you want items that match this rule to be included in the

scope unless another rule excludes them. The Include option is analogous to the logical

operator OR.

Require. Select this option if you want every item in the scope to match this rule,

regardless of the other rules. The Require option is analogous to the logical operator

AND.

Exclude. Select this option if you want items that match this rule to be excluded from

the scope. The Exclude option is analogous to the logical operator AND NOT.

5. Click OK.

Use the following procedure to create scope rules by using the All content scope rule type.

Create scope rules by using the All content scope rule type

1. On the Add Scope Rule page, in the Scope Rule Type section, select All Content.

2. Click OK.
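The rule types and behaviors are the same in the shared-scope procedures earlier (Create scope rules) and in the site-collection procedures just above, and the combination logic is where mistakes are made: Include rules are ORed together, every Require rule must hold, and any matching Exclude rule removes the item. The following model is an added illustration and is not SharePoint code; the items, host names, content source names and rules are constructed. One modelling assumption is stated in the code: a scope with neither Include nor Require rules selects nothing. One caveat a practitioner should keep in mind: a scope only filters what a query returns, it is not an access control. Results are still security-trimmed by item permissions, and an Exclude rule does not stop a user who can read an item from finding it by other means, so never use scopes to hide content that should be protected by permissions.

```python
"""Added illustration (not SharePoint code) of how scope rules combine:
Include = OR, Require = AND, Exclude = AND NOT. Items and rules are constructed."""
from dataclasses import dataclass
from typing import Dict, List
from urllib.parse import urlsplit


@dataclass
class Item:
    url: str
    content_source: str
    properties: Dict[str, str]  # managed property name -> value


@dataclass
class Rule:
    kind: str                  # "folder" | "hostname" | "domain" | "property" | "content_source" | "all"
    value: str = ""            # URL prefix, host, domain, Name="Value", or content source name
    behavior: str = "include"  # "include" | "require" | "exclude"


def rule_matches(rule: Rule, item: Item) -> bool:
    host = (urlsplit(item.url).hostname or "").casefold()
    if rule.kind == "all":
        return True
    if rule.kind == "folder":
        # The folder itself and everything below it (for example http://site/subsite/folder).
        base = rule.value.rstrip("/")
        return item.url == base or item.url.startswith(base + "/")
    if rule.kind == "hostname":
        return host == rule.value.casefold()
    if rule.kind == "domain":
        dom = rule.value.casefold()
        return host == dom or host.endswith("." + dom)
    if rule.kind == "property":
        # Property query rules are written as in the UI, e.g. Author="John Doe".
        name, _, wanted = rule.value.partition("=")
        return item.properties.get(name, "").casefold() == wanted.strip('"').casefold()
    if rule.kind == "content_source":
        return item.content_source == rule.value
    raise ValueError(f"unknown rule kind {rule.kind!r}")


def in_scope(rules: List[Rule], item: Item) -> bool:
    includes = [r for r in rules if r.behavior == "include"]
    requires = [r for r in rules if r.behavior == "require"]
    excludes = [r for r in rules if r.behavior == "exclude"]
    # Modelling assumption: a scope with neither Include nor Require rules selects nothing.
    if not includes and not requires:
        return False
    if any(rule_matches(r, item) for r in excludes):
        return False  # AND NOT: an Exclude match wins over everything else
    if any(not rule_matches(r, item) for r in requires):
        return False  # AND: every Require rule must hold
    return not includes or any(rule_matches(r, item) for r in includes)  # OR


def select(rules: List[Rule], items: List[Item]) -> List[str]:
    return [i.url for i in items if in_scope(rules, i)]


# Constructed index contents.
ITEMS = [
    Item("http://portal.contoso.com/hr/policies/leave.docx", "Local Office SharePoint Server sites", {"Author": "John Doe"}),
    Item("http://portal.contoso.com/hr/archive/2004/old.docx", "Local Office SharePoint Server sites", {"Author": "John Doe"}),
    Item("http://widgets.contoso.com/specs/spec.pdf", "Widgets file share", {"Author": "Jane Roe"}),
]

# "Current HR content": include the HR folder, but carve out its archive.
HR_CURRENT = [
    Rule("folder", "http://portal.contoso.com/hr", "include"),
    Rule("folder", "http://portal.contoso.com/hr/archive", "exclude"),
]

# "John Doe's documents on the portal": two Require rules, both must hold.
JOHN_ON_PORTAL = [
    Rule("property", 'Author="John Doe"', "require"),
    Rule("hostname", "portal.contoso.com", "require"),
]

if __name__ == "__main__":
    print("HR current:", select(HR_CURRENT, ITEMS))
    print("John on portal:", select(JOHN_ON_PORTAL, ITEMS))
    print("Whole domain:", select([Rule("domain", "contoso.com")], ITEMS))
```

Note the difference between the two sample scopes: swapping the Require rules in JOHN_ON_PORTAL for Include rules would return every item by John Doe plus every item on the portal, which is the OR behavior, not the intersection.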

Manage display groups

To support a customized search experience, you can set up new display groups with which to

associate your scopes, and you can assign scopes to the default display groups. Site

administrators can also control the order in which scopes appear within a particular display group.

After you create a display group, designers can modify the Search Box Web Part to display it.

Create a new display group

Use the following procedure, along with the decisions you recorded in the Display groups

section of the Plan the end-user search experience worksheet

(http://go.microsoft.com/fwlink/?LinkId=74967&clcid=0x409), to create display groups at the site

collection level and to assign the scopes you want to them.

Create display groups

1. On the top-level site of the site collection on which you want to create a display group,

click Site actions, point to Site Settings, and then click Modify All Site Settings.

2. On the Site Settings page, in the Site Collection Administration section, click Search


scopes.

3. On the View Scopes page, click New Display Group.

4. On the Create Scope Display Group page, type a title and description that easily

identifies the purpose of the group.

5. In the Scopes section, select the check box next to each scope that you want to include

in this display group. You can manage the ordering of the scopes in the group by using

the Position from Top lists.

6. In the Default Scope section, in the Default Scope list, select the scope that you want to

be applied if users do not make a choice on their own.

7. Click OK.

Assign scopes to default display groups

Use the following procedure, along with the decisions you recorded in the Display groups section

of the Plan the end-user search experience worksheet

(http://go.microsoft.com/fwlink/?LinkId=74967&clcid=0x409), to assign scopes to the default

Search Drop-down and Advanced Search display groups.

Assign scopes to default display groups

1. On the top-level site of the site collection on which you want to assign scopes, click Site

actions, point to Site Settings, and then click Modify All Site Settings.

2. On the Site Settings page, in the Site Collection Administration section, click Search

scopes.

3. On the View Scopes page, in the Title column, click Search Dropdown.

4. On the Edit Scope Display Group page, in the Scopes section, select the check boxes

for the scopes you want to be included in this display group, and clear the check boxes

for the scopes you want to remove from this display group.

5. Optionally use the Position from Top lists to specify the order in which the scopes will

appear to the user for this display group.

6. Click OK.

7. On the View Scopes page, in the Title column, click Advanced Search.

8. On the Edit Scope Display Group page, in the Scopes section, select the check boxes

for the scopes you want to be included in this display group, and clear the check boxes

for the scopes you want to remove from this display group.

9. Optionally use the Position from Top lists to specify the order in which the scopes will

appear to the user for this display group.

10. Click OK.

Modify the Search Box Web Part for a new display group

Use the following procedure to modify the Search Box Web Part for a new display group.


Modify the Search Box Web Part for a new display group

1. Go to the Search Center page on the site collection on which you want to modify the

Search Box Web Part.

2. Click Site actions, and then click Edit Page.

3. In the search box, click Edit, and then click Modify Shared Web Part.

4. In the Search Box tool pane, click the plus sign (+) next to Miscellaneous.

5. In the Scope Display Group text box, type the name of the display group that you want

to use, and then click Apply.

6. Click OK to close the tool pane.

7. On the Search Center page, click either Publish or Check In to Share Draft, depending

on your site permissions and workflow.

Create keywords and Best Bets

Search keywords and Best Bets enable you to provide two important features to help your users

get the search results they need:

Search keywords enable you to create a glossary of important terms within your organization.

When a user types the keyword in a search query, the definition that has been created for

that keyword is displayed at the top of the Search Results page.

Best Bets enable you to prominently present editorially selected search results. Best Bets are

URLs to pages, documents, or external Web sites that you associate with particular search

keywords. When a user types a keyword in a search query that has one or more Best Bets,

the Search Results page prominently displays the Best Bet URLs, including the title and

description of each one.

Best Bets are most helpful in situations in which a site administrator wants to promote specific

pages. Because the Best Bet URLs are displayed prominently on the Search Results page, end

users may be more inclined to view them.

Use the following procedure, along with the decisions you recorded in the Keywords and Best

Bets section of the Plan the end-user search experience worksheet

(http://go.microsoft.com/fwlink/?LinkId=74967&clcid=0x409), to create keywords and Best Bets.

Create keywords and Best Bets

1. On the top-level site of the site collection on which you want to create keywords and Best

Bets, click Site actions, point to Site Settings, and then click Modify All Site Settings.

2. On the Site Settings page, in the Site Collection Administration section, click Search

keywords.

3. On the Manage Keywords page, click Add Keyword.

4. On the Add Keyword page, in the Keyword Information section, in the Keyword Phrase

box, type the keyword phrase you want to create.

5. In the Synonyms box, type the synonyms you want to associate with this keyword


phrase. You can type more than one synonym by separating them with semicolons.

6. If you want to associate a Best Bet with this keyword, in the Best Bets section, click Add

Best Bet. Otherwise, skip to step 13.

7. If this is the first Best Bet you will create on this site collection, skip to step 8. Otherwise,

in the Add Best Bet dialog box, do one of the following:

To create a new Best Bet, select Add new best bet and then skip to step 8.

To select an existing Best Bet, select Select existing best bet, click the Best Bet

you want from the Select best bets from the list below box, and then click OK. Skip

to step 13.

8. In the URL box, type the URL you want to associate with this Best Bet.

9. In the Title box, type the title you want to associate with this Best Bet. This title appears

in the Select best bets from the list below box, when selecting an existing Best Bet.

10. In the Description box, type a description for this Best Bet. This description appears with

the Best Bet on the Search Results page.

11. Click OK.

12. If you want to create a definition for this keyword, in the Keyword Definition section,

type the definition that you want to appear next to Best Bets for this keyword on the

Search Results page (optional).

13. In the Contact section, type the user name of the person to inform when the keyword is

past its review date (optional).

14. In the Publishing section, you can optionally choose end and review dates for this

keyword.

15. Click OK.

16. Repeat steps 4 through 15 to create additional keywords and Best Bets.
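The procedure above sets four things per keyword that determine whether a query shows a definition and Best Bets: the phrase, its semicolon-separated synonyms, the end date, and the review date with its contact. The following model of that lookup is an added illustration and is not SharePoint code; the keywords, URLs, account name and dates are constructed. It assumes, as the Manage Keywords page implies, that a query triggers a keyword only when the whole query equals the phrase or one of its synonyms.

```python
"""Added illustration (not SharePoint code) of keyword and Best Bet lookup:
phrase/synonym matching, end-date expiry and review-date follow-up.
Keyword data below is constructed."""
from dataclasses import dataclass, field
from datetime import date
from typing import Dict, List, Optional, Tuple


@dataclass
class BestBet:
    url: str
    title: str        # shown in the "Select best bets from the list below" box
    description: str  # shown with the Best Bet on the Search Results page


@dataclass
class Keyword:
    phrase: str
    synonyms: List[str]
    definition: str = ""
    best_bets: List[BestBet] = field(default_factory=list)
    contact: str = ""                   # person to inform when the review date passes
    review_date: Optional[date] = None
    end_date: Optional[date] = None     # after this date the keyword is no longer shown


def parse_synonyms(text: str) -> List[str]:
    """The Synonyms box takes several entries separated by semicolons."""
    return [s.strip() for s in text.split(";") if s.strip()]


def build_index(keywords: List[Keyword]) -> Dict[str, Keyword]:
    """Map every phrase and synonym (case-insensitively) to its keyword."""
    index: Dict[str, Keyword] = {}
    for kw in keywords:
        for term in [kw.phrase, *kw.synonyms]:
            index[term.casefold()] = kw
    return index


def lookup(index: Dict[str, Keyword], query: str, today: date) -> Optional[Keyword]:
    """Return the keyword a query triggers, or None when the query is not a
    phrase/synonym (the whole query must match) or the keyword has expired."""
    kw = index.get(" ".join(query.split()).casefold())
    if kw is None:
        return None
    if kw.end_date is not None and today > kw.end_date:
        return None
    return kw


def due_for_review(keywords: List[Keyword], today: date) -> List[Tuple[str, str]]:
    """(phrase, contact) pairs whose review date has arrived or passed."""
    return [(kw.phrase, kw.contact) for kw in keywords
            if kw.review_date is not None and today >= kw.review_date]


# Constructed keywords: a live one with synonyms and a Best Bet, and an expired one.
EXPENSES = Keyword(
    "expense report",
    parse_synonyms("expenses; expense claim ;reimbursement"),
    definition="How to claim business expenses at Contoso.",
    best_bets=[BestBet("http://portal.contoso.com/finance/expenses.aspx",
                       "Expense report form", "Submit and track expense claims.")],
    contact="CONTOSO\\jdoe",
    review_date=date(2009, 6, 1),
    end_date=date(2009, 12, 31),
)
LEGACY = Keyword("y2k", [], definition="Year 2000 programme (closed).", end_date=date(2000, 12, 31))
INDEX = build_index([EXPENSES, LEGACY])

if __name__ == "__main__":
    for q in ("Expense Claim", "expense", "y2k"):
        hit = lookup(INDEX, q, date(2009, 3, 1))
        print(q, "->", hit.phrase if hit else None, [b.url for b in hit.best_bets] if hit else [])
    print("review:", due_for_review([EXPENSES, LEGACY], date(2009, 6, 1)))
```

Because Best Bets are shown prominently and users tend to trust them, treat the Manage Keywords page like any other content-promotion control: only site collection administrators should hold it, and the review date is the mechanism that keeps a promoted URL from pointing at a retired or repurposed page indefinitely.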


A. Configure personalization


Chapter overview: Configure personalization

In this section:

Configure personalization permissions

Configure connections to personalization services

Configure targeted content

Configure personalization sites

Configure policies for Profile Services

The personalization service in Microsoft Office SharePoint Server 2007 uses information about

users in your organization that is stored in directory services. That information can be

supplemented with information about users from line-of-business applications. Personalization

information can then be displayed in user profiles, and the properties in user profiles can be used

to target content.

Consult the plan for personalization in your initial deployment, and then configure the options that

you have selected.

Configure personalization permissions

Before you can use personalization properties in your deployment, you must configure access to

the service. You must enable access for administrators of the Shared Services Provider (SSP) to

the service and to the associated Web application on which the SSP is hosted. You must also

configure user permissions to view and share personalization information from My Sites.

For more information about configuring personalization permissions, see Configure

personalization permissions.

Configure connections to personalization services

The administrator of personalization services for the SSP configures connections to directory

services to include properties for the accounts of all users who view and share information across

the organization. If some groups of users work entirely separately, those accounts connect to

separate SSPs. Directory services can include Active Directory directory services and Lightweight

Directory Access Protocol (LDAP) directory services.

After configuring connections to personalization services, you must also configure the settings to

regularly import properties from each directory services connection. Each property is mapped to a

property in the user profile.

For more information about configuring connections to personalization services, see Configure

connections to personalization services.


Configure targeted content

After the SSP administrator has configured access to directory services and has configured user

profiles, it is time to configure targeted content.

Content is primarily targeted by using audiences. Audiences are defined by using rules based on

properties from directory services. Lists, sites, and other content are then targeted to those

audiences so that only members of targeted audiences can see the content.

Some kinds of content are not targeted to users until their locations are selected by

administrators as trusted. The SSP administrator configures trusted My Site locations, published

links to Office client applications, and personalization site links so that the correct content is

available for the right users.

For more information about targeting content, see Configure targeted content.

Configure personalization sites

Personalization sites use targeted Web Parts and the Current User Filter Web Part to target

information to users based on their account name or display name, so that each person sees

personalized information on the site. This differs from other targeted Web Parts in that the

information is targeted by user and not by audience.

For more information about configuring personalization sites, see Configure personalization sites.

Configure policies for Profile Services

After configuring user profiles, targeted content, and personalization sites, SSP administrators for

the personalization service can configure privacy policies that determine how that information is

viewed and how it can be shared.

For more information about configuring policies, see Configure policies for Profile Services.

See Also

Plan for personalized content and sites (http://technet.microsoft.com/en-us/library/cc262525.aspx)

Configure personalization permissions

In this section:

Configure SSP administrator permissions for Profile Services

Configure access to SSP pages

Configure user permissions for personalization

Configure access to trusted My Site host locations

Before enabling personalization features in your deployment, you must first configure permissions

to personalization features. Although some permissions are configured by default for

deployments using Active Directory directory services, other configuration options vary according

to the specific plan for deployment.

Administrators of the Shared Services Provider (SSP) have limited ability to configure

personalization services. The administration options for personalization services are associated

with a set of permissions for different personalization features. Administrators can have access to

some or all of these administration options.

The users of the SSP have access to personal features associated with My Sites. Administrators

of personalization permissions are responsible for configuring any changes to the default

permissions for users.

Configure SSP administrator permissions for Profile Services

SSP administrators can view the SSP Home page and some configuration options, but many of

the personalization management tasks are only available to administrators that have additional

permissions. These additional configuration tasks include:

Managing permissions.

Managing user profiles.

Managing audiences.

Managing portal usage for personalization.

By default, the account that was used to install Microsoft Office SharePoint Server 2007 on the

server has all of these permissions. This account can be used to delegate permissions to other

users.

In some organizations, one SSP administrator will have all permissions, and access to every

management task. In other organizations, the permissions will be distributed among more than

one administrator. Refer to your deployment plan when adding permissions for administrators.

Use the following procedure to configure administrator permissions to the SSP for personalization

services.

Configure administrator permissions to the SSP for personalization sites

1. Open the administration page for the SSP.

To open the administration page for the SSP, perform the following:

a. On the top navigation bar, click Application Management.

b. On the Application Management page, in the Office SharePoint Server Shared

Services section, click Create or configure this farm’s shared services.

c. On the Manage this Farm’s Shared Services page, there is a link to each SSP and

links to the Web applications for each SSP. Click the link for the SSP that you want to

open.

You can also access the SSP by clicking the link to the SSP Home page in the Quick

Launch.

2. On the SSP Home page, in the User Profiles and My Sites section, click

Personalization services permissions.

3. On the Manage Permissions page, click Add Users/Groups.

4. On the Add Users/Groups page, in the Choose Users section, type the name of the

users and groups that you want to add. If a user or group is already on the list, select the

check box for that user or group, and then click Modify Permissions of Selected Users.

5. In the Choose Permissions section, select the permissions that you want for the added

users and groups:

To enable administration of user profiles, select Manage user profiles. Users who

have this permission can access the User profiles and properties page and the

Profile services policies page.

To enable administration of permissions to personalization services, select Manage

permissions.

To enable administration of audiences, select Manage Audiences.

To enable administration of the portal usage reporting service, select Manage usage

analytics.

6. Click Save.

Configure access to the SSP pages

SSP administrators managing Profile Services must have access to the SSP pages for Profile

Services. This access is in addition to the separate permissions to the service. To access the

SSP Home page, an account must be a member of the Site Collection Administrators group.

By default, the account that set up the SSP is a member of the Site Collection Administrators

group. For the first SSP in the initial deployment, that is the account that was used to install Office

SharePoint Server 2007. If that same account is used to administer the SSP, no additional steps

are necessary. In most organizations, SSP administration will be delegated to one or more

additional users. The account used to set up the SSP can be used to add other accounts to the

Site Collection Administrators group.

Use the following procedure to configure access to SSP pages.

Configure access to SSP pages

1. Open the administration page for the SSP.

To open the administration page for the SSP, perform the following:

a. On the top navigation bar, click Application Management.

b. On the Application Management page, in the Office SharePoint Server Shared

Services section, click Create or configure this farm’s shared services.

c. On the Manage this Farm’s Shared Services page, there is a link to each SSP and

links to the Web applications for each SSP. Click the link for the SSP that you want to

open.

You can also access the SSP by clicking the link to the SSP Home page in the Quick

Launch.

2. On the SSP Home page, click the Site Actions menu.

3. On the Site Actions menu, click Site Settings.

4. On the Site Settings page, in the Users and Permissions section, click Site collection

administrators.

5. On the Site Collection Administrators page, in the Site Collection Administrators

section, perform the following:

a. Type the name or account that you want to add to the Site Collection Administrators

group.

b. Click the Check Names icon. If the name or account is found in directory services, it

will appear as a link in the text box.

c. If the name or account was not found, or if you want to search for more users, click

the Browse icon.

d. On the Select People dialog box, in the Find box, type part or all of the user's name

or account name, and then press Enter. All accounts that match appear in the text

box.

e. Select one or more accounts that you want to add, and then click Add.

f. When you are done adding SSP administrators, click OK.

6. On the Site Collection Administrators page, click OK.

Configure user permissions for personalization

After configuring permissions for administrators, it is time to configure permissions for other

users. By default, all users have both of the following permissions:

Use personal features

Create personal site

Users who have the Use personal features permission can see personalized information in sites,

including user profiles for other users. Users who have both the Use personal features permission

and the Create personal site permission can create a My Site by clicking the My Site link in the

top navigation bar.

In some organizations, personalization features may not be enabled. In these scenarios, the

administrator with permission to manage permissions would remove these permissions for all

authenticated users.

In other organizations, only some users will have access to personalization features. In these

scenarios, the personalization permissions would be removed for the All Authenticated Users

group, and another group would be created containing users who have both permissions.

In some organizations, My Sites will be created on a case-by-case basis, or created by managers

during deployment. In these scenarios, users would have the Use personal features permission,

but not the Create personal site permission.

Because these permissions are managed in the same place as administrator permissions, it is

possible to create several groups with different combinations of permissions. It is recommended

that you carefully plan group permissions during the initial deployment so that you can minimize

administration tasks during regular operations.

Use the following procedure to configure user permissions for personalization.

Configure user permissions for personalization

1. On the SSP home page, in the User Profiles and My Sites section, click

Personalization services permissions.

2. On the Manage Permissions page, click Add Users/Groups.

3. On the Add Users/Groups page, in the Choose Users section, type the name of the

users and groups that you want to add. If a user or group is already on the list, select the

check box for that user or group, and then click Modify Permissions of Selected Users.

4. In the Choose Permissions section, select the permissions that you want for the added

users and groups:

To enable creation of My Sites, select Create personal site.

To enable access to personalization features, select Use personal features.

5. Click Save.

Access to personalized information can also be modified by configuring profile services policies

for users. For more information about configuring profile services policies, see Configure policies

for Profile Services.

Configure access to trusted My Site host locations

Users of personalization services have the permissions given to them by administrators, but

these permissions are limited to the services consumed from a single SSP.

While good planning can avoid many situations where users need access to multiple My Sites,

some scenarios may require that a user have access to more than one My Site host location. The

typical scenario that requires multiple My Site host locations is a geographically distributed

deployment with multiple sets of shared services in different locations. In these scenarios, it is

common for each region to have its own set of My Sites and personalization features based on

the needs of each region.

Use the following procedure to add trusted My Site host locations.

Add trusted My Site host locations

1. On the SSP home page, in the User Profiles and My Sites section, click Trusted My

Site host locations.

2. On the Trusted My Site Host Locations page, click New to add another Trusted My Site

host location.

3. On the Trusted My Site Host Locations: New Item page, in the URL section, type the

URL of the trusted My Site host location, and type a description for the location.

4. In the Target Audiences section, select one or more audiences to use. For trusted My

Site locations, the relevant audiences typically represent the set of users that belong to

each My Site host location.

5. Click OK.

During regular operations, in response to changes in directory services, one or more users often

end up with My Sites in different locations. Trusted My Site host locations can be used to provide

access to personalization features targeted for only these users, without enabling access to all

users.

See Also

Configure policies for Profile Services

Configure targeted content

Configure connections to Profile Services

In this section:

Add import connections

Configure import connections

Configure user profiles

Personal information about the users in your organization is stored in directory services and line-of-business

applications and imported to the user profile store so that it can be used to present

personalized or targeted content in sites, and to search for people in your organization.

When the administrator of the Shared Services Provider (SSP) configures user profile imports,

the import connections necessary for those settings are configured automatically except for

custom connections. Custom import connections must be configured separately.

Configure import settings

Import settings are used to regularly import properties from each directory services connection.

Each property is mapped to a property in the user profile.

Use the following procedure to configure import settings.

Configure import settings

1. Open the administration page for the SSP.

To open the administration page for the SSP, do the following:

a. On the top navigation bar, click Application Management.

b. On the Application Management page, in the Office SharePoint Server Shared

Services section, click Create or configure this farm’s shared services.

c. On the Manage this Farm’s Shared Services page, there is a link to each SSP and

links to the Web applications for each SSP. Click the link for the SSP that you want to

open.

You can also access the SSP by clicking the link to the SSP home page in the Quick

Launch.

2. On the SSP home page, in the User Profiles and My Sites section, click User profiles

and properties.

3. On the User Profiles and Properties page, in the Profiles and Import Settings section,

click Configure profile import.

4. On the Configure Profile Import page, in the Source section, select the source for the

import. This is usually the current domain, or the entire forest.

Note:

Changing this setting will delete any manually configured connections for the current

source.

5. In the Default Access Account section, select Specify Account and type a name and

password for the access account.

Note:

It is recommended that you specify an account, rather than relying on the default

content access account. To use the default content access account, select Use

Default Content Access Account.

6. Depending on your plan for scheduling user profile imports, select Schedule full import

in the Full Import Schedule section, or select Schedule incremental import in the

Incremental Import Schedule section, and then select the day and time to schedule the

import.

7. Click OK.

Before continuing with configuration of personalization features, ensure that you have imported all

user profiles at least once. To run a full import of user profiles:

On the User Profiles and Properties page, in the Profile and Import Settings section, click

Start full import.

Add import connections

The administrator of personalization services for the SSP configures import connections, adding

accounts for all users who are sharing personalized information by using the SSP. In

deployments that have groups of isolated users, personalized information is isolated by using

multiple SSPs. In deployments that have multiple SSPs, the SSP administrator must add

connections between SSPs.

Connections to directory services can include Active Directory directory services and Lightweight

Directory Access Protocol (LDAP) directory services. You can add a connection to the Business

Data Catalog, but it is recommended that you first add import connections for directory services.

Most of these connections are configured automatically when import settings are configured. You

can change the default configuration options or add custom import connections.

Use the following procedure to add an import connection.

Add an import connection

1. Open the administration page for the SSP.

To open the administration page for the SSP, perform the following:

a. On the top navigation bar, click Application Management.

b. On the Application Management page, in the Office SharePoint Server Shared

Services section, click Create or configure this farm's shared services.

c. On the Manage this Farm's Shared Services page, there is a link to each SSP and

links to the Web applications for each SSP. Click the link for the SSP that you want to

open.

You can also access the SSP by clicking the link to the SSP home page in the Quick

Launch.

2. On the SSP home page, in the User Profiles and My Sites section, click User profiles

and properties.

3. On the User Profiles and Properties page, in the Profile and Import Settings section,

click View import connections.

4. On the View Import Connections page, click Create New Connection.

5. To add a connection to Active Directory directory services:

a. On the Add Connection page, in the Connection Settings section, on the Type

menu, click Active Directory.

b. In the Domain name text box, type the domain name for the domain that contains

the information that you want to import.

c. Select Auto discover domain controller if the specific domain controller is not

important. To select a specific domain controller, select Specify a domain

controller, and then in the Domain controller name menu, click the name of a

specific domain controller.

d. In the Port text box, type the number of the port to use to connect to the domain. To

use SSL to help secure the connection, select the Use SSL-secured connection

check box, and type a port number that is configured to use SSL in the Port text

box.

e. To minimize the performance impact on the domain controller, type a number of

seconds in the Time out text box, and select Enable Server Side Incremental.

Note:

The Enable Server Side Incremental option must be selected if you are

planning to perform incremental imports.

6. To add a connection to an Active Directory resource:

a. In the Connection Settings section, on the Type menu, click Active Directory

Resource.

b. In the Domain name text box, type the domain name for the domain that contains

the information that you want to import.

c. Select Auto discover domain controller if the specific domain controller is not

important. To select a specific domain controller, select Specify a domain

controller, and then in the Domain controller name menu, click the name of a

specific domain controller.

d. In the Port text box, type the number of the port to use to connect to the domain. To

use SSL to help secure the connection, select the Use SSL-secured connection

check box, and type a port number that is configured to use SSL in the Port text

box.

e. To minimize the performance impact on the domain controller, type a number of

seconds in the Time out text box, and select Enable Server Side Incremental.

f. In the Master Forest Connection Settings section, in the Domain name text box,

type the domain name for the master forest associated with the Active Directory

resource that you want to import.

g. Select Auto discover domain controller if the specific domain controller for the

master forest is not important. To select a specific domain controller, select Specify a

domain controller, and then in the Domain controller name menu, click the name

of a specific domain controller.

h. In the Port text box, type the number of the port to use to connect to the domain. To

use SSL to help secure the connection, select the Use SSL-secured connection

check box, and type a port number that is configured to use SSL in the Port text

box.

i. Select Specify Account and type the account name and password that you want to

use to import user profiles from this connection.

Note:

It is recommended that you specify an account, rather than relying on the

default content access account. To use the default content access account,

select Use Default Account.

7. To add a connection to LDAP directory services:

a. On the Add Connection page, in the Connection Settings section, in the Type

menu, click LDAP Directory.

b. In the Connection name text box, type the name of the connection.

c. In the Directory service server name text box, type the name of the server for the

directory service.

d. In the Port text box, type the number of the port to use to connect to the domain. To

use SSL to help secure the connection, select the Use SSL-secured connection

check box, and type a port number that is configured to use SSL in the Port text

box.

e. To minimize the performance impact on the domain controller, type a number of

seconds in the Time out text box, and select Enable Server Side Incremental.

f. In the Providername text box, type the name of the provider for this connection.

g. In the Username attribute text box, type the name of the attribute to import.

Note:

This attribute is the identification attribute for each entry in LDAP directory

services, associated with a single user or account. By default, this is the uid

attribute.

8. In the Search Settings section, in the Search base text box, type the distinguished

name of the directory node from which to import the users. If you do not know the

distinguished name, click the Auto Fill Root Search Base button.

9. In the User filter text box, you can add new query clauses to the default query to filter

which user profiles are imported.

10. Under Scope, select One level to import one level of user profiles, or Subtree to import

all user profiles under the search base.

11. To improve performance, you can type a maximum number of user profiles to import in

the Page Size text box, and type a maximum number of seconds for the import in the

Page time out text box.

12. In the Authentication Information section, select Specify Account and type the

account name and password that you want to use to import user profiles from this

connection.

Note:

It is recommended that you specify an account, rather than relying on the default

content access account. To use the default content access account, select Use

Default Account.

13. Click OK.

For most connections, unless you have a specific need to narrow the scope of the import or limit

the impact on the servers for directory services, you can accept the default values that appear on

the Add Connection page. If you have non-user accounts in Active Directory, such as accounts

used for testing, you might want to filter out those accounts. Configuration settings for

connections can be modified to improve performance as part of regular operations.

For more information about the exact settings to use when importing user profiles, see the

technical reference documentation for Microsoft Office SharePoint Server 2007. For more

information about Active Directory, see the documentation for Active Directory.

After you have configured import connections to directory services, you can add a connection for

additional properties imported from the Business Data Catalog. Unlike directory services, it is not

possible to create user profiles from the Business Data Catalog. You can only add Business Data

Catalog data to existing user profiles imported from directory services, although you can add as

much or as little data as you want.

Use the following procedure to add an import connection to the Business Data Catalog.

Add an import connection to the Business Data Catalog

1. On the View Import Connections page, click Create New Connection.

2. On the Add Connection page, in the Connection Settings section, in the Type menu,

click Business Data Catalog.

3. In the Connection name text box, type the name of the connection.

4. In the Domain name text box, type the domain name for the domain that contains the

information that you want to import.

5. In the Business Data Catalog Entity menu, select the name of the business data type

that contains the data field to import as a user profile property.

6. Under Connection, select Connect User Profile Store to Business Data Catalog

Entity as a 1:1 mapping, and then select a profile property that maps to the business

data type in the Return items identified by this profile property menu.

7. To import multiple items for the business data type, select Connect User Profile Store

to Business Data Catalog Entity as a 1:many mapping, select a property to filter by in

the Filter items by menu, and then type a property for the filter value in the Use this

profile property as the filter value menu.

8. Select Auto discover domain controller if the specific domain controller is not

important. To select a specific domain controller, select Specify a domain controller,

and then in the Domain controller name menu, click the name of a specific domain

controller.

9. In the Port text box, type the number of the port to use to connect to the domain. To use

SSL to help secure the connection, select the Use SSL-secured connection check

box, and type a port number that is configured to use SSL in the Port text box.

10. To minimize the performance impact on the domain controller, type a number of seconds

in the Time out text box, and select Enable Server Side Incremental.

11. In the Providername text box, type the name of the provider for this connection.

12. In the Username attribute text box, type the name of the attribute to import.

Note:

This attribute is the identification attribute for each entry in the Business Data

Catalog for this business data type.

Configure user profiles

You can add properties to user profiles other than those that are imported from directory services

and the Business Data Catalog. These properties can be mapped to existing properties so that

their values can be automatically updated during profile imports.

During initial deployment, add the additional properties that you identified during user profile

planning.

Use the following procedure to add properties to user profiles.

Add properties to user profiles

1. On the User Profiles and Properties page, in the User Profile Properties section, click

Add profile property.

2. On the Add User Profile Property page, in the Property Settings section, type a name

and display name for the property.

Note:

If your deployment uses multiple languages, you can provide alternative display

names for each language by clicking the Edit Languages button, clicking Add

Language, selecting a language from the menu, and then typing the display

name in the new language. You can add display names for any of the available

languages. The display name that appears depends on the language used by the

user viewing the property.

3. On the Type menu, select the data type for the property.

4. On the Length menu, type the maximum number of characters allowed for values for this

property.

5. To allow multiple values for this property, select the Allow multiple values check box,

and then select an option from the Multivalue Separator menu.

Note:

If you select the Allow multiple values check box, the property will be

permanently set as a multi-valued property. You cannot change this setting after

you have selected it.

6. To allow users to select values from a list of choices, select the Allow choice list check

box.

7. In the User Description section, type a description that provides instructions for users

who are adding values for this property.

Note:

If your deployment uses multiple languages, you can provide alternative

descriptions for each language by clicking the Edit Languages button, clicking

Add Language, selecting a language from the menu, and then typing the

description in the new language. You can add descriptions for any of the available

languages. The description that appears depends on the language used by the

user viewing the property.

8. In the Policy Settings, Edit Settings, and Display Settings sections, select a policy

setting and default privacy setting for this property, select whether users can edit values

for this property, and configure display options. For more information about privacy

policies, see Configure policies for Profile Services.

9. In the Choice List Settings section, choose whether the property uses a defined choice

list, add the choices, and select whether users can add to the choice list.

Note:

This section is only available if you selected the Allow choice list check box in

the Property Settings section. For more information about choice lists, see Plan

for people and user profiles.

10. In the Search Settings section, select the Alias check box if the property is equivalent to

the user's name for purposes of search. Select Indexed if this property is part of the

search schema for users, so that it can be used to find users or is displayed in users

search results.

11. In the Property Import Mapping section, select the data source and data type field to

use when mapping this property.

12. Click OK.

See Also

Plan for people and user profiles (http://technet.microsoft.com/en-us/library/cc262095.aspx)

Configure policies for Profile Services

Configure targeted content

Configure personalization sites

Configure targeted content

In this section:

Create and configure audiences

Configure published links to Office client applications

Configure personalization site links

Configure access to trusted My Site host locations

In Microsoft Office SharePoint Server 2007, content in a site can be targeted to individuals and

groups of users so that a site can provide a personalized experience for all users. This

encourages collaboration across an organization.

Content is primarily targeted by using audiences. Audiences are defined by using audience rules

based on properties in user profiles or membership in distribution lists and SharePoint groups.

Properties and distribution list membership information are imported from directory services or

from line-of-business applications that are registered in the Business Data Catalog. SharePoint

groups are configured within each site or site collection.

SharePoint lists and Web Parts can be targeted by using audiences, so that only members of the

targeted audience can view content.

Links to certain sites can be targeted by audience. Examples of targeted links include published

links to Office client applications and personalization site links. Targeted links appear in Office

client applications and My Sites only for users who are members of the target audiences.

Administrators of the Shared Services Provider (SSP) create and configure audiences, and then

configure the compilation schedules for audiences. After audiences are created by SSP

administrators, any other user with the correct permissions can use audiences to target content.

SSP administrators also configure the settings for published links to the Office client applications

and personalization site links. In configurations that have more than one My Site location, the

SSP administrator for personalization services configures trusted My Site locations so that some

groups of users can view personalized content across all My Site locations.

Create and configure audiences

Audiences use the information from directory services and user profiles to target information in

links, lists, Web Parts, document libraries, and sites. Before you can create, configure, and

compile audiences, you must import user profiles from directory services.

After creating audiences, you can target content by configuring the audience targeting properties

of the content.

Use the following procedures to create and configure audiences.

Create and configure audiences

1. On the SSP home page, in the Audiences section, click Audiences.

2. On the Manage Audiences page, click Create audience.

3. On the Create Audience page, type a name and description.

4. In the Owner text box, type or select a person to own this audience.

5. Select Satisfy all of the rules or Satisfy any of the rules depending on the rules you

have planned for each audience.

Note:

Complex rules containing AND and OR can be created by developers using the

SharePoint object model.

6. Click OK.

7. On the Add Audience Rule page, to add a rule based on a user:

a. In the Operand section, select User.

b. In the Operator section, select Reports Under to create a rule based on

organizational hierarchy or select Member Of to target by group or distribution list.

c. Type or select the user that you want to use to test this rule. For a Reports Under

rule, select the person who is the manager of the users that you want to include in

the audience. For a Member Of audience, select the group or distribution list to

include for the audience rule.

8. To add a rule based on a property of user profiles:

a. In the Operand section, select Property, and then select a property from the menu.

b. In the Operator menu, select an operator for the property. The operators vary by

property, but common operators include =, Contains, and <>. Full descriptions of the

operators are available in the planning and operations documentation for Office

SharePoint Server 2007.

c. Type a value to use when evaluating the property against this rule.

9. Click OK.
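The note in step 5 says that rules mixing AND and OR can only be built through the SharePoint object model. The following C# fragment is an added example, not code from this book, that creates such an audience with the Microsoft.Office.Server.Audience classes; the site URL, the audience name and the Department and Title values are assumed placeholders, and the code must run on a server in the farm under an account with rights to the SSP.

```csharp
using System;
using System.Collections;
using Microsoft.SharePoint;
using Microsoft.Office.Server;
using Microsoft.Office.Server.Audience;

// Added example: creates an audience whose rule mixes AND and OR, which the
// Create Audience page cannot express (it offers only "all" or "any").
class CreateComplexAudience
{
    static void Main(string[] args)
    {
        // Assumed placeholder: a site served by the SSP whose audiences you manage.
        string siteUrl = "http://sspserver/";

        using (SPSite site = new SPSite(siteUrl))
        {
            // The audience manager is scoped to the SSP that serves this site.
            ServerContext context = ServerContext.GetContext(site);
            AudienceManager manager = new AudienceManager(context);

            // Same as the Create Audience page: a name and a description.
            Audience audience = manager.Audiences.Create(
                "Sales and Marketing Managers",
                "Managers in either the Sales or Marketing department");

            // Rule components are evaluated in order; "(" and ")" components
            // group terms, and "AND" / "OR" components join them. This builds:
            //   (Department = Sales OR Department = Marketing) AND Title Contains Manager
            // The property names and values are assumed; use the profile
            // properties your SSP actually imports.
            ArrayList rules = new ArrayList();
            rules.Add(new AudienceRuleComponent(null, "(", null));
            rules.Add(new AudienceRuleComponent("Department", "=", "Sales"));
            rules.Add(new AudienceRuleComponent(null, "OR", null));
            rules.Add(new AudienceRuleComponent("Department", "=", "Marketing"));
            rules.Add(new AudienceRuleComponent(null, ")", null));
            rules.Add(new AudienceRuleComponent(null, "AND", null));
            rules.Add(new AudienceRuleComponent("Title", "Contains", "Manager"));

            audience.AudienceRules = rules;
            // A mixed rule set must be marked as such; "all" and "any" in the UI
            // correspond to AUDIENCE_AND_OPERATION and AUDIENCE_OR_OPERATION.
            audience.GroupOperation = AudienceGroupOperation.AUDIENCE_MIX_OPERATION;
            audience.Commit();

            // Membership is empty until the audience is compiled, either on the
            // compilation schedule or with Start compilation on Manage Audiences.
            Console.WriteLine("Created audience '{0}' with {1} rule components.",
                audience.AudienceName, audience.AudienceRules.Count);
        }
    }
}
```

After the audience is compiled it appears on the Manage Audiences page like any audience created in the UI and can be used to target links, lists and Web Parts.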

Use the following procedure to configure audience compilation and compile audiences.

Configure audience compilation and compile audiences

1. On the Manage Audiences page, click Specify compilation schedule.

2. On the Specify Compilation Schedule page, select Enable scheduling.

3. Select a start time in the Start at menu.

To compile audiences at the same time each day, select Every day.

To compile audiences at the same time once per week, select Every week on, and

then select a day of the week.

To compile audiences once a month, select Every month on this date, and then

select a day of the month.

4. Click OK.

On the Manage Audiences page, click Start compilation at any time to compile audiences. All

audiences will be compiled.

Note:

You can compile audiences individually from the View Audiences page by clicking the

audience, and then clicking Compile.

Actual targeting of content based on audiences is performed by site administrators or

contributors. As part of planning for your initial deployment, your planning team will identify the

key content to target. Audience administrators should work with site administrators during

deployment to ensure that content is targeted according to plan.

Configure published links to Office client applications

Users of Office 2007 client applications can see links to SharePoint sites from those applications.

This allows users to quickly and easily access sites and save documents to sites or document

libraries.

SSP administrators configure published links to Office applications during initial deployment, and

can add or change links as part of regular operations. Links can be made visible to all users or only

to specific groups of users by using audiences.

Administrators configure published links to Office client applications and target them to

audiences.

Use the following procedure to configure published links to Office client applications.

Configure published links to Office client applications

1. On the SSP Home page, in the User Profiles and My Sites section, click Published

links to Office client applications.

2. On the Published links to Office client applications page, click New to add a link to Office

client applications.

3. On the Published links to Office client applications: New Item page, in the URL section,

type the URL of the link that you want to appear in Office applications, and type a

description for the link.

4. In the Type section, select the kind of site for the URL. This will affect how client

applications display the link.

5. In the Target Audiences section, select one or more audiences to use. Only members of

these audiences will have access to the link in Office client applications.

6. Click OK.

Configure personalization site links

Personalization sites are sites that present information that is personalized based on the current

user of a site by using a filter Web Part to display only the information relevant for the current

user. Creating a personalization site link adds the link to the My Site navigation bar.

Every user who is a member of a targeted audience can see the personalization link when

viewing their personal site, along with other relevant personalization sites. This enables each user

to have a single access point for personalized content.

The configuration page for personalization sites does not check the template of linked sites, so

SSP administrators can theoretically create a link to any kind of site. However, to focus the

purpose of My Sites, it is recommended that only personalization site links or links to sites that

use a similar template be added to the list on the Personalization site links page.

SSP administrators select an owner for each personalization site link. This provides a contact for

the personalization link, but does not configure any permissions for audiences. The visibility of

each link can be modified by the relevant site administrator of each site during regular operations,

by changing the targeted audiences. Audience creation and membership can only be configured

by the audiences administrator from the SSP administration pages.

Configure the personalization site links for the key personalization sites identified during site

hierarchy and personalization planning. Additional links can be added as necessary as part of

regular operations.

Use the following procedure to configure personalization site links.

Configure personalization site links

1. On the SSP Home page, in the User Profiles and My Sites section, click

Personalization site links.

2. On the Personalization site links page, click New to add a link to a personalization site.

3. On the Personalization site links: New Item page, in the URL section, type the URL of the

link that you want to appear in the My Site navigation bar, and type a description for the

link.

4. In the Owner section, type the account name of an owner for the site link. This user is

typically the site administrator for the personalization site.

5. In the Target Audiences section, select one or more audiences to use. Only members of

these audiences will see the link in the My Site navigation bar.

6. Click OK.

Configure access to trusted My Site host locations

Users of personalization services have the permissions given to them by administrators, but

these permissions are limited to a single SSP. While good planning can avoid many situations

where users need access to multiple My Sites, some scenarios require that a user have access to

more than one My Site host location. These scenarios typically involve geographically distributed

server farms, each with its own set of shared services.

Consult your planning for SSPs and trusted My Site host locations to determine which trusted My

Site host locations you need to add and the audiences you need to use when targeting those

locations.

Use the following procedure to add trusted My Site host locations.

Add trusted My Site host locations

1. On the SSP Home page, in the User Profiles and My Sites section, click Trusted My

Site host locations.

2. On the Trusted My Site Host Locations page, click New to add another Trusted My Site

host location.

3. On the Trusted My Site Host Locations: New Item page, in the URL section, type the

URL of the trusted My Site host location, and type a description for the location.

4. In the Target Audiences section, select one or more audiences to use. For trusted My

Site locations, the relevant audiences typically represent the set of users that belong to

each My Site host location.

5. Click OK.

During regular operations, in response to changes in directory services, one or more users can

end up with My Sites in different locations. This can happen when an account is migrated from

one SSP to another, such as when an employee changes geographic divisions in an organization

that uses different SSPs for geographically distributed locations. Trusted My Site host locations

can be used to provide access to personalization features targeted for only these users, without

enabling access to all users.

See Also

Plan for audiences (http://technet.microsoft.com/en-us/library/cc261958.aspx)

Configure personalization sites

Configure personalization sites

In this section:

Create personalization sites

Design personalization sites

Target personalization site links

Microsoft Office SharePoint Server 2007 provides a template for creating personalization sites.

Personalization sites use a Current User Filter Web Part that can be connected to other Web

Parts on the page to display content that is personalized for each user who visits the site.

Personal sites combine Web Parts that display information configured by Shared Services

Provider (SSP) administrators, through user profiles and personalization policies, with content

customized by each user. Personalization sites, by contrast, are designed to be customized by

site owners for a larger audience.

Site owners are selected during initial deployment by SSP administrators when they configure

personalization links. The site owner of each site is typically the site administrator for the site, and

decides which audiences to use when targeting the display of the personalization link on the My

Site navigation bar.

Site administrators, possibly working with site designers, create and customize personalization

sites based on recognized business needs.

Create personalization sites

Creation of personalization sites is straightforward. A personalization site can be created by any

user who has the create sites permission. Use the following procedure to create a personalization

site.

Create a personalization site

1. On the Site Actions menu, click Create Site.

2. On the New SharePoint Site page, in the Title and Description section, type a title and

description for the personalization site.

3. In the Web Site Address section, type a directory name to complete the URL in the URL

name text box.

4. In the Permissions section, select the desired permissions.

5. In the Template Selection section, click the Enterprise tab, and then click

Personalization Site.

6. Configure navigation options and site categories depending on the purpose of the site

and your site hierarchy and site navigation plans.

7. Click Create.

Design personalization sites

Design of personalization sites can be simple or complex depending on the need of the site. The

key personalization sites for the initial deployment are identified during site hierarchy planning

based on the needs of your organization. Consult site hierarchy planning, and then design each

personalization site to meet your identified needs.

The list of Web Parts that can be used in designing personalization sites is provided in part in the

planning documentation, developer documentation, and technical reference documentation for

Office SharePoint Server 2007. For more information about the full capabilities of Web Parts, see

this documentation. The key concept to understand regardless of the exact Web Parts used is

how to connect the Current User Filter Web Part to other Web Parts.

Use the following procedure to connect the Current User Filter Web Part to other Web Parts.

Connect the Current User Filter Web Part to other Web Parts

1. On the Site Actions menu, click Edit Page.

2. Add the Web Parts that you want to connect to the filter Web Parts, based on your plan

for the design of this site.

3. On the Current User Filter Web Part, click the Edit menu, point to Connections, point to

Send Values To, and then click the name of the Web Part that you want to connect to

the filter Web Part.

Note:

Some connected Web Parts can accept a default value from the Current User Filter

Web Part. The procedure to connect these Web Parts uses the Send Default

Value To connection option, but is otherwise the same.

4. On the Configure Connection Webpage dialog, in the Consumer Field Name menu,

select the property to filter by.

For example, to filter the contents of a Documents Web Part, select Modified By to filter

the list in the Documents Web Part to display only the documents modified by the current

user.

5. Click Finish.

6. Click Exit Edit Mode when you are done connecting Web Parts.

Target personalization site links

The settings for personalization site links determine how links to personalization sites appear in the

My Site navigation bar. Links to personalization sites are targeted by using audiences. The SSP

administrator creates audiences and assigns an owner and set of audiences for each

personalization site link. The owner is responsible for maintaining the targeting of the link over

time by selecting new audiences, but typically cannot create audiences.

Personalization sites do not have to appear in the My Site navigation bar. However, users are

much more likely to view a personalization site and work on the information they see on a

personalization site if it is one of the sites that appears in the My Site navigation bar.

Because the personalization sites created during initial deployment represent key business

processes identified during planning, it is usually a good idea to include links to the sites in the My

Site navigation bar and carefully consider how those links are targeted.

Use the following procedure to configure personalization site links.

Configure personalization site links

1. On the SSP home page, in the User Profiles and My Sites section, click

Personalization site links.

2. On the Personalization Site Links page, click New to add a link to a personalization site.

3. On the Personalization Site Links: New Item page, in the URL section, type the URL of

the link that you want to appear in the My Site navigation bar, and type a description for

the link.

4. In the Owner section, type the account name of an owner for the site link. This user is

typically the site administrator for the personalization site.

5. In the Target Audiences section, select one or more audiences to use. Only members of

these audiences will see the link in the My Site navigation bar.

6. Click OK.

For more information on configuring personalization site links, see Configure targeted content.

Configure policies for Profile Services

In this section:

Configure policies for personalization features

Configure policies for user profiles

In Microsoft Office SharePoint Server 2007, Shared Services Provider (SSP) administrators for

personalization services configure the policies that determine who can view personalized

information and how that information can be shared. Every kind of personalized information is

affected by these policies, including:

Memberships in SharePoint sites and distribution lists.

Social networking features, such as My Colleagues.

Links on personal sites.

Personalization site link pinning.

User profile properties.

Consult your planning for personalization policies, and then configure settings for each of these

personalization features.

Configure policies for personalization features

Policies for profile services are used to configure the access and privacy settings for My Site

personalization features and user profile properties. Although all users with the Use personal

features permission can view personalized information, SSP administrators can configure policies

for each specific feature or user profile to achieve greater precision in preserving privacy and

sharing information according to the needs of each organization.

Use the following procedure to configure policies for personalization features.

Configure policies for personalization features

1. On the SSP home page, in the User Profiles and My Sites section, click Profile

services policies.

2. On the Manage Policy page, click the policy that you want to set, and then click Edit

Policy.

3. On the Edit Policy page, in the Policy Settings section, in the Policy Setting menu,

select the policy setting for the feature or property.

Click Enabled to enable the information to be shared by users other than the SSP

administrator. The visibility of enabled features is configured in the Default Privacy

Settings menu. This option is only available for policies for features and not policies

for user profile properties.

Select Disabled to prevent anyone but the SSP administrator from viewing the

property or feature.

Select Required if the property must contain information. The visibility of the property

is configured in the Default Privacy Settings menu.

Select Optional if the property is not required. Each user decides whether optional

properties contain information based on the user's preference.

4. In the Default Privacy Setting menu, select the people who can view information for the

feature or property.

Click Only Me to limit visibility to the user.

Click My Manager to limit visibility to the user and the user's manager.

Click My Workgroup to limit visibility to the user and all users who report to the same

manager.

Click My Colleagues to limit visibility to the user and all colleagues for that user.

Click Everyone to share the information with all users who have the "use personal

features" permission.

5. To enable users to change the default privacy setting, select the User can override

check box.

6. To enable a property to be available in user information lists for SharePoint sites other

than My Site, select the Replicable check box. This property and its values from the user

profile will be replicated to other sites.

Note:

If you clear a check box that has already been selected, any information that was

replicated before the change will remain on other SharePoint sites until it is

changed on each site. This can occur during deployment if you clear a check box

for a property that is replicable by default after the property has already been

imported from directory services or the Business Data Catalog.

7. Click OK.

Configure policies for user profiles

Use the following procedure to configure policies for user profiles.

Configure policies for user profiles

1. On the SSP home page, in the User Profiles and My Sites section, click User profile

and properties.

2. On the User Profiles and Properties page, in the User Profile Properties section, click

View profile properties.

3. On the View Profile Properties page, click the property that you want to configure, and

then click Edit.

4. On the Edit User Profile Property page, in the Policy Settings section, from the Policy

Setting menu, click the policy setting for the property.

Select Required if the property must contain information. The visibility of the property

is configured in the Default Privacy Settings menu, as discussed in step 5.

Select Optional if the property is not required. Each user decides whether or not to

provide values for optional properties.

Select Disabled to prevent anyone but the SSP administrator from viewing the

property or feature.

5. In the Default Privacy Setting menu, select the people who can view information for the

feature or property.

Click Only Me to limit visibility to the user.

Click My Manager to limit visibility to the user and the user's manager.

Click My Workgroup to limit visibility to the user and all users who report to the same

manager.

Click My Colleagues to limit visibility to the user and all colleagues for that user.

Click Everyone to share the information with all users who have the Use personal

features permission.

6. To enable users to change the default privacy setting, select the User can override

check box.

7. To enable a property to be available in user information lists for SharePoint sites other

than My Site, select the Replicable check box. This property and its values from the user

profile will be replicated to other sites.

Note:

Replication occurs during profile imports. The information list is replaced by the

values for the property in the imported user profile. Changes made to properties

in the user profile that are not replicated will not appear on other sites. If you

clear a Replicable check box that was previously selected, any information that

was replicated before the change will remain on other SharePoint sites until it is

changed on each site. This can occur during deployment if you clear a check box

for a property that is replicable by default after the property has been imported

from directory services or the Business Data Catalog.

8. In the Edit Settings section, click an option to allow or not allow users to edit values for

properties in their user profiles.

To allow users to edit values for the property in their user profiles, click Allow users

to edit values for this property.

To prevent users from editing values for the property, click Do not allow users to

edit values for this property.

9. In the Display Settings section, select where the property is displayed on My Site.

To display the property in the profile properties section of the user's profile page,

select Show in the profile properties section of the user's profile page.

To display the property on the Edit Details page available from the personal page of

My Site, select Show on the Edit Details page.

To display changes to the property in the Colleagues section of My Site and all other

instances of the Colleague Tracker Web Part, click Show changes in the Colleague

Tracker Web Part.

10. Click OK.

See Also

Plan for people and user profiles (http://technet.microsoft.com/en-us/library/cc262095.aspx)

Policies for Profile Services (http://technet.microsoft.com/en-us/library/cc263160.aspx)

B. Configure business intelligence features

Chapter overview: Configure business intelligence features

In this section:

Configure access to business data

Register line-of-business applications in the Business Data Catalog

Customize business data lists, Web Parts, and sites

Configure business data search

Microsoft Office SharePoint Server 2007 enables the integration of data from line-of-business

applications with features that enable that data to be found, displayed, and analyzed along with

other content by users who use SharePoint sites.

After you have planned the line-of-business applications, SharePoint lists, and sites for your

organization, you must configure the connection between data in applications and the features in

your deployment that use data.

Configure access to business data

The first step to enabling business data within your deployment involves configuring access to

business data. You must configure access to the Business Data Catalog for a Shared Services

Provider (SSP) administrator. For each line-of-business application, you configure access to the

underlying database, or to a separate database that contains a copy of the data, isolated from the

application's own data store. Finally, you configure access to the business data that is made available by the

Business Data Catalog, so that business data features are available for the users who use that

data and unavailable to other users.

For more information about configuring access to business data, see Configure access to

business data.

Register line-of-business applications in the Business Data Catalog

When you register line-of-business applications in the Business Data Catalog, you select the

business data types and properties for each business data type to import. You select fields in the

line-of-business application and then map them to business data properties that appear in

SharePoint lists, Web Parts, business dashboards, and the Report Center site.

For more information about registering line-of-business applications in the Business Data

Catalog, see Register business applications in the Business Data Catalog.

Customize business data lists, Web Parts, and sites

After you configure access to business data and import business data types and properties,

you can include the data in SharePoint lists and Web Parts. These lists and Web Parts are used

in sites across your organization, particularly business dashboards and the Report Center site.

Business data displayed in dashboard sites enables complex data analysis and action through

business intelligence features, such as Excel Web Access Web Parts and key performance

indicators (KPIs).

These features are implemented by site administrators and end users, but business planners and

SSP administrators should work closely with these users during initial deployment to implement

the decisions made during planning.

For more information about customizing business data in lists, Web Parts, and sites, see

Customize business data lists, Web Parts, and sites.

Configure business data search

A key step to making business data easily available is to integrate business data into your initial

search deployment. For more information about finding business data, see Configure business

data search.

See Also

Chapter overview: Plan for business intelligence (http://technet.microsoft.com/en-us/library/cc262935.aspx)

Configure access to business data

In this section:

Configure SSP administrator rights for the Business Data Catalog

Configure access to the SSP pages

Configure application definitions and single sign-on for the Business Data Catalog

Configure data warehousing

Configure permissions for business data

In Microsoft Office SharePoint Server 2007, the Business Data Catalog enables users to find and

analyze business data and take effective actions directly from SharePoint sites that use business

data. When configuring the Business Data Catalog, it is critical that you protect the security and

integrity of the data in line-of-business applications.

One of the most important ways to protect your data is to carefully enable access to data for users

who can use it effectively, and to prevent access by other users. During planning for your

deployment, you identify the purpose of your sites, the business applications associated with key

business purposes, and the users who use each application. During deployment, you enable

access to the groups of users identified during planning.

To enable access to business data, you should:

Configure Shared Services Provider (SSP) administrator rights for the Business Data

Catalog.

Configure access to the SSP pages.

Configure single sign-on for the Business Data Catalog.

Configure data warehouses for data security.

Configure user permissions for business data.

Configure SSP administrator rights for the Business Data Catalog

SSP administrators must have permissions to both the Business Data Catalog service and the

SSP administration pages for the Business Data Catalog.

Use the following procedure to configure SSP administrator rights to the Business Data Catalog

service.

Configure SSP administrator rights to the Business Data Catalog service

1. Open the administration page for the SSP.

To open the administration page for the SSP, do the following:

a. On the top navigation bar, click Application Management.

b. On the Application Management page, in the Office SharePoint Server Shared

Services section, click Create or configure this farm’s shared services.

c. On the Manage this Farm’s Shared Services page, there is a link to each SSP and

links to the Web applications for each SSP. Click the link for the SSP that you want to

open.

You can also access the SSP by clicking the link to the SSP Home page in the Quick

Launch.

2. On the SSP home page, in the Business Data Catalog section, click Business Data

Catalog permissions.

3. On the Manage Permissions: Business Data Catalog page, click Add Users/Groups.

4. On the Add Users/Groups: Business Data Catalog page, in the Choose Users section,

enter the name or account of the user that you want to add.

5. In the Choose Permissions section, select one or more permissions for the user. For

the main administrator of the Business Data Catalog, it is common to select all

permissions.

Edit: Select this permission to enable users to import application definitions and add,

edit, or delete application definitions, business data types, and data fields for

business data types.

Execute: Select this permission to enable users to change the properties of business

data.

Select in Clients: Select this permission to enable the user to refer to business data

types and fields in SharePoint lists, Web Parts, sites, and client applications.

Set permissions: Select this permission to enable the user to configure permissions

for other users.

6. Click Save.

Configure access to the SSP pages

SSP administrators who manage the Business Data Catalog must have access to the SSP pages

for the Business Data Catalog. This access is in addition to the separate permissions to the

Business Data Catalog service. To access the SSP home page, an account must be a member of

the Site Collection Administrators group.

By default, the account that set up the SSP is a member of the Site Collection Administrators

group. For the first SSP in the initial deployment, that is the account that was used to install Office

SharePoint Server 2007. If that same account is used to administer the SSP, no additional steps

are necessary. In most organizations, SSP administration will be delegated to one or more

additional users. The account used to set up the SSP can be used to add other accounts to the

Site Collection Administrators group.

Use the following procedure to configure access to the SSP pages.

Configure access to the SSP pages

1. Open the administration page for the SSP.

To open the administration page for the SSP, do the following:

a. On the top navigation bar, click Application Management.

b. On the Application Management page, in the Office SharePoint Server Shared

Services section, click Create or configure this farm’s shared services.

c. On the Manage this Farm’s Shared Services page, there is a link to each SSP and

links to the Web applications for each SSP. Click the link for the SSP that you want to

open.

You can also access the SSP by clicking the link to the SSP home page in the Quick

Launch.

2. On the SSP home page, click the Site Actions menu.

3. On the Site Actions menu, click Site Settings.

4. On the Site Settings page, in the Users and Permissions section, click Site collection

administrators.

5. On the Site Collection Administrators page, in the Site Collection Administrators

section, do the following:

a. Type the name or account that you want to add to the Site Collection Administrators

group.

b. Click the Check Names icon. If the name or account is found in directory services, it

will appear as a link in the text box.

c. If the name or account was not found, or if you want to search for more users, click

the Browse icon.

d. On the Select People dialog box, in the Find box, type part or all of the user's name

or account name, and then press Enter. All accounts that match appear in the text

box.

e. Select one or more accounts that you want to add, and then click Add.

f. When you are done adding SSP administrators, click OK.

6. On the Site Collection Administrators page, click OK.

Configure application definitions and single sign-on for the Business Data Catalog

Line-of-business applications are added to the Business Data Catalog by importing application definitions authored in XML. In most scenarios, access to applications from a single account is accomplished by using the single sign-on (SSO) feature of Office SharePoint Server 2007.

SSO maps permissions from external data sources, including line-of-business applications, to permissions in Office SharePoint Server 2007. This enables a user to access multiple data sources, regardless of platform or authentication requirements, without having to re-enter credentials for each system. This enables more accessible use and sharing of data without sacrificing security.

The Business Data Catalog is only one of several features and services that take advantage of SSO. SSO is also used by Excel Services in Microsoft Office SharePoint Server 2007, InfoPath Forms Services, and a variety of Web Parts, lists, and search features that access external data sources. With SSO, all of these data sources can be accessed securely by using a single sign-on.

The Business Data Catalog relies on application definitions to translate the data types and fields of data sources into metadata that is useful in sites and applications that use Office SharePoint Server 2007. The SSP administrator for the Business Data Catalog, or a Web designer, authors the XML file for the application definition, which includes authentication information and the business data types and fields in the planned business data schema. The SSP administrator then imports the application definitions into the Business Data Catalog. This data can then be viewed and analyzed in SharePoint sites to improve business data collaboration and business intelligence.

To use SSO for applications in the Business Data Catalog, the farm administrator must configure SSO on the server farm. Then, the farm administrator must create enterprise application definitions for each line-of-business application that match the separate application definitions already imported into the Business Data Catalog.

By the end of server farm configuration of SSO, enterprise application definitions should exist for all of the line-of-business applications in the Business Data Catalog. The administrator of the Business Data Catalog should work closely with farm administrators to ensure that the necessary application definitions are created. For more information about configuring SSO on the server farm, see Configure single sign-on.

After SSO is configured on the server farm and enterprise application definitions have been created for the line-of-business applications that will be added to the Business Data Catalog, the administrator of the Business Data Catalog imports the application definitions into the Business Data Catalog. Then, you can import the business data types and fields for those applications. For more information about importing application definitions, see Register business applications in the Business Data Catalog. For more information about managing single sign-on, see Central Administration Help (http://technet.microsoft.com/en-us/library/cc263179.aspx).

Configure data warehousing

While it is possible to enable access directly to your line-of-business applications, you might choose to copy a relevant subset of data from the application to a data warehouse. This protects more sensitive data by keeping it accessible to a small number of people on a relatively isolated server, while the data that is more useful for collaboration and business intelligence across your organization is copied to a server to which a broader number of people have direct access. You might also want to limit the load on your line-of-business application server by using the copied data, and limit direct access to the application to business data actions designed to update data based on analysis and business intelligence. This practice decreases the freshness of the data displayed in SharePoint lists and sites, and creates a greater need to ensure data normalization during regular operations.

During planning for your deployment, you considered these trade-offs and identified the data that you want to copy to a data warehouse.

To copy data from a line-of-business application to a data warehouse, follow the procedures for copying the data relevant to the particular application. When you configure the connections to business applications, use the location of the business data warehouse instead of the line-of-business application. When configuring business data actions that are intended to update the underlying data, you will have to separately configure access to the business data application.

Configure permissions for business data

After you have configured administrator permissions, you will register business data applications in the Business Data Catalog. For more information about registering applications and importing business data types and properties, see Register business applications in the Business Data Catalog.

To use the data from the applications registered in the Business Data Catalog, you must then configure SharePoint permissions for groups of users that collaborate on projects that use business data.

Use the following procedure to configure permissions for business data.

Configure permissions for business data

1. On the SSP home page, in the Business Data Catalog section, click Business Data Catalog permissions.

2. On the Manage Permissions: Business Data Catalog page, click Add Users/Groups.

3. On the Add Users/Groups: Business Data Catalog page, in the Choose Users section, enter the name or account of the user that you want to add.

4. In the Choose Permissions section, select one or more permissions for the user.

Edit: Select this permission to enable users to import application definitions and add, edit, or delete application definitions, business data types, and data fields for business data types.

Execute: Select this permission to enable users to change the properties of business data.

Select in Clients: Select this permission to enable the user to refer to business data types and fields in SharePoint lists, Web Parts, sites, and client applications.

Set permissions: Select this permission to enable the user to configure permissions for other users.

5. Click Save.


See Also

Register business applications in the Business Data Catalog

Customize business data lists, Web Parts, and sites

Configure business data search

Plan for business intelligence (http://technet.microsoft.com/en-us/library/cc262935.aspx)


Register business applications in the Business Data Catalog

In this section:

Create application definitions

Import application definitions

Configure enterprise application definitions for single sign-on

Configure business data types and fields

Before you can use data from any line-of-business application in Microsoft Office SharePoint Server 2007, you must register that information in the Business Data Catalog. The Business Data Catalog is the service that manages connections among line-of-business applications and the SharePoint lists, Web Parts, and sites that use data from those applications.

To register line-of-business applications in the Business Data Catalog, you should:

Create application definitions for each application or database in your organization. Application definitions contain connection settings, authentication mode, and definitions for the business data types and properties imported for a particular application.

Import application definitions into the Business Data Catalog.

Configure single sign-on (SSO) enterprise application definitions for applications that will be using SSO.

Configure business data types and the fields for each business data type.

After completing these steps for each line-of-business application in your organization, you can then use the data from applications in SharePoint lists, Web Parts, and business data-enabled sites such as business dashboards and the Report Center site. Data can also be imported for use in user profiles or used in enterprise search to find business data.

Create application definitions

An application definition is a file that describes a database or Web service. An application definition includes the following information:

Connection settings

Authentication mode

Definitions of business data types

Other information, depending upon the application

Application definitions are XML files that are authored by Business Data Catalog administrators or Web designers who understand the business data schema established in the plan for business data. During deployment, an application definition is created for each line-of-business application. For each application, the business data types (also known as entities) and properties for each entity are defined within the application definition file according to the schema. The application definition files can be imported into the Business Data Catalog, and can be exported as a backup for disaster recovery scenarios.

For more information about authoring application definitions, see the Microsoft Office SharePoint Server 2007 Software Development Kit (SDK).

Import application definitions

To use application definitions in the Business Data Catalog, you must import the application definitions. During initial deployment, you can add newly created application definitions for each line-of-business application. During regular operations, you will have to export your existing application definitions before importing them to ensure that you do not overwrite a new application definition with one that is out of date. Because application definitions include security settings, it is important that you always ensure that you are updating the correct version of any application definition so that your security settings are retained.

Use the following procedure to import an application definition.

Import an application definition

1. On the SSP home page, in the Business Data Catalog section, click Import application definition.

2. On the Import Application Definition page, in the Application Definition section, enter the location of the application definition.

3. In the File Type section, select the type of application definition to import.

Note: The author of the application definition file should know the file type for the application definition. If you don't know the file type, use the default option.

4. In the Resources to import section, select the resources to import.

Select Localized Names to import names for business data fields in multiple languages.

Select Properties to import properties from the application definition.

Select Permissions to import permissions from the application definition.

5. Click Import.
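Because the import replaces whatever the catalog already holds, it is worth comparing the security-relevant parts of the exported definition with the one you are about to import before step 1 of the procedure above. The following Python script is an added example, not code from this book or from Microsoft; it reads the LobSystem access control list and each LobSystemInstance's AuthenticationMode and SsoApplicationId using the element and attribute names of the Office SharePoint Server 2007 Business Data Catalog metadata schema, and the two definitions it compares are constructed samples. It also flags an instance whose authentication mode relies on SSO but carries no SsoApplicationId, the name that has to match the enterprise application definition described under Configure enterprise application definitions for single sign-on.

```python
"""Review the security settings of a Business Data Catalog application
definition before importing it (added example, not the book's own code).

Element and attribute names follow the Office SharePoint Server 2007 BDC
metadata schema (LobSystem, AccessControlList, LobSystemInstance, Property).
"""
import xml.etree.ElementTree as ET

BDC_NS = "http://schemas.microsoft.com/office/2006/03/BusinessDataCatalog"
NS = {"bdc": BDC_NS}

# Authentication modes that look credentials up in the SSO database and
# therefore need SsoApplicationId to name an enterprise application definition.
SSO_MODES = {"Credentials", "WindowsCredentials"}

# Constructed sample: the definition exported from the catalog today.
EXPORTED_DEFINITION = r"""<LobSystem xmlns="http://schemas.microsoft.com/office/2006/03/BusinessDataCatalog"
  Type="Database" Version="1.0.0.0" Name="ContosoSales">
  <AccessControlList>
    <AccessControlEntry Principal="CONTOSO\bdcadmin">
      <Right BdcRight="Edit"/><Right BdcRight="Execute"/>
      <Right BdcRight="SetPermissions"/><Right BdcRight="SelectableInClients"/>
    </AccessControlEntry>
    <AccessControlEntry Principal="CONTOSO\salesteam">
      <Right BdcRight="Execute"/><Right BdcRight="SelectableInClients"/>
    </AccessControlEntry>
  </AccessControlList>
  <LobSystemInstances>
    <LobSystemInstance Name="ContosoSalesInstance">
      <Properties>
        <Property Name="AuthenticationMode" Type="System.String">Credentials</Property>
        <Property Name="SsoApplicationId" Type="System.String">ContosoSales</Property>
      </Properties>
    </LobSystemInstance>
  </LobSystemInstances>
</LobSystem>"""

# Constructed sample: a stale copy a designer wants to import. It lost one
# principal and two rights, and dropped the SSO application name.
CANDIDATE_DEFINITION = r"""<LobSystem xmlns="http://schemas.microsoft.com/office/2006/03/BusinessDataCatalog"
  Type="Database" Version="1.0.0.1" Name="ContosoSales">
  <AccessControlList>
    <AccessControlEntry Principal="CONTOSO\bdcadmin">
      <Right BdcRight="Edit"/><Right BdcRight="Execute"/>
    </AccessControlEntry>
  </AccessControlList>
  <LobSystemInstances>
    <LobSystemInstance Name="ContosoSalesInstance">
      <Properties>
        <Property Name="AuthenticationMode" Type="System.String">Credentials</Property>
      </Properties>
    </LobSystemInstance>
  </LobSystemInstances>
</LobSystem>"""


def security_settings(xml_text):
    """Return the ACL and per-instance authentication settings of a definition."""
    root = ET.fromstring(xml_text)
    acl = {}
    for ace in root.findall("bdc:AccessControlList/bdc:AccessControlEntry", NS):
        acl[ace.get("Principal")] = {r.get("BdcRight") for r in ace.findall("bdc:Right", NS)}
    instances = {}
    for inst in root.findall("bdc:LobSystemInstances/bdc:LobSystemInstance", NS):
        props = {p.get("Name"): (p.text or "").strip()
                 for p in inst.findall("bdc:Properties/bdc:Property", NS)}
        instances[inst.get("Name")] = (props.get("AuthenticationMode"),
                                       props.get("SsoApplicationId"))
    return acl, instances


def review_import(exported_xml, candidate_xml):
    """List what importing candidate_xml would change relative to exported_xml."""
    old_acl, old_inst = security_settings(exported_xml)
    new_acl, new_inst = security_settings(candidate_xml)
    findings = []
    # Permissions the import would drop, change or grant.
    for principal, rights in old_acl.items():
        if principal not in new_acl:
            findings.append(f"principal {principal} loses all rights")
        elif new_acl[principal] != rights:
            findings.append(f"principal {principal} rights change: "
                            f"{sorted(rights)} -> {sorted(new_acl[principal])}")
    for principal in sorted(new_acl.keys() - old_acl.keys()):
        findings.append(f"principal {principal} gains rights {sorted(new_acl[principal])}")
    # Authentication settings of every instance in the candidate.
    for name, (mode, sso_id) in new_inst.items():
        old_mode = old_inst.get(name, (None, None))[0]
        if mode != old_mode:
            findings.append(f"instance {name} authentication mode changes: {old_mode} -> {mode}")
        if mode in SSO_MODES and not sso_id:
            findings.append(f"instance {name} uses SSO but has no SsoApplicationId")
    return findings


if __name__ == "__main__":
    for finding in review_import(EXPORTED_DEFINITION, CANDIDATE_DEFINITION):
        print(finding)
```

Run it against the file you exported from the SSP and the file you are about to import; an empty result means the access control list and authentication settings are unchanged.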

Configure enterprise application definitions for single sign-on

If you are using SSO to access line-of-business applications, you must configure SSO for your line-of-business applications. For more information about configuring SSO for the Business Data Catalog, see Configure access to business data, or see Configure single sign-on. Server farm administrators create enterprise application definitions for line-of-business applications and other data sources.

Use the following procedure to create an enterprise application definition.

Create an enterprise application definition

1. In Central Administration, on the top navigation bar, click Operations.

2. On the Operations page, in the Security Configuration section, click Manage settings for single sign-on.

3. On the Manage Settings for Single Sign-On page, click Manage settings for enterprise application definitions.

4. On the Manage Enterprise Application Definitions page, click New Item.

5. On the Create Enterprise Application Definition page, in the Application and Contact Information section, in the Display name box, type the name that is displayed to users.

6. In the Application name box, type the name that Web Parts use to refer to the enterprise application definition. Single sign-on components use the application name to specify which enterprise application definition to use. This name should match the name used in the application definition in the Business Data Catalog.

7. In the Contact e-mail address box, type the e-mail address that users can contact for the enterprise application.

8. In the Account type section, select one of the following:

a. Group. Select this option if users will connect to the enterprise application through a group account. If you select this option, you need to configure account information for the application definition.

b. Individual. Select this option if each user has an account in the application definition.

c. Group using restricted account. Select this option if users will connect to the enterprise application through a group that uses a restricted account. If you select this option, credentials are stored separately from regular credentials and a different API is used to access the credentials. Select this option only when all of the following are true:

The account is a group account.

An intermediary application such as the Business Data Catalog imposes further security restrictions.

The data is highly sensitive.

9. In the Authentication type section, select the Windows authentication check box.

Warning: If Windows authentication is not used, the logon credentials are not encrypted.

10. In the Logon Account Information section, configure each of the Field boxes for soliciting required logon information from users. Selecting Yes for Mask hides the text typed by the user. This helps to keep sensitive information such as passwords secret.

11. Click OK.

Administrators for the Business Data Catalog should work closely with farm administrators to ensure that the necessary application definitions are created that correspond to the configuration plans for the Business Data Catalog.

Configure business data types and fields

The business data types (also known as entities) and the fields for each business data type are included and defined in the application definition file. Application definitions created according to the business data schema will already be properly configured. However, some configuration might still be necessary in the following cases:

If the business data schema changes during the process of deployment, you might have to update entities and fields for existing applications. These changes are made by changing and re-importing the application definition file.

If you want to change the list of people with access to a particular application or entity, you can configure permissions in the Business Data Catalog.

If you plan additional business data actions for one or more entities, you can configure the business data actions in the Business Data Catalog.

If you want to change how business data profiles appear, you can edit the profile page template.

To add or edit fields for existing business data types or to import new business data types, you must edit the application definition file.

Manage permissions for an application or entity

Use the following procedure to manage permissions for an application or entity.

Manage permissions for an application or entity

1. On the SSP home page, in the Business Data Catalog section, click View applications or View entities.

2. On the Business Data Catalog Applications or Business Data Catalog Entities page, click the application or entity that you want to manage.

3. On the View Application or View Entity page, click Manage Permissions.

4. On the Manage Permissions page, click Add Users/Groups to add users and groups.

5. On the Add Users/Groups page, in the Choose Users section, enter the new users and groups that you want to add.

6. In the Choose Permissions section, select the permissions that you want for the users and groups.

7. Click OK.

8. To remove users or groups, on the Manage Permissions page, select the check boxes for the users and groups that you want to remove, and then click Remove Selected Users.

9. To modify the permissions of selected users, click Modify Permissions of Selected Users.

10. On the Modify Permissions page, in the Choose Permissions section, select the permissions that you want for the user or group.

11. Click OK.

12. To copy permissions for an application to all entities for that application, or to copy permissions for an entity to all child entities, click Copy all permissions to descendants, and click OK in the dialog box that appears.

For more information about Business Data Catalog permissions, see Configure access to business data.

Add business data actions for an entity

Use the following procedure to add business data actions for an entity.

Add business data actions for an entity

1. On the SSP home page, in the Business Data Catalog section, click View entities.

2. On the Business Data Catalog Entities page, click the entity that you want to edit.

3. On the View Entity page, in the Actions list, click Add Action.

4. On the Add Action page, in the Name section, type a name for the action in the Action Name text box.

5. In the URL section, in the Navigate to this URL text box, type the URL that will appear in the browser when this action is selected.

6. To assign properties and add them as parameters to the URL:

a. In the URL Parameters section, click the Add Parameter button.

b. Select a parameter from the drop-down list that appears.

c. To remove a parameter, click the Remove button next to the parameter that you want to remove.

Note: Properties assigned to parameters are sent to the target URL and can be processed by business data Web Parts on that page, such as filter Web Parts.

7. In the Icon section, to use a standard icon, select Standard icon, and then click the standard icon that is relevant for this action.

8. To use a custom icon, in the Icon section, select The image at this URL, and then type the URL of the image.

9. Click OK.

Edit the profile page template

Use the following procedure to edit the profile page template.

Edit the profile page template

1. On the SSP home page, in the Business Data Catalog section, click Edit profile page template.

2. On the profile template page, click Site Actions, and then click Edit Page.

3. In Edit Mode, add and modify Web Parts according to the planned template.

Note: To view business data profiles in a complex business dashboard, you can replace the default profile page template with the dashboard page template, and then modify the new template. This enables you to use key performance indicators, filters, and other tools for business intelligence and analysis directly from business data profiles.


Customize business data lists, Web Parts, and sites

In this section:

Create business data lists

Create KPIs and KPI lists

Create and configure reports in the Report Center site

Create and configure dashboard sites

Create other business data sites

After configuring access to business data and registering applications in the Business Data Catalog, business data is available for use in lists, Web Parts, and sites in your deployment. The initial creation and customization of lists, Web Parts, and sites is performed by site administrators, designers, and contributors. While these tasks are daily operations for different users, and not the responsibility of IT professionals, it is important to set up key lists, Web Parts, and sites as part of an initial deployment of Microsoft Office SharePoint Server 2007.

The relevant customization tasks during deployment include:

Creating SharePoint lists that use business data and that can be used by business data Web Parts and sites that use business data.

Creating key performance indicators (KPIs) based on business data lists, other SharePoint lists, Excel workbooks, or data sources made available in data connection libraries.

Creating reports and adding KPI lists and business data lists to the Reports Library of the Report Center site or any site that uses the Report Center template.

Creating and configuring dashboard sites in the Report Center site.

Creating additional Report Center sites and other sites that use business data.

Create business data lists

Business data lists are any SharePoint lists that include business data. The data is imported from properties of line-of-business applications registered in the Business Data Catalog. Business data lists are typically stored in document libraries for sites related to the applications that are the source of data, and can also be used to configure business data Web Parts that are used in sites such as personalization sites and the Report Center site.

Use the following procedure to create a business data list.

Create a business data list

1. In the Quick Launch, click Lists.

2. On the All Site Content page, in the list view, click Create to create a custom list, or click the link to an existing list.

3. On the list page, on the Settings menu, click Create Column.

4. On the Create Column page, in the Name and Type section, type a name and then select the Business data check box.

5. In the Additional Column Settings section, select the business data type and field that contains the data you want to add to the list.

6. To display the action menu for the selected business data type, click Display the actions menu.

7. To link the column to the business data profile for the type, click Link this column to the profile page.

8. Click OK.

You can add as many business data columns as you want. For more information about business data lists, see the User's Guide.

Create KPIs and KPI lists

KPIs provide a quick graphical indication of the state of a key business process. KPIs calculate a single value based on a range of data from one of several sources, and then test that value against a value that represents progress toward a business goal.

For each KPI planned in your initial configuration, you create a KPI list. Then, you add one or more KPIs to the list, grouping KPIs for related business processes. For organizational purposes, each KPI list is typically created and stored in the site that will be displaying KPIs, such as the Reports Library of a Report Center site.

Use the following procedure to create KPIs and KPI lists.

Create KPIs and KPI lists

1. On the Quick Launch, click Lists.

2. On the All Site Content page, click Create.

3. On the Create page, in the Custom Lists section, click KPI list.

4. On the New page, in the Name and Description section, type a name and description.

5. In the Navigation section, click Yes if you want the KPI to be visible on the Quick Launch.

6. Click Create.

7. On the KPI list page, click the New menu, and then click the type of indicator that you want to add. You can use data from a SharePoint list, an Excel workbook, a SQL Server 2005 Analysis Services cube from a data connection library, or from a manual list of values.

8. On the New Item page, enter values for the relevant properties.

For more information about creating and configuring KPIs, see the User's Guide.

Create and configure reports in the Report Center site

For business data lists and KPI lists that are based on data from the Business Data Catalog that you plan to use in the Report Center site, you can create the lists in the Reports Library of the Report Center site. These lists can then be used in dashboards for the Report Center site.

In the Report Center site, you can also create reports based on Excel data. Use the following procedure to create a report.

Create a report in the Report Center site

1. In the Reports Library, click the New menu, and then click Report.

2. On the Reports Library: Report page, enter properties for the report, and then click OK.

3. In the Reports Library, click the menu for the report, and then click Edit in Microsoft Office Excel to add data to the report.

During deployment, you will only add the key reports that you identified during planning. The other reports can be added by users during normal operations.

For more information about using reports to display Excel data, see C. Configure Excel Services.

Create and configure dashboard sites

Dashboard sites are configured by adding and configuring the relevant Web Parts.

Dashboard sites use filter Web Parts to provide both automatic and user-selected filtering of data displayed in KPI List Web Parts and Excel workbooks. In some cases, they may also include business data Web Parts. Each filter is connected to the Web Parts it filters by the site administrator. Dashboard sites can be created from the Report Center site, or from any site that is created by using the Report Center template.

KPI List Web Parts are used to display either a list of several KPIs for your organization, or the details of a single KPI from a KPI list. Excel Web Access Web Parts are used to display information from Excel workbooks. Business data Web Parts can be used to display data from line-of-business applications, by using a business data list that includes data from the relevant applications.

Use the following procedure to create and configure a dashboard site.

Create and configure a dashboard site

1. On the home page of the site, in the Quick Launch, click Reports to open the Report Center site.

Note: If your site template does not include a Report Center site, you must first create a site by using the Report Center template, and then open that site.

2. On the home page of the Report Center site, in the Quick Launch, click Dashboards to open a list of dashboards in the Reports Library page of the Report Center site.

3. On the Reports Library page, click the New menu, and then click Dashboard Page.

4. On the New Dashboard page, in the Page Name section, provide a name, title, and description for the dashboard site.

5. In the Key Performance Indicator section, select Allow me to select an existing KPI later.

Note: Alternatively, you can select Create a KPI list for me automatically, and then configure the KPI list later.

6. Click OK.

7. On the Dashboard page, in the Site Actions menu, click Edit Page.

8. For the Web Part Page zone in which you want to add a Web Part, click Add a Web Part.

9. On the Add Web Parts Web page, in the Suggested Web Parts section, select the check box for the type of Web Part you want to add, and then click Add.

10. To configure the Web Part, click the Edit menu, and then click Modify Shared Web Part.

For more information about the configuration options for Business Data Web Parts, see Plan business data Web Parts (http://technet.microsoft.com/en-us/library/cc261941.aspx).

Use the following procedure to configure filter Web Parts.

Configure filter Web Parts

1. On the Add Web Parts Web page, select the check box for the filter Web Part that you want to add, and then click Add.

2. On the filter Web Part, click Edit, point to Connections, and then select the Web Part to connect to the filter.

For more information about the configuration options for filter Web Parts, see Plan dashboards and filters (http://technet.microsoft.com/en-us/library/cc262682.aspx).

For more information about configuring Excel Web Access Web Parts, see Chapter overview: Configure Excel Services.

Create other business data sites

Business data Web Parts and KPI List Web Parts can be used in any site. Site administrators can add business data to personalization sites so that each person views a personalized view of the data in each Web Part. KPIs for key business processes are often available on portal home pages, or on pages in the Search Center site organized around business data. Refer to your site hierarchy plan for your initial deployment, and add business data and KPI Web Parts for each relevant site.

See Also

B. Configure business intelligence features

Plan business data lists (http://technet.microsoft.com/en-us/library/cc261850.aspx)

Plan business data Web Parts (http://technet.microsoft.com/en-us/library/cc261941.aspx)

Plan key performance indicators (http://technet.microsoft.com/en-us/library/cc263321.aspx)

Plan reports (http://technet.microsoft.com/en-us/library/cc263506.aspx)

Plan business data actions (http://technet.microsoft.com/en-us/library/cc262684.aspx)

Plan dashboards and filters (http://technet.microsoft.com/en-us/library/cc262682.aspx)


Configure business data search

In this section:

Ensure availability of business data

Configure and crawl business data content sources

Configure and customize query options for business data

Administrators of the search service and administrators of individual site collections must configure several options before business data is available in search results. To make business data available for search, you should:

Ensure that the data you want users to find is available in the Business Data Catalog, and ensure that users have the intended permissions.

Configure and crawl business data content sources.

Configure and customize query options for business data.

Most of these tasks are performed by the administrator of the search shared service or by the administrator of the Business Data Catalog. Some tasks are performed by site collection administrators. Both shared services administrators and site collection administrators will help plan search for business data.

Ensure availability of business data

Users can only search for business data for line-of-business applications if it is available in the Business Data Catalog, and only if users have the intended permissions. The Shared Services Provider (SSP) administrator for the Business Data Catalog must configure access to business data and register business data types and properties for all line-of-business applications that use the SSP.

For more information about configuring access to business data, see Configure access to business data. For more information about registering line-of-business applications in the Business Data Catalog, see Register business applications in the Business Data Catalog.

Configure and crawl business data content sources Business data, as any other content, can only be found during search queries if a content source

has been created that includes a start address for the data. SSP administrators for the search

service must create and configure all content sources for business data, based on the data

identified during planning.

When you add start addresses for business data, you must use a location that respects the

security settings configured in the Business Data Catalog. For example, if the Business Data

Catalog connects to a server containing a copy of data instead of the server that is running the

Page 263: AF010163853

247

line-of-business application, you must use the location of the copied data in the start address for

the business data content source.

Use the following procedure to configure business data content sources.

Configure business data content sources

1. Create one or more content sources for the data in line-of-business applications, using

one start address per application. Use a start address that respects your security

configuration.

2. To use a crawling account other than the default content access account to crawl a

particular business data start address, create a crawl rule for that start address. All

content sources that include that start address will use that account.

3. To change how a particular start address is crawled, configure a crawl rule for that start

address.

4. Crawl all business data content sources.

5. Some properties for business data might appear as crawled properties in the search

schema. Based on search schema planning, select relevant properties in the Configure

Search section of the Business Data Catalog and map them to managed properties for

search. These properties will be available for use during search queries.

6. Crawl the content sources again to complete the mapping of managed properties.

Configure and customize query options for business data

After crawling business data content sources, the SSP administrator for the search service

creates and configures shared search scopes for business data. Then site administrators create

site search scopes and keywords, and configure relevance settings for queries performed on the

sites that they manage.

Both SSP administrators and site administrators configure query options based on decisions

made during planning for the initial deployment. Many of these settings will be changed as part of

regular operations, but it is helpful to configure the initial query options for your deployment of

Office SharePoint Server 2007.

Use the following procedure to configure the initial query options.

Configure initial query options

1. Create shared search scopes for business data (SSP administrator).

2. Create site-specific search scopes for business data (site administrators).

3. Configure keywords for business data (site administrators).

4. Configure relevance settings (site administrators).

5. Customize the Search Center tabs for business data.


See Also

Configure access to business data

Register business applications in the Business Data Catalog


C. Configure Excel Services


Chapter overview: Configure Excel Services

Configure Excel Services in Microsoft Office SharePoint Server 2007 to centrally manage user

access to system resources and external databases. From the Central Administration Web

application in Microsoft Office SharePoint Server 2007, you can configure the SharePoint

document libraries, UNC paths, and HTTP Web sites from which Excel Calculation Services can

open workbooks.

You can also configure which external databases workbook authors are allowed to access. You

can configure restrictions on the use of data connections, single sign-on (SSO) authentication,

and the use of user-defined functions.

About Excel Services configuration

Trusted file locations These are SharePoint document libraries, UNC paths, or HTTP Web

sites that have to be explicitly trusted before Excel Calculation Services is allowed to access

them. For more information, see Add a trusted file location.

Single sign-on SSO enables authentication against external data sources without having to

provide authentication credentials more than once. SSO authentication is required in a

trusted subsystem environment. For more information, see Start the Single Sign-On service

and Manage settings for single sign-on.

Trusted data providers These are databases that reside outside of the Excel Services

farm and that Excel Calculation Services is explicitly configured to trust when processing data

connections in workbooks. Excel Calculation Services attempts to process a data connection

only if the connection is to a database that has been added to the Excel Services trusted data

providers list. For more information, see Add a trusted data provider.

Trusted data connection libraries These are SharePoint document libraries that contain

Office data connection (.odc) files that are used to manage workbook connections to trusted

data providers. In the trusted subsystem model, front-end Web servers and application

servers running Excel Calculation Services trust the accounts of the associated Office

SharePoint Server 2007 applications. For more information, see Add a trusted data

connection library.

User-defined functions These are functions that enable users to extend the functionality of

Excel Web Services. For more information, see Enable user-defined functions.

See Also

Plan Excel Services security (http://technet.microsoft.com/en-us/library/cc263086.aspx)


Add a trusted file location

In this section:

About trusted file locations

Add a trusted file location

About trusted file locations

In Microsoft Office SharePoint Server 2007, a trusted file location is a SharePoint document

library, a UNC path, or an HTTP Web site that is configured as a trusted repository for workbooks

that Excel Calculation Services can access. Excel Calculation Services opens workbooks that are

stored in trusted file locations only.

If you are planning to use a new SharePoint document library as a trusted file location for Excel

Services in Microsoft Office SharePoint Server 2007, create the new document library on a

SharePoint site. To create the new document library, click the Site Actions menu, select Create,

and then click Document Library. On the New page, type a name for the new document library

and click Create.

Add a trusted file location

Use the following procedure to add a trusted file location.

Add a trusted file location

1. From Administrative Tools, open the SharePoint Central Administration Web

application.

2. On the Central Administration home page, click Application Management.

3. On the Application Management page, in the Office SharePoint Server 2007 Shared

Services section, click Create or Configure this Farm's Shared Services.

4. On the Manage this Farm's Shared Services page, click SharedServices1 (Default).

This is the Shared Services Provider (SSP) that you will configure.

5. On the Shared Services home page, in the Excel Services Settings section, click

Trusted file locations.

6. On the Excel Services Trusted File Locations page, click Add Trusted File Location.

7. In the Address section, type the location and name of the Office SharePoint Server 2007

document library that you want to add as a trusted file location in Excel

Services. If the document library is stored in the Windows SharePoint Services 3.0

content database, ensure that Windows SharePoint Services 3.0 is selected as the

Location Type.


8. In the External Data section, select the type of data connections that you will allow

workbooks in this trusted file location to contain and click OK.

In the External Data section, you can determine whether workbooks stored in trusted file

locations and opened in Excel Calculation Services sessions can access an external data source.

You can designate whether Allow External Data is set to None, Trusted data connection

libraries only, or Trusted data connection libraries and embedded.

If you select either Trusted data connection libraries only or Trusted data connection

libraries and embedded, the workbooks stored in the trusted file locations are allowed to access

external data sources. External data connections can be accessed only when they are embedded

in or linked from a workbook. Excel Calculation Services checks the list of trusted file locations

before opening a workbook. If you select None, Excel Calculation Services will block any attempt

to access an external data source. If you manage data connections for a large number of

workbook authors, you might want to select Trusted data connection libraries only.

For information about how to perform this procedure using the Stsadm command-line tool, see

Add-ecsfiletrustedlocation (http://technet.microsoft.com/en-us/library/cc262818.aspx).

See Also

Add a trusted data connection library


Start the Single Sign-On service

In this section:

About single sign-on authentication

Start the Single Sign-On service

About single sign-on authentication

In Microsoft Office SharePoint Server 2007, single sign-on (SSO) authentication enables users to

access multiple system resources without having to provide authentication credentials more than

once. Office SharePoint Server 2007 implements SSO authentication by including a Windows

service and a secure credentials database.

To authenticate a data connection in a workbook against an external data source, you can

configure Excel Calculation Services to retrieve authentication credentials from an SSO store. To

enable SSO functionality for Office SharePoint Server 2007, you need to start the Microsoft

Single Sign-On service and then manage SSO settings in the SharePoint Central Administration

Web application.

Start the Single Sign-On service

Use the following procedure to start the Single Sign-On service.

Start the Single Sign-On service

1. From Administrative Tools, click Services.

2. Double-click Microsoft Single Sign-On Service.

3. On the Log On tab of the Single Sign-On Service Properties page, click This account,

and then type the domain, user name, and password that you have used to install and

manage your server.

4. Click Apply.

5. On the General tab of the Single Sign-On Service Properties page, change the startup

type to Automatic, click Start, and then click OK.

Note:

Start the Single Sign-On service on all front-end Web servers and all application

servers in your farm that run Excel Calculation Services.
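The note above calls for the service to be started on every front-end Web server and every Excel Calculation Services server. The following PowerShell is an added example, not part of the TechNet book: it applies the same logon account, Automatic startup type and Start action from the procedure to a list of servers in one pass, and reports the resulting state of each so a missed server is visible. It assumes the service's short name is ssosrv (display name Microsoft Single Sign-on Service), that WMI is reachable on each target, and that the caller is a local administrator there; the server names and account are placeholders.

```powershell
# Added example (not from the TechNet book): start the Microsoft Single Sign-On
# service on every front-end Web server and Excel Calculation Services server
# with one script, instead of repeating the Services console procedure per box.
# ASSUMPTIONS: the service short name is 'ssosrv' (display name "Microsoft Single
# Sign-on Service"); WMI (DCOM) is reachable and the caller is a local administrator
# on each target. Verify the name with Get-Service on one server first.

function Enable-SsoService {
    param(
        [Parameter(Mandatory = $true)] [string[]] $ComputerName,
        [Parameter(Mandatory = $true)] [System.Management.Automation.PSCredential] $ServiceAccount,
        [string] $ServiceName = 'ssosrv'   # assumption, see above
    )

    $userName = $ServiceAccount.UserName                        # DOMAIN\user form
    $password = $ServiceAccount.GetNetworkCredential().Password

    foreach ($computer in $ComputerName) {
        $svc = Get-WmiObject -Class Win32_Service -ComputerName $computer -Filter "Name='$ServiceName'"
        if ($svc -eq $null) {
            Write-Warning "$computer : service '$ServiceName' not found (SSO binaries not installed?)"
            continue
        }

        # A running service keeps its old logon identity until restarted, so stop it first.
        if ($svc.State -eq 'Running') { [void] $svc.StopService(); Start-Sleep -Seconds 5 }

        # Win32_Service.Change(DisplayName, PathName, ServiceType, ErrorControl,
        #   StartMode, DesktopInteract, StartName, StartPassword, ...); $null leaves a field unchanged.
        $result = $svc.Change($null, $null, $null, $null, 'Automatic', $null, $userName, $password)
        if ($result.ReturnValue -ne 0) {
            Write-Warning "$computer : Change() failed with code $($result.ReturnValue)"
            continue
        }

        $result = $svc.StartService()
        if ($result.ReturnValue -ne 0) {
            Write-Warning "$computer : StartService() failed with code $($result.ReturnValue) (wrong password, or the account lacks the 'Log on as a service' right?)"
        }

        # Re-read and report the effective state so the result can be reviewed farm-wide.
        $svc = Get-WmiObject -Class Win32_Service -ComputerName $computer -Filter "Name='$ServiceName'"
        New-Object PSObject -Property @{
            Computer  = $computer
            State     = $svc.State
            StartMode = $svc.StartMode
            LogOnAs   = $svc.StartName
        }
    }
}

# Usage: prompt once for the account used to install and manage the farm, then apply it
# to every server that runs the front-end or Excel Calculation Services role
# (server and account names are placeholders).
$cred = Get-Credential -Credential 'CONTOSO\spadmin'
Enable-SsoService -ComputerName 'WFE01', 'WFE02', 'APP01' -ServiceAccount $cred | Format-Table -AutoSize
```

The password is read once with Get-Credential rather than typed into the script, and the report at the end is what you would compare against your farm's server list: any server missing from the output, or showing a state other than Running with start mode Auto, still needs the manual procedure above.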

See Also

Manage settings for single sign-on


Manage settings for single sign-on

In this section:

About single sign-on settings

Manage single sign-on settings

About single sign-on settings

Excel Services in Microsoft Office SharePoint Server 2007 supports three data authentication

methods: Integrated Windows authentication, single sign-on (SSO) authentication, and None.

Imagine a data connection in a workbook opened in an Excel Calculation Services application

server that uses stored credentials for authentication against an external data source. In this

scenario, Excel Calculation Services has to retrieve valid credentials from an SSO authentication

database, and then use the credentials to authenticate against a data source before the data

connection can be established.

To enable SSO functionality for Microsoft Office SharePoint Server 2007, you need to start the

Microsoft Single Sign-On service, and then manage SSO settings in the SharePoint Central

Administration Web application.

Manage single sign-on settings

Use the following procedure to manage SSO settings.

Manage SSO settings

1. From Administrative Tools, open the SharePoint Central Administration Web

application.

2. On the Central Administration home page, click Operations.

3. In the Security Configuration section, click Manage settings for single sign-on.

4. On the Manage Settings for Single Sign-On page, click Manage server settings.

5. In the Account Name box for the SSO Administrator account, type the same domain and

user name that you used to configure the Single Sign-On service. If the user name you

used to configure the Single Sign-On service is a member of a Windows security group,

you can type the name of the Windows security group instead of a user name.

6. In the Enterprise Application Definition Administrator Account box, type the same

domain and user name that you used to configure the Single Sign-On service.

See Also

Start the Single Sign-On service


Add a trusted data provider

In this section:

About trusted data providers

Add a trusted data provider

About trusted data providers

Trusted data providers are external databases that Excel Calculation Services is explicitly

configured to trust when processing data connections in workbooks. Excel Calculation Services

attempts to process a data connection only if the connection is to a trusted data provider.

You can control access to external data by explicitly defining the data providers that are trusted

and recording them in the list of trusted data providers. The list of trusted data providers

designates specific external data providers to which workbooks opened in Excel Calculation

Services are permitted to connect.

Before instantiating a data provider to enable a workbook to connect to an external data source,

Excel Calculation Services checks the connection information to determine whether the provider

appears on the list of trusted data providers. If the provider is on the list, a connection is

attempted; otherwise, the connection request is ignored.

Add a trusted data provider

Use the following procedure to add a trusted data provider.

Add a trusted data provider

1. From Administrative Tools, open the SharePoint Central Administration Web

application.

2. On the Central Administration home page, click Application Management.

3. On the Application Management page, in the Office SharePoint Server 2007 Shared

Services section, click Create or Configure this Farm’s Shared Services.

4. On the Manage this Farm’s Shared Services page, click SharedServices1 (Default).

This is the Shared Services Provider (SSP) that you will configure.

5. On the Shared Services home page, in the Excel Services Settings section, click

Trusted data providers.

6. On the Excel Services Trusted Data Providers page, click Add Trusted Data Provider.

7. In the Provider ID section, type the identifier of the external database you want to add as

a trusted data provider in Excel Services in Microsoft Office SharePoint Server 2007.

Click OK.


For information about how to perform this procedure using the Stsadm command-line

tool, see Add-ecssafedataprovider (http://technet.microsoft.com/en-

us/library/cc263293.aspx).

See Also

Add a trusted data connection library


Add a trusted data connection library

In this section:

About trusted data connection libraries

Add a trusted data connection library

About trusted data connection libraries

In Microsoft Office SharePoint Server 2007, a trusted data connection library is a data connection

library from which you have determined that it is safe to access Office data connection (.odc)

files. The .odc files are used to centrally manage connections to external data sources.

Instead of allowing embedded connections to external data sources, Excel Calculation Services

can be configured to require the use of .odc files for all data connections. The .odc files are stored

in data connection libraries, and the data connection libraries have to be explicitly trusted before

Excel Calculation Services will allow workbooks to access them.

If a data connection is linked from a workbook that is accessed by a server running Excel

Calculation Services, the server checks the connection information and the list of trusted data

connection libraries. If the data connection library is on the list, a connection is attempted by

using the .odc file from the data connection library; otherwise, the connection request is ignored.

Before you can configure a data connection library as a trusted data connection library for Excel

Services in Microsoft Office SharePoint Server 2007, you must create a data connection library

on a SharePoint site. To create a data connection library, click the Site Actions menu, select

Create, and then click Data Connection Library. On the New page, type a name for the new

data connection library and click Create.

Add a trusted data connection library

Use the following procedure to add a trusted data connection library.

Add a trusted data connection library

1. From Administrative Tools, open the SharePoint Central Administration Web

application.

2. On the Central Administration home page, click Application Management.

3. On the Application Management page, in the Office SharePoint Server 2007 Shared

Services section, click Create or Configure this Farm’s Shared Services.

4. On the Manage this Farm’s Shared Services page, click SharedServices1 (Default).

This is the Shared Services Provider (SSP) that you will configure.

5. On the Shared Services home page, in the Excel Services Settings section, click

Trusted data connection libraries.


6. On the Excel Services Trusted Data Connection Libraries page, click Add Trusted Data

Connection Library.

7. Type the address of the data connection library that you want to configure as a trusted

data connection library and click OK.

For information about how to perform this procedure by using the Stsadm command-line tool, see

Add-ecstrusteddataconnectionlibrary (http://technet.microsoft.com/en-us/library/cc261726.aspx).

See Also

Add a trusted file location


Enable user-defined functions

In this section:

About user-defined functions

Enable user-defined functions

Enable user-defined functions for workbooks in a trusted file location

About user-defined functions

User-defined functions extend the capabilities of Excel Services in Microsoft Office SharePoint

Server 2007 by enabling you to define and create custom functions. To enable this functionality,

you need to configure Excel Services to support user-defined functions.

To configure this support, you must enable user-defined functions on trusted file locations

containing workbooks that require access to this functionality. In addition, you must register user-

defined function assemblies on the Excel Services user-defined function assembly list.

Enable user-defined functions

Use the following procedure to enable user-defined functions.

Enable user-defined functions

1. From Administrative Tools, open the SharePoint Central Administration Web

application.

2. On the Central Administration home page, click Application Management.

3. On the Application Management page, in the Office SharePoint Server 2007 Shared

Services section, click Create or Configure this Farm's Shared Services.

4. On the Manage this Farm's Shared Services page, click SharedServices1 (Default).

This is the Shared Services Provider (SSP) that you will configure.

5. On the Shared Services home page, in the Excel Services Settings section, click User-

defined function assemblies.

6. On the Excel Services User-Defined Functions page, click Add User-Defined Function

Assembly.

7. In the Assembly box, type the assembly strong name or the file path of the user-defined

function assembly that you want to register.

8. In Assembly Location, perform the following actions:

a. Select the global assembly cache (GAC) if you are deploying a user-defined function

assembly to the GAC on each Excel Calculation Services application server in your

farm.

b. Select Local file if you want to save a user-defined function to a directory on an


Excel Calculation Services application server (a local path), or to a network share (a

UNC path).

c. Ensure that the Enable Assembly check box is selected, and then click OK.

For information about how to perform this procedure using the Stsadm command-line

tool, see Add-ecsuserdefinedfunction (http://technet.microsoft.com/en-

us/library/cc262904.aspx).

Enable user-defined functions for workbooks in a trusted file location

Use the following procedure to enable user-defined functions for workbooks in a trusted file

location.

Enable user-defined functions for workbooks in a trusted file location

1. In the Excel Services section of the Shared Services Administration home page, click

Trusted file locations.

2. On the Excel Services Trusted File Locations page, click the URL of the trusted file

location whose properties you want to edit.

3. In the User-Defined Functions section of the Excel Services Edit Trusted File Location

page, select User-defined functions allowed, and then click OK.

For information about how to perform this procedure using the Stsadm command-line

tool, see Add-ecsuserdefinedfunction (http://technet.microsoft.com/en-

us/library/cc262904.aspx).
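The four Excel Services trust lists configured in the preceding sections (Add a trusted file location, Add a trusted data provider, Add a trusted data connection library and Enable user-defined functions) can each be set with the Stsadm operations those sections link to. The PowerShell below is an added example, not code from the TechNet book, that scripts all four in one place so the trust boundary is reproducible and can be reviewed in source control. It deliberately picks the narrower choices from the text: a single library rather than a site tree, external data allowed only through trusted data connection libraries, and user-defined functions left off at the file location. The parameter names and values are those documented for these operations as I recall them; check them against the Add-ecsfiletrustedlocation, Add-ecssafedataprovider, Add-ecstrusteddataconnectionlibrary and Add-ecsuserdefinedfunction references linked above before use. The SSP name, URLs, provider ID and assembly name are placeholders.

```powershell
# Added example (not from the TechNet book): script the four Excel Services trust
# lists with Stsadm instead of clicking through Central Administration.
# ASSUMPTION: parameter names/values are as documented for the Add-ecs* operations
# as I recall them; verify against the references linked in the sections above.
# SSP name, URLs, provider ID and assembly name below are placeholders.

$stsadm = Join-Path ${env:CommonProgramFiles} 'Microsoft Shared\web server extensions\12\BIN\stsadm.exe'
$ssp    = 'SharedServices1'   # placeholder: the SSP shown as SharedServices1 (Default) in the procedures

function Invoke-Stsadm {
    param([string[]] $Arguments)
    & $stsadm @Arguments
    if ($LASTEXITCODE -ne 0) { throw "stsadm $($Arguments[1]) failed with exit code $LASTEXITCODE" }
}

# 1. Trusted file location: one library, no child sites, external data only through
#    trusted .odc files ("Trusted data connection libraries only"), UDFs not allowed.
Invoke-Stsadm @('-o', 'add-ecsfiletrustedlocation',
    '-ssp', $ssp,
    '-location', 'http://intranet.contoso.com/finance/Reports',   # placeholder
    '-locationtype', 'SharePoint',
    '-includechildren', 'false',
    '-allowexternaldata', 'Dcl',    # None | Dcl | DclandEmbedded
    '-allowudf', 'false')

# 2. Trusted data connection library that holds the centrally managed .odc files.
Invoke-Stsadm @('-o', 'add-ecstrusteddataconnectionlibrary',
    '-ssp', $ssp,
    '-location', 'http://intranet.contoso.com/finance/DataConnections')   # placeholder

# 3. Trusted data provider: only the provider the .odc files actually use.
Invoke-Stsadm @('-o', 'add-ecssafedataprovider',
    '-ssp', $ssp,
    '-providerid', 'SQLOLEDB',      # placeholder provider ID
    '-providertype', 'OleDb')       # OleDb | Odbc | OdbcDsn

# 4. UDF assembly registered by strong name from the GAC, where it must be installed on
#    every Excel Calculation Services server; it only takes effect for a trusted file
#    location on which "User-defined functions allowed" has been selected.
Invoke-Stsadm @('-o', 'add-ecsuserdefinedfunction',
    '-ssp', $ssp,
    '-assembly', 'Contoso.ExcelUdf, Version=1.0.0.0, Culture=neutral, PublicKeyToken=0123456789abcdef',  # placeholder
    '-assemblylocation', 'GAC',
    '-enable', 'true')
```

Each call is checked through $LASTEXITCODE so a failed step stops the script rather than leaving a half-configured trust list. Keeping the file location at Dcl means a workbook author cannot bypass the data connection library by embedding a connection string, which is the choice the text recommends when one team manages connections for many authors.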


D. Configure InfoPath Forms Services


Configure InfoPath Forms Services for Office SharePoint Server

InfoPath Forms Services provides you with the ability to deploy your organization's forms to

Microsoft Office SharePoint Server and enable users to fill out these forms using a Web browser.

There are many ways you can configure InfoPath Forms Services depending on the needs of

your organization. For example, by default, form templates deployed by non-administrators ("user

form templates") can be opened in a browser, but you can disable this feature so that only

administrator-approved templates are browser-enabled.

You should configure InfoPath Forms Services before you begin to deploy form templates in

order to avoid unexpected behavior.

Before you begin to configure InfoPath Forms Services, you should read the planning articles in

Plan Forms Services (http://technet.microsoft.com/en-us/library/cc262498.aspx) to ensure your

configuration choices are aligned with the needs of your organization.

Configure InfoPath Forms Services using Central Administration

To configure InfoPath Forms Services, you will need to navigate to the Configure InfoPath Forms

Services page in the SharePoint Central Administration Web site.

Configure InfoPath Forms Services

1. On the taskbar, click Start, point to Administrative Tools, and then click SharePoint 3.0

Central Administration.

2. In the navigation bar, click the Application Management tab.

3. On the Application Management page, in the InfoPath Forms Services section, click

Configure InfoPath Forms Services.

4. On the Configure InfoPath Forms Services page, in the User Browser-enabled Form

Templates section, you can choose settings that determine how user form templates are

processed by InfoPath Forms Services.

a. Select the Allow users to browser-enable form templates check box to allow

users to deploy browser-enabled form templates.

b. Select the Render form templates that are browser-enabled by users check box

to allow browser-enabled form templates deployed by users to be rendered in a Web

browser. If this option is not selected, users can still deploy browser-compatible form

templates, but these form templates are not accessible through a Web browser.

5. In the Data Connection Timeouts section, specify default and maximum timeouts for

data connections from a browser-enabled form. The connection timeout can be changed

by code in the form template, but it will never exceed the maximum timeout specified.


a. In the Default data connection timeout box, enter the time in milliseconds that will

elapse before a data connection times out. The default timeout is 10000 milliseconds.

You can override this setting with code within a form template that specifies the data

connection timeout value.

b. In the Maximum data connection timeout box, enter the maximum time in

milliseconds that will elapse before a data connection times out. The default timeout

is 20000 milliseconds. This is an absolute setting, and it overrides any data

connection timeout values specified within form template code.

6. In the Data Connection Response Size section, type a value in kilobytes in the box to

specify the maximum size of responses data connections are allowed to process. Data

connection responses that exceed this value will generate an error message.

7. In the HTTP data connections section, select the Require SSL for HTTP

authentication to data sources box to require an SSL-encrypted connection for data

connections that use Basic authentication or Digest authentication. You must have

configured Secure Sockets Layer (SSL) properly in order for this setting to function.

8. In the Embedded SQL Authentication section, select the Allow embedded SQL

authentication box to allow forms to use embedded SQL credentials. Forms that

connect to databases may embed SQL user name and password data in the connection

string. The connection string can be read in plaintext in the universal data connection file

associated with the solution, or in the solution manifest.

9. In the Authentication to data sources (user form templates) section, select the Allow

user form templates to use authentication information contained in data

connection files box to allow user form templates to use embedded authentication

information such as an explicit user name and password or a Microsoft Single Sign-On

application ID.

10. In the Cross-Domain Access for User Form Templates section, select the Allow

cross-domain data access for user form templates that use connection settings in

a data connection file box to allow user form templates to access data from another

domain.

11. In the Thresholds section, specify the thresholds at which to end user sessions and log

error messages. Form operations that exceed these thresholds will terminate the user

session, resulting in the loss of all form data entered during the session, and generate an

error message.

a. In the Number of postbacks per form session state box, type the maximum

number of postbacks you want to allow. The default value is 75.

b. In the Number of actions per postback box, type the maximum number of actions

per postback you want to allow. The default value is 200.

12. Before you configure form session state, you should read Configure session state for

InfoPath Forms Services. Correct configuration of form session state requires that you

understand how session state is configured for Office SharePoint Server, and it can

dramatically affect the behavior of InfoPath Forms Services operations and system


performance.

Form session state stores data necessary to maintain a user session. File attachment

data in the form will receive an additional 50 percent of session state space.

Note:

The default parameters should work for most scenarios. If you change the default

settings, verify that form-filling sessions are working properly.

13. In the Form Session State section, configure the following parameters:

a. In the Active sessions should be terminated after text box, type the maximum

session duration in minutes. Form-filling sessions that exceed this value will

terminate, an error message will be generated, and all form data entered during the

session will be lost. The default value is 1440 minutes.

b. In the Maximum size of form session state text box, type the maximum session

state size in kilobytes. Form-filling sessions that exceed this value will terminate, an

error message will be generated, and all form data entered during the session will be

lost. The default value is 4096 kilobytes.

c. In the Select the location to use for storing form session state section, choose

from the following options:

Choose this option                                     To do this

Session State Service (best for low-bandwidth users)   Store session state data on the computer running
                                                       Microsoft SQL Server.

Form view (reduces database load on server)            Store session state data on the client computer. If form
                                                       session state is larger than the value specified in the
                                                       associated text box, the Session State Service will be
                                                       used instead.

d. In the associated text box, type the session state size in kilobytes at which form view

will be automatically transitioned to the Session State Service. Once this threshold is

reached, session state data will be saved to the SQL Server database, and the

session will continue to use the Session State Service. The default value is 40

kilobytes.

14. Click OK to save your settings.
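Steps 7 through 9 above turn on the server-side guards for three properties of a data connection file: an explicit user name and password stored in it, SQL credentials in its connection string, and a credentialed HTTP endpoint that is not protected by SSL. Before enabling user form templates to use authentication information from data connection files, it helps to know whether any files in your data connection libraries have these properties. The PowerShell below is an added example, not part of the TechNet book: a check that scans a universal data connection (.udcx) file for them and reports what it finds. The element names follow the UDC V2 schema as I recall it and are matched by local name only, so a namespace or prefix difference does not hide a finding; the sample file embedded at the end is constructed for this example and points at nonexistent hosts.

```powershell
# Added example (not from the TechNet book): audit a .udcx file for the three
# risks that the Require SSL, Embedded SQL Authentication and Authentication to
# data sources settings guard against. ASSUMPTION: element names per the UDC V2
# schema as recalled (Password, ConnectionString, ServiceUrl, WsdlUrl); they are
# matched by local name only. The sample file below is constructed.

function Test-UdcFile {
    param([Parameter(Mandatory = $true)] [string] $Path)

    $findings = @()
    [xml] $doc = Get-Content -Path $Path

    # Explicit password stored in the file (readable by anyone who can open the library).
    foreach ($pw in $doc.SelectNodes("//*[local-name()='Password']")) {
        if ($pw.InnerText.Trim() -ne '') { $findings += 'explicit password stored in file' }
    }

    # Connection strings that carry SQL credentials (the embedded SQL authentication case).
    foreach ($cs in $doc.SelectNodes("//*[local-name()='ConnectionString']")) {
        if ($cs.InnerText -match '(?i)\b(password|pwd)\s*=') { $findings += 'SQL credentials in connection string' }
    }

    # Endpoints reached over plain HTTP while the file also carries credentials:
    # with Require SSL enabled the server refuses these; without it they send credentials in the clear.
    $hasCreds = $findings.Count -gt 0
    foreach ($url in $doc.SelectNodes("//*[local-name()='ServiceUrl' or local-name()='WsdlUrl']")) {
        if ($hasCreds -and $url.InnerText -match '^\s*http://') {
            $findings += "credentialed connection over plain HTTP: $($url.InnerText.Trim())"
        }
    }

    New-Object PSObject -Property @{ File = $Path; Findings = $findings }
}

# Constructed sample .udcx (not a real connection); element layout per UDC V2 as recalled.
$sample = @'
<?xml version="1.0" encoding="UTF-8"?>
<udc:DataSource MajorVersion="2" MinorVersion="0" xmlns:udc="http://schemas.microsoft.com/office/infopath/2006/udc">
  <udc:Name>Sample lookup</udc:Name>
  <udc:Type MajorVersion="2" MinorVersion="0" Type="WebService"><udc:SubType MajorVersion="0" MinorVersion="0" Type=""/></udc:Type>
  <udc:ConnectionInfo Purpose="ReadOnly">
    <udc:WsdlUrl>http://data.contoso.example/Lookup.asmx?WSDL</udc:WsdlUrl>
    <udc:SelectCommand><udc:ServiceUrl>http://data.contoso.example/Lookup.asmx</udc:ServiceUrl></udc:SelectCommand>
    <udc:Authentication>
      <udc:UseExplicit CredentialType="Basic"><udc:UserId>svc_lookup</udc:UserId><udc:Password>P@ss</udc:Password></udc:UseExplicit>
    </udc:Authentication>
  </udc:ConnectionInfo>
</udc:DataSource>
'@
$tmp = Join-Path $env:TEMP 'sample.udcx'
Set-Content -Path $tmp -Value $sample -Encoding UTF8
Test-UdcFile -Path $tmp | Select-Object -ExpandProperty Findings
# Reports the stored password and both plain-HTTP endpoints for the sample file.

# Real use: point it at the data connection library's contents, for example a local copy:
# Get-ChildItem 'C:\DCL-export\*.udcx' | ForEach-Object { Test-UdcFile -Path $_.FullName }
```

A file that produces no findings is one that relies on Integrated Windows authentication or a Single Sign-On application ID rather than credentials written into the file, which is the state the Allow embedded SQL authentication and Authentication to data sources check boxes let you enforce by leaving them cleared.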

See Also

Configure session state for InfoPath Forms Services


Configure session state for InfoPath Forms Services

In this section:

Configure session state for Forms Services

Session state vs. Form view

InfoPath Forms Services uses session state to store the large amount of transient data generated

while filling out a form. As a result, front-end Web servers can remain stateless between round

trips, and each postback is not burdened with carrying large amounts of session state information

over narrow bandwidth pipes. Other methods of state management, such as in process, are not

supported for farms with multiple front-end Web servers. Session state can only be used with

Web applications that are associated with a Shared Services Provider (SSP). For more

information about SSPs, see Plan Shared Services Providers (http://technet.microsoft.com/en-

us/library/cc263276.aspx).

Note:

In order for the session state database to be properly maintained, the SQL Agent must be

turned on for the instance of Microsoft SQL Server where session data is stored. If the

SQL Agent is not turned on, expired sessions are not automatically expunged from the

session table and may eventually pose a storage problem.

Note:

If you are deploying Microsoft Office SharePoint Server 2007 with Microsoft SQL Server

2005 Express Edition, such as in a single-server deployment, expired sessions must be

expunged manually. SQL Server 2005 Express Edition does not include the SQL Agent,

and it cannot run automated stored procedures.
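Where the SQL Agent is absent, as the note above describes for SQL Server 2005 Express Edition, the cleanup it would schedule has to be driven by something else. The PowerShell below is an added example, not part of the TechNet book, that runs the expiry cleanup against the session state database and returns how many sessions were due, so it can be scheduled with Task Scheduler and its output logged. It assumes the session state database uses the standard ASP.NET SQL session-state schema (a dbo.ASPStateTempSessions table with an Expires column and a dbo.DeleteExpiredSessions stored procedure); verify that against your database before relying on it. The instance and database names are placeholders.

```powershell
# Added example (not from the TechNet book): expunge expired form sessions on a
# schedule when the SQL Agent is unavailable (SQL Server 2005 Express Edition).
# ASSUMPTIONS: the session state database uses the standard ASP.NET SQL session
# schema (dbo.ASPStateTempSessions with an Expires column, dbo.DeleteExpiredSessions
# procedure); instance and database names are placeholders. Run from Task
# Scheduler under an account with EXECUTE rights on the procedure.

function Remove-ExpiredFormSessions {
    param(
        [string] $SqlInstance = '.\OFFICESERVERS',          # placeholder instance name
        [Parameter(Mandatory = $true)] [string] $Database   # the farm's session state database
    )

    $connectionString = "Server=$SqlInstance;Database=$Database;Integrated Security=SSPI"
    $conn = New-Object System.Data.SqlClient.SqlConnection($connectionString)
    $conn.Open()
    try {
        # Count what is due first so each run can be logged and sanity-checked.
        $count = $conn.CreateCommand()
        $count.CommandText = 'SELECT COUNT(*) FROM dbo.ASPStateTempSessions WHERE Expires < GETUTCDATE()'
        $expired = [int] $count.ExecuteScalar()

        # The same procedure the SQL Agent job would call; it deletes rows whose Expires has passed.
        $cmd = $conn.CreateCommand()
        $cmd.CommandText = 'dbo.DeleteExpiredSessions'
        $cmd.CommandType = [System.Data.CommandType]::StoredProcedure
        $cmd.CommandTimeout = 300
        [void] $cmd.ExecuteNonQuery()
    }
    finally {
        $conn.Close()
    }

    New-Object PSObject -Property @{
        Database               = $Database
        ExpiredSessionsRemoved = $expired
        RunAt                  = Get-Date
    }
}

# Usage (database name is a placeholder; take it from the farm's session state configuration):
Remove-ExpiredFormSessions -Database 'SharedServices1_Session' | Format-List
```

Scheduling this at the same interval the Agent job would use (the ASP.NET job runs every minute, but hourly is ample for form sessions that expire in minutes to hours) keeps the session table from growing unbounded, which is the storage problem the note warns about.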

Configure session state for Forms Services

You can configure session state settings such as state type and session thresholds for InfoPath

Forms Services across the entire farm. If any of the thresholds are exceeded, the user's session

is terminated, resulting in the loss of all form data, and an error is entered in the event log for the

server. The error message shown to the user is "session has exceeded the amount of allowable

resources."

To configure form session state, see step 12 in Configure InfoPath Forms Services for Office

SharePoint Server.

Session state versus Form view

You can configure InfoPath Forms Services to use the Session State service (the default option)

or Form view (ASP.NET view state) to control how user sessions are managed. When you


configure InfoPath Forms Services to use the Session State service, all browser sessions are

maintained on the SQL Server database, which uses little network bandwidth, but has a

cumulative performance impact on the computer running SQL Server. When you are using Form

view, sessions are maintained on the client browser, and all session data is included in each

postback to the server, up to 40 KB of session data. This approach uses more bandwidth than

using session state does, but it does not affect the performance of the computer running SQL

Server. Once session data reaches 40 KB in size, the session automatically transitions to

session-state management.

We recommend the use of Form view in environments with smaller groups of users, because it

reduces the impact on the computer running SQL Server. If your InfoPath Forms Services

deployment will have many users, particularly if session data is below 40 KB for many high-usage

form templates, session state is likely a better choice. If Form view is used, the bandwidth used

by browser sessions of 40 KB or fewer can be monitored if there is a concern that network

performance might be adversely affected.

See Also

Manage session state for Microsoft Office SharePoint Server 2007

(http://technet.microsoft.com/en-us/library/cc263527.aspx)

Configure InfoPath Forms Services for Office SharePoint Server


E. Configure Office Project Server


Deploy Project Server 2007 with Office SharePoint Server 2007

Microsoft Office Project Server 2007 is the core of Microsoft Office Enterprise Project

Management (EPM) Solutions. The EPM Solution allows you to effectively manage and prioritize

projects and resources across your

organization. With it your teams can share knowledge, collaborate smoothly to complete tasks

and deliverables, and adjust activities quickly to accommodate project changes and updates. And

you can accurately assess your needs and effectively deploy resources across the organization.

For more information about Office Project Server 2007 and EPM Solutions, see What's new in

Office Project 2007 (http://technet.microsoft.com/en-us/library/cc197654.aspx).

Note:

Additional information can be found in the Microsoft Office Enterprise Project

Management Solution and Microsoft Office Project Server 2007 Product Guide

(http://www.microsoft.com/office/preview/solutions/epm/guide.mspx).

You can easily install and configure Office Project Server 2007 on an existing Office SharePoint

Server 2007 farm. For detailed information and procedures, see Deploy Project Server 2007 to an

existing deployment of Office SharePoint Server 2007 (http://technet.microsoft.com/en-

us/library/cc197558.aspx).


IV. Perform additional configuration tasks


Chapter overview: Additional configuration tasks

After the initial installation and configuration of Microsoft Office SharePoint Server 2007, you can

configure several additional settings. The configuration of additional settings is optional, but many

key features are not available unless these settings are configured.

Configure additional administrative settings

To take full advantage of the administrative features and capabilities of Microsoft Office

SharePoint Server 2007, perform the following optional administrative tasks by using SharePoint

Central Administration:

Configure incoming e-mail settings You can configure incoming e-mail settings so that

SharePoint sites accept and archive incoming e-mail. You can also configure incoming e-mail

settings so that SharePoint sites can archive e-mail discussions as they happen, save e-

mailed documents, and show e-mailed meetings on site calendars. In addition, you can

configure the SharePoint Directory Management Service to provide support for e-mail

distribution list creation and management. For more information, see Configure incoming e-

mail settings.

Configure outgoing e-mail settings You can configure outgoing e-mail settings so that

your Simple Mail Transfer Protocol (SMTP) server sends e-mail alerts to site users and

notifications to site administrators. You can configure both the "From" e-mail address and the

"Reply" e-mail address that appear in outgoing alerts. You can also configure outgoing e-mail

settings for all Web applications or for only one Web application. For more information, see

Configure outgoing e-mail settings and Configure outgoing e-mail settings for a specific Web

application.

Configure workflow settings You can configure workflow settings to enable end users to

create their own workflows by using code pre-generated by administrators. You can also

configure whether internal users without site access can receive workflow alerts, and whether

external users can participate in workflows by receiving copies of documents by e-mail. For

more information, see Configure workflow settings.

Configure diagnostic logging settings You can configure several diagnostic logging

settings to help with troubleshooting. These include enabling and configuring trace logs,

event messages, user-mode error messages, and Customer Experience Improvement

Program events. For more information, see Configure diagnostic logging settings.

Configure single sign-on You can configure single sign-on settings in the farm. Single

sign-on enables you to connect to external data sources by using Excel Calculation Services

or the Business Data Catalog. For more information, see Configure single sign-on.

Configure antivirus settings You can configure several antivirus settings if you have an

antivirus program that is designed for Office SharePoint Server 2007. Antivirus settings allow


you to control whether documents are scanned on upload or on download, and whether users

can download infected documents. You can also specify how long you want the antivirus

program to run before it times out, and you can specify how many execution threads the

antivirus program can use on the server. For more information, see Configure antivirus

settings.

You can use the following procedure to configure optional administrative settings using

SharePoint Central Administration.

Configure administrative settings using SharePoint Central Administration

1. Click Start, point to All Programs, point to Administrative Tools, and then click

SharePoint 3.0 Central Administration.

2. On the SharePoint Central Administration home page, under Administrative Tasks,

click the administrative task that you want to perform.

3. On the Administrative Tasks page, next to Action, click the task.


Configure incoming e-mail settings

In this section:

Install and configure the SMTP service

Configure Active Directory

Configure permissions to the e-mail drop folder

Configure DNS Manager

Configure attachments from Outlook 2003

Configure incoming e-mail settings

Configure incoming e-mail on SharePoint sites

Use this procedure to configure the incoming e-mail settings for Microsoft Office SharePoint

Server 2007.

The features of Office SharePoint Server 2007 that use incoming e-mail are not available until

these settings are configured.

Before you configure incoming e-mail settings in Office SharePoint Server 2007, confirm that:

You have read the topic Plan incoming e-mail (http://technet.microsoft.com/en-

us/library/cc263260.aspx).

One or more servers in your server farm are running the Internet Information Services (IIS)

Simple Mail Transfer Protocol (SMTP) service, or you know the name of another server that

is running the SMTP service. This server must be configured to accept relayed e-mail from

the mail server for the domain.

One or more servers in your server farm are running the Microsoft SharePoint Directory

Management Service, or you know the name of another server that is running the SharePoint

Directory Management Web Service.

The application pool account for the SharePoint Central Administration Web site has the

Create, delete, and manage user accounts right to the container in the Active Directory

directory service.

The application pool account for Central Administration, the logon account for the Windows

SharePoint Services Timer service, and the application pool accounts for your Web

applications have the correct permissions to the e-mail drop folder.

The domain controller running Active Directory has a Mail Exchanger (MX) entry in DNS

Manager for the mail server that you plan to use for incoming e-mail.

Note:

All of these configuration steps are described in detail in the following sections.


Install and configure the SMTP service

Incoming e-mail for Office SharePoint Server 2007 uses the SMTP service. The SMTP service

can be either installed on one or more servers in the farm, or administrators can provide an e-mail

drop folder for e-mail forwarded from the service on another server. The drop folder option is not

recommended because administrators of the other server can affect the availability of incoming e-

mail by changing the configuration of SMTP, and because this requires the additional step of

configuring permissions to the e-mail drop folder.

If a drop folder is not used, the SMTP service must be installed on each server that is used to

receive and process incoming e-mail. Typically, this includes every front-end Web server in the

farm.

Start the Windows SharePoint Services Web Application service

Each server that is running the SMTP service must also be running the Windows SharePoint

Services Web Application service. These servers are called front-end Web servers. In many

cases, this service will have already been configured.

Important:

Membership in the Farm Administrators group of the Central Administration site is

required to complete this procedure.

Start the Windows SharePoint Services Web Application service

1. On the top navigation bar, click Operations.

2. On the Operations page, in the Topology and Services section, click Services on

server.

3. On the Services on Server page, find Windows SharePoint Services Web Application

in the list of services, and click Start.

Install the SMTP service

The SMTP service is a component of IIS. It must be installed on every front-end Web server in

the farm that you want to configure for incoming e-mail.

Important:

Membership in the Administrators group on the local computer is required to complete

this procedure.

Install the SMTP service

1. In Control Panel, click Add or Remove Programs.

2. In Add or Remove Programs, click Add/Remove Windows Components.

3. In the Windows Components Wizard, in the Components box, click Application Server,

and then click the Details button.


4. In the Application Server dialog box, in the Subcomponents of Application Server

box, click Internet Information Services (IIS), and then click the Details button.

5. In the Internet Information Services (IIS) dialog box, select the SMTP Service check

box.

6. Click OK to return to the Application Server dialog box.

7. Click OK to return to the main page of the Windows Components Wizard.

8. Click Next.

9. When Windows has finished installing the SMTP service, on the Completing the Windows

Components Wizard page, click Finish.

Configure the SMTP service

After installing the SMTP service, you must configure the service to accept relayed e-mail from

the mail server for the domain.

You can decide to accept relayed e-mail from all servers except those you specifically exclude.

Alternatively, you can block e-mail from all servers except those you specifically include. You can

include servers individually, or in groups by subnet or domain.

Important:

Membership in the Administrators group on the local computer is required to complete

this procedure.

Configure the SMTP service

1. Click Start, point to All Programs, point to Administrative Tools, and then click

Internet Information Services (IIS) Manager.

2. In IIS Manager, expand the server name that contains the SMTP server that you want to

configure.

3. Right-click the SMTP virtual server that you want to configure, and then click Properties.

4. On the Access tab, under Access control, click Authentication.

5. In the Authentication dialog box, under Select acceptable authentication methods for

this resource, verify that Anonymous access is selected.

6. Click OK.

7. On the Access tab, under Relay restrictions, click Relay.

8. To enable relaying from any server, under Select which computer may relay through

this virtual server, select All except the list below.

9. To accept relaying from one or more specific servers, follow these steps:

a. Under Select which computer may relay through this virtual server, select Only

the list below.

b. Click Add, and then add servers one at a time by IP address, or in groups by using a

subnet or a domain.


c. Click OK to close the Computer dialog box.

10. Click OK to close the Relay Restrictions dialog box.

11. Click OK to close the Properties dialog box.

Add an SMTP connector in Exchange Server

In some scenarios, mail from Microsoft Exchange Server computers might not be automatically

relayed to the Office SharePoint Server 2007 servers that are running the SMTP service. In these

scenarios, administrators of Exchange mail servers can add an SMTP connector so that all mail

sent to the Office SharePoint Server 2007 domain uses the Office SharePoint Server 2007

servers that are running the SMTP service.

For more information about SMTP connectors, see the Help documentation for Exchange Server.

Configure Active Directory

Incoming e-mail uses the Microsoft SharePoint Directory Management Service to connect

SharePoint sites to the directory services used by your organization. If you enable the Microsoft

SharePoint Directory Management Service, users can create and manage distribution groups

from SharePoint sites. SharePoint lists that use e-mail can then be found in directory services,

such as the Address Book. You must also select which distribution group requests from

SharePoint lists require approval. The Microsoft SharePoint Directory Management Service can

be installed on a server in the farm, or you can use a remote Microsoft SharePoint Directory

Management Service.

To use the Microsoft SharePoint Directory Management Service on a farm or server, you must

configure the Central Administration application pool identity account to have the Create, delete,

and manage user accounts right to the container that you specify in Active Directory. The

preferred way to do this is by delegating the right to the Central Administration application pool

identity account. An Active Directory administrator must set up the organizational unit (OU) and

delegate the Create, delete, and manage user accounts right to the container. The advantage

of using the Microsoft SharePoint Directory Management Service on a remote farm is that you do

not have to delegate rights to the organizational unit for multiple farm service accounts.

If the application pool account for Central Administration is different from the application pool

account for the Web application of the list or site that is enabled for e-mail, you must use the

application pool account for the Web application when completing the following procedures. You

must then delegate additional rights to the Central Administration application pool account.

The following procedures are performed on a domain controller that runs Microsoft Windows

Server 2003 SP1 (with DNS Manager) and Microsoft Exchange Server 2003 SP1. In some

deployments, these applications might run on multiple servers in the same domain.

Important:

Membership in the Domain Administrators group or delegated authority for domain

administration is required to complete this procedure.


Create an organizational unit in Active Directory

1. Click Start, point to Control Panel, point to Administrative Tools, and then click Active

Directory Users and Computers.

2. In Active Directory Users and Computers, right-click the folder for the second-level

domain that contains your server farm, point to New, and then click Organizational Unit.

3. Type the name of the organizational unit, and then click OK.

After creating the organizational unit, we recommend that you delegate the Create, delete, and

manage user accounts right to the container.

Important:

Membership in the Domain Administrators group or the Enterprise Administrators group

in Active Directory, or delegated authority for administration, is required to complete this

procedure.

Delegate right to the application pool account

1. In Active Directory Users and Computers, find the organizational unit that you just

created.

2. Right-click the organizational unit, and then click Delegate control.

3. On the Welcome page of the Delegation of Control Wizard, click Next.

4. On the Users and Groups page, click Add, and then type the name of the application

pool identity account that the Web application uses.

5. In the Select Users, Computers, and Groups dialog box, click OK.

6. On the Users or Groups page of the Delegation of Control Wizard, click Next.

7. On the Tasks to Delegate page of the Delegation of Control Wizard, select the Create,

delete, and manage user accounts check box, and then click Next.

8. On the last page of the Delegation of Control Wizard, click Finish to exit the wizard.

If you must add permissions for the application pool identity account directly, complete the

following procedure.

Important:

Membership in the Account Operators group, Domain Administrators group, or the

Enterprise Administrators group in Active Directory, or delegated authority for

administration, is required to complete this procedure.

Add permissions for the application pool account

1. In Active Directory Users and Computers, click the View menu, and then click Advanced

Features.

2. Right-click the organizational unit that you just created, and then click Properties.

3. In the Properties dialog box, click the Security tab, and then click Advanced.

4. Click Add, and then type the name of the application pool identity account for the Web


application.

5. Click OK.

6. In the Permission Entries section, double-click the application pool identity account.

7. In the Permissions section, under Allow, select the Modify permissions check box.

8. Click OK to close the Permissions dialog box.

9. Click OK to close the Properties dialog box.

10. Click OK to close the Active Directory Users and Computers plug-in.

If you decide instead to use the remote Microsoft SharePoint Directory Management Service, you

must know the URL for the Web service. This URL is typically in the following format:

http://server:adminport/_vti_bin/SharePointEmailWS.asmx.

Configure Active Directory under atypical circumstances

If you are using the Directory Management Service and the Central Administration application

pool uses a different account from the Web application for the list or site on which you want to

enable incoming e-mail, you must delegate additional rights to the Central Administration

application pool account. If you do not delegate these rights, then you cannot enable incoming e-

mail for the list or site.

Note:

Before you delegate the following rights to the Central Administration application pool

account for the organizational unit, you must delegate rights to the application pool

account for the Web application. The procedures for delegating those rights are

explained in the previous section.

Administrators must delegate full control of the organizational unit to the Central Administration

application pool account. After this delegation is complete, administrators can enable incoming e-

mail.

To delegate full control of the organizational unit to the Central Administration application pool account

Important:

Membership in the Domain Administrators group or the Enterprise Administrators group

in Active Directory, or delegated authority for administration, is required to complete this

procedure.

Delegate full control of the organizational unit to the Central Administration application pool account

1. Right-click the organizational unit, and then click Delegate control.

2. In the Delegation of Control wizard, click Next.

3. Click Add, and then type the name of the application pool account for Central


Administration.

4. Click OK.

5. Click Next.

6. On the Tasks to Delegate page of the Delegation of Control wizard, select Create a

custom task to delegate, and then click Next.

7. Select This folder, existing objects in this folder, and creation of new objects in this

folder, and then click Next.

8. In the Permissions section, select Create all Child Objects and Delete all Child

Objects.

9. Click Next.

10. On the last page of the Delegation of Control wizard, click Finish to exit the wizard.

Delegating full control of the organizational unit to the Central Administration application pool

account enables administrators to enable e-mail for a list. Administrators cannot disable e-

mail for the list or document library after delegating full control because the Central

Administration account tries to delete the contact from the entire organizational unit rather

than deleting the contact from the list.

To add the Delete Subtree permission for the Central Administration application pool account

To enable administrators to disable incoming e-mail on a list, you must add the Delete Subtree

permission for the Central Administration application pool account.

Important:

Membership in the Account Operators group, Domain Administrators group, or the

Enterprise Administrators group in Active Directory, or delegated authority for

administration, is required to complete this procedure.

Add the Delete Subtree permission for the Central Administration application pool account

1. In Active Directory Users and Computers, click the View menu, and then click Advanced

Features.

2. Right-click the organizational unit and then click Properties.

3. In the Properties dialog box, click the Security tab, and then click Advanced.

4. In the Permission Entries section, double-click the Central Administration application

pool account.

5. In the Permissions section, under Allow, select Delete Subtree.

6. Click OK to close the Permissions dialog box.

7. Click OK to close the Properties dialog box.

8. Click OK to close the Active Directory Users and Computers plug-in.


After adding the permission, you must restart Internet Information Services (IIS) for the farm.

For more information about Active Directory, see the Help documentation for Active Directory.
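The delegation steps above are easy to get partly wrong, so an audit of what the organizational unit actually grants is useful. The following PowerShell is an added example, not part of this guide: it reads the OU's security descriptor over ADSI and reports whether each right the section asks for (Create/Delete child user objects for the Web application account; Create all Child Objects, Delete all Child Objects and Delete Subtree for the Central Administration account in the atypical case) is present. The OU name and the two account names are placeholders.

```powershell
# Added example, not part of the Microsoft guide: report whether the rights that the
# "Configure Active Directory" section asks for are present on the SharePoint OU.
# Placeholders to replace: the OU distinguished name and the two service account names.
# Run from a domain-joined machine as a user allowed to read the OU security descriptor.
$ouDn          = "OU=SharePointContacts,DC=contoso,DC=com"   # placeholder OU
$webAppAccount = "CONTOSO\svc-wssweb"     # placeholder: Web application pool account
$caAccount     = "CONTOSO\svc-wssadmin"   # placeholder: Central Administration pool account

# Schema GUID of the 'user' class. The wizard task "Create, delete, and manage user
# accounts" grants CreateChild and DeleteChild scoped to this class.
$userClassGuid = [Guid]"bf967aba-0de6-11d0-a285-00aa003049e2"

$ou    = [ADSI]("LDAP://" + $ouDn)
$rules = $ou.psbase.ObjectSecurity.GetAccessRules($true, $true, [System.Security.Principal.NTAccount])

# True if $account is granted every bit of $right by Allow ACEs that apply to all object
# types (empty ObjectType) or to $objectType. Deny ACEs are not evaluated here.
function Test-OuRight([string]$account,
                      [System.DirectoryServices.ActiveDirectoryRights]$right,
                      [Guid]$objectType) {
    $held = 0
    foreach ($r in $rules) {
        if ($r.AccessControlType -ne 'Allow') { continue }
        if ($r.IdentityReference.Value -ine $account) { continue }
        if ($r.ObjectType -ne [Guid]::Empty -and $r.ObjectType -ne $objectType) { continue }
        $held = $held -bor [int]$r.ActiveDirectoryRights
    }
    return (($held -band [int]$right) -eq [int]$right)
}

# One row per requirement from the section: which account, which right, and why.
function Get-DelegationReport {
    $checks = @(
        @{ Account = $webAppAccount; Right = 'CreateChild'; Type = $userClassGuid;
           Purpose = 'Web application account: create user-class objects in the OU' },
        @{ Account = $webAppAccount; Right = 'DeleteChild'; Type = $userClassGuid;
           Purpose = 'Web application account: delete user-class objects in the OU' },
        @{ Account = $caAccount;     Right = 'CreateChild'; Type = [Guid]::Empty;
           Purpose = 'Central Administration account: Create all Child Objects (atypical case)' },
        @{ Account = $caAccount;     Right = 'DeleteChild'; Type = [Guid]::Empty;
           Purpose = 'Central Administration account: Delete all Child Objects (atypical case)' },
        @{ Account = $caAccount;     Right = 'DeleteTree';  Type = [Guid]::Empty;
           Purpose = 'Central Administration account: Delete Subtree, needed to disable incoming e-mail' }
    )
    foreach ($c in $checks) {
        New-Object PSObject -Property @{
            Account = $c.Account
            Right   = $c.Right
            Present = Test-OuRight $c.Account $c.Right $c.Type
            Purpose = $c.Purpose
        }
    }
}

Get-DelegationReport | Format-Table Account, Right, Present, Purpose -AutoSize

# Least-privilege check: an Allow ACE for either account that grants GenericAll on every
# object in the OU exceeds what the section asks for and is worth reviewing.
$all = [int][System.DirectoryServices.ActiveDirectoryRights]::GenericAll
$rules | Where-Object {
    $_.AccessControlType -eq 'Allow' -and
    ($webAppAccount, $caAccount) -icontains $_.IdentityReference.Value -and
    $_.ObjectType -eq [Guid]::Empty -and $_.InheritedObjectType -eq [Guid]::Empty -and
    (([int]$_.ActiveDirectoryRights -band $all) -eq $all)
} | ForEach-Object { "Review: $($_.IdentityReference) has GenericAll on $ouDn" }
```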

Configure permissions to the e-mail drop folder

When incoming e-mail settings are set to advanced mode, you must ensure that certain accounts

have the correct permissions to the e-mail drop folder.

Configure e-mail drop folder permissions for the logon account for the Windows SharePoint Services Timer service

Ensure that the logon account for the Windows SharePoint Services Timer service has the Modify

permission on the e-mail drop folder. If the logon account for the service does not have the

Modify permission, e-mail enabled document libraries will receive duplicate e-mail messages.

Important:

Membership in the Administrators group on the local computer that contains the e-mail

drop folder is required to complete this procedure.

Configure e-mail drop folder permissions

1. In Windows Explorer, right-click the drop folder, click Properties, and then click the

Security tab.

2. On the Security tab, under the Group or user names box, click the Add button.

3. In the Select Users, Computers, or Groups dialog box, in the Enter objects to select

box, type the name of the logon account for the Windows SharePoint Services Timer

service, and then click OK.

Note:

This account is listed on the Log On tab of the Properties dialog box for the

service in the Services console.

4. In the Permissions for User or Group box, next to Modify, select the Allow check box.

5. Click OK.

Configure e-mail drop folder permissions for the application pool account for a Web application

If your deployment uses different application pool accounts for Central Administration and one or

more Web applications for front-end Web servers, each application account must have

permissions to the e-mail drop folder. If the application pool account for the Web application does

not have the required permissions, e-mail will not be delivered to document libraries on that Web

application.

In most cases, when you configure incoming e-mail settings and select an e-mail drop folder,

permissions are added for two worker process groups:


WSS_Admin_WPG, which includes the application pool account for Central Administration

and the logon account for the Windows SharePoint Services Timer service, has Full Control

permission.

WSS_WPG, which includes the application pool accounts for Web applications, has Read &

Execute, List Folder Contents, and Read permissions.

In some cases, these groups might not be configured automatically for the e-mail drop folder. For

example, if Central Administration is running as the Network Service account, the groups or

accounts needed for incoming e-mail will not be added when the e-mail drop folder is created. It

is a good idea to check whether these groups have been added automatically to the e-mail drop

folder. If the groups have not been added automatically, you can add them or add the specific

accounts that are required.

Important:

Membership in the Administrators group on the local computer that contains the e-mail

drop folder is required to complete this procedure.

Configure e-mail drop folder permissions

1. In Windows Explorer, right-click the drop folder, click Properties, and then click the

Security tab.

2. On the Security tab, under the Group or user names box, click the Add button.

3. In the Select Users, Computers, or Groups dialog box, in the Enter objects to select

box, type the name of the worker process group or application pool account for the Web

application, and then click OK.

Note:

This account is listed on the Identity tab of the Properties dialog box for the

application pool in IIS.

4. In the Permissions for User or Group box, next to Modify, select the Allow check box.

5. Click OK.
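Because the two procedures above depend on the groups having been added automatically, a quick ACL comparison saves a round of troubleshooting duplicate or missing messages. The following PowerShell is an added example, not part of this guide: it reads the drop folder ACL, checks the three principals the section names against the permissions it specifies, and lists any other principal that holds write access so it can be reviewed. The folder path and the Timer service account are placeholders; only direct ACEs are evaluated, so rights held through membership in WSS_Admin_WPG are not resolved.

```powershell
# Added example, not part of the Microsoft guide: compare the e-mail drop folder ACL with
# the permissions described above (WSS_Admin_WPG Full Control, WSS_WPG Read & Execute,
# Timer service logon account Modify) and list any other principal with write access.
# Placeholders to replace: the folder path and the Timer service account. Direct ACEs only;
# rights a principal holds through group membership (e.g. WSS_Admin_WPG) are not resolved.
$dropFolder   = "C:\Inetpub\mailroot\Drop"   # placeholder: your e-mail drop folder
$timerAccount = "CONTOSO\svc-wsstimer"       # placeholder: Timer service logon account
$machine      = $env:COMPUTERNAME            # WSS_* are local groups created by setup

$expected = @(
    @{ Identity = "$machine\WSS_Admin_WPG"
       Rights   = [System.Security.AccessControl.FileSystemRights]::FullControl
       Why      = 'Central Administration pool account and Timer service account' },
    @{ Identity = "$machine\WSS_WPG"
       Rights   = [System.Security.AccessControl.FileSystemRights]::ReadAndExecute
       Why      = 'Web application pool accounts read queued messages' },
    @{ Identity = $timerAccount
       Rights   = [System.Security.AccessControl.FileSystemRights]::Modify
       Why      = 'without Modify, e-mail enabled libraries receive duplicate messages' }
)

# Bitwise union of the Allow ACEs held directly by $identity on $acl.
function Get-GrantedBits($acl, [string]$identity) {
    $bits = 0
    foreach ($ace in $acl.Access) {
        if ($ace.AccessControlType -eq 'Allow' -and $ace.IdentityReference.Value -ieq $identity) {
            $bits = $bits -bor [int]$ace.FileSystemRights
        }
    }
    return $bits
}

function Get-DropFolderReport([string]$path) {
    $acl = Get-Acl -Path $path
    foreach ($e in $expected) {
        $granted = Get-GrantedBits $acl $e.Identity
        New-Object PSObject -Property @{
            Identity = $e.Identity
            Expected = $e.Rights
            Present  = (($granted -band [int]$e.Rights) -eq [int]$e.Rights)
            Why      = $e.Why
        }
    }
    # Anyone else with a Write bit set is worth a look: the Timer service processes
    # whatever lands in this folder as incoming e-mail.
    $writeBits   = [int][System.Security.AccessControl.FileSystemRights]::Write
    $expectedIds = $expected | ForEach-Object { $_.Identity }
    foreach ($ace in $acl.Access) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        if ($expectedIds -icontains $ace.IdentityReference.Value) { continue }
        if (([int]$ace.FileSystemRights -band $writeBits) -ne 0) {
            New-Object PSObject -Property @{
                Identity = $ace.IdentityReference.Value
                Expected = 'review'
                Present  = $ace.FileSystemRights
                Why      = 'not in the documented list but holds write access'
            }
        }
    }
}

Get-DropFolderReport $dropFolder | Format-Table Identity, Expected, Present, Why -AutoSize
```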

Configure DNS Manager

Incoming mail requires a Mail Exchanger (MX) resource record to be added in DNS Manager for

the host or subdomain running Office SharePoint Server 2007. This is distinct from any existing

MX records in the domain.

Important:

Membership in the Administrators group on the local computer is required to complete

this procedure.

Add a Mail Exchanger (MX) resource record for the subdomain

1. In DNS Manager, select the forward lookup zone for the domain that contains the


subdomain for Office SharePoint Server 2007.

2. Right-click the zone, and then click New Mail Exchanger.

3. In the Host or domain text box, type the host or subdomain name for Office SharePoint

Server 2007.

4. In the Fully qualified domain name (FQDN) of mail server text box, type the fully

qualified domain name for the server that is running Office SharePoint Server 2007. This

is typically in the format subdomain.domain.com.

5. Click OK.

Configure attachments from Outlook 2003

Attachments to messages sent from Microsoft Outlook 2003 must be encoded in UUEncode or

Binhex format to appear separately in e-mail enabled document libraries. Attachments from

Outlook 2003 that use different encoding will not be listed, but e-mail messages that contain

attachments will be listed.

Configure incoming e-mail settings

Before you can enable incoming e-mail on the server that is running Office SharePoint Server

2007, you must have configured the SMTP service on front-end Web servers in the farm and the

Active Directory and DNS Manager on the domain controller, or you must know the name of other

servers that are running these services.

This procedure configures the settings that are used for incoming e-mail. You can also configure

options for safe e-mail servers and the incoming e-mail display address.

Important:

Membership in the Administrators group of the Central Administration site is required to

complete this procedure.

Configure incoming e-mail settings

1. On the top navigation bar, click Operations.

2. On the Operations page, in the Topology and Services section, click Incoming e-mail

settings.

3. If you want to enable sites on this server to receive e-mail, on the Incoming E-mail

Settings page, in the Enable Incoming E-Mail section, click Yes.

4. Select either the Automatic or the Advanced settings mode.

If you select Advanced, you can specify a drop folder instead of using an SMTP server.

5. If you want to connect to the Microsoft SharePoint Directory Management Service, in the

Directory Management Service section, click Yes.

a. In the Active Directory container where new distribution groups and contacts

will be created box, type the name of the container in the format


OU=ContainerName, DC=domain, DC=com, where ContainerName is the name of

the organizational unit in Active Directory, domain is the second-level domain, and

com is the top-level domain.

Note:

The Central Administration application pool account must be delegated the

Create, delete, and manage user accounts task for the container. Access

is configured in the properties for the organizational unit in Active Directory.

b. In the SMTP mail server for incoming mail box, type the name of the SMTP mail

server. The server name must match the fully qualified domain name in the MX entry

for the mail server in DNS Manager.

c. To accept only messages from authenticated users, click Yes for Accept messages

from authenticated users only. Otherwise, click No.

d. To allow creation of distribution groups from SharePoint sites, click Yes for Allow

creation of distribution groups from SharePoint sites. Otherwise, click No.

e. Under Distribution group request approval settings, select the actions that will

require approval. Actions include the following:

Create new distribution group

Change distribution group e-mail address

Change distribution group title and description

Delete distribution group

6. If you want to use a remote SharePoint Directory Management Web Service, select Use

remote.

a. In the Directory Management Service URL box, type the URL of the Microsoft

SharePoint Directory Management Service that you want to use.

b. In the SMTP mail server for incoming mail box, type the name of the SMTP mail

server. The server name must match the fully qualified domain name in the MX entry

for the mail server in DNS Manager on the domain server.

c. To accept messages from authenticated users only, click Yes for Accept messages

from authenticated users only. Otherwise, click No.

d. To allow creation of distribution groups from SharePoint sites, click Yes for Allow

creation of distribution groups from SharePoint sites. Otherwise, click No.

7. If you do not want to use the Microsoft SharePoint Directory Management Service, click

No.

8. In the Incoming E-Mail Server Display Address section, type a display name for the e-

mail server (for example, mail.fabrikam.com) in the E-mail server display address box.

Tip:

You can specify the e-mail server address that is displayed when users create an

incoming e-mail address for a list or group. Use this setting together with the

Microsoft SharePoint Directory Management Service to provide an e-mail server


address that is more user-friendly.

9. In the Safe E-Mail Servers section, select one of the following options:

Accept mail from all e-mail servers

Accept mail from these safe e-mail servers. If you select this option, type the IP

addresses (one per line) of the e-mail servers that you want to specify as safe in the

corresponding box.

10. In the E-mail Drop Folder section, in the E-mail drop folder box, type the name of the

folder in which Microsoft Windows SharePoint Services polls for incoming e-mail from the

SMTP service.

This option is available only if you selected advanced mode.

11. Click OK.

Configure incoming e-mail on SharePoint sites

After configuring incoming e-mail settings, site administrators can configure e-mail enabled lists

and document libraries. For more information about e-mail enabled document libraries, see the

Help documentation for site administrators.

Contact addresses created for these document libraries appear automatically in Active Directory

Users and Computers under the organizational unit for Office SharePoint Server 2007, and must

be managed by the administrator of Active Directory. The Active Directory administrator can add

more e-mail addresses for each contact. For more information about how to manage contacts in

Active Directory, see the Help documentation for Active Directory.

Alternatively, the Exchange Server computer can be configured by adding a new Exchange

Server Global recipient policy to automatically add external addresses that use the second-level

domain name and not the subdomain or host for Office SharePoint Server 2007. For more

information about how to manage Exchange Server, see the Help documentation for Exchange

Server.

See Also

Plan incoming e-mail (http://technet.microsoft.com/en-us/library/cc263260.aspx)

Demo: Configure a SharePoint Server 2007 site to receive e-mail (http://office.microsoft.com/en-

us/sharepointserver/HA102047921033.aspx)

Configure outgoing e-mail settings

In this section:

Install and configure the SMTP service

Configure outgoing e-mail settings

Use this procedure to configure the default outgoing e-mail settings for all Web applications. You can override the default outgoing e-mail settings for specific Web applications by using the procedure that is described in Configure outgoing e-mail settings for a specific Web application.

Install and configure the SMTP service

Before you can enable outgoing e-mail, you must install the Internet Information Services (IIS) Simple Mail Transfer Protocol (SMTP) service. After you determine which SMTP server to use, configure that SMTP server to allow anonymous access and to allow e-mail messages to be relayed. Additionally, the SMTP server must have Internet access if you want the ability to send messages to external e-mail addresses, or it must be able to relay authenticated e-mail to a server that has Internet access. The SMTP server that you use can be a server in the farm, or another server.

Install the SMTP service

The SMTP service is a component of IIS.

Important:

Membership in the Administrators group on the local computer is required to complete this procedure.

Install the SMTP service

1. In Control Panel, click Add or Remove Programs.

2. In Add or Remove Programs, click Add/Remove Windows Components.

3. In the Windows Components Wizard, in the Components box, click Application Server, and then click the Details button.

4. In the Application Server dialog box, in the Subcomponents of Application Server box, click Internet Information Services (IIS), and then click the Details button.

5. In the Internet Information Services (IIS) dialog box, select the SMTP Service check box.

6. Click OK to return to the Application Server dialog box.

7. Click OK to return to the main page of the Windows Components Wizard.

8. Click Next.

9. When Windows has finished installing the SMTP service, on the Completing the Windows Components Wizard page, click Finish.

Configure the SMTP service

After installing the SMTP service, configure the service to accept relayed e-mail from servers in your farm.

You can decide to accept relayed e-mail from all servers except those you specifically exclude. Alternatively, you can block e-mail from all servers except those you specifically include. You can include servers individually, or in groups by subnet or domain.

By enabling both anonymous access and e-mail relaying, you increase the possibility that the SMTP server will be used to relay unsolicited commercial e-mail (spam). It is important to limit this possibility by carefully configuring your mail servers to help protect against spam. One way that you can do this is by limiting relaying to a specific list of servers or domain, and preventing relaying from all other servers.

Important:

Membership in the Administrators group on the local computer is required to complete this procedure.

Configure the SMTP service

1. Click Start, point to All Programs, point to Administrative Tools, and then click Internet Information Services (IIS) Manager.

2. In IIS Manager, expand the server name that contains the SMTP server that you want to configure.

3. Right-click the SMTP virtual server that you want to configure, and then click Properties.

4. On the Access tab, under Access control, click Authentication.

5. In the Authentication dialog box, under Select acceptable authentication methods for this resource, verify that Anonymous access is selected.

6. Click OK.

7. On the Access tab, under Relay restrictions, click Relay.

8. To enable relaying from any server, under Select which computer may relay through this virtual server, select All except the list below.

9. To accept relaying from one or more specific servers, follow these steps:

   a. Under Select which computer may relay through this virtual server, select Only the list below.

   b. Click Add, and then add servers one at a time by IP address, or in groups by using a subnet or domain.

   c. Click OK to close the Computer dialog box.

10. Click OK to close the Relay Restrictions dialog box.

11. Click OK to close the Properties dialog box.

Configure outgoing e-mail settings

Important:

Membership in the Farm Administrators group of the Central Administration site is required to complete this procedure.

Configure outgoing e-mail settings

1. On the top navigation bar of the SharePoint Central Administration Web site, click Operations.

2. On the Operations page, in the Topology and Services section, click Outgoing e-mail settings.

3. On the Outgoing E-Mail Settings page, in the Mail Settings section, type the SMTP server name for outgoing e-mail (for example, mail.example.com) in the Outbound SMTP server box.

4. In the From address box, type the e-mail friendly address as you want it to appear to e-mail recipients.

5. In the Reply-to address box, type the e-mail address to which you want e-mail recipients to reply.

6. In the Character set menu, select the character set that is appropriate for your language.

7. Click OK.

For information about how to perform this procedure using the Stsadm command-line tool, see Email: Stsadm operation (http://technet.microsoft.com/en-us/library/cc261681.aspx).

See Also

Plan outgoing e-mail (http://technet.microsoft.com/en-us/library/cc262844.aspx)

Configure outgoing e-mail settings for a specific Web application

In this section:

Install and configure the SMTP service

Configure outgoing e-mail settings

Use this procedure to configure the outgoing e-mail settings for a specific Web application. Before using this procedure, you must first configure the default outgoing e-mail settings for all Web applications by using the procedure described in Configure outgoing e-mail settings.

Install and configure the SMTP service

Before you can enable outgoing e-mail, you must install the Internet Information Services (IIS) Simple Mail Transfer Protocol (SMTP) service. After you determine which SMTP server to use, configure that SMTP server to allow anonymous access and to allow e-mail messages to be relayed. Additionally, the SMTP server must have Internet access if you want the ability to send messages to external e-mail addresses, or it must be able to relay authenticated e-mail to a server that has Internet access. The SMTP server that you use can be a server in the farm, or another server.

Install the SMTP service

The SMTP service is a component of IIS.

Important:

Membership in the Administrators group on the local computer is required to complete this procedure.

Install the SMTP service

1. In Control Panel, click Add or Remove Programs.

2. In Add or Remove Programs, click Add/Remove Windows Components.

3. In the Windows Components Wizard, in the Components box, click Application Server, and then click the Details button.

4. In the Application Server dialog box, in the Subcomponents of Application Server box, click Internet Information Services (IIS), and then click the Details button.

5. In the Internet Information Services (IIS) dialog box, select the SMTP Service check box.

6. Click OK to return to the Application Server dialog box.

7. Click OK to return to the main page of the Windows Components Wizard.

8. Click Next.

9. When Windows has finished installing the SMTP service, on the Completing the Windows Components Wizard page, click Finish.

Configure the SMTP service

After installing the SMTP service, configure the service to accept relayed e-mail from servers in your farm.

You can decide to accept relayed e-mail from all servers except those you specifically exclude. Alternatively, you can block e-mail from all servers except those you specifically include. You can include servers individually, or in groups by subnet or domain.

By enabling both anonymous access and e-mail relaying, you increase the possibility that the SMTP server will be used to relay unsolicited commercial e-mail (spam). It is important to limit this possibility by carefully configuring your mail servers to help protect against spam. One way that you can do this is by limiting relaying to a specific list of servers or domain, and preventing relaying from all other servers.

Important:

Membership in the Administrators group on the local computer is required to complete this procedure.

Configure the SMTP service

1. Click Start, point to All Programs, point to Administrative Tools, and then click Internet Information Services (IIS) Manager.

2. In IIS Manager, expand the server name that contains the SMTP server that you want to configure.

3. Right-click the SMTP virtual server that you want to configure, and then click Properties.

4. On the Access tab, under Access control, click Authentication.

5. In the Authentication dialog box, under Select acceptable authentication methods for this resource, verify that Anonymous access is selected.

6. Click OK.

7. On the Access tab, under Relay restrictions, click Relay.

8. To enable relaying from any server, under Select which computer may relay through this virtual server, select All except the list below.

9. To accept relaying from one or more specific servers, follow these steps:

   a. Under Select which computer may relay through this virtual server, select Only the list below.

   b. Click Add, and then add servers one at a time by IP address, or in groups by using a subnet or domain.

   c. Click OK to close the Computer dialog box.

10. Click OK to close the Relay Restrictions dialog box.

11. Click OK to close the Properties dialog box.

Configure outgoing e-mail settings

Important:

Membership in the Farm Administrators group of the Central Administration site is required to complete this procedure.

Configure outgoing e-mail settings

1. On the top navigation bar of the SharePoint Central Administration Web site, click Application Management.

2. On the Application Management page, in the SharePoint Web Application Management section, click Web application outgoing e-mail settings.

3. On the Web Application E-Mail Settings page, select a Web application by using the Web Application menu in the Web Application section.

4. In the Mail Settings section, type the SMTP server name for outgoing e-mail (for example, type mail.fabrikam.com) in the Outbound SMTP server box.

5. In the From address box, type the e-mail friendly address as you want it to appear to e-mail recipients.

6. In the Reply-to address box, type the e-mail address to which you want e-mail recipients to reply.

7. On the Character set menu, click the character set that is appropriate for your language.

8. Click OK.
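The farm-default procedure and the per-Web-application procedure above both write to the same settings, so after running them it is worth checking which Web applications still inherit the default, which override it, and which have no SMTP server at all (alerts and workflow notifications from those fail silently). The following PowerShell script is added here as an example and is not part of the Microsoft documentation; it assumes it is run on a farm server as a farm administrator and that the OutboundMail* properties of SPWebService and SPWebApplication are those of the Windows SharePoint Services 3.0 object model.

```powershell
# Added example, not part of the Office SharePoint Server 2007 documentation.
# Reports the outgoing e-mail settings configured in Central Administration
# (farm default plus each Web application) so overrides and gaps are visible.
# Assumption: run locally on a farm server as a farm administrator; the
# OutboundMail* properties are those of the WSS 3.0 object model.
[void][System.Reflection.Assembly]::LoadWithPartialName("Microsoft.SharePoint")

function Get-OutboundMailRow($owner, $name) {
    # $owner is the content SPWebService (farm default) or an SPWebApplication.
    $row = "" | Select-Object Name, SmtpServer, From, ReplyTo, CodePage, Status
    $row.Name = $name
    $row.SmtpServer = ""
    # OutboundMailServiceInstance stays null until an SMTP server has been set.
    if ($owner.OutboundMailServiceInstance -ne $null) {
        $row.SmtpServer = $owner.OutboundMailServiceInstance.Server.Address
    }
    $row.From     = $owner.OutboundMailSenderAddress
    $row.ReplyTo  = $owner.OutboundMailReplyToAddress
    $row.CodePage = $owner.OutboundMailCodePage
    return $row
}

$contentService = [Microsoft.SharePoint.Administration.SPWebService]::ContentService
$default = Get-OutboundMailRow $contentService "(farm default)"
$default.Status = "default"
$rows = @($default)

foreach ($webApp in $contentService.WebApplications) {
    $row = Get-OutboundMailRow $webApp $webApp.Name
    if ([string]::IsNullOrEmpty($row.SmtpServer)) {
        # No outbound server: alerts and workflow e-mail from this Web
        # application cannot be sent.
        $row.Status = "NOT CONFIGURED"
    } elseif ($row.SmtpServer -ne $default.SmtpServer -or
              $row.From -ne $default.From -or
              $row.ReplyTo -ne $default.ReplyTo) {
        # Set separately on the Web Application E-Mail Settings page.
        $row.Status = "overrides default"
    } else {
        $row.Status = "inherits default"
    }
    $rows += $row
}

$rows | Format-Table Name, SmtpServer, From, ReplyTo, CodePage, Status -AutoSize
```

Any row marked "overrides default" points at an SMTP server that must also be in the relay list configured earlier on its IIS SMTP virtual server, or mail from that Web application will be rejected.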

See Also

Plan outgoing e-mail (http://technet.microsoft.com/en-us/library/cc262844.aspx)

Configure workflow settings

Use this procedure to configure the workflow settings for Microsoft Office SharePoint Server 2007.

Workflow settings are configured at the Web application level, enabling you to configure different settings for different Web applications. When you configure workflow settings, you must first select the Web application to configure.

Site administrators can create workflows from the Site Settings page for the site or site collection. By default, end users can create their own workflows by using code already deployed by an administrator. You can also choose to limit workflow creation to site administrators.

By default, workflows can include users who do not have site access. Users without site access who attempt to complete the task assigned to them will be directed to the Error: Access Denied page, where they can request access to the site. If you do not enable alerts for internal users without site access, workflows that include those users will not generate alerts for those users.

By default, external users cannot participate in workflows, and external users included in workflows will not be alerted. You can choose to allow external users to participate in workflows by sending copies of documents to those users by e-mail.

Configuring workflow settings

Note:

Membership in the Administrators group of the Central Administration site is required to complete this procedure.

Configure workflow settings

1. On the top navigation bar, click Application Management.

2. On the Application Management page, in the Workflow Management section, click Workflow settings.

3. On the Workflow Settings page, in the Web Application section, the current Web application is displayed in the Web Application menu. To configure the settings for a different Web application, click Change Web Application, and then select a new Web application on the Select Web Application page.

4. In the User-Defined Workflows section, select Yes if you want to enable user-defined workflows, or select No if you do not want to enable user-defined workflows.

5. In the Workflow Task Notifications section, under Alert internal users who do not have site access when they are assigned a workflow task, select Yes if you want internal users without site access to be sent an e-mail alert when a task is assigned to them. Users attempting to complete the task by using the link in the alert will be directed to the Request Permissions page. If you do not want internal users without site access to be sent an e-mail alert when a task is assigned to them, select No.

6. Under Allow external users to participate in workflow by sending them a copy of the document, select Yes if you want documents to be sent to external users by e-mail when those users are part of the workflow but they do not have access permissions to the documents. If you do not want documents to be sent to external users who do not have access permissions, select No.

   Note:

   If the object in the workflow is not a document but a list item, the list item properties are displayed in a table as part of the e-mail message.

7. Click OK.

For information about how to perform this procedure using the Stsadm command-line tool, see Workflow management: Stsadm operation (http://technet.microsoft.com/en-us/library/cc263153.aspx).

Configure diagnostic logging settings

In this section:

Customer Experience Improvement Program

Error reports

Event throttling

Configuring diagnostic logging settings

Use this procedure to configure the diagnostic logging settings for Microsoft Office SharePoint Server 2007.

You can configure how diagnostic events are logged according to their criticality. Additionally, you can set the maximum number of log files that can be maintained, and you can set how long to capture events to a single log file.

You can also indicate whether or not to provide Microsoft with continuous improvement and Dr. Watson event data.

Customer Experience Improvement Program

The Customer Experience Improvement Program (CEIP) is designed to improve the quality, reliability, and performance of Microsoft® products and technologies. With your permission, anonymous information about your server will be sent to Microsoft to help us improve SharePoint® Products and Technologies.

For more information, see the Customer Experience Improvement Program privacy statement (http://go.microsoft.com/fwlink/?LinkID=84784&clcid=0x409).

Error reports

Error reports are created when your system encounters hardware or software problems. Microsoft and its partners actively use these reports to improve the reliability of your software. Error reports include the following: information regarding the condition of the server when the problem occurs; the operating system version and computer hardware in use; and the Digital Product ID, which can be used to identify your license. The IP address of your computer is also sent because you are connecting to an online service to send error reports; however, the IP address is used only to generate aggregate statistics.

Microsoft does not intentionally collect any personal information. However, error reports could contain data from log files, such as user names, IP addresses, URLs, file or path names, and e-mail addresses. Although this information, if present, could potentially be used to determine your identity, the information will not be used in this way. The data that Microsoft collects will be used only to fix problems and to improve software and services. Error reports will be sent by using encryption technology to a database with limited access, and will not be used for marketing purposes.

For more information, see the Microsoft Error Reporting Service privacy statement (http://go.microsoft.com/fwlink/?LinkId=85028&clcid=0x409).

If you want to provide error reports to Microsoft and its partners, select the option to collect error reports. Base your decision on your organization's policies about sharing the information collected by error reports, and the potential impact of error collection on users and administrators.

Two options are available for error reports:

You can choose to periodically download a file from Microsoft that can help identify system problems based on the error reports that you provide to Microsoft.

You can change the error collection policy to silently send all reports. This changes the computer's error reporting behavior to automatically send reports to Microsoft without prompting users when they log on.

Event throttling

You can configure the diagnostic options for event logging. Events can be logged in either the Windows® event log or the trace log. You can configure event throttling settings to control how many events are recorded in each log, according to the criticality of the events. To provide more control in event throttling, you can decide to throttle events for all events, or for any single category of events. Several categories of events are available, based on different services and features of SharePoint Products and Technologies.

Categories of events can be defined by individual services or by groupings of related events. Selected event categories include:

All

Categories defined by product, such as Office SharePoint Server 2007 and Microsoft Office Project Server 2007

Administrative functions such as Administration, Backup and Recovery, Content Deployment, and Setup and Upgrade

Feature areas such as Document Management, E-Mail, Forms Services, Information Policy Management, Information Rights Management, Publishing, Records Center, Site Directory, Site Management, User Profiles, and Workflow

SharePoint Services and other services such as the Load Balancer Service

Shared services such as all Office Server Shared Services, Business Data, and Excel Calculation Services

For the selected category, select the least-critical event to record, for both the Windows event log and the trace log. Events that are equally critical to or more critical than the selected event will be recorded in each log. The list entries are sorted in order from most-critical to least-critical.

The levels of events for the Windows event log include:

None
Error
Warning
Audit Failure
Audit Success
Information

The levels of events for the trace log include:

None
Unexpected
Monitorable
High
Medium
Verbose

For more information about the Windows event log or the trace log, see the Windows documentation.

Configuring diagnostic logging settings

Note:

Membership in the Administrators group of the Central Administration site is required to complete this procedure.

Configure diagnostic logging settings

1. On the top navigation bar, click Operations.

2. On the Operations page, in the Logging and Reporting section, click Diagnostic logging.

3. On the Diagnostic Logging page, in the Customer Experience Improvement Program section, under Sign Up for the Customer Experience Improvement Program, select one of the following options:

   Yes, I am willing to participate anonymously in the Customer Experience Improvement Program (Recommended).

   No, I don't wish to participate.

   If you select Yes, users can decide whether they want to report Customer Experience Improvement Program events to Microsoft.

4. In the Error Reports section, under Error reporting, select one of the following:

   Collect error reports.

   If you select this option, you can also select or clear two options to control how error reports are collected:

      Periodically download a file that can help identify system problems.

      Change this computer's error collection policy to silently send all reports. This changes the computer's error reporting behavior to automatically send reports to Microsoft without prompting users when they log on.

   Ignore errors and don't collect information.

5. In the Event Throttling section, in the Select a category menu, select a category of events:

   a. In the Least critical event to report to the event log menu, select the least-critical event to report to the event log for the selected category.

   b. In the Least critical event to report to the trace log menu, select the least-critical event to report to the trace log for the selected category.

6. In the Trace Log section, in the Path text box, type the local path to use for the trace log on all servers in the farm. The location must exist on all servers in the farm.

   a. In the Number of log files text box, type the maximum number of files that you want to maintain.

   b. In the Number of minutes to use a log file text box, type the number of minutes to use each log file.

7. Click OK.

For information about how to perform this procedure using the Stsadm command-line tool, see Setlogginglevels (http://technet.microsoft.com/en-us/library/cc261740.aspx) and Listlogginglevels (http://technet.microsoft.com/en-us/library/cc262133.aspx).
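The Stsadm operations referenced above are the practical way to raise the trace level for a single category while troubleshooting and then put it back, since a Verbose trace log fills the trace folder quickly and, like error reports, can carry user names, URLs and e-mail addresses. The following PowerShell script is an added example, not part of the Microsoft documentation; it assumes stsadm.exe is in the standard 12-hive BIN folder, that the category name matches an entry printed by "stsadm -o listlogginglevels", that "-default" resets all categories, and that the trace log path shown (D:\SharePointLogs) is replaced with the path set in step 6.

```powershell
# Added example, not part of the Office SharePoint Server 2007 documentation.
# Checks that the trace log path exists on every SharePoint server (step 6
# requires it), raises the trace level for one category while you reproduce a
# problem, then restores the product defaults.
# Assumptions: run on a farm server as a farm administrator; $category is a
# name from "stsadm -o listlogginglevels"; $tracePath is a constructed sample.
[void][System.Reflection.Assembly]::LoadWithPartialName("Microsoft.SharePoint")

$stsadm    = Join-Path $env:CommonProgramFiles "Microsoft Shared\web server extensions\12\BIN\stsadm.exe"
$category  = "E-Mail"             # one category from the Event Throttling list
$tracePath = "D:\SharePointLogs"  # constructed sample; use the path from step 6

function Test-TraceLogPathOnAllServers($localPath) {
    # Returns the names of SharePoint servers on which the local trace log
    # folder does not exist, checked through each server's administrative share.
    $missing = @()
    $drive = $localPath.Substring(0, 1)   # "D"
    $rest  = $localPath.Substring(3)      # "SharePointLogs"
    foreach ($server in [Microsoft.SharePoint.Administration.SPFarm]::Local.Servers) {
        # Role Invalid marks non-SharePoint servers in the farm, such as SQL Server.
        if ($server.Role -eq "Invalid") { continue }
        $unc = "\\$($server.Address)\$drive`$\$rest"
        if (-not (Test-Path $unc)) { $missing += $server.Address }
    }
    return $missing
}

$missing = @(Test-TraceLogPathOnAllServers $tracePath)
if ($missing.Count -gt 0) {
    Write-Warning ("Trace log path {0} is missing on: {1}" -f $tracePath, ($missing -join ", "))
    return
}

# Keep a copy of the current levels for reference before changing anything.
& $stsadm -o listlogginglevels | Out-File "$env:TEMP\logginglevels-before.txt"

# Verbose trace output for the one category only; the Windows event log level
# stays at Error so the event log is not flooded.
& $stsadm -o setlogginglevels -category $category -tracelevel Verbose -windowslogginglevel Error

Read-Host "Reproduce the problem, collect the .log files from $tracePath, then press Enter"

# Put every category back to the product defaults so the raised level is not
# left in place after the investigation.
& $stsadm -o setlogginglevels -default
```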

Configure single sign-on

Single sign-on (SSO) is a Microsoft Office SharePoint Server feature that provides storage and mapping of credentials such as account names and passwords. Using SSO, portal site–based applications can retrieve information from third-party applications and back-end systems such as Enterprise Resource Planning (ERP) and Customer Relations Management (CRM) systems.

The use of single sign-on functionality enables users to authenticate only once when they access portal site–based applications that need to obtain information from other business applications and systems.

Configuring single sign-on consists of five tasks:

Configure and start the Microsoft Single Sign-On service
Configure Single Sign-On for Office SharePoint Server 2007
Manage the encryption key
Manage enterprise application definitions
Manage account information for an enterprise application definition

Note that you must be logged into the SharePoint Central Administration Web site on a farm server to configure single sign-on (SSO) for Office SharePoint Server 2007. If you attempt to configure SSO on a workstation or any computer that is not a farm server, you will see an error message that reads "Single sign-on cannot be configured from this server. To configure single sign-on, go to the computer running the single sign-on service and specify these settings locally."

Follow the procedures in the sections that follow to configure SSO for your Office SharePoint Server 2007 environment.

Configure and start the Microsoft Single Sign-On service

To use single sign-on, the Microsoft Single Sign-On service (SSOSrv) must be installed on all Microsoft Windows front-end Web servers in the farm. SSOSrv must also be installed on all servers running Excel Services. If the Business Data Catalog search is used, SSOSrv must also be installed on the index server.

SSOSrv is configured by using the Services console. When configuring the service, a logon account is required. The logon account must meet all of the following criteria:

Must be a domain user account. It cannot be a group account.

Must be an Office SharePoint Server farm account.

Must be a member of the local Administrators group on the encryption-key server. (The encryption-key server is the first server on which you start SSOSrv.)

Must be a member of the Security Administrators role and db_creator role on the computer running Microsoft SQL Server.

Must be either the same as the single sign-on administrator account, or a member of the group account that is the single sign-on administrator account.

Configure and start the Microsoft Single Sign-On service

1. On the server, click Start, Control Panel, Administrative Tools, and then click Computer Management.

2. In the Computer Management console, expand Services and Applications, and then click Services.

3. Right-click Microsoft Single Sign-On Service, and then choose Properties.

4. On the General tab, change the Startup type to Automatic.

5. On the General tab, under Service Status, click Start.

6. Click OK to save your changes and close the Properties window.

7. Repeat steps 1 through 6 for each applicable server in the farm.

Configure Single Sign-On for Office SharePoint Server 2007

Managing server settings for single sign-on includes specifying the appropriate administrator accounts, the single sign-on database server and server name, and time-out and audit log settings.

Note:

You must open Central Administration on the computer that runs Office SharePoint Server 2007 to manage server settings for single sign-on.

Configure SSO for Office SharePoint Server 2007

1. On Central Administration, on the top navigation bar, click Operations.

2. On the Operations page, in the Security Configuration section, click Manage settings for single sign-on.

3. On the Manage Settings for Single Sign-On page, in the Server Settings section, click Manage server settings.

4. On the Manage Settings for Single Sign-On page, in the Account name box in the Single Sign-On Administrator Account section, type the single sign-on administrator account name by using the form domain/group or domain/username.

   Note:

   The single sign-on administrator account specifies the set of people who can create, delete, or modify application definitions. The administrator account can also back up the encryption key.

   The user or group that you specify as the single sign-on administrator must be all of the following:

   Either a Windows global group or an individual user account. This account cannot be a domain local group account or a distribution list.

   The same account as the single sign-on service account, if a user is specified. If a group is specified, the single sign-on service account must be a member of that group.

   The same as the configuration account for single sign-on, if a user is specified. If a group is specified, the configuration account for single sign-on must be a member of that group.

   A member of the Farm Administrators group on Central Administration.

   If a group is specified, all users who are added to the group for the purpose of administering single sign-on must be members of the local Administrators group on the encryption-key server. Do not make this account a member of the local Administrators group on the encryption-key server.

5. In the Enterprise Application Definition Administrator Account section, in the Account name box, type the account name of the group or user who can set up and manage enterprise application definitions. Type the name by using the form domain/group or domain/username.

   The enterprise application definition administrator account can manage credentials of an enterprise application definition, including changing the password of a group enterprise application definition and changing or deleting credentials for an individual enterprise application definition.

   The user or group that you specify must be the following:

   Either a Windows global group or an individual user account. This account cannot be a domain local group account or a distribution list.

   A member of the Reader SharePoint group on Central Administration.

6. In the Database Settings section, in the Server name box, type the NetBIOS name of the single sign-on database server (for example, computer_name or computer_name\SQL_Server_instance). Do not type the fully qualified domain name.

7. In the Database name box, enter the name of the single sign-on database server.

   Note:

   Unless you are pre-creating databases, we recommend that you use the default database server and single sign-on database server.

8. In the Time Out Settings section, in the Ticket time out (in minutes) box, type a value for how many minutes pass before a single sign-on ticket expires. The time-out should be long enough to last between the time that the ticket is issued and the time that the enterprise application redeems the ticket. Two minutes is the recommended value.

9. In the Delete audit log records older than (in days) box, type a value for how many days the audit log holds records before deleting them.

10. Click OK.

Manage the encryption key

The first server that SSOSrv is enabled on becomes the encryption-key server. The encryption-key server generates and stores the encryption key. The encryption key is used to encrypt and decrypt the credentials that are stored in the SSO database.

Because the encryption key protects security credentials, we recommend that you create a new encryption key on a regular schedule (for example, every 90 days). We also recommend that you create a new encryption key immediately if you suspect that account credentials have been compromised.

The encryption key must be backed up each time a new key is created. You do not need to back up the encryption key at any other time (except when you are moving the encryption-key server role from one server to another). You must back up the encryption key from the encryption-key server locally; the key cannot be backed up remotely.

You can also use encryption key backup and restore to move the encryption-key server role from one server to another. (Other tasks must also be completed to move the encryption-key server role.)

Note:

You must open Central Administration on the computer that runs Office SharePoint Server 2007 to manage the encryption key.

Manage the encryption key

1. On Central Administration, on the top navigation bar, click Operations.

2. On the Operations page, in the Security Configuration section, click Manage settings for single sign-on.

3. On the Manage Settings for Single Sign-On page, in the Server Settings section, click Manage encryption key.

From the Manage Encryption Key page, you can perform three management tasks:

Create a new encryption key
Back up an encryption key
Restore an encryption key

Create a new encryption key

1. On the Manage Encryption Key page, in the Encryption Key section, click Create Encryption Key.

2. On the Create Encryption Key page, select the Re-encrypt all credentials by using the new encryption key check box.

   Important:

   If you do not re-encrypt the existing credentials with the new encryption key, users must retype their credentials for individual application definitions, and administrators must retype group credentials for group application definitions.

3. Click OK.

Back up an encryption key

1. On the Manage Encryption Key page, in the Drive list in the Encryption Key Backup section, click the removable media drive on which you want to store the encryption-key backup.

2. Click Back Up.

Restore an encryption key

You should always back up the encryption key when you back up the single sign-on database, because the database is useless without the encryption key. Also, before you replace an encryption-key server, make sure to back up the encryption key so that it can be restored on the new encryption-key server.

1. On the Manage Encryption Key page, in the Drive list in the Encryption Key Restore section, click the removable media drive from which you want to restore the encryption-key backup.

2. Click Restore.

Manage enterprise application definitions

In the single sign-on environment, the back-end external data sources and systems are referred

to as enterprise applications. For each enterprise application that Office SharePoint Server 2007

connects to, a corresponding enterprise application definition needs to be configured.

1. On Central Administration, on the top navigation bar, click Operations.

2. On the Operations page, in the Security Configuration section, click Manage settings

for single sign-on.

3. On the Manage Settings for Single Sign-On page, click Manage settings for enterprise

application definitions.


Manage account information for an enterprise application definition

If you are using a group to connect to the enterprise application, you need to provide account

credentials for the group to use. If individual users are connecting directly to the enterprise

application, you can preset or reset user passwords, or you can delete users from the enterprise

application definition.

1. On Central Administration, on the top navigation bar, click Operations.

2. On the Operations page, in the Security Configuration section, click Manage settings

for single sign-on.

3. On the Manage Settings for Single Sign-On page, in the Enterprise Application

Definition Settings section, click Manage account information for enterprise

application definitions.

4. On the Manage Account Information for an Enterprise Application Definition page, in the

Enterprise application definition list in the Account Information section, click the

application definition for which you want to manage account information.

5. In the Group account name box, type the name of the group that is allowed access to

the enterprise application.

6. In the Enterprise Application Definition section, select one of the following:

Option: Update account information

Purpose: Enter credentials for the first time or update the credentials used to connect to the

enterprise application.

Option: Delete stored credentials for this account from this enterprise application definition

Purpose: Delete the credentials currently used to connect to the enterprise application.

Option: Delete stored credentials for this account from all enterprise application definitions

Purpose: Delete the credentials currently used to connect the selected enterprise application

from all enterprise application definitions. Deleting stored credentials deletes credentials only

for individual accounts; it does not delete credentials for group accounts.

If you select Update account information, complete the following steps:

a. Click Set.

b. On the Provide Account Information page, in the Logon Information section, type


the user name and password of the account that will be used to connect to the

enterprise application.

c. Click OK.

7. Click Done.


Configure antivirus settings

Use this procedure to configure the antivirus settings for Microsoft Office SharePoint Server 2007.

You can activate antivirus measures only after installing a compatible antivirus scanner. In a

server farm, you must install antivirus software on every front-end Web server in the server farm.

You can configure four antivirus settings:

Scan documents on upload Select this setting to scan uploaded documents. This helps

prevent users with infected documents from distributing them to other users.

Scan documents on download Select this setting to scan downloaded documents. This

helps prevent users from downloading infected documents by warning them about infected

files. Users can still choose to download an infected file only if the Allow users to download

infected documents option is also selected.

Allow users to download infected documents If this option is selected, users can

download infected documents. Do not select this option unless you have a specific reason to

download infected documents, such as troubleshooting a virus infection on your system.

Attempt to clean infected documents Select this setting to automatically clean infected

documents that were discovered during scanning.

Administrative credentials

Membership in the Administrators group of the Central Administration site is required to complete

this procedure.

Configure antivirus settings

1. On the top navigation bar, click Operations.

2. On the Operations page, in the Security Configuration section, click Antivirus.

3. On the Antivirus page, in the Antivirus Settings section, select one or all of the

following:

Scan documents on upload

Scan documents on download

Allow users to download infected documents

Attempt to clean infected documents

4. Click OK.

For information about how to perform this procedure using the Stsadm command-line tool, see

Antivirus: Stsadm properties (http://technet.microsoft.com/en-us/library/cc261683.aspx).


Configure authentication

In this section:

Configure anonymous access

Configure digest authentication

Configure forms-based authentication

Configure Web SSO authentication by using ADFS

Configure Kerberos authentication

Authentication is the process of validating client identity, usually by means of a designated

authority. Web site authentication helps establish that a user who is trying to access Web site

resources can be verified as an authenticated entity. An authentication application obtains

credentials from a user who is requesting Web site access. Credentials can be various forms of

identification, such as user name and password. The authentication application tries to validate

the credentials against an authentication authority. If the credentials are valid, the user who

submitted the credentials is considered to be an authenticated identity.

Office SharePoint Server authentication

To determine the most appropriate Office SharePoint Server authentication mechanism to use,

consider the following issues:

To use a Windows authentication mechanism, you need an environment that supports user

accounts that can be authenticated by a trusted authority.

If you use a Windows authentication mechanism, the operating system performs user

credential management tasks. If you use an authentication provider other than Windows,

such as forms authentication, you must plan and implement a credential management system

and determine where to store user credentials.

You might need to implement an impersonation/delegation model that can pass a user's

operating system–level security context across tiers. This enables the operating system to

impersonate the user and delegate the user's security context to the next downstream

subsystem.

Microsoft Office SharePoint Server is a distributed application that is logically divided into three

tiers: the front-end Web server tier, the application server tier, and the back-end database tier.

Each tier is a trusted subsystem and authentication can be required for access to each tier.

Credential validation requires an authentication provider. Authentication providers are software

components that support specific authentication mechanisms. Authentication for Office

SharePoint Server 2007 is built on the ASP.NET authentication model and includes three

authentication providers:

Windows authentication provider

Forms authentication provider


Web SSO authentication provider

You can use the Active Directory directory service for authentication, or you can design your

environment to validate user credentials against other data stores, such as a Microsoft SQL

Server database, a lightweight directory access protocol (LDAP) directory, or any other directory

that has an ASP.NET 2.0 membership provider. The membership provider specifies the type of

data store you are going to use. The default ASP.NET 2.0 membership provider uses a SQL

Server database. Office SharePoint Server 2007 includes an LDAP v3 membership provider, and

ASP.NET 2.0 includes a SQL Server membership provider.

You can also deploy multiple authentication providers to enable, for example, intranet access by

using Windows authentication and external access by using forms authentication. Using multiple

authentication providers requires the use of multiple Web applications. Each Web application

must have a designated zone and a single authentication provider.

The authentication providers are used to authenticate against user and group credentials that are

stored in Active Directory, in a SQL Server database, or in a non-Active Directory LDAP directory

service (such as NDS). For more information about ASP.NET membership providers, see

Configuring an ASP.NET Application to Use Membership

(http://go.microsoft.com/fwlink/?LinkId=87014&clcid=0x409).

Windows authentication provider

The Windows authentication provider supports the following authentication methods:

Anonymous authentication

Anonymous authentication enables users to find resources in the public areas of Web sites

without having to provide authentication credentials. Internet Information Services (IIS)

creates the IUSR_computername account to authenticate anonymous users in response to a

request for Web content. The IUSR_computername account, where computername is the

name of the server that is running IIS, gives the user access to resources anonymously under

the context of the IUSR account. You can reset anonymous user access to use any valid

Windows account. In a stand-alone environment, the IUSR_computername account is on the

local server. If the server is a domain controller, the IUSR_computername account is defined

for the domain. By default, anonymous access is disabled when you create a new Web

application. This provides an additional layer of security, because IIS rejects anonymous

access requests before they can ever be processed if anonymous access is disabled.

Basic authentication

Basic authentication requires previously assigned Windows account credentials for user

access. Basic authentication enables a Web browser to provide credentials when making a

request during an HTTP transaction. Because user credentials are not encrypted for network

transmission, but are sent over the network in plaintext, using basic authentication over an

unsecured HTTP connection is not recommended. To use basic authentication, you should

enable Secure Sockets Layer (SSL) encryption.


Digest authentication

Digest authentication provides the same functionality as basic authentication, but with

increased security. User credentials are encrypted instead of being sent over the network in

plaintext. User credentials are sent as an MD5 message digest in which the original user

name and password cannot be deciphered. Digest authentication uses a challenge/response

protocol that requires the authentication requestor to present valid credentials in response to

a challenge from the server. To authenticate against the server, the client has to supply an

MD5 message digest in a response that contains a shared secret password string. The MD5

Message-Digest Algorithm is described in detail in Internet Engineering Task Force (IETF)

RFC 1321 (http://www.ietf.org).

To use digest authentication, note the following requirements:

The user and IIS server must be members of, or trusted by, the same domain.

Users must have a valid Windows user account stored in Active Directory on the domain

controller.

The domain must use a Microsoft Windows Server 2003 domain controller.

You must install the IISSuba.dll file on the domain controller. This file is copied

automatically during Windows Server 2003 Setup.

Integrated Windows authentication

Integrated Windows authentication can be implemented using either NTLM or constrained

Kerberos delegation. Constrained Kerberos delegation is the most secure authentication

method. Integrated Windows authentication works well in an intranet environment where

users have Windows domain accounts. In Integrated Windows authentication, the browser

attempts to use the current user's credentials from a domain logon, and if the attempt is

unsuccessful, the user is prompted to enter a user name and password. If you use Integrated

Windows authentication, the user's password is not transmitted to the server. If the user has

logged on to the local computer as a domain user, the user does not have to authenticate

again when the user accesses a network computer in that domain.

Kerberos authentication

This method is for servers that are running Active Directory on Microsoft Windows 2000

Server and more recent versions of Windows. Kerberos is a secure protocol that supports

ticketing authentication. A Kerberos authentication server grants a ticket in response to a

client computer authentication request that contains valid user credentials. The client

computer then uses the ticket to access network resources. To enable Kerberos

authentication, the client and server computers must have a trusted connection to the domain

Key Distribution Center (KDC). The client and server computers must also be able to access

Active Directory. For more information about configuring a virtual server to use Kerberos

authentication, see Microsoft Knowledge Base article 832769: How to configure a Windows

SharePoint Services virtual server to use Kerberos authentication and how to switch from

Kerberos authentication back to NTLM authentication

(http://go.microsoft.com/fwlink/?LinkId=115572&clcid=0x409).


Constrained Kerberos delegation

Constrained Kerberos delegation is the most secure configuration for communication between

multiple application tiers. You can use constrained delegation to pass the original caller's

identity through multiple application tiers: for example, from a Web server to an application

server to a database server. Constrained Kerberos delegation is also the most secure

configuration for accessing back-end data sources from application servers. Impersonation

enables a thread to run in a security context other than the context of the process that owns

the thread. In most server farm deployments in which front-end Web servers and application

servers run on different computers, impersonation will require constrained Kerberos

delegation.

Impersonation and Kerberos delegation

Kerberos delegation enables an authenticated entity to impersonate the credentials of a user

or computer within the same forest. When impersonation is enabled, the impersonating entity

is allowed to use credentials for performing tasks on behalf of the impersonated user or

computer.

During impersonation, ASP.NET applications can run by using the credentials of another

authenticated entity. By default, ASP.NET impersonation is disabled. If impersonation is

enabled for an ASP.NET application, then that application runs using the credentials of the

access token IIS passes to ASP.NET. That token can be either an authenticated user token,

such as a token for a logged-in Windows user, or the token that IIS provides for anonymous

users (typically, the IUSR_computername identity).

When impersonation is enabled, only your application code runs under the context of the

impersonated user. Applications are compiled and configuration information is loaded by

using the identity of the ASP.NET process.

For more information about impersonation, see ASP.NET Impersonation

(http://go.microsoft.com/fwlink/?LinkId=115573&clcid=0x409).

NTLM authentication

This method is for Windows servers that are not running Active Directory on a domain

controller. NTLM authentication is required in networks where the server receives

authentication requests from client computers that do not support Kerberos authentication.

NTLM is a secure protocol that supports user credential encryption and transmission over a

network. NTLM is based on encrypting user names and passwords before sending the user

names and passwords over the network. NTLM is the authentication protocol that is used in

Windows NT Server and in Windows 2000 Server workgroup environments, and in many

Active Directory deployments. NTLM is used in mixed Windows 2000 Active Directory

domain environments that must authenticate Windows NT systems. When Windows 2000

Server is converted to native mode where no down-level Windows NT domain controllers

exist, NTLM is disabled. Kerberos then becomes the default authentication protocol for the

enterprise.


Forms authentication provider

The forms authentication provider supports authentication against credentials stored in Active

Directory, in a database such as a SQL Server database, or in an LDAP data store such as

Novell eDirectory, Novell Directory Services (NDS), or Sun ONE. Forms authentication enables

user authentication based on validation of credential input from a logon form. Unauthenticated

requests are redirected to a logon page, where the user must provide valid credentials and

submit the form. If the request can be authenticated, the system issues a cookie that contains a

key for reestablishing the identity for subsequent requests.

Web single sign-on (SSO) authentication provider

Web SSO is also referred to as federated authentication or delegate authentication, because it

supports secure communication across network boundaries.

SSO is an authentication method that enables access to multiple secure resources after a single

successful authentication of user credentials. There are several different implementations of SSO

authentication. Web SSO authentication supports secure communication across network

boundaries by enabling users who have been authenticated in one organization to access Web

applications in another organization. Active Directory Federation Services (ADFS) supports Web

SSO. In an ADFS scenario, two organizations can create a federation trust relationship that

enables users in one organization to access Web-based applications that are controlled by

another organization. For information about using ADFS to configure Web SSO authentication,

see Configure Web SSO authentication by using ADFS. For information about how to perform

this procedure using the Stsadm command-line tool, see Authentication: Stsadm operation

(http://technet.microsoft.com/en-us/library/cc263116.aspx).


Configure anonymous access

In this section:

About anonymous access

Enable anonymous access for a zone

Enable anonymous access for individual sites

Enable anonymous access for individual lists

Anonymous access enables users to find resources in the public areas of Web sites without

having to provide authentication credentials.

About anonymous access

Internet Information Services (IIS) creates the IUSR_computername account to authenticate

anonymous users in response to a request for Web content. The IUSR_computername account,

where computername is the name of the server that is running IIS, gives the user access to

resources anonymously under the context of the IUSR account. You can reset anonymous user

access to use any valid Windows account.

Note:

You can set up different anonymous accounts for different Web sites, virtual or physical

directories, and files.

In a stand-alone environment, the IUSR_computername account is on the local server. If the

server is a domain controller, the IUSR_computername account is defined for the domain.

By default, anonymous access is disabled by Office SharePoint Server 2007 when you create a

new Web application. This provides an additional layer of security because IIS rejects anonymous

access requests before they can ever be processed by Office SharePoint Server 2007 if

anonymous access is disabled.

Enable anonymous access for a zone

Use the following procedures to enable anonymous access for a zone of a Web application.

Within each Web application, you can categorize different classes of users into one of the

following five zones:

Internet is the zone used for customers. Typically, the Internet zone is the only zone you

would configure for anonymous access.

Intranet is the zone used for internal employees.

Default is the zone used for remote employees.

Custom is the zone used for administrators.

Extranet is the zone used for partners.


Enable anonymous access for a zone of a Web application

1. From Administrative Tools, open the SharePoint Central Administration Web site

application.

2. On the Central Administration home page, click Application Management.

3. On the Application Management page, in the Application Security section, click

Authentication providers.

4. On the Authentication Providers page, make sure the Web application that is listed in the

Web Application box (under Site Actions) is the one that you want to configure. If the

listed Web application is not the one that you want to configure, click the drop-down

arrow to the right of the Web Application drop-down list box and select Change Web

Application.

5. In the Select Web Application dialog box, click the Web application that you want to

configure.

6. On the Authentication Providers page, click the zone of the Web application on which you

want to enable anonymous access. The zones that are configured for the selected Web

application are listed on the Authentication Providers page.

7. On the Edit Authentication page, in the Anonymous Access section, select Enable

Anonymous Access, and then click Save.

At this point, the Web application zone has been enabled for anonymous access.

Enable anonymous access for individual sites

Now you need to enable anonymous access for individual sites in the site collection.

Enable anonymous access for individual sites

1. Go to the site on which you want to enable anonymous access and click the Site Actions

menu.

2. On the Site Actions menu, click Site Settings.

3. On the Site Settings page, in the Users and Permissions section, click Advanced

Permissions.

4. On the Permissions page, on the Settings menu, click Anonymous Access. The

Anonymous Access settings list three options:

Entire Web site Select this option if you want to enable anonymous access for the

entire Web site.

Lists and libraries Select this option if you want to limit anonymous access to only

the lists and libraries on your site.

Nothing Select this option if you want to prevent anonymous access from being

used on your site.

5. Click OK.


At this point, your site is configured for anonymous access based on the options that you have

selected.

Enable anonymous access for individual lists

If you select Lists and libraries, enable anonymous access for individual lists.

Enable anonymous access for individual lists

1. Go to the home page of your Web site and, in the left navigation pane, click View All Site

Content.

2. Click the list on which you want to enable anonymous access.

3. On the Settings menu, click List Settings.

4. On the Customize List page, in the Permissions and Management section, click

Permissions for this list.

5. On the Permissions page, on the Actions menu, click Edit Permissions. A dialog box is

displayed informing you that you are about to create unique permissions for this list. Click

OK.

6. On the Settings menu, click Anonymous Access.

7. Select permissions for users who have anonymous access to the list, and then click OK.

At this point, users have anonymous access to the list you have configured. You can control

whether users have anonymous access to other lists, the home page, or other pages on this site.


Configure digest authentication

In this section:

About digest authentication

Enable digest authentication for a zone of a Web application

Configure IIS to enable digest authentication

About digest authentication

Basic authentication requires previously assigned Windows account credentials for user access.

Basic authentication enables a Web browser to provide credentials when making a request during

an HTTP transaction. Because user credentials are not encrypted for network transmission, but

are sent over the network in plaintext, using basic authentication over an unsecured HTTP

connection is not recommended. To use basic authentication, you should enable Secure Sockets

Layer (SSL) encryption.

Digest authentication provides the same functionality as basic authentication, but with increased

security. User credentials are encrypted instead of being sent over the network in plaintext. User

credentials are sent as an MD5 message digest in which the original user name and password

cannot be deciphered. Digest authentication uses a challenge/response protocol that requires the

authentication requestor to present valid credentials in response to a challenge from the server.

To authenticate against the server, the client has to supply an MD5 message digest in a response

that contains a shared secret password string. The MD5 Message-Digest Algorithm is described

in detail in RFC 1321. For access to RFC 1321, see Internet Engineering Task Force (IETF)

(http://www.ietf.org).

To use digest authentication, note the following requirements:

The user and IIS server must be members of, or trusted by, the same domain.

Users must have a valid Windows user account stored in Active Directory on the domain

controller.

The domain must use a Microsoft Windows Server 2003 domain controller.

You must install the IISSuba.dll file on the domain controller. This file is copied automatically

during Windows Server 2003 Setup.

You must install Windows Server 2003 with SP2 or later. Microsoft Office SharePoint Server

2007 does not support digest authentication on Windows Server 2003 with SP1 or earlier.

To enable digest authentication to work with browsers other than Microsoft Internet Explorer

6.0 or Internet Explorer 7.0, you must install the IIS hotfix described in Knowledge Base

article 932729. For information about this hotfix, see FIX: Error message when you try to

access a Web site that is hosted on IIS 6.0: Access Denied

(http://go.microsoft.com/fwlink/?LinkId=92784&clcid=0x409).
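Basic and digest authentication, described above under the Windows authentication provider and again in this section, differ in what actually crosses the wire. The following Python example is added here and is not code from this book or from IIS: it decodes a Basic header to show that base64 is only an encoding, then computes and verifies the RFC 2617 digest response (the form without the qop directive) against a single-use server nonce. The realm CONTOSO, the account alice and the URL path are constructed sample values; only the standard library is used.

```python
"""Basic versus Digest authentication: what each puts on the wire.

Added example (standard library only), not code from the Office SharePoint
Server book or from IIS. The realm, account and URL path below are constructed
sample values.
"""
import base64
import hashlib
import hmac
import secrets


def decode_basic_header(header: str) -> tuple:
    """Recover user name and password from an HTTP Basic Authorization header.

    Basic only base64-encodes "user:password"; base64 is an encoding, not
    encryption, which is why the book says to enable SSL for it.
    """
    scheme, _, token = header.strip().partition(" ")
    if scheme != "Basic":
        raise ValueError("not a Basic authorization header")
    user, _, password = base64.b64decode(token).decode("utf-8").partition(":")
    return user, password


def _md5hex(text: str) -> str:
    return hashlib.md5(text.encode("utf-8")).hexdigest()


def digest_ha1(username: str, realm: str, password: str) -> str:
    """H(A1) = MD5(user:realm:password): the only value derived from the secret."""
    return _md5hex(f"{username}:{realm}:{password}")


def digest_response(ha1: str, nonce: str, method: str, uri: str) -> str:
    """RFC 2617 response without qop: MD5(H(A1):nonce:MD5(method:uri)).

    The password never appears in the message; the client proves it knows the
    password by producing this digest for the server's freshly issued nonce.
    """
    ha2 = _md5hex(f"{method}:{uri}")
    return _md5hex(f"{ha1}:{nonce}:{ha2}")


class DigestServer:
    """Server side of the challenge/response exchange.

    Holds H(A1) per account, issues a random nonce as the challenge and accepts
    each nonce once, so a captured response cannot be replayed later.
    """

    def __init__(self, realm: str, accounts: dict):
        self.realm = realm
        self.accounts = accounts      # username -> H(A1)
        self.outstanding = set()      # nonces issued and not yet consumed

    def challenge(self) -> str:
        nonce = secrets.token_hex(16)
        self.outstanding.add(nonce)
        return nonce

    def verify(self, username: str, nonce: str, method: str, uri: str,
               response: str) -> bool:
        if nonce not in self.outstanding:
            return False              # never issued, expired or already used
        self.outstanding.discard(nonce)
        ha1 = self.accounts.get(username)
        if ha1 is None:
            return False
        expected = digest_response(ha1, nonce, method, uri)
        return hmac.compare_digest(expected.encode(), response.encode())


def demo_exchange() -> dict:
    """One Basic decode and three Digest attempts on the constructed account."""
    realm, user, password = "CONTOSO", "alice", "Pa55w.rd"
    uri = "/sites/hr/default.aspx"
    server = DigestServer(realm, {user: digest_ha1(user, realm, password)})

    # Basic: anyone who sees the header has the password.
    header = "Basic " + base64.b64encode(f"{user}:{password}".encode()).decode()
    leaked = decode_basic_header(header)

    # Digest: a valid response for a fresh nonce, then the same response replayed.
    nonce = server.challenge()
    good = digest_response(digest_ha1(user, realm, password), nonce, "GET", uri)
    accepted = server.verify(user, nonce, "GET", uri, good)
    replayed = server.verify(user, nonce, "GET", uri, good)

    # Digest with the wrong password against a second fresh nonce.
    nonce2 = server.challenge()
    bad = digest_response(digest_ha1(user, realm, "wrong"), nonce2, "GET", uri)
    wrong_pw = server.verify(user, nonce2, "GET", uri, bad)

    return {"basic_leaks_password": leaked == (user, password),
            "password_in_digest": password in good,
            "valid_accepted": accepted,
            "replay_accepted": replayed,
            "wrong_password_accepted": wrong_pw}


if __name__ == "__main__":
    for name, value in demo_exchange().items():
        print(f"{name}: {value}")
```

Because the response is bound to the server's nonce, a captured response is useless once that nonce is consumed, which is what "challenge/response" buys over Basic. The server-side value H(A1) is still an unsalted MD5 of user name, realm and password, so the store holding it needs the same protection as a password store, and the book's requirement that the domain controller be involved reflects where that secret lives.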


Enable digest authentication for a zone of a Web application

Use the following procedures to enable digest authentication for a zone of a Web application.

Within each Web application, you can categorize different classes of users into one of the

following five zones:

Internet is the zone used for customers.

Intranet is the zone used for internal employees.

Default is the zone used for remote employees.

Custom is the zone used for administrators.

Extranet is the zone used for partners.

Enable digest authentication for a zone of a Web application

1. From Administrative Tools, open the SharePoint Central Administration Web site

application.

2. On the Central Administration home page, click Application Management.

3. On the Application Management page, in the Application Security section, click

Authentication providers.

4. On the Authentication Providers page, make sure the Web application that is listed in the

Web Application box (under Site Actions) is the one that you want to configure. If the

listed Web application is not the one that you want to configure, click the drop-down

arrow to the right of the Web Application drop-down list box and select Change Web

Application.

5. In the Select Web Application dialog box, click the Web application that you want to

configure.

6. On the Authentication Providers page, click the zone of the Web application on which you

want to enable digest authentication. The zones that are configured for the selected Web

application are listed on the Authentication Providers page.

7. On the Edit Authentication page, in the IIS Authentication section, clear the Integrated

Windows authentication and Basic authentication check boxes, and then click Save.

At this point use the IIS Management Console to configure IIS to enable digest authentication.

Configure IIS to enable digest authentication

Use the following procedures to configure IIS to enable digest authentication.

Configure IIS to enable digest authentication

1. From Administrative Tools on the Start menu, click Internet Information Services to

start the IIS Management Console.

2. Under the Web Sites node on the console tree, right-click the IIS Web site that


corresponds to the Web application zone on which you want to configure digest

authentication, and then click Properties.

3. On the Web Site Properties page, click the Directory Security tab.

4. In the Anonymous access and authentication control section, click the Edit button.

5. In the Authenticated access section of the Authentication Methods dialog box, select

Digest authentication for Windows domain servers. A dialog box is displayed

informing you that digest authentication only works with Active Directory domain

accounts, and asking you if you want to continue. Click Yes.

6. In the Realm section of the Authentication Methods dialog box, click the Select

button.

7. Select the appropriate realm and click OK. On the other open dialog boxes, click OK.

At this point, your Web site is configured to use digest authentication.


Configure forms-based authentication

In this section:

About forms-based authentication

Configure forms-based authentication across multiple zones

Configure forms-based authentication for My Sites Web applications

Configure the SSP for forms-based authentication

Configure user profiles and people search

Microsoft Office SharePoint Server 2007 authentication is performed by an authentication

mechanism that is supported by one of the available authentication providers. Providers are

modules that contain the code necessary to authenticate the credentials of a requestor.

Authentication for Office SharePoint Server 2007 is built on the ASP.NET authentication model

and includes three authentication providers:

Windows authentication provider

Forms-based authentication provider

Web Single Sign-On (SSO) authentication provider

In addition, ASP.NET supports the use of pluggable authentication providers, which means that

you can write an authentication provider to support any credential store that you want to use.

About forms-based authentication

The forms-based authentication provider supports authentication against credentials stored in

Active Directory, in a database such as a SQL Server database, or in a Lightweight Directory

Access Protocol (LDAP) data store such as Novell eDirectory, Novell Directory Services (NDS),

or Sun ONE. Forms-based authentication enables user authentication based on validation of

credential input from a logon form. Unauthenticated requests are redirected to a logon page,

where the user must provide valid credentials and submit the form. If the request can be

authenticated, the system issues a cookie that contains a key for reestablishing the identity for

subsequent requests.

The forms-based authentication provider supports authentication against credentials stored in

one of the following:

The Active Directory directory service

A database

An LDAP data store
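The logon-form flow described above (in the Forms authentication provider overview and again in this section) is easier to reason about as running code. The following Python example is added here and is not code from this book or from ASP.NET: the membership provider is replaced by an in-memory store of salted, stretched password hashes, and the ASP.NET forms ticket by an HMAC-signed, expiring cookie. The logon page path /_layouts/login.aspx, the account alice, the cookie key and the site path are assumed sample values; only the standard library is used.

```python
"""Forms-based authentication, reduced to its moving parts.

Added example (standard library only), not code from the Office SharePoint
Server book or from ASP.NET: a redirect-to-logon flow, a membership store that
validates a posted user name and password, and an integrity-protected, expiring
cookie that re-establishes the identity on later requests. The logon page path,
the account and the request paths are constructed sample values.
"""
import base64
import hashlib
import hmac
import json
import os
import time


class MembershipStore:
    """Stand-in for an ASP.NET membership provider backed by SQL or LDAP.
    Passwords are stored salted and stretched (PBKDF2), never in clear text."""

    def __init__(self):
        self._users = {}  # username -> (salt, derived key)

    @staticmethod
    def _derive(password: str, salt: bytes) -> bytes:
        return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, 100_000)

    def create_user(self, username: str, password: str) -> None:
        salt = os.urandom(16)
        self._users[username] = (salt, self._derive(password, salt))

    def validate_user(self, username: str, password: str) -> bool:
        record = self._users.get(username)
        if record is None:
            self._derive(password, bytes(16))  # same cost for unknown users
            return False
        salt, expected = record
        return hmac.compare_digest(expected, self._derive(password, salt))


class FormsAuth:
    """Unauthenticated requests go to the logon page; a successful logon issues
    a cookie; the cookie, not the password, proves identity after that."""

    LOGIN_PATH = "/_layouts/login.aspx"  # assumed logon page path

    def __init__(self, store: MembershipStore, cookie_key: bytes, lifetime: int = 1200):
        self.store = store
        self.key = cookie_key     # server secret; whoever holds it can mint tickets
        self.lifetime = lifetime  # ticket validity in seconds

    def issue_ticket(self, username: str, now: float) -> str:
        payload = json.dumps({"u": username, "exp": int(now) + self.lifetime}).encode()
        body = base64.urlsafe_b64encode(payload).decode()
        mac = hmac.new(self.key, body.encode(), hashlib.sha256).hexdigest()
        return f"{body}.{mac}"

    def read_ticket(self, cookie: str, now: float):
        """User name if the cookie is authentic and unexpired, otherwise None."""
        body, _, mac = cookie.partition(".")
        expected = hmac.new(self.key, body.encode(), hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected.encode(), mac.encode()):
            return None                        # forged or tampered
        claims = json.loads(base64.urlsafe_b64decode(body))
        if claims["exp"] <= now:
            return None                        # expired: log on again
        return claims["u"]

    def handle(self, request: dict) -> dict:
        """request: {"path", "cookie"?, "form"?, "now"?}; returns a minimal response."""
        now = request.get("now", time.time())
        path = request["path"]
        form = request.get("form")
        if path == self.LOGIN_PATH and form:
            if self.store.validate_user(form.get("username", ""), form.get("password", "")):
                return {"status": 302, "location": form.get("return_url", "/"),
                        "set_cookie": self.issue_ticket(form["username"], now)}
            return {"status": 401, "body": "logon failed"}  # form is shown again
        cookie = request.get("cookie")
        user = self.read_ticket(cookie, now) if cookie else None
        if user is None:
            return {"status": 302, "location": f"{self.LOGIN_PATH}?ReturnUrl={path}"}
        return {"status": 200, "user": user}


def demo_flow() -> list:
    """Status codes of one walk through the flow: redirect to logon, failed
    logon, successful logon, authenticated request, tampered cookie."""
    store = MembershipStore()
    store.create_user("alice", "Pa55w.rd")                 # constructed account
    auth = FormsAuth(store, b"constructed-cookie-key", lifetime=600)
    page = "/sites/hr/default.aspx"
    r1 = auth.handle({"path": page, "now": 1000})
    r2 = auth.handle({"path": auth.LOGIN_PATH, "now": 1000,
                      "form": {"username": "alice", "password": "nope", "return_url": page}})
    r3 = auth.handle({"path": auth.LOGIN_PATH, "now": 1000,
                      "form": {"username": "alice", "password": "Pa55w.rd", "return_url": page}})
    r4 = auth.handle({"path": page, "cookie": r3["set_cookie"], "now": 1001})
    tampered = r3["set_cookie"][:-1] + ("0" if r3["set_cookie"][-1] != "0" else "1")
    r5 = auth.handle({"path": page, "cookie": tampered, "now": 1001})
    return [r["status"] for r in (r1, r2, r3, r4, r5)]
```

The properties worth noticing are the ones the description takes for granted: the credential store holds only salted, stretched hashes; the cookie's integrity, not its secrecy, is what stops a client from asserting another user's name, so the signing key must stay server-side; and the ticket expires, so a stolen cookie has a bounded life. A tampered or expired cookie simply leads back to the logon page.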

To enable forms-based authentication for an Office SharePoint Server 2007 Web site and add

users to the user account database, perform the following procedures.


Create a new site

1. On the home page of the SharePoint Central Administration Web site, click Application

Management.

2. On the Application Management page, in the SharePoint Web Application

Management section, click Create or extend Web application.

3. On the Create or Extend Web Application page, click Create a new Web application.

4. On the Create New Web Application page, in the Security Configuration section, make

sure NTLM is selected under Authentication provider. Also, select Yes under Allow

Anonymous.

5. Use the default entries to complete the new Web application creation procedure and click

OK.

At this point, you have created a new site placeholder. Use the following procedure to create a

site collection.

Create a site collection

1. On the top link bar, click Application Management.

2. On the Application Management page, in the SharePoint Site Management section,

click Create site collection.

3. On the Create Site Collection page, in the Web Application section, verify that the Web

application in which you want to create the site collection is selected.

If it is not, click Change Web Application on the Web Application menu. Then, on the

Select Web Application page, click the Web application in which you want to create the

site collection.

4. In the Title and Description section, type the title and description for the site collection.

5. In the Web Site Address section, under URL, select the path to use for your URL.

Note:

If you select a wildcard inclusion path, you must also type the site name to use in

the URL of your site. The paths available for the URL option are taken from the

list of managed paths that have been defined as wildcard inclusions.

6. In the Template Selection section, in the Select a template list, select the template that

you want to use for the top-level site in the site collection.

7. In the Primary Site Collection Administrator section, enter the user name (in the form

domain\username) for the user who will be the site collection administrator.

8. If you want to identify a user as the secondary owner of the new top-level Web site

(recommended), in the Secondary Site Collection Administrator section, enter the

user name for the secondary administrator of the site collection.

9. If you are using quotas to limit resource use for site collections, in the Quota Template

section, click a template in the Select a quota template list.

10. Click OK.


At this point, you have created a site collection. Use the following procedure to configure a forms-

based authentication provider.

Configure a forms-based authentication provider

1. On the home page of the SharePoint Central Administration Web site, click Application

Management.

2. On the Application Management page, in the SharePoint Web Application

Management section, click Web application list.

3. On the Web Application List page, double-click the new Web application that you created

in the previous procedure.

4. On the Application Management page, in the Application Security section, click

Authentication providers.

5. On the Authentication Providers page, click the zone name for the authentication provider

whose settings you want to configure.

6. On the Edit Authentication page, in the Authentication Type section, select Forms.

If you need to explicitly grant anonymous access to a site collection, in the Anonymous

Access section, select the Enable anonymous access check box for all sites within the

Web application. To disable anonymous access for all sites within the Web application,

clear the Enable anonymous access check box.

Note:

If you enable anonymous access here, anonymous access can still be denied at

the site collection level or at the site level. However, if you disable anonymous

access here, it is disabled at all levels within the Web application.

7. In the Membership Provider Name section, in the Membership provider name box,

type the name of the membership provider that you want to use.

Note:

If the Web application is going to support forms-based authentication, the

membership provider must be correctly configured in the Web.config file for the

IIS Web application that hosts SharePoint content on each Web server. The

membership provider must also be added to the Web.config file for the IIS Web

application that hosts Central Administration.

8. In the Client Integration section, under Enable Client Integration, make sure No is

selected, and then click Save.

If you select Yes, features that start client applications according to document types

will be enabled. This option will not work correctly with some types of forms-based

authentication.

If you select No, features that start client applications according to document types

will be disabled. Users will have to download documents and then upload them after

they make changes.


Notes

For forms-based authentication, client integration is disabled by default. When client

integration is disabled, links to client applications are not visible and documents cannot be

opened in client applications; documents can only be opened in a Web browser. However,

users can download documents, edit them in client applications locally, and then upload them

to the site.

Client integration is disabled by default when you use forms-based authentication. This is

because client integration does not natively support forms-based authentication. You might

be able to use many client integration features with forms-based authentication, and there are

workarounds available to implement varying levels of client integration functionality with

forms-based authentication. However, if published workarounds are inadequate, or if you find

unexpected issues using workarounds, we do not provide support and there are no product

changes to address these issues. If you plan to use client integration with forms-based

authentication, you must fully test any available solutions or workarounds to determine if the

performance and functionality are acceptable in your environment.

Product Support can provide commercially reasonable support to help you troubleshoot

published workarounds.

After a user provides credentials, the system issues a cookie that identifies the user. On

subsequent requests, the system first checks the cookie to see whether the user has already

been authenticated, so the user does not have to supply credentials again.

If the user has not selected the Remember me? box on the logon page, the credential

information is not cached on the client computer, and is valid only during the current session. This

is especially important in a scenario where users are connecting from public computers or kiosks,

where you would not want user credentials to be cached. Users are required to reauthenticate if

they close the browser, log off from a session, or navigate to another Web site. Also, you can

configure a maximum idle session time-out value to force reauthentication if a user is idle for a

prolonged period of time during a session.

Configure forms-based authentication across multiple zones

Implementing forms-based authentication can interfere with enterprise search functionality. To enable search across content authenticated using a custom authentication mechanism, you must have the Default zone configured to support NTLM authentication. The Office SharePoint Server 2007 search crawler polls zones in the following order:

Default zone

Intranet zone

Internet zone

Custom zone

Extranet zone


Note:

If you use forms-based authentication and the Office SharePoint Server 2007 search

crawler polls a zone that is configured to support Kerberos authentication, the Office

SharePoint Server 2007 search crawler will fail. If you use forms-based authentication

and the Office SharePoint Server 2007 search crawler polls a zone that is configured to

support basic or certificate authentication, you have to configure a crawl rule and provide

credentials or certificates in the Shared Services Provider (SSP) search settings. If a

crawl rule is not configured, the crawler will cycle through all of the zones until it finds a

zone that is configured with NTLM. If the crawler finds a zone configured with NTLM, the

crawl will succeed. If the crawler finds a zone configured with Kerberos or Digest

authentication, the crawl will fail and polling will stop.

Office SharePoint Server 2007 does not allow a Web application to work with the same provider

name across multiple zones. You can configure the Web.config file to use the same provider for

each zone; however, the name of the provider has to be unique for each zone.

For additional information on authentication mechanisms and samples for configuring forms-

based authentication with multiple providers, see Plan for authentication

(http://technet.microsoft.com/en-us/library/cc263434.aspx).

Configure forms-based authentication for My Sites Web applications

To plan a forms-based authentication implementation across your Office SharePoint Server 2007 deployment, you need to determine how to configure forms-based authentication to interoperate with My Sites Web applications. To ensure that forms-based authenticated users can perform people searches and create My Sites Web applications in an Office SharePoint Server 2007 farm, perform the following procedure:

1. Create a Web application with NTLM authentication configured for the Default zone. For

information about creating a Web application, see Create or extend Web applications.

2. Create an SSP. For information about creating an SSP, see Chapter overview: Create and

configure Shared Services Providers.

At this point, all the Web applications are extended to the Default zone, and the

authentication mechanism is configured as NTLM.


3. To ensure that the crawler can access the content, configure the extended content Web

application for forms-based authentication by selecting the Web application from the Web

Application list in Central Administration, as shown in the following figure:

4. Follow the link to Create or Extend Web Application and choose the option to extend a Web

application. Type in the details, such as choosing a port number where the new Web

application will be hosted in IIS, and choosing the zone that this extended Web application

will reside under.

The following figure shows the original Web application, which is always created in the

Default zone, and the extended Web application created under the Custom zone.

Each of the zones identifies the logical separation of access restrictions to the same content.

Note:

You cannot increase the number of zones.

5. Configure the membership provider name of the extended Web application for forms-based

authentication, as shown in the following figure.

After extending the content Web application to a different zone, you can configure

authentication providers and enable different authentication mechanisms using different


URLs. At this point, add a provider section in the Web.config file of the extended Web

application.

Note:

Adding the provider section in the Web.config file for the default zone will have no

impact on Office SharePoint Server 2007 awareness of the provider for the new

zone. Practically, the two zones are isolated from each other as far as IIS Web sites

are concerned, even though they will still share the same application pool.

6. Modify the authentication provider by following the link to the Authentication Providers page.

This page displays all of the zones on which the Web application has been extended. Select

the appropriate zone and configure the authentication provider. In the preceding example, the

authentication provider is configured as the PeopleDCLDAPMemberShipProvider for the

Custom zone.

7. Add the first administrative user who will have administrative access on all site collections

within the Web application. In this example, the content is the same and the site collections

are identical across all the extended zones (Default and Custom), even though the URLs are

different. When the Web application is first created, the application pool identity is granted

Full Read permissions on the Web application for all zones. For the Default zone, access is

controlled by the primary site collection administrator who was specified during the creation of

the site collection at the root of the Web application. For the extended zone, you have to add

a specific user with Full Control on the Web application to enable initial logon to the site

collections and to perform administrative tasks. To add a user, click Add Users on the Policy

for Web Application page, and select a zone. Run the People Picker and resolve the name of

the user.

Note:

The user will be added as provider:username because the People Picker will resolve

the user by using the provider configured in the Web.config file for the extended Web

application. Office SharePoint Server 2007 ignores the custom provider if All Zones

is selected in the Zone drop-down list. Therefore, it is very important to ensure that

the appropriate zone is selected.

8. After the user has been added, verify that forms-based authentication is functioning and

browse to the URL for the extended zone. In this example, the content Web application is in

the Default zone on port 2000 and is extended to the Custom zone on port 2001. Browse to

the extended port.

9. At this point, the forms-based authentication logon screen is displayed. Type the credentials

for the user you added earlier, and click Submit. You are then redirected to the Default.aspx

page of the site.

The Default.aspx page is very similar to a standard Default.aspx page of a default zone site.

However, in this example, the My Site creation link is not displayed. My Sites and personalization

are services provided by the Shared Services Provider (SSP). There is an existing SSP that

provides these services to this Web application. At this point in the procedure, the SSP is

unaware of the new user, whose credentials you used to log in. Because links are security


trimmed, they are not displayed and, in this example, the current user is not recognized by the

SSP. To correct this situation, enable the SSP for forms-based authentication, as described in the

following procedure.

Configure the SSP for forms-based authentication

To configure the Shared Services Provider (SSP) for forms-based authentication, extend the SSP administration Web application to map to the same zone as the content Web application. On the Manage this Farm's Shared Services page, the administration site host for the SSP is listed on port 80, and the SSP is only aware of NTLM authentication. To make the SSP aware of the custom provider, configure the SSP for forms-based authentication.

1. Extend the Web application on port 80 (the administration site host) to the same zone on

which the content Web application was extended, and then configure the extended Web

application for forms-based authentication.

Note:

Typically, users are not aware of this new Web application and this Web application

only provides forms-based authentication awareness to the SSP.

2. Browse to the new SSP administration site. After the administration Web application is forms-

based authentication enabled, you can point the browser to a URL such as

http://<server>:<extended port>/ssp/admin/default.aspx. This is similar to the URL for the

SSP administration site (with a different port number). However, now you are prompted for

credentials on the forms-based authentication logon page.

After you enter the credentials of the user that you added during the Add Users procedure on

the Policy for Web Application page, you are redirected to the Administration page.

Note:

If you try to browse to Personalization Services Permissions in the User Profiles and

My Sites section of the Shared Services Administration page, access is denied.

This is because the logged-on user does not have permissions to modify

personalization services permissions even though the forms-based authenticated

user has permissions to browse the site. To change this behavior, the user has to

have permissions explicitly provided in a different account, and the account itself has

to have permissions to modify personalization services permissions. In this example,

that configuration would be difficult to configure because you are currently browsing

using the one account that has been added with Full Control over the SSP. Users in

a Windows authenticated zone are the only ones who have permissions to edit

personalization services permissions. To enable forms-based authenticated users to

edit personalization services permissions, you must be logged on as a user in a

Windows authenticated zone.

3. Add permissions for personalization links by logging in to the SSP administration site using

the Default zone.


Note:

Make sure the welcome control displays the identity of the Windows user.

4. Browse to the Personalization Services Permissions page, and launch the People Picker.

5. Try resolving the forms-based authenticated user here. The People Picker will not resolve the

forms-based authenticated user because this zone is not aware that there is another provider

that can be queried to find these users.

6. To make this zone aware of the provider, modify the Web.config file for this zone and add the

same provider section that you added for enabling forms-based authentication.

Important:

In the Web.config file, do not set the defaultProvider attribute. If you set this

attribute, the People Picker and security trimmer will always use this provider to

resolve and authenticate users.

7. Browse back to the Personalization Services Permissions page and launch the People

Picker, which now resolves the forms-based authentication user and displays all users who

meet the same criteria.

8. Select a user and choose the permissions you want to assign to this user:

Create Personal Site: This permission is required to make the My Site link visible, and

enables users to create a My Site.

Use Personal Features: This permission enables users to access SSP and My Site

features.

Manage user profiles: This permission enables users to view and manage user profiles

from the Profile Store.

Manage Audiences: This permission enables users to manage audiences.

Manage Permissions: This permission enables permission management on an SSP.

Manage Usage Analytics: This permission enables users to manage and configure

usage analysis.

9. Click Save.
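As an added example (not part of the Office SharePoint Server 2007 documentation), the following Python script encodes the web.config rules this section states as checks over the zones of one Web application: the membership provider named in Central Administration must be present in that zone's web.config and in the Central Administration web.config, a provider name may be used by only one zone, and the <membership> element of a Windows-authenticated zone that carries the provider section for the People Picker must not set defaultProvider. The sample web.config fragments, the LDAP server name and the provider attributes are constructed placeholders; the provider type assumed is the LDAP membership provider that ships with Office SharePoint Server 2007.

```python
"""Cross-check forms-based authentication provider settings across the zones of a
Web application, following the rules stated in this section.
"""
import xml.etree.ElementTree as ET
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass
class Zone:
    name: str                        # zone label, e.g. "Default" or "Custom"
    auth_type: str                   # "Windows" or "Forms", as chosen on the Edit Authentication page
    ca_provider_name: Optional[str]  # Membership provider name typed in Central Administration
    web_config: str                  # contents of the zone's IIS Web application web.config


def _membership(config_xml: str) -> Optional[ET.Element]:
    """Return the <membership> element under <system.web>, or None if absent."""
    return ET.fromstring(config_xml).find("./system.web/membership")


def provider_names(config_xml: str) -> List[str]:
    """Names of all <add> entries under <membership><providers>."""
    membership = _membership(config_xml)
    if membership is None:
        return []
    return [add.get("name", "") for add in membership.findall("./providers/add")]


def default_provider(config_xml: str) -> Optional[str]:
    """Value of the defaultProvider attribute on <membership>, or None if not set."""
    membership = _membership(config_xml)
    return None if membership is None else membership.get("defaultProvider")


def check_zones(zones: List[Zone], central_admin_config: str) -> List[str]:
    """Return one finding per violated rule; an empty list means the zones are consistent."""
    findings: List[str] = []
    ca_providers = set(provider_names(central_admin_config))
    name_owner: Dict[str, str] = {}  # provider name -> zone that claims it
    for zone in zones:
        configured = set(provider_names(zone.web_config))
        if zone.auth_type == "Forms":
            name = zone.ca_provider_name
            if not name:
                findings.append(f"{zone.name}: Forms zone has no membership provider name set")
                continue
            # A Web application cannot use the same provider name in more than one zone.
            if name in name_owner:
                findings.append(f"{zone.name}: provider name {name!r} is already used by zone {name_owner[name]}")
            name_owner[name] = zone.name
            # The provider must be defined in the zone's own web.config ...
            if name not in configured:
                findings.append(f"{zone.name}: provider {name!r} is missing from the zone web.config")
            # ... and in the web.config of the Central Administration Web application.
            if name not in ca_providers:
                findings.append(f"{zone.name}: provider {name!r} is missing from the Central Administration web.config")
        else:
            # A Windows zone may carry the provider section so the People Picker can resolve
            # forms users, but defaultProvider must stay unset or every lookup will go to it.
            dp = default_provider(zone.web_config)
            if dp is not None:
                findings.append(f"{zone.name}: defaultProvider={dp!r} is set on <membership>; remove it")
    return findings


# --- Constructed sample configuration (placeholders, not taken from a real farm) ---------
LDAP_TYPE = ("Microsoft.Office.Server.Security.LDAPMembershipProvider, Microsoft.Office.Server, "
             "Version=12.0.0.0, Culture=neutral, PublicKeyToken=71e9bce111e9429c")


def _config(provider: Optional[str], default_provider_attr: Optional[str] = None) -> str:
    """Build a minimal web.config holding at most one LDAP membership provider."""
    attr = f' defaultProvider="{default_provider_attr}"' if default_provider_attr else ""
    add = ""
    if provider:
        add = (f'<add name="{provider}" type="{LDAP_TYPE}" server="ldap.example.test" port="389" '
               f'userNameAttribute="sAMAccountName" />')
    return (f"<configuration><system.web><membership{attr}><providers>{add}</providers>"
            f"</membership></system.web></configuration>")


def example_zones(default_provider_on_windows_zone: bool = False) -> List[Zone]:
    """Default (NTLM) zone plus a Custom zone extended for forms-based authentication."""
    provider = "PeopleDCLDAPMemberShipProvider"
    return [
        Zone("Default", "Windows", None,
             _config(provider, provider if default_provider_on_windows_zone else None)),
        Zone("Custom", "Forms", provider, _config(provider)),
    ]


CENTRAL_ADMIN_CONFIG = _config("PeopleDCLDAPMemberShipProvider")

if __name__ == "__main__":
    for zones in (example_zones(), example_zones(default_provider_on_windows_zone=True)):
        print(check_zones(zones, CENTRAL_ADMIN_CONFIG) or ["OK"])
```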

At this point, you can log back on to the Custom zone SSP site as a forms-based authenticated

user and add additional users. In addition, you can configure sets of permissions for these

additional users. After the user is enabled with the Create Personal Site permissions, the My Site

link will be displayed. You can browse to the Custom zone portal using the forms-based

authenticated user and note the Welcome control suite displays the My Site link. However,

clicking the link will not actually create a My Site. This is because the SSP still only refers to the

default zone for the My Site host, even though the SSP is extended on the Custom zone. The

Web application is not yet aware of the forms authenticated users. You can address this by

extending the My Site Web application and configuring it for forms-based authentication.

Because you can manually set the My Site host from within the SSP, it does not matter if the My

Site host is extended to a different zone than the SSP administration Web application. If you are

implementing a scenario in which these two zones have to be different, you can browse to the

SSP, using forms-based authentication, and manually set the My Site host. Browse to the SSP


administration Web site using forms-based authentication and then browse to the My Site

Settings page.

Now you can edit the personal site provider to point to the newly extended My Site Web

application. If you extend the My Site Web application onto the same zone as the SSP

administration Web application, Office SharePoint Server 2007 will automatically realign the My

Sites and this manual configuration is not necessary.

In addition, you can go to the content site, log on by using forms-based authentication, and create

a My Site for the forms-based authenticated user.

Configure user profiles and people search

To plan a forms-based authentication implementation across your Office SharePoint Server 2007 deployment, you need to determine how to configure forms-based authentication to interoperate with user profiles and people search. Office SharePoint Server 2007 imports user profiles using the active authentication provider. For people search to work with forms-based authentication, the user profiles have to be imported with the forms-based authentication provider. If the same set of users is imported using Windows authentication over the Default zone, and forms-based authentication over the Custom zone, profile import will import the same set of users at the same time, identifying them differently. For example, the user "domain\user1" is treated differently from the user "provider:user1". This is true even though all of the properties are identical, including the source from which they were imported. It is the provider that differentiates the two users and treats them as two different users.

Assuming that you have already configured the SSP administration Web application to work with

forms-based authentication, perform the following procedures to enable people search. Make

sure that the SSP administration Web application is extended and correctly configured to use

forms-based authentication. In addition, note that the administrative user should be explicitly

assigned permission to manage user profiles from the Personalization Service Permissions page.

1. To configure a user profile import, browse to the SSP administration site for the Custom zone. Because this has already been configured with forms-based authentication, you can log on using the credentials of the administrative user.

2. Click User Profiles and Properties and configure a new import connection.

The available options are Active Directory, LDAP Directory, Active Directory Resource, and

Business Data Catalog. In this example, because the source is a user store on a domain, an

LDAP directory is selected as the connection type.

3. Populate the connection name and the name of the LDAP server, as defined in the provider

section.

4. Type the provider name, as listed in the Web.config file, and the user name attribute from the

provider section. The rest of the information should be filled in automatically.

5. Start the import using the newly added import connection.


6. Verify that the profiles are imported by clicking View User Profiles, as shown in the following

figure:

After the import is performed, the user profile store in Office SharePoint Server 2007 is updated with the new profiles. To enable people search, perform the next step.

7. Initiate a crawl of the people content source. When the crawl is complete, you will be able to

perform a people search on the forms-based authentication site.


Configure Web SSO authentication by using ADFS

In this section:

About federated authentication systems

Before you begin

Configuring your extranet Web application to use Web SSO authentication

Allowing users access to your extranet Web site

Working with the People Picker

Working with E-mail and UPN claims

Working with groups and organizational group claims

About federated authentication systems

Microsoft Office SharePoint Server 2007 provides support for federated authentication scenarios where the authentication system is not local to the computer that hosts Office SharePoint Server 2007. Federated authentication systems are also known as Web single sign-on (SSO) systems. With Active Directory Federation Services (ADFS), people in one company can access servers hosted by a different company by using their existing Active Directory accounts. ADFS also establishes a trust relationship between the two companies and a seamless one-time logon experience for end users. ADFS relies on 302 redirects to authenticate end users. Users are issued an authentication token (cookie) after they are authenticated.

Before you begin

Before you use ADFS to configure Web SSO authentication for your extranet Web application, you should become familiar with the following resources:

Microsoft SharePoint Products and Technologies Team Blog entry about configuring multiple

authentication providers (http://blogs.msdn.com/sharepoint/archive/2006/08/16/configuring-

multiple-authentication-providers-for-sharepoint-2007.aspx).

Step-by-Step Guide for Active Directory Federation Services

(http://go.microsoft.com/fwlink/?LinkId=145396). The server names and examples used in

this section are based on this step-by-step guide, which describes setting up ADFS in a small

lab environment. In this environment, a new server named Trey-SharePoint is joined to the

Trey Research forest. Follow the steps in the step-by-step guide to configure your ADFS

infrastructure. However, because this section describes how to configure Office SharePoint

Server 2007 in a claims-aware application mode, you do not have to implement all the steps

for building Windows NT token agent applications that are described in the step-by-step

guide.


Note:

When you use the People Picker to add users to Windows SharePoint Services 3.0,

Windows SharePoint Services 3.0 validates the users against the provider, which in this

example is ADFS. Therefore, you should configure the Federation Server before you

configure Windows SharePoint Services 3.0.

Important:

The setup process has been captured in a VBScript file that you can use to configure

Office SharePoint Server 2007 to use ADFS for authentication. This script file is

contained in the file (SetupSharePointADFS.zip) and is available on the Microsoft

SharePoint Products and Technologies blog, listed in the Attachments section. For more

information, see the blog page A script to configure SharePoint to use ADFS for

authentication (http://go.microsoft.com/fwlink/?LinkId=113894).

Configuring your extranet Web application to use Web SSO authentication

1. Install the Web Agent for Claims Aware Applications.

2. Download and install the hot fix for ADFS described in The role provider and the membership provider cannot be called from Windows SharePoint Services 3.0 on a Windows Server 2003 R2-based computer that is running ADFS and Microsoft Windows SharePoint Services 3.0 (http://go.microsoft.com/fwlink/?LinkId=145397). This hot fix will be included in Windows Server 2003 Service Pack 2 (SP2).

3. Install Office SharePoint Server 2007, configure all the services and servers in the farm, and

then create a new Web application. By default, this Web application will be configured to use

Windows authentication, and it will be the entry point through which your intranet users will

access the site. In the example used in this section, the site is named http://trey-moss.

4. Extend the Web application that you created in step 3 in another zone. On the Application Management page in the SharePoint Central Administration Web site, click Create or Extend Web Application, click Extend an existing Web Application, and then do the following:

a. Add a host header. This is the DNS name by which the site will be known to users in the

extranet. In this example, the name is extranet.treyresearch.net.

b. Change the zone to Extranet.

c. Give the site a host header name that you will configure in DNS for your extranet users to

resolve against.

d. Click Use Secure Sockets Layer (SSL), and change the port number to 443. ADFS

requires that sites be configured to use SSL.

e. In the Load Balanced URL box, delete the text string :443. Internet Information Services

(IIS) will automatically use port 443 because you specified the port number in the

previous step.

f. Complete the rest of the steps on the page to finish extending the Web application.


5. On the Alternate Access Mappings (AAM) page, verify that the URLs resemble the following

table.

Internal URL                        Zone       Public URL for Zone
http://trey-moss                    Default    http://trey-moss
https://extranet.treyresearch.net   Extranet   https://extranet.treyresearch.net

6. Add an SSL certificate to the Extranet Web Site in IIS. Make sure that this SSL certificate is

issued to extranet.treyresearch.net, because this is the name that clients will use when they

access the sites.

7. Configure the Authentication provider for the extranet zone on your Web application to use

Web SSO by doing the following:

a. On the Application Management page of your farm’s Central Administration site, click

Authentication Providers.

b. Click Change in the upper-right corner of the page, and then select the Web application

on which you want to enable Web SSO.

c. In the list of two zones that are mapped for this Web application (both of which should

say Windows), click the Windows link for the Extranet zone.

d. In the Authentication Type section, click Web Single Sign On.

e. In the Membership provider name box, type

SingleSignOnMembershipProvider2

Make a note of this value; you will be adding it to the name element of the <membership>

section in the web.config files that you will edit later in this procedure.

f. In the Role manager name box, type

SingleSignOnRoleProvider2

Make a note of this value; you will be adding it to the name element of the

<roleManager> section in the web.config files you will edit later in this procedure.

g. Make sure the Enable Client Integration setting is set to No.

h. Click Save.

Your extranet Web application is now configured to use Web SSO. However, at this point, the site

will be inaccessible because no one has permissions to it. The next step is to assign permissions

to users so that they can access this site.

Note:

After selecting WebSSO as the Authentication Provider, Anonymous Authentication will

be automatically enabled for the SharePoint site in IIS (no user action is required). This

setting is required for the site to allow access using only claims.


Allowing users access to your extranet Web site

1. Use a text editor to open the web.config file for the Web site on the default zone that is using Windows authentication.

2. Add the following entry anywhere in the <system.web> node.

    <membership>
      <providers>
        <add name="SingleSignOnMembershipProvider2"
             type="System.Web.Security.SingleSignOn.SingleSignOnMembershipProvider2, System.Web.Security.SingleSignOn.PartialTrust, Version=1.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35"
             fs="https://fs-server/adfs/fs/federationserverservice.asmx" />
      </providers>
    </membership>
    <roleManager enabled="true" defaultProvider="AspNetWindowsTokenRoleProvider">
      <providers>
        <remove name="AspNetSqlRoleProvider" />
        <add name="SingleSignOnRoleProvider2"
             type="System.Web.Security.SingleSignOn.SingleSignOnRoleProvider2, System.Web.Security.SingleSignOn.PartialTrust, Version=1.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35"
             fs="https://fs-server/adfs/fs/federationserverservice.asmx" />
      </providers>
    </roleManager>

3. Change the value for fs-server to reflect your resource Federation Server

(adfsresource.treyresearch.net). Ensure that you entered the correct membership provider

and the role manager names on the Central Administration Authentication Providers page.

When this entry is added to web.config, the People Picker on the default zone site that is

using Windows authentication is able to know about the ADFS providers and, therefore, can

resolve the ADFS claims. This enables you to grant permissions to the ADFS claims on your

Web site.

4. Grant ADFS claims access to the site by doing the following:

a. Navigate to the Web site on the default zone that uses Windows authentication as an

administrator of the site.

b. Click the Site Actions menu, point to Site Settings, and then click Advanced

Permissions.

c. Click New, and then click Add Users.

Page 346: AF010163853

330

d. To add a user claim, specify their e-mail address or User Principal Name in the

Users/Groups section. If both UPN and e-mail claims are sent from the federation

server, then SharePoint will use UPN to verify against the MembershipProvider.

Therefore, if you want to use e-mail, you will have to disable the UPN claim in your

federation server. See ―Working with UPN and e-mail Claims‖ for more information.

e. To add a group claim, type the name of the claim you want the SharePoint site to use in

the Users/Groups section. For example, create an organizational group claim named

Adatum Contributers on the Federation Server. Add the claim name Adatum

Contributers to the Sharepoint site as you would a Windows user or group. You can

assign this claim Home Members [Contribute], and then any user who accesses the

SharePoint site by using this group claim will have Contributor access to the site.

f. Select the appropriate permission level or SharePoint group.

g. Click OK.

5. Use the text editor of your choice to open the web.config file for the extranet site, and add the following entry in the <configSections> node.

<sectionGroup name="system.web">
  <section name="websso"
    type="System.Web.Security.SingleSignOn.WebSsoConfigurationHandler, System.Web.Security.SingleSignOn, Version=1.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35, Custom=null" />
</sectionGroup>

6. Add the following entry to the <httpModules> node.

<add name="Identity Federation Services Application Authentication Module"
  type="System.Web.Security.SingleSignOn.WebSsoAuthenticationModule, System.Web.Security.SingleSignOn, Version=1.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35, Custom=null" />

Note:
The ADFS authentication module should always be specified after the SharePoint SPRequest module in the <httpModules> node of the web.config file. It is safest to add it as the last entry in that section.

7. Add the following entry anywhere under the <system.web> node.

<membership defaultProvider="SingleSignOnMembershipProvider2">
  <providers>
    <add name="SingleSignOnMembershipProvider2"
      type="System.Web.Security.SingleSignOn.SingleSignOnMembershipProvider2, System.Web.Security.SingleSignOn.PartialTrust, Version=1.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35" />
  </providers>
</membership>
<roleManager enabled="true" defaultProvider="SingleSignOnRoleProvider2">
  <providers>
    <add name="SingleSignOnRoleProvider2"
      type="System.Web.Security.SingleSignOn.SingleSignOnRoleProvider2, System.Web.Security.SingleSignOn.PartialTrust, Version=1.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35" />
  </providers>
</roleManager>
<websso>
  <authenticationrequired />
  <auditlevel>55</auditlevel>
  <urls>
    <returnurl>https://your_application</returnurl>
  </urls>
  <fs>https://fs-server/adfs/fs/federationserverservice.asmx</fs>
  <isSharePoint />
</websso>

Note:
Change the value for fs-server to your Federation Server computer, and change the value of your_application to reflect the URL of your extranet Web application.

8. Browse to the https://extranet.treyresearch.net Web site as an ADFS user who has permissions to the extranet Web site.
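As an added check that is not part of the Microsoft guide, the following Python script parses an extranet web.config edited according to steps 5 through 7 and reports the mistakes this procedure is prone to: a defaultProvider that names no registered provider, the ADFS module registered ahead of SPRequest, and placeholder or non-HTTPS values left in the websso section. The web.config it builds is a constructed sample, and the SPRequest module type name is assumed from the web.config that SharePoint ships.

```python
# Added example (not part of the Microsoft guide): lint an extranet web.config
# edited for ADFS Web SSO according to steps 5-7 above.
import xml.etree.ElementTree as ET

MEMBERSHIP = "SingleSignOnMembershipProvider2"      # provider names used in the guide
ROLE = "SingleSignOnRoleProvider2"
WEBSSO_MODULE = "System.Web.Security.SingleSignOn.WebSsoAuthenticationModule"
SPREQUEST_MODULE = "Microsoft.SharePoint.ApplicationRuntime.SPRequestModule"  # assumed SharePoint type
PLACEHOLDERS = ("fs-server", "your_application")     # values the guide tells you to replace
ASM = "Version=1.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35"


def sample_web_config(adfs_module_last=True,
                      fs="https://adfsresource.treyresearch.net/adfs/fs/federationserverservice.asmx"):
    """Constructed, abbreviated web.config carrying the entries from steps 5-7."""
    sp = f'<add name="SPRequest" type="{SPREQUEST_MODULE}, Microsoft.SharePoint" />'
    adfs = ('<add name="Identity Federation Services Application Authentication Module" '
            f'type="{WEBSSO_MODULE}, System.Web.Security.SingleSignOn, {ASM}, Custom=null" />')
    modules = sp + adfs if adfs_module_last else adfs + sp
    return f"""<configuration>
  <configSections>
    <sectionGroup name="system.web">
      <section name="websso" type="System.Web.Security.SingleSignOn.WebSsoConfigurationHandler, System.Web.Security.SingleSignOn, {ASM}, Custom=null" />
    </sectionGroup>
  </configSections>
  <system.web>
    <httpModules>{modules}</httpModules>
    <membership defaultProvider="{MEMBERSHIP}">
      <providers><add name="{MEMBERSHIP}" type="System.Web.Security.SingleSignOn.{MEMBERSHIP}, System.Web.Security.SingleSignOn.PartialTrust, {ASM}" /></providers>
    </membership>
    <roleManager enabled="true" defaultProvider="{ROLE}">
      <providers><add name="{ROLE}" type="System.Web.Security.SingleSignOn.{ROLE}, System.Web.Security.SingleSignOn.PartialTrust, {ASM}" /></providers>
    </roleManager>
    <websso>
      <authenticationrequired />
      <auditlevel>55</auditlevel>
      <urls><returnurl>https://extranet.treyresearch.net</returnurl></urls>
      <fs>{fs}</fs>
      <isSharePoint />
    </websso>
  </system.web>
</configuration>"""


def check_web_config(xml_text):
    """Return a list of findings; an empty list means every check passed."""
    findings = []
    root = ET.fromstring(xml_text)
    sw = next((c for c in root if c.tag == "system.web"), None)
    if sw is None:
        return ["no <system.web> node"]
    # 1. The websso section can only be read if <configSections> declares it (step 5).
    if root.find("configSections/sectionGroup[@name='system.web']/section[@name='websso']") is None:
        findings.append("websso section not declared in <configSections>")
    # 2. The default membership/role provider must be one that is actually registered (step 7).
    for node, expected in (("membership", MEMBERSHIP), ("roleManager", ROLE)):
        el = sw.find(node)
        if el is None:
            findings.append(f"<{node}> missing")
        elif el.get("defaultProvider") != expected:
            findings.append(f"<{node}> defaultProvider is not {expected}")
        elif expected not in [p.get("name") for p in el.findall("providers/add")]:
            findings.append(f"{expected} is not registered under <{node}>")
    rm = sw.find("roleManager")
    if rm is not None and rm.get("enabled", "").lower() != "true":
        findings.append("<roleManager> is not enabled")
    # 3. Module order: the guide's note puts the ADFS module after SPRequest (step 6).
    types = [m.get("type", "").split(",")[0].strip() for m in sw.findall("httpModules/add")]
    if WEBSSO_MODULE not in types:
        findings.append("WebSsoAuthenticationModule not registered in <httpModules>")
    elif SPREQUEST_MODULE in types and types.index(WEBSSO_MODULE) < types.index(SPREQUEST_MODULE):
        findings.append("WebSsoAuthenticationModule is registered before SPRequest")
    # 4. websso URLs: placeholders replaced, and HTTPS only (the token is posted back to returnurl).
    ws = sw.find("websso")
    if ws is None:
        findings.append("<websso> section missing")
        return findings
    for path in ("fs", "urls/returnurl"):
        el = ws.find(path)
        value = (el.text or "").strip() if el is not None else ""
        if not value:
            findings.append(f"<websso>/<{path}> is empty")
        elif any(p in value for p in PLACEHOLDERS):
            findings.append(f"<websso>/<{path}> still contains a placeholder: {value}")
        elif not value.lower().startswith("https://"):
            findings.append(f"<websso>/<{path}> is not HTTPS: {value}")
    return findings
```

Run check_web_config() over the real file contents after editing; the membership and roleManager checks apply equally to the stsadm.exe.config described later under "Working with the People Picker".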

About using Central Administration

You can also use Central Administration policy to grant rights to ADFS users, but it is best not to use that method for the following reasons:

- Granting rights by policy is a very coarse operation. It allows the user (or group) to have the same set of rights in every Web site, in every site collection on the whole Web application. It should be used very judiciously; in this particular scenario, we can grant access to ADFS users without using this method.

- After the sites are being used in an extranet environment, it is very likely that the internal users will be responsible for granting access to sites and content. Because only the farm administrators have access to the Central Administration site, it makes the most sense that internal users can add ADFS claims from the default zone site that is using Windows authentication.

- As you extend Web applications by using different providers, you can configure one or more of them to be able to find users and groups from the various providers that you are using on that Web application. In this scenario, we configured our site that uses Windows authentication in a way that allows users of that site to select other Windows users, Windows groups, and ADFS claims, all from one site.

Working with the People Picker

The People Picker cannot perform wildcard searches when searching for roles. If you have a Web SSO role provider role named Readers, and you type Read in the People Picker search dialog box, it will not find your claim. If you type Readers, it will. This is not a bug; you simply cannot perform wildcard searching by using the role provider.

Command-line executable files like stsadm.exe will not be able to resolve the ADFS claims by default. For example, you might want to add a new user to the extranet site by using the stsadm.exe -o adduser command. To enable Stsadm (or another executable file) to resolve users, create a new config file by doing the following:

Create a new file named stsadm.exe.config in the same directory where stsadm.exe is located (%programfiles%\Common Files\Microsoft Shared Debug\Web Server Extensions\12\BIN). Add the following entry in the stsadm.exe.config file:

<configuration>
  <system.web>
    <membership defaultProvider="SingleSignOnMembershipProvider2">
      <providers>
        <add name="SingleSignOnMembershipProvider2"
          type="System.Web.Security.SingleSignOn.SingleSignOnMembershipProvider2, System.Web.Security.SingleSignOn.PartialTrust, Version=1.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35"
          fs="https://fs-server/adfs/fs/federationserverservice.asmx" />
      </providers>
    </membership>
    <roleManager enabled="true" defaultProvider="SingleSignOnRoleProvider2">
      <providers>
        <add name="SingleSignOnRoleProvider2"
          type="System.Web.Security.SingleSignOn.SingleSignOnRoleProvider2, System.Web.Security.SingleSignOn.PartialTrust, Version=1.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35"
          fs="https://fs-server/adfs/fs/federationserverservice.asmx" />
      </providers>
    </roleManager>
  </system.web>
</configuration>

Note:
Change the value of fs-server to your resource Federation Server (adfsresource.treyresearch.net).

Working with E-mail and UPN claims

To configure whether or not the Federation Server is enabled to send e-mail or UPN claims to Office SharePoint Server 2007, perform the following procedure.

1. From Administrative Tools on your Federation Server, open the ADFS snap-in.

Note:
You can also open the ADFS snap-in by typing ADFS.MSC in the Run dialog box.

2. Select your Office SharePoint Server 2007 application node (your application should already be added to the list of nodes).

3. In the claims list on the right, right-click E-mail, and select Enable or Disable.

4. In the claims list on the right, right-click UPN, and select Enable or Disable.

Note:
If both UPN and E-mail are enabled, Office SharePoint Server 2007 will use UPN to perform user claim verification. Therefore, when configuring Office SharePoint Server 2007, be careful about which user claim you enter. Also note that the UPN claim will only work consistently if the UPN suffixes and the e-mail suffixes that are accepted by the Federation Server are identical, because the membership provider is e-mail based. Because of this complexity in configuring UPN claims, e-mail is the recommended user claim setting for membership authentication.

Working with groups and organizational group claims

In Office SharePoint Server 2007, rights can be assigned to Active Directory groups by adding them to a SharePoint group or directly to a permission level. The level of permissions a given user has on a site is calculated based on the Active Directory groups the user is a member of, the SharePoint groups the user belongs to, and any permission levels that the user has been directly added to.

When you use ADFS as a role provider in Office SharePoint Server 2007, the process is different. There is no way for the Web SSO provider to directly resolve an Active Directory group; instead, it resolves groups by using organizational group claims. When you use ADFS with Office SharePoint Server 2007, you must create a set of organizational group claims in ADFS. You can then associate multiple Active Directory groups with an ADFS organizational group claim.

For group claims to work with the latest version of ADFS, you need to edit the web.config file for the ADFS application in IIS on your ADFS server. Open the web.config file and add <getGroupClaims /> to the <FederationServerConfiguration> node inside the <system.web> node, as shown in the following example.

<configuration>
  <system.web>
    <FederationServerConfiguration>
      <getGroupClaims />
    </FederationServerConfiguration>
  </system.web>
</configuration>

In the Adatum (Account Forest), do the following:

1. Create an Active Directory group named Trey SharePoint Readers.
2. Create an Active Directory group named Trey SharePoint Contributors.
3. Add Alansh to the Readers group and Adamcar to the Contributors group.
4. Create an organizational group claim named Trey SharePoint Readers.
5. Create an organizational group claim named Trey SharePoint Contributors.
6. Right-click the Active Directory account store, and then click New Group Claim Extraction.
   a. Select the Trey SharePoint Readers organizational group claim, and then associate it with the Trey SharePoint Readers Active Directory group.
   b. Repeat step 6, and then associate the Trey SharePoint Contributors organizational group claim with the Trey SharePoint Contributors Active Directory group.
7. Right-click the Trey Research Account Partner, and then create the outgoing claim mappings:
   a. Select the Trey SharePoint Reader claim, and then map to outgoing claim adatum-trey-readers.
   b. Select the Trey SharePoint Contributor claim, and then map to outgoing claim adatum-trey-contributors.

Note:
The claim mapping names must be agreed on between the organizations, and they must match exactly.

On the Trey Research side, start ADFS.MSC, and then do the following:

1. Create an organizational group claim named Adatum SharePoint Readers.
2. Create an organizational group claim named Adatum SharePoint Contributors.
3. Create incoming group mappings for your claims:
   a. Right-click the Adatum account partner, and then click Incoming Group Claim Mapping.
   b. Select Adatum SharePoint Readers, and then map it to the incoming claim name adatum-trey-readers.
   c. Select Adatum SharePoint Contributors, and then map it to the incoming claim name adatum-trey-contributors.
4. Right-click the Office SharePoint Server 2007 Web application, and then click Enable on both the Reader and Contributor claims.

Browse to the http://trey-moss site on the Trey Research side as the site administrator, and then do the following:

1. Click the Site Actions menu, point to Site Settings, and then click People and Groups.
2. If it is not already selected, click the Members group for your site.
3. Click New, and then click Add Users on the toolbar.
4. Click the address book icon next to the Users/Groups box.
5. In the Find box in the People Picker dialog box, type Adatum SharePoint Readers. In the Give Permission section, select SharePoint group homeVisitors [Readers].
6. In the Find box, type Adatum SharePoint Contributors. In the Give Permission section, select SharePoint group homeMembers [Contribute].

Configure Kerberos authentication

In this section:

- About Kerberos authentication
- Before you begin
- Configure Kerberos authentication for SQL communications
- Configure Internet Explorer to include port numbers in Service Principal Names
- Create Service Principal Names for your Web applications using Kerberos authentication
- Deploy the server farm
- Configure services on servers in your farm
- Create Web applications using Kerberos authentication
- Create a site collection using the Collaboration Portal template in the portal site Web application
- Create a Shared Services Provider for your farm
- Confirm successful access to the Web applications using Kerberos authentication
- Confirm correct Search Indexing functionality
- Confirm correct Search Query functionality
- Configure your SSP infrastructure for Kerberos authentication
  - Register new custom-format SPNs for your SSP service account in Active Directory
  - Run the Stsadm command-line tool to set the SSP infrastructure to use Kerberos authentication
  - Add a new registry key to all of your servers running Office SharePoint Server to enable generation of the new custom-format SPNs
  - Confirm Kerberos authentication for root-level shared services access
  - Confirm Kerberos authentication for virtual-directory-level shared services access
- Configuration limitations
- Additional resources and troubleshooting guidance

About Kerberos authentication

Kerberos is a secure protocol that supports ticketing authentication. A Kerberos authentication server grants a ticket in response to a client computer authentication request, if the request contains valid user credentials and a valid Service Principal Name (SPN). The client computer then uses the ticket to access network resources. To enable Kerberos authentication, the client and server computers must have a trusted connection to the domain Key Distribution Center (KDC). The KDC distributes shared secret keys to enable encryption. The client and server computers must also be able to access Active Directory directory services. For Active Directory, the forest root domain is the center of Kerberos authentication referrals.

To deploy a server farm running Microsoft Office SharePoint Server 2007 using Kerberos authentication, you must install and configure a variety of applications on your computers. This section describes an example server farm running Office SharePoint Server 2007 and provides guidance for deploying and configuring the farm to use Kerberos authentication to support the following functionality:

- Communication between Office SharePoint Server 2007 and Microsoft SQL Server database software.
- Access to the SharePoint Central Administration Web application.
- Access to other Web applications, including a portal site Web application, a My Site Web application, and an SSP Administration site Web application.
- Access to the shared services for the Office SharePoint Server 2007 Web applications in the Office SharePoint Server 2007 Shared Services Provider (SSP) infrastructure.

Before you begin

This section is intended for administrative-level personnel who have an understanding of the following:

- Windows Server 2003
- Active Directory
- Internet Information Services (IIS) 6.0 (or IIS 7.0)
- Windows SharePoint Services 3.0
- Office SharePoint Server 2007
- Windows Internet Explorer
- Kerberos authentication, as implemented in Active Directory for Windows Server 2003
- Network Load Balancing (NLB) in Windows Server 2003
- Computer accounts in an Active Directory domain
- User accounts in an Active Directory domain
- IIS Web sites and their bindings and authentication settings
- IIS application pool identities for IIS Web sites
- The SharePoint Products and Technologies Configuration Wizard
- Windows SharePoint Services 3.0 and Office SharePoint Server 2007 Web applications
- Central Administration pages
- Service principal names (SPNs) and how to configure them in an Active Directory domain

Important:
To create SPNs in an Active Directory domain, you must have domain administrative-level permissions.

Kerberos authentication for the SSP infrastructure in Office SharePoint Server 2007 requires the installation of the Infrastructure Update for Microsoft Office Servers.

Note:
An SSP is a logical grouping of a common set of services and service data that can be provided to Web applications and their associated Web sites. An SSP infrastructure enables the sharing of services across server farms, Web applications, and site collections. The Office Server Web Services Web site is the SSP infrastructure. The SSP infrastructure exists on any server running Office SharePoint Server 2007 that is deployed using the Complete installation option. Kerberos authentication does not work with the Office Server Web Services Web site unless the Infrastructure Update for Microsoft Office Servers is installed.

This section does not provide an in-depth examination of Kerberos authentication. Kerberos is an industry-standard authentication method that is implemented in Active Directory.

This section does not provide detailed, step-by-step instructions for installing Office SharePoint Server 2007 or using the SharePoint Products and Technologies Configuration Wizard.

This section does not provide detailed, step-by-step instructions for using Central Administration to create Office SharePoint Server 2007 Web applications.

Software version requirements

The guidance provided in this section, and the testing performed to confirm this guidance, are based on results using systems running Windows Server 2003 and Internet Explorer with the latest updates applied from the Windows Update site (http://go.microsoft.com/fwlink/?LinkID=101614&clcid=0x409). The following software versions were installed:

- Windows Server 2003 Service Pack 2 (SP2) with the latest updates from the Windows Update site (http://go.microsoft.com/fwlink/?LinkID=101614&clcid=0x409)
- Windows Internet Explorer 7, version 7.0.5730.11
- The released version of Office SharePoint Server 2007

You should also make sure that your Active Directory domain controllers are running Windows Server 2003 SP2 with the latest updates applied from the Windows Update site (http://go.microsoft.com/fwlink/?LinkID=101614&clcid=0x409).

Known issues

Kerberos authentication cannot be configured to work with the SSP infrastructure in Office SharePoint Server 2007 unless the Infrastructure Update for Microsoft Office Servers is installed. Therefore, if you do not have the Infrastructure Update for Microsoft Office Servers installed, disregard the guidance in this section for configuring Kerberos authentication for the SSP infrastructure.

Office SharePoint Server 2007 can crawl Web applications configured to use Kerberos authentication if those Web applications are hosted on IIS virtual servers that are bound to default ports (TCP port 80 and Secure Sockets Layer (SSL) port 443). However, Office SharePoint Server 2007 Search cannot crawl Office SharePoint Server 2007 Web applications that are configured to use Kerberos authentication if the Web applications are hosted on IIS virtual servers that are bound to non-default ports (ports other than TCP port 80 and SSL port 443). Currently, Office SharePoint Server 2007 Search can only crawl Office SharePoint Server 2007 Web applications hosted on IIS virtual servers bound to non-default ports that are configured to use either NTLM authentication or Basic authentication.

For end-user access using Kerberos authentication, if you need to deploy Web applications that can only be hosted on IIS virtual servers that are bound to non-default ports, and if you want end users to get search query results, then:

- The same Web applications must be hosted on other IIS virtual servers on non-default ports.
- The Web applications must be configured to use either NTLM or Basic authentication.
- Search Indexing must crawl the Web applications using NTLM or Basic authentication.

This section provides guidance for:

- Configuring the Central Administration Web application using Kerberos authentication hosted on an IIS virtual server bound to non-default ports.
- Configuring portal and My Site applications, and shared services using Kerberos authentication hosted on IIS virtual servers bound to default ports and with an IIS host header binding.
- Ensuring that Search Indexing successfully crawls Office SharePoint Server 2007 Web applications using Kerberos authentication.
- Ensuring that users accessing Kerberos-authenticated Web applications can successfully get search query results for those Web applications.
- Configuring Kerberos authentication for the SSP infrastructure (if the Infrastructure Update for Microsoft Office Servers is installed).

Additional background

It is important to understand that when you use Kerberos authentication, accurate authentication functionality is dependent in part on the behavior of the client that is attempting to authenticate using Kerberos. In an Office SharePoint Server 2007 farm deployment using Kerberos authentication, Office SharePoint Server 2007 is not the client. Before you deploy a server farm running Office SharePoint Server 2007 using Kerberos authentication, you must understand the behavior of the following clients:

- The browser (in the context of this section, the browser is always Windows Internet Explorer).
- The Microsoft .NET Framework.

The browser is the client used when browsing to a Web page in an Office SharePoint Server 2007 Web application. When Office SharePoint Server 2007 performs tasks such as crawling the local Office SharePoint Server 2007 content sources or making calls to the SSP infrastructure, the .NET Framework is functioning as the client.

For Kerberos authentication to work correctly, you must create SPNs in Active Directory. If the services to which these SPNs correspond are listening on non-default ports, the SPNs should include port numbers. This is to ensure that the SPNs are meaningful. It is also required to prevent the creation of duplicate SPNs.

When a client (Internet Explorer or the .NET Framework) attempts to access a resource using Kerberos authentication, the client must construct an SPN to be used as part of the Kerberos authentication process. If the client does not construct an SPN that matches the SPN that is configured in Active Directory, Kerberos authentication will fail, usually with an "access denied" error.

There are versions of Internet Explorer that do not construct SPNs with port numbers. If you are using Office SharePoint Server 2007 Web applications that are bound to non-default port numbers in IIS, you might have to direct Internet Explorer to include port numbers in the SPNs that it constructs. In a farm running Office SharePoint Server 2007, the Central Administration Web application is hosted, by default, in an IIS virtual server that is bound to a non-default port. Therefore, this section addresses both IIS port-bound and IIS host-header-bound Web sites, and it provides a link to instructions for directing Internet Explorer to include port numbers in SPNs.

In a farm running Office SharePoint Server 2007, by default the .NET Framework does not construct SPNs that contain port numbers. This is the reason why Search cannot crawl Web applications using Kerberos authentication if those Web applications are hosted on IIS virtual servers that are bound to non-default ports. It is also the reason why Kerberos authentication cannot be correctly configured and made to work for the SSP infrastructure unless the Infrastructure Update for Microsoft Office Servers is installed.

Server farm topology

This section targets the following Office SharePoint Server 2007 server farm topology:

- Two computers running Windows Server 2003 that are acting as front-end Web servers, with Windows NLB configured.
- Three computers running Windows Server 2003 that are acting as application servers. One of the application servers hosts the Central Administration Web application. The second application server is running Search Query, and the third application server is running Search Indexing.
- One computer running Windows Server 2003 that is used as the SQL host for the farm running Office SharePoint Server 2007. For the scenario described in this section, you can use either Microsoft SQL Server 2000 SP4 or Microsoft SQL Server 2005 SP2.

This section provides guidance for configuring one SSP in the farm.

Active Directory, computer naming, and NLB conventions

The scenario described in this section uses the following Active Directory, computer-naming, and NLB conventions:

Server role | Domain name
Active Directory | mydomain.net
A front-end Web server running Office SharePoint Server 2007 | mossfe1.mydomain.net
A front-end Web server running Office SharePoint Server 2007 | mossfe2.mydomain.net
Office SharePoint Server 2007 Central Administration | mossadmin.mydomain.net
Search Indexing running Office SharePoint Server 2007 | mosscrawl.mydomain.net
Search Query running Office SharePoint Server 2007 | mossquery.mydomain.net
SQL Server host running Office SharePoint Server 2007 | mosssql.mydomain.net

An NLB VIP is assigned to mossfe1.mydomain.net and mossfe2.mydomain.net as a result of configuring NLB on these systems. A set of DNS host names that point to this address is registered in your DNS system. For example, if your NLB VIP is 192.168.100.200, you have a set of DNS records that resolve the following DNS names to this IP address (192.168.100.200):

- kerbportal.mydomain.net
- kerbmysite.mydomain.net
- kerbsspadmin.mydomain.net

Active Directory domain account conventions

The example in this section uses the naming conventions listed in the following table for service accounts and application pool identities used in the farm running Office SharePoint Server 2007.

Domain account or application pool identity | Name
Local administrator account on all servers running Office SharePoint Server 2007 (but not on the host computer running SQL Server); also the account for Office SharePoint Server 2007 setup and the SharePoint Products and Technologies Configuration Wizard run-as user | mydomain\pscexec
Local administrator account on the SQL Server host computer | mydomain\sqladmin
SQL Server service account used to run the SQL Server service on the SQL host | mydomain\mosssqlsvc
Office SharePoint Server 2007 farm administrator account (used as the application pool identity for Central Administration and as the service account for the SharePoint Timer Service) | mydomain\mossfarmadmin
Office SharePoint Server 2007 application pool identity for the portal site Web application | mydomain\portalpool
Office SharePoint Server 2007 application pool identity for the My Site Web application | mydomain\mysitepool
Office SharePoint Server 2007 application pool identity for the Shared Services Administration Web site | mydomain\sspadminpool
Office SharePoint Server 2007 SSP service account | mydomain\sspsvc
Windows SharePoint Services 3.0 search service account | mydomain\wsssearch
Windows SharePoint Services 3.0 search content access account | mydomain\wsscrawl
Office SharePoint Server 2007 search service account | mydomain\mosssearch
Office SharePoint Server 2007 content access account | mydomain\mosscrawl

Preliminary configuration requirements

Before you install Office SharePoint Server 2007 on the computers in your server farm, make sure you have performed the following procedures:

- All servers used in the farm, including the SQL host, are set up with Windows Server 2003 SP2, including the latest updates applied from the Windows Update site (http://go.microsoft.com/fwlink/?LinkID=101614&clcid=0x409).
- All servers in the farm have Internet Explorer 7 (and the latest updates for it) installed from the Windows Update site (http://go.microsoft.com/fwlink/?LinkID=101614&clcid=0x409).
- SQL Server (either SQL Server 2000 SP4 or SQL Server 2005 SP2) is installed and running on the SQL host computer, and the SQL Server service is running as the account mydomain\sqlsvc. A default instance of SQL Server is installed and is listening on TCP port 1433.
- The SharePoint Products and Technologies Configuration Wizard run-as user has been added:
  - As a SQL Login on your SQL host.
  - To the SQL Server DBCreators role on your SQL host.
  - To the SQL Server Security Administrators role on your SQL host.

Configure Kerberos authentication for SQL communications

Configure Kerberos authentication for SQL communications before installing and configuring Office SharePoint Server 2007 on your servers running Office SharePoint Server 2007. This is necessary because Kerberos authentication for SQL communications has to be configured, and confirmed to be working, before your computers running Office SharePoint Server 2007 can connect to your SQL Server.

The process of configuring Kerberos authentication for any service installed on a host computer running Windows Server 2003 includes creating an SPN for the domain account used to run the service on the host. SPNs are made up of the following parts:

- A service name (for example, MSSQLSvc or HTTP)
- A host name (either real or virtual)
- A port number

The following list contains examples of SPNs for a default instance of SQL Server running on a computer named mosssql and listening on port 1433:

- MSSQLSvc/mosssql:1433
- MSSQLSvc/mosssql.mydomain.com:1433

These are the SPNs that you will create for the instance of SQL Server on the SQL host that will be used by the farm described in this section. You should always create SPNs that have both a NetBIOS name and a full DNS name for a host on your network.
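The SPN rules stated under "Additional background" and in the paragraphs above (the client-constructed SPN must match a registered one, non-default ports belong in the SPN, duplicate SPNs break resolution, and both NetBIOS and FQDN forms should be registered) are modelled in the following Python, an added example that is not part of the Microsoft guide. The account and host names come from the tables in this section; the Central Administration port and the registration sets are constructed assumptions.

```python
# Added example (not part of the Microsoft guide): model how a Kerberos client
# constructs an SPN and how it must match what is registered in Active Directory.
from collections import defaultdict

HTTP_DEFAULT_PORTS = (80, 443)   # HTTP SPNs never carry a default port


def build_spn(service, host, port=None, include_port=True, default_ports=HTTP_DEFAULT_PORTS):
    """Return the SPN a client would request for service/host:port.

    include_port=False models Internet Explorer versions that omit port numbers
    and the .NET Framework in a default farm (the reason Search cannot crawl
    Kerberos Web applications on non-default ports).  A port that is the
    default for the service is never appended.
    """
    if port is None or not include_port or port in default_ports:
        return f"{service}/{host.lower()}"
    return f"{service}/{host.lower()}:{port}"


def resolve_spn(registrations, spn):
    """Return the one account that holds spn, or None if it is unknown or
    registered on several accounts (the KDC cannot pick a key in that case).

    registrations maps an account to the values of its servicePrincipalName
    attribute, as set with ADSIEDIT.MSC or SETSPN.EXE.
    """
    owners = [acct for acct, spns in registrations.items()
              if spn.lower() in (s.lower() for s in spns)]
    return owners[0] if len(owners) == 1 else None


def find_duplicate_spns(registrations):
    """Map each SPN registered on more than one account to those accounts."""
    owners = defaultdict(list)
    for acct, spns in registrations.items():
        for spn in spns:
            owners[spn.lower()].append(acct)
    return {spn: accts for spn, accts in owners.items() if len(accts) > 1}


def missing_name_forms(spns):
    """Return service/host[:port] entries that exist in only one name form.

    The guide says to register both the NetBIOS and the full DNS name for every
    host, for example MSSQLSvc/mosssql:1433 and MSSQLSvc/mosssql.mydomain.com:1433.
    """
    forms = defaultdict(set)
    for spn in spns:
        service, _, rest = spn.lower().partition("/")
        host, _, port = rest.partition(":")
        forms[(service, host.split(".")[0], port)].add("fqdn" if "." in host else "netbios")
    return [f"{svc}/{short}" + (f":{port}" if port else "")
            for (svc, short, port), seen in forms.items() if len(seen) < 2]


# Constructed registrations for the farm in this section.  The account names
# come from the tables above; the Central Administration port is an assumed
# non-default port, not a value from the guide.
CENTRAL_ADMIN_PORT = 10000
REGISTRATIONS = {
    r"mydomain\mosssqlsvc": ["MSSQLSvc/mosssql:1433", "MSSQLSvc/mosssql.mydomain.com:1433"],
    r"mydomain\mossfarmadmin": [f"HTTP/mossadmin:{CENTRAL_ADMIN_PORT}",
                                f"HTTP/mossadmin.mydomain.net:{CENTRAL_ADMIN_PORT}"],
    r"mydomain\portalpool": ["HTTP/kerbportal", "HTTP/kerbportal.mydomain.net"],
    r"mydomain\mysitepool": ["HTTP/kerbmysite.mydomain.net"],   # FQDN only: incomplete
}


def central_admin_access(include_port):
    """SPN a client builds for Central Administration, and the account the KDC
    resolves it to (None means the ticket request fails: 'access denied')."""
    spn = build_spn("HTTP", "mossadmin.mydomain.net", CENTRAL_ADMIN_PORT, include_port)
    return spn, resolve_spn(REGISTRATIONS, spn)
```

central_admin_access(True) resolves to mydomain\mossfarmadmin, while central_admin_access(False) resolves to nothing, which is the failure the guide describes for clients that leave the port out of the SPN.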

There are different methods that you can use to set an SPN for an account in an Active Directory domain. One method is to use the SETSPN.EXE utility that is part of the resource kit tools for Windows Server 2003. Another method is to use the ADSIEDIT.MSC snap-in on your Active Directory domain controller. This section addresses using the ADSIEDIT.MSC snap-in.

There are two core steps for configuring Kerberos authentication for SQL Server:

- Create SPNs for your SQL Server service account.
- Confirm Kerberos authentication is used to connect servers running Office SharePoint Server 2007 to servers running SQL Server.

Create the SPNs for your SQL Server service account

1. Log on to your Active Directory domain controller using the credentials of a user that has domain administrative permissions.
2. In the Run dialog box, type ADSIEDIT.MSC.
3. In the management console dialog box, expand the domain container folder.
4. Expand the container folder containing user accounts, for example CN=Users.
5. Locate the container for the SQL Server service account, for example CN=mosssqlsvc.
6. Right-click this account, and then click Properties.
7. Scroll down the list of properties in the SQL Server service account dialog box until you find servicePrincipalName.
8. Select the servicePrincipalName property and click Edit.
9. In the Value to Add field, in the Multi-Valued String Editor dialog box, type the SPN MSSQLSvc/mosssql:1433 and click Add. Next, type the SPN MSSQLSvc/mosssql.mydomain.com:1433 in this field and click Add.
10. Click OK on the Multi-Valued String Editor dialog box, and then click OK on the properties dialog box for the SQL Server service account.

Confirm Kerberos authentication is used to connect servers running Office SharePoint Server 2007 to SQL Server

Install the SQL Client Tools on one of your servers running Office SharePoint Server 2007, and

use the tools to connect from your server running Office SharePoint Server 2007 to those running

SQL Server. This section does not address the steps for installing the SQL Client Tools on one of


your servers running Office SharePoint Server 2007. The confirmation procedures are based on

the following assumptions:

You are using SQL Server 2005 SP2 on your SQL host.

You have logged on to one of your servers running Office SharePoint Server 2007, using the

account mydomain\pscexec, and have installed the SQL 2005 Client Tools on the server

running Office SharePoint Server 2007.

1. Run the SQL Server 2005 Management Studio.

2. When the Connect to Server dialog box appears, type the name of the SQL host computer

(in this example, the SQL host computer is mosssql), and click Connect to connect to the

SQL host computer.

3. To confirm that Kerberos authentication was used for this connection, run the event viewer on

the SQL host computer and examine the Security event log. You should see a Success Audit

record for a Logon/Logoff category event that is similar to the data shown in the following

tables:

Event Type Success Audit

Event Source Security

Event Category Logon/Logoff

Event ID 540

Date 10/31/2007

Time 4:12:24 PM

User MYDOMAIN\pscexec

Computer MOSSSQL

Description

An example of a successful network logon is depicted in the following table.

User Name pscexec

Domain MYDOMAIN

Logon ID (0x0,0x6F1AC9)

Logon Type 3

Logon Process Kerberos

Workstation Name

Logon GUID {36d6fbe0-2cb8-916c-4fee-4b02b0d3f0fb}


Caller User Name

Caller Domain

Caller Logon ID

Caller Process ID

Transited Services

Source Network Address 192.168.100.100

Source Port 2465

Examine the log entry to confirm that:

1. The user name is correct. The mydomain\pscexec account logged on over the network to the

SQL host.

2. The logon type is 3. A type 3 logon is a network logon.

3. The logon process and authentication package both use Kerberos authentication. This

confirms that your server running Office SharePoint Server 2007 is using Kerberos

authentication to communicate with the SQL host.

4. The Source Network Address matches the IP address of the computer from which the

connection was made.

If your connection to the SQL host fails with an error message similar to Cannot generate SSPI

context, it is likely that there is an issue with the SPN being used for your instance of SQL

Server. To troubleshoot and correct this, please refer to the article How to troubleshoot the

"Cannot generate SSPI context" error message (http://go.microsoft.com/fwlink/?LinkId=76621)

from the Microsoft Knowledge Base.

Configure Internet Explorer to include port numbers in Service Principal Names

Many versions of Internet Explorer do not include port numbers in the SPNs that they construct.

To determine if you are using a version of Internet Explorer 6 that has this problem, and for steps

necessary to correct it, refer to the article Internet Explorer 6 cannot use the Kerberos

authentication protocol to connect to a Web site that uses a non-standard port in Windows XP

and in Windows Server 2003 (http://go.microsoft.com/fwlink/?LinkId=99681) from the Microsoft

Knowledge Base. You should very carefully examine the version number of the DLL referenced in

this section to determine if the version of Internet Explorer that you are using requires the fix

described in the article. If your version of Internet Explorer does not construct an SPN with port

numbers, and you are using Office SharePoint Server 2007 Web applications hosted on IIS

virtual servers bound to non-default ports, you must apply this fix to be able to go to the Web

applications that are using your version of Internet Explorer. Within the context of this section, you

must ensure that the version of Internet Explorer you are using includes port numbers in the


SPNs that it constructs, because the SPN that you add to your Active Directory for the Central

Administration Web application will contain a port number.

Create Service Principal Names for your Web applications using Kerberos authentication

As far as Kerberos authentication is concerned, there is nothing special about IIS-based Office

SharePoint Server 2007 Web applications—Kerberos authentication treats them as just another

IIS Web site.

This process requires knowledge of the following items:

The Service Class for the SPN (in the context of this section, for Office SharePoint Server

2007 Web applications, this is always HTTP).

The URL for all of your Office SharePoint Server 2007 Web applications using Kerberos

authentication.

The host name portion of the SPN (either real or virtual; this section addresses both).

The port number portion of the SPN (in the scenario described in this section, both IIS port-based and IIS host-header-based Office SharePoint Server 2007 Web applications are used).

The Windows Active Directory accounts for which your SPNs must be created.

The following table lists the information for the scenario described in this section:

URL                                          Active Directory account   SPN

http://mossadmin.mydomain.net:10000          mossfarmadmin              HTTP/mossadmin.mydomain.net:10000
                                                                        HTTP/mossadmin.mydomain.net:10000

http://kerbportal.mydomain.net               portalpool                 HTTP/kerbportal.mydomain.net
                                                                        HTTP/kerbportal

http://kerbmysite.mydomain.net               mysitepool                 HTTP/kerbmysite.mydomain.net
                                                                        HTTP/kerbmysite

http://kerbsspadmin.mydomain.net/ssp/admin   sspadminpool               HTTP/kerbsspadmin.mydomain.net
                                                                        HTTP/kerbsspadmin

Notes for this table:

The first URL listed above is for Central Administration, and uses a port number. You don’t

have to use port 10000. This is just an example used for consistency throughout this section.


The next three URLs are for the portal site, My Site, and Shared Services Administration site,

respectively.

Use the guidance provided above to create the SPNs you need in Active Directory to support

Kerberos authentication for your Office SharePoint Server 2007 Web applications. You need to

log on to a domain controller in your environment using an account that has domain

administrative permissions. To create the SPNs, you can use either the SETSPN.EXE utility

mentioned previously, or you can use the ADSIEDIT.MSC snap-in mentioned previously. If using

the ADSIEDIT.MSC snap-in, please refer to the instructions provided earlier in this section for

creating the SPNs. Be sure to create the correct SPNs for the correct accounts in Active

Directory.
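The SPN rules this section and the SQL Server section describe (the client builds HTTP/<host>[:port] from the URL, so Active Directory must hold that exact SPN, in both FQDN and NetBIOS form, on the account that runs the application pool, and on no other account) can be checked before you go near ADSIEDIT.MSC. The script below is an added example and is not part of the book or of Office SharePoint Server; the URLs and accounts are the scenario values from the table above, while the two registration dictionaries are constructed samples of what the accounts' servicePrincipalName attributes might hold. Creation of the SPNs themselves is still done with SETSPN.EXE or ADSIEDIT.MSC as described.

```python
"""Audit HTTP SPN registrations for Kerberos-authenticated IIS Web applications.

Added example (not from the TechNet book). It checks that every SPN a client
would request for a URL is registered, on the expected account only: a missing
SPN, an SPN on the wrong account, or the same SPN on two accounts (which leaves
the KDC unable to pick a key) all make Kerberos fail.
"""
from urllib.parse import urlsplit

DEFAULT_PORTS = {"http": 80, "https": 443}


def expected_spns(url, include_port=True):
    """Return the SPNs to register for `url`: the FQDN form the client requests
    and the NetBIOS short-name form the book recommends alongside it.
    include_port=False mirrors the Internet Explorer 6 behaviour the book warns
    about, where the port is dropped even for a non-default port."""
    parts = urlsplit(url)
    host = parts.hostname.lower()
    port = parts.port or DEFAULT_PORTS[parts.scheme.lower()]
    non_default = port != DEFAULT_PORTS[parts.scheme.lower()]
    suffix = f":{port}" if include_port and non_default else ""
    spns = [f"HTTP/{host}{suffix}"]
    short = host.split(".")[0]
    if short != host:
        spns.append(f"HTTP/{short}{suffix}")
    return spns


def audit_spns(sites, registrations):
    """sites: {url: account that runs its application pool}.
    registrations: {account: [spn, ...]} as read from servicePrincipalName.
    Returns a list of problem strings; an empty list means the setup matches."""
    holders = {}  # spn (lower-cased) -> set of accounts that hold it
    for account, spns in registrations.items():
        for spn in spns:
            holders.setdefault(spn.lower(), set()).add(account.lower())
    problems = []
    for url, account in sites.items():
        for spn in expected_spns(url):
            owners = holders.get(spn.lower(), set())
            if not owners:
                problems.append(f"missing: {spn} is not registered (needed on {account})")
            elif len(owners) > 1:
                problems.append(f"duplicate: {spn} is registered on {sorted(owners)}")
            elif account.lower() not in owners:
                problems.append(f"wrong account: {spn} is on {next(iter(owners))}, expected {account}")
    return problems


# Scenario values from the book's table: URL -> application pool account.
SITES = {
    "http://mossadmin.mydomain.net:10000": "mossfarmadmin",
    "http://kerbportal.mydomain.net": "portalpool",
    "http://kerbmysite.mydomain.net": "mysitepool",
    "http://kerbsspadmin.mydomain.net/ssp/admin": "sspadminpool",
}

# Constructed sample: a correct set of registrations.
GOOD_REGISTRATIONS = {
    "mossfarmadmin": ["HTTP/mossadmin.mydomain.net:10000", "HTTP/mossadmin:10000"],
    "portalpool": ["HTTP/kerbportal.mydomain.net", "HTTP/kerbportal"],
    "mysitepool": ["HTTP/kerbmysite.mydomain.net", "HTTP/kerbmysite"],
    "sspadminpool": ["HTTP/kerbsspadmin.mydomain.net", "HTTP/kerbsspadmin"],
}

# Constructed sample with two of the faults the book's troubleshooting text
# names: the Central Administration SPNs were registered without the port
# number, and the portal SPN was also registered on the My Site pool account.
BAD_REGISTRATIONS = {
    "mossfarmadmin": ["HTTP/mossadmin.mydomain.net", "HTTP/mossadmin"],
    "portalpool": ["HTTP/kerbportal.mydomain.net", "HTTP/kerbportal"],
    "mysitepool": ["HTTP/kerbmysite.mydomain.net", "HTTP/kerbmysite",
                   "HTTP/kerbportal.mydomain.net"],
    "sspadminpool": ["HTTP/kerbsspadmin.mydomain.net", "HTTP/kerbsspadmin"],
}

if __name__ == "__main__":
    for label, regs in (("good", GOOD_REGISTRATIONS), ("bad", BAD_REGISTRATIONS)):
        print(f"--- {label} ---")
        for problem in audit_spns(SITES, regs) or ["no problems found"]:
            print(problem)
```

Feeding the script the real attribute values (for example, the output of `setspn -L <account>` for each service account) turns the "registered for the wrong account" and "omitted the port number" causes listed later in this section into a check you can run in seconds rather than a network trace.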

Deploy the server farm

Deploying the server farm includes the following steps:

1. Set up Office SharePoint Server 2007 on all of your servers running Office SharePoint Server

2007.

2. Run the SharePoint Products and Technologies Configuration Wizard and create a new farm.

This step includes creating an Office SharePoint Server 2007 Central Administration Web

application that will be hosted on an IIS virtual server bound to a non-default port and use

Kerberos authentication.

3. Run the SharePoint Products and Technologies Configuration Wizard and join the other

servers to the farm.

4. Configure Services on Servers in your farm for:

Windows SharePoint Services 3.0 Search service

Office SharePoint Server 2007 Search Indexing

Office SharePoint Server 2007 Search Query

5. Create Web applications that are used for the portal site, My Site, and the Shared Services

Administration site using Kerberos authentication.

6. Create a site collection using the Collaboration Portal template in the portal site Web

application.

7. Create a Shared Services Provider for your farm.

8. Confirm successful access to the Web applications using Kerberos authentication.

9. Confirm correct Search Indexing functionality.

10. Confirm correct Search Query functionality.

11. Configure your SSP infrastructure for Kerberos authentication. This is an optional step that

requires the installation of the Infrastructure Update for Microsoft Office Servers.

12. Confirm SSP functionality using Kerberos authentication. This is an optional step that

requires the installation of the Infrastructure Update for Microsoft Office Servers.


Install Office SharePoint Server 2007 on all of your servers

This is the straightforward process of running Office SharePoint Server 2007 setup to install the

Office SharePoint Server 2007 binaries on your servers running Office SharePoint Server 2007.

Log on to each of your computers running Office SharePoint Server 2007 using the account

mydomain\pscexec. No step-by-step instructions are provided for this. For the scenario described

in this section, do a Complete installation of Office SharePoint Server 2007 on all servers that

require Office SharePoint Server 2007.

Run the SharePoint Products and Technologies Configuration Wizard and create a new farm

For the scenario described in this section, run the SharePoint Products and Technologies

Configuration Wizard from the MOSSADMIN Search Indexing server first, so that MOSSADMIN

hosts the Office SharePoint Server 2007 Central Administration Web application.

On the server named MOSSCRAWL, when setup completes, a Setup Complete dialog box

appears with a check box selected to run the SharePoint Products and Technologies

Configuration Wizard. Leave this check box selected and close the setup dialog box to run the

SharePoint Products and Technologies Configuration Wizard.

When running the SharePoint Products and Technologies Configuration Wizard on this computer,

direct the Wizard to create a new farm using the following settings:

Provide the database server name (in this section, it is the server named MOSSSQL).

Provide a configuration database name (you can use the default, or stipulate a name of your

choice).

Provide the database access (farm administrator) account information. Using the scenario in

this section, that account is mydomain\mossfarmadmin.

Provide the information required for the Office SharePoint Server 2007 Central Administration

Web application. Using the scenario in this section, that information is:

Central Administration Web application port number: 10000

Authentication Method: Negotiate

When you have provided all the required information, the SharePoint Products and Technologies

Configuration Wizard should finish successfully. If it completes successfully, confirm that you can

access the Office SharePoint Server 2007 Central Administration Web application home page

using Kerberos authentication. To do this, perform the following steps:

1. Log on to a different server running Office SharePoint Server 2007 or another computer in

the domain mydomain as mydomain\pscexec. You should not verify correct Kerberos

authentication behavior directly on the computer hosting the Office SharePoint Server 2007

Central Administration Web application. This should be done from a separate computer in the

domain.

2. Start Internet Explorer on this server and attempt to go to the following URL:

http://mossadmin.mydomain.net:10000. The home page of Central Administration should

render.


3. To confirm that Kerberos authentication was used to access Central Administration, go back

to the computer named MOSSADMIN and run the event viewer and look in the security log.

You should see a Success Audit record that looks similar to the following table:

Event Type Success Audit

Event Source Security

Event Category Logon/Logoff

Event ID 540

Date 11/1/2007

Time 2:22:20 PM

User MYDOMAIN\pscexec

Computer MOSSADMIN

Description

An example of a successful network logon is depicted in the following table.

User Name pscexec

Domain MYDOMAIN

Logon ID (0x0,0x1D339D3)

Logon Type 3

Logon Process Kerberos

Authentication Package Kerberos

Workstation Name

Logon GUID {fad7cb69-21f8-171b-851b-3e0dbf1bdc79}

Caller User Name

Caller Domain

Caller Logon ID

Caller Process ID

Transited Services

Source Network Address 192.168.100.100

Source Port 2505


Examination of this log record shows the same type of information as in the previous log entry:

Confirm that the user name is correct; it is the mydomain\pscexec account that logged on

over the network to the server running Office SharePoint Server 2007 that is hosting Central

Administration.

Confirm that the logon type is 3; a logon type 3 is a network logon.

Confirm that the logon process and authentication package both use Kerberos authentication.

This confirms that Kerberos authentication is being used to access your Central

Administration Web application.

Confirm that the Source Network Address matches the IP address of the computer from

which the connection was made.

If the Central Administration home page fails to render and instead an unauthorized error

message is displayed, Kerberos authentication is failing. There are usually only two causes for

this failure:

The SPN in Active Directory was not registered for the correct account. It should have been

registered for mydomain\mossfarmadmin.

The SPN in Active Directory does not match the SPN being constructed by Internet Explorer

or is otherwise invalid. The most common cause of this is that Internet Explorer is not

constructing an SPN containing the correct port number. See the previous section titled

Configure Internet Explorer to include port numbers in Service Principal Names to correct this

problem. You also might have omitted the port number from the SPN that you registered in

Active Directory. Either way, ensure that this is corrected and that Central Administration is

working, using Kerberos authentication, before proceeding.

Note:

A diagnostic aid you could use to see what is going on over the network is a network

sniffer, such as Microsoft Network Monitor, to take a trace during browsing to Central

Administration. After the failure, examine the trace and look for KerberosV5 Protocol

packets. Find a packet with an SPN constructed by Internet Explorer. If that SPN does

not contain a port number, you need to apply the fix described in the section titled

Configure Internet Explorer to include port numbers in Service Principal Names. If the

SPN in the trace looks correct, either the SPN in Active Directory is invalid, or it has been

registered for the wrong account.

Run the SharePoint Products and Technologies Configuration Wizard and join the other servers to the farm

Now that your farm has been created and you can successfully access Central Administration

using Kerberos authentication, you need to run the SharePoint Products and Technologies

Configuration Wizard and join the other servers to the farm.

On each of the other four servers running Office SharePoint Server 2007 (mossfe1, mossfe2,

mossquery, and mosscrawl), Office SharePoint Server 2007 installation should have completed,

and the setup completion dialog box should appear with the SharePoint Products and


Technologies Configuration Wizard check box selected. Leave this check box selected and close

the setup completion dialog box to run the SharePoint Products and Technologies Configuration

Wizard. Perform the procedure to join each of these servers to the farm.

Upon completion of the SharePoint Products and Technologies Configuration Wizard on each

server you add to the farm, verify that each of these servers can render Central Administration,

which is running on the server, MOSSADMIN. If any of these servers fail to render Central

Administration, take the appropriate steps to solve the problem before you proceed.

Configure services on servers in your farm

Configure specific Windows SharePoint Services 3.0 and Office SharePoint Server 2007 services

to run on specific servers running Windows SharePoint Services 3.0 and Office SharePoint

Server 2007 in the farm, using the accounts indicated in the following sections.

Note:

This section does not provide an in-depth description of the user interface. Only high-level instructions are provided. You should be familiar with Central Administration and

how to perform the required steps before you proceed.

Access Central Administration and perform the following steps to configure the services on the

servers indicated, using the accounts indicated.

Windows SharePoint Services Search

On the Services on Server page in Central Administration:

1. Select the server MOSSQUERY.

2. In the list of services that appears, close to the middle of the page, locate the Windows

SharePoint Services 3.0 Search service, and then click Start in the Action column.

3. On the subsequent page, provide the credentials for the Windows SharePoint Services 3.0

search service account and for the Windows SharePoint Services 3.0 Content Access

account. In the scenario in this section, the Windows SharePoint Services 3.0 search service

account is mydomain\wsssearch, and the Windows SharePoint Services 3.0 content access

account is mydomain\wsscrawl. Type the account names and passwords in the appropriate

locations on the page, and then click Start.

Index server

On the Services on Server page in Central Administration:

1. Select the server MOSSCRAWL.

2. In the list of services that appears close to the middle of the page, locate the Office

SharePoint Server 2007 Search service, and then click Start in the Action column.

On the subsequent page, check the Use this server for indexing content check box and then

provide the credentials for the Office SharePoint Server 2007 search service account. In the

scenario in this section, the Office SharePoint Server 2007 search service account is


mydomain\mosssearch. Type the account names and passwords in the appropriate locations on

the page, and then click Start.

Query server

On the Services on Server page in Central Administration:

1. Select the server MOSSQUERY.

2. In the list of services that appears close to the middle of the page, locate the Office

SharePoint Server 2007 Search service, and then click the service name in the Service

column.

On the subsequent page, check the Use this server for serving search queries check box and

click OK.

Create Web applications using Kerberos authentication

In this section, create Web applications that are used for the portal site, a My Site, and the

Shared Services Administration site in your farm.

Note:

This section does not provide an in-depth description of the user interface. Only high-level instructions are provided. You should be familiar with Central Administration and

how to perform the required steps before you proceed.

Create the portal site Web application

1. On the Application Management page in Central Administration, click Create or extend Web

application.

2. On the subsequent page, click Create a new Web application.

3. On the subsequent page, make sure Create a new IIS Web site is selected.

In the Description field, type PortalSite.

In the Port field, type 80.

In the Host Header field, type kerbportal.mydomain.net.

4. Make sure Negotiate is selected as the authentication provider for this Web application.

5. Create this Web application in the Default zone. Do not modify the zone for this Web

application.

6. Make sure Create new application pool is selected.

In the Application Pool Name field, type PortalAppPool.

Make sure Configurable is selected. In the User name field, type the account

mydomain\portalpool.

7. Click OK.


8. Confirm that the Web application is successfully created.

Note:

If you want to use an SSL connection and bind the Web application to port 443, type 443

in the Port field and select Use SSL on the Create New Web Application page. In

addition, you must install an SSL wildcard certificate. When using an IIS host header

binding on an IIS Web site configured for SSL, you must use an SSL wildcard certificate.

For more information about SSL host headers in IIS, see Configuring SSL Host Headers

(IIS 6.0) (http://go.microsoft.com/fwlink/?LinkId=111285&clcid=0x409).

Create the My Site Web application

1. On the Application Management page in Central Administration, click Create or extend Web

application.

2. On the subsequent page, click Create a new Web application.

3. On the subsequent page, make sure Create a new IIS Web site is selected.

In the Description field, type MySite.

In the Port field, type 80.

In the Host Header field, type kerbmysite.mydomain.net.

4. Make sure Negotiate is selected as the authentication provider for this Web application.

5. Create this Web application in the Default zone. Do not modify the zone for this Web

application.

6. Make sure Create new application pool is selected.

In the Application Pool Name field, type MySiteAppPool.

Make sure Configurable is selected. In the User name field, type the account

mydomain\mysitepool.

7. Click OK.

8. Confirm that the Web application is successfully created.

Note:

If you want to use an SSL connection and bind the Web application to port 443, type 443

in the Port field and select Use SSL on the Create New Web Application page. In

addition, you must install an SSL wildcard certificate. When using an IIS host header

binding on an IIS Web site configured for SSL, you must use an SSL wildcard certificate.

For more information about SSL host headers in IIS, see Configuring SSL Host Headers

(IIS 6.0) (http://go.microsoft.com/fwlink/?LinkId=111285&clcid=0x409).

Create the Shared Services Administration site Web application

1. On the Application Management page in Central Administration, click Create or extend Web

application.

2. On the subsequent page, click Create a new Web application.


3. On the subsequent page, make sure Create a new IIS Web site is selected.

In the Description field, type SSPAdminSite.

In the Port field, type 80.

In the Host Header field, type kerbsspadminsite.mydomain.net.

4. Make sure Negotiate is selected as the authentication provider for this Web application.

5. Create this Web application in the Default zone. Do not modify the zone for this Web

application.

6. Make sure Create new application pool is selected.

In the Application pool name field, type SSPAdminSiteAppPool.

Make sure Configurable is selected. In the User name field, type the account

mydomain\sspadminpool.

7. Click OK.

8. Confirm that the Web application is successfully created.

Note:

If you want to use an SSL connection and bind the Web application to port 443, type 443

in the Port field and select Use SSL on the Create New Web Application page. In

addition, you must install an SSL wildcard certificate. When using an IIS host header

binding on an IIS Web site configured for SSL, you must use an SSL wildcard certificate.

For more information about SSL host headers in IIS, see Configuring SSL Host Headers

(IIS 6.0) (http://go.microsoft.com/fwlink/?LinkId=111285&clcid=0x409).

Create a site collection using the Collaboration Portal template in the portal site Web application

In this section, you create a site collection on the portal site in the Web application that you

created for this purpose.

Note:

This section does not provide an in-depth description of the user interface. Only high-level instructions are provided. You should be familiar with Central Administration and

how to perform the required steps before you proceed.

1. On the Application Management page in Central Administration, click Create site collection.

2. On the subsequent page, make sure you select the correct Web application. For the example

in this section, select http://kerbportal.mydomain.net.

3. Provide the title and description you want to use for this site collection.

4. Leave the Web site address unchanged.

5. In the Template Selection section under Select a Template, click the Publishing tab and

select the Collaboration Portal template.

6. In the Primary Site Collection Administrator section, type mydomain\pscexec.


7. Specify the Secondary Site Collection Administrator you want to use.

8. Click OK.

9. Confirm that the portal site collection is successfully created.

Create a Shared Services Provider for your farm

Create a Shared Services Provider for the farm.

Note:

This section does not provide an in-depth description of the user interface. Only high-level instructions are provided. You should be familiar with Central Administration and

how to perform the required steps before you proceed.

1. On the Application Management page in Central Administration, click Create or configure

this farm’s shared services.

2. On the subsequent page, click New SSP.

3. On the subsequent page, in the SSP Name section, type SSP1 in the SSP Name field.

Then, in the Web application field, select the Web application you created for the Shared

Services Administration site Web application. For the example in this section, select the Web

application named SSPAdminSite.

In the MySite section, in the Web application field, select the Web application you

created for the My Site Web site. For the example in this section, select the Web

application named MySite.

In the SSP service credentials section, in the User name field, type

mydomain\sspsvc.

4. Click OK.

5. Confirm that your farm’s SSP is successfully created.

Confirm successful access to the Web applications using Kerberos authentication

Confirm that Kerberos authentication is working for the recently created Web applications. Start

with the portal site.

To do this, perform the following steps:

1. Log on as mydomain\pscexec to a server running Office SharePoint Server 2007 other than the two front-end Web servers that are configured for NLB. You should not verify correct Kerberos authentication behavior directly on one of the computers hosting the load-balanced Web sites that use Kerberos authentication. This should be done from a separate computer in the domain.

2. Start Internet Explorer on this other system and attempt to go to the following URL:

http://kerbportal.mydomain.net.

The home page of the Kerberos-authenticated portal site should render.


To confirm that Kerberos authentication was used to access the portal site, go to one of the load-balanced front-end Web servers and run the event viewer and look in the security log. You should

see a Success Audit record, similar to the following table, on one of the front-end Web servers.

Note that you may have to look on both front-end Web servers before you find this, depending on

which system handled the load-balanced request.

Event Type Success Audit

Event Source Security

Event Category Logon/Logoff

Event ID 540

Date 11/1/2007

Time 5:08:20 PM

User MYDOMAIN\pscexec

Computer mossfe1

Description

An example of a successful network logon is depicted in the following table.

User Name pscexec

Domain MYDOMAIN

Logon ID (0x0,0x1D339D3)

Logon Type 3

Logon Process Kerberos authentication

Workstation Name

Logon GUID {fad7cb69-21f8-171b-851b-3e0dbf1bdc79}

Caller User Name

Caller Domain

Caller Logon ID

Caller Process ID

Transited Services

Source Network Address 192.168.100.100

Source Port 2505


Examination of this log record shows the same type of information as in the previous log entry:

Confirm that the user name is correct; it is the mydomain\pscexec account that logged on

over the network to the front-end Web server running Office SharePoint Server 2007 that is

hosting the portal site.

Confirm that the logon type is 3; a logon type 3 is a network logon.

Confirm that the logon process and authentication package both use Kerberos authentication.

This confirms that Kerberos authentication is being used to access your portal site.

Confirm that the Source Network Address matches the IP address of the computer from

which the connection was made.
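The four checks just listed are the same ones applied earlier to the SQL host record and to the Central Administration record, so they are worth scripting once. The following is an added example, not part of the book or of Office SharePoint Server: it parses a Windows Server 2003 Security log record in the field layout shown above (with the header fields folded in as "Field: value" lines) and reports which of the book's conditions fail. The two records are constructed samples; the second shows what an NTLM fallback on the same server looks like, which is the case the check must reject.

```python
"""Check an Event ID 540 record for the Kerberos network-logon conditions the
book lists: expected user, logon type 3, Kerberos as both the logon process
and the authentication package, and the expected source address.

Added example (not from the TechNet book). Records are constructed samples.
"""
import re

# "Field name: value" lines; the value may be empty (e.g. "Workstation Name:").
FIELD_RE = re.compile(r"^\s*([A-Za-z ]+?):\s*(.*?)\s*$")


def parse_event(text):
    """Turn the record's 'Field: value' lines into a dict."""
    fields = {}
    for line in text.strip().splitlines():
        match = FIELD_RE.match(line)
        if match:
            fields[match.group(1).strip()] = match.group(2)
    return fields


def check_kerberos_logon(fields, expected_user, expected_source):
    """Return the list of failed checks; an empty list means the record is the
    Kerberos network logon the book says you should see."""
    failures = []
    if fields.get("Event ID") != "540":
        failures.append("not a successful network logon event (Event ID 540)")
    user = f"{fields.get('Domain', '')}\\{fields.get('User Name', '')}"
    if user.lower() != expected_user.lower():
        failures.append(f"user is {user}, expected {expected_user}")
    if fields.get("Logon Type") != "3":
        failures.append(f"logon type {fields.get('Logon Type')!r} is not a network logon (3)")
    # The book shows "Kerberos" and "Kerberos authentication" in these fields,
    # so match on the prefix rather than the exact string.
    for key in ("Logon Process", "Authentication Package"):
        if not fields.get(key, "").lower().startswith("kerberos"):
            failures.append(f"{key} is {fields.get(key) or 'missing'}, not Kerberos")
    if fields.get("Source Network Address") != expected_source:
        failures.append(f"source address {fields.get('Source Network Address')} != {expected_source}")
    return failures


# Constructed sample: the Kerberos logon the book expects on the SQL host.
KERBEROS_EVENT = """
Event ID: 540
User Name: pscexec
Domain: MYDOMAIN
Logon ID: (0x0,0x6F1AC9)
Logon Type: 3
Logon Process: Kerberos
Authentication Package: Kerberos
Workstation Name:
Source Network Address: 192.168.100.100
Source Port: 2465
"""

# Constructed sample: same user and source, but the client fell back to NTLM
# (logon ID and port are made up for the sample).
NTLM_EVENT = """
Event ID: 540
User Name: pscexec
Domain: MYDOMAIN
Logon ID: (0x0,0x7A2B10)
Logon Type: 3
Logon Process: NtLmSsp
Authentication Package: NTLM
Workstation Name: MOSSFE1
Source Network Address: 192.168.100.100
Source Port: 2466
"""

if __name__ == "__main__":
    for name, record in (("Kerberos record", KERBEROS_EVENT), ("NTLM record", NTLM_EVENT)):
        result = check_kerberos_logon(parse_event(record), "MYDOMAIN\\pscexec", "192.168.100.100")
        print(f"{name}: {'OK' if not result else '; '.join(result)}")
```

Applied to an exported Security log, the NTLM case is the one to watch for: the page renders, the user is right and the logon type is 3, yet Kerberos was never used, which is exactly the situation the book's SPN troubleshooting steps are meant to catch.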

If the home page of the portal site fails to render, and displays an "unauthorized" error message,

then Kerberos authentication is failing. There are usually only a couple of causes for this:

The SPN in Active Directory was not registered for the correct account. It should have been

registered for mydomain\portalpool, for the Web application of the portal site.

The SPN in Active Directory does not match the SPN being constructed by Internet Explorer

or is invalid for another reason. In this case, because you are using IIS host headers without

explicit port numbers, the SPN registered in Active Directory differs from the IIS host header

specified when you extended the Web application. You need to correct this to get Kerberos

authentication working.

Note:

A diagnostic aid you could use to see what is going on over the network is a network

sniffer such as Microsoft Network Monitor to take a trace during browsing to Central

Administration. After the failure, examine the trace and look for KerberosV5 Protocol

packets. You should find a packet with an SPN constructed by Internet Explorer. If that

SPN does not contain a port number, then you need to apply the fix described in the

section Configure Internet Explorer to include port numbers in Service Principal Names. If

the SPN in the trace looks correct, then either the SPN in Active Directory is invalid or the

SPN has been registered for the wrong account.

After you have Kerberos authentication working for your portal site, go to your Kerberos-authenticated My Site and the Shared Services Administration site using the following URLs:

http://kerbmysite.mydomain.net

http://kerbsspadmin.mydomain.net/ssp/admin

Note:

The first time you access the My Site URL, it will take some time for Office SharePoint

Server 2007 to create a My Site for the logged-on user. However, it should succeed, and

the My Site page for that user should render.

These should both work correctly. If they don’t, refer to the preceding troubleshooting steps.


Confirm correct Search Indexing functionality

Confirm that Search Indexing is successfully crawling the content hosted on this farm. This is the

step you must take prior to confirming the Search Query results for users accessing the sites

using Kerberos authentication.

Note:

This section does not provide an in-depth description of the user interface. Only high-level instructions are provided. You should be familiar with Central Administration and

how to perform the required steps before you proceed.

1. Access the Shared Services Administration site Web application at

http://kerbsspadmin.mydomain.net/ssp/admin.

2. On this page, click Search Settings.

3. On the subsequent page, click Content Sources and Crawl Schedules.

4. On the subsequent page, access the ECB for the Office SharePoint Server Content

Sources, and from the drop-down list, select Start Full Crawl.

5. Wait for the crawl to complete. If the crawl fails, you must investigate and correct the failure,

and then run a full crawl. If the crawl fails with "access denied" errors, it is either because the

crawling account does not have access to the content sources, or because Kerberos

authentication has failed. Whatever the cause, this error must be corrected before proceeding

to subsequent steps.

You must complete a full crawl of the Kerberos-authenticated Web applications before

proceeding.

Confirm correct Search Query functionality

To confirm that Search Query returns results for users accessing the portal site that uses

Kerberos authentication:

1. Start Internet Explorer on a system in mydomain.net and go to

http://kerbportal.mydomain.net.

2. When the home page of the portal site renders, type a search keyword in the Search field

and press ENTER.

3. Confirm that Search Query results are returned. If they are not, confirm that the keyword you

have entered is valid in your deployment, that Search Indexing is running correctly, that the

Search service is running on your Search Indexing and Search Query servers, and that there

are no problems with search propagation from your Search Index server to your Search

Query server.


Configure your SSP infrastructure for Kerberos authentication

Note:

This is an optional procedure that requires installation of the Infrastructure Update for

Microsoft Office Servers. Without the installation of the Infrastructure Update for Microsoft

Office Servers, Kerberos authentication cannot be correctly configured for Office

SharePoint Server 2007.

The Infrastructure Update for Microsoft Office Servers includes a new, custom-format SPN for

Kerberos authentication for the SSP infrastructure. This custom-format SPN introduces a new

Service Class: MSSP. The custom-format SPN is in the following format:

MSSP/<host:port>/<SSP name>.

This new custom-format SPN sets a .NET Framework property to direct the .NET Framework to

use a specific SPN for a given URI. It is the .NET Framework that is used to make inter-server

calls to the Office SharePoint Server 2007 SSP infrastructure Web services.

If you examine the SSP infrastructure on an Office SharePoint Server 2007 application server,

you will see that there is a Search shared service at both the root level and the virtual directory

level in IIS. There is also an Excel Calculation Services (ECS) shared service at the virtual

directory level in IIS. After the SSP infrastructure is configured for Kerberos authentication,

Kerberos will be used for accessing shared services at both the root level and the virtual directory

level.

You do not need to register SPNs for the root-level Web services. You only need to register SPNs

for the virtual-directory-level Web services. This is because when joining a computer to a domain,

a HOST-class SPN is automatically registered for the computer account in the domain, and the

SPN will work for the root-level Web service. However, you do need to register SPNs

corresponding to the virtual directories that actually correlate to the SSPs in your farm.

To successfully configure your SSP infrastructure for Kerberos authentication you must perform

the following steps:

1. Register new custom-format SPNs for your SSP service account in Active Directory.

2. Run the Stsadm command-line tool to set the SSP infrastructure to use Kerberos

authentication.

3. Add a new registry key to all of your servers running Office SharePoint Server 2007 to enable

the generation of new custom-format SPNs.

4. Confirm Kerberos authentication for root-level shared Web service access.

5. Confirm Kerberos authentication for virtual-directory-level shared Web service access.

Note:

In the preceding procedure, steps 4 and 5 pertain to the searchadmin.asmx shared Web

service. This Search-related shared Web service is located at both the root level of the

SSP infrastructure and at the virtual directory level of the SSP infrastructure. The root-

level Search shared service can be thought of as a global Web service that pertains to


the configuration of the Office SharePoint Server 2007 Search service settings at the

Services on Server level in Office SharePoint Server 2007 Central Administration. The

virtual-directory-level Search shared service corresponds to a specific SSP in your farm,

and is used when configuring Search settings specific to that SSP on the Shared

Services Administration site. When performing the steps to verify Kerberos authentication

for root-level shared services access, you will not see the generation or use of the new-

format SPNs. You will only see the new-format SPNs when accessing the virtual directory

level Web service; however, you need to verify that access to the shared service works at

both levels.

Register new custom-format SPNs for your SSP service account in Active Directory

In this section, the SSP service account is mydomain\sspsvc, and the name of the SSP you

created is SSP1. The SSP infrastructure exists on all servers in the farm; therefore, SPNs that

refer to all servers running Office SharePoint Server 2007 must be created. Because the SSP

infrastructure is bound to TCP port 56737 and SSL port 56738, you need SPNs that include both

port numbers. Because of this, two SPNs are required for each application server. For the

examples used in this section, you need to create 10 SPNs.

Perform the following procedure to create the SPNs for your SSP infrastructure:

1. Log on to your Active Directory domain controller using the credentials of a user that has

domain administrative permissions.

2. In the Run dialog box, type ADSIEDIT.MSC.

3. In the Management Console dialog box, expand the domain container folder.

4. Expand the container folder containing user accounts, for example CN=Users.

5. Locate the container for the SSP service account, for example CN=sspsvc.

6. Right-click the SSP service account, and then click Properties.

7. Scroll down the list of properties in the SSP Service account dialog box until you find

servicePrincipalName.

8. Select the servicePrincipalName property and click Edit.

9. In the Value to Add field, in the Multi-Valued String Editor dialog box, add the following

SPNs:

MSSP/mossfe1:56737/SSP1

MSSP/mossfe1:56738/SSP1

MSSP/mossfe2:56737/SSP1

MSSP/mossfe2:56738/SSP1

MSSP/mossadmin:56737/SSP1

MSSP/mossadmin:56738/SSP1

MSSP/mosscrawl:56737/SSP1


MSSP/mosscrawl:56738/SSP1

MSSP/mossquery:56737/SSP1

MSSP/mossquery:56738/SSP1

Run the Stsadm command-line tool to set the SSP infrastructure to use Kerberos authentication

To configure your SSP infrastructure to use Kerberos authentication, perform the following

procedure:

1. Log on to your Active Directory domain controller using the credentials of a user that has

domain administrative permissions.

2. On one of your servers running Office SharePoint Server 2007, open a command prompt.

3. Change to the following directory: %COMMONPROGRAMFILES%\microsoft shared\web server extensions\12\bin.

4. Type the following command: stsadm -o setsharedwebserviceauthn -negotiate, and then press ENTER.

Ensure that this command runs successfully before proceeding.

When you have completed this procedure, the command applies to all of the SSPs that you

create in your farm, including SSPs that you create after you have successfully run this

command.

Add a new registry key to all of your servers running Office SharePoint Server to enable generation of the new custom-format SPNs

The generation of the new, custom-format SPNs is controlled through the setting of a new registry

key introduced with the Infrastructure Update for Microsoft Office Servers. To enable the

generation of the new, custom-format SPNs, this registry key must be added to all servers in the

farm, and all servers must be restarted.

Perform the following steps to enable the new behavior. On each server in the farm:

1. Log on as a local administrator.

2. Run the Registry Editor, and add the following new registry key:

HKLM\Software\Microsoft\Office Server\12.0\KerberosSpnFormat (REG_DWORD) = 1

3. Restart the server. It is important to be aware that you must restart the server for the new

registry key to take effect.

Caution:

Incorrectly editing the registry might severely damage your system. Before making

changes to the registry, you should back up any valued data on the computer.
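The following PowerShell script is an added example, not part of this guide or of Office SharePoint Server; it audits steps 1 and 3 of the procedure above (the custom-format SPNs on the SSP service account and the KerberosSpnFormat registry value on every farm server) and flags an SSP name with extended characters, the limitation noted under Configuration limitations later in this section. It assumes the example farm's server names, ports and SSP name from this section, a hypothetical distinguished name for mydomain\sspsvc, Windows PowerShell with read access to Active Directory, and the Remote Registry service running on each server.

```powershell
# Added example (not from the deployment guide): audit the SPNs and the registry
# value that the procedure above requires before Kerberos is verified for the SSP
# infrastructure. Step 2 (stsadm -o setsharedwebserviceauthn -negotiate) is not
# checked here. All values below are the guide's example values or assumptions.

$Servers   = 'mossfe1', 'mossfe2', 'mossadmin', 'mosscrawl', 'mossquery'   # example farm
$Ports     = 56737, 56738                 # SSP infrastructure TCP and SSL ports
$SspName   = 'SSP1'
$AccountDN = 'LDAP://CN=sspsvc,CN=Users,DC=mydomain,DC=net'   # assumed DN of mydomain\sspsvc
$RegPath   = 'Software\Microsoft\Office Server\12.0'         # under HKLM, as in the guide
$RegValue  = 'KerberosSpnFormat'

function Get-ExpectedSspSpn {
    param([string[]]$Hosts, [int[]]$Ports, [string]$Ssp)
    # Builds the guide's custom-format SPNs, MSSP/<host:port>/<SSP name>,
    # one for each host and each port (10 for the example farm).
    foreach ($h in $Hosts) {
        foreach ($p in $Ports) { "MSSP/${h}:${p}/$Ssp" }
    }
}

function Test-SspNameSafe {
    param([string]$Ssp)
    # Configuration limitation from the guide: an SPN whose SSP name contains
    # extended characters cannot be selected as a delegation target.
    return ($Ssp -match '^[A-Za-z0-9_-]+$')
}

function Get-RegisteredSpn {
    param([string]$Dn)
    # Reads servicePrincipalName from the account object through ADSI, the same
    # attribute the guide edits with ADSI Edit. @() keeps the result an array.
    $account = [ADSI]$Dn
    return @($account.servicePrincipalName)
}

function Get-RemoteSpnFormatValue {
    param([string]$Server, [string]$Path, [string]$Name)
    # Reads HKLM\<Path>\<Name> on a farm server through the remote registry API.
    try {
        $hklm = [Microsoft.Win32.RegistryKey]::OpenRemoteBaseKey('LocalMachine', $Server)
        $key  = $hklm.OpenSubKey($Path)
        if ($key -eq $null) { return $null }
        return $key.GetValue($Name)
    } catch {
        Write-Warning "${Server}: could not read registry ($($_.Exception.Message))"
        return $null
    }
}

# 1. Custom-format SPNs registered on the SSP service account
if (-not (Test-SspNameSafe $SspName)) {
    Write-Warning "SSP name '$SspName' contains extended characters; delegation cannot target it"
}
$registered = Get-RegisteredSpn $AccountDN
foreach ($spn in Get-ExpectedSspSpn -Hosts $Servers -Ports $Ports -Ssp $SspName) {
    if ($registered -contains $spn) { "OK       $spn" } else { "MISSING  $spn" }
}

# 3. Registry value that enables generation of the new-format SPNs, on every server
foreach ($server in $Servers) {
    $value = Get-RemoteSpnFormatValue -Server $server -Path $RegPath -Name $RegValue
    if ($value -eq 1) {
        "OK       ${server}: $RegValue = 1"
    } else {
        "MISSING  ${server}: $RegValue is '$value' (expected REG_DWORD 1; restart the server after setting it)"
    }
}
```

A MISSING line for an SPN means the Kerberos KDC cannot issue a ticket for that host and port, which shows up later as a fallback to NTLM or an access-denied error rather than as a clear SPN message.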


Confirm Kerberos authentication for root-level shared services access

To confirm Kerberos authentication for the root-level shared services, perform the following

procedure:

1. Log on to the computer that is hosting the Central Administration Web application. If you are

using the example in this section, log on to MOSSADMIN.

2. Go to Central Administration at http://mossadmin.mydomain.net:10000

3. On the Central Administration home page, click Operations.

4. On the Operations page, click Services on Server.

5. In the Server section, click the drop-down arrow to display the list of servers in the farm, and

then click your Search Query server. If you are using the example in this section, select

MOSSQUERY.

6. After the page refreshes, confirm that you are pointing to the correct query server, and in the

Service section, click Office SharePoint Server Search.

7. Confirm that the Configure Office SharePoint Server Search Service Settings on server

mossquery page is displayed.

8. Perform the following steps to confirm that Kerberos authentication was used to render the

page:

Log on to your Search Query server—using the example in this section, log on to the

MOSS machine named MOSSQUERY.

Run the Windows event viewer.

Examine the Security event log.

You should see a log record that is similar to the data shown in the following table:

Event Type Success Audit

Event Source Security

Event Category Logon/Logoff

Event ID 540

Date 5/6/2008

Time 12:12:17 PM

User MYDOMAIN\pscexec

Computer MOSSQUERY

Description


An example of a successful network logon is depicted in the following table.

User Name pscexec

Domain MYDOMAIN

Logon ID (0x0,0x7252B10)

Logon Type 3

Logon Process Kerberos

Authentication Package Kerberos

Workstation Name

Logon GUID {a96a9450-3af5-d82e-3bb3-8cd65c8e5c49}

Caller User Name

Caller Domain

Caller Logon ID

Caller Process ID

Transited Services

Source Network Address 192.168.100.100

Source Port 1964

Important:

Repeat this procedure for your Search Indexing server to confirm that the page renders

and that there is a security event viewer log record indicating that the Kerberos

authentication package was used for accessing the page.

Confirm Kerberos authentication for virtual-directory-level shared services access

This is the final step in configuring and deploying a server farm running Office SharePoint Server

2007 using Kerberos authentication.

To confirm that Kerberos authentication is used for accessing the virtual-directory-level shared

services, perform the following procedure:

1. Go to the Shared Services Administration home page.

2. Determine which of your load-balanced front-end Web servers is responding to this request.

3. On the front-end Web server that is responding to the request, run Network Monitor and

apply a capture filter to capture KerberosV5 protocol packets. Using Network Monitor 3.2, this

capture filter would be protocol.KerberosV5.


4. Start a Network Monitor sniff.

5. On the Shared Services Administration site home page, click Search Settings.

6. Confirm that the Search Settings page is displayed.

7. Stop the sniff and examine captured packets. You should see Kerberos protocol packets with

descriptions that are similar to those shown in the following example:

The Sname value in the preceding example (MSSP/mosscrawl:56738/SSP1) is the new-format

SPN being generated and sent to the Kerberos KDC as a result of the changes included in the

Infrastructure Update for Microsoft Office Servers.

Log on to your index server (in the example in this section, the index server is MOSSCRAWL).

Run the event viewer and examine the security log. You should see an entry that is similar to the

data shown in the following table:

Event Type Success Audit

Event Source Security

Event Category Logon/Logoff

Event ID 540

Date 5/6/2008

Time 1:21:04 PM

User MYDOMAIN\sspadminpool

Computer MOSSCRAWL

Description

An example of a successful network logon is depicted in the following table.

User Name sspadminpool

Domain MOSSCRAWL

Logon ID (0x0,0xD84A6)

Logon Type 3

Logon Process Kerberos

Authentication Package Kerberos

Workstation Name

Logon GUID {2f1cccb3-c10d-27e5-9896-0f918e8ad796}

Caller User Name


Caller Domain

Caller Logon ID

Caller Process ID

Transited Services

Source Network Address 192.168.150.100

Source Port 1513
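The following PowerShell functions are an added example, not part of this guide; they apply the criteria of the two event-log checks above (the root-level check on MOSSQUERY and the virtual-directory-level check on MOSSCRAWL) to Event ID 540 records: a network logon (Logon Type 3) with the Kerberos authentication package for the expected account. The two event descriptions are constructed to mirror the guide's tables; Get-LiveKerberosLogons assumes Windows PowerShell 2.0 or later on the server being checked.

```powershell
# Added example (not from the deployment guide): filter Security log records the
# way the manual checks above do, so a fallback to NTLM is not mistaken for success.

function ConvertFrom-LogonDescription {
    param([string]$Message)
    # Event 540 descriptions are "Field: Value" lines; collect them into a hashtable.
    $fields = @{}
    foreach ($line in ($Message -split '\r?\n')) {
        if ($line -match '^\s*([^:]+?):\s*(.*?)\s*$') { $fields[$matches[1]] = $matches[2] }
    }
    return $fields
}

function Test-KerberosNetworkLogon {
    param([hashtable]$Fields, [string]$ExpectedUser)
    # The guide's success criteria: Logon Type 3 and Authentication Package Kerberos
    # for the account that rendered the page (pscexec and sspadminpool in the examples).
    return ($Fields['Logon Type'] -eq '3') -and
           ($Fields['Authentication Package'] -eq 'Kerberos') -and
           ($Fields['User Name'] -eq $ExpectedUser)
}

function Get-LiveKerberosLogons {
    param([string]$ExpectedUser, [int]$Newest = 500)
    # Event ID 540 is the Windows Server 2003 network logon event the guide shows;
    # Windows Server 2008 and later record the same logon as Event ID 4624.
    Get-EventLog -LogName Security -Newest $Newest |
        Where-Object { $_.EventID -eq 540 } |
        Where-Object { Test-KerberosNetworkLogon (ConvertFrom-LogonDescription $_.Message) $ExpectedUser }
}

# Constructed sample descriptions with the same fields as the guide's tables.
$kerberosSample = @"
Successful Network Logon:
    User Name:    pscexec
    Domain:       MYDOMAIN
    Logon ID:     (0x0,0x7252B10)
    Logon Type:   3
    Logon Process:    Kerberos
    Authentication Package:   Kerberos
    Workstation Name:
    Source Network Address:   192.168.100.100
    Source Port:  1964
"@

# Constructed counter-example: the same account, but authenticated with NTLM.
$ntlmSample = @"
Successful Network Logon:
    User Name:    pscexec
    Domain:       MYDOMAIN
    Logon ID:     (0x0,0x7252C00)
    Logon Type:   3
    Logon Process:    NtLmSsp
    Authentication Package:   NTLM
    Workstation Name:     MOSSADMIN
    Source Network Address:   192.168.100.100
    Source Port:  1965
"@

# The Kerberos sample satisfies the check; the NTLM sample does not.
Test-KerberosNetworkLogon (ConvertFrom-LogonDescription $kerberosSample) 'pscexec'
Test-KerberosNetworkLogon (ConvertFrom-LogonDescription $ntlmSample) 'pscexec'
```

On a live server, `Get-LiveKerberosLogons -ExpectedUser 'sspadminpool'` on MOSSCRAWL returns only the records that meet the guide's criteria; an empty result after rendering the Search Settings page means the shared service was reached with NTLM or not at all.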

Configuration limitations

There are a few configuration limitations with respect to utilizing Kerberos authentication for the

SSP infrastructure using the Infrastructure Update for Microsoft Office Servers:

The host name portion of the new-format SPNs that are created will be the NetBIOS name of

the host running the service, for example: MSSP/kerbtest4:56738/SSP1. This is because the

host names are fetched from the Office SharePoint Server 2007 configuration database, and

only NetBIOS computer names are stored in the Office SharePoint Server 2007 configuration

database. This might be ambiguous in certain scenarios. Currently, the Stsadm command-line tool for renaming a server running Office SharePoint Server 2007 cannot be used successfully for this purpose, so there is no workaround for this issue.

Do not use SSP names containing extended characters. An SPN with an SSP name

containing extended characters cannot be selected as the target for delegation. Therefore,

avoid using extended characters in your SSP names.

Additional resources and troubleshooting guidance

Product/technology Resource

Windows Server 2003: Event ID 10017 error messages are logged in the System log after you install Windows SharePoint Services 3.0 (http://go.microsoft.com/fwlink/?LinkId=120456&clcid=0x409)

SQL Server: How to make sure that you are using Kerberos authentication when you create a remote connection to an instance of SQL Server 2005 (http://go.microsoft.com/fwlink/?LinkId=85942&clcid=0x409)

SQL Server: How to troubleshoot the "Cannot generate SSPI context" error message (http://go.microsoft.com/fwlink/?LinkId=82932&clcid=0x409)

SQL Server: How to configure SQL Server 2005 Analysis Services to use Kerberos authentication (http://go.microsoft.com/fwlink/?LinkId=120459&clcid=0x409)

.NET Framework: AuthenticationManager.CustomTargetNameDictionary Property (http://go.microsoft.com/fwlink/?LinkId=120460&clcid=0x409)

Windows Internet Explorer: Internet Explorer 6 cannot use the Kerberos authentication protocol to connect to a Web site that uses a non-standard port in Windows XP and in Windows Server 2003 (http://go.microsoft.com/fwlink/?LinkId=99681&clcid=0x409)

Windows Internet Explorer: Error message in Internet Explorer when you try to access a Web site that requires Kerberos authentication on a Windows XP-based computer: "HTTP Error 401 - Unauthorized: Access is denied due to invalid credentials" (http://go.microsoft.com/fwlink/?LinkId=120462&clcid=0x409)

Kerberos authentication: Kerberos Authentication Technical Reference (http://go.microsoft.com/fwlink/?LinkId=78646&clcid=0x409)

Kerberos authentication: Troubleshooting Kerberos Errors (http://go.microsoft.com/fwlink/?LinkId=93730&clcid=0x409)

Kerberos authentication: Kerberos Protocol Transition and Constrained Delegation (http://go.microsoft.com/fwlink/?LinkId=100941&clcid=0x409)

IIS: Configuring SSL Host Headers (IIS 6.0) (http://go.microsoft.com/fwlink/?LinkId=120463&clcid=0x409)

About the author

Mark Grossbard is a Test Engineer, MOSS Core Test, for Office SharePoint Server at Microsoft.


Run the Best Practices Analyzer tool

You can run the Best Practices Analyzer tool to check for common issues and best security

practices. The tool generates a report that can help you optimize the configuration of your

system. The tool can be run locally or from a server that is not attached to the server farm. To

download the tool, click Microsoft Best Practices Analyzer for Windows SharePoint Services 3.0

and the 2007 Microsoft Office System

(http://go.microsoft.com/fwlink/?LinkID=83335&clcid=0x409).


Configure usage reporting

In this section:

About usage reporting

Configure Windows SharePoint Services usage logging

Enable usage reporting

Activate usage reporting

Monitor usage reporting

About usage reporting

Usage reporting is a service that enables site administrators, site collection administrators, and Shared Services Provider (SSP) administrators to monitor statistics about the use of their sites. Usage reporting also covers search queries; those search usage reports can be viewed by SSP administrators for search and by site collection administrators.

To configure usage reporting, a farm administrator must first enable Windows SharePoint

Services usage logging for the farm that hosts the Web application containing the SSP. The SSP

administrator enables and configures the usage reporting service. Then, site collection

administrators can activate the reporting feature to enable usage reports on the site collection.

After usage reporting is enabled, site administrators and site collection administrators can view

site usage summary pages that have the following information for their sites and site collections:

Requests and queries in the last day and the last 30 days.

Average number of requests per day over the last 30 days.

A chart of requests per day over the last 30 days.

A list of the top page requests over the last 30 days.

A list of top users over the last 30 days.

A chart of top referring hosts over the last 30 days.

A chart of top referring pages over the last 30 days.

A list of top destination pages over the last 30 days.

Top queries for the last 30 days (if search usage reporting is enabled).

Search results top destination pages (if search usage reporting is enabled).

SSP administrators for the search service can view a search usage reports page that tracks the following information:

Number of queries per day over the previous 30 days.

Number of queries per month over the previous 12 months.

Top queries over the previous 30 days.

Top site collections originating queries over the previous 30 days.


Queries per search scope over the previous 30 days.

Site collection administrators for the SSP site can view a usage summary page that tracks the

following information:

Total amount of storage used by the site collection.

Percent of storage space used by Web Discussions.

Maximum storage space allowed.

Number of users for all sites in the hierarchy.

Total hits and recent bandwidth usage across all sites.

Site collection administrators can also view a site usage report that includes monthly and daily

page hit totals filtered by the following criteria:

Page

User

Operating system

Browser

Referrer URL

Usage reporting is very useful for managing complex site hierarchies with many sites, a large number of page hits, and a large number of search queries, and it is recommended that the service be enabled for deployments of complex site hierarchies. For less complex deployments, usage reporting might not be necessary. It is also possible to disable the service temporarily to conserve resources when those resources are needed for other processes.

Enable Windows SharePoint Services usage logging

Before you can enable usage reporting in an SSP, you must first enable Windows SharePoint Services usage logging for the farm hosting the Web application containing the SSP.

Use the following procedure to enable usage logging for the farm.

Enable usage logging for the farm

1. On the Central Administration home page, click Operations.

2. On the Operations page, in the Logging and Reporting section, click Usage analysis

processing.

3. On the Usage Analysis Processing page, in the Logging Settings section, select Enable

logging.

4. Type a log file location and number of log files to create.

5. In the Processing Settings section, select Enable usage analysis processing, and

then select a time to run usage processing.

6. Click OK.

For information about how to perform this procedure using the Stsadm command-line


tool, see Usage Analysis: Stsadm properties (http://technet.microsoft.com/en-

us/library/cc263478.aspx).

Enable usage reporting

After Windows SharePoint Services usage logging is enabled in the server farm, SSP

administrators must enable the usage reporting service. SSP administrators can control the

complexity of usage analysis processing, and select whether or not reporting is enabled for

search queries.

Use the following procedure to enable usage reporting.

Enable usage reporting

1. On the SSP home page, in the Office SharePoint Usage Reporting section, click

Usage reporting.

2. On the Configure Advanced Usage Analysis Processing page, in the Processing

Settings section, click Enable advanced usage analysis processing.

3. In the Search Query Logging section, select Enable search query logging.

4. Click OK.

If advanced usage analysis processing is not selected, usage reporting statistics will be minimal.

For information about how to perform this procedure using the Stsadm command-line tool, see

Usage Analysis: Stsadm properties (http://technet.microsoft.com/en-us/library/cc263478.aspx).

Activate usage reporting

After usage reporting is enabled for the SSP, site collection administrators must activate the

reporting feature. Until the reporting feature is activated on a site collection, usage reports are not

available.

Use the following procedure to activate the reporting feature.

Activate the reporting feature

1. On the Site Actions menu, click Site Settings.

2. On the Site Settings page, in the Site Collection Administration section, click Site

collection features.

3. On the Site Collection Features page, click the Activate button for the Reporting feature.

For information about how to perform this procedure using the Stsadm command-line

tool, see Usage Analysis: Stsadm properties (http://technet.microsoft.com/en-

us/library/cc263478.aspx).


Monitor usage reporting

Usage reporting can be viewed in several places:

Site administrators, including administrators of the SSP administration site, can view usage

reporting for their site by clicking Site usage reports in the Site Administration section of

the Site Settings page.

Site collection administrators can view usage reporting by clicking Site collection usage

reports in the Site Collection Administration section of the Site Settings page.

Site collection administrators for the SSP administration site can view a usage summary by

clicking Usage summary in the Site Collection Administration section of the Site Settings

page.

SSP administrators for search can view search usage reports by clicking Search usage

reports in the Search section of the SSP home page.

For information about how to perform this procedure using the Stsadm command-line tool,

see Usage Analysis: Stsadm properties (http://technet.microsoft.com/en-

us/library/cc263478.aspx).


V. Deploy and configure SharePoint sites



Chapter overview: Deploy and configure SharePoint sites

After you have installed Microsoft Office SharePoint Server 2007, configured shared services,

and performed the other configuration tasks for your servers, you are ready to begin creating

SharePoint sites.

In this chapter:

Create or extend Web applications: SharePoint sites are hosted by Web applications, so you

must create one or more Web applications before you can create any sites. This section

covers how to create a Web application, or how to extend a Web application to host the same

content as another Web application.

Create zones for Web applications: Each Web application can have as many as five zones,

and each zone can have a different authentication method. A default zone is automatically

created when you create a Web application. This section helps you configure any additional

zones you need.

Configure alternate access mapping: Alternate access mapping enables you to assign

different URLs to the same site (for example, you can configure access via the HTTP protocol

for internal users and via the HTTPS protocol for external users). Alternate access mapping

settings are configured per zone at the Web application level. Although the settings can be

configured at any time, it is useful to configure alternate access mapping before you create

your SharePoint sites. This section helps you configure alternate access mapping for a Web

application.

Create quota templates: Quota templates enable you to set a limit on how large a site

collection can become. This section helps you configure the quota templates that you want to

use for any site collections you create.

Create a site collection: After you have configured the settings that the previous articles

describe, you can create a site collection. This section helps you create a site collection from

Central Administration and assign primary and secondary owners. If you want to allow users

to create their own sites, you need to configure Self-Service Site Management for the Web

application. For more information about choosing a method to use for site creation, see Plan

process for creating sites (http://technet.microsoft.com/en-us/library/cc263483.aspx).

Create a blank site to migrate content into: If you are moving a site collection from one Web

application or server farm to another, or using the content deployment features to deploy an

existing site collection to a new site collection on a different server farm or Web application,

you need to create a blank site collection as the destination for the content. This section

helps you create a blank site collection, either for migrating sites or for content deployment.

Add site content: After you have created your site collection, you can begin adding site

content. This section provides links to information that can help you add content to your sites.


Enable access for end users: After you have created your site, you can add users and grant

them access to the site. This section helps you add users to a site collection.


Create or extend Web applications

Before you can create a site or a site collection, you must first create a Web application. A Web application consists of an Internet Information Services (IIS) site with a unique application pool and can be assigned to an SSP (Shared Services Provider) to enable features such as InfoPath Forms Services, Excel Calculation Services, and Workflows.

In this section:

Create a new Web application

Extend an existing Web application

Create a new Web application

Create a new Web application

1. Click the Start button, point to All Programs, then point to Microsoft Office Server, and

then click SharePoint 3.0 Central Administration.

2. On the Central Administration home page, click Application Management.

3. On the Application Management page, in the SharePoint Web Application

Management section, click Create or extend Web application.

4. On the Create or Extend Web Application page, in the Adding a SharePoint Web

Application section, click Create a new Web application.

5. On the Create New Web Application page, in the IIS Web Site section, you can configure

the settings for your new Web application.

a. To use an existing Web site, select Use an existing Web site, and specify the Web site on which to install your new Web application by selecting it from the drop-down menu.

b. To create a new Web site, select Create a new IIS Web site, and type the name of the Web site in the Description box.

c. In the Port box, type the port number you want to use to access the Web application.

If you are creating a new Web site, this field is populated with a suggested port

number. If you are using an existing Web site, this field is populated with the current

port number.

d. In the Host Header box, type the URL you wish to use to access the Web

application. This is an optional field.

e. In the Path box, type the path to the site directory on the server. If you are creating a

new Web site, this field is populated with a suggested path. If you are using an

existing Web site, this field is populated with the current path.

6. In the Security Configuration section, configure authentication and encryption for your

Web application.


a. In the Authentication Provider section, choose either Negotiate (Kerberos) or

NTLM.

b. In the Allow Anonymous section, choose Yes or No. If you choose to allow

anonymous access, this enables anonymous access to the Web site using the

computer-specific anonymous access account (that is, IUSR_<computername>).

c. In the Use Secure Sockets Layer (SSL) section, select Yes or No. If you choose to

enable SSL for the Web site, you must configure SSL by requesting and installing an

SSL certificate.

7. In the Load Balanced URL section, type the URL for the domain name for all sites that

users will access in this Web application. This URL domain will be used in all links shown

on pages within the Web application. By default, the box is populated with the current

server name and port.

The Zone box is automatically set to Default for a new Web application, and cannot be

changed from this page. To change the zone for a Web application, see Extend an

existing Web application later in this section.

8. In the Application Pool section, choose whether to use an existing application pool or

create a new application pool for this Web application. To use an existing application

pool, select Use existing application pool. Then select the application pool you wish to

use from the drop-down menu.

a. To create a new application pool, select Create a new application pool.

b. In the Application pool name box, type the name of the new application pool, or

keep the default name.

c. In the Select a security account for this application pool section, select

Predefined to use an existing application pool security account, and then select the

security account from the drop-down menu.

d. Select Configurable to use an account that is not currently being used as a security

account for an existing application pool. In the User name box, type the user name

of the account you wish to use, and type the password for the account into the

Password box.

9. In the Reset Internet Information Services section, choose whether to allow Windows

SharePoint Services to restart IIS on other farm servers. The local server must be

restarted manually for the process to finish. If this option is not selected and you have

more than one server in the farm, you must wait until the IIS Web site is created on all

servers and then run iisreset /noforce on each Web server. The new IIS site is not

usable until that action is completed. The choices are unavailable if your farm only

contains a single server.

10. Under Database Name and Authentication, choose the database server, database

name, and authentication method for your new Web application.


Item Action

Database Server: Type the name of the database server and SQL Server instance you want to use in the format <SERVERNAME\instance>. You may also use the default entry.

Database Name: Type the name of the database, or use the default entry.

Database Authentication: Choose whether to use Windows authentication (recommended) or SQL authentication.

If you want to use Windows authentication, leave this option selected.

If you want to use SQL authentication, select SQL authentication. In the Account box, type the name of the account you want the Web application to use to authenticate to the SQL Server database, and then type the password in the Password box.

11. Click OK to create the new Web application, or click Cancel to cancel the process and return to the Application Management page.

Extend an existing Web application

You can extend an existing Web application if you need to have separate IIS Web sites that expose the same content to users. This is typically used for extranet deployments where different users access content using different domains. This option reuses the content database from an existing Web application.

Extend an existing Web application

1. Click the Start button, point to All Programs, then point to Microsoft Office Server, and then click SharePoint 3.0 Central Administration.

2. On the Central Administration home page, click Application Management.

3. On the Application Management page, in the SharePoint Web Application Management section, click Create or extend Web application.

4. On the Create or extend Web application page, in the Adding a SharePoint Web Application section, click Extend an existing Web application.


5. On the Extend Web Application to Another IIS Web Site page, in the Web Application section, click the Web application link and then click Change Web application.

6. On the Select Web Application page, click the Web application you want to extend.

7. On the Extend Web Application to Another IIS Web Site page, in the IIS Web Site section, you can select Use an existing IIS Web site to use a Web site that has already been created, or you can choose to leave Create a new IIS Web site selected. The Description, Port, and Path boxes are populated for either choice. You can choose to use the default entries or type the information you want into the boxes.

8. In the Security Configuration section, configure authentication and encryption for the extended Web application.

a. In the Authentication Provider section, choose either Negotiate (Kerberos) or NTLM.

b. In the Allow Anonymous section, choose Yes or No. If you choose to allow anonymous access, this enables anonymous access to the Web site using the computer-specific anonymous access account (that is, IUSR_<computername>).

c. In the Use Secure Sockets Layer (SSL) section, select Yes or No. If you choose to enable SSL for the Web site, you must configure SSL by requesting and installing an SSL certificate.

9. Under Load Balanced URL, type the URL for the domain name for all sites that users will access in this Web application. This URL domain will be used in all links shown on pages within the Web application. By default, the text box is populated with the current server name and port.

10. In the Load Balanced URL section, under Zone, select the zone for the extended Web application from the drop-down menu. You can choose Intranet, Internet, Custom, or Extranet.

11. Click OK to extend the Web application, or click Cancel to cancel the process and return to the Application Management page.

For information about how to perform this procedure using the Stsadm command-line tool, see Extendvs: Stsadm operation (http://technet.microsoft.com/en-us/library/cc263040.aspx).


Configure alternate access mapping

Each Web application can be associated with a collection of mappings between internal and public URLs. Both internal and public URLs consist of the protocol and domain portion of the full URL (for example, https://www.fabrikam.com). A public URL is what users type to get to the SharePoint site, and that URL is what appears in the links on the pages. Internal URLs are in the URL requests that are sent to the SharePoint site. Many internal URLs can be associated with a single public URL in multi-server farms (for example, when a load balancer routes requests to specific IP addresses to various servers in the load-balancing cluster).

Each Web application supports five collections of mappings per URL; the five collections correspond to five zones (default, intranet, extranet, Internet, and custom). When the Web application receives a request for an internal URL in a particular zone, links on the pages returned to the user have the public URL for that zone. For more information, see Plan alternate access mappings (http://technet.microsoft.com/en-us/library/cc261814.aspx).

Manage alternate access mappings

1. On the top navigation bar, click Operations.

2. On the Operations page, in the Global Configuration section, click Alternate access mappings.

For information about how to perform this procedure using the Stsadm command-line tool, see Addalternatedomain: Stsadm operation (http://technet.microsoft.com/en-us/library/cc263437.aspx).

Add an internal URL

1. On the Alternate Access Mappings page, click Add Internal URLs.

2. If the mapping collection that you want to modify is not specified, then choose one. In the Alternate Access Mapping Collection section, click Change alternate access mapping collection on the Alternate Access Mapping Collection menu.

3. On the Select an Alternate Access Mapping Collection page, click a mapping collection.

4. In the Add internal URL section, in the URL protocol, host and port box, type the new internal URL (for example, https://www.fabrikam.com).

5. In the Zone list, click the zone for the internal URL.

6. Click Save.

For information about how to perform this procedure using the Stsadm command-line tool, see Addpath: Stsadm operation (http://technet.microsoft.com/en-us/library/cc263161.aspx).


Edit or delete an internal URL

Note:

You cannot delete the last internal URL for the default zone.

1. On the Alternate Access Mappings page, click the internal URL that you want to edit or delete.

2. In the Edit internal URL section, modify the URL in the URL protocol, host and port box.

3. In the Zone list, click the zone for the internal URL.

4. Do one of the following:

Click Save to save your changes.

Click Cancel to discard your changes and return to the Alternate Access Mappings page.

5. Click Delete to delete the internal URL.

Edit public URLs

Note:

There must always be a public URL for the default zone.

1. On the Alternate Access Mappings page, click Edit Public URLs.

2. If the mapping collection that you want to modify is not specified, then choose one. In the Alternate Access Mapping Collection section, click Change alternate access mapping collection on the Alternate Access Mapping Collection menu.

3. On the Select an Alternate Access Mapping Collection page, click a mapping collection.

4. In the Public URLs section, you may add new URLs or edit existing URLs in any of the following text boxes:

Default

Intranet

Extranet

Internet

Custom

5. Click Save.

Map to an external resource

You can also define mappings for resources outside internal Web applications. To do so, you must supply a unique name, initial URL, and a zone for that URL. (The URL must be unique to the farm.)

1. On the Alternate Access Mappings page, click Map to External Resource.

2. On the Create External Resource Mapping page, in the Resource Name box, type a unique name.


3. In the URL protocol, host and port box, type the initial URL.

4. Click Save.
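The mapping behaviour described at the start of this section (internal URL received in a zone, links rewritten to that zone's public URL) together with the two constraints noted in the edit and delete procedures, as an added Python model that is not Office SharePoint Server code. Class and method names are illustrative assumptions; the sample farm (www.fabrikam.com, portal.fabrikam.com, SP-WEB-01/02) is constructed.

```python
"""Model of one alternate access mapping collection, as described in this section.

Added example, not Office SharePoint Server code; names are illustrative assumptions.
"""
from typing import Dict, Optional, Tuple
from urllib.parse import urlsplit

ZONES = ("default", "intranet", "extranet", "internet", "custom")


def protocol_and_host(url: str) -> str:
    """Reduce a URL to its protocol and domain portion (for example https://www.fabrikam.com)."""
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https") or not parts.netloc:
        raise ValueError(f"not an absolute http(s) URL: {url!r}")
    return f"{parts.scheme}://{parts.netloc}".lower()


class AlternateAccessMappings:
    """One public URL per zone, and any number of internal URLs mapped to a zone."""

    def __init__(self, default_public_url: str) -> None:
        self.public: Dict[str, str] = {}    # zone -> public URL
        self.internal: Dict[str, str] = {}  # internal URL -> zone
        self.set_public_url("default", default_public_url)

    def set_public_url(self, zone: str, url: str) -> None:
        if zone not in ZONES:
            raise ValueError(f"unknown zone {zone!r}; expected one of {ZONES}")
        base = protocol_and_host(url)
        owner = self.internal.get(base)
        if owner is not None and owner != zone:
            raise ValueError(f"{base} is already mapped to the {owner} zone")
        self.public[zone] = base
        # Modeled here: the public URL is also an internal URL of its zone, so the
        # default zone always keeps at least one internal URL.
        self.internal[base] = zone

    def remove_public_url(self, zone: str) -> None:
        if zone == "default":
            raise ValueError("there must always be a public URL for the default zone")
        self.public.pop(zone, None)

    def add_internal_url(self, url: str, zone: str) -> None:
        base = protocol_and_host(url)
        if base in self.internal:
            raise ValueError(f"{base} is already mapped to the {self.internal[base]} zone")
        if zone not in self.public:
            # Assumption: a zone needs a public URL before internal URLs can target it,
            # otherwise there is nothing to rewrite links to.
            raise ValueError(f"zone {zone!r} has no public URL")
        self.internal[base] = zone

    def delete_internal_url(self, url: str) -> None:
        base = protocol_and_host(url)
        zone = self.internal.get(base)
        if zone is None:
            raise ValueError(f"{base} is not an internal URL in this collection")
        if zone == "default" and list(self.internal.values()).count("default") == 1:
            raise ValueError("cannot delete the last internal URL for the default zone")
        del self.internal[base]

    def resolve(self, request_url: str) -> Optional[Tuple[str, str]]:
        """Zone that received the request and the public URL used for links on the page."""
        zone = self.internal.get(protocol_and_host(request_url))
        if zone is None:
            return None
        return zone, self.public[zone]

    def rewrite_link(self, request_url: str, link_path: str) -> str:
        """Absolute link as it appears on a page returned for request_url."""
        resolved = self.resolve(request_url)
        if resolved is None:
            raise ValueError(f"no alternate access mapping for {request_url!r}")
        return resolved[1] + link_path


def demo() -> dict:
    """Constructed sample: two Web servers behind a load balancer serving the intranet zone."""
    aam = AlternateAccessMappings("https://www.fabrikam.com")
    aam.set_public_url("intranet", "http://portal.fabrikam.com")
    aam.add_internal_url("http://SP-WEB-01", "intranet")  # load balancer targets
    aam.add_internal_url("http://SP-WEB-02", "intranet")
    results = {
        "internet_link": aam.rewrite_link("https://www.fabrikam.com/Pages/default.aspx", "/Pages/default.aspx"),
        "intranet_link": aam.rewrite_link("http://sp-web-02/sites/hr/default.aspx", "/sites/hr/default.aspx"),
        "unmapped": aam.resolve("http://sp-web-03/"),
    }
    try:  # only internal URL of the default zone
        aam.delete_internal_url("https://www.fabrikam.com")
        results["default_internal_protected"] = False
    except ValueError:
        results["default_internal_protected"] = True
    try:
        aam.remove_public_url("default")
        results["default_public_protected"] = False
    except ValueError:
        results["default_public_protected"] = True
    return results
```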


Create zones for Web applications

If your solution architecture includes Web applications with more than one zone, use the guidance in this section to create additional zones.

Create a new zone

You can create a new zone by extending an existing Web application. Follow the "Extend an existing Web application" procedure in Create or extend Web applications to create a new zone. The new zone is created when you select a zone in step 10 of the procedure.

Refer to your planning architecture documents and worksheets to determine which zones you need to create and what authentication method should be associated with each zone.

You can change the authentication provider for a zone on the Authentication Providers page. For more information, see Plan authentication methods (http://technet.microsoft.com/en-us/library/cc262350.aspx).

View existing zones

On the Alternate Access Mappings page, you can view the zones that have been created for your farm.

1. Click the Start button, point to All Programs, then point to Microsoft Office Server, and then click SharePoint 3.0 Central Administration.

2. On the Central Administration home page, click Operations.

3. On the Operations page, in the Global Configuration section, click Alternate access mappings.

On the Alternate Access Mappings page, each Web application is displayed with its associated zone.

For information about how to perform this procedure using the Stsadm command-line tool, see Enumalternatedomains: Stsadm operation.

See Also

Create or extend Web applications

Configure alternate access mapping

Plan authentication methods (http://technet.microsoft.com/en-us/library/cc262350.aspx)


Create quota templates

In this section:

Create a new quota template

Edit an existing quota template

Delete a quota template

A quota template consists of storage limit values that specify how much data can be stored in a site collection and the storage size that triggers an e-mail alert to the site collection administrator when that size is reached. You can create a quota template that can be applied to any site collection in the farm.

Note:

When you apply a quota template to a site collection, the storage limit applies to the site collection as a whole. In other words, the storage limit applies to the sum of the content sizes for the top-level site and all subsites within the site collection.

You can also modify existing quota templates. When a quota template is modified, the new storage limits you defined in the template will apply to any new site collection you create that uses that quota template. However, existing site collections to which the quota template has been previously applied will not be automatically updated to reflect the new storage limits.
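The two behaviours just described (the limit counts the top-level site plus all subsites, and template values are copied into a site collection when applied, so later template edits do not reach existing site collections), as an added Python model that is not Office SharePoint Server code. Class names, the sample template and the site sizes are constructed for illustration.

```python
"""Quota template behaviour as described in this section (added example, not product code)."""
from dataclasses import dataclass, field
from typing import Dict, Optional


@dataclass
class QuotaTemplate:
    name: str
    storage_limit_mb: Optional[int] = None  # "Limit site storage to a maximum of"
    warning_mb: Optional[int] = None        # "Send warning E-mail when site storage reaches"

    def __post_init__(self) -> None:
        # Assumption for this model: a warning threshold above the hard limit could never fire.
        if (self.warning_mb is not None and self.storage_limit_mb is not None
                and self.warning_mb > self.storage_limit_mb):
            raise ValueError("warning threshold must not exceed the storage limit")


@dataclass
class SiteCollection:
    url: str
    site_sizes_mb: Dict[str, int] = field(default_factory=dict)  # site URL -> content size in MB
    quota_template: Optional[str] = None
    storage_limit_mb: Optional[int] = None
    warning_mb: Optional[int] = None

    def apply_quota_template(self, template: QuotaTemplate) -> None:
        """Copy the template's current values; later edits to the template do not propagate."""
        self.quota_template = template.name
        self.storage_limit_mb = template.storage_limit_mb
        self.warning_mb = template.warning_mb

    def total_size_mb(self) -> int:
        """Sum over the top-level site and all subsites, which is what the limit applies to."""
        return sum(self.site_sizes_mb.values())

    def status(self) -> str:
        total = self.total_size_mb()
        if self.storage_limit_mb is not None and total > self.storage_limit_mb:
            return "limit exceeded"
        if self.warning_mb is not None and total >= self.warning_mb:
            return "warning e-mail"  # sent to the site collection administrator
        return "ok"


def demo() -> dict:
    """Constructed sample: one existing site collection, then the template is raised."""
    template = QuotaTemplate("Team sites", storage_limit_mb=500, warning_mb=400)
    existing = SiteCollection("/sites/hr", {"/sites/hr": 120, "/sites/hr/benefits": 200,
                                            "/sites/hr/recruiting": 100})
    existing.apply_quota_template(template)
    existing_status = existing.status()
    template.storage_limit_mb = 1000  # administrator edits the template afterwards
    new = SiteCollection("/sites/legal", {"/sites/legal": 50})
    new.apply_quota_template(template)
    return {"existing_total": existing.total_size_mb(), "existing_status": existing_status,
            "existing_limit": existing.storage_limit_mb, "new_limit": new.storage_limit_mb}
```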

Create a new quota template

1. Click the Start button, point to All Programs, then point to Microsoft Office Server, and then click SharePoint 3.0 Central Administration.

2. On the Central Administration home page, click Application Management.

3. On the Application Management page, in the SharePoint Site Management section, click Quota templates.

4. On the Quota Templates page, in the Template Name section, select Create a new quota template.

5. Type the name of the new template in the New template name box.

If you want to base your new template on an existing quota template, click the Template to start from down arrow and select the desired template from the drop-down menu.

6. In the Storage Limit Values section, set the values you want to apply to the template.

a. If you want to restrict the amount of data that can be stored, click the Limit site storage to a maximum of check box and type the storage limit in megabytes into the text box.

b. If you want an e-mail to be sent to the site collection administrator when a certain storage threshold is reached, click the Send warning E-mail when site storage reaches check box and type the threshold in megabytes into the text box.


7. Click OK to create the new quota template, or click Cancel to cancel the operation and return to the Application Management page.

Edit an existing quota template

1. Click the Start button, point to All Programs, then point to Microsoft Office Server, and then click SharePoint 3.0 Central Administration.

2. On the Central Administration home page, click Application Management.

3. On the Application Management page, in the SharePoint Site Management section, click Quota templates.

4. In the Template Name section, click the Template to modify down arrow and select the template you want to edit from the drop-down menu.

5. In the Storage Limit Values section, set the values you want to apply to the template.

a. If you want to restrict the amount of data that can be stored, click the Limit site storage to a maximum of check box and type the storage limit in megabytes into the text box.

b. If you want an e-mail to be sent to the site collection administrator when a certain storage threshold is reached, click the Send warning E-mail when site storage reaches check box and type the threshold in megabytes into the text box.

6. Click OK to modify the quota template, or click Cancel to cancel the operation and return to the Application Management page.

Delete a quota template

1. Click the Start button, point to All Programs, then point to Microsoft Office Server, and then click SharePoint 3.0 Central Administration.

2. On the Central Administration home page, click Application Management.

3. On the Application Management page, in the SharePoint Site Management section, click Quota templates.

4. In the Template Name section, click the Template to modify down arrow and select the template you want to delete from the drop-down menu.

5. Click the Delete button.

6. Click OK on the dialog box that appears to delete the quota template.


Create a site collection

When you create a site collection, you also create the top-level site within that site collection. Select the appropriate template for your scenario, such as: Publishing Portal for an Internet presence Web site, or Collaboration Portal for an Intranet portal Web site.

Create a site collection

1. On the top navigation bar, click Application Management.

2. On the Application Management page, in the SharePoint Site Management section, click Create site collection.

3. On the Create Site Collection page, in the Web Application section, if the Web application in which you want to create the site collection is not selected, click Change Web Application on the Web Application menu, and then on the Select Web Application page, click the Web application in which you want to create the site collection.

4. In the Title and Description section, type the title and description for the site collection.

5. In the Web Site Address section, under URL, select the path to use for your URL (such as an included path like /sites/ or the root directory, /).

If you select a wildcard inclusion path, such as /sites/, you must also type the site name to use in your site's URL.

Note:

The paths available for the URL option are taken from the list of managed paths that have been defined as wildcard inclusions. For more information about managed paths, see Define managed paths in the Central Administration Help (http://technet.microsoft.com/en-us/library/cc263179.aspx) system.

6. In the Template Selection section, in the Select a template list, select the template that you want to use for the top-level site in the site collection.

7. In the Primary Site Collection Administrator section, enter the user name (in the form DOMAIN\username) for the user who will be the site collection administrator.

8. If you want to identify a user as the secondary owner of the new top-level Web site (recommended), in the Secondary Site Collection Administrator section, enter the user name for the secondary administrator of the site collection.

9. If you are using quotas to limit resource use for site collections, in the Quota Template section, click a template in the Select a quota template list.


10. Click OK.

For information about how to perform this procedure by using the Stsadm command-line tool, see Createsite: Stsadm operation (http://technet.microsoft.com/en-us/library/cc262594.aspx).


Create a blank site to migrate content into

You must create the site collection that is assigned as the destination for content migration by using the Blank Site template.

Create a site collection

Create a site collection by using the Blank Site template

1. In Central Administration, on the top link bar, click Application Management.

2. On the Application Management page, in the SharePoint Site Management section, click Create site collection.

3. On the Create Site Collection page, in the Web Application section, if the Web application in which you want to create the site collection is not selected, on the Web Application menu, click Change Web Application.

4. On the Select Web Application page, click the Web application in which you want to create the site collection.

5. In the Title and Description section, type the title and description for the site collection.

6. In the Web Site Address section, under URL, select either the root directory ("/") or an included path (for example, "/sites/") to use for your URL.

If you select a wildcard included path such as /sites/, type the site name to use in your site's URL.

Note:

The paths available for the URL option are taken from the list of managed paths that have been defined as wildcard inclusions. For more information about managed paths, see the topic Define managed paths in the Central Administration Help (http://technet.microsoft.com/en-us/library/cc263179.aspx) system.

7. In the Template Selection section, in the Select a template list, on the Collaboration tab, click Blank Site.

8. In the Primary Site Collection Administrator section, specify the user name for the user who will be the site collection administrator.

You can type the user name in the User name box or use the Browse button to search for a user.

9. If you want to designate a user as the secondary administrator of the new top-level Web site (recommended), in the Secondary Site Collection Administrator section, specify the user name for the secondary administrator of the site collection.

10. If you want to use a quota to limit resource use for site collections, in the Quota Template section, select a template in the Select a quota template list.

11. Click OK.

For information about how to perform this procedure using the Stsadm command-line tool, see Createsite: Stsadm operation (http://technet.microsoft.com/en-us/library/cc262594.aspx) and Addpath: Stsadm operation (http://technet.microsoft.com/en-us/library/cc263161.aspx).


Add site content

In this section:

Use Web site designers to design and add content

Migrate content from another site

Allow users to add content directly

There are several methods that you can use to add content to sites, including:

Using Web site designers to design and add content.

Migrating content from another site.

Allowing users to add content directly.

Depending on your scenario, you may find particular methods more appropriate.

Use Web site designers to design and add content when you are working with:

A published intranet portal site

A published Internet Web site

Migrate content from another site when you are working with:

A published Internet site in which authors create content in the authoring site. After you migrate content, you use content deployment to deploy the content to the production site.

A site or set of sites that is being reorganized.

Allow users to add content directly when you are working with:

A collaboration site in which the site owner can create the lists and libraries that are needed, and then grant site members access so that they can begin contributing content.

A blog site in which the blog owner can set up the structure for the blog, and then start creating posts.

A wiki site in which the wiki site owner can grant access to users and the users can start creating topics in the wiki.

Use Web site designers to design and add content

When you create a published site, Web site owners and designers must plan and implement many elements, such as site navigation, site design (including master pages, page layouts, and .css files), and the overall information architecture for the site. For more information about planning for these elements, see Planning and architecture for Office SharePoint Server 2007 (http://technet.microsoft.com/en-us/library/cc261834.aspx).

Follow the steps in Enable access for end users to give the Web site designers permissions to the site. When they have completed their work, you can then optionally grant access to authors to contribute content before you grant access to the other users in your organization or before you make the site available to the public on the Internet.


Migrate content from another site

When you are using a published site, you can author content in one site collection and then publish it to another. For this scenario, you must create a blank site collection to migrate the content into. For more information, see Create a blank site to migrate content into.

If you are reorganizing an existing site and need to migrate content to a different site collection, you can use several methods to migrate the content. You can use:

The Export and Import operations for the Stsadm command-line tool to migrate site collections or subsites.

For more information about using Stsadm operations, see the following resources:

Export: Stsadm operation (http://technet.microsoft.com/en-us/library/cc262759.aspx)

Import: Stsadm operation (http://technet.microsoft.com/en-us/library/cc261866.aspx)

The Content Migration object model to programmatically move content at any level in the site (Web site, list, library, folder, file, or list item).

For more information about using the Content Migration object model, see "Content Migration Overview" in the Windows SharePoint Services 3.0 Software Development Kit (http://go.microsoft.com/fwlink/?LinkId=86999&clcid=0x409).

Microsoft Office SharePoint Designer 2007 to migrate individual lists or libraries to the appropriate place in the new site hierarchy.

For more information about using Office SharePoint Designer 2007, see the following articles in the Office SharePoint Designer 2007 Help system:

Export or import a Web package (http://go.microsoft.com/fwlink/?LinkId=87002&clcid=0x409)

Back up, restore, or move a SharePoint site (http://go.microsoft.com/fwlink/?LinkId=87003&clcid=0x409)

Allow users to add content directly

If you want your site owners to begin adding content directly to a site, you can immediately grant them access and allow them to control the site's organization and design.

Follow the steps in Enable access for end users to give your end users permissions to the site. After you grant permissions, users can begin adding content. For more information about adding content to sites, see the Help system for Microsoft Office SharePoint Server 2007.


Enable access for end users

In this section:

Add site collection administrators

Add site owners or other users

After you create your site collection and populate it with content, you are ready to grant access to end users. This section helps you configure administrative and user permissions for a site collection. Note that you can also configure permissions for the following securable objects within a site collection: site, list, library, folder, document, or item. For more information about assigning permissions for different securable objects within a site collection, see Plan site security (http://technet.microsoft.com/en-us/library/cc262778.aspx).

In Microsoft Office SharePoint Server 2007, you can enable access to the site collection by using different methods, based on the type of site collection. The following list describes some examples of these methods:

If this is a published site collection intended for an Internet audience, you can publish it to the blank site collection that you created as a destination by using the content deployment features. After you publish it, you can then configure the appropriate permissions for the new environment. For more information about publishing a site collection by using content deployment, see Plan content deployment (http://technet.microsoft.com/en-us/library/cc263428.aspx) and the Content Deployment topics in the Central Administration Help (http://technet.microsoft.com/en-us/library/cc263179.aspx) system.

If this is a site collection in a development or pilot environment, you can migrate the site collection to your production environment by using import and export, and then configure the appropriate permissions for the new environment. For more information about using import and export, see Export: Stsadm operation (http://technet.microsoft.com/en-us/library/cc262759.aspx) and Import: Stsadm operation (http://technet.microsoft.com/en-us/library/cc261866.aspx).

If this is a site collection intended to facilitate collaboration on the intranet, you can easily add the users and groups that need access to the site collection. This section describes how to perform these actions.

In most cases, these actions are not performed by farm administrators, but are performed by site collection administrators or site owners. Moreover, these steps are performed in the site collection itself, not in Central Administration. (However, you can add site collection administrators by using Central Administration and by using the Site Settings page in the site collection.) Nonetheless, this information is presented in the Deployment Guide because it is truly the final stage of deployment — the stage when the site collection is made available for end users.


This section does not cover how to enable anonymous access. When you create a Web application, you decide whether to allow anonymous access for site collections on that Web application. For more information about anonymous access, see the following resources:

Overview: Plan environment-specific security (http://technet.microsoft.com/en-us/library/cc262974.aspx)

Plan authentication settings for Web applications in Office SharePoint Server (http://technet.microsoft.com/en-us/library/cc263304.aspx)

Choose which security groups to use (http://technet.microsoft.com/en-us/library/cc261972.aspx)

"Enable anonymous access" in the Central Administration Help (http://technet.microsoft.com/en-us/library/cc263179.aspx) system.

Add site collection administrators

When you created the site collection, you were required to supply the user name for at least one site collection administrator. If the user name you supplied was not that for the actual administrator for the site collection — for example, if you did not know who was going to be the actual administrator and you used your own user name — or if you need to change or add a user name for a site collection administrator, you can do so by using the following procedure.

Note:

This procedure uses the Central Administration Web site, but you can also add a site collection administrator from the top-level site in the site collection by using the Site Settings page for the top-level site. On the Site Settings page, in the Users and Permissions section, click Site collection administrators.

Add a site collection administrator

1. In Central Administration, on the top link bar, click Application Management.

2. On the Application Management page, in the SharePoint Site Management section, click Site collection administrators.

3. If the selected site is not the site for which you want to manage administrators, on the Site Collection Administrators page, on the Site Collection menu in the Site Collection section, click Change Site Collection.

In the Select Site Collection dialog box, select the site for which you want to manage administrators.

Click OK.

4. In either the Primary site collection administrator box or the Secondary site collection administrator box, enter the user name of the user to whom you want to assign that role.

5. Click OK.


Add site owners or other users

If you have not yet set up any groups for this site or site collection, you must set up groups before you can add any users to groups. (You can also add users individually, without setting up groups, but if you want to manage users efficiently, we recommend that you use groups.) To specify which group to assign to site visitors, site members, site owners, or other groups, use the following procedure. This procedure helps you set up the default groups, but you can also create additional groups.

Note:

The SiteName Owners group has the Full Control permission level on the site, so you can add users to that group to give them administrative access for that site. For more information about groups and permission levels, see Determine permission levels and groups to use (http://technet.microsoft.com/en-us/library/cc262690.aspx).

Set up Members, Visitors, and Owners groups for a site

1. On the site home page, click the Site Actions menu, point to Site Settings, and then click People And Groups.

2. On the People and Groups page, on the Quick Launch, click Groups.

3. On the People and Groups: All Groups page, on the Settings menu, click Set Up Groups.

4. On the Set Up Groups for this Site page, select a group for each set of users that you want to change. Alternatively, select Create a new group to assign a custom group to a set of users.

After you have configured groups for the site, you can add users and grant them permissions by using the following procedure.

Add users to groups

1. On the site home page, click the Site Actions menu, point to Site Settings, and then click People And Groups.

2. On the People and Groups page, on the Quick Launch, click Groups.

3. Click the name of the group to which you want to add users.

4. On the People and Groups: Group name page, on the New menu, click Add Users.

5. On the Add Users page, type the account names that you want to add, or browse to find users from the Active Directory directory service.

6. In the Give Permission section, be sure that Add users to a SharePoint group is selected and that the correct group is displayed.

Note:

In rare cases, you might want to give individual permissions to a user by clicking Give users permission directly. However, assigning individual permissions to many users can quickly become difficult and time-consuming to manage. We recommend that you use groups as much as possible to efficiently manage site access.

7. Click OK.

For more information about managing users and groups, see "Grant access to the portal site" in the Help system for Office SharePoint Server 2007.