Michael Noel Convergent Computing Twitter: @michaeltnoel New Zealand SPUG Tour Auckland, Tauranga, Napier, Wellington, Christchurch, NZ 14-16 April, 2009.
Post on 05-Jan-2016
Virtualizing SharePoint Components
Building the Perfect SharePoint Farm

Michael Noel
- Author of SAMS Publishing titles SharePoint 2007 Unleashed, the upcoming Teach Yourself SharePoint 2007 in 10 Minutes, SharePoint 2003 Unleashed, Teach Yourself SharePoint 2003 in 10 Minutes, Windows Server 2008 Unleashed, Exchange Server 2007 Unleashed, ISA Server 2006 Unleashed, and many other titles.
- Partner at Convergent Computing (www.cco.com / +1 (510) 444-5700), San Francisco, U.S.A. based infrastructure/security specialists for SharePoint, AD, Exchange and security.
Session Objectives and Agenda
- Examine various SharePoint farm architecture best practices that have developed over the years
- Understand SharePoint virtualisation options
- Dive into specific details for each step in the build process:
  - Server Architecture
  - Hardware
  - Operating System
  - SharePoint Binaries Installation
  - Farm Installation / Adding to Farm
  - Shared Services Provider Configuration
  - Farm Configuration
The goal of the session is to delve through each portion of SharePoint farm installation and configuration, covering the most common deployment methods and techniques.

Architecting the Farm: Various SharePoint Designs

Farm Architecture: All-in-One Farm
- All SharePoint roles and SQL Server on the same box
- For very small environments without a lot of load
- SQL contention with SharePoint
- Easy to deploy, but highest potential for contention
- NOTE: Only the smallest environments use SQL Server Express or SQL Embedded

Farm Architecture: Dedicated SQL Database Server
- Dedicated SQL Server
- All SharePoint roles on a single box
- Disk I/O contention lessened by moving SQL off the SP server
- Greater performance can be gained by breaking SharePoint roles onto separate servers

Farm Architecture: Smallest Highly-Available Farm
- 2 Web/Query/Application/Central Admin/Inbound Email servers
- 1 dedicated Index server (with the Web role to allow it to crawl content)
- 2 SQL Standard Edition cluster nodes (Active/Passive)
- Smallest highly available farm (loss of any one server will not affect functionality)

Farm Architecture: Scalable Farm
- Multiple dedicated Web role servers
- Multiple dedicated Query servers
- Multiple dedicated Application servers
- Dedicated SharePoint Central Admin server(s)
- Single Index server (per Shared Services Provider)
- Multiple-node or multiple-instance SQL Server Enterprise Edition cluster(s)

Virtualised Farm Architecture: Cost-effective Virtual Environment
- Allows organisations that wouldn't normally be able to have a test environment to run one
- Allows for separation of the database role onto a dedicated server
- Can be more easily scaled out in the future

Virtualised Farm Architecture: Fully Redundant Farm with only Two Servers
- High availability across hosts
- All components virtualised
- Uses only two Windows Enterprise Edition licenses

Virtualised Farm Architecture: Best Practice Mixed Virtual/Physical Config with High Performance
- Highest-transaction servers are physical
- Multiple farm support, with DBs for all farms on the SQL cluster
- Only five physical servers total, but high performance

Multiple Hosts Scale Out

Content Database and Site Collection Planning: Distribute by Default
- Start with a distributed architecture of content databases from the beginning, within reason (more than 50 per SQL instance is not recommended)
- Distribute content across site collections from the beginning as well; it is very difficult to extract content after the fact
- Allow your environment to scale and your users to grow into their SharePoint site collections
Sample SP Logical Architecture

Hardware: Planning for the Farm

Hardware Planning Considerations: Disk, Memory, and Processor
- The SQL Database role requires a great deal of space, especially if versioning is turned on in document libraries. Don't underestimate!
- Index and Query servers also need hard drive space to store the index files, which can be 5%-30% of the size of the items being indexed.
- The more memory and processor cores that can be given to SharePoint the better, in the following priority:
  - Database role
  - Index role
  - Web/Query role

Hardware Planning Considerations: Virtualisation
- Windows Server 2008 Hyper-V is an excellent option, and can save money.
- Microsoft supports third-party hypervisors if they are members of the SVVP (KB 897615); this includes VMware and Citrix XenServer. There are some limitations, so consult the KB article.
- Not all roles are the best candidates for virtualisation, depending on the level of disk I/O that is expected. The best candidate for virtualisation is the Web front-end, followed by Query, Application, Index, and finally SQL.

Operating System: Laying the Foundation

Operating System Best Practices: Versions
- Highly recommended: Windows Server 2008 for security, performance (client/server traffic improvements), and ease of setup
- x64 also very highly recommended (the next version of SharePoint is x64 only)
- Enterprise Edition of Windows is only required for very large SQL instances (more than two cluster nodes, high transaction volume, etc.). Standard Edition of Windows is adequate in nearly all other cases.

Operating System Best Practices: SQL Server
- SQL Server 2008 recommended, particularly if you have high security requirements, as it allows for transparent encryption of databases
- SQL Server 2005 also fully supported
- Enterprise Edition of SQL Server is only required for more than two nodes in a cluster, asynchronous database mirror replication, and/or greater than 32 GB RAM
- A separate Reporting Services server may be required for intensive reporting
Operating System Best Practices: Installation, SQL Server
- Install the defaults for Windows Server 2008
- SQL Server:
  - Install SQL Server 2005/2008
  - Install any service packs and updates (e.g. SQL 2005 SP2 / SQL 2008 SP1)
  - Open port 1433 on the Windows Firewall

Operating System Best Practices: Installation, SharePoint Server
- Install the defaults for Windows Server 2008
- SharePoint servers:
  - Add the .NET Framework 3.0 Features from the Add Features wizard
  - Default Windows Firewall settings will work for front-ends
SharePoint Installation: Adding the SharePoint Binaries

SharePoint Installation: Service Accounts
- Never use a single account for all services unless it's a test farm.
- At a minimum, create the following accounts:
  - SQL Admin account
  - Installation account (local admin rights on SP servers)
  - SharePoint Farm Admin (requires SQL DBCreator and SQL Security Admin on the SQL box)
  - Search Admin (requires local admin rights on any Query or Index servers)
  - Default Content Access account (read-only access to all indexed locations)
  - Application Pool Identity account (at least one; can use multiple, one for each app pool). It is critical for security that this isn't the farm admin account.

SharePoint Installation: Installation Process
- For most flexibility, choose Complete Installation, even if not installing all of the roles on the server. This will allow for the addition of roles in the future as needed.
- Be sure not to select Stand-Alone, unless you plan on having a very small farm with a limited database (SQL Server Express).
- Highly recommended to choose the final destination for the Index/Query files during installation (e.g. if it's on a different drive, enter that then). It's difficult to change the index location later.
- Remember, after installing the binaries, the server is not a farm member yet; it can be added to any farm. This is a good way to pre-stage servers.
SharePoint Installation: Command-line Installation of SharePoint
- Good to understand how to install SharePoint from the command line, especially if setting up multiple servers.
- Allows for options not available in the GUI, such as the option to rename the Central Admin database to something easier to understand.
- Use SETUP, PSCONFIG and STSADM to script the install process; check online blogs for details.

Creating a Farm: Using the Configuration Wizard or PSCONFIG

Creating the Farm: Running the Config Wizard to Install Servers
- Consider using an easy-to-remember port for the Central Admin service (e.g. 8888)
- You are welcome to change the Config Database name to match a common naming convention
- Your database access account is the SP service account, which only needs DBCreator and Security Admin rights on SQL. Don't give it more!
- Run the wizard on additional servers as necessary
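The farm account's SQL rights, scripted and then checked. This is an added example, not from the slides: it grants DOMAINNAME\SPFarmAdmin (a placeholder name) exactly the two server roles the slide calls for on SQLSERVER1, then reports any role beyond those two so an over-privileged farm account is caught before the config wizard runs.

```powershell
# Added example (not from the slides): grant the farm admin account only the two SQL
# server roles the slides require (dbcreator, securityadmin) and then verify it holds
# nothing more. SQLSERVER1 is the server name from the slides; DOMAINNAME\SPFarmAdmin
# is a placeholder. The T-SQL used works on SQL Server 2005 and 2008.
$FarmAccount = 'DOMAINNAME\SPFarmAdmin'
$SqlServer   = 'SQLSERVER1'
$Required    = @('dbcreator', 'securityadmin')

$Conn = New-Object System.Data.SqlClient.SqlConnection "Data Source=$SqlServer;Integrated Security=SSPI"
$Conn.Open()
$Cmd = $Conn.CreateCommand()

# Create the Windows login if it does not exist yet, then add exactly the two roles
$Cmd.CommandText = @"
IF NOT EXISTS (SELECT 1 FROM sys.server_principals WHERE name = N'$FarmAccount')
    CREATE LOGIN [$FarmAccount] FROM WINDOWS;
EXEC sp_addsrvrolemember N'$FarmAccount', N'dbcreator';
EXEC sp_addsrvrolemember N'$FarmAccount', N'securityadmin';
"@
[void]$Cmd.ExecuteNonQuery()

# Read back every fixed server role the farm account is a member of
$Cmd.CommandText = @"
SELECT r.name AS [role]
FROM sys.server_role_members m
JOIN sys.server_principals r ON r.principal_id = m.role_principal_id
JOIN sys.server_principals p ON p.principal_id = m.member_principal_id
WHERE p.name = N'$FarmAccount';
"@
$Roles  = @()
$Reader = $Cmd.ExecuteReader()
while ($Reader.Read()) { $Roles += $Reader['role'] }
$Reader.Close()
$Conn.Close()

# Anything outside dbcreator/securityadmin (e.g. sysadmin) is more than the farm needs
$Extra   = $Roles | Where-Object { $Required -notcontains $_ }
$Missing = $Required | Where-Object { $Roles -notcontains $_ }
Write-Host "$FarmAccount roles: $($Roles -join ', ')"
if ($Missing) { Write-Warning "Missing required role(s): $($Missing -join ', ')" }
if ($Extra)   { Write-Warning "Over-privileged, remove: $($Extra -join ', ')" }
if (-not $Missing -and -not $Extra) { Write-Host 'Farm account holds exactly the two required roles.' }
```

Run it as a SQL sysadmin from a farm server; the same query with a different account name audits the other service accounts on the Service Accounts slide.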
Creating the Farm: Using a SQL Alias
- Do yourself a HUGE favor and don't forget to use a SQL Alias when creating the SQL Config Database. For example, if your SQL server name is SQLSERVER1, use something like SPSQL to connect, and have DNS point to the proper server location. This makes it MUCH more flexible.
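The SQL alias from the slide, set from PowerShell instead of cliconfg.exe; an added example, not from the slides. It writes the SPSQL alias pointing at SQLSERVER1 on TCP 1433 into both the 64-bit and 32-bit client registry hives (so 32-bit tools on the same box resolve it too) and then opens a connection through the alias to prove it works.

```powershell
# Added example (not from the slides): create a SQL client alias SPSQL -> SQLSERVER1:1433
# in both the 64-bit and 32-bit client registry hives, then test a connection through it.
# Names are the slides'; run elevated on each SharePoint server before the config wizard.
$AliasName  = 'SPSQL'        # what the SharePoint config wizard is pointed at
$SqlServer  = 'SQLSERVER1'   # real server (or SERVER\INSTANCE) behind the alias
$SqlPort    = 1433           # matches the firewall port opened on the SQL server

# DBMSSOCN selects the TCP/IP network library; the value format is "DBMSSOCN,<server>,<port>"
$AliasValue = "DBMSSOCN,$SqlServer,$SqlPort"

$Hives = @(
    'HKLM:\SOFTWARE\Microsoft\MSSQLServer\Client\ConnectTo',              # 64-bit clients
    'HKLM:\SOFTWARE\Wow6432Node\Microsoft\MSSQLServer\Client\ConnectTo'   # 32-bit clients
)

foreach ($Key in $Hives) {
    if (-not (Test-Path $Key)) { New-Item -Path $Key -Force | Out-Null }
    New-ItemProperty -Path $Key -Name $AliasName -Value $AliasValue -PropertyType String -Force | Out-Null
    # Read the value back so the script shows exactly what each hive resolves the alias to
    $Resolved = (Get-ItemProperty -Path $Key -Name $AliasName).$AliasName
    Write-Host "$Key : $AliasName -> $Resolved"
}

# Connect through the alias with Windows auth; .NET SqlClient resolves the alias from the
# same ConnectTo key that SharePoint's own database connections use.
try {
    $Conn = New-Object System.Data.SqlClient.SqlConnection "Data Source=$AliasName;Integrated Security=SSPI;Connect Timeout=5"
    $Conn.Open()
    Write-Host "Connected via $AliasName to $($Conn.DataSource), SQL Server $($Conn.ServerVersion)"
    $Conn.Close()
} catch {
    Write-Warning "Alias written, but the connection failed: $($_.Exception.Message)"
}
```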
Shared Services Provider: Best Practices

Reviewing SharePoint Architecture: Understanding the Shared Services Provider
- A Shared Services Provider coordinates services that are used by multiple servers in a farm, including:
  - AD Profile Import
  - Enterprise Search (including Index)
  - Business Data Catalog
  - Audiences
  - Excel Services
  - My Sites
  - Usage Reporting
- There can only be one Index per SSP
- Some scenarios where multiple SSPs can be created:
  - If needing to separate indexes from multiple content sources (security reasons)
  - Unique search required for different branches of the organisation
  - If needing to separate My Sites content, including custom settings
  - Global multi-farm SharePoint deployments
SSP Web Applications: Web Application Best Practices
- Recommended to create multiple web applications, even for smaller farms, e.g.:
  - SP Central Admin web app
  - ssp1.companyabc.com
  - mysite.companyabc.com
  - home.companyabc.com
- It is a much more flexible approach to use dedicated web applications. My Site and the root SP site can be combined in certain circumstances, but this is not as flexible.

SSP Web Applications: Web Application Best Practices
- Consider using unique host headers when creating the web applications, even if you will separate by IP later. This helps when provisioning new web front-ends.
- For the SSP and Central Admin web apps you can use NTLM for convenience, but know that post-SP2 it is now supported to use Kerberos on them.
- When creating any web applications for content, USE KERBEROS. It is much more secure and also much faster, as the SP server doesn't have to keep sending authentication requests to AD.
- Kerberos auth does require extra steps, which makes people shy away from it, but once configured, it improves performance and security considerably.
Kerberos: Best Practice: Enable Kerberos!

Kerberos in 4 Easy Steps, Step 1: Create the Service Principal Names
- Use the setspn utility to create Service Principal Names in AD, with the following syntax, for example:

    Setspn.exe -A HTTP/mysite.companyabc.com DOMAINNAME\MYSiteAppAccount
    Setspn.exe -A HTTP/mysite DOMAINNAME\MYSITEAppAccount
    Setspn.exe -A HTTP/home.companyabc.com DOMAINNAME\HOMEAppAccount
    Setspn.exe -A HTTP/sp DOMAINNAME\HOMEAppAccount
Kerberos in 4 Easy Steps, Step 2: Allow User and Computer Accounts to Delegate
- On all SP computer accounts and on the application identity accounts, check the box in ADUC to allow for delegation. In ADUC, navigate to the computer or user account, right-click and choose Properties. Go to the Delegation tab and choose "Trust this user/computer for delegation to any service (Kerberos)".
Kerberos in 4 Easy Steps, Step 3A: Set Default Impersonation Level in Component Services
- On each SharePoint web front-end:
  - Go to Start > All Programs > Administrative Tools > Component Services
  - Navigate to Component Services > Computers > My Computer
  - Right-click My Computer and choose Properties
  - Choose the Default Properties tab
  - Change Default Impersonation Level to Delegate
  - Click OK
Kerberos in 4 Easy Steps, Step 3B: Set IIS WAMREG Permissions
- From the Component Services snap-in on each web role server:
  - Navigate to Component Services > Computers > My Computer > DCOM Config
  - Right-click IIS WAMREG Admin Service and choose Properties
  - Select the Security tab
  - Under Launch and Activation Permissions, click the Edit button
  - Add the application pool account and check the Allow box for Local Activation on each account
  - Click OK, OK, and close Component Services
Kerberos in 4 Easy Steps, Step 4 (Windows 2008 only): Edit the ApplicationHost.config File
- Windows Server 2008 front-ends require the ApplicationHost.config file to be modified to contain the following string:

Configuring the Farm: A Smattering of Best Practices

Configuring the Farm: Best Practices
- For email-enabled content, create a dedicated OU for email-enabled contacts and distribution lists and give the SP Admin account rights to create and modify contacts and groups in that OU.
- Use the Index server (if a separate role) as a dedicated server for crawling content; to do this you have to turn on the Web role on it, however.
- Don't forget to configure an NLB VIP for inbound mail using the SMTP service in a multi-server environment.
- You can use multiple extended web applications if you need to provide multiple access mechanisms to the same content.
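Kerberos Steps 1 and 2 above, done from PowerShell rather than setspn -A plus ADUC; an added example, not from the slides. It uses the slides' host headers and app pool accounts; DOMAINNAME and the front-end computer names SPWFE1/SPWFE2 are placeholders, and it assumes setspn.exe and the ActiveDirectory module (RSAT) are available. The duplicate-SPN check is the part worth keeping: an SPN registered on two accounts is the most common reason Kerberos silently falls back to NTLM.

```powershell
# Added example (not from the slides): Kerberos Step 1 (SPNs) and Step 2 (delegation)
# done from PowerShell instead of setspn -A plus ADUC. Host headers and app pool account
# names are the slides'; DOMAINNAME and the front-end names SPWFE1/SPWFE2 are placeholders.
# Assumes setspn.exe and the ActiveDirectory module (RSAT) are installed; run as a domain admin.
Import-Module ActiveDirectory

$Domain = 'DOMAINNAME'
# Each web application's host header(s) map to that application's own pool identity
$SpnMap = @{
    'MYSITEAppAccount' = @('HTTP/mysite.companyabc.com', 'HTTP/mysite')
    'HOMEAppAccount'   = @('HTTP/home.companyabc.com',   'HTTP/sp')
}
$WebFrontEnds = @('SPWFE1', 'SPWFE2')

# Step 1: register SPNs. -S (unlike the slides' -A) first checks the forest and refuses
# to add an SPN already held by another account; duplicate SPNs silently break Kerberos.
foreach ($Account in $SpnMap.Keys) {
    foreach ($Spn in $SpnMap[$Account]) {
        & setspn.exe -S $Spn "$Domain\$Account"
    }
    & setspn.exe -L "$Domain\$Account"     # list what the account now holds
}
# Forest-wide duplicate SPN check; any SPN reported here must be resolved first
& setspn.exe -X

# Step 2: same as ticking "Trust this user/computer for delegation to any service
# (Kerberos)" in ADUC for the app pool accounts and the SharePoint computer accounts.
# This is unconstrained delegation, as on the slide; constrained delegation
# (the "specified services only" option) is the tighter choice where it fits.
foreach ($Account in $SpnMap.Keys) {
    Set-ADUser -Identity $Account -TrustedForDelegation $true
}
foreach ($Computer in $WebFrontEnds) {
    Set-ADComputer -Identity $Computer -TrustedForDelegation $true
}

# Verify the flag landed on every object touched
foreach ($Account in $SpnMap.Keys) {
    Get-ADUser -Identity $Account -Properties TrustedForDelegation |
        Select-Object SamAccountName, TrustedForDelegation
}
foreach ($Computer in $WebFrontEnds) {
    Get-ADComputer -Identity $Computer -Properties TrustedForDelegation |
        Select-Object Name, TrustedForDelegation
}
```

Steps 3A, 3B and 4 remain the per-server Component Services and ApplicationHost.config changes described above.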
Configuring the Farm: Best Practices
- Don't forget Alternate Access Mappings if connecting to the content in more than one way (e.g. https://home.companyabc.com vs. just http://home)
- If using SSL on a web app, it is recommended to have a dedicated IP address, not just a host header
- Don't forget to install antivirus (MS Forefront Security for SharePoint recommended)
- Don't forget a comprehensive backup solution (MS System Center Data Protection Manager (DPM) 2007 recommended)
- For indexing PDFs, consider a 64-bit iFilter like Foxit
Key Takeaways
- Use multiple service accounts; definitely don't mix Application Pool identity accounts with the farm admin accounts
- Use Kerberos for any user-facing web application
- Use a SQL Alias for greatest flexibility
- A five-server farm is the smallest that is highly available
- Separate the DB role from the SP server if you can
For More Information
- SharePoint 2007 Unleashed (SAMS Publishing) (http://www.samspublishing.com)
- SAMS Teach Yourself SharePoint 2007 in 10 Minutes (http://www.samspublishing.com)
- Microsoft Virtualizing SharePoint Infrastructure Whitepaper (http://tinyurl.com/virtualsp)
Thanks for having me at your User Group in beautiful New Zealand!
Questions?
Michael Noel
Twitter: @michaeltnoel
www.cco.com
Labels from the Sample SP Logical Architecture diagram: SP Central Admin; additional departmental site collections, each with separate content databases.